At what point does all this surveillance capitalism tech become “unauthorized access?”
Port scanning with no user consent seems borderline malicious to me. Since the late 1990s I’ve seen language in ISP acceptable use policies banning port scanning hosts without consent. If this is widely considered malicious by industry norms for decades then how can this be considered ethical for a random website to do against a user’s machine?
Never, because unilateral contracts and a negotiation imbalance bless it as being authorized. It's similar to how artists can end up not owning the rights to their own songs. Any legal protection that is transferable ends up as a liability to the individual, as the market will strongly incentivize trading it away. The Coase theorem applies to your personal life.
Yes. Most if not all websites with typical "by continuing to use the site you agree to..." terms will drop cookies and fingerprint the user on their first visit, breaching their own contract. They do it even if lack of consent is made explicit by including Do Not Track in the HTTP headers.
These terms are obviously an attempt to get away with questionable behavior. Instead of simply not doing bad things, they insist and point people to the legalese when they complain as if it excused everything.
Exactly. It's very easy to be compliant with privacy law if you aren't stalking your users in the first place. The best example I've seen for doing it right was from godbolt.org, whose GDPR notice is refreshingly direct.
> The Compiler Explorer team believes the Compiler Explorer site is compliant with the EU's General Data Protection Regulation (GDPR). Specifically, we store no personally identifying information, we anonymise the little data that we do have and we do not permanently store any user data.
Just because someone puts something in a ToS, that doesn't mean it's necessarily lawful to do it or that the term carries legal weight in any other way. Consumer protection laws are full of rules that say, roughly speaking, "You may not do this, and any attempt to permit it shall be void/illegal". That's why in my country you often see signs in shops, usually underneath whatever guarantee/refund/exchange policy the store voluntarily offers, that say "Your statutory rights are not affected." It's the same sort of argument that results in contracts disclaiming liability for everything under the sun but also including a clause that says they explicitly do not disclaim liability for certain specific outcomes like causing serious injury or death.
Additionally, website terms of service are (almost exclusively) adhesion contracts -- you don't have any ability to amend them before you accept, just say yes or no. There's a whole different set of precedents for these type of contract. Notably, unexpected/nonstandard terms are unlikely to be enforceable.
IANAL, but this is coming from a business law course I took in undergrad.
The hairyness there is that there are legitimate reasons to port scan. Think of it like checking locks or oiling hinges on doors and windows.
Totally benign in your own home; gets awkward elsewhere right? I still do it though occasionally when I arrive at a new place if the signage is bad though.
Now, what about when your friend comes over, bringing the "house" of their laptop with them. It's on your network; seems like you should be in safe waters to do that port checking since it's in line with what you'd normally do, but their stuff isn't yours. Solution? "Hey, mind if I..." or, "Here's the guest network password".
Where I draw the absolute line is where you start to get this implied consent nonsense where that interaction never takes place, or in a form where the entity doing it never has to make the fact they are consciously up front to the User in question, and provides no alternative if the user doesn't agree.
Of course they implicitly do... Just don't use the website, which I practice. However it is becoming increasingly pervasive enough that I think we need to recognize the positive utility of integrating this sort of meta-layer concern into our basic social protocols in some way.
It's not impossible they are breaking Swedish law, as our computer security laws essentially requires you to have an explicit right to do something with regards to someone elses computing resources to be allowed to do so.
As far as I understand it, there doesn't have to be any circumvention of technical protections for the possibility of a crime to occur, but only accessing computing resources having lack of some equivalent of explicit authorization.
I'm unsure of a TOS that mentioned it would hold up, I would assume no as it's not something the average consumer would a) expect b) easily understand c) might not even be in the position to accept, ie when accessing a site from a computer they don't own, they might not have the authority to allow a port scan.
I can understand banks using client fingerprinting for fraud detection, but Chick-fil-A? Are they worried that people might steal $5 of restaurant vouchers?
I know in the past Chick-fil-a has been criticized for its conservative views; perhaps this was related to their efforts to mitigate attacks on the website?
