I wonder how long it takes until this trade war moves to the digital stage. It wouldn't be surprising to see that software license fees start increasing if this tit-for-tat continues for much longer.
Hopefully Jimmy finds out a good approach for monetization here. I would actually like for my org to pay for MediatR since it's a crucial component in many a project. Donations are so difficult from an organization viewpoint...
When I was figuring out what reader to put in my ancient android 5 tablet (dedicated for offline ebooks) I tried KO, but the UI was way too complex. I've since been happy with Librera, but seeing all this high praise, it seems that I need to revisit KO.
Nice to see there are multiple open source readers going strong!
My wish for this Christmas is for some large-ish organization to pull this off and then release a series of blogs discussing the tradeoffs. It's such a steep hill to climb, I think many believe it impossible unless there is a success story to refer to.
Zen has quite a nice array of keybinds available in their basic settings menu. Just had a conflict of ctrl+shift+l opening some dev tools window instead of BitWarden, and the browser hotkey was easy to change. Speaking of keyboards, Tridactyl (https://docs.zen-browser.app/faq#how-can-i-sync-my-data-acro...) works out of the box in Zen as well.
Better than the default, but not a nice one - the basics of tab navigation (previous/next) are missing, and you can't assign multiple shortcuts to a command.
And extensions don't cover it since they fail outside of a webpage context, so if you have a key to change tabs, you can't just (reliably) use it - it will break your changing sequence once you switch to a protected Settings tab.
As someone who is greatly motivated to move off Azure (to on-prem, not to another cloud), do you know of any good collection of Azure security issues I could use as 'ammunition'? Would be greatly appreciated!
I have some notes somewhere but unfortunately they don't have citations; these are just some of the vulns they've had in the last couple of years:
• Storm-0558 Breach (2023): Chinese hackers exploited a leaked signing key from a crash dump to access U.S. government emails, affecting 60,000+ State Department communications
• Azure OpenAI Service Exploitation (2024): Hackers bypassed AI guardrails using stolen credentials to generate illicit content, leading to Microsoft lawsuits against developers in Iran, UK, and Vietnam
• CVE-2025-21415 (CVSS 9.9): Spoofing vulnerability in Azure AI Face Service allowed authentication bypass and privilege escalation
• CVE-2023-36052: Azure CLI logging flaw exposed plaintext credentials in CI/CD pipelines, risking sensitive data leakage
• Azurescape (2022): Container escape vulnerability enabled cross-tenant access in Azure Container Instances, discovered by Palo Alto Networks
• ChaosDB (2022): Wiz researchers exploited CosmosDB’s Jupyter Notebook integration to access thousands of customer databases including Fortune 500 companies
• Executive Account Takeover Campaign (2024): Phishing campaign compromised 500+ executive accounts via Azure collaboration tools with MFA manipulation
If your company or workplace is considering migrating from cloud to on-prem or from one cloud to another, I do this professionally btw, feel free to reach out at this temporary email and we can chat: pale.pearl2178 at fastmail.com (to prevent my real email being scraped from HN).
Security issues/CVEs should never be used as a motivation to get off of a particular platform, otherwise we'd never use Linux, macOS, or Windows (I hope you're a fan of OpenBSD... sometimes).
If these issues remain unfixed after being disclosed, or there's a pattern of fixes that took much longer than you feel they should have, that's valuable ammunition as it shows the organization isn't responsive to security issues.
I agree you shouldn't write off any platform/software/etc based solely on the number of vulnerabilities. I also agree that how responsive they are to fixing things is a factor to consider. But I think that's only _a_ factor.
Take something like a container escape vulnerability.
We could have Vendor A where they're just running containerd on a bunch of hosts on a single network segment and throwing everyone's containers at it so a container escape vulnerability essentially gets you access to everything any of their customers are running.
Whereas Vendor B segments running containers into VMs, so a container escape vulnerability means you can only access your own data. Not great because if one container is compromised that gives them a path into the rest of your workloads, but at least I know they're maintaining a pretty solid wall between tenants.
Then there's Vendor C that actually runs containers using some micro-VM framework so each container is running fully isolated by a hypervisor with a fully separate emulated network stack, etc., so the escape really gets them no more access than they had inside the container.
A pattern of issues like Vendor A is, well, a pattern. A series of issues that show their systems are fundamentally not designed for proper isolation between tenants and are lacking defense-in-depth measures to mitigate the fallout of the inevitable security issues is a very good reason to write off Vendor A regardless of how quickly they respond to the issues.
I'm not going to go back and review all the Azure issues, but my recollection from the few writeups I've read definitely paints a picture of a lot more "Vendor A" type issues than I'd be comfortable with.
All of this presupposes that whatever you implement yourself will be more secure and/or that you have the budget to even begin to approach the same level of security.
I’ve been there, done that, and was amazed how the security aspects only rapidly escalated to many millions of dollars and an ongoing cost also in the million or two range!
Think of this like a CEO: they’re less worried about Chinese hackers and more worried about insider attacks. They’re much more common and do way more financial damage.
The cloud automatically provides separation of roles because an entirely different vendor is in charge of the lower layers, such as networking and storage.
Do you have any idea how hard it is to prevent a smart sysadmin from simply copying all data to a USB drive and walking out of the building with it?
That’s much harder when everything is on a managed hosting platform and no single person can access all accounts / subscriptions.
They’ve improved a lot, but their Achilles heel used to be that the only way they could achieve more challenging compliance requirements was to have multiple segmented clouds.
With Office 365, for example, they had at least 4 government clouds, some of which used shared infrastructure with Azure commercial, but had different data residency or employee requirements. They have thousands of employees monitored by all of the states as a condition of working on those clouds, for example.
Technical controls are similar, but the weak points are things that can cross cloud boundaries. One of the Chinese breaches of US government systems was caused by a PKI vulnerability that allowed the attacker to pivot from a dev environment to a federal cloud instance.
Not strictly security, but there are several long-standing issues with Azure DevOps build pipelines and Artifacts feeds. Using a private artifact feed in your pipeline inexplicably adds minutes to the amount of time it takes to restore packages. And publishing C# NuGet packages together with the source/symbol files is a poorly supported and poorly documented mess (it doesn't help that NuGet support in the dotnet CLI is missing support for important and long requested features only available by using the full fat NuGet client or MSBuild directly).
I've been loving Kagi search and am really looking forward to Orion being available outside Apple land. You can join the email list here: https://kagi.com/changelog#6479
I'm a bit worried that Kagi might be over-extending here. Instead of focusing and capitalizing on search, they're expanding to the difficult business of browsers. I'm always hesitant when companies try to do everything everywhere all at once, since that might cause a loosening of focus on the original product.
I hope them all the best nonetheless - people actually paying for software is due a comeback!
Trying to use Kagi with other browsers lays bare the depth of collusion between browser makers and search providers. Getting out from under all that makes Kagi a whole lot more seamless and useful.
It’s ironic that it is its own tight collusion, with the difference that you can use Orion just as well with any other search providers as with Kagi.
So yeah, it seems like a departure from search, until you consider that for the features that make Kagi a worthwhile search product (privacy, neutrality, etc), “you can’t get there from here” with the other browsers.
This is something I don't understand. Kagi has been my only search engine since they dropped the price to $10/mo. I've only ever used Kagi with Firefox, and I use it on Linux, Windows, and Mac. I just add it to my search engines and set it as default, which takes about 15 seconds.
Everything seems to just work seamlessly. Searching in private windows works without any configuration or token juggling.
I have never tried the Orion browser or the extension because I don't understand the problem that they allegedly solve.
To set it as your default search engine on iOS, you need to first install a separate Kagi Search app from the App Store, enable the extension, and then dig through some fairly obscure Safari settings so that the Kagi app can run with enough permissions to intercept/redirect search URLs for other search engines.
So now when I search in Safari, the browser says “DuckDuckGo Search” but when I hit return Kagi jumps in. I also had to turn off search suggestions because those (as far as I know) would still come from DDG.
This seems more like an indictment of iOS than collusion between search and browser vendors. I'm using Kagi as my default search on Android, Linux, Mac, and Windows, both Chrome and Firefox. The kind of nonsense you're describing is why iOS doesn't show up in my list of devices.
My point was more that you claimed to not understand and I was just providing an example where it does take longer than “15 seconds” to switch to Kagi.
iOS/iPhone has the majority mobile market share in many countries including the United States. If you’re unaware, Google is currently being sued by the US government for establishing a monopoly over search engine placement including payments to Apple and Mozilla to keep Google as the default search engine. So, with that context, can you honestly say there’s no collusion between search providers and browser vendors?
> My point was more that you claimed to not understand and I was just providing an example where it does take longer than “15 seconds” to switch to Kagi.
It's an example, but it's not an example that proves the point.
> iOS/iPhone has the majority mobile market share in many countries including the United States. If you’re unaware, Google is currently being sued by the US government for establishing a monopoly over search engine placement including payments to Apple and Mozilla to keep Google as the default search engine. So, with that context, can you honestly say there’s no collusion between search providers and browser vendors?
Yes, easily.
The comment was talking about depth of collusion in making it significantly not seamless. But even with Google pushing a default, it's a trivial switch on Android.
On top of that, Google pushing their search engine onto Android phones has nothing to do with "browser vendors". It's a different topic.
So I say Android is not an example, and desktop is fine, leaving the only example of problems as Apple. Even if I think that's collusion, just Apple doing a thing is not collusion over the general market of browser makers. But I'm also skeptical that it's collusion. Apple always offers limited choices and bad customizability.
I find it hard to believe that Google just happens to be the default search engine everywhere. And that the best user experience for Apple’s users is to have a search engine list that you have to pay to be on. And that if you change your default search engine or browser newtab half the browsers out there will nag you to switch it back for “security”. And if you visit the internet’s home page on anything other than Chrome you get bombarded with popups compelling you to install Chrome.
If you’re not aware of the “collusion” you might just be asleep at the wheel. You may be right semantically, though: it might not really be collusion—it’s simply light of day bribery.
> I find it hard to believe that Google just happens to be the default search engine everywhere.
I didn't say there wasn't collusion of any kind. I said Google being the default on android is not collusion with browser vendors.
And on Windows, Bing is the default.
> And if you visit the internet’s home page on anything other than Chrome you get bombarded with popups compelling you to install Chrome.
Self-promotion is not collusion.
Also critical to my point is that collusion to set a mere default is not what the original comment was talking about. You don't need to switch your browser to "lay bare the depth" of a default. They were talking about something much stronger.
The point is there are non-trivial examples where it’s really hard to switch your default search engine away from Google/Bing because all paths lead back to them (via platform self-promotion and paid placement). One might even argue that the dominant search engine owning the dominant user-agent is implicitly illegal (and thus I guess collusive, but I digress). I don’t really know what we’re arguing anymore. I think everyone knows that it’s not universally easy to switch your search engine. The fact that there are good examples like Android does not invalidate the bad examples like *OS and Windows. It’s difficult enough that I can’t believe it’s all natural and organic. Money is changing hands and/or the spirit of existing laws is being ignored to enforce or at least maim the optimal-for-users search experience. Certainly we can agree on that much.
> The point is there are non-trivial examples where it’s really hard to switch your default search engine away from Google/Bing
Bing is the only one you really get stuck with, and that only happens outside of the browser. You can change the search engine for searches started inside of Edge.
Bing is also not an example of collusion. It's Microsoft promoting Microsoft.
> I don’t really know what we’re arguing anymore.
Here is what I'm arguing: If you want to say there is a mixture of different types of collusion and monopolistic self-pushing connected to search engines, I agree with you. But the claim earlier was about a very specific type of [deep] collusion, that would make it difficult to change the search engine that a browser uses, that is easy to see when trying to use Kagi. But that difficulty only exists on iOS. It's not true in general. (And I'm not convinced that the specific issue on iOS is a collusion problem rather than an Apple-knows-best problem.)
Google pays to be the default. AFAIK they don't pay to make the switching experience maliciously difficult. After all, the switching experience on Android is dead simple. That seems to be another unilateral decision by Apple to keep you in your lane.
> To set it as your default search engine on iOS, you need to first install a separate Kagi Search app from the App Store, enable the extension, and then dig through some fairly obscure Safari settings so that the Kagi app can run with enough permissions to intercept/redirect search URLs for other search engines.
And worse, even then it will then only work (at least for me) about 3 times of 4. The other times it will give you the "dummy" site you don't want, and you'll have to reload to get Kagi. Or sometimes it will reload for you after an indeterminate delay, sometimes even after you've already clicked through to a result.
I'm still (mostly) happy with Kagi, but I gave up using their extension for Safari on desktop. I'm having much better luck using a custom redirect in StopTheMadness. I'm not sure what they do differently, but setting Safari to use Ecosia and redirecting with StopTheMadness seems to avoid the problems I was having with Kagi's dedicated extension.
If I understand your response correctly, it boils down to "specific browsers do irritating things".
So I honestly still do not understand. It does not make sense for the raison d'être of the Orion browser to be "we don't do the irritating thing that Safari does" when most other browsers also don't do that thing. But clearly people want to use the Orion browser. So I guess I'm just (still) missing what the point is.
That extension intercepts the queries. Kagi couldn't make it any other way. And I don't mean this as a grievance against Kagi, but against Apple's policies.
It’s Safari you’re talking about. All other browsers, even Chrome, support arbitrary default search engines, while Safari doesn’t even support them via extension, requiring ugly redirect hacks. Privacy Pass is similar, with all browsers letting you implement it as an extension, except Safari. The problem is entirely and only Safari.
> Trying to use Kagi with other browsers lays bare the depth of collusion between browser makers and search providers.
Absolutely. Safari not offering any way to add Kagi without weird hacks or extensions is absurd.
I get the case for search engines paying browser vendors a cut for being the default, but still getting paid after the user has overridden that selection is already somewhat dubious, and not allowing the user to fully provide their own query URL at all should be illegal.
I'm curious how you think this can be analyzed effectively.
Yes, I'm aware of bytecode analysis, but that's a slow difficult process, and for browsers, the release cycle is short enough that by the time you're done analyzing the current version, a new version is out, and it's significantly harder and less useful to diff a binary, so you end up having to basically start the analysis over for the new version. Unless there's something going on here that I don't know of, that's simply not a viable means of keeping track of browser security.
Evaluating browser security is hard. Checking privacy guarantees is easy: you can just look at the traffic it generates. Vlad has a pretty simple and quite strong policy that Kagi doesn’t phone home unless you agree to it. If you find it does otherwise (should be pretty easy to monitor) you should take it up with him.
Malicious software has a long history of detecting monitoring so it can avoid detection. A closed-source browser with backdoors can detect Wireshark, Little Snitch, or whatever you're using to detect outgoing connections, and not connect while those programs are running.
The problem is even more insidious when you're making regular expected connections to a site that the browser creator controls. Many (most?) Orion users are already connecting to Kagi on a regular basis, so they can simply wait until the user logs in to Kagi and smuggle out the data they've collected along with the login request.
In the most extreme case, the browser can not exfiltrate any data at all unless triggered to do so. In this case, the attacker targets specific victims to exfiltrate data from, but avoids exfiltrating from any security researchers or knowledgeable users who might be running software to detect the exfiltration.
In short, the goal here is for those of us with more knowledge to be able to verify the software for every user, because not everyone is capable of monitoring their outgoing traffic effectively, and it's far too easy for backdoored software to simply not phone home when it's being monitored.
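The "just look at the traffic" approach from a few comments up, as an added example that is not part of any comment in this thread: a small allowlist-plus-baseline check over a constructed outbound-connection log. It flags connections to hosts the app is not expected to talk to, and, for the hosts that are expected, uploads far larger than that host's median, which is the "smuggle it out with the login request" case. The log format, the host names and the 4x-median threshold are assumptions made for this example; a clean result here shows only that nothing was observed during the capture, which is exactly the limitation the commenter is pointing at.

```python
"""Egress baseline check over a constructed connection log (added example).

Assumed log line shape (not from the thread): "<timestamp> <process> <host> <bytes_out>".
"""
from __future__ import annotations

import statistics
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a browser that normally sends small requests to one vendor host,
# then one oversized upload to that host and one connection to an unexpected host.
SAMPLE_LOG = """\
2024-01-10T09:00:01Z browser kagi.com 512
2024-01-10T09:05:12Z browser kagi.com 498
2024-01-10T09:10:44Z browser kagi.com 530
2024-01-10T09:15:03Z browser kagi.com 505
2024-01-10T09:20:19Z browser kagi.com 41987
2024-01-10T09:22:30Z browser telemetry.example.net 2048
"""

# Hosts the application is documented/expected to contact (assumed for the example).
ALLOWED_HOSTS = frozenset({"kagi.com"})


@dataclass(frozen=True)
class Record:
    line_no: int
    timestamp: str
    process: str
    host: str
    bytes_out: int


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    bytes_out: int
    reason: str


def parse_log(text: str) -> tuple[list[Record], list[Finding]]:
    """Parse log lines; malformed lines become findings instead of being silently dropped."""
    records: list[Record] = []
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 4 or not parts[3].isdigit():
            findings.append(Finding(line_no, "?", 0, "unparseable line"))
            continue
        timestamp, process, host, nbytes = parts
        records.append(Record(line_no, timestamp, process, host.lower(), int(nbytes)))
    return records, findings


def find_anomalies(
    text: str,
    allowed: frozenset[str] = ALLOWED_HOSTS,
    factor: float = 4.0,
    min_samples: int = 3,
) -> list[Finding]:
    """Flag (1) hosts outside the allowlist and (2) uploads to allowed hosts that exceed
    factor x that host's median upload size, once at least min_samples are available."""
    records, findings = parse_log(text)
    sizes: dict[str, list[int]] = defaultdict(list)
    for r in records:
        if r.host not in allowed:
            findings.append(Finding(r.line_no, r.host, r.bytes_out, "host not in allowlist"))
        else:
            sizes[r.host].append(r.bytes_out)
    # Median is used as the baseline because a single large exfiltration barely moves it.
    baseline = {h: statistics.median(v) for h, v in sizes.items() if len(v) >= min_samples}
    for r in records:
        med = baseline.get(r.host)
        if med is not None and r.bytes_out > factor * med:
            findings.append(
                Finding(r.line_no, r.host, r.bytes_out,
                        f"upload {r.bytes_out}B exceeds {factor}x median {med:.0f}B")
            )
    return sorted(findings, key=lambda f: f.line_no)


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.host} ({f.bytes_out} B) - {f.reason}")
```

On the constructed log this reports line 5 (the 41987-byte upload to the expected host) and line 6 (the unexpected host). The baseline is per host and median-based so that the anomaly itself does not pull the threshold up; an app that only exfiltrates when it is not being watched will, of course, produce a clean log, which is why the thread's argument lands on source-level verification rather than traffic capture alone.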
This is true of open source software too. At some point you have to trust that the software you run is not designed to act like malware, because if it is actually backdoored your life is going to be miserable regardless.
Huh? It's not true of open source software at all.
With open source software, you can read the source and verify that it doesn't have backdoors. With reproducible builds, you can verify that distributed binaries are the result of building the source code you've verified.
Honestly, if you couldn't figure out that this was going to be my response, you simply don't have the knowledge to be commenting on this topic. I didn't come up with anything I've said here myself, it's pretty basic, widely agreed-upon understanding of why open source is generally more secure. The only people who actually know the topic who "disagree" on this generally have a vested interest in some closed-source software they want to be seen as secure.
I doubt this is the case. They were working on a prototype back in October 2023 [1], but then the contractor bailed out [2], but now they have (probably different) people working on it.
I think this is correct. I refuse to touch Chromium with a ten-foot pole, but there aren't really any other options on Linux. (Yes, there is LibreWolf and other forks, but I doubt any have the resources to "go it alone" should Mozilla fold or go completely turncoat.)
The closest extant option is something like GNOME Web (also based on WebKit like Orion) but the lack of extension support and poor performance makes it a non-starter.
As someone who already pays for Kagi search, Orion will definitely be on my radar. I'll gladly volunteer $5/mo if I can just copy-paste my extensions unchanged and keep browsing.
WebKitGTK performance has improved a ton in the past few releases. Orion will ofc match that. Also working on WebExtensions in upstream, hopefully by end of year.
Having been wondering what their cross platform plans for Orion were the other day and seeing this in the FAQ I don't think it's fair to frame it as small potatoes work just because it could have been even harder. It's still real work and a significant effort. https://help.kagi.com/orion/faq/faq.html#other_os_support:
"Are there plans for a Windows/Linux/Android version of Orion?
We currently do not have the resources to hire a new team to do any of these platforms yet.
Since Orion is funded by its users only, it is entirely up to the number of subscribers and Orion+ sales we have that will enable funding a new team to make Orion for any new platform. And building a browser is not cheap, especially one on top of WebKit."
Interesting that they concluded Linux was the next most worthwhile one to target, but I suppose it is probably more popular with users attracted to Kagi/Orion.
The CEO of Kagi has fairly strong views on user privacy as far as I can tell. I don’t know what his opinion of Windows is, but I’m willing to bet there’s a personal dislike of Windows and Android that is at least partially affecting the decision-making process here.
They also don’t seem like they’re trying to go big, just stay profitable.
Sure, can be. On the other hand, most people are running Google’s Android or a PRC-market exclusive offshoot on Samsung, Xiaomi, Huawei and OnePlus phones. That’s Android. Everything else is a rounding error.
That seems like saying people who climb Everest are not starting in the Mariana Trench. The fact you could have made it ten times harder doesn't necessarily stop it being foolhardy.
Wrong analogy if you ask me. Building a browser without the render engine and scripting engine is a walk in the park compared to building the entire thing, which would correspond to climbing Mt. Everest.
Kagi mixes many different sources, including some from their own indexes. They lean heavy into the "try to answer using an integration with a more focused oracle" rather than the "throw as many sites at the user as possible" approach.
I'm a Kagi user and did a couple of test searches just now. Ignoring inserts like image results and "related searches" and so on, the results were completely different.
Note that if this were true, Kagi brings features to the table that make it worth the price. For one, it allows you to prioritize/deprioritize sites, and it allows you to block sites from all search results.
It’s a little deceptive. While early work began on Kagi prior to Orion, Orion launched prior to Kagi becoming GA. I think that can be interpreted in relatively different ways, mine being that I got to experience Orion as a product before Kagi. Anyway thanks for the timeline link.