Libraries coffeeClean • 4 months ago • 82%

1913 - library established in Houston by a black community. Years later, the city disbanded the all 8 black board members and shut the library down 1939 - 5 black people thrown out of a Virginia library for “disturbing the peace” (they were quietly reading). 1961 - Geraldine Edwards Hollis and eight other students from historically-black Tougaloo College — a group known as the Tougaloo Nine — held a sit-in at a “whites-only” public library in Jackson, Mississippi, as an act of civil disobedience. 1970 - the first meeting of the Black Caucus of the American Library Association formed to address the fact that the ALA wasn’t meeting the needs of Black library professionals. The late 1990s started to become the sweet spot for library inclusion and governance. Everyone was welcome to access books and media without restriction. In the 2000s, technology emerged in public libraries in a quite inclusive way. There some libraries had PCs and some had ethernet and/or Wi-Fi (free of captive portals). Anyone could use any of those technologies. 2024: * Ethernet becomes nearly non-existent, thus excluding: * people running FOSS systems (which often lack FOSS Wi-Fi firmware) * people with old hardware * people who oppose the energy waste of Wi-Fi * people who do not accept the security compromise of Wi-Fi (AP spoofing/mitm, traffic evesdropping, arbitrary [tracking](https://www.scss.tcd.ie/doug.leith/apple_google.pdf) by all iOS and Android devices in range) * Wi-Fi service itself has become more exclusive at public libraries: * captive portals -- not all devices can even handle a captive portal, full stop. Some captive portals are already imposing TLS 1.3 so people with slightly older hardware cannot even reach the ToS page. Some devices cannot handle a captive portal due to DNS resolution being dysfunctional before the captive portal is passed and the captive portal itself is designed to need DNS resolution. * GSM requirement -- some public library captive portals now require patrons to complete an SMS verification. This of course excludes these demographics of people: * People who do not *own* a mobile phone * People who do not *carry* a mobile phone around with them * People who do not subscribe to mobile phone service (due to poverty, or for countless privacy reasons) * People who object to disclosing their mobile phone number and who intend to exercise their right to data minimisation (under the GDPR or their country’s version thereof) * Web access restrictions intensified: * e-books outsourced to Cloudflared services, thus excluding all demographics of people who Cloudflare excludes. * Invidious blocked. This means people who do not have internet at home have lost the ability to download videos to watch in their home. * Egress Tor connections recently blocked by some libraries, which effectively excludes people whose systems are designed to use Tor to function. So if someone’s email account is on an onion service, those people are excluded from email. There’s a bit of irony in recent developments that exclude privacy seekers who, for example, deliberately choose not to have a GSM phone out of protest against compulsory GSM registration with national IDs, because the library traditionally respects people’s privacy. Now they’re evolving to actually deny service to people for exercising their privacy rights. There needs to be pushback to get public libraries back on track to becoming as inclusive as they were in the 1990s. A big part of the problem is outsourcing. The libraries are no longer administrating technology themselves. They have started outsourcing to tech giants like Oracle who have a commercial motivation to save money, which means marginalising demographics of people who don’t fit in their simplified canned workflow. When a patron gets excluded by arbitrary tech restrictions, the library is unable to remedy the problem. Librarians have lost control as a consequence of outsourcing. One factor has improved: some libraries are starting to nix their annual membership fee. It tends to be quite small anyway (e.g. $/€ 5/year), so doesn’t even begin to offset those excluded by technology.

cybersecurity coffeeClean • 5 months ago • 63%

I plugged into ethernet (as wifi w/captive portal does not work for me). I think clearnet worked but I have no interest in that. Egress Tor traffic was blocked and so was VPN. I’m not interested in editing all my scripts and configs to use clearnet, so the library’s internet is useless to me (unless I bother to try a tor bridge). I was packing my laptop and a librarian spotted me unplugging my ethernet cable and approached me with big wide open eyes and pannicked angry voice (as if to be addressing a child that did something naughty), and said “you can’t do that!” I have a lot of reasons for favoring ethernet, like not carrying a mobile phone that can facilitate the SMS verify that the library’s captive portal imposes, not to mention I’m not eager to share my mobile number willy nilly. The reason I actually gave her was that that I run a free software based system and the wifi drivers or firmware are proprietary so my wifi card doesn’t work¹. She was also worried that I was stealing an ethernet cable and I had to explain that I carry an ethernet cable with me, which she struggled to believe for a moment. When I said it didn’t work, she was like “good, I’m not surprised”, or something like that. ¹ In reality, I have whatever proprietary garbage my wifi NIC needs, but have a principled objection to a service financed by public money forcing people to install and execute proprietary non-free software on their own hardware. But there’s little hope for getting through to a librarian in the situation at hand, whereby I might as well have been caught disassembling their PCs.

IMO this is a #netneutrality issue due to lack of access equality. People with old phones are discriminated against. cross-posted from: https://infosec.pub/post/11021006 > … > TLS-encumbered captive portal (transit service) > --- > A transit service offered wi-fi but the network forcibly redirected me to a > captive portal that triggers this error: > ``` > net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH > ``` > I tried a couple browsers and tried rewriting the `https://` scheme as `http://` but SSL redirect was forced consistently. The error apparently [implies](https://web.archive.org/web/20240318220527/https://phoenixnap.com/kb/fix-err-ssl-version-or-cipher-mismatch) my phone’s browser can’t do TLS 1.3. > > It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions: > > * I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place). > > * Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it. > > I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5. > > Bypass methods > --- > I guess I need to study: > * ICMP tunnel (slow, but IIUC it’s the least commonly blocked) > * SSH tunnel > * others? > > Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found: > > * [MultiVNC](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.coboltforge.dontmind.multivnc/index.html.en) - VNC over SSH > * [AVNC](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.gaurav.avnc/index.html.en) - VNC over SSH > * [ConnectBot](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/org.connectbot/) - Can all traffic be routed over this SSH tunnel, or just a shell session? > * [VX ConnectBot](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/sk.vx.connectbot/index.html.en) - same as connectBot but expanded > > I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option. > > My to-do list of things to tinker with so far: > * [Captive Portal Controller](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/io.github.muntashirakon.captiveportalcontroller/) > * ~~[CaptivePortalLogin](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.juliansparber.captiveportallogin/)~~ (AOS 6+, and no Izzy archives on this) > * [Hotspot Login](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/net.sf.andhsli.hotspotlogin/) > > Legal options > --- > If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases. > > And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

