Forgot your password?
typodupeerror

Comment Re:Privacy nightmare (Score 1) 87

well, telling that cloudflare is a XSS is a little too much! :)
they do not care about any of the site data, they only care about their metrics and those all anonymized

i understand, but i work for one of those sites... and no, we can't expose one part without cloudflare, the few forgotten urls/sites not protected by cloudflare are quickly found down either to high load (from all the bots) or down due to some attack

you can have your own WAF and security team trying to do the same as cloudflare, but they actually work very well and are not expensive

i went to check, i allow javascripts from cloudflare.com, cloudflarestream.com, deny from cloudflareinsights.com as this is just performance metrics and less important. I also allow iframes from the first 2. That is all. you can probably try to only allow the challenge.cloudflare.com it is probably enough to pass the captcha, even if it detects you as a bot due not running the remaining scripts

Comment Re:Privacy nightmare (Score 1) 87

they see the bank traffic to be able to filter bad traffic. cloudflare have a feature to not store the TLS cerficate on cloudflare, that talks with the bank backend to share data and negotiate the TLS. In that case, i'm not sure if cloudflare actually can decrypt the traffic... but again, even if they can, the system in place blocks bad usage of that data, only the automatic WAF filtering see that traffic and is blocked as much as possible from anyone abusing this.

The keystrokes are analyzed, not stored. but again, cloudflare is doing something that many ad and debug companies already do... if you want to complain about using key event features, complain to browsers, they were the ones adding those features and make them available to everyone

https://developer.mozilla.org/...

also notice that site owner will receive your the password anyway... and stealing info with via compromised javascript is already a thing, key events is just one of the many ways to get the info, there are even simpler ones. Javcascript is the way XSS attacks work

Comment Re:Cloudflare is malware/spyware (Score 1) 87

are you talking about workers? that is still code deployed by the site owner

if you are talking about cloudflare javascript code for bot detection, captcha, that is not malware... spyware, while it grab several info, that is not actually stored, just analyzed by models. It is not identifiable information. A great example is the JA3 and JA4, it produces a hash that maps browsers/apps types but not users

Comment Re:Hearing aid batteries (Score 1) 74

People don't even think before typing!

normal disposable batteries is already ancient tech... anything build around that is either very low consumption (last several months) or also old tech (old flashlights, use led ones, specially with rechargeable batteries, much better!)
you can use them, but if it is something that consume that many so fast, better use something you can recharge! but even normal rechargeable batteries are old tech, you can now replace AA and AAA batteries with LI-Ion ones, that charge via USB. They should last much longer. But all depends of what usage we are talking about! New batteries tech are also popping up and of course, you have solar for many outdoor usage (like sensors) that can make a battery last even longer

But now if you design your device already with li-ion or something else in mind, you recharge and replace that without any problem... if people buy devices that needs disposable batteries, that have better alternatives, it is their fault... they can also buy a spring or hamster powered device, they can also work, but not a good idea for anyone unless some corner cases

instead of trowing away a airpod, you remove the old battery, insert a new one and you have a good device again. Better to buy just the battery and recycle the old battery than to throw away or recycle everything (that is still working) to buy again the same hardware

Comment Re:Hearing aid batteries (Score 1) 74

lower voltage only matter if you are talking about standard AA and AAA (and all other formats), where the device is designed for 1.5v and rechargeable works usually in the 1.2v (due to the limitation of that old rechargeable tech). That on some devices may mean less power/strength/etc
if you use a new Li-Ion battery (many with usb port), you get a constant 1.5v (with a included small device to lower from 3.7v internally to that voltage)

But if you design already the device for rechargeable, you are already ready for that voltage... and if you use other (ideally standard) rechargeable batteries, like normal li-ion, you also design for whatever voltage you need

So design the hearing aid just like air pods, but instead of sealled battery, allow one to replace it! that is what many hearing aid company actually do, they aren't all big, you have many that are very small

check this image to see some different sizes: https://global-uploads.webflow...

of course, the smaller they are, the more expensive and lower battery time you usually have

Comment Re:Cloudflare is malware/spyware (Score 1) 87

the fact that cloudflare was serving a scam site is also one of their strengths... they don't police the sites, everyone can have whatever they want there and cloudflare actively tried to give site owners the liberty to do that and fight all censor attempts... yes, sometimes it backfires, but you can't have freedom without also have to cope with some freedom abuses.
Try to limit the freedom abused and you will end limiting everyone freedom

Cloudflare do have DMCA, abuse report and many other things, but those kind of sites can recreate a new site in a few minutes and know they have a window of time between detection and block to keep working

As for javascript, i also hate it... and i disable loading javascript in all sites where it is possible... but it getting harder and harder...
on the other side, i do use more sites that work without javascript or minimal amount of it and avoid sites that require to work many scripts from many places. Reader view in firefox can do magic in many sites, just output the text and avoid all the javascript... but can't solve everything

