Mastodawn

Anton Ladan Aug 8, 2023

In response to Google's monopolistic implementation of Web Environment Integrity, I have a modest proposal:

Open source JavaScript libraries should add bugs which only occur when they find "navigator.getEnvironmentIntegrity" is being used.

Go into a "while(true)" loop. Start throwing exceptions randomly. Just fuck up the page. Make the lives of every developer who is in the origin trial who uses your library completely miserable.

If they want to fork, they have the freedom to do so. But then they're taking on the maintenance that they would prefer to outsource to their community.

If you have enough big libraries doing this, it might make a dent.

Frost, wolf of winter 🐺🎄

@wwahammy Heck, what happens if you monkeypatch "navigator.getEnvironmentIntegrity" to always return "good browser" or something? ...I don't know if you can override browser-builtin stuff like that, but considering It's Javascript, I wouldn't be surprised.

Frost, wolf of winter 🐺🎄

@wwahammy [I think browser stuff has a special thing set so you can't overwrite it] aw, phoo.

yuki - queen of the snow Aug 8, 2023

@IceWolf @wwahammy i can overwrite window.open just fine from the dev tools on ff…

Frost, wolf of winter 🐺🎄

@yukijoou @wwahammy !! That's promising.

But someone else mentioned specific cryptographic stuff for WEI and I dunno what that's about.

xarvos Aug 6, 2023

@IceWolf @wwahammy iirc it's backed by cryptography with random token on each request, so cannot be spoofed like that

Nicolás Alvarez Aug 11, 2023

@IceWolf @wwahammy the result is not a boolean, it's a signed blob that the website's *server* can verify

Frost, wolf of winter 🐺🎄

@nicolas17 @wwahammy ... Oh fucking hell.

Nicolás Alvarez Aug 11, 2023

@IceWolf @wwahammy That's why people are complaining in the first place, if it was a "yes browser is good" we'd bypass it and move on.

Nizar Kerkeni 🇹🇳 نزار القرقني Aug 6, 2023

@wwahammy And this ?
https://chaos.social/@jaseg/110781306795960114

jaseg (@[email protected])

Since it seems #Google has decided to uni-laterally force through their new anti-#adblock #DRM euphemistically named "Web environment integrity", I decided to add a little bit of code to my website that blanks out the page and displays a protest message with a link to the firefox download page when you visit it from a browser with this DRM feature. Here's the source inside one toot, feel free to copy and put it at the end of your website's <body> before the closing tag:

chaos.social

Merovius Aug 6, 2023

@wwahammy Websites should just start showing a "this website protests DRM, you can disable the feature <like so> or download firefox <here>" banner if they detect the DRM feature existing.

And to drive home the point, use DRM to make it harder to circumvent.

If enough websites do that…

Pandro Aug 6, 2023

@wwahammy While I'm all for protesting against WEI I'm unsure if introducing bugs on purpose is a good idea. Ever.

If they want to protest just refuse to work completely when WEI is present. But don't go wasting developer's time and patience with artificial bugs because they surely won't blame google then.

I'd just loose all trust in the maintainers if they introduced bugs to support their opinions.

the Stripey Goodness Aug 6, 2023

@pandro @wwahammy somebody doesn't understand how effective protesting works.
You *absolutely* want to waste *as much time as possible*

Rob Bos Aug 6, 2023

@pandro
But if it's on purpose it's not a bug. ^_-
@wwahammy

James Endicott Aug 6, 2023

@wwahammy

Clearly we need to fork some of the common open source license agreements to add a "but you cannot remove our anti-WEI measures" clause or even a broader "fuck Google" clause.

[Strange Yaseenist] pjals (util-linux arc)Aug 6, 2023

@o76923 @wwahammy they would not be FSF or even OSI-approved and therefore it would have a huge impact on the popularity and packaging status of those libraries

@wwahammy I would prefer a warning on big Websites like Wikipedia warning Chrome users about this and redirecting them to Firefox. Just like the good old "This website is not supported by your browser" warnings.

Arik Aug 6, 2023

@sod0 @wwahammy Unfortunately, this means that they might lose some of their larger sponsors - see who's on the list:

https://wikimediafoundation.org/about/annualreport/2022-annual-report/donors/

Donors – Wikimedia Foundation

Wikimedia Foundation

Roaming Duck Aug 6, 2023

@pq1r @sod0 @wwahammy
Lot of “..matching gifts”

Arik Aug 7, 2023

@roamingduck @sod0 @wwahammy
It's when they match the donation of their employees. See: https://doublethedonation.com/tax-benefits-of-corporate-matching-gifts/

Tax Benefits of Corporate Matching Gifts: The Basics

The IRS deems donations to eligible 501(c)3 organizations as tax-deductible. Read this guide to learn about the tax benefits from corporate matching gifts.

Double the Donation

@pq1r @roamingduck @wwahammy I think it's not only that. Google basically steals their content and uses it for their quick answers on the search site and assistant. They really profit of Wikipedia and need it.

