By chaining various messaging APIs in browsers and browser extensions, I demonstrate how we can jump from web pages to “universal code execution”, breaking both Same Origin Policy and the browser sandbox.
“However, to go beyond existing research and web-only impact, we can turn to another browser extension capability: native messaging. This allows background scripts to communicate with native applications running on the host operating system itself. For example, password manager extensions that retrieve passwords from the native password manager application on the desktop.”
This is why you don’t want your password manager to integrate with your web browser.
Librem 5: True freedom in your pocket. Privacy-first smartphone, no tracking, no data collection. Made in USA, runs PureOS. Starting at $699. Your data, your control. #Librem5 #PrivacyMatters puri.sm/products/librem-5/
Looks great as always, I want to start running everything Gnome from the main git branch because I keep seeing all the cool shit that's going on (I know it's a really bad idea but it is really tempting)
My pull request that fixed DECtalk PC emulation in MAME got merged yesterday. I just uploaded a short video showcasing the emulation in action. youtube.com/watch?v=jRhsZHLpBE…
In today’s digital age, accessibility is more important than ever. Ensuring that everyone, regardless of their abilities, can access and use digital content
Demonstrates iOS SwiftUI Accessibility programming techniques using live good and bad examples that can be tested with VoiceOver and other AT. Includes documentation for developers explaining how t...
neither android nor ios. It is Linux phones. Very close to daily driver already. Please go ahead with updates for the flatpak version of the Tuta app as this is what we can use on Linux phones.
How FastSpring are working with retailers, including music and audio software companies, to ensure that processes for purchasing software online are as accessible as possible.
Yup, it's true. Firefox 128 includes new adtech features that are turned on by default and announced with very little fanfare, so most people might not even know they're there.
Well, this is me telling you they're there. You might want to go ahead and take a minute to opt out.
Here's the little helpful explainer from Mozilla about how it all works:
My read seems to be: Mozilla says website surveillance is generally bad and should be defended against. Cool. No notes. Firefox actually has a lot of nice anti-tracking and privacy features there and that's the main reason why I like Firefox.
But, and I swear I'm not even joking a little bit here, Mozilla goes on to say that advertisers might be happier if Firefox itself just tracked you directly and sent activity reports back to them.
Doesn't that sound great?
Now, to Mozilla's credit, they claim to anonymize the activity reports. And you can still meaningfully opt out of the whole system.
But WTF, mate?! I use Firefox *because* it fights against adtech. Or at least it used to. Now, Mozilla just lets adtech right in the front door and hopes you won't notice?
Well, we noticed. Mozilla is damage and we need to route around it.
UPDATE: The about:config setting for this is `dom.private-attribution.submission.enabled`. It's a bool. Set it to false to turn it off.
The story of Maurice Hilleman, a wonderfully sweary virologist from Montana responsible for vaccines that currently save 8 million lives a year, “noted by some researchers as having saved more lives than any other scientist in the 20th century”.
A foul-mouthed, chicken-loving Montanan completely altered the course of human health. His story also lays bare the struggles inherent in our global effort to create a covid-19 vaccine.
This is a development relase intended for GNOME 47.
The crate release is version 2.59.0-beta.2.
Two bug fixes from fuzz testing, and a new API to allow cancellable rendering. You can start rendering in one thread, and cancel it from another thread with a GCancellable.
librsvg crate version 2.59.0-beta.2 Librsvg is now part of Google's oss-fuzz and is fuzz-tested automatically - see https://gnome.pages.gitlab.gnome.org/librsvg/devel-docs/oss_fuzz.html for details. Many...
Hello privacy-forward friends. You might want to uncheck this checkbox that comes pre-checked in the latest iteration of Firefox (if you are still using it. I realize you may not be, yes I still am). The vibe I get is that it's like "cookie trackers lite" and still not cool.
You might be aware Chrome— a browser made by an ad company— has been trying to claw back the limitations recently placed on ad networks by the death of third-party cookies, and added new features that gather and report data directly to ad networks. You'd know this because Chrome displayed a popup.
If you're a Firefox user, what you probably don't know is Firefox added this feature and *has already turned it on without asking you*
Attached: 1 image
Firefox is just another US-corporate product with an 'open source' sticker on it.
