This is such a fantastic bug. Firebase security rules (like with other BaaS systems like Firebase) have this weird default that is hard to describe. Basically, if I write my own API, I will set the userId of the record (a 'boost' in this case) to the userId from the session, rather than passing it in the request payload. It would never even occur to a developer writing their own API past a certain level of experience to let the client pass (what is supposed to be) their own userId to a protected API route.
On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
> On the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
Tbh you're doing it wrong if you go that way.
Default deny, and then you only have to imagine the legitimate uses.
And then when you imagine the legitimate uses you have to imagine how allowing those legitimate uses could be misused. You always need to think red and blue.
Fair enough, but my point is more conceptual, in that you still have to write `boost.userId == auth.userId` as an allowed pattern rather than making that pattern the only technically possible result, which is the convention in a traditional API.
The failure modes are much clearer: when you write the API in a default-deny context & forget to add that allowed pattern, it never works, so you notice & figure out the bug.
The same story with default-allow means the system looks like it works fine, and you end up with no security at all.
For inserts yes, but for updates I've frequently seen cases where people just stuff the whole request into their ORM or document store. It is pretty easy to think "the owner can update the document" without realizing that there are some fields (that the official client doesn't set) that shouldn't be updated (like the owner or created timestamp).
The correct solution is likely default-deny auth for every single field. Then you at least have to explicitly make the owner field writable, and hopefully consider the impact of transfering this object to another user.
HN tends to be a little hard on brief comments. My current understanding is that comments with little substance are totally acceptable provided they're good natured.
Also from the guidelines "Comments should get more thoughtful and substantive, not less, as a topic gets more divisive": this post's topic doesn't likely qualify as divisive.
There are a lot of major security vulnerabilities in the world that were made understandably, and can be forgiven if they're handled responsibly and fixed.
This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.
Lots of developers and power users make a good chunk of Arc's use base. If you're after some interesting credentials then "every Arc user" is a perfect group with little noise.
If I had to guess, the typical Arc user is a Mac user in tech. It doesn't run on Linux, most windows users wouldn't run it, and non-tech people haven't heard of it.
Then most engineering IC people will most likely run Firefox or Chrome, so you're probably looking at designers/founders/managers as your target.
Probably some interesting targets there, but not the type that the NSA cares about. Just pure conjecture on my part of course ;).
I've seen quite a few. In one of my clients's Slack there are at least a couple people advocating for it all the time. They're mostly DLs or in similar roles. I also know at least one developer who uses it.
I used it for a while for a very limited use case. Some interesting concepts. Mostly I found it annoying though. I also didn't like the sign-in thing but still wanted to experiment. I have dropped it altogether and kept Firefox as main browser (as it's been for many years) and Safari as a secondary. Both work much better overall for my needs.
my brother uses arc browser , he is a developer .
I think he saw it from somebody using it (maybe theo t3 or some other creator he watches) , and he found it cool (plus there were lot of videos flooded with saying arc is really great IDK)
If someone finds something cool on the internet. They are going to try it , given that they are capable to do so.
He had a mac so he was able to do so , Even I tried to run arc on windows once when it was really beta and only available to mac (I think now it supports windows not sure)
I just kindly want to state that if the nsa could've bought this exploit , they could've simply waited and maybe even promote arc themselves (seems unlikely)
Maybe they could've tried to promote the numbers of arc users by trying to force google and microsoft search engine through some secret shady company advertising / writing blog posts for arc / giving arch funding or like how we know that there are secret courts in america
( and since these search engines basically constitutes for a high percentage of discovery of stuff by search engine by users)
People could've credited the success to arc in that case for getting more users but the real winner would've been NSA.
Everyone else at work likes it, so I signed up with my work e-mail address and use it for work. All of my complicated browsing needs are done for work, so there's a good fit there.
no I meant that
though you need to login , i think arc isn't available on linux , only mac (or maybe windows though not sure , I see some issues + the security issue)
Ye it required login and my brother logged in (just see ! , the amount of friction to login etc. yet my brother , whom I would consider to be a little conscious of security still gave to try it in the first place)
yes. I feel sad that now we have created an incentive where selling to the govt.'s is often much lucrative than telling to the vulnerable party (arc in this case)
(just imagine , this author was great for telling the company , this is also a cross platform exploit with very serious issues (I think arc is available on ios as well))
how many of such huge vulnerabilities exist but we just don't know about it , because the author hasn't disclosed it to the public or vulnerable party but rather nsa or some govt. agency
Firestore rules are in "lock mode" (no read or write allowed) by default since a long time. Then, everything is ultra well explained in the docs.
I was already aware of it when being a noob dev 10 years ago, and could easily write a rule to enforce auth + ownership in the rules. No way, seasoned devs can miss that.
Also, firebase? seriously? this is a company with like, low level software engineers on payroll, and they are using a CRUD backend in a box. cost effective I guess? I wouldn't even have firebase on the long list for a backend if I were architecting something like this. Especially when feature-parity competitors like Supabase just wrap a normal DBMS and auth model.
Well, it's an app that users access all their online info through - bank, email, search, work, social - everything. Even an open-source, decentralized, blockchain, grass-fed, organic, extra virgin, written in nothing but HTML, released by W3C itself browser could monetize just ~5% of market share if users are downloading their build (or if its baked into the source), considering how much a browser reveals about its user and to the extent the user can be retargeted for: Ads, marketing, surveillance, analytics.
The biggest opportunity has to be driving search traffic to the major search providers all these browsers partner with.
Could also get acquired by a major browser vendor if you have a better product and people are downloading it more than the major ones, especially if both are based on the same underlying engine. Even Firefox still sucks to this day. I'm using it right now (Waterfox) the product still sucks! I know of some browser vendors acquiring others, especially as mobile took off and it was hard to get it right.
Seems like the opportunity is similar to that of social media but slightly more modern because nobody uses new social media anymore but people are trying out new browsers (and you get richer user/usage data).
It’s the “chrome replacement we have been waiting for”, but (if I read this right), my data is still sent to Firebase? Also it’s a browser, not a “tinder but for cats” startup idea I’m writing for my cousin for a beer.
It’s not only not a smart engineering decision, it’s also a terrible product, reputation and marketing decision.
I'm not disagreeing about the severity of the security vulnerability that has been uncovered – to be clear, it's an absolute shocker of a bug. It's really disappointing to see.
But I still disagree that the use of Firebase, in and of itself, is a bad engineering decision. It's just a tool, and it's up to you how you use it.
Firebase gives you all features needed to secure your backend. But if you configure it incorrectly, then _that's_ where the poor engineering comes into play. It should have been tested more comprehensively.
Sure. You could build your own backend rather than using a Backend-as-a-Service platform. But for what gain? If you don't test it properly, you'll still be at risk of security holes.
Browsers are very important part of our life. If someone compromises our browsers , they basically compromise every single aspect of privacy and can lead to insane scams.
And because arc browser is new , they wanted to build fast and so they used tools like firebase / firestore to be capable of moving faster (they are a startup)
Now I have read the article but I am still not sure how much of this can be contributed to firebase or arc
- Firebase allows for easy misconfiguration of security rules with zero warnings
- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information
So because firebase advocates itself to the developers as being safe yet not being safe , I think arc succumbed to it.
firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch,
Also , you say that you have been convinced to never use arc again.
Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?
this is just recently discovered , just imagine if something more serious is also just waiting in the shadows
Couldn't this also be considered a major security vulnerability just waiting to be happen if some other exploit like this can be discovered / google.com is leaked and now your cpu information and way more other stuff which browsers shouldn't know is with a malicious threat actor ?