This is likely a Lemmy bug but infosec.pub is related because there are so many Android communities that are federated from bad places so I thought I would mention it here as well. cross-posted from: https://infosec.pub/post/11060800 > The cross-post mechanism has a limitation whereby you cannot simply enter a precise community to post to. Users are forced to search and select. When searching for “android” on infosec.pub within the cross-post page, the list of possible communities is totally clusterfucked with shitty centralized Cloudflare instances (lemmy world, sh itjust works, lemm ee, programming dev, etc). The list of these junk instances is so long !android@hilariouschaos.com does not make it to the list. > > The workaround is of course to just create a new post with the same contents. And that is what I will do. > > There are multiple bugs here: > ① First of all, when a list of communities is given in this context, the centralized instances should be listed ***last*** (at *best*) because they are antithetical to fedi philosophy. > ② Subscribed communities should be listed first, at the top > ③ Users should always be able to name a community in its full form, e.g.: > * `!android@hilariouschaos.com` > * `hilariouschaos.com/android` > > ④ Users should be able to name just the instance (e.g. hilariouschaos.com) and the search should populate with subscribed communities therein.

The cross-post mechanism has a limitation whereby you cannot simply enter a precise community to post to. Users are forced to search and select. When searching for “android” on infosec.pub within the cross-post page, the list of possible communities is totally clusterfucked with shitty centralized Cloudflare instances (lemmy world, sh itjust works, lemm ee, programming dev, etc). The list of these junk instances is so long !android@hilariouschaos.com does not make it to the list. The workaround is of course to just create a new post with the same contents. And that is what I will do. There are multiple bugs here: ① First of all, when a list of communities is given in this context, the centralized instances should be listed ***last*** (at *best*) because they are antithetical to fedi philosophy. ② Subscribed communities should be listed first, at the top ③ Users should always be able to name a community in its full form, e.g.: * `!android@hilariouschaos.com` * `hilariouschaos.com/android` ④ Users should be able to name just the instance (e.g. hilariouschaos.com) and the search should populate with subscribed communities therein.

cross-posted from: https://infosec.pub/post/11021006 > The red padlock (at a cafe) > --- > The captive portal of a cafe simply rendered a red padlock on with a line through it. Essentially, it was apparently telling me I am being denied access arbitrarily without using any words. There was no other screen before that. Immediately after wifi handshaking Android’s built-in captive portal detection app just went straight to a padlock. I have never been in that cafe in my life and never use my device maliciously. > > Showed the screen to the staff who said “works for me on my phone”, who then noticed the airplane on my status bar and said “oh, you got the little airplane, that’s the problem”. Shit; so then I had to explain that wi-fi works in airplane mode. It was just a distraction for them. I couldn’t really convince them that the problem isn’t anything I’m doing wrong. There is no tech support for this situation -- like pretty much all captive portal scenarios. Being the customer of the customer is a very weak position to be in when the direct customer doesn’t really give a shit if it works or not. > > So, has anyone seen this kind of behavior? I run into shitty broken captive portals often enough that I guess I really need to get a better understanding of them, and ways to bypass them. > > TLS-encumbered captive portal (transit service) > --- > A transit service offered wi-fi but the network forcibly redirected me to a > captive portal that triggers this error: > ``` > net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH > ``` > I tried a couple browsers and tried rewriting the `https://` scheme as `http://` but SSL redirect was forced consistently. The error apparently [implies](https://web.archive.org/web/20240318220527/https://phoenixnap.com/kb/fix-err-ssl-version-or-cipher-mismatch) my phone’s browser can’t do TLS 1.3. > > It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions: > > * I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place). > > * Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it. > > I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5. > > Bypass methods > --- > I guess I need to study: > * ICMP tunnel (slow, but IIUC it’s the least commonly blocked) > * SSH tunnel > * others? > > Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found: > > * [MultiVNC](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.coboltforge.dontmind.multivnc/index.html.en) - VNC over SSH > * [AVNC](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.gaurav.avnc/index.html.en) - VNC over SSH > * [ConnectBot](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/org.connectbot/) - Can all traffic be routed over this SSH tunnel, or just a shell session? > * [VX ConnectBot](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/sk.vx.connectbot/index.html.en) - same as connectBot but expanded > > I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option. > > My to-do list of things to tinker with so far: > * [Captive Portal Controller](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/io.github.muntashirakon.captiveportalcontroller/) > * ~~[CaptivePortalLogin](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.juliansparber.captiveportallogin/)~~ (AOS 6+, and no Izzy archives on this) > * [Hotspot Login](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/net.sf.andhsli.hotspotlogin/) > > Legal options > --- > If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases. > > And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop.

