
Submission + - W3C incites 'Assassination of dissenters' as 'well within Process' 1

FredAndrews writes: In a dispute between the open web community and the W3C (directed by Sir Tim Berners-Lee), the W3C raises 'participants could very well resort to assassination of dissenters ... it would be well within Process.'. The W3C is supported in adding a DRM interface to the W3C web standards by the usual suspects: Google, Microsoft, Apple, and Netflix. Mozilla and the EFF are also active members of the W3C. Not one of these members has publicly distanced themselves from this position or condemned it. The 'dissenters' support security and privacy on the web, and the health of the open web and the web economy. The next time Mozilla stick their head up, ask them if they are still conspiring with the W3C which holds the 'Assassination' of these members of the open web community as 'within Process'. The next time the EFF stick their head up, ask them if they are still conspiring with the W3C which holds the 'Assassination of dissenters' as 'within Process'.

Comment Re:There's only one company on that list... (Score 1) 133

For example, Mozilla supported CSP reporting being required. I tried hard to just allow CSP reporting to be optional, but even the Mozilla reps failed to support me, actually they were quite rude. I would note that Mozilla provide no option to disable the reporting when CSP is enabled. The mandatory CSP reporting effectively outsources client side security to the cloud and leads to the CSP becoming useless for enforcement by the user. The proponents held the view that most deployments would be 'reporting' not enforcement and that allowing reporting to be optional was a show stopper. PayPal organized a 'red-herring' discussion about fingerprinting being inevitable and thus argued that reporting does not add to the privacy issues, but of course fingerprinting is hardly the only issue. Everyone congratulated themselves for 'successfully' addressing the 'privacy' concerns, even the W3C PING, and CSP advances with mandatory reporting - PayPal got what they wanted and probably had a good laugh. My trust in Mozilla is limited, but they still seem worthy of some support for their work. I believe a shadowing derivative distribution by a separate entity will be necessary to really tackle some areas of concern.

Comment Re:There's only one company on that list... (Score 2) 133

Mozilla keeping the code base open source does go a long way to protecting the open web, as attempts by Google to compromise Mozilla can be 'corrected' by derivative distributions. Keep up the good work. However Mozilla might not be best placed to stand up to Google given that they get the bulk of revenue from Google advertising streams! Would Mozilla be prepared to eke out a much diminished existence without the advertising revenue? Mozilla could help the situation a lot by publicly refusing to implement the EME API, and adding ad-blocking infrastructure etc.

Comment Re:Not putting in DRM isn't going to eliminate DRM (Score 2) 351

DRM actually restricts what people can do, so it hardly encourages creativity. You might argue it helps support a revenue model to reward creativity but this is a separate matter. If people can not exercise fair use rights then this limits creativity. If people are restricted in how they use the content in their own privacy then entire ecosystems are eliminated that produce innovative ways to better use content in your own privacy.

Submission + - W3C declare DRM in scope for HTML, big business supports Web DRM - Schism looms (w3.org) 1

FredAndrews writes: The W3C has ruled DRM in-scope for their HTML standard. A lot of big businesses have supported advancing the Encrypted Media Extension (EME), including Google, Microsoft, and Netflix. The BBC calls for a solution with legal sanctions. The EME could well be used to implement a DRM HTML engine. A DRM enabled web would break a long tradition of the web browser being the User's Agent, and would restrict user choice and control over their security and privacy. There are other applications that can serve the purpose of viewing DRM video content, and I appeal to people to not taint the web standards with DRM but to please use other applications when necessary.

