AntiProDenialist wrote

Reply to comment by emma in Don't use Manjaro by mofongo

This CVE is worth mentioning too. "Local attacker" here actually means anyone with access to /tmp (like a user over SSH for instance). There was also this fiasco where they were planning to push a proprietary office suite onto new users but changed their minds after backlash.

Expired certs and bugs/vulnerabilities aren't unheard of and aren't reason enough to avoid a project on their own. However I don't think Manjaro has a good track record or a good model of rolling out updates (and doesn't appear to have their users' best interests in mind), and I don't think the service it provides is worth any risk at all since I don't think it has value. Newbies can use user friendly distros, others can use other distros, like Arch in this instance. I'm not aware of any niche that Manjaro fills that other distros don't.

(Yeah the treasurer drama probably shouldn't have been brought up here. It might be relevant for prospective/current donors, but I'm not in that demographic so I haven't bothered to form a strong opinion.)


AntiProDenialist wrote

Inspect element and try to find a video URL. Sometimes it's very easy and you get a static video URL that you can access at any time. Other times you may get a video URL that expires very quickly, so you may need to write a script to extract + download from the video URL as soon as the page loads. Sometimes the video is served in chunks, I don't know how to deal with these.

And sometimes you can just give the URL to youtube-dl and it will handle everything for you.
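The three cases described above (a static URL, a URL that expires, and video served in chunks), as an added example that is not part of the original comment. The HTML and the HLS manifest below are constructed samples; the `expires` query parameter, the host names and the `.m3u8`/`.mpd` paths are assumptions about how such sites serve video, not facts about any particular site. The "chunks" case is usually an HLS or DASH manifest: a playlist whose non-comment lines are the segment URLs, fetched in order and concatenated (which is what youtube-dl or ffmpeg do for you).

```python
"""Find video URLs in a page's HTML, classify them, and expand HLS manifests.

Added example, not code from the original comment. The HTML and manifest
below are constructed samples; the `expires` query parameter, the host
names and the `.m3u8`/`.mpd` paths are assumptions about how such sites
serve video, not facts about any particular site.
"""
import time
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse
from urllib.request import Request, urlopen

SAMPLE_HTML = """<html><body>
<video controls src="/media/clip.mp4"></video>
<video controls>
  <source src="https://cdn.example.net/v/clip.mp4?expires=1700000000&amp;sig=abc" type="video/mp4">
</video>
<div class="player" data-manifest="https://cdn.example.net/v/clip/master.m3u8"></div>
</body></html>"""

SAMPLE_M3U8 = """#EXTM3U
#EXT-X-TARGETDURATION:6
#EXTINF:6.0,
seg0.ts
#EXTINF:6.0,
seg1.ts
#EXT-X-ENDLIST
"""


class VideoURLFinder(HTMLParser):
    """Collect src attributes of <video>/<source> tags and any attribute that
    points at a streaming manifest (JS players often load those from data-*)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def _add(self, value):
        url = urljoin(self.base_url, value)
        if url not in self.urls:
            self.urls.append(url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("video", "source") and attrs.get("src"):
            self._add(attrs["src"])
        for value in attrs.values():
            if value and urlparse(value).path.endswith((".m3u8", ".mpd")):
                self._add(value)


def classify(url, now=None):
    """'static' (fetch any time), 'expiring'/'expired' (signed URL with a
    deadline), or 'chunked' (a manifest listing segments, not one file)."""
    now = time.time() if now is None else now
    parsed = urlparse(url)
    if parsed.path.endswith((".m3u8", ".mpd")):
        return "chunked"
    exp = parse_qs(parsed.query).get("expires")
    if exp:
        return "expired" if int(exp[0]) < now else "expiring"
    return "static"


def find_video_urls(html, base_url, now=None):
    finder = VideoURLFinder(base_url)
    finder.feed(html)
    return [(u, classify(u, now)) for u in finder.urls]


def m3u8_segments(manifest_text, manifest_url):
    """Segment URLs of an HLS media playlist: every non-comment, non-empty
    line, resolved against the manifest's own URL."""
    return [urljoin(manifest_url, line.strip())
            for line in manifest_text.splitlines()
            if line.strip() and not line.startswith("#")]


def download(url, path, referer):
    """Fetch one URL to disk, sending the page as Referer (many CDNs check it).
    Not called here; for expiring URLs run it as soon as the page is loaded."""
    req = Request(url, headers={"Referer": referer, "User-Agent": "Mozilla/5.0"})
    with urlopen(req) as resp, open(path, "wb") as out:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            out.write(chunk)


if __name__ == "__main__":
    for url, kind in find_video_urls(SAMPLE_HTML, "https://example.org/watch/1"):
        print(kind, url)
    print(m3u8_segments(SAMPLE_M3U8, "https://cdn.example.net/v/clip/master.m3u8"))
```

For a chunked stream you would call `download` on each URL returned by `m3u8_segments` and append the results to one file; for an expiring URL the classification tells you whether it is still worth fetching before the signature deadline passes.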


AntiProDenialist wrote

Reply to comment by Zerush in by !deleted30

About Mozilla, if you look at the analysis below, apart from Google Analytics, you will also find Alphabet Inc, a Google company, dedicated to disseminating content for advertising companies, which is the tracker that Mozilla uses.

Blacklight reports 1 tracker, that is Google Analytics. We know Google Analytics is owned by Google, and Google is owned by Alphabet. This doesn't contradict anything I said in my previous reply.

The many eyes that monitor FOSS cannot be generalized, since complex applications can have millions of lines of code.

Yes, complex programs are more difficult to vet. Ideally we should prefer simpler programs whenever possible (for more reasons than just security, but that's a separate topic), but that is becoming more and more difficult as the software landscape evolves. Regardless, I can trust a complex FOSS program (Firefox, the Linux kernel, X11, LibreOffice, to name a few) much more than I can trust any proprietary program.

In the field of browsers, we are talking about mainly 3 engines, Gecko, WebKit and Blink, the basis for around 100 browsers and another 70 that were discontinued.

Yeah, browsers are fucked. Any browser that can handle the modern web is a bloated turd with many vulnerabilities waiting to be discovered.

In the vast majority of cases, they are forks of each other with small changes and their own logo, because major changes are impossible for any developer alone to make and are reserved for larger, more active teams or communities, given the complexity of the product, not even talking about maintenance, which is mainly limited to patching holes and bugs that are found later.

Yes, this is sadly true. QtWebEngine (based on Blink) is an exception to this, actively maintained by the Qt Project, with 14 contributors in the last month excluding a bot. But yes, what you're saying is correct, and it has the (very intended and very anti-competitive) effect of solidifying Google's dominance over the web.

PS: Maybe useful for you, Blacklight is very useful to check websites, although it discovers only the most used tracking techniques and naturally can't check sites which need an account to enter (Facebook, for example). You can also add it to the list of search engines you use.

For Android apps it is recommended to use Exodus Privacy, which lets you check the apps you use.

I browse the web mostly with JavaScript disabled and I use very strict security settings in Firefox (blocks all known trackers, tries to resist fingerprinting, doesn't keep any data on shutdown) with almost no extensions. Trackers aren't much of a concern to me (although they do suck).

On Android I only use one proprietary app (WhatsApp, and I don't have any choice about it), and a few open source apps. I'm more worried about the operating system itself and the apps that come preinstalled with it, instead of the apps that I've installed (hopefully open source phones can become usable soon).


AntiProDenialist wrote (edited )

Reply to comment by Zerush in by !deleted30

Ok, as I said before, it's not directly related to the article, but generally surveillance is a problem. That moderators read reported posts is clear, but that this is also done by the Facebook company is also a fact.

Okay, perhaps I was misunderstanding you, you won't find any disagreement on this issue here.

APIs of Google, Facebook and others are FOSS and you can find them on GitHub (Microsoft). It is also true that Mozilla uses trackers from Google; see the Blacklight analysis of Mozilla.

Okay, I plugged in to this site, and it says it uses Google Analytics and Google Tag Manager (which appears to be a part of Google Analytics). I don't think these are even services that Mozilla could use for profit, but I'm not very familiar with these so please let me know if I'm mistaken. Looking at the source code of for myself I found a comment containing a link to this issue which states:

Yes, [uses] Google Analytics premium to understand how our websites are working... Our Google Analytics premium account is set to opt-out on all of 3rd party uses of the data and the only people who have access to the anonymous aggregated data is Mozilla Employees. This is not the normal Google Analytics setup that most people use on other websites.

I don't see much issue with this outside of Google handling the data (I would prefer Mozilla to handle it themselves, but it's not much of a concern to me).

Open source is private as the author pretends it, same as in closed source, specified in the PP of the product, which nobody reads.

This doesn't make any sense.

Secure is only a product which has regular maintenance; FOSS that is discontinued (a lot of it) or poorly attended is a magnet for any kind of malware (I know).

Yes. Don't trust unmaintained software. This isn't specific to open source.

Yes, the public has access to the source code, but how many users are able to read and check hundreds of thousands of lines of code and also check related external resources, if the vast majority do not even read the TOS and the PP?

The point is not that everyone should read all of the source code of all of the software that they use. The point is people can read the source code, so a user can expect a sufficiently popular open source project to have many eyes on it, including independent parties, and maybe even security researchers. You can see all of the different contributors and the discussion between contributors. This is far better than trusting software that was developed behind closed doors.

What privacy is there, without going any further, in Chromium if it is used as is? Chromium is from Google and FOSS.

Like I said, we can bring up any number of FOSS programs that violate user privacy. It's beside the point. We know that Chromium is not privacy-respecting by default, and that is why there are forks that serve to "de-Google" Chromium, like the fork used by QtWebEngine, which is the base of multiple alternative browsers. If Chromium were closed source then we would only know that it violates user privacy at the discretion of Google, via a privacy policy, and I'm sure you would agree a company might mislead/lie in their privacy policy. I'm also not certain how legally binding privacy policies are, or if they are even required at all.

One last question: if in WhatsApp the messages are supposedly encrypted, inaccessible to WhatsApp itself, as stated in the PP, how then can the mods access them? It doesn't add up to me if this is true.

This was the point of my "threatening letter" analogy earlier. By using WhatsApp's "report" mechanism, the user (who has the unencrypted messages) instructs the WhatsApp client to send the reported messages to WhatsApp's servers for their human moderators to review.


AntiProDenialist wrote

Reply to comment by Zerush in by !deleted30

And no, I do not agree with your simile; the simile would be others reading all the letters by default, to find one that talks about a murder. It is clear that I go to the police if I receive a threatening letter, but it is I who wants to read this message in MY correspondence, not someone else doing it for me, the postman or the post office.

The users are sharing the contents of the reported message with the WhatsApp moderators. Otherwise there would be no point in reporting the message. The Ars Technica article I linked makes this clear. I have stated this twice. You seem to just ignore this point. Is it wrong? Tell me how.

Messages and correspondence can only be accessed by third parties, by definition, when there is a court order. In this case, it will be the security forces, but never a private company that accesses or uses the content for its own purposes. It is also not true that an SMS is easier to access than a service like WhatsApp, often used on WiFi networks, in the worst case on a public WiFi in a McDonald's.

This is laughable. End-to-end encryption is not defeated by McDonald's Wi-Fi. Read up on encryption.

It is also not relevant for privacy or security, if the product is OpenSource or not

I'll stop you right there. It is absolutely relevant. If the public can't vet the source code then the program should not be trusted.

it depends on the purpose or the type of license it has

Which open source license has any effect on the privacy or security of its users?

many OpenSource products carry tracking APIs from Google, Facebook, Amazon and others, which are also OpenSource

Google, Facebook, and Amazon are not open source. They may use open source software as parts of their services, and they may develop and contribute to open source software. Either way, your point seems to be that open source software doesn't guarantee privacy or security. No one is going to refute that. It's like pointing out that a bodyguard doesn't guarantee your safety.

hackers can also see the source code to find security holes or to inject all kinds of malware.

This is also laughable. No shit, hackers can find vulnerabilities in the source code. So can developers, security researchers, and anyone else who wants to read the source code, and those vulnerabilities can be properly disclosed and fixed.

Hackers can also (and often do) find vulnerabilities in proprietary software, where there are far fewer eyeballs. Additionally, with fewer eyeballs, proprietary software can more easily get away with being purposefully malicious (for instance, if a WhatsApp server could tell the client to send all of their unencrypted messages to a third party, the public wouldn't know of this feature until it was observed in practice or through reverse engineering).

Privacy and security are specified in the PP and TOS of this

Privacy Policies and Terms of Service don't get to choose what programs are or aren't secure.

Mozilla, for example, uses trackers from Google (Alphabet Inc) and others to create its revenue.

Mozilla gets revenue from setting Google to the default search engine. If I'm missing something please let me know. Either way, open source software violating user privacy for money is not unheard of. The public has access to the source code responsible for that behavior and has the ability to modify and redistribute a privacy-friendly version of the program. You can't do that with proprietary software.


AntiProDenialist wrote

Reply to comment by Zerush in by !deleted30

Same as in Gmail, where they are read by employees and bots searching for keywords, due to the US anti-terrorist policy (used as an excuse).

Either I'm misunderstanding you or you are misunderstanding me. The two cases are not remotely similar. Read the Gizmodo article, and read the Ars Technica article I linked. Neither allege that WhatsApp is automatically flagging messages for review.

The reaction of the people would be very different when the postman would open our correspondence to read it, before putting it in our mailbox, although it is exactly the same.

A more apt analogy would be if someone sent me a letter in the mail threatening to kill me and I took that letter to the local police station so they could be aware of the issue. The messages are being shared by the users of the app to the moderators through the report system. WhatsApp uses end-to-end encryption (which does not mean it should be trusted, it is still proprietary and for-profit, but it is better than many other popular messaging services).

The tracking and surveillance of the user by large companies has reached a highly indecent and criminal level, no private company has the right to spy on us and record our activities, but most users do not seem to bother.

I fully agree. In an ideal world people would be using Signal or some other open source end-to-end encrypted messenger. My worry is that press like this will serve to push average people away from WhatsApp and into something worse, like SMS, unencrypted email, Facebook Messenger etc.

Either way, misinformation should be corrected, regardless of who it benefits. Yes, fuck WhatsApp, but fuck WhatsApp for the right reasons.


AntiProDenialist wrote (edited )

Reply to by !deleted30

WhatsApp discloses, in its terms of service, that when an account is reported, it “receives the most recent messages” from the reported group or user as well as “information on your recent interactions with the reported user.”

How does this work for non-group chats? Are the messages shared to WhatsApp's moderators by the reporting user? I don't see an issue with this if that's the case.

EDIT: Yeah, this appears to be the case, from Ars Technica:

The loophole in WhatsApp's end-to-end encryption is simple: The recipient of any WhatsApp message can flag it. Once flagged, the message is copied on the recipient's device and sent as a separate message to Facebook for review.
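The mechanism this thread keeps coming back to (the reporting client forwarding its own decrypted copies of recent messages, while the relay server and a passive observer on the sender's Wi-Fi only ever see ciphertext), as an added example that is not part of any post here and is not WhatsApp's code. The cipher is a throwaway XOR keystream built from HMAC-SHA256 (illustration only, unauthenticated, not a real messaging cipher), the pre-shared key stands in for a key-agreement step the model does not cover, and the names, message texts and five-message report window are constructed assumptions.

```python
"""Toy model of an end-to-end-encrypted chat with a client-side "report" button.

Added example, not WhatsApp's code and not code from any post in this thread.
The cipher is a throwaway XOR keystream from HMAC-SHA256 (illustration only,
unauthenticated); the pre-shared key stands in for a key agreement this model
does not cover; names, texts and the report window are constructed assumptions.
"""
import hashlib
import hmac
import os

REPORT_WINDOW = 5  # assumed: how many recent messages one report forwards


def keystream(key, nonce, length):
    """Derive `length` bytes as successive HMAC-SHA256(key, nonce || counter) blocks."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(12)
    return nonce, bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key, nonce, ciphertext):
    return bytes(c ^ k for c, k in zip(ciphertext, keystream(key, nonce, len(ciphertext))))


class Relay:
    """The service's server: forwards ciphertext it cannot decrypt and keeps a
    moderation queue that only receives what a client explicitly sends to it."""

    def __init__(self):
        self.clients = {}
        self.stored = []            # (sender, recipient, nonce, ciphertext)
        self.moderation_queue = []  # (reporter, reported, plaintexts)

    def register(self, client):
        self.clients[client.name] = client

    def forward(self, sender, recipient, nonce, ciphertext):
        self.stored.append((sender, recipient, nonce, ciphertext))
        self.clients[recipient].receive(sender, nonce, ciphertext)

    def receive_report(self, reporter, reported, plaintexts):
        self.moderation_queue.append((reporter, reported, list(plaintexts)))

    def can_read(self, needle):
        return any(needle in ct for _, _, _, ct in self.stored)


class WifiSniffer:
    """A passive observer on the sender's network (the public Wi-Fi case)."""

    def __init__(self):
        self.captured = []

    def observe(self, nonce, ciphertext):
        self.captured.append(nonce + ciphertext)

    def saw(self, needle):
        return any(needle in frame for frame in self.captured)


class Client:
    def __init__(self, name, key, relay, sniffer=None):
        self.name, self.key, self.relay, self.sniffer = name, key, relay, sniffer
        self.history = []  # (peer, text): decrypted copies live on the device

    def send(self, peer_name, text):
        nonce, ct = encrypt(self.key, text.encode())
        if self.sniffer:
            self.sniffer.observe(nonce, ct)  # what actually leaves the device
        self.relay.forward(self.name, peer_name, nonce, ct)
        self.history.append((peer_name, text))

    def receive(self, sender, nonce, ct):
        self.history.append((sender, decrypt(self.key, nonce, ct).decode()))

    def report(self, peer_name):
        """The reporting client, not the server, hands over plaintext: it
        forwards its own decrypted copies of the recent conversation."""
        recent = [t for p, t in self.history if p == peer_name][-REPORT_WINDOW:]
        self.relay.receive_report(self.name, peer_name, recent)
        return recent


def run_scenario():
    key = os.urandom(32)  # assumed to be the output of a key agreement
    relay, sniffer = Relay(), WifiSniffer()
    alice = Client("alice", key, relay, sniffer=sniffer)  # alice is on public Wi-Fi
    bob = Client("bob", key, relay)
    relay.register(alice)
    relay.register(bob)
    alice.send("bob", "hello")
    alice.send("bob", "I will hurt you")
    bob.send("alice", "leave me alone")
    threat = b"I will hurt you"
    queue_before = len(relay.moderation_queue)
    forwarded = bob.report("alice")
    return {
        "relay_can_read_threat": relay.can_read(threat),
        "sniffer_saw_threat": sniffer.saw(threat),
        "queue_before_report": queue_before,
        "forwarded": forwarded,
        "queue_after_report": relay.moderation_queue,
    }
```

Running `run_scenario()` shows the two halves of the argument side by side: neither the relay's stored traffic nor the Wi-Fi capture contains the threat in the clear, and the moderation queue is empty until Bob presses report, at which point it holds exactly the plaintext Bob's own device already had. Nothing about the encryption is weakened; the recipient simply chooses to share what was sent to them.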