evenwicht

joined 4 months ago
MODERATOR OF
smartphone_required
text_ui
sorted by: new top controversial old
(PDF neutering) Not all PDFs are documents; some are apps! Insurance company sent me a form to sign as a PDF with ~~JavaScript~~ Java. Is it a tracker? in c/cybersecurity@infosec.pub
[–] evenwicht@lemmy.sdf.org 2 points 4 days ago* (last edited 4 days ago)

Does pdfinfo give any indication of the application used to create the document?

Oracle Documaker PDF Driver
PDF version: 1.3

If it chokes on the Java bit up front, can you extract just the PDF from the file and look at that?

Not sure how to do that but I did just try pdfimages -all which was not useful since it’s a vector PDF. pdfdetach -list shows 0 attachments. It just occurred to me that pdftocairo could be useful as far as a CLI way to neuter the doc and make it useable, but that’s a kind of a lossy meat-grinder option that doesn’t help with analysis.

You might also dig through the PDF a bit using Dider Stevens 's Tools,

Thanks for the tip. I might have to look into that. No readme.. I guess this is a /use the source, Luke/ scenario. (edit: found this).

I appreciate all the tips. I might be tempted to dig into some of those options.

(PDF neutering) Not all PDFs are documents; some are apps! Insurance company sent me a form to sign as a PDF with ~~JavaScript~~ Java. Is it a tracker? in c/cybersecurity@infosec.pub
[–] evenwicht@lemmy.sdf.org 3 points 4 days ago* (last edited 4 days ago)

Your assertion that the document is malicious without any evidence is what I’m concerned about.

I did not assert malice. I asked questions. I’m open to evidence proving or disproving malice.

At some point you have to decide to trust someone. The comment above gave you reason to trust that the document was in a standard, non-malicious format. But you outright rejected their advice in a hostile tone. You base your hostility on a youtube video.

There was too much uncertainty there to inspire trust. Getoffmylan had no idea why the data was organised as serialised java.

You should read the essay “on trusting trust” and then make a decision on whether you are going to participate in digital society or live under a bridge with a tinfoil hat.

I’ll need a more direct reference because that phrase gives copious references. Do you mean this study? Judging from the abstract:

To what extent should one trust a statement that a program is free of Trojan horses? Perhaps it is more important to trust the people who wrote the software.

I seem to have received software pretending to be a document. Trust would naturally not be a sensible reaction to that. In the infosec discipline we would be incompetent fools to loosely trust whatever comes at us. We make it a point to avoid trust and when trust cannot be avoided we seek justfiication for trust. We have a zero-trust principle. We also have the rule of leaste privilige which means not to extend trust/permissions where it’s not necessary for the mission. Why would I trust a PDF when I can take steps to access the PDF in a way that does not need excessive trust?

The masses (security naive folks) operate in the reverse-- they trust by default and look for reasons to distrust. That’s not wise.

In Canada, and elsewhere, insurance companies know everything about you before you even apply, and it’s likely true elsewhere too.

When you move, how do they find out if you don’t tell them? Tracking would be one way.

Privacy is about control. When you call it paranoia, the concept of agency has escaped you. If you have privacy, you can choose what you disclose. What would be good rationale for giving up control?

Even if they don’t have personally identifiable information, you’ll be in a data bucket with your neighbours, with risk profiles based on neighbourhood, items being insuring, claim rates for people with similar profiles, etc. Very likely every interaction you have with them has been going into a LLM even prior to the advent of ChatGPT, and they will have scored those interactions against a model.

If we assume that’s true, what do you gain by giving them more solid data to reinforce surreptitious snooping? You can’t control everything but It’s not in your interest to sacrifice control for nothing.

But what you will end up doing instead is triggering fraudulent behaviour flags. There’s something called “address fraud”, where people go out of their way to disguise their location, because some lower risk address has better rates or whatever.

Indeed for some types of insurance policies the insurer has a legitimate need to know where you reside. But that’s the insurer’s problem. This does not rationalize a consumer who recklessly feeds surreptitious surveillance. Street wise consumers protect themselves of surveillance. Of course they can (and should) disclose their new address if they move via proper channels.

Why? Because someone might take a vacation somewhere and interact from another state. How long is a vacation? It’s for the consumer to declare where they intend to live, e.g. via “declaration of domicile”. Insurance companies will harrass people if their intel has an inconsistency. Where is that trust you were talking about? There is no reciprocity here.

When you do everything you can to scrub your location, this itself is a signal that you are operating as a highly paranoid individual and that might put you in a bucket.

