I guess they mean that Gitlab is funded in part by In-Q-Tel. In-Q-Tel is a VC started by the CIA (https://www.npr.org/sections/alltechconsidered/2012/07/16/15...) that now is used by many actors of the IC. It also has a side effect of making gitlab inaccessible in some export restricted countries.
That doesn't appear to align with what the Blacklight results actually say: "Blacklight detected a script belonging to the company Swiftype, Inc. doing this on this site." Presumably this is being used for autocomplete/search functionality, but it is a third-party script, not just Gitlab hotkeys.
Clickbait with an agenda would be unethical behaviour as well.
Like i said, I'm not defending Gitlab. But there's a difference in impact between "theres 15 trackers in the tool i use" and "there's 15 trackers in the marketing page i never visit".
Don't make it sound like you don't understand that difference.
If the cookies and/or same origin policy are shared between the marketing page and the actual "business" pages then it doesn't matter - both sides should be considered compromised.
Not affiliated with any company, just wanted to share something I found interesting. I don’t use the web UI much at all anyway. I did insert a repo url to the tool, but it redirected to the about page.
That's not what they mean by "keylogger" and some reasonable people would agree with them on their naming. Suppose you have a log-in page, and a user name field, password field, and a "Log in" button. If a website secretly submits everything entered into the password field even when "Log in" isn't clicked, such as when a user accidentally pastes a password for another website and realises it before logging in, I think most people would call that a keylogger.
In Gitlab's case, it seems to be their search function. It provides search results without needing to press Enter or clicking a button. From a technical POV, this is the exact same kind of keylogging as the above, it's only the intent that makes this okay and the above not so.
Would you agree that keylogger is a term for malicious software with the purpose of stealing private data such as credentials?
Is this is the case, then the latter is not keylogging.
The former is some sort of logging, but I wouldn't call it keylogging; after all, you are still entering data to the particular filed intended for entering credentials, to be sent to the remote server for verification. If the purpose of the remote server is something more nefarious, then it is keylogging.
The feature would even make sense if the server would let you in without pressing enter; but for understandable reasons this is not really a thing..
> Would you agree that keylogger is a term for malicious software with the purpose of stealing private data such as credentials?
No, I would not. Keylogger, I would say, is what the name implies: is a term for software that records keystrokes. In order for the term to be useful we have to limit it to such software where the recording is not obvious to the user, as otherwise even Notepad would count, but we do not have to limit it to malicious software.
Would that go along with the common consensus, or perhaps water down the term to near meaningless? Maybe Firefox is keylogging my input as well; and in fact, so is Linux. Keyboard itself, definitely.
Once I had X11 enter old keystrokes (so it had missed the read position in the input ring buffer and every stroke entered a key from the past); keyloggers all around.
Kidding aside, I believe it is important to use terminology all parties agree on; after all, words are a tool for communicating. Even if an individual finds a deeper or "fundamental" meaning in a word outside the typical use of a word, attempting to use and understand it in such a way hinders communication.
Agreed, if there is consensus on what a word means it's unnecessarily distracting to use it in a different sense. In this case, the common meaning of keylogger is not restricted to malicious software, so we shouldn't insist here that it is.
>the common meaning of keylogger is not restricted to malicious software
Over 99% of the hits on a google search use keylogger restricted to malicious software (sampled the first dozen or so pages). The first sentence in Wikipedia is "Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored". The top definition googling a definition is
"a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information."
What metric did you use to conclude that the "common meaning" is not this common meaning? Not a single place I have found claims the common meaning is anything other than surreptitiously recording user keystrokes for nefarious purposes. Do you have even one such link?
I'm curious what you searched for, because the majority of the very first page of Google search results agrees with me, actually. Two of these say define keyloggers in a way that is inherently malicious, most give a neutral definition. They do go on to say how such software can be used by criminals, but most do not say that keyloggers are inherently malicious, and some very specifically deny that:
> Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored.
> A keylogger (short for keystroke logger) is software that tracks or logs the keys struck on your keyboard, typically in a covert manner so that you don’t know that your actions are being monitored. This is usually done with malicious intent to collect your account information, credit card numbers, user names, passwords, and other private data.
> Keyloggers are often used as a spyware tool by cybercriminals [...]. Keylogger recorders may also be used by: [...] These uses could be considered ethical or appropriate in varying degrees.
