@Decentralize_today @particl particl.io looks interesting for sure

@resist1984
That said I've just cancelled my Amazon Audible and Prime subscription and will be looking for alternative so I'm not coming to this blind...just interested in your perspective?

@jubes i'm not real sure what Amazon Audible is. Looks like audio books from a quick glance. Libraries have those at no cost, but I don't know of an online resource off the top of my head. Sometimes my boycott withstands even when there is no alternative.

@jubes I've never had Prime myself, but my understanding is that it gives free/fast shipping & streaming. The shipping can just be tossed b/c it's only for Amazon shopping anyway. Perhaps #Hulu is a decent streaming replacement (I boycott #Netflix also). Don't overlook free broadcast.. there are less commercials on free broadcast these days than cable/satellite.

@jubes also, #MythTV is a great free s/w package to record broadcast TV and cut out what few commercials there are.

@Obscurequokka @jubes I #boycott #MACFANG (#Microsoft #Amazon #CloudFlare #Facebook #Apple #Netflix #Google). I think #Netflix is commonly boycotted b/c it imposes DRM & the DRM is an exclusive MS technology which excludes some platforms.

@jubes @Obscurequokka I also have a strong distaste for #Netflix exclusive content, which is an anti-competitive practice of blocking films from being sold outside the Netflix ecosystem. I'm not even sure how it's legal.

@Obscurequokka @jubes An environmental problem also emerges from #Netflix. Netflix collaborates with #Roku on designed obsolescence, enabling Roku to force consumers to toss their old smartTVs into the landfill and buy new hardware, needlessly. It's all enabled by a coupling of DRM w/proprietary tech.

@resist1984 @jubes @Obscurequokka Doesn't your reasons for boycotting Amazon apply to most other streaming services?

Also if you need something to listen to instead of Audible, I've got some recommendations: https://adrian.geek.nz/movies

@alcinnz @Obscurequokka @jubes My approach is always to patronize the lesser of evils. For streaming, #Amazon is the most evil choice and #Netflix is the 2nd most evil, I find, so they are both off the table. I'm not subscribed to any streaming myself (I live with subscribers). If I were in the market I'd be doing more research on it.

@resist1984 @Obscurequokka @jubes Similar here, when I visit my parents I usually end up watching Netflix or something. Usually something special like Jojo Rabbit or Marx Brothers to tempt me away from my boycott.

Are Marx Brothers public domain yet?

@alcinnz @jubes @Obscurequokka i'm not sure you can count on anything expiring into public domain, considering the Micky Mouse shenanigans of making a slight change to renew copyright. But I've noticed public broadcast TV airs commercial-free films from the 50s & 60s.

@Obscurequokka @jubes @alcinnz A useful option in your situation might be to setup kodi with a plugin at your parent's place to save Netflix content for later viewing. Note that I boycott #Kodi by extension from the #CloudFlare boycott. But Kodi could facilitate a partial Netflix boycott where you drop Netflix for a stretch of time and watch past downloads.

@resist1984 @Obscurequokka @jubes I don't know if I can convince them. We used to use Kodi.

I'll just keep checking out what the other options are, and see if I can hopefully find something non-DRM'd that interests them.

This boycott certainly delivers a clearer picture of how marketting influences us!

@resist1984
@alcinnz @Obscurequokka
Thanks for the inspiring input all. It's certainly given me food for thought. A lot of services use at least one of AWS, GCP or Azure cloud platforms thus would you extend a boycott of Amazon to all services that use AWS for example?

@jubes @Obscurequokka @alcinnz I do extend my #Amazon boycott to customers of Amazon (e.g. Github, #Reddit, & DuckDuckGo), but I'm not diligent enough to avoid every news article that's Amazon-hosted, largely because the #CloudFlare boycott kills a big enough portion of the web.

@resist1984
@Obscurequokka @alcinnz
Ok and what's the end goal or ideal? i.e. boycott them until?

@jubes @alcinnz @Obscurequokka I boycott them until they become the lesser of evils -- which likely means forever.

