I've used Wiz in a previous job. It's a good product. I don't know if they invented disk snapshot based security scanning, but they certainly popularized it.
Companies like CrowdStrike have copied a lot of what Wiz has been doing (and I'm sure Wiz has copied some CrowdStrike features).
This announcement is pretty disappointing to me. I would have more faith in Wiz as an independent company than as part of Google. I expect their innovation to fall off a cliff.
The browser has less access to your system, and usually only if you give a specific website permission to use these features. Mobile operating systems are slowly changing that though.
What should checking the available web APIs imply? The comment is correct: the browser can't access your location without explicit confirmation from the user, and the same applies to other web APIs. Or at least mention a bunch of them which you know don't apply instead of linking MDN.
The more APIs available for JS to interact with, the more granular and detailed browser fingerprinting can be. For example, how your browser renders WebGL can differ depending on what graphics card (and drivers) you have. The resulting values can be read back and stored to create a detailed fingerprint of who you are -- this could potentially be done by Google Fonts or AdSense or any number of the countless ad and analytics frameworks loaded on basically all websites.
Browse the source in the following directory to see a plethora of examples of how web APIs are used to fingerprint users -- and this is just one publicly-accessible library we can easily review the source code of (proprietary, obfuscated ones likely use additional methods): https://github.com/fingerprintjs/fingerprintjs/tree/master/s...
One example used in multiple places in the above repo is "matchMedia"[0] which was a Web API method added a while ago (well, many years ago) to give a programmatic result of whether a given CSS media query matches or not. This can be used to detect, for example, user preferences like whether the display is HDR-capable[1], or the Accessibility setting "reduce motion" is enabled[2].
What is contained in the latest JS standard that lets you collect fine-grained information about your users without their consent? Web APIs that have to deal with sensitive data all require explicit user confirmation to be used.
At least on Android the browser is limited by the Android permission system, i.e. if you don't give the browser GPS permission it cannot give pages ditto. In addition the browser will ask if you want to grant an app access to something like positioning data.
Furthermore, it is hard for a web page to run in background and receive user data.
There's a legendary Reddit comment that lays out the many, many other ways winning the lottery (or, more importantly, letting people know you won the lottery) is bad for you. Can you debunk its claims as well?
That comment makes untrue claims and cites no sources. The claim about multi-million dollar jackpot winners is a viral meme that keeps making the rounds despite the people with the actual stats repeatedly trying to debunk it. It is not true that a huge percentage of winners go bankrupt.
I imagine that it's perpetuated by the myth that people who make a shitton of money "legitimately" (i.e. getting insanely lucky by inheritance, investing in a moonshot, or both) are somehow magically blessed with the wisdom to handle money in a way that commoners are not. Plus a dash of cope for all the people who will never touch that amount of money. Assurance that even those who gain a lot will be no better off (or worse off) than them.
The Reddit comment is interesting, and I think the advice that starts in the reply is sound. But this person's list of lottery winner failures is a small list of people versus a very large group of winners. Surely it's not hard to cherry pick a bunch of worst case scenarios.
Haha I read the article - not surprisingly they pick lottery winners in countries that provide anonymity to winners (unlike the US where you will have a target painted on your back).
> 2019 by researchers at the University of Warwick and the University of Zurich, used a considerable dataset — fifteen years of the “German Socio-Economic Panel” (or SOEP). The SOEP has been surveying 15,000 German households since 1984.
> The second study, from 2020 by researchers from Stockholm University, Stockholm School of Economics, and New York University, surveyed 3,000 Swedish lottery winners
> EuroJackpot Countries (Croatia, Czechia, Denmark, Estonia, Finland, Germany, Hungary, Iceland, Italy, Latvia, Lithuania, Netherlands*, Norway, Poland, Slovakia, Slovenia, Spain, and Sweden): 100% Anonymous if requested by the winner.
Compare it to:
> California: Not Anonymous/Only individuals can claim. “The name and location of the retailer who sold you the winning ticket, the date you won and the amount of your winnings are also matters of public record and are subject to disclosure. You can form a trust prior to claiming your prize, but our regulations do not allow a trust to claim a prize. Understand that your name is still public and reportable”.
The client situation for RCS is really quite bad. With SMS and MMS I can fairly easily run my own client on a Linux system that has a GSM modem. This is not the case at all with RCS. Even worse, Google Messages is not open source and so far there have not been public APIs available on Android to interact with RCS messages.
It sucks that the ongoing maintenance cost for the native mobile platforms is so high. Who wants to develop on top of a platform that is constantly changing out from under you?
It really makes me nostalgic for the vision of webOS (although not the implementation of webOS from 14 years ago).
But that's Scott's point. If the OS devs had thought through this from the beginning, app devs wouldn't have to keep dealing with breakage. iOS devs have other issues, but not these.