You'd be surprised, Chick-fil-a has a TON of fraud to deal with given their food's popularity. They push the "convenience" of the mobile app (and it is in some ways), but coupon fraud was also a big hidden reason driving that; basically all paper vouchers or barcode-based coupons moved over to app-only. Same for their Christmas calendars that used to be paper coupons + those receipt-based "Free Sandwich" surveys, etc... all have been clamped down with vastly increased security over the years.
There might be a bit more sympathy for their plight, and a self-correcting problem if they'd explain why they were doing it.
Sometimes just by pointing out that it's an issue, people will start to adjust their behavior to make it not an issue anymore. There'll always be some ne'er-do-wells, but if we let that deconstruct our expectation of positive respect for one another's time and stuff, well... You reap what you sow.
A few months ago the official Android app for Instant Pot would not let me view recipes due to my device being rooted (I just checked and they have since changed this). Up until a couple years ago, my credit union had a password length limit of 10 characters. I can use 2 factor authentication with my power utility but not with my credit card company. Companies seem to have an extremely uneven view of what calls for strict security measures and what doesn't.
> I can understand banks using client fingerprinting for fraud detection
Why? What is it about banks that somehow legitimitizes this malware? They shouldn't get to pull out all the stops in order to prevent fraud just because it exists. There are some lines we can't let them cross. It doesn't matter how much money they lose.
Malware is, by definition, malicious software. Your bank attempting to prevent people from stealing your money is not malicious. Yes, your bank is insured and if your money is stolen you have a decent chance of getting the money back eventually, but not until you're able to prove it was fraud and that process finishes. That could take months in some cases, and you're missing all your money in the mean time, which is long enough that for many people they wouldn't be able to pay bills and could face eviction in the mean time.
So would it be okay if your bank forced you to install a kernel driver so it can intercept and log every network connection? Would it be okay for mobile banking apps to request every permission available and refuse to let you do anything unless you grant them? All this for "fraud prevention purposes"? Because that's what banks are like in my country.
There is no guarantee they will limit themselves to fraud prevention anyway. Any information collected is highly likely to also end up in the hands of marketing, governments and god knows who else. Without this guarantee, any and all "fraud prevention attempts" should absolutely be considered malicious.
"""In our tests, uBlock is unable to block the port scans in the new Microsoft Edge or Google Chrome as the extension does not have adequate permissions to uncloak the DNS CNAME records."""
And/or NextDNS.io - Uncloaking cloaked domains is primary what brought me to the service. Added benefits include service across all browsers, all devices, local/mobile etc.
One problem I seem to be having with FF (on Win 10 anyway) is it's not checking my hosts file for a domain lookup before using dns. Overriding the hosts file makes some things easier so I tend to do it. But now, my first time trying from Win, and it's not getting my page. Chrome works, ssh from WSL works, but FF uses dns first, apparently.
It's the first development usage I've found that Chrome works better than FF.
If you want to use DNS-over-HTTPS, you can add domain names to "network.trr.excluded-domains" in "about:config" (if, for example, you always use the .dev TLD for custom hostnames in your hosts file, you can simply exclude that domain name).
If not, well, just disable DNS-over-HTTPS entirely.
I remember when Chrome started making these permission changes and claimed that it wouldn't affect things like ublock, despite the ublock authors saying otherwise. Google is going out of its way to use the power it has as the dominant web browser to weaken ad blocking, and anyone who cares about a free web should run screaming away from Chrome based browsers.
Microsoft only seem to be acting well again because they're in the company of entities acting worse.
Google will have to be specifically not leading the charge, which may well be the case in 15 years. Google will be hiding behind a shield of some other companies worse behaviour in order to seem to be behaving well.
Windows is still going backwards in terms of hostility to users.
Truly, I don't know how one can look at Windows 10 and think Microsoft has in any way improved: the entire OS spies on you at every corner now, bloatware automatically installs in the background, updates are installed without your consent, and more.
Hahaha, yes, my wording is ambiguous, but you can probably gather from the tone and content of the first sentence that I mean it's becoming more user-hostile.
