eBay is port scanning your system when you load the webpage
Have you been to eBay lately? The auction site is a popular destination to buy new and used items. It may surprise you that eBay is running a local port scan when you access the site in a browser.
I verified the port scan on ebay.com and ebay.de using built-in developer tools of several web browsers. It is likely that other eBay sites will also run the port scan.
You can verify this easily. Use a browser such as Google Chrome, Firefox, Brave, Microsoft Edge or Vivaldi. Open a new Tab page and hit the F12 button to open the Developer Tools of the web browser. Switch to the Network tab in the Developer Tools and load the eBay website in the browser's address bar.
Wait for the page to load and look for 127.0.0.1 in the name in the list of connections. These are the scans that eBay performs when you connect to the site.
You can click on the connection to look up additional information; doing so reveals the port that is scanned by eBay. The scan is run by check.js, a JavaScript that is executed on eBay when users connect to the site. It uses WebSockets to perform the lookups on the local system using the specified port, and the scans occur regardless of sign-in state.
Bleeping Computer created a handy table that lists the ports:
| Program | Ebay Name | Port |
|---|---|---|
| Unknown | REF | 63333 |
| VNC | VNC | 5900 |
| VNC | VNC | 5901 |
| VNC | VNC | 5902 |
| VNC | VNC | 5903 |
| Remote Desktop Protocol | RDP | 3389 |
| Aeroadmin | ARO | 5950 |
| Ammyy Admin | AMY | 5931 |
| TeamViewer | TV0 | 5939 |
| TeamViewer | TV1 | 6039 |
| TeamViewer | TV2 | 5944 |
| TeamViewer | TV2 | 6040 |
| Anyplace Control | APC | 5279 |
| AnyDesk | ANY | 7070 |
Most of the ports are used by remote desktop applications such as VNC, Teamviewer, or Windows Remote Desktop. The eBay name is an abbreviation of the remote desktop software.
Nullsweep, the site that reported the issue first, discovered that the port scans were not run on Linux client systems.
It is unclear why eBay is running the port scans. A likely explanation is that it is done to combat fraud, e.g. by taking over a computer, establishing a remote desktop connection and either making purchases on eBay, through fake auctions, or other means.
Reactions on Twitter and other social media sites are negative for the most part. Users criticize eBay for scanning ports at all, and for scanning ports of users who are not signed in to the site.
What you may do about it
If you don't want your systems to be port scanned by eBay whenever you connect to the site, you may be able to do something about it.
- Block the check.js script in a content blocker.
- In some browsers, e.g. Firefox, disable Web Sockets.
The eBay site loads the check.js script from the following URL currently: https://src.ebay-us.com/fp/check.js
Something like ||src.ebay-us.com^*/check.js should work.
The URL may change and it is different when you connect to localized eBay sites, e.g. eBay.de.
The other option, to disable WebSockets entirely, may lead to incompatibilities and loading issues on sites. Still, it is possible in Firefox by setting the parameter network.
Now You: What is your take on this? (via Born)
For the less techie it would have been useful to say how you can block check.js rather than just say do it.
Added.
Or block WebSockets entirely in e.g. UblockOrigin with the following rule:
*$websocket
(from https://news.ycombinator.com/item?id=23246877)
You can test this here:
https://websocketstest.com/
In some legitimate cases you will need to make exception rules, e.g. for https://www.speedtest.net:
@@/ws$websocket,domain=speedtest.net
(is already included in the ‘Adguard Base” list)
Already done this for long. Since i’m started to create a default rules for my ublock when I found google using websocket too.
In fact, much easier way is just to make sure that “EasyPrivacy” filter list is enabled in a content blocker. Besides, more general rule is already included in this list:
||ebay-us.com/fp/
Or even better: just make sure uBlock Origin is set as your content blocker, because it has EasyPrivacy enabled by default – besides other filter lists:
https://github.com/gorhill/uBlock/wiki/Dashboard:-Filter-lists
No need to add anything manually. FYI, the rule ||ebay-us.com/fp/ also blocks other related tracking, such as:
||src.ebay-us.com/fp/clear.png
||src.ebay-us.com/fp/fp.swf
^THIS
Saw myself that check.js script was already blocked in my ad blocker and would have written this too as it’s a much simpler solution. :)
I’m not sure why you would care, it’s not really any worse than grabbing your device/os/software info. It’s only checking if those ports are being used. I’ll have this over scummy fraudsters costing me money.
It is costing you money. Targeted adverstising (able to see if people use Steam as an example) isn’t for the greater good. People should be somehow rewarded for that.
you may care about this, the same way you would disagree, if your landlord would not only provide you the service to rent an apartment, in exchange for money, but would also read your emails or give you a colonoscopy, while your sleeping and not ask form permission.
offering a service of any kind, does not allow you to extend an agreement far and beyond what is normal and necessary for the service to work.
but hey, tonto. maybe you like getting a colonoscopy by your landlord, who knows.
What if you are using those pieces of software to support customers? You may think differently!
The Brave browser is blocking it here. This gift keeps on giving, haha.
Confirmed with Brave, both normal and private windows there is no sign of them. Tried the same with new Edge and they all show up.
@Taomyn
In Edge, you can block it as well. Follow the instructions outlined here in order to allow the installation of extensions from the Chrome Web Store, if you haven’t already:
https://pureinfotech.com/install-chrome-extension-chromium-edge/
Once this is done, I recommend an adblocker like uBlock Origin or Nano Adblocker:
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm?hl=de
https://chrome.google.com/webstore/detail/nano-adblocker/gabbbocakeomblphkmmnoamkioajlkfo?hl=de
Enable most, if not all lists (I have enabled all, no problems) in the ablocker, once this is done, it should get blocked in Edge as well.
So yeah, Brave does it out of the box, but it’s possible in Edge as well.
Thanks, I actually only use Edge, and Firefox occasionally, as alternatives to Brave when things aren’t working to diagnose issues or do tests like this, plus Edge works best for when I’m administrating Office 365 and Azure so I keep it free of extensions but useful to know there’s a way to block this even though browser is allowing it.
same here on Linux Brave :)
What an awesome gift that Brave is. Is it _STILL_ sending _MEGABYTES_ of data daily to THIRD parties, and making HUNDREDS if not THOUSANDS of connections, despite not opting into Brave Rewards or using the Crypto Wallet
3 months ago, Brave dev says oophsy, we’ll look into it
https://old.reddit.com/r/brave_browser/comments/f3e27q/why_is_brave_constantly_connecting_to/
> I have had wallets and Brave Rewards disabled since installation. Why it keeps a connection open all the time, what is it sending/receiving? 6 MB during the last connection
23 days ago – another one of many
https://old.reddit.com/r/brave_browser/comments/gcu926/disable_brave_built_in_extensions/
https://old.reddit.com/r/brave_browser/comments/g9qo7w/disabling_crypto_wallets/
> At this moment, [Crypto Wallets] can’t be disabled in such a manner, I’m afraid. Sorry for the inconvenience!
3 weeks ago – no rely
https://community.brave.com/t/brave-browser-connects-to-min-api-cryptocompare-com-every-3-minutes-all-day/116444
4 days ago – no replies
https://community.brave.com/t/brave-browser-connects-to-min-api-cryptocompare-com/128945
> exactly same as Brave browser connects to min-api.cryptocompare.com every 3 minutes, all day
github issue opened by not-a-brave-dev … handled with no pressing urgency, opened well after the reddit thread: closed a few hours ago (guess you’ll have to wait to see if if works), but read the comments
https://github.com/brave/brave-browser/issues/8925
> Almost 1k requests daily
> Yeah, and some of those requests to api.infura.io are big!
> @BrendanEich can we get some movement on this? (and no answer, asked almost 3 weeks after posting the issue)
Makes you wonder how long all that’s been going on. They sure as heck don’t seem to be in a hurry to fix it, or lodge their own bugs, or fix what is at the very least an privacy major poo poo from an optics perspective.
Enjoy your “gift”
@BraveDoesn’t Care
I think we need to remove the hyperbole first before discussing the issue at hand. First off, Brave is not establishing “thousands of connections”, this does make it seem like they are connecting to thousands of domains, while in reality, they are just frequently hitting a few domains. Secondly, since data packages are sent every single time, this adds up. You are only citing the accumulated amount (say, 6 MB), making it seem like Brave transmitted 6 MB in one single step, this is of course also not the case. What you are seeing is the accumulated amount(!) of data packages resulting from hitting 2 (not thousands!) domains repeatedly. Also, you are suggesting that data is being downloaded rather than uploaded to those servers, indicating that there is likely no privacy threat involved.
With that out of the way, let’s discuss what those domains are for: In the case of min-api.cryptocompare.com, Brave constantly checks for the exchange rate between BAT and USD. It does so on a frequent basis, in order to keep that data up to date (we could discuss if checking the exchange rate once per hour would suffice, but the developers seem to think the exchange rate has to be checked every few seconds). Anyway, that’s what it does.
The api.infura.io is related to the IPFS Companion, the one which you can disable in the settings. Now, what is IPFS?
https://en.wikipedia.org/wiki/InterPlanetary_File_System
As for api.infura.io, you can read here that it is required for the Ethereum Wallet feature, which in turn requires IPFS:
https://www.freecodecamp.org/news/hands-on-get-started-with-infura-and-ipfs-on-ethereum-b63635142af0/
—–
So, what happened here? Brave constantly checks for the exchange rate of BAT, and from the GitHub links, I infer that you went to the Crypto-Wallet page in some capacity before disabling it, thereby triggering the internal extension to start up. After that, it erroneously establishes connections to infura, thinking that the feature is operational despite being disabled, probably because it didn’t get properly terminated at the code level. To be clear, Brave should not:
– Check for BAT exchange course if you are not opted into Brave Rewards.
