Hi /tech/, it's been a while since the last thread about this project, so I thought I would make a new thread because I've been more active in editing the website, and I have more free time now.
The Online Spyware Watchdog is a website I have been working on, on and off for a while, you can visit it here:
Lately, the website has been getting a lot of traffic, a lot more than it was getting earlier, I think this is because a few weeks ago RMS created a page about why Discord is bad on his website linking to an article on the website: https://stallman.org/discord.html And then there was the controversy about Discord among /pol/ users which happened more recently which probably drove a lot of traffic to the site as well. The website has had almost 40k total hits when I'm writing this. So since a lot of people are looking at the site, I thought I would fix it up a little (I've been working on it more and adding new articles lately) and make a new thread for it.
You can read my earlier thread about this project here:
I didn't want to make the OP too big, so here is another post with some explanations of questions that I think would come up a lot in the thread:
>Wouldn't a wiki work better for this kind of website?
A wiki, or git, or something would work better, but at the scale that the website is updated (maybe a few outside contributions per week) it's not an issue. You would have to have someone review your edits anyway, so it wouldn't make the site update faster.
>Your website looks like shit, change it
Sorry, I want to make it look better and I'm working towards that slowly. A lot of people have a lot of different opinions on what the website should look like so I haven't really changed the style of it much, I only recently fixed it up to use a global CSS file for the whole site. I'm not any kind of web developer, I only know the basics of HTML. I personally think that it looks OK, I agree that it could look better, but to me excessively talking about the fonts and stuff kind of sounds like bikeshedding. (You can set up a custom user CSS file, right? I think some websites let you choose between certain "themes" with CSS (but I don't know how to implement that yet) so maybe I will do that in the future.)
>Your website looks like shit, change it
tell them their face looks like shit, change it
Your site looks good to me
UI looks refreshing to me to be honest.
((("""User friendly"""))) and/or mobile friendly UI is one of many modern cancers of the internet. Maybe change the background to a solid one and that's it, don't waste effort on it
They're probably shitposters or autists bitching because it looks like something from 1994. If you're gonna be the one solely updating this website, then just use what works.
Since you plan to update this site, I got some suggestions to help inform users of your website.
>Common Spyware Red flags
Examples - untoggleable automatic updates, phoning home, connecting to analytics, etc. Common spyware tactics and scenarios that can be pointed out on their own.
>Defending Against Spyware
Examples - wireshark, firewall configurations, blocklists, etc. Tools and techniques you can use to defend yourself from spyware.
>Categories and Searching for articles
Something for the future if you manage to have a lot of content on your site, I'm probably just repeating what you already have planned, but it's a thought.
If this sounds like a case of "redoing the basics" I understand, but some people that use this might not know this stuff.
>((("""User friendly"""))) and/or mobile friendly UI is one of many modern cancers of the internet.
Software that is truly user friendly doesn't get in your way when you use it. The problem with this kind of modern website design is that they aren't about being friendly, they're about (((The User Experience^TM))). Also, being "Mobile Friendly" is just a way for them to cut corners on an already cheap job so they don't have to implement two versions of the same website.
> If you're gonna be the one solely updating this website
I won't be creating all of the content (a few articles and passages in some of the articles are written by a couple of anons) but I will be the one who actually stitches the HTML together. The idea is that anyone can contribute to the site and help keep the articles relevant and expand the catalog.
>I got some suggestions for to help...
I think that your ideas are pretty good about articles that warn people about how to identify and mitigate spyware. These are articles that I've thought about making, but haven't started yet - you can see the articles that aren't finished here: https://spyware.neocities.org/articles/index2.html
It's mostly stuff about web browsers right now because those are easy to write about.
You need to run your pages through a spellcheck. There's glaringly obvious ones on every page.
>Maybe change the background to a solid one and that's it,
That's good advice. The text is a little hard to read in parts because of the background.
Otherwise, it's fine. Most people focus far too much on style over content. As a result, the web is stuffed with very pretty, but absolutely bloated and useless websites.
The entire website, with all of the images and pages, is 1mb, so 0.1% of how much I am allowed to store for free on neocities. It's pretty nice.
Also, I've changed the background so that it looks like pic related, I agree with you guys that it needed to have a more solid background, this is easier to read for me as well.
>RMS created a page about why Discord is bad on his website linking to an article on the website
RMS featured your article on his website? You really should be proud.
>I want to make it look better
Sure, but keep it as simple as possible. I would recommend to take inspiration from the Dark Theme on https://stallman.org or http://textfiles.com/directory.html
>mostly-static page needing to be updated a few times a week
Host that shit on IPFS
The 90s look is charming.
If you really need to do or just want to use a more complex design (multicolumn, modal dialogs, responsive) I'd just use bootstrap, either v3 or v4.
It's gonna make the page like a generic modern page though and some shitposters are gonna screech but it's really simple to use without knowing css.
The responsive grid alone is enough to make it worthwhile.
OP, I love how you designed your website. It brings me back to 1996. Keep up the good work!
Don't change a single thing about the layout. It's perfect! Simple and to the point.
nice site, i like it. thank you. (also yes, refreshing design)
one tip for the articles: if this is meant for a general audience and not just 8ch/4chan, then maybe put "tracking" higher on the list of issues than "not open source". While closed source is suspicious, tracking features are outright proof of spying.
protip: timestamps. policies change, so it would be good to know when these facts were last checked
I noticed some pages had "Version tested" but others did not
bootstrap is the definition of bloat.
I'd prefer the content of the articles to be in the center of the page, but other than that it's nice. Simple and effective.
>pondering to phonepostetrs
>pondering to widescreen fullscreen windowfaggots
OP, your site is good, but you need to be more elaborate on Telegram, while being (((open source))) it is not free software and is too harmful to be considered non-botnet.
>open source is somehow jewish
Stop misusing echoes. Don't decrease their meaning to nothing more than "random shit I don't like".
thanks for reminding me this exists
>try to make account over tor
>spend 1 minute making an email airmail.cc and then 9 minutes filling out recaptcha on neocities
hit "next" button
nothing happens, just goes back to the same page with all fields cleared
>hurr durr IPFS
>hurr durr net neutrality
pure virtue signalling. now I'll go back to my other 10 shithosts
>>hurr durr IPFS
What's wrong with IPFS? It's literally one of the best ways to host a static or semi-static website right now.
Open Source is an exact term used by jews and other cuck-licenced subversives to present their "heh-he we slapped a bunch of proprietary binaries with this poorly written code and put it on github, oops would you forgive us the fact we can't use git properly, all commits are outdated and software is not reproducible, who needs those sources anyways, download our apk on google goy market". I'm not even touching T*legram's joke "secret chats", shitty PR tactics and virtue signalling for Russian and Iranian audience, super secure central server (((in the cloud))) and phone number verification of course. Don't be a good goy and use XMPP instead. Free as in freedom.
You should consider hosting a wiki instance, so that people can more easily submit modifications.
Or even a git of the websites' mirror.
Keep up the good work!
Since I made the thread, two new articles have been added to the site:
How do I do that?
I've started adding them to articles as I edit them. So you might notice some pages giving a date.
You're right, that the article about Telegram isn't the whole story- although I think you know a bit more about these problems than I do. If you want, you can edit the telegram article, and email me a version that is better. If you don't have time I will eventually get around to it.
The question about something being spyware isn't if it's free or open source- but if you can read the source code that you're executing to find out if it's spying on you. But I do agree that obfuscated, outdated source code isn't acceptable.
>You should consider hosting a wiki instance,
neocities is static web hosting.
I agree with this but I just use "open source" to mean something I can compile from source.
telegram requires phone to sign up?
i want to make a site listing non-internet services like google, microsoft, facebook, yandex, and games that do bullshit like require you to get an SMS from them before using. also sites that block IP addresses for no reason, sites that have a small whitelist of allowed emails, sites that use recaptcha, sites that require another non-internet service such as gmail or facebook to sign up, etc
You could host it on Github too.
It's difficult to talk about "open source" or "software freedom" because specific groups, the Open Source Initiative, and the Free Software Foundation, try and enforce a monopoly on what those words and concepts mean. So, if you have a different opinion of what those things are, you will inevitably butt heads with people who want everyone to follow the meanings enforced by this monopoly.
To be able to know if a program is spyware or not, you have to be able to compile it from source- it does not need to meet any of the other requirements that it would need to meet to be called "Free Software" or "Open Source Software" according to the definitions of the FSF or OSI. So, I don't like to use the words "Free Software" or "Open Source Software" on my website because it implies that a program needs to meet all of the requirements set by those organizations to be called "Free" or "Open" for spyware concerns to be alleviated. If you can compile it from source, that is the only thing needed.
Although, I don't want to say that just because a program allows you to compile it from source, it isn't spyware. It just ensures that you can be aware of all spyware features, and that there is no spyware hidden inside of a binary blob.
It's not a monopoly on the meaning of a word. It's their clarification on what they mean when they say the word. If you have a different meaning, that's your choice but don't be surprised when people get confused about your meaning.
Hosting on github is pretty easy tbh.
Should he add a CoC up his ass too? I've heard GitHub has a tool to make that easy.
It is. Just tell them you want a CoC up your ass, and they'll send around a Bay Area girl (male) to give it to you.
>Spyware Level: Low
>GZDoom has the opt-in feature
reading through the forum it doesn't appear opt-in at all, and the developer appears to love sucking glowinthedark nigger cock all day and night long uncontrollably.
the level should be bumped up to high. the "opt-in" is opting out by digging through a configuration file or flipping a compile-time switch.
>links directly to reddit
USE Archives faggot!
these GZDoom spying niggers also pushed out all of the data collection
adding the dialog box to turn it off. they are going to sit and collect all the data they want, and THEN add the botnet opt-out dialog.
These GZDoom niggers are terrible.
it's too hard for the gzdoom developers to make a confirm dialog on linux, they are forced due to lack of resources to datamine everyone who installs gzdoom
these fucking niggers it's literally 4-5 lines in C with gtk to pop a confirm dialog. 99% of linux users who are running a GUI will have gtk installed. they already list gzdoom as a requirement to build from source.
Never install GZDoom, not even once. This should be labeled as extreme botnet spyware.
*they already list gtk as a requirement to build from source
When everyone uses a word in that way, because of an organization promoting that meaning, it's a monopoly (although I don't want to get stuck on this point). Luckily my website isn't about defining software freedom as a whole, but profiling one very specific type of software freedom. So, I don't have to worry about using words like "software freedom" and only have to worry about words like "spyware" which isn't in any of the software freedoms that the FSF and OSI describe.
If I end up changing hosts (probably not for a long time), I will possibly use git for article submissions, but I will not use GitHub for hosting or article submissions. I think that the other posts on this thread should explain it: GitHub is a very political platform that is pro-censorship.
Didn't they say it was opt-in? I specifically made that article to try and create a precedent for a spyware that could fit into the "Low" score. If you read this post later in the thread:
>And even if you still don't find this data-sending okay, it's been made opt-in, so I really don't see where the problems here are coming from.
>You aren't going to be hurt in any way by this, in fact there is no possible way that you could be, given the nature of the data sent.
Even if this wasn't opt-in, that could only push it up to "Medium" since while I agree completely that GZDoom is spyware, compared to the other spyware that I wrote about, it couldn't ever be higher than that score. That would imply that something like Vivaldi is less of a spyware than GZDoom. Also because, I don't want to inflate the ratings of the software. (Think of review sites, where the average score is 7.5 and not 5 out of 10)
Look, I know that you guys are mad at me for not giving it a higher rating- but since you all seem to know a whole lot more about the situation than I do, it's probably for the best that one of you emails me an edited version of the article that properly explains the level of spying it does on its users, since I don't want to get things wrong a second time. For now I will move it into the "unfinished articles" section of the website until either I get around to fixing it, or someone else emails me a version that is better. Feel free to put copious amounts of block quotes and/or screenshots of the forums where the developers explain their anti-privacy viewpoints.
read later on
>It already has given us some really valuable information, the most surprising of which is the low percentage of Windows XP. Being an old game I would have expected this to be a lot higher, but so far it's only less than 1.5%. Right now there's no need to ditch it, but this should serve as a wake-up call to those users still on XP: With such low percentage its days of support are inevitably numbered. The moment an issue arises where XP turns out to be a blocker, it will be gone.
they already took the stolen data that was not agreed to and used it
>Any news on the native or in-game dialogs?
>Most likely we will use native UI from this branch when user friendly message will be written.
<there's still no confirm dialog
<they are still using the data nobody agreed too and still collecting data from goyim who have no idea what is going on
>How do I do that?
see >>>/tech/793208 and https://ipfs.io, don't get this thread off topic
Why not literally add an option into the option menu of the game itself. I don't think it would even be that hard to do.
also just because someone removes the botnet the score should not be lowered. they can no longer be trusted.
would you lower the score on that stupid flight sim mod company who literally installed chrome password crackers and uploaded everyone's chrome passwords under the guise of trying to catch pirates? they claim they removed it now, but their score shouldn't be lowered either.
because they want to continuously datamine and are bitching and moaning that it's too difficult as an excuse.
You don't need to convince me anymore, I am agreeing with you... If you look at the page again, on my site, it clearly says that the article is being rewritten, and I changed the wording to clarify that it is not an opt-in feature.
Also I am still trying to judge, whether the "low" score is a bad score to give it or not. It's true that GZDoom is spyware, but if I say that it is "Medium", then I am putting it in the same place as much more egregious software that does things like phone-home every 24 hours. It's not that I think what GZDoom is doing is acceptable, it's just that when I give this program a score of "Medium" that would devalue the meaning of the "Medium" score.
Apparently neocities has IPFS already, but I don't really know how to open these URLs.
>apparently neocities has IPFS already
wow didn't know that. It works kind of ok for individual pages, but neocities' IPFS version is kind of shit because resources (stylesheets, images etc.) don't get linked properly and you can't see them.
modal dialogs are harmful. there's not even one valid reason to ever use one
Everything is a fucking botnet. I am using opera for 10 years. I am fucked beyond saving.
Graf Zahl absolutely loves modern botnet software. I'm not surprised that he would follow that trend.
I decided to put the GZDoom article back up, I think it more accurately depicts the situation now. I kept it as "low" just because it doesn't have enough botnet in it for me to justify it getting another rating. Also, one of the contributors to the site finished the Pale Moon article, you can read it here:
I'm probably going to try and sort the catalog page into categories, soon. I think that I want a few more articles before that is needed, though. If you guys still have issues with GZDoom that you think aren't being presented well enough on the site, edit the article yourself and email that to me (that's kind of the point of the site anyway- that anyone can share knowledge about spyware)
REEEEEEEEEEEEEEEEEEEEEEEEEEEEEE i hate retarded shit like palememe's startpage. why do people even do this shit, it just makes the software crap, regardless of privacy issues.
Could someone please test SeaMonkey? Thanks.
I guess this proves that (highly monolithic) free software is just as easy to compromise. You guys ought to be worried about systemd and the Linux kernel now.
I was going to stop bumping the thread, since it seemed to die off, but since it's already at the top of the catalog I might as well bring up that more articles have been added:
The iTunes article of course is a bit short, and probably doesn't capture the full extent of spyware hidden in that program, but it is a good start for someone who can do a more detailed analysis of the software to edit into something better. It at least portrays the level of data collection iTunes does and so I think it's good enough to show now.
The browsers.html article is a little different since it compares all of the web browsers that have been reviewed up against each other. Maybe such a tier-list is one that not everybody will agree with, but anyone can submit amendments with good rationales about what should be where on the list, so it should straighten itself out after that if there is something wrong.
This thread was successful in getting a lot more eyes on the website, and a lot of good feedback but unfortunately no new people submitted articles or amendments to the site because of it- hopefully in the future more people will want to write for the website.
Does systemd or linux contain any telemetry? You would think that such software wouldn't...
I have no problem with monolithic free software because I will always have the freedom to change any part of it, no matter how complex it is.
Remove background image, invert colors (black text on white background).
Fortunately I can do it by myself with https://github.com/m-khvoinitsky/dark-background-light-text-extension
https://spyware.neocities.org/articles/firefox.html (just one example) — you should use a dash (—) for a dash instead of a hyphen (-)
> There is no excuse to at least not make "Check for updates, but let me choose whether to install them" the default - it would still give the security benefit, but not take control away from the user.
When we talk about some critical shit like a browser, no, it's bullshit — users which are tech illiterate won't do manual updates, I've seen it countless times.
You also have encoding problems at least in this page
> For example, if your child uses audio activation commands (e.g., â€œOK, Googleâ€ or touching the microphone icon), a recording of the following speech/audio, plus a few seconds before, will be stored to their account..."
You must add the encoding declaration to the HTML header.
https://www.w3schools.com/tags/att_meta_charset.asp probably like this.
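The mechanism behind the garbled quote above, as an added example that is not part of the thread or of the site's own code: the curly quotes are stored as UTF-8 bytes, and a page without a charset declaration gets decoded with a legacy fallback. The sketch assumes that fallback is windows-1252 (typical for Western locales); the function names and both sample pages are constructed.

```python
import re

# Matches <meta charset="utf-8"> and the older
# <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> form.
META_CHARSET = re.compile(rb"<meta[^>]+charset\s*=\s*[\"']?\s*([A-Za-z0-9_-]+)", re.I)
UTF8_NAMES = ("utf-8", "utf8")


def declared_charset(raw: bytes):
    """Return the charset named in a <meta> tag near the top of the page, or None."""
    m = META_CHARSET.search(raw[:1024])
    return m.group(1).decode("ascii").lower() if m else None


def decode_windows_1252(raw: bytes) -> str:
    """Decode the way a browser's windows-1252 fallback does.

    Python's cp1252 codec rejects the five bytes the code page leaves
    undefined (0x81, 0x8D, 0x8F, 0x90, 0x9D); browsers map them to the
    C1 control character with the same number, so do the same here.
    """
    chars = []
    for b in raw:
        try:
            chars.append(bytes([b]).decode("cp1252"))
        except UnicodeDecodeError:
            chars.append(chr(b))
    return "".join(chars)


def audit_page(raw: bytes) -> dict:
    """Report whether a page's bytes and its declared charset agree."""
    charset = declared_charset(raw)
    has_non_ascii = any(b >= 0x80 for b in raw)
    try:
        raw.decode("utf-8")
        valid_utf8 = True
    except UnicodeDecodeError:
        valid_utf8 = False
    declares_utf8 = charset in UTF8_NAMES
    # Assumption of this sketch: anything other than a UTF-8 declaration
    # (including no declaration at all) is rendered as windows-1252.
    if declares_utf8:
        rendered = raw.decode("utf-8", errors="replace")
    else:
        rendered = decode_windows_1252(raw)
    return {
        "declared": charset,
        "has_non_ascii": has_non_ascii,
        # UTF-8 multi-byte text with no UTF-8 declaration is what garbles.
        "at_risk": has_non_ascii and valid_utf8 and not declares_utf8,
        "rendered": rendered,
    }


# Constructed sample pages: same body, with and without the declaration.
BODY = "<body>(e.g., \u201cOK, Google\u201d or touching the microphone icon)</body>"
BROKEN = ("<html><head><title>t</title></head>" + BODY + "</html>").encode("utf-8")
FIXED = ('<html><head><meta charset="utf-8"><title>t</title></head>'
         + BODY + "</html>").encode("utf-8")

if __name__ == "__main__":
    for label, page in (("no declaration", BROKEN), ("declared utf-8", FIXED)):
        result = audit_page(page)
        print(label, result["declared"], result["at_risk"], repr(result["rendered"][-70:]))
```

A page that contains only ASCII bytes is never flagged, since both decodings give the same text.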
DO IT FAGGOT
The site is supposed to be ASCII, not Unicode.
This should be fixed now, sorry I've been trying to keep the Unicode from sneaking in but it renders correctly on my browser so I miss it sometimes. I'll try and fix this problem in the future.
>The site is supposed to be ASCII, not Unicode.
You're doing it wrong.
The articles are written in English, so there isn't any reason for it to use Unicode. Unicode only gives the website compatibility problems without any real benefit beyond apostrophes that look different and slightly longer dashes.
>The articles are written in English, so there isn't any reason for it to use Unicode
Proper punctuation requires Unicode.
>Unicode … gives the website compatibility problems
Only in your horribly broken mental image of the reality.
>Proper punctuation requires Unicode.
ASCII has all of the punctuation marks English uses- so I don't know what you mean.
Cancermojis are not English punctuation.
I didn't talk about them, you dinghole
Then, talk about punctuation marks that you need to use Unicode for. Don't just say "Factually incorrect." because that isn't how to explain it when I don't know.
If you're hellbent on using the spellings "resumé" and "mediæval", or insist on using dashes, maybe.
… (yes it's a single character)
these were just a few examples
But, why use Unicode for such things that can easily be constructed in ASCII? A good reason would be something that requires Unicode to express- maybe you have a point with your math symbols, but this website doesn't have a need to show math equations.
That being said, I am not going to object to anyone who wants to put a Unicode tag on their articles, or amendments to other articles, since it really doesn't have any harm to the site, so maybe I was being a little silly saying that it "should be ASCII" as if Unicode is not allowed. I just don't see any need for me to maintain or enforce this Unicode style (I can't even type those letters), so I won't spend time changing the dashes on all of the articles since that doesn't seem like a good use of time to me. You are of course welcome to go through all of the articles and change all of the dashes to long Unicode dashes and add the Unicode meta tag to the top, and then email your edited versions of the articles to me, and I'll put them up.
>I can't even type those letters
This is only a problem of your sub-par keyboard layout. But it's easy to solve on most modern OS.
>You are of course welcome to go through all of the articles and change all of the dashes to long Unicode dashes and add the Unicode meta tag to the top, and then email your edited versions of the articles to me, and I'll put them up.
Do you mean to send the HTML files?
You write HTML by hand?
Anyways, it's doable. Maybe I will do this.
I have no issue with Discord tbh.
sent you the edited chrome page, check it out
Okay, I have updated the chrome article, and yes I write all of my HTML by hand, neocities has a text editor on its site and I mostly use that for this website, I don't know what anyone else who writes for the site uses though. I am not really a web developer at all, so that's the reason that my way of doing things is so amateurish, because I don't know much beyond basic HTML constructs. When I say at the bottom of every article, to email me amendments and new articles, I just mean emailing HTML files so that I can merge them in by hand.
Thanks a lot for helping out with the site, I do appreciate it.
No, he's doing it right. Adding more complexity for the sake of itself is part of the reason you have all this botnet shit to begin with. ASCII symbols are good enough here.
Ironically I've been on retro computer sites where the dude writes his webshit in unicode, and when you view the document on an actual retro computer, it looks like ass.
don't all blink-based browsers download a binary blob on first run, i think that feature was specifically removed from ungoogled-chromium before it was abandoned
I heard about this from a friend as well, as long as there is more info and a way to verify that it happens on all of the blink-based browsers that currently have articles on the site, then that should be included...
I looked it up and apparently the name is "hotword-x86-64.nexe". I have Google Chrome, Chromium, and Google Chrome Canary installed but only Google Chrome seems to have downloaded this blob. Maybe I should download the other blink-based browsers and check for it coming up.
Ironically, writing for this website is damaging to my privacy, because it involves installing a ton of malicious programs and seeing what data they report about you.
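One way to make the check described above repeatable across several browsers, as an added example that is not part of the thread or the site: it walks each profile directory it is given, records files whose name matches the blob named in the post or whose first bytes are a native-executable header, and hashes them. Function names and the demo directory tree are constructed; real profile locations differ per browser and OS and are supplied by the caller.

```python
import fnmatch
import hashlib
import os
import tempfile

# Leading bytes of common native executable formats.
MAGIC = {b"\x7fELF": "ELF", b"MZ": "PE", b"\xcf\xfa\xed\xfe": "Mach-O"}
# The file name reported in the thread, plus any other .nexe module.
NAME_PATTERNS = ("hotword-x86-64.nexe", "*.nexe")


def classify(path):
    """Return the executable format suggested by the file header, or None."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory(root, name_patterns=NAME_PATTERNS):
    """List files under root that match a name pattern or look executable.

    A hit is something to review, not a verdict: profiles can contain
    other native components as well.
    """
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                kind = classify(path)
                named = any(fnmatch.fnmatch(name.lower(), p) for p in name_patterns)
                if kind or named:
                    findings.append({
                        "path": path,
                        "name": name,
                        "kind": kind,
                        "name_match": named,
                        "size": os.path.getsize(path),
                        "sha256": sha256_file(path),
                    })
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(findings, key=lambda f: f["path"])


def compare_profiles(profiles, name_patterns=NAME_PATTERNS):
    """Map each browser label to the matching blob names found in its profile."""
    return {
        browser: sorted({f["name"] for f in inventory(root, name_patterns)
                         if f["name_match"]})
        for browser, root in profiles.items()
    }


def demo():
    """Run the comparison on a constructed tree: one profile has the blob."""
    with tempfile.TemporaryDirectory() as base:
        chrome = os.path.join(base, "chrome-profile")
        chromium = os.path.join(base, "chromium-profile")
        os.makedirs(os.path.join(chrome, "ext", "1.0"))
        os.makedirs(chromium)
        blob = b"\x7fELF" + b"\x00" * 60  # constructed stand-in, not the real module
        with open(os.path.join(chrome, "ext", "1.0", "hotword-x86-64.nexe"), "wb") as fh:
            fh.write(blob)
        for root in (chrome, chromium):
            with open(os.path.join(root, "Preferences"), "w") as fh:
                fh.write('{"constructed": true}')
        report = compare_profiles({"chrome": chrome, "chromium": chromium})
        return report, inventory(chrome), hashlib.sha256(blob).hexdigest()


if __name__ == "__main__":
    report, found, _ = demo()
    print(report)
    for item in found:
        print(item["kind"], item["size"], item["sha256"], item["name"])
```

Recording the hash alongside the name lets a later run show whether the same file reappears after a browser update.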
>ASCII symbols are good enough here.
This is not a retro-computing resource.
Unicode is a world wide accepted standard and it's necessary for correct representation of any natural written language (compared to dumbed down versions with incorrect punctuation, etc.).
Deal with the facts of the year 2018, kid.
>Ironically, writing for this website is damaging to my privacy, because it involves installing a ton of malicious programs and seeing what data they report about you.
Use a VM. Or maybe, if you have spare computers, install an unlicensed copy of MACROSHIT WANGBLOWS with none of your data and use that.
I made my case, so enjoy your botnet since you want to indulge in it so badly.
that was a few years ago and it appropriately caused a shitstorm, google initially on their bug tracker claimed that nothing was wrong of course and just shut up and eat the binary blob but changed course after the outrage and removed it before debian and every other distro removed chromium from their repositories.
google saying shut up and take the blob
Comment 14 by email@example.com, Jun 19 2015
#11: "If the software downloads and installs a closed-source binary, how do we know when it runs and when it doesn't?"
Because the open source software has complete control of when the binary runs. You can look in the source code to see when it decides to start up and shut down the hotword module (I gave instructions on how to do that in the other bug).
Providing an extra step to install the module would be unnecessary friction for our users. There is literally no difference between downloading the module (without running it), and not downloading it, except a tiny amount of bandwidth saved. There is no difference from a privacy or security standpoint, because unless we run it, it can't do anything, no matter what behaviour it might contain within.
#13: "Once the blob is on the system the security risks have been increased". From our perspective, the blob is just another part of the Chrome codebase (just with a weird delivery mechanism). You could make a similar claim for any feature of Chrome, "it shouldn't be installed unless I ask for it." But that's not how software works. We don't download individual features of an application on demand. It's your choice whether to enable a given feature. But users generally don't get a choice of *which* features are downloaded when you download software. That's just never been the way software has worked.
google shutting it down
Comment 24 by firstname.lastname@example.org, Jun 19 2015
The bug tracker is for tracking technical development work, not debating policy or, even more, ranting about how Google is evil and you're deleting all Google software from your devices.
Closing to additional comments.
google removing the hotword module from chromium due to MSM picking it up and causing outrage
Project Member Comment 25 by email@example.com, Jun 24 2015
The following revision refers to this bug:
Author: mgiuca <firstname.lastname@example.org>
Date: Wed Jun 24 01:25:14 2015
Remove hotword installation code at compile time if hotwording disabled.
If enable_hotwording is false, the code to download/install the hotword
shared module is compiled out.
(This should not change behaviour; it was already disabled at run-time,
this just removes the installation code from the build.)
you can also reverse engineer closed source software, no matter how complex it is
free software is an illusion
>dude you need to use unicode on your website that is only in english and does not need anything in unicode
>you can also reverse engineer closed source software, it's the same as free software!
Bloated and complex free software is still low quality due to an increased number of bugs. Also it's a disgrace to the name of free software.
I wrote an article about the HTTP protocol:
Maybe it turned into a little bit of a rant at the end, but I think it's important to write things like these, because I can't find the same opinion anywhere online besides a few posts on /tech/ now and then, and those aren't a permanent resource for people to learn about those ideas.
It being 2018 doesn't make Unicode necessary for this site: also, the punctuation is correct either way.
That's a good idea, but why are you responding to yourself as if I responded to you, writing it off? I don't understand.
>>914192 (me) is not the same person as >>914017.
>Your website looks like shit, change it
No. Whatever you do don't add more js and css into it. It's fine now. You should just add a small icon next to each program under "browse articles".
>It being 2018 doesn't make Unicode necessary for this site: also, the punctuation is correct either way.
>durr muh punctuation!
The dash -- an important feature of written language -- should be written with a double-hyphen.
>inb4 triggered english teacher
This isn't school and nobody cares.
>you can also reverse engineer closed source software, it's the same as free software!
For non-experts, modifying something like firefox source code is just as insurmountable as reverse engineering. "Freedom 1" was never real.
That is not true. Sure, modifying firefucks source code without breaking something is quite difficult, but try modifying something in Internet Explorer.
(Also I heard something once about a large proportion of Firefucks code being auto-generated Java to C++. If that's true, it's even worse.)
No. Sophisticated systems in the form of human readable source code are nothing compared to trying to read obfuscated code in the form of binary compiled software or minimized code.
You're assuming that the user of the software has to be the one doing the work. This is a bad assumption. There is absolutely no requirement for a user to have any kind of technical aptitude to audit and modify software as long as they can find a skilled helper to help them. Freedom in software means the user has the permission to study the code but it doesn't imply that the user must have the skill to do it.
Yeah finding a sucker to do that is even harder. In reality, Freedom 1 only applies to small scripts and such. Anything else is reserved for big corpos just as closed source software...
No it's not. It's as easy as finding a builder to build your house or finding a plumber to fix your plumbing or finding a carpenter to build a cabinet. Finding a software developer to help you is not hard at all.
Yeah that's why collaborative game development goes so well. Visit /agdg/ sometime...and you will find a bunch of guys working ALONE, because it's the only viable option...
A computer game is an artistic work of passion. The lead producer directs the game and this level of direction isn't always popular with a loose group of individuals who are working on a game project for recreation. A computer program that's designed for real practical work is different to a computer game. A practical computer program is very feasibly useable in a limited state and can continually be improved in the "release early, release often" model of development.
Yeah, but what I'm talking about is a guy taking, say, Firefox source code, and thinking to himself "okay, I want THIS feature in there!". And then he codes it in...yeah right, it's impossible. And let's say he managed it...new Firefox version is out! And he has to port his feature or else suffer from the previous security bugs, etc...
>a bunch of proprietary binaries
Holy fuck stormfags are retarded
Well hello there, fellow redditor. No gold for you today, sweetie.
Please read the following material to get yourself informed on this topic:
Is there a comprehensive guide for FF-based browsers with the following goals
<restore useful functionality that was removed
<add useful functionality (primarily improving privacy and performance)
<all the above without breaking compatibility/functionality on websites
It isn't worth the trouble. Go ahead and castigate me for being a shill, but I've switched to Iridium, and I doubt I'll go back. Not only is it faster, it also never segfaults. Make sure to run it with the following flags:
--user-agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
*You need HTTP referrers to post here.
No, there is not any such guide that I am aware of. I would love to include such a guide on the site, though. I have been thinking about writing it but I haven't actually gotten around to writing it. If you want to help me get started with it, I would really appreciate the help. I will probably need help anyway, I haven't used Firefox-based browsers for very long and so I don't know all of the about:config entries and addons and other things you should be doing. Ideally the site should include a similar guide for chrome-based browsers too, maybe this post: >>914418 is a good starting point.
If Iridium is based off of Chromium, doesn't that mean it has that (((bug))) that forces the browser to phone in to the gstatic and Client servers? Or am I just plain stupid and Iridium team already removed the (((bug))) already?
The guy who wrote that article runs the browsers through mitmproxy to check for that kind of thing. So presumably that didn't come up. You could try and verify it by downloading mitmproxy and running Iridium to really make sure that it's not doing that, if that's not the case then I will change the article to reflect that.
Ah, will do and thanks for the heads-up and the website.
>Yeah that's why collaborative game development goes so well. Visit /agdg/ sometime...and you will find a bunch of guys working ALONE, because it's the only viable option...
That's /agdg/'s problem.
There are free and open source games e.g Xonotic and Zero-K that are collaborative in nature, organized purely online, and successfully made releases without falling apart before getting anything notable done. Both of those games were in steady development over years, supported by free time, community, and donations.
You know that kind of thing is completely normal? This is true for all software. There is nothing outstanding about what you're describing here.
Iridium recommendation is dumb. Sure, it might be better for vanilla installations, but you can open Firefox with your internet disabled and change all the options that connect to external sources and then it is equal to Iridium.
Then when you add addons you only download addons from the Mozilla addons store.
If you download addons in Iridium it's from Google's store, connecting to Google's servers.
I'm thinking of consolidating the "Low" and "Probably not Spyware" ratings to just "Low", and then moving Iridium to "mitigatable spyware browsers". Firefox has Google analytics on its addons page and you can't remove the button on the GUI for it as far as I know. I'm not sure if Iridium has a direct link to the Google store on its page, if it doesn't, then can't you get addons for it from another place?
Iridium as a spyware browser, when their whole shtick is debotnetting Chromium...you're a funny guy. Or incompetent.
>I'm not sure if Iridium has a direct link to the Google store on its page, if it doesn't, then can't you get addons for it from another place?
No, actually Iridium even removed automatic updates of addons, to avoid any connection to Google. And of course it's possible to install extensions manually. Read their FAQ...there is no spyware in Iridium. You're a joke and so is your site.
Google safebrowsing requests are still a form of spyware.... It has two versions, either you download a safebrowsing list from their server, or it literally sends requests to a safebrowsing server that contain the URL of the site you are trying to access. So you can't really call that privacy at all. Yes, this server is not owned by Google, but do you trust the people who run this server? At the very least, people should be made aware of that.
I didn't personally review Iridium so I am not sure if it is downloading a list of sites to block, or sending everyone's connection requests to Iridium's servers, and I will have to test this myself, but if it is the former, I will change its rating to "Low" and if it is the latter I will change it to "High". I don't know yet.
Really I think that this is an emotional response to my site, instead of looking at the facts... and that's why this site exists, because it's supposed to highlight privacy problems, even with so-called "privacy concerned" software. Yes, maybe it's harsh to label people's work towards more private browsers as spyware, but that doesn't change the facts about what their browsers do. That's why the site has many different ratings based on how much spyware a program has in it. I think you are reacting too much to the fact that it's being called spyware, instead of realizing the purpose of these articles: it's to say that this is the kind of information you might be giving up if you use this software, are you OK with that? And really nothing else.
And now you're even considering switching Iridium to High. No, you're definitely incompetent.
>or sending everyone's connection requests to Iridium's servers
read your own article
Iridium is based on Chromium, using Blink engine which has significantly less control over your privacy in general when compared to Firefox. Not being spyware doesn't help vulnerable code.
I read the article, it mentions Google safebrowsing requests, a spyware feature, but it didn't mention which kind of safebrowsing it was using. If you look at the safebrowsing API here:
You'll see that it has the option to either download a blocklist (a form of phoning home) or to send every URL you try and connect to, to be checked against a blocklist at Google. So either way, it's a form of spyware. According to the article, it's from Iridium's own servers, but not from Google, and the writer doesn't mention which type of safebrowsing requests are being sent.
Now that I have seen for myself, it looks like it is downloading a block list, but not from a mirror, instead directly from Google. So, I can't say that it's "not spyware" when it is literally phoning home to Google by default. I won't say that it is doing anything more, because this is the only privacy problem with it, but it's something that needs to be mentioned.
The way I see it, I have looked at Iridium browser with mitmproxy to see if it is spyware, and you have read the FAQ on their website to see if it is spyware. Which perspective is more credible? Maybe by this logic, I should label Discord as "Not Spyware" because they said that they don't sell your information on Twitter.
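Added example, not part of any post in this thread and not the site's own tooling: a sketch of how a proxy capture can be sorted into the two Safe Browsing modes described above, using the public Safe Browsing v4 method names. The capture entries, the `sb-mirror.example` host and the helper names are constructed for illustration; the Low/High mapping is the rule stated earlier in the thread.

```python
from urllib.parse import urlsplit

# Safe Browsing v4 method names, grouped by the two modes discussed in the thread.
UPDATE_API = {"threatListUpdates:fetch", "fullHashes:find"}  # blocklist kept locally
LOOKUP_API = {"threatMatches:find"}                          # URLs sent to the server

# Constructed capture (not real traffic): verb and URL of each proxied request.
CAPTURE = [
    ("POST", "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?key=PLACEHOLDER"),
    ("GET", "https://example.org/index.html"),
    ("POST", "https://safebrowsing.googleapis.com/v4/fullHashes:find?key=PLACEHOLDER"),
    ("POST", "https://sb-mirror.example/v4/threatMatches:find?key=PLACEHOLDER"),
    # Look-alike path on an unrelated site: must not be counted.
    ("GET", "https://example.org/v4/notes/threatMatches:find.txt"),
]


def classify(url):
    """Return 'update', 'lookup' or None for a single request URL."""
    path = urlsplit(url).path
    if not path.startswith("/v4/"):
        return None
    method = path[len("/v4/"):]
    if method in UPDATE_API:
        return "update"
    if method in LOOKUP_API:
        return "lookup"
    return None


def summarize(capture):
    """Map each host that received Safe Browsing traffic to the modes seen."""
    seen = {}
    for _verb, url in capture:
        mode = classify(url)
        if mode is not None:
            seen.setdefault(urlsplit(url).hostname, set()).add(mode)
    return seen


def rating(modes):
    """Thread's stated rule: blocklist download -> Low, per-URL lookup -> High."""
    if "lookup" in modes:
        return "High"
    if "update" in modes:
        return "Low"
    return None


if __name__ == "__main__":
    for host, modes in sorted(summarize(CAPTURE).items()):
        print(host, sorted(modes), rating(modes))
```

Reporting the host next to the mode matters here because the disagreement in the thread was about who receives the requests (a mirror or Google) as much as about which mode is in use.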
At least you're testing these things now, congrats.
What does your computing setup look like?
- Which OS do you use?
- Do you use VPNs?
- Which phone, in particular - which apps being installed?
It's just downloading the block list. Nothing malicious about it.
I'm not really calling it malicious, that's why the rating is only "low". They get your IP, User-Agent, etc, so it is a form of data collection, and so I have to mention it. I don't really call spyware malicious unless it's really excessive in its data collection, in this case it's kind of an incidental consequence of using spyware protocols like HTTP. So, I hope you guys think that this is a reasonable way to look at it.
I hope that this post isn't too disappointing, because I'm really not a good example of someone who avoids all spyware.
>Which OS do you use?
I personally am using Windows 7. I download the security updates from Microsoft every once in a while but I haven't gotten around to applying the changes here: http://oxwugzccvk3dk6tj.onion/tech/w7tele.html so I'm not doing very well here. I have a laptop, it has Windows 7, Slackware, and Plan 9 front installed.
>Do you use VPNs?
>Which phone, in particular - which apps being installed?
I have an iPhone, so I am checked into the botnet. The reason is that it was "two for the price of one" to buy them, and my family wanted me to have a cell phone, so when someone else in my family got a phone, because of this I got a phone too. I wasn't very concerned about my privacy when I got it, although I didn't really want a cell phone, they wanted to be able to call me. If it breaks I will probably just buy a flip phone, or set up a land-line.
I only really have a couple of messenger apps installed on it, I have the facebook messenger app, and discord, this is because there are people that I am friends with who I can't contact in any other way. Beyond that I have an app for my bank and one that lets me buy train tickets. Maybe in the future I won't use a debit card anymore, and switch to using cash, but I am trying to do one thing at a time.
I hope that nobody thinks that because I personally use spyware, that the stuff that I write in my site isn't something that you should take seriously- if someone who smokes cigarettes tells you not to smoke, that doesn't change the risks of smoking.
>they don't use anything else
Switch some of them to riot.im. It's a very good discord alternative.
>choose a server
>choose an identity server
>choose a nickname
>choose a password
Normies seem too retarded for these things nowadays.
First thing first: there is no compromise between security, privacy and anonymity. They are the opposite sides of one triangle.
To blend in with the crowd, you have to look like the crowd, behave like the crowd. Disabling JS and hardening your browser is the exact opposite of this thing. If you want anonymity, use Tor Browser with default settings.
Now here are the guides I know:
Also these sites might be helpful:
>choose a nickname
>choose a password
Both optional. But these 2 are required on discord, so what's the difference?
You can be invited and open a link.
The only problem I have with OSW is that you guys use "Spyware" way too much, to the point it's somewhat annoying, it's especially apparent in the Discord article.
Discord babby got buttmad?
That's a real criticism of the website, not just funny hate mail from Discord fanboys.... although I can confirm that I have received some of that, and yes, it is hilarious to read.
Hey OP, would you be willing to do a check up on Qupzilla browser?
the important thing about your site is your reviews, I like the idea and reviews. keep going
>it looks like something from 1994
I seriously wondered
For web browsing, communicating etc. Which platforms do you recommend to use anon/s?
Go through and check any external sites you link to. I clicked two links and one of them was filtered by my AV and the other was a huffpost article.
Sorry everyone for the delayed response. I thought this thread had died, so I wasn't looking at it anymore.
I could do it but it says that it's changing its name to the "falkon browser". Should I review that one instead? It sounds like a better browser to review if QupZilla isn't going to be worked on anymore like the website says.
Either way the next browser I am going to review is IceCat, since that browser is more relevant. According to some people who I think know what they are talking about IceCat is a spyware browser, but I haven't done any tests on it yet myself to find out.
If you can tell me which link was filtered by your AV, I would be happy to archive it or something. Beyond the fact that the article is from the huffington post, there isn't anything actually wrong with the content of the article. I just looked online for some articles that are alright about the topic to put into the further reading section, but I'm sure a lot of people could do better. If you have some good links feel free to share them.
the old design (90s as people have mentioned) is so old that now it looks new again! it's simple and easy to read and god makes me realize how distracting modern pages are! no wonder every other kid has ADD these days.
the only thing I would suggest is to list the software alphabetically. It's easier for someone to find their software that way, especially as the list grows.
I plan to split it up into more categories later. Right now it's sorted by spyware rating. It will be reworked once the article count gets a bit higher.
lol I thought it was sorted by popularity. That's a funny trend though.
this thread has been ended up.
Thanks for posting this, it's really useful. Makes me very glad I deleted my Discord account ages ago.
This. This one site is infinitely more useful than the browser threads. Thank you.
>Discord is spyware
>Telegram is (probably not)
Hmmm, gee I wonder who might be behind this, towarisch?
would you be willing to test tor browser?
RMS' site already exist. Your shitty site is nothing to it.
Tell him to add >>922042
RMS links to this site, nerd.
RMS doesn't speak out against spyware unless it's related to his promotion of free software and the reputation of the free software movement. Otherwise, where are his articles talking about Mozilla and the free software projects written about on this site?
His answer is to change the source code. Matters of spyware in free software can be made meaningless when everybody is allowed to modify the software.
This. Also never report bugs
Telegram devs are notorious for their inability to use git properly. They publish large chunks of uncommented outdated source code to github and think they can get away with this.
Matters of spyware in free software can be made meaningless when people are no longer using that spyware. That's part of the purpose of the site, to discourage people from using software that is spyware, and to encourage them to switch to non-spyware. RMS advocates the process where someone forks the code of a project to create a non-spyware version, and then the community can reject the old spyware version and move to the new, non-spyware version. This website could be considered part of that process he is talking about, where it is advocated to move from spyware versions of software to non-spyware versions of that software. So, producing these articles is entirely consistent with what he thinks is the solution to spyware in free software.
Once in a while, users who know programming find that a free program has malicious code. Generally the next thing they do is release a corrected version of the program; with the four freedoms that define free software (see http://www.gnu.org/philosophy/free-sw.html), they are free to do this. This is called a “fork” of the program. Soon the community switches to the corrected fork, and the malicious version is rejected.
I amended the Telegram article with this information, thanks for sharing it.
I'm sorry OP, but you seem clearly biased with criticism for certain software, while ignoring the faults of others that are clearly what you use/your favorites.
It's just another my opinion>yours kind of site and not something worth our attention.
It would be great if you provided an archived link alongside the original link on most of your cited sources.
In Your articles you direct link many sources without an archive to back them up.
What would improve the overall cited sources to the webpage was if you did something more like how that of a wiki might.
Instead of only providing 1 link you can source multiple links at any given time.
You should also always provide an archived link instead of a direct link for purposes of keeping the article's time of creation and review understandable, in case anything on the site changes or the software changes.
I.E instead of https://policies.google.com/privacy/example/collect-information it would be https://archive.fo/Hthpb (or the long link) http://archive.today/2018.05.30-050751/https://policies.google.com/privacy/example/collect-information
You could perhaps just provide the direct and the archive for comparison
It is highly advised you provide better archive links than that of archive.org because archive.org has been known to delete snapshots that they don't personally like.
How did it come off that way to you? I'm not trying to write the site in a biased way, but I would not be surprised if it can come off that way, if there is stuff I missed about certain software, or things that I wrote about unfairly, I want to change that, if you would tell me what the problems are specifically.
It's supposed to be the kind of website that anyone can contribute to, but the articles are right now only written by me and one other contributor, with some minor edits (mostly typo/formatting cleanup) by a few other people. So, it's inevitably going to be flawed by a lack of writers and criticism, which is why I made the thread.
Maybe it would be useful to provide source numbers, and then have a list of sources at the bottom of the article with links to different archived versions so that it can be more easily found, like Wikipedia. That kind of editing will take a little bit but is probably the direction that I want to take it. Over the next few days, maybe I should do that.
If you want to help out I will accept any HTML pages that you send my way that are edited to provide source lists.
I edited the article about Bing to include a source list. I like how it turned out, I think this is a good idea. So I'll go on and edit the rest of the articles to have similar source lists.
>I amended the Telegram article with this information, thanks for sharing it.
> Telegram does not follow it's GPLv2 Obligations
it's -> its
I'd also suggest bumping it to "Medium" or "High" from "Low" because disclosure of telephone number is a big deal and arguably bigger than anything, for example, that's done by Firefox which has "High" spyware level.
(The phone number isn't only used for mass sign up "prevention"; any account can be immediately found by the phone number and this is a big problem for public chats where the government, by probing phone numbers, can easily find who posted what, and then they might end up like Arkadiy Babchenko who was shot yesterday)
>for public chats
…or even non-public, as the gov-t agents can eventually infiltrate them anyway, or create baits from the start
you should probably mention that it's possible to find the account by the phone number.
(and please, put it through some basic spell checker)
That's a good argument for me, so I've made the trivial edit to bump it up to medium.
If you want, I would really appreciate it if you want to edit the HTML and email it to me to add a section or edit an existing section to emphasize this about it. Suggestions are great but in the end, it all takes time to apply them into the articles, so the fastest way to change the site is that way. I'm a little busy editing source lists into articles right now and could forget to add your suggestion in by the time I'm done.
OK, I'll take the current HTML after ~15 minutes and add some details to it.
I sent an email with updated html for the google search article.
OK, I have made the source list edit to the telegram HTML now. I have also made the change for the brave browser article too. That's a good idea with the <sup> tags, I didn't know that those existed but that makes sense. I'm going to go back and edit those other articles to use <sup>. I merged the google article so it's using the HTML you sent me.
Fug I will now have to merge the differences. (and I don't have the original)
Or do you want to merge them?
Don't worry about this. I will merge the pages for you, it's not a big deal.
Also I forgot to write, thanks guys for helping me out like this. I am right now working on fixing up the citations for the google chrome article. Do any of you know any good alternatives to archive.is? Sometimes it refuses to archive the page and says "network error" as the reason. So I'm trying to find a third service I can look at to get archives from in case it fails.
OK I actually merged them, wait ~1 min for the email
web.archive.org, but I don't know if it's possible to force it to save something specific.
Or trying to roll your own archive, but it's not an easy task for non-technical reasons as well. (You have to build some trust, and you will be constantly attacked, probably even pressed in the meatspace as well)
It's been merged, thanks for the help again.
I'm using web.archive.org as well as archive.is, it's just that >>922558 is concerned about using it. So I am hoping that there are other services out there I can use just to be safe.
yeah it's of course better to use several archive sites, not affiliated with each other.
OP, can you do a review on ungoogled chromium so shills can shut the fuck up about it not being a botnet
might as well, hopefully it ranks well because it's tested enough that it might be actually secure (as well as private).
>IceCat is spyware
Are you insane?
Literally an oxyMORON.
I didn't say that: I said that I heard it was spyware and didn't check. I will make an article about this; I just haven't gotten around to it yet, and when I do I will have an actual position on whether it is or not. This is someone who has an opinion that I do trust, I'm just being lazy and I had a toothache yesterday (and also I haven't finished converting all the articles to the new sources format)
OK, I will do it after I review IceCat.
I (the other guy who was writing articles for the site) just tested it briefly. It makes no requests that I didn't make myself, but this is an old profile so some requests with a new install are still possible.
That's a strong reaction. What do you have in support of it? Because I did the tests and most of what is in the Firefox article still applies.
You should write the article and share it on the dev mailing list to see their commentary. Also, I'm pretty sure 60 isn't out yet, so what would you be reviewing? Because if you're reviewing the pre-Quantum version of Icecat right as the new one comes out, that's very disingenuous.
It's not going to be reviewed until version 60 like you said, I was not really keeping up with IceCat's development so I didn't mention it when making the comment. That was pointed out to me a few days ago through email as well with >>924285 .
>mobile friendly UI is one of many modern cancers of the internet.
Depends, the responsive shit is good, simple and easy to implement, css3+html5 max. Just tell the browser, if this is phone, handle the scrolling a bit better and change layout to something vertical on small screen.
The rest that comes with it is cancer, like animations on resize/rotation, pull out menus, anything that relies on js that isn't data related like fucking carousels, parallax backgrounds, etc. Fucking dross. You can even do without js if you don't mind the entire page refresh... which I don't, some sites with js look like their entire page refresh anyways, like searching on amazon... what a joke, if it's going to look like that then they can get rid of the js.
t. guy who studied and made "webapps/responsive sites/backend apis/hybrid apps/other web2.0shit" and I hate 98% of it
static pages are web1.0
sites like 8chan are web2.0
responsive/jquery/other abuses of jabbashit are web3.0
you know what?
it doesn't even need js.
unless you use some ancient versions of HTML and CSS, perhaps.
Good thread. I use configured waterfox. I occasionally use TinyWall to see http requests. Nothing unusual in my experience. Maybe it's because I have that safebrowsing bullshit turned off.
Does anyone have tips for running TinyWall or PfSense?
yeah, that's what I was saying here >>928594 my ip cycled, if it can do basics of css3 and html5 it'll work. Even then operamini or operamobile, the old one, doesn't support but it re-renders to work anyways. Not sure how ie reacts. You can even forget the css3 if you want it to look the same on all screens, you still need the html5 tags
that's not what 3.0 is, jquery is definitely 2.0 most frameworks and apis like reactjs and angular are 2.0. It's rendering and routing in the frontend, using your computer's resources instead of the server's. It's just tonnes of js.
you don't know what "responsive" is or how it's implemented, do you?
Responsive css is botnet too.
Now try resizing your window and think how would it look on server's side.
Problem is: there is no escape. in order to serve less traffic and appropriate width webpage to mobile users, a website should determine phone's screen width which in turn will result in loading lower resolution images (with FLIF it'd be even more intrusive), interface elements, different graphics and arrange them properly. No, default html 1.0 full-width stickiness is not an option, try reading that crap in wide window or look at your average imageboard post width on full wide window, Tim didn't even do it right from day one.
So you mean Iridium browser? There is already an article of that on the website.
Possible Canvas Fingerprinting is detected! So mozilla is also doing that, heh. (Install extension "Canvas Fingerprint Defender" to see for yourself)
>Install uMatrix on browser of choice (download the .xpi beforehand)
>Go to dashboard
>On the dashboard tab, open the uMatrix menu to see "behind-the-scene" requests
>Click the 'on' button and save
Tell me this truly blocks all spyware jewry like OCSP and Mozilla telemetry? Is this the definitive list of all connections a browser makes?
Also, Google (((Safebrowsing))) appears if you don't fully disable all of it in about:config. I recommend disconnecting from the internet before you open a browser for the first time. In theory this allows you to avoid the Pale Moon start page.
Another website mistaking analytics for spyware. If you dislike websites needing to make money to stay alive then fuck off of the internet.
sure bro I'm out of here
Sorry for not responding as fast as I could have responded. I wrote an article about DuckDuckGo for the website a few days ago:
The only method that has been used on the site is MITMproxy. I don't know if uMatrix is catching all of the requests the browser makes, but I do know that MITMproxy is doing this. If you can send me screenshots of the safebrowsing requests I would like to add them to the Palemoon article.
There are plans to write articles about how to de-botnet all browsers listed but none of these have been started yet. A lot of people expect this and so maybe the site will be understood better when it has guides on removing or mitigating spyware in these browsers.
Check this for more information, it's written by a contributor:
Analytics are spyware, why analytics are being used does not change what they are.
Those are two different projects, ungoogled chromium hasn't been reviewed on the site yet.
There are lots of things I could write articles about, but I don't have an infinite amount of time. Anyone can contribute to the website, so if you want an article on the website you can just write it yourself and submit it to me.
>MITMProxy has a jewgle analytics script and 2 cloudflare scripts on their site
I don't condone what they are doing but the source code is available so they aren't hiding anything in that at least. (I hope). There are probably other ways of doing this that are made by people who respect your privacy better, but I don't really know that many ways of doing it.
You are utterly incorrect, any file a server sends you can, and has been used for tracking, more popular are fonts, fav.ico, DOM Storage, SWF Super Cookies, and more described ITT, which do not use XML|Ecmascript.
Keep up the good work. It's nice that your site is raising awareness to the issue that is everything calling home automatically without any warning or way to make the user aware.
Protip: go up to reviewing operational systems too.
>want an article on the website you can just write it yourself and submit it to me.
Got an XMPP account with an OMEMO enabled client?
Email is asking to deanonymize users here.
You truly are a hero OP, but >>910069 has a point. No reason to link directly to other sites, especially ones that can have content removed as easily as Reddit.
Sorry but I didn't know about this kind of thing before you brought it up, I'm trying to set up an XMPP account but I'm not really sure what I'm doing yet. So far downloaded a client called "gajim", I made an account called "spyware" at some server called "404.city", and installed the OMEMO plugin with the plugin manager it has. Hopefully that's enough for you to contact me.
Yeah, but that is the *content*, not the *protocol* that this content is sent through. I could send the exact same things through FTP and it would track you- but the reason FTP has a lower spyware rating is because FTP does not have spyware built directly into the protocol through features like user-agents.
The review was of the protocol itself, not of the content that people use the protocol for.
If you look at the site more recently, you'll notice that this is no longer a problem. Every single source cited also comes with an archive link to at least one archive and most of the time the sources have two archives or more, no matter where it comes from.
I still need to archive youtube videos that might be useful, but, unfortunately I'm not sure what service I should use to do that. I can compress video files but it makes the quality too poor and bloats the size of the site. The entire website is 1.5mb right now, but one video would be many times that size. Luckily I don't have any videos to archive right now that are seriously important, just that I link to some stuff as supplementary material.
Sorry, didn't finish reading the thread when I posted.
Chatting with someone through XMPP with OMEMO enabled is no more anonymous than sending an email.
Simply host screenshots/pdfs of the pages you mention, and you're done.
I don't think hosting these pics will take you any resources.
Can you do an article about Slimjet OP?
is it only Chromium forks, or do all Blink-based browsers download blobs and use Google safebrowsing?
or you could just take a plaintext excerpt for journalistic purposes?
also, if you're going to lambast KSP, you might as well bully all the software using Red Shell
>FTP is not spyware
can plaintext protocols be considered the opposite of spyware now? I guess the spyware lies in Deep Packet Inspection rather than the protocol itself. Still, SFTP is much better solution.
website looks just fine and the UI is easy to read, I like that the information is presented in an orderly and simple to understand manner, bookmarked it tbh and I'm gonna show it to my normalfag retarded friends when I tell em why they shouldn't use what
>Should I review that one instead?
Yeah, that would probably be better.
Just FYI that picture (of the shepherd) is copyrighted. I suggest finding a public domain one.
The Firefox and IceCat articles are rubbish. You should at least investigate about what the features do instead of claiming that anything with an Internet connection is spyware.
OP. I hate to be a grammar nazi but a project like this has to be polished until it blinds everyone with its shine.
In the HTTP article, the first phrase of the last paragraph.
>At best, you could call this mindset naieve
And go ask /v/ about spyware in vidya.
They can help with that.
It's botnet and uses an unsafe browser engine. You'd be better off using a blink browser.
All of them do. Blink engine is unsafe even if you ignore that.
>It's botnet and uses an unsafe browser engine.
Test using mitmproxy to make sure
>You'd be better off using ungoogled-chromium.
botnet. use actual free software without embedded proprietary software
>muh ungoogled-chromium is botnet still!
>Win32fags cucked since version 55 (unless they build the latest versions by themselves)
if you care about privacy you shouldn't be using win32, /g/nigger
>if you REALLY care about privacy, you shouldn't be using wangblowz
It's not that I don't want to write these articles, it's that I'm only one person. I want to write them and eventually I hopefully will have written them, it will just take some time. Unity game engine for example phones home, a lot of things in modern games do too. But I can only write one article at a time. If any of you can contribute (it needs to be CC0 now also) then I will gladly put your articles up. I'm thinking of writing about unity first.
Thanks for telling me, I will change that tonight.
Phoning home is a form of profiling and is always collecting information. Especially with HTTP user agents.
I agree sftp is better. But the ratings aren't about security as much as they are about how much information is required vs how much information is actually collected.
I'll do that kind of thing when I have more free time to answer questions and take requests. I have so many requests from this thread that I'm not running out of work to do yet.
You can find public domain/libre licensed media here (this one in particular is of the german shepherd, although wikimedia has media of practically everything):
You can also use (((Google))), it has copyright filters.
I'll help you with what I can.
I think that I'll drop txts on your threads, if I ever stop losing sanity trying to decipher mathematics and write something.
I like this one
Here is the new watchdog, thanks again guys for helping me with this. Maybe later tonight I can do more work on the site.
Sorry I didn't respond to this, yes I do need to fix spelling mistakes, it's on the list but unfortunately hasn't been done. You are welcome to help too, I would appreciate it. It seems the more articles that are on the site, the more my changes are about maintenance...
I'm glad you're enjoying it!
Have there been any new updates to the site? If not then kys.
I have continued to add new things to the site, you could see when I update the site here: https://neocities.org/site/spyware
But I don't want to bump this thread anymore because I don't think there is anything more for me to talk about right now.
The latter. Iridium seems more "professional" (UC is made by like one guy and it's entirely on shithub), but the devs have a bad attitude towards privacy. I used to use it with the safebrowsing turned off, but the bad attitude put me off.
Good site. Keep it going.
The site is still active, I just don't want to keep bumping my thread, it's been alive too long.
Here are three finished articles:
And one unfinished article:
I think I can review things more efficiently now, because I have been looking into software that is more convenient for me. Microsoft Network Monitor 3.4 is a very nice program for this because it tells you what requests are being made by which programs, and I don't need to do anything special. MITMproxy needs me to install a special certificate to browse the web, and some other things, it's just not as fast for what I want to do because of my trouble setting it up.
If you want to reply, it would be nice to sage the thread. There are a lot of new threads up and so I think this thread should be allowed to die just because of how old it is.
You're doing God's work, son...
I recommend writing an article for Ungoogled-Chromium, it's a good option for those who want privacy but also want to use all the extensions that are in Chrome.
I finished another article today:
And started on another:
Falkon might be phoning home, but I really want to test it on another machine. It doesn't work on my computer right now. Network Monitor is pretty poor compared to MITMproxy, except for its ability to link a request to a process. But I don't think it can recognize HTTPS, and instead it just shows up as a lot of TCP and TLS requests. Maybe in the future I will understand all of these programs better...
For now, https://digdeeper.neocities.org/ghost/browsers.html seems to be a good place to show people. I want to write an article, and maybe I'll have one in the next few days. If you want an article on it faster, you're welcome to write it yourself and email it to me, and I'll put it up.
I should really make a list of the most requested software, so that I don't forget.
As if there wasn't enough on the Steam page already I've seen this that ought to be included
Also I'm thinking of drawing you up a logo for this project. I can't think of a better way to point out the merits of FOSS than the facts that you're collecting on your web page.
I've added a link to that with some archives into the "further reading" section. Although, I'm not sure how to merge it, since the site is just to talk about spying done by the developers of the software- not possible security issues with the software.
I have a few old logos, but I like the current one the best... if you want to draw one, that's fine, but I don't know if I will use it.
FOSS software is certainly not as bad in general but I think that it has a problem where it creates a false sense of security, while in reality a lot of common FOSS software, like Firefox, is spyware. It's relatively easier to have progress made on it in that area, at least, but it's still very hard. Only a couple of FOSS projects are really committed to privacy, at least at the standard that the site holds everyone to.
I think it should get its own mini section of a sentence considering it was running with the --no-sandbox option on top of using an outdated and vulnerable browser. Also I may be wrong but it looks like CEF or Chromium Embedded Framework uses Google's Safe Browsing by default.
And this section is incorrect
>Steam also uses its social network features such as the user profile and friends list to broadcast a users program usage habits publicly. This spyware feature can be partially disabled by setting your profile to private, but it cannot be opted-out of if you are using the "friends" social networking feature.
They've made that opt in back in April.
Yeah that makes sense. I guess I need to rework the article and MITM-check steam, which I never did. So I'll have to do that, hopefully in the next few days.
Don't just give me "lmao this software has telemetry" warning. I want you to intercept the system calls the program makes and see exactly all the private data that it is collecting and/or exfiltrating.
How will he do that if Steam uses SSL, genius?
Install a root certificate and MITM it. If it pins certificates, they must be in the binary. Find and extract them.
If you're technically literate enough to understand what those system calls and the data it collects means you ought to be able to scan your network and do it yourself. If that site had a wiki it'd be easy to collaborate on such info.
The biggest things I can think of that most typical users would use that are missing are uTorrent(pure spyware) and CCleaner(telemetry added earlier this year). There's also anything built with .net that includes telemetry by default
And I'd add an extra subcategory to web browsers to cover some of the major addons. Sure there's Stylish and Ghostery that most people know about but others like NoScript which phones home to a server in Italy aren't so well known.
>To be able to know if a program has absolutely no spyware features, you have to be able to compile it from source- it does not need to meet any of the other requirements that it would need to meet to be called "Free Software" or "Open Source Software" according to the definitions of the FSF or OSI.
Without using free open source software compilers to avoid compiler level attacks that's not the case. Brendan Eich made a post about this;
To keep track of all the requests I get I have written it all down on a text file that is a TODO list for the site. If anyone wants to help me knock some of these out the help would be greatly appreciated.
These are all good ideas. I can understand system calls and read documentation about them, I do lower level programming with them (mostly on windows) so I'm not unfamiliar with it. Someone just has to take the time to actually run the tests.
That comment is just about the code, not the compiler, I get what you mean, I should amend that section.
There is a place for articles about spyware addons. It's just nobody has written any articles about those yet. If anyone wants to contribute help with that I will be happy to host it. Just make sure you write on your submission that you're keeping it CC0 like the rest of the site.
>you ought to be able to scan your network and do it yourself
I am able to and have done it before with some mobile games in order to reverse engineer their network protocol. I just don't care enough to do it just to uncover some spyware. I don't actually use any of the programs mentioned there anyway.
So put all those sad "aw shucks we don't have the source code so we can't know what it's doing" parts and put in some original research. With browser addons it will be easy: they're written in JS. Even if the code's obfuscated, you'll still be able to easily find all the interactions with the browser's extension APIs. The application's source code doesn't actually matter; only those API endpoints do. All data passes through them. Same thing can be said about native code: all data passes through system calls. If you intercept those calls, you got the program by the balls. You'll catch them in the act sending the data you don't want them to send. The source or machine codes will be more or less a curiosity after this point.
Keep in mind Windows doesn't have a stable syscall interface like Linux does. The kernel interface changes all the time in Windows. The actual interface user space is supposed to use is the Win32 API, found in DLLs like user32.dll. Those are the functions you should be intercepting. There's also kernel32.dll and ntdll.dll.
Just for the record: on Linux, intercepting system calls is as easy as strace some-program. If the program really doesn't like being debugged... I suppose we can make a custom kernel and/or kernel module that logs all system calls performed by that specific program.
On windows, you'd need to find some similar software. They exist according to google. If anyone is interested, they can just download one and start documenting what their binaries are doing. Obviously, note down the version and sha1 of the binary you're analyzing. Updated versions may have different behavior.
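The strace approach from the post above, as an added example that is not part of the original thread: it parses the output of `strace -f -e trace=connect` into a list of remote destinations and hashes the binary under test so the findings can be tied to one exact build. The sample log is constructed with documentation-range addresses, and the function names are this example's own.

```python
import hashlib
import ipaddress
import re
from collections import Counter
from typing import NamedTuple, Optional

# Constructed sample in the format printed by `strace -f -e trace=connect`.
# Addresses are documentation ranges; this is not output from a real program.
SAMPLE_LOG = """\
[pid  4121] connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  4121] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("192.0.2.53")}, 16) = 0
[pid  4121] connect(5, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.7")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4125] connect(7, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 ENETUNREACH (Network is unreachable)
[pid  4125] connect(8, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
[pid  4125] connect(9, {sa_family=AF_INET, sin_port=htons(631), sin_addr=inet_addr("127.0.0.1")}, 16) = -1 ECONNREFUSED (Connection refused)
"""


class Connect(NamedTuple):
    pid: Optional[int]
    ip: str
    port: int
    result: str  # "ok", "in-progress", or the errno name strace printed


# Optional pid prefix: "[pid N] " on the terminal, bare "N " when using -o with -f.
LINE_RE = re.compile(
    r'^(?:\[pid\s+(?P<pid>\d+)\]\s+|(?P<pid2>\d+)\s+)?'
    r'connect\(\d+, \{sa_family=(?P<family>AF_\w+), (?P<addr>.*)\}, \d+\)'
    r'\s+= (?P<ret>-?\d+)(?: (?P<errno>E\w+))?'
)
V4_RE = re.compile(r'sin_port=htons\((\d+)\), sin_addr=inet_addr\("([^"]+)"\)')
V6_RE = re.compile(r'sin6_port=htons\((\d+)\).*inet_pton\(AF_INET6, "([^"]+)"')


def parse_connects(log: str) -> list:
    """Return one Connect per IPv4/IPv6 connect() call found in the log."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other syscalls, "<unfinished ...>" fragments, signals
        addr_re = {"AF_INET": V4_RE, "AF_INET6": V6_RE}.get(m["family"])
        if addr_re is None:
            continue  # AF_UNIX and friends never leave the machine
        a = addr_re.search(m["addr"])
        if not a:
            continue
        if m["ret"] == "0":
            result = "ok"
        elif m["errno"] == "EINPROGRESS":
            result = "in-progress"  # non-blocking socket, connection continues
        else:
            result = m["errno"] or "error"
        pid = m["pid"] or m["pid2"]
        events.append(Connect(int(pid) if pid else None,
                              a.group(2), int(a.group(1)), result))
    return events


def remote_destinations(events: list) -> list:
    """Count attempts per (ip, port), skipping loopback. A failed attempt
    still counts: the program tried to reach that host."""
    counts = Counter(
        (e.ip, e.port) for e in events
        if not ipaddress.ip_address(e.ip).is_loopback
    )
    return sorted(((ip, port, n) for (ip, port), n in counts.items()),
                  key=lambda t: (-t[2], t[0], t[1]))


def sha1_of_file(path: str) -> str:
    """SHA-1 of the analysed binary, so the notes name one exact build."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    for ip, port, n in remote_destinations(parse_connects(SAMPLE_LOG)):
        print(f"{ip:>15} port {port:<5} attempts={n}")
```
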
I wrote a new article today:
Not anything in the requested articles list but because in my review of the WeDiscover says that Yahoo! Search is a spyware search engine, even though I didn't review Yahoo yet. So I wanted to write that so it could link to that.
I also added some stub articles:
I know about user32, kernel32, ntdll... Most of the stuff I write is C programs that use the windows API. If you ever saw someone on /tech/ defending the win32 API, that is probably me. So, I program with those functions all the time, except stuff in ntdll since I never had a reason to. So, I can do it, I just never tried capturing those calls before. I need to look into profilers, and all that... I can try out Process Monitor 3.5 (https://docs.microsoft.com/en-us/sysinternals/downloads/procmon) and see how it works.
It looks like this was exactly what I am looking for. Here's an example of one of my text editors reading out of a dll file.
It's cool. I'm just posting info in case other people here care enough to learn the stuff as well and help out. This is actually a ridiculously useful skill that very few people learn.
Excellent. I've used process monitor before myself. Mostly to check out open files and other I/O handles. I never realized it could trace syscalls! That makes things a LOT easier.
>currently most private option for web 2+ apps
thanks for sharing
i thought this was horribly out of date, but it seems there are now contributors updating the bastard
"syscall" is pretty vague on windows because we don't have explicit access but it can check for registry access, filesystem access, network activity... all the kinds of stuff you need to know to detect spying. So hopefully it can be used to find some interesting things about the programs...
> I'm just posting info in case other people here care enough to learn the stuff as well and help out.
Maybe I didn't get it when you were first talking about it, now I understand. Yeah hopefully, although my knowledge on how to do this on windows is pretty shaky on linux.
Certainly this kind of deeper look at what the program does is needed to find everything- just monitoring network activity is kind of surface level but at least lets you at a glance catch most programs out.
True. I mean the OS interface typically used by programs. On Linux this is undoubtedly the syscall interface; glibc and shit are just wrappers over that, programs can and do use it directly. On Windows, that interface is unstable and hidden by the userspace DLLs that provide GUIs and other OS services as well.
I mention network activity because that's how programs exfiltrate data to servers. A program can literally image your machine -- there's no actual harm unless it sends that data over to someone else's computer. So I figured for the purpose of your site the network activity will be extremely important. Of course, it depends on the nature of the program. I saw the steam entry and read about how it accesses DNS caches to see if you've been looking up tehcheatcodez. It might not transmit that data at all, but it might still send a "BAN" signal to Valve.
One thing that is chock full of spyware are those gaming peripherals programs. Some of the newer models you can't even use all the features without creating an account logging in and keeping their software running all the time. Razer is one of the worst offenders but they're all just as bad.
>Information about how you use our products and services ► such as information about the amount of time you use our products/services for, your typing patterns, the pages you visit, and other information about your activities while using our hardware or software (including Synapse) or while logged into your Razer ID account.
http://wp.xin.at/archives/1438 Older article that gives an idea what the average user has to go through to get this to work normally
For mitigation guides there's an easy way to run any program without letting it connect to the internet using scripts through iptables and there's always the --net=none option with firejail.
https://serverfault.com/questions/550276/how-to-block-internet-access-to-certain-programs-on-linux I use 'ni' instead of 'no-internet'.
Honestly, in any other thread I'd just say "gaming gear" faggots probably deserve it but this is just too shitty. Someone should reverse engineer those programs and write a custom driver or something. It's just ridiculous to not be able to use hardware functions without creating some "account" or some horseshit.
I added your suggestions to:
So that eventually someone can work on it. Lots of people make really great suggestions, but it will unfortunately take a while for me to get through them all without any help... If you want to write about it, I would be very happy to put it up.
is this a website for left handed people?
>but others like NoScript which phones home to a server in Italy aren't so well known.
>NoScript 2.0rc5 and above extends its protection against DNS rebinding to those attacks which specifically target your router's external (WAN) IP address. In order to protect it, NoScript needs to detect the WAN IP currently exposed to internet web sites by your HTTP requests: for this purpose, NoScript sends a completely anonymous query to the https://secure.informaction.com/ipecho web service, which provides back this information on a secure channel, typically once a day. Again, no data except the aforementioned WAN IP address travels on the secure channel, and no user data at all is collected, nor stored, nor shared nor reused by InformAction or any other party.
>This feature, enabled by default, can be disabled by unchecking "NoScript Options|Advanced|ABE|WAN IP ∈ LOCAL".
I'm not calling Noscript spyware I'm just pointing out that addons often phone home so it would be a good idea to list those that do so and aren't worth worrying about with an explanation of what they're doing as they'll be noticed in firewall logs.
And the same is true for some addons like Privacy Badger from the EFF
>I'm not calling Noscript spyware I'm just pointing out that addons often phone home so it would be a good idea to list those that do so and aren't worth worrying about with an explanation of what they're doing as they'll be noticed in firewall logs.
You have to be careful not to ruin the signal to noise ratio tho: if you start listing all the "might be" and other non-spyware stuff the list becomes as useful as the "hate symbol list" that includes Pepe and the numbers 12, 13, 14, and 15.
yes! I usually just zoom in until it fills the page...
That's still phoning home and should be pointed out. Unless it is entirely opt-in (it's not) I would have to give it a "Low" rating for that. It's consistent with the rest of the site to do that.
This is all good stuff, added to the to-do text file. Maybe I'll be able to knock some of the stuff on there out today.
> gives you the option to disable it
until an (((update))) occurs and you have to re-disable it. Same goes for the (((whitelist))) containing google trackers.
Unrelated to OP, yet regarding browser extensions: add
to uBlock Origin's My Filters.
Instead of HTTPS Everywhere, if that extension breaks sites.
I just saw your site online the other day and only stumbled across this post now. good work. I'm the guy who asked about mitigation.
I finished a new article:
Which was really quite a lot to make, so I don't think I'll write any more today. At least I have fulfilled my request in this thread from... >>934862 a little over 2 months ago.
I also improved the WebDiscover article.
Thanks! Yeah, I do want to do this but I'm just a little back-logged in requests.
no problem man, you're doing good work. And god damn, the memes really come true when everything is botnet. Thanks to your analyses I'm considering dropping waterfox for a better alternative.
> I'm just a little back-logged in requests.
On a somewhat unrelated note, this is what I really love about the web and why I started my own site on neocities. It never crossed my mind when I saw your site that you're an 8ch user, small world isn't it?
>Self updates are a spyware feature since they are usually ways for the developer of a program to put spyware into their software without presenting it in a prominent way where the user can understand what they are giving up when they download the update.
Why even bother making the site if you're this retarded.
Thanks OP. Prior to that I found out that SlimJet's makers are chinks based in Texas, therefore SlimJet is a chink-made fork of botnet without bothering to combat it.
Yeah, it is pretty cool. I think that people who are aware of the botnet seem to use the same types of websites.
I like your site too, it was fun to read it.
I had my hopes up a little bit looking at their homepage... but MITMproxy's results really gave me a lot of negative stuff to write about.
well maybe they aren't always bad but they certainly aren't good. I think he's doing a good job. it would take much more effort to look at individual updates and determine if those updates include spyware rather than looking at a program as a whole.
> I think that people who are aware of the botnet seem to use the same types of websites.
yeah, you're right. recently I've seen people popping up left and right that I've talked to on the chans, visited their site or talked to in IRC.
>I like your site too
thanks pal. by the way, do you think you might ever be able to do an analysis on systemd for linux systems? it seems to be all the rage to meme about these days.
>do you think you might ever be able to do an analysis on systemd for linux systems?
I think that, if a systemd article ever is made for the site, it will probably be made by someone else. Just because I don't have as much Linux knowledge as most of the people who read my site... I do know how to use Linux, but I have literally only used slackware. I never saw a reason to use anything else, especially with all of the complaints about systemd. So even though I know how to use GNU/Linux, I have no experience whatsoever with any of the modern Systemd/Linux distros.
But, if I write a systemd article it might be disappointing. Even though there are lots of reasons to criticize systemd, is there any kind of spyware in it? I imagine that something privacy-related would have come up by now, just because systemd haters would have found it and talked about it by now... There are plenty of reasons to not like it, but I don't think that any fall into the scope of my website.
Suckless seems to have made a great article about it already, that I couldn't make:
But if (when) some evidence comes up I will try and make an article in a very quick amount of time. I don't think that I'm skilled enough to prove that it spies on you, even if it did.
>well maybe they aren't always bad but they certainly aren't good.
Have you ever seen a computer illiterate normie?
If you don't have automatic updates, way too many users never install them: and I don't mean "never" in the windows 10 sense aka "install within 2 weeks or else", I mean multiple years and in some cases zero updates as long as the computer keeps working.
>it would take much more effort to look at individual updates and determine if those updates include spyware rather than looking at a program as a whole.
So let's go full FUD and claim that automatic updates, whether or not optional, are all spyware.
Worth noting that YouTube suddenly started Canvas fingerprinting.
>So let's go full FUD and claim that automatic updates, whether or not optional, are all spyware.
They are the truck that spyware goes into.
you're totally right. Maybe Spyware should add this simply as a disclaimer, instead.
More spyware bundled with hardware starting with Lenovo
>Appearing on devices that shipped from October 2014 to June 2015, the Lenovo Service Engine supposedly sent non-identifiable system information from your PC to Lenovo, the first time your computer goes online.
>In early 2015, it was discovered that Lenovo laptops shipped to stores and consumers in late 2014 had malware preinstalled. Masquerading as a piece of typical manufacturer bloatware, Superfish Visual Discovery was a browser extension that analyzed images, checked if they were products, and then displayed cheaper alternatives.
>... were being sold with preinstalled malware, the Lenovo Customer Feedback Program, that forwards personal usage data to Omniture on a daily basis. Omni-who? Omniture is an online marketing and web analytics company, currently owned by Adobe.
>HP has been caught installing a new telemetry-gathering system on its Windows 10 PCs without informing users it was doing or so requesting permission to gather data. In a recent update (it’s not clear if HP or Microsoft pushed out the software), multiple HP owners have reported the “HP TouchPoint Analytics Client” is connecting on a daily basis to upload various information to HP’s servers.
There's good reason for the concern over automatic updates. Now with Dell, Toshiba and Acer
>A few years ago, they got into some PR trouble when internal memos came out telling tech support staff that they couldn't even tell callers about anti-spyware apps, because Dell was afraid such apps might remove some products that Dell was putting on the computers itself.
>When enabled, this application periodically transmits to our servers a limited amount of system information required to perform these update
Spyware can be added in a lot of ways, many of which don't require changing the program running on the user's machine.
Serving different remote resources, selling the diag data you get, using backdoors...
Updates only tend to shit things up if they are the result of a change in management: even if they don't, trusting updates still goes back to trusting the dev.
And if you don't trust the dev, don't use their programs without audits and sandboxing, most importantly don't trust some anon making a dumb site that does zero auditing and only collects blogposts.
systemD defaults to Google's DNS under certain conditions
So the only good laptop/PC resellers are System76 and Librem?
>libreboot project recommends avoiding all modern AMD hardware.
AMD stated that they'll let users disable PSP now. If you're going to use anything modern then AMD is the only choice, honestly. We need at least 1 or 2 more competitors. Perhaps everyone will move from x86 to ARM in future anyways.
you should compare spyware levels for different operating systems too.
>AMD stated that they'll let users disable PSP now
that's nice, but how do we know if their settings will actually disable the PSP?
>If you're going to use anything modern then AMD is the only choice
well, if you're willing to pay you can choose the POWER9 architecture.
I heard it was locked down as bad as x86. Those could just be memers, though.
Both of the recommended browsers crash on startup on my openbsd machine. Am I doing something wrong
You're using openBSD
I tried writing an article on systemd:
Maybe it needs to be reworked, but I don't really see any actual privacy problems in it, although I can't actually see for myself. I can only read what other people wrote about it. So if someone wants to write a better article on systemd, since I can't really do that, you are welcome to do so and email it to me, and I can put it up.
I haven't written for the site in a couple of days, but maybe I will write something today.
I put these links into the requested articles file so I don't lose them.
An article is in the works, here:
Ungoogled Chromium is another "Not Spyware" browser at least according to https://digdeeper.neocities.org/ghost/browsers.html which is made by the author of a lot of the web browser articles on the site.
If you can't get those to work, it's also possible to disable all of the spyware on other browsers that didn't receive the "Not Spyware" rating, like Pale Moon, Iridium, etc. so that they aren't spying on you. Just make sure you don't let them connect to the internet before you start configuring them.
hey, I decided to make you an 88x31 button icon since on my site I only have a text link to yours. I'm going to replace it with pic related, if you don't like it I'll take it down.
That's really rad to look at. How did you make it?
I like it... don't worry about it. It's your website. I got an email with a button today as well. The author said he uses it on his site to link to the Discord article. I put the button up here: https://spyware.neocities.org/extra.html
Pretty cool, right? I don't know whose site it belongs to, though. If it's OK with you I put your button up on that page, too.
cool, I knew you'd be OK but I wanted to double check anyway just in case. it's OK with me as well and thanks for the site shoutout my man
Would be nice to have an article on userscripts managers (Greasemonkey, Tampermonkey and Violentmonkey). I know Tampermonkey went from open source to closed and has opt-in google analytics built in that according to the dev is used to track bugs.
took the image on his site and shrunk it, resized the work area to 88x31, filled the background black, drew a white border using lines, and used OCR A extended text for the text. at that small size it works fine.
all done in ms paint
>used to use IE a long time ago
>realize it's shit and switch to (((chrome)))
>realize firefox is better
>lately realize mozilla is botnet, switch to waterfox
>find out it still phones home to jewgle and mozilla
>switch to pale moon and configure for privacy
>based off old firefox so umatrix isn't available
>lack of addon support
>it's chrome based with little customization
>otter and qute feel less refined
>still on pale moon now
when will the ride ever end? can someone just clone firefox already and just make it not call home to google? or do I have to learn to program this myself?
Tor has an alpha fork of the new 60 ESR out, so does Icecat.
Just purge anything with google in it in about:config.
In brave article,
>fingerprinting protection I don't think is found in any other browser
privacy.firstparty.isolate = true
privacy.resistFingerprinting = true
privacy.trackingprotection.enabled = true
These will possibly be enabled by default too, once Firefox Fusion project finishes.
I wrote a new article about realplayer:
That part has been removed, thanks for pointing it out.
Ungoogled Chromium is maybe what you are looking for. But it might have the same problems for you that iridium has.
Personally I have been using Pale Moon with NoScript.
It looks like I need to check out the new Icecat, since my article is outdated now... Hopefully they got rid of the issues that the earlier version has.
Some about:config entries are not the same as a GUI. Shouldn't remove it IMO.
OK, I've put it back.
Puffin Browser has a desktop version that looks like fun, to think that over 80 million use the mobile version with the same PP makes me cringe.
Puffin is Taiwanshit made in commiefornia
Can authors get bylines? If I write an article can I put my name and a link to my site at the end?
It's absolutely spyware
This. What a piece of closed-source garbage Chromium fork with nonexistent support for extensions.
Sure, if you want to do that, then that is fine. For example, the author of a great deal of pages on web browsers has a link to his site on the front page.
A proprietary browser for a proprietary cuck.
Please rewrite it.
You're right, I've right now put a warning on the article saying it's no good. Since I don't have any kind of distro with systemd installed, I probably won't rewrite it for a while. At some point I will probably need to install system/linux so I can look at it then if nobody else wants to write it.
Cool. I'm working on one and have ideas for a few more. Was hoping to be able to still my blog a little. I'm just going to slap on a little byline at the end when I finish.
Yeah that's good. I don't mind it at all, the site needs ways to motivate people to contribute so I am very happy, if this is a model that works, there needs to be something that I can offer back after all.