Google's new permissions model and APIs are actually great for weakening the power and abuse potential of extensions. Honestly, the vast majority of them aren't very trustworthy. I've seen extensions from banks that simply take over the entire browser for "fraud prevention" or some other nonsense. The new declarative APIs are great because extensions don't actually get access to user data.
Blockers just happen to be so important and trusted that they shouldn't be subjected to these reasonable limitations. Extensions like uBlock Origin and Privacy Badger are so special and important that they should probably be fully integrated into the browser itself instead of being optional.
Exactly. These extensions empower the user to such an extent they should just become part of the browser instead. Browsers that lack these features could hardly be classified as user agents. They're more like generic clients for corporate websites.
Browsers are supposed to act on our behalf by showing us the information we want to see. They aren't supposed to show us advertising noise for someone else's benefit, much less allow websites to track our every move. All such attempts should be resisted.
Interesting. Anybody knows if these changes to the blocking API affect brave? I think I remember they said they wouldn't include them, but I don't really trust them.
I'm thinking that arbitrary domains should not have access to any resource on '127.0.0.1', for the same reason that browsers restrict access to resources at 'file://' without user permission.
It isn't just websites. It's everything really. The industry has proven to me time and again that it is not worth it to explain to user's what they are doing and why they are doing it. Doing so seems like a complete waste of time on the micro-scale, but on the macro-scale it builds confidence in the integrity of practitioners and the business they're hired by by customers, reaffirms positive social values/norms (asking for permission, politely explaining when asked a question, and respecting other's prooerty), and it increases the bar in terms of expectation, and helps educate users by shaping their expectation of what kinds of things one should expect a computer to be able to do.
There wouldn't be half the computational illiteracy there is if we'd take the time to explain the basics.
This vulnerability predates websockets (in fact, you can exploit it even without Javascript) - they just make things more convenient.
Apparently, the shit hit the fan a while ago, prompting Opera to implement 'cross network protection'[1], but other browser vendors did not follow suit.
I'm increasingly convinced LexisNexis is an example of a pervasive monitoring/integration actor that has by this point scaled to the point their mere existence should be considered an attack.
The level of data aggregation, and the lengths gone through to acquire that data are just disturbing as all hell.
You can say, on the one hand that the fact they pop up everywhere is clearly a sign they provide a positive benefit to society, but nowhere I've been actually does anything to make you aware of what LexisNexis actually is, or what they provide. They're basically the Ur-example of the "Shadowy info-broker" tropeI've come across in real life.
The question that seems to be boiling to the top of life lately is whether or not there is a place in the world for a legitimate business whose business is to know as much as possible about everyone else's business.
The answer, from my perspective, is no, absolutely not. The market seems to deem otherwise.
My understanding is that you can use WebRTC and other methods of JavaScript to port scan a computer. Heck, you can literally run BitTorrent on a website using WebTorrent. You could force users to download and share copyrighted movies or other illegal material in the background without their knowledge when they visit your website. The state of the browsers is a disaster and security nightmare. Wasm is only going to make it worse. Soon you'll essentially be running binary blobs when you visit a website. What was supposed to be a permissioned sandbox to protect users, turned into an advertisers and malicious hackers' wet dream.
I think there needs to be more alternatives to JavaScript at this point.
> Heck, you can literally run BitTorrent on a website using WebTorrent. You could force users to download and share copyrighted movies or other illegal material in the background without their knowledge when they visit your website
Yes, I wrote this a few times in threads like this but for some reason
this is mostly ignored. Having WebRTC enabled by default can get you in
legal trouble (at least in a country like Germany where lawyers send
you letters based on IP addresses).
Having all three of: 1) a hypertext document viewing & retrieval system, 2) a shopping and payment system, and 3) a free-form application platform, all mixed together, is simply nuts. Clicking a link in your hypertext document viewer shouldn't load another thing that kinda looks like a hypertext document but is in fact an application, maybe containing malware, without any notification that you're about to start running arbitrary code. We have those "allow download?" prompts and don't auto-run downloaded executables for a reason. JS in the browser has way too much power to be secure. Just letting it ever initiate a remote connection without explicit user say-so, or to modify form contents being sent, any of that stuff, is probably enough to disqualify it as a sensible thing to include in your hypertext browser.