I very much agree with the idea that browsers are security-sensitive software, unlike, say, a picture editor, and more like an ssh server. It should be assumed to be constantly under attack.
And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".
With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.
hmm interesting.
Other thing to add is if we treat it as a ssh server , we actually won't try to go out and break things.
But I think that was the whole point of arc , to break the convention and be something completely new
and I have a reason why
They were competing with the giants called google , safari , firefox which have insanely large funding and their whole point was trying to sell something later built on this arc browser.
and since chrome , firefox etc. don't try to come up with these ideas because well security reasons (which I agree to / as seen in the post)
I think arc wanted to seperate itself from chrome / firefox and that's why they became a bit reckless you could say since this exploit was available.
Also the other thing I want to convey , is that "With that, I don't see much exploit potential in learning stats like the number of cores on your machine"
this was only recently discovered. Just imagine the true amount of exploits in these proprietory solutions which we don't know about.
Yeh. Just like a ssh server , I would personally like the source code to be available but developing browsers is time consuming and money intensive for developers but ladybird exists , but its in beta.
that being said , not open source is also that private , (xz) , but atleast it got discovered way quickly and was able to mitigate it quickly
> Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?
That's pretty interesting. Where can I learn more about this?
I recall there being a thread with way more discussion at the time, but I can't put my finger on that thread right now. This post has some information:
>>Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?
Yeah so using chrome based browsers like Arc is giving more power to Google to do shady stuff while also being a victim of the third party unsafe code.
TL;DR: it's not possible to export data from Arc, but it's possible to copy-paste the folder to a Chrome profile, and Firefox and other browsers will detect&import it.
Unfortunately, Zen Browser simply isn't an alternative. If you like Arc, then Zen's UI for tabs and splitting views isn't really anywhere close to satisfying the same needs.
Firefox seems to be borrowing some of the UI features slowly (at least the vertical tabs). And at least the Mozilla Foundation is very public with their wants and goals.
I was literally using Arc because of the ability to hide most of the userchrome.
Every time I open split views or tabs I curse. I've said this in the past but layering view multiplexors has to be the most stupid modern "super-user" trap. You have the ability to open multiple browser windows and composite them side by side, use it.
Does anyone know of any other browsers that are chromium based and have very little features aside the ability to hide most of the UI?
No Linux version prevented me from trying it, didn't even get to the account wall, who knows if there's a pay wall. Perhaps the "moat" concept was misunderstood.
aug 25 5:48pm: got initial contact over signal (encrypted) with arc co-founder hursh
aug 25 6:02pm: vulnerability poc executed on hursh's arc account
aug 25 6:13pm: added to slack channel after details disclosed over encrypted format
aug 26 9:41pm: vulnerability patched, bounty awarded
sep 6 7:49pm: cve assigned (CVE-2024-45489)
Four hours from out-of-the-blue initial contact until a fix pushed is pretty good, even given how simple this fix probably was.
EDIT: Oh, the date changed; so it was 28 hours until fix. Still decent; and half an hour from initial contact to "Join our slack channel" is incredibly fast response time.
Reacting fast is the least the vendor could do. Bare minimum. This should not be applauded. It should be treated as "well, at least they reacted at a reasonable speed so the root cause was probably not malice".
In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.
It's certainly the least a vendor should do, but it's absolutely not the least a vendor could do, as we see the vast majority of vendors do far, far less. It's worth holding people up and saying, "This is how you should be doing it."
You’re technically correct, given a literal reading of the post you quoted, but the use of “could” there was idiomatic - let me explain:
There’s a (fairly dated) idiom, “it’s the least I can do”, used when you are offering to do something to make up for a mistake or offense, but the person you hurt says your offer of compensation is unnecessary. For example:
Situation: Person A bumps into Person B in the cafe, causing B to drop their coffee cup.
A: I’m so sorry! Let me buy you another coffee.
B: That’s not necessary - it was an accident, and I had almost finished my drink anyway.
A: It’s the least I can do!
B: Oh, thank you so much!
Buying B a new coffee is not _literally_ the least A could have done - the least A could have done is nothing - but that’s the English idiom. “Can” is acting more like “should” here. You could read it as “It’s the least I can do (if I’m a good person, which I am)”.
Thank you for the explanation -- when I'm speaking foreign languages I appreciate this sort of explanation. But in this case, as a native English speaker, I was well aware of the idiom, and was trying to subvert it. :-)
The original idiom is said in the first person, and as you say means essentially, "Justice and equity compel me to do this; I don't find myself able to do less".
GGP was actually using a derivative of the idiom in the second person. What the derivative literally says is, "Justice and equity compel them to do this; they don't find themselves able to do less". But idiomatically, what it actually means is, "Justice and equity ought to compel them to do this; they ought not to find themselves able to do any less".
Which is true; but it's still the case that the vast majority of companies find themselves very much able to do far less. Justice and equity should compel companies to do this bare minimum, but in the vast majority of cases it doesn't. And so we should still commend those who do find themselves so compelled, and hold them up as an example.
Honestly I’ve always considered Arc to be a wolf in sheep’s clothing, especially when it comes to privacy.
50-60mm cash at 500mm (!) valuation and no business model is a big red flag when it comes to something as important, as personal as a browser. This is not a charity. Someone, somehow will have to pay for that.
Yeah I’m so torn. It’s honestly the best browser UX I’ve seen, the right combination of vertical tabs, auto archiving, spaces/collections, sync, etc. I don’t care for Easels, but the core is good.
Except… the growth hacks have started to creep in. They overlay an advert for their own AI services on top of regular Google search results pages in their mobile app. Not even a browser chrome UI element, it’s literally over the page content. That feels like a huge violation of what it means to be a browser.
I don’t want their AI features. I don’t want growth hacks. I don’t want to sign in except for sync. I’d happily pay $40 a year for Arc as a product-focused-product, but as a VC-focused-product it’s heading downhill.
Vivaldi feels like a cross platform port in all the ways I try to avoid. I understand the feature set is good, but it doesn't feel nice to use. Hard to state exactly why though.
It does get a lot right and feels smooth in ways that Chrome, the various Chrome-clones, and Firefox just don't. It's also ironically the only browser even trying to feel native on Windows, using WinUI/WinAppSDK for its UI there, despite originally being Mac only.
It's unfortunate that other cross platform browsers have such a strong tendency to phone in these little things, because they really do add up to make for a nicer experience.
Thanks for the recommendation. I just had a quick try, it's nice, seems like a very polished Firefox. It seems to have a bunch of features I don't want in a browser so not sure if they'll get in the way.
I'm torn for the same reason: The UX hits all the right notes for me and I've tried every MacOS browser under the sun. I'm an ADHD sufferer and there's something about their combination of features and UI that just lets me get stuff done. And I don't even touch their AI features.
It's a browser (chromium based) with a really nice UI that people love, I am intrigued but haven't used it because I find the requirement to create an account off-putting.
The “what makes Arc different from other browsers” section is particularly funny.
> Arc is to your ex-browser what the iPhone was to cellphones. Or as one of our members said “like moving from a PC to a Mac.” It’s from the future — and just feels great.
As a person that recently started using it: it has something like "tree style tabs", and sort of a hybrid merge of the concepts of tabs and bookmarks. In other words, the tabs work more like files on disk -- open/closed, sorted into folders. I'm probably not explaining it well either, but I encourage you to try it if you ever wanted to experiment with alternative tab management (tree style tab, tab groups etc). It's a concept that clicked for me quickly once I started using it, and now I'm angry since I want to use Firefox for philosophical reasons but don't want to go back to regular tabs.
