
Emails Show Facebook Is Well Aware That Tracking Contacts Is Creepy

1 Comment

Kashmir Hill, writing for Gizmodo:

Then a man named Yul Kwon came to the rescue saying that the growth team had come up with a solution! Thanks to poor Android permission design at the time, there was a way to update the Facebook app to get “Read Call Log” permission without actually asking for it. “Based on their initial testing, it seems that this would allow us to upgrade users without subjecting them to an Android permissions dialog at all,” Kwon is quoted. “It would still be a breaking change, so users would have to click to upgrade, but no permissions dialog screen. They’re trying to finish testing by tomorrow to see if the behavior holds true across different versions of Android.”

Oh yay! Facebook could suck more data from users without scaring them by telling them it was doing it! This is a little surprising coming from Yul Kwon because he is Facebook’s chief ‘privacy sherpa,’ who is supposed to make sure that new products coming out of Facebook are privacy-compliant. I know because I profiled him, in a piece that happened to come out the same day as this email was sent. A member of his team told me their job was to make sure that the things they’re working on “not show up on the front page of the New York Times” because of a privacy blow-up. And I guess that was technically true, though it would be more reassuring if they tried to make sure Facebook didn’t do the creepy things that led to privacy blow-ups rather than keeping users from knowing about the creepy things.

The Facebook executives who approved this ought to be going to jail. Facebook is to privacy what Enron was to accounting.

jimwise
6 days ago
...

Samsung Used a Stock DSLR Photo to Fake Their Phone’s ‘Portrait Mode’

1 Comment

Dunja Djudjic:

Earlier this year, Samsung was busted for using stock photos to show off capabilities of Galaxy A8’s camera. And now they did it again – they used a stock image taken with a DSLR to fake the camera’s portrait mode. How do I know this, you may wonder? Well, it’s because Samsung used MY photo to do it.

Not only is this outright fraud, but they also did a terrible job of doctoring the image in Photoshop.

Djudjic:

Sadly, it’s nothing new that smartphone companies use DSLR photos to fake phone camera’s capabilities. Samsung did it before, so did Huawei. And I believe many more brands do it, we just haven’t found out about it yet. I’m pretty sure that Samsung at least bought my photo legally, even though I haven’t received the confirmation of it. But regardless, this is false advertising.

It’s undeniable that smartphone cameras are getting better (and there are more and more lenses with every new phone). But, we definitely shouldn’t trust the ads showing off their capabilities, or at least take them with a grain of salt.

I know one brand that does not do this.

jimwise
8 days ago
lol

Sponsored Amazon Baby Registry Items

1 Comment

Rolfe Winkler and Laura Stevens (tweet):

Kima Nieves recently received two Aveeno bath-time sets and a box of Huggies diapers through her baby registry on Amazon. The only problem? The new mother didn’t ask for the products, or even want them.

Instead, Johnson & Johnson and Kimberly-Clark Corp. paid Amazon.com Inc. hefty sums to place those sponsored products onto Ms. Nieves’s and other consumers’ baby registries. The ads look identical to the rest of the listed products in the registry, except for a small gray “Sponsored” tag. Unsuspecting friends and family clicked on the ads and purchased the items, assuming Ms. Nieves had chosen them.

[…]

Amazon’s sponsored ads have appeared in its baby registries for more than a year. Responding to a Wall Street Journal inquiry about the ads, an Amazon spokeswoman declined to comment on criticism that the ads are deceptive, but said the retailer is now phasing out the sponsored listings.

jimwise
15 days ago
Creepy

t-rex in: proof positive

2 Comments

November 26th, 2018: TIME TRAVEL BANDANAS HAVE ARRIVED!!

– Ryan

jimwise
15 days ago
...
1 public comment
daanzu_alt_text_bot
17 days ago
[rss title] t-rex in: proof positive

[img title] turns out i wouldn't actually like to see - gosh, a whole bunch of things

[mailto subject] ryan i just came across your comic! it's very... um... it's... it's good to have hobbies

Popular NPM Package Compromised

2 Comments and 3 Shares

yan:

wow, apparently the popular “event-stream” npm module has been backdoored for months because the maintainer transferred the ownership rights to some unknown person

dominictarr (Hacker News):

he emailed me and said he wanted to maintain the module, so I gave it to him. I don’t get anything from maintaining this module, and I don’t even use it anymore, and haven’t for years.

Kenn White:

Holy hell, Node. A package with 2 million downloads a week and the maintainer hands over control to a rando stranger? And now it’s mining cryptocurrency. Wow.

