> As I understand it Chromium has freedom issues
Could you please explain what freedom issues (apart from the one mentioned by
me) there are? I have always thought Chromium is FLOSS.
> Firefox has known issues, but as free software can be modified to remove
any antifeatures.
But I am not
> My only point is that "This Firefox antifeature is an invasion of privacy"
will be a more effective argument than "The fact that this feature can't be
disabled without editing the source code violates freedom 0."
You are right about that. Perhaps I should have actually used a new
> Chromium has no good free software derivatives, firefox does.
I don't know why that makes Firefox better software (privacy or freedom
wise). It may actually have the implication that Firefox *needs*
modifications in order to be good for the user. In any case without having
expected each
> My bad...
No worries.
> As for purism, their operating system pureos is fine unless you're against
systemd...
Should I be? I read some comments against it in the other thread... Then in
Wikipedia... but still I don't know if one should be worried enough to avoid
it. Again - I don't have
> newsbeuter
Yes, I have started using it yesterday too. Looks nice. Thanks for sharing
your experience.
> agree that Firefox does not adequately respect privacy, but it is free
software
I see a big danger in this. It implies that free software can be malicious to
the user and still be
> You make a similar point to the one RMS makes in the Ubuntu article Magic
Banana linked to, which I encourage you to read if you haven't already.
I am familiar with the story about Ubuntu's search forwarding info to Amazon.
> However, because RMS coined the term 'free software', it is
Hello friend of software freedom,
In December 2017, after trying FF 57 for the first time, I saw some hideous
things and I started to test various browsers myself, from privacy
perspective. I have shared some of my findings as bug reports:
Firefox:
Ok.
> Netsurf according to openhub has some 200.000 lines of code
Good luck with exercising freedom 1 with this :)
> Highly recommended browser.
Why?
F1: I know. I just wanted to say that it is humanly impossible for a single
person to study millions of lines. Even for 100 people. Perhaps I should have
commented on a previous post of yours.
> Coz it's fast like hell?
How does it behave on the tcpdump test? BTW NetSurf's website is also
> If you're concerned about privacy issues in Mozilla, then how could you
ever consider Chromium?
Why not? The test proves it behaves better. It doesn't chatter in the
background like Firefox (and its forks). There is only one single packet sent
to translate.google.com on opening of settings
You made quite a good summary. Just to clarify:
I am not looking for an argument in the sense of stating something and then
proving it. The clarifications I made just for the sake of better mutual
understanding, not in order to oppose for the sport of it (which would be
quite silly).
> Are these words sincere, or are they meant to provoke others?
They are sincere. And they are meant to provoke actual testing, not just
theorizing.
I have not tested Iridium. And I am not planning to. So whoever says anything
about it must provide actual test. Otherwise it is just words
Another reason to keep JS disabled:
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/
Why would you use TOR to download a distro?
> But there is no magic: if you send little information, then little
information is received on the other side. If you add noise, the receiver can
exploit it even less.
You send your IP address. That's more than enough. You can't add noise to
that. Also it is technically stupid
So basically you proved the results of my tests. The first 3 hosts you listed
look like the hosts which contain the lists for uMatrix (without uMatrix there
would not be connections to them). But opening preferences again shows
connections to hosts which the user has not explicitly asked for.
How do 3 nested VPNs to which you pay non-anonymously anonymize you?
Thanks. I will look into all this.
> ...or wait a minute.. is that risky in these Intel ME times?
Intel ME has nothing to do with it as it is basically a separate system
inside the CPU with its own memory etc. Of course it is possible for Intel ME
to read/modify/transmit every bit of information on your system without even
It has always been the case in human history that when a particular entity
gains power over certain resources it results in suppression, dictatorship,
exploitation, misery etc. Yet people keep repeating the nonsense about how
good it is to be ambitious, successful, "more than others", "a
> What do you use Google apps for? Which ones do you use?
Gmail, Google Drive (rarely Docs), Calendar.
> Evolution, LibreOffice and a shiny SFTP client/file manager plugin met my
needs.
I use them too but they can't replace the above.