I just wanted to say, I enjoyed the little pixel art cat that runs towards wherever you click immensely. It’s one of those fun, whimsical little touches that I don’t see all that often. A reminder that the internet can be a fun, whimsical place if we want it to be :)
As I didn’t get that, it seems like the dev honors prefers-reduced-motion, and doesn’t display it in that case. Excellent of them, give joy to those who want it, prevent annoyances for those who hate them.
I don't, but I run the same system configuration, so I can compile it on my computer, transfer it and run it.
Alternatively, if a compiler such as gcc is available, you could also run
# https seems to be broken on this website currently
wget http://www.daidouji.com/oneko/distfiles/oneko-1.2.sakura.5.tar.gz
tar -xf oneko-1.2.sakura.5.tar.gz
cd oneko-1.2.sakura.5/
gcc oneko.c -lX11 -lm -o oneko
./oneko &
cd ..
# remove all traces
rm -r oneko-1.2.sakura.5 oneko-1.2.sakura.5.tar.gz
Not the person you're responding to but my workplace has a special internal link precisely to "remind" coworkers to not leave unlocked laptops unattended.
And here I was wishing it would go away and trying to find a way to hide it because on my phone it was always covering text. Firefox reader mode worked.
I thought it just ran around on the top line of the header, and was quite taken with it. I then scrolled and it followed me right into the middle of a paragraph. Less taken, but cat's gonna cat.
It's cute but I just can't focus on the article knowing the cat is gonna move every time I move my mouse or scroll. I popped open my console and deleted him. Sorry, kitty
while researching, i saw some data being sent over to the server, like this query everytime you visit a site
I'm not surprised in the least --- basically the vast majority of software these days is spyware. Looking at Arc's privacy page, it appears to be mainly marketing fluff similar to what I've seen from other companies. I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."
> We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.
> I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."
Not with those exact words, but that’s Alfred. Server connections are done only to validate the license and check for updates, and you can even disable that.
> Alfred only contacts our server when activating your Powerpack license in order to validate it, as well as periodically checking for new software updates. You can disable the software update check in the Update preferences, but we recommend keeping this enabled to ensure that you always have the latest version for security reasons and to make the most of the awesome new features!
Great research. As I've said elsewhere, Firebase's authentication model is inherently broken and causes loads of issues, and people would be better off writing a small microservice or serverless function that fronts Firebase.
Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.
Too late to edit... i just got around to checking and I do have system wide reduced motion and reduced transparency on this laptop. I'm sure I didn't set it up on there, just on the phone.
That seems like a perfectly reasonable thing to sync. Accessibility settings are exactly the type of thing you shouldn’t have to configure again and again on every device.
Either way, you can disable syncing of system settings.
> That seems like a perfectly reasonable thing to sync. Accessibility settings are exactly the type of thing you shouldn’t have to configure again and again on every device.
No, because I disabled motion on my phone because the wiggling of icons on the main screen annoyed me, not because I have motion sickness. Nothing wiggles on the desktop (yet). This option doesn't even belong in accessibility IMO, it should be a "stop annoying me" section.
> Either way, you can disable syncing of system settings.
Where? The same spot where I can disable syncing the clipboard? I.e. somewhere deep in an undocumented file?
Gotta be honest, the aggressive and unreasonable snark completely turns me off from helping you. It feels that regardless of the obviousness of the setting, you’ll find some nitpick to shout back at me about it. Since I don’t work for Apple or yourself, I don’t have to justify their choices or be the recipient of your unjustified and unprompted bad humour. I’m making a conscious choice to not soil my Friday on account of some internet rando. You’re on your own for this one.
I genuinely wish you a calm weekend and peaceful start of the week.
Thanks for the martyrdom but last time I checked clipboard syncing it was a package with everything that gets synced, including sms forwarding etc on Apple. If there is a way to disable syncing granularly it’s not documented anywhere.
Im dyslexic and I tend to use the pointer to follow what I am reading to help me. The cat was annoying as hell. I just had to hide the element in the DOM before i could read more than a few lines. Infuriating design choice to make it follow the pointer.
It's really not hard to build this safely in firebase, this could've been authored the same way in node too. I think whoever authored this either majorly cut corners or just isn't experienced enough to understand how to write authenticated controllers like this. This should scare people away from this browser, it's such a basic thing to mess up and it shouldn't have happened.
Arc is used disproportionately by users who work in tech which tend to be paid quite well.
Am I wrong in thinking that with this vuln you could drain any financial accounts that they log into Arc with? Or, if they use Arc at work, that you now have a way to exfiltrate whatever data you want?
A browser vuln is about as bad as an OS vuln considering how much we use browsers for.
Am I too optimistic? I feel like most regular people I know wouldn’t sell this off. Most people are not antisocial criminals by nature, and also wouldn’t know how to contact a “state actor” even if they wanted to.
How does this work in practice? What systems are in place to prevent someone selling an exploit and then turning around and disclosing it properly as soon as they have the money, potentially getting even more money through legal channels? Is there some sort of escrow?
> Am I too optimistic? I feel like most regular people I know wouldn’t sell this off.
Probably you're just used to a relatively good life, not a bad thing :)
Image being able to sell this off for $20,000 (although I think you could ask for more, seems to be a really bad vulnerability) in a marketplace, for >90% of the world that's a pretty good amount of money that you could survive a long time on or add a lot of additional quality to your life.
Judging by blog posts on HN, I got the impression that these vulnerabilities are often not rewarded at all, or rewarded by a minuscule amount. It almost seems like companies are begging hackers to sell these exploits. Perhaps because they aren't penalized by the regulator for breaches?
They offer a low price because the risk of tanking your career, landing yourself in jail, and the fact that the researcher probably doesn't know how to line up a sale means the company is the only buyer.
I would go the other way, companies offer low bug bounties because they don't want researchers to discover them in the first place. This looks terrible for Arc despite the fact if left undisclosed it probably would have continued to be unexploited for years to come.
If you were using Arc you could add a Boost for "Case: toggle between different capitalization settings - they will apply to all text on the webpage" [1]
I was similarly fascinated by the stylistic choices made here. No capitalisation of even any names, no hyphen in a compound adjective, but dots and commas and spaces are deemed necessary, also before "and" where the word clearly acts as separator already. If you look at the waveform of speech, we have no spaces between regular words so, if they want to eliminate unnecessary flourishes... though perhaps (since text largely lacks intonation markers) that makes it too unreadable compared to the other changes. All this is somehow at least as fascinating to me as the vulnerability being described!
It’s just another dumb social media trend, like tYpiNg LiKe tHiS. Hopefully it too will phase out. Search for “lowercase trend” and you’ll find reports of it going years back, there’s nothing worth being fascinated about.
It has seeped into HN as well. Look closely and you’ll notice several commenters type like that.
That's really interesting, I personally don't read those tone differences based on the casing. Neither approach carries different warmth or formality to me at all.
I wonder if this is a regional or generational thing?
It's definitely primarily generational. In my experience, capitalization-as-tone is used by many Generation Z people. On the other hand, it is not widely used by older generations, or the younger Generation Alpha.
In my experience, that isn't the case. Among people who "have gotten used to" it, using capitalization to indicate the formality and/or tone of your message allows the reader to understand the writer's intention better. I have not observed any correlation between political leanings and this.
I'm not sure what you dispute or your point is here. If people slightly or strongly start aping Trump's writing style in various forms I'd say there's a good chance those people are right wing or simply "not the same people writing in all lowercase" you know?
