• 0 Posts
  • 87 Comments
Joined 1 year ago
Cake day: June 12th, 2023



  • Many Chinese manufacturers don’t have close ties to the government,

    Citation severely needed. Any company operating in China has close ties to the government, it’s literally a requirement to get a business license there.

    and any non-Chinese phone that you can buy also has backdoors, and quite frankly, for average Joe, their local government may be scarier than the Chinese government.

    Maybe, but it really shouldn’t and if it does that’s a problem. It’s a question of non-Chinese phone might have a backdoor, vs. Chinese phone that definitely has a backdoor. Either way saying “other options are just as bad” doesn’t make it a good option.

    Also, your data is being used by the Googles, Microsofts, Apples, etc… in vast quantities daily. We are the product generally.

    Yes, and that’s a major problem. It’s why there are various replacement firmwares to de-google your phone as well as other techniques to block or disable collection. Once again though, this doesn’t excuse Chinese phones doing this.

    Also, remember that most brands manufacture in China, and there are ways to substitute components where the brand would be unsuspecting of the switch.

    Sure, supply chain attacks are a thing. In theory there are ways to combat that but it’s a tricky problem. If a Chinese manufacturer got caught doing that though it would be a major international incident. Yet again though just because that might be a risk with any phone doesn’t mean you should just accept and use a phone that’s known to have a backdoor.



  • Assuming both the ad and the JS to track said ad are served from a 3rd party (or at least a different domain) that would hold at least so far as recording impressions goes. On the other hand there’s still the conversions part of this to consider, although without recordings of impressions the utility of that (and privacy risk) is debatable.

    Ultimately I don’t like being opted into anything that collects data, theoretically anonymized or not. I don’t like that this DAP process is running in the background and randomly sending data to some 3rd party (once I figure out that hostname it’s absolutely getting blackholed at the network level).

    Ads are a plague, you give them even an inch and they’ll eventually take everything. It started with broadcast TV, then ads overran it. So they introduced cable. Sure it was expensive, but no ads! Then ads started creeping in and before you knew it cable was a complete ad infested shitshow. Then along comes streaming, a breath of fresh air. Watch what you want, when you want, and best of all no ads. Where are we now? The ads are slowly creeping back in and before long it will be just as bad as cable, 40 minutes of ads in every hour of video.

    For a while we’ve been winning the war on the internet, able with some effort to hold back the tide, and Firefox was one of the last bastions that seemed to be working with us instead of against us. This though looks like a crack in the armor. It’s the first step along a path we don’t want to go down. I don’t want Mozilla wasting development time pandering to ad companies, I want them improving the browser for us the users. The only ad related content I want to see from Mozilla is improved ad blocking.


  • Maybe, but I’m not seeing anything that suggests that would be possible.

    Here is the technical documentation for how this feature works. The short version is that it exposes some new JS functions that sites can invoke to register various ad related activities. That data in turn gets forwarded by the browser to a 3rd party using a protocol called DAP which can be considered out of band for the purposes of website interactions. I see no evidence at all that uBlock would be able to block the DAP calls, and limited evidence it could effectively block the JS functions.

    uBlock works primarily by blocking network requests using a series of rules. Here is the syntax supported by uBlock for defining its blocking rules. It primarily works by inspecting hostnames, although there is some capability to match on things like HTTP headers, or raw text. There is the capability of blocking an entire script element if it matches specific text, e.g. navigator.privateAttribution, however doing so is likely to break sites quite drastically. There is very limited ability to surgically remove such things. Maybe if you injected some JS into each page that overwrites the navigator.privateAttribution namespace with stub functions that do nothing (I believe this is actually what the browser does when you opt-out of that feature), but I’m not sure if that’s even possible or if the browser would simply ignore attempts to write to that namespace.

    It’s possible Firefox is being “smart” and if it sees you have uBlock or similar ad blocking extensions loaded it disables this feature. It’s possible that there’s some extra tricks uBlock or other extensions can pull to block this at a more fundamental level that just aren’t obvious from looking at their documentation. But nothing in the documentation for this feature seems to guarantee any of that, and it’s frustratingly vague in several areas. Regardless none of that changes the fact that this should have been opt-in from the start instead of opt-out. Mozilla argues that they made this opt-out because they wanted to ensure a large enough user base to anonymize the collected data, but that alone suggests there might be privacy problems with this entire thing. This wouldn’t be the first time that a supposedly anonymized data set could be at least partially de-anonymized.
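The stub approach the comment above floats, as an added example that is neither the thread's code nor Mozilla's: a script defines a frozen, do-nothing navigator.privateAttribution on the navigator object and reports whether the browser allowed it, handling the case where the property is locked down. It runs against a constructed navigator stand-in so it works outside a browser; the method names saveImpression and measureConversion are taken from Mozilla's PPA explainer and are an assumption here.

```javascript
// Added example (not the thread's code): stub navigator.privateAttribution with no-ops.
// Method names follow Mozilla's PPA explainer; treat them as an assumption here.
const PPA_METHODS = ["saveImpression", "measureConversion"];
// Frozen stub: methods only append to `log` and resolve to undefined, matching
// the Promise-returning shape of the real API so awaiting callers do not throw.
function makeStub(log) {
  const stub = {};
  for (const name of PPA_METHODS) {
    stub[name] = (...args) => { log.push({ name, args }); return Promise.resolve(); };
  }
  return Object.freeze(stub);
}

// "absent": no such API; "locked": an existing own property is non-configurable,
// so defineProperty throws (the case the comment worries about); "installed":
// the stub now shadows the native accessor on the Navigator prototype.
function installPrivateAttributionStub(nav, log = []) {
  if (!("privateAttribution" in nav)) return "absent";
  try {
    Object.defineProperty(nav, "privateAttribution", {
      value: makeStub(log), writable: false, configurable: false, enumerable: true,
    });
  } catch (e) {
    if (e instanceof TypeError) return "locked";
    throw e;
  }
  return "installed";
}

// Constructed stand-in for a browser navigator: the "native" API sits on the
// prototype as an accessor and records every call the stub should intercept.
function makeFakeNavigator() {
  const calls = [];
  const api = {};
  for (const name of PPA_METHODS) {
    api[name] = (opts) => { calls.push({ name, opts }); return Promise.resolve(); };
  }
  const proto = {};
  Object.defineProperty(proto, "privateAttribution", { get: () => api, configurable: true });
  return { nav: Object.create(proto), calls };
}

// Demo: after installing, a site call reaches only the stub, never the native API.
function demoStub() {
  const { nav, calls } = makeFakeNavigator();
  const log = [];
  const status = installPrivateAttributionStub(nav, log);
  nav.privateAttribution.saveImpression({ index: 1 });
  return { status, nativeCalls: calls.length, stubCalls: log.length };
}
```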




  • That’s fine but it should have been opt-in or at least asked before enabling it. I have ad blockers and anti-tracking extensions, but they don’t do anything against this new feature because it’s the browser itself doing it. If I hadn’t read about it and gone in and disabled it I would be providing data to ad companies without even knowing it and that’s unacceptable.


  • orclev@lemmy.world to Technology@lemmy.world: What is Firefox supposed to do? (4 months ago)

    My browser is responsible to me, not advertisers so it should do what I want. If websites want my business they’ll support my browser. Realistically browsers shouldn’t matter because everyone should be implementing to standards not some random ass quirk of one particular browser, I thought everyone learned that lesson back in the 90s with IE. I literally don’t care if advertisers throw a hissy fit because they no longer have access to everyone’s personal details. The internet existed before ads infested it like the parasites they are and it will still exist after they’re exterminated.



  • It’s an interesting point but I think it kind of confuses two different but related concepts. From the perspective of the library author a vulnerability is a vulnerability and needs to be fixed. From the perspective of the library consumer a vulnerability may or may not be an issue depending on a lot of factors. In some ways severity exists in the wrong place, as it’s really the consumer that needs to decide the severity not the library.

    A CVE without a severity score I think is fine. Including the list of CWEs that a particular CVE is composed of I think is useful as well. But CVE should not include a severity score because there really isn’t a single severity but a range of severities depending on specific usage. At best the severity score of a CVE represents a worst case scenario not even an average case, nevermind the case for a specific project.


  • Yeah, our security team once flagged our app for having a SQL injection vulnerability in one of our dependencies. We told them we weren’t going to do anything about it. They got really mad and set up a meeting with one of the executives apparently planning to publicly chew us out.

    We get there, they give the explanation about major security vulnerability that we’re ignoring, etc. After they said their bit we asked them how they had come to the conclusion we had a SQL injection. Explanation was about what you’d expect, they scanned our dependencies and one of the libraries had a security advisory. We then explained that there were two problems with their findings. First, we don’t use SQL anywhere in our app, so there’s no conceivable way we could have a SQL injection vulnerability. Second our app didn’t have a database or data storage of any kind, we only made RESTful web requests, so even if there was some kind of injection vulnerability (which there wasn’t) it would still be sanitized by the services we were calling. That was the last time they even bothered arguing with us when we told them we were ignoring one of their findings.




  • They run lemmygrad and are dedicated communists, as well as having a very opinionated “bad words” filter that’s hard coded into the lemmy server software and not configurable without building it yourself.

    Edit: commented below, but it looks like at some point they added the ability to customize the bad words filter as part of the site config, so that part doesn’t currently apply. Early on there was a bit of drama about the original hard coded version though.



  • Not sure how to say this without sounding like a bit of an asshole, but why should we care? What does Theia do better than VS Code? For some relevant context I don’t consider VS Code to be a good IDE, but it’s not a bad editor. I use it when I need to crack open some random file (typically markdown or JSON) with maybe a bit of syntax highlighting, but I would never use it for programming.

    Article was a bit light on who the intended audience is for Theia. VS Code’s big selling points are that it’s super fast to open and has a robust extension ecosystem. Is Theia going to provide the same, and how are they planning to convince current VS Code users to switch?


  • That’s one of the things, but it’s also adding a dedicated sidebar for AI. That’s the sort of thing that should just be an extension, there’s absolutely no reason at all why that needs to be something built into the browser.

    Developers should be providing alt text themselves, but in cases where they aren’t having a local image recognition model running to provide a description isn’t terrible as long as it’s either 100% local or completely opt-in.

    The dedicated sidebar on the other hand feels very much like a cheap attempt to cash in on the AI fad.