I find it not much different from the belief that there is an almighty entity
(God) watching from above your every move and thought and deciding where you
should go next.
The only difference - before it was an idea, now man has made it into a fact.
So man created the idea of god, then
Your answer makes no sense. It sounds like you oppose but you actually confirm
what was said in the original question. You cannot copy the dish, you can
only consume it. It is proprietary and you don't mind. Yet you mind the same
thing in another area. That's all.
Ok, then reduce it only to a few billion individual packages of WebExtensions
which would anyway be incompatible with some browsers.
Do you really think this is "the simplest solution"? Or even just simple? :)
New browser tested:
PaleMoon
Results:
With default ("factory") settings the browser starts with some PaleMoon's
page which obviously results in packets exchange.
After tightening of privacy settings (similar to previous browsers) the
result is:
+ No background chattering on startup
+
> That's not quite the same thing.
It is exactly the same thing. You are given something without insight into
the process (the source code).
> Proprietary software is like if they give you a recipe, but in a form that
you can't read;
No. It is a finished product. Just like a TV or a
> It should be free software.
Again: should/could != is. Still you sit in that vehicle and ride, you turn
on that radio (proprietary chips inside) and listen to music (copyrighted
non-copyleft material). You trust that airplane with all its complex systems
to take you from here to there
You seem to always explain everything with the FSF bible of freedoms. Let me
ask you some questions:
1. When you go to a restaurant, do you consider every dish for which you are
not given the recipe + the right to modify and redistribute it a "maybe
poison"?
2. Do you ever consume "maybe
I suppose the best thing we can do is have separate computers for everything:
One for watching YouTube, one for running JavaScript, one for personal
things, one for work etc.
:)
Ok. I tried myself but I am getting an error during compiling of the browser.
Their documentation seems incorrect. Then I tried simply running make but it
asks for libdom which is not available on openSUSE's repo. So I gave up.
I don't know where to start so I will stop.
That doesn't matter. A script can log your key presses.
> Is this code snippet copyrightable?
Here is the full script:
#!/bin/bash
if [ -z "$1" ]; then
echo "No link supplied as argument"
exit
fi
# [i] http://funbutlearn.com/2013/02/direct-download-link-to-your-google.html
echo $1 | sed -r -e
The question is trust and freedom.
Trusting one thing and not trusting another is a double standard. Someone
said "freedom is these 4 things" and people conform to trust "a community"
and to hate "a company" because the person has said "this is ethical".
It may sound outrageous but to me
> but I also guess you do have thousands of users who pay enough attention
and care enough as to use the tools ('member when we used tcpdump for
firecox?)
I don't know what this guess is based on. The fact is: only one user checked
it and he is not an expert whatsoever. This proves that
> I haven't directly seen an electron or the dwarf planet Pluto. I haven't
been to Thailand or Angola. Nor have I touched the original Rosetta Stone or
Terracotta Army.
Those are all things which have no or very little relation to your life. So
trust or no trust - it really doesn't expose
> If only laws like this had a prayer of passing in the US.
https://yro.slashdot.org/story/18/01/19/2210246/trump-signs-surveillance-extension-into-law
> Perhaps it is because of your time investment in your test that you weight
your test far too heavily.
No. It is because it shows something actual, not ideological or theoretical
like "would be better... if". As soon as Firefox (or a derivative) shows a
better behavior and overall
> A false sense of security is worse than no security at all, see
--disclaimer
That's a key point for all these tests. Remember that side-channel-execution
is a hardware bug, not software. So perhaps it can't really be fixed with
software patches but indeed just 'mitigated'. Whoever makes
> another application could exploit Spectre to access your browser
I store them in Gnome Keyring. Which of course is still unsafe to Spectre.
Nothing can save us from Spectre except a new CPU.
Recently I started doing something which is probably silly: if I have to
enable JS for short in a
> Why do you even bother responding if you're not going to actually refute my
reasoning?
I am not interested in fighting with you, regardless if you consider that the
only valid reason for providing a response. I am getting tired of all this.
It is impossible to discuss anything
> Then how can we depend on the possibility of catching usage of undocumented
instructions in Intel's binary code base?
