Eric Schultz

In response to Google's monopolistic implementation of Web Environment Integrity, I have a modest proposal:

Open source JavaScript libraries should add bugs which only occur when they find "navigator.getEnvironmentIntegrity" is being used.

Go into a "while(true)" loop. Start throwing exceptions randomly. Just fuck up the page. Make the lives of every developer who is in the origin trial who uses your library completely miserable.

If they want to fork, they have the freedom to do so. But then they're taking on the maintenance that they would prefer to outsource to their community.

If you have enough big libraries doing this, it might make a dent.

32 comments
Frost「:therian:|霜の狼|人面獣心」🐺❄️

@wwahammy Heck, what happens if you monkeypatch "navigator.getEnvironmentIntegrity" to always return "good browser" or something? ...I don't know if you can override browser-builtin stuff like that, but considering it's JavaScript, I wouldn't be surprised.

Frost「:therian:|霜の狼|人面獣心」🐺❄️

@wwahammy [I think browser stuff has a special thing set so you can't overwrite it] aw, phoo.

xarvos

@IceWolf @wwahammy iirc it's backed by cryptography with random token on each request, so cannot be spoofed like that

Klampfradler 🎸🚴

@IceWolf @wwahammy That would require spoofing a good cryptographic signature with the browser install source's vendor's key.

Which, on second thought, should be perfectly possible since Microsoft's key should not be too hard to find, for all I know.
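
A simplified model of the mechanism discussed in the replies above (a per-request random challenge plus a vendor signature), added here as an illustration and not part of any participant's post. It is not WEI's real token format: the Ed25519 key pair, the JSON payload and the function names `issueChallenge`, `attest` and `verifyToken` are assumptions made for the demo.

```javascript
// Added illustration, not WEI's real token format: a simplified model of a
// challenge-bound, attester-signed verdict. All names here are hypothetical.
const crypto = require('node:crypto');

// Constructed demo key pair. The attester keeps privateKey; the website's
// server only needs publicKey to check signatures.
const attester = crypto.generateKeyPairSync('ed25519');
const pending = new Set(); // challenges issued by the server, not yet redeemed

function issueChallenge() {
  const challenge = crypto.randomBytes(16).toString('hex');
  pending.add(challenge);
  return challenge;
}

// Attester side: sign the verdict together with the server's challenge.
function attest(challenge, verdict, privateKey = attester.privateKey) {
  const payload = JSON.stringify({ challenge, verdict });
  const sig = crypto.sign(null, Buffer.from(payload), privateKey);
  return { payload, sig: sig.toString('base64') };
}

// Server side: check the signature first, then that the challenge is one
// this server issued and has not seen redeemed before.
function verifyToken(token) {
  let signed = false;
  try {
    signed = crypto.verify(null, Buffer.from(String(token.payload)),
      attester.publicKey, Buffer.from(String(token.sig), 'base64'));
  } catch { signed = false; }
  if (!signed) return 'bad-signature';
  const { challenge, verdict } = JSON.parse(token.payload);
  if (!pending.delete(challenge)) return 'unknown-or-replayed-challenge';
  return verdict === 'trusted' ? 'accepted' : 'untrusted-verdict';
}

function demo() {
  const genuine = attest(issueChallenge(), 'trusted');
  // What an overridden page-level function could return: right shape, no valid signature.
  const patched = { payload: JSON.stringify({ challenge: issueChallenge(), verdict: 'trusted' }),
    sig: Buffer.from('good browser').toString('base64') };
  // Same payload shape, signed with a key the attester never issued.
  const otherKey = crypto.generateKeyPairSync('ed25519').privateKey;
  const selfSigned = attest(issueChallenge(), 'trusted', otherKey);
  return [verifyToken(genuine), verifyToken(patched), verifyToken(selfSigned),
    verifyToken(genuine)]; // the last call replays the first token
}
console.log(demo());
```

The server decides from the signature and the challenge it issued, so what the page's JavaScript claims about itself never enters the check.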

Merovius

@wwahammy Websites should just start showing a "this website protests DRM, you can disable the feature <like so> or download firefox <here>" banner if they detect the DRM feature existing.

And to drive home the point, use DRM to make it harder to circumvent.

If enough websites do that…

Matt

@Merovius @wwahammy While I agree in principle, the internet for a lot of people is like ~5 websites, and I suspect most of those will implement WEI. People are not going to give up access to those sites - they'll view other browsers as broken for not giving them access to them (see: how people view Linux as broken for not having native popular apps).

The only titan I expect not to implement these measures is Wikipedia.

It's gonna need regulating IMO.

Merovius

@mattswift @wwahammy I don’t believe that’s true. I believe those websites might be *entrypoints*, but most of the content is still consumed via linked-to pages.

And the goal would be to start early and broad enough that a) large platforms can’t *require* DRM yet and b) enough pressure is created for them never to be able to.

Merovius

@mattswift @wwahammy I’m fully on board with regulating that, but that still first needs popular support. Which you have to build somehow.

Matt

@Merovius @wwahammy I definitely agree popular support has to be built, just from seeing people's behaviour regarding this sort of stuff, I'm not sure they'd ever blame Google for this - regardless of what we know, Google is absolutely a popular and trusted company in most people's eyes that provides them with a lot of things, so they'd see others as the reason things are restricted, not Google.

The idea of the main sites being entry points is an interesting one, never really considered that!

Pandro

@wwahammy While I'm all for protesting against WEI I'm unsure if introducing bugs on purpose is a good idea. Ever.

If they want to protest just refuse to work completely when WEI is present. But don't go wasting developers' time and patience with artificial bugs because they surely won't blame Google then.

I'd just lose all trust in the maintainers if they introduced bugs to support their opinions.

The Original Stripey Goodness

@pandro @wwahammy somebody doesn't understand how effective protesting works.
You *absolutely* want to waste *as much time as possible*

o76923

@wwahammy@social.treehouse.systems

Clearly we need to fork some of the common open source license agreements to add a "but you cannot remove our anti-WEI measures" clause or even a broader "fuck Google" clause.

s0

@wwahammy I would prefer a warning on big Websites like Wikipedia warning Chrome users about this and redirecting them to Firefox. Just like the good old "This website is not supported by your browser" warnings.

Arik

@sod0 @wwahammy Unfortunately, this means that they might lose some of their larger sponsors - see who's on the list:

wikimediafoundation.org/about/

Incogg

@wwahammy purposeful sabotage never looks good.

An npm package dev tried to do it because of the Russian invasion of Ukraine. It's now called CVE-2022-23812, which should tell you everything you need to know about how purposeful sabotage is viewed by the community.

The Original Stripey Goodness

@incogg @wwahammy it is generally not a good idea to consolidate "the Industry" with "the Community"

Incogg

@stripey @wwahammy I don't really see how you can make that differentiation, with so much overlap.

I would not use a package that has been purposefully sabotaged in any way. For any project. Be it open source, a for-pay gig, personal stuff.

Politics go in, package goes out.

A far better option is to add a piece of code to your website that will block browsers with DRM from accessing your website. That's what I'd do to my website. That sends a message.

The Original Stripey Goodness

@incogg @wwahammy
"Politics go in, package goes out"
All this means is that what you use already encodes values which align with *your* politics, and that you have not sufficiently examined what that may be or why that is.

Incogg

@stripey @wwahammy
No, I'm very much anti DRM and anti Putin - but I would not use a package that has been sabotaged for any reason. Definitely a political one.

That being said, and it has yet to happen so far - I may decide not to use a package (or service or product or whatever) from someone whose values conflict with mine enough. Like for example Neo-nazis.

If you insist on interpreting what I write in the light that works for your argument, then there's no use arguing with you.

The Original Stripey Goodness

@incogg @wwahammy oh child. Little one. Dear, delicate flower.

Just because you haven't thought this stuff through before and being confronted with it makes you a little uncomfortable doesn't mean it isn't true.

Incogg

@stripey @wwahammy

If you are okay with having politics embedded into code in packages you use, that's fine. And it says something about you.

I already said what it would make me feel and what it would make me do. That probably says something about me, and you can choose to interpret it any way you like and that's fine. I don't care that much about what goes in your mind.

And if in the future I will see a reason to change my mind about that, I will. I'm not beyond being wrong.

Incogg

@wwahammy @stripey

perhaps I should qualify it as "I don't like X so despite being technically trivial I'll make sure my package doesn't interoperate with X".

Olivier Mengué

@incogg @stripey @wwahammy Well, people are now blindly trusting automated tools such as DependaBot to upgrade dependencies. That can only go wrong.

Ultrasquid

@wwahammy make sure to tell the end users too. "this website requires features not supported in {X browser}, please use Firefox or another browser with these features {link to a list of browsers without web environment integrity}."

Wilmhit until in final destination

@wwahammy this is a great idea. I actually thought to implement little JS bugs that only happen on Chrome. Just like they did in Google Meet for Firefox.

Then I disregarded the idea because there isn't any js on my website.