Arik Aug 7, 2023

@sod0 @roamingduck @wwahammy Wikipedia is under a CC license that allows Google to copy and use it as long as they attribute it to Wikipedia. So legally they can do it.

From a moral perspective, I would hope that they continue donating even if Wikipedia decide to block DRM-enabled browsers. There's nothing legally stopping Google from discontinuing the donations and still using Wikipedia content. We're way past the "don't be evil" Google, and well into the "anything to increase shareholder value" Google.

Incogg Aug 6, 2023

@wwahammy purposeful sabotage never looks good.

An npm package dev tried to do it because of the Russian invasion to Ukraine. It's now called CVE-2022-23812, which should tell you everything you need to know about how purposeful sabotage is viewed by the community.

the Stripey Goodness Aug 6, 2023

@incogg @wwahammy it is generally not a good idea to consolidate "the Industry" with "the Community"

Incogg Aug 6, 2023

@stripey @wwahammy I don't really see how you can make that differentiation, with so much overlap.

I would not use a package that has been purposefully sabotaged in any way. For any project. Be it open source, a for-pay gig, personal stuff.

Politics go in, package goes out.

A far better option is to add a piece of code to your website that will block browsers with DRM from accessing your website. That's what I'd do to my website. That sends a message.

the Stripey Goodness Aug 6, 2023

@incogg @wwahammy
"Politics go in, package goes out"
All this means is that what you use already encodes values which align with *your* politics, and that you have not sufficiently examined what that may be or why that is.

Incogg Aug 6, 2023

@stripey @wwahammy
No, I'm very much anti DRM and anti Putin - but I would not use a package that has been sabotaged for any reason. Definitely a political one.

That being said, and it has yet to happen so far - I may decide not to use a package (or service or product or whatever) from someone whose values conflict with mine enough. Like for example Neo-nazis.

If you insist of interpreting what I write in the light that works for your argument, then there's no use arguing with you.

the Stripey Goodness Aug 6, 2023

@incogg @wwahammy oh child. Little one. Dear, delicate flower.

Just because you haven't thought this stuff through before and being confronted with it makes you a little uncomfortable doesn't mean it isn't true.

Incogg Aug 6, 2023

@stripey @wwahammy

If you are okay with having politics embedded into code in packages you use, that's fine. And it says something about you.

I already said what it would make me feel and what it would make me do. That probably says something about me, and you can choose to interpret it any way you like and that's fine. I don't care that much about what goes in your mind.

And if in the future I will see a reason to change my mind about that, I will. I'm not beyond being wrong.

Eric Schultz Aug 6, 2023

@incogg @stripey politics are embedded in literally all software.

Incogg Aug 6, 2023

@wwahammy @stripey

perhaps I should qualify it as "I don't like X so despite being technically trivial I'll make sure my package doesn't interoperate with X".

Nicolás Alvarez Aug 11, 2023

@stripey @incogg @wwahammy That's exactly what people are suggesting doing here, with X = WEI.

Olivier Mengué Aug 6, 2023

@incogg @stripey @wwahammy Well, people are now blindly trusting automated tools such as DependaBot to upgrade dependencies. That can only go wrong.

Nicolás Alvarez Aug 11, 2023

@wwahammy @incogg @stripey Then don't use it? It's not like the authors lose anything if you don't. It's not like you were paying them.

Ultrasquid Aug 6, 2023

@wwahammy make sure to tell the end users too. "this website requires features not supported in {X browser}, please use Firefox or another browser with these features {link to a list of browsers without web environment integrity}."

Wilmhit until in final destination Aug 6, 2023

@wwahammy this a great idea. I actually thought to implement little js bugs that only happen on chrome. Just like they did in Google meet for Firefox.

Then I disregarded the idea because there isn't any js on my website.

wayahead Aug 7, 2023

@wwahammy Google is a company for profit.

Eric Schultz Aug 7, 2023

@wayahead I mean, yes, they are.

wayahead Aug 13, 2023

@wwahammy sure, I am invesgating OpenBSD and NetBSD, hope I can build something on BSD.

wayahead Aug 20, 2023

@wwahammy after invetigated freebsd, openbsd and netbsd, I perfer to use openbsd as my target backend. It seems openbsd has more stricted releases process so more stable than others. I am so tired to freequently upgrade linux kernel and packages which not related to my work. haha, new journey starts.

⁂Krafty⁂ #NoKings Aug 8, 2023

@wwahammy This is such a devious idea and I love it!

Eric Schultz Aug 9, 2023

@tkk13909 far less devious than "Web Environment Integrity" though.

Willow "Wolveric" Catkin Aug 8, 2023

@wwahammy @BrodieOnLinux ***Revenge of the CoreJS dev-*** 😹

till Aug 8, 2023

@wwahammy

navigator.getEnvironmentIntegrity = () => {setTimeout(() => {myLib.generateRandomError();navigator.getEnvironmentIntegrity();}, 1000 * Math.ceil(5 + Math.random() * 300)); return true;};

verified_dragon

@wwahammy If someone has a grav or wordpress plugin, I'd do this to all my sites

Juan Luis Aug 10, 2023

@wwahammy A thousand times this