Is this a common thing? I have just recently installed the extension, so I am not sure if there are a lot of other websites who do it.
Since looking into it, I noticed that uBlock Origin already has the default list "Block Outsider Intrusion into LAN" but it wasn't enabled.
It actually makes sense to have a paid service that makes this abomination less painful. Though they work with VFS Global for collecting the applications and relevant documents, the VFS Global itself is an abomination and doesn't help with the handling of the form filling anyway.
Recently EU streamlined the Schengen visa application process for Turkish citizens as those "visa agencies" that are the official agencies and the only way to apply for a visa for many countries don't actually help with anything and are scamming people by selling the "good hours" for the visa appointment on the black market. An agency was dropped for this and the scams by agencies were listed among the reasons to streamline the application process.
Both with US and EU people are losing scholarships etc. due to outrageous wait times that are sometimes are years ahead or there's an issue with the systems handling the applications.
I guess there must be an opportunity there to fix all this together with smaller stuff like handling transliteration and character encodings, I wonder if some of those scam site are not scams and actually help with it. An AI agent can be useful here.
These random logouts happens more frequently during certain times of the day and seems to follow a semi-predictable pattern. It is almost certainly tied to system load in some way.
Also, the site's HTML and JavaScript are bloated beyond hope for what should be a fairly simple set of web forms. And itnhas been thisnway since at least 2018 with exactly zero improvements.
I worked with people on parole that were given free phones to use for job applications, finding their way around etc, and they would only get 3GB data a month. Some of the sites they visited were dropping 250MB of payload on the home page. You'd get some plans that would drop down to 2G, but try using that for Google Maps when you're trying to find a bus to get you across the city.
Sure, I'll do my best to try it. I'll approximate the throttle by limiting chrome to 128kbps, 500ms delay, and 5% packet loss for fun.
With a fresh incognito session, google responds to "here to 4th street" in 10 seconds, and when I click to open maps it needs just under two minutes to load. Then I can click on the transit option and it needs another 10 seconds to update.
Not too bad for a cold cache. If I do it again with a hot cache it only takes 20 seconds to go through the whole process. And I expect the app to be similar to the hot cache situation. Even with 64kbps I'd expect reasonable results. Do any cell providers throttle worse than that?
I agree with your argument about bloat in general, but google in particular has a lot of good engineering resources and tries to work well on bad connections.
Also I would be in favor of some spectrum licensing rules that say you can't throttle below 1Mbps...
There are probably a host of other telemetry things going on in your standard $20 Android handset in the background too, eating up all that bandwidth and causing all sorts of bottlenecks.
Agree it would be really nice to have some sane minimum speed.
> Because it is slow to render people start trying to swipe around the map to make it do something
At a certain point it's the user's fault. And once it gets to the point where you can swipe around, the tile loading should be pretty visible.
And to add more emphasis to the app being usable, I can get driving directions fully offline, then click bus and now it needs one tiny server request to tell me.
It's bad enough that in some cases I believe the designers should be threatened with legal penalties.
Two years in a row we’ve been able to fill out a 1040 and the NY state equivalent and make a paper submission in less time than it takes to reach an operator on hold.
These identity verification services look like a scam to me. LinkedIn incessantly hassles me to verify with CLEAR and it always fails without a clear error message, either “it just doesn’t work” or my hair has grown too much since I got my driver’s license or it is making me take my glasses off and comparing to a driver’s license photo where I am wearing glasses.
Even if their intent is to run an 'honest' business, the method of bouncing a user around to god knows how many domains during the process becomes effectively indistinguishable from a compromised service, and the alternative of having each site host their own id verification system screams, HACK US. I can see users becoming increasingly accustomed to getting out their cards several times during a sign-up and not having the foggiest idea of where their information went to.
I discovered this when it was late at night and I was procrastinating going to bed and I was curious what my estimated Social Security benefit would be at retirement so I tried to log into mySSA and it said the website is closed from like 11 PM to 5 AM or something like that.
I couldn't believe it. I could understand a weekly several-hour maintenance/batch processing window, but DAILY?
These aren't unsolvable problems. The UK, for example, had invested a lot of time and effort into making their websites user-friendly. In most countries filing taxes online is something you can do during your lunch break - without paying the Turbotax maffia. Driver's license? You can order that online, and make an appointment for a 15-minute window to pick it up.