> Keyloggers are a common tool for corporations, which information technology departments use to troubleshoot technical problems on their systems and networks—or to keep an eye on employees surreptitiously. The same goes for, say, parents, who want to monitor their children’s activities.
> At its most basic definition, a keylogger is a function which records or keystrokes on a computer. Taken at this basic level, a keylogger looks absolutely harmless. In the hands of a hacker or a cybercriminal, a keylogger is a potent tool to steal away your information.
1st: title mentions they're used by attackers. First sentence: "Keystroke logging software is one of the oldest forms of malware. Under "definition" they state "One of the oldest forms of cyber threat, these keystroke loggers record the information you type into a website or application and send to back to a third party"
Why did you take your sentence out of context? Those above and below state keyloggers are used for criminal activity. The article is about keyloggers being malicious.
Second link: "Today, keyloggers are mainly used to steal user data relating to various online payment systems, and virus writers are constantly writing new keylogger Trojans for this very purpose."
Well, I guess that defines the common usage, hence the word "most". The article also states that "keyloggers have pushed phishing out of first place as the most-used method in the theft of confidential information". So not only are they mostly used for crime, they are the number one method for stealing confidential information.
And most every other link you posted also either defines them as malicious or points out that most uses are malicious.
So, by what metric you claim ". Yes, a keylogger need not be malicious. But so far you competently have made the case that the common meaning is most certainly malicious, and it's not even a close assessment.
So - what was your metric to claim "the common meaning of keylogger is not restricted to malicious software"? This list clearly supports that malicious use is by far the common meaning.
Please state your metric for "common meaning" then we'll test it. If you have no metric, we're done, since so far all the data points to your claim being false.
For the first link: here, you're either not actually reading or being blatantly dishonest. Either way, shame on you, and I'm not going to respond to anything else you write after this message. Feel free to reply to get the last word in. I'm not taking the sentence out of context, "Keyloggers are a type of monitoring software designed to record keystrokes made by a user." is the whole damn definition. The rest of what follows is what that definition actually means, and impressive how you then conveniently leave the "However, they also have legitimate uses within businesses to troubleshoot, improve user experience, or monitor employees. Law enforcement and intelligence agencies also uses keylogging for surveillance purposes." out of it.
For the rest, nobody, not myself, nor anyone else here, has suggested that keyloggers are not primarily used maliciously. Of course they are, we all know that. The whole question is whether it's possible for non-malicious keyloggers to also exist, or rephrased, whether the definition of keylogger inherently excludes anything non-malicious. You're only looking at what they refer to using that term, which will be almost exclusively malware, but that's not the point, you're not looking at how they're defining the term.
>For the first link: here, you're either not actually reading or being blatantly dishonest.
Here is your quote written to represent the link: "Keyloggers are a type of monitoring software designed to record keystrokes made by a user."
Here is that quote with the surrounding sentences:
"Keystroke logging software is one of the oldest forms of malware, dating back to typewriters. It's still popular and often used as part of larger cyber attacks. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. One of the oldest forms of cyber threat, these keystroke loggers record the information you type into a website or application and send to back to a third party."
Now again tell me who is dishonest?
> they also have legitimate uses
No one disputed that. Your claim is the most common use of the term is not related to malware. Focus on the "most common" phrase you claimed - not the exceptional cases you're obsessing over.
Seems pretty clear the common usage is for malware, from this link, to web samples, to wiki and oxford definitions, to nearly every one of your links.
>nobody, not myself, nor anyone else here, has suggested that keyloggers are not primarily used maliciously
Also you
> "the common meaning of keylogger is not restricted to malicious software"
?
The argument is not whether a program called a keylogger has other uses than malware. The argument is your claim that the most common usage of the term is not the criminal one.
And since you don't have a metric to base your claim "the common meaning of keylogger is not restricted to malicious software" on, you're right. We're done - your claim is nonsense and you cannot provide how you arrived (incorrectly) at what the common meaning is.
> In this case, the common meaning of keylogger is not restricted to malicious software, so we shouldn't insist here that it is.
The common meaning of keylogger is restricted to stealthily recording an unsuspecting users keyboard input.
