

Google Chrome ad-blocker overhaul plan still sucks – EFF • The Register

Voice Of EU



Analysis The Electronic Frontier Foundation on Tuesday renewed its campaign to convince Google to listen to criticism of the tech goliath’s plan to overhaul its browser extension platform and to make changes while there’s still time.

In the advocacy organization’s latest broadside against Google’s three-year-old extension renovation effort, EFF technologists Alexei Miagkov and Bennett Cyphers take the search biz to task for limiting innovation, crippling capabilities, and hindering performance by forcing Chrome extension developers to adopt a revised set of application programming interfaces (APIs) known as Manifest v3.

“According to Google, Manifest v3 will improve privacy, security and performance,” said Miagkov. “We fundamentally disagree. The changes in Manifest v3 won’t stop malicious extensions, but will hurt innovation, reduce extension capabilities, and harm real world performance.”

For those using Chrome browser extensions, Manifest v3 looks likely to either break popular extensions that rely on Manifest v2 APIs, such as content blocker uBlock Origin and the EFF’s own Privacy Badger, or force developers to rework their extension code to produce a Manifest v3 update that’s less powerful, less capable, and less effective.

The primary reason for this is that a powerful Manifest v2 API known as the blocking version of webRequest – which allows extensions to intercept incoming network data and process/filter it before it gets displayed in the browser – is being replaced by a more limited API known as declarativeNetRequest. And this has obvious implications for extensions that need to intercept data.
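The difference between the two request-handling models described above, as an added example that is not from the article, Google or the EFF: a simplified JavaScript model (it does not call Chrome's APIs) in which a Manifest v2 style blocking listener decides each request in code, while a Manifest v3 style rule list is matched without the extension's code running. The sample requests, the three-site threshold, the rule list and the reduced `urlFilter` matching are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of the two designs, not Chrome's code.

// Constructed sample requests, in the order a browser might issue them.
const SAMPLE_REQUESTS = [
  { url: "https://cdn.ads.example/pixel.gif", type: "image",  initiator: "https://news.example" },
  { url: "https://widgets.example/like.js",   type: "script", initiator: "https://news.example" },
  { url: "https://widgets.example/like.js",   type: "script", initiator: "https://shop.example" },
  { url: "https://widgets.example/like.js",   type: "script", initiator: "https://blog.example" },
  { url: "https://news.example/app.js",       type: "script", initiator: "https://news.example" },
];

// Manifest v2 model: the extension supplies a function and the browser waits
// for its verdict on every request. The function can keep state between calls.
// Hypothetical heuristic: cancel a third-party host once it has been seen on
// `siteThreshold` different sites. (Host comparison is exact; no eTLD+1 logic.)
function makeBlockingListener(siteThreshold) {
  const sitesByHost = new Map(); // third-party host -> Set of first-party sites
  return function onBeforeRequest(details) {
    const host = new URL(details.url).hostname;
    const site = new URL(details.initiator).hostname;
    if (host === site) return { cancel: false }; // first-party request
    if (!sitesByHost.has(host)) sitesByHost.set(host, new Set());
    const sites = sitesByHost.get(host);
    sites.add(site);
    return { cancel: sites.size >= siteThreshold };
  };
}

// Manifest v3 model: the extension hands over a list of rules in the
// declarativeNetRequest shape (id, priority, action, condition) and the
// browser does the matching itself.
const STATIC_RULES = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||ads.example", resourceTypes: ["image", "script"] } },
  { id: 2, priority: 2, action: { type: "allow" },
    condition: { urlFilter: "||news.example" } },
];

// Reduced urlFilter support (assumption): "||host" matches that host and its
// subdomains; anything else is treated as a plain substring of the URL.
function matchesUrlFilter(urlFilter, url) {
  if (urlFilter.startsWith("||")) {
    const wanted = urlFilter.slice(2);
    const host = new URL(url).hostname;
    return host === wanted || host.endsWith("." + wanted);
  }
  return url.includes(urlFilter);
}

// Pick the highest-priority matching rule; only a "block" action cancels.
function evaluateRules(rules, request) {
  let winner = null;
  for (const rule of rules) {
    const cond = rule.condition;
    if (cond.resourceTypes && !cond.resourceTypes.includes(request.type)) continue;
    if (cond.urlFilter && !matchesUrlFilter(cond.urlFilter, request.url)) continue;
    if (winner === null || rule.priority > winner.priority) winner = rule;
  }
  return {
    cancel: winner !== null && winner.action.type === "block",
    ruleId: winner ? winner.id : null,
  };
}

// Run the same traffic through both models and report each verdict.
function compareModels(requests, rules, siteThreshold) {
  const listener = makeBlockingListener(siteThreshold);
  return requests.map((request) => ({
    url: request.url,
    blockingListener: listener(request).cancel,
    declarative: evaluateRules(rules, request).cancel,
  }));
}

console.table(compareModels(SAMPLE_REQUESTS, STATIC_RULES, 3));
```

In this model the listener cancels `widgets.example` on its third site because it accumulated state while running, whereas the rule list blocks only what was written into it beforehand and never sees the request itself.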

Google argued it needs to water down the capabilities of Chrome extensions so that their powers to observe and alter the contents of pages are not so easily abused by bad or hijacked extensions. Doing so limits the abilities of good, trusted extensions, though.

On top of this, there are many more technical changes in Manifest v3 that affect what extensions can do, like the replacement of background pages (processes that persist in the background) with “service workers,” which only run in the background for a limited period of time.

Google maintains that it needs to move from a persistent model to an event-based one (where tasks start and stop) to allow Chromium or the host operating system to free up computing resources in order to prevent the end user’s device (particularly a resource-constrained mobile device) from slowing to a crawl due to a poorly coded extension.

But Google’s performance claims have been challenged. A 2019 study by Ghostery found the overhead hit imposed by ad blocking extensions is in the sub-millisecond range. “Google’s Manifest V3 is trying to solve a performance issue that does not exist,” the company said last week.

It’s not just high profile extensions related to content blocking and privacy that are being affected. The Google Groups “Chromium Extensions” group is full of developers voicing frustration about functionality that they cannot (or, where alternative Manifest v3 APIs exist, don’t understand how to) replicate under Manifest v3.

For example, a school district administrator posted last month about trying to rewrite his extension under the new APIs and finding that his extension can no longer use geolocation to track lost or stolen devices or monitor battery percentage to know when a battery needs replacement.

More than a few extension developers have voiced their concern to the EFF, such as Krzysztof Modras, director of engineering and product at Ghostery: “Nearly all browser extensions as you know them today will be affected in some way: the more lucky ones will ‘only’ experience problems, some will get crippled, and some will literally cease to exist.”

Many of these issues are filed as bugs. According to Miagkov and Cyphers, observational webRequest, native messaging, background tasks, WebSockets, user script extensions, and WebAssembly are all broken under Manifest v3 presently.

The hope is that Google will fix the bugs and fill in the platform gaps in time, but time is running out. The Chrome Web Store will stop accepting Manifest v2 extensions come January 17, 2022, and plans to disable existing Manifest v2 extensions come January, 2023, though that date may slide: Google developer Devlin Cronin in 2019 said, “We will not remove support for Manifest v2 until we are confident in the platform.”

At the moment, there’s not much confidence in the platform outside of Google and the other major browser makers who like the idea, with some caveats – Apple, Microsoft, and Mozilla.

The EFF has been particularly emphatic about scolding Google over Manifest v3, having only a week ago issued a similar warning.

“Manifest V3, or Mv3 for short, is outright harmful to privacy efforts,” wrote EFF staff technologist Daly Barnett earlier this month. “It will restrict the capabilities of web extensions – especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these – like some privacy-protective tracker blockers – will have greatly reduced capabilities.”


The issue is whether browser extensions will be able to do the same powerful (and potentially abusable) things that native platform code can do. Those opposed to Manifest v3 argue extensions should remain fully functional programming tools rather than being downgraded to toys. And this isn’t simply a technical disagreement of no consequence: the capabilities of Chrome’s web extension platform under Manifest v3 will determine what kinds of businesses can operate there.

“Under Manifest v2, extensions are treated like first-class applications with their own persistent execution environment,” said Miagkov and Cyphers. “But under v3, they are treated like accessories, given limited privileges and only allowed to execute reactively.”

Moreover, the EFF’s repeated harping on this point reflects a sense in the developer community that Google says it listens to community input but fails to translate that input into meaningful changes to its plans. And it also reflects the persistent dominance of Google’s Chrome browser – with close to two-thirds of the global browser market, other browser makers lack the clout to force Google to compromise or consider other points of view.

On top of that, makers of rival browsers like Brave and Microsoft Edge rely on Google’s open-source Chromium project for most of their browser foundation, which limits the extent to which they can push back. And competitors like Apple have shown little interest in competing with Google to shape the technical direction of the web – Apple with Safari and WebKit has focused more on saying no to Google web technology than making the web platform more powerful, for fear of cannibalizing its App Store business.

That leaves Mozilla, which, as the EFF sees it, has failed to resist Google’s plan.

“Instead of following Google into Manifest V3, Mozilla should be fighting tooth and nail against Google’s proposal,” said Miagkov and Cyphers. “It should be absolutely clear that Google acts alone despite overwhelmingly negative community feedback. A proposal cannot become a standard when everyone else stands in opposition. Mozilla’s behavior is obscuring Google’s betrayal of the extensions ecosystem. Moreover, it gives a false sense of competition and consensus when in reality this is one of the prime examples of Google’s market dominance and anti-competitive behavior.”

Mozilla’s position

Asked about this, Mozilla’s director of communications Ellen Canale expressed confusion when presented with the EFF’s criticism.

“We’ve been really clear about our positions on Mv3 and have communicated about those positions early and often,” said Canale. “As we stated then, we want to maintain a degree of compatibility to support easier cross-browser development, while preserving important use cases from Mv2 extensions.

“Since then, we have also proposed a solution to address a major concern with Mv3, which Safari has also adopted. While Google has not accepted this proposal, they did acknowledge the need to address the gaps that exist in their implementation of Mv3. From our actions, it should be clear that while we are implementing some parts of Mv3, we departed from others that are detrimental to our users. Moreover, we constructively collaborate with other browser vendors and the community to shape the design of Mv3 towards one that fulfills the needs of browser vendors, extensions and users.”


Canale said that while all browsers are implementing some form of Mv2, it’s not a standard, and discussion about Google’s choices remains ongoing. She noted that an EFF post published in November offers some suggestions for how to improve Manifest v3 and that the first two suggestions correspond to changes that Mozilla already supports or itself proposed.

Google has taken some steps to acknowledge other viewpoints, most notably joining the W3C’s WebExtensions Community Group (WECG) in June, along with Apple, Microsoft and Mozilla. But Google’s rivals have long complained that the company, due to its size and market power, doesn’t have to respond to input.

In a September post about the problems posed by Manifest v3, AdGuard CTO and co-founder Andrey Meshkov observed about the group, “At the very least it provides a feeling of being listened to and heard, but such things rarely work fast. It’s unclear when we’ll see any real positive changes.”

The Mountain View

For its part, Google – preferring to be paraphrased rather than quoted directly – told The Register that the W3C group was formed in June and so it’s premature to judge the impact of discussions. At the same time, the internet giant suggests the group has shined a light on various developer concerns and has led to efforts to look more closely at use cases that require DOM API access in service workers and persistent background processes.

The company maintains that it continues to incorporate developer feedback in the ongoing design of Manifest v3, citing as an example how the declarativeNetRequest API has been adjusted from a limit of 30,000 filtering rules per extension to a minimum of 30,000 rules plus access to a global pool that’s shared across all extensions.

Other examples of APIs modified based on feedback include letting devs decide whether the method scripting.executeScript will inject a script in the extension’s isolated world or in a page’s main world and the introduction of an in-memory storage API called storage.session to preserve data that would otherwise be lost when a service worker shuts down.

To counter the perception that Google has it in for ad blockers, the company pointed to a 2020 blog post containing an endorsement from Sofia Lindberg, tech lead for Eyeo, maker of Adblock Plus: “We’ve been very pleased with the close collaboration established between Google’s Chrome Extensions Team and our own engineering team to ensure that ad-blocking extensions will still be available after Manifest v3 takes effect.”

Eyeo’s Adblock Plus is not quite the same as the open-source uBlock Origin project. It’s made by an advertising company that brokers “acceptable ads.” ®



The assailants were pixelated, I’d know them anywhere • The Register




Something for the Weekend, Sir? Stop that uterus! It stole my wallet!

What do you mean, “Can you identify the uterus in question?” It looked like a uterus! Or, as we’ve been singing it all through Christmas, a wooooom*.

Talk about getting the new year off to a bad start – I’ve just been robbed by a delinquent reproductive organ. Yet all the signs were there: I knew 2022 would be doomed back in early December when I read that the Salzburg Schokolade company, inventors of the mighty last-minute-airport-gift-shop chocolate ball Mozartkugel, had gone bust.

No, an oversize Toblerone will not suffice. M&Ms? In the bin, pal. Mr Ambassador, you can stick your Ferrero Rochers up your arse. Mozartkugeln were my faux-posh-but-actually-quite-cheap traveller chocs of choice. And now they’re gone forever!

First Bowie, then this. The world is falling apart.

A kindly officer of the law tries to bring me back to my senses following my unexpected mugging. Yes, thank you, I would like a drink. I’ll have an Adios Motherfucker**, please.

Without batting an eyelid, the policewoman strides down the corridor to the drinks machine, taps a few buttons on the display and returns after just 30 seconds with my glass of blue liquid revival. That was quick. The drinks machine must be a Mixo Two: an ingenious local invention that claims to be able to mix any of 300 cocktails in half a minute.

I glug it down, spit out the lemon slice and cherry, and hand back the little umbrella. I decide I’m feeling particularly agitated and may well need more calming down. 299 to go.

Now that my thoughts are clearing, I admit it’s possible my assailant might not have been a uterus after all. It might have been a whole human. I tell my police interviewers that my initial impression of a uterus suggests that it may have been a woman. I am lectured for the next 10 minutes on my questionable observation with the aid of infographics and a flipchart.

Choosing my words more carefully, I try to provide a full description of the thief. It all happened so fast. The last thing I remember, I had escaped the pandemonium at home – workers fixing the WC again – and settled down in a nearby cafe for a break. Well, primarily for a pee in their restroom, then I felt obliged to order a coffee. While waiting for it to arrive, I opened my laptop and continued browsing the hundreds of images taken during Mme D’s recent MRI scan.

Here’s one.

Screenshot of MRI scan of patient's uterus

Protect the innocent: to avoid identification by a web-scraping AI, this uterus has been pixelated.

Prior to this, my only knowledge of MRI scanning comes from British colleagues at the IEEE who are finalising the unveiling of an IEEE Milestone plaque to commemorate the development in London during the 1980s of active shielding of superconducting magnets.

Mme D had a more detailed prior knowledge of MRI scanning as the result of watching every episode of House on Netflix. She reported that her only disappointment was that the operators seemed to concentrate on the scan rather than discuss their sex lives or call each other an idiot before suddenly dashing out the room after answering a call on their cellphone.

What neither of us expected was to be handed a CD of the highlights.

It doesn’t just contain a folder of images but a Windows autoplay program to browse them in detail. My favourite feature of the CD is the Cinema View, which plays back the scans at 25 frames per second. In fact, I had settled down in the living room with a Kia-Ora and carton of popcorn to watch Mme D’s innards on the big screen when the workmen arrived and enforced an early intermission.

It was when the coffee arrived at my table that I realised my wallet was not in my usual pocket, or indeed in any of my unusual pockets either. “Robbed!” I wailed. “No tip!” wailed the waiter. The police were duly called.

What was the last thing I saw before the incident? Er… a uterus. I describe it in as much detail as possible, at 25 frames per second.

So, I ask, are you going to run it through your vast, secretive photo-fit database of the population, using some whizzy AI to shortlist the candidates?

Ah no, they respond, we’re not allowed to do that. And then they wink. All of them, in sync, which is a bit creepy. Then I am sent on my way, gently steered back up the corridor in the opposite direction from the Mixo Two.

This is the usual conundrum. Scraping the net for the purposes of building a database for security services is still illegal unless you have really good PR, and the use of AI to crawl around the net and randomly apply face recognition to identify ne’er-do-wells is ethically dubious. In most cases, it can’t be done at all (yet).

On the other hand, machine learning is a fabulous tool for health research, if only we can throw enough data at it. The problem is that more people would be happy to share their medical data if they thought it wouldn’t be subsequently misused. And it will always be misused: that’s what personal data is for.

The last thing I’d want is for my photo to turn up on a hit-list of Interpol’s most-wanted criminal uteruses.

Back home, I am comforted by Mme D, who had been wondering what had prompted me to leave the house while a team of plumbers, electricians, interior decorators, plasterers, architects, stone masons, ironmongers, seismologists, stage illusionists, tap dance instructors, steel drummers, and celtic swordsmen were trampling all over it to refit the toilet for the fifth time.

I mumble a reply, collect the now-soggy popcorn and drag myself back into my office.

“By the way,” she calls, “you left your wallet on the kitchen table so I locked it in the filing cabinet.”


Alistair Dabbs

Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. Back when he ran an office in London’s trendy Hoxton, he attended several cocktail workshops – an essential skill for the Silicon Roundabout crowd. The one thing he learnt was that everything is topped up with sugar water. Bleuh. More at Autosave is for Wimps and @alidabbs.

*As an infant, I reasoned that “wooooom” was the kind of thing that a sheet-clad apparition moans while haunting a castle. It was the holy ghost.

**Vodka, rum, tequila, gin, blue curacao, 7 Up, sweet & sour mix.



‘Hiring is a big challenge for the IT industry’




Citrix’s Meerah Rajavel discusses the biggest challenges in today’s IT landscape, from remote working and talent shortages to security.

Meerah Rajavel is CIO at Citrix, a multinational cloud computing company that provides server, application and desktop virtualisation, networking and cloud computing technologies.

Rajavel has more than 25 years’ experience at well-known tech companies such as McAfee, Cisco and Forcepoint. In her current role, she leads the company’s IT strategy.

What are some of the biggest challenges you’re facing in the current IT landscape?

Many companies viewed remote work as a temporary solution to the pandemic and business leaders continue to push for a return to the old days where employees work in the office every day. But we just did two polls on LinkedIn and Twitter that show this isn’t likely to happen.

That’s going to challenge a lot of organisations, because working remote isn’t easy. When it comes to addressing the technical aspects of how employees can cope and remain productive, you’ve got to walk in their shoes and understand how they leverage technology to achieve business outcomes.

The key to keeping employees engaged lies in providing consistent, secure and reliable access to the systems and information they need to get work done – wherever it needs to get done. And it takes more than just flipping the switch on technologies. Culture plays a huge role in adoption.

Another big challenge IT is faced with is hiring. It’s difficult to find high quality candidates in the areas of security, design thinking and user experience, data science and analytics right now. And there are a few reasons for this. Security remains a critical priority for CIOs. In the hybrid cloud, remote working, BYOD world we now live in, more resources are required to ensure that corporate networks and assets remain safe. And demand far exceeds supply.

When it comes to design thinking, the paradigm is shifting away from user-centric thinking toward human-and-machine thinking. This requires designers to be well versed with the constructs of the possibility of artificial intelligence and machine learning and analytics in addition to user experience in their workflow design process. And that’s a skill that’s not widely available.

What are your thoughts on digital transformation in a broad sense within your industry?

In the last decade, the digitalisation of everything has caused every company – regardless of industry – to become a software company. From mobile banking and virtual healthcare visits to self-driving cars and automated food prep and delivery services, software applications are embedded into nearly every aspect of the economy and our lives.

And as they embark on digital transformation initiatives to support this trend, IT leaders need to align with their business counterparts and make sure they’re collectively approaching things from an inside-out, company-wide perspective.

For me, any type of change management needs to be broken down into three key focus areas: people, process, and technology. But it’s imperative that you start with the people because without first establishing a culture around the change, it will be difficult to achieve success.


When it comes to people, we are particularly mindful of two important elements: culture and training. First, we’ve worked to establish a culture that encourages risk taking and organisational success over individual success. Second, we’re investing in training programmes that enable individuals to confidently transition to the new technologies or way of working and be immediately effective.

In digital transformation, technology needs to be integrated into the ‘flow’ of business, which demands IT and business to embrace shared methods and process. For process, we’ve anchored on standards like safe agile frameworks that make culture and operational efficiency key pillars of any project, to help iterative value delivery and ease of adoption across all areas of the business.

And perhaps most important, we’re investing in the technology – including our own – to help automate and integrate workflows so we can reduce time to production, minimise disruption to the business and increase effectiveness.

What are your thoughts on how sustainability can be addressed from an IT perspective?

In embracing remote work and enabling it through technology, companies can drive their ESG goals and create a more sustainable business and future.

Using digital workspace technologies, for instance, they can give employees access to everything they need to engage and be productive wherever they happen to be, reducing the need to commute and the carbon emissions associated with doing so.

They can also eliminate the need for applications and data to reside on endpoint devices and transition from energy-intensive desktops to energy-efficient laptops to increase their energy efficiency. And because no data is required to live on these devices, they can extend the life of their equipment and reduce waste.

What big tech trends do you believe are changing the world?

We did some research that showed 93pc of business leaders think the increased digital collaboration forced by remote work has amplified more diverse voices, resulting in richer idea generation. And as flexible work becomes the norm, the vast majority expect enhanced equity and collaboration to continue and fuel an era of hyper-innovation. And this excites me.

With flexible work, I see more innovation happening to converge physical and digital experiences. Whether it’s a concept like the metaverse or technologies like AI/ML and VR/XR integrated into the collaboration tools, all aim to enhance the experience and effectiveness for users in a location-agnostic fashion.

What are your thoughts on the security challenges currently facing your industry?

The threat landscape has become much more sophisticated as a result of remote and hybrid work and protecting employees has never been more critical – or difficult.

Employees want the freedom to work when, where and how they want using the devices of their choice. And to attract and retain them in what is no doubt the tightest labour market the world has ever seen and keep them engaged and productive, IT needs to serve it up, all while ensuring corporate assets and data remain safe.

It’s among the biggest challenges we face. And to overcome it, we must move beyond thinking that security and user experience are mutually exclusive and take an intelligent approach to workspace security that combines the two following the zero-trust model to give employees simple, unified access to the apps and information they need, when and where they need it, to perform at their best.

We’ve also witnessed two major software supply chain attacks in the last 12 months with SolarWinds and Log4j.

The first is an example of how easily malicious code can be remotely injected into a simple software update delivered to thousands of enterprises and government agencies worldwide. The second highlights how threat actors are increasingly targeting the vulnerabilities in third-party software components to cause widespread havoc.

All of this underscores the importance of securing the software supply chain and adopting practices like DevSecOps.



‘I was just really scared’: Apple AirTags lead to stalking complaints | Technology




In early January, Brooks Nader, a 26-year-old Sports Illustrated swimsuit model, was walking home alone from a night out in New York when she received a disturbing iPhone notification telling her she was carrying an “unknown accessory”.

“This item has been moving with you for a while,” the alert read. “The owner can see its location.”

That’s when she knew “something wasn’t right”, Nader told the NBC news program Today. Nader discovered that somebody had slipped an Apple AirTag into her coat pocket while she was sitting in a restaurant earlier. Unbeknown to her, the device tracked her location for four hours before Apple’s abuse prevention system triggered the notification to her phone.

AirTags are wireless, quarter-sized Bluetooth devices that retail for $29 each. Apple launched the product in April 2021 as tracking tools that users can pair with the company’s Find My app to help locate lost belongings, like backpacks or car keys.

Yet AirTags have proven easy to abuse – police in New York, Maryland, Idaho, Colorado, Georgia, Michigan, Texas and elsewhere both within the US and internationally, have reported instances of AirTags being used to stalk individuals, as well as to target cars for theft.

Last week, the New Jersey Regional Operations & Intelligence Center issued a warning to police that AirTags posed an “inherent threat to law enforcement, as criminals could use them to identify officers’ sensitive locations” and personal routines.

AirTags have abuse-mitigation features, including pop-ups like the one Nader received, and an alarm that beeps at 60 decibels (a conversational volume) after the AirTag has been away from its owner anywhere between eight and 24 hours.

Near the end of 2021, the company released a new Android app called Tracker Detect, which was designed to help people who own Androids discover suspicious AirTags near them – yet the app must be proactively downloaded and kept active to be effective, and is only compatible with Android 9 or higher.

The outcome of more anti-stalking mechanisms is that more people are realizing they are being stalked. On 14 January, police in Montgomery county, Maryland, responded to a call from a person who was stalked home from a movie theater after an AirTag was planted on their car. Around the same time, two California women called 911 after receiving a notification that their whereabouts were being tracked while out shopping. A 30 December report from the New York Times cites seven women who believe AirTags were used to surveil them. On social media, posts from mainly women sharing their own experiences of being tracked by AirTags have drawn attention to the issue, with one TikTok video from November 2021 receiving more than 31m views.

If you suspect you’re being tracked, the conventional wisdom is not to head home, but rather call – or go to – the police. However, law enforcement responses to incidences of AirTag stalking have thus far been inconsistent, and help is not always guaranteed.

When Arizona’s Kimberly Scroop went to local police after receiving an iPhone notification that she was being tracked in September last year, “they were not interested in taking a report, they didn’t take my name or phone number,” she says. “They said if I noticed someone following me, to call the police then.”

Scroop went home and made a TikTok video about her experience being tracked, thinking she should “make as much noise as possible, so there was some public record of it” online in case anything bad happened to her. “I was having a mini panic attack, just really scared,” she says in the post that has now been viewed more than 5.5m times.

In New York, Jackie’s Law – passed in 2014 to allow police to charge people using GPS tracking devices to stalk victims even if the victims have not pressed charges – contributed to police in West Seneca’s decision to subpoena Apple for information about a case involving an AirTag attached to a victim’s car bumper. Nonetheless, Nader claims she was unable to file a report after being tracked in Tribeca, New York City, as police told her no crime had been committed.

In an official statement, Apple says it will cooperate with police “to provide any available information” about unknown AirTags people discover on their person or property. “We take customer safety very seriously and are committed to AirTags’ privacy and security,” says a spokesperson.

Ultimately, their built-in anti-stalking mechanisms and the fact that they can be easily disabled when discovered render AirTags less dangerous than other forms of stalkerware. “If you really are nefarious and evil and you really want to find someone, there are things that are much better than an AirTag,” in the $100 to $300 range, says Jon Callas, director of technology projects at the Electronic Frontier Foundation.

Indeed, stalking affects an estimated 7.5 million people in the United States each year, and one in four victims report being stalked through some form of technology, according to the Stalking Prevention Awareness & Resource Center. And it’s on the rise: a 2021 international study by the security company Norton found the number of devices reporting stalkerware daily “increased markedly by 63% between September 2020 and May 2021” with the 30-day average increasing from 48,000 to 78,000 detections. There are thousands of different stalkerware variants, such as Cerberus, GPS tracking devices and Tile, a Bluetooth-enabled AirTag competitor that announced a partnership with Amazon last spring.

To Callas, the conversation around AirTags is drawing much-needed attention to the potential for technology to be misused; he hopes more people will consider the safety risks of tracking devices, regardless of how innocent they seem. “If you make a generalized technology that helps you find your lost keys, it can help you find anything,” he says, “and that includes people”.