You highlight stylistic choices. I'd say we can observe the differences in different styles and see how uses them. Is Trump writing in all lowercase? No. Is this poster writing like Trump? No. Do a lot of left-wing people use the all-lowercase style? I see it all the time, yes.
> lowercase without caps reads with a warmer, informal tone
Personally, and I’m certain I’m not alone on this, it reads as annoying. It’s harder to follow and looks as if the writer didn’t care to do the bare minimum to make the text accessible and clear to the reader.
> there’s a Tom Scott Language Files video documenting it
Per that video (thank you for sharing), capital letters “make a paragraph easier to read” and “context matters” and “the conventions change fairly quickly” and typing in all lowercase is “sometimes okay”.
This is a post documenting a serious browser vulnerability, shared to the wide internet, not an informal conversation between buddies. Clarity matters. I don’t fully buy the tone argument and find words and sentence structure are more important. Take the following two examples:
> Just heard about your promotion, you beautiful bastard! Let’s go get pissed to celebrate, on me!
And:
> good afternoon mrs bartlet. the limousine will be available in twenty minutes. i would also like to apologise for my behaviour yesterday when i inadvertently insulted your husband it was a faux pas i promise will not be repeated. my resignation will be on your desk by noon.
I get that language evolves. You do you. Personally I hope this trend subsides like so many others before it. Maybe you don’t like to read properly structured text and prefer all lowercase. My preference is the reverse. And that’s OK, we don’t all have to be the same. I merely wish that people who prefer a certain style understand not everyone will see it the same way they do (and I’m including myself).
That's true. I agree with you that anything less than a formal tone would be, and is, inappropriate for this context. I also respect that you prefer standard capitalization and punctuation at all times. Being aware of the audience is critical for any writer.
> lowercase without caps reads with a warmer, informal tone
No, it reads as "I'm uneducated and don't know how to write the English language properly". It's incredibly obnoxious for people to use as an affectation.
To me, proper capitalization is easier to parse - not massively so, but a little bit. So writing without caps is a bit of a jerk move. You're making it harder for me to read, either because you're lazy or because you want to affect a style. In either case it's a bit of a jerk move.
It's more of a jerk move when it's done on a discussion board, because what you write once is read multiple times. So the cost multiplies, but (if due to laziness) the benefit only occurs once.
Now, in something like texting, I understand, when you're trying to type on that teeny phone keyboard. It's harder to hit the shift key when you don't have a spare finger because you're only using one. But for something like here, take the time and the effort to make it better for your readers.
On a formal discussion board like this, I don't believe an informal tone is correct. To me, it doesn't make it harder to read, but it does come across as mildly disrespectful of the environment.
When texting on a phone, the default is to automatically capitalize. Using all-lowercase requires more work than doing nothing. It isn't lazy or even more efficient to go back and replace your "I"s with "i"s. With the right reader, it's done to give them a better idea of the tone you wish to deliver.
With that said, it requires a certain degree of audience awareness. Many people do not interpret lack of capitalization the same way I do, as evidenced by this thread. On my phone, I have auto-capitalization disabled. When texting someone for the first time, I tend to use proper capitalization, even if I want a casual tone. I just did a typing test with capitalization and punctuation and scored 55 wpm on my phone. It's a choice I make and it varies based on audience, and intended tone. Effort, on the other hand, is not a factor.
I use lowercase in most places precisely because it forces me to use shorter sentences and split text into paragraphs. The result is easier on the reader.
It's just a habit from chat rooms and instant messengers of the beginning of this century. Most of my mates who write like that are well over 30.
This whole subthread is one projection after another.
How does lower case force you to do that? It seems to me that it's completely orthogonal to sentence length and paragraph splitting. (But then, I use uppercase, so maybe I don't understand the dynamic.)
> Now, in something like texting, I understand, when you're trying to type on that teeny phone keyboard. It's harder to hit the shift key when you don't have a spare finger because you're only using one.
Mobile operating systems (or is it just iOS?) by default turn the shift on automatically when starting a new sentence and are pretty consistently fast and right. It’s more surprising to me when someone doesn’t use proper capitalisation from mobile.
It's extremely irritating, distracting, and breaks focus on the content instead of the annoying stylistic choice, just an fyi..but I imagine you probably like that this is true and purposely try to annoy the people that aren't in the little club. If not, then I suggest not doing it. The tone I perceive from it is "F**** the reader"
> ... you probably like that this is true and purposely try to annoy ...
I don't know if you meant to direct this at the person you're replying to but I'm convinced the overwhelming majority of people don't get out of bed in the morning with any of that in mind
It's comments like these that make me reconsider what hateful meanings others might read into my communications or mistakes
Yes I mean this to anyone repeatedly, consciously fighting natural convention and muscle memory to purposely type every letter in lowercase, knowing that this produces in the reader a slight dissonance and distraction constantly, and choosing to do this instead of using convention that everyone understands so that "syntax" does not become the focus and instead the content of the message does.
Otherwise they're "drawing attention" to the style and themselves for narcissistic reasons. I would simply assume they'd have to know the annoyance this brings to the reader, so I assume it's on purpose.
I would feel the same about someone writing code in a consistently purposeful unorthodox style and against convention in such an obvious and effortful way that no one is used to. Personally, and YMMV, I like to try to write in as clear a way as I can to get my point across as much as possible. Useless stylistic fluff in something that isn't poetry, seems counter to that purpose.
>mistakes
It's not a mistake though to ensure every letter one writes is not following convention and English syntax. Accidents and mistakes are a different thing.
Strange to label a failure to capitalize words as a "dumb social media trend", as I'm sure people have been doing that for many years prior to social media.
And nobody tYpEs lIkE tHiS except when making a joke.
> as I'm sure people have been doing that for many years prior to social media.
But now it’s happening more frequently. That’s what “trend” means. It doesn’t mean it never happened before.
> And nobody tYpEs lIkE tHiS except when making a joke.
Just because you don’t know people like that, does not mean they don’t exist. The world is bigger than one person’s knowledge. I personally knew several teenagers who did it for all their communication, before smartphones. The speed at which they were able to do it was astounding.
What do you mean by "before" social media here? Surely not handwritten or typewritered letters, I guess you mean like 2005-2010ish?
The term wasn't popular then but with reddit's and Facebook's infancies being twenty years ago, "social media" (which I understand to refer to platforms where you can talk to people and post things about different topics, so broader and more person-oriented than an SMF forum but narrower than the WWW) have been around for a while
The first time I saw lowercase writing like this was two years ago on the Discord guild/community of a game which got popular on tiktok. I don't know the average age but the (statistical) mode was probably in the range of 13–16
Young people (like me) use lowercaps like that all the time. Around 50% of the young people I know purposefully turn off auto-caps on their phone.
Why? I really couldn't say. I think we just like the feel of it. The only reason I type with proper capitalization on HN and my blog is because I know older people read it.
I’m middle-aged. I’ve noticed in the last few months more and more articles with this style. Something I’ve never seen before in blogging or article writing.
I usually notice the style at some point but this time I had no idea until this other commenter pointed it out. I guess I am getting acclimatized.
the developers working with firebase should enforce common-sense document crud restrictions in the rules. that's just how firebase is. everyone knows it.
now, when talking about ARC BROWSER, i am seriously starting to doubt the competence of the team. I mean, if the rules are broken (no tests? no rules whatsoever?), what else is broken with ARC? are we to await a data leak from ARC?
any browser recommendations with proper vertical tabs and basically everything working like it does in ARC?
but the for-some-reason-not-obvious revelation that it's just a product that some team somewhere is working on and the fact that a browser is an important piece of software brought me back to safari (not sure if joke's on me, but in this case I trust apple engineers to do a more thorough job in ensuring my data is secure).