@Obscurequokka @alcinnz @jubes I should also say that when shopping for a product or service, price & quality ("value") is lower priority for me than the ethical standing of the supply chain. So I do what I can as a consumer to make it a competition of ethics rather than a competition of value.

@jubes @alcinnz @Obscurequokka If Nestle chocolate where both the cheapest and also the highest quality chocolate, even then I still would not buy it because child slaves in the Ivory Coast have been found in #Nestle's supply chain. Nestle refuses responsibility, points the finger, and also fights transparency, amid other things like the CEO saying drinking water is not a right. So I won't buy Nespresso.

@jubes
I haven't tried it, but libro.fm might be an audiobook option
@resist1984

@jubes have a look at the #Amazon pull-down here: https://codeberg.org/swiso/website/issues/141

@jubes Another reason to #boycott #Amazon: 100 million debit/credit card users leaked from Amazon's credit card processor (who foolishly used AWS to store the data):

@jubes Note that Amazon failed to learn from their 2018 Amazon breach: https://www.medianama.com/2018/07/223-data-buckets-with-personal-info-from-swiggy-health-startup-and-others-exposed/

@resist1984 @jubes #CapitalOne also suffered a #databreach for trusting Amazon #AWS with sensitive data. And more importantly, #Liberapay foolishly continues to trust AWS w/financial data with full-throated defense of Amazon despite leaks: https://mastodon.xyz/@Liberapay/104417896428193223

@resist1984 @jubes According to the article most of the actual card info was hashed; here's hoping they didn't use MD5 or something...

@gerowen @jubes i guess the critical question is how much of it was hashed. If just 4 digits were hashed, it would be trivial to hash and compare 10,000 combinations.

@jubes @gerowen i'm assuming all hashes are designed to be fast and simple to compute.. at least, I've not heard of hashes that are deliberately computationally slow.

@resist1984 @jubes @gerowen bcrypt, for instance, is designed to be slow ("bcrypt is an adaptive function: over time, the iteration count can be increased to make it slower", https://en.m.wikipedia.org/wiki/Bcrypt ). So are proof of work functions.

@resist1984 @jubes That's true, and part of the article said the last 4 were visible, which leaves 12 unknown numbers, presumably hashed and hopefully salted as well. Depending on what information was stolen, they might have the salt. Some numbers can also be guessed because certain card types have different patterns. I've noticed when entering card info it'll auto detect Visa/MC before I finish typing. If you know it's MC and have the last 4...

@resist1984 I'm not excusing Amazon's misbehaviours but from a technical perspective I don't think it's foolish, it was either poor design or ignorance. The article posted indicates the leak was from an open S3 buckets which is the end users issue not Amazon's.

@jubes Even if the containers are secure, the financial institutions are still exposing sensitive data to #Amazon. Amazon is big, with untrustworthy insiders, proven by the Capital One #dataleak.

@resist1984 Fair point, but insider threat is a risk which affects all businesses. You can also use standard Public Key Infrastructure to secure data so you don't need to trust Amazon if you're going to use them for storage. In addition, from what I understand the Capital One breach wasn't due to untrustworthy insiders, it was due to a misconfigured Web Application Firewall (ModSecurity) which in turn allowed for Server Side Request Forgery.

@jubes Is Capone, Amazon-Swiggy-Juspay, & Liberapay only using AWS for storage? AWS is also a hosting service, so I thought AWS was where these financial services ran their web server. The Capital One attack was executed by a contractor who worked for Amazon. Perhaps their insider access gave awareness of the malconfig.

@resist1984 I don't know and maybe. My point is, it's not unique to Amazon but I understand the need to make the points into beating sticks.

@jubes #Liberapay uses #CloudFlare (a recipe for disaster in itself), so we're blocked from checking the hosting provider, but Liberapay bluntly states that #AMZN is their hosting provider. It's a given that a service must trust their own insiders, but making a tech giant an insider kills trust particularly given a history of breaches.

@jubes Management loves to outsource b/c when shit hits the fan, finger pointing is a form of job security. It's not good for users though.

@resist1984 Apologise, I'm not sure how to interpret this. As a manager, i'd still be held responsible my "choices". There are also plenty of other reasons why oursourcing is a good thing e.g. reducing overheads if you're a small business.