– Establish connections that are required for the Crypto Wallet to be fully operational, if you have disabled the Crypto Wallet.
That being said, those connections are NOT privacy threats. However, they still shouldn’t be established if you are clearly not using the related features / functionality of the browser. That is an unfortunate error or oversight on the part of the developers, an oversight which they have admitted to, and that they have fixed already in the beta version of the next major release (somehow you fail to mention that, I wonder why):
https://github.com/brave/brave-core/pull/5624
The Brave browser, just like any other browser, is developed by human beings making mistakes, mistakes that create bugs. Brave checking for the BAT exchange rate even when Rewards are turned off is a bug, Brave establishing connections required for the Crypto Wallet to be operational, even when Crypto Wallet is disabled, is a bug. You are implying that they deliberately implemented these connections in bad faith, instead of it being an oversight. The fact that none of your private data is uploaded here clearly implies an oversight, though, not deliberate malevolence. They are on top of the issue and are fixing it. Is that sufficient?
That being said, if you are concerned about the browser establishing requests of any kind, be they caused by a bug or not, then I wonder why you are even using a browser that has the capacity of establishing such connections in the first place? I mean, Brave is far from the only one (and may I say, not the worst one) to establish some kind of request:
https://www.ghacks.net/2020/05/25/ebay-is-port-scanning-your-system-when-you-load-the-webpage/#comment-4463830
If that’s problematic for you, which I understand to a degree as long as it’s not totally unfounded and ignoring the explanations and bugfixing activities of the developers, then may I suggest a browser like Ungoogled Chromium:
https://github.com/Eloston/ungoogled-chromium
This one is famous for establishing no unsolicited request whatsoever, you may find peace with this one, if you indeed view any kind of request – be it caused by a bug or not – as inherently problematic.
@IronHeart
That was me. Apologies, I used a made up handle to see how you would reply (content and tone)
I’m not claiming anything. The bits with indented greater than signs are quotes from the links. Nowhere did I claim it was deliberate. Please stop being so defensive and attacking people, and please read what they actually ask/say.
No one in all those links said it was making connections to thousands of domains, no one said it was sending large amounts of data on EVERY connection. The amount of 6Mb is a QUOTE from a user first hand who said that’s what it sent on one connection (“6 MB during the last connection”). That same person also asked “what is it sending/receiving”. I never said it was receiving. That question was directed at r/brave where at least one brave developer replied about the state of things. Another user said it was connecting “every 3 minutes all day”. Yet another user said it was making 1K connections daily. A brave dev said it was a bug and that also the Crypto Wallet could not be disabled. No one else is disputing the facts – except you: you’re making up arguments no-one asked for.
I don’t follow Brave, because I’m just not interested – The reason for my comment, was to see what you would say. I’m just pointing out Brave (like anyone, like Firefox, like Chrome) can make mistakes, and was intrigued as to your reply.
Of course the domains in question are used for legitimate purposes (i.e functions within the browser for features to work). Of course it’s a bug. What I did say was that the optics don’t look good from a browser that claims to be pro-privacy (sure, smaller company, and technically not a “big” issue: but did they get onto it quickly, or post a notice to alleviate any concerns, or even create the bug to get it fixed, etc – doesn’t seem like it – that’s the optics). Does that sound familiarr? Or that companies can make honest mistakes/bugs. Sound familiar? Or that connections can be legitimate for the functioning of browser features. Sound familiar? That none of your private data is being uploaded. Sound familiar?
You’re making the same (valid) arguments that others use replying in the past when debating Firefox – with all the same invalid reasons you claim I am making. Can you see the hypocrisy here? I mean, if this was Firefox, and unsolicited connections were being made, incessantly, and it went on for three months, while Firefox practically said nothing and appeared to be doing nothing (optics) – all hell would break loose. But for some reason you don’t think Brave should be held to the same standards?
Look, that’s rather generalized: it’s not like I read and memorize all your comments: That’s kinda aimed at the gist of the Firefox haters who can’t rationalize – and at times I’ve felt you’re like that. I get it, you’re passionate. When you don’t attack people, and twist their words, or troll, or shill, or post walls of text, or whatever (sorry, I don;t how else to word that) – you can be rational, and do have good points. So that “hypocrisy” statement isn’t aimed directly at you.
And .. check my earlier comment – I didn’t fail to mention that it was fixed (“you’ll have to wait to see if if works”) – I even linked to the github issue.
PS: If you’re going to promote a user.js, I wouldn’t point to one that has effectively had no meaningful updates (in terms of prefs) in almost 3 years (a quick scan shows me one pref change in the last 14 months), and one where over 35% of the prefs aren’t even in Firefox ESR68 any more. When FF83 lands and ESR68 is EOL, that percentage will go up.
PPS: I saw somewhere else where you weren’t sure on the ESR cycle. The cadence is 12 or 13 weeks (4 week cycles) – i.e once a year. Some years might be 12, others will be 13. This one is 13, next ESR is 81
@Pants
Well first off, I appreciate the reasonable reply (both content and tone) you have posted. I’d like to make some further comments, clarifying some things.
As for the 6 MB in total one user claimed to have seen… Surely you realize that many programs which analyze network traffic are displaying the sum of the packages sent / received, sometimes even without displaying how that sum came to pass. 6 MB seems to be quite a hefty (unreasonable?) amount, which I can’t confirm here, having watched Brave’s network traffic for quite some time. I think that this figure being a sum (or total amount) is highly likely, to say the least.
Likewise, how often a specific domain is hit is saying very little if anything. In most cases, if the same type of information is transmitted all the time, it matters little how often a server is hit. For example, does it make a big difference whether Brave fetched the BAT exchange rate data 30 times per hour as opposed to once per hour? No, the type of data fetched remains the same, how often it is being fetched is irrelevant in the end.
Even if something nefarious was going on, for example in case of some browser which transmits your browsing history, what difference does it make whether it transmits data once per day or twelve times per day? If it transmits only once, the data packages are likely to be bigger since the browser is sending them in one sweep, that would be pretty much it.
Size of the packages sent, especially if they are reported as a sum, proves nothing. How many times a certain domain was hit likewise proves nothing, at all. Reporting that data packages are being sent in the first place, and to which domain, suffices to describe the problem, everything else is just adding unnecessary drama on part of the users reporting.
You are right that Brave’s failure to sort this out earlier and to be more transparent about it must be criticized. However, I get the impression that their issue tracker and their forums are not very well-managed at all, so it’s possible that issues are being forgotten. This is worthy of criticism in its own right, but further proves that likely no malevolence is involved when it’s rather a case of mismanagement.
You seem to think, if I am reading that correctly, that I am unfairly judging Mozilla harsher than their competitors (Brave for example) – rest assured that this is not the case. The actions of Mozilla, the ones I am criticizing them for, are provable and unquestionably deliberate. Some examples:
– Cliqz incident: The Cliqz experiment came as preinstalled spyware with 1% of all Firefox downloads in Germany, without the user being notified about its presence or the user being asked for permission. It transmitted the browsing history and website interaction data (data that far exceeds any kind of telemetry) back to the mothership.
– Mr Robot incident: This proved (even if we give Mozilla the benefit of the doubt and suppose the add-on itself was not malicious) that Mozilla can remotely insert add-ons into Firefox at any time. They shouldn’t have that ability.
– Mozilla still preinstalls three hard-coded trackers on Firefox Preview (Leanplum, Google Analytics, Adjust) in Firefox Preview, these trackers circumvent both the internal anti-tracking measures as well as add-ons like uBlock Origin, and are partly used for marketing purposes.
– Mozilla has the ability to remotely change about:config settings and install Firefox Experiments (which do run with elevated privileges compared to ordinary WebExtensions) without user consent or approval, this could be used for nefarious purposes and shouldn’t be possible in the first place.
– Mozilla lets Google Analytics run in the internal add-ons manager view of AMO (“Discover”), an area where WebExtensions like uBlock Origin are blocked from running.
– Pocket is placed prominently in Firefox. Little does the average user know, however: Pocket has its own privacy policy that is separate from the one of Firefox. Firefox actively promotes a service that is explicitly not restricted by its own privacy policy, this is disingenuous and shouldn’t be happening.
– Firefox’s tracking protection is based on Disconnect and operates with the Disconnect whitelist without ever making that obvious or transparent, and without giving the user any visible option to disable the whitelist.
– Mozilla fails to improve user privacy in areas where they could easily achieve a better privacy level. Some examples, let’s use Brave for a reference:
Brave disables link prefetching, has a sane referer policy, has a sane cookie lifetime policy, disables scroll to anchor fragment, gets rid of all APIs that only make fingerprinting easier while never ever being actually used by any website for anything other than fingerprinting, Brave properly deals with session identifiers by treating them as non-persistent, and they actually proxy Google SafeBrowsing and Geolocation requests. Brave comes with an actual adblocker and not just with the half-hearted and plain ridiculous Disconnect list that has a whitelist which is very Google-friendly.
source: https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
Mozilla on the other hand? They make none of those non-breaking improvements and leave it to advanced users to make them in about:config, thereby ensuring that less advanced users can never make these changes and are thus exposed to multiple threats to their privacy.