FSF proponents here would argue that through trust (in so called community)
you get the necessary certainty. But as I have said on other occasions -
trust is a belief. It
Collectively - how does this actually work?
Say: 10 million lines of code for a program
10 programmers 1M lines each
100 programmers 100k lines each
1000 programmers 10k lines each (that looks feasible)
But do you really have 1000 programmers to check that program all of which
are:
-
Thanks. I am not sure if it is worth wasting the time of others. Isn't
NetSurf not quite up to date with current web standards? Looking at
http://www.netsurf-browser.org/documentation/progress.html (last updated
2012) I see it doesn't support HTML5, even CSS support is incomplete. Perhaps
These tests are fairly meaningless and can give you a false sense of security
(which is worse than knowing a system is insecure).
Just because you can hide your IP address and browser parameters doesn't mean
you can't be tracked through Tor. An advanced spying system detects actual
patterns
Good news. As long as one can compile it :)
> Another thought I had is to compare the about:config for Icecat and Tor
Browser and see if changing some of Icecat's values to match that of Tor
Browser can reduce background chatter.
I have been thinking the same (but only about Tor comparison). Additionally I
am planning to look at
Yes. Commercial VPNs are no different.
Good summary. I have been thinking the same as I also observe what is
happening. Although I didn't agree with some of your previous post I
intentionally didn't reply in order to avoid all that cycle. For similar
reason I don't want to engage into argumentation. That's why I prefer to
focus
> I suspect that you are instead using the word "argument" to mean "an angry
quarrel or disagreement"
https://www.youtube.com/watch?v=kQFKtI6gn9Y
No. I just think that insight is much more important than arguments. An
insight is a flash which happens when arguments stop and one looks at the
https://bugzilla.mozilla.org/show_bug.cgi?id=1424781#c20
Thanks for sharing about KDE. Has anyone filed a bug report about that
concern?
> Why does the running of “akonadictl stop” via cron initiate outgoing
traffic to a remote site?
I really don't know why it is necessary to stop akonadi every 6 minutes at
all. On my system it is stopped:
More findings about Firefox:
1. Download firefox from mozilla.org
2. firefox --ProfileManager --no-remote
3. Create a new profile and choose "Work offline"
4. Click "Start Firefox"
So far: zero packets sent
5. Close firefox
Result:
IP pc.59810 >
Maybe I should have said it is 50/50 without any other factors to avoid yet
another nitpicking.
> Lard is poison.
Eating ideas is much worse.
> You should not install proprietary microcode on your machine, but
already-existing microcode that cannot be removed is acceptable for now.
You have been accepting that lard "for now" in the last 22 years.
> This is why we have collective
> Here's a good resource for finding graphics cards that don't require
proprietary firmware. https://h-node.org/videocards/catalogue/en
Thanks for sharing. I have tried this one:
It seems you are missing the very first blatantly actual bug:
"Work offline" sends packets on closing of the browser. It is not offline at
all. So Mozilla can talk nonsense to infinity - this is not a documentation
bug.
> Once I know what I'm doing, what's the most helpful thing to
In KDE Plasma > System Settings > Color Management I have specified the color
profiles which should be used but when I install nouveau I see the desktop
colors as non-color managed (more saturated than they should be) which tells
me that perhaps color management doesn't work properly.
Thanks Mason. I already saw your comment. You are very diplomatic as usual :)
I think they must look at this as an actual bug, not just a documentation
issue. It has several parts:
- "Work offline" does not work offline (sends packets on exiting).
- The documentation is wrong
- There
> Pretty sure that one is the one that controls the entire thingy.
Considering everything discussed so far - I wonder how you can be pretty sure
(or even just sure) about any thingy without testing :)
> since then you have seemed to only mistrust free software developers by
default
This is incorrect. I don't mistrust a particular group of people. I question
the value of trust as a whole.
> putting the burden on people here who aren't even interested in non-free
software like Chromium
> If you don't believe in trust, why make an exception for Google?
If you are asking "Why do you trust Google" - I don't.