cybersecurity coffeeClean • 5 months ago • 66%

The red padlock (at a cafe) --- The captive portal of a cafe simply rendered a red padlock on with a line through it. Essentially, it was apparently telling me I am being denied access arbitrarily without using any words. There was no other screen before that. Immediately after wifi handshaking Android’s built-in captive portal detection app just went straight to a padlock. I have never been in that cafe in my life and never use my device maliciously. Showed the screen to the staff who said “works for me on my phone”, who then noticed the airplane on my status bar and said “oh, you got the little airplane, that’s the problem”. Shit; so then I had to explain that wi-fi works in airplane mode. It was just a distraction for them. I couldn’t really convince them that the problem isn’t anything I’m doing wrong. There is no tech support for this situation -- like pretty much all captive portal scenarios. Being the customer of the customer is a very weak position to be in when the direct customer doesn’t really give a shit if it works or not. So, has anyone seen this kind of behavior? I run into shitty broken captive portals often enough that I guess I really need to get a better understanding of them, and ways to bypass them. TLS-encumbered captive portal (transit service) --- A transit service offered wi-fi but the network forcibly redirected me to a captive portal that triggers this error: ``` net::ERR_SSL_VERSION_OR_CIPHER_MISMATCH ``` I tried a couple browsers and tried rewriting the `https://` scheme as `http://` but SSL redirect was forced consistently. The error apparently [implies](https://web.archive.org/web/20240318220527/https://phoenixnap.com/kb/fix-err-ssl-version-or-cipher-mismatch) my phone’s browser can’t do TLS 1.3. It seems like a shitty move for a transit service to require passengers to use TLS 1.3 just to tick a fucking box that says “I agree” (to the terms no one reads anyway). Couple questions: * I’m generally in the /protect everything by default/ school of thought. But I cannot get my head around why a captive portal where people just tap “I agree” would warrant disclosure protection that could hinder availability. In reality, I don’t really know what the captive portal at hand requests.. maybe it demands people’s phone# or email, in which case it might make sense (though I would object to them collecting that info in a GDPR region in the 1st place). * Is there a good reason for a captive portal to require TLS 1.3? It seems either the network provider does not trust their own network, or they’re simply incompetent (assumes everyone runs the latest phones). But if I’m missing something I would like to understand it. I still have to investigate what limitation my browser has and whether I can update this whilst being trapped on an unrooted Android 5. Bypass methods --- I guess I need to study: * ICMP tunnel (slow, but IIUC it’s the least commonly blocked) * SSH tunnel * others? Are there any decent FOSS tools that implement the client side of tunnels without needing root? I have openvpn but have not tested to see if that can circumvent captive portals. I’ve only found: * [MultiVNC](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.coboltforge.dontmind.multivnc/index.html.en) - VNC over SSH * [AVNC](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.gaurav.avnc/index.html.en) - VNC over SSH * [ConnectBot](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/org.connectbot/) - Can all traffic be routed over this SSH tunnel, or just a shell session? * [VX ConnectBot](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/sk.vx.connectbot/index.html.en) - same as connectBot but expanded I’m curious if the VNC clients would work but at the same time I’m not keen to bring in the complexity of then having to find a VNC server. Running my own server at home is not an option. My to-do list of things to tinker with so far: * [Captive Portal Controller](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/io.github.muntashirakon.captiveportalcontroller/) * ~~[CaptivePortalLogin](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/com.juliansparber.captiveportallogin/)~~ (AOS 6+, and no Izzy archives on this) * [Hotspot Login](http://fdroidorg6cooksyluodepej4erfctzk7rrjpjbbr6wx24jh3lqyfwyd.onion/en/packages/net.sf.andhsli.hotspotlogin/) Legal options --- If a supplier advertises Wi-Fi but then they render it dysfunctional by imposing arbitrary tech requirements after consumers have already bought the product/service it was included with (coffee, train/bus/plane fare, etc), then they neglect to support it, doesn’t that constitute false advertising? Guess this is out of scope for the community but I might be ½ tempted to file false advertising claims with consumer protection agencies in some cases. And when a captive portal demands email or phone number, it would seem to be a GDPR violation. Some public libraries make wi-fi access conditional on sharing a mobile phone number which then entails an SMS verification loop. update (phones bought last year already obsolete) --- TLS 1.3 was not introduced until Android OS 10 (sept.2019). That was the release date of AOS 10. Older devices like AOS 9 would still be sold at that time and continuing ***at least*** into 2023. Shops do not pull their stock from the shelves when the end of support arrives. This means people buying new COTS Android devices just last year or even this year are already too out of date for the TLS 1.3 captive portal to function. It’s seriously disgusting how many people expect consumers to upgrade this chronically fast.

Home Networking coffeeClean • 6 months ago • 100%

There are apparently only two documented ways to reverse tether an Android via USB to a linux host: * [openVPN method](http://salutepc.altervista.org/usb-reverse-tethering-no-root-no-adb-android-all-versions-linux-quick-mode.html) * [Gnirehtet](https://www.ubuntubuzz.com/2019/09/android-reverse-tethering-with-ubuntu-1804.html) ***OpenVPN dead*** I really wanted the #openVPN method to work because I’m a fan of reducing special-purpose installations and using Swiss army knives of sorts. In principle we might expect openVPN to be well maintained well into the future. But openVPN turns out to be a shit show in this niche context. Features have been dropped from the Android version. ***Gnirehtet dying*** Gnirehtet works but it’s falling out of maintenance. ~~It’s also unclear if~~ #Gnirehtet really works without root. There is mixed info: * Ade Malsasa Akbar from Ubuntubuzz [claims](https://www.ubuntubuzz.com/2019/09/android-reverse-tethering-with-ubuntu-1804.html) root is ***not*** needed (and devs [agree](https://github.com/Genymobile/gnirehtet)). * OSradar [claims](http://web.archive.org/web/20230531011502/https://www.osradar.com/reverse-tether-from-linux-to-android/) root ***is*** needed. (edit: they are mistaken) If anyone has managed to reverse tether an unrooted Android over USB to a linux host using free software, please chime in. Thanks! update on Gnirehtet --- Gnirehtet indeed works without root. But some apps (like VOIP apps) fail to detect an internet connection and refuse to communicate. #askFedi

cybersecurity coffeeClean • 6 months ago • 80%

Question for people willing to visit Cloudflare sites: How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins setup a separate non-CF host for authentication. Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?