If interacting with the government is painful, it is almost always because someone benefits from it being painful.
Obama had the Digital Service (that Trump shut down) which paid higher salaries. Those folks were sharp and everything they touched was actually decent.
As I noted this is not unique to government. Large corporate projects at the Fortune 500 are often the same sort of consultant-driven crap.
If you visit their website, you will notice that except for historical documents, there is no full name branding at all; mostly only the logo and the occasional "USDS", when prior to the reorg (as can be seen on the Wayback machine) the original full name was prominent.
Really the only reason you need TreasuryDirect is for buying Series I bonds (and maybe a few other niche Treasury products), which are not available through brokerages.
Back then I thought Treasury Direct was great.
Early in my career, I was warned that if I took a job with the state of California, I’d be stuck there for my whole career. I’d be unhirable in the private sector.
Not so much after DOGE fired entire departments for dubious reasons.
I don't know why anyone would work for the federal government now - pay still sucks, and job security has been demonstrated to no longer be guaranteed.
I'm not sure I see the upside of moving to a nation knowing that its citizens actively despise my existence.
That's probably because of the fact that the appointments are near impossible to get, they only allow booking a few months out and it's always completely booked. So everyone was refreshing (or if clever botting) to get an appointment slot.
Even if the US has a horrible visa system – as I can attest, despite only having to do it every 5 years – the EU countries could benefit from attracting talent by being more welcoming. So that is part of my mission as an MP and tech-entrepreneur. Any help and pointers is welcome.
https://www.bbc.com/turkce/articles/cz5r2l43kn2o
https://medyascope.tv/2024/01/22/vize-sorunu-kontrolden-cikt...
On the social media the anecdotes differ but some say they were able to get the visa appointments bots, others say it was agency personel selling it to them under the table. Maybe its really the agency personel, or maybe it's people running bots to snap appointments and sell those pretending to be from the agency - can't know for sure but there are multiple services where people purchase appointments unofficially.
In general the news situation in Turkey isn't very good as with the law enforcement but as you can see even BBC took notice.
Generally speaking, these visa agencies are very unfriendly and unreachable. They seem to just collect the money, provide no personalized help at all. My GF had some questions about her US visa application, we were not able to reach VFS Global. The phone numbers provided don't work, it's not even like taking long to speak with a human, the phone just gives you calling error.
She previously used the same company for her Schengen visa for a company event in Paris, of course unreachable again and no appointments available. Because she works at a French corporation, she was able to ask a high ranking French person in the company who has a contact with the French embassy and they arranged the appointment shortly.
No clue if this specific instance if scam but such scams have indeed been done before
https://www.bbc.com/news/articles/cdr56vl410go
> According to Ablakwa, a locally recruited staff member and "collaborators" were allegedly involved in a "fraudulent" scheme whereby they extracted money from visa and passport applicants.
> It is alleged that the scheme consisted of creating an unauthorised link on the embassy's website to redirect visa and passport applicants to a private firm where they were "charged extra for multiple services" without the knowledge of the foreign ministry.
> Ablakwa added that the staff member "kept the entire proceeds" in their private account, and that the scheme had been going on for five years.
> Applicants seeking visas were charged unapproved fees ranging from almost $30 (£22) to $60 by the private firm.
The rejection rates are also not bad and EU has a "return agreement" with Turkey, which is designed to keep the middle eastern refugees in Turkey(essentially, if you come from Turkey EU can send you back to Turkey right away ).
Crime rates for Turks show up among the lowest ones, unlike others from the region. So I don't think that EU is trying to reduce visas for Turks.
https://home-affairs.ec.europa.eu/news/visa-applications-rea...
https://ec.europa.eu/eurostat/statistics-explained/index.php...
Maybe in the EU it’s all good, but expect a lot of turbulence in the US.
The "waterfall model" is a toxic way of thinking that pervades corporate management. Simplistic minds can't fathom any states other than "done" or "not done". Corporations are determined to crush the human soul. That is why it's not a progressive series of forms, saving your progress all along.
It would be good if the Indian government could block the scammers but I guess it’s a lower priority for the moment.
So obviously the only way they could to this is with government contacts meaning the government themselves could already do it, but a lot of immigration stuff everywhere is full of people taking kickbacks.