And those were just some of the gripes I have with them on a technical level. Let’s not even begin to discuss the politics and ethics of Mozilla, like their CEO quadrupling her salary over the course of a few years while quartering Firefox’s market share and laying of important staff, or rich Mozilla begging for donations, donations which are not being used for Firefox development at all, but are rather used for virtue signaling by funding projects their donors have never heard of, for example RiseUp, a communication platform mainly harnessed by Antifa. We could talk about their closer-than-usual business relationship with and total financial dependence on Google (some would call that a cartel), which seems to pay off for Google, in that Mozilla does not seriously attempt to hurt their spy business. We could talk about Mozilla’s biased anti-free speech campaigns and support for censorship and many more things which I am too tired to talk of now.
A recent negative highlight was Mozilla’s misinformation and harassment campaign against the well-respected security researcher Daniel Micay, who dared to discuss security shortcomings of Firefox in public: https://old.reddit.com/r/firefox/comments/gokcis/firefox_is_insecure_refuted/
Those are all non-technical issues but they somewhat show the basis of my argument that there is something fundamentally wrong with Mozilla, in that their public image, which they try to maintain, is in stark contrast with their actual business practices and motives. That is also why, with all due respect, I am – at best – skeptical of your work. The way I see it, it only benefits a very small minority of Firefox users, those who are able to replicate the settings in about:config or can handle user.js files. These users are usually the multiplicators, i.e. they advertise this browser, which I and many others in the know consider to be spyware in its default configuration, to unsuspecting users, users who are most likely unable to do anything about the spying. I just find it ridiculous that Firefox is promoted with sentences like: “Firefox is the privacy champion, you can customize it like no other browser. You can improve its privacy in about:config” or similar, this is just not right, considering the skill set of most people out there, and I take massive issue with that. Your work, although no doubt well-intended, keeps a browser alive that is much worse than many alternatives out of the box (the state in which most people use their browsers). But your goal and that of the Firefox community as a whole should rather be to lead back Firefox to its privacy-respecting roots by demanding improvements to be made, instead of keeping this current monstrosity alive and even defending it. If Mozilla refuses to change for the better, then the morally correct and realistic thing to do would be assisting in the development of a more privacy-respecting fork.
I understand that your view is rather different from mine, in that you consider it to be morally correct to advise Firefox users on how to improve its privacy level. But then, I hope you also understand my view, I think your work furthers the adoption of spyware without most users this application (Firefox) is being advertised to being able to make use of your work anyway, due to a lack of skill, thus being exposed to Firefox’s horrid defaults. It’s the defaults, those must be changed and a browser that has better defaults must be promoted, only then will things change for the better. I disapprove of any kind of project that directly or indirectly furthers the adoption of spyware, and leads to it being advertised to less advanced users, even if the project’s goals themselves are worthy.
In case you wonder about my humble personage, I dropped Firefox after they did away with legacy (XUL) add-ons. WebExtensions are not any more powerful than their Chrome counterparts in 99% of all cases, so essentially the only reason to use Firefox and to put up with Mozilla’s shenanigans was lost. I switched to an ungoogled version of Chromium, Brave in this case, and called it a day. Unsurprisingly, all the relevant non-breaking changes that are recommended in your user.js, I can achieve with Brave as well, some of them are already in place by default even (see above), as it should be. If I were still a Firefox user, I would have to be constantly weary of Mozilla’s tactics and would have to check for nefarious changes after each major update, while having no functional benefit over Chromium anymore, I certainly lack the time and the will to do that… And when I think about the people who are currently running Mozilla into the ground with great success, I am not at all unhappy about having left.
I think Chromium, by virtue of being open source, will be the grandfather project of a whole family of very distinct browsers, much like Debian is the basis of many Linux distros. I think that Firefox will disappear in the next few years if the trend of the past few years and Mozilla’s current leadership, who were unable to stop that trend, is any indication – leaving Apple’s WebKit as Blink’s only competitor, until Apple also switches to Blink (if you know the current state of WebKit as an engine, you kind of know that it will happen eventually). I deem this outlook to be realistic considering the direction in which the market has been moving for quite some time now.
I hope that I presented my point of view in an acceptable and coherent manner here, so that it is understandable. I am aware of the fact that this opinion is non-mainstream and likely controversial, but those are the conclusions I have come to after many years of deliberation and having had a close watch on the market. I am strongly opposed Mozilla for various reasons, both technical and non-technical, some of which I have explained here. Miss Pantalones, I think we can get along, as long as we try to understand and respect each other’s point of view. Cheers.
I don’t want to get into walls of text, but you’re not making it easy :)
> … so it’s possible that issues are being forgotten. … but further proves that likely no malevolence is involved
Just saying … a “possibility” is not a “proof” (to use your words). Even if there was a constant pattern of poor issue management, that’s still not definitive. Look, I’m not saying it was deliberate: you brought that up. My point was the optics (and the hypocrisy aspect)
> etc etc
I agree with you totally up to “some examples” – forget the technical aspects, but these arguments are the same ones others (and yourself from time to time) call rubbish when it comes to Firefox – generally speaking: I’m not going to go and dig out your comments
> some examples
And there we go. Bringing these same arguments up that when others say them, are OK, but when used to explain or defend Firefox, is not. Look, you and I don’t run large software companies (or do you?), and we are not privy to all the information. There’s always two sides to a story. Not everything is what it seems. But yes, everything needs scrutiny, and everyone makes mistakes. It’s how they respond and how they learn.
If something like Mr Cliqz happened AGAIN, then heck, WTF!! Right? But it hasn’t. If something like Mr Robot happened AGAIN, same thing. But it hasn’t, and Mozilla addressed it in posts and tightened up handling of telemetry changes, and how studies get implemented and so on.
> Mozilla lets Google Analytics…
I’m not in the business, but like any web serving company I guess they need metrics for AMO (and about addons uses AMO). Rather than roll their own, or use something else, the decision was made to use GA, and they negotiated a special deal with Google. Just screaming “but GA!!, must be bad” is non-argument. Because AMO is integrated in the browser, it’s given special privileges so it can’t be abused/hijacked.
> Mozilla still preinstalls three hard-coded trackers on Firefox Preview
IDK and I don’t really care. I’m focused on desktop. Maybe they have special agreements (they will for GA), and the data is not actually a privacy issue – i.e it’s being used for legit purposes and the data is certainly not PII, etc. Maybe some are only there while it’s a “preview” so they can get good feedback/data on how changes are affected users with touch and latency etc.
> Pocket is placed prominently in Firefox…
And your point is?? You can disable it from the graphic UI. Chrome prominently promotes it’s products as well. Brave comes bundled with BAT etc. This is a non-argument.
> Firefox’s tracking protection is based on Disconnect…
So what? Mozilla leverages a list done by Disconnect – and reviews it, and augments it with it’s own OpenWPM crawls etc – and vice versa: both parties benefit under an agreement . It’s all transparent, open. Again .. “ooh disconnect, must be bad”. IMO, a non-argument.
> Mozilla has the ability to remotely…
Big deal. The reason it was added is actually a security one – it allows rapid deployment of critical fixes. It’s the fact that this is not abused that matters. It’s their browser, they can do what they like. If they ever used it for nefarious purposes, what do think would happen? There would be a massive outcry. The fact it’s not abused is a valid point, so far.
I recently (last 6 months?) read about a Chrome bug that went out that affected certain setups (some enterprises I think), and caused systems to crash: and there was no switch for it. And they had no way to remotely fix it. Enterprises had quite the headache, having to roll back, disable updates, and await a patch.
Not here to argue the pros or cons of either being able to do it or not – and I think but do not know for sure, that the catalyst for this was at least partly drive by the FF armagaddon approx 1 year ago. This is another non-argument IMO.
—
You keep bringing up old irrelevant or invalid items. And/or you don’t look at them from all points of view. Why constantly point out Cliqz or Mr Robot when they’re like three years old and everyone has learnt and moved on. It’s almost as if you’re running out of arguments to “bash” Firefox
As for default settings: we had this conversation once before. And I could pick any browser and find items to point out. It’s easy to cherry-pick out of context. Not saying all items are invalid – all browsers can do better
– First of all, Firefox has to maintain it’s own engine etc, so resources are limited – it can’t just leverage chrome/chromium whatever and focus on JUST privacy, anti-FPing and BAT for example.
– They’re also dealing with a 20+ yr old spaghetti-fied code base whilst making radical overhauls: quantum, rust, stylo, RFP, FPI, removal of XUL, and so on
– And Firefox is not a niche browser, and has to work out of the box for all open standards.
Comparing FF to Brave is not productive: they’re two very different beasts (but aiming for the same goals). You’d be better off comparing it to Waterfox
FF do do a lot of changes, all the time, to further privacy (haha, I said do do). The changes just take time to enable tracking protection and test it and ramp it up, to build dPFI, and lots more. Brave is the same. Look (everyone except Chrome I guess), is trying to increase privacy by default: it’s just that they’re all taking slightly different approaches, or are working on different things, and are all at different stages.
And, IMO, you should look at items in their entirety. For example, prefetching speeds up page loads, and Firefox is trying to combat Chrome here – so I can understand **why** they would leave this on. But it’s something they could disable in e.g. Private Window Mode (IDK if they do, I should check that). Brave doesn’t have that same limitation.
If I wanted to, I could pick out dozens of things that FF does by default that Brave doesn’t – that all improve privacy. This sort of argument (bashing other browsers) is not constructive.
