Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you'll near-instantly regret.

Any awful.systems sub may be subsneered in this subthread, techtakes or no.

If your sneer seems higher quality than you thought, feel free to cut'n'paste it into its own post, there's no quota for posting and the bar really isn't that high.

The post Xitter web has spawned soo many "esoteric" right wing freaks, but there's no appropriate sneer-space for them. I'm talking redscare-ish, reality challenged "culture critics" who write about everything but understand nothing. I'm talking about reply-guys who make the same 6 tweets about the same 3 subjects. They're inescapable at this point, yet I don't see them mocked (as much as they should be).

Like, there was one dude a while back who insisted that women couldn't be surgeons because they didn't believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can't escape them, I would love to sneer at them.

Last week's thread

(Semi-obligatory thanks to @dgerard for starting this)

  • Sailor Sega Saturn@awful.systems · ↑13 · 3 months ago

    Meanwhile, over at the orange site they discuss a browser hack: https://news.ycombinator.com/item?id=41597250 As in a hack that gave the attacker control over any user of this particular browser even if they only ever visited innocent websites, only needing to know their user ID.

    This is what's known in the biz as a company destroying level fuck-up. I'm not sure this is particularly sneerable or not but I'm just agog at how a company that calls themselves "The Browser Company" can get the basic browser security model so incredibly wrong.

    • self@awful.systems · ↑12 · 3 months ago (edited)

      from their Wikipedia page I'm starting to get why I've never previously heard of The Browser Company's browser; it's about a year old, it's only for macOS, iOS, and Windows, and it's just a chromium fork with a Swift UI overtop and extremely boring features you can get with plugins on Firefox without risking getting your entire life compromised ('til Mozilla decides that's profitable, I suppose)

      Arc is designed to be an "operating system for the web", and integrates standard browsing with Arc's own applications through the use of a sidebar. The browser is designed to be customisable and allows users to cosmetically change how they see specific websites.

      oh fuck off. so what makes something an operating system is:

      • the whole UI got condensed down into an awkward-looking sidebar that takes up more space instead of a top bar
      • you can re-style websites (which is the feature that enabled this hack, and which must be one of the most common browser plugins)
      • you can change the browser's UI color
      • it can run "its own applications"? which sounds like a real security treat if they're running in the UI context of the browser. though to be honest I don't see why these wouldn't just be ordinary web apps, in which case it's just a PWA feature
    • antifuchs@awful.systems · ↑6 · 3 months ago

      Hm, I don't really see the sneer. They wrote a nasty bug, got notified and had a patch out for it within 36h. The remediations look reasonable too: better privacy, less firebase, actual security audits; even the bounty program is probably the right call (but they result in so many shit reports, it's probably a wash).

      I gotta admit I'm kind of partial to them and their browser? It's the non-Brave one that ships with an Adblocker by default, has much nicer UI than the existing ones, and the sync thing isn't half bad (if it doesn't sync security badness to all your instances, ouch). Sure they sound like a cult but I guess that's how browser dev gets funded since the 1990s.

      • Sailor Sega Saturn@awful.systems · ↑7 · 3 months ago (edited)

        OK I might have been a little too harsh, but the security requirements of a browser are higher than pretty much any other piece of software except perhaps for operating system code, emails, or text messages. As a serious player in the browser space it is not optional to get the basic security model / architecture right. This isn't a matter of a bug slipping through (which can happen to anyone), but the system being designed wrong. Hopefully this company has learned their lesson, treats it with the care it deserves going forward, and brings some diversity to the browser market.

        Anyway that said let's look at how this was a colossal bug:

        1. The browser required an account hosted on a cloud to use. This is a central point of failure, and cloud is overrated, so should be opt-in.
        2. The browser allowed arbitrary script injection into any webpage based on this cloud account. This is a central point of failure, and goes directly against browser security model so should be opt-in.
        3. The developers did not recognize how dangerous the above was, so perhaps did not treat the back-end with the paranoia it deserved.

        Compare Firefox: I have an extension that allows for arbitrary CSS injection, but this extension isn't cloud based. So this class of vulnerability isn't possible in the first place, and also it is an extension I opted into and can enable selectively on specific sites instead of globally.
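The three points in the comment above (cloud account as a central point of failure, account-keyed injection into any page, a back-end that trusts its callers) describe an authorization design, and the Firefox comparison describes the alternative: scope customizations to the authenticated user and to sites that user opted into. The following is an added illustration, not code from Arc, The Browser Company or Firefox; the class names, request shape and hostnames are invented. It puts a toy "sync my per-site styles" back-end with the weak design next to a hardened one and runs both through the same cross-account write attempt.

```python
# Added illustration (not Arc's or The Browser Company's code): a toy
# "sync my per-site styles" service in two versions. All names are made up.
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Customization:
    owner: str  # account the record belongs to
    site: str   # exact hostname the style may apply to ('*' = every site)
    css: str    # the user-authored stylesheet


class InsecureSyncBackend:
    """The failure mode the thread describes: the record's owner is taken from
    the request body, not the session, so anyone who knows a user ID can write
    into that user's synced customizations, and '*' targets every page."""

    def __init__(self):
        self._store = {}  # user_id -> list[Customization]

    def save(self, session_user, request):
        target = request["user_id"]  # caller-controlled; session_user ignored
        rec = Customization(target, request["site"], request["css"])
        self._store.setdefault(target, []).append(rec)
        return rec

    def styles_for(self, user_id, page_host):
        return [c.css for c in self._store.get(user_id, [])
                if c.site in ("*", page_host)]


class HardenedSyncBackend:
    """Owner comes only from the authenticated session, wildcards are refused,
    and a style is stored only for hosts the user explicitly opted in to."""

    def __init__(self):
        self._store = {}
        self._opt_in = {}  # user_id -> set of hostnames the user enabled

    @staticmethod
    def _host(site):
        # Accept a bare hostname or a URL; reduce it to one concrete host.
        host = urlparse(site if "://" in site else f"https://{site}").hostname
        if not host or "*" in host:
            raise ValueError(f"refusing non-specific site {site!r}")
        return host.lower()

    def enable_site(self, session_user, site):
        self._opt_in.setdefault(session_user, set()).add(self._host(site))

    def save(self, session_user, request):
        # A user_id in the body may only restate the session identity.
        if request.get("user_id", session_user) != session_user:
            raise PermissionError("owner must be the authenticated user")
        host = self._host(request["site"])
        if host not in self._opt_in.get(session_user, set()):
            raise PermissionError(f"{session_user} has not opted in for {host}")
        rec = Customization(session_user, host, request["css"])
        self._store.setdefault(session_user, []).append(rec)
        return rec

    def styles_for(self, user_id, page_host):
        # Exact-host match only: a style enabled for one site never leaks to another.
        return [c.css for c in self._store.get(user_id, []) if c.site == page_host]


def demo():
    """Run both back-ends through the same constructed requests; return outcomes."""
    # Constructed: a session for 'mallory' tries to store a global style under 'alice'.
    forged = {"user_id": "alice", "site": "*", "css": "/* constructed */ body{display:none}"}

    insecure = InsecureSyncBackend()
    insecure.save("mallory", forged)
    out = {"insecure_alice_gets_styles": len(insecure.styles_for("alice", "bank.example"))}

    hardened = HardenedSyncBackend()
    hardened.enable_site("alice", "https://news.example/some/path")
    for label, user, req, err in (
        ("hardened_forged_owner", "mallory", forged, PermissionError),
        ("hardened_wildcard", "alice", {"site": "*", "css": "body{}"}, ValueError),
        ("hardened_not_opted_in", "alice", {"site": "bank.example", "css": "body{}"}, PermissionError),
    ):
        try:
            hardened.save(user, req)
            out[label] = "accepted"
        except err:
            out[label] = "rejected"
    hardened.save("alice", {"site": "news.example", "css": "body{}"})
    out["hardened_other_host"] = len(hardened.styles_for("alice", "bank.example"))
    out["hardened_same_host"] = len(hardened.styles_for("alice", "news.example"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The insecure version stores the forged record under alice and serves it on every page she visits; the hardened version rejects the forged owner, rejects the wildcard, rejects a host alice never enabled, and serves the one legitimate style only on the host it was enabled for. The same checks belong on the server regardless of what the client UI allows, since the thread's point is that the back-end, not the browser front-end, was the part that had to be trusted.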