Sure, you could end up in that bucket if you are in a strong minority of street wise consumers. If the insurer wants to waste their time chasing false positives, the time waste is on them. I would rather laugh at that than join the street unwise club that makes the street wise consumers stand out more.

(Europe) Bank shut down its website and forced everyone to use its app in c/smartphone_required@lemmy.sdf.org
[–] evenwicht@lemmy.sdf.org 3 points 4 days ago

It’s interesting to note that some research “discovered thousands of vulnerabilities in 693 banking apps, which indicates these apps are not as secure as we expected.”

(PDF neutering) Not all PDFs are documents; some are apps! Insurance company sent me a form to sign as a PDF with ~~JavaScript~~ Java. Is it a tracker? in c/cybersecurity@infosec.pub
[–] evenwicht@lemmy.sdf.org 6 points 4 days ago* (last edited 4 days ago) (3 children)

Don’t Canadian insurance companies want to know where their customers are? Or are the Canadian privacy safeguards good on this?

In the US, Europe (despite the GDPR), and other places, banks and insurance companies snoop on their customers to track their whereabouts as a normal common way of doing business. They insert surreptitious tracker pixels in email to not only track the fact that you read their msg but also when you read the msg and your IP (which gives whereabouts). If they suspect you are not where they expect you to be, they take action. They modify your policy. It’s perfectly legal in the US to use sneaky underhanded tracking techniques rather than the transparent mechanism described in RFC 2298. If your suppliers are using RFC 2298 and not involuntary tracking mechanisms, lucky you.

(PDF neutering) Not all PDFs are documents; some are apps! Insurance company sent me a form to sign as a PDF with ~~JavaScript~~ Java. Is it a tracker? in c/cybersecurity@infosec.pub
[–] evenwicht@lemmy.sdf.org 14 points 4 days ago* (last edited 4 days ago) (6 children)

You’re kind of freaking out about nothing.

I highly recommend Youtube video l6eaiBIQH8k, if you can track it down. You seem to have no general idea about PDF security problems.

And I’m not sure why an application would output a pdf this way. But there’s nothing harmful going on.

If you can’t explain it, then you don’t understand it. Thus you don’t have answers.

It’s a bad practice to just open a PDF you did not produce without safeguards. Shame on me for doing it.. I got sloppy but it won’t happen again.

50
(PDF neutering) Not all PDFs are documents; some are apps! Insurance company sent me a form to sign as a PDF with ~~JavaScript~~ Java. Is it a tracker? (lemmy.sdf.org)
submitted 4 days ago* (last edited 4 days ago) by evenwicht@lemmy.sdf.org to c/cybersecurity@infosec.pub
14 comments fedilink
 

cross-posted from: https://lemmy.sdf.org/post/24645301

They emailed me a PDF. It opened fine with evince and looked like a simple doc at first. Then I clicked on a field in the form. Strangely, instead of simply populating the field with my text, a PDF note window popped up so my text entry went into a PDF note, which many viewers present as a sticky note icon.

If I were to fax this PDF, the PDF comments would just get lost. So to fill out the form I fed it to LaTeX and used the overpic pkg to write text wherever I choose. LaTeX rejected the file.. could not handle this PDF. Then I used the file command to see what I am dealing with:

$ file signature_page.pdf
signature_page.pdf: Java serialization data, version 5

WTF is that? I know PDF supports JavaScript (shitty indeed). Is that what this is? “Java” is not JavaScript, so I’m baffled. Why is java in a PDF? (edit: explainer on java serialization, and some analysis)

My workaround was to use evince to print the PDF to PDF (using a PDF-building printer driver or whatever evince uses), then feed that into LaTeX. That worked.

My question is, how common is this? Is it going to become a mechanism to embed a tracking pixel like corporate assholes do with HTML email?

I probably need to change my habits. I know PDF docs can serve as carriers of copious malware anyway. Some people go to the extreme of creating a one-time use virtual machine with PDF viewer which then prints a PDF to a PDF before destroying the VM which is assumed to be compromised.