> Brave comes with an actual adblocker and not just with the half-hearted and plain ridiculous Disconnect list
ETP is not an adblocker, it’s a tracking blocker – it doesn’t block content. If you want an adblocker, use an extension. You’re comparing two different things. And I suspect the reason why Brave does it as an adblocker is to integrate with BAT. I’m not here to discuss the ethics or approaches of ads.
> they actually proxy Google SafeBrowsing and Geolocation requests
Not sure exactly what you mean by “proxy”. Fuck geo :) Anyway, Mozilla have their own key. As for Safe Browsing, there is zero privacy issues with updating local lists from the source, and Mozilla struck that privacy deal with google (yeah, I know they’re the devil, but if they broke that deal they’d be liable for gazillions): all Firefox users are the same – all 200 million or so browsers checking and getting SB updates: there’s zero privacy issues here. Hosting the files yourself, like Brave is a nice touch/optics, but it’s privacy theatre.
> blah
And then you went off tangent and brought up the CEO. And as for that Daniel Micay thing – AFAICT he’s lost the plot and making unfounded accusations after lurking in 4chan (lulz – he fell for it). Do you believe everything you read? Of course not.
I’m not interested. I only care about what the product itself can do. And I don’t really give a shit what other browsers can do either, except for the positive parts – I only want to be constructive (or highlighting where things could be tightened up: e.g prefetching in PB mode for FF when discussing FF), rather than trying to tear holes in other browsers. Who cares about other browsers – focus on your own. Every browser has pros and cons – it’s a waste of time and energy trying to compare them all in some sort of overall discussion. That’s what causes walls of text.
Instead of sliding in remarks and inuendo about other browsers in your comments, just state the positive things about your own. You’ll be taken far more seriously, and people will engage.
Thanks for being civil
And lets stop these walls of text and going off-tangent, or flogging dead horses :)
—
me, just before
> I’m not interested. I only care about what the product itself can do.
That’s my philosophy. That’s where my energy goes. I only care about privacy, anonymity, and security (in the context of privacy). I don’t lie and I don’t put people wrong (that I know of – I mean have I ever compromised the ghacks user.js in regards to those three key points?). And Firefox is the only browser that comes close in terms of being able to deliver those – and that’s because of, among other things, Tor Project’s involvement and ideas and research, and the ease in which so many things can be controlled, and because Mozilla enables that. That’s not me poo-pooing any other browser’s attempt to do this – that’s just me focusing on what can do the job best. Everything else is immaterial. I don’t really even care what the defaults are (except to the point that it reduces changes) – it’s all about what can actually BE achieved. Does that make more sense to you about where I’m coming from?
If you want to discuss Brave vs Firefox: happy to. But not overall (one thing at a time): just point out what they do better that Firefox CAN’T do (not defaults, what it actually can’t do) – that’s being constructive. I have no time for massive walls of text (I’m guilty here) or pointing out flaws in others, or trying to cover too many points at once. Precision commentary dude! :) Peace out
@Pants
> I don’t want to get into walls of text, but you’re not making it easy :)
Miss Panatalones, it is kind of a mute to frequently complain about my walls of text, while you are writing walls of text yourself, even in other threads where you are not replying to me. In my leisure time, I am an avid reader of novels, so my definition of “walls of text” might be skewed, who knows.
> generally speaking: I’m not going to go and dig out your comments
Even if you did, I have nothing to hide. :)
> There’s always two sides to a story.
You know, some actions speak for themselves, sometimes it is very hard to come up with reasonable explanations for things so blatantly user-hostile. Even if there is another side to the story, in the cases I mentioned, I don’t expect it to amount to more than glossing over the issues with marketing talk.
> But it hasn’t, and Mozilla addressed it in posts and tightened up handling of telemetry changes, and how studies get implemented and so on.
I can’t seem to recognize any change in their policy regarding Firefox Experiments in particular, sorry.
> Just screaming “but GA!!, must be bad†is non-argument.
You are misrepresenting my argument. The problem is not that they use Google Analytics instead of some other tracker, the problem is that they stop WebExtensions like uBlock Origin from blocking that tracker, by denying it that privilege. There is no pro-user reason for doing that.
> Because AMO is integrated in the browser, it’s given special privileges so it can’t be abused/hijacked.
Okay, what is stopping them from giving trusted and manually reviewed extensions like uBlock Origin special privileges? Oh right, nothing.
> IDK and I don’t really care. I’m focused on desktop.
Your personal focus is irrelevant to the problem at hand.
> Maybe some are only there while it’s a “preview†so they can get good feedback/data on how changes are affected users with touch and latency etc.
Purely speculative until they are fully removed. I totally expect them to still be present in the release version, by the way (speculative too, I know).
> And your point is??
My point is that Firefox is heavily promoting a service that has its own (worse) privacy policy, while actively making it seem like it is covered by Firefox’s privacy protection standards, this shouldn’t be happening.
> Brave comes bundled with BAT etc.
Not comparable, this is being covered by Brave’s privacy policy. Can’t say the same about Pocket.
> ETP is not an adblocker, it’s a tracking blocker – it doesn’t block content. If you want an adblocker, use an extension. You’re comparing two different things.
Even if we reduce the discussion to purely tracker blocking, Brave’s solution is still superior. By the way, why doesn’t Mozilla include a real adblocker again (hint: financial background of Mozilla)?
> Again .. “ooh disconnect, must be badâ€. IMO, a non-argument.
It’s only a non-argument because you are once again misrepresenting my argument (you pulled the exact same trick with Google Analytics already, please stop). My argument was not that they use Disconnect instead of some other list (although there are indeed better lists out there, but that’s besides the point), my argument was that Firefox uses Disconnect’s whitelist without ever making it obvious to the user that a whitelist is being used at all, and without giving the user any visible way to disable the whitelist.
> it allows rapid deployment of critical fixes.
So does the standard update functionality, what’s your point? There is no speed difference between the two methods – Firefox checks for updates in quick intervals already.
> It’s their browser, they can do what they like.
Which doesn’t mean that they are above criticism for it.
> The fact it’s not abused is a valid point, so far.
How about removing the potential for abuse in the first place, instead of keeping that door open on purpose? And they have abused it already – Cliqz (that one was a Firefox experiment).
> the catalyst for this was at least partly drive by the FF armagaddon approx 1 year ago
Wrong, those capabilities existed before the add-on armageddon already. In fact, using those capabilities is how they managed to fix the add-on armageddon. That was a case of those capabilities being used for the better, but they can also be abused. And yes, they could easily have fixed that with a standard update as well.
> Why constantly point out Cliqz or Mr Robot when they’re like three years old and everyone has learnt and moved on.
Because the persons responsible are still working at Mozilla as if nothing happened, this is not exactly building up trust. We could write novels about the psychology behind trust, but it should suffice to say that getting backstabbed by a person or organization once leads to doubt being cast on all further actions this person or organization might undertake. Or in short: If they steep that low, I am not trusting that they protect my privacy anymore, period. And no, their current track record is not exactly changing my mind, either.
> It’s almost as if you’re running out of arguments to “bash†Firefox
We seem to have different definitions of “bashing”. “Bashing” means coming up with lies or deliberate misrepresentations in order to damage a person or organization, in my book. Bringing up problems, as long as they are factual, is not bashing, it’s criticism.
> It’s easy to cherry-pick out of context.
I can’t remember the last time I “cherry-picked out of context”. I always try to look at the broader ramifications, but especially with the issues I listed, there is just no valid pro-user argument I could think of.
> First of all, Firefox has to maintain it’s own engine etc, so resources are limited
Come on now, this is laughable. Mozilla is a $500.000.000 p.a. operation, don’t you think they could afford one person that has the duty of improving Firefox’s defaults? Like, seriously? They could hire you for all I care. The real reason for them not improving the defaults is that they do not care, or even specifically want to have bad defaults that plays their sponsor in the cards (speculative, I know, so scrap that). And engine development has very little if anything to do with bad privacy defaults, there are always two different routes they could take.
> They’re also dealing with a 20+ yr old spaghetti-fied code base whilst making radical overhauls: quantum, rust, stylo, RFP, FPI, removal of XUL, and so on
Again, this has very little if anything to do with bad privacy defaults.
> And Firefox is not a niche browser, and has to work out of the box for all open standards.
They most certainly could disable nefarious stuff like prefetching or certain useless APIs, and websites would render just as well as before, but you already know that, don’t you? Pale Moon does it and it works fine, Brave does it and it works fine etc.
> Comparing FF to Brave is not productive: they’re two very different beasts (but aiming for the same goals). You’d be better off comparing it to Waterfox
Yeah, if we go by the assumption that impoverished Mozilla doesn’t have the money to hire someone who has the duty to improve the privacy defaults, then maybe.
> For example, prefetching speeds up page loads, and Firefox is trying to combat Chrome here – so I can understand **why** they would leave this on.
In times of Gigabit connections, 4G / 5G etc., there is no sane or justifiable reason to keep prefetching enabled. What is this, ISDN? The difference between prefetching being on and off is invisible to the human eye, Miss Pantalones.
> Brave doesn’t have that same limitation.
Mozilla and Brave are applying the same considerations when turning things on or off, both browsers are meant to be fully operational on all websites, after all. This is very contrived.
> And then you went off tangent and brought up the CEO.
Yes, because there is always a connection between the person in charge and the result achieved in the end. There not being a connection between the two is unthinkable. But it’s not just the CEO, there are bigger problems than her.
> And as for that Daniel Micay thing – AFAICT he’s lost the plot and making unfounded accusations after lurking in 4chan (lulz – he fell for it). Do you believe everything you read? Of course not.