I actually think #2 could probably co-exist with #1 pretty well, and more securely than it could with #3. Would mean building a payment flow and (maybe) a shopping cart directly into the browser. Challenging, but way less work than the 50,000,000 (and counting) implementations of those in HTML+CSS+JS have been been.
The alternative is to promote JS whitelisting, but then you get a bunch of web developers screaming at you because they somehow feel like they have the right to run arbitrary code on their visitor's computers --- even to do things which shouldn't require such invasiveness.
I wonder if popularising banners on sites saying "You have JavaScript enabled, please disable it for a safer browsing experience [link to click that discusses all the negatives and how to do JS whitelisting]", in direct opposition to what some sites are doing, may have an effect...
(I've been doing that for over 2 decades now, and I naturally avoid web-app sites, but that's getting harder these days. Twenty years and I still have less than 100 sites I trust to run JS on.)
I’m surprised any web site is doing something this risky to themselves. Say I’m an attacker. I visit their website, and they attempt to open a connection to me. I accept the connection and send back a target payload to their scanner, which is certainly less well tested than their public website’s software. Even better, that seems exceptionally hard to prosecute: “wait, didn’t you go out of your way to ask the defendant to send you that data?”
Good thinking, but if I understand correctly, the javascript running the scan is running on your browser. So the scan is coming from the browser process, and both sides of the connection have IP address 127.0.0.1.
That javascript can then report back, or take other actions in your web session.
It's not a port scan in the sense of them opening a socket from their server to your computer.
It’s not impossible. They could be doing something stupid like running eval on a JSON payload, or generating SQL insert statements from the unsanitised data. But I doubt it.
83 comments
[ 2.7 ms ] story [ 140 ms ] threadPort scanning with no user consent seems borderline malicious to me. Since the late 1990s I’ve seen language in ISP acceptable use policies banning port scanning hosts without consent. If this is widely considered malicious by industry norms for decades then how can this be considered ethical for a random website to do against a user’s machine?
Apparently, the language "deliberate circumvention" makes a big difference in the context of US CFAA because of some precedent.
> For example, Citibank, Ameriprise, and TIAA-CREF immediately port scanned our computers when visiting the main page of the site.
These terms are obviously an attempt to get away with questionable behavior. Instead of simply not doing bad things, they insist and point people to the legalese when they complain as if it excused everything.
> The Compiler Explorer team believes the Compiler Explorer site is compliant with the EU's General Data Protection Regulation (GDPR). Specifically, we store no personally identifying information, we anonymise the little data that we do have and we do not permanently store any user data.
IANAL, but this is coming from a business law course I took in undergrad.
Totally benign in your own home; gets awkward elsewhere right? I still do it though occasionally when I arrive at a new place if the signage is bad though.
Now, what about when your friend comes over, bringing the "house" of their laptop with them. It's on your network; seems like you should be in safe waters to do that port checking since it's in line with what you'd normally do, but their stuff isn't yours. Solution? "Hey, mind if I..." or, "Here's the guest network password".
Where I draw the absolute line is where you start to get this implied consent nonsense where that interaction never takes place, or in a form where the entity doing it never has to make the fact they are consciously up front to the User in question, and provides no alternative if the user doesn't agree.
Of course they implicitly do... Just don't use the website, which I practice. However it is becoming increasingly pervasive enough that I think we need to recognize the positive utility of integrating this sort of meta-layer concern into our basic social protocols in some way.
As far as I understand it, there doesn't have to be any circumvention of technical protections for the possibility of a crime to occur, but only accessing computing resources having lack of some equivalent of explicit authorization.