Apple and Google approached the mobile OS from opposite sides. Apple locked everything down and has gradually been adding access/features. Google left the barn door open, and is now trying to shut it. I know which OS/API I'd rather program against.
Heh, I never worked on iOS but based on what I heard from our iOS team at the time, I don't think iOS was any better. Though a lot of the frustrations back then were largely app review issues rather than API stability, like trying to push out a big feature release or bug fix and getting rejected because the reviewer found a new way to follow 20 links to get from the help center website to a page allowing you to sign up for a subscription outside the app store...
Web might be a better counter example - it started super locked down, but has slowly gained useful functionality like notifications, USB, serial, GPU, etc within the sandbox model. It just encourages more investment over time as new functionality is added, rather than annoying devs as useful functionality (documented or undocumented) is taken away.
iOS doesn't regularly break these mainstay APIs.. but when they do break APIs, they never backport them, unlike Google.
One example of an API where we lost power in exchange for security was UIWebView -> WKWebView.
It can end up being far more annoying than usual, even for smaller APIs, because you must maintain both versions of APIs until you get the green light to raise the minimum permitted iOS version.
I'm a little sad that this has seemingly taken precedence over all other hardware support. M3 support, dp-alt mode, making the microphone work are all things that I was hoping were going to land in the past year.
I understand the sentiment. But the people who could work on the Asahi Linux graphics stack are generally not the same as the people who could e.g. bring up Asahi Linux on M3 chips.
I would not consider the lack of activity in some Asahi Linux areas to be a conflict of priorities. It is in my opinion mostly a result of these lacking areas naturally attracting fewer developers capable of moving them forward.
The M3 GPU is a lot different and has a bunch of new features like ray tracing, so the super talented team working on the Asahi Linux graphics stack might have a lot of work ahead of them to support the M3's GPU fully as well.
God I wish I was smart enough to help out with Asahi Linux...
It's an Apple chip with no documentation and zero existent driver code to reference. You have to set realistic expectations here, and acknowledge that not every contributor is going to have the domain-specific knowledge required to make everything work. It's nothing short of a divine miracle that it has working Vulkan drivers you can download within a half-decade of its release.
If you want more, you'll have to take it up with Tim Cook or God (both have a nasty habit of ignoring us little guys). Also an option: not using a laptop that treats Linux as a threat to its business model.
Alyssa Rosenzweig already talked a bit about that on her Mastodon. She said that after having worked to implement GPU drivers, it was annoying that she never had the time to quite finish them. On each device release, she had to support the new device instead of polishing what she got.
I'm aware of no better way to see your desired features land in open source than to build them yourself. That is the power of open source, nobody can stop you!
i don't hate to be the one to tell you, but skills and context can be learnt. personally, i have found no better way to learn skills than to work on something i care about.
I do hope that LLMs learn more from the Asahi Linux team's code and their amazing blog posts, in order to provide better guidance for new systems programmers.
I guarantee you'll get much further than you would have previously done in the same amount of time, just by virtue of it being able to point you in the right direction. You don't need perfection when learning, you need a wayfinder, and it can do that just fine.
It won’t point you in the right direction though. At least in my experience. It will only give very superficial answers. And e.g. just trying to write Rust - it will try to explain the error message but most of the time says nothing new and to find out how to fix it you will have to read docs and understand things the old way anyway. At least in my experience.
AFAIK the M3 is going to take a lot longer as the Asahi team leverages Apple silicon in their CI, which means Mac mini servers, and the M3 generation never got their Mac mini. Of all the generations to finally take the plunge into Apple silicon, I had to choose the weird one... (typing this on an M3 MacBook Air and not on Linux, sigh)
I mean this is the nature of the beast with ARM and Apple. It’s a closed system. There are some devs that are going to be willing to go through the effort just for the challenge of it, but most are just going to use x86/Linux because you don’t have to actively fight against the vendor.
I have an open source Android app on the app store. I was a little annoyed/worried that the 'Verify your Play Console Developer account' was going to be super painful since I'm not running a business or trying to make money off my app. The messaging was, shall we say, confusing. They wanted you to choose a verification deadline for some reason. The email talked about a D-U-N-S number, and an official document verifying your identity.
When my verification time came up, I basically didn't have to do anything. I checked a checkbox saying I was an individual, not a business/organization. I didn't have to verify my identity (maybe I did that when I first created the Google Play account).
Even though my situation was not the same as the OP's, I do have a lot of sympathy for them. It's a pain to distribute apps through the Play Store (or the App Store). I would opt out if there were a real alternative.
I use magit. I still use git absorb. The issue for me is not the speed at which I can run the interactive rebase, it is the amount of looking I have to do to find the correct commit to fixup onto in a big stack of commits. git absorb figures that out for me.