woodruffw a year ago

This is very disappointing, and points to a weakness in these kinds of platforms: I can be a passive user of an excellent extension for years, and wake up one morning to discover that my browser has (silently!) upgraded the extension to one controlled by an entity that I don't necessarily trust.

I think it would behoove Firefox and Chrome to change their policies around automatic extension upgrades in these scenarios: if an extension discloses a change in ownership, then upgrades should require user approval. If an extension fails to disclose a change in ownership, then users should be able to report it as malicious.

  • JohnFen a year ago

    This isn't just a problem with extensions, though. It's a problem with everything. Always has been and always will be.

    This is why people should be extremely cautious about becoming too attached to (or, worse, dependent on) any particular product or service. It can change ownership (and therefore policies) at any time.

    • wongarsu a year ago

      This wasn't a big problem with software just 20 years ago. Sure, the software you used could be bought by someone else, but that just meant you might choose not to get the next version. Software didn't automatically update, and licenses were eternal and mostly tied to physical tokens, like a disk or a fancy sticker. At some point your beloved software might become obsolete, but that was because it was outpaced in improvements by other better software, not because yours got any worse.

      • JohnFen a year ago

        And, to be honest, it doesn't even really have to be a problem now. I use almost entirely FSF or Open Source software. Of the proprietary software I use, it's still software that I have an installable copy of and I'll be able to keep using it for as long as I have a machine that can run it.

        I don't do automatic updates and actively prevent that from happening. Automatic updates are a plague that means you can't rely on the software anymore, if for no other reason than an update may (and likely will, eventually) remove or otherwise bork the very aspect that made it valuable to you.

        But I'm a weirdo and take care to ensure that I actually own and control the software I use. I see people getting burned because they're at the mercy of a company all too often.

        • usr1106 a year ago

          It has happened in open source, too: OpenOffice was once well-respected, but 10 years ago we needed to switch to LibreOffice. (and I bet still not everyone has noticed)

          • wkat4242 a year ago

            And even earlier than that you would have been using Sun StarOffice :)

          • Gud a year ago

            You could still be using the old version of OpenOffice though.

            • usr1106 a year ago

              You could still use the browser extension provided by Avast, no difference here.

              • account42 10 months ago

                No, there is a huge difference. The Avast extension can update without warning adding whatever kind of tracking or leaks they want. The old OOo version won't do that.

        • cjonas a year ago

          A lot of software is dependent on servers so it's somewhat understandable (at least for the use cases where the server is essential)

          • account42 10 months ago

            Not really. In the past we defined protocols so that clients and servers don't need to be updated together.

            Plus, a lot of these server dependencies are added to create that dependency and the software would be better off without them anyway.

        • lmm a year ago

          Using open source isn't enough any more, now that everything's tightly coupled and expects the latest version. Can't run a new version of anything without "upgrading" your window manager, session manager, dbus, udev, kernel, whoops the new kernel broke compatibility with the drivers for your hardware? Too bad.

          I've switched to FreeBSD and things mostly stay working, but I've already seen steps in the direction that Linux has gone, so I fear it's just a matter of time.

          • speed_spread a year ago

            Flatpaks reduce the system dependencies, you may still get burned by kernel changes but hey. Inb4 someone also mentions nix.

            • lmm a year ago

              In theory yes, but they only help with needing specific solibs which is actually a minority of the problems you see nowadays IME. In terms of things like having the wrong dbus sessions/interfaces available in your environment, flatpak/snap/etc. seem if anything to be making things worse.

      • pnw a year ago

        Strongly disagree. Companies like Computer Associates were exploiting vendor lock-in on products like databases via their M&A strategy for decades.

        • Supermancho a year ago

          How about not talking past each other and declaring victory? The majority of software, prior to the internet, was necessarily optional. There were corporate lock-ins. These are not the software most people purchased/owned.

          2000-2005, the biggest automatic updates that consumers had to deal with were Windows (Office, OS, etc) updates and games. Valve's Steam, which had come into prevalence (notably Counterstrike:Source), World of Warcraft, etc.

          By 2008 (Google Chrome), automatic updates were common. I would say the ship had sailed by 2005. Yes, this is 1 full generation ago.

        • letsdothisagain a year ago

          Yeah this guy has rose coloured glasses.

          Remember when Java and MySQL weren't owned by Oracle?

          I do.

      • kzrdude a year ago

        Well, software has changed a lot. Almost every software platform that I can think of gets continuous updates.

        • missedthecue a year ago

          Sometimes this is more annoying than helpful, and I only speak with a tiny bit of hyperbole here.

          On several different SaaS softwares used at my employer I have found myself asking if they have entire teams of highly compensated UX professionals and graphics designers who justify their continued employment by changing the interface every 3 months by just enough to annoy me after I finally remap my brain to the latest locations of the tools and buttons.

      • askvictor a year ago

        But the barriers to releasing and distributing software were much higher, as you had to work out how to get it to people, and incremental releases were basically impossible. So software was controlled by a handful of big companies.

        • ipaddr a year ago

          The industry had more smaller players compared to today and a better chance to sell. The barriers were higher but expectations lower. Plus you had a fragmentation of computers and high margins. Trade shows and flea markets, magazines, shareware and asking store owners directly were accessible ways.

          Today we have the illusion of speaking globally but have been gatekept out by a handful of companies.

        • JohnFen a year ago

          > So software was controlled by a handful of big companies.

          Not really, no. The software space was much, much richer and you could get along extremely well without using much software from the big guys.

    • anonymousab a year ago

      It's another prime example of why users should be wary of always choosing automatic software updates, and particularly wary of any company that uses security and "we know what's best for our dumb users" as an excuse for trying to stop users from using only a manual update process.

      • nebula8804 a year ago

        It's too much effort to manage each app's update. In the age of smartphones they push an update once a day, sometimes it feels like every 5 secs.

        Plus if you look at the app store updates, most of the apps post nonsense in the release notes such as "fixed bugs", "Thank you for being a user of Lyft this update will make your experience even better!", or the worst kind:

        "You know how sometimes you just become aware of how much tension you're holding in your body, then take a deep breath and slowly let it out? This update is like that. It's still Slack, just with a tiny bit less friction."

        HOGWASH Slack, this update will likely cause friction! If only those people that write this crap got laid off, the world would be a tiny bit better :/

        Maybe it's time to declutter software that you don't control in your life just like how people declutter stuff. Every item is an additional tiny mental burden and the same goes for each closed source app installed on your phone. Maybe it's better if we just forgo any "benefits" the app may provide and not bother anymore.

        • WeylandYutani a year ago

          Always find it amusing I have to do a copy paste and search to find the patch notes of windows updates.

          It's pretty clear Microsoft seems to think nobody cares (and to be honest they're probably right).

      • cubefox a year ago

        Windows XP didn't have automatic updates in the beginning. So approximately nobody had the relevant security patches for Windows and IE. The result were Sasser and MyDoom.A on almost every Windows machine. It was a disaster.

        It seems less risky to continue automatic updates and just accept the possibility of malicious ownership change.

        • smolder a year ago

          Early always-connected computers with no NAT led to a lot of hard lessons. At this point many of those have been learned, and there's a lot more depth to network security. Operating systems and key tools like web browsers and ssh are hard enough that strictly necessary updates like heartbleed patches are few and far between, and are hard to miss. The majority of what gets pushed out now through automatic updates for OSs and key software is exploiting the update channel to deliver crap features that increase revenues or deepen the moats for the company pushing them. They want to ensure that they can collect maximum rent with the least effort for as long as possible.

          Hopefully that abuse will reach a point where the camel's back breaks, and the pain of freeing yourself from vendor lock-in becomes worth it, prompting smart consumers and businesses in large numbers to use and support principled software projects through contributions of money, code and labor.

        • userbinator a year ago

          Was it really a "disaster"? Or just a natural consequence that we must continue to accept if we truly believe in freedom?

          People can learn and have personal responsibility, but the companies would rather use such examples for leverage to keep them ignorant and corral them into putting nooses of control around their necks.

        • LocalH a year ago

          What? Yes it did. Windows 98 had the first version of MS's Automatic Updates, with the Critical Update Notifications. Windows ME came with actual Automatic Updates, and so did XP.

        • hulitu a year ago

          > Windows XP didn't have automatic updates in the beginning. So approximately nobody had the relevant security patches for Windows and IE. The result were Sasser and MyDoom.A on almost every Windows machine. It was a disaster.

          Except that this was due to a vulnerability in Windows which was fixed _after_ those worms ravaged the Windows users.

        • account42 10 months ago

          I don't recall the world ending because of a couple infected Windoze machines. Plus it made teenagers like myself a bit of cash for cleaning up friends'/relatives' computers.

      • michaelteter a year ago

        The problem is that 99% of users will not be bothered with deciding anything regarding updates or any computer administration. So you either get automatic updates and situations like the current one, or you get out of date/exploited software.

        • JohnFen a year ago

          True, but I don't think that justifies the practice at all.

          At the very least, software needs to do what it used to do: make security updates separate from all other updates so users can just get the security bits.

          • nightpool a year ago

            Security update: Changed old expired analytics domain to avast.com analytics to prevent user data exposure

        • account42 10 months ago

          Today where we need exploits in order to regain computing freedom I take the exploits please.

      • gravitronic a year ago

        Reminds me of the pending update to 1Password 7 that I keep declining because the change notes say all it does is add a deprecation notice for 1password classic

      • asdff a year ago

        I do this with git packages too. Sometimes I rely on something and the author then makes a move to go to a version 2.0 and ruin what I liked about the ux/ui or how the functionality behaved. I have a few privately forked packages now where I bugfix certain components alongside the author, but keep other legacy components, and even add my own functionality and behavior to my own needs.

        Of course, in a world of walled gardens versus git repos, none of this very powerful use of ideas and computation can be done. I can't go to the Apple app store and easily cobble together my own franken app from what I find there. It's like a step back for innovation for our species when we set up these stupid profit seeking moats and gardens.

      • willcipriano a year ago

        Ben Franklin on automatic updates: "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety."

        • pixl97 a year ago

          Also Ben Franklin on turning off automatic updates: "Fuck, why are all my files encrypted"

          • willcipriano a year ago

            Who keeps anything important on a computer?

            • trog a year ago

              People

              • willcipriano a year ago

                Those people should enable automatic updates

        • sockaddr a year ago

          This quote never made sense to me. My decision to prefer one of these over the other doesn't mean I don't deserve either. It's a decision I make with my own unique economic and threat parameters. Being "deserving" plays no role here.

          • JohnFen a year ago

            I think what he was saying, in rather poetic language, is that if you give up liberty to gain safety, you won't get either of those things.

            I don't think he meant "deserves" in the literal sense.

            • xNeil a year ago

              That's a good way to think about it. Way I saw it was - if you are foolish enough to give up liberty for safety, you don't deserve the safety anyways.

          • CoastalCoder a year ago

            I've become skeptical, at least at first, of pithy / catchy phrases.

            Many seem to be well known because they're memorable, but some people assume they're well known because they contain wisdom.

            E.g., "It's always darkest before dawn." or (the often misconstrued) "The exception proves the rule."

          • brigandish a year ago

            Morals are about behaving right or wrong because that leads to good things or bad things, so, if you make the wrong choice (here, giving up some liberty for a small amount of safety) then you do indeed deserve what you get - neither - because you chose wrong.

          • rightbyte a year ago

            Ye it doesn't make sense. These rules of thumb need the implied "too much" in them from the get go, or people will use them to silly extremes in the wrong ways. That applies all too well to programmers.

          • qohen a year ago

            The quote actually meant something rather different than people think and has been taken out of context.

            Here's a discussion about it[0].

            First, here's the TL;DR:

            SIEGEL: So far from being a pro-privacy quotation, if anything, it's a pro-taxation and pro-defense spending quotation.

            WITTES: It is a quotation that defends the authority of a legislature to govern in the interests of collective security. It means, in context, not quite the opposite of what it's almost always quoted as saying but much closer to the opposite than to the thing that people think it means.

            And here's the detail, discussed just before the TL;DR (I put in some paragraph breaks):

            SIEGEL: And what was the context of this remark?

            WITTES: He was writing about a tax dispute between the Pennsylvania General Assembly and the family of the Penns, the proprietary family of the Pennsylvania colony who ruled it from afar.

            And the legislature was trying to tax the Penn family lands to pay for frontier defense during the French and Indian War.

            And the Penn family kept instructing the governor to veto.

            Franklin felt that this was a great affront to the ability of the legislature to govern. And so he actually meant purchase a little temporary safety very literally. The Penn family was trying to give a lump sum of money in exchange for the General Assembly's acknowledging that it did not have the authority to tax it.

            [0] https://www.npr.org/2015/03/02/390245038/ben-franklins-famou...

      • emaro a year ago

        I don't think it's feasible to check the ownership before every update of every extension. Or what do you have in mind? Just delaying the update so there's at least a chance to catch the bad news?

    • rlpb a year ago

      It's not a problem with everything. Distributions tend to add editorial input here and try to do something they consider reasonable for their users, staking their own reputation on that without trying to pass it off to the component publisher.

      For example, I doubt that Debian would take an update from an upstream that is detrimental to their users. They would follow a friendlier fork first. Debian maintainers follow their users' interests first.

      (I'm a Debian Developer)

      Edit: and that means you can generally trust automatic updates on Debian.

      • account42 10 months ago

        This is why the push towards application sandboxing and distribution by the developers themselves is IMO misguided.

        I'd much rather have my applications run unrestricted but vetted and if necessary patched by a trusted third party (the distro) than lock whatever dark patterns and anti-features developers come up with into a box ... where it still has access to all interactions with that box.

        In particular, I wouldn't trust a Firefox distributed by Mozilla without oversight but I still use the Firefox packaged by my distro.

        • rlpb 10 months ago

          > In particular, I wouldn't trust a Firefox distributed by Mozilla without oversight but I still use the Firefox packaged by my distro.

          But in the case of something like Firefox, distros are barely vetting anything, and are reluctant to patch because such patching rapidly becomes unmaintainable. Most dependencies don't end up unbundled, either. So distribution Firefox packages are really external packages in distribution package clothing, more so than any other package, really.

          This is why I want sandboxing anyway - because I understand the limits of what is practical.

          And sandboxing and limiting interaction through well-defined interfaces is better for security anyway, because security vulnerabilities happen regardless, and sandboxing does provide some level of mitigation.

          Finally, the distribution packaging model is insufficient for many users. Even if you are fine with it, most users want something newer than their distribution release, and we can see that they are prepared to give up security and system stability for it. This is a real need for these users, and sandboxed third party packaging mechanisms provide a real solution for them, even if you can manage without.

    • fhd2 a year ago

      I think it's a particular problem with extensions because:

      1. They usually mostly work in the background, don't need much interaction. It's almost like a built-in browser feature changing owners.

      2. They are pretty difficult to find a business model for - as opposed to SaaS stuff and mobile apps, which people pay for rather commonly. So the choice is to a) Make no money b) Ask for donations (seems to only work if it's somewhat obnoxious) c) Make money in some creative (often shady) way d) Sell the thing.

    • nazgulsenpai a year ago

      Case in point -- I mortgaged my home with a local bank then without me knowing or being asked I became a Wells Fargo customer. At least you can uninstall the extensions :)

      • JohnFen a year ago

        I strongly believe that selling ongoing loans to other companies should just be flat out illegal. You entered into a contract with your local bank, not Wells Fargo. It should not be legal for any party in the contract to unilaterally rope the others into a contractual relationship with someone who was not involved.

        • ceejayoz a year ago

          I certainly don't remember all the terms of my mortgage, but surely there's a "we can resell your mortgage" provision in the terms that we bilaterally agreed to.

          • pixl97 a year ago

            If you don't have the ability to strike that clause is it really bilateral?

            • ceejayoz a year ago

              You are under no obligation to sign. They are under no obligation to accept a modified contract. Both sides can walk away. Both sides will be bummed, but the bank is likely to care a lot less.

              • CatWChainsaw a year ago

                These kinds of libertarian explanations always conveniently neglect to mention any power imbalances between the parties. When called on it the response is usually just a less polite version of "oh well".

        • NeoTar a year ago

          How about if a company is taken over? Should I be “forced” to work for a company I did not decide to work for?

          • JohnFen a year ago

            You can quit your job. You can't quit your mortgage.

            • jodrellblank a year ago

              Return the house keys to the mortgage holder and walk away.

              (This is about as convenient, pleasant, and useful advice as the "just quit your job" advice).

              • gnicholas a year ago

                Actually it’s much easier than that, though not in the current interest rate environment: you just refinance, and likely save money along the way.

                Note that your first mortgage in CA is nonrecourse, but a refinanced mortgage is not nonrecourse (meaning the lender can come after you personally if you end up underwater).

            • hiatus a year ago

              What would an alternative be in the case of a lender being sold? Force a balloon payment for the balance? It seems a better alternative to be able to transfer the loan like any other asset.

              • JohnFen a year ago

                Well, that's an entirely different, and special, case that would require different rules, of course.

                That's not what causes loans to be transferred to others in the vast majority of cases.

            • cornel_io a year ago

              You can, though, that's literally what refinancing is.

              • JohnFen a year ago

                In many (but not all) cases, that's true enough, yes.

        • jonas21 a year ago

          It's not unilateral. The contract you sign has a clause that gives them permission to sell the loan.

          • JohnFen a year ago

            It is unilateral. That you agreed to give them the right to make such a unilateral change doesn't make it no longer unilateral.

            I think it's an unconscionable clause.

            • gnicholas a year ago

              Why would it be unconscionable? I don’t understand why people would care if their loan is sold. My student loans have been sold a couple times and I didn’t mind. What’s the downside for the borrower?

              • toast0 a year ago

                Who owns the loan doesn't make a lot of difference, really, compared to who services the loan. But even still, you may not want to do business with some company for any number of reasons: maybe they treated you or someone you know poorly in the past; maybe you don't like how they do business; etc.

                The loan servicer is more important --- some of them are terrible at their job and tend to misapply payments etc, causing extra work for the borrower.

      • paulryanrogers a year ago

        They can't change the terms of your mortgage though, can they? If not it doesn't matter much because things cannot get any worse for you.

        • wombatpm a year ago

          Yes they can. I had a mortgage that was sold to Washington Mutual (no longer in business). They did an audit of my escrow account and sent me a check for $2000. I called and said this seems to be a mistake. They said no. OK then. Two months later I get a notice from the county that the second half of property taxes was overdue.

          WaMu pays after several phone calls. Then sends me a notice that my escrow account is $5000 in arrears. So WaMu says that the 2000 was a mistake and I need to send that back, and that they are allowed to maintain an excess balance for taxes and insurance, so I need to send them another 3000 to bring the account current.

          I refinanced with a different organization that week.

          I was very happy to see them crater during the financial crisis.

          • lotsofpulp a year ago

            That is a shitty mortgage servicing operation, not changing the terms of service.

            • Dylan16807 a year ago

              You don't think another company coming in and demanding $3000 be paid early is changing the terms? Whatever you want to call it, it's bad. Even if it was authorized before, it's a very significant change to start demanding it. The practical terms have changed.

              • lotsofpulp a year ago

                I assume every mortgage has terms to include funding an escrow account with the next ~12 +/- 6 months of property tax + insurance.

                For sure, there is an adverse impact to a borrower who is not well versed in how mortgages work, but in terms of financial agreements, but unfortunately, the US does not punish financial companies for negligence in customer service.

                • Dylan16807 a year ago

                  The old company wasn't using that term, though. I think activating a major term is reasonable to talk about as a change.

              • jjav a year ago

                > You don't think another company coming in and demanding $3000 be paid early is changing the terms?

                No, because if (as here) the original mortgage contract included an escrow account, that contract surely allowed the mortgage holder to demand money to keep the escrow balance where they want it to be.

                So no, they didn't change the terms of the mortgage contract.

        • gigel82 a year ago

          When my mortgage was sold to a big bank I started getting charged a fee for "prepayment" (basically I'd do another payment against the principal once a year or when I had extra cash, which was a non-issue before the sale).

          Refinanced with a local CU and stayed with them ever since.

          • lotsofpulp a year ago

            Is this in the US? I would be very surprised if the prepayment (or any) terms are allowed to be changed.

            If in the US, I would be surprised to find out about prepayment penalties at all.

            https://money.usnews.com/loans/mortgages/articles/what-is-a-...

            > A lender cannot assess a prepayment penalty unless the penalty was included in the original terms of the loan.

            > According to the Federal Register, Dodd-Frank Act provisions “generally prohibit prepayment penalties except for certain fixed-rate qualified mortgages where the penalties satisfy certain restrictions and the creditor has offered the consumer an alternative loan without such penalties.”

            > For lenders that do charge these penalties, prepayment penalties cannot be imposed after the first three years of the loan term.

          • jjav a year ago

            > When my mortgage was sold to a big bank I started getting charged a fee for "prepayment"

            Are you sure? Whether a mortgage has prepayment penalties or not is one of the things that is specifically declared in every mortgage contract I've ever seen. They can't just change it after the fact.

        • JohnFen a year ago

          I think who you are doing business with matters a great deal even if the mortgage terms don't change. You're still being forced to do business with someone that perhaps you strongly object to doing business with.

          The company matters just as much as the product or service.

          • lotsofpulp a year ago

            Who you are doing business with can change even if the legal company is the same. Suppose an executive retires, and a new one wants to make their mark, perhaps by cutting costs.

      • jjav a year ago

        > At least you can uninstall the extensions

        Not a great example because the terms of the mortgage are fixed by the original contract, regardless of who they sell it to later.

        Whereas the extension (or any software) can radically change their terms (privacy policy, etc) in a single upgrade.

      • tric a year ago

        You can ask that the mortgage not be sold, and continue to be serviced at your local bank. I don't know if this increases costs, though.

    • asdff a year ago

      This is why tools are always better than products or services. Your hammer in the drawer isn't going to one day update itself and change. Neither is some of the bash tooling that's been around for decades. And should these things change, you always have your old versions of these tools in your drawers and storage drives.

    • leke a year ago

      I'm beginning to think Richard Stallman was correct about everything.

    • jxramos a year ago

      I was thinking about this in the food and personal products space. I dreamed up something like requiring some kind of notation to denote how many steps you are away from a parent company. Direct private companies with no parent would have no notation, once a parent company buys the company and its brands put a dot for every parent company above the company of the product you're now purchasing. Something to make this transfer visible.

      • jxramos a year ago

        come to think of it this would hide transfers between similar ranking networks where companies swapped things out.

        • joveian a year ago

          I think the thing to do there is to require that the controlling owner of the brand be mentioned in non-tiny print near the most prominent mention of the brand.

          • account42 10 months ago

            Better yet, make it so each independent company only gets one trademark and companies owned by another get none.

            The entire purpose of trademarks is to protect consumers. Being able to use them to mislead consumers is the opposite of that.

    • woodruffw a year ago

      I agree. I also don't think this is something that's formally solvable in the general case, at least not in a way that's practical for distracted and non-technical users.

      Instead, this is the kind of thing that needs to be solved on the policy level: Google and Mozilla have an interest in maintaining high-quality extension ecosystems, and ought to take a dim view of these kinds of ownership transfers.

    • HWR_14 a year ago

      That's a different issue. I can still run many old versions of software even if new versions are put out by some evil entity I no longer trust. Unless the software auto-updates. In which case I no longer have the old version.

      AFAIK, it is not easy (or maybe not possible) to opt out of extensions updates.

    • msla a year ago

      This is much less of a problem with open source software, although, admittedly, not completely unknown.

    • throwaway292939 a year ago

      At the risk of pointing out the obvious, this is mostly referring to Internet enabled goods and services.

      As other commenters have pointed out, it doesn't apply as much to actual physical products.

      So this leads to reason, should any of this be accepted as the norm?

    • sneak a year ago

      This is why people should be extremely cautious against self-modifying software (ie unattended autoupdate) - it grants remote code execution on your computer to remote parties.

    • grishka a year ago

      The problem is with automatic updates.

    • hedora a year ago

      As a corollary, any private information that a publicly owned company has is for sale (since the company could be bought or merge), and any information any company has can be force-sold during bankruptcy proceedings.

      Any time a company has physical access to your data, and says they will not sell it, they are lying (unless it is privately held, and never takes on debt / pays after delivery).

      In particular, EULAs and other contracts do not protect your information in the above situations, since debt and shareholder obligations generally come before customer obligations, and the data is considered an asset.

  • tectonic a year ago

    A decade ago I wrote an extension called SelectorGadget (https://selectorgadget.com/). It's effectively unmaintained, but it still works and people still use it. I make no money from it and never have. Every few months someone tries to buy it from me, and I ignore them because I don't want to f** over my users. But there are a lot of extensions out there and maybe their owners care less, or find themselves in a moment of financial hardship and they sell.

    • bombcar a year ago

      Apparently this is a known and open “business” to buy up used but old addons and convert them to advertising malware.

      Good on you!

  • ChrisMarshallNY a year ago

    That's also an issue with app stores.

    I have received a few solicitations to sell apps that had not been updated in a while (they were still good, but hadn't required an update).

    I suspect the buyer would repackage the app with some "extra spices," either advertising, or malware, and would count on the auto-update to force it onto users' devices.

    I declined. I remove moribund apps. I've written over 20 but only have a few on the store.

  • chaxor a year ago

    This problem is more far reaching than just extensions, and further reaching than what entity is in charge of something. For instance, the worst company imaginable may be in charge of software that was once FOSS, and they may change absolutely nothing about it, so it should be fine. However, if a small update is added that does something bad, you should know about it immediately.

    The solution seems to be much more clearly in the realm of things like crev: https://github.com/crev-dev/cargo-crev/

    Wherein users can get a clear picture of what dependencies are used in the full chain, and how they have been independently reviewed for security and privacy. That's the real solution for the future. A quick score that is available upon display every time you upgrade, with large warnings for anything above a certain threshold.

  • leke a year ago

    Just went to the extension page. A couple of interesting things I noticed.

    1. There is a "Write a review" button, but you cannot leave a review.

    2. There is no owner listed on the extension page. Only the text "Featured", and some kind of rosette certificate badge.

    https://chrome.google.com/webstore/detail/i-dont-care-about-...

  • crazygringo a year ago

    Change of ownership is easily gamed though. The change can be hidden or the extension can be "leased for 99 years" or whatever.

    It really makes me wonder if there's a way to formalize a system of verification, trust, vouching, etc. not just for extensions but for source-viewable software in general, version by version, diff by diff.

    Volunteers actually inspect an extension's JavaScript to check for anything potentially malicious (is it reporting on user activity etc.), they vouch for each other, and you select some core single individual or group to trust (or majority-vote or something), and then only allow software on your system that is vouched for. Nothing ever gets upgraded until it passes.

    • woodruffw a year ago

      These types of problems roughly map onto the distributed identity problem: there's no known way to distribute `K` authority identities to `M` trusting identities without some kind of trusted intermediate.

      "Vouching" can form that kind of trusted intermediate, but probably not without grinding an ordinary speedy update process to a near halt. That's probably a worse outcome than just having the pre-existing authority (i.e., Mozilla or Google) establish an enforceable policy around what constitutes an acceptable (or acceptably transparent) update.

  • nextlevelwizard a year ago

    Whole extension business is very shady.

    I have a couple of extensions I've made. Most have a couple hundred weekly users, but one has a few thousand and I have gotten emails about adding ad and search redirect code for some money. If I was in a bad financial situation or just didn't care, I could have just added the code without anyone really knowing.

  • bastardoperator a year ago

    Everything about this is sad. Sad that I have to install an extension to get rid of stupid messages forced upon me just for visiting a website, sad that an untrusted company is trying to buy trust, sad that users have to waste time switching away.

  • londons_explore a year ago

    > If an extension fails to disclose a change in ownership,

    They would just change ownership and keep that a secret from the world. Avast would 'hire' the dev of this extension, and provide him with more engineers and ideas of features to implement.

  • mozman a year ago

    The real problem is with browser extension permission models. It should have far less privileges.

    • marcthe12 a year ago

      Technically that is what Chrome MV3 is. The issue with that is they also heavily restricted any kind of content blocker by replacing most APIs with a declarative API.

      • ThunderSizzle a year ago

        The permissions granted should be more granular and controlled by the user, not less granular and controlled by Google.

        MV3 is the reason I switched back hesitantly to Firefox.

  • TheRealPomax a year ago

    This is why you have the power to turn off auto-updates on anything that has auto-updates. And you should exercise that power. That way you'll wake up to the news of a horrible change, not the reality of already being part of it.

  • npteljes a year ago

    I mean, I have been the user of my body for some time and things just stop working as they used to.

    Change just happens, you need to be on top of it, to not miss things like this. This isn't going to have a technological solution.

  • mouzogu a year ago

    I can't recall the last time a software update had a noticeable improvement for me but many cases where it made things worse.

    So I just refuse and skip all updates, but yeah that's not an option with extensions afaik.

  • treffer a year ago

    Except.... Companies regularly switch their legal entities around. Which can be annoying. So you might wake up one day seeing ownership was transferred from <X> to <X>.

    Still, it could be not disclosing it in such cases and live with it in a gray zone.

  • that_guy_iain a year ago

    This can also happen with any SaaS and many services. They get bought and sold quite a lot.

  • 2h a year ago

    Firefox:

    1. Open application menu

    2. Add-ons

    3. Extensions

    4. click gear

    5. uncheck Update add-ons automatically

    • woodruffw a year ago

      I know how to disable automatic updates. The point was that there's a substantial shift in trust when the underlying identity that controls an extension changes.

      • 2h a year ago

        > I know how to disable automatic updates

        doesn't seem like it:

        > I can be a passive user of an excellent extension for years, and wake up one morning to discover that my browser has (silently!) upgraded the extension

        you want to roll the dice with automatic updates, you have only yourself to blame when they break something you care about. people always scream BUT MUH SECURITY, and at the same time ignore every other awful change that is rammed through automatic updates. pick your poison.

        • woodruffw a year ago

          Please read charitably.

          I don’t want to “roll the dice.” There is a significant difference in user model between trusting a single identity to provide updates automatically, and naively trusting updates that come from a new identity.

          In the context of web extensions, not auto-updating is frequently not an option: web extensions are part of an arms race between users and websites, with the extensions continually playing catch-up.

          • 2h a year ago

            it is an option.

            just because you might find one choice extremely distasteful, doesn't mean the option ceases to exist. so I will say again, pick your poison. you opt in, or fail to opt out of automatic updates, then you accept anything that might happen because of that.

    • bombcar a year ago

      I wish you could indicate some addons to update automatically, but after six months of no update that addon switches to manual.

  • tekno45 a year ago

    cause: late-stage capitalism

handsclean a year ago

We need to stop writing “X buys Y”, and start writing “Y sold to X”. Big co’s aren’t some boogeyman that can buy whatever they want, individuals and small companies are selling out, and by pretending they’re blameless we normalize it. This extension wasn’t taken over, it sold out. Like LastPass, Private Internet Access, WhatsApp, Figma, Dark Sky, Wunderlist, the list goes on. All decided that, actually, they care less about their mission, users’ experience, and users’ trust than they do a pile of cash. And that’s not necessarily horrible or even wrong, but what is wrong is for us to not even withdraw our trust from people who have sold it. Or for us to withdraw equally from those who don’t.

  • legitster a year ago

    Nearly every startup I worked at had a slide deck as early as day one that included "get bought" as their primary exit strategy.

    • bluGill a year ago

      The only startup I was in didn't. They ran short of money and laid me off, but 20 years later the company is still around doing the same thing they always have and I assume making money. Just before they laid me off they rejected a buy out offer from a big company.

      I think that is actually normal overall, but the real fast riches are of course in the big buyout.

  • jasonhansel a year ago

    > they care less about their mission, users’ experience, and users’ trust than they do a pile of cash

    It's called "being a for-profit company."

    • chihuahua a year ago

      Also known as "trying to earn a living"

      • account42 10 months ago

        Neither working in a for profit company nor having to earn a living are valid excuses for ignoring your morals. This kind of attitude is another thing we should not normalize.

  • ThunderSizzle a year ago

    There's a lot of sell outs, not just someone who sells their app.

    Many people work for places and sell their soul to them, accepting the evil they push - e.g. Google

    It's not unique to solo devs. Unless you work for a morally sound employer, and only interact with morally sound companies, throwing shade like that just means the boot will fit on you too.

    • account42 10 months ago

      And? The proper action here is to improve yourself, not to let others get away with immoral behavior.

  • gnicholas a year ago

    There seems to be a lot of edtech startups being sold to big companies right now. I’m guessing these are distressed companies that need to raise tons of money or find a buyer. Since the VC landscape has changed in light of the end of free money, they’re disproportionately being sold off.

    I don’t blame the companies, though I’ve taken a bootstrapped strategy because I didn’t want to get stuck on the VC treadmill.

  • throwawaysleep a year ago

    Because the overall mission is to make money. The stated mission is just how they plan to do so.

loloquwowndueo a year ago

Someone here in HN recommended Consent-O-Matic instead of I don’t care about cookies. Said “I don’t care about cookies is the extension advertisers want you to install” :) apparently it just says yes to everything. Consent-O-Matic specifically configures things to share the least amount of information possible.

  • londons_explore a year ago

    Sites work much better if you just say yes to everything. Devs never test the 'no' path as well, and half the time you'll find embedded videos/maps/tweets won't display or are buggy.

    Since I care about a fast efficient web experience far more than I care about leaving digital footprints around, I choose the extension that says yes to everything.

    • rossjudson a year ago

      I'm more or less in your camp. I really don't care about "saying no to cookies" because I don't believe that sites will implement no properly anyway. I'd much rather be relying on the clear (hopefully!) lines being drawn by my browser and its settings.

      Asking me if I'd like to allow various cookies is by far the least important part of the problem. Relying on the cooperative efforts of site owners? Really?

      • account42 10 months ago

        This kind of defeatist attitude is exactly why we can't have nice things. The overton window is a thing. Pushing back matters.

    • George83728 a year ago

      Why answer the question at all? I use uBlock Origin's cosmetic filters to simply delete the prompt from the page. I neither accept nor decline, and I've never run into problems with this.

      • Liskni_si 10 months ago

        Have you ever tried booking flights with EasyJet? Their web servers would just literally stop sending you TCP packets once they see a session cookie that hasn't accepted the cookie consent within a minute or so. Took me a while to figure this out, and until I realised it's caused by me not seeing the cookie consent modal, my workflow was to clear cookies and then try to book the flight within 60 seconds. :-D

      • avnigo a year ago

        I've had no luck blocking YouTube's consent popup with uBlock Origin. From what I remember, it would randomize the element ID and also add a load delay, and if you managed to block it, it would block comments from loading or break scroll etc. With Consent-O-Matic, it works just fine.

      • toxicFork a year ago

        Some websites block interaction until the pop-up is dismissed

        • jay3ss a year ago

          In that case I usually just leave if it's not a site I absolutely have to use

        • George83728 a year ago

          As far as I've seen, they all do this using a transparent element placed over the page.. which I filter away.

    • bmacho a year ago

      I don't think I've ever seen a website that broke when I clicked "decline", or "disable all+save".

      (Yes, I manually click or click click for every website. Also I don't think that EU "broke the internet", rather they made me painfully aware that every f.in website uses cookies and other tracking methods just to give my browsing history to ~300 total random company for no reason.)

    • wavesounds a year ago

      Well if "no" becomes the default then I'm sure engineers would switch over to testing that path more frequently instead

    • legitster a year ago

      > Devs never test the 'no' path as well

      It's not just that - some services are literally unrenderable without cookies! (Fewer these days at least).

      • loloquwowndueo a year ago

        Consent-O-Matic does not reject all cookies - it responds intelligently and automatically to the cookie consent dialogs and selects only essential cookies.

        If someone says a cookie is non-essential and rejecting it results in their site not working that’s on them - a human might manually choose to reject it, it’d be the same end result.

  • mcmcmc a year ago

    With a name like "I don't care about cookies" it does kind of make sense that it would just auto-accept everything. After all, they don't care about cookies

  • BaseballPhysics a year ago

    Better to just start using Firefox multi-account containers. An add-on like I Still Don't Care About Cookies ensures you aren't bothered by the popups, and temporary containers are wiped upon tab closure so anything those sites leave behind is automatically deleted.

    • account42 10 months ago

      Reminder that consent applies not just to cookies but to all kinds of tracking, including fingerprinting and server-side techniques.

  • ornornor a year ago

    I found using Firefox containers (new tabs get new empty containers, sites I use often get their own separate containers but always the same ones so I don’t have to login every time) + ublock origin means that accepting cookies doesn’t matter as much anymore. Because once I close the tab, the container is destroyed and so are the cookies, and the various ad and analytics servers were not getting data anyway because uBo was blocking them.

  • bluGill a year ago

    I just hit control-w when i see a consent dialog. It is rare that anyone is really important enough that i'd do more.

JimWestergren a year ago

Instead of this, just activate the filter in uBlock Origin: Filter Lists -> Annoyances -> EasyList Cookie

  • bertman a year ago

    I don't think the behavior is strictly equivalent. From this extension's description:

    When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do).

sysadm1n a year ago

I still have a copy of this addon, before it got acquired by Avast. I turned off automatic updates for extensions in Firefox, since I don't want weird / malicious code being pushed into my browser. I do this since I audit some extensions for malicious code, and want to keep the good / last-known-good version, before a tainted/malicious one arrives in my browser in an update.

It's broken though, and messes up YouTube by persisting the cookie interstitial in an invisible overlay, making the interface unusable. This is why these types of addons have so many new versions: they have to constantly watch for changes in the JS/CSS of cookie banners.

Thank god we have community maintained alternative forks[0]

[0] https://addons.mozilla.org/en-US/firefox/addon/istilldontcar...

leke a year ago

One comment:

> It is very wrong for the extension to change ownership without warning the user about it. I trusted the original developer of this extension, but i do not trust Avast.

I don't see the logic here. Unless Avast had threatened him, I wouldn't trust either of the parties. How do you trust someone that sells their extension to someone you don't trust and still trust them?

  • crote a year ago

    Avast has a well-documented history of selling people's browser data. Random Developer #155767 does not, and is therefore more trustworthy.

  • Kelamir a year ago

    The trust is in the fact that Firefox has proofread the extension. It is marked as "Recommended".

AdmiralAsshat a year ago

Did they actually do anything yet, or is it just assumption that they will because why buy a popular extension these days if that's not the goal?

  • moonshinefe a year ago

    A bit of that, and the fact Avast got caught just a few years ago massively spying on all their users and selling their data both in their browser extension and free anti-virus apps.

  • gnicholas a year ago

    This is a fair question. Everyone is piling on here, sort of without regard to whether anything bad has actually happened. Of course, even if they don't change anything, the extension is now funneling whatever data it collected to Avast, a company that many hold in low regard (myself included). But it would be appropriate to have a discussion about what they're doing now that's bad, aside from not telling anyone about the acquisition.

uoaei a year ago

I wasn't informed of this sale before it occurred, and Avast has a history of stealing and selling user data. I did not produce informed consent for this add-on to continue operating under those conditions. I reported it to Mozilla when I uninstalled the old add-on as stealing user data and I encourage everyone to do the same.

thih9 a year ago

Why is this a problem?

I can imagine a number of scenarios, but I'm unfamiliar with this particular case. Could someone elaborate on what actually happened or what is the danger?

  • phendrenad2 a year ago

    A company doesn't acquire something for no reason, and people are suffering FUD over what that reason could be. Maybe they'll put in annoying popups ads for their other products. Maybe they just want market research data. Or maybe they just thought being the provider of this service would garner goodwill somehow.

  • moonshinefe a year ago

    Avast was caught massively spying on their users in their browser extension and anti-virus apps just a few years ago, check out their wikipedia page.

  • itronitron a year ago

    What are the scenarios that you can imagine?

    • papichulo2023 a year ago

      Charging companies to exclude them(adblock way)

      • notatoad a year ago

        companies have to provide the cookie prompt as a legal requirement - it's not something they want to do or get any benefit from. what this extension does is blindly accept the cookie prompts.

        it's not something any company would want to be exempted from. companies like this.

        • bluGill a year ago

          Companies only need that if they place nonessential cookies.

clumsysmurf a year ago

I was under the impression this was obsolete using Firefox 114 "Cookie Banner Reduction" feature.

debacle a year ago

I remember 20 years ago when Avast were the good guys.

It's interesting how brand perception changes over time.

  • itronitron a year ago

    I remember when SourceForge were the good guys. That should be a cautionary tale for many companies but they got dropped so hard and fast that now no one has heard of them.

  • scohesc a year ago

    I remember leaving my computer on overnight in my room and being startled awake by a really loud pig squeal when Avast detected a virus on my PC.

    Just looked up what Avast looked like in the 2000's. The aftermarket car stereo GUI[1] just brought back memories I forgot about :P

    [1]http://assets.oldversion.s3.amazonaws.com/images/avast-free-...

    • cubefox a year ago

      That looks like WinAmp.

  • b215826 a year ago

    Norton and McAfee were the bogeymen those days.

    • yomlica8 a year ago

      At least you can still rely on some things to not change.

huksley a year ago

It is a widespread problem with extensions and much more common than you would think. Also developers completely change extension to be something else and you only discover it when it asks for more permissions or by going to the extension page.

Notable examples:

- Resolution test (allowed to change browser size so you can make perfect screenshots and videos), now needs full tab content access because "Facebook upload functionality" - [1]

- Awesome screenshots (it was perfect extension which allowed to take screenshots and videos), now it is called "Awesome ChatGPT Screenshot & Screen Recorder"

- [1] https://chrome.google.com/webstore/detail/resolution-test/id...

- [2] https://chrome.google.com/webstore/detail/awesome-chatgpt-sc...
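
The change described in the comment above, an update that renames the extension and starts asking for more access, can be caught before an update is accepted by comparing the `manifest.json` of the installed version with that of the update. This is an added example, not part of the original thread; both manifests and all function names are constructed for illustration.

```javascript
// Added example: diff the access requested by two versions of an extension manifest.
// The two manifests at the bottom are constructed samples, not real extensions.

// Match patterns that grant access to (nearly) every site.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// In MV2, host match patterns share the "permissions" array with API names,
// so entries have to be told apart by shape.
function isHostPattern(p) {
  return p === '<all_urls>' || /^(\*|https?|wss?|ftp|file):\/\//.test(p);
}

// Collect API permissions and host access from "permissions" (MV2 and MV3),
// "host_permissions" (MV3) and content_scripts[].matches.
// Optional permissions are left out: they are requested at runtime, not at install.
function collectAccess(manifest) {
  const api = new Set();
  const hosts = new Set();
  for (const list of [manifest.permissions, manifest.host_permissions]) {
    for (const p of list || []) {
      if (typeof p !== 'string') continue;
      (isHostPattern(p) ? hosts : api).add(p);
    }
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) hosts.add(m);
  }
  return { api, hosts };
}

// Report what the new version asks for that the old one did not.
function diffManifests(oldManifest, newManifest) {
  const before = collectAccess(oldManifest);
  const after = collectAccess(newManifest);
  const addedApi = [...after.api].filter((p) => !before.api.has(p)).sort();
  const addedHosts = [...after.hosts].filter((h) => !before.hosts.has(h)).sort();
  const hadBroad = [...before.hosts].some((h) => BROAD_HOSTS.has(h));
  const gainsBroadHosts = !hadBroad && addedHosts.some((h) => BROAD_HOSTS.has(h));
  // A localized name appears as "__MSG_...__"; the comparison still detects a change of key.
  const nameChanged = oldManifest.name !== newManifest.name;
  return {
    addedApi,
    addedHosts,
    gainsBroadHosts,
    nameChanged,
    needsReview: addedApi.length > 0 || addedHosts.length > 0 || nameChanged,
  };
}

// Constructed sample: the version currently installed.
const installed = {
  manifest_version: 2,
  name: 'Example Window Resizer',
  version: '1.4.0',
  permissions: ['tabs', 'storage'],
};

// Constructed sample: the update, renamed and asking for access to every page.
const update = {
  manifest_version: 3,
  name: 'Example Window Resizer & Uploader',
  version: '2.0.0',
  permissions: ['tabs', 'storage', 'scripting'],
  host_permissions: ['<all_urls>'],
  content_scripts: [{ matches: ['https://*/*'], js: ['content.js'] }],
};

console.log(JSON.stringify(diffManifests(installed, update), null, 2));
```

A manifest diff only shows what an update is allowed to do; code changes that stay within the existing permissions still need a review of the packaged scripts.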

ruined a year ago

there are cookie dialog lists for ublock origin and other adblockers, btw

  • sphars a year ago

    In uBO, it's under Settings > Filter lists > Annoyances > enable EasyList Cookies Notices and AdGuard – Cookie Notices to hide cookie banners.

    • londons_explore a year ago

      For many sites, just hiding them isn't enough - if you want the website to work properly and not randomly log you out immediately after logging in, then you need to either accept or decline cookies.

    • codewiz a year ago

      Very odd, uBlock Origin for Chrome has "EasyList Cookies Notices", but "AdGuard – Cookie Notices" is missing. The Firefox extension has both lists. The version is the same: uBlock Origin 1.49.2.

      Does this have anything to do with Chrome's new extension API nerfing ad blockers?

      • sphars a year ago

        I'm not sure. I'm in Firefox, but I did have to refresh the sources in the uBO settings and more showed up.

rossjudson a year ago

One of the better uses of my time last year was just writing my own ad blocking extension. Of course it doesn't get everything -- that was never my intent. I just wanted to get rid of the most egregious crap, like Taboola and the variously spawned similar demons.

It's quite good at doing that.

Sounds like I might need to investigate consent as well...but the "pain identification" isn't going to work the same way. With the consent management, I'll probably end up having to do a lot of per-site work...which kind of defeats the purpose. Sigh. Guess I'll find out, on a sufficiently annoyed weekend.

  • sureglymop a year ago

    I did the same! Just wrote my own extensions for features I wanted and it was super easy and straightforward (albeit a little limited in firefox). Wrote one for pinning tabs on the right and wrote one to search through all open tabs with ctrl+f. Quite nice how accessible this is!

bandrami a year ago

Between GDPR warnings and ubiquitous site notification pop-ups (side question: has anyone ever intentionally clicked "yes" to a site notifications request? can the browsers just admit this was a horrible idea and move on?) out-of-the-box browsers are basically unusable on just about every website. Leading to extensions and situations like this.

  • The_Double a year ago

    I think the original goal, and one I still support, is for websites to realize that they are better off with not showing the banners and just defaulting to "no". It's been surprising to me that an industry that has been somewhat obsessed with click latencies and getting users to content quickly are willing to annoy all their users for the extra income from personalized ads. The difference in value must be a lot.

  • technion a year ago

    An org wide policy to disable browser push notifications visibly changed helpdesk load and security incident reports overnight.

    Non technical, average users hit "yes" in nearly every case, usually ending with opt in to fake tech support popups and porn spam.

  • PeterisP a year ago

    Thing is, there are "websites" and "web apps"; the latter replace things that we used to have on the desktop and we want significant permissions for them (notifications, constant updates in the background, copy/paste integration, drag&drop integration, camera and microphone access, etc) and the former should get nothing, as all of these can and do get abused - but from a technical perspective they look the same to the browser.

    The way I see it, it would make sense to explicitly whitelist a website (e.g. Gmail or Webex) in a similar manner to installing an app, and all the other websites don't even get to beg for these permissions.

  • chungy a year ago

    > can the browsers just admit this was a horrible idea and move on?

    It wasn't the browsers, it's EU regulation. Most sites choose to operate legally in Europe, so the banner is displayed. Devs don't care about making it so only European users see it, so the rest of the world must suffer too.

    • crote a year ago

      The EU should've just mandated websites to follow the Do Not Track header. That would have saved everyone a lot of effort.

    • bandrami a year ago

      I meant the ability to offer desktop notifications. The browsers should just deprecate that.

  • scq a year ago

    > has anyone ever intentionally clicked "yes" to a site notifications request?

    Yes, for Google Calendar and Slack.

  • geysersam a year ago

    Still thousand times better than the walled garden app stores.

    If we want complicated apps to be available on the web we need complicated browsers. The competition situation is troublesome but nothing compared to the complete monopolies Apple and Play store has.

  • pndy a year ago

    I still believe that cookies consent should be handled by the browser and not by sites. Because all these cookies preferences are temporary in nature and disappear when user decides to clear cache or it gets removed automatically. Not to mention that this control via modals applies for device currently in use and doesn't get carried around (not sure if browser synchronization changes anything)

    Having this within browser in theory should solve the issue of consent but I frankly doubt that such permanent solution would agree with Microsoft or Google goals. Mozilla - perhaps would roll this but I wouldn't have any big hopes.

    And yes, I did intentionally click "yes" thinking no 3rd-party cookies will be saved but that was in the early days of GDPR. There are sites that allow users to disable 3rd-party "legitimate interests" cookies under modal submenus and some only show em in enabled state without any options.

NoZebra120vClip a year ago

I used Avast! anti-virus in Windows for a while, and for a short period on my Android device as well. I found it to be pretty usable and friendly, but most functions including anti-malware seemed superfluous or dubious. But it was nice and comforting to scan and find nothing. I had a subscription to the premium service because it had perks, like more devices and features and stuff.

I gradually found that the remote features in the vein of "Find my Device" were trash and never worked. I could never contact my Android tablet with the website, or make any meaningful GPS search for it. I didn't once try factory-wiping it, but I basically assumed that it would fail in the very moment I needed it most. Fortunately, I never did require these features, and they stayed resolutely broken.

Avast! changed something about the service and I decided it was totally not worth having anymore, so I canceled and uninstalled, then they charged me again (Google Play Store). I was able to go after them and procure a refund, but I was not happy about the casual consumer abuse after a malfunctioning product.

Avast! is HQ'd in the Czech Republic, and I have mixed feelings about my cybersecurity entrusted to such a faraway foreign land that's close to the whole Eastern Bloc, so good riddance, and I guess I'll use Malwarebytes next time.

  • zoul a year ago

    Practically speaking, none of the security risks involved have anything to do with the Czech Republic – it’s a safe, modern European democracy with data protection laws better than US.

    • NoZebra120vClip a year ago

      I believe you, I really do, but they are still a foreign nation thousands of km away, and the laws are different and largely unknown to Americans. In their HQ and datacenters, they would also be subjected to a rather different mélange of threat actors, and so an adversary that would have no chance in these United States, might have an opening to use Avast! as a vector, or at least exploit the juicy, juicy log data and telemetry they are able to collect with their root-privileged apps.

      • encabulator a year ago

        Now you know how I feel every day using services from companies like Google and Apple that are in a foreign nation thousands of km away, and the laws are different and largely unknown to me :)

      • reportgunner a year ago

        Who is the chairman of Avast? Who owns Avast? Americans do.

        Americans buying Avast is when Avast became this bad.

  • inglor_cz a year ago

    "I have mixed feelings about my cybersecurity entrusted to such a faraway foreign land that's close to the whole Eastern Bloc"

    Interestingly, I as a Czech have very mixed feelings towards the security of anything coming from a big country such as the US. Big countries with a big national security apparatus can strongarm their businesses into all sorts of backdoors more efficiently.

    If anything, the former Eastern Bloc is sorta culturally more wary about trusting governments and giving them intrusive powers. We were burnt thoroughly by the old governments being too powerful. Westerners often strike us as being naive with regard to their own political class, and too willing to give up their personal autonomy if a suitable boogeyman is invoked.

Ajnasz a year ago

This whole "I accept these cookies" is broken from the beginning. First of all, why do they want to use any of those cookies which are not needed? Use a session cookie, so I can be logged in and I can access the data and page, but the others are nonsense.

Also, I would accept one cookie, which stores that I don't accept other cookies.

michaelgiba a year ago

Next up: “I don’t care about cookies but care when an extension tracks the fact I don’t care about cookies”

  • recursive a year ago

    "I don't care about cookies" is just the name of the extension. In actual fact, it indicates that the user doesn't care if the server sends cookies. The user agent is still in control of what it does with them, and whether it includes them in subsequent responses.

Semaphor a year ago

"I don’t care about tracking" gets bought by a tracking company. I guess that makes sense.

leke a year ago

So the word on the street is to use "I still don't care about cookies", which is a fork of the original. So Avast bought an open source code base that can be forked? Is this a good business decision? I wonder how much they paid for it?

  • gnicholas a year ago

    It's a good business decision if the vast majority of users never find out, and keep blithely using the original version.

biql a year ago

There should be a standard way for all browsers to tell sites whether they accept cookies or not. There is no reason every user should deal with this banner manually for all sites.

phendrenad2 a year ago

Why exactly can't browsers provide this functionality themselves? Is this prohibited by some questionably-well-meaning-but-nonetheless-harmful law?

  • slondr a year ago

    They are, and Firefox does (Beta currently, hitting stable in July)

yasuocidal a year ago

I see a lot of "I didn't get notified about the change" in the reviews, but personally I got 3 of them. 1 was just out of the blue and the other 2 were when I installed the extension (I formatted my PCs). I know that the move is bad, don't get me wrong, but a notification was present; most people just close the "New Tab" that opens from an extension, and that's maybe how they missed it. Anyway, there is a community one, "I still don't care about cookies", and I will be moving to that one.

kzrdude a year ago

I've been using Consent-O-Matic instead. It takes your preferences and tries to opt out of tracking everywhere possible.

MickyTheMouse a year ago

I still don't care about cookies & Cookie AutoDelete is a powerful combo

valcron1000 a year ago

How much did Avast pay for the extension?

rektide a year ago

I'm sort of surprised these users would care. They literally went to go download an extension to let anyone track/surveil them however they wanted.

But oh no, now there's a big corp that owns the extension! And they might be surveilled!

  • yazzku a year ago

    Not really. Cookie banners are irrelevant and do not preclude tracking, they just take up space and give a false sense of privacy. These users installed the extension because they'd rather not see the pop-up to begin with. And then Avast bought the extension.

  • londons_explore a year ago

    To be fair, websites can't track much about you - they can only track your visits to partner websites, and even then the website owner usually can't see all the detail - their ad platform won't share that with them.

    Whereas the extension has full access to not only your browsing history, but also every password, every credit card number ever typed, etc.

    Cookies are a minor privacy problem compared to an 'access all sites' chrome extension.
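The "access all sites" concern raised above can be checked from an extension's `manifest.json` before installing or after an update. The following is an added example, not part of the thread and not code from any extension discussed here; the two sample manifests are constructed for illustration.

```javascript
// Flag manifest entries that let an extension read or modify every site.
// Match patterns covering all web origins: <all_urls>, *://*/*, https://*/* ...
const BROAD = /^(<all_urls>|(\*|https?|wss?):\/\/\*\/.*)$/;

function isBroad(pattern) {
  return typeof pattern === "string" && BROAD.test(pattern);
}

// Returns one finding per broad grant, naming the manifest field it came from.
function auditManifest(manifest) {
  const findings = [];
  const check = (field, patterns) => {
    for (const p of patterns || []) {
      if (isBroad(p)) findings.push({ field, pattern: p });
    }
  };
  // MV2 mixes host patterns into "permissions"; MV3 uses "host_permissions".
  check("permissions", manifest.permissions);
  check("host_permissions", manifest.host_permissions);
  // Optional grants can be requested later, e.g. after an update.
  check("optional_permissions", manifest.optional_permissions);
  check("optional_host_permissions", manifest.optional_host_permissions);
  // Content scripts are injected into every page their "matches" cover.
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  return findings;
}

// Constructed sample: a banner-hiding extension with all-sites access (MV2).
const broadMv2 = {
  manifest_version: 2,
  permissions: ["storage", "tabs", "<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

// Constructed sample: an extension scoped to a single site (MV3).
const scopedMv3 = {
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://*.example.com/*"],
  content_scripts: [{ matches: ["https://*.example.com/*"], js: ["c.js"] }],
};

console.log(auditManifest(broadMv2));  // two findings
console.log(auditManifest(scopedMv3)); // no findings
```

A cookie-banner extension generally needs broad matches to do its job, so a finding here is not proof of abuse; it marks which extensions deserve a closer look when ownership changes.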

  • larperdoodle a year ago

    >In most cases, the add-on just blocks or hides cookie related pop-ups. When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do)

    • rektide a year ago

      I'm curious what the % rate is for users to not get tracked, versus great caring tools like Consent-O-Matic.

      The name itself screams apathy here. My understanding from a while back was that the tool actively accepted a wide variety of cookies, and did nothing to minimize selections. I don't know if this is a misinterpretation, or if the project has changed to actively start caring somewhat about cookies.

  • mynameishere a year ago

    Yeah, that never made any sense. Is there any add-on that basically...forces websites to adhere to the browser-configured cookie settings? And if any popups contain the word "cookie" to basically just remove the element? If it renders websites inoperable, I'm okay with that.

    • tomrod a year ago

      I browse mobile with Javascript defaulting to blocked. Not sure how it happened, truth be told, Brave just started blocking it one day. Most of the experience is unaffected.

  • JohnFen a year ago

    I think the issue isn't just that it's a big corp. It's that it's Avast, specifically.

    • norman784 a year ago

      Why does it matter that it is Avast? I haven't followed the antivirus scene for a decade.

      • JohnFen a year ago

        Avast collects and sells your browsing history, among other pieces of your personal data. This caused a bit of a stink a while back when people discovered it.

  • derefr a year ago

    I don't even care that they might watch me. I care that they might use my computer's resources to do so; or might start making the extension do other stupid stuff, like injecting ads for Avast AV. "Not caring about cookies" doesn't cost anything, CPU-wise.

dmw_ng a year ago

Random aside: this extension had absolutely the worst internals of any I've ever looked at. Love the functionality, but really wish I'd never seen the spaghetti behind the illusion (source files below). It feels like approaching it as a text classification problem might produce a clean general solution.

https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies/...

https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies/...

  • paddw a year ago

    There is nothing wrong with these internals. Hard-coded rules are not necessarily "spaghetti code". I sincerely doubt there is any reliable way to come up with a general solution without relying on hard coded rules (at least without using AI).

    • dmw_ng a year ago

      It doesn't seem like an overly difficult problem: try to find a text fragment (e.g. DOM mutation observer) requesting consent in some container that has some other element with an onclick handler (maybe optionally trying to figure out if image filenames / labels of that element look sensible). Maybe an approach like this will only work 70% of the time, but that seems likely to be a better strategy than embedding a giant list of every relevant site on the Internet.

      • arp242 a year ago

        Even a single false positive would be too many, as it would probably break the entire site.

  • geysersam a year ago

    Isn't it just a lot of data?

    Not sure what's bad about the code. I mean, the variable names could be more enlightening, and there are no comments, but I don't think it qualifies as "spaghetti".

  • jamesmurdza a year ago

    I'm not the dev but I find the code logical since each selector is arbitrary and based on a completely different HTML page. Abstracting it would be a huge hassle—would be interesting to see an attempt though!