I'm unsure of a TOS that mentioned it would hold up, I would assume no as it's not something the average consumer would a) expect b) easily understand c) might not even be in the position to accept, ie when accessing a site from a computer they don't own, they might not have the authority to allow a port scan.
Sometimes just by pointing out that it's an issue, people will start to adjust their behavior to make it not an issue anymore. There'll always be some ne'er-do-wells, but if we let that deconstruct our expectation of positive respect for one another's time and stuff, well... You reap what you sow.
Why? What is it about banks that somehow legitimitizes this malware? They shouldn't get to pull out all the stops in order to prevent fraud just because it exists. There are some lines we can't let them cross. It doesn't matter how much money they lose.
There is no guarantee they will limit themselves to fraud prevention anyway. Any information collected is highly likely to also end up in the hands of marketing, governments and god knows who else. Without this guarantee, any and all "fraud prevention attempts" should absolutely be considered malicious.
Seems highly relevant...
https://news.ycombinator.com/item?id=23318830
It's the first development usage I've found that Chrome works better than FF.
If not, well, just disable DNS-over-HTTPS entirely.
See https://wiki.mozilla.org/Trusted_Recursive_Resolver for even more DoH-related settings you can tweak.
And everybody will forgive, and people will defend them on HN for being redeemed, and they will be alright.
That's been the trend.
Google will have to be specifically not leading the charge, which may well be the case in 15 years. Google will be hiding behind a shield of some other companies worse behaviour in order to seem to be behaving well.
Windows is still going backwards in terms of hostility to users.
Do you mean that Windows is becoming more user-hostile, or less?
* * *
[1] https://developer.chrome.com/extensions/migrating_to_manifes...
[2] https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...
Blockers just happen to be so important and trusted that they shouldn't be subjected to these reasonable limitations. Extensions like uBlock Origin and Privacy Badger are so special and important that they should probably be fully integrated into the browser itself instead of being optional.
Browsers are supposed to act on our behalf by showing us the information we want to see. They aren't supposed to show us advertising noise for someone else's benefit, much less allow websites to track our every move. All such attempts should be resisted.
There wouldn't be half the computational illiteracy there is if we'd take the time to explain the basics.
Apparently, the shit hit the fan a while ago, prompting Opera to implement 'cross network protection'[1], but other browser vendors did not follow suit.
[1] https://web.archive.org/web/20121001002815/http://my.opera.c...
The level of data aggregation, and the lengths gone through to acquire that data are just disturbing as all hell.
You can say, on the one hand that the fact they pop up everywhere is clearly a sign they provide a positive benefit to society, but nowhere I've been actually does anything to make you aware of what LexisNexis actually is, or what they provide. They're basically the Ur-example of the "Shadowy info-broker" tropeI've come across in real life.
The question that seems to be boiling to the top of life lately is whether or not there is a place in the world for a legitimate business whose business is to know as much as possible about everyone else's business.
The answer, from my perspective, is no, absolutely not. The market seems to deem otherwise.
I think there needs to be more alternatives to JavaScript at this point.
Yes, I wrote this a few times in threads like this but for some reason this is mostly ignored. Having WebRTC enabled by default can get you in legal trouble (at least in a country like Germany where lawyers send you letters based on IP addresses).
I actually think #2 could probably co-exist with #1 pretty well, and more securely than it could with #3. Would mean building a payment flow and (maybe) a shopping cart directly into the browser. Challenging, but way less work than the 50,000,000 (and counting) implementations of those in HTML+CSS+JS have been been.
I wonder if popularising banners on sites saying "You have JavaScript enabled, please disable it for a safer browsing experience [link to click that discusses all the negatives and how to do JS whitelisting]", in direct opposition to what some sites are doing, may have an effect...
(I've been doing that for over 2 decades now, and I naturally avoid web-app sites, but that's getting harder these days. Twenty years and I still have less than 100 sites I trust to run JS on.)
Wouldn’t matter what language it was. It could be Python or Rust or anything that implemented the WebSocket API.
That javascript can then report back, or take other actions in your web session.
It's not a port scan in the sense of them opening a socket from their server to your computer.