My temptation is to take a less tedious approach. E.g. something like:

$ firejail --net=none evince untrusted.pdf

I should be able to improve on that by doing something non-interactive. My first guess:

$ firejail --net=none gs -sDEVICE=pdfwrite -q -dFIXEDMEDIA -dSCALE=1 -o is_this_output_safe.pdf -- /usr/share/ghostscript/*/lib/viewpbm.ps untrusted_input.pdf

output:

Error: /invalidfileaccess in --file--
Operand stack:
   (untrusted_input.pdf)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1990   1   3   %oparray_pop   1989   1   3   %oparray_pop   1977   1   3   %oparray_pop   1833   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--
Dictionary stack:
   --dict:769/1123(ro)(G)--   --dict:0/20(G)--   --dict:87/200(L)--   --dict:0/20(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 10479
GPL Ghostscript 10.00.0: Unrecoverable error, exit code 1

What’s my problem? Better ideas? I would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.

(note: I also wonder what happens when Firefox opens this PDF considering Mozilla is happy to blindly execute whatever code it receives no matter the context.)

1
(PDF neutering) Not all PDFs are documents; some are apps! Insurance company sent me a form to sign as a PDF with JavaScript. Is it a tracker? (lemmy.sdf.org)
submitted 4 days ago* (last edited 4 days ago) by evenwicht@lemmy.sdf.org to c/paperless@sopuli.xyz
0 comments fedilink
 

They emailed me a PDF. It opened fine with evince and looked like a simple doc at first. Then I clicked on a field in the form. Strangely, instead of simply populating the field with my text, a PDF note window popped up so my text entry went into a PDF note, which many viewers present as a sticky note icon.

If I were to fax this PDF, the PDF comments would just get lost. So to fill out the form I fed it to LaTeX and used the overpic pkg to write text wherever I choose. LaTeX rejected the file.. could not handle this PDF. Then I used the file command to see what I am dealing with:

$ file signature_page.pdf
signature_page.pdf: Java serialization data, version 5

WTF is that? I know PDF supports JavaScript (shitty indeed). Is that what this is? My workaround was to use evince to print the PDF to PDF (using a PDF-building printer driver or whatever evince uses), then feed that into LaTeX. That worked.

My question is, how common is this? Is it going to become a mechanism to embed a tracking pixel like corporate assholes do with HTML email?

I probably need to change my habits. I know PDF docs can serve as carriers of copious malware anyway. Some people go to the extreme of creating a one-time use virtual machine with PDF viewer which then prints a PDF to a PDF before destroying the VM which is assumed to be compromised.

My temptation is to take a less tedious approach. E.g. something like:

$ firejail --net=none evince untrusted.pdf

I should be able to improve on that by doing something non-interactive. My first guess:

$ firejail --net=none gs -sDEVICE=pdfwrite -q -dFIXEDMEDIA -dSCALE=1 -o is_this_output_safe.pdf -- /usr/share/ghostscript/*/lib/viewpbm.ps untrusted_input.pdf

output:

Error: /invalidfileaccess in --file--
Operand stack:
   (untrusted_input.pdf)   (r)
Execution stack:
   %interp_exit   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   false   1   %stopped_push   1990   1   3   %oparray_pop   1989   1   3   %oparray_pop   1977   1   3   %oparray_pop   1833   1   3   %oparray_pop   --nostringval--   %errorexec_pop   .runexec2   --nostringval--   --nostringval--   --nostringval--   2   %stopped_push   --nostringval--   --nostringval--   --nostringval--   %array_continue   --nostringval--
Dictionary stack:
   --dict:769/1123(ro)(G)--   --dict:0/20(G)--   --dict:87/200(L)--   --dict:0/20(L)--
Current allocation mode is local
Last OS error: Permission denied
Current file position is 10479
GPL Ghostscript 10.00.0: Unrecoverable error, exit code 1

What’s my problem? Better ideas? I would love it if attempts to reach the cloud could be trapped and recorded to a log file in the course of neutering the PDF.

Requiring ink to scan a document—yet another insult from the printer industry in c/technology@lemmy.ml
[–] evenwicht@lemmy.sdf.org 1 points 4 days ago

Also worth noting Brother uses that trick where empty cartridges are detected by a laser which is exactly not positioned as low on the cartridge as it could be, forcing people to toss not-so-empty cartridges.

BTW, regarding the trackers dots I’ll drop a link here for anyone who wants to verify Brother’s role in it:

https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots

Requiring ink to scan a document—yet another insult from the printer industry in c/technology@lemmy.ml
[–] evenwicht@lemmy.sdf.org 1 points 4 days ago (1 children)

Another reason to use inkjets: GHG footprint. Inkjets use far less energy than lasers. It’s a shame we have to choose between ecocide and tricks and traps.