You are misrepresenting the argument of Mr. Micay. He named several security-related shortcomings of Firefox. This riled up some Firefox fanboys (yes, fanboys) who then attempted to disprove his arguments – miserably failing, as was expected – while increasingly using ad hominem tactics. The Mozilla moderation tolerated this kind of character assassination without intervening. That Mr. Micay came up with the theory that Mozilla supposedly had sent 4chan trolls to hunt him down, so to speak, is indeed ridiculous and contrived, but that doesn’t automatically invalidate his original and factually correct argument about the security holes of Firefox. Let’s just say I believe in one stupid thing, that doesn’t automatically mean that I am wrong about everything else. The same is true for Daniel Micay.
[Editor: removed the unsubstantiated claim]
> Instead of sliding in remarks and inuendo about other browsers in your comments, just state the positive things about your own. You’ll be taken far more seriously, and people will engage.
Let’s keep this short and simple: My impression is that I am being taken seriously outside of the innermost temple circle of Firefox fanboys, but those people hate my guts anyway. Obtaining their approval is not a goal of mine.
> I don’t really even care what the defaults are (except to the point that it reduces changes) – it’s all about what can actually BE achieved. Does that make more sense to you about where I’m coming from?
I understand your approach, but if that’s really it, you can’t really complain when I assert that your work only benefits a tiny minority of Firefox users. The majority has to live with the defaults, unless the defaults are actively being improved. Improving the situation for the majority of users must be the goal, anything else is bound to remain a fringe solution for as long as Mozilla allows it.
Contributing to a fork is the only sensible thing to do, unless Mozilla changes for the better. I also think discussing anything but the defaults, or nigh-defaults, as far as browser choice is concerned, is ultimately a waste of time, a hobby discussion we can have here, in the god-forsaken outer rim of the Internet, but ultimately doesn’t help the vast majority out there. That’s not a strategy that can possibly succeed – if your goal is not to improve the situation for everybody (e.g. by contributing to a fork, i.e. a real alternative that non-techies can actually use), then what is the point in the end?
I tried to keep this one shorter than usual, maybe you noticed. However, I think the differences between our outlooks can’t ultimately be resolved. I am coming from the “Improve the defaults, so that non-techies, i.e. the grand majority, can have a better privacy level.” angle, while you come from the “If it’s possible at all, even if the defaults are bad, that’s enough to restore privacy, people should learn how to use my work correctly.” angle. Both have merit to them, but I strongly believe that my approach is closer to how most people would prefer it, and closer to how the real world operates, with all due respect.
I just hope that brand loyalty does not supersede common sense in either case.
@Martin Brinkmann
Forgive me for having called gHacks the “god-forsaken outer rim of the Internet”, you know that the outer rim is where the good guys originate from. ;-)
I get it, you “feel” attacked. I’m not attacking **you** personally, I’m going out of my way to try and make that clear – saying things like “in general”, putting words in quote marks because of slang differences (bash means something different to me: it doesn’t mean fabrication at all, it simply means to verbally put down or attack) or it’s not quite the right word. Even going overboard with the smileys doesn’t seem to work. Nitpicking near every single thing and quoting near every single line isn’t productive or conducive, and is not what I wanted. This is why I find it so hard to converse with you. Somehow everything seems personal to you, and you revert to type.
I said I didn’t want to get into walls of text because I knew my reply would be long (I’m stating the irony, I’d thought you’d laugh). Even that bit of levity didn’t work. How about the “Peace out” at the end – no dice, huh? I wasn’t accusing you of things to hide, I was **trying** to convey that this wasn’t a personal attack, and that I’m not interested in trying to catch you out in a lie or whatever
I do think you have some valid points at times, and I do think you bring something to the conversation. But, and this is the only way I can say this … “when you act like an utter ass” (like the previous post: calling me names like “Miss Panatalones” is immature as one example) … then fuck it, I’m done trying to have any meaningful discussion.
—-
> I can’t seem to recognize any change in their policy regarding Firefox Experiments in particular, sorry
All telemetry and shield studies have to undergo peer review and be signed off by one of a limited number of people with that authority. There’s also a “form” they use where they have to state why it’s needed, how long (e.g. telemetry items have expiry dates), what is collected if not already covered under the telemetry/shield privacy policy (I haven’t seen anything that needed that, TBH), etc. Basically it’s more robust and has a document trail. Something like this should have stopped Mr Robot and made them redesign it or drop it.
> … There is no pro-user reason for doing that
It’s not a **user** thing: it’s a **security** thing. Just leave it at that: agree to disagree. I think you’ve misunderstood and are making a massive molehill out of nothing
> Purely speculative
Of course it’s speculative when I say “maybe it is this or that”
> Wrong, those capabilities existed before the add-on armageddon … so does the standard update functionality
Fair point. I should have been clearer. A lot of the actual mechanics were changed after the review of what went wrong, and how they leveraged it to push the fix. AFAIK, prior to it being used in the addon thing, it wasn’t used. It took a bunch of them to work out that it could be used this way. I pointed out the chrome bug, where they couldn’t update (I should find a link, but fuck it). Shit happens despite best intentions. This is a fallback mechanism that they’ve changed since the addon thing in order to make security more robust
> Daniel Micay
I’m not commenting on his work. I was commenting about his twitter rant, and the ridiculousness of the accusation with a prepended “AFAIK”. You brought him up, not me. I couldn’t care less.
> I tried to keep this one shorter than usual, maybe you noticed
lol. This is not the right forum. Everything else I’m not going bother to comment on (I disagree on a lot of it), or we’ll just end up writing War & Peace, going around in circles.
In future, when anyone goes off on a tangent (not just you), I’m going to use a new rule: I’m not going to bother to address it except for the same line: something like “invalid, off-topic, not-relevant: please answer the actual question”: so be forewarned that IF I do this to you, it’s not just you. Hopefully this might keep the threads shorter
@Pants
Let’s keep this short, eh? No, I don’t feel attacked by you in general, and feeling attacked by you was not the reason why I wrote my reply. I wrote my reply in order to point out where I disagree with you for the reasons mentioned, and when I disagree with you on almost every single point, then this can get quite long. Although I don’t mind long texts.
Just one last comment on this:
> But, and this is the only way I can say this … “when you act like an utter ass†(like the previous post: calling me names like “Miss Panatalones†is immature as one example) … then fuck it, I’m done trying to have any meaningful discussion.
Pantalones = Pants, Pants is the short form of it. But then, even if that one had been immature on my part (it wasn’t), I don’t think you can really demand a mature reply from me to things like:
> blah
…instead of quoting what I write, this was truly kindergarten level of conversation. Or something like this…
> When you don’t attack people, and twist their words, or troll, or shill, or post walls of text, or whatever
…baseless accusations, some very unkind remarks on your part about me right there.
I think after things like these, you have forfeited your right for a meaningful discussion, unfortunately. Regardless, I tried explicitly not to attack your personally, ignoring these unkind remarks that hardly have an equal in my own replies.
Pants, you should try not to…
– Incessantly complain about walls of text while writing them yourself.
– Demand courtesy while being unable or unwilling to show the same yourself.
– Accuse others of nitpicking while most of the time nitpicking, or even shortening quotes out of context, yourself.
There is more, but I’ll leave it at that. Preaching water while drinking whine is never a solid basis for a conversation. If that wouldn’t happen, a meaningful conversation with you could potentially take place. For what it’s worth, I think that you are a person with good intentions at heart, and knowledgeable in a certain area, but also a person who has a very strong brand loyalty, at times resorting to underhanded tactics and baseless accusations when trying to defend said brand. But then again, you want to achieve a positive thing (regardless of what I think about the effectiveness of your way) and I largely view you in that light, believe it or not.
@Pants and @IronHeart
Get a room.
Brave is hijacking links and sending affiliate codes. Enjoy your “gift”.
https://davidgerard.co.uk/blockchain/2020/06/06/the-brave-web-browser-is-hijacking-links-and-inserting-affiliate-codes/
My scan comes up clean, no web sockets listed.
yeah more and more I’ve been using Brave and honestly, with its built in EasyPrivacy list its pretty solid out of the box, definitely becoming the only browser I recommend to people when I still see them using Edge or some other nonsense these days.
Can’t say the same for Chrome/Firefox because they leak a lot of data in their without being heavily configured. goodluck explaining to a basic user that you need to goto about:config or use a customized user.js file to configure it so it doesnt suck.
firefox is out of discussion since it went full rogue, installing telemetry tasks on Windows machines without user knowledge.
At least with Chrome you can make the argument of it being secure and easy to install and keep updated for the lowest common denominator.
Yawn…
@MikeO
Name a browser that has saner defaults than Brave… Don’t make us all laugh by saying Firefox, it’s easily proven that this is not the case.
And again: no article without unrelated trolling against Mozilla by Yuliya. It is so embarrassing. Martin, please finally block her comments. There was never an useful comment by her…
@Tom
Well, @Yuliya is not wrong. Firefox is pretty bad out of the box, going to about:config is absolutely imperative, if you want privacy. It’s also true that this is not something normies would buy into easily, even advanced users are annoyed by it to the point where they install Firefox ESR in order to reduce configuring it to once per year…
@iron heart.
Is there a comprehensive list of about:config settings available to lockdown firefox.
I notice brave has no 32bit linux version which counts me out.Also ublock origin has the easy privacy and other lists so it can block them too.