> the closest thing I see is asking Magic Banana to investigate the Firefox
source code, so I may have been mistaken.
Yep, np. And I wasn't necessarily asking him to
It seems to me you expect from people here to tell you how to talk to your
family so that they listen to you and stop using Facebook.
Ask yourself:
Why do you want to modify the behavior of others? How is that different from
what Facebook does? Are you able to love someone if he does stupid
> You use Chromium despite not understanding every line of source code. You
have argued, and I agree, that this requires trust.
I use it just because I haven't found anything better (privacy-wise).
FWIW I also use Google Apps... as I still can't find the perfect alternative
to it. But I
https://yro.slashdot.org/story/18/01/17/2141212/facebook-is-a-living-breathing-crime-scene-says-former-tech-insider
When you quote automatically whole (especially lengthy posts) it is difficult
to follow what exactly you are commenting on (without rereading the whole
post). You obviously do this through email but please consider quoting only
what you comment on.
As for recommendations to web developers:
> I won't tell you to change your decision
It is not particularly a decision but rather simple logic:
I still use Google's services and while I am looking for a freedom+privacy
respecting alternative it would be silly to drop them because this would
block my work. So considering that my
Midori
Procedure: Set home page to blank, disable scripts, restart.
Result:
On startup: Zero (0) packets sent.
On opening of preferences only this was shown in tcpdump:
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 132
IP pc.49352 > 239.255.255.250.ssdp: UDP, length 133
but only the first
New browser tested:
TOR
Result: Lots of background communication but all of it to subdomains of
your-server.de over https.
Can you recommend a way to send email (using the TOR network) with Gnome
Evolution? (so that the sender IP address is not revealed)
Note: I know about Tor Birdy but I don't plan to use Thunderbird
TOR is for anonymity.
VPN is for privacy (supposedly).
You can be identified even if you use TOR if you do wrong things, e.g. give
info to provide "a trace" which can lead to you.
Recently I was reading through a book called "Tor and the Dark Art of
Anonymity". It is fairly old but
> *That* (not adding noise) would be extremely inefficient. And why stopping
there? By your logic, every website should continuously broadcast whatever
they host to all online systems!
And by your logic it is much more efficient that the clients (which are
always more than the servers)
To use a VPN you pay and the payment is not anonymous. VPNs store logs (even
though they may claim they do not, it is safer to assume that they do). So a VPN
cannot give you anonymity, just a layer of privacy.
That's what I have read.
> Taking a look at outgoing connections is not enough to deem how
privacy-respectful a feature is. And that feature has advantages too.
The problem with this statement is that you know (or rather can check) only
what happens on the sending side. So you don't have enough data to evaluate
Just for the sake of privacy investigation I tested the same way Thunderbird
(without any profile/mail configured). On startup it immediately makes
connections to Amazon, Linode, Comodo, Akamai and other hosts etc. The
majority are HTTPS but some are plain HTTP connections.
To the best of my knowledge Bitcoin is not completely anonymous. There can
still be a trace to you if you buy the coins with a credit card. Also paying
in cash may not be completely anonymous because there may be CCTV at the
office you pay. It is difficult to evaluate how likely all this is
> I do not.
Then ask, don't assume or twist.
> Since you are redefining words, it is not surprising.
I have shared the original dictionary meaning of words. I don't define
anything, I just stick to it. If someone else has invented a new different
meaning because it sounds pleasing ("free
> Just a heads up that the way you've started quoting text does work in the
mailing list making this very difficult to read.
Thank you for mentioning that. I was just trying to make my post more
readable as ">" doesn't give good enough visual separation.
I was also wondering how to get
> I agree with (was it?) Lunduke when he says Mozilla is nothing else but
business.
youtube-dl https://www.youtube.com/watch?v=qMALm1VthGY
BTW I am looking for a way to search/browse Youtube without JS. Any ideas?
Testing as you suggested:
---
(Potential) issues which I see:
Mozilla:
- deliberately created telemetry
- enabled it by default
- created "features" imprisoning the user in their network
- made privacy an impossible task
- disrespect the effort put in the bug reports
- obviously don't care about fixing documentation
- partnered with Google
- relay the
> But may I ask, what's the alternative? Use Tor Browser exclusively? Lynx,
Mosaic? Wget? Curl?