@jubes It's far easier for a manager to justify the choice to outsource than it is to take responsibility for an internal disaster where you had control over all the moving parts. Managers don't get sacked for the mere decision to outsource, so outsourcing is the /safest/ path.. the path of least risk for a manager's job security.

@jubes As someone worked in the trenches of several fortune 500 corps, I've been forced to interact with incompetent services & poorly designed tools to interface w/those svcs many times. The waste is stark yet hard to quantify mathematically (& if it were quantified there's not generally a path to present it to upper management - such trouble makers risk getting cut loose)

@jubes when a small company outsources to CloudFlare, they're often over-estimating the threat of outsider attack while under-estimating the threat of CF compromise (cloudbleed or CF exploiting the data). And if the threat manifests into a DoS attack, admins usually aren't aware that CF is non-gratis for high traffic.

@jubes I think clever web design can mitigate the perceived need for #CloudFlare. E.g. code image dimensions into the html so the important content can quickly render before the images. Use #SBLAM (#CAPTCHA alternative) on pages with form input. Failing that, CF has competitors that are more worthy, who don't attack your own users as a consequence of their sloppy technique.

@resist1984 I agree that it's useful to be able to know which hosting services a service provider uses to be able to have all the facts and make an informed decision about whether you want to use said service. That said cloudflare does offer some useful protective services thus i'd be interested in knowing how you approach this in the light of hackers etc? I'd also be interested in understanding which economic models you prescibe to which would result in something that isn't a tech giant?

@resist1984 Also assuming the service deals with users in the EU you should be able to find the data processors (GDPR speak) within their documentation.

@jubes I think you are implying that #GDPR compliance is somehow the end of the story. It's an abuse of the spirit that drives the GDPR's data minimization clause. It would be too ambitious for the GDPR to restrict who can be a data processor, so it's important as users to refuse unreasonable data sharing, like that of CloudFlare.

@resist1984 Thanks for your insights, I appreciate it, certainly food for thought.

@jubes When someone reported #Cloudflare-proxied child porn to CF, instead of taking corrective action CF doxxed the person who reported it to the admins running the site that hosted the porn, who then publically smeared the whistle blower to solicit attack on that person. This proves that CF cannot be trusted with sensitive information.

@jubes CF has taken over 10% of the web, which makes them a highly desirable target. And when attacked such as when #cloudbleed happened, the impact is unacceptably devestating. All users on the affected sites had to change their passwords.

@jubes #CloudFlare actually directly and deliberately /reduces/ availability by blocking legitimate Tor users. Availability is the most important security factor and they arbitrarily marginalize users who take steps for their own security, forcing unreasonable exposure.

@jubes the business case for #Liberapay (as a non-profit) is not to maximise profits. An ethics-lacking profit-driven business may use CloudFlare if their bottom line justifies it, but that's not the economic model that #Liberapay users are expecting.

@jubes Non-profit or not, if an org opts to use #CloudFlare amid its huge list of ethical issues (https://codeberg.org/swiso/website/issues/141), ethical users have a duty to condemn it. Users don't have a duty to the bottom line.

@resist1984 Yeah I know. But that's a bit to much for me, cause than I would have to restrict my online behaviour to much with just a very small outcome. E.G. I couldn't use Signal anymore wich I really prefer against Whatsapp to cantact friends that aren't that privacy focused ;)
Also I already moved my repos away from Github cause it's owned by MS, but it would be bad not to support OpenSource projects that are still there. (1/2)

@resist1984 So I do not buy anything from or on amazon (also really good to consume less) and try to convince people to do the same. I also think it's a good idea to help websites/services to stay/get away from amazon instead of boycotting them as well. (2/2)

@techware Actually #Signal is an example of a svc to avoid. See https://github.com/privacytoolsIO/privacytools.io/issues/779 It's impractical & tedious to avoid AWS sites for every news article, but when deciding on a regular service like Signal & Github, it makes sense to hold AWS against them. AWS should be a factor when comparing Signal is #Jami.