orclev @lemmy.world
Posts 1
Comments 858
What's with all the hate for Chinese phones?
  • Many Chinese manufacturers don't have close ties to the government,

    Citation severely needed. Any company operating in China has close ties to the government, it's literally a requirement to get a business license there.

    and any non Chinese phone that you can buy also has backdoors, and quite frankly, for average Joe, their local government may be scarier than the Chinese government.

    Maybe, but it really shouldn't and if it does that's a problem. It's a question of non-Chinese phone might have a backdoor, vs. Chinese phone that definitely has a backdoor. Either way saying "other options are just as bad" doesn't make it a good option.

    Also, your data is being used by the Googles, Microsofts, Apples, etc... in vast quantities daily. We are the product generally.

    Yes, and that's a major problem. It's why there are various replacement firmwares to de-google your phone as well as other techniques to block or disable collection. Once again though, this doesn't excuse Chinese phones doing this.

    Also, remember that most brands manufacture in China, and there are ways to substitute components where the brand would be unsuspecting of the switch.

    Sure, supply chain attacks are a thing. In theory there are ways to combat that but it's a tricky problem. If a Chinese manufacturer got caught doing that though it would be a major international incident. Yet again though just because that might be a risk with any phone doesn't mean you should just accept and use a phone that's known to have a backdoor.

  • What is Firefox supposed to do?
  • I'm willing to work with websites to find a way to pay for them. I'm not willing to work with ad companies. Websites that want my business either come up with a way to make money that doesn't rely on ads or they put up with ad blocking. That's it, those are the only two options.

  • What is Firefox supposed to do?
  • Assuming both the ad and the JS to track said ad are served from a 3rd party (or at least a different domain) that would hold at least so far as recording impressions goes. On the other hand there's still the conversions part of this to consider, although without recordings of impressions the utility of that (and privacy risk) is debatable.

    Ultimately I don't like being opted into anything that collects data, theoretically anonymized or not. I don't like that this DAP process is running in the background and randomly sending data to some 3rd party (once I figure out that hostname it's absolutely getting blackholed at the network level).

    Ads are a plague, you give them even an inch and they'll eventually take everything. It started with broadcast TV, then ads overran it. So they introduced cable. Sure it was expensive, but no ads! Then ads started creeping in and before you knew it cable was a complete ad infested shitshow. Then along comes streaming, a breath of fresh air. Watch what you want, when you want, and best of all no ads. Where are we now? The ads are slowly creeping back in and before long it will be just as bad as cable, 40 minutes of ads in every hour of video.

    For a while we've been winning the war on the internet, able with some effort to hold back the tide, and Firefox was one of the last bastions that seemed to be working with us instead of against us. This though looks like a crack in the armor. It's the first step along a path we don't want to go down. I don't want Mozilla wasting development time pandering to ad companies, I want them improving the browser for us the users. The only ad related content I want to see from Mozilla is improved ad blocking.

  • What is Firefox supposed to do?
  • Maybe, but I'm not seeing anything that suggests that would be possible.

    Here is the technical documentation for how this feature works. The short version is that it exposes some new JS functions that sites can invoke to register various ad related activities. That data in turn gets forwarded by the browser to a 3rd party using a protocol called DAP which can be considered out of band for the purposes of website interactions. I see no evidence at all that uBlock would be able to block the DAP calls, and limited evidence it could effectively block the JS functions.

    uBlock works primarily by blocking network requests using a series of rules. Here is the syntax supported by uBlock for defining its blocking rules. It primarily works by inspecting hostnames, although there is some capability to match on things like HTTP headers, or raw text. There is the capability of blocking an entire script element if it matches specific text E.G. navigator.privateAttribution, however doing so is likely to break sites quite drastically. There is very limited ability to surgically remove such things. Maybe if you injected some JS into each page that overwrites the navigator.privateAttribution namespace with stub functions that do nothing (I believe this is actually what the browser does when you opt-out of that feature), but I'm not sure if that's even possible or if the browser would simply ignore attempts to write to that namespace.

    It's possible Firefox is being "smart" and if it sees you have uBlock or similar ad blocking extensions loaded it disables this feature. It's possible that there's some extra tricks uBlock or other extensions can pull to block this at a more fundamental level that just aren't obvious from looking at their documentation. But nothing in the documentation for this feature seems to guarantee any of that, and it's frustratingly vague in several areas. Regardless none of that changes the fact that this should have been opt-in from the start instead of opt-out. Mozilla argues that they made this opt-out because they wanted to ensure a large enough user base to anonymize the collected data, but that alone suggests there might be privacy problems with this entire thing. This wouldn't be the first time that a supposedly anonymized data set could be at least partially de-anonymized.
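The stub-function idea raised in the comment above, as an added example that is not part of the original comment or of uBlock: it tries to replace `navigator.privateAttribution` with no-ops and reads the result back, so a browser that ignores the write is reported rather than assumed away. The method names `saveImpression` and `measureConversion`, the function name `stubPrivateAttribution`, and running in the page's own script context are assumptions.

```javascript
"use strict";
// Method names are assumptions taken from Mozilla's experimental PPA proposal;
// only navigator.privateAttribution itself is named in the comment above.
const PPA_METHODS = ["saveImpression", "measureConversion"];

// Try to neutralise nav.privateAttribution and report what actually happened,
// so a failed overwrite is visible instead of silently assumed to work.
function stubPrivateAttribution(nav) {
  const report = { present: false, replaced: false, stubbed: [], failed: [] };
  const api = nav.privateAttribution;
  if (api === undefined || api === null) return report; // nothing exposed
  report.present = true;

  const stub = {};
  for (const name of PPA_METHODS) stub[name] = () => Promise.resolve();
  Object.freeze(stub);

  // Attempt 1: shadow the whole namespace with a locked own property.
  try {
    Object.defineProperty(nav, "privateAttribution", {
      value: stub, writable: false, configurable: false, enumerable: true,
    });
  } catch (err) {
    // Non-configurable or non-extensible target: fall through to attempt 2.
  }
  if (nav.privateAttribution === stub) {
    report.replaced = true;
    report.stubbed = [...PPA_METHODS];
    return report;
  }

  // Attempt 2: overwrite individual methods, then verify each by reading back.
  for (const name of PPA_METHODS) {
    try { api[name] = stub[name]; } catch (err) { /* read-only member */ }
    (api[name] === stub[name] ? report.stubbed : report.failed).push(name);
  }
  return report;
}

// Page-context usage; a no-op where the API is absent (e.g. outside Firefox).
if (typeof navigator !== "undefined") stubPrivateAttribution(navigator);
```

Any entry in `failed` means the page can still reach the original function, which is the case where disabling the feature in the browser's own settings remains the only reliable control.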

  • What is Firefox supposed to do?
  • They can certainly try (and many already do with the anti-adblocking attempts) but I've yet to see one succeed. It's trivially easy to evade nearly all attempts at browser identification, and even trying to detect ad blocking is hard to accomplish.

  • What is Firefox supposed to do?
  • I do follow release notes which is how I knew to disable it, but the point is that I shouldn't need to. The reason Mozilla didn't ask before enabling this "feature" is because they know most people would disable it. That should be a pretty big clue that this isn't something their users want.

  • What is Firefox supposed to do?
  • That's fine but it should have been opt-in or at least asked before enabling it. I have ad blockers and anti-tracking extensions, but they don't do anything against this new feature because it's the browser itself doing it. If I hadn't read about it and gone in and disabled it I would be providing data to ad companies without even knowing it and that's unacceptable.

  • What is Firefox supposed to do?
  • My browser is responsible to me, not advertisers so it should do what I want. If websites want my business they'll support my browser. Realistically browsers shouldn't matter because everyone should be implementing to standards not some random ass quirk of one particular browser, I thought everyone learned that lesson back in the 90s with IE. I literally don't care if advertisers throw a hissy fit because they no longer have access to everyone's personal details. The internet existed before ads infested it like the parasites they are and it will still exist after they're exterminated.

  • J.D. Vance Spends Weird, Low-Energy Speech Praising Diet Mountain Dew
  • I mean, he was a moron. He ordered him executed because he thought everything he had suggested failed and it caused a major problem (he tanked the value of Brawndo leading to an economic collapse), not realizing they just needed to wait a little longer to see the results. He was very short sighted, but he at least tried to do the right thing. He also pardoned him as soon as he was shown evidence that the problem had been solved.

  • J.D. Vance Spends Weird, Low-Energy Speech Praising Diet Mountain Dew
  • Dwayne Elizondo Mountain Dew Herbert Camacho was several orders of magnitude a better president than any of these chucklefucks could ever hope to be. He saw his country had a problem he didn't know how to solve so he found the smartest person he could, asked him what to do, and then did it even when it sounded crazy to him and his entire cabinet. We would all be a lot better off if we had more presidents like Camacho and less like Trump.

  • Dems Mock Trump as ‘Too Old’ to Run—Like He Did to Biden
  • The real powerplay if Trump loses would be to pass an amendment setting a maximum age to run for president. Maybe tie it to retirement age. Old enough to receive social security, too old to run. Ideally you make that apply to all political offices, but I'm not that optimistic. Not that I think there's a snowball's chance in hell of this actually happening as that would be a sane and sensible thing to do and therefore antithetical to everything our current crop of politicians stand for.

  • Some Republicans call on Biden to resign the presidency, too, after he ended his campaign
  • It would be somewhat interesting to see what would happen if Biden called their bluff. Biden resigns, Harris becomes the President, she nominates someone to replace her as VP, then runs a reelection campaign in a few months. Without their usual talking points to bitch about with Biden I feel like they'd be kind of at a loss for what to even say. No more Hunter to complain about, none of the tired bullshit they've recycled for years now. They've sunk so much time and effort into attacking Biden I'm not sure they could pivot to Harris quickly enough. What could they dig up on Harris? A lot of progressives don't like her stance on law enforcement, but that's a non-starter for the Republicans as it's basically their stance.

  • NASA's Curiosity Rover Uncovers Trove of Yellow Crystals on Mars
  • I'll save you a click, they're sulfur crystals. This is interesting because although they can naturally form in volcanic regions this area is non-volcanic. The other way they naturally form is via microbial actions which may offer a clue about Mars' past.

  • Schiff says Biden has to ‘win overwhelmingly’ or pass the torch, adds VP Harris could win against Trump
  • The problem is that Republicans don't vote for a candidate they vote for a party. The Republicans could run Hitler's reanimated corpse as their candidate and as long as it had that R next to its name it would get their vote. Democrats on the other hand are much more likely to not vote for or not even show up to vote at all for a candidate they don't particularly like. It's why good Democrat candidates always beat Republican candidates of any kind, but bad candidates usually lose. Democrats massively outnumber Republicans, but the Democrat party nearly always runs the worst possible candidate. If Republicans win any election it's not because they had a good candidate, it's always because Democrats ran a bad one.

  • Should RustSec (Advisory Database and Cargo tools) be embraced at the foundational level and made a "mandatory best practice"?
  • It's an interesting point but I think it kind of confuses two different but related concepts. From the perspective of the library author a vulnerability is a vulnerability and needs to be fixed. From the perspective of the library consumer a vulnerability may or may not be an issue depending on a lot of factors. In some ways severity exists in the wrong place, as it's really the consumer that needs to decide the severity not the library.

    A CVE without a severity score I think is fine. Including the list of CWEs that a particular CVE is composed of I think is useful as well. But CVE should not include a severity score because there really isn't a single severity but a range of severities depending on specific usage. At best the severity score of a CVE represents a worst case scenario not even an average case, never mind the case for a specific project.

  • Should RustSec (Advisory Database and Cargo tools) be embraced at the foundational level and made a "mandatory best practice"?
  • Yeah, our security team once flagged our app for having a SQL injection vulnerability in one of our dependencies. We told them we weren't going to do anything about it. They got really mad and set up a meeting with one of the executives apparently planning to publicly chew us out.

    We get there, they give the explanation about major security vulnerability that we're ignoring, etc. After they said their bit we asked them how they had come to the conclusion we had a SQL injection. Explanation was about what you'd expect, they scanned our dependencies and one of the libraries had a security advisory. We then explained that there were two problems with their findings. First, we don't use SQL anywhere in our app, so there's no conceivable way we could have a SQL injection vulnerability. Second our app didn't have a database or data storage of any kind, we only made RESTful web requests, so even if there was some kind of injection vulnerability (which there wasn't) it would still be sanitized by the services we were calling. That was the last time they even bothered arguing with us when we told them we were ignoring one of their findings.

  • Should RustSec (Advisory Database and Cargo tools) be embraced at the foundational level and made a "mandatory best practice"?
  • It's a good idea to be aware of any security advisories of your project's dependencies, but it's also equally important to be aware of your actual attack surface and audience. It for instance may not matter to your entirely offline and utterly unprivileged app that there's an arbitrary code execution flaw in one of your dependencies because any theoretical attacker is the user themself and they would only be executing code they already had the capability to execute. On the other hand such a flaw in other circumstances could be absolutely critical. It's really down to you as the author of the code to evaluate any security advisories through the lens of your code's expected use cases.

  • Corporatism: The Alternative To Both Capitalism And Socialism
  • So I listened to that entire video and I still don't know what corporatism actually is. There was a lot of talk about how various fascist regimes were corporatist and how it's about all the classes working together, but no actual explanation of what that means in practice.

  • Cinnamon roll mode engaged