Hackr News App

<@JimDabell> NB. Comment totals may still be increasing as discussion continues

Washington Post's Privacy Tip: Stop Using Chrome, Delete Meta Apps (and Yandex) (328 comments)

https://news.ycombinator.com/item?id=44210689

Meta found 'covertly tracking' Android users through Instagram and Facebook (95 comments)

https://news.ycombinator.com/item?id=44182204

Meta pauses mobile port tracking tech on Android after researchers cry foul (28 comments)

https://news.ycombinator.com/item?id=44175940

Covert web-to-app tracking via localhost on Android (6 comments)

https://news.ycombinator.com/item?id=44169314

Covert Web-to-App Tracking via Localhost on Android (6 comments)

https://news.ycombinator.com/item?id=44169314

Meta and Yandex Spying on Your Android Web Browsing Activity

https://news.ycombinator.com/item?id=44177637

New research highlights privacy abuse involving Meta and Yandex

https://news.ycombinator.com/item?id=44171535

Meta and Yandex exfiltrating tracking data on Android via WebRTC (3 comments)

https://news.ycombinator.com/item?id=44176697

<@aorth> > they were intentionally crippling Facebook Messenger at one point [in a browser]

They were/did. I was using Messenger Lite for a bit which was ok, but they killed that and the mobile browser mode.

I still need FB for some events and contacts, but I refuse to have the fat messenger app installed so now I end up using the damn thing in desktop mode which is ... painful.

All I seem to see in my feed these days is "suggested for you" so it's a lot less addictive than it was back in the day. Not sure why they're so determined to drive the user base away, but that does seem to be the plan.

<@aorth> Web apps have been sabotaged so severely for years now, and it really peeves me. Half the time they bombard the UI with "use the app!!1" popups and the other half of the time they just don't work.

The worst part is that a lot of native apps these days are just web views. You can't even be bother to use the native UI toolkit and you expect me to download your app? If this is just safari with extra steps then let me use safari!

<@aorth> I felt a prude at the time but eschewed native apps for browser versions and haven't regretted. Didn't benefit from notification distraction anyway. Apple and Google just didn't get their houses in order to be taken seriously.

If it ain't on F-Droid, I'll wait.

<@aorth> >I refused to install native versions of apps that could be used in a browser.

Same. After AT&T force obsolesced my perfectly working phone back in February 2022 (it had the bands but they simply didn't want to support it!) I kept it as a dedicated app phone. No web browsing, no stored credentials or cookies, just an app sandbox. Sending a ray of diarrhea to companies who force us to use apps instead of web. I'm looking at you, Chipotle.

<@aorth> this is still perfectly legal and allowed.

every app can scan your apps and recently opened ones "for security".

same for your contacts.

whatsapp (only meta product i need to touch in our fleet) will do both at very fast intervals, and upload a contact list diff if it detect changes.

the whole issue here was that meta bypassed the user matching on the web without paying google "cookie matching" price

<@globalise83> Sounds like the modern version of the CS Lewis quote:

> The greatest evil is not now done in those sordid dens of crime that Dickens loved to paint. It is not done even in concentration camps and labour camps. In those we see its final result. But it is conceived and ordered (moved, seconded, carried, and minuted) in clean, carpeted, warmed and well-lighted offices, by quiet men with white collars and cut fingernails and smooth-shaven cheeks who do not need to raise their voices.

<@globalise83> I like the idea, but I see no reason to shield the management that demanded this of the rank and file. Accountability should go all the way up the chain.

<@globalise83> I dont think we should fine any of the people that worked on it. In the end the decision makers are the ones being paid to be responsible so they should be held responsible.

However, there is a conversation to be had about engineers writing code that they fully know is illegal. Imo there should be a punishment for staying complicit and not reporting it to the authorities. Like that time Volkswagen components detected when they were under test and performed differently.

<@globalise83> This is such an incredibly bad (ignorant and/or malicious) idea in so many ways, chief of which is the incredible power asymmetry between bosses and subordinates in Facebook (and most other companies).

<@globalise83> How would the EU fine American engineers who live and are paid in America?

<@globalise83> Its unethical for sure, seems like some engineers will do anything for their salary, but if they don't do it somebody else will and it is an exciting technical challenge.