Malicious or not depends on the user who uses it and what they use it for and possibly also is in they eye of the beholder, but Google Docs or a an auto complete search field is not a keylogger by any definition I've seen used.
But what do I know, I've only been interested in this since the nineties.
Strongly disagree that most people think of autosuggest in a search form as a keylogger. I've never once heard it referred to as such, outside this thread.
I think most people think of a keylogger as a malicious program that secretly records your keyboard activity when you don't know about it. If they think about it at all, they think of autosuggest as analogous to a form submission.
this is such a classic HN argument, it's almost comical. pedants from every part of the world going at it and even including google search results, picking apart each word that the original author meant to prove their point. this is the kind of conversation that would make me want to rip my head off in an office environment.
but from my POV i would also say that 95% of the time i've ever bumped into the term, it was always used in a cyber attack context. the other 5% was from corporate overlords wanting to spy on your actions.
Yeah, please take into account that I only listed the Google search results in reply to a blatantly false claim that Google search returned completely different results. Bullshit needs to be called out.
I want my Linux box or my keyboard to get my keystrokes. I don’t want my typing on a website before submitting a form sent to a third party. Key logging is how Blacklight describes it.
It honestly sounds like you've come to allow all types of keylogging to become (to yourself only) allowable and called by any other name. Yes, if Google Docs does actually take each keystroke and record it and save record of it, even once backed out/deleted from a field, this is in fact keylogging.
Indeed, it's not necessarily going to be obvious to a user that when they type in a search bar their text will be used to find relevant content on the site even before the user clicks a "Search" button.
Nope. A keylogger is any field taking whatever your input without your knowledge, and "logging" it. So as he said above, if you were accidentally typing in sensitive info in a password field, or a chatbot window and without clicking a button to send that info off, they are logging it. That is still keylogging. Just because it's not a RAT keylogger doesn't mean it's not logging keystrokes.
The technical difference would be that a keylogger logs keystrokes regardless of where the focus is, whereas normal "respond to key events" logic would be restricted to capturing key events in a field where the user understands the focus to be.
"Type to search" is OK, as the key events processed are restricted to the ones typed into the search field. A key logger would attach an event listener to capture key presses in any field, or even if no field is selected.
It is the same technical difference between a UI which has an explicit "paste" button, which reads from the clipboard only when that button is pressed, vs a web app which reads from the clipboard indiscriminately, in the off-chance that there's something interesting (a password for a different website?) stored in the clipboard.
...which implies there exist unreasonable people. In common speech, qualifiers are added when there is a need to distinguish. You wouldn't say "some people with brains" unless there existed brainless people and there was a need to distinguish them from the other.
If both conclusions can be reached by "reasonable" people then that term is contextually meaningless. Why argue semantics when your own usage is irrelevant?
And I stand by my position that considering an autocomplete to be a keylogger is unreasonable because the obvious purpose of the input is to accept you what you type. Automatically submitting may be a slight surprise but doesn't change the intent as you wouldn't type in the box if you were never going to submit it anyway.
Don't be too sure of that: you'd be surprised how often I misuse the browser's location bar when I need to make a very quick note when I don't have time to first open a text editor. Once I typed what I wanted to type, I then have time to open a text editor and copy it there. This became a habit for me back when browsers did not try to provide search suggestions in the address bar. I now still turn off the suggestions now to make sure I do not accidentally send data online that I want to keep private.
Hotjar is one of the biggest players in the market of tracking user interactions with the site. Now you've heard of them. Are they any more trustworthy?
Agreed. Seems that some of the engineers commenting here work on projects in which they would have us believe a narrower description of what keylogging actually is, because they implement shady keylogging in their own products and need to feel better about it. If I don't press a submit button, and you are fielding my keystrokes into your database at any point, you are keylogging. I would not purposely use any product, or chat window, or form that I knew was submitting my keystrokes to their backend. If there is a button to send the form, only then should it be sending anything to your server. But this is hardly surprising these days with how entirely out of hand all the total data capture scope in products has been heading.
If that's the concern, can you put a rate limit on per-domain basis instead? Many other tools that scan websites allow you to scan arbitrary page url, not just root/index url.
We could have, yeah. There are some UX questions there we'd have to answer, and we were developing this with a very small team and limited time, so opted for a simple solution.