cybersecurity coffeeClean • 6 months ago • 90%

An HTML-only email from a gov agency has a logo referencing an URL that looks like this: `https://1wy1y.mjt.lu/tplimg/1wy1y/f/l9hl7/g3q3v.png` It’s not exactly that (apart from the domain) but of course it’s rather unique looking. They send email routinely. The initial emails had an obviously non-suspicious basic logo, like “(their office domain)/files/logo.png”. But then later they switched and every message from them is the URL in the mjt.lu domain. It’s not unique per message but it could be unique to the user, perhaps to keep tabs on when each person reads their messages. The output of `torsocks curl -LI` looks like this: ``` HTTP/2 200 date: (exactly now) content-type: image/png accept-ranges: bytes ``` That’s it. It’s the shortest HTTP header I’ve seen. There’s no content-length. I find that suspicious because if this is a service that facilitates tracker pixels, then they would want to withhold the length in order to dodge detection. Although from its usage in my case it wouldn’t just be a pixel -- it’s a logo. The date is also suspect. Shouldn’t the date be the date of the object, not the current time this second? Are there any other checks to investigate this?

DeGoogle Yourself coffeeClean • 6 months ago • 89%

infosec.pub

The technical mechanism: https://play.google.com/store/apps/details?id=com.google.android.apps.devicelock update --- To be clear, I am not the OP who experienced this problem. I just linked them from here.

There used to be no problem archiving a Mastodon thread in the #internetArchive #waybackMachine. Now on recent threads it just shows a blank page: https://web.archive.org/web/20240318210031/https://mastodon.social/@lrvick/112079059323905912 Or is it my browser? Does that page have content for others?

I received several machine-generate e-mails which are all mostly the same: a notification. They are HTML emails with no plaintext MIME part. Yikes! And to complicate matters further, the messages traversed my anonaddy forwarding account which PGP encrypts every message to me before forwarding it to my normal email account. The gov wants me to give them an “unaltered copy” of these e-mails. This gov office actually blocks my mail server so I am generally unwilling to send them email. This means I will be giving them the emails on paper hardcopy. So wtf, this is tricky. They want an “unaltered copy”. If I were to print the MBOX files, it would be useless to them because it’s a base64 blob that only I can decrypt. My mail client is mutt so the HTML is detected and piped through w3m to give me a text version that is readable enough. But in general, how do you give unaltered copies of an HTML email on paper form? This is not necessarily for a court but it could go down that path. Would a court want to see raw HTML tags? Or do courts prefer the HTML to be rendered for readability? Normally I copy the w3m-rendered text of email into LaTeX and typeset it to look pretty and copy-paste the useful headers into a well-styled header in a monospaced font. And I omit the useless headers. But I get the impression my way of working would not pass for “unaltered”. I could perhaps try to feed the HTML into `wkhtmltopdf`. In the end, HTML rendering always varies depending on the rendering tool. Normies use MS Outlook, and I have to figure that the gov is normally dealing with normies. So maybe I should install Evolution or Thunderbird. Any suggestions for a tool that is particularly good at making HTML email presentable on paper without looking too custom? #askFedi

Is this Instance Down? coffeeClean • 6 months ago • 33%

Just like catcatnya, infosec.exchange just gives a black page. Up, but broken, at least in my browser. (update) browser issue. Downvoted myself on this to lessen the visibility although some may still find that interesting so I’ll let the thread live.

DeGoogle Yourself coffeeClean • 6 months ago • 90%

cross-posted from: https://infosec.pub/post/9936059 > I would like to collect the scenarios in which people are forced to enter Google’s #walledGarden (that is, to establish and/or maintain an account). > > If someone ***needs*** a Google service to access something essential like healthcare or education, that’s what I want to hear about. To inspire a list of things that are “essential” I had a look at human rights law to derive this list: > > * right to life > * healthcare > * freedom of expression > * freedom of assembly and of association > * right to education > * right to engage in work and access to placement services > * fair and just working conditions > * social security and social assistance > * consumer protection > * right to vote > * right to petition > * right of access to (government) documents > * right to a nationality (passport acquisition) > * right of equal access to public service in his country > > Below is what I have encountered personally, which serves as an example of the kind of experiences I want to hear about: > > * Google’s Playstore is a gate-keeper to most Android apps in the world and this includes relatively essential apps, such as: > * emergency apps (e.g. that dial 112 in Europe or 911 in the US) > * banking apps > * apps for public services (e.g. public parking) > * others? > * (education) Google docs is used by students in public schools, by force to some extent. Thus gdocs sometimes cannot be escaped in pursuit of education. When groups of students collaborate, sometimes the study groups impose use of gdocs. Some secondary school teachers impose the use of Google accounts for classroom projects. > * (education) A public university’s wi-fi network involved a captive portal and the only way to gain access was to supply credentials for a Google or Facebook account. > > I’ve noticed that when creating an account for a public service I often have the option to supply credentials for Google or Facebook to bypass the verification process. In all cases of this kind of registration shortcut being used for public service, there was an alternative Google-free way to open the account. But in the private sector, I’ve seen this style of registration that absolutely required a proxy login via some shitty walled garden (like the university wi-fi). So I wonder if there are any situations where a government (anywhere in the world) requires a Google account in order to get service. >