I did. It’s like 20 % an Arc clone, and 80 % of UX papercuts. Like, you can’t have ‘add tab’ button on top when the new tab gets added to the bottom. Or that one sidebar button opens a side window to the right of the sidebar, while another below it opens the favorites to the left and moves the whole sidebar from underneath your mouse.
Looks like a minimal effort css restyle of Firefox.
i'm rooting for them to succeed, but if the concern is security, switching your daily driver browser to a brand-new browser that's still in alpha is unfortunately not a good idea.
Vivaldi may also be worth a look. Similar setup: User-oriented team, vertical tabs, e2ee sync. If you like a thorough browser history, I think Vivaldi keeps a more detailed browsing history than most other Chromium browsers.
This is a nice investigation and a great read. Sad that they don't normally do bug bounties. $2000 seems small considering the severity of this vulnerability. Though I guess the size and finances of the company is a factor. It takes some serious skills, effort and luck to discover something like that. It should be well compensated.
They claim so much and their browsers' code is 100% proprietary so it's impossiblen to verify their lies. This is what triggered the bullshit detector in my head
> They claim so much and their browsers' code is 100% proprietary
Far from me to defend Arc (I dislike it for several reasons) but it’s based on Chromium so it’s far from 100% proprietary. Don’t Edge, Vivaldi, and even Chrome have proprietary layers on top of the open-source Chromium?
According to this article, Arc requires an account and sends Google's Firebase the hostname of every page you visit along with your user ID. Does this make Arc the least private web browser currently being used?
I trashed Arc immediately after install when I found out having an account was mandatory. That seemed so silly, like toothbrushes-requiring-wifi absurd. How much moreso now.
Truly. I was looking for a privacy respecting Chromium-based browser to use for Web MiniDisc (https://web.minidisc.wiki/) and came across some enthusiastic praise for Arc. I downloaded it and it immediately wanted me to create an account to even use it. How can that possibly respect my privacy? It went right in the trash.
What is also strange that I only found out about account after download. Like it was standard thing for the browser. (Sure there are optional accounts in others but login-walled browser?)
Hilariously (in the absurd way), this affects my girlfriend, who prefers and uses the Microsoft account feature AND onedrive exactly how Microsoft would hope she would, and STILL gets fucked by their stupidity.
Her laptop has a mediatek wifi card that doesn't have built in Windows drivers. Re-installing Windows requires you play the above game, so you can get into Windows, install the driver, and then immediately log into Microsoft.com.
In 2024 it is considered normal for an _operating_system_ to require an account, an information that is potentially passed around to any app running on it.
I had doubts already when submissions promoting the browser were added on hn while there was no way to see how it looks like or even test it out - for quite some time there was nothing but mail singup on their page.
I guess it's relatively easy to test, add the Firebase domain to your host file and point it to 127.0.0.1 and try to use the browser.
Sometimes things like this handle connection failures better than "never-ending connection attempts", so you might want to try to add a throttle or something too for the traffic between the domain and the browser, might also trip it up.
Chrome does not require an account to use. And Chrome by default doesn't send sites you visit to Google, unless you turn on the "make searches and browsing better" feature or the "enhanced safe browsing" feature.
So the OP is right. Arc's privacy is worse than Chrome.
…Firefox as an alternative to Chrome!? Am I really that old!?
I used Chrome for years and years, right from when it first came out. Since then, I switched back to Firefox, and have used it for years. It works perfectly fine.
The super promise died with crypto, now you have to add no backsies. My site uses No Backsies Proofs (NBPs) which are encrypted to prove that all my super promises are backed by a no backsie which is stored in the no backsie vault in Antarctica.
Later on moxie ends up writing a quick review of NBPs
> Instead of storing the data on-chain, NBPs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NBPs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NBP to whatever they’d like at any time (regardless of whether or not they “own” the token). There’s nothing in the NBP spec that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.
this is why my startup is launching backsies rollups for the blob, with null-effect prebacksies. this way everyone can be assured that any backsies issued are technically equivalent to just not making the original agreement! if you can discover a post-agreement backsie within the availability period of 0 days, and we can confirm it, we'll pay you $2,000 no backsies. so we have a market incentive not to lie to you. it's very efficient
I would feel more comfortable if your super promises were all on a blockchain, and we made No Backsie NFTs so people could clearly see these were legitimate and bid on them.
Maybe I am just stupid, but this *super* smells of arc being able to inject whatever they want in to literally any of your websites and this dude just figured out that he could also do that.
This does not seem like a browser capability I want.
Yea if everything else is not enough of a red flag here, the fact that they are sending every single website you visit to Firebase — against stated privacy policies — is the mother of all red flags.
People say they like arc for the UI and there are all alternatives, but do you really want to risk someone stealing your bank creds and stealing all your money for some fancy UI?
> i discovered that there was a arc featured called easels, easels
> are a whiteboard like interface, and you can share them with people,
> and they can view them on the web. when i clicked the share button
> however, there was no requests in my mitmproxy instance, so whats
> happening here?
I first noticed this on a flight to Paris. I was building a Flutter app using Firestore, and tho I had not paid for the onboard wifi (I was doing local development) I was connected and all of my Firestore calls were succeeding.
I thought this was novel, and assumed it was just something to do with websockets, so I switched to another, non-firebase-but-yes-websockets project and noticed it didn't work.
At the time, I debated moving calls to Firebase just so that I could work for free while I was on flights, but realized the ROI wasn't remotely there. Glad to finally have someone else acknowledge it happening, and give some insight as to why.
Some flights have a free tier of wifi that allows messaging apps. Google Voice and Google Hangouts usually work on those so wouldn't be surprised if some other Google services make it through.
537 comments
[ 2.8 ms ] story [ 316 ms ] threadOn the other hand, with security rules you are trying to imagine every possible misuse of the system regardless of what its programmed use actually is.
Tbh you're doing it wrong if you go that way.
Default deny, and then you only have to imagine the legitimate uses.
The same story with default-allow means the system looks like it works fine, and you end up with no security at all.
The correct solution is likely default-deny auth for every single field. Then you at least have to explicitly make the owner field writable, and hopefully consider the impact of transfering this object to another user.
https://en.wikipedia.org/wiki/Neko_(software)
Now that's ruff!!
HN tends to be a little hard on brief comments. My current understanding is that comments with little substance are totally acceptable provided they're good natured.
For example this comment by dang "There's nothing wrong with submitting a comment saying just "Thanks."" https://news.ycombinator.com/item?id=37251836.
Also from the guidelines "Comments should get more thoughtful and substantive, not less, as a topic gets more divisive": this post's topic doesn't likely qualify as divisive.
This is not one of them. In my opinion, this shows a kind of reputation-ruining incompetency that would convince me to never use Arc ever again.
Also, shame on firebase for not making this a bit more idiot proof.
And really? $2500? That’s it? You could’ve owned literally every user of Arc… The NSA would’ve paid a couple more zeros on that.
Not that many. Most power users don't like to be forced for logging in, before they are able to use the browser.
i don't even like logging in WHILE using the browser and have never heard of arc
Then most engineering IC people will most likely run Firefox or Chrome, so you're probably looking at designers/founders/managers as your target.
Probably some interesting targets there, but not the type that the NSA cares about. Just pure conjecture on my part of course ;).
I used it for a while for a very limited use case. Some interesting concepts. Mostly I found it annoying though. I also didn't like the sign-in thing but still wanted to experiment. I have dropped it altogether and kept Firefox as main browser (as it's been for many years) and Safari as a secondary. Both work much better overall for my needs.
