AntiProDenialist wrote
Reply to comment by Zerush in by !deleted30
And no, I do not agree on your simile, the simile would be others read all the letters by default, to find one that talks about a murder. It is clear that I go to the police, if I receive a threatening letter, but it is I who wants to read this message in MY correspondence, not someone else to do it for me, the postman or the post office.
The users are sharing the contents of the reported message with the WhatsApp moderators. Otherwise there would be no point in reporting the message. The Ars Technica article I linked makes this clear. I have stated this twice. You seem to just ignore this point. Is it wrong? Tell me how.
Messages and correspondence can only be accessed by third parties by definition, when there is a court order. In this case, it will be the security forces, but never a private company that access or uses the content for its own purposes. It is also not true that an SMS is easier to access than a service like WhatsApp, often used on WiFi networks, in the worst case in a public WiFi in a McDonalds.
This is laughable. End-to-end encryption is not defeated by McDonald's Wi-Fi. Read up on encryption.
It is also not relevant for privacy or security, if the product is OpenSource or not
I'll stop you right there. It is absolutely relevant. If the public can't vet the source code then the program should not be trusted.
it depends on the purpose or the type of license it has
Which open source license has any effect on the privacy or security of its users?
many OpenSource products carry tracking APIs from Google, Facebook, Amazon and others, which are also OpenSource
Google, Facebook, and Amazon are not open source. They may use open source software as parts of their services, and they may develop and contribute to open source software. Either way, your point seems to be that open source software doesn't guarantee privacy or security. No one is going to refute that. It's like pointing out that a bodyguard doesn't guarantee your safety.
hackers can also see the source code to find security holes or to inject all kinds of malware.
This is also laughable. No shit, hackers can find vulnerabilities in the source code. So can developers, security researchers, and anyone else who wants to read the source code, and those vulnerabilities can be properly disclosed and fixed.
Hackers can also (and often do) find vulnerabilities in proprietary software, where there are far fewer eyeballs. Additionally, with fewer eyeballs, proprietary software can more easily get away with being purposefully malicious (for instance, if a WhatsApp server could tell the client to send all of their unencrypted messages to a third party, the public wouldn't know of this feature until it was observed in practice or through reverse engineering).
Privacy and security is specified in the PP and TOS of this
Privacy Policies and Terms of Service don't get to choose what programs are or aren't secure.
Mozilla, for example, uses trackers from Google (Alphabet Inc) and others to create its revenue.
Mozilla gets revenue from setting Google to the default search engine. If I'm missing something please let me know. Either way, open source software violating user privacy for money is not unheard of. The public has access to the source code responsible for that behavior and has the ability to modify and redistribute a privacy-friendly version of the program. You can't do that with proprietary software.
Zerush wrote (edited)
Ok, as I said before, it's not directly related to the article, but generally surveillance is a problem. That moderators read reported posts is clear, but that this is also done by the Facebook company is also a fact. APIs of Google, Facebook and others are FOSS and you can find them in GitHub (Microsoft). Also true that Mozilla uses trackers from Google, see Blacklight analysis of Mozilla.
Blacklight detected this website sending user data to Alphabet, the technology conglomerate that encompasses Google and associated companies like Nest. The Silicon Valley giant collects data from twice the number of websites as its closest competitor, Facebook.
OpenSource is private as the author pretend it, same as in closed source, specified in the PP of the product, which nobody reads. Secure is only a product which has regular maintenance, FOSS discontinued (a lot) or poorly attended is a magnet for any kind of malware (I know). A hacker doesn't need reverse engineering to find security holes in open source code.
Yes, the public has access to the source code, but how many users are able to read and check hundreds of thousands of lines of code and also check related external resources? If the vast majority do not even read the TOS and the PP.
What privacy is there, without going any further, in Chromium if it is used as is? Chromium is from Google and FOSS.
The main reason for OpenSource is technical, advantageous for the development of software (or also Hardware), due to the possibility of sharing resources, customizing and making changes to other products.
One last question, if in WhatsApp the messages are supposedly encrypted, inaccessible for WhatsApp itself, as stated in the PP, how then can the mods access it? It doesn't add up to me if this is true.
AntiProDenialist wrote (edited)
Ok, as I said before, it's not directly related to the article, but generally surveillance is a problem. That moderators read reported posts is clear, but that this is also done by the Facebook company is also a fact.
Okay, perhaps I was misunderstanding you, you won't find any disagreement on this issue here.
APIs of Google, Facebook and others are FOSS and you can find them in GitHub (Microsoft). Also true that Mozilla uses trackers from Google, see Blacklight analysis of Mozilla.
Okay, I plugged in mozilla.org to this site, and it says it uses Google Analytics and Google Tag Manager (which appears to be a part of Google Analytics). I don't think these are even services that Mozilla could use for profit, but I'm not very familiar with these so please let me know if I'm mistaken. Looking at the source code of mozilla.org for myself I found a comment containing a link to this issue which states:
Yes, www.mozilla.org... [uses] Google Analytics premium to understand how our websites are working... Our Google Analytics premium account is set to opt-out on all of 3rd party uses of the data and the only people who have access to the anonymous aggregated data is Mozilla Employees. This is not the normal Google Analytics setup that most people use on other websites.
I don't see much issue with this outside of Google handling the data (I would prefer Mozilla to handle it themselves, but it's not much of a concern to me).
OpenSource is private as the author pretend it, same as in closed source, specified in the PP of the product, which nobody reads.
This doesn't make any sense.
Secure is only a product which has regular maintenance, FOSS discontinued (a lot) or poorly attended is a magnet for any kind of malware (I know).
Yes. Don't trust unmaintained software. This isn't specific to open source.
Yes, the public has access to the source code, but how many users are able to read and check hundreds of thousands of lines of code and also check related external resources? If the vast majority do not even read the TOS and the PP.
The point is not that everyone should read all of the source code of all of the software that they use. The point is people can read the source code, so a user can expect a sufficiently popular open source project to have many eyes on it, including independent parties, and maybe even security researchers. You can see all of the different contributors and the discussion between contributors. This is far better than trusting software that was developed behind closed doors.
What privacy is there, without going any further, in Chromium if it is used as is? Chromium is from Google and FOSS.
Like I said, we can bring up any number of FOSS programs that violate user privacy. It's beside the point. We know that Chromium is not privacy-respecting by default, and that is why there are forks that serve to "de-Google" Chromium, like the fork used by QtWebEngine, which is the base of multiple alternative browsers. If Chromium were closed source then we would only know that it violates user privacy at the discretion of Google, via a privacy policy, and I'm sure you would agree a company might mislead/lie in their privacy policy. I'm also not certain how legally binding privacy policies are, or if they are even required at all.
One last question, if in WhatsApp the messages are supposedly encrypted, inaccessible for WhatsApp itself, as stated in the PP, how then can the mods access it? It doesn't add up to me if this is true.
This was the point of my "threatening letter" analogy earlier. By using WhatsApp's "report" mechanism, the user (who has the unencrypted messages) instructs the WhatsApp client to send the reported messages to WhatsApp's servers for their human moderators to review.
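The report flow described in the reply above, as an added example that is not part of the thread and is not WhatsApp's code: the server relays only ciphertext, and plaintext reaches the moderation queue only when a receiving client chooses to report. The cipher is a toy standard-library construction standing in for a real end-to-end encryption protocol, and every class and method name is hypothetical.

```python
import hashlib
import hmac
import os

# Simplified model only: toy cipher (HMAC-SHA256 keystream plus integrity tag),
# hypothetical names, one pre-shared chat key per conversation.

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def open_sealed(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext was modified in transit")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class Server:
    """Relays opaque blobs and holds no chat keys."""
    def __init__(self):
        self.relayed = []           # ciphertext that passed through the server
        self.moderation_queue = []  # plaintext a client chose to submit

    def relay(self, blob, recipient):
        self.relayed.append(blob)
        recipient.receive(blob)

class Client:
    def __init__(self, chat_key, server):
        self.key, self.server, self.inbox = chat_key, server, []

    def send(self, text, recipient):
        self.server.relay(seal(self.key, text.encode()), recipient)

    def receive(self, blob):
        self.inbox.append(open_sealed(self.key, blob).decode())

    def report(self, index):
        # The endpoint already holds the decrypted message; a report forwards that copy.
        self.server.moderation_queue.append(self.inbox[index])
```

The encryption is never broken in this flow: the disclosure happens at an endpoint that legitimately holds the plaintext, which is why moderators can read reported messages while the server cannot read the rest.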
Zerush wrote (edited)
I agree with these points and he certainly didn't have any bad intentions against your views. I only intend to clarify and make a few points on an important topic. About Mozilla, if you look at the analysis below, apart from Google Analytics, you will also find Alphabet Inc, a Google company, dedicated to disseminating content for advertising companies and which is the tracker that Mozilla uses. I always prefer OpenSource applications, but I know that, what many say, 'what is not FOSS = Crap' or 'FOSS is synonymous with privacy and security', which in my opinion is false, this is not the purpose of OpenSource by default and also dangerous to believe, I know from my own experience.
The many eyes that monitor a FOSS cannot be generalized, since if it is complex applications, they can have millions of lines of code.
In the field of browsers, we are talking about mainly 3 engines, Gecko, WebKit and Blink, the basis for around 100 browsers and another 70 that were discontinued.
In the vast majority, they are forks that make each other with small changes and putting their own logo, because major changes are impossible to make by any developer alone and is reserved for more numerous and active teams or communities, given the complexity of the product, not even talking about maintenance, which is mainly limited to patching holes and bugs that are found later.
Many fall by the wayside for this reason, in a fairly saturated market dominated by the Big 4 (well, Mozilla not so much anymore, currently in freefall, which is sad).
PS, maybe useful for you, Blacklight is very useful to check websites, despite it discovering only the most used tracking techniques and naturally can't check sites which need an account to enter (Facebook, for example). You can also add it to the search engines list you use
For Android apps it is recommended to use Exodus Privacy, which permits checking the apps you use.
AntiProDenialist wrote
About Mozilla, if you look at the analysis below, apart from Google Analytics, you will also find Alphabet Inc, a Google company, dedicated to disseminating content for advertising companies and which is the tracker that Mozilla uses.
Blacklight reports 1 tracker, that is Google Analytics. We know Google Analytics is owned by Google, and Google is owned by Alphabet. This doesn't contradict anything I said in my previous reply.
The many eyes that monitor a FOSS cannot be generalized, since if it is complex applications, they can have millions of lines of code.
Yes, complex programs are more difficult to vet. Ideally we should prefer simpler programs whenever possible (for more reasons than just security, but that's a separate topic), but that is becoming more and more difficult as the software landscape evolves. Regardless, I can trust a complex FOSS program (Firefox, the Linux kernel, X11, LibreOffice, to name a few) much more than I can trust any proprietary program.
In the field of browsers, we are talking about mainly 3 engines, Gecko, WebKit and Blink, the basis for around 100 browsers and another 70 that were discontinued.
Yeah, browsers are fucked. Any browser that can handle the modern web is a bloated turd with many vulnerabilities waiting to be discovered.
In the vast majority, they are forks that make each other with small changes and putting their own logo, because major changes are impossible to make by any developer alone and is reserved for more numerous and active teams or communities, given the complexity of the product, not even talking about maintenance, which is mainly limited to patching holes and bugs that are found later.
Yes, this is sadly true. QtWebEngine (based on Blink) is an exception to this, actively maintained by the Qt Project, with 14 contributors in the last month excluding a bot. But yes, what you're saying is correct, and it has the (very intended and very anti-competitive) effect of solidifying Google's dominance over the web.
PS, maybe useful for you, Blacklight is very useful to check websites, despite it discovering only the most used tracking techniques and naturally can't check sites which need an account to enter (Facebook, for example). You can also add it to the search engines list you use
https://themarkup.org/blacklight?url=%s
For Android apps it is recommended to use Exodus Privacy, which permits checking the apps you use.
I browse the web mostly with JavaScript disabled and I use very strict security settings in Firefox (blocks all known trackers, tries to resist fingerprinting, doesn't keep any data on shutdown) with almost no extensions. Trackers aren't much concern to me (although they do suck).
On Android I only use one proprietary app (WhatsApp, and I don't have any choice about it), and a few open source apps. I'm more worried about the operating system itself and the apps that come preinstalled with it, instead of the apps that I've installed (hopefully open source phones can become usable soon).
Zerush wrote (edited)
I use Vivaldi and sometimes UR and FF. As extensions I mainly use Trace and Site Bleacher. Also uBlock Origin in FF, in Vivaldi I don't need with its own blockers where are also the filterlists from uBO and others. In Android also Vivaldi and naturally OpenSource apps from F-Droid as much as possible, proprietary only an app for medical appointments, that I need as an old retiree that I am.
Because of this I use Windows10 (tuned, without telemetries and other spy-crap it has by default). Well, at least it has the biggest catalogue of FOSS of all OS.