The only no-compromise path I see is to pull an inkjet from the dumpster, fix it, and refill the cartridges with homemade “ink” from spent coffee grounds and tea.

military industrial publishing complex in c/science_memes@mander.xyz
3
edits silently discarded → data loss; stock front-end is buggy in general (lemmy.sdf.org)
 

I’ve noticed this problem on infosec.pub as well. If I edit a post and submit, the form is accepted but then the edits are simply scrapped. When I re-review my msg, the edits did not stick. This is a very old Lemmy bug I think going back over a year, but it’s bizarre how it’s non-reproducable. Some instances never have this problem but sdf and infosec trigger this bug unpredictably.

0.19.3 is currently the best Lemmy version but it still has this bug (just as 0.19.5 does). A good remedy would be to install an alternative front end, like alexandrite.

4
nationbuilder.com blocks Tor, yet no one is exposing this anti-democratic issue. More activists needed! (lemmy.sdf.org)
 

Political parties around the world have flocked to nationbuilder.com for some reason. This tor-hostile Cloudflare site is blocking Tor users from accessing election info. This kind of sloppy lazy web administration is common.

But what’s a bit disturbing is that when I contact a political party to say I cannot reach their page because of the nationbuilder block page, they sound surprised, like it’s the first time they are hearing about web problems. So Tor users are lazy too. That’s the problem.

Just dodged a tracker pixel (I think) -- thanks to a test-based mail client and Tor in c/tor@infosec.pub
[–] evenwicht@lemmy.sdf.org 2 points 1 week ago

Question answered in the parent thread:

https://lemmy.sdf.org/comment/15364720

when a server pushes a 403, it still sees the full URL that was attempted.

6
Just dodged a tracker pixel (I think) -- thanks to a test-based mail client and Tor (lemmy.sdf.org)
 

cross-posted from: https://lemmy.sdf.org/post/24375297

Tracker pixels are surprisingly commonly used by legitimate senders.. your bank, your insurance company, any company you patronize. These assholes hide a 1-pixel image in HTML that tracks when you open your email and your IP (thus whereabouts).

I use a text-based mail client in part for this reason. But I got sloppy and opened an HTML attachment in a GUI browser without first inspecting the HTML. I inspected the code afterwards. Fuck me, I thought.. a tracker pixel. Then I visited just the hostname in my browser. Got a 403 Forbidden. I was happy to see that. Can I assume these idiots shot themselves in the foot with a firewall Tor blanket block? Or would the anti-tor firewall be smart enough to make an exception for tracker pixel URLs?

1
Just dodged a tracker pixel (I think) -- thanks to a text-based mail client and Tor (lemmy.sdf.org)
submitted 1 week ago* (last edited 1 week ago) by evenwicht@lemmy.sdf.org to c/text_ui@lemmy.sdf.org
0 comments fedilink
 

Tracker pixels are surprisingly commonly used by legitimate senders.. your bank, your insurance company, any company you patronize. These assholes hide a 1-pixel image in HTML that tracks when you open your email and your IP (thus whereabouts).

I use a text-based mail client in part for this reason. But I got sloppy and opened an HTML attachment in a GUI browser without first inspecting the HTML. I inspected the code afterwards. Fuck me, I thought.. a tracker pixel. Then I visited just the hostname in my browser. Got a 403 Forbidden. I was happy to see that. Can I assume these idiots shot themselves in the foot with a firewall Tor blanket block? Or would the anti-tor firewall be smart enough to make an exception for tracker pixel URLs?

16
To what extent does AAA fund pro-car lobbyists? Is AAA overall harmful? (lemmy.sdf.org)
submitted 1 week ago* (last edited 1 week ago) by evenwicht@lemmy.sdf.org to c/urbanism
1 comments fedilink
 

A home insurance policy offers a discount to AAA members. The discount is the same amount as the cost of membership. I so rarely use a car or motorcycle that I would not benefit significantly from a roadside assistence plan. I cycle. But there are other discounts for AAA membership, like restaurant discounts. So my knee-jerk thought was: this is a no-brainer… I’m getting some benefits for free, in effect, so it just makes sense to get the membership.

Then I dug into AAA a bit more. The wiki shows beneficial and harmful things AAA has done. From the wiki, these points stand out to me:

AAA blamed pedestrians for safety problems“As summarized by historian Peter Norton, "[AAA] and other members of motordom were crafting a new kind of traffic safety effort[. ...] It claimed that pedestrians were just as responsible as motorists for injuries and accidents. It ignored claims defending the historic rights of pedestrians to the streets—in the new motor age, historic precedents were obsolete.”