Kubrick, extensions can’t block core “functionality”. Your best solution is using your operatings system’s hosts file:
0.0.0.0 activations.cdn.mozilla.net
0.0.0.0 aus5.mozilla.org
0.0.0.0 crash-stats.mozilla.com
0.0.0.0 detectportal.firefox.com
0.0.0.0 experiments.mozilla.org
0.0.0.0 fhr.cdn.mozilla.net
0.0.0.0 getpocket.cdn.mozilla.net
0.0.0.0 incoming.telemetry.mozilla.org
0.0.0.0 input.mozilla.org
0.0.0.0 install.mozilla.org
0.0.0.0 onyx_tiles.stage.mozaws.net
0.0.0.0 qsurvey.mozilla.com
0.0.0.0 search.services.mozilla.com
0.0.0.0 self-repair.mozilla.org
0.0.0.0 telemetry.mozilla.org
0.0.0.0 telemetry-experiment.cdn.mozilla.net
0.0.0.0 tiles.services.mozilla.com
0.0.0.0 token.services.mozilla.com
0.0.0.0 versioncheck.addons.mozilla.org
Do note this list is from Firefox 60-62, I stopped using it after v63 started forcing the updater down my throat and the whole “extra telemetry for users who disabled telemetry” nonsense mozillians still defend to this date.
I’ll probaly look after some updates on domain current firefox connects to, you now have to deal with default-browser-agent.exex and its related tasks as well.
A quick tip, I’d axe out every single exe within the installation directory, save for the main firefox.exe and installer, and purge the “features” folder’s content as well. You always have to do this after every update, so it’s quite a pain in the ass.
PS: Give SeaMonkey a try, it has been recently updated, and it offers both x86 and x64 installers. It’s probably the best solution if you need a Gecko browser.
Oh, you’re on Linux. Disregard the executables removal part, you may have other steps to follow though to remove that nastyness.
@yuliya.
Many thanks for that intense reply.I do use seamonkey occasionally actually and it’s a nice old browser.I launch seamonkey with the apulse command as pulseaudio is not installed.
@ironheart.
Vivaldi offers a 32bit version as does chromium.
Is there a host file list for blocking most telemetry from various software?
Minded Security provides the extension Behave! for monitoring events like:
– DNS Rebinding attacks to Private IPs
– Access to Private IPs
– Browser based Port Scan
https://addons.mozilla.org/en-US/firefox/addon/behave/
https://chrome.google.com/webstore/detail/mppjbkhgconmemoeagfbgilblohhcica/
@Kubrick
Sure, there is. I recommend Firefox Zero for a start (tries to cut all connections to Mozilla):
https://old.reddit.com/r/privacytoolsIO/comments/d3of43/firefox_privacy_guide/
There is also pyllyukko’s user.js, which is more in depth and website-related:
https://github.com/pyllyukko/user.js/
In case you want to move away from Firefox, here is my personal Brave setup, which I consider to be fine as well (dare I say):
https://www.ghacks.net/2020/05/25/ebay-is-port-scanning-your-system-when-you-load-the-webpage/#comment-4463827
Brave has a 32 bit version as well (download link):
https://github.com/brave/brave-browser/releases/download/v1.9.72/BraveBrowserStandaloneSetup32.exe
@Kubrick
I forgot that you were using Linux 32 bit, alright. Forget about the download link, then. Firefox and Pale Moon are the only browsers I am aware of that offer 32 bit builds for Linux.
@Kubrick
The article says the port scans don’t take place on Linux systems, so you’re already “Ebay-proofed” on that front. uBlock Origin on a locked down Firefox or Ungoogled Chromium with the Easy Privacy extension just to double down.
I agree about Brave, but the point is people have become so accustomed to Google Chrome. Despite tuning Brave is not that hard, and being quite better privacy wise as Google Chrome imo.
Still, in my country, The Netherlands, Brave is getting better known now as is in the beginning, especially on Android.
It is a scan to ports binded to the loopback interface, to check for local malware. Dont see a problem with it.
It’s that it’s doing it without asking is the main issue.
Definitely looks to violate GDPR and other privacy standards.
not really, Chrome leaks the same if not more data than Firefox out of the box, both can be bad at the same time. Chromium based browsers like Brave on the other hand do try to clamp down on the amount of data being sent, and this is verifiable just by running the browser for the first time and looking at how many connections it makes through a firewall.
Sure, but Chrome nowhere claims to be privacy-friendly. It’s only claims are ecurity and speed, both of which are met to the highest standards. They only care what you do inside Chrome only.
Mozilla on the other hand creates a task specifically for tracking you outside of firefox; if this is not the definition of crossing the line, I don’t know what it is.
@Ironheart: you give valuable info about Brave and useful extensions. Do you have an opinion about Privacy Possum versus Privacy Badger? See https://www.ghacks.net/2018/05/07/privacy-possum-is-privacy-badger-on-steroids/
Redundant if you’ve got hosts filtering or something like uB0. The best way of dealing with tracking is to cut the connection between you and the entity which wants to track you.
@Sebas
First off, I have to agree with @Yuliya here. Running uBlock Origin or Nano Adblocker in medium mode is sufficient to get rid of tracking, there is no need for yet another tool that would be considered a redundancy.
As for your question, I’d like to defer the answer to the developer of Privacy Badger, which is IMHO excellent and fair:
https://old.reddit.com/r/privacy/comments/9lanyg/privacy_possum_or_privacy_badger_and_whyhow/e78a0ii/
Privacy Badger has a self-learning algorithm that will become quite good over time in identifying and totally blocking trackers. Privacy Possum is based on the premise of feeding trackers fake values. Both methods are capable of restoring your privacy, they are just two different approaches. But then again, running uBlock Origin with most / all lists enabled and in medium mode suffices, newly discovered trackers are being added to the lists quite quickly.
For you or anyone else who is interested, a full disclosure of my Brave setup:
1. Why use Brave instead of Chrome, or standard Chromium?
Essentially, it’s not calling home to the mothership and has sane privacy defaults on the code level already, more info here: https://github.com/brave/brave-browser/wiki/Deviations-from-Chromium-(features-we-disable-or-remove)
2. My settings in Brave itself:
– All adblock lists enabled.
– HTTPS Everywhere enabled.
– All cross-site cookies blocked (blocking all cookies breaks too many things, especially login forms).
– All cross-site fingerprinting attempts blocked (blocking all fingerprinting breaks e.g. the eBay login form, ironic considering the article this post appears under).
– Whitelisting social media login forms disabled (keep that enabled if you use Facebook / Twitter / Linkedin / Google accounts)
– Hangouts / IPFS Companion / Media Router / WebTorrent disabled.
– Tor Window enabled.
– Widevine – depends, if you are using commercial streaming services in your browser, leave it enabled, otherwise disable it.
– URL autocomplete – disabled
– WebRTC – Disable Non-Proxied UDP – https://github.com/brave/brave-browser/wiki/WebRTC-Custom-Settings
– Brave telemetry / remote debugging – disabled
– Push notifications – disabled
– Google SafeBrowsing – disabled
– Allow sites to check for payment methods – disabled
– I also have set the browser to delete cookies and cache upon closing in its website settings.
3. Chromium flags I have set in Brave:
– Reduce default ‘referer’ header granularity. – Enabled. – chrome://flags/#reduced-referrer-granularity
– Prefetch request properties are updated to be privacy-preserving – Enabled. – chrome://flags/#prefetch-privacy-changes
– Secure DNS lookups (DNS over HTTPS, DoH) – Disabled. – chrome://flags/#dns-over-https
My reason for disabling this you can find here: https://blog.powerdns.com/2019/09/25/centralised-doh-is-bad-for-privacy-in-2019-and-beyond/
4. Extensions I run in Brave:
– Nano Adblocker (fork of uBlock Origin, I use it because of its default integration with Nano Defender) – for custom element blocking and additional filter lists, I highly recommend to add an anti-cryptomining blocklist as well, since uBO / Nano Adblocker seem to be a bit lacking in that department.
– Nano Defender, to conceal the presence of Nano Adblocker
– LocalCDN (fork of Decentraleyes, more active now and supports more libraries), to block connections to CDNs
– Cookie AutoDelete, because there is no reason to keep cookies after the related tab is closed, I have set this to delete upon domain change; also clears IndexedDB storage
– ClearURLs, to get rid of tracking parameters in URLs and to prevent eTag tracking, also prevents tracking via the History API
I have no trouble on any website whatsoever with this setup. I have only encountered one problem. In YouTube, autoplay seems to be realized via a cookie, so if you have turn autoplay off and then close all YouTube tabs, Cookie AutoDelete will delete this cookie and autoplay will get re-enabled again. But fear not, I found a solution: Enhancer for YouTube, developed by MaximeRF, has an option in its settings that allows you to disable YouTube autoplay via a separate script run by the extension, this is how I turned off YouTube autoplay for good, even when Cookie AutoDelete is running. Apart from that, no problems.
The one weakness that still remains is being vulnerable to new (not yet blacklisted) fingerprinting scripts, but the Brave team is already working on Fingerprinting Randomization, so there is that. I also recommend setting up a Pi-Hole in your home no matter which browser you use.
A bit lengthy, but I hope this helps.
@Yuliya Thank you.
@Iron Heart Thank you for your elaborate list of settings, and the links, very helpful. The ClearURLs extension, notably the latest version, is good, I did install that quite a time ago.
I do have some troubles with Nano Adblock in medium mode (and Youblock origin too of course). It is for me a bit cumbersome, breaks too much sometimes and requires quite some attention for me.