That’s what I intended to do, but blacklight redirected to the about page. I do not have an agenda: I use both GitLab and GitHub and am affiliated with neither.
https://gitlab.com/luke2m/
I always wondered about JS-powered keyloggers. What if you type your Linux admin password, or other sensitive things by accident into the webpage and it all gets scooped up? Yes: the keylogger would have a privacy policy in place, but it irks me to think I could accidentally reveal my dearest secrets into some nosy webpage.
An even creepier analog to this was a big problem in mobile apps until Apple squashed it by telling everyone when it happens. Mobile apps were recording the clipboard every time they gained focus and many then uploaded that to the web. Copy pasted passwords... email addresses... etc.
I often think about this when I see services that does stuff with your input to help you. For example online JSON formatters, online RegEx testers and such.
Ideally it shouldn't matter that it happens. I mean, it's not great and if you're aware of this, you should roll your password, but realistically the external services should have no way to interact with your admin account.
For better protection you can use totp codes or some type of security token which makes password leaks useless.
If you care about this, you should be casting your lot with services that care about your privacy and don't include your personal information in their valuation.
I know that anyone who recognises your username will immediately understand your affiliation to sourcehut, but it's not listed on your profile, nor is it immediately obvious from your website, so perhaps it would be a good idea to indicate your ownership in your comment?
This is a tangential conversation, as I agree that the SourceHut promotion is off-topic, but I don't see a distinction between "spyware" and "trackers on their marketing page". I would define "spyware" as programs that (1) run on an end user's computer, (2) report information back to the developer of the program, and (3) include information not necessary to the running of that service. Marketing trackers do all of those, so I think it is perfectly justifiable to refer to them as "spyware".
It is actually fairly common, Gitlab puts hundreds of different ads to Facebook and it has to track which one of these ads actually work and cancel the ones that don’t result in profit.
Most noble thing to do would be using server-side tracking/analytics but because of additional coding and losing access to Facebook analytics, most web sites usually don’t bother.
I'd go one step further, and say that the most noble thing would be to have a direct <a href="advertised-site">, and not track the user clicks at all. Even server-side tracking of <a href="local-redirect?where=advertised-site&id=user_id"> involves tracking beyond what is minimally necessary to provide a service.
True, though I'm undecided on whether that justifies tracking clicks. The fundamental problem is that neither that advertisers nor the websites trust each other. If the advertisers trusted the website, then the Referer header would be sufficient for the advertiser to know where clicks came from, and the website host could verify that those are correlated with their own server logs.
However, this would require a cost, in terms of refusing to do business with untrustworthy websites. Rather than accepting that as a fact of the business, websites/advertisers instead push the cost off to users as an externality. This cost is paid by the user in time/bandwidth (larger page load times) and privacy (ad trackers), even though they were by no means the source of the problem.
IMHO it doesnt at all. Nothing justify that kind of user tracking. That whole ad business is broken by design. Unfortunately, we can't have access to many products for a reasonable amount of money that would match the ad/spying revenue by user. I would be happy to pay many products a few dollars a month rather than use adblockers.
The current level of tracking/spying, absolutely agreed that it is immoral and unjustified. What I am undecided on is whether the minimum possible tracking, that of having a single redirect on the href, is similarly unjustified.
Maybe I'm missing how themarkup.org works, because I just had a look through the uBlock Origin log, and this seems to be vastly overstated. Looking through the source I don't see anything Facebook/Twitter related except for metatags for Facebook/Twitter. I don't see any Microsoft, LinkedIn trackers or anything as per uBo's logger.
Regardless, I have seen other sites that have a vast amount of trackers so I'm gonna ask my question anyway. Anyone know what the point is of having this many trackers? I totally understand that a company wants to figure out how a user interacts with their app, but what is the point of tracking using different trackers where there is a lot of functionality overlap. I doubt Microsoft, Google, Twitter, Facebook and whoever else collect vastly different data where this becomes useful. Maybe one or two different companies e.g. for redundancy but why do their need more than that?
uBlock Origin with some filter lists (I suspect the easy privacy is one) will block calls to google tag manager, which prevents anything that would have been loaded by that from showing up in ublock origin's block list. I suspect that's what's happening in this case.
If I load about.gitlab.com without ublock origin enabled the FB network requests show up in in the network console.