Its better to blame the management and higher ups or zuck himself directly. Blame the people who finance it and profit from it, not the people who coded it. Follow the money

<@globalise83> This is the company that abetted genocide in Burma. Their programmers are outside EU jurisdiction. You expect them to do anything other than pay the fine, shrug, and continue to set the world on fire?

<@globalise83> [deleted]

<@globalise83> Let’s be real, the people who are culpable are truly culpable are the ones who gave them the ok to build this in the first place.

<@globalise83> Yeah and let's take away the income from the PMs and Engineers and leave the people who actually call the shots unharmed.

Once I worked at a place that actually made a calculation of how much an outage costed to the company and gave it to the engineers who resolved the issue to "think" about how bad they were.

What you propose is equally confused and wrong

<@frenchmajesty> Companies have been trying to make AR/VR the next platform shift but I'm not super convinced that people actually want or desire this outside of a few niche games. To me it feels like it has about as much staying power as 3D glasses in movies.

<@frenchmajesty> > Back in the early 2010s, they found a way to spy on HTTPS traffic on the iOS App Store to monitor which apps were getting popular.

They had people install a VPN app using enterprise certificate so it was never in the App Store and they monitored all the traffic that the VPN sent.

Unlike this case, it required users to jump through a number of hoops/scary iOS warnings. Many still did, for a gift card or less.

<@frenchmajesty> > They have an history of doing this kind of things.

They have a history because the punishment has never dissuaded anyone from being repeat offender.

<@frenchmajesty> I disagree that they're on track to make it. Their platform, Quest VR, has sold around 20 million headsets. Any company would be over the moon but we're talking Facebook here. They need way more users than that, which can only be achieved with explosive growth.

So maybe they're growing fast? Nope. Their better selling product, at 14 million of those 20 million is the Quest 2 which has been discontinued for 9 months. Doesn't sound like explosive growth to me when your best selling product is not your current product.

<@throwawayffffas> I'd split that first list into two:

1a. Arbitrary apps can listen on ports without permissions.

1b. Arbitrary apps can access local ports without permissions.

I've recently been experimenting with running the browser (on my desktop) in a network namespace precisely because of these reasons. Random websites shouldn't be able to access services running on localhost.

<@throwawayffffas> Those are two technical issues, yes.

But even with those technical issues present, Facebook shouldn't have done this.

<@throwawayffffas> > Android allows apps to open ports without permissions.

Just to clarify: you need `android.permission.INTERNET`. This is a default permission (granted by default at install time with no user interaction).

GrapheneOS allows this permission to be disabled.

As far as I'm aware, you can't lock this down to 'allow only intra-app communications via localhost', please let me know if I'm mistaken.

<@throwawayffffas> There is a proposal to restrict sites from accessing a users' local network without permission: https://github.com/explainers-by-googlers/local-network-acce...

<@ls-a> AND, whenever you suggest here that engineers should consider the morals or ethics of what they are being asked to work on, you often get lots of push back in the comments. "I just want to work on cool tech! It's my company's problem what they use it for!" and "Hey, I'm just a code monkey, don't blame me! If my manager tells me to build the Torment Nexus, I build the Torment Nexus!"

<@ls-a> Absolutely. I’ve done so many bad things with my career. Less over time, but in the beginning I was naive and eager to please. I can’t criticize anyone without admitting I did the exact same thing. We want to stay relevant, get promoted, be the hero who keeps big projects moving, etc. Certain people in leadership see this and use us to execute on things less enthusiastic or more aware/morally grounded types won’t.

This is why I earn half as much working in science now. We will never reach unicorn status but we also won’t treat our end users and partners like pawns to exploit on our path to wealth and power. I can live with that.

<@ls-a> That's what they need AI for. It won't say no.

<@geerlingguy> > I think some people are under the impression that's a way to act like you're in total privacy... but it's not.

It should be for the average person. VPN and private browsing should be enough for what most people use it for. I don’t think it’s fair to expect people to think that the browser is secretly communicating with apps on their phone, tying all behavior to their identity.

<@geerlingguy> And if you actually leave the Facebook or instagram apps running in the background.

Some people hate apps running in the background and they terminate all apps as soon as they are done using them.

<@jasonthorsness> Shouldn't a sensible CORS policy by the webserver block these access attempts?

