14 comments

[ 3.8 ms ] story [ 51.9 ms ] thread
Instant pop-up of a chat, from "Matt - A Real Human" is a significant turn-off for me.

For a company that is promoting privacy, it's also discouraging to see that your privacy policy seems to only apply additional data protection rights to those within the EEA, rather than universally applying them. I'm hoping, in good faith, that this applies to everyone but is specifically spelled out for those within the EEA. If this is the case, you might want to be clear that those rights apply to everyone, not just those residing in the EEA. (If not - I'd love to hear the justification!)

Thanks for the feedback. Privacy rights are meant to apply to everyone. Will check the wording of the privacy policy to make that clear.

Regarding the instant popup, unfortunately I'm not able to keep it hidden with Drift, but wanted to make sure visitors know they can easily reach me.

I would like to know more about how the scoring-system works. I think this will be added, don't hurry - but i am curious how that works in "realtime". Every second younbeloved extension can potentially turn into your enemy.

And how does IT react on a match? Unplug the machine from the net? Close the browser? Turn off power? Sirenes?

I love the idea of your service. But how to execute countermeasures, when the red flag is raised?

Realtime refers to installations, not necessarily the threat of the extension. If a user installs an extension, you should know if the extension is a threat as soon as possible whether or not it has exposed data.

Scoring is a complex problem and there's some literature on the subject. We can break down scoring / threat intelligence into a few buckets:

- Known bad actors: some extensions are known bad actors. They've exposed data and even made the news for it. Let's make sure those are absolutely not running in your environment.

- Heuristic classification: a number of heuristics can be used to score the threat of an extension, for example, the permissions it requests, its content security policy, etc...

- Automated code review: even if an extension developer is not themselves intentionally malicious, the extension may be using outdated or vulnerable libraries that can be exploited by others.

- Manual review: there are over 200k extensions so an extensive manual review of each is not practical. Still, for the most popular extensions, a manual review can effectively score the extension based on factors that are difficult to automate. For example, review of the privacy policy, investigation of the owner entity and its business practices, etc...

- Corroboration / triangulation: a category of threat detection that Extension Monitor will be able to provide at scale is that of cross-referencing installations with purchased data to single out likely sources.

These may also apply to a single extension across versions / time.

Regarding counter-measures, Extension Monitor is read-only at this time, so remedying the threat is environment specific. Some fleet management solutions may provide this. Other self-managed machines would require the machines administrator to remove the extension. Some teams that already allowlist or blocklist extensions would find the threat scores useful in their own manual investigations of which extensions to allow or block.

Hope this helps,

Will (still a real human... and not a Matt)

Well, i think he has a valid point and it's true: Matt is a real human.
But revisting the page on firefox, his name is now: Will.

Em. This is confusing surreal and contraty to the expectation of "real".

Will it be able to switch gender, when i test landscape-mode?

I am a real human indeed. I can assure you my name is and has always been Will, regardless of the browser. I'm not sure where Matt comes from. Maybe I look like a Matt?

I can also assure you I'm not going to switch gender in the foreseeable future. I'm quite comfortable as a cisgender man.

:) Thank you for clarifying this - I hope I didn't miss the tone. I was making fun of this app / popup-widget - and not your name, of course.

I think it is a good thing to know when there is a real human behind a product, project. But it's sad when the chat-technology makes this effort senseless by switching names.

Haha, I totally understand. The funny thing to me is that the widget doesn't change the name at all. The name always shows up as "Will - A Real Human". @ziddoap just misremembered the name as Matt. They're pretty similar.
I wish I knew I was supposed to take a screenshot of it - it certainly wasn't a case of mis-remembering. In fact, there was no remembering to be had considering the website was loaded at the time of my posting.
This just in... Drift _does_ allow you to turn off the pop-up. It's now off :)

- Will (not Matt)

The website seems a bit broken (in Firefox 67):

- "Log in" link does nothing

- this green link(?) also does nothing https://i.vgy.me/D0oGjd.png

- the Pricing page is empty https://i.vgy.me/17yhiD.png (it works in Chrome though)

- the newsletter form layout is broken https://i.vgy.me/P4qtHn.png (seems okay in Chrome too)

Thanks for reporting these. I'll check it out in Firefox.

I heard about the pricing section being an issue for some but haven't been able to reproduce it. I'm going to setup BrowserStack to find all of the issues.