Each company will want a ping related to their own tracking tags. I.e. if the visitor came from a Facebook ad, you want to notify FB about conversions so that you know how effective the ad was. Also it's required if you want some dynamic A/B behaviour on the referrer side. Multiply by each source (not just ads).
All of that could be done server side, but people don't want to build their own version of analytics, run it internally, and keep it up to date with all their data sources.
In many cases it's about running retargeting ads on multiple platforms and tracking campaigns. For example, you might want to run ads on LinkedIn only for users who have visited your page.
gitlab is awful. There is way too much front end code and I honestly wouldn't be surprised if the only way to fix it is to tear it all out and start over.
Good morning HN. I am the DRI (directly responsible individual) for about.gitlab.com and I have created this issue to audit our trackers, cookies, and other data collection on the marketing website https://gitlab.com/gitlab-com/marketing/inbound-marketing/ma...
Our product does not include the tracking that is used on the marketing site.
118 comments
[ 3.0 ms ] story [ 180 ms ] threadhttps://about.gitlab.com/press/releases/2019-01-22-gitlab-an...
Background on In-Q-Tel https://en.m.wikipedia.org/wiki/In-Q-Tel
https://docs.gitlab.com/ee/user/shortcuts.html#repository-gr...
If you're going to claim Gitlab, as in the tool, has that, then link to an actual example repository for proper comparison.
Not trying to defend Gitlab here, but this headline makes it sound like you have an agenda.
(The page linked compares about.gitlab.com, which is a wildly different site than the rest of Gitlab)
Like i said, I'm not defending Gitlab. But there's a difference in impact between "theres 15 trackers in the tool i use" and "there's 15 trackers in the marketing page i never visit".
Don't make it sound like you don't understand that difference.
Two wrong make no rights.
In Gitlab's case, it seems to be their search function. It provides search results without needing to press Enter or clicking a button. From a technical POV, this is the exact same kind of keylogging as the above, it's only the intent that makes this okay and the above not so.
Is this is the case, then the latter is not keylogging.
The former is some sort of logging, but I wouldn't call it keylogging; after all, you are still entering data to the particular filed intended for entering credentials, to be sent to the remote server for verification. If the purpose of the remote server is something more nefarious, then it is keylogging.
The feature would even make sense if the server would let you in without pressing enter; but for understandable reasons this is not really a thing..
No, I would not. Keylogger, I would say, is what the name implies: is a term for software that records keystrokes. In order for the term to be useful we have to limit it to such software where the recording is not obvious to the user, as otherwise even Notepad would count, but we do not have to limit it to malicious software.
Would that go along with the common consensus, or perhaps water down the term to near meaningless? Maybe Firefox is keylogging my input as well; and in fact, so is Linux. Keyboard itself, definitely.
Once I had X11 enter old keystrokes (so it had missed the read position in the input ring buffer and every stroke entered a key from the past); keyloggers all around.
Kidding aside, I believe it is important to use terminology all parties agree on; after all, words are a tool for communicating. Even if an individual finds a deeper or "fundamental" meaning in a word outside the typical use of a word, attempting to use and understand it in such a way hinders communication.
Over 99% of the hits on a google search use keylogger restricted to malicious software (sampled the first dozen or so pages). The first sentence in Wikipedia is "Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored". The top definition googling a definition is "a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information."
What metric did you use to conclude that the "common meaning" is not this common meaning? Not a single place I have found claims the common meaning is anything other than surreptitiously recording user keystrokes for nefarious purposes. Do you have even one such link?
https://www.csoonline.com/article/3326304/what-is-a-keylogge...:
> Keyloggers are a type of monitoring software designed to record keystrokes made by a user.
https://securelist.com/keyloggers-how-they-work-and-how-to-d...:
> The term ‘keylogger’ itself is neutral, and the word describes the program’s function.
https://en.wikipedia.org/wiki/Keystroke_logging:
> Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored.
https://home.sophos.com/en-us/security-news/2019/what-is-a-k...:
> A keylogger is an insidious form of spyware.
https://www.kaspersky.co.uk/resource-center/definitions/keyl...:
> Keyloggers are used for legitimate purposes like feedback for software development but can be misused by criminals to steal your data.