If someone finds something cool on the internet. They are going to try it , given that they are capable to do so.
He had a mac so he was able to do so , Even I tried to run arc on windows once when it was really beta and only available to mac (I think now it supports windows not sure)
I just kindly want to state that if the nsa could've bought this exploit , they could've simply waited and maybe even promote arc themselves (seems unlikely)
Maybe they could've tried to promote the numbers of arc users by trying to force google and microsoft search engine through some secret shady company advertising / writing blog posts for arc / giving arch funding or like how we know that there are secret courts in america
( and since these search engines basically constitutes for a high percentage of discovery of stuff by search engine by users)
People could've credited the success to arc in that case for getting more users but the real winner would've been NSA.
How? I have mac as well but when I've download it some time ago it required login. Has that changed?
Everyone else at work likes it, so I signed up with my work e-mail address and use it for work. All of my complicated browsing needs are done for work, so there's a good fit there.
Ye it required login and my brother logged in (just see ! , the amount of friction to login etc. yet my brother , whom I would consider to be a little conscious of security still gave to try it in the first place)
sry if I didn't respond correctly
https://www.boringbusinessnerd.com/startups/the-browser-comp...
That's a year ago. Looking at how upvoted this bug has been, they do have many users
(just imagine , this author was great for telling the company , this is also a cross platform exploit with very serious issues (I think arc is available on ios as well))
how many of such huge vulnerabilities exist but we just don't know about it , because the author hasn't disclosed it to the public or vulnerable party but rather nsa or some govt. agency
only the 17 users they have.
Shouldn't a government sue you if you try to sell him out vuln unless you personally know people in charge?
I was already aware of it when being a noob dev 10 years ago, and could easily write a rule to enforce auth + ownership in the rules. No way, seasoned devs can miss that.
How does The Browser Company make money? They're giving their product away for free.
Browsers are complicated. It doesn't inspire confidence that the folks in charge of that complexity can't get their heads around a business model.
(Aside: none of their stated company values have anything to do with the product or engineering [1]. They're all about how people feel.)
[1] https://thebrowser.company/values/
The biggest opportunity has to be driving search traffic to the major search providers all these browsers partner with.
Could also get acquired by a major browser vendor if you have a better product and people are downloading it more than the major ones, especially if both are based on the same underlying engine. Even Firefox still sucks to this day. I'm using it right now (Waterfox) the product still sucks! I know of some browser vendors acquiring others, especially as mobile took off and it was hard to get it right.
Seems like the opportunity is similar to that of social media but slightly more modern because nobody uses new social media anymore but people are trying out new browsers (and you get richer user/usage data).
Unfortunately you are also describing Mozilla here.
If you're trying to bring value to market, focus on your core differentiator and use existing tooling for your boilerplate stuff.
It’s not only not a smart engineering decision, it’s also a terrible product, reputation and marketing decision.
But I still disagree that the use of Firebase, in and of itself, is a bad engineering decision. It's just a tool, and it's up to you how you use it.
Firebase gives you all features needed to secure your backend. But if you configure it incorrectly, then _that's_ where the poor engineering comes into play. It should have been tested more comprehensively.
Sure. You could build your own backend rather than using a Backend-as-a-Service platform. But for what gain? If you don't test it properly, you'll still be at risk of security holes.
Needs a name. Meowr? Hissr?
My cats would use Yowlr.
Browsers are very important part of our life. If someone compromises our browsers , they basically compromise every single aspect of privacy and can lead to insane scams.
And because arc browser is new , they wanted to build fast and so they used tools like firebase / firestore to be capable of moving faster (they are a startup)
Now I have read the article but I am still not sure how much of this can be contributed to firebase or arc
On the following page from same author (I think) https://env.fail/posts/firewreck-1 , tldr states
- Firebase allows for easy misconfiguration of security rules with zero warnings
- This has resulted in hundreds of sites exposing a total of ~125 Million user records, including plaintext passwords & sensitive billing information
So because firebase advocates itself to the developers as being safe yet not being safe , I think arc succumbed to it.
firestore has a tendency to not abide by the system proxy settings in the Swift SDK for firebase, so going off my hunch,
Also , you say that you have been convinced to never use arc again.
Did you know that chrome gives an unfair advantage to its user sites by giving system information (core usage etc.) and some other things which are not supposed to be seen by browsers only to the websites starting with *.google.com ?
this is just recently discovered , just imagine if something more serious is also just waiting in the shadows Couldn't this also be considered a major security vulnerability just waiting to be happen if some other exploit like this can be discovered / google.com is leaked and now your cpu information and way more other stuff which browsers shouldn't know is with a malicious threat actor ?
But a lot of people use chrome so I wanted to atleast try to give justification on why / how arc messed up so hard.
And browser development is exactly not the area where I would like to see the "move fast, break things" attitude. While firebase may be sloppy with security and thus unfit for certain purposes, I would expect competent developers of a browser to do due diligence before considering to use it, or whatever else, for anything even remotely related to security. Or, if they want to experiment, I'd rather that be opt-in, and come with a big banner: "This is experimental software. DO NOT attempt to access your bank account, or your real email account, or your social media accounts".
With that, I don't see much exploit potential in learning stats like the number of cores on your machine. Maybe slightly more chances of fingerprinting, but nothing comparable to the leak through improper usage of firebase.
But I think that was the whole point of arc , to break the convention and be something completely new
and I have a reason why
They were competing with the giants called google , safari , firefox which have insanely large funding and their whole point was trying to sell something later built on this arc browser.
and since chrome , firefox etc. don't try to come up with these ideas because well security reasons (which I agree to / as seen in the post)
I think arc wanted to seperate itself from chrome / firefox and that's why they became a bit reckless you could say since this exploit was available.
Also the other thing I want to convey , is that "With that, I don't see much exploit potential in learning stats like the number of cores on your machine"
this was only recently discovered. Just imagine the true amount of exploits in these proprietory solutions which we don't know about.
Yeh. Just like a ssh server , I would personally like the source code to be available but developing browsers is time consuming and money intensive for developers but ladybird exists , but its in beta.
that being said , not open source is also that private , (xz) , but atleast it got discovered way quickly and was able to mitigate it quickly
That's pretty interesting. Where can I learn more about this?
https://news.ycombinator.com/item?id=35152419
Yeah so using chrome based browsers like Arc is giving more power to Google to do shady stuff while also being a victim of the third party unsafe code.
TL;DR: it's not possible to export data from Arc, but it's possible to copy-paste the folder to a Chrome profile, and Firefox and other browsers will detect&import it.
Every time I open split views or tabs I curse. I've said this in the past but layering view multiplexors has to be the most stupid modern "super-user" trap. You have the ability to open multiple browser windows and composite them side by side, use it.
Does anyone know of any other browsers that are chromium based and have very little features aside the ability to hide most of the UI?
EDIT: Oh, the date changed; so it was 28 hours until fix. Still decent; and half an hour from initial contact to "Join our slack channel" is incredibly fast response time.
In other words, a quick turnaround with a fix does not lessen the impact of being negligent about security when designing the product.
And yet, so few do. Let's remind ourselves the bar sank into the floor a long time ago.
It's certainly the least a vendor should do, but it's absolutely not the least a vendor could do, as we see the vast majority of vendors do far, far less. It's worth holding people up and saying, "This is how you should be doing it."
There’s a (fairly dated) idiom, “it’s the least I can do”, used when you are offering to do something to make up for a mistake or offense, but the person you hurt says your offer of compensation is unnecessary. For example:
Situation: Person A bumps into Person B in the cafe, causing B to drop their coffee cup.
