[HN Gopher] Uninstall the NightOwl app
___________________________________________________________________
Uninstall the NightOwl app
Author : txr
Score : 769 points
Date : 2023-08-08 17:23 UTC (5 hours ago)
(HTM) web link (robins.one)
(TXT) w3m dump (robins.one)
| WirelessGigabit wrote:
| > It also tries to open a UPnP port forward on your router, but
| fails on mine because the key names are jumbled:
|
| This should fail on any router as you should have UPnP disabled.
| jeroenhd wrote:
| Disabling UPnP makes your system more secure, but unless you
| also disable all NAT ALGs in your router, you're still exposed
| to its dangers.
|
| I don't think most routers have a setting for that, so if
| infected devices are part of your security model, it would be
| wise to assume NAT is entirely non-functional because of [NAT
| slipstream attacks](https://samy.pl/slipstream/). An infected
| device can modify the router's NAT table to effectively act
| like UPnP, except they don't provide a user interface for you
| to audit.
|
| If you're NAT free (i.e. only use IPv6) disabling UPnP can be a
| decent security measure if you're willing to manually do all of
| your firewall exclusions, but honestly host firewalls are the
| only reliable protection method for most people these days.
| klabb3 wrote:
| I mean UPnP is a horrible spec but it's a stop gap for
| restoring the fundamental capability of internet-connected
| devices in residential settings. All p2p apps (Tailscale for
| instance) need to act as a server temporarily and allow
| incoming traffic. Without the _capability_ you're a second
| class citizen, so to say. It's infantilizing the user.
|
| Now, you can of course open the ports yourself, but this is
| inaccessible to the vast majority of users due to
| undiscoverable, inconsistent and complicated UX. Most people
| don't know what a port is.
| WirelessGigabit wrote:
| Tailscale uses STUN. No need for me to map ports.
| https://tailscale.com/kb/1082/firewall-ports/
| klabb3 wrote:
| Yeah they use several techniques but it includes UPnP if
| available.
|
| > $ tailscale netcheck
|
| > [...] * PortMapping: UPnP
| TheRealPomax wrote:
| Let me tell you about family members that have a mac because
| "they don't want the hassle of a windows laptop". They also
| don't want the hassle of not having uPnP, that setting is going
| to be turned on whether you know better or not.
| rootusrootus wrote:
| > Let me tell you about family members that have a mac
| because "they don't want the hassle of a windows laptop".
|
| They are not wrong. E.g. It amazes me how much pain and
| suffering Microsoft expects users to endure just to use a
| printer. It is not lost on my stepmother that her Windows
| machine has endless problems setting up and printing to her
| Brother laser printer, but her iPhone just sees it without
| having to be told.
| smoldesu wrote:
| If Microsoft embraced CUPS and Apple wrote Vulkan drivers,
| society would probably look like that _The world if_ meme:
| https://knowyourmeme.com/memes/the-world-if
| callalex wrote:
| Do you deny the need for UPnP entirely? This is a confusing
| statement.
| Astronaut3315 wrote:
| What do you actually need it for? I've had it disabled for
| ages, have no port forwards defined and have never had any
| issues.
| veave wrote:
| I have many devices at home and I can't be administering
| all the port forwards by hand, it would be a lot of work.
| dingosity wrote:
| +1. I also have had it disabled for ages. What features am
| I missing out on? When I look at the UPnP docs it talks
| about uses for which I have other mechanisms.
| NavinF wrote:
| VoIP and video calls have lower quality and higher
| latency without UPnP since this often forces webRTC to
| tunnel through a TURN server. Networks that have neither
| IPv6 nor UPnP are just broken
| NotYourLawyer wrote:
| > sudo zsh -c "rm
| /Users/*/Library/LaunchAgents/NightOwlUpdater.plist"
|
| Why do you need to call out to zsh for this command instead of
| just running it in the current shell?
| ptx wrote:
| Because the expansion of the wildcard needs to happen with the
| privileges granted by sudo. If you just ran "sudo rm ..." the
| expansion would be done by the current shell, which doesn't
| have the required privileges.
| Arnavion wrote:
| I don't know anything about MacOS. Normal users don't have
| r-x on /Users ? How do they access their own /Users/whatever
| homedir then?
| nicolas_17 wrote:
| Normal users have r-x on /Users, but for that wildcard to
| work, they would need r-x on /Users/foo,
| /Users/foo/Library, and /Users/foo/Library/LaunchAgents,
| for every "foo" user in the system.
| Arnavion wrote:
| For that exact command, yes. But if `/Users/*` by itself
| can be expanded without root you can construct the list
| of files to delete without needing the `zsh -c`. Eg `for
| d in /Users/*; do sudo rm -f
| "$d/Library/LaunchAgents/NightOwlUpdater.plist"; done`
|
| It's a minor point overall. I was just checking if MacOS
| had something else going on with its file permissions.
| NotYourLawyer wrote:
| Oh, makes sense. Thanks.
| mcguire wrote:
| Pardon, but with double quotes, isn't the expansion going to
| be done by the current shell anyway?
| mh- wrote:
| globs aren't expanded in double quotes (not in bash or zsh,
| at least).
| [deleted]
| ecf wrote:
| Developers who sell out their app to entities like this deserve
| to be ostracized from the profession.
| devit wrote:
| Apparently the perpetrator who sold out their users to the
| highest bidder is named Benjamin Kramser and they even freely
| admit the deed on their homepage! (https://www.kramser.xyz/)
| ecf wrote:
| > I love to build digital products
|
| Should update that to "I love to throw the people who love my
| digital products under the bus"
| onemoresoop wrote:
| Software as rugpull model
| mindwork wrote:
| Little Snitch would help detect which IPs and addresses the app
| connects to and allow blocking those connections
| OpinionRegister wrote:
| [dead]
| hiatus wrote:
| Or LuLu!
| walthamstow wrote:
| MacOS pulled it for me, refused to open it
|
| Replaced it with NightFall https://github.com/r-thomson/Nightfall
| princevegeta89 wrote:
| If toggling between modes is all that is needed, it can be done
| right through BetterTouchTool. I just assigned a right-
| click+option+cmd globally for it and it works like a charm
| seemaze wrote:
| You can also put display settings directly in the menu bar
| using:
|
| Settings > Control Center > Display > Always Show in Menu Bar
|
| I'll concede it takes a second click to toggle dark mode, but
| you also have night shift as an option, and it's 100% native.
| K7PJP wrote:
| This option wasn't available in 2018, when NightOwl was
| released. I had to test our application's Dark Mode
| implementation and NightOwl was super-useful then. I'm glad
| Apple made it easier to toggle dark mode in the interim.
| radicality wrote:
| Another very simple way is to make your own thing with the
| default Automator app.
|
| * open up Automator and create new application
|
| * select "change system appearance" and select toggle
| light/dark mode.
|
| * save the 'app'
|
| Now, whenever you want to toggle light/dark mode, just open up
| spotlight and open up whatever you named the app. There's
| probably a way to do it with Shortcuts too.
| [deleted]
| samwillis wrote:
| Feck, I'm uninstalling right now.
|
| I assume this is being used by those services that sell scrapers
| "real domestic IP addresses", where in fact they are selling a
| botnet.
|
| We can't just have nice things can we.
| hiatus wrote:
| > I assume this is being used by those services that sell
| scrapers "real domestic IP addresses", where in fact they are
| selling a botnet.
|
| The author alleges as much in TFA.
| cpleppert wrote:
| >> It is an alternative to the built in macOS automatic mode
| which only switches when the user steps away from the computer.
|
| Huh? Setting a schedule/location for nightshift and setting the
| dark mode setting to auto will always change instantly. If you
| use a launcher or spotlight then a simple one line applescript
| can change the setting as well. (tell application "System Events"
| to tell appearance preferences to set dark mode to not dark
| mode).
| jw1224 wrote:
| > Huh? Setting a schedule/location for nightshift and setting
| the dark mode setting to auto will always change instantly
|
| Not in my case?! I'd say there's a 25% chance that Dark Mode
| enables at sunset. It's been this way for years -- even up til
| Ventura.
|
| Has it worked flawlessly for everyone else the whole time?
| balaji1 wrote:
| there seem to be many features that are flawless for some,
| and hit-or-miss for others. Example Airpods pairing, airplay
| are not always consistent.
| CoryAlexMartin wrote:
| I have the same experience. Dark mode automatically turns on
| way later than I'd like it to.
|
| From the article: "It is an alternative to the built in macOS
| automatic mode which only switches when the user steps away
| from the computer."
|
| If I set up night shift, it will switch to dark mode at the
| time I set, but it also tints my screen (even subtly, if I
| turn the slider all the way down), which I don't care for as
| someone who does art.
| fingerlocks wrote:
| Only time it didn't work flawlessly was because I had
| contradictory settings between my phone and MacBook
| K7PJP wrote:
| In 2018, when NightOwl was released, some or all of these
| affordances didn't yet exist.
| TZubiri wrote:
| [flagged]
| spiznnx wrote:
| Is this a common slang in infosec? I've never seen it used
| like this and it has highly insensitive connotations for me
| in other contexts.
| stjohnswarts wrote:
| I haven't heard anyone using that homophobic edgelord word
| in probably a decade. Maybe a time traveler?
| chayesfss wrote:
| [dead]
| linuxdude314 wrote:
| No it's not and its use should not be perpetuated in this
| context.
|
| It's definitely the homophobia you are perceiving.
|
| No one misses the edge lords of yesteryear.
| [deleted]
| bertil wrote:
| I had to google to check, and I've found so many
| interpretations that I feel like a linguist would have a
| field day with that word alone.
| akira2501 wrote:
| Imagine spending thousands of dollars for something that
| can't even do basic personal automation reliably.
| mahathu wrote:
| You can use the Shortcuts application on macOS and iOS for
| a wide variety of personal automation tasks.
| kstrauser wrote:
| "WHEREAS, NightOwl app enables Users to share internet traffic by
| modifying their device's network settings to be used as a gateway
| for internet traffic. Additionally, the User's device acts as a
| gateway for NightOwl app's Clients, including companies that
| specialize in web and market research, SEO, brand protection,
| content delivery, cybersecurity, etc."
|
| Fuck that with a chainsaw. Burn it. Burn it with fire.
| dingosity wrote:
| [flagged]
| kstrauser wrote:
| Selling ads is one thing. Selling my Internet connection,
| which violates the ToS of most ISPs, is a vastly different
| situation.
| dingosity wrote:
| How So? I mean, NightOwl doesn't have an arrangement with
| your ISP, they have an arrangement with you.
|
| I'm not sure your ISP is going to delete your account
| because you didn't know some app was doing something shady.
| If the standard is every app user has to know what each app
| does under the hood, then there's going to be a lot of
| people who won't be able to match that standard.
| dylan604 wrote:
| are you kidding? of course they will. back in the early
| days of the interwebs, it was not unheard of to have the
| ISP block your account when your machine got hacked from
| malware and used your box/connection as a SPAM server.
| From then, consumer ISPs just block that port. They've
| also added terms about not running servers on the
| consumer connection. While your server would have to be
| using a lot of bandwidth to get noticed, it is part of
| their terms that you agree to.
|
| So yes, they will absolutely suspend your account until
| they are satisfied the usage is in alignment with their
| expectations.
| tayiorrobinson wrote:
| Their TOS essentially just says "Don't use the app"
|
| > NightOwl app cannot be held responsible in any
| circumstances for Shared traffic fees or any other costs
| the User may incur in accordance with agreements with
| their internet service provider. The Application use
| might be prohibited or restricted by the User's service
| provider or applicable laws. The Application may not be
| compatible with all service providers' policies and
| regulations. The User should confirm the ability to use
| the Application with their service provider.
| prmoustache wrote:
| No but you could be SWATed because someone sold child
| porn through your IP.
|
| Regardless of how you can prove your innocence, it can be
| traumatic for you and your family, you can say goodbye to
| all your computers and phone, you'd have to deal with the
| gossip from neighbours and relatives and possible social
| exclusion, and possibly your couple/marriage as well.
| [deleted]
| OhMeadhbh wrote:
| Stop being a jerk and play nice. Say what you mean without
| attacking people.
| dingosity wrote:
| I don't think I was attacking people, but will defer. In
| less inflammatory prose, let me say:
|
| There is a problem on the net that is exacerbated by
| funding models which seek to use free services to do "bad"
| things. The Ad-Driven model has problems that the needs of
| the end user are often not considered paramount, but
| instead the needs of the advertiser are. After all, they're
| the ones paying the bills. Print newspapers famously had
| this problem, balancing the interests of editorial and
| advertisement.
|
| Furthermore, there are people on HN whose enterprises are
| funded by ad revenue. I worry they (and their investors)
| err on the side of the advertisers rather than on the side
| of the users when there is a conflict. I doubt there are
| many here who would go to extremes such as enrolling
| customers' iPhones into botnets, but there is always that
| temptation. What if you were a couple weeks away from
| laying everyone off and a shady partner sidled up to you
| and suggested such a move. I believe it would be a moral
| crisis for any entrepreneur: shaft your customers or shaft
| your business, its investors and its employees.
|
| I am lucky to operate from retained earnings and (at least
| for the time being) could firmly reject such an offer. I
| appreciate that I am probably in the minority in this
| respect.
|
| I bemoan the current state of affairs where so many
| entrepreneurs could even conceivably be tempted by such a
| Faustian bargain (without asserting the majority are.)
|
| I am ensaddened that experiments like Bitcoin seem to have
| devolved into ponzi schemes rather than effective
| micropayment vehicles. Such a platform could conceivably
| open up new business models which would allow entrepreneurs
| to ignore this particular devil.
| worik wrote:
| > What if you were a couple weeks away from laying
| everyone off and a shady partner sidled up to you and
| suggested such a move. I believe it would be a moral
| crisis for any entrepreneur: shaft your customers or
| shaft your business, its investors and its employees.
|
| That is the difference between ethical and unethical
| operators
| rootusrootus wrote:
| > <snark>Hah! 4 downvotes! That's all you can muster! Come at
| me, bro!</snark>
|
| AFAIK, 4 is the maximum number of downvotes that will be
| recorded for a single post. It's possible I'm wrong, but
| occasionally I write things that do not receive universal
| adulation and never has one gone below -4.
| sublinear wrote:
| > Isn't this sort of what the web is for? Service providers
| give you shiny objects for free and in exchange you give them
| complete access to your digital life.
|
| If you made it clear you were being sarcastic, you wouldn't
| be getting downvoted.
|
| Yes this is what many businesses want you to think. The web
| isn't for anything in particular besides general
| communication bound only by the laws beyond the first
| amendment.
| mcguire wrote:
| Neither the First Amendment nor any particular set of laws
| bind _the web_ generally.
| dingosity wrote:
| If you're commenting on the difficulty of policing the
| intarwebs, I heartily agree with you.
|
| If you're saying CD230 doesn't exist, I encourage you to
| rejoin consensus reality. But if you're trying to say CD
| 230 is in need of review, I would heartily agree.
| dingosity wrote:
| Sarcastic? Not really. But I do see I am violating H. L.
| Mencken's rule: Never argue with a man whose job depends on
| not being convinced.
|
| I sell to customers who purchase my goods. I'm not trying
| to sell my company to a VC who's using it to suck up ad
| dollars. My customers are my users, your customers are VCs.
| OhMeadhbh wrote:
| I love you to death, but this ain't helping.
| barbazoo wrote:
| I guess "modifying their device's network settings" is already
| covered under whatever permissions we had to give it to perform
| the original task of switching on/off dark mode? That's a
| bummer. Would be nice if app permissions were more granular if
| that's the case.
| WirelessGigabit wrote:
| And this is the risk that operating system developers run
| when you take away features or you don't develop features
| that your userbase wants.
|
| Look at the amount of Start Menu modifiers there are out
| there for Windows. All because Microsoft keeps on changing
| the start menu. Why? I don't know. I just want to get rid of
| the Recommended section, but I'm not allowed to.
| qwerpy wrote:
| Last night I got a notification that advertised Game Pass
| to me. I angrily clicked on manage notifications and
| there's a notification source called "Suggested" that
| somehow was turned on. That was the last straw for me. I go
| through so much diligence setting up my browser's ad block,
| only for the OS to bypass all that.
|
| For now "Suggested" is turned off and I disabled all
| notifications for good measure, but I don't know how much
| longer Windows will allow that. I don't intend to find out.
| PartiallyTyped wrote:
| Name and shame the developers and the company.
| crazygringo wrote:
| So, usually I associate super-shady things with _hiding_ the
| fact that they're super-shady.
|
| I'm thankful, but also genuinely curious, why they put this
| explicitly in their TOS.
|
| It just kind of seems to be like the kind of person/org who
| would implement this shady stuff in the first place, would also
| actively hide that they're doing it.
|
| Is there a legal reason that protects NightOwl by explicitly
| putting it in the TOS? E.g. does this prevent them from being
| sued for any of it, where they could have been successfully
| sued otherwise? Like it's technically do to all this shady
| stuff but _only_ as long as it's in your TOS?
| runlaszlorun wrote:
| I'm no lawyer but my guess is that the bar is so low for
| what's actually legal- and no one generally reads these
| EULA's- that it's easier just to have it in there.
| sublinear wrote:
| The bar is intentionally low "for what's actually legal".
|
| You really don't want the government interfering with the
| implementation details and business models of software
| products. That's a really bad road to go down.
|
| The problem is really a lack of inspiration for both the
| dev and user. In this case someone made a trivial tool and
| didn't know how else to monetize it than being a scumbag
| and exploiting social norms and good will. The user also
| decided to use something that's dumb and not worth risking
| making any agreement with any entity at all.
|
| Situations like this are where free software excels. Things
| that are inconsequential in premise should stay that way in
| practice.
| sublinear wrote:
| I'm not a lawyer, but the terms of service are an agreement
| with the user, so yes. They're not hiding anything because
| then they'd get sued.
|
| If they didn't disclose "this shady stuff" then the user can
| try to resolve their dispute via remedies stipulated
| elsewhere.
|
| Really there are several ways they could have gone about
| writing this agreement. This is probably the simplest for
| everyone. This is also how the bigger orgs write their
| agreements. They state their intent and you have to agree or
| fuck off.
|
| The badly written agreements (what you were expecting) are
| less honest and try to explicitly have the user waive some
| rights entirely including any remedies in or out of court,
| but those can usually be deemed unenforceable because they
| violate established rights and precedent rulings.
| kfrzcode wrote:
| Also not a lawyer. I'd think there's a level of
| interpretation to the enforceability of a given clause if
| it's not adequately exposed or is unconscionable in
| fairness. I'm guessing it's not so easy as clickwrap = rock
| solid contract.
| sublinear wrote:
| Sure if a majority of users expect apps to not steal your
| data or misuse your internet connection.
|
| Sadly this isn't the case anymore. The layperson is
| distrustful by default and can only rely on the more
| astute to blow a whistle. Even a judge would just say to
| not install apps that aren't critical to your everyday
| life and be done with it. Nobody has the time to swat at
| flies.
| ncallaway wrote:
| > The layperson is distrustful by default
|
| This sounds like it was written from an alternate
| reality. It doesn't match my experience at all
| sublinear wrote:
| Yeah distrust isn't enough to deter the layperson from
| using an app anyway. That's my whole point.
| alexpotato wrote:
| This reminds me of the Jerry Seinfeld joke:
|
| "I bought the Superman Halloween costume and on the side of
| the box it said 'do not attempt to fly'.
|
| I always wondered about the kid who was:
|
| - dumb enough to think they could fly
|
| BUT
|
| - thought to themselves 'wait, let me check the box first.
| Oh! Good thing I checked!'
|
| The TOS sounds a little bit like the "do not attempt to fly"
| warning.
| NavinF wrote:
| A lot of "free" VPN apps do the same thing and I haven't
| heard of any of them getting in legal trouble. It's kinda
| like running a tor exit node except most buyers just wanna
| borrow the user's IP to scrape sites that are otherwise
| impractical to scrape with just a captcha solver due to
| aggressive blocking of non-residential ISPs and heavy rate
| limiting.
| Chabsff wrote:
| The difference being that it's somewhat related to the
| app's operation. In this case, it's completely orthogonal
| to the app's marketed function.
| jallen_dot_dev wrote:
| > does this prevent them from being sued for any of it, where
| they could have been successfully sued otherwise?
|
| As I understand it, anyone can sue anyone for anything. What
| matters is convincing a judge/jury that you have been
| wrongfully harmed by the defendant. So if someone can make a
| good enough case for damages stemming from this data
| collection, then they can successfully sue.
|
| This doesn't prevent them from suing, but it makes their case
| significantly weaker if the defendant can argue that the user
| agreed to have their data collected.
| hammock wrote:
| >I'm thankful, but also genuinely curious, why they put this
| explicitly in their TOS.
|
| The guy's in the US, not China or Cyprus, so there's actually
| a chance he could get in trouble.
| macinjosh wrote:
| My assumption is there is a non-trivial number of people who
| will never read or notice that. Much less understand the
| ramifications.
| omgJustTest wrote:
| Probably compelled by Apple, or removal from store.
| tayiorrobinson wrote:
| The app isn't on the App Store. (switching light/dark is a
| private API so it wouldn't be allowed on the store anyway)
| wouldbecouldbe wrote:
| There is no way reviewers would accept that if they read it
| jamil7 wrote:
| There's a lot the app is doing that would not be allowed
| through review. It's distributed via Sparkle which is
| pretty common for mac apps.
| CoryAlexMartin wrote:
| I installed this app earlier this year, and uninstalled it a few
| days later after I noticed it constantly using obscene amounts of
| my internet data.
| I_am_tiberius wrote:
| As a side note I want to mention that I use Night Shift on mac os
| and every day!!! I need to switch it back on because there is no
| option to leave it enabled all day long.
| andrethegiant wrote:
| I have it set to a custom schedule that starts at 4am and ends
| at 3:59am, effectively leaving it enabled all day long.
| I_am_tiberius wrote:
| I have it set this way as well. But as I'm living a rolling
| day:), I often experience the light suddenly going on, so I
| have to reset it again.
| linuxdude314 wrote:
| What are you talking about? The whole point is you leave it on
| and it tracks the sun. Does this not work for you?
| I_am_tiberius wrote:
| Yes, this works. but I want to have it enabled constantly
| because I like my screen that way.
| mschuster91 wrote:
| I _hate_ silent takeovers so much. Chrome developer extensions
| are another very popular thing for bad actors to buy out and
| replace with malware, and it sucks.
| laurent123456 wrote:
| That's the problem with free apps. Very few people want to
| donate, no decent company is interested in buying the app and
| making it profitable, so all that's left are the worst kind of
| companies who buy these extensions and apps to exploit the
| users.
|
| All these free apps have value but unfortunately it doesn't
| translate to any income for the developer so they find other
| ways.
| reustle wrote:
| Couldn't this happen to paid apps just as easily?
| laurent123456 wrote:
| If the developer is well paid, probably not? Why would they
| throw away what they built for a lump sum if they have
| decent side-business and recurrent revenues?
| ohgodplsno wrote:
| Given a sufficient lump sum that guarantees I no longer
| have to work, my morals can be easily bought.
| [deleted]
| TheRealDunkirk wrote:
| For me, StackOverflow proved that literally everyone has
| a price. The world is hurtling full-speed towards the
| corporation-citizenship cyberpunk dystopia people have
| been writing for years, as every company buys up
| everything they can in order to stay "competitive."
| [deleted]
| mulmen wrote:
| If I offer you 100 years worth of revenue for your
| browser extension are you really not going to entertain
| the idea of selling?
| laurent123456 wrote:
| Sure but they probably won't offer that much. What I mean
| is that the value of this app, despite being free, is not
| zero, but that's probably what the developer was getting.
| So even if he got 10K for it, he's happy and moved on.
| mulmen wrote:
| The app originally set the desktop theme to dark mode or
| not. That's not worth more than a single one dollar
| payment, if that.
|
| If I want to do some shady app shit I am buying install
| base. 100x an app that makes a few grand a year could
| still be worth it for my nefarious purposes.
| deciplex wrote:
| Seems like a developer that is getting literally nothing
| for his app or plugin is more likely to sell it than a
| developer that's getting some income from it. At the least,
| the buyer would need to match the current value that the
| app provides its author.
| croes wrote:
| I don't know.
|
| A developer who didn't charge anything from the beginning
| has more likely other motives releasing his software than
| making money.
|
| But if you already make a little money you may easily
| fall for a lot of money.
| laurent123456 wrote:
| I think it starts with passion - he created some useful
| software, he shares it and initially enjoys working on it.
| Then he puts a donate link (I saw there was a donate link
| in the previous site), and gets almost nothing, but he
| still needs to add bug fixes, maybe new features, answer
| to the user's emails, etc.
|
| After a while it becomes a chore... and still getting $0
| out of it. And that's when he might want to find other
| ways to get something out of the efforts he put in.
| Unfortunately the only option is to turn it into malware
| since nobody wants to pay for it, or turn it into a
| decent profitable business.
| deciplex wrote:
| I mean, everyone's gotta eat. I think there's plenty of
| instances of someone building a tool that they personally
| find useful and then making that tool available for free,
| unsure of what the reception will be and not expecting a
| lot of users. But if that something does very well and
| finds a wide audience I think it's natural to try to earn
| a living from it. And, if the attempts to "monetize" fail
| (as they often do) and someone is offering a lot of money
| in a lump sum to take it off their hands, well frankly I
| think they'd be foolish not to take it. And if that
| arrangement happens to turn out poorly for the userbase,
| well hopefully that will be another small object lesson
| in paying for things you find useful, when politely
| asked.
|
| (And yes, I'm aware that's a lesson that really should
| have been learned by now, if it was going to be learned
| at all. Alas.)
| mulmen wrote:
| And their values are what exactly? They offer something for
| free with no reasonable expectation of compensation then rug
| pull by selling out. It's hard to be sympathetic. If you want
| to get paid to write code then get a job writing code.
| smoldesu wrote:
| It's not a problem with Free apps. If you're forced to
| redistribute the source code, it heavily disincentivizes
| attacks like this.
| 1970-01-01 wrote:
| >I hate silent takeovers so much.
|
| This is a great app idea. Monitor the app owner. If the owner
| changes overnight, alerts to the moon.
| stjohnswarts wrote:
| wouldn't they just buy the account/password and not let
| google know?
| haolez wrote:
| They would just change the acquisition details to avoid
| changing the owner and giving the account credentials over
| instead.
| 1970-01-01 wrote:
| Yes, maybe. In this case, it would be a very actionable
| alert.
| agnosticmantis wrote:
| Until we learn that this monitoring app has itself been
| acquired. /s
| devrand wrote:
| Obviously don't narc on yourself!
| lapetitejort wrote:
| Who watches the watchmen?
| guessbest wrote:
| Watchwomen by a process called nagging.
| [deleted]
| justin_oaks wrote:
| Another set of watchmen.
|
| ... unless they conspire together. Ugh.
| agnosticmantis wrote:
| Have we finally found the killer app for blockchain?
| runlaszlorun wrote:
| Or if the browser companies themselves were owned by large
| corporate behemoths!
|
| Wait...
| mcguire wrote:
| <libertarian> What's silent about it? It's right there in the
| TOS, which you agreed to by using the software. Caveat Emptor,
| and all that. </libertarian>
| wlesieutre wrote:
| The perfect market will solve this and if it doesn't it's the
| users' fault for not having perfect information!
| trolan wrote:
| <dictionary> silent: tending to speak very little: not
| loquacious <dictionary>
|
| If the buyer alone was responsible, there would be no terms
| of service. It's only with community protections and
| regulations that you get the information required to attempt
| to make an informed choice. The same community should be
| empowered to drive normal ethics without it being overtaken
| by the 'drivers licenses are tyranny' crowd.
| tmpX7dMeXU wrote:
| Nice writing style. Straight to the point because the author
| actually had something useful to say. A nice departure from the
| usual 'pad it out' approach that sadly you even see people take
| for their personal writing. So many people will lament recipe
| authors including 6 paragraphs of preamble, but will happily do
| it when they're telling you about how they pwned their toaster or
| whatever.
|
| When it gets down to brass tacks, I.e. the technical details
| section, it could really do with a once-over. One too many run-on
| sentences.
| bbor wrote:
| Just want to say: amazing write up. I hope to write like this
| some day.
| I_am_tiberius wrote:
| Coming from Linux, I also have to say that I was shocked how many
| apps on macOS are only available as closed source.
| [deleted]
| jondwillis wrote:
| In 2018, I contacted the developer and tried to purchase this
| app. He turned me down, and seemed like he wasn't in it for the
| money. Seems like he picked the wrong buyer when he did finally
| sell out.
| lapcat wrote:
| If I may ask, how much did you offer, and... who are you? :-)
| andrewfromx wrote:
| wow and this is built into macOS now as NightShift right?
| txr wrote:
| Yes, the OS function works fine. Haven't used the app in a
| while, just had it still installed. I just found this by
| searching for "proxy-gw1-europe.squidyproxy.com" which seemed
| odd when I found it in my .ssh/known_hosts file.
| andrewfromx wrote:
| ah, i just used squid on my own linux server recently for a
| weird use case. A client of mine gave me access to
| https://foo.com/thing only from one ip. And I didn't want to
| give them my normal desktop ISP ip because it changes so I
| gave them my static cloud linux VM ip. But it has no gui. So
| I wanted to use the webapp from my desktop. I installed squid
| and set it as my proxy server and did tail -f thelog and OMG
| the amount of requests just my normal browser makes to all
| sorts of weird stuff!
| eyelidlessness wrote:
| NightShift is different (but somewhat related) functionality:
| it adjusts the color profile to be warmer/reduce blue light.
| Both can be scheduled to correspond to time of day[light]
| however.
| txr wrote:
| Oh right, got that mixed up
| frizlab wrote:
| I did a small Automator action that just switches dark mode on my
| computer, and I activate it with the cmd-alt-shift-P hotkey; it's
| truly convenient and there's no need for a third-party :)
| Maarius wrote:
| You can also use BetterTouchTool for that. I have CTRL-OPTION-
| CMD-M set up on macOS :)
| overvale wrote:
|   osascript -e 'tell app "System Events" to tell appearance preferences to set dark mode to not dark mode'
| 666satanhimself wrote:
| [dead]
| DavideNL wrote:
| So this seems to be the app on VirusTotal:
| https://www.virustotal.com/gui/file/375ef0eb310d3fa82ddb5357...
| otikik wrote:
| Wow, that's scummy and desperate
| angst_ridden wrote:
| Not to be confused with NightOwlConnect, which allows one to
| remotely access NightOwl-brand security camera DVRs.
|
| I'd not be surprised to find that that app has some sketchiness
| baked into it as well.
| barefeg wrote:
| Kind of off topic. But is there any app/service/extension for
| parsing these TOS with an LLM to catch all these shady things? If
| not, would one be useful? (I'm also a bit surprised this is in
| the TOS in the first place, but there's already a thread about
| that.)
| radicality wrote:
| Could be useful. Though people might as well do it themselves?
| I just pasted the whole thing to chatgpt and told it to
| summarise it into bullet points.
|
| Related, this just brought back the memory of the Southpark
| episode 'Human centipad' where people accept the iTunes T&C
| without reading them :)
| icyfox wrote:
| I know this happens with some frequency, I wonder how frequently
| the companies update the TOS with language like this. The very
| idea of a self-updating TOS that will govern all usage into
| perpetuity feels like it should have been legally struck down
| years ago. This company's current language on indistinct
| modification rights:
|
| > We reserve our right to alter the terms in this Agreement
| and/or the pricing information and method detailed in NightOwl
| app's website at any time. In case the Agreement is amended as
| described, we will post an updated version of it in our website,
| at which time it becomes active and binding.
|
| > In case NightOwl app alters the Agreement in a way which will
| be deemed material to the relations and/or obligations of the
| parties by NightOwl app's sole decision, we will inform you of
| these changes on our website or via our social media accounts and
| other established communication channels.
|
| Great, a website update for a locally installed application.
| Definitely going to subscribe to your social feed to get an
| update.
| balaji1 wrote:
| was there a similar (policy or functionality) change to "the
| great suspender" chrome extension recently? Browsers seem to
| have marked it as unsafe.
| cipheredStones wrote:
| It's been malicious for two and a half years now:
|
| https://news.ycombinator.com/item?id=25846504
|
| https://news.ycombinator.com/item?id=25622015
| mschuster91 wrote:
| Duuuuuude. How far has time passed?!
| lynguist wrote:
| Could maps.me also be in a similar state? It used to be a good
| OpenStreetMap frontend and it was bought (possibly twice) by
| some investor firm to generate profit.
|
| I don't know what is the state of this app now. Does anyone
| know? What is the profit scheme (I suspect it might be similar
| to this one described here) and to which app would you switch
| instead?
| jcul wrote:
| OrganicMaps is a FOSS fork of maps.me I believe.
|
| I've been using it and it is great.
|
| https://github.com/organicmaps/organicmaps
| andrepd wrote:
| +1 for Organic Maps, it's an amazing app (I still keep
| OsmAnd installed for some more advanced uses)
| burkaman wrote:
| It has been struck down and probably would be again if anyone
| felt like suing:
| https://arstechnica.com/tech-policy/2007/07/court-says-no-to...,
| https://scholar.google.com/scholar_case?case=592583419165850...
|
| > [Safeway] reserves the right to, from time to time, with or
| without notice to you, in [Safeway's] sole discretion, amend
| the Terms and Conditions for use and purchases regarding the
| online shopping services. Any amendment by [Safeway] will be
| effective only as to orders you place after [Safeway's]
| revisions of these Terms and Conditions as displayed on the Web
| site. [Safeway] will plan to notify you of any material
| amendments to these Terms and Conditions; however, it is your
| responsibility to review the Terms and Conditions before
| submitting each order. [Safeway] has no responsibility to
| notify you of any changes before any such changes are
| effective.
|
| > Defendant argues that, at the time of their safeway.com
| registration, Class Members agreed to give Safeway the
| authority to change the terms of the contract without notice to
| them, by indicating that they agreed to the version of the
| Special Terms that are in effect at the time they make their
| subsequent orders. Defendant's version of the Special Terms
| states that customers agree to the terms "and the form in which
| they appear at the time your online transaction is processed."
| ECF No. 187 at 16-17 (emphases added). In order to complete
| their registration, Customers were required to manifest
| agreement to the Special Terms shown to them by clicking a
| link. Defendant contends that, as a result of users' agreement
| to this Special Term at the time of their registration, Safeway
| was not required to notify customers of future changes to the
| terms for those changes to become effective. Safeway contends
| that, because Class Members read the initial registration
| contract, every time they opted to go forward with an online
| purchase after registration, they were on notice that they were
| assenting to a new contractual agreement, governed by the
| Special Terms operative elsewhere on the website at the time of
| that purchase.
|
| > The Court rejects this argument. The safeway.com agreement
| did not give Safeway the power to bind its customers to unknown
| future contract terms, because consumers cannot assent to terms
| that do not yet exist. A user confronting a contract in which
| she purports to agree to terms in whatever form they may appear
| in the future cannot know to what she is agreeing. At most,
| this term in the safeway.com agreement could be read to
| indicate that a customer agrees to read the terms and
| conditions every time she makes a purchase on the website in
| the future. But the Court also concludes that, even in light of
| their agreement to the Special Terms at the time of
| registration, customers' assent to the revised Terms cannot be
| inferred from their continued use of safeway.com when they were
| never given notice that the Special Terms had been altered.
| icyfox wrote:
| Thanks for linking to these. They are certainly in the right
| direction although they're a bit vague on how much notice to
| give:
|
| > Even if Douglas's continued use of Talk America's service
| could be considered assent, such assent can only be inferred
| after he received proper notice of the proposed changes.
| Douglas claims that no such notice was given. (Douglas v.
| Talk America)
|
| > But the Court also concludes that, even in light of their
| agreement to the Special Terms at the time of registration,
| customers' assent to the revised Terms cannot be inferred
| from their continued use of safeway.com when they were never
| given notice that the Special Terms had been altered. (Rodman
| v. Safeway)
|
| Both cases seem focused pretty narrowly on situations where
| notice was not given. Is continuing to use an app after an
| update notification enough? Glancing over a GDPR-like popup?
| An email? I'd prefer an explicit opt-in to changes once
| they've occurred.
| deviantintegral wrote:
| It looks like Apple has revoked the developer certificate. Anyone
| know if there's a public log somewhere showing when it was
| revoked?
|
| The app was blocked from loading, but I still saw the two dylibs
| running. I wondered if it was because the certificate was revoked
| after they had already started. However, logging out and back in
| still showed them running. Perhaps they're persisting through log
| outs?
|
| As well, I got a prompt from the macOS firewall to allow the
| mentioned AutoUpdate binary to listen for connections. That makes
| me think all of this was deployed in the last few days.
|
| Edit: A reboot gave me the `"NightOwl" will damage your computer.
| You should move it to the Trash.` dialog. Allowing that did not
| fully clean things up (leaving a non-functional
| `/Users/*/Library/LaunchAgents/NightOwlUpdater.plist` in place
| and the usual preference files). For me, Hazel cleans those up.
|
| I think the answer for non-technical users who may not be familiar
| with the terminal would be to direct them to reboot.
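
The two leftovers named in this thread, the `NightOwlUpdater.plist` LaunchAgent from the comment above and the `proxy-gw1-europe.squidyproxy.com` entry txr found in `.ssh/known_hosts`, can be checked for across home directories with a short script. This is an added example, not code from the thread or the linked article; the function names and the output format are made up here.

```shell
#!/bin/sh
# Added example: look for the two NightOwl leftovers mentioned in this thread.
# Function names and output format are assumptions of this example.

AGENT_NAME="NightOwlUpdater.plist"             # path component from the thread
PROXY_HOST="proxy-gw1-europe.squidyproxy.com"  # host name from the thread

# Print the leftover LaunchAgent path under one home directory, if present.
find_launch_agent() {
    agent="$1/Library/LaunchAgents/$AGENT_NAME"
    if [ -e "$agent" ]; then
        printf '%s\n' "$agent"
        return 0
    fi
    return 1
}

# Succeed if <home>/.ssh/known_hosts holds an entry for the proxy host.
has_proxy_known_host() {
    kh="$1/.ssh/known_hosts"
    [ -r "$kh" ] || return 1
    # Plain-text entries: exact match on each comma-separated host name,
    # accepting the [host]:port form and skipping comments and blank lines.
    if awk -v h="$PROXY_HOST" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            f = ($1 ~ /^@/) ? $2 : $1      # skip @cert-authority / @revoked marker
            n = split(f, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name)
                sub(/\](:[0-9]+)?$/, "", name)
                if (name == h) found = 1
            }
        }
        END { exit found ? 0 : 1 }' "$kh"; then
        return 0
    fi
    # Hashed entries (HashKnownHosts yes) cannot be matched as text;
    # ssh-keygen -F looks them up when it is installed.
    if command -v ssh-keygen >/dev/null 2>&1; then
        [ -n "$(ssh-keygen -F "$PROXY_HOST" -f "$kh" 2>/dev/null)" ] && return 0
    fi
    return 1
}

# Report findings for every home directory given; returns 0 only if all are clean.
scan_homes() {
    hits=0
    for home in "$@"; do
        if agent=$(find_launch_agent "$home"); then
            echo "FOUND launch agent: $agent"
            hits=$((hits + 1))
        fi
        if has_proxy_known_host "$home"; then
            echo "FOUND known_hosts entry for $PROXY_HOST: $home/.ssh/known_hosts"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Usage: sh check.sh /Users/*
if [ "$#" -gt 0 ]; then
    scan_homes "$@"
fi
```

A non-zero exit status means at least one home directory still has one of the two artifacts.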
| lapcat wrote:
| > It looks like Apple has revoked the developer certificate.
| Anyone know if there's a public log somewhere showing when it
| was revoked?
|
| No, Developer ID doesn't use a Certificate Revocation List:
|
| https://lapcatsoftware.com/articles/revocation.html
| deviantintegral wrote:
| Given
| https://eclecticlight.co/2023/08/08/apple-has-just-released-...
| it does look like it was revoked in response to
| the original article, and not the other way around.
| lapcat wrote:
| > Given
| > https://eclecticlight.co/2023/08/08/apple-has-just-released-...
|
| XProtect is separate from Developer ID certificate
| revocation. In many cases, malware is not even code signed,
| so certificate revocation would do nothing.
|
| > it does look like it was revoked in response to the
| original article, and not the other way around.
|
| I'm not sure what you mean?
| dangoodmanUT wrote:
| And this is why we run little snitch!
| highwaylights wrote:
| This makes me really wary of all apps more generally. How many
| other apps are doing this crap already and just haven't been
| noticed / called out for it yet?
| LB9990 wrote:
| Does no one else find it difficult to read pure white on black
| sites? Ironic when the post is about a dark mode app I know.
|
| I'm all for dark mode, but give me an option to switch back if
| it's a wall of pure white text please!
| hank_z wrote:
| If anyone is looking for an alternative, I have been using my
| script below for two years without any issue.
|
| --edit--
|
| I do not know how to format code here.
|
| --edit--
|
| Another attempt to format code here.
|
| # Step 1 Save script below to your local drive. For example,
| `/Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh`
|
|   #!/bin/zsh
|   # ref: https://unix.stackexchange.com/a/526097
|   # start time is 18:33 -> 18 * 60 * 60 + 33 * 60 = 66780
|   # end time is 07:33 -> 07 * 60 * 60 + 33 * 60 = 27180
|   # install gdate via `brew install gdate`
|   if [[ $(uname -m) == 'arm64' ]]; then
|     secsSinceMidnight=$(( $(/opt/homebrew/bin/gdate +%s) - $(/opt/homebrew/bin/gdate -d '00:00:00' +%s) ))
|   else
|     secsSinceMidnight=$(( $(/usr/local/bin/gdate +%s) - $(/usr/local/bin/gdate -d '00:00:00' +%s) ))
|   fi
|   if [[ $secsSinceMidnight -lt 27180 || $secsSinceMidnight -gt 66780 ]]; then
|     # turn on dark mode
|     osascript -e 'tell app "System Events" to tell appearance preferences to set dark mode to true'
|   else
|     # turn off dark mode
|     osascript -e 'tell app "System Events" to tell appearance preferences to set dark mode to false'
|   fi
|
| # Step 2 run `crontab -e` and add script below
|
|   # cron job for enabling macOS dark mode periodically
|   # darkModeWatcher script is executed 60s after reboot. After that,
|   # it is executed at 35 mins of each hour if the display is not asleep.
|   # replace xxxx with your username
|   @reboot sleep 60 && /bin/zsh /Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh >> /Users/xxxx/Library/Logs/systemDarkModeWatcher.log 2>&1
|   35 */1 * * * if [[ -n "$(/usr/sbin/system_profiler SPDisplaysDataType | /usr/bin/grep 'Asleep')" ]]; then newDisplayStatus=0; else newDisplayStatus=1; fi && if [[ $newDisplayStatus == 1 ]]; then /bin/zsh /Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh >> /Users/xxxx/Library/Logs/systemDarkModeWatcher.log 2>&1 ; fi
| dingosity wrote:
| FYI... last time I tried, I could get the equivalent of a HTML
| <PRE> block by putting two spaces at the beginning of every
| line. Here's an example. Each line was indented two spaces:
|   #include <stdio.h>
|   int main() {
|     printf( "Bonjour, totes le monde!\n" );
|     return( 0 );
|   }
|
| Looks like it worked. It looks like it's rendering with a mono
| font.
| hank_z wrote:
| Thanks. It works.
| mcguire wrote:
| " _The application, at least the time of writing, and the
| installations I've been made aware of, makes a lot of connections
| to https://stubbs.frontgatetickets.com/, a website that sells
| tickets to live music events for a restaurant in Austin, TX._ "
|
| Stubbs BBQ?
| tayiorrobinson wrote:
| Yes.
| [deleted]
| dspillett wrote:
| _> The application ... makes a lot of connections to [site], a
| website that sells tickets to live music events_
|
| This is a common use for residential proxies. Ticket touts buy
| use of the infected users to make requests to try to beat
| restrictions on access from data-centre hosts or high-volume
| access from other hosts, to increase their chance of getting
| valuable tickets for later resale.
|
| A number of backdoored (by the creator, by someone cracking into
| their source repositories, or in this case by buy-out) free
| browser extensions, VPN apps, and such, turn the user's machines
| into a proxy like this.
| hoofhearted wrote:
| NordVPN does this as well. Google and Amazon own large blocks
| of IP ranges for their cloud services, so it's fairly easy to
| detect bots built on AWS and Google cloud.
|
| On the other hand, Verizon also owns a large block of IP
| addresses that they give out to their residential customers.
|
| NordVPN takes advantage of the fact that people like Netflix
| and Amazon don't want to block out Verizon's ip ranges, and
| disguise network traffic as residential traffic.
| otterley wrote:
| Do you have a link to more information somewhere? I'd like to
| know more about what NordVPN is doing, if true. It's
| certainly not what their customers expect.
| hoofhearted wrote:
| https://nordvpn.com/blog/residential-proxies/
| dingosity wrote:
| I agree with you if you're talking about tech savvy users.
| But I think NordVPN has enough users who don't know what's
| going on under the hood that they might not understand the
| implications of forwarding potentially copyright-hostile
| packets.
| Philip-J-Fry wrote:
| I can't see anything suggesting they proxy VPN traffic
| through their users. Would certainly be a scandal worth
| talking about if true.
| hoofhearted wrote:
| I believe users can opt in to let proxy traffic through.
| knodi123 wrote:
| > NordVPN does this as well.
|
| Do they? Last time I looked into this drama, it seems like
| the botnet accusations were just scurrilous slander.
|
| https://www.comparitech.com/blog/vpn-privacy/nord-vpn-botnet...
| reaperducer wrote:
| The last time someone made this claim on HN, someone from
| NordVPN responded saying it is false.
| runlaszlorun wrote:
| Was expecting a clickbait article. No sir!
|
| Great piece.
| ajkjk wrote:
| There's gotta be some law that could be passed about stuff like
| this. Software should have an implicit contract that it does what
| it says and not something wildly different than it, with harsh
| penalties for violations.
| cpmsmith wrote:
| Common licenses specifically go out of their way not to imply
| such a contract. This is the start of the all-caps portion of
| the MIT License [0]:
|
| > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY
| KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO [...]
| FITNESS FOR A PARTICULAR PURPOSE
|
| ...and the GPL has nearly the same text in section 15. [1]
|
| [0]: https://opensource.org/license/mit/
|
| [1]: https://www.gnu.org/licenses/gpl-3.0.html#section15
| ajkjk wrote:
| Yeah, but also common licenses are set by the distributor.
| (which they're also evidently free to secretly change?)
|
| I want the other side of the deal: a default license implicit
| in the existence of software that can't be traded away
| without an explicit contract that involves something like an
| exchange of money, which a federal agency will safeguard
| against violations of. If an extension changes its behavior
| nefariously people should go to jail. If Google safeguards an
| extension that changes its behavior nefariously then Google
| should go to company jail. (or, like, be fined and forced to
| comply).
|
| (admittedly, this is hopeless idealism. But still.)
| runlaszlorun wrote:
| We should all have our own EULAs that they implicitly agree
| to... lol.
|
| I should start doing this with big websites. And of course my
| EULA is a 10MB file I'll send with every request until they
| accept... :)
|
| Can you imagine if that caught on? DDOS by EULA!
| dancemethis wrote:
| [flagged]
___________________________________________________________________
(page generated 2023-08-08 23:01 UTC)