Slashdot Mirror


Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com)

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.

263 comments

  1. Web 3.0! by Frosty+Piss · · Score: 2

    Quite often, these scripts are part of jQuery or some other JS framework that "needs" to know your keystrokes as a part of the web site interface, "application" if you will. Sure, this info can be used nefariously, but most likely the purpose is the web site interface mechanics itself.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re: Web 3.0! by Anonymous Coward · · Score: 1

      Did you even read the article? It discusses session replay marketing firms, such as FullStory. These are emerging companies that are finding their session recording software on more and more websites every day.

    2. Re:Web 3.0! by Anonymous Coward · · Score: 0

      Anyone know of a browser plugin I can just paste in a list of websites I want to forbid access to? I want to throw them all on that list.

    3. Re:Web 3.0! by Anonymous Coward · · Score: 5, Funny

      You're getting dangerously close to summoning him.

    4. Re:Web 3.0! by Arzaboa · · Score: 2

      You use what's called a hosts file. Can be found on Windows and Linux. Someone can add their two cents on iOS.

      You can always block them through an ad-blocker, noscript or things of that nature in your browser.

      --
      "Ribbit" - Unknown Frog.

    5. Re:Web 3.0! by Lucky_Strikez · · Score: 3, Funny

      Yeah, but.... Surely there's SOME kind of tool that would help you manipulate said hosts file? :P Maybe someone could tell us about it?

    6. Re: Web 3.0! by Anonymous Coward · · Score: 2, Informative

      Okay, notepad.exe

    7. Re: Web 3.0! by Anonymous Coward · · Score: 0

      It sounds like he's looking for something more automatic. Sort of like a hosts file engine.

    8. Re: Web 3.0! by Anonymous Coward · · Score: 0

      No worries, most operating systems natively support hosts files automatically. Typically faster than even a local DNS resolver.

    9. Re:Web 3.0! by Anonymous Coward · · Score: 0

      Running your own DNS server is a better solution. You can block whole domains with one entry apiece in your config, instead of winding up with 3 million lines in the hosts file like a certain spammer we know.

    10. Re:Web 3.0! by Bite+The+Pillow · · Score: 2

      APK APK AP

      ***CONNECTION TERMINATED**+

      ---

      Filter error: Don't use so many caps.

      ---

      I earned these caps in the wasteland, and I'm gonna use them as I see fit. Are we clear?

      ---- .CRYSTAL.

    11. Re: Web 3.0! by Anonymous Coward · · Score: 0

      I might test this out: A P K hosts file engine
      Found it on start64.com

    12. Re: Web 3.0! by Anonymous Coward · · Score: 0

      Pihole

    13. Re:Web 3.0! by ITRambo · · Score: 5, Interesting

      These days websites also use HTML5's canvas fingerprinting to identify your computer. If there's a way to gather any useful information, to be used for marketing, it'll happen. Check out Canvas Defender. You can change your machine's white noise at will to help mask its identity. It's really a bit sad that all this crap goes on.

    14. Re: Web 3.0! by TqUhpiQaw · · Score: 1

      Heretic!
      sudo vi /etc/hosts

      --
      We fetch your mail, we route your packets, we guard you while you surf. Don't fuck with us.
    15. Re: Web 3.0! by Anonymous Coward · · Score: 0

      Not elegant.

      sudo '192.168.1.10 foo.mydomain.org' >> /etc/hosts

      or, if properly equipped:

      sudo xclip -o >> /etc/hosts

    16. Re: Web 3.0! by Anonymous Coward · · Score: 1

      Can we compile out this ability from the browser? I don't need autocomplete - and I don't need advertisers to get 'what they want'.

      While this stuff may have some uses, there are too many options for abuse. So, can I have a browser with reduced javascript functionality? Not an add-on, but a scrape-off?

    17. Re: Web 3.0! by Anonymous Coward · · Score: 1

      EFF makes a browser plugin called Privacy Badger. It will automatically block most of these scripts soon enough because the scripts will also try to track you with cookies, and that is what it detects and prevents. And you can very easily block more sites when you find them.

    18. Re: Web 3.0! by Anonymous Coward · · Score: 0

      Windows Hosts Files tool and info:

      http://winhelp2002.mvps.org/

    19. Re:Web 3.0! by AmiMoJo · · Score: 1

      uBlock Origin allows you to use a list of hosts, and the performance is excellent...

      Shame nothing like that existed before. All those years we could have been blocking this crap, if only app had existed. I'd like to see .apk version for Android too.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    20. Re: Web 3.0! by Anonymous Coward · · Score: 1

      Fails elegantly

    21. Re:Web 3.0! by Anonymous Coward · · Score: 0

      I don't get it :-(

    22. Re: Web 3.0! by Anonymous Coward · · Score: 0

      One day you will laddie, one day.

    23. Re: Web 3.0! by EndlessNameless · · Score: 1

      So, can I have a browser with reduced javascript functionality?

      It will improve security, but a lot of things will break. Very few web sites are simple HTML that you can poke at in your text editor.

      The best suggestion is to use a browser with Javascript disabled for normal browsing, and to have a second browser with incognito/private mode for sites which are completely broken without Javascript. And even in this case, your "safe" browser can be exposed to any malware dropped via JS exploits.

      Given the rampant snooping and exploitation, it is probably best to have a non-persistent VM with a web browser for sites with scripting, pervasive advertisement, or questionable content. Take a snapshot and be sure to reset it to its clean state after each site/session. This requires considerably more effort, although it is not particularly difficult now that Windows and Linux both offer virtualization features natively.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    24. Re:Web 3.0! by Dread_ed · · Score: 1

      Quite funny, but if you look at the posts below it's like he Linus'ed everyone's brains. He just uploaded his ideas to the interwebs and now everyone is mirroring them! He doesn't even have to post anymore, we are doing it for him!

      Well done APK, well done.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    25. Re:Web 3.0! by rjstanford · · Score: 1

      Yeah, I guess you could call him some kind of tool.

      --
      You're special forces then? That's great! I just love your olympics!
    26. Re: Web 3.0! by rjstanford · · Score: 1

      Fails elegantly

      And with root authority too!

      --
      You're special forces then? That's great! I just love your olympics!
    27. Re: Web 3.0! by Tanktalus · · Score: 1

      ITYM

      echo '192.168.1.10 foo.mydomain.org' | sudo bash -c 'cat >> /etc/hosts'

      or

      xclip -o | sudo bash -c 'cat >> /etc/hosts'

      which doesn't seem that elegant to me. YMMV.

    28. Re: Web 3.0! by omnichad · · Score: 1

      JavaScript without the ability to respond to user input events? Yeah, just disable JavaScript then. What would be left?

    29. Re:Web 3.0! by Anonymous Coward · · Score: 0

      Sure, this info can be used nefariously, but most likely the purpose is the web site interface mechanics it
      That might be their purpose but they are still beholden to treat private information like this carefully.


  2. Google.com by Anonymous Coward · · Score: 3, Interesting

    Yandex searches as you type, so it's hardly surprising it captures and sends the keystrokes in realtime....

    But then again, so does Google, so why isn't Google on that list?

    1. Re:Google.com by Anonymous Coward · · Score: 0

      It's pretty obviously part of the core user interface to return live search results as the user types, so there's no point calling it out. This is a list of sites that log keystrokes surreptitiously.

    2. Re:Google.com by thegarbz · · Score: 1

      Searching as you type in a search field while displaying that obviously to the user, and recording key strokes with no searching or other useful function for the end user are two very different things.

      Adding Google to every tiny bit of outrage just dilutes the value of the complaints against them.

    3. Re:Google.com by Anonymous Coward · · Score: 0

      But how is it reasonable to exclude it from a massive list of websites that does what they are doing?

  3. I'm OK by Anonymous Coward · · Score: 0

    Not a lot of typing over at Thick Thigh Tranny Bitches.com

    1. Re:I'm OK by tepples · · Score: 2, Insightful

      Thick Thigh Tranny Bitches.com

      Thick thighs, automotive gearboxes, and female dogs? That's an odd combination of topics for a website.

    2. Re:I'm OK by Templer421 · · Score: 2

      Manual Tranny or an Automatic Tranny?

      Ford or Chevy?

      What Engine and Year?

    3. Re:I'm OK by Anonymous Coward · · Score: 0

      I always prefer the "Powerglide"

    4. Re:I'm OK by Anonymous Coward · · Score: 0

      Manual, of course. I love how you can always spot the automatic driver by their driving habits.

      Rides the person in front of them 1/2' off their bumper in gridlock traffic, then jams on the brakes to a complete stop every 1/2 mile? Automatic driver. Pulls up right up against your bumper on a steep grade stop sign/light (giving you no room for rollback)? Automatic driver. Riding the brakes going down hill? Automatic driver. Races to every stop light then slams on the brakes, even when they can be slow-coasted thru? Automatic driver...

      Really, I think automatic transmissions encourage bad driving habits. I swear half my defensive driving decisions in the car come down to, "I could be a little more aggressive, but then I'd have to clutch like twice as much..."

    5. Re:I'm OK by trg83 · · Score: 1

      If you're a proper manual driver, you don't have need of space for a rollback. I never had rollbacks after about 3 months of practice. It might be a little harder on your clutch, but you don't have the right to randomly back into cars because you don't know how to drive yours.

    6. Re:I'm OK by Anonymous Coward · · Score: 0

      Rule 34, my friend. Rule 34.

  4. Not good... by Anonymous Coward · · Score: 3, Funny

    I started typing:

    "I fucking hate you, Microsoft. I'm going to bomb your Azure datacenters and slit your throats. Eat shit and die, you incompetent fucks."

    Then I deleted it and actually submitted:

    "Dear Microsoft. I hereby request that you close my Azure account as I found the service unsuitable to my specific needs at this time. Thank you very much in advance. Sincerely yours, X."

    So now you're telling me that they have seen the first version?

    1. Re:Not good... by hcs_$reboot · · Score: 2

      The words "bomb" and "die" being in the text, the NSA got it even before MS.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Not good... by Anonymous Coward · · Score: 1

      The first version, maybe. The second one? Nope, nobody reads information that they know you intentionally sent to them.
      They don't want user feedback, they want to know how the user works at a more fundamental level.

    3. Re:Not good... by JustOK · · Score: 1

      NSA *IS* MS

      --
      rewriting history since 2109
    4. Re:Not good... by hcs_$reboot · · Score: 2

      Interestingly, that's an anagram of "Mass Sin".

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    5. Re:Not good... by Anonymous Coward · · Score: 0

      Or in Spanish, sin mass ?
      Equally as disheartening

    6. Re:Not good... by ebvwfbw · · Score: 1

      Of course they saw both versions. However they realize you really love them and don't mean them any harm. Just like what you said to your mother last week. Of course we know all about that too!

  5. Name names by Anonymous Coward · · Score: 0

    Which big-name sites are doing this?

    1. Re: Name names by Anonymous Coward · · Score: 4, Informative

      https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

    2. Re:Name names by hcs_$reboot · · Score: 1

      BigBrother.com

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:Name names by Anonymous Coward · · Score: 0

      zombo.com

    4. Re: Name names by Anonymous Coward · · Score: 1

      Or the CSV file here

        https://webtransparency.cs.pri...

  6. 400 ? by rtb61 · · Score: 5, Interesting

    How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That's 400 players to add to noscript and cookiemonster.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:400 ? by dfm3 · · Score: 5, Informative

      The page at the first link was updated with a link to their data, complete with a list of all the offending sites that are ranked in the top 10,000 by Alexa.

    2. Re:400 ? by Arzaboa · · Score: 5, Informative

      Here is the list, linked to from the actual article. List of 400

      --
      "Ribbit" - Unknown frog

    3. Re:400 ? by Anonymous Coward · · Score: 1

      "Alexa, read me the list of 10,000 websites which track users' keystrokes and mouse movements."

    4. Re:400 ? by AmiMoJo · · Score: 2

      Privacy Badger fixes most of this automatically. It's a good option for less technical people.

      uBlock Matrix with "medium mode" (https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode) kills it completely. Without medium mode it also kills it, but you are reliant on the block list authors keeping up with whatever changes are made. Since this threat is so well known, they are probably on top of it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:400 ? by Anonymous Coward · · Score: 0

      The Yandex(.ru) is strong in this one.

      Tracker              Sites#   Weightedscore
      yandex.ru            528      12,93
      hotjar.com           439      9,04
      clicktale.net        100      4,27
      inspectlet.com       50       0,75
      mouseflow.com        40       0,63
      sessioncam.com       25       0,83
      fullstory.com        21       0,30
      decibelinsight.net   16       0,28
      quantummetric.com    9        0,11
      userreplay.net       7        0,23
      smartlook.com        4        0,04

      Weightedscore = sum(100*log(1+1/SiteRank))

    6. Re:400 ? by Freischutz · · Score: 1

      How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That's 400 players to add to noscript and cookiemonster.

      ...and how bad is this flaw? Can they read everything I type in the browser tab where this website is loaded, everything I type in the browser regardless of the tab I'm using or can they literally key-log everything typed on the computer as long as the browser is running in the background?

    7. Re:400 ? by Mordaximus · · Score: 1

      How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That's 400 players to add to noscript and cookiemonster.

      They provide a zipped csv right on their site. Good to see I have even more reason to hate wordpress.

    8. Re:400 ? by Bloxclay · · Score: 1

      *Cough Cough* NSA *Cough Cough*

      --
      Switch it Off,Switch it On[SOSO] Solves 95% of all IT problems!
    9. Re:400 ? by jbmartin6 · · Score: 1

      Probably safer to just assume all of them

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    10. Re:400 ? by Anonymous Coward · · Score: 0

      The Alexa rankings have nothing to do with Amazon or their Alexa products. No relation at all.

      You're trying to be funny, but you're just wrong.

  7. This is (sort of) old news by dfm3 · · Score: 5, Informative

    As one of the links even mentions, Facebook was caught doing the same with status updates (recording everything you type, even if you delete it before posting) back in 2013. What's news here is the extent to which websites are doing this these days.

    For years now I've been operating under the assumption that websites collect as much data on user interaction as possible, even including things like what links you mouse over (not necessarily click on), how long you spend reading content before moving on, and how long the cursor remains on different parts of the page. This is yet one more reason why I never browse without NoScript and uBlock Origin. Fortunately, as reported in the first link:

    Does tracking protection help?

    Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.


    Now that this practice is getting a little more attention, here's hoping that more of these sites will be added to popular blocklists.

    I have a nervous habit of idly swirling the mouse around while I read, and I've long suspected that sites were logging these movements. So, it's a habit that I've never tried to break, but rather I've been hoping that by passing the cursor over all sorts of page elements hundreds of times in the course of a few minutes, I'm screwing with their data collection somehow.
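Added example, not part of the original thread or of the researchers' code: a check of which session-replay vendor domains a filter list leaves unblocked, with blocking entries rendered for the gaps in the three forms discussed in this thread (hosts file, DNS server config, ad-blocker rule). The vendor domains come from the tracker table posted in the thread; the sample filter list is constructed to mirror what the quoted passage reports and is not the real EasyPrivacy content, and all function names are hypothetical.

```python
import re

# Vendor domains taken from the tracker table posted in this thread, limited
# to the seven vendors named in the quoted tracking-protection passage.
VENDOR_DOMAINS = [
    "yandex.ru", "hotjar.com", "clicktale.net", "sessioncam.com",
    "fullstory.com", "userreplay.net", "smartlook.com",
]

# CONSTRUCTED sample in Adblock Plus filter syntax (not a real list). It has
# block rules for the four vendors the passage says are covered and none for
# the other three, plus lines a coverage check must not count as blocks.
SAMPLE_FILTER_LIST = """\
[Adblock Plus 2.0]
! Title: constructed sample, not a real list
||yandex.ru^$third-party
||hotjar.com^$third-party
||clicktale.net^
||sessioncam.com^$script
@@||fullstory.com^$document
example.org##.ad-banner
/tracking.js
"""

# Domain-anchored network rule: "||host^", optionally followed by "$options".
_NETWORK_RULE = re.compile(r"^\|\|([a-z0-9.-]+)\^")


def parse_blocked_domains(filter_text):
    """Return the set of hosts named by domain-anchored block rules.

    Skipped: comments (!), the header ([...]), exception rules (@@, which
    allow rather than block) and cosmetic filters (##, #@#). Rule options
    such as $third-party narrow a rule; they are ignored here, so the result
    is an upper bound on what the list blocks.
    """
    blocked = set()
    for raw in filter_text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith(("!", "[", "@@")):
            continue
        if "##" in line or "#@#" in line:
            continue
        match = _NETWORK_RULE.match(line)
        if match:
            blocked.add(match.group(1).strip("."))
    return blocked


def is_covered(host, blocked):
    """True if host, or a parent domain of it, has a block rule.

    "||hotjar.com^" matches hotjar.com and its subdomains, so the comparison
    walks label boundaries; a plain endswith() test would wrongly treat
    nothotjar.com as covered.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def uncovered_vendors(filter_text, vendor_domains):
    """Vendor domains with no matching block rule, in input order."""
    blocked = parse_blocked_domains(filter_text)
    return [d for d in vendor_domains if not is_covered(d, blocked)]


def render_blocks(domains, fmt):
    """Render one blocking entry per domain.

    hosts   : maps that exact name only; subdomains need their own lines
    dnsmasq : one entry covers the domain and every subdomain
    abp     : rule for an ad-blocker's custom filters, third-party requests
    """
    templates = {
        "hosts": "0.0.0.0 {d}",
        "dnsmasq": "address=/{d}/0.0.0.0",
        "abp": "||{d}^$third-party",
    }
    if fmt not in templates:
        raise ValueError("unknown format: " + fmt)
    return [templates[fmt].format(d=d) for d in domains]


if __name__ == "__main__":
    gaps = uncovered_vendors(SAMPLE_FILTER_LIST, VENDOR_DOMAINS)
    print("Not covered by the sample list:", ", ".join(gaps))
    for fmt in ("hosts", "dnsmasq", "abp"):
        print("\n# " + fmt)
        print("\n".join(render_blocks(gaps, fmt)))
```

To audit a list you actually use, pass its downloaded text to `uncovered_vendors` in place of `SAMPLE_FILTER_LIST`.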

    1. Re:This is (sort of) old news by Anonymous Coward · · Score: 1

      As one of the links even mentions, Facebook was caught doing the same with status updates (recording everything you type, even if you delete it before posting) back in 2013. What's news here is the extent to which websites are doing this these days.

      For years now I've been operating under the assumption that websites collect as much data on user interaction as possible,

      This is the price you pay for a free Internet. "Free" meaning "no charge".

      Here are your choices.

      [ ] Pay for every website you access
      [ ] Have websites spy on you and collect as much information on you as they possibly can

      Those are your only choices. Pick one.

      I'm not saying it's right or desirable, but that's just the way it is.

    2. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      I definitely prefer that mouse clicks be input, not mouse movements. I prefer Enter to sending text than search as I type.

    3. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      Ads == payment. Few users have the disposable income for not-very-important web content.

    4. Re:This is (sort of) old news by theweatherelectric · · Score: 5, Interesting

      This is yet one more reason why I never browse without NoScript and uBlock Origin.

      In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time, as opposed to only in private browsing mode.

    5. Re:This is (sort of) old news by AReilly · · Score: 2

      The issue isn't that web sites are doing real-time analytics. It's that they've all out-sourced the process to a handful of third party companies. No one cares that the information they've provided to the company they are interacting with over SSL gets seen by that company: of course it does. What they care about is that this stream of data is parceled up and sent (not necessarily securely, according to the article) to some company you've never heard of, and have no business relationship with.

      --
      -- Andrew
    6. Re: This is (sort of) old news by Anonymous Coward · · Score: 0

      So you're telling me we can get rid of spying and useless content at the same time?!?!

    7. Re:This is (sort of) old news by tquasar · · Score: 1

      I have the nervous habit of swirling a cat around while I read. The cat sees everything. There is no privacy. Every thing is viewed and or saved.

    8. Re:This is (sort of) old news by Anonymous+Brave+Guy · · Score: 5, Informative

      That's funny, my recollection is that we managed pretty well without the spying for at least a decade, and yet during that time the Web grew from an academic/enthusiast medium into a mass communication medium. It turned out that countless people were willing to contribute without trying to exploit others for profit as their only motive.

      Indeed, social media today, arguably including sites like this one, is still built almost entirely from contributions given freely by normal people. It's just that today, instead of everyone getting some web space as part of their normal ISP package and making their own home page or blog, we have a relatively small number of large, mostly ad-funded, mostly data-hoarding giants centralising our basic hosting instead. That has some advantages, of course, but also a very high price to pay for anyone who values privacy and security online.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    9. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      There's a third option. Pay for website you access, and still have them all spy on you.

    10. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      I have a nervous habit of idly swirling the mouse around while I read, and I've long suspected that sites were logging these movements. So, it's a habit that I've never tried to break, but rather I've been hoping that by passing the cursor over all sorts of page elements hundreds of times in the course of a few minutes, I'm screwing with their data collection somehow.

      Well, you could get flagged for this "anomalous" behavior, though. That's one issue with trying too hard not to be tracked: you actually stick out from the crowd. Sure, sometimes, you'll really "slip out", but other times, they might actually focus on you for your differences.

    11. Re:This is (sort of) old news by Anonymous Coward · · Score: 1

      This raises the question: why the heck was "tracking" built into browsers as a function in the first place?

      My browser should only send data to the webserver when I click a link or a button. And then, it should only send data that I have explicitly entered in a web form, minus anything I've erased.

    12. Re:This is (sort of) old news by theweatherelectric · · Score: 1

      Web browsers send data to a webserver every time you request a web page and every element within a page. How could HTTP work otherwise?

    13. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      This raises the question: why the heck was "tracking" built into browsers as a function in the first place?

      Because the web was never really designed. Netscape introduced Javascript as an escape hatch for whatever the browser makers hadn't thought of. And it's been abused to do things like track your every keystroke.

    14. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      Uuhhh.. No. I opt for the third choice, the right I defend myself against the low-lifes who think they can just "have their way" with me.

      And that, in my case, means that I do not accept third-party content, and have JS blocked.

      Call me back when the low-lifes among the website-owners/exploiters* (in the worst sense of the word) are taken out because of their predatory behavior towards their unsuspecting customers (if they do not know they get mugged then what is the problem?), and we can see if we can come to an understanding where I won't lock all the doors in my house and put an in-house detective on them to keep track of all their movements.

      *with my apologies to the well-meaning-and-behaving ones among you, which I suspect is most of you.

      And let's start with forcing a website owner/exploiter to be responsible for the damage a rogue advertisement - or other for monetary gain included third-party scripts - on his website causes to a user's machine.

      Do I sound pissed off? Then that's maybe because I am. :-)

    15. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      I do that with my mouse too. I'll even find safe spots to click and click repeatedly.

    16. Re:This is (sort of) old news by holostarr · · Score: 1

      Personally, I think people are making a mountain out of a molehill and thinking there is some nefarious reason behind this. The company I work for uses a product from IBM called Tealeaf which does exactly this: it records user sessions which can then be played back. The reason why we introduced this to our product was to understand our customers better to help us improve our product. For example, marketing wanted to know what caused a customer to start a purchase and then stop halfway. They wanted to understand, for instance, if it was due to a UI error or if the customer found the options confusing. We also used this product on several occasions to identify hard-to-reproduce bugs. Using this product we were able to watch the recorded session of the user who experienced the bug and understand exactly what steps he/she took before encountering it. I think for most companies, these kinds of products are just there to help marketing or the dev departments improve their products, rather than harvest users' behaviors and sell them (I'm sure some do), because I doubt there is much value to some individual's random mouse movements.

    17. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      Clicking a link or pressing a button is how I request a web page. I don't see your point.

    18. Re:This is (sort of) old news by Anonymous Coward · · Score: 1

      dude, don't be naive!
      As every (powerful) tool, it can be used for good, and it can be used for evil.

      The point is, that a web site is in a position of power in relationship with the user. And power grows exponentially with the number of users accessing the site!

    19. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      That's funny. If you think any serious web site would give up the additional income source of selling your data you're seriously deluded.
      The choices are:
      [ ] pay for every web site you access, still be tracked but no ads for you on that web site
      [ ] don't pay, be tracked and get ads on that web site

    20. Re:This is (sort of) old news by Narcocide · · Score: 1

      The only thing you're doing is giving them more information to fingerprint you with.

    21. Re:This is (sort of) old news by theweatherelectric · · Score: 1

      You don't click to request, for example, any of the images. Or any other resource in the page (or subpages in iframes) which could be sourced from any other webserver on the web.

    22. Re:This is (sort of) old news by thegarbz · · Score: 2

      In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time, as opposed to only in private browsing mode.

      You should do that anyway if for no other reason than to actually speed up the internet. http://www.ieee-security.org/T...

    23. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      It is probably a way to uniquely ID you as well.

      Might want to consider that.

    24. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      I request a page, identifying it by its HTML file. The server has the HTML file, and knows what images it references. There's no reason it couldn't proactively send me those images, rather than waiting for my browser to parse the HTML and request them individually. HTTP doesn't work that way, but it *could*, and it'd save a lot of latency in loading webpages. It'd also avoid a security issue: information about the browser can leak to the server from the pattern of automatic requests.

      But okay: let's say we're stuck with HTTP as it stands. There's still a single chain of events that starts with me clicking a link, the server sending me the HTML, my browser requesting the images, and the server sending them too. Once this has all played out, why the flip should my browser send anything else to the server before I click another link?

    25. Re:This is (sort of) old news by theweatherelectric · · Score: 1

      There's no reason it couldn't proactively send me those images

      The images could be served from a different server. This is commonly done by many websites, including Slashdot.

      why the flip should my browser send anything else to the server before I click another link?

      So the page can refresh itself for live updating content.

    26. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      Interesting product name. I assume that they thought about it as "reading tealeaves" to predict the future, but clearly they didn't consider the Cockney Rhyming Slang meaning: Thief. I wonder which is the more accurate meaning?

    27. Re:This is (sort of) old news by fafalone · · Score: 1

      Well well look who's here to yet again remind us how great FF 57 is. You got a script to help you do your job that flags keywords needing your response? Your affiliation is so blatantly obvious no amount of calling me a lunatic is going to help.

    28. Re:This is (sort of) old news by EndlessNameless · · Score: 1

      Once this has all played out, why the flip should my browser send anything else to the server before I click another link?

      Many web sites have dynamic content. It can be anything: a news feed, image gallery, navigation. All of those things can trigger a request for more data, some of them automatically.

      Some servers send a small starter page and load more as you scroll. Why load 10+ MB of images if you will never see them? Those images can be loaded on the fly as you read the article. They just need to pick reasonable points to preload images, and most users will never notice the difference between dynamic and static delivery. This is actually beneficial to users on metered data plans. (Some countries even have metered residential connections, which is fairly terrible but still something that those users have to deal with.)

      Most web apps are "live" in this respect as well. Do you want to lose an entire email or document because you refreshed your browser, accidentally clicked a link, or had a browser crash? What about losing a large form submission due to a misclick? Most people don't, so a lot of web apps will either stream or checkpoint your interactions.

      Now we're starting to see the shady or illegitimate use of these browser features. Some people warned that it would happen, but a lot more people wanted those features on the browser side so they could deliver applications or content the way they want. The pendulum perpetually swings back and forth between functionality and security.

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    29. Re:This is (sort of) old news by thegarbz · · Score: 1

      That's funny, my recollection is that we managed pretty well without the spying for at least a decade

      How well? My recollection was the internet was mostly a cesspool of garbage design until we started "spying" on how users use webpages.

      But we're back to the anti-telemetry argument:
      Today: don't record anything I do.
      Tomorrow: why did you do that, do you not know how users use your product?

    30. Re:This is (sort of) old news by tepples · · Score: 1

      Some servers send a small starter page and load more as you scroll

      Anti-script hardliners would prefer to follow "Next Page" and "Previous Page" links.

      Some countries even have metered residential connections, which is fairly terrible but still something that those users have to deal with.

      Hardliner: "Do I have advertisers or payment processors in those countries yet? Do I have translators to translate our articles into the native languages of those countries? No? Then I needn't take special measures to serve users in those countries. Besides, if they're on a metered plan, they can just not follow 'Next Page.'"

      Do you want to lose an entire email or document because you refreshed your browser, accidentally clicked a link, or had a browser crash?

      Hardliner: "I won't. My mail is in a native mail user agent, and my documents are in a native text editor or word processor."

      What about losing a large form submission due to a misclick?

      Websites with large form submissions already provide a save button. Slashdot labels its button "Preview". This way, the values already entered are stored in the next version of the document.

    31. Re:This is (sort of) old news by Anonymous+Brave+Guy · · Score: 1

      I personally think telemetry/analytics in terms of how someone's own site/app/service is used is a distinct issue to the kind of ubiquitous monitoring used by ad networks. Of course they both raise privacy concerns up to a point, but if you're using something that is running on a remote system anyway then I don't think it's realistic or particularly helpful to try to stop the operators seeing what their own system is doing.

      For me, that's a very different thing to putting web bugs or tracker scripts or fingerprinting hacks all over other sites, and doing so covertly so that users are being tracked by third parties that they have no knowledge they are dealing with at all.

      There's also a middle ground where you have something that is installed locally but phoning home covertly and potentially sending data the user thought was private, or an analogous situation with web sites/apps where you've got something like a form that the user might expect to be private until they explicitly submit it but which is actually sending everything ever entered even if it's subsequently edited or deleted before the user intends to continue. In these cases, I think the ethical position (and possibly also the legal one) probably depends on why the data is being sent, exactly how it's used, and what a typical user would reasonably expect to be happening or not happening.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    32. Re: This is (sort of) old news by Anonymous Coward · · Score: 0

      That is a false dichotomy. Advertising is only the simplest, laziest way to make money on the Web. There are other options, such as micro-payments or crowd-funding like Patreon, that don't breach user privacy and security.

      Most "content" on the Web isn't worth paying for to begin with. Hosting is cheap these days, too.

      We don't owe it to malvertising firms to support their archaic business model. It's abusive to users and we've seen how well they protect their own data. (i.e. not very well)

      Blocking ads and scripts is the only way to influence their behavior, by hitting them where it hurts: their wallet.

    33. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      Thank you: you've written an excellent summary of my position. Living in a country with metered residential connections, I would still prefer static pages with "Next Page" links - or better yet, an index page, or thumbnails - to scripted dynamic pages. Dynamic pages add yet another attack vector - through carelessness, rather than malice - by potentially downloading elements without my prompting, burning through my monthly quota. And that's without even reckoning the size of the scripts themselves.

      Worse still: as bandwidth improves, this benefit of dynamic pages goes away, but the problems remain. I see how we got into our current mess, but I don't see a way out of it. To reply directly to the GP:

      The pendulum perpetually swings back and forth between functionality and security.

      This isn't a pendulum: it's a ratchet. New features get introduced, get used, and people come to rely on them. Then no one is willing to discard them, regardless of how insecure they are.

    34. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      Some servers send a small starter page and load more as you scroll

      Anti-script hardliners would prefer to follow "Next Page" and "Previous Page" links.

      I'm not anti-script but "infinite scroll" is a terrible abomination I'd gladly give up anything to see it die an excruciatingly painful death. It makes even powerful computers slow to a crawl, it makes browsers leak memory & crash, and there's no way to save an arbitrary position so that browsing can be resumed from that point onwards.

    35. Re:This is (sort of) old news by theweatherelectric · · Score: 1

      You've made it clear that you're a conspiracy nutcase but why can't you stick to good and honest conspiracies? Like how the Grey aliens are in league with the lizard men to take control of world government which, as everyone knows, is currently run by the Illuminati and Major League Baseball.

    36. Re:This is (sort of) old news by Dread_ed · · Score: 1

      Do you know what they do with this information? I do. I got it from the proverbial horse's mouth.

      About 2 years ago I was speaking with some of the marketing people at a very large retailer I am tangentially associated with. They were describing the extent of logging activity on their corporate website. They spoke about everything this article mentions, in addition to cross site tracking, data sharing with other sites, etc., ad nauseam. I was not surprised that there was this level of logging activity. However, I am surprised that this is a surprise to anyone else. I thought this was common knowledge, self-evident from first principles.

      What was fun to discuss was the level to which the gleaned information is analyzed. You can learn an incredible amount of "important" information about your website and, more importantly, your customers by tracing a customer interaction backwards through your records from a known completed outcome (sale, no-sale, etc.) to the initial instant of contact with your products. You can learn even more when you have a giant stack of "same outcomes" to compare.

      For instance you could stack up all of your "sales" in one pile and all of your "no-sales" in another. Then compare something relatively simple and one dimensional, say like how they move their mouse on your web page. Did you know that many retailers can very quickly determine with a high degree of accuracy if you are going to end up in the "sale" bucket by how you use your mouse on their website? Apparently, people move their mouse differently when they are in a buying mode.

      Keystrokes are also examined in a similar way. Not just what was typed, but when, and how. Again, comparing many different customers with known outcomes leads to a model that can predict the outcome of a website interaction from just a few bits of input.

      These are just the obvious bits that come from analyzing the data. There are much deeper inferences that can be made from a multidimensional matrix of observed behaviors, and across multiple sites. One of the other things that was interesting was how the retailer was trying to get people to move, type, and ultimately look in a way that resembles modes and mannerisms which closely approximate the behaviors of known buyers. The logic being similar to the old "fake it till you make it" adage. Or more rigorously, if we can influence a site visitor who shows "non-buying" behavior to emulate "buyer" behavior it can influence them to actually purchase. This was just in the works when I had this conversation, but they indicated that there was substantive evidence to support this being a profitable practice.

      After the conversation I will say that my determinism doomsday clock was advanced about 3 hours closer to midnight. The certainty and exuberance they had about their ability to influence behavior by informed application of stimulus was creepy as fuck. From what they revealed it was not born of hype, optimism, or marketing buzz. It was a direct result of processing the data, implementing reasoned changes, and observing the results. And this was years ago. Fuck, fuck, fuck!!!

      I can only imagine what Facebook does with all of the data that people give them. The dimensions of their matrix must be immense, and their conclusions the stuff of nightmares.

      --
      When the only tool you have is a claw hammer every problem starts to look like the back of someone's skull.
    37. Re:This is (sort of) old news by epine · · Score: 1

      Those are your only choices. Pick one.

      For plain-old-text, at a blog post parcel size, the economics of the internet very nearly fall into the bucket known as "too cheap to meter".

      [ ] Pay for every website you access
      [ ] Have websites spy on you and collect as much information on you as they possibly can
      [ ] Tell the anonymous coward to fuck off, and point out the option missed

      So there. FTFY.

    38. Re:This is (sort of) old news by Agent0013 · · Score: 1

      You really think that companies that you pay for content would not sell extra information to another company to make even more money? Do you remember Cable television? Do you remember that you pay for television, rather than watching the free over-the-air stuff, and you get it commercial-free? That did not last very long before you pay for it and you get commercials also.

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
    39. Re:This is (sort of) old news by Anonymous Coward · · Score: 0

      It was not a cesspool of garbage. Sure, some crappy DIY webpages were offered to the public, but they were crappy by greedy advertising design, not because of lack of telemetry. NO AMOUNT OF EXTERNAL ADVICE would save such amateurish crap. Professionals can save us from amateurish crap, that is all.

      We don't need 'telemetry' to design a useful interface or host interesting subject matter.

      Don't you remember the good ol' "Intro Pages" that were a horrible 30 second flash presentation welcoming one to a site? Someone wanted something cool but anyone other than that person knows it's a pain to watch again every time you hit HOME. So those intros faded away.

      *hint: get professional PEOPLE to design & maintain sites, not an automated system with reports each day about where the mouse/finger wandered across the page. And why everyone avoids the blinking ad but are attracted to the Next Button.

      It does not take a genius- how "Presentation" became GUI and now UX is self-elevating crap.

  8. List of Websites by Anonymous Coward · · Score: 5, Informative

    The list of websites:

    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

    1. Re:List of Websites by hcs_$reboot · · Score: 1

      Note that the "expected" ones are there: (main sites .com, not the .ru ...)

      Norton, Microsoft, Godaddy, Skype, Adobe, ...

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:List of Websites by hcs_$reboot · · Score: 1

      (and btw neither google.com nor facebook.com are in)

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:List of Websites by Anonymous Coward · · Score: 0

      "(and btw neither google.com nor facebook.com are in)"

      I'm sure that's because they roll their own rather than use some third party script. :P

  9. So me typing "fuck you microsoft" into... by greenwow · · Score: 0

    every website before deleting that and entering new text isn't a wasted effort. Thanks for letting us know.

  10. WebASM Threat by Anonymous Coward · · Score: 0

    JS, as dangerous as it really is, doesn't even hold a candle to WebAssembly.
    Cookies are fucking welcome in comparison.

    1. Re:WebASM Threat by Anonymous Coward · · Score: 0

      WebAssembly can't do anything JS can't do.

  11. Slimy by Arzaboa · · Score: 1, Funny

    I guess they do really know what I'm thinking when I leave feedback but can never send the form.

    --
    "Ribbit" - Unknown frog

    1. Re:Slimy by Anonymous Coward · · Score: 0

      It's why the first words I type here are "I hate msmash" before erasing and sending the comment.

      Oops.

    2. Re:Slimy by hcs_$reboot · · Score: 1

      I doubt Slashdot does that. No offense, but considering how difficult it seems to be to implement a couple of new features on the site, they wouldn't push the hard work to perform that level of algorithmics... [ anyway, in Chrome open the dev tools / console, and check if there are any XMLHttpRequests going on when you type a comment ]

      --
      Slashdot, fix the reply notifications... You won't get away with it...
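
The check suggested in the comment above (watch what the page sends while you type), as an added example that is not part of the original thread or any site's code. It compares typed field values against outgoing request URLs and bodies in several common encodings; all function names, origins and sample requests are constructed for illustration.

```javascript
// Added example. All names here (findLeaks, installMonitor, ...) are hypothetical.
const MIN_LEN = 4; // skip very short values to limit false positives

function toBase64(s) {
  return typeof Buffer !== 'undefined'
    ? Buffer.from(s, 'utf8').toString('base64')   // Node
    : btoa(unescape(encodeURIComponent(s)));      // browser
}

// Forms in which a typed value commonly shows up inside a request.
function encodings(value) {
  return {
    plain: value,
    url: encodeURIComponent(value),
    form: encodeURIComponent(value).replace(/%20/g, '+'),
    json: JSON.stringify(value).slice(1, -1),
    base64: toBase64(value),
  };
}

// Best-effort text view of a request body. Blob and stream bodies need
// asynchronous reads and are not inspected here.
function bodyToText(body) {
  if (body == null) return '';
  if (typeof body === 'string') return body;
  if (typeof URLSearchParams !== 'undefined' && body instanceof URLSearchParams) {
    return body.toString();
  }
  if (body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
    return new TextDecoder().decode(body);
  }
  if (typeof FormData !== 'undefined' && body instanceof FormData) {
    return Array.from(body.entries())
      .map(([k, v]) => `${k}=${typeof v === 'string' ? v : ''}`).join('&');
  }
  return '';
}

// typed: { fieldName: currentValue }, requests: [{ url, body }].
// Returns one record per (request, field) whose value appears in the
// query string or body of that request.
function findLeaks(typed, requests, pageOrigin) {
  const leaks = [];
  for (const req of requests) {
    const target = new URL(req.url, pageOrigin);
    const haystack = target.search + '\n' + bodyToText(req.body);
    for (const [field, value] of Object.entries(typed)) {
      if (value.length < MIN_LEN) continue;
      const hit = Object.entries(encodings(value))
        .find(([, encoded]) => haystack.includes(encoded));
      if (hit) {
        leaks.push({
          url: target.origin + target.pathname,
          field,
          encoding: hit[0],
          crossOrigin: target.origin !== pageOrigin,
        });
      }
    }
  }
  return leaks;
}

// Constructed sample: requests a page might make while a form is being filled in.
const SAMPLE_ORIGIN = 'https://news.example';
const SAMPLE_TYPED = { comment: 'draft I never sent', email: 'reader@mail.example' };
const SAMPLE_REQUESTS = [
  { url: 'https://replay.example/collect',
    body: JSON.stringify({ ev: 'input', v: 'draft I never sent' }) },
  { url: '/autosave', body: 'draft=draft+I+never+sent' },
  { url: 'https://cdn.example/pixel.gif?d=' + toBase64('reader@mail.example'), body: null },
  { url: 'https://stats.example/hit', body: 'page=%2Fcomments' },
];

// Browser side: record field values on input events and inspect XHR, fetch
// and sendBeacon traffic before it leaves the page.
function installMonitor(win) {
  const typed = {};
  const check = (url, body) => {
    const found = findLeaks(typed, [{ url: String(url), body }], win.location.origin);
    for (const leak of found) console.warn('typed value found in outgoing request:', leak);
  };
  win.document.addEventListener('input', (e) => {
    const el = e.target;
    if (el && typeof el.value === 'string') typed[el.name || el.id || el.tagName] = el.value;
  }, true);

  const proto = win.XMLHttpRequest.prototype;
  const open = proto.open;
  const send = proto.send;
  proto.open = function (method, url, ...rest) {
    this._monitorUrl = url;
    return open.call(this, method, url, ...rest);
  };
  proto.send = function (body) {
    check(this._monitorUrl, body);
    return send.call(this, body);
  };
  const origFetch = win.fetch;
  win.fetch = function (input, init) {
    const url = typeof input === 'object' && 'url' in input ? input.url : String(input);
    check(url, init && init.body);
    return origFetch.call(win, input, init);
  };
  const beacon = win.navigator.sendBeacon;
  if (beacon) {
    win.navigator.sendBeacon = function (url, data) {
      check(url, data);
      return beacon.call(win.navigator, url, data);
    };
  }
}

if (typeof window !== 'undefined') installMonitor(window);
```

Pasted into the browser console before typing, it warns on each matching request. WebSocket traffic and scripts that send individual key events rather than field values are not covered.
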
    3. Re:Slimy by Narcocide · · Score: 1

      They don't have to. Banner ads are perfectly capable of doing this type of tracking without the page's help.

  12. Autocomplete by fermion · · Score: 1
    Obviously any autocomplete functionality, or the like, is going to require keystrokes sent to the server. A post will not suffice. Google, for example, would need to save what the user typed and what the user chose, to optimize future results.

    On the other hand, much of the web is run on advertising dollars, and we are in an arms race between intrusive tracking and privacy. It is therefore anyone's guess how this will be used moving forward.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  13. Whiny FUD. by Anonymous Coward · · Score: 0

    RTFA. Thanks in advance.

  14. Native app by tepples · · Score: 1

    Obviously any autocomplete functionality, or the like, is going to require keystrokes sent to the server. A post will not suffice.

    Cue the anti-script militants who prefer to download, compile, and install a native app when things like autocomplete are necessary.

  15. privacy.trackingprotection.enabled in Fx 52 by tepples · · Score: 2

    And even in earlier versions, such as the Firefox 52 that people are using in order to give Mozilla a few more months to make necessary APIs available to WebExtensions, the user can turn on Tracking Protection system-wide by entering about:config and turning on privacy.trackingprotection.enabled. The drawback is that several sites, such as TV Tropes, intentionally conflate tracking protection with an ad blocker and block page views until the user activates the "Disable protection for this site" control.

    1. Re:privacy.trackingprotection.enabled in Fx 52 by Anonymous Coward · · Score: 0

      I guess I won't be visiting TV Tropes again. Or ever before come to think of it.

  16. Javascript? by ArchieBunker · · Score: 1

    Does disabling javascript help? I disabled it recently and the internet looks the way it used to. No fancy shit moving around with auto scrolling pages, very refreshing.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Javascript? by tepples · · Score: 1

      Without script, you're limited to the checkbox hack, navigation to other documents, and form submission as the only means of interaction, and every action other than the checkbox hack results in a full page reload. Some web applications aren't very usable under these constraints. On these apps, disabling JavaScript is good for showing "please download our native app or enable JavaScript" notices.

    2. Re: Javascript? by Anonymous Coward · · Score: 0

      That's fine for some people, my use of the Internet isn't almost exclusively downloading manuals or software.
      Everything else I can do without, so I have not run into any issues yet with the js disabled.

    3. Re:Javascript? by Anonymous Coward · · Score: 0

      Without script, ... every action ... a full page reload.

      And that's a show-stopper ... how exactly ?

      And nope. If the webpage designer is even just halfway* competent only the HTML text will be downloaded (the rest, like images, CSS, scripts, etc. is then already available in your browser's cache)**.

      *You don't want to know how many websites place their style-sheets in-line, resulting in, when looking at the source, several screens of makeup, and a single one (or even less) containing the actual data. :-(

      **Heck, a single google advertisement picture already often downloads more bytes than the size of all the HTML on the page (text and tags).

      And I rather dislike the "let's throw some AJAX at it!" pages, as they often appear to be sluggish, with no indication as to whether the action is still running -- causing the page to change under your fingers because some slow-to-arrive, new data is injected into it. :-(

      And yes, I'm one of those people who has JS disabled. 90%+ of JS is not used for my benefit -- as this article again shows.

    4. Re:Javascript? by Anonymous Coward · · Score: 0

      Without script, you're limited to the checkbox hack, navigation to other documents, and form submission as the only means of interaction, and every action other than the checkbox hack results in a full page reload.

      My anecdote: Web Hosting (!) control panel demands scripts on (!!) always. No NoScript allowed.

    5. Re:Javascript? by tepples · · Score: 1

      Without script, ... every action ... a full page reload.

      And that's a show-stopper ... how exactly ?

      I can think of three reasons:

      Perceived latency: Consider a machine on which a native IRC client is not currently installed, such as one to which you cannot forward port 113 for identd. For this, you would need to use a web-based front-end to IRC. Without client-side script, how would this web-based front-end check for new messages? Would the user have to mash F5 every few seconds in case another user sent a message to the channel? And even if it did, how would it add the new messages to the scrolling list of messages sent to the channel without having to resend old messages?

      Bandwidth inefficiency: Say you have a discussion page where randomly chosen users who have not posted comments to a particular discussion can collaborate on choosing a score for how constructive each comment appears to be. Then the user can choose a score threshold above which comments appear in full and below which comments appear abbreviated, with only the subject, author, and first few words. If the user chooses to expand a particular abbreviated comment, and client-side script is on, client-side script fetches the full text to replace the first few words. Without script, the would have to save the state of which comments the user has chosen to expand and reload the entire HTML document, including the full text of all comments that are expanded on account of score or that the user has chosen to expand. This set of comments already expanded would also have to be included in the link or form for every single comment that isn't already expanded. Having to reload all the comments for each expansion would quickly run up the user's data bill.

      No way to input a drag: Forms allow capturing clicks using the ismap attribute of an <img> element. A collaborative real-time whiteboard application without client-side script cannot let the cursor draw a curve by moving the mouse while its button is down. Instead, the user would have to click each point along a polyline, with a full reload of the HTML and image every time.

      If the webpage designer is even just halfway* competent only the HTML text will be downloaded

      Even if it doesn't have to redownload images or stylesheets, a web application free of client-side script has to redownload the entire HTML, not only the HTML for the parts that the user's interaction has changed. In addition, the new document would load scrolled either to the top of the document or to the top of the section identified by a fragment identifier, not to the exact point to which the user had already scrolled.

      You don't want to know how many websites place their style-sheets in-line

      They do this to reduce perceived latency. On a satellite or cellular network, each HTTP request may add a second to round-trip time. Thus placing style declarations required for the first screen inline can be a good thing because it reduces the number of round-trips needed to display the beginning of the document. I believe the pattern nowadays is called inline style above the fold.

    6. Re:Javascript? by Anonymous Coward · · Score: 0

      Perceived latency

      Maybe someone should not try to transpose native apps like IRC to force it to work in HTML ?

      But yes, if you must have IRC and you must run it in a web browser then that's a place where JS could actually be applicable.

      And that takes care of ... what, a handful of websites out of the gazillion which abuse JS ?

      Bandwidth inefficiency

      Already answered too.
      And just take a look at how this very website does it. A nice trade-off between bandwidth and providing info.

      No way to input a drag

      Same answer as the first: If you want to do something HTML is not made for, you should maybe just stick with the/a native application.

      And for the record: I do not dislike JS per se, but I do dislike the fact that it's abused into absurdity - often with zero fallback - and I, as the one who is expected to run all those scripts, have near to zero control over it.

      A script which allows such a dragging motion to be sent so collaboration is possible ? Doesn't sound too bad. But what does sound bad is that I have no way to allow only that script to run (and limit it to only that function).

      You don't want to know how many websites place their style-sheets in-line

      They do this to reduce perceived latency.

      On a satellite or cellular network, each HTTP request may add a second to round-trip time.

      Lol. Just imagine a website using AJAX requests over such a connection ... Personally I would say that that would be exactly the place where you would want the whole thing in a single fetch. :-)

      Oh my, have I now provided an example why using JS should be considered bad, in the same way you have provided examples to why it's supposed to be good (while focussing at some fringe usage) ? I did, didn't I ? :-D

    7. Re:Javascript? by tepples · · Score: 1

      Maybe someone should not try to transpose native apps like IRC to force it to work in HTML ?

      If there's no IRC client currently installed on a particular device, there isn't much other option. This is even more true of a protocol whose native client is not ported to a particular combination of architecture and operating system at all, such as Discord on 32-bit X11/Linux devices.

      And that takes care of ... what, a handful of websites out of the gazillion which abuse JS ?

      A handful here, a handful there, and soon it adds up to a substantial amount of use cases.

      Bandwidth inefficiency

      Already answered too.

      I don't see where it was. Though the images and CSS are cached, the HTML markup for the comments that were already sent is not because the query string portion of the URL has changed to reflect the comments that the user has chosen to expand.

      And just take a look at how this very website does it. A nice trade-off between bandwidth and providing info.

      The D2 system on Slashdot uses JavaScript. I was describing the contortion that a web application would have to make if a website were to provide functionality identical to that of D2 without JavaScript.

      Same answer as the first: If you want to do something HTML is not made for, you should maybe just stick with the/a native application.

      Same objection to the answer as the first: Not all native applications are available for all significant platforms. Please find me a complete Discord client for 32-bit X11/Linux.

      A script which allows such a dragging motion to be sent so collaboration is possible ? Doesn't sound too bad. But what does sound bad is that I have no way to allow only that script to run (and limit it to only that function).

      One possibility is LibreJS, which allows all scripts to run so long as auditable source code is available to the public under a free software license.

      Just imagine a website using AJAX requests over such a connection [with a ping near 1000 ms]

      It would still be painful, but importantly it's less painful than the alternative. Most users would find a seconds-long throbber for only the part of the document that has changed less jarring than a seconds-long throbber for the entire document.

    8. Re:Javascript? by Anonymous Coward · · Score: 0

      If there's no IRC client currently installed on a particular device, there isn't much other option.

      Yes, there is. Especially with the current plethora of platforms which do rather similar stuff.

      But hey, be my guest and keep demanding that stuff like that should run in a browser, in effect elevating it to an os-in-an-os. :-) :-(

      A handful here, a handful there, and soon it adds up to a substantial amount of use cases.

      "Substantial" as in a single percent-point - if as much as that ?

      I don't see where it was.

      Lol. You did not notice that my initial response seriously doubted the amount of data actually needed to "re"-send a page ?

      The D2 system on Slashdot uses JavaScript.

      That's a prime example. Why (does it use JS) ? Composing a reply is a rather non-interactive activity. Also, I'm not using it now, and it seems to work rather well.

      Same objection to the answer as the first: Not all native applications are available for all significant platforms.

      Same reply as the first in this one. And maybe you should not be buying devices which cannot do what you cannot do without ? :-)

      One possibility is LibreJS, which allows all scripts to run so long as auditable source code is available to the public under a free software license.

      I don't think you quite understood what I was trying to convey. I could not care less that someone else thinks a script should be allowed on my machine, for whatever reason. On my machine I'm the one who should be in control. And as vetting on individual basis isn't available you're stuck with - rather blindly and hoping for the best - allowing random ones in.

      Funny that: You're warned everywhere not to open random email attachments and/or run executables from unknown sources, but in the case of JS there still is a "just download everything and run it" attitude (pushed by website designers). Idiotic if you ask me.

      Most users would find a seconds-long throbber for only the part of the document that has changed less jarring than a seconds-long throbber for the entire document.

      I think you are mixing up latency with bandwidth there ...

      "Never underestimate the bandwidth of a truckload with backup tapes" -- even if the latency is a b*tch.

      Even on a 10Mbit line you would be able to download a respectable HTML page (below a meg) in less than a second. And if you are downloading a HUGE one (10 MByte?) then the browser can already start filling the screen with what it already has while continuing downloading the rest.

    9. Re:Javascript? by tepples · · Score: 1

      If there's no IRC client currently installed on a particular device, there isn't much other option.

      Yes, there is. Especially with the current plethora of platforms which do rather similar stuff.

      Say you're logged into a PC owned by a public library using the patron ID on your library card, and you want to use this PC to connect to an IRC server. Without administrative access to this PC, how do you arrange for the installation of a native client?

      Say you've received a FaceTime invitation from a person with whom you wish to communicate, but you don't own a sufficiently recent Mac, iPhone, iPad, or iPod touch. Instead, your primary PC runs X11/Linux or Windows, and your primary mobile device runs Android. How do you communicate with this person?

      The D2 system on Slashdot uses JavaScript.

      That's a prime example. Why (does it use JS) ? Composing a reply is a rather non-interactive activity.

      Choosing which replies to expand and collapse is interactive.

      And maybe you should not be buying devices which cannot do what you cannot do without ? :-)

      If you had a good reason to run six applications, each exclusive to a different operating system, would you buy six devices, one to run the operating system for each of these applications? Many operating systems cannot be installed on generic hardware for legal or technical reasons, such as macOS and mobile phone operating systems.

      You're warned everywhere not to open random email attachments and/or run executables from unknown sources, but in the case of JS there still is a "just download everything and run it" attitude (pushed by website designers).

      There's more sandboxing with JavaScript than with the native executables that email worms used.

      Most users would find a seconds-long throbber for only the part of the document that has changed less jarring than a seconds-long throbber for the entire document.

      I think you are mixing up latency with bandwidth there ...

      Not necessarily. As long as the rest of the user interface of a single-page web application remains visible during loading, the user is more likely to accept the latency than if the application's interface were to disappear during loading (which is the case for script-free navigation and forms). In addition, TCP's slow start keeps a new connection at low bandwidth until it has received a few packet acknowledgments (or "acks"), and these acks take a while to come back on a high-latency connection. In the terminology of RFC 2488, satellite has a high "delay*bandwidth product" (DBP), which standard TCP limits to 65.5 kB (64 KiB).

      Even on a 10Mbit line you would be able to download a respectable HTML page (below a meg) in less than a second.

      A lot of the data links to which I refer are far slower than 10 Mbit. A single TCP connection with the standard 64 KiB window and the 560 ms minimum ping of satellite won't be able to exceed 0.9 Mbit. On a 1 Mbit link, 100 kB of changes load in 1 second, but 100 kB of changes and 900 kB of redundant unchanged data load in about 10 seconds. In addition, at a typical cellular data transfer price of $10 per GB, it costs one cent to load a 1 MB document, but ten 100 kB change sets fit in the same cent.

  17. IT'S OVER 9000! by n329619 · · Score: 1

    The list is actually really long, over 90000 to be more precise. For 'session recording' web (aka tracking) it's over 7000.

    1. Re:IT'S OVER 9000! by Anonymous Coward · · Score: 0

      I think that's just the top sites that they detected these on:
      yandex.ru
      clicktale.net
      hotjar.com
      sessioncam.com
      inspectlet.com
      userreplay.net
      mouseflow.com
      decibelinsight.net
      fullstory.com
      quantummetric.com
      smartlook.com
      salemove.com
      logrocket.com
      luckyorange.com

  18. Let's design a domain blocker by tepples · · Score: 1

    Give me a spec for what such a tool should do, and I might see if someone can build one and release it as free software. Does this feature set sound right for a minimum viable product?

    • Read and combine hostname blacklists chosen by the user
    • Periodically download updated blacklists from URLs chosen by the user
    • Periodically resolve hostnames chosen by the user as most commonly accessed, such as yro.slashdot.org, twitter.com, and explosm.net, and cache them locally in case of DNS outage
    • Elevate to install the combined list system-wide
    1. Re: Let's design a domain blocker by Anonymous Coward · · Score: 0

      Maybe it could display a nice error message explaining why the site is blocked, and have a button to either temporarily remove the site, or permanently whitelist. Great idea ! I'd love to shitlist half the internet....

    2. Re: Let's design a domain blocker by Anonymous Coward · · Score: 0

      Great idea ! I'd love to shitlist half the internet....

      Entire regions of the planet blocked in my machines. Only OCDE countries allowed.

  19. Sorry by PPH · · Score: 1

    My cat was walking on the keyboard again.

    --
    Have gnu, will travel.
  20. Block it by AHuxley · · Score: 1

    from the browser. It's the only way to be sure.

    Can anyone suggest an extension to totally block this illegal 3rd party key logging? Ty.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re: Block it by Anonymous Coward · · Score: 0

      I run a local dns server and block a crap load of sites(unbound).
      That way no one on my home network has to deal with this stuff. I convert some hosts files from the Web into a file for unbound.

    2. Re:Block it by dcw3 · · Score: 1

      I'm not at all happy about it either, but what are you claiming is illegal?

      --
      Just another day in Paradise
    3. Re:Block it by Anonymous Coward · · Score: 0

      Logging every keypress on other pages too is nasty. I might be typing something confidential in web-based email for example. And how about password fields?

    4. Re: Block it by ChoGGi · · Score: 1

      For anyone else using unbound

      local-zone: "clicktale.net" refuse
      local-zone: "decibelinsight.net" refuse
      local-zone: "fullstory.com" refuse
      local-zone: "hotjar.com" refuse
      local-zone: "inspectlet.com" refuse
      local-zone: "logrocket.com" refuse
      local-zone: "luckyorange.com" refuse
      local-zone: "mouseflow.com" refuse
      local-zone: "quantummetric.com" refuse
      local-zone: "salemove.com" refuse
      local-zone: "sessioncam.com" refuse
      local-zone: "smartlook.com" refuse
      local-zone: "userreplay.net" refuse
      local-zone: "yandex.ru" refuse

    5. Re: Block it by ChoGGi · · Score: 1

      err that should be always_refuse

    6. Re: Block it by Anonymous Coward · · Score: 0

      Mine is redirected to a local web server:
      local-zone: "yandex.ru" redirect
      local-data: "yandex.ru A 192.168.0.10"

      Either way, it's easy to set up.
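
Added example, not part of any comment above: the hosts-file-to-unbound conversion mentioned in this thread, together with the read-and-combine step from the "Let's design a domain blocker" post, sketched in Python. The sample lists are constructed and the function names are this example's own; `always_refuse` and the `redirect`/`local-data` pair follow the replies above.

```python
import ipaddress
import re

# Constructed sample inputs (not real feeds): one hosts-format list and one
# list with a bare hostname per line, the two shapes blocklists usually take.
SAMPLE_LIST_A = """\
# constructed sample, hosts-file format
127.0.0.1 localhost
0.0.0.0 hotjar.com
0.0.0.0 www.hotjar.com
0.0.0.0 FullStory.com   # trailing comment
"""
SAMPLE_LIST_B = """\
fullstory.com
mouseflow.com.
not a hostname!
0.0.0.0 0.0.0.0
"""

LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Strict hostname syntax: this is also what keeps a hostile list entry from
# smuggling quotes or newlines into the generated unbound configuration.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$"
)
ZONE_TYPES = {"refuse", "always_refuse", "always_nxdomain"}


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_blocklist(text):
    """Return the set of valid hostnames found in one blocklist."""
    hosts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if is_ip(tokens[0]):
            tokens = tokens[1:]          # hosts format: address, then names
        elif len(tokens) > 1:
            continue                     # neither "IP name..." nor one bare name
        for tok in tokens:
            name = tok.lower().rstrip(".")
            if name in LOCAL_NAMES or is_ip(name) or not HOSTNAME_RE.match(name):
                continue
            hosts.add(name)
    return hosts


def combine(blocklists):
    """Merge lists and drop names already covered by a blocked parent zone,
    since an unbound local-zone applies to every name beneath it."""
    merged = set().union(*blocklists)
    kept = set()
    for name in sorted(merged, key=lambda n: n.count(".")):
        labels = name.split(".")
        parents = {".".join(labels[i:]) for i in range(1, len(labels) - 1)}
        if not parents & kept:
            kept.add(name)
    return sorted(kept)


def render_unbound(hosts, zone_type="always_refuse", sinkhole_ip=None):
    """Emit local-zone lines for the server: clause of unbound.conf.
    With sinkhole_ip set, emit the redirect/local-data pair instead."""
    if zone_type not in ZONE_TYPES:
        raise ValueError(f"unsupported zone type: {zone_type}")
    rrtype = None
    if sinkhole_ip is not None:
        rrtype = "A" if ipaddress.ip_address(sinkhole_ip).version == 4 else "AAAA"
    lines = []
    for host in hosts:
        if not HOSTNAME_RE.match(host):
            raise ValueError(f"refusing to write invalid hostname: {host!r}")
        if rrtype:
            lines.append(f'local-zone: "{host}" redirect')
            lines.append(f'local-data: "{host} {rrtype} {sinkhole_ip}"')
        else:
            lines.append(f'local-zone: "{host}" {zone_type}')
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    merged = combine([parse_blocklist(SAMPLE_LIST_A), parse_blocklist(SAMPLE_LIST_B)])
    print(render_unbound(merged), end="")
```

Running `unbound-checkconf` on the resulting configuration before reloading catches syntax problems without taking the resolver down.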

  21. NoScript, but... (use Brave) by Anonymous Coward · · Score: 0

    Previously I would have said NoScript, but Firefox has completely botched that whole migration.

    Use Brave as your browser and it has script controls implemented by default. You can globally block scripts and then enable on each site as needed.

    1. Re:NoScript, but... (use Brave) by theweatherelectric · · Score: 4, Informative

      Previously I would have said NoScript

      Use it again. NoScript has been released for Firefox 57.

    2. Re:NoScript, but... (use Brave) by Anonymous Coward · · Score: 1

      Mine just synced to 57 recently, and I hate it though. I'm not sure if I'm actually temporarily enabling sites or not. It used to have text that *said* temporarily allow. Now it's nothing but icons. Dam it. What do those icons mean? How can they screw up something so simple. It seems slow too. I hate these kinds of UI changes in general though, so maybe I'll give it some time... but... why??? The UI wasn't broken. Also, everything in FF 57 looks like it was drawn with a fine-point pencil. Yuck. It's like the arrow is barely there. Fucking shit designers, just making changes to justify their existence.

    3. Re:NoScript, but... (use Brave) by theweatherelectric · · Score: 2

      If you want UI changes in NoScript then tell the developer of NoScript. He says he wants to hear everyone's UI ideas.

    4. Re:NoScript, but... (use Brave) by Anonymous Coward · · Score: 0

      Given the new UI, he's already listening to too many people's UI ideas. My god, it's full of suck.

    5. Re:NoScript, but... (use Brave) by Darinbob · · Score: 1

      Yes, the new noscript UI is disconcerting and inscrutable. I don't think any user input was taken into account here.

  22. Re:Russia Recorded Donald Trump's Illegal Sexcapad by Anonymous Coward · · Score: 0

    No wall, no travel ban, no Obamacare repeal, no draining of the swamp, definitely no being president "for all Americans"... Whole lotta cheating at golf, though, so I guess you can be proud of that.

  23. Noscript by Orgasmatron · · Score: 3, Interesting

    Tell me again why Noscript isn't the default mode of every browser?

    Why does, for example, slashdot think that I want to run software provided by truste.com, janrain.com or pro-market.net? I don't know any of those sites, and while I appreciate that slashdot trusts those sites not to harvest my data or harm my computer, they aren't exactly the party with skin in the game.

    If you want to see how fucked up the web is, how fucked up we've allowed it to become, install noscript and set your browser to treat OCSP failures as hard errors. We have the technology to fix this. We just don't care enough to use it.

    --
    See that "Preview" button?
    1. Re:Noscript by Anonymous Coward · · Score: 0

      I finally upgraded to FF57 today because Noscript 10 was released.
      Unfortunately, I soon discovered that Noscript 10 doesn't have Noscript 5's best feature: temporary permissions.

      I hope temporary permissions are only missing because the Noscript author didn't have time to port the feature. If temporary permissions are gone forever, then I'm probably just going to uninstall Noscript, because it's worse than worthless right now.

    2. Re:Noscript by Dwedit · · Score: 1

      UMatrix has temporary permissions, or rather it has permissions that go away unless you hit the save permissions button.

    3. Re:Noscript by theweatherelectric · · Score: 3, Informative

      temporary permissions

      They're still there. See the developer's blog post.

    4. Re:Noscript by Mkkby · · Score: 2

      Yep, and this is why I won't DOWNGRADE to firefox 57. I'll stay frozen on 50 until NoScript has the full functionality it had before. Note, it's been released as of today but users are complaining of missing features and a terrible UI. Keep waiting.

      The internet is almost un-usable without an ad blocker and a JS blocker. I don't know how anyone can stand the slow load times and blinking/flashing ads in your face. Perhaps TV has made all this normal for most people.

    5. Re:Noscript by Anonymous Coward · · Score: 0

      it's already released!!! I just installed! Go for it while it's hot :D

    6. Re:Noscript by thegarbz · · Score: 1

      Tell me again why Noscript [noscript.net] isn't the default mode of every browser?

      Because by default it breaks most of the internet and all but the most dedicated put up with manually having to manage whitelists.

    7. Re:Noscript by thegarbz · · Score: 2

      Tell me again why Noscript isn't the default mode of every browser?

      Because by default it breaks most of the internet and only the most dedicated of geeks are happy to battle with the frustration of managing whitelists to make basic browsing work.

    8. Re:Noscript by Anonymous Coward · · Score: 0

      And besides that, if it hadn't released there are lots of alternatives..

    9. Re:Noscript by PeeAitchPee · · Score: 2

      The problem is the 99.9999% don't understand what you just wrote, or why it's important to them. They probably do know that one of the times they let a tech-minded friend help them, certain web pages stopped working. So we're back to the same reason that fucks up pretty much everything, eventually: once you let "normal people" use it, well, anything, shit will get broken. And once you let for-profit companies use it, its original intent will be perverted. That's why we have a crippled, adware-laden crapfest of an Internet run by corps and consumed by the unwashed masses versus what was envisioned for a worldwide public network 25+ years ago.

    10. Re:Noscript by gitano_dbs · · Score: 1

      Can also stay on older versions and still patched on Firefox ESR (Extended Support Release) https://www.mozilla.org/en-US/... at version 52.5 currently.

    11. Re:Noscript by Orgasmatron · · Score: 1

      That's kinda my point. We should have been doing a better job managing the defaults that the "normies" will be operating under.

      --
      See that "Preview" button?
    12. Re:Noscript by epine · · Score: 1

      Because by default it breaks most of the internet and only the most dedicated of geeks are happy to battle with the frustration of managing whitelists to make basic browsing work.

      NoScript doesn't even remotely dent my frustration meter. There's a simple reason for this. If I can't fix the site in two guesses, the site is probably shit, anyway. This isn't sour grapes, either. The correlation is strong, and positive.

      Quite regularly, I click onto an unfamiliar web site, it doesn't display properly on first load, I right click the NoScript item at the bottom corner of my FF browser window (full screen, portrait mode, 23" monitor), and up comes a menu that occupies 60% of my vertical real estate. We're talking twenty to thirty foreign page elements.

      Man, I can not flee those web sites fast enough.

      The only time I ever get frustrated is with sites that put Amazon bucket numbers into page element URLs. For those I fire up Chromium (plug-in naked), which I only use for pages where NoScript on Firefox interferes with something I actually want to access. Then I shut Chromium down again. This happens roughly a few times per week.

      Still doesn't dent my frustration meter.

      And it's not like I'm generally a cool cucumber. I'm easily enraged/outraged by many things I encounter.

      This TED talk had me hitting the fucking ceiling.

      The first secret of design is ... noticing — March 2015

      We all know what he's talking about. As human beings, we get used to everyday things really fast. As a product designer, it's my job to see those everyday things, to feel them, and try to improve upon them. For example, see this piece of fruit? See this little sticker? That sticker wasn't there when I was a kid. But somewhere as the years passed, someone had the bright idea to put that sticker on the fruit. Why? So it could be easier for us to check out at the grocery counter.

      Well that's great, we can get in and out of the store quickly. But now, there's a new problem. When we get home and we're hungry and we see this ripe, juicy piece of fruit on the counter, we just want to pick it up and eat it. Except now, we have to look for this little sticker. And dig at it with our nails, damaging the flesh. Then rolling up that sticker -- you know what I mean. And then trying to flick it off your fingers. (Applause) It's not fun, not at all.

      But something interesting happened. See the first time you did it, you probably felt those feelings. You just wanted to eat the piece of fruit. You felt upset. You just wanted to dive in. By the 10th time, you started to become less upset and you just started peeling the label off. By the 100th time, at least for me, I became numb to it. I simply picked up the piece of fruit, dug at it with my nails, tried to flick it off, and then wondered, "Was there another sticker?"

      I've never become numb to removing a fruit sticker. There was never anything to become numb about, in the first place.

      Every night lately I've been reading my wife a chapter of Henry Marsh's excellent book Do No Harm. She confessed last night that she's getting a bit tired of cute 12-year-olds with brain cancer and lovely, long red hair bleeding to death on the OR table (this is rare, actually, but there's a chapter on it).

      Ten to the fucking power of nine fruit stickers, in every second chapter.

      Welcome to real life, all you Tony Fadell bird brains.

    13. Re:Noscript by Anonymous Coward · · Score: 0

      > all but the most dedicated put up with manually having to manage whitelists

      So why isn't Noscript managed like Adblockers, with automatic downloads of reasonable lists + custom personal rules?

      Even a text file with: Slashdot needs Domains X, Y and Z (out of 20) to actually function would be a great help.

    14. Re:Noscript by thegarbz · · Score: 1

      If I can't fix the site in two guesses

      And you haven't dented the frustration meter? The simple reason has nothing simple in it. It's just that you have an incredible amount of patience. In the mean time the rest of the world relies on uBlock and its far more automated cross site script blocking along with specific black lists.

      No guessing. If something requires guessing it's broken. A plugin that prevents a website from loading is broken. A plugin that "regularly breaks unfamiliar websites" ... well sorry but you've just lost the majority of the world there.

      I'm not saying there's no place for noscript in the world, there's just absolutely no place for it to be a default.

  24. Ignored option by Hallux-F-Sinister · · Score: 2

    [ ] Don't pay for every website you access, that's what ads are for. Let advertisers be unable target you and unable to track you specifically, etc., which means sellers of ads won't make as much money, and certain companies won't have billions or trillions of dollars that they only have because people tolerated this behavior. I typed a bunch of stuff after this, but no one is going to read it anyway.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
    1. Re:Ignored option by Pascoea · · Score: 2

      I typed a bunch of stuff after this, but no one is going to read it anyway.

      There are apparently 400 sites out there that will.

    2. Re:Ignored option by Hallux-F-Sinister · · Score: 1

      Is /. one of them?

      --
      Our reign has gone on long enough. Indeed. Summon the meteors.
  25. A Lot of Trouble by techdolphin · · Score: 2

    It seems like these websites are going to a lot of trouble to discover that I can't type and can't spell.

    1. Re: A Lot of Trouble by Anonymous Coward · · Score: 0

      Welcome 1,000,000th visitor!
      You've just won a FREE TRIAL of Typin'Tutor Deluxe XP!
      Click Here to claim your prize.

  26. Duh! Autocomplete REQUIRES some tracking by redelm · · Score: 3, Insightful
    You know how Goggle and others do autocomplete on your search entries? Or spell check in text boxen? Or mouse zooming? How could they do this if every mouse/keystroke was not sent to them? Of course some loaded script does, and whatever else it does is probably described as "trojan".

    I do not much like this mis-behaviour and mostly browse using `links2`, a lynx-like text browser. Missing images is a feature :)

  27. websites and windows by bugs2squash · · Score: 1

    So if the website steals the errant/orphan/reconsidered keystrokes, does that mean Windows doesn't capture them? Maybe this is the lesser of two evils.

    --
    Nullius in verba
    1. Re:websites and windows by hcs_$reboot · · Score: 1

      Windows captures them at a lower level, even before the keyboard event reaches the browser. Don't worry, MS knows even more than those spy web sites.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  28. But but ... by hcs_$reboot · · Score: 1

    what are they doing with that information? I mean 99.99% of that is completely boresome, and for the rest, they'd need a quite capable AI algo to extract relevant information. Unless there is a 24/7 staff in charge of checking the crap that's been entered then deleted... which I doubt.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:But but ... by Anonymous Coward · · Score: 0

      Once one of those companies get hacked you'll lose all your passwords in cleartext for every site which used it. Along with any other personal info you typed on any of those sites. They are website keyloggers and you can bet they're not primarily interested in security. You are not their end user, your security doesn't matter.

    2. Re:But but ... by Anonymous Coward · · Score: 0

      Once one of those companies get hacked you'll lose all your passwords in cleartext for every site which used it. Along with any other personal info you typed on any of those sites. They are website keyloggers and you can bet they're not primarily interested in security. You are not their end user, your security doesn't matter.

      That's absurd. The hacker would need some kind of cloud based AI to run a datamining tool as powerful and complex as...

      cat data.txt|grep "@"|grep ".com"

      Much less the wizardry needed to use egrep.

    3. Re: But but ... by Anonymous Coward · · Score: 0

      That ought to be something like: grep -E "@.*\.com" data.txt

      No extra 'cat' call; grep will happily accept a file name as an argument.

  29. yawn .... by Hugh+Jorgen · · Score: 0

    Tea Leaf has been doing this since Bush was in office. Not news or new.

    1. Re:yawn .... by lucm · · Score: 1

      it's now part of IBM so we can assume it will stop working soon.

      --
      lucm, indeed.
    2. Re:yawn .... by Hugh+Jorgen · · Score: 0

      IBM, Oracle, Google and Microsoft -- where good software goes to die.

  30. Web Sites Behavior Control by hcs_$reboot · · Score: 3, Insightful

    That proves (even if we've known that for a while) there is no control of web sites behavior. A concrete analogy is, you're angry after the tax office because you pay too much taxes, and start to write a letter, joking around, "go f..k yourself" etc... then throw that paper away and write the real one. Following this web site behavior, the tax officer is constantly looking over your shoulder - without you being even aware of that. This is totally unacceptable. The user should be at least made aware of that spying policy.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:Web Sites Behavior Control by dinfinity · · Score: 1

      Granted, in that case you are technically writing the letter and throwing it away in the tax officer's office. People think they're doing online stuff 'from home', but the internet is the digital equivalent of walking around outside, with all the dangers, 'spying' and caveats that come with that.

  31. But, but, but by Anonymous Coward · · Score: 0

    #NonInvasiveAdvertising

  32. Re:Russia Recorded Donald Trump's Illegal Sexcapad by Anonymous Coward · · Score: 0

    Yeah, but he's good at telling a private organization (the NFL) how to behave!

  33. ^h^h^h^h^6^6 by Anonymous Coward · · Score: 0

    ^h^h^h^h^h^h^h^h^h^h^H^H^H^H^H^H^H^H^H^h^H^H^h^H^H^H^H keyboard apoc^Halypse

  34. I feel pretty safe on Slashdot by Hal_Porter · · Score: 1

    The editors are much too lazy to implement something like this in their 20 year old Perl abomination.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  35. javascript must die by Anonymous Coward · · Score: 0

    And webasm is not the solution. embedding scripts in a text document has been always a terrible idea.

  36. Samsung Bixby spyware by Anonymous Coward · · Score: 0

    Similar topic:

    Samsung's Bixby..... you can't turn it off. You can disable the button by agreeing to Samsungs terms, and then switching the button off, but in agreeing to the terms, Samsung gets your contacts, sms's, emails, accounts, location, usage of apps, wifi data, media consumed, everything. Bixby is still running, even if disabled from popping up, and still sending that data off to Samsung, all logged against your account.

    What's happening on Android is orders of magnitude worse than happens on the internet.

  37. And they don't even know how to use all that! by CustomSolvers2 · · Score: 1

    My current position about privacy is acceptation of the reality (everyone, everywhere dealing with my a-priori-not-too-relevant data without my express consent) + neither liking nor really minding it. The key issue allowing me to think in that way is knowing what is being mostly done with that data now and in the near future: not too much.

    Most of big-data efforts have been focusing on gathering and managing, but not on properly understanding; that's why and despite its huge potential value, most of this information isn't being properly maximised. In any case, I certainly don't support any kind of against-intention-of-user actions, I have never developed or used anything on so invasive lines and look forward to legislations to keeping up with all what is happening on the online/software privacy front.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    1. Re:And they don't even know how to use all that! by citylivin · · Score: 1

      "what is being mostly done with that data now and in the near future: not too much."

      You're going to love the future then, where our descendants can go back through forums posts from the early aughts, find all the climate deniers, and charge them with destroying the planet. Which because of the anti climate denial law of 2041, is now a mandatory life sentence and confiscation of all property.

      Think it's far fetched? There are nazi hunters around the world poring through old records trying to connect the dots, 70 years after the war ended. The internet, and every single hacked (and will be hacked) database will be a treasure trove of meta data allowing anyone to go back in time to now and figure out exactly who everyone was. Heck they will probably have a service to "find what grammy wrote way back in 2017" for the low price of $19.95 per ancestor.

      I've seen the future, and breaking today's pseudo anonymity will be a game of sport for future historians. It's only a small hop to then arrest people for retroactively "bad things", what they did, or said, when they thought they were being anonymous, based on laws and societal mores that we can't even envision yet.

      --
      As a potential lottery winner, I totally support tax cuts for the wealthy
    2. Re:And they don't even know how to use all that! by CustomSolvers2 · · Score: 1

      Although your whole post is a bit too melodramatic, recent events seem to kind of prove that it might not be as crazy as might seem at first sight. In any case and luckily for me, I don't have any kind of reputation to damage (other than the technical/professional one which actually shouldn't be immune to my incompetence) or any ideas, actions, expectations, etc. to hide (right the contrary: lots of things to share, mainly to help certain clueless idiots understand that they should better avoid dealing with me). Actually, my behaviour has been becoming increasingly careless about all that during the last times. Anyone can find lots of stuff about me that, at first sight and for some people, might not look too good; on the other hand, I don't care about those people, their concerns and much less about their (non-existing) authority. I correct any error as soon as I realise about it. I update my behaviour/expectations as much and as regularly as possible, every time by doing what I consider best under the given conditions. Out of all the forms of stupidity, I despise fanatics the most; and out of all their possible versions, the coward, behind-the-back, in-group, getting-everything-out-of-context, always-looking-for-unfair-advantages, etc. ones. And I will always support these "individuals" to be disrespected, ridiculed and even bashed. I always expect everyone to be fully responsible for all what they do, but expect way much more of those daring to have a so pathetic attitude toward anyone (= doubt and conspire all what you want, but better be ready for the very-bad-for-your consequences if case that you were wrong).

      In case of having children (I still have to find the required second half and am quite demanding; so, not too sure on this front), I will make sure that they grow knowledgeable and fearless. I will do all what is my power to help them become fully-aware persons actively contributing to make the world a better place. That world you predict isn't a world for me, for my children or for any person with a bit of self respect and knowledge. In the extremely unlikely scenario of such an eventually to ever happen, I would be joining whatever resisting movement is available (or creating my own!) and, hopefully, my kids will join me.

      Nowadays and in rich countries, problems on these lines are usually accepted or, at least, tolerated by the victims; or even better: the victim already did (or probably will do) something similar. You know what they say: live by the sword, die by the sword. If you are a politician, show business celebrity or similar, perhaps you should be very careful when choosing allies/enemies and, if you have something to hide, better start thinking about how to deal with the eventual publicity. I am not part of this and will never be. I have nothing to do even with low-level hypocrites, standard conformists. I am an outsider even within the software development industry (IMO, much more concerned about non-technical aspects than it should be). Anyone wanting to prove that I am not compatible with whatever PC trend should find more than enough references after a short research (or could contact me and I would provide whatever is needed), but this is almost a badge of honour for me. I might be poor, have lots of debts, find lots of difficulties to get clients, over-work a lot and my whole activity might be systematically under-appraised, but I am very proud of what I am, think, do and every single step I have taken. There is no buts, no "will tolerate this little thing on exchange of getting whatever" to be ashamed, no even slightly dishonest or unfair actions. I have made tons of mistakes, but every time by thinking that I was doing the right thing in that moment and by trying to correct them/accept the consequences.

      Some people cannot understand why I do things as I do. They cannot understand the tremendous value of always doing what you think that should do by being as fair, honest, respectful to others and, at work work, objective/professional as possible. Nothing to hide, not

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  38. Legal by Anonymous Coward · · Score: 0

    Is this legal ? Most likely not in the EU, and most likely not anywhere else.
    Capturing my keypresses without my permit would be illegal almost everywhere.

    1. Re:Legal by CustomSolvers2 · · Score: 1

      Capturing my keypresses without my permit would be illegal almost everywhere.

      The most ironic part is that you have most likely given your permission, but only in a generic or even just implicit way. Additionally, most of users aren't even completely aware about what web-based anything basically implies: browsing through files stored on a third-party computer, where every action can be easily tracked and stored. Another aspect to bear in mind is that a big proportion of modern functionalities do need to rely on visitor's information; temporary and without-allowing-access-to-anyone-else data gathering should be fine.

      In summary, what is required is much more control on the visitor data non-temporary storage, sharing and usage fronts. Also clearer/express indications (and ideally the option to freely reject non-essential data collection; now, you are usually forced to accept everything in order to use whatever application) about what is happening with your data at each point like via a popup before using whatever functionality.

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  39. Re:Duh! Autocomplete REQUIRES some tracking by Anonymous Coward · · Score: 0

    I like how you think it's cute to type "boxen". We're all grown up now. You should try joining us in the adult world.

  40. Overblown. Gonna play devil's advocate. by geekymachoman · · Score: 3, Interesting

    So, this is completely overblown out of proportion. I'm a web dev, and more. Basically I've been deciding and implementing all sort of web things, including this "tracking" everybody is hung up about. Everywhere I worked at, the "tracking" is used for the good of a consumer as in ... analyzing data to provide better user experience, to make it easier for the users to find what they need ( granted: in effort to increase sales ), when they need it, and overall just increase user experience.

    After 15 years of being in the business, I never seen tracking for malicious purposes (or purposes other than attempting to make it easier for YOU to use the website ).

    I understand the concerns people are having, but jesus christ you people talk about it like we're filming you while in a shower, just because websites track where people click and what they insert into a web form ( on their own sites ) does not mean they CARE about you. No business cares about the individual.. but about statistics, percentages, numbers.

    It's even said so in the article summary:
    "Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages."

    What on earth is so wrong about this ?
    For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d". This is what they see and track, and care about.

    Get over yourself, for god sake.

    1. Re:Overblown. Gonna play devil's advocate. by afgam28 · · Score: 4, Insightful

      Let's suppose that there are no malicious uses of web tracking, that it is solely used to improve the user experience. There's still a big problem, which is that a lot of software developers are just incompetent when it comes to security. And sorry to break it to you, but your post proves that you're one of them.

      If you don't see the problem with a key logger on a site that contains a password field, and then sending those logged keys to a third-party, and through unencrypted channels, then you need to be fired from your job as a web dev asap.

    2. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 0

      I agree, most users probably don't even care what is collected but the tin foil hat conspiracy nuts. If privacy was a concern people in huge numbers would embrace VPN, and Tor like browsers and would be lobbying for all sorts of legislation. Given that Google Chrome is the most used browser in the world says it all. Privacy is of no real concern to the average web user.

    3. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 0

      I didn't study the articles, but the references I could find were not that data was sent to the third-parties through unencrypted channels, it was that replay could occur over unencrypted channels. Small difference, but important.

      In either case, companies that use these services without the interest in the privacy of their users' information are doing their users a disservice. The company I work for uses a session recording/replay product (not one in the article), but we do first-party capture - mostly through a span port (some script-based capture) - we perform our own redaction, and the replay feature is on our intranet and over HTTPS. If we find something that slipped through the redaction, we fix it and reprocess all of session data to remove it from the indexes. We also only temporarily keep the session data. The tool is invaluable to our support teams as 1) it provides details on hard-to-reproduce bugs and 2) provides factual progression through an HTTP/S session and not what a user 'remembers'. It's also beneficial to marketing for aggregating click-streams and determining success of promotions (we don't do any third-party advertising/promoting - it is all first-party).

      Session replay can be done well, but I think the article shows many examples of how not to do it.
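The first-party redaction and reprocessing workflow described in the comment above, sketched as an added example (not the commenter's or any vendor's code). The event shape, field names, allowlist and sample data are all assumed for illustration.

```javascript
// Added example: redact captured form events before they are stored for replay.
// Event shape, field names and all sample data below are constructed.

// Default-deny: only fields named here keep their typed value.
const ALLOWED_FIELDS = new Set(["search", "quantity", "country"]);

// Input types whose value is never stored, whatever the field is called.
const NEVER_STORE_TYPES = new Set(["password", "hidden"]);

const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
// 13 to 19 digits, optionally separated by single spaces or hyphens.
const CARD_CANDIDATE_RE = /\b\d(?:[ -]?\d){12,18}\b/g;

// Luhn checksum, so order numbers and the like are not masked as card numbers.
function luhnValid(digits) {
  let sum = 0;
  let dbl = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    dbl = !dbl;
  }
  return digits.length >= 13 && sum % 10 === 0;
}

// Second line of defence for allowlisted free-text fields: users paste
// e-mail addresses and card numbers into search boxes too.
function scrubText(text) {
  return text
    .replace(EMAIL_RE, "[email]")
    .replace(CARD_CANDIDATE_RE, (m) =>
      luhnValid(m.replace(/\D/g, "")) ? "[card]" : m
    );
}

// Redact one captured event. Non-input events and already-redacted events
// pass through unchanged.
function redactEvent(event, allowed = ALLOWED_FIELDS) {
  if (event.kind !== "input" || typeof event.value !== "string") {
    return { ...event };
  }
  if (NEVER_STORE_TYPES.has(event.type)) {
    return { ...event, value: null, redacted: "type" };
  }
  if (!allowed.has(event.field)) {
    return { ...event, value: null, redacted: "field-not-allowlisted" };
  }
  return { ...event, value: scrubText(event.value) };
}

// When something is found to have slipped through, tighten the rules and
// re-run them over everything already stored.
function reprocess(storedSessions, allowed) {
  let changed = 0;
  const cleaned = storedSessions.map((session) => ({
    ...session,
    events: session.events.map((ev) => {
      const out = redactEvent(ev, allowed);
      if (out.value !== ev.value) changed++;
      return out;
    }),
  }));
  return { cleaned, changed };
}

// Constructed capture from one page visit.
const SAMPLE_EVENTS = [
  { kind: "input", field: "search", type: "text", value: "blue kettle" },
  { kind: "input", field: "login_pw", type: "password", value: "hunter2" },
  { kind: "input", field: "search", type: "text",
    value: "refund to bob@example.com card 4111 1111 1111 1111" },
  { kind: "input", field: "condition", type: "text", value: "asthma" },
  { kind: "click", target: "#checkout" },
];

// Constructed store written under an older allowlist that still let the
// free-text "notes" field through.
const STORED_SESSIONS = [
  { id: "s1", events: [
    { kind: "input", field: "search", type: "text", value: "blue kettle" },
    { kind: "input", field: "notes", type: "text", value: "asthma inhaler refill" },
    { kind: "input", field: "login_pw", type: "password", value: null, redacted: "type" },
  ] },
];

console.log(SAMPLE_EVENTS.map((e) => redactEvent(e)));
console.log(reprocess(STORED_SESSIONS, ALLOWED_FIELDS).changed);
```

The allowlist is the important design choice: a denylist keyed on `type="password"` alone would still store the constructed `condition` and `notes` values.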

    4. Re:Overblown. Gonna play devil's advocate. by AmiMoJo · · Score: 4, Insightful

      Looking at the number of sites that use anti-patterns (malicious UIs designed to trick the user) I'd say you have lived a very sheltered life.

      Getting you to buy more stuff IS abuse in many cases. Jacking up prices because your page view times and mouse hover positions suggest that you will pay 10% more is also abuse, and spying. It's creepy AF.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 0

      On behalf of your customers who you have chosen to belittle: Fuck You! If you can't make a good web page without spying on people, then you are incompetent.

    6. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 0

      I would be very surprised if input fields with type="password" weren't automatically excluded. I would, of course, sanity check that as due diligence, but you've made a number of baseless assumptions. E.g. unencrypted channels; if the website is HTTPS it's likely whatever 3rd party call will be too as browsers tend to complain about mixed secure content. If you're inputting a password into a non-HTTPS website anyway, then more fool you.

      I can't comprehend anyone who gets bent out of shape about this sort of stuff... Unless you're one of those people with a single password for everything, and if so, more fool you (again).

    7. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 0

      So a $30 BILLION business doesn't invite corruption?

    8. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 1

      "What on earth is so wrong about this ?"

      One serious thing; this is done without consent.
      And usually without clear policy about future use of the data, auditable by a respectable authority.
      You ping my screensize/fonts/whatever = we're at war (and if I'm still interested in your content, expect a visit through Tor).

      Web-sniffers are the new Spam...

    9. Re:Overblown. Gonna play devil's advocate. by bluegutang · · Score: 3, Insightful

      For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d".

      No, this is you: ID "a3727fd0a20d5eef697d3c2f41bf0e4d", username bob123, email address bobsmith123@gmail.com.

      And email address bobsmith123@gmail.com can be correlated with a Facebook account, medical history, credit rating, and much more.

    10. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 0

      Jacking up prices because your page view times and mouse hover positions suggest that you will pay 10% more is also abuse, and spying. It's creepy AF.

      The thing I always compare this to, is imagine if when you walked through the grocery store prices changed continually based on who walked by. I think online shopping like Amazon and the tricks they play is just absurd. Same price for everyone should be the goal. Get off my lawn!

    11. Re: Overblown. Gonna play devil's advocate. by afgam28 · · Score: 1

      Even if passwords are excluded, the article gives other examples of sensitive information like medical info that would get logged.

      The unencrypted channel thing wasn't an assumption either, the article mentions that some of the dashboards are served over HTTP, so sensitive information would be sent unencrypted from the third party tracking company to the developers looking at the dashboard.

    12. Re:Overblown. Gonna play devil's advocate. by geekymachoman · · Score: 1

      > Let's suppose that there are no malicious uses of web tracking, that it is solely used to improve the user experience. There's still a big problem, which is that a lot of software developers are just incompetent when it comes to security. And sorry to break it to you, but your post proves that you're one of them.
      >
      > If you don't see the problem with a key logger on a site that contains a password field, and then sending those logged keys to a third-party, and through unencrypted channels, then you need to be fired from your job as a web dev asap.

      So, who's talking about security ? If you want to talk about security and how tracking is done, then open another thread that discusses security. This topic, and my reply to it is about tracking itself, and session replays.
      Your assumption appears to be "if you track, you're bad at security" - which makes no sense at all.

      I never said I don't see a problem with sending password fields, or sending them even clear text even. Again, where did you read that ?

      What I said is that for people that are tracking, you are not afgam28, you are "a3727fd0a20d5eef697d3c2f41bf0e4d" for purposes of improving the UI, and automating certain things to, again, improve your experience in using our website.

    13. Re:Overblown. Gonna play devil's advocate. by Anonymous Coward · · Score: 0

      You have to wonder how someone so fucking dumb can be a 'web dev, and more'

  41. Re:Duh! Autocomplete REQUIRES some tracking by Narcocide · · Score: 1

    Gee, you don't make it sound very welcoming or enjoyable. I can only imagine you think the best way to make yourself feel better about your miserable life is to drag other people down to your level. It stinks of a trap. Or, maybe that wasn't your intent and in reading this you just realized you're still a petulant child after all?

  42. Re:Duh! Autocomplete REQUIRES some tracking by thegarbz · · Score: 1

    You know how Goggle and others do autocomplete on your search entries?

    Yeah I do. They don't typically do so on username or password fields. Maybe read the entire summary or article and actually understand the topic at hand before posting. Your UID is too low to be spouting something so silly.

  43. Re:Duh! Autocomplete REQUIRES some tracking by DNS-and-BIND · · Score: 2

    Here's a fun party trick: go to Google.com, type in "Hillary Clinton", and try to get autocomplete to say something bad about her. Then, try it with "Donald Trump" (impeachment was the first auto-complete result I got, it may vary with your location).

    During the James Damore scandal, I couldn't get Google to suggest anything at all about his name. It just suggested variations on "d'amore", the French word for love. Weird, eh?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  44. Zounds! by cascadingstylesheet · · Score: 1

    It's almost as though the web were some sort of client-server technology!

  45. Most users don't care by Anonymous Coward · · Score: 0

    In general most users might say they care about privacy but most don't really. It's like a knee jerk reaction to follow the crowd and say you care. It's hypocritical to complain about Microsoft Windows collecting data but not Google. Because I guess most people use Chrome and Google services. Even if you live your web life in a so called private browsing mode. Are you really?

  46. Re:Duh! Autocomplete REQUIRES some tracking by Anonymous Coward · · Score: 0

    "I must not have fun. Fun is the time-killer. Fun is for children, customers, and the help. I will forget fun. I will take a pass on it. And while it is going, I will turn a blind eye toward it. When fun is gone there will be nothing. Only I will remain—I, and my will to win. Damn, I'm good."

  47. Greasemonkey script to disable all onchange events by Anonymous Coward · · Score: 0

    Make it apply to textareas. Or prevent all javascript affecting textareas.

  48. Re:Duh! Autocomplete REQUIRES some tracking by drinkypoo · · Score: 1

    You know how Goggle and others do autocomplete on your search entries? Or spell check in text boxen? Or mouse zooming? How could they do this if every mouse/keystroke was not sent to them?

    You know you can turn off autocomplete in your browser search field, right?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  49. Overblown by Anonymous Coward · · Score: 0

    My company uses one these services to help identify site issues. That said, we mask many of the user entered fields for PII and PCI compliance. I can watch what you searched for on the site and other interactions with the site. Big deal.

    1. Re:Overblown by avandesande · · Score: 1

      I suspect 'cat' and 'video' is going to show up a lot in the data.

      --
      love is just extroverted narcissism
  50. Re:Duh! Autocomplete REQUIRES some tracking by Anonymous Coward · · Score: 0

    and mostly browse using `links2`, a lynx-like text browser. Missing images is a feature :)

    I use emacs for web browsing. I win.

  51. Re:Duh! Autocomplete REQUIRES some tracking by redelm · · Score: 1

    Yes, at least some browsers have this setting. And as another poster mentioned, scripts do not autocomplete all fields (uid/pwd). But this does not necessarily stop the scripts from running and sending running data, even if the browser does not show any useful return. Websites can adjust their behaviour per user, and might appear less intrusive to some users. Cookies & per-user scripts. That does not mean that they do not track and capture data, just that they are more subtle in displaying the results of tracking.

  52. Two words by volodymyrbiryuk · · Score: 1

    Use uMatrix

    --
    sudo rm -r -f --no-preserve-root /
  53. Mark of the beast by HalAtWork · · Score: 1

    "He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead, so that no one could buy or sell unless he had the mark, which is the name of the beast or the number of his name. This calls for wisdom. If anyone has insight, let him calculate the number of the beast, for it is man's number. His number is a3727fd0a20d5eef697d3c2f41bf0e4d."

  54. WTF? How robostupid are you? by Anonymous Coward · · Score: 0

    That's the case for Yandex too, and so, an invalid answer. Holy shit are "people" robots these days! Is this the Microsoft hotline, or what?

  55. The first step by Anonymous Coward · · Score: 0

    The first step to fixing this problem is to decide there is a problem.
    Then put real constraints on these programs called web pages that folks allow to randomly run on what they fondly think of as their computers.
    The first constraint might be that if you click on web site A, the page must be served from web site A so you know who to blame.

    Unless/until something really bad happens, I don't see that happening.
    The geeks making the web are steering away from that.
    For most of the folks here, a clear case of 'We have seen the enemy and he is us'.

    https://en.wikipedia.org/wiki/Pogo_(comic_strip)

  56. Wrong devil. by Anonymous Coward · · Score: 0

    So you may be okay with your every keystroke recorded and sent to a third party without your prior consent or even information. Why would you then mind if someone turned on the microphone and listened to every word said in your house? How about recording your porn habit and then leaking that to your spouse, employer, law enforcement? How about leaking the fact that you looked up various diseases to potential employers, current employers, or others? How about leaking web browsing to politicians? Wouldn't you just love to be hassled by the local sheriff for opposing him? How about suspicious purchases like hydroponics equipment? If a cop can sit outside a hardware store and justify raiding someone's home based upon legal purchases of indoor gardening supplies, imagine how far that rabbit can go with a bit of tax payer money and creative investigation.

    You've been isolated from the real world of how people use information to hurt other people. Every tool humans create can be and has been used to hurt other people.

  57. Poison the Well? by Maritz · · Score: 1

    Anyone ever come up with software to just pile shitloads of fake data into all these sniffers? I'd like every web page to think I hovered over every fucking link and wrote a bunch of random shit. All day every day.

    Would like to see something that requests pages off completely random websites every few seconds. Sure would make GCHQ style pricks work for their dinners.

    If you can't stop the trickle, make them drink from the fucking firehose.

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  58. No surprise this is happening. by Bloxclay · · Score: 1

    Well well well how predictable that search engine companies are still "in bed" with the NSA and all those Nosey shady government entities. ..... #RIP Privacy

    --
    Switch it Off,Switch it On[SOSO] Solves 95% of all IT problems!
  59. Firefox ESR by gitano_dbs · · Score: 1

    I am using Firefox ESR (Extended Support Release) https://www.mozilla.org/en-US/... for this reason only: I can keep using the add-ons I want. They are currently at version 52.5

  60. There are valid uses for this... by gosand · · Score: 1

    I think I understand your point, there ARE valid uses for this.
    It's frustrating to develop software and not have full understanding about how your clients use it. There is a desire and a need to have that information in raw data that can be used to make the product better. It could even be used by client support and to help prevent bugs. I'm not talking about shopping carts or blogs, but enterprise-level systems that are very complex.

    But let's not kid ourselves... that isn't what this story is about.

    --

    My beliefs do not require that you agree with them.

  61. Sounds like by no-body · · Score: 1

    jail time for somebody for illegally snooping without consent. Oh, we are in the USA, sorry for bringing that up.

  62. If I want updates, I'll press Ctrl+R by tepples · · Score: 1

    So the page can refresh itself for live updating content.

    Likely reply of anti-JS hardliners: "I don't want live updating content in the web browser. I'll press Ctrl+R to poll for new content when I want new content, thank you very much. If I wanted live updating content, I would download, compile, and install a native application that provides live updating content, such as an IRC client."

  63. Re:Duh! Autocomplete REQUIRES some tracking by hawk · · Score: 1

    It's time they start.

    I am so tired of typing out "Shazam" and "1234" in their entirety . . . :)

    hawk

  64. Thanks (it's what my detractors can't stand) by Anonymous Coward · · Score: 0

    "he Linus'ed everyone's brains. He just uploaded his ideas to the interwebs and now everyone is mirroring them! He doesn't even have to post anymore, we are doing it for him! Well done APK, well done." - by Dread_ed ( 260158 ) on Tuesday November 21, 2017 @11:30AM (#55595451)

    See subject: You hit the nail on the head on what my "ne'er-do-well" jealous detractors can't stand & manage themselves OR do better than creating it themselves (all talk do nothing jokes).

    * After replies like yours? The JOKE is truly on them (above being the windbag bs artists they are, IT IS TOO OBVIOUS, they are all talk/no action)!

    They couldn't get the better of me technically proving my points wrong, so now they effetely use Saul Alinsky RULES FOR RADICALS "tactics" losers use of mockery on me (last resort of losers except they're in reverse being backasswards idiots that they are ala Ghandi "1st they ignore you, then they LAUGH @ YOU, then they fight you, & then I WIN!"

    Well - there is NO mockery of my success & doing well - you prove that much in YOUR reply!

    So thank you again Dread_ed!

    APK

    P.S.=> They're 1 of 5 types in "their kind" above the jealous worms I note above - Advertisers, webmasters (both profiting by ads that slow, track, infect & annoy users), malware makers, botnet herders OR inferior competitors - period (it's too obvious)... apk

  65. Shouldn't have opened YOUR "piehole" about it by Anonymous Coward · · Score: 0

    Shouldn't have opened YOUR "piehole" about it - PiHole/DNSMasq = buggy, exploitable & dangerous https://yro.slashdot.org/comments.pl?sid=11381875&cid=55596087/

    * Better luck next time boys - you REALLY need it vs. me!

    APK

    P.S.=> Ah yes, folks - there is NOTHING QUITE LIKE being invincible, lol... apk

  66. Re:Duh! Autocomplete REQUIRES some tracking by citylivin · · Score: 1

    "You know how Goggle and others do autocomplete on your search entries?"

    Oh I love that feature that replaces text I am typing with some other random terms and then when you try and highlight the field to delete the stupid auto complete, it actually submits the search (because you are clicking on the term in some kind of blocking mouse order drop down list). I also love the browser lag that these stupid lookups cause.

    What a wonderful feature that no one needs! Is it really hard to type entire words and sentences without a computer holding your hand for you?

    --
    As a potential lottery winner, I totally support tax cuts for the wealthy
  67. Remote DNS = slower & DNS = buggy/inefficient by Anonymous Coward · · Score: 0

    See subject + TONS of proofs galore enumerated (not even fully complete mind you) https://news.slashdot.org/comments.pl?sid=9007355&threshold=-1&commentsort=0&mode=thread&pid=51969075/

    Addtionally - DNS many "moving parts" & excessive complexity OPEN IT TO EXPLOIT & excess power, cpu, ram & other I/O use = inefficient vs. hosts (a SINGLE part of the TCP/IP stack itself makes DNS locally even inferior (calling out to remote DNS, 99++% of which are unpatched vs. the kaminsky redirect security bug = bad news/risky)) - FACT: Hosts are NOT "illogic-logic" of "Bolting on 'MoAr'", local DNS is!

    APK

    P.S.=> Accept NO substitute for APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

  68. Good choice: /.ers 2nd you... apk by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    (APK's) work, I've flat out said it's good by BronsCon

    I've tried his hosts file generating software. It works by bmo

    APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat

    Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

    I like your host file system by Karmashock

    (NEED MORE? Ask!)

    * It's recommended/hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk

  69. uBlock = inefficient redundant inferior imitation by Anonymous Coward · · Score: 0

    Hosts protect when addons can't (or as well):

    Bad sites (past ads)
    Botnet C&Cs
    DNS down/poisoned
    Trackers (dns logs/ads/transparent ISP proxy)
    Dns blocks
    Spam/phish payload
    Slowdown 2 ways: adblocks & hardcodes
    Hosts = Ez edit.

    AB+ 151mb https://www.google.com/search?q=Adblock+memory+consumption&btnG=Search&hl=en&gbv=1/

    UBlock 64MB https://www.google.com/search?q=UBlock+memory+consumption&btnG=Search&hl=en&gbv=1/

    Hosts~6mb

    Addons = ClarityRay defeatable & crippled http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/

    NoScript tag parses. Hosts block script prior to it!

    No 1 addon does as much.

    Stacked addons slowup.

    ADDONS = EXPLOITABLE https://news.slashdot.org/comments.pl?sid=11166303&cid=55266729/

    APK

    P.S.=> APK Hosts File Engine https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

  70. HUGE PiHole/DNSMasq bug Oct 3rd discovered by Anonymous Coward · · Score: 0

    See subject & so much for Pi-Hole/DNSMasq being safe (discovered in late Sept. & still unpatched afaik) https://www.bleepingcomputer.c... [bleepingcomputer.com]

    * Stack & heap "buffer" overflows galore, bypasses of ASLR, memory leaks (lacks free for malloc/needs delinting), Boundary checks needed & bug collision.

    PiHole also means spending on a raspberry Pi unit (vs. hosts = native & free) + running TONS of moving parts (of which may also have exploitability & inefficiency - complexity IS the enemy of security + efficiency).

    * LASTLY - Someone SURE DIDN'T LIKE THIS BAD NEWS for Pi-Hole users having to TRY to effetely "downmod hide it" last time I posted it, lol -> https://yro.slashdot.org/comments.pl?sid=11381875&cid=55596087/

    APK

    P.S.=> Accept NO substitute for https://yro.slashdot.org/comme... [slashdot.org] by "yours truly"... apk

  71. Ghostery by Anonymous Coward · · Score: 0

    For those who don't want to be bothered with customizing things, there is Ghostery. uBlock Origin for the bulk of ads (fast elimination) and Ghostery picks up trackers and anything left over. Between the two, I rarely see weird web requests being made except that which is absolutely necessary to render the page correctly.

  72. APK Hosts File Engine 9.0++ SR-7 32/64-bit by Anonymous Coward · · Score: 0

    APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

    Ads/script/malware rob speed/security/privacy/bandwidth.

    Hosts add speed (via hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).

    Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!

    Avoids DNSChangers in routers/IP settings & dns redirect (99++% of ISP DNS != patched vs. it) + DNS tracking & lighten DNS load & resolve faster from local RAM!

    * Via what u NATIVELY have in a FASTER kernelmode IP stack (doing more w/ less).

    APK

    P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ (self checking code vs. infection of it built-in)

  73. poison the well by gosand · · Score: 1

    I can only hope someone sets up a botnet to visit these sites and relentlessly hammer their pages with searches for bizarre words and profanity.

    --

    My beliefs do not require that you agree with them.

  74. rjstanford, let's see you do better then... apk by Anonymous Coward · · Score: 0

    I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell

    his hosts program is actually pretty good by xenotransplant

    his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg

    (APK's) work, I've flat out said it's good by BronsCon

    I've tried his hosts file generating software. It works by bmo

    APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat

    Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad

    I like your host file system by Karmashock

    (NEED MORE? Ask!)

    * It's recommended/hosted by Malwarebytes' hpHosts!

    APK

    P.S.=> China imitated me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk

  75. TeaLeaf is now standard by JamesKeane7745 · · Score: 1

    How is this even news - TeaLeaf, since being bought by IBM is near ubiquitous on most new e-com deployments, and in this community I thought enough people would have known this fact..

  76. Wordpress plugin by wolfheart111 · · Score: 1

    There's a plugin for that. :) https://wordpress.org/plugins/... I think this one actually records a video of the user interactions.

    --
    [($)]
  77. Seeing is believing i guess by Apuleus · · Score: 1

    After 15 years of being in the business, I never seen tracking for malicious purposes (or purposes other than attempting to make it easier for YOU to use the website ).

    I have never seen a robbery, but that doesn't mean they don't happen.

  78. theweatherelectric, thank-you... apk by Anonymous Coward · · Score: 0

    theweatherelectric, thank-you - I was waiting for that (it functions like Vivaldi's does (not as 'granular' by default @ least as NoScript on older FireFox was - BUT, it does work)).

    * Yes people - on FF browsers, I use an AddOn but more for 1 reason: TO POPULATE MY HOSTS FILE vs. TRACKING SCRIPTS!

    Except older NoScript on FF older models TOLD ME where 3rd party & LOCAL scripts were for hosts - new one doesn't seem to BUT IT DOES WORK (which blocks script FAR FASTER in kernelmode via the IP stack itself LONG before NoScript parses script src tags in HTML webpages)).

    APK

    P.S.=> Onwards & UPWARDS... apk

  79. Re:Duh! Autocomplete REQUIRES some tracking by Anonymous Coward · · Score: 0

    hurr durr liberals blurrrr

  80. Hostsman mvps lists = inferior & SQLite buggy by Anonymous Coward · · Score: 0

    See subject: Hostsman doesn't speed up your fav sites you spend most time online @ - mine does (which also secures you vs. dns down or kaminsky redirect flaw poisoned dns) & it uses SQLite (which has a BUG in it Google Found Over 1,000 Bugs In 47 Open Source Projects https://it.slashdot.org/story/17/05/13/0113255/google-found-over-1000-bugs-in-47-open-source-projects/ & YES - SQLite IS one of those found with flaws there... )

    * Has SQLite been PATCHED vs. that? Not that I'm aware of (feel free to correct me if so) & HAS HOSTSMAN been reissued WITH said patched SQLite?? Again - not that I am aware of.

    APK

    P.S.=> Does Hostsman work? Yes. Does it WORK AS WELL?? Hell no (but it too is hosted & equally as well noted @ Malwarebytes' hpHosts where my program is featured alongside it)... apk

  81. There are still good companies by Anonymous Coward · · Score: 0

    There are still good, honest companies. For example, I happily pay Fastmail for their email service, which as an IT guy approaching 20 years in the business, I have yet to see its rival. I've been a customer since 2002 and I've tried them all. Fastmail rivals them all. Fastmail are honest, quick to help, and have never done me wrong. They enjoy consistently high reviews from users. They give a damn and it shows in their product.

  82. Plugins = inferior & inefficient vs. hosts by Anonymous Coward · · Score: 0

    Hosts protect when plugins can't (or as well):

    Bad sites (past ads)
    Botnet C&Cs
    DNS down/poisoned
    Trackers (dns logs/ads/transparent ISP proxy)
    Dns blocks
    Spam/phish payload
    Slowdown 2 ways: adblocks & hardcodes
    Hosts = Ez edit.

    AB+ 151mb https://www.google.com/search?q=Adblock+memory+consumption&btnG=Search&hl=en&gbv=1/

    UBlock 64MB https://www.google.com/search?q=UBlock+memory+consumption&btnG=Search&hl=en&gbv=1/

    Hosts~6mb

    Addons = ClarityRay defeatable & crippled http://www.businessinsider.com/google-microsoft-amazon-taboola-pay-adblock-plus-to-stop-blocking-their-ads-2015-2/

    NoScript tag parses. Hosts block script prior to it!

    No 1 addon does as much.

    Stacked addons slowup.

    ADDONS = EXPLOITABLE https://news.slashdot.org/comments.pl?sid=11166303&cid=55266729/

    APK

    P.S.=> APK Hosts File Engine https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/

  84. Google is Evil by Anonymous Coward · · Score: 0

    Google does it for sure. These fucking search engines today can't wait until I press the fucking enter key. They have to SLURP UP every fucking keystroke I type.

  85. PaleMoon still allows canvas.poisondata vs. it by Anonymous Coward · · Score: 0

    See subject: In PaleMoon (firefox) it allows canvas.poisondata vs. it via about:config (you may have to add it, set it to TRUE).

    * Enjoy...

    APK

    P.S.=> That was given me by others here (can't recall EXACTLY who OR I'd credit them for it, I was thankful is why) so I am only "paying it forward" is all... apk

  86. Useless article: No site names included by PlaynBass · · Score: 1

    What a frickin' useless article!

    No site names included in order to protect the cash flow of the guilty. No doubt /. is one of them...

    --
    PlaynBass
  87. Is this the death of SuperGenPass by twms2h · · Score: 1

    .. at least the version that runs in the context of the web site.

    Or isn't it?

    I mean: SGP relies on you typing your master password into an entry field which it then uses together with the domain name to generate the actual password. If the sites can spy on all your key strokes, they will know your master password, which is not good.