Their version 128 update has auto checked a new little privacy breach setting.
You might be aware Chrome— a browser made by an ad company— has been trying to claw back the limitations recently placed on ad networks by the death of third-party cookies, and added new features that gather and report data directly to ad networks. You'd know this because Chrome displayed a popup.
If you're a Firefox user, what you probably don't know is Firefox added this feature and *has already turned it on without asking you*
Attached: 1 image
Firefox is just another US-corporate product with an 'open source' sticker on it.
Their version 128 update has auto checked a new little privacy breach setting.
This is weird & bad for so many reasons. But what I focus on is:
1. I believe, morally if not practically, this tracking is *worse* than the old 3rd-party cookies. This is because 3rd-party cookies were a legitimately useful tech that could be misused for ads. This tech is *designed* to benefit advertisers from word go, yet is installed on *your* computer, like Malware.
2. Firefox is *worse than Chrome* in their implementation of ad snitching, because Chrome enables it only after user consent.
Now to be clear, the disclosure Chrome provides to users is not *adequate*. Their wording of the "Ad Privacy" feature popup is highly disingenuous and the process to disable once notification is given is too complex and must be performed on a per-profile basis. But at least they *do it*, and to my knowledge don't track/send the data until the popup is displayed. Whereas Firefox just snuck this in in a software update, checked by default and you're probably learning about it now, on social media.
- Google/Firefox claim their tracking features are not "tracking" because they use something called "differential privacy". I don't have room to explain this class of technology, but I sincerely consider it to be fake. Without getting into the details, they provide *less* information to the advertisers than a cookie would have. But I'd prefer they provide none. Steps are taken to anonymize the data, but what is anonymized can often be de-anonymized.
- The language Google/Firefox use to describe their ad snitching policies just makes my blood boil, an insult on top of the injury of the features themselves. Google uses the label "Ad Privacy" for a feature group that strictly decreases privacy over doing nothing. Firefox calls it "Privacy-preserving ad measurement". You know what would preserve my privacy more? *Not measuring*. I understand why Google is lying to me to protect their own business, but Firefox is supposed to be a nonprofit. WTF.
- Firefox's "Privacy-preserving" ad tracking has other interesting issues. In another way the new ad snitching is worse than the old tracker cookies, Firefox doesn't *tell* you what data it's collected or reported, and unlike with cookies doesn't give you the ability to delete recorded "impressions".
Also interestingly, the feature is not available to *all* advertisers currently, only a "small number" of partner sites. *Firefox doesn't disclose who they are*, again making this worse than $GOOG.
- This event seems to tie in with other confusing developments around Mozilla as a company/"Foundation". I do not know enough about these issues to comment on them intelligently. I know only that Mozilla has, inexplicably for a nominal nonprofit, recently bought an advertising firm: mastodon.social/@jwz/112650295…
This seems completely normal and cool and not troublesome in any way.
Mozilla has acquired Anonym, a [blah blah blah] raise the bar for the advertising industry [blah blah blah] while delivering effective... jwz.org/b/ykVg
Anyway, I guess that's a lot of typing. The TLDR is:
- There is now a feature labeled "Privacy-preserving ad measurement" near the bottom of your Firefox Privacy settings. I recommend turning it off, or switching to a more privacy-conscious browser such as Google Chrome.
- I have filed two bugs on Firefox about this, which I am choosing not to link to dissuade brigading. If I have not been banned from the bug tracker by next week I will file another bug about the ChatGPT integration in nightly
Update 1: In this thread I complain Mozilla does not provide specific technical details about this feature. It turns out there *is* a document with the technical details, on Github:
Update 2: I didn't know this, but it turns out Apple Safari is *also* spying on what ads you view and click on, and sending that info (with some anonymization) directly to advertisers via a backchannel?
It's worse documented than the Firefox/Chrome versions, and like Firefox (unlike Chrome) there is no clickthrough consent. I don't expect better of Apple, but this *grates* given they're running big "A browser that's actually private." billboard ads in my neighborhood.
lol I just checked on Apple Safari and it turns out you have to go to Settings, Safari, then scroll all the way down to "Advanced" to find and turn off "Privacy Preserving Ad Measurement"
(TIL participating in a market economy without leaking an information advantage to counterparties is considered "Advanced" now)
Do you realize that Chrome’s Topics API which provides the websites with your interests is very different from what Firefox is doing here? Firefox does not give websites anything that they cannot achieve via regular tracking. That should be the reason why no consent is requested – you as a user have no disadvantage whatsoever from this feature. In the unlikely event that a website decides to use it, audience measurement will be performed in a way that cannot be traced back to you.