Comment Re:whitelist sites that don't use Cloudflare (Score 1) 87

yes, i agree that is annoying and is also my main complain about cloudflare captchas.
I understand that part is cloudflare fault, by testing many browser corner cases and so they target the latest browser versions to match their statistical distribution
another part is site owners, that may have enable the "required up to date browser" in cloudflare settings
and finally a part is user fault, many people use browsers "requiring updated" for weeks... at least from my experience, i see many people in meetings with +20 tabs open and the update notification and they keep that for weeks. probably browsers need to study why they don't update and restar the browser and find a better way to keep browsers updated.

finally, less used browsers is also a problem, cloudflare wants a NDA to finetune browsers in the captchas, but many small browses either don't have that option or refuse to do that... and cloudflare don't want to tell anyone what they are using to detect bots, as of course, people would workaround those very quickly. so this is a balance also hard to find

Comment Re:Privacy nightmare (Score 1) 87

cloudflare is a proxy, while the computer have access to your data, it doesn't store it. They have compliance rules to follow and audits, to make sure that a credit card number is not stolen in transit in cloudflare. Even a hacker inside cloudflare would have problems to access the info, exactly because they are required to make it hard to access that info. I'm excluding 3 letters agencies demanding the info in a secret way, as that can happen in any place (and for sure they can fake certificates to act as a hidden proxy if needed, as the USA control many CA)

the keys/mouse, of course it is stats about it, what you are typing or where you click do not really matter for this, what matter is the movement speed, direction, we all make small mouse corrections during movement... in keyboard, the speed how you type, the time between keys, how long you take to press enter (submit or not), if you use delete/backspace, Caps, punctuation, etc if you press shift, ctrl, alt, meta, etc. What you type is already in the payload and don't really matter, the stats about how it was produced is what matter

Finally, i do agree that the traffic should be private, that is why we all use https... but bots, ai and attacks make it hard, so site owners agree in to having a middle men that helps filter the bad traffic and that can see the traffic. Cloudflare works because people trust them, and they until now, they didn't broke that trust that they are doing bad things with the traffic data... the day they break that trust, many people will stop using it for sure.

So if the site owner is ok in to having a middle men in their connections, it is mostly the same as not having it (you also do not know if the site side is using any cloud service, that is also a proxy, sending data between partners internally or have a hacker inside their network, seeing all traffic)

Comment Re:Chrome only, I assume (Score 1) 87

there are probably better ways than identify users by mouse/keyboard data...
chrome for instance have a unique ID in every browser, so google can identify that browser no matter if you clean cookies, create new profiles or even use different users in your machine. the browsers id is the same and set during download.
That is why chromium also have to have a google id to access google services and de-googled chromium can't access those services, because without the ID, they will refuse to work

Comment Re: People do the same. (Score 1) 87

sure, but again, if it blocks 50% of the bots, it is 50% less bots arriving and more resources that the remaining 50% have to use in order of not being blocked. For sure cloudflare will have other detections too! like a onion, many layers, there isn't one that solves all, but all together can make a good filter

Comment Re:whitelist sites that don't use Cloudflare (Score 1) 87

agree, but anubis doesn't really work on everything...

anubis waste resources and slow down requests, this protect against normal scrapers and AI... but i doesn't protect against attacks. if the host is yours, anubis forces you to waste more money, but attacks use someone else resources, they use infected devices all over the place, so if their CPU is 100% or not, it doesn't matter much... yes, it may still slow down the attack, but the attack can bypass it by just adding more vulnerable hosts if really needed

That is why also cloudflare have a javascript captcha and the interactive captcha. The javascript one is mostly like anubis, but it can't protect for everything, so they also have the interactive one to make sure someone/something have to click on the box and they check how that is done. Notice that AI browsers are now able to solve the cloudflare interactive captcha too, that is why cloudflare is now testing other ways (like this of tracking mouse and keyboard between several pages), as tradicional capchas are usually easier to solve by AI than by humans

this is a balance hard to find, another never ending cat-mouse war

Comment Re:Cloudflare is malware/spyware (Score 1) 87

hey, the site i manage have no ads, people pay money ... we actually pay money to cloudflare.
we want to protect from attacks and all the bots and AI browsers are using a huge amount of resources, that we have to pay, so it is cheaper for us to pay cloudflare than scale the infra and pay for it.

and if you disable javascript, most site will actually not work (i know, i tried, i used noscript for many years), better option is use umatrix where you choose what to load or not or using a curated list like adblock. I use umatrix and while i allow cloudflare javascript for captchas (i do block some other resources), i block ads server and javascripts, cookies, etc from many sites

Slashdot Top Deals

"It takes all sorts of in & out-door schooling to get adapted to my kind of fooling" - R. Frost

Working...