AAA fights gasoline tax“Skyrocketing gas prices led AAA to testify before three Congressional committees regarding increased gasoline prices in 2000, and to lobby to prevent Congress from repealing parts of the federal gasoline tax, which would have reduced Highway Trust Fund revenue without guaranteeing consumers any relief from high gas prices.”

AAA fights mass transit“Despite its work promoting environmental responsibility in the automotive and transportation arenas, AAA's lobbying positions have sometimes been perceived to be hostile to mass transit and environmental interests. In 2006, the Automobile Club of Southern California worked against Prop. 87. The proposition would have established a "$4 billion program to reduce petroleum consumption (in California) by 25 percent, with research and production incentives for alternative energy, alternative energy vehicles, energy efficient technologies, and for education and training."”

(edit) AAA fights for more roads and fought against the Clean Air ActDaniel Becker, director of Sierra Club's global warming and energy program, described AAA as "a lobbyist for more roads, more pollution, and more gas guzzling."[86] He observed that among other lobbying activities, AAA issued a press release critical of the Clean Air Act, stating that it would "threaten the personal mobility of millions of Americans and jeopardize needed funds for new highway construction and safety improvements."[86] "AAA spokespeople have criticized open-space measures and opposed U.S. EPA restrictions on smog, soot, and tailpipe emissions."[87] "The club spent years battling stricter vehicle-emissions standards in Maryland, whose air, because of emissions and pollution from states upwind, is among the nation's worst."[88] As of 2017, AAA continues to lobby against public transportation projects.

Even though the roadside assistence is useless to me, the AAA membership comes with 2 more memberships. So I could give memberships to 2 family members and they would benefit from it. But it seems I need to drop this idea. AAA seems overall doing more harm than good.

AAA is a federation:It’s interesting to realize that AAA is not a single org. It is a federation of many clubs. Some states have more than one AAA club. This complicates the decision a bit because who is to say that specific club X in state Y spent money fighting the gas tax or fighting mass transit? Is it fair to say all clubs feed money to the top where federal lobbying happens?

(edit) And doesn’t it seem foolish to oppose mass transit even from the selfish car driver standpoint? If you drive a car, other cars are in your way slowing you down and also increasing your chances of simultaneously occupying the same space (crash). Surely you would benefit from others switching from car to public transport to give you more road space. It seems to me the anti mass transit move is AAA looking after it’s own interest in having more members paying dues.

Will AAA go the direction of the NRA?Most people know the NRA today as an evil anti gun control anti safety right wing org. It was not always that way. The NRA used to be a genuine force of good. It used to truly advocate for gun safety. Then they became hyper politicized and perversely fought for gun owner rights to the extreme extent of opposing gun safety. I wonder if AAA might take the same extreme direction as NRA, as urban planners increasingly come to their senses and start to realize cars are not good for us. Instead of being a force of saftey, AAA will likely evolve into an anti safety org in the face of safer-than-cars means of transport. (Maybe someone should start a counter org called “Safer than Cars Alliance” or “Better than Cars Alliance”)

I also noticed most AAA club’s websites block Tor. So the lack of privacy respect just made my decision to nix them even easier.

Georgia republican AG claims not carrying a smartphone makes you a criminal in c/privacy@links.hackliberty.org
[–] evenwicht@lemmy.sdf.org 4 points 3 weeks ago (1 children)

!smartphone_required@lemmy.sdf.org captures these kinds of cases. @FoxyFerengi@lemm.ee, if you know of any situations where your prof faced difficulty for not having a smartphone, consider posting about it there.

[solved] Help reducing map detail. App worked for yrs but suddently got into an extreme detail mode that causes copious chronic crashes in c/osmand@lemmy.ml
[–] evenwicht@lemmy.sdf.org 2 points 3 weeks ago* (last edited 3 weeks ago) (1 children)

Ah, interesting point. I didn’t realise the devs were Russian. That might explain this issue as well:

https://github.com/osmandapp/OsmAnd/issues/15927

OSMand is so glitchy and crash prone it would be useful to know which features are more inclined to hog resources, since resource insufficiency seems to be the reason for crashes. Things like the animation boolean and Kalman filter. I’m not sure if I should avoid those features.

For one person it crashes on long routes. For me a long route is more likely to have crashes just because the app must run for longer. My workaround is to save every route as a track before starting, so every time it crashes I don’t have to wait to recalculate the route (but I have to keep my eyes on the screen).