I know that Indian scam stereotype is racist and bad but how much it is "that bad"
it's one hundred per cent clueless privacy invasion. they are probably also opening ports via other means and using that for side channel ID like Facebook does.
just like any other documentation scam, the only weak point is on the "last mile" that's why you will always have a human interviewer.
the visa process is abusive and unpractical because people will work around any hurdle and their kpi will never be affected no matter how crappy they manage to make to whole process. or how many doge kids implement useless privacy invasion tech just because.
Never knew that this existed. Thank you!
One popular router maker offers a ‘magic URL’ (domain name) that scans your network for the gateway management page, and redirects. It’s not necessary, but it certainly helps novice users. Having worked in IT support,
I’ve also purchased hardware devices that have a web management UI; which connects directly instead of proxying through a cloud.
Ultimately this is probably one thing that should be behind a permission request (like webcam access), but it’s not a feature without value.
Realistically, it’s a backdoor to every network firewall that has existed for the entire era in which browsers were used in “secured” internal networks also connected to the internet. Everyone has either designed with it in mind, or gotten lucky that nobody tried to use it on them for like 30 years. I think it’s good to put away this footgun, but there’s no useful blame to assign here.
Home Assistant has a well-known public name that opens your local instance. On first access, you need to give it the name or ip of your instance, which is saved in browser storage. This supports deep links into your config from forum posts.
My mum also had a shitty D-Link wifi mesh device, which was packaged as an appliance. I cannot speak lowly enough about that garbage device, but then, I am not really the target market. iirc it had something similar; a public dns name for local appliance mgmt.
I've been meaning to switch to Vivaldi. Just as soon as the onboarding dialog stops crashing.
If they worked only on Firefox, I'd have nothing against them. As it stands, I can't even donate to Firefox if I want to.
> Manifest V2 extensions will no longer function in Microsoft Edge, even with the use of enterprise policies.
[1] https://learn.microsoft.com/en-us/microsoft-edge/extensions/...
It's insane to allow any random website to port scan my LAN. If this wasn't a "feature", I would have considered this a high severity vulnerability
(There is some language online suggesting PNA has not actually shipped, but I experienced it myself in stable Chrome several years ago, so I am unsure of the current state).
Firefox doesn't implement either approach -- I assume this is indicative of their lack of development resources.
Since ublock had this as a feature for a long time, I'm sure they are aware of it. Unlike other non funded oss projects, Firefox can't and shouldn't shield themselves with this lack of development resource excuse. They have millions.
I thought Mozilla was different.
If you meant Mozilla, they’re a total indefensible trashfire for sure. But I’m not convinced they could have succeeded with their resources.
Using uMatrix was very annoying at first, most websites are broken without their CDNs, but after a few months or so, the whitelist grew and it contains 90% of websites I visit.
On my system https://ceac.state.gov/genniv/ tries to connect to captcha.com, google-analytics, googletagmanager, 127.0.0.1 and "burp" (a local hostname that doesn't exist in my network). Interestigly, the browser console doesn't list connection attempts to localhost or burp. If I allow 127.0.0.1 and "tcpdump -i lo", I see connections to port 8888, which isn't open.
This is a container that FB gives you to host that lives under your domain (it can be your main domain) that slurps up user data and sends it to Facebook from the server side. You embed some JS in your website, and they hoover up the data.
There are options to not load JS, images, XMLHttpRequests, frames, cookies, for each site, but it doesn't list individual files.
For those who want to try blocking more stuff you can enable hard mode and bind relax blocking mode keyboard shortcut
I'd recommend also enabling filter lists(I advice yokoffing/filterlists and your region/language)
https://github.com/gorhill/uBlock/wiki/Blocking-mode:-hard-m...
Besides, uMatrix works fine. It's that kind of program that doesn't need any updates.
You can't manage a whitelist with a single big red on/off button, if that's what you want.
But I found what "burp" is: https://portswigger.net/burp/communitydownload
Somewhat more worryingly, Little Snitch doesn't report them at all, though that might just be because they were already blocked at the browser.
That looks so much like test code that was shipped to prod.
Searches for that string on GH does return results.
If you're on OSX, the permission to "discover on the local network" prevents it from happening ( System Settings -> Privacy & Security -> Local Network -> yourbrowser )
Could also be 'network' permissions on firefox ( Go to Settings > Privacy & Security > Permissions ) which is on a per site level, but iirc that could be set site-wide at some point.
The other browsers likely have similar configs, but this is what I have found.
