HackerTrans
TopNewTrendsCommentsPastAskShowJobs

palant

no profile record

comments

palant
·last year·discuss
Note: I am the author of this article.

Apples and oranges. Android is supposed to isolate apps from each other (yes, theory). So a malicious app should only be able to steal data the user provides it with.

On the other hand, a single malicious extension will compromise the entire browser. Nothing you do on any website is any longer safe.

Not that I don’t think that Google should pay more attention to the apps in the Play Store. But allowing extensions to hide their functionality with remote code is plain negligent.
palant
·2 years ago·discuss
Note: I am the author of this article.

MV3 makes it considerably harder to introduce a security vulnerability, but it doesn’t really help with outright malicious extensions. In the end this isn’t an issue which can be solved by technical means. It’s a moderation issue, and Google currently seems to be scaling back moderation despite not being great at it to start with.
palant
·2 years ago·discuss
Note: I am the author of this article.

That question is answered, in the last section of the article. And: yes, they are selling it, as they admit in the privacy policy.
palant
·2 years ago·discuss
As I said: “according to many credible witnesses, not all of them anonymous. Heck, some of it is even on video.”
palant
·2 years ago·discuss
What is there to be gained you ask? Well, there is currently a creep in a position of power at FSF who is actively making women and other people feel unwelcome, effectively pushing them out of the community. By removing him from this position, making it clear that such behavior is unacceptable and will not be tolerated, a much broader participation could be achieved. And then these "much bigger" issues you seem to care about have a better chance of being solved.

Unless of course your whole point was using whataboutism to defend your hero, because you think that past achievements always outweigh any harm he may be doing.
palant
·2 years ago·discuss
[flagged]
palant
·3 years ago·discuss
As I said, one device is enough.
palant
·3 years ago·discuss
Note: I am the author of this article.

They have at least one device with an unencrypted copy of their data, likely two or more. They only need this passphrase to set up sync. If they ever forget it, they reset sync, set a new passphrase and re-upload the data. No nuking.
palant
·3 years ago·discuss
Note: I am the author of this article.

Yes, they will probably ask Facebook then. Or check your web search history. There is more than one source for them to draw from. But you can shut down this huge source of your private information easily. You can deal with the rest of them later (all possible).
palant
·3 years ago·discuss
Note: I am the author of this article.

Firefox Sync encrypts all data on the client side before sending it. Chrome Sync can do the same if you know which settings to use. 1Password, Bitwarden, Dashlane – every password manager worth their salt encrypts data locally (LastPass is the only one which failed really badly here). How is this rare and not something we should expect?
palant
·3 years ago·discuss
Funny thing is: declarative access to websites still allows for plenty of mischief if one wanted to do it. I’ve actually seen malicious extensions abuse that. Browsers might have to revisit the decision to ignore declarative access as far as the permission prompt goes.
palant
·3 years ago·discuss
Note: I am the author of this article.

Yes, they fixed this particular issue (and a few more), the article mentions it. But the update I published today explains why Chrome Sync is still very bad privacy-wise (as opposed to outright horrible which it was back in 2018). https://palant.info/2023/08/29/chrome-sync-privacy-is-still-...
palant
·3 years ago·discuss
Note: I am the author of this article.

Every ad blocker gets full and complete access to all your data. It needs that kind of access in order to … tada … remove ads. It’s really simple: ads are on all websites, so an ad blocker needs access to all websites.

You probably mean that Adblock Plus abuses this access? Surely this is something you have proof for? Here you can see an example of how this kind of thing looks like: https://palant.info/2023/06/05/introducing-pcvark-and-their-.... You can look around in my blog, there is more.

It has been a while since I’ve been involved with Adblock Plus. I sincerely doubt however that ABP’s privacy stance changed that much since I’ve left. But I’ll wait for you to find proof for your claims.
palant
·3 years ago·discuss
Note: I am the author of this article.

They fixed this particular issue (and a few more), the article mentions it. But the update I published today explains why Chrome Sync is still very bad privacy-wise (as opposed to outright horrible which it was back in 2018). https://palant.info/2023/08/29/chrome-sync-privacy-is-still-...
palant
·3 years ago·discuss
Note: I’m the author of this article.

I’m fairly certain that these users didn’t leave it at reviews. There is a “Report abuse” form which one can use and which was certainly used here. If only someone were actually looking at these submissions…
palant
·3 years ago·discuss
It wasn’t really intended. I originally looked at ad blockers since I know that most of them are shady, that’s how I immediately found the PCVARK ad blockers. I stumbled upon these extensions because I was trying to find more PCVARK software – one of my queries turned up that translator extension. I realized that it wasn’t PCVARK but still malicious.
palant
·3 years ago·discuss
Note: I am the author of this article.

Yes, Chrome uses Safe Browsing to flag malicious extensions. But they seem to use it very sparingly for some reason.
palant
·3 years ago·discuss
Note: I am the author of this article.

Yes, Mozilla doesn’t publish the source code. Back when I was reviewing add-ons there (a long time ago), I did compile the supplied source and compared it with the submitted one. It was sometimes awkward when the tool in question didn’t produce reproducible builds but mostly ok.
palant
·3 years ago·discuss
Note: I am the author of this article.

I have no idea what it takes to get “featured” but having seen how pretty much any extension gets this tag, including plenty of malicious ones – it’s pretty meaningless.
palant
·3 years ago·discuss
Unfortunately, an extension in use is expected to behave very differently from one that was merely installed. That’s the crux with observing software in sandboxes in order to determine its behavior.