[HN Gopher] Tell HN: "I don't care about cookies" extension boug...
___________________________________________________________________
Tell HN: "I don't care about cookies" extension bought by Avast,
users jump ship
Author : popcalc
Score : 255 points
Date : 2023-06-07 20:27 UTC (2 hours ago)
(HTM) web link (addons.mozilla.org)
(TXT) w3m dump (addons.mozilla.org)
| woodruffw wrote:
| This is very disappointing, and points to a weakness in these
| kinds of platforms: I can be a passive user of an excellent
| extension for years, and wake up one morning to discover that my
| browser has (silently!) upgraded the extension to one controlled
| by an entity that I don't necessarily trust.
|
| I think it would behoove Firefox and Chrome to change their
| policies around automatic extension upgrades in these scenarios:
| if an extension discloses a change in ownership, then upgrades
| should require user approval. If an extension fails to disclose a
| change in ownership, then users should be able to report it as
| malicious.
| [deleted]
| crazygringo wrote:
| Change of ownership is easily gamed though. The change can be
| hidden or the extension can be "leased for 99 years" or
| whatever.
|
| It really makes me wonder if there's a way to formalize a
| system of verification, trust, vouching, etc. not just for
| extensions but for source-viewable software in general, version
| by version, diff by diff.
|
| Volunteers actually inspect an extension's JavaScript to check
| for anything potentially malicious (is it reporting on user
| activity etc.), they vouch for each other, and you select some
| core single individual or group to trust (or majority-vote or
| something), and then only allow software on your system that is
| vouched for. Nothing ever gets upgraded until it passes.
| woodruffw wrote:
| These types of problems roughly map onto the distributed
| identity problem: there's no known way to distribute `K`
| authority identities to `M` trusting identities without
| _some_ kind of trusted intermediate.
|
| "Vouching" can form that kind of trusted intermediate, but
| probably not without grinding an ordinary speedy update
| process to a near halt. That's probably a worse outcome than
| just having the pre-existing authority (i.e., Mozilla or
| Google) establish an enforceable policy around what
| constitutes an acceptable (or acceptably transparent) update.
| npteljes wrote:
| I mean, I have been the user of my body for some time and
| things just stop working as they used to.
|
| Change just happens, you need to be on top of it, to not miss
| things like this. This isn't going to have a technological
| solution.
| that_guy_iain wrote:
| This can also happen with any SaaS and many services. They get
| bought and sold quite a lot.
| JohnFen wrote:
| This isn't just a problem with extensions, though. It's a
| problem with everything. Always has been and always will be.
|
| This is why people should be extremely cautious about becoming
| too attached to (or, worse, dependent on) any particular
| product or service. It can change ownership (and therefore
| policies) at any time.
| hedora wrote:
| As a corollary, any private information that a publicly owned
| company has is for sale (since the company could be bought or
| merge), and any information any company has can be force-sold
| during bankruptcy proceedings.
|
| Any time a company has physical access to your data, and says
| they will not sell it, they are lying (unless it is privately
| held, and never takes on debt / pays after delivery).
|
| In particular, EULAs and other contracts do not protect your
| information in the above situations, since debt and
| shareholder obligations generally come before customer
| obligations, and the data is considered an asset.
| rlpb wrote:
| It's not a problem with everything. Distributions tend to add
| editorial input here and try to do something they consider
| reasonable for their users, staking their own reputation on
| that without trying to pass it off to the component
| publisher.
|
| For example, I doubt that Debian would take an update
| from an upstream that is detrimental to their users. They
| would follow a friendlier fork first. Debian maintainers
| follow their users' interests first.
|
| (I'm a Debian Developer)
|
| Edit: and that means you can generally trust automatic
| updates on Debian.
| msla wrote:
| This is much less of a problem with open source software,
| although, admittedly, not completely unknown.
| fhd2 wrote:
| I think it's a particular problem with extensions because:
|
| 1. They usually mostly work in the background, don't need
| much interaction. It's almost like a built-in browser feature
| changing owners.
|
| 2. They are pretty difficult to find a business model for -
| as opposed to SaaS stuff and mobile apps, which people pay
| for rather commonly. So the choice is to a) Make no money b)
| Ask for donations (seems to only work if it's somewhat
| obnoxious) c) Make money in some creative (often shady) way
| d) Sell the thing.
| HWR_14 wrote:
| That's a different issue. I can still run many old versions
| of software even if new versions are put out by some evil
| entity I no longer trust. Unless the software auto-updates.
| In which case I no longer have the old version.
|
| AFAIK, it is not easy (or maybe not possible) to opt out of
| extensions updates.
| jxramos wrote:
| I was thinking about this in the food and personal products
| space. I dreamed up something like requiring some kind of
| notation to denote how many steps you are away from a parent
| company. Direct private companies with no parent would have
| no notation, once a parent company buys the company and its
| brands put a dot for every parent company above the company
| of the product you're now purchasing. Something to make this
| transfer visible.
| asdff wrote:
| This is why tools are always better than products or
| services. Your hammer in the drawer isn't going to one day
| update itself and change. Neither is some of the bash tooling
| that's been around for decades. And should these things
| change, you always have your old versions of these tools in
| your drawers and storage drives.
| anonymousab wrote:
| It's another prime example of why users should be wary of
| always choosing automatic software updates, and particularly
| wary of any company that uses security and "we know what's
| best for our dumb users" as an excuse for trying to stop
| users from using only a manual update process.
| michaelteter wrote:
| The problem is that 99% of users will not be bothered with
| deciding anything regarding updates or any computer
| administration. So you either get automatic updates and
| situations like the current one, or you get out of
| date/exploited software.
| JohnFen wrote:
| True, but I don't think that justifies the practice at
| all.
|
| At the very least, software needs to do what it used to
| do: make security updates separate from all other updates
| so users can just get the security bits.
| nightpool wrote:
| Security update: Changed old expired analytics domain to
| avast.com analytics to prevent user data exposure
| gravitronic wrote:
| Reminds me of the pending update to 1Password 7 that I keep
| declining because the change notes say all it does is add
| a deprecation notice for 1password classic
| [deleted]
| cubefox wrote:
| Windows XP didn't have automatic updates in the beginning.
| So approximately nobody had the relevant security patches
| for Windows and IE. The result was Sasser and MyDoom.A on
| almost every Windows machine. It was a disaster.
|
| It seems less risky to continue automatic updates and just
| accept the possibility of malicious ownership change.
| smolder wrote:
| Early always-connected computers with no NAT led to a lot
| of hard lessons. At this point many of those have been
| learned, and there's a lot more depth to network
| security. Operating systems and key tools like web
| browsers and ssh are hard enough that strictly necessary
| updates like heartbleed patches are few and far between,
| and are hard to miss. The majority of what gets pushed
| out now through automatic updates for OSs and key
| software is exploiting the update channel to deliver crap
| features that increase revenues or deepen the moats for
| the company pushing them. They want to ensure that they
| can collect maximum rent with the least effort for as
| long as possible.
|
| Hopefully that abuse will reach a point where the camel's
| back breaks, and the pain of freeing yourself from vendor
| lock-in becomes worth it, prompting smart consumers and
| businesses in large numbers to use and support principled
| software projects through contributions of money, code
| and labor.
| nebula8804 wrote:
| It's too much effort to manage each app's update. In the age
| of smartphones they push an update once a day, sometimes it
| feels like every 5 secs.
|
| Plus if you look at the app store updates, most of the apps
| post nonsense in the release notes such as "fixed bugs",
| "Thank you for being a user of Lyft this update will make
| your experience even better!", or the worst kind:
|
| "You know how sometimes you just become aware of how much
| tension you're holding in your body, then take a deep
| breath and slowly let it out? This update is like that.
| It's still Slack, just with a tiny bit less friction."
|
| HOGWASH Slack, this update will likely cause friction! If
| only those people that write this crap got laid off, the
| world would be a tiny bit better :/
|
| Maybe it's time to declutter software that you don't control
| in your life just like how people declutter stuff. Every
| item is an additional tiny mental burden and the same goes
| for each closed source app installed on your phone. Maybe
| it's better if we just forgo any "benefits" the app may
| provide and not bother anymore.
| asdff wrote:
| I do this with git packages too. Sometimes I rely on
| something and the author then makes a move to go to a
| version 2.0 and ruin what I liked about the ux/ui or how
| the functionality behaved. I have a few privately forked
| packages now where I bugfix certain components alongside
| the author, but keep other legacy components, and even add
| my own functionality and behavior to my own needs.
|
| Of course, in a world of walled gardens versus git repos,
| none of this very powerful use of ideas and computation can
| be done. I can't go to the Apple app store and easily
| cobble together my own franken app from what I find there.
| It's like a step back for innovation for our species when
| we set up these stupid profit seeking moats and gardens.
| willcipriano wrote:
| Ben Franklin on automatic updates: "Those who would give up
| essential Liberty, to purchase a little temporary Safety,
| deserve neither Liberty nor Safety."
| sockaddr wrote:
| This quote never made sense to me. My decision to prefer
| one of these over the other doesn't mean I don't deserve
| either. It's a decision I make with my own unique
| economic and threat parameters. Being "deserving" plays
| no role here.
| [deleted]
| CoastalCoder wrote:
| I've become skeptical, at least at first, of pithy /
| catchy phrases.
|
| Many seem to be well known because they're memorable, but
| some people assume they're well known because they contain
| wisdom.
|
| E.g., "It's always darkest before dawn." or (the often
| misconstrued) "The exception proves the rule."
| [deleted]
| JohnFen wrote:
| I think what he was saying, in rather poetic language, is
| that if you give up liberty to gain safety, you won't get
| either of those things.
|
| I don't think he meant "deserves" in the literal sense.
| xNeil wrote:
| That's a good way to think about it. Way I saw it was -
| if you are _foolish_ enough to give up liberty for
| safety, you don't deserve the safety anyways.
| rightbyte wrote:
| Ye it doesn't make sense. These rules of thumb need the
| implied "too much" in them from the get go, or people
| will use them to silly extremes in the wrong ways. That
| applies all too well to programmers.
| pixl97 wrote:
| Also Ben Franklin on turning off automatic updates:
| "Fuck, why are all my files encrypted"
| willcipriano wrote:
| Who keeps anything important on a computer?
| nazgulsenpai wrote:
| Case in point -- I mortgaged my home with a local bank then
| without me knowing or being asked I became a Wells Fargo
| customer. At least you can uninstall the extensions :)
| tric wrote:
| You can ask that the mortgage not be sold, and continue to
| be serviced at your local bank. I don't know if this
| increases costs, though.
| JohnFen wrote:
| I strongly believe that selling ongoing loans to other
| companies should just be flat out illegal. You entered into
| a contract with your local bank, not Wells Fargo. It should
| not be legal for any party in the contract to unilaterally rope
| the others into a contractual relationship with someone who
| was not involved.
| ceejayoz wrote:
| I certainly don't remember all the terms of my mortgage,
| but surely there's a "we can resell your mortgage"
| provision in the terms that we _bilaterally_ agreed to.
| pixl97 wrote:
| If you don't have the ability to strike that clause is it
| really bilateral?
| jonas21 wrote:
| It's not unilateral. The contract you sign has a clause
| that gives them permission to sell the loan.
| JohnFen wrote:
| It is unilateral. That you agreed to give them the right
| to make such a unilateral change doesn't make it no
| longer unilateral.
|
| I think it's an unconscionable clause.
| gnicholas wrote:
| Why would it be unconscionable? I don't understand why
| people would care if their loan is sold. My student loans
| have been sold a couple times and I didn't mind. What's
| the downside for the borrower?
| NeoTar wrote:
| How about if a company is taken over? Should I be
| "forced" to work for a company I did not decide to work
| for?
| JohnFen wrote:
| You can quit your job. You can't quit your mortgage.
| jodrellblank wrote:
| Return the house keys to the mortgage holder and walk
| away.
|
| (This is about as convenient, pleasant, and useful advice
| as the "just quit your job" advice).
| gnicholas wrote:
| Actually it's much easier than that, though not in the
| current interest rate environment: you just refinance,
| and likely save money along the way.
|
| Note that your first mortgage in CA is nonrecourse, but a
| refinanced mortgage is not nonrecourse (meaning the
| lender can come after you personally if you end up
| underwater).
| cornel_io wrote:
| You can, though, that's literally what refinancing is.
| JohnFen wrote:
| In many (but not all) cases, that's true enough, yes.
| hiatus wrote:
| What would an alternative be in the case of a lender
| being sold? Force a balloon payment for the balance? It
| seems a better alternative to be able to transfer the
| loan like any other asset.
| JohnFen wrote:
| Well, that's an entirely different, and special, case
| that would require different rules, of course.
|
| That's not what causes loans to be transferred to others
| in the vast majority of cases.
| paulryanrogers wrote:
| They can't change the terms of your mortgage though, can
| they? If not it doesn't matter much because things cannot
| get any worse for you.
| wombatpm wrote:
| Yes they can. I had a mortgage that was sold to
| Washington Mutual (no longer in business). They did an
| audit of my escrow account and sent me a check for $2000.
| I called and said this seems to be a mistake. They said no.
| OK then. Two months later I get a notice from the county
| that the second half of property taxes was overdue.
|
| WaMu pays after several phone calls. Then sends me a
| notice that my escrow account is $5000 in arrears. So
| WaMu says that the 2000 was a mistake and I need to send
| that back, and that they are allowed to maintain an
| excess balance for taxes and insurance, so I need to send
| them another 3000 to bring the account current.
|
| I refinanced with a different organization that week.
|
| I was very happy to see them crater during the financial
| crisis.
| lotsofpulp wrote:
| That is a shitty mortgage servicing operation, not
| changing the terms of service.
| JohnFen wrote:
| I think who you are doing business with matters a great
| deal even if the mortgage terms don't change. You're
| still being forced to do business with someone that
| perhaps you strongly object to doing business with.
|
| The company matters just as much as the product or
| service.
| lotsofpulp wrote:
| Who you are doing business with can change even if the
| legal company is the same. Suppose an executive retires,
| and a new one wants to make their mark, perhaps by
| cutting costs.
| gigel82 wrote:
| When my mortgage was sold to a big bank I started getting
| charged a fee for "prepayment" (basically I'd do another
| payment against the principal once a year or when I had
| extra cash, which was a non-issue before the sale).
|
| Refinanced with a local CU and stayed with them ever
| since.
| lotsofpulp wrote:
| Is this in the US? I would be very surprised if the
| prepayment (or any) terms are allowed to be changed.
|
| If in the US, I would be surprised to find out about
| prepayment penalties at all.
|
| https://money.usnews.com/loans/mortgages/articles/what-
| is-a-...
|
| > A lender cannot assess a prepayment penalty unless the
| penalty was included in the original terms of the loan.
|
| > According to the Federal Register, Dodd-Frank Act
| provisions "generally prohibit prepayment penalties
| except for certain fixed-rate qualified mortgages where
| the penalties satisfy certain restrictions and the
| creditor has offered the consumer an alternative loan
| without such penalties."
|
| > For lenders that do charge these penalties, prepayment
| penalties cannot be imposed after the first three years
| of the loan term.
| woodruffw wrote:
| I agree. I also don't think this is something that's formally
| solvable in the general case, at least not in a way that's
| practical for distracted and non-technical users.
|
| Instead, this is the kind of thing that needs to be solved on
| the policy level: Google and Mozilla have an interest in
| maintaining high-quality extension ecosystems, and _ought_ to
| take a dim view of these kinds of ownership transfers.
| wongarsu wrote:
| This wasn't a big problem with software just 20 years ago.
| Sure, the software you used could be bought by someone else,
| but that just meant you might choose not to get the next
| version. Software didn't automatically update, and licenses
| were eternal and mostly tied to physical tokens, like a disk
| or a fancy sticker. At some point your beloved software might
| become obsolete, but that was because it was outpaced in
| improvements by other better software, not because yours got
| any worse.
| pnw wrote:
| Strongly disagree. Companies like Computer Associates were
| exploiting vendor lock-in on products like databases via
| their M&A strategy for decades.
| letsdothisagain wrote:
| Yeah this guy has rose coloured glasses.
|
| Remember when Java and MySQL weren't owned by Oracle?
|
| I do.
| askvictor wrote:
| But the barriers to releasing and distributing software
| were much higher, as you had to work out how to get it to
| people, and incremental releases were basically impossible.
| So software was controlled by a handful of big companies.
| ipaddr wrote:
| The industry had more smaller players compared to today
| and a better chance to sell. The barriers were higher but
| expectations lower. Plus you had a fragmentation of
| computers and high margins. Trade shows and flea markets,
| magazines, shareware and asking store owners directly
| were accessible ways.
|
| Today we have the illusion of speaking globally but have
| been gatekept out by a handful of companies.
| JohnFen wrote:
| > So software was controlled by a handful of big
| companies.
|
| Not really, no. The software space was much, much richer
| and you could get along extremely well without using much
| software from the big guys.
| kzrdude wrote:
| Well, software has changed a lot. Almost every software
| platform that I can think of gets continuous updates.
| missedthecue wrote:
| Sometimes this is more annoying than helpful, and I only
| speak with a tiny bit of hyperbole here.
|
| On several different SaaS softwares used at my employer I
| have found myself asking if they have entire teams of
| highly compensated UX professionals and graphics
| designers who justify their continued employment by
| changing the interface every 3 months by just enough to
| annoy me after I finally remap my brain to the latest
| locations of the tools and buttons.
| JohnFen wrote:
| And, to be honest, it doesn't even really have to be a
| problem now. I use almost entirely FSF or Open Source
| software. Of the proprietary software I use, it's still
| software that I have an installable copy of and I'll be
| able to keep using it for as long as I have a machine that
| can run it.
|
| I don't do automatic updates and actively prevent that from
| happening. Automatic updates are a plague that means you
| can't rely on the software anymore, if for no other reason
| than an update may (and likely will, eventually) remove or
| otherwise bork the very aspect that made it valuable to
| you.
|
| But I'm a weirdo and take care to ensure that I actually
| own and control the software I use. I see people getting
| burned because they're at the mercy of a company all too
| often.
| grishka wrote:
| The problem is with automatic updates.
| tekno45 wrote:
| cause: late-stage capitalism
| [deleted]
| TheRealPomax wrote:
| This is why you have the power to turn off auto-updates on
| anything that has auto-updates. And you should exercise that
| power. That way you'll wake up to the news of a horrible
| change, not the reality of already being part of it.
| bastardoperator wrote:
| Everything about this is sad. Sad that I have to install an
| extension to get rid of stupid messages forced upon me just for
| visiting a website, sad that an untrusted company is trying to
| buy trust, sad that users have to waste time switching away.
| mozman wrote:
| The real problem is with browser extension permission models.
| It should have far fewer privileges.
| ChrisMarshallNY wrote:
| That's also an issue with app stores.
|
| I have received a few solicitations to sell apps that had not
| been updated in a while (they were still good, but hadn't
| required an update).
|
| I suspect the buyer would repackage the app with some "extra
| spices," either advertising, or malware, and would count on the
| auto-update to force it onto users' devices.
|
| I declined. I remove moribund apps. I've written over 20 but
| only have a few on the store.
| tectonic wrote:
| A decade ago I wrote an extension called SelectorGadget
| (https://selectorgadget.com/). It's effectively unmaintained,
| but it still works and people still use it. I make no money
| from it and never have. Every few months someone tries to buy
| it from me, and I ignore them because I don't want to f** over
| my users. But there are a lot of extensions out there and maybe
| their owners care less, or find themselves in a moment of
| financial hardship and they sell.
| bombcar wrote:
| Apparently this is a known and open "business" to buy up used
| but old addons and convert them to advertising malware.
|
| Good on you!
| chaxor wrote:
| This problem is more far reaching than just extensions, and
| further reaching than what entity is in charge of something.
| For instance, the worst company imaginable may be in charge of
| software that was once FOSS, and they may change absolutely
| nothing about it, so it should be fine. However, if a small
| update is added that does something bad, you should know about
| it immediately.
|
| The solution seems to be much more clearly in the realm of
| things like crev: https://github.com/crev-dev/cargo-crev/
|
| Wherein users can get a clear picture of what dependencies are
| used in the full chain, and how they have been independently
| reviewed for security and privacy. That's the real solution for
| the future. A quick score that is available upon display
| every time you upgrade, with large warnings for anything above a
| certain threshold.
| londons_explore wrote:
| > If an extension fails to disclose a change in ownership,
|
| They would just change ownership and keep that a secret from
| the world. Avast would 'hire' the dev of this extension, and
| provide him with more engineers and ideas of features to
| implement.
| 2h wrote:
| Firefox:
|
| 1. Open application menu
|
| 2. Add-ons
|
| 3. Extensions
|
| 4. click gear
|
| 5. uncheck Update add-ons automatically
| bombcar wrote:
| I wish you could indicate some addons to update
| automatically, but after six months of no update that addon
| switches to manual.
| woodruffw wrote:
| I know how to disable automatic updates. The point was that
| there's a substantial shift in trust when the underlying
| identity that controls an extension changes.
| 2h wrote:
| > I know how to disable automatic updates
|
| doesn't seem like it:
|
| > I can be a passive user of an excellent extension for
| years, and wake up one morning to discover that my browser
| has (silently!) upgraded the extension
|
| you want to roll the dice with automatic updates, you have
| only yourself to blame when they break something you care
| about. people always scream BUT MUH SECURITY, and at the
| same time ignore every other awful change that is rammed
| through automatic updates. pick your poison.
| uoaei wrote:
| I wasn't informed of this sale before it occurred, and Avast has
| a history of stealing and selling user data. I did not produce
| informed consent for this add-on to continue operating under
| those conditions. I reported it to Mozilla when I uninstalled the
| old add-on as stealing user data and I encourage everyone to do
| the same.
| AdmiralAsshat wrote:
| Did they actually do anything yet, or is it just assumption that
| _they will_ because why buy a popular extension these days if
| that's not the goal?
| bandrami wrote:
| Between GDPR warnings and ubiquitous site notification pop-ups
| (side question: has anyone _ever_ intentionally clicked "yes" to
| a site notifications request? can the browsers just admit this
| was a horrible idea and move on?) out-of-the-box browsers are
| basically unusable on just about every website. Leading to
| extensions and situations like this.
| technion wrote:
| An org wide policy to disable browser push notifications
| visibly changed helpdesk load and security incident reports
| over night.
|
| Non technical, average users hit "yes" in nearly every case,
| usually ending with opt in to fake tech support popups and porn
| spam.
| The_Double wrote:
| I think the original goal, and one I still support, is for
| websites to realize that they are better off with not showing
| the banners and just defaulting to "no". It's been surprising
| to me that an industry that has been somewhat obsessed with
| click latencies and getting users to content quickly are
| willing to annoy all their users for the extra income from
| personalized ads. The difference in value must be a lot.
| scq wrote:
| > has anyone ever intentionally clicked "yes" to a site
| notifications request?
|
| Yes, for Google Calendar and Slack.
| geysersam wrote:
| Still thousand times better than the walled garden app stores.
|
| If we want complicated apps to be available on the web we need
| complicated browsers. The competition situation is troublesome
| but nothing compared to the complete monopolies Apple and Play
| store have.
| PeterisP wrote:
| Thing is, there are "websites" and "web apps"; the latter
| replace things that we used to have on the desktop and we want
| significant permissions for them (notifications, constant
| updates in the background, copy/paste integration, drag&drop
| integration, camera and microphone access, etc) and the former
| should get nothing, as all of these can and do get abused - but
| from a technical perspective they look the same to the browser.
|
| The way I see it, it would make sense to explicitly whitelist a
| website (e.g. Gmail or Webex) in a similar manner to installing
| an app, and all the other websites don't even get to beg for
| these permissions.
| bmarquez wrote:
| Previous discussion (from 8 months ago):
| https://news.ycombinator.com/item?id=32850799
| rektide wrote:
| I'm sort of surprised these users would care. They literally went
| to go download an extension to let anyone track/surveil them
| however they wanted.
|
| But oh no, now there's a big corp that owns the extension! And
| they might be surveilled!
| londons_explore wrote:
| To be fair, websites can't track much about you - they can only
| track your visits to partner websites, and even then the
| website owner usually can't see all the detail - their ad
| platform won't share that with them.
|
| Whereas the extension has full access to not only your browsing
| history, but also every password, every credit card number ever
| typed, etc.
|
| Cookies are a minor privacy problem compared to an 'access all
| sites' chrome extension.
| JohnFen wrote:
| I think the issue isn't just that it's a big corp. It's that
| it's Avast, specifically.
| norman784 wrote:
| Why does it matter that it is Avast? I have spent a decade not
| following the antivirus scene.
| JohnFen wrote:
| Avast collects and sells your browsing history, among other
| pieces of your personal data. This caused a bit of a stink
| a while back when people discovered it.
| yazzku wrote:
| Not really. Cookie banners are irrelevant and do not preclude
| tracking, they just take up space and give a false sense of
| privacy. These users installed the extension because they'd
| rather not see the pop-up to begin with. And then Avast bought
| the extension.
| mynameishere wrote:
| Yeah, that never made any sense. Is there any add-on that
| basically...forces websites to adhere to the browser-configured
| cookie settings? And if any popups contain the word "cookie" to
| basically just remove the element? If it renders websites
| inoperable, I'm okay with that.
| tomrod wrote:
| I browse mobile with Javascript defaulting to blocked. Not
| sure how it happened, truth be told, Brave just started
| blocking it one day. Most of the experience is unaffected.
| larperdoodle wrote:
| >In most cases, the add-on just blocks or hides cookie related
| pop-ups. When it's needed for the website to work properly, it
| will automatically accept the cookie policy for you (sometimes
| it will accept all and sometimes only necessary cookie
| categories, depending on what's easier to do)
| rektide wrote:
| I'm curious what the % rate is for users to not get tracked,
| versus great caring tools like Consent-O-Matic.
|
| The name itself screams apathy here. My understanding from a
| while back was that the tool actively accepted a wide variety
| of cookies, and did nothing to minimize selections. I don't
| know if this is a misinterpretation, or if the project has
| changed to actively start caring somewhat about cookies.
| derefr wrote:
| I don't even care that they might watch me. I care that they
| might use my computer's resources to do so; or might start
| making the extension do other stupid stuff, like injecting ads
| for Avast AV. "Not caring about cookies" doesn't cost anything,
| CPU-wise.
| handsclean wrote:
| We need to stop writing "X buys Y", and start writing "Y sold to
| X". Big co's aren't some boogeyman that can buy whatever they
| want, individuals and small companies are selling out, and by
| pretending they're blameless we normalize it. This extension
| wasn't taken over, it sold out. Like LastPass, Private Internet
| Access, WhatsApp, Figma, Dark Sky, Wunderlist, the list goes on.
| All decided that, actually, they care less about their mission,
| users' experience, and users' trust than they do a pile of cash.
| And that's not necessarily horrible or even wrong, but what is
| wrong is for us to not even withdraw our trust from people who
| have sold it. Or for us to withdraw equally from those who don't.
| legitster wrote:
| Nearly every startup I worked at had a slide deck as early as
| day one that included "get bought" as their primary exit
| strategy.
| bluGill wrote:
| The only startup I was in didn't. They ran short of money
| and laid me off, but 20 years later the company is still
| around doing the same thing they always have and I assume
| making money. Just before they laid me off they rejected a
| buy out offer from a big company.
|
| I think that is actually normal overall, but the real fast
| riches are of course in the big buyout.
| gnicholas wrote:
| There seems to be a lot of edtech startups being sold to big
| companies right now. I'm guessing these are distressed
| companies that need to raise tons of money or find a buyer.
| Since the VC landscape has changed in light of the end of free
| money, they're disproportionately being sold off.
|
| I don't blame the companies, though I've taken a bootstrapped
| strategy because I didn't want to get stuck on the VC
| treadmill.
| thih9 wrote:
| Why is this a problem?
|
| I can imagine a number of scenarios, but I'm unfamiliar with this
| particular case. Could someone elaborate on what actually
| happened or what is the danger?
| phendrenad2 wrote:
| A company doesn't acquire something for no reason, and people
| are suffering FUD over what that reason could be. Maybe they'll
| put in annoying popups ads for their other products. Maybe they
| just want market research data. Or maybe they just thought
| being the provider of this service would garner goodwill
| somehow.
| itronitron wrote:
| What are the scenarios that you can imagine?
| papichulo2023 wrote:
| Charging companies to exclude them (adblock way)
| notatoad wrote:
| companies have to provide the cookie prompt as a legal
| requirement - it's not something they want to do or get any
| benefit from. what this extension does is blindly _accept_
| the cookie prompts.
|
| it's not something any company would want to be exempted
| from. companies like this.
| bluGill wrote:
| Companies only need that if they place nonessential
| cookies.
| valcron1000 wrote:
| How much did Avast pay for the extension?
| [deleted]
| sysadm1n wrote:
| I still have a copy of this addon, before it got acquired by
| Avast. I turned off automatic updates for extensions in Firefox,
| since I don't want weird / malicious code being pushed into my
| browser. I do this since I audit some extensions for malicious
| code, and want to keep the good / last-known-good version, before
| a tainted/malicious one arrives in my browser in an update.
|
| It's broken though, and messes up YouTube by persisting the
| cookie interstitial in an invisible overlay, making the interface
| unusable. This is why these types of addons have so many new
| versions: they have to constantly watch for changes in the JS/CSS
| of cookie banners.
|
| Thank god we have community maintained alternative forks[0]
|
| [0] https://addons.mozilla.org/en-US/firefox/addon/istilldontcar...
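
A first pass at the kind of version-to-version audit described in the comment above is to compare what access each version's `manifest.json` requests. This is an added example, not part of the thread or of any extension's code; both manifests are constructed sample data and the function names are hypothetical.

```javascript
// Added example: compare the access two versions of an extension request.
// Both manifests below are constructed sample data, not taken from a real add-on.

const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every grant a manifest asks for, tagged by where it was declared.
function collectGrants(manifest) {
  const grants = new Set();
  for (const key of ["permissions", "optional_permissions", "host_permissions"]) {
    for (const p of manifest[key] || []) grants.add(`${key}:${p}`);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) grants.add(`content_scripts:${m}`);
  }
  return grants;
}

// Report grants that appear or disappear between a trusted and a candidate version.
function diffManifests(trusted, candidate) {
  const before = collectGrants(trusted);
  const after = collectGrants(candidate);
  const added = [...after].filter((g) => !before.has(g)).sort();
  const removed = [...before].filter((g) => !after.has(g)).sort();
  // Newly added patterns that match every site deserve the closest look.
  const broad = added.filter((g) => BROAD_HOSTS.has(g.slice(g.indexOf(":") + 1)));
  return { added, removed, broad, needsReview: added.length > 0 };
}

// Constructed last-known-good manifest (Manifest V2 style).
const trustedManifest = {
  manifest_version: 2,
  version: "1.0.0",
  permissions: ["storage", "tabs", "*://*.example.com/*"],
  content_scripts: [{ matches: ["*://*.example.com/*"], js: ["hide.js"] }],
};

// Constructed update that widens host access and adds request interception.
const candidateManifest = {
  manifest_version: 2,
  version: "1.1.0",
  permissions: ["storage", "tabs", "webRequest", "<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["hide.js", "extra.js"] }],
};

const report = diffManifests(trustedManifest, candidateManifest);
console.log(JSON.stringify(report, null, 2));
```

An unchanged manifest does not mean unchanged behaviour: an extension that already holds broad host access can ship different code under the same grants, so the script files still need to be diffed.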
| dmw_ng wrote:
| Random aside: this extension had absolutely the worst internals
| of any I've ever looked at. Love the functionality, but really
| wish I'd never seen the spaghetti behind the illusion (source
| files below). It feels like approaching it as a text
| classification problem might produce a clean general solution
|
| https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies/...
|
| https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies/...
| geysersam wrote:
| Isn't it just a lot of data?
|
| Not sure what's bad about the _code_. I mean, the variable
| names could be more enlightening, and there are no comments,
| but I don't think it qualifies as "spaghetti".
| jamesmurdza wrote:
| I'm not the dev but I find the code logical since each selector
| is arbitrary and based on a completely different HTML page.
| Abstracting it would be a huge hassle--would be interesting to
| see an attempt though!
| paddw wrote:
| There is nothing wrong with these internals. Hard-coded rules
| are not necessarily "spaghetti code". I sincerely doubt there
| is any reliable way to come up with a general solution without
| relying on hard coded rules (at least without using AI).
| dmw_ng wrote:
| It doesn't seem like an overly difficult problem: try to find
| a text fragment (e.g. DOM mutation observer) requesting
| consent in some container that has some other element with an
| onclick handler (maybe optionally trying to figure out if
| image filenames / labels of that element look sensible).
| Maybe an approach like this will only work 70% of the time,
| but that seems likely to be a better strategy than embedding
| a giant list of every relevant site on the Internet
| arp242 wrote:
| Even a single false positive would be too many, as it would
| probably break the entire site.
| cdme wrote:
| Does this impact the community version?
| https://addons.mozilla.org/en-US/firefox/addon/istilldontcar...
| subarctic wrote:
| I think that was created back when this was announced last
| September, so probably not (see previous discussion here:
| https://news.ycombinator.com/item?id=32850799)
| popcalc wrote:
| Community maintained fork:
| https://addons.mozilla.org/en-US/firefox/addon/istilldontcar...
| stavros wrote:
| Repo: https://github.com/OhMyGuus/I-Still-Dont-Care-About-Cookies
| ruined wrote:
| there are cookie dialog lists for ublock origin and other
| adblockers, btw
| sphars wrote:
| In uBO, it's under Settings > Filter lists > Annoyances >
| enable EasyList Cookies Notices and AdGuard - Cookie Notices to
| hide cookie banners.
| londons_explore wrote:
| For many sites, just hiding them isn't enough - if you want
| the website to work properly and not randomly log you out
| immediately after logging in, then you need to either accept
| or decline cookies.
| codewiz wrote:
| Very odd, uBlock Origin for Chrome has "EasyList Cookies
| Notices", but "AdGuard - Cookie Notices" is missing. The
| Firefox extension has both lists. The version is the same:
| uBlock Origin 1.49.2.
|
| Does this have anything to do with Chrome's new extension API
| nerfing ad blockers?
| phendrenad2 wrote:
| Why exactly can't browsers provide this functionality themselves?
| Is this prohibited by some questionably-well-meaning-but-
| nonetheless-harmful law?
| slondr wrote:
| They are, and Firefox does (Beta currently, hitting stable in
| July)
| rossjudson wrote:
| One of the better uses of my time last year was just writing my
| own ad blocking extension. Of course it doesn't get everything --
| that was never my intent. I just wanted to get rid of the most
| egregious crap, like Taboola and the variously spawned similar
| demons.
|
| It's quite good at doing that.
|
| Sounds like I might need to investigate consent as well...but the
| "pain identification" isn't going to work the same way. With the
| consent management, I'll probably end up having to do a lot of
| per-site work...which kind of defeats the purpose. Sigh. Guess
| I'll find out, on a sufficiently annoyed weekend.
| sureglymop wrote:
| I did the same! Just wrote my own extensions for features I
| wanted and it was super easy and straightforward (albeit a
| little limited in Firefox). Wrote one for pinning tabs on the
| right and wrote one to search through all open tabs with
| ctrl+f. Quite nice how accessible this is!
| [deleted]
| debacle wrote:
| I remember 20 years ago when Avast were the good guys.
|
| It's interesting how brand perception changes over time.
| [deleted]
| nyanpasu64 wrote:
| I miss old Avast, the brushed metal UI, the radioactive virus
| dialogs with the siren sound
| (https://www.youtube.com/watch?v=ycs92N_rph8).
| scohesc wrote:
| I remember leaving my computer on overnight in my room and
| being startled awake by a really loud pig squeal when Avast
| detected a virus on my PC.
|
| Just looked up what Avast looked like in the 2000s. The
| aftermarket car stereo GUI[1] just brought back memories I
| forgot about :P
|
| [1] http://assets.oldversion.s3.amazonaws.com/images/avast-free-...
| cubefox wrote:
| That looks like WinAmp.
| itronitron wrote:
| I remember when SourceForge were the good guys. That should be
| a cautionary tale for many companies but they got dropped so
| hard and fast that now no one has heard of them.
| clumsysmurf wrote:
| I was under the impression this was obsolete using Firefox 114
| "Cookie Banner Reduction" feature.
| codewiz wrote:
| That feature slipped to Firefox 115:
| https://9to5linux.com/firefox-115-beta-brings-cookie-banner-...
| clumsysmurf wrote:
| I turned it on in FF 114 with about:config flag:
|
| cookiebanners.ui.desktop.enabled = true
|
| It will appear in Settings / Privacy / Cookie Banner
| Reduction
| cubefox wrote:
| In some weird double irony this website showed me two
| different cookie overlays on top of each other. Never seen
| that before.
| loloquwowndueo wrote:
| Someone here in HN recommended Consent-O-Matic instead of I don't
| care about cookies. Said "I don't care about cookies is the
| extension advertisers want you to install" :) apparently it just
| says yes to everything. Consent-O-Matic specifically configures
| things to share the least amount of information possible.
| mcmcmc wrote:
| With a name like "I don't care about cookies" it does kind of
| make sense that it would just auto-accept everything. After
| all, they don't care about cookies
| londons_explore wrote:
| Sites work much better if you just say yes to everything. Devs
| never test the 'no' path as well, and half the time you'll find
| embedded videos/maps/tweets won't display or are buggy.
|
| Since I care about a fast efficient web experience far more
| than I care about leaving digital footprints around, I choose
| the extension that says yes to everything.
| legitster wrote:
| > Devs never test the 'no' path as well
|
| It's not just that - some services are literally unrenderable
| without cookies! (Fewer these days at least).
| loloquwowndueo wrote:
| Consent-O-Matic does not reject all cookies - it responds
| intelligently and automatically to the cookie consent
| dialogs and selects only essential cookies.
|
| If someone says a cookie is non-essential and rejecting it
| results in their site not working that's on them - a human
| might manually choose to reject it, it'd be the same end
| result.
| rossjudson wrote:
| I'm more or less in your camp. I really don't care about
| "saying no to cookies" because I don't believe that sites
| will implement no properly anyway. I'd much rather be relying
| on the clear (hopefully!) lines being drawn by my browser and
| its settings.
|
| Asking me if I'd like to allow various cookies is by far the
| least important part of the problem. Relying on the
| cooperative efforts of site owners? Really?
| chillbill wrote:
| Inaccurate
| wavesounds wrote:
| Well if "no" becomes the default then I'm sure engineers
| would switch over to testing that path more frequently
| instead
| BaseballPhysics wrote:
| Better to just start using Firefox multi-account containers. An
| add-on like I Still Don't Care About Cookies ensures you aren't
| bothered by the popups, and temporary containers are wiped upon
| tab closure so anything those sites leave behind is
| automatically deleted.
| DerekBickerton wrote:
| Links for Consent-O-Matic if anyone wants to take a look:
|
| https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat...
| (Firefox)
|
| https://chrome.google.com/webstore/detail/consent-o-matic/md...
| (Chrome)
|
| https://consentomatic.au.dk/ (Official site)
| bluGill wrote:
| I just hit control-w when I see a consent dialog. It is rare
| that anyone is really important enough that I'd do more.
| JimWestergren wrote:
| Instead of this, just activate the filter in uBlock Origin:
| Filter Lists -> Annoyances -> EasyList Cookie
| michaelgiba wrote:
| Next up: "I don't care about cookies but care when an extension
| tracks the fact I don't care about cookies"
| recursive wrote:
| "I don't care about cookies" is just the name of the extension.
| In actual fact, it indicates that the user doesn't care if the
| server _sends_ cookies. The user agent is still in control of
| what it does with them, and whether it includes them in
| subsequent responses.
___________________________________________________________________
(page generated 2023-06-07 23:00 UTC)