cross-posted from: https://infosec.pub/post/9936059 > I would like to collect the scenarios in which people are forced to enter Google’s #walledGarden (that is, to establish and/or maintain an account). > > If someone ***needs*** a Google service to access something essential like healthcare or education, that’s what I want to hear about. To inspire a list of things that are “essential” I had a look at human rights law to derive this list: > > * right to life > * healthcare > * freedom of expression > * freedom of assembly and of association > * right to education > * right to engage in work and access to placement services > * fair and just working conditions > * social security and social assistance > * consumer protection > * right to vote > * right to petition > * right of access to (government) documents > * right to a nationality (passport acquisition) > * right of equal access to public service in his country > > Below is what I have encountered personally, which serves as an example of the kind of experiences I want to hear about: > > * Google’s Playstore is a gate-keeper to most Android apps in the world and this includes relatively essential apps, such as: > * emergency apps (e.g. that dial 112 in Europe or 911 in the US) > * banking apps > * apps for public services (e.g. public parking) > * others? > * (education) Google docs is used by students in public schools, by force to some extent. Thus gdocs sometimes cannot be escaped in pursuit of education. When groups of students collaborate, sometimes the study groups impose use of gdocs. Some secondary school teachers impose the use of Google accounts for classroom projects. > * (education) A public university’s wi-fi network involved a captive portal and the only way to gain access was to supply credentials for a Google or Facebook account. > > I’ve noticed that when creating an account for a public service I often have the option to supply credentials for Google or Facebook to bypass the verification process. In all cases of this kind of registration shortcut being used for public service, there was an alternative Google-free way to open the account. But in the private sector, I’ve seen this style of registration that absolutely required a proxy login via some shitty walled garden (like the university wi-fi). So I wonder if there are any situations where a government (anywhere in the world) requires a Google account in order to get service. >

I would like to collect the scenarios in which people are forced to enter Google’s #walledGarden (that is, to establish and/or maintain an account). If someone ***needs*** a Google service to access something essential like healthcare or education, that’s what I want to hear about. To inspire a list of things that are “essential” I had a look at human rights law to derive this list: * right to life * healthcare * freedom of expression * freedom of assembly and of association * right to education * right to engage in work and access to placement services * fair and just working conditions * social security and social assistance * consumer protection * right to vote * right to petition * right of access to (government) documents * right to a nationality (passport acquisition) * right of equal access to public service in his country Below is what I have encountered personally, which serves as an example of the kind of experiences I want to hear about: * Google’s Playstore is a gate-keeper to most Android apps in the world and this includes relatively essential apps, such as: * major medical provider ([megathread](https://mastodon.social/@lrvick/112085186821900663)) * emergency apps (e.g. that dial 112 in Europe or 911 in the US) * banking apps * apps for public services (e.g. public parking) * others? * (education) Google docs is used by students in public schools, by force to some extent. Thus gdocs sometimes cannot be escaped in pursuit of education. When groups of students collaborate, sometimes the study groups impose use of gdocs. Some secondary school teachers impose the use of Google accounts for classroom projects. * (education) A public university’s wi-fi network involved a captive portal and the only way to gain access was to supply credentials for a Google or Facebook account. I’ve noticed that when creating an account for a public service I often have the option to supply credentials for Google or Facebook to bypass the verification process. In all cases of this kind of registration shortcut being used for public service, there was an alternative Google-free way to open the account. But in the private sector, I’ve seen this style of registration that absolutely required a proxy login via some shitty walled garden (like the university wi-fi). So I wonder if there are any situations where a government (anywhere in the world) requires a Google account in order to get service.

cross-posted from: https://infosec.pub/post/9930406 > I have never used Facebook. I’m trying to understand the ways in which people are getting trapped in there. Obviously there is an [addiction factor](https://en.wikipedia.org/wiki/Criticism_of_Facebook#Facebook_addiction), but I’m more interested in how someone who is (hypothetically) immune to addiction might still be forced into #Facebook. > > If someone ***needs*** Facebook to access something essential like healthcare, that’s what I want to hear about. To inspire a list of things that are “essential” I had a look at human rights law to derive this list: > > * right to life > * healthcare > * freedom of expression > * freedom of assembly and of association > * right to education > * right to engage in work and access to placement services > * fair and just working conditions > * social security and social assistance > * consumer protection > * right to vote > * right to petition > * right of access to (government) documents > * right to a nationality (passport acquisition) > * right of equal access to public service in his country > > I don’t imagine that Facebook has an essential role in supporting people’s human rights. I assume most gov offices have a Facebook presence, but there is always a way to access the same services outside of FB, correct? > > I can think of a couple situations where FB access is important to reaching something essential. E.g. > > * A police department recovered stolen bicycles and announced that theft victims could visit the FB page of the police dept. to see if their bicycle appears in the photos. Non-FB users were blocked from the page and there was no other means to reach the photos. Effectively, non-FB users were denied equal access to public services. > > * A Danish university has a Facebook page as well as just about every single student. Facebook was used exclusively to announce campus social events and even some optional classes. Students without FB were excluded. In a sense, they were being excluded from some aspects to public education, although strictly speaking the FB exclusive events were not required to obtain a degree. > > * Regarding freedom of assembly, there is an activist group in my local area fighting for the right to be offline. I wanted to join the group, but their sole presence is on Facebook, ironically. So my freedom of assembly in this case is conditioned on being trapped in Facebook. > > In any case, I would like to hear more examples of what essential information or services is compromised by leaving or neglecting to join Facebook. > > #askFedi #Meta #walledGarden