Felix Krause:

Step 1️⃣ Go through the most popular inactive open source libraries

Step 2️⃣ Reach out to author and ask to help out

Step 3️⃣ Get push access and release a compromised version

Step 4️⃣ Reach 2 million applications within a week

It shows again how much work open source maintenance can be, if your library is successful you have a ton of responsibilities and can cause severe damage

Matt Drance:

I hope the folks at @github are looking into some procedural ways of mitigating this sort of thing, because it is way too easy to accomplish given the breadth of interconnected libraries out there.

This is not GitHub’s responsibility, or their fault, but GitHub knows how forked something is, including, I’d imagine, degrees of dependency separation. It could coordinate with npm, brew, et al to classify “community critical” repos. A sort of verified status.

From there you could, among other things, make it harder for an exhausted maintainer to toss the keys to a bad actor. Some sort of two-factor method for ownership transfer. Like a nuclear launch failsafe. Maybe some of this exists, but clearly we need better.

[…]

FWIW, there are some scary details in the comments of that link above that imply the original maintainer still “owned” the repo but lost commit access. This is a terrible scenario akin to identity theft. I don’t know how that’s possible, but it needs to be looked into.

Chris Adamson:

I think blame also goes to an entire culture of developers who blindly import OSS libraries without vetting whether the code is any good or is being actively maintained. I saw this a lot at my last job.

Gary Bernhardt:

There are basically two camps in that thread.

1) This is the original maintainer’s fault for transferring ownership to someone they didn’t know and trust.

2) Ownership transfer was fine; it’s your job to vet all of the code you run.

Option 2 (vet all dependencies) is obviously impossible. Last I looked, a new create-react-app had around a thousand dependencies, all moving fast and breaking things.

Option 1 (a chain of trust between package authors) seems culturally untenable given the reactions in that thread, including from well-known package authors.

There was an option 3: don’t decompose your application’s dependency graph into thousands of packages. People who argued that position were dismissed as (to paraphrase heavily) old and slow. That ship has sailed, and now we’re here.

jimwise
16 days ago
(!)
christophersw
5 days ago
Baltimore, MD
1 public comment
peelman
11 days ago
So am i the only one who thinks Node is just a giant shitshow? i can’t decide if the speed at which it moves is indicative of the ignorance of so many of its users (developers is a strong word here), or the terrible nature its foundation language encourages.

Node < P**** < Ruby.

i’ll interchange PHP, Perl, and Python there
Seymour, Indiana
tingham
11 days ago
I work with Node daily but I'm incredibly cautious about what goes into my products. Being a one-man shop kind of demands that you either pay up front-end; or go bankrupt on the back-end.
peelman
11 days ago
i feel like there is a collection of people who read a bunch of best practice books for naming and versioning and decided to write a framework around it, but they never read a book on programming. like the only reason my code evolves that fast is if it’s in active development. i would never release it in the state some of those guys do (or rather have done, i punted Node and refused to work with it for a couple of years now).
tingham
11 days ago
I'm definitely not here to sell it to anyone :) I usually pin my version numbers in package.json and get grousey when I find out about new versions of things. Once "my shit" works I rarely double back to fix stuff unless I see a security alert (about any npm in the wild.) It's not easy work but it's manageable; versus an enormous catastrophe like this event stream business. Some days I miss C# .net … but only some days.
peelman
11 days ago
i guess my biggest concern is how you’d know a vulnerability was discovered, let alone patched or whatever, with the dependency hell NPM usually is. Gems aren’t a huge amount better mind you, but i can follow the dependency tree backwards fast enough, and generally speaking, anything that makes it as far as RubyGems is pretty solid, in my experience.
tingham
11 days ago
The NPM foundation or whatever it's called could definitely be doing something about it. A Peer Review that gets you "certified status" or something would be nice. I also wish it was better about supporting lateral deps - at least then I get to decide when shit breaks. I should probably learn Ruby once and for all.
peelman
11 days ago
if you’re smart enough to use NewsBlur and post about the things i’ve seen you post about, ruby and rails will be easy and you’ll begin to loathe other languages as much as i do. :) some of my complaints are about the language, most are about the libraries built atop them. i took over a Laravel project when i started my current gig and i am just itching to find the time to begin burning it to the ground and rewrite it in rails. every time i have to do anything in there i want to pull my hair out. it tries so hard to be rails and fails so miserably at it. partially because it’s marred by PHP and partially because the developers obviously didn’t grok why Ruby’s libraries are superior (note: i didn’t say perfect). it’s chock full of inconsistencies, just like its language. that’s saying nothing of how much better ruby’s docs are, and how much more controlled and measured their changes and upgrade paths are.
tingham
11 days ago
*blush*

How to Give Somebody the Respect They Deserve

1 Comment

I stand by my position on Steve Jobs. He didn’t invent anything but his own public image, but he had tremendous taste and high standards, and we have all benefited from them.

As always, thanks for using my Amazon Affiliate links (US, UK, Canada).

jimwise
17 days ago
lol