Comment Re:HTML/A like PDF/A (Score 1) 149

You might be interested in the work of the W3C Private User Agent Community Group that is exploring solutions to prevent such leaks. One option for limiting the capability to leak the mouse positions is to limit the back channels available to leak the state out to the web. A web browser that resists such leaks can still support rich client side Javascript content. Not surprisingly, early results demonstrate that much web advertising is caught by such protections - for example Google search ads still work but most content network ads violate security and are blocked. Other options are being explored such as declarative web actions to offload interactive tasks to trusted apps, and a curated database of trusted scripts that implement widely used features such as slide shows etc. There is a lot of resistance from shills wanting to entangle our computing use with web services and even offload web browser security to the cloud, and they are currently winning, so if people are interested in such solutions then please consider supporting this group, see: http://www.w3.org/community/pua/

Comment PUA HTML could be great to children's apps (Score 4, Interesting) 65

A significant motivation for starting the W3C Private User Agent community group was the experience of watching children using online apps with the understanding of all the covert monitoring and tracking going on. I believe that a lot could be done to better secure the privacy of the web browser and to better support a more private platform for children, and others. Most of the apps for very young children really do not need to be connected to the web, the apps just need to be downloaded, and could then be run in a sandbox.

Comment Re:Privacy hysteria (Score 1) 76

Personal computers have traditionally been a private space and the Internet has not been 'complete anarchy' so you are simply wrong. Simply because the web browser is becoming a platform for delivering applications should in no way make the personal computer open to the covert sharing of its state. I understand that 'privacy' is a loaded word and perhaps you have misunderstood the intention of this group - 'complete privacy on the Internet' is certainly way out of its scope as is discussion about privacy in public places. I believe it is possible to do a lot better than simply disabling Javascript and this is a challenge for the group. Please understand that I expect a web application run on my personal computer to have the same level of privacy as a local application which I do not believe is unreasonable, and if the HTML standards can not and will not address this issue then I believe they have lost their legitimacy.

Comment Re:Fuck JavaScript (Score 1) 76

Noscript has many useful features, and some of its features are being integrated into standards, such as ClearClick which is proposed for CSP - although in CSP it is proposed that any violations are silently reported to the server rather than the user. I think we can do better than just disabling JS to prevent covert sharing of UA state. Further there are other sources of leaks, such as CSS.

Comment Re:If I can't track your interactions with the sit (Score 1) 76

Through a navigation request or form submission request, or you can send me Javascript to handle the button click on the UA and it will be run in a context that has no access to back channels, or it may be that the button press is intentional enough that it could be passed to a Javascript context that has no access to the UA state but can proxy the event back to your server and then forward an update from your server back to the private UA context. Keep in mind that this is a proposed group to work on the issues, not a detailed proposal to solve all the problems.

Comment Re:Translation... (Score 1) 76

The proposed group is open to a range of technical solutions. Limiting the back channels open to Javascript is one approach and this could be very effective for many web activities and still support interactive pages driven by Javascript such as games and children's learning tools. Another approach is limiting the access that Javascript has to the UA state or spoofing the state. A combination of both approaches may also be explored. Javascript is not the only issue, there are other leaks that also need to be addressed. Unfortunately it does not appear possible to solve the problems without breaking something, but I do not accept that this is a good reason not to fix the problems. The damage just gets worse as new standards are developed ignoring the issue and building upon functionality that is not salvageable. User Agents already allow Javascript to be completely disabled and a good range of websites are still quite functional, and I am confident we can do a lot better than this.

Submission + - W3C Community Group proposed to tackle covert sharing of user agent state. (w3.org)

FredAndrews writes: "A W3C Community Group (Private User Agent PUA) has been proposed to tackle the privacy of the web browser by developing technical solutions to close the leaks. Current Javascript APIs are capable of leaking a lot of information as we browse the Internet, such as details of our browser that can be used to identify and track our online presence, and the content on the page including any private customizations and the effects of extensions, and can monitor and leak our usage on the page such as mouse movements and interactions on the page. This problem is compounded by the increased use of the web browser as a platform for delivering software, and also by yet more leaky standards being developed, which is often justified by their authors by pointing to the current leaky infrastructure. While the community ignores the issue, solutions are being developed commercially and patented — we run the risk of ending up unable to have privacy because the solutions are patented. The proposed W3C PUA CG proposes to address the problem with technical solutions at the web browser, such as restricting the back channels available to Javascript, and also by proposing HTML extensions to mitigate lost functionality. Note this work can not address the privacy of information that we overtly share, and there are other current W3C initiatives working on this such as DNT."