That will be this burp: https://portswigger.net/burp/documentation/desktop/tools/pro...
Sounds like they don't want you to analyze their site.
"Hacks and Hops" doesn't even have a valid home page. The extension links to https://g666gle.me/ which does not exist. The domain name itself does not want to make me give access to all my data for all websites to them.
As nice as this extension seems, I would ever in a million years install it.
1MB of obfuscated fingerprinting + portscan + Webgl . But oddity this one is trying to find burp suite specific route's.
That being said, I think this is an overall win, hopefully Firefox implements it in a consistent manner as well.
Are you seeing connection attempts to other IPs?
Could also be incompetence :D until I fixed it, deploying from my local machine rather than CD resulted in one of the baked in URLs being localhost rather than the public host on the project I'm working on now. Their local development server might just be at port 8888. Wouldn't surprise me.
https://my.f5.com/manage/s/article/K000138794
> These requests are caused by the bot profile to test the different browser capabilities.
> 'http://127.0.0.1:xxxx' request is a call to the localhost/client machine, which is normal when trying to protect assets like end-server using ant-bot defense. It does not have any impact regarding application page load.
Remember back in June when Facebook/meta got caught tracking users trough a webserver on Android phone thought Messenger and Instagram? Same thing.
See: https://news.ycombinator.com/item?id=44169115 and https://news.ycombinator.com/item?id=44175940
This is a common pattern for connecting to smart cards / hardware security devices. Probably a service or hardware that’s run on official CBP machines that should be disabled for prod, but forgot.
I personally use pages that authenticate via a smartcard using this exact scheme.
There is a Java "plugin" that is nothing but a mini webserver that listens on a specific port and performs authentication.
Although, from personal experience, it used to require java and it worked only on internet explorer and since it has been retired and replaced with chromium, i am not sure what is the way to make it work nowadays, as i have not been able to figure out to use it when i needed the last time.
When I visit the site from Safari on macOS I see this in the console. Are there any particular services that use port 8888 for the website to do this?
It seems to be part of some "bot defense" product by these F5 people, to "test the different browser capabilities". I doubt it's intended to hit a real endpoint on any system.
https://www.digitalsamba.com/blog/metas-localhost-spyware-ho...
How does that work? A browser extension can't influence how your router and other machines in your network react to incoming requests.
If you did not go into the details, chances are that when you will, this will turned out to be a false positive case.
If you did, where are the evidence?
* uBlock Origin and Lite have it as an option under Filter List > Privacy > Block Outsider Intrusion into LAN
* Brave prevents it, tested with Aggressively block Trackers and Ads.
Also I wonder if this protection is available only with old extension manifest version or new network request hooks API also supports it.
Like a less sophisticated Tor/VPN that is easily detected by port scans
It looks useful and looks good, there's minimal unneeded whitespace and I'm glad it looks as it does. We'd be better off if the entire web switched to a style like this.
So much better.
Modern web design is a joke.
In the 90s and early 00s, we did tons of user-testing and feedback collection. We threw all that research away to create UX's that are minimal and "sleek". Tons of unnecessary whitespace and the concept of "Discovery" just thrown into the dumpster. Skeuomorphism was one of the greatest features of 90s-00s software, ironically thrown away as computers got faster and were able to handle the graphics better.
I will give it a try and see what happens and if I see anything I will add it here.
SO, I guess that is going to be used on all my firefox runs.
To be serious, this has introduced me to sandboxing on BSD via pledge [0] and comparisons against Linux seccomp [1] - thank you!
[0] https://news.ycombinator.com/item?id=17289654
[1] https://kristaps.bsd.lv/devsecflops/ (submission by same poster at https://news.ycombinator.com/item?id=44264021)
There is also a lot of fingerprintable material within such a port scan from clock skew, TCP ISN, and a few other areas.
You can sieve this quite easily with this available, thanks to Roku's, Phone's, and other things doing this while just sitting locally in a shared collision domain (a digital soldier quartered in every home).
The metadata node graph of devices locally acts as a unique fingerprint once in RFC1918 space, technically not unique but close enough.
I might create a login for a porn site so that I can have some favorite videos bookmarked and it can figure out the type of material I like. That doesn't mean I want my history saved locally.
I remember years back when people would run these firewalls and we'd get complaints from home users about normal traffic.
Thinks like complaints our mail servers was scanning them on port 25 when they sent email.
