Threads for ponguile

1. 4

   ponguile 8 months ago | link | on: Mozilla has automated Microsoft’s default browser protections in Windows

   This circumvents Microsoft’s anti-hijacking protections that the company built into Windows 10 to ensure malware couldn’t hijack default apps. Microsoft tells us this is not supported in Windows

   Uhhh…

   1. 21

      Hales edited 8 months ago | link

      Beware companies claiming they do something for the security of their users when it also affects their bottom line. Security, “anti-hijacking” and related terms are often used manipulatively (especially in EULAs!).

      Restricting browser defaults choice is not an effective security feature for protecting user security or privacy:

      1. Situation: viewing malware sites and suffering a drive-by-attack: I have no reason to believe Edge to be better (on average) than other major browsers.
      2. Situation: malware addons: I have no reason to believe Edge to be better (on average) than other major browsers, all addon sites have reports of malware addons or addon authors turning bad (eg selling control of their successful addon).
      3. Situation: malware already running on your computer, wants to change your default browser: by this point it’s too late, making ‘changing the default browser’ more obscure is not an effective defence of a user’s security or privacy.

      Making it harder for users to change browser (and directly suggesting they do not do it with a little info box when they try, as Win10 does) is an effective method of enforcing market security. That’s not user security.

      You start to get a sense of manipulation when you read Microsoft’s statements about edge and privacy::

      Like all modern browsers, Microsoft Edge lets you collect and store specific data on your device, like cookies, and lets you send information to us, like browsing history, to make the experience as rich, fast, and personal as possible.

      That’s straight out false. Not “all modern browsers” send information like “browsing history” to their makers. Notice how they have designed this sentence to make it feel normal and acceptable.

      Whenever we collect data, we want to make sure it’s the right choice for you.

      Uhuh. Is that the only reason you share data? Somehow you must be making money off this, otherwise you wouldn’t be doing it, right?

      https://privacy.microsoft.com/en-ca/privacystatement

      For example, we share your content with third parties when you tell us to do so, such as when you send an email to a friend, share photos and documents on OneDrive, or link accounts with another service.

      Manipulative writing by business’ like this makes me ill. In a different content (eg flyers in your letterbox) this style of writing would be considered scam material.
   2. 12

      grawlinson 8 months ago | link

      Mozilla has been trying to convince Microsoft to improve its default browser settings in Windows since its open letter to Microsoft in 2015. Nothing has changed, and Windows 11 is now making it even harder to switch default browsers.

      Microsoft and anti-competitive practises go hand in hand, nothing to be surprised about.

      1. 4

         ponguile 8 months ago | link

         Was more concerned about the obvious security implications! If ff can do it, what is stopping malware from doing it?

         1. 15

            caius 8 months ago | link

            Likewise if Edge can bypass the mechanisms in the background, what’s stopping malware from doing it? Or apparently Firefox 😆😭

            1. 4

               gecko 8 months ago | link

               Yep. I’m in a slightly weird position here: I think Microsoft is right to lock down that API; I just think they’re wrong for unlocking it for Edge. So I’d prefer neither Mozilla nor Edge could pull this stunt.
            2. 2

               gpm 8 months ago | link

               Theoretically the mechanism could check that the software performing the bypass comes from microsoft (via cryptographic signature) and is therefore “safe”. It is possible for microsoft to allow Edge to bypass it and nothing else.

               I’m actually sort of surprised they didn’t, but I guess doing it properly would have taken more work.

               1. 2

                  ac 8 months ago | link

                  Or perhaps it was a silent protest by the engineers involved to allow firefox to do this.
         2. 6

            x64k 8 months ago | link

            Nothing, of course, which isn’t too surprising, as this is pretty unlikely to have ever been about malware in the first place. If it had been, we’d have seen a real, secure API exposed to developers, whereas this is barely security by obscurity.
         3. 4

            inactive-user 8 months ago | link

            Nothing is stopping malware engineers from adding associations; SetUserFTA has been available for years.

1. 2

   ponguile 9 months ago | link | on: A new way of blogging about Golang

   What are the security implications?

   1. 7

      viraptor 9 months ago | link

      No new implications. The website executes code which you provide and executes it locally. You already trust it with externally provided code, so nothing changes.
   2. 3

      viebel 9 months ago | link

      In case Klipse would be used on a blogging platform like medium, it might allow a malicious blogger to run arbitrary code on a medium page. That’s why blogging platform forbids script tags et al… But on your own blog, there are no security issues.

1. 5

   ponguile 9 months ago | link | on: Growing Object-Oriented Software vs what I would do

   Thanks for this! I appreciate emphasizing the overarching data architecture rather than the lower level programming paradigms used to implement the abstractions.

1. 1

   ponguile 10 months ago | link | on: Programming Languages for Enthusiasts

   Thanks for this!

1. 2

   ponguile 11 months ago | link | on: China's gigantic multi-modal AI is no one-trick pony

   Wow, AI is getting real good, real fast.