[HN Gopher] Uninstall the NightOwl app
___________________________________________________________________

Author : txr
Score  : 769 points
Date   : 2023-08-08 17:23 UTC (5 hours ago)

(HTM) web link (robins.one)
(TXT) w3m dump (robins.one)

| WirelessGigabit wrote:
| > It also tries to open a UPnP port forward on your router, but fails on mine because the key names are jumbled:
|
| This should fail on any router as you should have UPnP disabled.
|
| jeroenhd wrote:
| Disabling UPnP makes your system more secure, but unless you also disable all NAT ALGs in your router, you're still exposed to its dangers.
|
| I don't think most routers have a setting for that, so if infected devices are part of your security model, it would be wise to assume NAT is entirely non-functional because of [NAT slipstream attacks](https://samy.pl/slipstream/). An infected device can modify the router's NAT table to effectively act like UPnP, except they don't provide a user interface for you to audit.
|
| If you're NAT free (i.e. only use IPv6) disabling UPnP can be a decent security measure if you're willing to manually do all of your firewall exclusions, but honestly host firewalls are the only reliable protection method for most people these days.
|
| klabb3 wrote:
| I mean UPnP is a horrible spec but it's a stop gap for restoring the fundamental capability of internet-connected devices in residential settings. All p2p apps (Tailscale for instance) need to act as a server temporarily and allow incoming traffic. Without the _capability_ you're a second class citizen, so to say. It's infantilizing the user.
|
| Now, you can of course open the ports yourself, but this is inaccessible to the vast majority of users due to undiscoverable, inconsistent and complicated UX. Most people don't know what a port is.
|
| WirelessGigabit wrote:
| Tailscale uses STUN. No need for me to map ports.
| https://tailscale.com/kb/1082/firewall-ports/
|
| klabb3 wrote:
| Yeah they use several techniques but it includes UPnP if available.
|
| > $ tailscale netcheck
|
| > [...] * PortMapping: UPnP
|
| TheRealPomax wrote:
| Let me tell you about family members that have a mac because "they don't want the hassle of a windows laptop". They also don't want the hassle of not having uPnP, that setting is going to be turned on whether you know better or not.
|
| rootusrootus wrote:
| > Let me tell you about family members that have a mac because "they don't want the hassle of a windows laptop".
|
| They are not wrong. E.g. It amazes me how much pain and suffering Microsoft expects users to endure just to use a printer. It is not lost on my stepmother that her Windows machine has endless problems setting up and printing to her Brother laser printer, but her iPhone just sees it without having to be told.
|
| smoldesu wrote:
| If Microsoft embraced CUPS and Apple wrote Vulkan drivers, society would probably look like that _The world if_ meme: https://knowyourmeme.com/memes/the-world-if
|
| callalex wrote:
| Do you deny the need for UPnP entirely? This is a confusing statement.
|
| Astronaut3315 wrote:
| What do you actually need it for? I've had it disabled for ages, have no port forwards defined and have never had any issues.
|
| veave wrote:
| I have many devices at home and I can't be administering all the port forwards by hand, it would be a lot of work.
|
| dingosity wrote:
| +1. I also have had it disabled for ages. What features am I missing out on? When I look at the UPnP docs it talks about uses for which I have other mechanisms.
|
| NavinF wrote:
| VoIP and video calls have lower quality and higher latency without UPnP since this often forces webRTC to tunnel through a TURN server.
| Networks that have neither IPv6 nor UPnP are just broken
|
| NotYourLawyer wrote:
| > sudo zsh -c "rm /Users/*/Library/LaunchAgents/NightOwlUpdater.plist"
|
| Why do you need to call out to zsh for this command instead of just running it in the current shell?
|
| ptx wrote:
| Because the expansion of the wildcard needs to happen with the privileges granted by sudo. If you just ran "sudo rm ..." the expansion would be done by the current shell, which doesn't have the required privileges.
|
| Arnavion wrote:
| I don't know anything about MacOS. Normal users don't have r-x on /Users ? How do they access their own /Users/whatever homedir then?
|
| nicolas_17 wrote:
| Normal users have r-x on /Users, but for that wildcard to work, they would need r-x on /Users/foo, /Users/foo/Library, and /Users/foo/Library/LaunchAgents, for every "foo" user in the system.
|
| Arnavion wrote:
| For that exact command, yes. But if `/Users/*` by itself can be expanded without root you can construct the list of files to delete without needing the `zsh -c`. Eg `for d in /Users/*; do sudo rm -f "$d/Library/LaunchAgents/NightOwlUpdater.plist"; done`
|
| It's a minor point overall. I was just checking if MacOS had something else going on with its file permissions.
|
| NotYourLawyer wrote:
| Oh, makes sense. Thanks.
|
| mcguire wrote:
| Pardon, but with double quotes, isn't the expansion going to be done by the current shell anyway?
|
| mh- wrote:
| globs aren't expanded in double quotes (not in bash or zsh, at least).
|
| [deleted]
|
| ecf wrote:
| Developers who sell out their app to entities like this deserve to be ostracized from the profession.
|
| devit wrote:
| Apparently the perpetrator who sold out their users to the highest bidder is named Benjamin Kramser and they even freely admit the deed on their homepage!
| (https://www.kramser.xyz/)
|
| ecf wrote:
| > I love to build digital products
|
| Should update that to "I love to throw the people who love my digital products under the bus"
|
| onemoresoop wrote:
| Software as rugpull model
|
| mindwork wrote:
| Little Snitch would help detecting to which IPs and addresses app connects and allow to block those connections
|
| OpinionRegister wrote:
| [dead]
|
| hiatus wrote:
| Or LuLu!
|
| walthamstow wrote:
| MacOS pulled it for me, refused to open it
|
| Replaced it with NightFall https://github.com/r-thomson/Nightfall
|
| princevegeta89 wrote:
| If toggling between modes is all that is needed, it can be done right through BetterTouchTool. I just assigned a right-click+option+cmd globally for it and it works like a charm
|
| seemaze wrote:
| You can also put display settings directly in the menu bar using:
|
| Settings > Control Center > Display > Always Show in Menu Bar
|
| I'll concede it takes a second click to toggle dark mode, but you also have night shift as an option, and it's 100% native.
|
| K7PJP wrote:
| This option wasn't available in 2018, when NightOwl was released. I had to test our application's Dark Mode implementation and NightOwl was super-useful then. I'm glad Apple made it easier to toggle dark mode in the interim.
|
| radicality wrote:
| Another very simple way is to make your own thing with the default Automator app.
|
| * open up Automator and create new application
|
| * select "change system appearance" and select toggle light/dark mode.
|
| * save the 'app'
|
| Now, whenever you want to toggle light/dark mode, just open up spotlight and open up whatever you named the app. There's probably a way to do it with Shortcuts too.
|
| [deleted]
|
| samwillis wrote:
| Feck, I'm uninstalling right now.
|
| I assume this is being used by those services that sell scrapers "real domestic IP addresses", where in fact they are selling a botnet.
|
| We can't just have nice things can we.
|
| hiatus wrote:
| > I assume this is being used by those services that sell scrapers "real domestic IP addresses", where in fact they are selling a botnet.
|
| The author alleges as much in TFA.
|
| cpleppert wrote:
| >> It is an alternative to the built in macOS automatic mode which only switches when the user steps away from the computer.
|
| Huh? Setting a schedule/location for nightshift and setting the dark mode setting to auto will always change instantly. If you use a launcher or spotlight then a simple one line applescript can change the setting as well. (tell application "System Events" to tell appearance preferences to set dark mode to not dark mode).
|
| jw1224 wrote:
| > Huh? Setting a schedule/location for nightshift and setting the dark mode setting to auto will always change instantly
|
| Not in my case?! I'd say there's a 25% chance that Dark Mode enables at sunset. It's been this way for years -- even up til Ventura.
|
| Has it worked flawlessly for everyone else the whole time?
|
| balaji1 wrote:
| there seem to be many features that are flawless for some, and hit-or-miss for others. Example Airpods pairing, airplay are not always consistent.
|
| CoryAlexMartin wrote:
| I have the same experience. Dark mode automatically turns on way later than I'd like it to.
|
| From the article: "It is an alternative to the built in macOS automatic mode which only switches when the user steps away from the computer."
|
| If I set up night shift, it will switch to dark mode at the time I set, but it also tints my screen (even subtly, if I turn the slider all the way down), which I don't care for as someone who does art.
|
| fingerlocks wrote:
| Only time it didn't work flawlessly was because I had contradictory settings between my phone and MacBook
|
| K7PJP wrote:
| In 2018, when NightOwl was released, some or all of these affordances didn't yet exist.
|
| TZubiri wrote:
| [flagged]
|
| spiznnx wrote:
| Is this a common slang in infosec? I've never seen it used like this and it has highly insensitive connotations for me in other contexts.
|
| stjohnswarts wrote:
| I haven't heard anyone using that homophobic edgelord word in probably a decade. Maybe a time traveler?
|
| chayesfss wrote:
| [dead]
|
| linuxdude314 wrote:
| No it's not and its use should not be perpetuated in this context.
|
| It's definitely the homophobia you are perceiving.
|
| No one misses the edge lords of yesteryear.
|
| [deleted]
|
| bertil wrote:
| I had to google to check, and I've found so many interpretations that I feel like a linguist would have a field day with that word alone.
|
| akira2501 wrote:
| Imagine spending thousands of dollars for something that can't even do basic personal automation reliably.
|
| mahathu wrote:
| You can use the Shortcuts application on macOS and iOS for a wide variety of personal automation tasks.
|
| kstrauser wrote:
| "WHEREAS, NightOwl app enables Users to share internet traffic by modifying their device's network settings to be used as a gateway for internet traffic. Additionally, the User's device acts as a gateway for NightOwl app's Clients, including companies that specialize in web and market research, SEO, brand protection, content delivery, cybersecurity, etc."
|
| Fuck that with a chainsaw. Burn it. Burn it with fire.
|
| dingosity wrote:
| [flagged]
|
| kstrauser wrote:
| Selling ads is one thing. Selling my Internet connection, which violates the ToS of most ISPs, is a vastly different situation.
|
| dingosity wrote:
| How So? I mean, NightOwl doesn't have an arrangement with your ISP, they have an arrangement with you.
|
| I'm not sure your ISP is going to delete your account because you didn't know some app was doing something shady.
| If the standard is every app user has to know what each app does under the hood, then there's going to be a lot of people who won't be able to match that standard.
|
| dylan604 wrote:
| are you kidding? of course they will. back in the early days of the interwebs, it was not unheard of to have the ISP block your account when your machine got hacked from malware and used your box/connection as a SPAM server. From they, consumer ISPs just block that port. They've also added terms about not running servers on the consumer connection. While your server would have to be using a lot of bandwidth to get noticed, it is part of their terms that you agree to.
|
| So yes, they will absolutely suspend your account until they are satisfied the usage is in alignment with their expectations.
|
| tayiorrobinson wrote:
| Their TOS essentially just says "Don't use the app"
|
| > NightOwl app cannot be held responsible in any circumstances for Shared traffic fees or any other costs the User may incur in accordance with agreements with their internet service provider. The Application use might be prohibited or restricted by the User's service provider or applicable laws. The Application may not be compatible with all service providers' policies and regulations. The User should confirm the ability to use the Application with their service provider.
|
| prmoustache wrote:
| No but you could be SWATed because someone sold child porn through your IP.
|
| Regardless of how you can prove your innocence, it can be traumatic for you and your family, you can say goodbye all your computers and phone, you'd have to deal with the gossip from neighbours and relative and possible social exclusion, and possibly your couple/marriage as well.
|
| [deleted]
|
| OhMeadhbh wrote:
| Stop being a jerk and play nice. Say what you mean without attacking people.
|
| dingosity wrote:
| I don't think I was attacking people, but will defer.
| In less inflammatory prose, let me say:
|
| There is a problem on the net that is exacerbated by funding models which seek to use free services to do "bad" things. The Ad-Driven model has problems that the needs of the end user are often not considered paramount, but instead the needs of the advertiser are. After all, they're the ones paying the bills. Print newspapers famously had this problem, balancing the interests of editorial and advertisement.
|
| Furthermore, there are people on HN whose enterprises are funded by ad revenue. I worry they (and their investors) err on the side of the advertisers rather than on the side of the users when there is a conflict. I doubt there are many here who would go to extremes such as enrolling customers' iPhones into botnets, but there is always that temptation. What if you were a couple weeks away from laying everyone off and a shady partner sidled up to you and suggested such a move. I believe it would be a moral crisis for any entrepreneur: shaft your customers or shaft your business, its investors and its employees.
|
| I am lucky to operate from retained earnings and (at least for the time being) could firmly reject such an offer. I appreciate that I am probably in the minority in this respect.
|
| I bemoan the current state of affairs where so many entrepreneurs could even conceivably be tempted by such a Faustian bargain (without asserting the majority are.)
|
| I am ensaddened that experiments like Bitcoin seem to have devolved into ponzi schemes rather than effective micropayment vehicles. Such a platform could conceivably open up new business models which would allow entrepreneurs to ignore this particular devil.
|
| worik wrote:
| > What if you were a couple weeks away from laying everyone off and a shady partner sidled up to you and suggested such a move.
| I believe it would be a moral crisis for any entrepreneur: shaft your customers or shaft your business, its investors and its employees.
|
| That is the difference between ethical and unethical operators
|
| rootusrootus wrote:
| > <snark>Hah! 4 downvotes! That's all you can muster! Come at me, bro!</snark>
|
| AFAIK, 4 is the maximum number of downvotes that will be recorded for a single post. It's possible I'm wrong, but occasionally I write things that do not receive universal adulation and never has one gone below -4.
|
| sublinear wrote:
| > Isn't this sort of what the web is for? Service providers give you shiny objects for free and in exchange you give them complete access to your digital life.
|
| If you made it clear you were being sarcastic, you wouldn't be getting downvoted.
|
| Yes this is what many businesses want you to think. The web isn't for anything in particular besides general communication bound only by the laws beyond the first amendment.
|
| mcguire wrote:
| Neither the First Amendment nor any particular set of laws bind _the web_ generally.
|
| dingosity wrote:
| If you're commenting on the difficulty of policing the intarwebs, I heartily agree with you.
|
| If you're saying CD230 doesn't exist, I encourage you to rejoin consensus reality. But if you're trying to say CD 230 is in need of review, I would heartily agree.
|
| dingosity wrote:
| Sarcastic? Not really. But I do see I am violating H. L. Mencken's rule: Never argue with a man whose job depends on not being convinced.
|
| I sell to customers who purchase my goods. I'm not trying to sell my company to a VC who's using it to suck up ad dollars. My customers are my users, your customers are VCs.
|
| OhMeadhbh wrote:
| I love you to death, but this ain't helping.
|
| barbazoo wrote:
| I guess "modifying their device's network settings" is already covered under whatever permissions we had to give it to perform the original task of switching on/off dark mode? That's a bummer. Would be nice if app permissions were more granular if that's the case.
|
| WirelessGigabit wrote:
| And this is the risk that operating system developers run when you take away features or you don't develop features that your userbase wants.
|
| Look at the amount of Start Menu modifiers there are out there for Windows. All because Microsoft keeps on changing the start menu. Why? I don't know. I just want to get rid of the Recommended section, but I'm not allowed to.
|
| qwerpy wrote:
| Last night I got a notification that advertised Game Pass to me. I angrily clicked on manage notifications and there's a notification source called "Suggested" that somehow was turned on. That was the last straw for me. I go through so much diligence setting up my browser's ad block, only for the OS to bypass all that.
|
| For now "Suggested" is turned off and I disabled all notifications for good measure, but I don't know how much longer Windows will allow that. I don't intend to find out.
|
| PartiallyTyped wrote:
| Name and shame the developers and the company.
|
| crazygringo wrote:
| So, usually I associate super-shady things with _hiding_ the fact that they're super-shady.
|
| I'm thankful, but also genuinely curious, why they put this explicitly in their TOS.
|
| It just kind of seems to be like the kind of person/org who would implement this shady stuff in the first place, would also actively hide that they're doing it.
|
| Is there a legal reason that protects NightOwl by explicitly putting it in the TOS? E.g. does this prevent them from being sued for any of it, where they could have been successfully sued otherwise? Like it's technically do to all this shady stuff but _only_ as long as it's in your TOS?
|
| runlaszlorun wrote:
| I'm no lawyer but my guess is that the bar is so low for what's actually legal- and no one generally reads these EULA's- that it's easier just to have it in there.
|
| sublinear wrote:
| The bar is intentionally low "for what's actually legal".
|
| You really don't want the government interfering with the implementation details and business models of software products. That's a really bad road to go down.
|
| The problem is really a lack of inspiration for both the dev and user. In this case someone made a trivial tool and didn't know how else to monetize it than being a scumbag and exploiting social norms and good will. The user also decided to use something that's dumb and not worth risking making any agreement with any entity at all.
|
| Situations like this are where free software excels. Things that are inconsequential in premise should stay that way in practice.
|
| sublinear wrote:
| I'm not a lawyer, but the terms of service are an agreement with the user, so yes. They're not hiding anything because then they'd get sued.
|
| If they didn't disclose "this shady stuff" then the user can try to resolve their dispute via remedies stipulated elsewhere.
|
| Really there are several ways they could have gone about writing this agreement. This is probably the simplest for everyone. This is also how the bigger orgs write their agreements. They state their intent and you have to agree or fuck off.
|
| The badly written agreements (what you were expecting) are less honest and try to explicitly have the user waive some rights entirely including any remedies in or out of court, but those can usually be deemed unenforceable because they violate established rights and precedent rulings.
|
| kfrzcode wrote:
| Also not a lawyer. I'd think there's a level of interpretation to the enforceability of a given clause if it's not adequately exposed or is unconscionable in fairness.
| I'm guessing it's not so easy as clickwrap = rock solid contract.
|
| sublinear wrote:
| Sure if a majority of users expect apps to not steal your data or misuse your internet connection.
|
| Sadly this isn't the case anymore. The layperson is distrustful by default and can only rely on the more astute to blow a whistle. Even a judge would just say to not install apps that aren't critical to your everyday life and be done with it. Nobody has the time to swat at flies.
|
| ncallaway wrote:
| > The layperson is distrustful by default
|
| This sounds like it was written from an alternate reality. It doesn't match my experience at all
|
| sublinear wrote:
| Yeah distrust isn't enough to deter the layperson from using an app anyway. That's my whole point.
|
| alexpotato wrote:
| This reminds me of the Jerry Seinfeld joke:
|
| "I bought the Superman Halloween costume and on the side of the box it said 'do not attempt to fly'.
|
| I always wondered about the kid who was:
|
| - dumb enough to think they could fly
|
| BUT
|
| - thought to themselves 'wait, let me check the box first. Oh! Good thing I checked!'
|
| The TOS sounds a little bit like the "do not attempt to fly" warning.
|
| NavinF wrote:
| A lot of "free" VPN apps do the same thing and I haven't heard of any of them getting in legal trouble. It's kinda like running a tor exit node except most buyers just wanna borrow the user's IP to scrape sites that are otherwise impractical to scrape with just a captcha solver due to aggressive blocking of non-residential ISPs and heavy rate limiting.
|
| Chabsff wrote:
| The difference being that it's somewhat related to the app's operation. In this case, it's completely orthogonal to the app's marketed function.
|
| jallen_dot_dev wrote:
| > does this prevent them from being sued for any of it, where they could have been successfully sued otherwise?
|
| As I understand it, anyone can sue anyone for anything.
| What matters is convincing a judge/jury that you have been wrongfully harmed by the defendant. So if someone can make a good enough case for damages stemming from this data collection, then they can successfully sue.
|
| This doesn't prevent them from suing, but it makes their case significantly weaker if the defendant can argue that the user agreed to have their data collected.
|
| hammock wrote:
| >I'm thankful, but also genuinely curious, why they put this explicitly in their TOS.
|
| The guy's in the US, not China or Cyprus, so there's actually a chance he could get in trouble.
|
| macinjosh wrote:
| My assumption is there is a non-trivial number of people who will never read or notice that. Much less understand the ramifications.
|
| omgJustTest wrote:
| Probably compelled by Apple, or removal from store.
|
| tayiorrobinson wrote:
| The app isn't on the App Store. (switching light/dark is a private API so it wouldn't be allowed on the store anyway)
|
| wouldbecouldbe wrote:
| There is no way reviewers would accept that if they read it
|
| jamil7 wrote:
| There's a lot the app is doing that would not be allowed through review. It's distributed via Sparkle which is pretty common for mac apps.
|
| CoryAlexMartin wrote:
| I installed this app earlier this year, and uninstalled it a few days later after I noticed it constantly using obscene amounts of my internet data.
|
| I_am_tiberius wrote:
| As a side note I want to mention that I use Night Shift on mac os and every day!!! I need to switch it back on because there is no option to leave it enabled all day long.
|
| andrethegiant wrote:
| I have it set to a custom schedule that starts at 4am and ends at 3:59am, effectively leaving it enabled all day long.
|
| I_am_tiberius wrote:
| I have it set this way as well. But as I'm living a rolling day:), I often experience the light suddenly going on, so I have to reset it again.
|
| linuxdude314 wrote:
| What are you talking about?
| The whole point is you leave it on and it tracks the sun. Does this not work for you?
|
| I_am_tiberius wrote:
| Yes, this works. but I want to have it enabled constantly because I like my screen that way.
|
| mschuster91 wrote:
| I _hate_ silent takeovers so much. Chrome developer extensions are another very popular thing for bad actors to buy out and replace with malware, and it sucks.
|
| laurent123456 wrote:
| That's the problem with free apps. Very few people want to donate, no decent company is interested in buying the app and making it profitable, so all that's left are the worst kind of companies who buy these extensions and apps to exploit the users.
|
| All these free apps have value but unfortunately it doesn't translate to any income for the developer so they find other ways.
|
| reustle wrote:
| Couldn't this happen to paid apps just as easily?
|
| laurent123456 wrote:
| If the developer is well paid, probably not? Why would they throw away what they built for a lump sum if they have decent side-business and recurrent revenues?
|
| ohgodplsno wrote:
| Given a sufficient lump sum that guarantees I no longer have to work, my morals can be easily bought.
|
| [deleted]
|
| TheRealDunkirk wrote:
| For me, StackOverflow proved that literally everyone has a price. The world is hurtling full-speed towards the corporation-citizenship cyberpunk dystopia people have been writing for years, as every company buys up everything they can in order to stay "competitive."
|
| [deleted]
|
| mulmen wrote:
| If I offer you 100 years worth of revenue for your browser extension are you really not going to entertain the idea of selling?
|
| laurent123456 wrote:
| Sure but they probably won't offer that much. What I mean is that the value of this app, despite being free, is not zero, but that's probably what the developer was getting. So even if he got 10K for it, he's happy and moved on.
|
| mulmen wrote:
| The app originally set the desktop theme to dark mode or not. That's not worth more than a single one dollar payment, if that.
|
| If I want to do some shady app shit I am buying install base. 100x an app that makes a few grand a year could still be worth it for my nefarious purposes.
|
| deciplex wrote:
| Seems like a developer that is getting literally nothing for his app or plugin is more likely to sell it than a developer that's getting some income from it. At the least, the buyer would need to match the current value that the app provides its author.
|
| croes wrote:
| I don't know.
|
| A developer who didn't charge anything from the beginning has more likely other motives releasing his software than making money.
|
| But if you already make a little money you may easily fall for a lot of money.
|
| laurent123456 wrote:
| I think it starts with passion - he created some useful software, he shares it and initially enjoys working on it. Then he puts a donate link (I saw there was a donate link in the previous site), and gets almost nothing, but he still needs to add bug fixes, maybe new features, answer to the user's emails, etc.
|
| After a while it becomes a chore... and still getting $0 out of it. And that's when he might want to find other ways to get something out of the efforts he put in. Unfortunately the only option is to turn it into malware since nobody wants to pay for it, or turn it into a decent profitable business.
|
| deciplex wrote:
| I mean, everyone's gotta eat. I think there's plenty of instances of someone building a tool that they personally find useful and then making that tool available for free, unsure of what the reception will be and not expecting a lot of users. But if that something does very well and finds a wide audience I think it's natural to try to earn a living from it.
| And, if the attempts to "monetize" fail (as they often do) and someone is offering a lot of money in a lump sum to take it off their hands, well frankly I think they'd be foolish not to take it. And if that arrangement happens to turn out poorly for the userbase, well hopefully that will be another small object lesson in paying for things you find useful, when politely asked.
|
| (And yes, I'm aware that's a lesson that really should have been learned by now, if it was going to be learned at all. Alas.)
|
| mulmen wrote:
| And their values are what exactly? They offer something for free with no reasonable expectation of compensation then rug pull by selling out. It's hard to be sympathetic. If you want to get paid to write code then get a job writing code.
|
| smoldesu wrote:
| It's not a problem with Free apps. If you're forced to redistribute the source code, it heavily disincentivizes attacks like this.
|
| 1970-01-01 wrote:
| >I hate silent takeovers so much.
|
| This is a great app idea. Monitor the app owner. If the owner changes overnight, alerts to the moon.
|
| stjohnswarts wrote:
| wouldn't they just buy the account/password and not let google know?
|
| haolez wrote:
| They would just change the acquisition details to avoid changing the owner and giving the account credentials over instead.
|
| 1970-01-01 wrote:
| Yes, maybe. In this case, it would be a very actionable alert.
|
| agnosticmantis wrote:
| Until we learn that this monitoring app has itself been acquired. /s
|
| devrand wrote:
| Obviously don't narc on yourself!
|
| lapetitejort wrote:
| Who watches the watchmen?
|
| guessbest wrote:
| Watchwomen by a process called nagging.
|
| [deleted]
|
| justin_oaks wrote:
| Another set of watchmen.
|
| ... unless they conspire together. Ugh.
|
| agnosticmantis wrote:
| Have we finally found the killer app for blockchain?
|
| runlaszlorun wrote:
| Or if the browser companies themselves were owned by large corporate behemoths!
|
| Wait...
|
| mcguire wrote:
| <libertarian> What's silent about it? It's right there in the TOS, which you agreed to by using the software. Caveat Emptor, and all that. </libertarian>
|
| wlesieutre wrote:
| The perfect market will solve this and if it doesn't it's the users' fault for not having perfect information!
|
| trolan wrote:
| <dictionary> silent: tending to speak very little: not loquacious <dictionary>
|
| If the buyer alone was responsible, there would be no terms of service. It's only with community protections and regulations that you get the information required to attempt to make an informed choice. The same community should be empowered to drive normal ethics without it being overtaken by the 'drivers licenses are tyranny' crowd.
|
| tmpX7dMeXU wrote:
| Nice writing style. Straight to the point because the author actually had something useful to say. A nice departure from the usual 'pad it out' approach that sadly you even see people take for their personal writing. So many people will lament recipe authors including 6 paragraphs of preamble, but will happily do it when they're telling you about how they pwned their toaster or whatever.
|
| When it gets down to brass tacks, I.e. the technical details section, it could really do with a once-over. One too many run-on sentences.
|
| bbor wrote:
| Just want to say: amazing write up. I hope to write like this some day.
|
| I_am_tiberius wrote:
| Coming from Linux, I also have to say that I was shocked how many apps on mac os are only available as closed source.
|
| [deleted]
|
| jondwillis wrote:
| In 2018, I contacted the developer and tried to purchase this app. He turned me down, and seemed like he wasn't in it for the money. Seems like he picked the wrong buyer when he did finally sell out.
|
| lapcat wrote:
| If I may ask, how much did you offer, and... who are you? :-)
|
| andrewfromx wrote:
| wow and this is built into macOS now as NightShift right?
| txr wrote: | Yes, the OS function works fine. Haven't used the app in a | while, just had it still installed. I just found this by | searching for "proxy-gw1-europe.squidyproxy.com" which seemed | odd when I found it in my .ssh/known_hosts file. | andrewfromx wrote: | ah, i just used squid on my own linux server recently for a | weird use case. A client of mine gave me access to | https://foo.com/thing only from one ip. And I didn't want to | give them my normal desktop ISP ip because it changes so I | gave them my static cloud linux VM ip. But it has no gui. So | I wanted to use the webapp from my desktop. I installed squid | and set it as my proxy server and did tail -f thelog and OMG | the amount of requests just my normal browser makes to all | sorts of weird stuff! | eyelidlessness wrote: | NightShift is different (but somewhat related) functionality: | it adjusts the color profile to be warmer/reduce blue light. | Both can be scheduled to correspond to time of day[light] | however. | txr wrote: | Oh right, got that mixed up | frizlab wrote: | I did a small Automator action that just switches dark mode on my | computer, and I activate it with the cmd-alt-shift-P hotkey; it's | truly convenient and there's no need for a third-party :) | Maarius wrote: | You can also use BetterTouchTool for that. I have CTRL-OPTION- | CMD-M set up on macOS :) | overvale wrote: | osascript -e 'tell app "System Events" to tell appearance | preferences to set dark mode to not dark mode' | 666satanhimself wrote: | [dead] | DavideNL wrote: | So this seems to be the app on VirusTotal: | https://www.virustotal.com/gui/file/375ef0eb310d3fa82ddb5357... | otikik wrote: | Wow, that's scummy and desperate | angst_ridden wrote: | Not to be confused with NightOwlConnect, which allows one to | remotely access NightOwl-brand security camera DVRs. | | I'd not be surprised to find that that app has some sketchiness | baked into it as well. | barefeg wrote: | Kind of off topic. 
But is there any app/service/extension for | parsing these TOS with an LLM to catch all these shady things? If | not, would one be useful? (I'm also a bit surprised this is in | the TOS in the first place, but there's already a thread about | that.) | radicality wrote: | Could be useful. Though people might as well do it themselves? | I just pasted the whole thing to chatgpt and told it to | summarise it into bullet points. | | Related, this just brought back the memory of the Southpark | episode 'Human centipad' where people accept the iTunes T&C | without reading them :) | icyfox wrote: | I know this happens with some frequency, I wonder how frequently | the companies update the TOS with language like this. The very | idea of a self-updating TOS that will govern all usage into | perpetuity feels like it should have been legally struck down | years ago. This company's current language on indistinct | modification rights: | | > We reserve our right to alter the terms in this Agreement | and/or the pricing information and method detailed in NightOwl | app's website at any time. In case the Agreement is amended as | described, we will post an updated version of it in our website, | at which time it becomes active and binding. | | > In case NightOwl app alters the Agreement in a way which will | be deemed material to the relations and/or obligations of the | parties by NightOwl app's sole decision, we will inform you of | these changes on our website or via our social media accounts and | other established communication channels. | | Great, a website update for a locally installed application. | Definitely going to subscribe to your social feed to get an | update. | balaji1 wrote: | was there a similar (policy or functionality) change to "the | great suspender" chrome extension recently? Browsers seem to | have marked it as unsafe.
| cipheredStones wrote: | It's been malicious for two and a half years now: | | https://news.ycombinator.com/item?id=25846504 | | https://news.ycombinator.com/item?id=25622015 | mschuster91 wrote: | Duuuuuude. How far has time passed?! | lynguist wrote: | Could maps.me also be in a similar state? It used to be a good | OpenStreetMap frontend and it was bought (possibly twice) by | some investor firm to generate profit. | | I don't know what is the state of this app now. Does anyone | know? What is the profit scheme (I suspect it might be similar | to this one described here) and to which app would you switch | instead? | jcul wrote: | OrganicMaps is a FOSS fork of maps.me I believe. | | I've been using it and it is great. | | https://github.com/organicmaps/organicmaps | andrepd wrote: | +1 for Organic Maps, it's an amazing app (I still keep | OsmAnd installed for some more advanced uses) | burkaman wrote: | It has been struck down and probably would be again if anyone | felt like suing: https://arstechnica.com/tech- | policy/2007/07/court-says-no-to..., | https://scholar.google.com/scholar_case?case=592583419165850... | | > [Safeway] reserves the right to, from time to time, with or | without notice to you, in [Safeway's] sole discretion, amend | the Terms and Conditions for use and purchases regarding the | online shopping services. Any amendment by [Safeway] will be | effective only as to orders you place after [Safeway's] | revisions of these Terms and Conditions as displayed on the Web | site. [Safeway] will plan to notify you of any material | amendments to these Terms and Conditions; however, it is your | responsibility to review the Terms and Conditions before | submitting each order. [Safeway] has no responsibility to | notify you of any changes before any such changes are | effective.
| | > Defendant argues that, at the time of their safeway.com | registration, Class Members agreed to give Safeway the | authority to change the terms of the contract without notice to | them, by indicating that they agreed to the version of the | Special Terms that are in effect at the time they make their | subsequent orders. Defendant's version of the Special Terms | states that customers agree to the terms "and the form in which | they appear at the time your online transaction is processed." | ECF No. 187 at 16-17 (emphases added). In order to complete | their registration, Customers were required to manifest | agreement to the Special Terms shown to them by clicking a | link. Defendant contends that, as a result of users' agreement | to this Special Term at the time of their registration, Safeway | was not required to notify customers of future changes to the | terms for those changes to become effective. Safeway contends | that, because Class Members read the initial registration | contract, every time they opted to go forward with an online | purchase after registration, they were on notice that they were | assenting to a new contractual agreement, governed by the | Special Terms operative elsewhere on the website at the time of | that purchase. | | > The Court rejects this argument. The safeway.com agreement | did not give Safeway the power to bind its customers to unknown | future contract terms, because consumers cannot assent to terms | that do not yet exist. A user confronting a contract in which | she purports to agree to terms in whatever form they may appear | in the future cannot know to what she is are agreeing. At most, | this term in the safeway.com agreement could be read to | indicate that a customer agrees to read the terms and | conditions every time she makes a purchase on the website in | the future. 
But the Court also concludes that, even in light of | their agreement to the Special Terms at the time of | registration, customers' assent to the revised Terms cannot be | inferred from their continued use of safeway.com when they were | never given notice that the Special Terms had been altered. | icyfox wrote: | Thanks for linking to these. They are certainly in the right | direction although they're a bit vague on how much notice to | give: | | > Even if Douglas's continued use of Talk America's service | could be considered assent, such assent can only be inferred | after he received proper notice of the proposed changes. | Douglas claims that no such notice was given. (Douglas v. | Talk America) | | > But the Court also concludes that, even in light of their | agreement to the Special Terms at the time of registration, | customers' assent to the revised Terms cannot be inferred | from their continued use of safeway.com when they were never | given notice that the Special Terms had been altered. (Rodman | v. Safeway) | | Both cases seem focused pretty narrowly on situations where | notice was not given. Is continuing to use an app after an | update notification enough? Glancing over a GDPR-like popup? | An email? I'd prefer an explicit opt-in to changes once | they've occurred. | deviantintegral wrote: | It looks like Apple has revoked the developer certificate. Anyone | know if there's a public log somewhere showing when it was | revoked? | | The app was blocked from loading, but I still saw the two dylibs | running. I wondered if it was because the certificate was revoked | after they had already started. However, logging out and back in | still showed them running. Perhaps they're persisting through log | outs? | | As well, I got a prompt from the macOS firewall to allow the | mentioned AutoUpdate binary to listen for connections. That makes | me think all of this was deployed in the last few days. 
| | Edit: A reboot gave me the `"NightOwl" will damage your computer. | You should move it to the Trash.` dialog. Allowing that did not | fully clean things up (leaving a non-functional | `/Users/*/Library/LaunchAgents/NightOwlUpdater.plist` in place | and the usual preference files). For me, Hazel cleans those up. | | I think for non-technical users who may not be familiar with the | terminal would be to direct them to reboot. | lapcat wrote: | > It looks like Apple has revoked the developer certificate. | Anyone know if there's a public log somewhere showing when it | was revoked? | | No, Developer ID doesn't use a Certificate Revocation List: | | https://lapcatsoftware.com/articles/revocation.html | deviantintegral wrote: | Given https://eclecticlight.co/2023/08/08/apple-has-just- | released-... it does look like it was revoked in response to | the original article, and not the other way around. | lapcat wrote: | > Given https://eclecticlight.co/2023/08/08/apple-has-just- | released-... | | XProtect is separate from Developer ID certificate | revocation. In many cases, malware is not even code signed, | so certificate revocation would do nothing. | | > it does look like it was revoked in response to the | original article, and not the other way around. | | I'm not sure what you mean? | dangoodmanUT wrote: | And this is why we run little snitch! | highwaylights wrote: | This makes me really weary of all apps more generally. How many | other apps are doing this crap already and just haven't been | noticed / called out for it yet? | LB9990 wrote: | Does no one else find it difficult to read pure white on black | sites? Ironic when the post is about a dark mode app I know. | | I'm all for dark mode, but give me an option to switch back if | it's a wall of pure white text please! | hank_z wrote: | If anyone is looking for an alternative, I have been using my | script below for two years without any issue. | | --edit-- | | I do not know how to format code here.
| | --edit-- | | Another attempt to format code here. |
|
|   # Step 1 Save script below to your local drive. For example, `/Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh`
|
|   #!/bin/zsh
|   # ref: https://unix.stackexchange.com/a/526097
|   # start time is 18:33 -> 18 * 60 * 60 + 33 * 60 = 66780
|   # end time is 07:33 -> 07 * 60 * 60 + 33 * 60 = 27180
|   # install gdate via `brew install gdate`
|   if [[ $(uname -m) == 'arm64' ]]; then
|     secsSinceMidnight=$(( $(/opt/homebrew/bin/gdate +%s) - $(/opt/homebrew/bin/gdate -d '00:00:00' +%s) ))
|   else
|     secsSinceMidnight=$(( $(/usr/local/bin/gdate +%s) - $(/usr/local/bin/gdate -d '00:00:00' +%s) ))
|   fi
|   if [[ $secsSinceMidnight -lt 27180 || $secsSinceMidnight -gt 66780 ]]; then
|     # turn on dark mode
|     osascript -e 'tell app "System Events" to tell appearance preferences to set dark mode to true'
|   else
|     # turn off dark mode
|     osascript -e 'tell app "System Events" to tell appearance preferences to set dark mode to false'
|   fi
|
|   # Step 2 run `crontab -e` and add script below
|
|   # cron job for enabling macOS dark mode periodically
|   # darkModeWatcher script is executed 60s after reboot. After that, it is executed at 35 mins of each hour if the display is not asleep.
|   # replace xxxx with your username
|   @reboot sleep 60 && /bin/zsh /Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh >> /Users/xxxx/Library/Logs/systemDarkModeWatcher.log 2>&1
|   35 */1 * * * if [[ -n "$(/usr/sbin/system_profiler SPDisplaysDataType | /usr/bin/grep 'Asleep')" ]]; then newDisplayStatus=0; else newDisplayStatus=1; fi && if [[ $newDisplayStatus == 1 ]]; then /bin/zsh /Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh >> /Users/xxxx/Library/Logs/systemDarkModeWatcher.log 2>&1 ; fi
|
| dingosity wrote: | FYI... last time I tried, I could get the equivalent of a HTML | <PRE> block by putting two spaces at the beginning of every | line. Here's an example.
Each line was indented two spaces: |
|   #include <stdio.h>
|   int main() {
|     printf( "Bonjour, totes le monde!\n" );
|     return( 0 );
|   }
|
| Looks like it worked. It looks like it's rendering with a mono | font. | hank_z wrote: | Thanks. It works. | mcguire wrote: | "_The application, at least the time of writing, and the | installations I've been made aware of, makes a lot of connections | to https://stubbs.frontgatetickets.com/, a website that sells | tickets to live music events for a restaurant in Austin, TX._" | | Stubbs BBQ? | tayiorrobinson wrote: | Yes. | [deleted] | dspillett wrote: | _> The application ... makes a lot of connections to [site], a | website that sells tickets to live music events_ | | This is a common use for residential proxies. Ticket touts buy | use of the infected users to make requests to try beat | restrictions on access from data-centre hosts or high-volume | access from and other hosts, to increase their chance of getting | valuable tickets for later resale. | | A number of backdoored (by the creator, by someone cracking into | their source repositories, or in this case by buy-out) free | browser extensions, VPN apps, and such, turn the user's machines | into a proxy like this. | hoofhearted wrote: | NordVPN does this as well. Google and Amazon own large blocks | of IP ranges for their cloud services, so it's fairly easy to | detect bots built on AWS and Google cloud. | | On the other hand, Verizon also owns a large block of IP | addresses that they give out to their residential customers. | | NordVPN takes advantage of the fact that people like Netflix | and Amazon don't want to block out Verizon's ip ranges, and | disguise network traffic as residential traffic. | otterley wrote: | Do you have a link to more information somewhere? I'd like to | know more about what NordVPN is doing, if true. It's | certainly not what their customers expect.
| hoofhearted wrote: | https://nordvpn.com/blog/residential-proxies/ | dingosity wrote: | I agree with you if you're talking about tech savvy users. | But I think NordVPN has enough users who don't know what's | going on under the hood that they might not understand the | implications of forwarding potentially copyright-hostile | packets. | Philip-J-Fry wrote: | I can't see anything suggesting they proxy VPN traffic | through their users. Would certainly be a scandal worth | talking about if true. | hoofhearted wrote: | I believe users can opt in to let proxy traffic through. | knodi123 wrote: | > NordVPN does this as well. | | Do they? Last time I looked into this drama, it seems like | the botnet accusations were just scurrilous slander. | | https://www.comparitech.com/blog/vpn-privacy/nord-vpn- | botnet... | reaperducer wrote: | The last time someone made this claim on HN, someone from | NordVPN responded saying it is false. | runlaszlorun wrote: | Was expecting a clickbait article. No sir! | | Great piece. | ajkjk wrote: | There's gotta be some law that could be passed about stuff like | this. Software should have an implicit contract that it does what | it says and not something wildly different than it, with harsh | penalties for violations. | cpmsmith wrote: | Common licenses specifically go out of their way not to imply | such a contract. This is the start of the all-caps portion of | the MIT License [0]: | | > THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY | KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO [...] | FITNESS FOR A PARTICULAR PURPOSE | | ...and the GPL has nearly the same text in section 15. [1] | | [0]: https://opensource.org/license/mit/ | | [1]: https://www.gnu.org/licenses/gpl-3.0.html#section15 | ajkjk wrote: | Yeah, but also common licenses are set by the distributor. | (which they're also evidently free to secretly change?) 
| | I want the other side of the deal: a default license implicit | in the existence of software that can't be traded away | without an explicit contract that involves something like an | exchange of money, which a federal agency will safeguard | against violations of. If an extension changes its behavior | nefariously people should go to jail. If Google safeguards an | extension that changes its behavior nefariously then Google | should go to company jail. (or, like, be fined and forced to | comply). | | (admittedly, this is hopeless idealism. But still.) | runlaszlorun wrote: | We should all have our own EULAs that they implicitly agree | to... lol. | | I should start doing this with big websites. And of course my | EULA is a 10MB file I'll send with every request until they | accept... :) | | Can you imagine if that caught on? DDOS by EULA! | dancemethis wrote: | [flagged] ___________________________________________________________________ (page generated 2023-08-08 23:01 UTC)
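Two leftovers are named in this thread: the `proxy-gw1-europe.squidyproxy.com` entry txr found in `.ssh/known_hosts`, and the `NightOwlUpdater.plist` launch agent deviantintegral saw left behind after removal. The read-only check below looks for both; it is an added example, not code from the thread or the linked article, and the function name `scan_home` and the `FOUND ...` output format are assumptions of this example.

```shell
#!/bin/bash
# Added example: read-only check for the two leftovers named in this thread.
# It reports what it finds and deletes nothing.

PLIST_REL="Library/LaunchAgents/NightOwlUpdater.plist"  # path quoted in the thread
PROXY_HOST="proxy-gw1-europe.squidyproxy.com"           # host quoted in the thread
PROXY_DOMAIN="squidyproxy.com"

# scan_home DIR: print one "FOUND ..." line per hit under one home directory.
# (Function name and output format are this example's own.)
scan_home() {
    local home="$1" kh plain

    if [ -e "$home/$PLIST_REL" ]; then
        echo "FOUND launch-agent $home/$PLIST_REL"
    fi

    kh="$home/.ssh/known_hosts"
    [ -r "$kh" ] || return 0

    # Plain-text entries: test only the host field (field 1, or field 2 when
    # the line starts with an @marker), so key material can never match and
    # any gateway name under the domain is caught.
    plain=$(awk -v d="$PROXY_DOMAIN" -v f="$kh" '
        /^[[:space:]]*(#|$)/ { next }
        { hosts = ($1 ~ /^@/) ? $2 : $1 }
        index(hosts, d) { print "FOUND known-hosts " f ":" NR " " hosts }
    ' "$kh")
    if [ -n "$plain" ]; then
        echo "$plain"
    fi

    # Hashed entries (HashKnownHosts yes) cannot be searched as text;
    # ssh-keygen -F can still test for one exact host name.
    if [ -z "$plain" ] && grep -q '^|1|' "$kh" \
        && command -v ssh-keygen >/dev/null 2>&1 \
        && ssh-keygen -F "$PROXY_HOST" -f "$kh" >/dev/null 2>&1; then
        echo "FOUND known-hosts-hashed $kh ($PROXY_HOST)"
    fi
}

# Usage: ./check_leftovers.sh [HOME_DIR ...]  (defaults to the current user's home)
[ "$#" -eq 0 ] && set -- "$HOME"
for h in "$@"; do
    scan_home "$h"
done
```

No output means neither leftover was found in the directories scanned; a hashed `known_hosts` file is only tested for the one exact host name quoted in the thread.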