https://www.mcafee.com/blogs/consumer/family-safety/what-is-...:
> A keylogger (short for keystroke logger) is software that tracks or logs the keys struck on your keyboard, typically in a covert manner so that you don’t know that your actions are being monitored. This is usually done with malicious intent to collect your account information, credit card numbers, user names, passwords, and other private data.
https://searchsecurity.techtarget.com/definition/keylogger:
> Keyloggers are often used as a spyware tool by cybercriminals [...]. Keylogger recorders may also be used by: [...] These uses could be considered ethical or appropriate in varying degrees.
https://www.malwarebytes.com/keylogger/:
> Keyloggers are a common tool for corporations, which information technology departments use to troubleshoot technical problems on their systems and networks—or to keep an eye on employees surreptitiously. The same goes for, say, parents, who want to monitor their children’s activities.
https://enterprise.comodo.com/what-is-a-keylogger.php:
> At its most basic definition, a keylogger is a function which records or keystrokes on a computer. Taken at this basic level, a keylogger looks absolutely harmless. In the hands of a hacker or a cybercriminal, a keylogger is a potent tool to steal away your information.
1st: title mentions they're used by attackers. First sentence: "Keystroke logging software is one of the oldest forms of malware. Under "definition" they state "One of the oldest forms of cyber threat, these keystroke loggers record the information you type into a website or application and send to back to a third party"
Why did you take your sentence out of context? Those above and below state keyloggers are used for criminal activity. The article is about keyloggers being malicious.
Second link: "Today, keyloggers are mainly used to steal user data relating to various online payment systems, and virus writers are constantly writing new keylogger Trojans for this very purpose."
Well, I guess that defines the common usage, hence the word "most". The article also states that "keyloggers have pushed phishing out of first place as the most-used method in the theft of confidential information". So not only are they mostly used for crime, they are the number one method for stealing confidential information.
And most every other link you posted also either defines them as malicious or points out that most uses are malicious.
So, by what metric you claim ". Yes, a keylogger need not be malicious. But so far you competently have made the case that the common meaning is most certainly malicious, and it's not even a close assessment.
So - what was your metric to claim "the common meaning of keylogger is not restricted to malicious software"? This list clearly supports that malicious use is by far the common meaning.
Please state your metric for "common meaning" then we'll test it. If you have no metric, we're done, since so far all the data points to your claim being false.
For the rest, nobody, not myself, nor anyone else here, has suggested that keyloggers are not primarily used maliciously. Of course they are, we all know that. The whole question is whether it's possible for non-malicious keyloggers to also exist, or rephrased, whether the definition of keylogger inherently excludes anything non-malicious. You're only looking at what they refer to using that term, which will be almost exclusively malware, but that's not the point, you're not looking at how they're defining the term.
Here is your quote written to represent the link: "Keyloggers are a type of monitoring software designed to record keystrokes made by a user."
Here is that quote with the surrounding sentences:
"Keystroke logging software is one of the oldest forms of malware, dating back to typewriters. It's still popular and often used as part of larger cyber attacks. Keyloggers are a type of monitoring software designed to record keystrokes made by a user. One of the oldest forms of cyber threat, these keystroke loggers record the information you type into a website or application and send to back to a third party."
Now again tell me who is dishonest?
> they also have legitimate uses
No one disputed that. Your claim is the most common use of the term is not related to malware. Focus on the "most common" phrase you claimed - not the exceptional cases you're obsessing over.
Seems pretty clear the common usage is for malware, from this link, to web samples, to wiki and oxford definitions, to nearly every one of your links.
>nobody, not myself, nor anyone else here, has suggested that keyloggers are not primarily used maliciously
Also you
> "the common meaning of keylogger is not restricted to malicious software"
?
The argument is not whether a program called a keylogger has other uses than malware. The argument is your claim that the most common usage of the term is not the criminal one.
And since you don't have a metric to base your claim "the common meaning of keylogger is not restricted to malicious software" on, you're right. We're done - your claim is nonsense and you cannot provide how you arrived (incorrectly) at what the common meaning is.
The common meaning of keylogger is restricted to stealthily recording an unsuspecting users keyboard input.
Malicious or not depends on the user who uses it and what they use it for and possibly also is in they eye of the beholder, but Google Docs or a an auto complete search field is not a keylogger by any definition I've seen used.
But what do I know, I've only been interested in this since the nineties.
