local

Stuff posted in this site by me.

JK you’ll be poor even if you attend

Schools often run deficits in normal times; in 2019, nearly 1,000 private colleges were already borderline insolvent. Covid will cause many to shutter for good. It is accounting, not epidemiology, that drives university administrators to push for a rapid return to business as usual, effectively demanding that faculty and staff sacrifice their lives for the financial health of their employer.

Source: The End of the University | The New Republic

You can attend college, the price is death.

Or you could not attend college, in which case the price is poverty.

No change, no peace

As the historian Barry A. Crouch recounts in The Dance of Freedom, Ruby warned that the formerly enslaved were beset by the “fiendish lawlessness of the whites who murder and outrage the free people with the same indifference as displayed in the killing of snakes or other venomous reptiles,” and that “terrorism engendered by the brutal and murderous acts of the inhabitants, mostly rebels,” was preventing the freedmen from so much as building schools.

Source: What Black Lives Matter Has Accomplished – The Atlantic

The Orange Maggaot calls people who support BLM “thugs”, “criminals”, “terrorists”, saying he’ll impose Law and Order however necessary.

White people have always been the ones to terrorize their communities, and those of people they don’t deem acceptable.

The cold cultural war heats up.

Closing quickly, for that matter.

Social networks are universally more restrictive than web pages but also more fun in significant ways, chief amongst them being that more people can participate. What if the rest of the web have that simplicity and immediacy, but without the centralization? What if we could start over?

Source: A clean start for the web – macwright.com

Mozilla is knowingly walking away from any of these options because they’re bitter they could not come to dominate the Web after Firefox helped bring about the downfall of Internet Explorer. Big Tech will not support a reimagining of what the web could be since it will mean less profits. Can’t have that in a capitalist society, now can we?

There’s hope now that the Servo engine is cut loose, but the time window to avoid having a technological cycle (about 30 years or so) be dominated by corporations is closing.

I’m not a predator looking for them either

This article suggests a few techniques for finding personal websites on the Internet.

Source: Hunting the Nearly-Invisible Personal Website

I’m here and I’m not being that quiet either.

It’s not that I’m invisible. It’s that we don’t even figure into the Peasant Internet anymore(1) even though there’s a lot of activity on the twitters, facebooks, and instagrams of this here planet.

(1) Peasant Internet: Those who surf the waves thinking they’re safe in the embrace of social media or corporate firewalls.

Stingy

The last valid comment on this here blargh was in 2008, even though the blog had been running for longer than that.

Time flies when you’re doing other things.

Mind your own business

Anyone who knows me knows that I was among the biggest Apple Evangelists to ever live. Apple was in my DNA.  I believed in Apple’s products, Apple’s services, and Apple’s mission (or at least what …

Source: Dear Apple: Your Services Are No Longer Required. | Low End Mac

I agree with everything they say but this entire fucken thing could have been avoided if someone hadn’t been a nosy person.

I thought of using stronger language but hopefully she knows what her stupidity begat.

Shadow cities, rising

I love NYC. When I first moved to NYC, it was a dream come true. Every corner was like a theater production happening right in front of me. So much personality, so many stories.  Every subculture I loved was in NYC. I could play chess all day and night. I could go to comedy clubs. […]

Source: NYC Is Dead Forever… Here’s Why – James Altucher

Is NYC truly over? For the longest time it was the place to be in this entire planet but now it certainly feels like it’s spiraling downwards, and we say this from my relatively comfortable perch in the Midwest, which does have problems of its own.

City government is still throwing billions into its police department even though nobody living in the city wants that anymore. Nobody likes De Blasio, who keeps thinking salvation will come from somewhere even though Trump has repeatedly said he’s more than willing to let NYC die. NY state government have their own issues, which depend a lot on the economic might of the city. Landlords are about to start throwing themselves off roofs—let them, no one stop them!

It reminds us of Tijuana when I arrived there so long ago. I was told Avenida Revolucion would be teeming with people, people who would be drinking, laughing, partying; usually loud boisterous Americans, yes, but they’d bring along people from all over the world. It all came crashing down on 9/11 and the economy of the city took a big hit when the border closed entirely. After that, there would only be light crowds and those usually on the weekends.

We worked on La Revo for years. We remember. It took nearly a decade for the city to recover, and then that stopped with the cartel drug wars.

Reading this article about NYC reminds me of all of that. It also takes into account the availability of broadband for most everyone, which changes things when you can do your job from anywhere on the planet that has the bandwidth to let you.

Other cities are suffering from the same issues. London is seeing this compounded by Brexit. Hong Kong, compounded by the hostile takeover by PRC. San Francisco, compounded by sky-high rents. With broadband you don’t have to deal with any of these issues; You can now have your dream house in the country and have good wifi.

NYC will recover first but it will take decades.

Never write documentation hangry, e.g. this post

I find I Love MDN demeaning to technical writers. It reminds me of breaking into spontaneous applause for our courageous health workers instead of funding them properly so they can do their jobs.

Source: I Love MDN, or the cult of the free in action – QuirksBlog

Another article related to the fall of Mozilla. Back in the day we relied heavily on quirksmode.org and doing that sort of data mining, collating, writing and publishing is not easy. For a while myself helped out writing documentation for WordPress during the <.09 era and we found out for myself exactly how hard technical writing is. It’s something we’re good at and, more importantly, enjoy. We appreciate the skill, nuance, talent and even luck that goes into writing good documentation.

It is something that we complain about often on teh twitter derp corn; often using ultraviolent language cos most developers are assholes. We’ve mentioned on this here blargh of using vimwiki. Their documentation looks like… actually, not even going to bother with a screenshot because they don’t have anything on their github or wiki that actually says “Documentation”. They take the easy way out and tell you “oh run :h vimwiki in vim”.

No, fuck you, lazy assholes.

Another few great examples of technical writing gone wrong:

  • Pretty much any plugins for vim. Most of them are just the same text file you’d use :h for, except without hyperlinking.
  • VirtualBox coming in with the one-page User Manual
  • Nextcloud, with documentation full of gotchas that should be mentioned prior or during installation, but aren’t.
  • Apple: Documentation? What’s that? Also there never was any documentation here.

Agent J: Move along, nothing to see here

I just had to use a gif for Apple. It’s that bad. Most Android apps don’t have any documentation of any kind whatsoever. Windows applications used to have documentation built-in but now they just direct you to their website, where documentation changes and disappears depending on the A-level goals for the quarter.

There are many more examples out there but these are some of the ones I can think of right now. The gist of it is this kind of thing is hard and people who do it should be paid for it, and if they’re good at it they should be paid well. If a developer doesn’t want to write proper documentation then… they should either have someone do it for them and listen to that feedback, or get their ass handed to them so they get on writing it themselves.

Going to go eat something now before the hunger makes me angrier.

All for a fistful of dollars

FOSS is dead. what now?

Source: Post-Open Source | boringcactus

the gods fucken damnit, Mozilla. This is but one article out of so, so, so many out there that are talking about the death, dearth, and zombification of open source projects. And that’s before we even bring in the tweets.

But sure, those Mozilla Corporation executives deserve millions of dollars so they can preen themselves when they have to prostrate themselves before their capitalist gods making hundreds of times their salaries.

I’ll stick to regular cow’s milk, thanks

What actions has Oatly taken that would make us trust them? They’ve built an incredible marketing engine and raised 100s of millions of dollars convincing you that you should put sugar and vegetable oil into your coffee each morning, while hand-waving away evidence that they’re harming you.

Source: Oatly: The New Coke – Divinations

I personally prefer my coffee without oil but if other people want to do that to theirs, sure, go for it.

dafuq does RSS even mean, seriously

Source: How would I improve RSS? Three ideas (Interconnected)

We rely heavily on RSS to find things to read and keep up with The Noise on the Internet. We also tend to shun newsletters cos RSS is a much better tool for them and en’t nobody got time for yet more email.

We’re aware of other initiatives like JSON Feed but they require re-implementing RSS into something else. Maybe the solution is an evolution of what the protocol currently is?

Start with a proper name for the protocol though. Bonus points if someone figures out how to make it recursive.

Gimme da (expensive) power

Although Fully Homomorphic Encryption makes things possible which otherwise would not be, it comes at a steep cost. Above, we can see charts indicating the additional compute power and memory resources required to operate on FHE-encrypted machine-learning models—roughly 40-50 times the compute and 10-20 times the RAM that would be required to do the same work on unencrypted models.

Source: IBM completes successful field trials on Fully Homomorphic Encryption | Ars Technica

Acquiring and maintaining this much computing power for FHE workloads is fucken expensive and that’s before you even start thinking about energy requirements for running this hardware and then cooling it.

Intel and AMD will be chomping at the bit to make us all buy new hardware though.

And where to now?

No policy, though, would be able to stop the forces — climate, increasingly, among them — that are pushing migrants from the south to breach Mexico’s borders, legally or illegally. So what happens when still more people — many millions more — float across the Suchiate River and land in Chiapas? Our model suggests that this is what is coming — that between now and 2050, nearly 9 million migrants will head for Mexico’s southern border, more than 300,000 of them because of climate change alone.

Source: Where Will Everyone Go?

While this is what a computational model predicts, el Peje doesn’t want to be asked about anything unless it’s about the plane.

As an emigrant I read this and feel anguish for the future that awaits us all. Meanwhile, La Bestia continues its relentless march.

I want a drink and it’s not even 0700 yet

On this here blog I use a few things to help secure everything down and avoid issues, namely, nginx location blocks disallowing access to resources, fail2ban tracking nginx logs to prevent people hammering the server or trying to do improper things, and the “Limit Login Attempts” WP plugin.

A combination of all these broke access with the wordpress mobile app. Ended up having to disable the wordpress fail2ban jail and altering some of the nginx directives.

This is going to be a pain in the ass to debug cos the wordpress app doesn’t have any kind of proper error messaging, urgh.
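One way to see which layer is rejecting the app is to read the nginx access log for it; this is an added example, not part of the original post. The `wp-android`/`wp-iphone` User-Agent markers, the deny status codes, the jail thresholds and every log line are assumptions or constructed samples, and the jail is modelled as one that counts every POST to `xmlrpc.php` or `wp-login.php`.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in nginx "combined" format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2020:06:41:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "wp-android/15.2"
203.0.113.7 - - [12/Jul/2020:06:41:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 398 "-" "wp-android/15.2"
203.0.113.7 - - [12/Jul/2020:06:41:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 1022 "-" "wp-android/15.2"
203.0.113.7 - - [12/Jul/2020:06:41:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 377 "-" "wp-android/15.2"
203.0.113.7 - - [12/Jul/2020:06:41:10 +0000] "GET /wp-json/wp/v2/users/me?context=edit HTTP/1.1" 403 146 "-" "wp-android/15.2"
203.0.113.7 - - [12/Jul/2020:06:41:12 +0000] "GET /wp-json/wp/v2/users/me?context=edit HTTP/1.1" 403 146 "-" "wp-android/15.2"
198.51.100.9 - - [12/Jul/2020:06:42:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2954 "-" "python-requests/2.24.0"
198.51.100.9 - - [12/Jul/2020:06:42:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2954 "-" "python-requests/2.24.0"
198.51.100.9 - - [12/Jul/2020:06:42:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2954 "-" "python-requests/2.24.0"
198.51.100.9 - - [12/Jul/2020:06:42:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2954 "-" "python-requests/2.24.0"
192.0.2.44 - - [12/Jul/2020:06:43:00 +0000] "GET /wp-config.php HTTP/1.1" 403 146 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
APP_UA = re.compile(r"\bwp-(android|iphone)/", re.I)  # assumed mobile-app UA markers
AUTH_PATHS = {"/xmlrpc.php", "/wp-login.php"}          # assumed jail filter targets
DENY_STATUSES = {"403", "429", "444"}                  # assumed "blocked by nginx" codes


def parse(text):
    """Turn access-log text into dicts, skipping lines that do not match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["path"] = e["path"].split("?", 1)[0]  # group by path, ignore query string
        e["is_app"] = bool(APP_UA.search(e["ua"]))
        entries.append(e)
    return entries


def app_denials(entries):
    """Count (path, status) pairs where nginx itself refused the mobile app."""
    return Counter(
        (e["path"], e["status"])
        for e in entries
        if e["is_app"] and e["status"] in DENY_STATUSES
    )


def jail_candidates(entries, maxretry=3, findtime=60):
    """IPs whose POSTs to AUTH_PATHS reach maxretry inside findtime seconds.

    Each flagged IP maps to True when all of those hits came from the app,
    i.e. the jail would be banning a legitimate client.
    """
    per_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] in AUTH_PATHS:
            per_ip[e["ip"]].append(e)
    window = timedelta(seconds=findtime)
    flagged = {}
    for ip, hits in per_ip.items():
        hits.sort(key=lambda e: e["ts"])
        start = 0
        for end, hit in enumerate(hits):
            while hit["ts"] - hits[start]["ts"] > window:
                start += 1
            if end - start + 1 >= maxretry:
                flagged[ip] = all(h["is_app"] for h in hits)
                break
    return flagged


if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    print("nginx denials for the app:", dict(app_denials(log)))
    print("would trip the jail (True = app):", jail_candidates(log))
```

Denials point at a location block to relax for the app; a `True` in the second result means the jail filter is counting successful app traffic and should match failed logins instead.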

Huawei Hacked My Laptop? « Sunburnt Technology

Source: Huawei Hacked My Laptop? « Sunburnt Technology

At the end of the post the author does say:

I’m giving Huawei the benefit of doubt on this one. As a commenter suggested, it is probably a hack to run the GUI as root.

But we still have a problem with hardware manufacturers thinking “oh we can just use root for everything and it’ll turn out alright!”, because they’re not familiar with the platform.

This is one instance where Microsoft was able to impose order and open source desktop environments need to start thinking about doing so, too.

Another attempt at a note-taking workflow

In a previous post I mentioned one of the tools I use is Wiki.js. It was a great thing to learn how to set it up but… I was never entirely happy with it:

  • It’s somewhat slow on loading.
  • Not that customizable yet.
  • The update process is a total pain in the ass. They want you to use Docker and this ‘ere server can run it but performance wouldn’t be that nice.
  • On mobile I have to depend on the vagaries of whatever browser I’m using (Firefox) so I don’t get that good of an editing interface.
  • This is a private repository of knowledge so if it turns out wiki.js has a security issue my wiki is now at risk until I go through the pain of updating again.

So that’s that. I’d been playing with vimwiki since it’s text-based. After a bit of playing I was able to make it work nicely on the gVim instance I run on the Windows 10 desktop and the Ubuntu instance I run in WSL.

The mobile side of things was immensely helped along by Epsilon Notes, which blows iA Writer completely out of the water. Along the way I tried using Joplin which at first glance seems awesome but then you run into this issue:

Screencapture of JoplinApp filenames

Yes, I get the logic of completely unique filenames but it also means that I’m locked into the app. This is something people have complained about as it defeats all efforts at interoperability. I mean, these are fucken markdown files. And this is an open source app!

Oh right, it also uses its own WebDAV connection to the Nextcloud instance, so slow your roll.

So back to Epsilon. It’s got a few goodies:

  • Line numbers
  • CommonMark is the default markdown dialect.
  • It’s native to Android.
  • Lets you use front matter for tags but doesn’t require it. I personally don’t care for it.
  • It sets up its own folder in the device filesystem which you can then sync with Nextcloud.

The workflow

All right, so this is what I have right now

vim/gvim

Assuming there’s already a working Windows gVim instance, a working WSL installation, and a working Nextcloud desktop client:

  1. Set up vim with vimwiki.
  2. Configure vimwiki to store its files in a directory being synced by the Nextcloud desktop client. For the sake of simplicity and to avoid changing my .vimrc file unnecessarily in WSL/ubuntu I symlinked ~/vimwiki to the appropriate directory in Windows; this way the _vimrc file in gVim could remain the same. Using either vim instance gets me to the same location.
  3. Create your vimwiki index file: <Leader>ww, and save it. It should get picked up by Nextcloud.

Nextcloud

Using the web interface or the Android client, mark the vimwiki folder as a favorite so Nextcloud keeps it synced at all times. I don’t think there’s a way to do this in the desktop client yet.

Epsilon Notes

Assuming there’s already a working Nextcloud app

  1. Install Epsilon from the Play Store.
  2. Tap the folder icon on the top right and navigate to /storage/emulated/0/Android/media/com.nextcloud.client/nextcloud/USER@HOST/vimwiki/. If you have multiple Nextcloud accounts on the same app you’ll see all of those listed with a USER@HOST folder each and you can just jump between folders.

Another way of doing this is setting up custom folders but I think doing it this way makes for a simpler configuration. It’d probably be really useful if you have multiple vimwikis or multiple Nextcloud accounts though.

Bonus: Servers

I have a couple of boxes that run headless and I also wanted to have my notes available on there. There isn’t a terminal Nextcloud client but I found Rclone. I could have used cadaver but Rclone is designed specifically for cloud file storage:

These instructions worked under my Debian 10 install:

  1. Install rclone and fuse3: sudo aptitude install rclone fuse3.
  2. Configure Rclone with rclone config. Documentation.
  3. Create an Rclone mount with something like

         rclone --vfs-cache-mode writes mount NEXTCLOUD:/vimwiki ~/vimwiki --daemon

     This assumes NEXTCLOUD is what you named the remote configuration, your vimwiki directory lives at $HOME, and you want the connection to remain alive until you decide to stop it manually. The --vfs-cache-mode writes flag will enable some amount of caching. Documentation.
  4. At this point you can access your vimwiki files as if they were on the local filesystem.

Fucken awesome amirite

So now we have wiki-like notes that can be edited on desktop, mobile, or server, using whichever editor you prefer. Another bonus: You’re not locked in to anything. I could edit notes on desktop with Notepad++, Sublime Text, or Atom. On mobile you can edit them with whatever text editor you end up with. On a server you can edit them natively with whatever you have at hand.

And in the sad event you don’t have anything you can still access them through the Nextcloud web interface. They even got a markdown editor but I’m not sure what dialect it uses.

The only thing I don’t have anymore is a nice clean way to print these notes but this is where pandoc and a print.css file should be useful. If worst comes to worst I can always paste something into LibreOffice and just change the styling that way. Another thing I’ll have to change is how I search for things but since I do have access to the terminal I can always resort to grep if worst comes to worst.

Extras

I did have a few things that led me to try and avoid using web interfaces for this

  • The Website Obesity Crisis. Comments on reddit and Hacker News
  • The reckless, infinite scope of web browsers
  • I tried creating a web browser, and Google blocked me
  • Browser bloat has been a problem for a long, long time now.
  • The proliferation of browser-based text editors (StackEdit, Dillinger, Editor.md, WordPress) that try to do too much and they end up falling flat on their face cos nothing beats the responsiveness of editing locally.
  • The flipside of the above is I can use editors native to each platform. This post was typed on vim, then pasted into WP, for example. This makes for a much, much nicer editing experience specially when doing long-form text or to-do lists.
  • Avoiding lock-in. It was a drag to move from one platform to another and paste everything manually, cos all of these tools depend on locking you in.
  • Security. My Nextcloud instance is exposed to the Internet but I can always implement more things cos I control the network, the hardware, and the operating system.
  • Other people who were also in search of a good editing experience, like this, or this.
  • Easy migration of mark-up. I’m trying to use editors that support CommonMark since that way I can always be more or less sure of how something is going to look if I export it elsewhere, and I have the freedom of switching to something else like ReStructured Text or AsciiDoc, which I have considered.

I’m super excited about this. My notes en’t locked in anywhere and they’re all in plain-text, which is the only thing guaranteed to not change in the next 20 years.

“you can have backwards compatibility with the 1990s or you can have sound cryptography; you can’t have both.”

Cryptography engineers have been tearing their hair out over PGP’s deficiencies for (literally) decades. When other kinds of engineers get wind of this, they’re shocked. PGP is bad? Why do people keep telling me to use PGP? The answer is that they shouldn’t be telling you that, because PGP is bad and needs to go away.

Source: Latacora – The PGP Problem

I knew PGP was bad and had avoided it cos I knew of its eldritch complexity of integration but I didn’t know about the rest.

Figures that Thunderbird is planning on integrating it as a built-in function.

They should probably use something else, methinks.

Limpets with rifles

Source: Special Report: Drug cartel ‘narco-antennas’ make life dangerous for Mexico’s cell tower repairmen – Reuters

Now that the filthy Peje doesn’t want confrontation of any kind with the cartels, what can companies do?

If the employees do something wrong, they get killed. If the company does something wrong, it gets shot up or kidnapped. Meanwhile the energy costs go on and on.

Bad business any way you look at it.

Locked out? Good luck

Let’s build and configure a minimal SSH bastion host (jump box) from scratch, using Ubuntu 20.04 LTS.

Source: DIY SSH Bastion Host

This is all well and good except for the bit where the author is clearly invested in using the cloud (i.e. other people’s computers) to run your own infrastructure.

What happens when google locks you out? Or when amazon decides to do the same. Same concern goes for Azure, or any other cloud provider.

Good luck fixing any of that without having to tear down a lot of your own work just to be able to be useful again. I get it, from a developer point of view setting it like this means it’s easy to plug into projects, but from a sysadmin point of view it means you’re going to shoot yourself in the foot sooner rather than later, specially if you missed a little configuration detail that leaves your server wide open for takeover.

Thinking Tools: July 2020

It’s been a long while since that last post I did and my setup has changed a lot:

Web services

  • This site, which I’m trying to update more often with links and blog posts I find interesting. It’s going much better after I installed the WP Editor.md plugin to enhance the plain editor. The gutenberg editor sucks ass.
  • Nextcloud. I’m running my own instance to replace Dropbox, which I didn’t like the last time. Got the desktop client installed and it’s working quite nicely.
  • Twitter is still my social media network of choice. I’m using tweetdeck on the desktop.
  • Feedly is still my RSS reader of choice but I’m looking around for a replacement that works across all my devices and it’s pretty to look at. Now that people are starting to move away from centralized social networks again there should be some movement in this space.
  • I’m running my own wiki using Wiki.js, which I’ve blogged about. This will probably merit another couple blog posts of their own specially now that I found vimwiki which could potentially run inside my Nextcloud instance.

Actual applications installed on my desktops and laptops

  • For messaging I’m now using Ferdi, a fork of Franz, to run most of my instant messaging needs. The great exceptions are Slack, Discord, and Signal; I discovered I work better when they have their own app instances running but when Signal offers a web interface I’ll probably fold it into Franz.
  • Spotify. Thinking of replacing it with a self-hosted option. I miss my graded playlists.
  • KeePass is still my password manager of choice.
  • Firefox. Mozilla keeps trying its best to kill all low-level functionality. This is easily the program I fuck around with the most, going from extensions to custom userChrome files.
  • Windows Subsystem for Linux. Much less of a pain in the ass than running a VirtualBox VM depending on what you’re doing. Using wsltty as its terminal.

There are some single-purpose utilities I’ve discovered in the interim that are extremely useful for working in Windows 10.

Mobile applications (Android)

  • The usual instant messaging slash social networking suspects minus TikTok, which is spyware.
  • Firefox mobile. Firefox needs to do better at syncing preferences into it.
  • Fenix twitter client. Twitter Co keeps fucking around with their API and preventing third party clients from achieving the excellence they used to have years ago.
  • Nextcloud mobile client for my Nextcloud instance. Needs a lot of work to compare with Dropbox, but it does its job well.
  • Moon+ Reader for ebooks. This one took me a long while to find, most ebook readers have utterly crazy skeuomorphic defaults.
  • Photoshop Express. This one was annoying but you’d be surprised how many image editors are missing features you’d consider basic (like cropping and image resizing), opting instead to overload with photo filters you’ll never use. This one has all the filters but at least lets you crop and resize. It replaced Snapseed. I’ve still to wade through open source editors but my hopes are dim on that front.

There are some things that underpin all of these applications but I think I’ll leave it as-is. It’s pretty fun to see how my workflow changes over time.

Cognitive Dissonance 30 minutes out of downtown

The suburbs run on federal subsidies. Without them, America’s suburbs would have to become more financially productive. They would need to get greater returns per foot on public infrastructure investment. That would mean repealing repressive zoning regulations, allowing the market to respond to supply and demand signals for housing. It would also mean allowing the “little downtowns” Kurtz fears to form where demand for them exists. Isn’t that what is supposed to happen with self-government and local control?

Source: It’s Time to Abolish Single-Family Zoning | The American Conservative

To have a conservative person say this is quite strange. Few suburbs in all of the US actively try to compete with the cities they’re attached to, mostly because they only want to attract wealthier millennials who can afford the down payment on a house by way of the parents paying for it.

And a special version of Flash for games only?

Are we ready to revisit some of the ideas of the early web again? There are trends that suggest we might just have come full circle – and I like it.

Source: The Return of the 90s Web | Max Böck

The only sites that won’t have an RSS feed are those of corporate entities that explicitly depend on keeping people on their sites, like fb.

Hopefully some enterprising engineer at google has found the Google Reader source code and is bringing it back to life…

Tie yourself together

Over and over again, I’ve seen people fix some wireless-related problem and go “wow, I had no idea how much better this could be!” • Wireless protocols often silently operate in an extremely degraded state that makes them substantially worse than wired equivalents.

Source: Wireless is a trap | benkuhn.net

I live in an apartment building that is located within the city core of my city. When I scan for WiFi networks I can see at least 25 from my main workstation. On my laptop, standing in the middle of the front courtyard, you can see at least 40 networks. Mind you, this is only WiFi networks; I’m not including everything else that might be using the 2.4 GHz spectrum, like Bluetooth or other kinds of wireless devices.

I switched to wired devices a long, long time ago precisely because of unreliable connections, network lag, and the fact that WiFi optimization is more of an art than any sort of science, and that’s before you bring in newer WiFi versions. I just recently rewired my apartment to have Ethernet all over and be able to throw around 4K media with abandon.

Now if only the USB Implementers Forum would get its shit together, that’d be awesome

TikTok Security: An Opinionated Explainer

There is a post on reddit written by someone who claims they reverse-engineered the app; that is, they set about deconstructing the app to see how its internal components function and interact with each other, with the rest of the phone, and with the servers that make up the service itself.

The app

These are the main points made by analysis of the app itself.

Phone hardware (cpu type, number of cores, hardware ids, screen dimensions, dpi, memory usage, disk space, etc)

The app will try to learn everything it can about the phone hardware itself, going from the big things like if it’s running on a phone or a tablet, who the manufacturer is, make and model; to the small, like how many megapixels the front camera is.

What you can do about it: Nothing. This is a function done by the app on its own.

Other apps you have installed (I’ve even seen some I’ve deleted show up in their analytics payload – maybe using as cached value?)

The app will check what else is installed on the device regardless of whether it’s a competing social media app or not. This also applies to the clipboard (the function to copy and paste), as TikTok was caught red-handed accessing its contents. As users we use this function to copy/paste everything, from emojis to phone numbers to credit card numbers to social security numbers.

What you can do about it: Nothing. This is a function done by the app on its own.

Everything network-related (ip, local ip, router mac, your mac, wifi access point name)

The app will log:

  • The MAC addresses of all network interfaces on the device (cellular, wifi, bluetooth, nfc, etc). A MAC address is a unique hardware identifier for network hardware.
  • Whether those interfaces are connected to anything. If they are, the name of the cellular network or wifi network, and the MAC addresses of that hardware.
  • Then, if they are connected, the IP address used for that connection at both Local Area Network (LAN) and Wide Area Network (WAN).

Taken all together, TikTok will find out what kind of network the device lives in, what other devices are on it, and how it moves within the LAN. This also means the WAN IP address is revealed, allowing them to use GeoIP databases to try and determine the geographical location of a device.

What you can do about it: Nothing. This is a function done by the app on its own. You could limit the app’s network access but this requires deep expertise in networking and the operating system being used at the time.

Whether or not you’re rooted/jailbroken

Jailbreaking refers to “breaking out” of the limitations placed by Apple on iPhones and iPads to enable additional functions that were not available in either the hardware or the software. The same action in Android is referred to as [rooting](https://en.wikipedia.org/wiki/Rooting_(Android)). Either one means you can do anything on the device and is a common goal of spyware/malware so they can operate with unfettered access and without the user knowing.

A common example: in the past it was used to enable tethering when it was disabled by cellular carriers trying to force you to pay an extra charge to enable the function.

What you can do about it: You could limit what the app sees if you’re jailbroken/rooted, but this requires deep expertise in the operating system.

Some variants of the app had GPS pinging enabled at the time, roughly once every 30 seconds – this is enabled by default if you ever location-tag a post IIRC

As most smartphones and tablets now have GPS, TikTok will check for the current GPS data as often as it can, enabling them to follow a device as it moves through a geographical area. Coupling this with the network data, they can determine with lots of accuracy where a device is. Both Google and Apple have this information but keep in mind they are the entities making the operating systems themselves. TikTok is just an app.

What you can do about it: Both Google and Apple let you limit if an app has access to GPS. Be aware TikTok will limit its own functionality if it cannot access GPS, though.

They set up a local proxy server on your device for “transcoding media”, but that can be abused very easily as it has zero authentication

TikTok sets up a special kind of server to help with converting videos from one format to another (transcoding) with a minimum of configuration on the part of the app developers or the users. The problem is that it doesn’t check whether anything connecting to that server is actually allowed to both connect and use the server (i.e. it doesn’t ask for a username or a password); this means other apps could potentially connect to that server and use or abuse its resources.

What you can do about it: Nothing. This is very much one of the core functions of the app itself since most device manufacturers have their own ways of saving video on a device and the app needs to be able to deal with all of them.
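What the missing check would look like on the developer's side, as an added example (not TikTok's code and not from the original analysis): a loopback HTTP service that requires a random per-launch token, next to the same service without it. The `X-Session-Token` header name, the `/media` path and the placeholder response are assumptions made for the illustration.

```python
import hmac
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def make_handler(token=None):  # token=None reproduces the unauthenticated case
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if token is not None:
                supplied = self.headers.get("X-Session-Token", "")
                # Constant-time compare so the token cannot be guessed by timing.
                if not hmac.compare_digest(supplied.encode(), token.encode()):
                    return self.send_error(403, "missing or wrong session token")
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"constructed placeholder for transcoded media")
    return Handler

def start(token=None):
    # Binding to 127.0.0.1 keeps the LAN out, but not other apps on the device.
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(token))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def status(port, token=None):
    headers = {"X-Session-Token": token} if token else {}
    req = urllib.request.Request(f"http://127.0.0.1:{port}/media", headers=headers)
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    token = secrets.token_urlsafe(32)  # fresh random secret on every app launch
    open_srv, locked_srv = start(), start(token)
    results = {"open, no token": status(open_srv.server_port),
               "locked, no token": status(locked_srv.server_port),
               "locked, right token": status(locked_srv.server_port, token)}
    for srv in (open_srv, locked_srv):
        srv.shutdown()
    return results

if __name__ == "__main__":
    print(demo())
```

The token only helps if it is handed to the app's own components in memory and never written anywhere another app can read it.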

Potential for remote configurations

The scariest part of all of this is that much of the logging they’re doing is remotely configurable

Every time the app downloads an update they can change what information is logged, how often, where to send it, etc., and you as a user have no way to stop it.

What you can do about it: Nothing. This is a function done by the app on its own.

The people coding the app consciously obfuscate how the code works and what specific functions and tasks it performs.

and unless you reverse every single one of their native libraries (have fun reading all of that assembly, assuming you can get past their customized fork of OLLVM!!!) and manually inspect every single obfuscated function.

TikTok developers are purposely hiding how the app itself operates. You can determine this if you have the know-how and the experience to do it but you will not like the experience of it.

What you can do about it: Nothing.

The app will monitor its environment and change its behavior if it detects someone is trying to analyze it.

They have several different protections in place to prevent you from reversing or debugging the app as well. App behavior changes slightly if they know you’re trying to figure out what they’re doing.

TikTok will monitor the device and if it detects any attempt to analyze any of its internal functions and configuration it will try to change its own behavior to prevent that. Failing that it will try to present behavior that is deemed more acceptable to the person doing this work.

This is how the Volkswagen emissions scandal came to be:

  1. Cars were programmed at the factory to detect whether they were being tested for emissions at a laboratory or government facility.
  2. If they were, they would enable emissions control in order to be able to pass those tests.
  3. At any time they were not being tested, emissions control was reduced or disabled entirely, leading the vehicle to emit far more than the allowed legal limit of greenhouse gases.

TikTok is doing essentially the same but it’s all in software.

What you can do about it: Nothing. This is a function done by the app on its own.

File downloads without user interaction.

There’s also a few snippets of code on the Android version that allows for the downloading of a remote zip file, unzipping it, and executing said binary. There is zero reason a mobile app would need this functionality legitimately.

TikTok can download a file, extract its contents, then run its contents without needing user interaction or without having to be updated from the App Store or the Play Store. Both Apple and Google forbid this kind of functionality in any app.

What you can do about it: Nothing. This is a function done by the app on its own.

Lax security standards

On top of all of the above, they weren’t even using HTTPS for the longest time. They leaked users’ email addresses in their HTTP REST API, as well as their secondary emails used for password resets. Don’t forget about users’ real names and birthdays, too. It was allllll publicly viewable a few months ago if you MITM’d the application.

This is something that has been reported about TikTok in the past:

Basically, the TikTok devs won’t implement basic security standards to protect the user, the account, or any of the media the app stores and transmits. This allows intelligence agencies, corporations, anyone who cares to look, to surveil and hack users of the service.

What you can do about it: Nothing.

The Company

All of the previous points point to the one overarching theme of the app: it sucks up as much information as possible, then sends it to the servers that actually run the service (aka “the backend”). There are a lot of shady practices on that side of things and the only people who know what’s going on are the people working for TikTok itself. Here are but a few examples:

The company is performing data collection on a level that far surpasses what Facebook, Twitter, Instagram, Snapchat, or most other social media companies have done so far. Only the Big Four (Microsoft, Apple, Google, Amazon) could obtain so much information, but that’s because they control the platforms their operating systems work with; if governments even thought they were doing what TikTok is doing, they would face major fines, lawsuits, and antitrust enforcement.

The Combination of Both

When you combine what the app does (again, sucking up as much information as possible about the user and their devices) with what the company is doing (actively avoiding answering questions about its practices), it all means one thing:

TikTok is combination spyware/malware with the backing of a corporation valued in billions of US dollars.

Most entities that write malware and spyware are:

  • A single person with technical knowledge, like the person who created the ILOVEYOU virus.
  • Nation-states and their various intelligence agencies, using software vulnerabilities like BlueKeep or creating their own malware like Stuxnet.
  • Organized crime, like the creators of the Conficker worm.

Having a corporation create this kind of software and for users to willingly install that software is something new. I am also leaving out all the advertising practices of the company, as that is how TikTok entices companies to buy into the platform.

What is there to do, then?

It amounts to this:

  • If you have not installed the app, do not install the app on any device you own.
  • If you have installed the app, remove it immediately from any and all devices you own.
  • Don’t let friends and family use the app, and push for them to remove it if they have used it.