It would definitely reduce the attack surface. And even though Windows has “security” issues patched all the time, rarely are they ones so severe that you can just roll up to a machine and send it a weird HTTP reply and get admin access. Usually it’s stuff like if you have a shortcut file on disk it gets to run code when you look in the folder, or something. Not great for working with downloads, but hard to exploit unless at least one other thing happens (like visiting a malicious page, which then starts a download that the browser accepts).

But the browser calls out to the OS to do a lot of stuff (render images, render fonts, play sounds, etc.). It mostly assumes the OS can do those things without popping open a remote shell because too many emojis were rendered in a row or something. That is not always true, and when it isn’t you want an OS patch to fix it before you go on a site where someone can post the Magic Emoji That Hacks You.

But you are right that you can browse around trustworthy websites on an unpatched system behind a decent firewall for quite a while before you notice something bad happening. But also, a lot of bad things can have been happening for quite a while before you notice.

Why does Anthropic think they need a JS runtime though? Are they just like “well Microsoft has a command line tool for installing JS packages so we need one too”???

Probably only some people need the complexity of the category system, and if it’s off by default, people who don’t don’t need to understand it to accomplish what they want to with their notifications.

I don’t think there can be that high a density of fascists. sh.itjust.works just voted overwhelmingly to defederate some kind of MAGA nonsense instance. Mostly it seems like nice folks overhere who know fascists are bad news.

It might be full of individualists with no grounding in Marxist theory, of the type that much annoyed Vladimir Lennin. I couldn’t tell you because of my poor grounding Marxist theory, and I don’t see that as a problem because of my individualism.

I think it has something to do with your brain playing both sides of the dream. You are coming up with how to react, but you are also at the same time coming up with what happens next. So if you dream a lion and you are like “uhoh, what if the lion tried to chase me, that would be a problem, I’d have to run away,” then you’re now dreaming about a lion that is chasing you and how you are running away.

Or plants. Or whether you should shout at people. Or sort of the concept of women.

Nah, that’s an NPU.

The graphics stack is better, but the security isolation is IMHO solving a problem no one really had, at the cost of breaking a bunch of integration mechanisms people actually used.

You want UI security isolation for something like Android, where most software being run is fundamentally opposed to the interests of the user and wants to steal anything not nailed down, and you also contain things at the file system level. If Facebook could screenshot every other app all the time it absolutely would, and people would download it anyway. To some extent the enforceable promise that it can’t do that is why people are still willing to download it anyway and let it do all the other things it does to compromise a system.

In a distro shipping legitimate software, isolation at the desktop UI level is nice for defense in depth, but not really drawing a real security boundary around any program to the point where a user can trust a machine with malicious software running. It doesn’t matter if I can’t steal Firefox’s pixels if I can echo "export PATH=$HOME/.evil-firefox/bin:$PATH" >>~/.bashrc.

Probably.

This sounds like a bug in the distro packaging of the module, or maybe in Grub. You don’t want to try and install any kernel package, or make your default boot option any kernel package, that the wifi driver package doesn’t declare compatibility with.

But nobody’s package manager knows to do this by default when the driver package is installed, and most packaging systems might not even be able to articulate that constraint.

Now I’m thinking with portals.

I don’t think it is right to trivialize rape like that.

I don’t think the burden should be on users, but I do think some of the burden should be on the press. If the press just assumes Google is up to no good and never does the investigative reporting needed to show it, we will miss out on having very politically useful evidence.

Anytime I want cooperation I will need to persuade you.

That sounds suspiciously like democracy, the thing we would quite like to achieve.

But they aren’t even showing collection of data in the article. For the data to be collected, it needs to leave the phone, not just be touched by Play Services.

Play Services does collect data it shouldn’t collect, by sending it back to Google. But the difference between “I am collecting your data” and “I wrote software you are running” is important and needs defending, because obscuring it is one way that independent developers are prevented from publishing and marketing actually-privacy-preserving software. If I am deemed to have “collected” your personal data every time you type it into a text editor I wrote, I can no longer distinguish my local-only encrypted text editor from Google’s one that stores all your data unencrypted on their cloud. We both have to say we “collect” your data, and nobody non-technical can tell the difference.

You can buy a phone that arrives running GrapheneOS. This might not be advisable, because it adds another point of trust in the refurbisher who actually does the flashing, but you don’t need to have the skills or do the research to install it yourself to get access to a device that runs it.

It’s not that I want to give them the benefit of the doubt, it’s that the article neglects to bring in that whole thread of the argument that you give here. This should all be in the article.

The SensorVault data is “just” the Google Maps Timeline data though, right? Which people have always been able to turn on and off, if they knew about it.

I feel like Google not really respecting a concept of user consent and pretending people agree to poorly-publicized and often-modified tracking programs is a different, and, frankly, weirder, privacy problem than there being closed source stuff running with high permissions. If you could revoke permissions from Play Services, or if it was source available or even free software, that wouldn’t solve the problem because it would still be able to do stuff Google had manufactured consent for it to do.

Do you mean “transmits” as in “from the location service on the phone to the mapping app on the phone”?

Or do you mean the phones are all updating the wifi SSID geolocation database, which they then all can use for doing wifi-based geolocation?

The article seems to go directly from “this piece of software talks to all the sensors and isn’t well sandboxed” to “Google has directed this software to profile and surveil users” without actually providing evidence to support that leap. Is Google Play Services sampling your location so that it can send it in to Google HQ as part of a secret location tracking operation that runs without user consent or knowledge, or so that it can detect if the device has been stolen by the cops and use its proprietary ML model to activate anti-theft mode to protect the user’s privacy?

If we can actually show mismanagement of user data by Google Play Services, we need to shout it to the hills, because those sorts of scandals are important arguments for increased privacy protections. But we need to actually find that mismanagement occurring, not just assume it must be because Google wrote the code and it isn’t open source.