cross-posted from: https://infosec.pub/post/9930406 > I have never used Facebook. I’m trying to understand the ways in which people are getting trapped in there. Obviously there is an [addiction factor](https://en.wikipedia.org/wiki/Criticism_of_Facebook#Facebook_addiction), but I’m more interested in how someone who is (hypothetically) immune to addiction might still be forced into #Facebook. > > If someone ***needs*** Facebook to access something essential like healthcare, that’s what I want to hear about. To inspire a list of things that are “essential” I had a look at human rights law to derive this list: > > * right to life > * healthcare > * freedom of expression > * freedom of assembly and of association > * right to education > * right to engage in work and access to placement services > * fair and just working conditions > * social security and social assistance > * consumer protection > * right to vote > * right to petition > * right of access to (government) documents > * right to a nationality (passport acquisition) > * right of equal access to public service in his country > > I don’t imagine that Facebook has an essential role in supporting people’s human rights. I assume most gov offices have a Facebook presence, but there is always a way to access the same services outside of FB, correct? > > I can think of a couple situations where FB access is important to reaching something essential. E.g. > > * A police department recovered stolen bicycles and announced that theft victims could visit the FB page of the police dept. to see if their bicycle appears in the photos. Non-FB users were blocked from the page and there was no other means to reach the photos. Effectively, non-FB users were denied equal access to public services. > > * A Danish university has a Facebook page as well as just about every single student. Facebook was used exclusively to announce campus social events and even some optional classes. Students without FB were excluded. In a sense, they were being excluded from some aspects to public education, although strictly speaking the FB exclusive events were not required to obtain a degree. > > * Regarding freedom of assembly, there is an activist group in my local area fighting for the right to be offline. I wanted to join the group, but their sole presence is on Facebook, ironically. So my freedom of assembly in this case is conditioned on being trapped in Facebook. > > In any case, I would like to hear more examples of what essential information or services is compromised by leaving or neglecting to join Facebook.

Offgrid living coffeeClean • 6 months ago • 100%

cross-posted from: https://infosec.pub/post/8864206 > I bought a Silicondust HD Homerun back before they put their website on Cloudflare. I love the design of having a tuner with a cat5 port, so the tuner can work with laptops and is not dependent on being installed into a PC. > > But now that Silicondust is part of Cloudflare, I will no longer buy their products. I do not patronize Cloudflare patrons. > > I would love to have a satellite tuner in a separate external box that: > * tunes into free-to-air content > * has a cat5 connection > * is MythTV compatible > > Any hardware suggestions other than #Silicondust?

cross-posted from: https://infosec.pub/post/8864206 > I bought a Silicondust HD Homerun back before they put their website on Cloudflare. I love the design of having a tuner with a cat5 port, so the tuner can work with laptops and is not dependent on being installed into a PC. > > But now that Silicondust is part of Cloudflare, I will no longer buy their products. I do not patronize Cloudflare patrons. > > I would love to have a satellite tuner in a separate external box that: > * tunes into free-to-air content > * has a cat5 connection > * is MythTV compatible > > Any hardware suggestions other than #Silicondust?

Is this Instance Down? coffeeClean • 6 months ago • 0%

catcatnya.com just gives a black page. Up, but broken, at least in my browser. (update) browser issue. Downvoted myself on this to lessen the visibility although some may still find that interesting so I’ll let the thread live.

Images do not get mirrored from one Lemmy instance to another. Understandably so. But there is a harmful side effect: if SourceNode is behind an access-restricted walled-garden and an image from that node is cross-posted to a DestinationNode that is not inside the same access-restricted walled-garden, then some readers on DestinationNode see posts where the image is inaccessible. All variants of walled gardens are can trigger this problem but the most common is Cloudflare. So posts that contain images coming from instances like `sh.itjust.works` and `lemmy.world` are exclusive and do not include all people who infosec.pub includes. How can this be fixed? 1. infosec.pub could defederate from all Cloudflare nodes. This would prevent CF pawns from *pushing* exclusive content onto infosec.pub, but infosec.pub users could probably still post links to the exclusive venues. 1. infosec.pub could block just cross-posts from CF nodes that contain images. 1. infosec.pub could mirror images when the image is in a known exclusive walled garden. 1. infosec.pub could accept posts that contain images in walled gardens and then immediately hide those posts. Perhaps a bot could populate a community designated for exclusive walled gardens with links to hidden posts so users not excluded by the walled garden can still reach the content. Some of those options might require changes to lemmy code.

cybersecurity coffeeClean • 7 months ago • 70%

cross-posted from: https://infosec.pub/post/9382315 > I have had no problem using VOIP over #protonVPN until recently. Connections happen but there is no audio. Anyone notice this? > > I wondered if maybe they decided to make VOIP a non-free feature, but their premium plans do not list VOIP as an extra feature.

VPN coffeeClean • 7 months ago • 100%

I have had no problem using VOIP over #protonVPN until recently. Connections happen but there is no audio. Anyone notice this? I wondered if maybe they decided to make VOIP a non-free feature, but their premium plans do not list VOIP as an extra feature.

This may be an instance-specific problem because I’ve had no problem editing posts on other instances. When I try to exit the title and body of [this post](https://infosec.pub/post/9339866), I click save (or whatever) and without error it behaves as if my change was accepted. Most instances take a minute or two to re-render the screen to show my updates. If the wait is long, I sometimes do a hard refresh to make sure the change got accepted (and if I don’t do that and I do another update, the old content populates the form and causes the recent edit to be lost). Anyway, with infosec.pub my edits on the above-mentioned post just take no effect, confirmed by a hard-refresh showing no change.