Yes, this is a feature designed specifically for advertisers. But that’s just reality: if Mozilla wants to make advertising less invasive, they have to acknowledge that it exists. It needs to give advertisers more privacy-preserving alternatives rather than merely hope that they will disappear into thin air. Mind you, you are still free to use an ad blocker, so that nothing is tracked (messing with cookies wouldn’t give you that effect).
As to “a small number of sites,” I don’t read this as Firefox limiting who they make this feature available to. Very few websites will be interested in using it at that point, so Mozilla apparently explicitly partnered with some who will test this and provide feedback.
@WPalant Hi, I think you're behind on what Chrome is doing. Chrome's "ad sandbox" technology comprises three distinct features, of which Topics is only one. Another is "Ad measurement" (screenshot). I agree "Topics" is worse for privacy than "Ad Measurement". However, as far as I can tell, Chrome's "Ad measurement" is the exact same tech as Firefox's "Ad measurement" (and a similarly labeled checkbox in Safari, apparently). However I haven't compared the whitepapers line by line yet.
- What Chrome is doing is actually worse than what you thought,
- What Firefox is doing *is* identical to a feature already in Chrome,
- Chrome's implementation of that specific feature is better than Firefox's, because (1) Google shows a disclosure rather than enabling it secretly as Firefox did (2) their description of the feature does not falsely describe it as "privacy-preserving" (where in fact the feature strictly decreases privacy).
@WPalant Also: "It needs to give advertisers more privacy-preserving alternatives rather than merely hope that they will disappear into thin air" No it doesn't. Nobody is making them do that, and my conversations in this thread suggest that if they *do* do that, then they lose customers to LibreWolf/Waterfox
http://www.youtube.com/parrygrippradioSpecial thanks to all of the cool people who let me use their video clips!Please check out the original videos:Hamster ...
— Them: “Please test #GNOMECalendar's sidebar again” — Me, coming back from another round of testing: “Code’s haunted” — Them: “What?” — Me, loading a pistol and getting back to the bug tracker: “Code’s haunted”
I was briefly looking at this code today after your last posts... and I have no magic solution, but you may be interested in the gnome-crosswords talk that JRB and (ahem, I, remotely) are giving at GUADEC :) Lots of related stuff about complex GUIs vs. data models and testing.
@bijram DAS ist DIE Erklärung! Warum bin ich da nicht drauf gekommen… @eichkat3r ist wieder im Modus "Schleichkat3r"! Hat ihn überhaupt irgendwer gesehen in letzter Zeit? Nach Deiner ursprünglichen Theorie könnte er natürlich auch Deichkat3r sein. Oder er sitzt ganz woanders als Teichkat3r. Mal schauen wann er kommt, der Zeichkat3r…
AT&T says it will begin notifying consumers about a data breach that allowed cybercriminals to steal phone records of "nearly all" of its customers (Zack Whittaker/TechCrunch)
Introducing, our latest handmade typeface, Dragönsteel. Inspired by heavy metal logos, 1980s role-playing games, and maybe dragons and dusty, leather-bound books, Dragönsteel is our take on a modern-ish blackletter typeface.
Valuta has joined GNOME Circle! This neat tool lets you quickly convert between currencies. You can also choose between 3 different conversion providers. Congratulations!
Convert between currencies – Valuta is a simple and fast conversion tool, ideal for those who need to convert between different currencies repeatedly. Use it while traveling, budgeting, or anytime else you need to quickly convert...
Soren Stoutner
in reply to Soren Stoutner • • •“However, to go beyond existing research and web-only impact, we can turn to another browser extension capability: native messaging. This allows background scripts to communicate with native applications running on the host operating system itself. For example, password manager extensions that retrieve passwords from the native password manager application on the desktop.”
This is why you don’t want your password manager to integrate with your web browser.
Daniel Blake
in reply to Soren Stoutner • • •