Of course the website owner wants the tracking, but I think they should also be a guilty party here next to Facebook, even if they just bought the service.

<@jasonthorsness> yeah...how does this get approved?

<@jmward01> This provides them an easy way to build a labelled dataset for training the fingerprinting ML models.

<@jmward01> Sociopathic people are running the company. You tell them they can't do something, they take it as a challenge and try to do it without getting caught.

<@hurtuvac78> Yeah, would be interested to know why exactly

EDIT: Ok probably because it basically is a repost. I just haven't seen it 6 days ago.

<@tdiff> They knew who was going to be president this year.

<@eqvinox> > people need to learn they shouldn't trust apps made by these giant adzillas.

I do wish life were that simple. Users (including myself) get value out of natively installed apps. Until that changes, this suggestion is impractical.

<@teleforce> "If you're paying, you're still the product", so apparently other factors anon didn't mention are involved

<@ranguna> And according to the article, they're using RTC because Android is meant to be hardened against backdooring localhost, but Meta found a loophole that allowed it if over RTC.

<@ranguna> The technical details roughly boil down to "your browser lets internet sites talk to local services"; in this case if they cooperate they can identify each other, but cf. https://mrbruh.com/asusdriverhub/

In practical terms this is a privacy leak a couple bits more informative but slightly less robust than "these requests are coming from the same IP address."

<@ranguna> Does anyone know how long was this going on, are we talking weeks, months or years?

<@fifilura> I have an anecdote about fines not being about making a victim whole.

I was hit by a hit-and-run while driving my car. Totally destroyed the back-end.

I personally investigated and gathered info/videos to figure out the car and plates because the police essentially said they couldn't be bothered.

After finding out the owner of the car the insurance company said that under their criteria it was no longer a hit-and-run and I'm not covered by them. The person did not have insurance.

The law here is the owner of the vehicle faces a $2000 fine, plus the $2000 fine for a vehicle being operated without insurance. I was subpoenaed as a witness (lol) to the hit and run, for which I had to take a day off work.

So, the government earned a cool $4000 for my troubles, and i was out a $3000 car and a day of work.

I've since accepted that fines are just a lazy blunt instrument that serve as nothing more than a deterrent; not a way to fix past injustices. Maybe obvious but still counter intuitive when you're the wronged party.

<@fifilura> Theoretically, fines replace tax revenue, so you get compensated by lower taxes. (Practically, spending and income are decoupled and taxes are mostly just an inflation management strategy.)

<@sidcool> It’s allowed over RTC

<@throwawayffffas> I did a quick check with adb, it looks like whatsapp is not opening any ports.

<@throwawayffffas> ...and FB Messenger

<@ajsnigrutin> The EU doesn’t play around in this realm.

1.2 billion fine for an earlier incident: https://www.edpb.europa.eu/news/news/2023/12-billion-euro-fi...

<@Waterluvian> > Companies have no soul. They are, by design, just chasing revenue. Everything else is just a risk to be factored.

I disagree - companies are set up/run by people, and those people define company culture/ company culture reflects those people.

Not all companies, even big ones, are the same.

To make that concrete - if Mark Zuckerberg found out about the above activity and was appalled and sacked everyone involved that would send out a very strong signal.

Note this particular method can't be a rogue one man job - it requires coordination across multiple parts of the Meta stack - senior people had to know - which would point to a rotten culture at Meta emanating from the top.

<@Waterluvian> > I think it’s just very, very easy to create a system of people collectively doing evil things where no one person carries the burden of evil individually enough to really feel sick enough with what they’re contributing to.

Which is why I don't think punishing just the company itself is enough. The engineers, designers, PM's that implemented this should also receive punishment, sufficient enough to make anyone thinking of participating in the implementation of such systems has reason enough to feel sick, if only for their own skin. Make it clear that participating in such things carries the risk of losing your career, a lot of money, and potentially even your freedom.

<@Waterluvian> I think (haven't actually watched it, but on my watchlist) this is exactly what the movie "The Corporation" (2003) [1] lays out.

[1] https://m.imdb.com/title/tt0379225

<@Waterluvian> Never underestimate the evil a human can perpetuate in the name of a paycheck.

<@Waterluvian> I think about this a lot …

I think the key aspect of a company with “soul” is humans directing the company rather than the company directing the humans.

