If it produces no output, does that mean that there's no code that could act in the future?
I first acted out of nerves and deleted the whole node_modules and package.lock in a couple of freshly opened Astro projects, curious if I should consider my web surfing to still be potentially malicious.
The malware introduced here is a crypto address swapper. It's possible that even after deleting node_modules that some malicious code could persist in a browser cache.
If you have crypto wallets on the potentially compromised machine, or intend to transfer crypto via some web client, proceed with caution.
you can simply selfhost Plausible or other not-invasive analytics to see all aggregated info you might need. it will be 100% yours and compliant with all sorts of privacy laws and principles
This whole online safety act thing gives me goosebumps.
I had lived most of my life in Russia until migrating in 2022 and I'm pretty familiar with what it means when the gov starts messing with digital censorship.
If you’re not aware, it’s getting systematically harder and harder to browse the free web in Russia despite 50%+ of population using “some” VPN app.
And I'm not even talking about extremist / anti-Russian resources that the government turned against originally, but most of the independent websites that use Cloudflare free tier, for example. Because Cloudflare enables proxying and a couple of other IP-masquerading techniques by default, to effectively block a single website you have to block the entire Cloudflare IP range and DNS - which is >20% of the web.
As for the VPNs, most of the common protocols and frameworks (eg OpenVPN) are already banned + detected via DPI, and people have to get into more and more sophisticated setups like VLESS+Reality (= most of the non-technical people can’t set it up by themselves or even buy a subscription to such thing).
"Simple" Shadowsocks, originally popularized in China to fight the Great Firewall, is already almost rendered completely useless.
And it will get worse. The gov service which is responsible for blocking has a very high budget + some pretty neat tech to help them cut off more and more ways to bypass the censorship.
This is the future of any state that gets into this game. The future where you might have to become very proficient in networking and use some “shady” stuff like Tor to just read a blog post about Linux.
It doesn't matter what it starts with - fighting anti-gov propaganda or, for god's sake, porn (the least harmful thing for the kids in this horrible AI-post-capitalism world that we live in) - once the regulators get the feeling of power over the free web, every lobbyist, organization and party will come for a part of the web that you personally might enjoy, or even earn a living from.
A bit off-topic but wtf is this preview image of a spider in the eye?
It’s even worse than the clickbait title of this post.
I think this should be considered bad practice.
I fully agree, and speaking as someone with macroinsectophobia (fear of large or many insect (or insect-like) creatures), seeing it really makes me uncomfortable. It isn't enough to send me into panic mode or anything, but damn if it doesn't freak me out.
not trying to justify it even a bit, but shouldn't people in his position (actively acting against the US-supported position) use something more secure?
Like proton for starters?
I think most of the activists know the drill (not to use gmail/outlook/icloud... in their activism-related communications).
They're not activists, but a 900 people intergovernmental org representing 100+ countries that needs to deal with a lot of bureaucracy efficiently.
They might start spending the time and money to move away from Microsoft's control, but there are few solutions that reliably work at that scale and for their needs, and I honestly wouldn't fault them for assuming that the arrangement that worked for decades wouldn't suddenly fall apart.
I think that's just another side of the same coin.
Until recently I'm sure people at the heart of the western political establishment saw the US as essentially trustworthy with regard to fundamental things like not stealing their emails.
Just like they wouldn't have expected the executive to deny them access to the product. Now it's clear expectations need to be updated.
On the question of "why do they collect all this data" - brightness, battery life, headphone usage, volume etc: It's not just because the data is valuable in itself, it's also to 'fingerprint' the device across IDFA boundaries and in the face of things like NAT and VPNs. There are so many disparate data points that are different across different devices that two apps reporting an identical or near-identical set in a short timeframe are likely on the same device.
Because you and almost everyone else agreed to the Terms of Service where you consented to let them stalk you until they can make an accurate enough simulation of you to sell increased chances to change your behavior to the highest bidder.
You can stop at any time. Cancel your cell phone subscription and turn off your phone. It is a perfectly valid choice.
True, but a Terms of Service document is the vehicle by which you are informed and consenting. If you're not willing to read the information you're choosing to remain uninformed.
When it takes multiple lifetimes to read the Terms of Service for everything a normal person uses to get through daily life, it’s not a case of willingness
I do think apps should force people to actually scroll through ToS at a normal reading speed or tldr the horrible things they will do to you front and center like we forced the tobacco industry to do.
Most of humanity enjoyed their lives without pocket internet until the last couple decades. Saying people cannot be happy without that is like saying they cannot be happy without smoking.
This Apple or Google phone culture is a false dichotomy.
I run a b2b tech company in silicon valley, and have endless technical hobbies and do not need Apple or Google products or a cell carrier to be happy.
It is always possible to choose tech that you own and control. It just takes a bit more research because the open ecosystems lack marketing budgets.
This is not how the GDPR works, just because you stuff it in the ToS doesn't make it legal. Consent has to be explicit and freely given, using the service cannot hinge on accepting tracking.
It’s also because good UI/UX is expensive, open source has never been able to do it, and people are lazy. If you are a person who likes messing with computers and figuring stuff out, you are weird. Most people loathe it. It was super easy for superior UX to capture users and herd them into surveillance ecosystems.
Good stuff. You might find more interesting data by implementing Frida [0] into your process to snoop on encrypted traffic normally not visible due to pinned certificates.
I haven't gone through setting it up (yet) but I imagine there should be differences between EU and US versions of the apps. Is that something you expect, and if so, are you recording that info in your survey?
Or am I just naive here?
The difference should be only at the consent level, e.g. you might see fewer or more "Accept All" buttons with different design or different ToS linked.
I don’t believe there’s a real difference on the code or even SDK level based on geo.