this is great. I've been well shielded from badware thanks to using FOSS since 96, but Android/Windows are a cesspit of apps that have 0 value (e.g. CMSecurity, Tune-up utilities et al) and are constantly reporting about non-problems ("risk detected" or "junk found"), with sole purpose of displaying an ad. Android (and Windows) security apps not only suck but condition you into an OC behavior for a reward (now your phone is clean).
Badware has existed for *NIX (FOSS or not). The first internet worm, back in 1988, targeted Sendmail [1]. OSes, including FOSS ones (except OpenBSD), used to have all kind of services enabled by default in the '90s. Remotely exploitable vulnerability existed in IPv6 in the Linux kernel around 2005/2006. We had shellshock as well. Just recently in 2018, there was Meltdown and Spectre bug which was remotely exploitable via JavaScript. Also, Android is arguably FOSS. Symbian is as well, nowadays.
There's a difference between unintentional bugs, which it seems a bit harsh to call "badware", and actual malware or very sloppily written, low-value commercial software that recklessly behaves almost like malware.
Also, Android, as running on most commercially available phones, is not FOSS because it contains Google's proprietary extensions and probably hardware drivers/firmware as well.
> There's a difference between unintentional bugs, which it seems a bit harsh to call "badware", and actual malware or very sloppily written, low-value commercial software that recklessly behaves almost like malware.
There's not much difference between the latter and all these smartphones, smart TVs, and other IoT devices which receive software updates for 2 or 3 years after release if you're lucky.
> Also, Android, as running on most commercially available phones, is not FOSS because it contains Google's proprietary extensions and probably hardware drivers/firmware as well.
True, its a mix. I can recommend LineageOS + microG [1]
> but Android/Windows are a cesspit of apps that have 0 value
Problem is that outside of IT tech circles the marketing of this crapware works really effectively - many simply believe the claims the ads post and buy the snake oil. The only real solution to this problem (other than law enforcement, which doesn't work because crime is international) is a hard app store requirement like on iOS, but that carries its own problems for user freedom and isn't perfect either.
But I find it kind of ironic that a site that warns about malware wants JavaScript, just to display static content.
On the positive side, the JS code seems to be used only for loading custom fonts, and the website looks perfectly well without JavaScript using the standard system fonts.
Your code example reminds me of what I just read on the StopBadware website:
> Some badware may not have malicious intentions, but still fails to put the user in control. Consider, for example, a browser toolbar that helps you shop online more effectively but does not mention that it will send a list of everything you buy online to the company that provides the toolbar.
Using hosted fonts so that they may be cached and CDN-served might not be bad, but the use of these has the effect of sharing everything you do online with Google.
It's also quite trivial to serve them locally (even fonts that you got from Google Fonts), and http/2 greatly reduces the impact of serving them (as long as they are reasonably sized). And font-display: fallback or font-display: optional in your css will also reduce the impact.
The CSS on this site is not done very well. There's a noticeable white flash while the page loads 73 CSS files. Kind of surprising because the site looks quite professional apart from that.
It doesn't remotely fit the screen on mobile and I cannot zoom out. Was unable to figure out what the site's purpose is and closed it with slight annoyance.
I feel like the idea for what “badware” is, according to this site, is put forward to assist non-english speakers, in negotiating software choices in a world where the dominant locale option is English.
Beyond a certain level of awareness and computer literacy, this site is only collecting obvious facts and offering a new name for them. I don’t foresee anyone fluent in English, above middle school age, finding a great deal of utility here.
17 comments
[ 3.8 ms ] story [ 43.6 ms ] thread[1] https://en.wikipedia.org/wiki/Morris_worm
Also, Android, as running on most commercially available phones, is not FOSS because it contains Google's proprietary extensions and probably hardware drivers/firmware as well.
There's not much difference between the latter and all these smartphones, smart TVs, and other IoT devices which receive software updates for 2 or 3 years after release if you're lucky.
> Also, Android, as running on most commercially available phones, is not FOSS because it contains Google's proprietary extensions and probably hardware drivers/firmware as well.
True, its a mix. I can recommend LineageOS + microG [1]
[1] https://lineage.microg.org/
Problem is that outside of IT tech circles the marketing of this crapware works really effectively - many simply believe the claims the ads post and buy the snake oil. The only real solution to this problem (other than law enforcement, which doesn't work because crime is international) is a hard app store requirement like on iOS, but that carries its own problems for user freedom and isn't perfect either.
But I find it kind of ironic that a site that warns about malware wants JavaScript, just to display static content.
On the positive side, the JS code seems to be used only for loading custom fonts, and the website looks perfectly well without JavaScript using the standard system fonts.
But it does not explain why they need to use it.
Moreover, they load a bunch of other JS libraries whose added value is practically non-existent (except maybe for their "email protection"):
(Note the that "superfish" here is about menus, i.e. not the well-known badware distributed by Lenovo.)Your code example reminds me of what I just read on the StopBadware website:
> Some badware may not have malicious intentions, but still fails to put the user in control. Consider, for example, a browser toolbar that helps you shop online more effectively but does not mention that it will send a list of everything you buy online to the company that provides the toolbar.
Using hosted fonts so that they may be cached and CDN-served might not be bad, but the use of these has the effect of sharing everything you do online with Google.
https://simple.wikipedia.org/wiki/Main_Page
Maybe some people need this sort of thing?
I feel like the idea for what “badware” is, according to this site, is put forward to assist non-english speakers, in negotiating software choices in a world where the dominant locale option is English.
Beyond a certain level of awareness and computer literacy, this site is only collecting obvious facts and offering a new name for them. I don’t foresee anyone fluent in English, above middle school age, finding a great deal of utility here.