I think the biggest inflection point where this flips is when companies “pivot”.

The human founders of a company should have a well-defined philosophical Vision of what it is they are building and who it is for. If this doesn’t work out, the business should be terminated.

It is the zombie husks of corporate organizations that have been repurposed to other ends by finance that are dangerous.

<@Waterluvian> There are multiple entire industries built around diluting and proxying accountability.

I suppose since diluting accountability aligns well with making more money by allowing shadier activities it naturally happens "by accident", but I also think it's quite deliberate in many cases.

<@Waterluvian> I agree except perhaps an over generalization.

Some companies do have soul, and some pockets within big companies do. Patagonia, of course but even some big companies like Unilever are surprisingly soulful. They’re the exception maybe, but it’s not like companies have to be amoral.

In tech, there used to be a ton of borderline hippy companies, including Apple and Google. There are probably smaller ones now, but growth and pressure and wealth does seem to squeeze the soul out of places.

<@Waterluvian> > I don’t think these humans have no soul

They're sellouts and traitors.

Then there are people who will take to pondering what it means to be a sellout in a disingenuous manner. They act like it takes a haughty philosophy club to stroke their beards, reinvent paid labor from first principals and through motivated reasoning discovered "sellout" isn't that all that bad. And it turns out everyone sells out one way or another, so it's a wash what line of work you go into anyway.

Now those are the people who have no souls.

<@Waterluvian> Is this just a particular case of diffusion of responsibility?

<@Waterluvian> Look at atrocities of animal agriculture and all difficult engineering done to scale massive slaughter.

For some its evil, for others its an interesting itch to scratch.

<@OptionOfT> I read this:

> Android has many flaws, but in the relevant part here, it’s specifically designed to prevent apps from doing this — from listening to local ports like localhost.

to mean that they could not do it via HTTP, and instead had to circumvent Android's privacy measures via WebRTC.

<@riddley> Nothing, notably programs like discord do exactly this under the guise of detecting if you are playing a game or not, but I find it hard to believe that discord can resist the temptation to send back the entire process tree to their servers.

<@riddley> Nothing really. Desktop operating systems are basically grandfathered into the modern world. They have the old timey approach to application security. That being, applications can access everything on your computer, and there's no fine-grained permission systems.

But, for OS that we've developed later, we kind of decided that's a problem, and applications are a vector for malware, and "trust" just isn't enough. So Android and iOS did the whole permissions thing.

Now, we've gone back and added some stuff onto desktop operating systems. Of course Linux has containers these days on desktop. Like, I'm running Firefox right now - but Firefox can only access it's runtime folders and ~/Downloads. So, if there's a zero day sandbox breach, I won't get data stolen. There's also SELinux and Apparmor and stuff and you can really jump into the deep end with this.

But, we largely view it as unnecessary because we're running open-source software from trusted repositories. We probably shouldn't view it that way.

<@riddley> File mode bits prevent processes not running as root from reading much of the info in /proc.

<@pupppet> I mean, we can assume they are doing something bad and not install their software.

<@pupppet> Yes, I just love all those cookie banners. Thanks!

<@davedx> It's 32B€

<@davedx> Ditto on the 32B, especially since that's IIRC one of the llama model sizes!

<@Thorrez> > How does choice of search engine protect from this?

I don’t use android or either of those browsers but my guess is that either block the tracking pixel from loading in the first place or they’re more locked down on what they allow websites to reach out to (aka no Localhost access).

<@Thorrez> I think they meant our browser.

<@udev4096> > they fully deserve to be tracked

Absolutely not. The law is still the law. The fact that Meta is able to break the law via technical means doesn’t mean victims deserve to be victimized.

Just because someone is able to pick your lock at night doesn’t mean you deserve to be burglarized.

<@fidotron> Is there anything in those EU directives that requires browsers to let webpages connect to localhost? Because that's the main issue here. And also maybe apps should need permission to listen on ports or connect to localhost, but I doubt the regulation prevents that either.

On https://localmess.github.io/, they think that this is technically possible on iOS too, and the main reason it wasn't done there is due to restrictions on apps running in the background.

This is nothing new that has been opened up because of those regulations.

<@fidotron> It is kind of funny that EU may well require these kinds of vulns to be present, while reacting with outrage when used.