So instead I use the No Opener, No Phishers extension, Ping Blocker, plus all the ones you mention. Probably some redundancy here and maybe not as good as medium mode, but it works for me.
I will check the Enhancer for YouTube, since indeed the autoplay re-occuring is annoying.
I have four different Brave profiles for seperate login sites, to prevent tracking.
@Sebas
If the medium mode of uBO gives you too much trouble, then I would suggest turning it off and installing Privacy Badger, then let Privacy Badger’s self-learning algorithm do its thing.
And yes, using separate profiles in Brave is also a good idea of course.
Does Brave have a way to toggle adblocking on/off while you are on a site? I liked Brave, but only way I could figure out how to do this was to go to settings and turn off security, when finished, turn it back on. I need a on/off toggle like Ublock or Nano Adblocker have. Therefore, I switched to Edge. Not sure why Brave either doesn’t have this or makes it so difficult to toggle off quickly (when you only need adblockers etc off on one site for a minute or so)
@Anonymous
You can disable the Brave adblocker on individual websites. When you are on a website where you don’t want Brave’s internal adblocker to run, click on the Brave logo / lion icon in the address bar, there you can either disable Brave Shields totally, or partially (say, if you want to disable adblocking but still keep HTTPS upgrades enabled).
Thanks, my Brave didn’t have this, I uninstalled it, cleaned out everything, reinstalled, and now it works.
Thanks for these details.
However; to your comment that Brave doesn’t call home to the mothership: when I tried Brave several months ago, it constantly checked for updates! I think it was a running service. It tried to phone home even when the browser wasn’t on. There was no way to disable that. I uninstalled it immediately.
Has this changed?
@GoodMeasure
No, it hasn’t changed. That being said, when Brave checks for updates, it will transmit the following information to the server:
– the Brave version you are running (in order to determine whether or not an update is necessary at all)
– your operating system (in order to deliver the correct update package, so that Windows users do not receive e.g. the Linux version or vice versa)
I think that they can have that type of information without it being a threat to privacy, to be honest. It’s also highly advisable to keep automatic updates enabled for security reasons.
That being said, if you want to disable automatic updates, there are two ways to achieve that:
– If you want to keep Brave, you can block the URL of the update server, either in the HOSTS file of your operating system or perhaps in the settings of your router (domain blocking / family safety settings or similar). You’d have to block https://brave-laptop-updates.global.ssl.fastly.net and https://brave-download.global.ssl.fastly.net
– You can switch to another browser which doesn’t do automatic updates at all, and therefore also doesn’t contact an update server, Ungoogled Chromium comes to mind here. Beware though that Ungoogled Chromium has the disadvantage of having to add extensions manually, I have described a good method for that here though: https://www.ghacks.net/2020/05/21/chrome-83-google-starts-rollout-of-redesigned-privacy-and-security-settings/#comment-4463560
@GoodMeasure
As for your problem of Brave running in the background, even if closed:
Open the Brave settings, scroll all the way down, click on “Advanced Settings”, then scroll all the way down again. You’ll find the following setting:
>>Continue running background apps when Brave is closed<<
Disable this setting, then close Brave. Check your Task Manager again, on Windows 8.1 at least, I am not seeing any Brave-realted tasks anymore.
This setting, in case you wonder, was inherited from Chromium (the browser Brave is based on), Chromium has this setting as well, it is not an invention of the Brave developers.
I failed to mention it because I am using a Mac as my primary machine, and this setting doesn't exist in Brave on macOS – and seemingly doesn't have to exist, because if you close Brave on the Mac, no Brave-related tasks are to be found in the Task Manager anymore, by default.
@GoodMeasure Another way to disable Brave auto update is with Autoruns for Windows from Windows Sysinternals:
https://community.brave.com/t/option-to-turn-on-off-auto-update-downloads-and-when-to-install-the-updates/67409/3
Uncheck the Brave entry in Autoruns logon tab.
Autoruns is portable.
Thanks Iron Heart and Sebas for the suggestions! OK, finally got around to re-installing.
So far Autoruns found one entry in Login, two entries in Scheduled Tasks, and two entries in Services. I will disable all these, hoping it doesn’t break anything.
I really like some of the ideas around Brave, so am giving it another try, but this instantly feels like the opposite of a pro-privacy, non-phoning home browser. My non-Microsoft firewall was telling me it is constantly trying to phone home. Trust me, I will update you regularly, Brave!
I will reboot and see what happens…
@GoodMeasure
As for the connections Brave establishes, have you turned off Google SafeBrowsing and Brave’s own telemetry in the settings (scroll all the way down the settings page, click on “Advanced settings”)? Turning those off significantly reduces the count of connections the browser establishes.
Yes, I did those things. I had already followed your settings for Brave above.
BTW, after turning off the 5 autoruns (thanks again Sebas) Brave is not phoning home when it is off now. Now I need a way for Brave to have multi-row tabs and tab groups. I’m a tab hoarder.
Thanks for your advice!
@GoodMeasure
Chromium / Brave has a native, but very basic Tab Groups feature, you can activate it by visiting the address…
chrome://flags/#tab-groups
…and by changing the value of the setting to “Enabled”, the functionality is active after you restart Brave. After the restart, you have Tab Groups functionality when you are right-clicking on any tab.
As for Multi-row tabs, I fear the situation looks rather dire here. No Chromium-based browser supports multi-row tabs. Neither does Safari, neither does Firefox. In Firefox, you can somewhat achieve this functionality via userChrome.css manipulation, here is a fitting thread:
https://github.com/aris-t2/customcssforfx/issues/39
That being said, as you can read in the thread, Mozilla breaks it on regular basis, so you have to constantly amend or even replace the code. You can somewhat lower the annoyance by using Firefox ESR, since the ESR version only gets new major Firefox versions once per year (only security updates in between), in this case it “only” breaks once per year, instead of multiple times per year.
Tab Mix Plus was an extension that had multi-row tabs functionality, but the current Tab Mix Plus which you can find in the Firefox add-ons store doesn’t have it anymore. The classic Tab Mix Plus 0.5.8.1 still works in the Pale Moon and Basilisk browsers, though:
https://bitbucket.org/onemen/tabmixplus/downloads/
So yes, only Pale Moon and Basilisk support this feature reliably, Firefox can be made to have it if you have some basic userChrome.css skills. Sorry that I don’t have better news for you regarding multi-row tabs. :/
That being said, I think Tabs Outliner is certainly worth a look:
https://chrome.google.com/webstore/detail/tabs-outliner/eggkanocgddhmamlbiijnphhppkpkmkl
Tabli is weaker, but also OK:
https://chrome.google.com/webstore/detail/tabli/igeehkedfibbnhbfponhjjplpkeomghi
OK, trying Brave’s Tab Groups and tabs-outliner now. Thanks! Had already seen that multi-row css stuff and rejected it for the reasons you mention – unstable and my limited css skills.
Currently mostly using Waterfox Classic with TMP 0.5.8.1. Also Tab Groups and Tab Groups Helper. It works pretty well. But I desire privacy, customizability, user control, and long term browser/project stability. You know, the stuff that Firefox used to be about. Been also using Vivaldi, Firefox 5.2.9 ESR (not much anymore), little bit of Iridium. On mobile: F-Droid’s Fennec.
I will try to give Brave a chance, but the out-of-control updating thing reminded me of Win 10 (I’m still clinging to W7). It was really off-putting and aggressive.
Again, thanks!
Iridium is not a good choice:
https://github.com/iridium-browser/tracker/issues/274#issuecomment-629210956
@Iron Heart
I am now trying the Brave tab-groups and tabs-outliner. Thanks for the suggestion! I had already seen the css site and rejected it for the reasons you mentioned – unstable and my poor css skills.
Currently, I have been using Waterfox Classic with TMP 0.5.8.1 and Tab Groups Helper for perhaps a year. It works pretty well, but I am seeking privacy, customization, user control and long term project/browser stability, the things Firefox used to provide. And tab groups and multi-row tabs, of course.
I am also using Vivaldi, occasionally Iridium, and Firefox 52.9 ESR (though not so much any more). For Android: Fennec F-Droid.
I will give Brave another shot, but the crazy updating thing, repeatedly phoning home for updates, even when the browser is not running, reminds me of Win10 (still clinging to Win7 here). It is off-putting and aggressive. I get that it comes from Chromium. I think a lot of people don’t notice it as fewer people use non-Microsoft outbound firewalls anymore.
Also, after turning off the five autoruns, it won’t let me manually check for updates through the browser. I can probably download and install over it, but then it will likely re-enable the five autoruns. They need to give the user a choice on auto-updates. Maybe the right combination of autoruns allowed would work.
I guess this has been off topic for a while. Sorry everyone. Martin should also have a forum! Thanks for your patience Iron Heart…
Why use Nano Adblocker and Brave? Doesn’t Brave have its own adblocker no extension needed?
@Anonymous
Because the Nano Adblocker allows for:
– additional filter lists (there is no option to add more filter lists to Brave’s internal adblocker yet)
– custom element blocking (Brave’s internal adblocker can’t do that yet)
Yet I must say that Brave’s internal adblocker is already pretty good and Nano Adblocker hardly has anything to do here… But still, on a regular basis it catches a minor number of ads that Brave’s internal adblocker has missed, so I keep it installed.
@ironheart
Can you run Non Defender without running nano adblock?
@Anonymous
There is no point in running Nano Defender without a compatible adblocker also being installed. The very point of Nano Defender is to hide the presence of the adblocker from websites.