A: I’m so sorry! Let me buy you another coffee.
B: That’s not necessary - it was an accident, and I had almost finished my drink anyway.
A: It’s the least I can do!
B: Oh, thank you so much!
Buying B a new coffee is not _literally_ the least A could have done - the least A could have done is nothing - but that’s the English idiom. “Can” is acting more like “should” here. You could read it as “It’s the least I can do (if I’m a good person, which I am)”.
The original idiom is said in the first person, and as you say means essentially, "Justice and equity compel me to do this; I don't find myself able to do less".
GGP was actually using a derivative of the idiom in the second person. What the derivative literally says is, "Justice and equity compel them to do this; they don't find themselves able to do less". But idiomatically, what it actually means is, "Justice and equity ought to compel them to do this; they ought not to find themselves able to do any less".
Which is true; but it's still the case that the vast majority of companies find themselves very much able to do far less. Justice and equity should compel companies to do this bare minimum, but in the vast majority of cases it doesn't. And so we should still commend those who do find themselves so compelled, and hold them up as an example.
[some edits]
Phew, glad that's over and will never happen again.
50-60mm cash at 500mm (!) valuation and no business model is a big red flag when it comes to something as important, as personal as a browser. This is not a charity. Someone, somehow will have to pay for that.
Except… the growth hacks have started to creep in. They overlay an advert for their own AI services on top of regular Google search results pages in their mobile app. Not even a browser chrome UI element, it’s literally over the page content. That feels like a huge violation of what it means to be a browser.
I don’t want their AI features. I don’t want growth hacks. I don’t want to sign in except for sync. I’d happily pay $40 a year for Arc as a product-focused-product, but as a VC-focused-product it’s heading downhill.
It's unfortunate that other cross platform browsers have such a strong tendency to phone in these little things, because they really do add up to make for a nicer experience.
This is all really sad news.
I'm definitely not the target audience... Even after reading the faq I have no idea what it does
> Arc is to your ex-browser what the iPhone was to cellphones. Or as one of our members said “like moving from a PC to a Mac.” It’s from the future — and just feels great.
https://en.wikipedia.org/wiki/Neko_(software)
Current version is hard to even see with high-res screens. A few checks shows endless ports, code from the 90s and before, and all sorts of other fun.
Wonder if the author will reply.
Alternatively, if a compiler such as gcc is available, you could also run
Don't worry, it's https ;)
https://en.wikipedia.org/wiki/Neko_(software)
I'm not surprised in the least --- basically the vast majority of software these days is spyware. Looking at Arc's privacy page, it appears to be mainly marketing fluff similar to what I've seen from other companies. I have yet to find a privacy policy that says frankly "we only know your IP and time you downloaded the software, for the few weeks before the server logs are overwritten."
> We’ve fixed the issues with leaking your current website on navigation while you had the Boost editor open. We don’t log these requests anywhere, and if you didn’t have the Boosts editor open these requests were not made. Regardless this is against our privacy policy and should have never been in the product to begin with.
Not with those exact words, but that’s Alfred. Server connections are done only to validate the license and check for updates, and you can even disable that.
https://www.alfredapp.com/terms/
> Alfred only contacts our server when activating your Powerpack license in order to validate it, as well as periodically checking for new software updates. You can disable the software update check in the Update preferences, but we recommend keeping this enabled to ensure that you always have the latest version for security reasons and to make the most of the awesome new features!
I'd rather a company have simple goals that can be explained in a sentence or two. No hand wavey BS like "we care about your privacy"
Also, for anyone trying to read the article, they should put `/oneko.js` in their adblocker.
Only if you hate cats, pixel art, or are easily distracted.
Or maybe the cat doesn't support Firefox...
Which is scary come to think of it.
I think Apple is starting to sync too much...
Either way, you can disable syncing of system settings.
No, because I disabled motion on my phone because the wiggling of icons on the main screen annoyed me, not because I have motion sickness. Nothing wiggles on the desktop (yet). This option doesn't even belong in accessibility IMO, it should be a "stop annoying me" section.
> Either way, you can disable syncing of system settings.
Where? The same spot where I can disable syncing the clipboard? I.e. somewhere deep in an undocumented file?
I genuinely wish you a calm weekend and peaceful start of the week.
I'm not very familiar with Firebase. In what way is it broken and what issues does it cause?
There are security rules in Firebase to prevent this, but bolt-on security models that the user has to explicitly enable haven't shown to work.
Am I wrong in thinking that with this vuln you could drain any financial accounts that they log into Arc with? Or, if they use Arc at work, that you now have a way to exfiltrate whatever data you want?
A browser vuln is about as bad as an OS vuln considering how much we use browsers for.
That's why brokerages like Zerodium exist - you can sell it to them, and they'll sell it onto state actors.
Probably you're just used to a relatively good life, not a bad thing :)
Image being able to sell this off for $20,000 (although I think you could ask for more, seems to be a really bad vulnerability) in a marketplace, for >90% of the world that's a pretty good amount of money that you could survive a long time on or add a lot of additional quality to your life.
I would go the other way, companies offer low bug bounties because they don't want researchers to discover them in the first place. This looks terrible for Arc despite the fact if left undisclosed it probably would have continued to be unexploited for years to come.
Honestly I strongly feel the title should be “fundamental bug in Arc browser (CVE 123-4567)” or similar.
/s
[1] https://resources.arc.net/hc/en-us/articles/19212718608151-B...
It has seeped into HN as well. Look closely and you’ll notice several commenters type like that.
lowercase without caps reads with a warmer, informal tone
there’s a Tom Scott Language Files video documenting it: https://www.youtube.com/watch?v=fS4X1JfX6_Q
I wonder if this is a regional or generational thing?
Generational is a good bet:
https://news.ycombinator.com/item?id=41537994
You highlight stylistic choices. I'd say we can observe the differences in different styles and see how uses them. Is Trump writing in all lowercase? No. Is this poster writing like Trump? No. Do a lot of left-wing people use the all-lowercase style? I see it all the time, yes.
Personally, and I’m certain I’m not alone on this, it reads as annoying. It’s harder to follow and looks as if the writer didn’t care to do the bare minimum to make the text accessible and clear to the reader.
> there’s a Tom Scott Language Files video documenting it
Per that video (thank you for sharing), capital letters “make a paragraph easier to read” and “context matters” and “the conventions change fairly quickly” and typing in all lowercase is “sometimes okay”.
This is a post documenting a serious browser vulnerability, shared to the wide internet, not an informal conversation between buddies. Clarity matters. I don’t fully buy the tone argument and find words and sentence structure are more important. Take the following two examples:
> Just heard about your promotion, you beautiful bastard! Let’s go get pissed to celebrate, on me!
And:
> good afternoon mrs bartlet. the limousine will be available in twenty minutes. i would also like to apologise for my behaviour yesterday when i inadvertently insulted your husband it was a faux pas i promise will not be repeated. my resignation will be on your desk by noon.
I get that language evolves. You do you. Personally I hope this trend subsides like so many others before it. Maybe you don’t like to read properly structured text and prefer all lowercase. My preference is the reverse. And that’s OK, we don’t all have to be the same. I merely wish that people who prefer a certain style understand not everyone will see it the same way they do (and I’m including myself).
No, it reads as "I'm uneducated and don't know how to write the English language properly". It's incredibly obnoxious for people to use as an affectation.
It's more of a jerk move when it's done on a discussion board, because what you write once is read multiple times. So the cost multiplies, but (if due to laziness) the benefit only occurs once.
