There was a great Darknet Diaries episode [0] on this with some more recent developments from 2020 I came across recently, and I found it fascinating. I feel like this is something I should've known happened but somehow missed completely.
If they're not paid and you still wanna do it, make it into an interesting problem you wanna work on and have it be presentable enough to include in your portfolio.
At least, that way you might get something out of it instead of nothing, although I definitely do agree that being paid for it is the only way to solve the skin in the game problem.
I thought about the noise route, but doesn't that make you more unique? Maybe if many users share the noise, but then that makes it easier to identify what's noise and what's not.
Any thing that doesn't impact the signal, or can be separated from the signal does not qualify as noise.
You want to quickly throw targeting systems off your scent (or get them distracted) see how sticky high value sales are for the ad's you see on line. Start looking for a new car, use the word wedding too much (god help you if your a woman) or say vacation 3 times near search engine and watch how quickly your ad experience changes.
This won't work "long term"
As an example: You get an ID as a 24 year old male, who likes his local sports ball team, drinks canned domestic beer... that's a profile that is perfect to sell you a BBQ grill and a subscription to the meat of the month club. Spend an hour or two a week pursuing sewing, the engine is going to get confused! Maybe you share a device with your wife, or she got on it...
This is the sort of noise you create, its not random its "more" and you do it by going off type for a while. Have a friend who is into something you aren't (music, art, and so on) ask them some questions and go spend a week getting more informed on their hobby and have a chat with them. Suddenly the systems will see you as MORE...
There's a This American Life episode [0] that mentions this:
> When I was a kid, and I would see the school crossing signs, and there's a picture of the little kids walking, and then it would say "School Xing" And I thought that the "Xing" was a word. And I pronounced it "zing."
But you can have multiple virtual environments in the same directory, which one would it activate? You could also be using an environment that's in a different directory, or have one already loaded.
I like the concept potentially meaning less friction, but the implementation may make things more confusing for beginners when you're not explicitly activating an environment in your shell. I think maybe a flag to enable the behavior at runtime would be better than it'd be opt out.
This looks great trying it with the example data [0], but as far as I can figure out, is there no way to change the column datatypes when they are wrongly typed after loading in local files?
Awesome work on the password history export, thanks a lot!
I audited the code to the best of my ability and it doesn't look like it's malicious, but I certainly could've missed something, so to anyone who's thinking about using this, it works, but do your due diligence.
It looks like the only relevant data that was unencrypted are the URLs [0]. I'm guessing that was some sort of design decision they made for the browser extension to be able to see if you had a password for that site.
If anything, apart from leaking the domain, which could still be a privacy issue, they should have at least sanitized the URLs to remove usernames or tokens if they were going to automatically save those URLs to the vault. I can guess that not doing so allowed their auto-login function to work on some websites by saving the login URL endpoint, but all I'd really want is the vault to keep the sanitized domain.
[0]: https://darknetdiaries.com/episode/64/