Unofficial Tor Community coffeeClean • 7 months ago • 100%

What happens if an app uses UDP instead of TCP (or both UDP and TCP), and you use the `torsocks` wrapper script? Would the UDP connections all leak without the Tor user knowing?

Fight For Privacy coffeeClean • 7 months ago • 25%

cross-posted from: https://infosec.pub/post/9048075 > I simply make a GDPR request. Write to a Tor-hostile data controller making an Article 15 request for a copy of all your data. Also ask for a list of all entities your data is shared with. > > The idea is that if a website blocks Tor (or worse, uses Cloudflare to also share all traffic with a privacy offender), then they don’t give a shit about privacy. So you punish them with some busy work and that busy work might lead to interesting discoveries about data abuses. > > Of course this only works in the EU and also only works with entities that have collected your personal data non-anonymously. After getting your data it generally makes sense to also file an Article 17 request to erase it and boycott that company.

Unofficial Tor Community coffeeClean • 7 months ago • 82%

I simply make a GDPR request. Write to a Tor-hostile data controller making an Article 15 request for a copy of all your data. Also ask for a list of all entities your data is shared with. The idea is that if a website blocks Tor (or worse, uses Cloudflare to also share all traffic with a privacy offender), then they don’t give a shit about privacy. So you punish them with some busy work and that busy work might lead to interesting discoveries about data abuses. Of course this only works in the EU and also only works with entities that have collected your personal data non-anonymously.

Is this Instance Down? coffeeClean • 7 months ago • 83%

tested from tor. Also reported down by downinspector.com. BTW, downinspector.com is the only Cloudflare-free service of its kind, but it’s notable that noscript reports XSS scripting attempts via Google. (edit) it came back online yesterday.

Fight For Privacy coffeeClean • 7 months ago • 88%

Language is important. The corporate propagandists are winning the language branding battle. In fact there is no battle because the pushover public just accepts their terms. We need to organize and define their garbage with our terms. E.g. * (**smart → dependent**) Homes and appliances *dependent* on a corporation and contract are perversely called *smart*. So we should refer to them as “contract-dependent” or simply “dependent”. It’s not a smart dryer or doorbell, it’s a *dependent* dryer or doorbell. Probably makes no progress to mess with “smartphone”, but anything that has an avoidable and needless dependency needs renaming. (smartphone is debatable.. maybe a degoogled or Postmarket OS phone is a smartphone while a stock Android is a dependent phone, but let’s not get too carried away). Initially it’s not effective to just start saying “dependent washer” because readers won’t understand. Say “‘smart’ (read: dependent) washer”. Credit for this terminology goes to [@dannym@lemmy.escapebigtech.info](https://lemmy.escapebigtech.info/u/dannym) for [this post](https://lemmy.escapebigtech.info/post/7395), which gives a bit [more detail](https://escapebigtech.info/posts/dependent-devices-are-not-smart/). * (**Meta→Facebook**) Meta hi-jacks a common English word to benefit a surveillance advertiser. We can’t allow this. IMO *Facebook* is understood and clear enough, but note that it’s not technically accurate because Meta is a parent company which has Facebook and Threads as subsidiaries IIUC (just like Alphabet owns Google). * (**Threads→fbThreads™/®?**) Since Threads is the original name of Facebook’s forum, there is no unambiguous past name to cling to. We must invent something here. Fuck those egocentric self-centered asshole fucks for hi-jacking a generic common word to describe their service. There are already confusing conversations where it’s unclear from context if someone means FB’s Threads or a generic forum (threads). It’s not just a confusion problem.. when you refer to a thread in the generic sense and it is understood, there is still a subconcious tie to that shitty company.. their brand benefits from conversation that does not even involve their brand. * (**X→Twitter**) This is an easy one. Just keep with the old term. * (**Cloudflare→CF walled garden**) I’ve not encountered a replacement term for Cloudflare that’s not overly hyperbolic. But we can often incorporate “walled garden” and “centralized” to stress the issues. Instead of just saying “it’s a Cloudflare site”, say some variant of “the site is jailed in Cloudflare’s exclusive centralized access-restricted discriminatory walled garden contrary to netneutrality principles of access equality”. It’s worth nothing that hyperbole doesn’t help. E.g. we might want: * Meta/Facebook→Fakebook * Microsoft Windows→Microsnot Winblows The problem is these terms are only accepted by fully committed digital rights folks. That’s not the crowd that needs to be swayed. Hyperbole does not catch on with moderates - the masses where it’s most important for rebranding to take hold. Good rebranding doesn’t deviate too much from neutrality. * (**user→pawn**) Exceptionally, I refer to “users” of surveillance capitalists as “pawns”. It’s probably too edgy to catch on, but it is what it is. *Users* is neutral and understood so it can’t easily be rebranded anyway. I will just say pawns to stress the point: who is using who? Anyway, this is just the start of a crowd-sourcing effort. Please contribute more rebrandings in this thread as well as improved alternatives to my effort above.

