Embedded Object Allowances

Ask for help about NoScript, no registration needed to post
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Okay, I'll avoid acronyms and abbreviations. In previous posts, I said things like "smile" or (laughing). It sounds like that is better.

Also, I assume quote marks are read as such, and that it reads "open parenthesis" and "close parenthesis". I put "laughing" in parentheses in the previous paragraphs, but I can avoid quotes and/or parentheses as much as possible if that is easier. I assumed that it would recognize such standard abbreviations as "etc."

Do you suggest any other way to emphasize an important word or phrase, other than star keyword star? (I wrote out "star" there.)

I use Hushmail, for example, to send sensitive financial information to a trusted business associate. If you have no need for it, fine. But your friends could get the free version if they wanted, and then they don't have to mess with keys. Communication from one Hush user to another is as easy as from any other mail service, other than the delay of a second or two while it encrypts the message. That encrypted blob is briefly visible, which should give JAWS fits ha ha, but it disappears very quickly.

Perhaps the Hush GUI, either old or new, might be easier to navigate, even for unencrypted mail. I don't know, but it would take only a minute or two to set up a free account and try. The low storage limit is an issue, but text messages are not large. Attachments eat the space. I'm assuming that you wouldn't be sending pictures or videos. Documents and spreadsheets aren't large. A P D F document varies greatly in size.

There is the comfort of knowing that they are not mining your messages for data to sell to advertisers, which Google has been doing for a long time, and now Yahoo is doing that as well.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

Formal abbreviations and acronyms are expanded per settings I have enabled. Punctuation can be spoken or ignored and that part of JAWS is all too configurable. I, using the dialect I use, use square brackets but JAWS speaks both [are parentheses in all actuality angled brackets or are those braces?].

Google is scaring the hell out of me with the SO-CALLED privacy policy that goes into effect on Thursday 01 March 2012. I have a dwindling blog on Blogger and I am considering closing it because of that and sending a mass e-mail to the 40 something contacts I have telling them I am opening a HushMail account. I really hope the HushMail people respond to me saying they will be glad to offer me a premium account because I really like the convenience of Thunderbird and the IMAP protocol. I feel like I will be subjected to immense danger after 01 March even if I do delete all my e-mails from the Bin folder and expunge the sent one as well.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120226 Firefox/12.0a2 Firefox/12.0a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Identities Infinite wrote:[are parentheses in all actuality angled brackets or are those braces?].
Parentheses are part of an arc, concave to the material included. So if I put (zebra) in parentheses, the left one curves outward to the left, and the right one curves outward to the right. For the sighted, this gives an intuitive visual indication that the word or phrase is wrapped or included in that pair of symbols. It is the same as with square brackets, except it is a single curve instead of a vertical straight line with short horizontal top and bottom lines.
Your use of square brackets here is fine. In formal English, if I were to put a phrase in parentheses, then wanted to include a second parenthetical phrase inside that one -- sort of a second-generation parenthetical thought, if you will -- I would put the second level in square brackets, still closing the end of the phrase with the closing parenthesis. Think of it as nesting.

I am ardently anti-Google, especially given that their original motto was "Do no evil", and a philosophy of "It is possible to make money without doing evil." Perhaps, but they seem to like the fact that they can make even more money by doing evil. I avoid them as much as possible, deleted all of their default entries in the whitelist, and never temp-allow their scripting unless absolutely necessary. It makes me a bit uncomfortable to have to allow it for doing user support where the problem is on a site that requires google scripting, including their API or AJAX.

Incidentally, I don't know if I've mentioned this, but you can leave google-analytics dot com in the default-deny zone. Some sites require that it run, but Giorgio has created for us a Surrogate Script for that and many other data-miners, which convinces the page that G-A has run, but returns no sensitive data to Google. These surrogates run by default any time a page tries to load a script that is default-denied or marked as untrusted. The complete listing of surrogates is in about:config. You can bring up the list merely by typing in the filter bar the letters s u r r.

As far as closing down your accounts, all well and good, but be advised that cached copies of almost everything remain on the Web almost forever. It is good to keep in mind that nothing posted on the web can ever truly be deleted. Someone can find the cached copies. I expect that Google will retain copies of your emails even after deletion. One legitimate reason is that such companies use backup or redundant storage, in case of a problem with one server or storage device, and with storage space so cheap, they have little incentive to go through all possible backups and delete them. Also, saving old pages enables the searching of old material from the cache.

Good luck with Hush. I checked a few hours ago, and there was no response yet.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

Thanks for the clear description, I understand better.

I had Google Analytics in the Untrusted list ever since I noticed what it was as well as Google Syndication. I do have google.com, gstatic.com, googleapis.com, gmodules.com and googleusercontent.com on the whitelist. Is this dangerous? I thought I need those for proper functioning. I also have blogger.com and blogblog.com on it but if all those can be switched to Untrusted and still function I will. Considering the above, would it be much use to delete my Google account? I have already sent DuckDuckGo my feedback and suggestion for improvement. I hope they go forth with it.

I hope the surrogates keep coming because the more surrogates the more I can mark as Untrusted.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120226 Firefox/12.0a2 Firefox/12.0a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Identities Infinite wrote:I do have google.com, gstatic.com, googleapis.com, gmodules.com and googleusercontent.com on the whitelist. Is this dangerous?
It poses privacy risks, and as per our previous discussion, *any* content uploaded by unknown random users is riskier.
Identities Infinite wrote: I thought I need those for proper functioning.
Only at certain sites. I try to avoid sites that rely on Google, but in doing support, sometimes I must go to such places. Then I temp-allow them. May I use uppercase T A for "temporarily allow"? That is common here among veteran users, and it saves a lot of keystrokes for a poor typist like myself.
Identities Infinite wrote: I also have blogger.com and blogblog.com on it but if all those can be switched to Untrusted and still function I will.
I'm pretty sure that if you continue a blog there, you'll have to allow the scripting. At the blogs of others, you can probably read it without scripting, but may or may not be able to post comments, vote, etc. without the scripting. Your choice.
Identities Infinite wrote: Considering the above, would it be much use to delete my Google account?
I believe that they have an address to send a written request to delete whatever information they have on you, and possibly an e-mail address to do that also. I haven't looked into it. There is no enforcement mechanism short of hiring a lawyer to subpoena them. One woman did that regarding the ad agency DoubleClick, once the most notorious privacy invader on the Web, at least among legitimate registered corporations. They had the equivalent of 968 single-spaced typewritten pages of information on her browsing habits, what color shoes or underwear she looked at online, how long spent at each page, etc. Still, if you're sure you're not going to use the account, and have saved all desired information and documents locally, it wouldn't hurt to close the account.

You'll be happy to know that DoubleClick is now a subsidiary of Google. [sarcasm]

I have a lot of my Yahoo mail stored on Yahoo's servers, but their changeover to Google's privacy-invasion policy (hey, that's a good one, and just off the top of my head!) doesn't scare me too much, because as noted, anything truly sensitive goes through Hush. Incidentally, if you use Hush's Java encryption applet, even the Hush people can't read your messages, including stored ones. They can't access your private key, because it too is stored in encrypted form. Only your password unlocks that, and in any *good* password-protected site, passwords are never stored in the clear. Your password is "hashed", if you know that term, before it leaves your machine. They have only your username and the hashed version of your password. If hash matches hash, you are allowed in, and now your real stuff can go to work unlocking things. Hashes are so-called "one-way functions". It's easy to turn plain text into hash, but physically impractical to deduce the plaintext from seeing the hash output, even knowing the hash algorithm.

The downside is that if you ever lose your password, there is no way of getting the account back. No "challenge questions" or any amount of authenticating yourself will do it, because they can't see it themselves. If that were possible, then anyone who could answer your challenge questions or whatever could get in, rendering the security useless.
Identities Infinite wrote:I hope the surrogates keep coming because the more surrogates the more I can mark as Untrusted.
Not all of those scripts are *required* to make any given page happy, so mark them Untrusted anyway, just to save the annoyance of the audible warning. If the page breaks, report it to us, and we'll see if it's because of a data-mining or advertising script for which Giorgio can make us a new surrogate.

Were you able to gather all of the surrogate sites from about:config, or would you like me to reprint them in text form? If so, in paragraph form, or one entry per line -- without list tags, of course. [grin]
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
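The login scheme described in the post above, as an added sketch that is not Hushmail's code and not part of the original posts: the password is hashed on the client, the server keeps only a hash and an encrypted private key, and a lost password leaves the key unrecoverable. PBKDF2, the HMAC-based keystream (a standard-library stand-in for a real cipher) and all names here are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive(password: str, salt: bytes, purpose: bytes) -> bytes:
    """Stretch the password into a 32-byte value bound to one purpose."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, ITERATIONS)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib stand-in for a real cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]


def wrap(key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC the secret under a password-derived key."""
    nonce = os.urandom(16)
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(secret, keystream(enc_key, nonce, len(secret))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes):
    """Return the secret, or None when the key (i.e. the password) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))


class Server:
    """Holds only what the post says the provider holds: no password, no plain key."""

    def __init__(self):
        self.users = {}

    def register(self, user, salt, login_hash, wrapped_key):
        # Hashed once more so a leaked table holds no login-ready value
        # (an addition of this sketch, not something the post describes).
        stored = hashlib.sha256(login_hash).digest()
        self.users[user] = {"salt": salt, "login": stored, "blob": wrapped_key}

    def salt_for(self, user):
        return self.users[user]["salt"]

    def login(self, user, login_hash):
        record = self.users[user]
        offered = hashlib.sha256(login_hash).digest()
        return record["blob"] if hmac.compare_digest(offered, record["login"]) else None


def client_register(server, user, password, private_key):
    """Derive two separate values: one to log in with, one to lock the key."""
    salt = os.urandom(16)
    server.register(user, salt,
                    derive(password, salt, b"login"),
                    wrap(derive(password, salt, b"wrap"), private_key))


def client_login(server, user, password):
    """Hash locally, send only the hash, then unlock the key locally."""
    salt = server.salt_for(user)
    blob = server.login(user, derive(password, salt, b"login"))
    if blob is None:
        return None
    return unwrap(derive(password, salt, b"wrap"), blob)
```

Because the key that unlocks the private key is derived from the password and never sent, the server has nothing it could hand back after a password loss.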
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

You can use the abbreviation because I now know what it signifies.

I will mark everything as Untrusted except for the Blogger URLs which I will probably need. I use the Google Translator a lot so how would that work? I have DoubleClick marked as Untrusted. What is the difference between that and DoubleClick FloodLight? Ghostery blocks both. That is a ridiculously magnanimous amount of aggregated data! Since the acquisition I know it only became worse.

I know what a hash is. Out of curiosity, what algorithm do they use? I was reading about this time last year and read SHA512/256 was published [newer than SHA512]. SHA1 I do not think is used since it is not secure and MD5 is old. Hush sounds damn good though.

Text would be nice, thanks in advance. I can only use the Up and Down Arrow keys in about:config. I wish they would assign Left and Right to navigate from name to type to value. As a side note, I think it is interesting how about:config is automatically parsed and directed to the MozillaZine forum. If I know all the surrogates I will be able to mark all those sites as Untrusted.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120226 Firefox/12.0a2 Firefox/12.0a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Identities Infinite wrote: I use the Google Translator a lot so how would that work?
I'm not familiar with it. I use Yahoo Babelfish, which works without allowing scripting. There is the original babelfish.com, but it seems to require scripting. Both sites use dropdown windows, and if you've answered my question about whether those are accessible for you, I haven't gotten to that reply yet.
Identities Infinite wrote: I have DoubleClick marked as Untrusted. What is the difference between that and DoubleClick FloodLight?
Per their home page:
Floodlight is an optional feature in DFA that allows advertisers to capture and report on the actions of users who visit their website after viewing or clicking on one of the advertiser's ads. For the implementation of Floodlight, Floodlight tags must be placed on the advertiser's webpages.

How advertisers use Floodlight:

Advertisers use Floodlight to determine the effectiveness of their online campaigns in terms of both sales and user activity on their sites. You can determine the monetary value of purchases that were a direct result of your campaign, or discover how many users purchased a product or completed an online form. The information recorded by the Floodlight tag depends on its configuration and its location on the advertiser's site.

Using dynamic tags, advertisers can also include their own tracking tags, tracking tags from a publisher, or any other code that they want to serve in conjunction with the Floodlight conversion-tracking tag.
Example case

The following example illustrates one possible use of Floodlight, following the process from the user's first viewing of the ad through the generation of a Floodlight report.

1. A web user views a DFA ad offering free ring tones.
The DFA ad server reads the user's DoubleClick cookie. If there is no cookie, a new one is created. For information about how DoubleClick uses cookies and how users can opt out of the DoubleClick ad-serving cookie, see DoubleClick's Privacy Policy.

2. Later that same day, the user visits the advertiser's website, which contains a registration form that the user has to fill out before accessing the free ring tones.
To count how many users view the form, the advertiser has put a Floodlight tag on the webpage. The tag requests an invisible 1x1-pixel image from a DFA ad server, which enables the server to detect and count the page view. As part of this process, the ad server checks the user's DoubleClick cookie to see whether the user has previously viewed or clicked on the advertiser's ad. In this case, the page view is counted as a post-impression activity.

3. The user submits the form and is taken to a webpage that confirms the user's email address. This second webpage contains a different Floodlight tag, which enables DFA to record a second post-impression activity.

4. The advertiser visits ReportCentral to generate reports on the Floodlight activities in the advertiser's website. ReportCentral can report on each Floodlight activity separately or present the information in aggregate.
Identities Infinite wrote: I know what a hash is. Out of curiosity, what algorithm do they use?
I don't know. I could find out. We're only talking about the password, of course. Message body and all attachments are encrypted with full PGP.
Identities Infinite wrote: I was reading about this time last year and read SHA512/256 was published [newer than SHA512]. SHA1 I do not think is used since it is not secure and MD5 is old.
I frequently see SHA1 and even MD5 used for verifying integrity of downloads, especially installers. Like you, I don't know why they don't upgrade.

The US Government is currently hosting a competition for a new hash algorithm, SHA3, which should be decided some time this year. The entry by the team headed by Bruce Schneier, who did the encryption for the Password Safe tool that I've mentioned, made the first and second-round cuts, and is one of five finalists. His entry for A E S-256 was also among the five finalists. It was conceded by all involved that all of the A E S finalists were equally secure, and the final decision was based on slight speed differences in certain hardware configurations.

Incidentally, pardon my saying so, but I am credited in the Acknowledgments section of Schneier's just-published book, "Liars and Outliers: Enabling The Trust That Society Needs To Thrive", after spending a few hundred hours and 55,000 words critiquing his early drafts, at his invitation. But don't look for a "Tom T." in the Acknowledgments. My identities may not be infinite, but they are certainly multiple. [wink]

Anyway, I recommend the book to anyone who is interested in how the philosophies of trust and security evolved over time, from early bands of hunter-gatherers to modern complex mega-civilizations. I'm sure that it will be available on Books On Tape, or some other audio medium, sooner or later.

I will post the surrogate list in a forum here when time permits. Did you prefer one entry to a line, or standard paragraph form?
Identities Infinite wrote: I can only use the Up and Down Arrow keys in about:config. I wish they would assign Left and Right to navigate from name to type to value.
Actually, as you navigate up or down, the entire line becomes highlighted. So presumably, JAWS should read the whole line. For example, if you navigate to
noscript.abe.enabled, I would expect JAWS to say, "noscript dot abe dot enabled (pause) default (pause) boolean (pause) true". Does it not do this?

Just as a reminder, the left-to-right order is name, *status*, type, value, where status is either default or user-set.
Identities Infinite wrote: As a side note, I think it is interesting how about:config is automatically parsed and directed to the MozillaZine forum.
Moderators have available to them a set of shortcuts that produce commonly-used names and links with little effort. For example, I type left squiggly bracket, the letters a b c, right squiggly bracket, and it shows as about:config. Great minds think alike again, because after our previous session, I put on my to-do list to propose that all registered users be allowed to use those shortcuts, though of course, not be able to edit, modify, add, or delete them. That will be discussed in our private Moderator/Admin-only forum. Users really don't need to create those links; we do it so that someone who isn't familiar with about:config or Standard Diagnostic or ABE FAQ can click directly to learn about them. The benefit would be only in saving keystrokes, and only significant to frequent posters. This feature was implemented by Giorgio himself, and is not a standard feature of forum software, as far as I know. He made our jobs much easier with this.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27
Identities Infinite
Senior Member
Posts: 124
Joined: Sun Feb 19, 2012 10:27 pm
Location: Behind A Script

Re: Embedded Object Allowances

Post by Identities Infinite »

Tom T. wrote: I frequently see SHA1 and even MD5 used for verifying integrity of downloads, especially installers. Like you, I don't know why they don't upgrade.
When I tried to use the DownThemAll extension I remember MD5 being the default algorithm. It surprised me. The people who verify lossless files [generally FLAC files] use the MD5 checksum as well. That is like using Shorten or NetScape if you want a more NoScript-related analogy.
Tom T. wrote: The US Government is currently hosting a competition for a new hash algorithm, SHA3, which should be decided some time this year. The entry by the team headed by Bruce Schneier, who did the encryption for the Password Safe tool that I've mentioned, made the first and second-round cuts, and is one of five finalists. His entry for A E S-256 was also among the five finalists. It was conceded by all involved that all of the A E S finalists were equally secure, and the final decision was based on slight speed differences in certain hardware configurations.
I also read about that in early 2011. I wondered if it was ever published. Why does Password Safe not use AES, DES or IDEA? I heard from the Enigmail mailing list IDEA is old and outdated. WinRAR uses AES and so does the free 7-ZIP if I am not mistaken so my guess is TwoFish provides something they do not. You got me hooked on that thing by the way but that is a different conversation because I can go on and on about that.
Tom T. wrote: Incidentally, pardon my saying so, but I am credited in the Acknowledgments section of Schneier's just-published book, "Liars and Outliers: Enabling The Trust That Society Needs To Thrive", after spending a few hundred hours and 55,000 words critiquing his early drafts, at his invitation. But don't look for a "Tom T." in the Acknowledgments. My identities may not be infinite, but they are certainly multiple. [wink]

Anyway, I recommend the book to anyone who is interested in how the philosophies of trust and security evolved over time, from early bands of hunter-gatherers to modern complex mega-civilizations. I'm sure that it will be available on Books On Tape, or some other audio medium, sooner or later.
Well alright now! If ever you secure a PDF copy I would not mind giving it a critical read. It would probably be a bit interesting if I took on that responsibility.
Tom T. wrote: I will post the surrogate list in a forum here when time permits. Did you prefer one entry to a line, or standard paragraph form?
For items such as that I like the list format.
Tom T. wrote: Actually, as you navigate up or down, the entire line becomes highlighted. So presumably, JAWS should read the whole line. For example, if you navigate to
noscript.abe.enabled, I would expect JAWS to say, "noscript dot abe dot enabled (pause) default (pause) boolean (pause) true". Does it not do this?

Just as a reminder, the left-to-right order is name, *status*, type, value, where status is either default or user-set.
That explains why the entire line is read. JAWS does not pause and since it is not technically a list view I can not customise headers as if it was a list view or list box. I forgot about the status column.
Tom T. wrote: Moderators have available to them a set of shortcuts that produce commonly-used names and links with little effort. For example, I type left squiggly bracket, the letters a b c, right squiggly bracket, and it shows as about:config. Great minds think alike again, because after our previous session, I put on my to-do list to propose that all registered users be allowed to use those shortcuts, though of course, not be able to edit, modify, add, or delete them. That will be discussed in our private Moderator/Admin-only forum. Users really don't need to create those links; we do it so that someone who isn't familiar with about:config or Standard Diagnostic or ABE FAQ can click directly to learn about them. The benefit would be only in saving keystrokes, and only significant to frequent posters. This feature was implemented by Giorgio himself, and is not a standard feature of forum software, as far as I know. He made our jobs much easier with this.
I would not mind having those at my disposal. They sound more efficient than BBcodes. I know links are parsed on forums but on-the-fly whilst typing is not something I have ever witnessed before and certainly does not come prepackaged. I like the concept although I personally do not need that particular link.

PS. I hope I did the quoting thing correctly. It takes longer but I guess it makes more sense.
Mozilla/5.0 (Windows NT 6.1; rv:12.0a2) Gecko/20120227 Firefox/12.0a2 Firefox/12.0a2
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Embedded Object Allowances

Post by Tom T. »

Tom T. wrote: It was conceded by all involved that all of the A E S finalists were equally secure, and the final decision was based on slight speed differences in certain hardware configurations.
Identities Infinite wrote: I also read about that in early 2011. I wondered if it was ever published.
Yes, all of this is open to the public, who were also free to attempt to break any of the codes or otherwise demonstrate a weakness in any algorithm. The respective wikipedia articles on A E S and SHA3 should have links to such sources.
Identities Infinite wrote: Why does Password Safe not use AES, DES or IDEA?
Because Schneier created Twofish, so he is confident in it. It was his entry for A E S, even though not chosen as the winner. See the wikipedia article on twofish.
Identities Infinite wrote: If ever you secure a PDF copy I would not mind giving it a critical read.
There was a non-disclosure agreement, or N D A, as a condition of being allowed to preview the drafts. And I would have an ethical obligation not to circulate free copies, which would deprive the author of his well-earned revenue.
Identities Infinite wrote: (re: about: config) JAWS does not pause
Well, it's easy to tell when the setting name ends and the Status begins. When you hear "default" or "user set", you know you're at the second column. Etc.
Tom T. wrote:Moderators have available to them a set of shortcuts that produce commonly-used names and links with little effort. [snip]
Identities Infinite wrote: I would not mind having those at my disposal. They sound more efficient than BBcodes. I know links are parsed on forums but on-the-fly whilst typing is not something I have ever witnessed before and certainly does not come prepackaged.
Actually, it doesn't show the result until Preview or Submit. But I always preview anyway, to check for typos.

Right, it's original. This is one small example of the skill, talent, and creativity of Giorgio Maone. That he would go to this effort just to make his team's job easier is one reason of many why I like volunteering to work for him and help with this essential product.
Identities Infinite wrote: PS. I hope I did the quoting thing correctly. It takes longer but I guess it makes more sense.
Perfectly, thank you. And since you replied to six different subtopics within my one post, yes, it was much easier to correlate each reply with the corresponding section of my post. But if it becomes burdensome, don't feel obligated. And on short posts, or those without sub-conversations within, it still isn't necessary.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.27) Gecko/20120216 Firefox/3.6.27