I think most people think of a keylogger as a malicious program that secretly records your keyboard activity when you don't know about it. If they think about it at all, they think of autosuggest as analogous to a form submission.
but from my POV i would also say that 95% of the time i've ever bumped into the term, it was always used in a cyber attack context. the other 5% was from corporate overlords wanting to spy on your actions.
wow...
"Type to search" is OK, as the key events processed are restricted to the ones typed into the search field. A key logger would attach an event listener to capture key presses in any field, or even if no field is selected.
It is the same technical difference between a UI which has an explicit "paste" button, which reads from the clipboard only when that button is pressed, vs a web app which reads from the clipboard indiscriminately, in the off-chance that there's something interesting (a password for a different website?) stored in the clipboard.
Reasonable people wouldn't call it a keylogger because they assume that a form input will actually receive what you input.
Fair point, though that's more of a corner case.
> Reasonable people wouldn't call it a keylogger
Not a fair point. If your starting assumption is that everyone who disagrees with you is unreasonable, please take a moment to reflect.
And I stand by my position that considering an autocomplete to be a keylogger is unreasonable because the obvious purpose of the input is to accept you what you type. Automatically submitting may be a slight surprise but doesn't change the intent as you wouldn't type in the box if you were never going to submit it anyway.
Yes, actually, it is. Besides, the tracker explicitly points this out as a possibility.
The tool doesn't handle the direct link, it just gives information for about.gitlab.com again.
And this mostly makes sense. It means they can cache results more easily, there is no way the tool could return so quickly unless it was cached.
(I helped work on Blacklight)
We did make the collection software available on Github if people want to check out arbitrary pages on their own: https://github.com/the-markup/blacklight-collector/
Except there's 32 third-party cookies on my repo versus 22 on the marketing landing page (about.gitlab.com)
So I'd classify it as worse than the marketing landing page. Doesn't see that wildly different.
When I go to one of my repositories, ublock origin shows exactly one third party domain, assets.gitlab-static.net.
Change your password asap.
For better protection you can use totp codes or some type of security token which makes password leaks useless.
https://themarkup.org/blacklight?url=sourcehut.org
Check out codeberg too:
https://themarkup.org/blacklight?url=codeberg.org
If you care about this, you should be casting your lot with services that care about your privacy and don't include your personal information in their valuation.
It comes off as highly unprofessional.
If you want to show how privacy friendly you are, write a blog post about it and try to get it upvoted here.
The fact you'd make such a claim while promoting your own competing software just doesn't come off as constructive.
I have different feelings about trackers on the marketing portion of a site vs. the product portion of the site.
What purpose does it even serve? Why does Facebook even care or why does it have to be informed about my visit?
This ad business is crazy stuff. Lucky for me I have some blockers for things like this.
Most noble thing to do would be using server-side tracking/analytics but because of additional coding and losing access to Facebook analytics, most web sites usually don’t bother.
However, this would require a cost, in terms of refusing to do business with untrustworthy websites. Rather than accepting that as a fact of the business, websites/advertisers instead push the cost off to users as an externality. This cost is paid by the user in time/bandwidth (larger page load times) and privacy (ad trackers), even though they were by no means the source of the problem.
I think it’s a clickbait title, for that reason.
That doesn’t sound like “autocomplete purposes” to me.
Regardless, I have seen other sites that have a vast amount of trackers so I'm gonna ask my question anyway. Anyone know what the point is of having this many trackers? I totally understand that a company wants to figure out how a user interacts with their app, but what is the point of tracking using different trackers where there is a lot of functionality overlap. I doubt Microsoft, Google, Twitter, Facebook and whoever else collect vastly different data where this becomes useful. Maybe one or two different companies e.g. for redundancy but why do their need more than that?
If I load about.gitlab.com without ublock origin enabled the FB network requests show up in in the network console.
All of that could be done server side, but people don't want to build their own version of analytics, run it internally, and keep it up to date with all their data sources.
whereas www.reddit.com doesn't [1]
slashdot seems to have all the trackers [2]
[0] https://themarkup.org/blacklight?url=old.reddit.com
[1] https://themarkup.org/blacklight?url=www.reddit.com
[2] https://themarkup.org/blacklight?url=slashdot.org
Our product does not include the tracking that is used on the marketing site.