Fight For Privacy coffeeClean • 7 months ago • 64%

Suppose you’re fed up with being video surveilled in public and you object to your neighbor placing your home under 24/7 video surveillance which is fed to a surveillance advertiser (#Amazon). Or you want to kill the video surveillance [in vending machines](https://infosec.pub/comment/6866300). laser --- Is it practical and affordable to buy laser that can reach across the street and still have enough focus and power to burn a CCD? Can it be done from different angles without the CCD capturing the source before the damage manifests? There is some chatter [here](https://laserpointerforums.com/threads/do-i-destroy-the-ccd-in-the-camera-if-i-shine-directly-in-to-it.56824/) on power levels. Of course it must be precisely controllable as well; obviously no one wants to inadvertently hit an eyeball and blind someone. Which I suppose implies that the laser either needs a well calibrated scope or it needs to be in the visible spectrum so you can see where it lands. I would really love it if someone would rig up a drone to do this, which could then go down the street and knock out many Amazon Rings. cyber attack --- (Amazon Ring only) A simple cyber attack: if you can find out (social engineer?) the username of the Ring pawn¹, you can deliberately submit wrong passwords until the acct locks. When an Amazon account is suspended, the doorbell no longer functions. Funnily enough. So people with smart homes must constantly obey Amazon’s wishes if they want their home to continue to function. Would love to see that backfire. But it’s unclear if an account locked due to failed passwords goes into the same state of suspension that breaks the doorbell. I just recall a story where someone’s Amazon account was suspended due to some dispute or misunderstanding with Amazon which then broke their doorbell and probably other “smart” (read: dependent) appliances to go out of service. 1) I don’t say “user” because they are *being used by* Amazon. That means they are a “pawn”.

I bought a Silicondust HD Homerun back before they put their website on Cloudflare. I love the design of having a tuner with a cat5 port, so the tuner can work with laptops and is not dependent on being installed into a PC. But now that Silicondust is part of Cloudflare, I will no longer buy their products. I do not patronize Cloudflare patrons. I would love to have a satellite tuner in a separate external box that: * tunes into free-to-air content * has a cat5 connection * is MythTV compatible Any hardware suggestions other than #Silicondust? #AskFedi

cross-posted from: https://infosec.pub/post/8863199 > This post was composed with a link to a Wired article: > > https://lemmy.ohaa.xyz/post/1939209 > > Then in a separate step, the article was edited and an image was uploaded. The URL of the local image unexpectedly replaced the URL of the article. Luckily I noticed the problem before losing track of the article URL.

This post was composed with a link to a Wired article: https://lemmy.ohaa.xyz/post/1939209 Then in a separate step, the article was edited and an image was uploaded. The URL of the local image unexpectedly replaced the URL of the article. Luckily I noticed the problem before losing track of the article URL.

Public Blue Screens Of Death coffeeClean • 7 months ago • 98%

“Only because of that official investigation did Canadians learn that ‘over 5 million nonconsenting Canadians’ were scanned into Cadillac Fairview's database”. Wow. This Wired article is contradictory. The spokesperson says: “an individual person cannot be identified using the technology in the machines. The technology acts as a motion sensor that detects faces, so the machine knows when to activate the purchasing interface” I suppose it’s possible that a sloppy developer would name an executable `Invenda.Vending.FacialRecognitionApp.exe` which merely senses the presence of a face. But it seems like a baldfaced lie when you consider that: “Invenda sales brochures that promised ‘the machines are capable of sending estimated ages and genders’ of every person who used the machines—without ever requesting consent.” Boycott Mars --- I already boycott Mars because they are a GMA member and they spent ~$500k lobbying against #GMO labeling -- and they have been blackballed for using child slave labor -- and Mars supports Russia. This is another good reason to #boycottMars. Update --- Apparently a [LemmyBug](https://infosec.pub/post/8863199) replaced the article URL with a picture URL. The article is here: https://www.wired.com/story/facial-recognition-vending-machine-error-investigation/ The vending machine pic is here: https://infosec.pub/pictrs/image/2041d717-7cd7-4393-94f3-96aa87817aa7.jpeg

Is this Instance Down? coffeeClean • 7 months ago • 100%

The mamot.fr website and web client seems to be up for everyone. But for the past few days the #mamot.fr API for 3rd-party apps has been unreachable. Unverified: whether Tor is a factor. It would be interesting to hear from a non-Tor user if they can reach #MamotFR from a 3rd party app. update --- mamot.fr has been unreliable for 2 weeks now for API access as well as normal web access. It’s hit or miss. Sometimes it’s up, sometimes down, slow to load, and slow to login. I’m on Tor every time so it could be some kind of tor defensive move. Like tar-pitting. I guess at this point we should consider this problem permanent. It’s much less convenient to use now.

Is this Instance Down? coffeeClean • 7 months ago • 87%

The following fedi instances are perpetually exclusive because they sit inside Cloudflare’s walled garden: * lemmy.world * sh.itjust.works * zerobytes.monster * lemmy·ca * lemm·ee * programming.dev * lemmy.zip If you cannot reach these instances, there are many possible reasons: * you use a VPN * you use a browser Cloudflare discriminates against while also using Tor * you are using a public library PC * your ISP uses CGNAT to allocate your IP address (often in impoverished communities) * you have disabled image loading (because you are visually impaired, or you are on a capped uplink, or you are an environmentalist), which then triggers a false positive for being a robot. * you are a legitimate beneficial bot (Cloudflare treats beneficial bots the same as malicious bots) The listed sites will rarely be down for everyone but will often be unavailable to those in the above mentioned discriminated demographics of people.

Chemistry coffeeClean • 10 months ago • 100%

cross-posted from: https://infosec.pub/post/5276026 > I have a hot water dispenser, which heats the water to the temp you specify, on-the-fly. Sometimes this technology is called “insti-heat”. Instead of filling a kettle and waiting, it pumps water from a tank and heats it inline as fast as it draws it. Likely similar to how Nespresso machines work. > > This means the limescale is hidden in the internal tubes. When descaling solution is put in the tank and the descaling program runs, there are no white chips of limescale like you would get in a water kettle. Yet it seems to be working because after descaling the water flows smoothly (as opposed to coughing and sputtering which is what happens when limescale is built up). > > So it’s a mystery- where did the limescale go? Does it actually dissolve into the descaling solution? I ask because I’d rather not be wasteful.. I’d like to reuse the descaling solution, if that’s sensible.