4
[solved] Help reducing map detail. App worked for yrs but suddently got into an extreme detail mode that causes copious chronic crashes (lemmy.sdf.org)
submitted 3 weeks ago* (last edited 3 weeks ago) by evenwicht@lemmy.sdf.org to c/osmand@lemmy.ml
3 comments fedilink
 

OSMand used to only crash 1 or 2 times per trip. It was usable enough. Now recently something changed with my config somehow and it shows extreme detail no matter how zoomed out I am. Every tiny street is being rendered. This is killing the app. It crashes so chronically it’s unusable.

Anyone know how to control this?

In “configure map” I have disabled everything except cycling routes. The “details” shows 0/9, which apparently only configures objects, not street details.

(edit) I think the “map magnifier” might be the issue. It was at 25% (the lowest), which I would intuitively think means less road detail. But it’s apparently counter-intuitive. I chose 100% and I seem to get less map detail -- which is what I need because the more detail, the more crashes. So I might have solved this.. need to experiment.

fetchmail logs showing a Tor exit node is compromised in c/tor@infosec.pub
[–] evenwicht@lemmy.sdf.org 1 points 1 month ago

Thanks for the tip. The info would be gone now but I’ll try that next time it happens.

5
fetchmail logs showing a Tor exit node is compromised (lemmy.sdf.org)
16
fetchmail logs showing a Tor exit node is compromised (lemmy.sdf.org)
submitted 1 month ago* (last edited 1 month ago) by evenwicht@lemmy.sdf.org to c/cybersecurity@infosec.pub
0 comments fedilink
 

This is what my fetchmail log looks like today (UIDs and domains obfuscated):

fetchmail: starting fetchmail 6.4.37 daemon
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server4.com: SSL connection failed.
fetchmail: socket error while fetching from user4@server4.com@server4.com
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server3.com: SSL connection failed.
fetchmail: socket error while fetching from user3@server3.com@server3.com
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server2.com: SSL connection failed.
fetchmail: socket error while fetching from user2@server2.com@server2.com
fetchmail: Query status=2 (SOCKET)
fetchmail: Server certificate verification error: self-signed certificate in certificate chain
fetchmail: Missing trust anchor certificate: /C=US/O=Let's Encrypt/CN=R3
fetchmail: This could mean that the root CA's signing certificate is not in the trusted CA certificate location, or that c_rehash needs to be run on the certificate directory. For details, please see the documentation of --sslcertpath and --sslcertfile in the manual page. See README.SSL for details.
fetchmail: OpenSSL reported: error:0A000086:SSL routines::certificate verify failed
fetchmail: server1.com: SSL connection failed.
fetchmail: socket error while fetching from user1@server1.com@server1.com
fetchmail: Query status=2 (SOCKET)

In principle I should be able to report the exit node somewhere. But I don’t even know how I can determine which exit node is the culprit. Running nyx just shows some of the circuits (guard, middle, exit) but I seem to have no way of associating those circuits with fetchmail’s traffic.

Anyone know how to track which exit node is used for various sessions? I could of course pin an exit node to a domain, then I would know it, but that loses the benefit of random selection.

1
(US) Users of text-based mail clients can legally penalize corporate senders who send HTML-only e-mail (possible legal theory) (lemmy.sdf.org)
submitted 1 month ago* (last edited 1 month ago) by evenwicht@lemmy.sdf.org to c/text_ui@lemmy.sdf.org
0 comments fedilink
 

cross-posted from: https://lemmy.sdf.org/post/22571649

According to 15 U.S.C. 7704 §5(a)(5):

INCLUSION OF IDENTIFIER, OPT-OUT, AND PHYSICAL ADDRESS IN COMMERCIAL ELECTRONIC MAIL.—

(A) It is unlawful for any person to initiate the transmission of any commercial electronic mail message to a protected computer unless the message provides—

(i) clear and conspicuous identification that the message is an advertisement or solicitation;
(ii) clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and
(iii) a valid physical postal address of the sender.

When my text-based mail client receives an HTML-only email message, it tries to render the HTML as text. It’s sometimes a jumbled up unreadable heap of garbage because the HTML is malformed and relies on a forgiving/tolerant rendering engine. Even when the HTML is proper and standards compliant, links are not exposed to text rendered. E.g. a msg will say “to unsubscribe and stop receiving emails, update preferences here.”

Where is “here”? That is just raw text. Sure, an advanced user can do a number of things to dig up that link. But I doubt that would pass the legal standard of “clear and conspicuous”.

Anyone have confidence either way whether HTML-only spam is legally actionable on this basis?

view more: next ›