As for the adblockers Nano Defender is compatible with: Nano Adblocker or uBlock Origin.
Nano Adblocker is prepared for the Nano Defender out of the box, no setup required. If you want to use Nano Defender with uBlock Origin, follow these steps (scroll all the way down the page, there it is described how to set it up with uBlock Origin):
https://jspenguin2017.github.io/uBlockProtector/
Can’t you just turn of ICMP in your modem? (Maybe I’m misunderstanding the issue.)
The firewall in Macs (at least up to OS X El Capitan 10.11.6) allows the user “to block all incoming connections except for those required for basic internet services…” In addition, the firewall allows the user to “Enable stealth mode” so the computer doesn’t respond to attempts to access the computer from the network.
I think the main issue here is that these scans are run locally, not from outside the network.
I also use one of those pieces of software to support people with computer issues. Really pisses me off w eBay as I have had nothing but problems with their tactics lately.
is this even legal doing such w/o consent?
EBay is probably already working on a way to get around the blocking of check.js.
Another way is to avoid EBay.
My take on this:
Maybe a better way for E-Bay to have handled it is to show a banner asking it’s users for permission to scan open ports, also a brief explanation of why, ……to prevent fraudulent charges.
While I mostly don’t like the idea I would rather have been scanned for open ports than receive an outrageous bill. I can’t say if E-Bay is data collecting or not but to me it seems like they have good intentions with the scan by preventing online theft.
I agree with your comment.
QUESTION:
If I donot store my credit card data in my browser: can a thief still purchase and I get the bill?
Is Ebay storing my credit card data after a purchase?
Thanks for clarification.
REgards
Jan
I block websockets and only enable them if it breaks functionality for a site. Usually for reCAPTCHA, which requires allowing websockets (sigh).
I can imagine some benign reason for scanning, but I haven’t used eBay in a long time for more basic reasons like scam artists, over charges for shipping, and generally miss representing merchandise.
Hmmm. I wonder if this is why Ebay wouldn’t allow me to buy an item with a credit card the other day. Also, previously had some trouble with a non-linked Paypal transaction that wouldn’t let me transfer funds to bank without them going in a review process twice.
I am using a proxy to bypass ISP throttling, so maybe they couldn’t scan my ports. Their loss.
Can’t see anything of this in my Win10 Vivaldi. I use uMatrix 1st-party sites only, custom filter lists, no cookies, no 3rd party cookies. Maybe they have removed the script by now?
Well, AdGuard System blocked the scans on FF and Ungoogled Chromium. My 6 blocked entries were all for the sign in page.
Overall, I’m not convinced any real human beings work for ebay.
“Good news! Your case has been settled in favor of the seller.”
How is that good?
Tried the same test on Amazon and minutes later, Amazon was still adding entries. ebay wins this round; they’re both botfarms.
Once can also use Requestly Chrome & Firefox extension to block a request. – https://chrome.google.com/webstore/detail/requestly-redirect-url-mo/mdnleldcmiljblolnjhpnblkcekpdkpa?hl=en
Here are the steps to block using Requestly Block/Cancel Rule
Url Source -> Wildcard Matches -> https://*ebay*check.js
These assets are hosted on a CNAME to another domain, and that domain hosts for thousands of sites. Better to block that, and also restrict third party to IANA reserved ranges.
Yes,
src.ebay-us.com is a CNAME to h-ebay.online-metrix.net.
So, just block *online-metrix.net and you are protected against this notorious script on about 30.000 sites!
See also my comment here:
https://old.reddit.com/r/uBlockOrigin/comments/gqaodx/is_it_possible_to_block_only_one_script_load_from/fruwz5g/
Just tried it in Firefox and don’t see any local port scans to 127.0.0.1. Ublock or Badger already blocking it or has eBay removed the scanning?
It’s a good thing we can at least trust Microsoft not to engage in this kind of shady private data stealing… oh, wait.
All replies here focus on one of the two things:
a) Block all (websockets, or privacy stuff in general)
b) Block ebay’s script
But a) (can) break websites using legit websocket connections, and b) does block ebay. But what if other websites start abusing it?
As a web dev, I’d say the best solution would be an extension that blocks non-default websocket ports (there aren’t too many!) – or better, browser vendors should do that. Another possibility is, blocking it via the windows firewall? But not sure how the latter would go.
Blame Ebay if you want, but I also choose to blame web browser makers for enabling Ebay to do this. Websites have far, FAR too much freedom on my PC when I visit them.
And it seems that enabling functionality like this in the browser is a great discrete way to let websites dodge my firewall and attack my PC from the inside of my network, when all I wanted to do was read some articles and maybe watch a video.
With uBlock Origin the local access and thus the portscan of eBay can be prevented very easily. The following rules are sufficient:
||localhost^$important,third-party
||127.0.*^$important,third-party
||[::1]^$important,third-party
More information (German language): https://scheible.it/lokale-verbindung-im-webbrowser-blockieren/
Not really since there is a very large range of IANA internal IP addresses.
https://github.com/uBlockOrigin/uBlock-issues/issues/1070
HI ALL: FIRST, I HAVE AMD-WET AND SO THAT IS WHY I POST IN CAPS (SO I CAN SEE WHAT I TYPE). SECOND, I SWITCHED TO BRAVE A FEW MONTHS AGO AND AM EXTREMELY HAPPY THAT I DID. THIRD, I HAD ALWAYS USED AMAZON TO PURCHASE ITEMS ONLINE BUT AFTER CHINA UNLEASHED THE PANDEMIC ON THE WORLD, I SWORE I WOULD NOT PURCHASE ANYTHING MADE IN CHINA IF POSSIBLE. ON AMAZON IT BECAME IMPOSSIBLE TO DETERMINE WHERE AN ITEM IS MADE, I ORDERED A CAM FOR MY DESKTOP ON APRIL 6TH NOT KNOWING IT WAS MADE IN CHINA AND ISN’T DUE HERE UNTIL JUNE 16TH. THAT’S OVER TWO MONTHS. SO AFTER FINDING OUT AMAZON DOES NOT SHOW WHERE THE PRODUCT IS MADE I SWITCHED TO E-BAY. SAY WHAT YOU LIKE ABOUT E-BAY BUT IT OFFERS ALL KINDS OF FILTERS THAT YOU CAN USE TO PINPOINT WHERE AND HOW THE PRODUCT IS MADE, BRAND, SHIPPING, ETC… AND HAS A U.S. FLAG IMPOSED ON THE ITEMS AD TO SHOW MADE IN THE U.S.A. SO NOW I AM A DEDICATED E-BAY BUYER AND THE SELECTION IS MUCH GREATER THAN AMAZON LED PRODUCTS.
I would personally suggest people to just enable advanced user mode and create rules such as:
* 127.0.0.1 * blocked
Adding the string to uBlock Origin’s “My Filters” tab worked perfect.
Tested with https://websocketstest.com/
https://github.com/uBlockOrigin/uBlock-issues/issues/1070
WebSockets (among others) can be turned on and off with a slider by installing this addon: https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/
@Iron Heart
I appreciate your insider knowledge as it offers valuable insight. However your bias/logic/value judgments (as a privacy focused software developer) give me a headache!
For example Ungoogled Chromium is JUST source code. Building it into an executable product usually requires proprietary tools (which can trivially link-in spyware). Building requires an extensive development environment to be precisely configured. Does its building require an Internet connection to external modules like binaries? Is there source code for every build component external or are they proprietary?
Why bother with all the security compromises or ‘mistakes’ by developers?
Rather than endlessly discuss them over-and months-over, which alternatives have the least fuss and highest privacy? Instead simplify!
Here are (the ready to go) icecat binaries. For Windows I would download the portable version (to uncouple MS), Then install uBlock, uMatrix CanvasBlocker, Chameleon and Javascript Toggle extensions.
https://github.com/muslayev/icecat-win64/releases
Note the correct syntax for uBlock is:
* 127.0.0.1 * block
@Red Pill
> For example Ungoogled Chromium is JUST source code. Building it into an executable product usually requires proprietary tools (which can trivially link-in spyware). Building requires an extensive development environment to be precisely configured. Does its building require an Internet connection to external modules like binaries? Is there source code for every build component external or are they proprietary?
Since I am not knowledgeable enough in the that field, I can only point you to the documentation:
https://github.com/Eloston/ungoogled-chromium/blob/master/docs/design.md#source-file-processors
However, what I can tell you is that there were no reports yet of Ungoogled Chromium binaries that contained any kind of spyware, malware etc. yet.
> Here are (the ready to go) icecat binaries. For Windows I would download the portable version (to uncouple MS), Then install uBlock, uMatrix CanvasBlocker, Chameleon and Javascript Toggle extensions.
That sounds like a good idea. Good to see that those binaries are up to date as well, contrary to the official IceCat builds (which are always lagging behind, and were thus never recommended by me). I may try them out, I may also add this to my personal list of browsers that can be recommended.
> Note the correct syntax for uBlock is: * 127.0.0.1 * block
Thanks for the hint, but I was already aware of that one. :) I may need this in other browsers, I currently do not need it in Brave, since it does already block the script in question by default.
I used chrome/incognito and don’t see the 127.0.0.1 checks you state. I assume this technique works to prevent ebay’s scanning?
Quick hypothetical question… could a social media platform use port scanning to identify a device’s “thumbprint”, and then deploy JS Injection attacks against certain user demographics? Troubleshooting for a friend who’s too darn smart for his own good.