Now, in something like texting, I understand, when you're trying to type on that teeny phone keyboard. It's harder to hit the shift key when you don't have a spare finger because you're only using one. But for something like here, take the time and the effort to make it better for your readers.
When texting on a phone, the default is to automatically capitalize. Using all-lowercase requires more work than doing nothing. It isn't lazy or even more efficient to go back and replace your "I"s with "i"s. With the right reader, it's done to give them a better idea of the tone you wish to deliver.
With that said, it requires a certain degree of audience awareness. Many people do not interpret lack of capitalization the same way I do, as evidenced by this thread. On my phone, I have auto-capitalization disabled. When texting someone for the first time, I tend to use proper capitalization, even if I want a casual tone. I just did a typing test with capitalization and punctuation and scored 55 wpm on my phone. It's a choice I make and it varies based on audience, and intended tone. Effort, on the other hand, is not a factor.
It's just a habit from chat rooms and instant messengers of the beginning of this century. Most of my mates who write like that are well over 30.
This whole subthread is one projection after another.
Mobile operating systems (or is it just iOS?) by default turn the shift on automatically when starting a new sentence and are pretty consistently fast and right. It’s more surprising to me when someone doesn’t use proper capitalisation from mobile.
I don't know if you meant to direct this at the person you're replying to but I'm convinced the overwhelming majority of people don't get out of bed in the morning with any of that in mind
It's comments like these that make me reconsider what hateful meanings others might read into my communications or mistakes
Otherwise they're "drawing attention" to the style and themselves for narcissistic reasons. I would simply assume they'd have to know the annoyance this brings to the reader, so I assume it's on purpose.
I would feel the same about someone writing code in a consistently purposeful unorthodox style and against convention in such an obvious and effortful way that no one is used to. Personally, and YMMV, I like to try to write in as clear a way as I can to get my point across as much as possible. Useless stylistic fluff in something that isn't poetry, seems counter to that purpose.
>mistakes
It's not a mistake though to ensure every letter one writes is not following convention and English syntax. Accidents and mistakes are a different thing.
And nobody tYpEs lIkE tHiS except when making a joke.
It’s not a failure, it’s a conscious choice.
> as I'm sure people have been doing that for many years prior to social media.
But now it’s happening more frequently. That’s what “trend” means. It doesn’t mean it never happened before.
> And nobody tYpEs lIkE tHiS except when making a joke.
Just because you don’t know people like that, does not mean they don’t exist. The world is bigger than one person’s knowledge. I personally knew several teenagers who did it for all their communication, before smartphones. The speed at which they were able to do it was astounding.
The term wasn't popular then but with reddit's and Facebook's infancies being twenty years ago, "social media" (which I understand to refer to platforms where you can talk to people and post things about different topics, so broader and more person-oriented than an SMF forum but narrower than the WWW) have been around for a while
The first time I saw lowercase writing like this was two years ago on the Discord guild/community of a game which got popular on tiktok. I don't know the average age but the (statistical) mode was probably in the range of 13–16
Why? I really couldn't say. I think we just like the feel of it. The only reason I type with proper capitalization on HN and my blog is because I know older people read it.
I usually notice the style at some point but this time I had no idea until this other commenter pointed it out. I guess I am getting acclimatized.
using lowercase is for chat (less formal)
now, when talking about ARC BROWSER, i am seriously starting to doubt the competence of the team. I mean, if the rules are broken (no tests? no rules whatsoever?), what else is broken with ARC? are we to await a data leak from ARC?
any browser recommendations with proper vertical tabs and basically everything working like it does in ARC?
but the for-some-reason-not-obvious revelation that it's just a product that some team somewhere is working on and the fact that a browser is an important piece of software brought me back to safari (not sure if joke's on me, but in this case I trust apple engineers to do a more thorough job in ensuring my data is secure).
Looks like a minimal effort css restyle of Firefox.
Vivaldi may also be worth a look. Similar setup: User-oriented team, vertical tabs, e2ee sync. If you like a thorough browser history, I think Vivaldi keeps a more detailed browsing history than most other Chromium browsers.
Far from me to defend Arc (I dislike it for several reasons) but it’s based on Chromium so it’s far from 100% proprietary. Don’t Edge, Vivaldi, and even Chrome have proprietary layers on top of the open-source Chromium?
[0] witness the magic incantations needed https://www.tomshardware.com/how-to/install-windows-11-witho...
Her laptop has a mediatek wifi card that doesn't have built in Windows drivers. Re-installing Windows requires you play the above game, so you can get into Windows, install the driver, and then immediately log into Microsoft.com.
>"Why does Arc require an account to use?"
The answer is:
>"Here's a link to our forum that explains the rationale behind requiring an account to use Arc: Why do I need an account?"
That link goes to here: https://resources.arc.net/hc/en-us/articles/19401542261911-B...
Which... Doesn't explain why you need an account!
https://news.ycombinator.com/item?id=35801529
Sometimes things like this handle connection failures better than "never-ending connection attempts", so you might want to try to add a throttle or something too for the traffic between the domain and the browser, might also trip it up.
> https://arc.net/
I guess now we know why they frame it that way.
So the OP is right. Arc's privacy is worse than Chrome.
I mean, even Google suggests doing this with sensitive data.
EDIT: seems to be a browser or so?
Browsers are hard and my only choice has been chrome and will remain so for the long foreseeable future.
When I was younger I would enjoy switching to firefox, opera, etc..
But I always came back to chrome because it just worked and always performed when I needed.
Chrome/chromium is the safest browser.
People tend to fall for the shiny new thing and then realize it was just hype.
Please be very careful about what software you choose to perform most of your activities.
The same applies to these “new ai IDEs” that keep popping up every other say.
I used Chrome for years and years, right from when it first came out. Since then, I switched back to Firefox, and have used it for years. It works perfectly fine.
Why do you say that?
2. I don't know how accurate it is in 2024, but there are comparisons like https://madaidans-insecurities.github.io/firefox-chromium.ht... out there.
People often confuse these two, but they’re the polar opposites.
That's pretty bad, whether or not they track these requests, just seems wasteful.
> firebase .collection("boosts") .where("creatorID", "==", "UvMIUnuxJ2h0E47fmZPpHLisHn12") .where("hostPattern", "==", "www.google.com");
> the hostPattern being the site you visit, this is against arc's privacy policy which clearly states arc does not know which sites you visit.
We don’t know which websites you visit
> Instead of storing the data on-chain, NBPs instead contain a URL that points to the data. What surprised me about the standards was that there’s no hash commitment for the data located at the URL. Looking at many of the NBPs on popular marketplaces being sold for tens, hundreds, or millions of dollars, that URL often just points to some VPS running Apache somewhere. Anyone with access to that machine, anyone who buys that domain name in the future, or anyone who compromises that machine can change the image, title, description, etc for the NBP to whatever they’d like at any time (regardless of whether or not they “own” the token). There’s nothing in the NBP spec that tells you what the image “should” be, or even allows you to confirm whether something is the “correct” image.
This does not seem like a browser capability I want.
People say they like arc for the UI and there are all alternatives, but do you really want to risk someone stealing your bank creds and stealing all your money for some fancy UI?
Interestingly enough, contains a field for entering your Father's name (but not your mother's).
I thought this was novel, and assumed it was just something to do with websockets, so I switched to another, non-firebase-but-yes-websockets project and noticed it didn't work.
At the time, I debated moving calls to Firebase just so that I could work for free while I was on flights, but realized the ROI wasn't remotely there. Glad to finally have someone else acknowledge it happening, and give some insight as to why.
After seeing this level of incompetence, I am happy they didn't attempt that.
Yet.