Encrypted smoke signals.
And the so called documentation:
http://kb.mozillazine.org/About:config_entries
doesn't even mention settings about experiments, telemetry and datareporting.
I have just found something interesting. As a default setting in Tor there
is:
network.allow-experiments;true
For which ghacks says:
// 0341: disable Mozilla permission to silently opt you into tests
user_pref("network.allow-experiments", false);
When I tested for the first time in late December FF52 and 57 behaved the
same.
I have been thinking about the same about Tor but I think this may not work
correctly because in Tor things seem more complicated. Perhaps there are
additional (Tor specific) about:config variables which don't
> How is that inconvenient?
Private mode cleans cookies on each exit and I don't like having to re-login
to sites just because I restarted the browser.
> and ads are basically just javascript nowadays, rarely a plain image file
Just a side note: Pixel trackers are not JS based. And you can
New browser tested:
Brave
Result: Lots of background communication, even after tightening of settings.
Worse than Firefox.
Details submitted in bug report:
https://github.com/brave/browser-laptop/issues/12632
New browser tested with tcpdump: Konqueror
Settings used (listing only the ones different from the default values):
General
When Konqueror starts: Show blank page
Home page: about:blank
Performance
Always try to have one preloaded instance: OFF
Java
Enable JavaScript globally:
lynx
Behaves exactly as expected: zero packets sent on startup. Opening
https://fsf.org/robots.txt communicates only with fsf.org
Chromium new findings:
Opening settings:// sends packets to translate.google.com (although
translation is turned off). Testing browsing to actual pages shows
It's a matter of trust. If you still trust them after something like that,
your trust is easy. Mine is very difficult.
If you believe it was an unintentional bug then I would go so far as to call
you gullible.
A gullible person doesn't test browsers with tcpdump.
As far as the tcpdump test,
What's wrong with just calling it "privacy"? Privacy is important enough on
its own that I don't think we need to reframe the discussion in ways that
might cause confusion.
Nothing wrong at all. I just wanted to accent on the fact that for people
privacy (as a form of personal security) is
Perhaps they've done something differently from OpenSUSE either in their
build of Firefox or elsewhere in the distro?
In my tests I downloaded Firefox from Mozilla directly.
> Yeah, as I said a truly libre and privacy friendly browser would not come
with a ton of antiprivacy nonsense and a user should not have to do such a
hard work to 'clean it up'.
How can something be privacy friendly and come with antiprivacy? :)
> Will do later, I'm curious.
Great.
> Ugh. I spent a long time writing a message and then accidentally deleted
it.
For reasons like that I learned to first write my answer in a text file and
then paste it :)
> The forum is mirrored to a mailing list
Thanks, I already found that. Unfortunately it sends me emails from all
I am not enforcing rights on anyone. I am just pointing out the fact that on
the other side of the wire there is a compromised system which cannot be
trusted and that securing just one node in a network doesn't give security
of communication as long as the other nodes are not secure.
> it is because their communities do not see those as critical issues
This is nonsense. They have deliberately created the issue of telemetry and
all the rest. And they ignore repeatedly what has been shown to them. So it
is not because they "do not see". I have made everything possible so
I am not an authority in FOSS or any matter. I test for myself and share. I
am not selling anything. I don't even take donations.
If a program is good (works as expected, doesn't spy or damage data) and
gives you freedom 0 and 1 - do you really need freedom 2 and 3?
> unless of course the other person uses Gmail in which case it doesn't
matter
That is the actual case I am talking about. You may have the perfect free,
clean hardware and software, not use any spying services etc. but you have to
communicate with others and others are inside a corrupt
> I admire your persistence, mate Joe.
Join me.
> I don't know about Basilisk but AFAIK Palemoon is proprietary software. Is
it not?
Do I have to check even that? :)
https://www.palemoon.org/
"Pale Moon is, and will always be, completely FREE to download and use! (Open
Source and