[conspire] xz exploit and backdoor

Rick Moen rick at linuxmafia.com
Fri Apr 5 12:49:45 PDT 2024


Quoting Dire Red (deirdre at deirdre.net):

> This is related, but not the same: https://daringfireball.net/2012/02/cookies_and_privacy

I love it when bad actors like Mr. Battelle (quoted) try to manipulate
people with forked-tongue rhetoric.  It's fun to see them try, because
ad-network CxOs just aren't nearly as smooth as are lawyers.  The
shameless misrepresentation and special-pleading shows a lot more.

Here, BTW, is the referenced 2012 WSJ piece, via Archive Today to
circumvent the paywall:  https://archive.is/hebFb

I'd love to know what Google "special computer code" allowed GOOG to
circumvent the exclusion of third-party HTTP cookies on Safari and
Mobile Safari, but it's not a technical article.  All it says is

  The Google code was spotted by Stanford researcher Jonathan Mayer and
  independently confirmed by a technical adviser to the Journal, Ashkan
  Soltani...

and

  Three other online-ad companies were found using similar techniques:
  Vibrant Media Inc., WPP PLC's Media Innovation Group LLC and Gannett
  Co.'s PointRoll Inc.

As with ad-network CxOs, the unnamed GOOG spokesbeing just _isn't good_ 
at manipulative rhetoric, saying:

  The Journal mischaracterizes what happened and why.  We used known
  Safari functionality to provide features that signed-in Google users
  had enabled.

Sentence #2 is probably correct but irrelevant to the point, and
sentence #1 is implied to follow logically but very much does not.

Ah, wait, here's a layman's explanation in the WSJ piece:

  To get around Safari's default blocking, Google exploited a loophole
  in the browser's privacy settings. While Safari does block most
  tracking, it makes an exception for websites with which a person
  interacts in some way—for instance, by filling out a form. So Google
  added coding to some of its ads that made Safari think that a person was
  submitting an invisible form to Google. Safari would then let Google
  install a cookie on the phone or computer.

  The cookie that Google installed on the computer was temporary; it
  expired in 12 to 24 hours. But it could sometimes result in extensive
  tracking of Safari users. This is because of a technical quirk in Safari
  that allows companies to easily add more cookies to a user's computer
  once the company has installed at least one cookie.

As this trick is over a decade old, I'm reasonably certain good
privacy-protection browser extensions help block that and innumerable
other shady behaviour.  I'm equally certain few default browser configs
do -- except I'll bet Apple Safari does, out of the box.  Because Apple
may have its own feet of clay, but at least isn't directly and mainly a
surveillance capitalism company.


> I’m personally not convinced a small team could unfuxxor Chromium
> enough to be acceptably private or secure.

I'm not convinced _any_ Web browser is acceptably private or secure.
Everything needs independent checking.



