Hacker News | m132's comments

Censor, not moderate. Let's be honest.

Was it Pat or Brian? If I recall correctly, it was under Brian when Intel had one of its worst periods of stagnation, when the 10 nm process all the bets were on turned out to be a non-starter, and when Meltdown and Spectre erupted. It's easy to overlook this because Intel had fairly no competition around then, but that doesn't mean the company was in good shape.

I've always felt like Pat was a scapegoat who was chosen to clean up the mess when the whole place was already up in smoke and the smell was only starting to leak out. I liked his strategy, was disappointed to see him booted out.


BK really destroyed the company and Bob Swan was the finance guy who did not have a vision. Pat was the visionary who saw the value of the fabs but it took a long time to turn things around.


>Bob Swan was the finance guy who did not have a vision

Let's be fair to Bob, he has the vision, but doesn't know how to execute it because he lacks the technical knowledge.

He was also the one who finally settled the argument I had for 5 years: if Intel were to make 250M modems for Apple, where is the additional capex for capacity expansion on their fabs? The answer, only to be told by Bob in a 2020 interview, was they never really planned for it.


I think the 5G modems were intended to be manufactured by TSMC even before they sold the division to Apple.


Brings back the memories of using Internet Explorer when every other installer was fighting for toolbar space!

Every Internet café had at least 2, with Ask.com, Google, Yahoo and later on, Bing being the main contenders.


Loved the brutal realization that came when the seemingly broken Extensions button the author was mashing for a solid 30 seconds turned out to be a fake, extension-supplied one. One... of three.


It's far from easy in the case of Firefox [0], and the last time I tried, some .mozilla.com domains would still get pinged. Chromium doesn't even have an official guide. The only options I found to be reliable are source-level patches, i.e. ungoogled-chromium and LibreWolf.

Note that LibreWolf still leaves some of the stuff on for you to manually disable (dom.push.connection.enabled, extension updates).

[0] https://support.mozilla.org/en-US/kb/how-stop-firefox-making...


I agree that push connections should be disabled. Maybe it can prompt you the first time you try to subscribe to one as to whether you'd like to turn them on; this would annoy me personally, but also not break features by default. The annoyance hardly matters as websites already put an in-page prompt up before using the API, iirc because of Apple restrictions.

Enabling extension updates by default seems like a smart thing, though, as long as you can turn them off easily (there should really be a setting for this), and possibly a 6-month reminder to update them (similar to the refresh your profile reminder when you haven't used the browser in a while). Extension updates happen, and many of the most widely used extensions (e.g. uBlock Origin) really should be updated every time it's available. Better that than having the extensions go online to fetch and run arbitrary payloads because you know they will if disabling updates gets popular enough.


In Firefox, go to about:config and search for url.

You're welcome.


Run OpenSnitch for a while and you'll quickly realize how much of your system does phone home. Off the top of my head:

- GNOME Shell (extension updates without a way to disable this, weather),

- GNOME Calculator (currency exchange rates),

- NetworkManager (periodic hotspot portal checks in most configurations),

- GDB (debuginfod enabled by default),

- Firefox (extension updates, push notifications, feature flags, telemetry, ..., some parts cannot be disabled),

- VSCodium (Open VSX callbacks even when installing extensions from disk with updates disabled, JSON schema auto-downloads, extensions making their own unsolicited requests, ...),

- Electron (dictionary updates from Google servers, no way of disabling; includes any application running on top of upstream Electron, such as Signal, Discord, etc.),

- GoldenDict (audio samples fetched from the Internet on word look-up, no way to disable)

Of course, this is nothing compared to Windows [0] and macOS [1], but the malpractice of making Internet connections without asking, by default, has unfortunately been finding its way everywhere since modems stopped making audible sounds.

Having read about PRISM and seen the leaked dashboards of Paragon Graphite (said to be used by ICE), and with LLMs bridging the gap between mass and targeted surveillance, I don't want any of this.

[0] https://github.com/microsoft/calculator/blob/ffd0519676019a0...

[1] https://sneak.berlin/20201112/your-computer-isnt-yours/


> GNOME Calculator (currency exchange rates),

Which would crash (technically hang) if you blocked it. [0]

[0] https://forums.debian.net/viewtopic.php?p=818264


Approximately 10-15 years ago I used an early Android app that synced contacts across multiple (local) accounts and deduplicated and merged them. It had Internet permission for some reason; on asking the developer why a dedicated contact management app would need to go online (in a time where I was using XPrivacy to prevent other apps from seeing my contacts), they said there was no real reason for it, and it was removed in an update two days later. This is the only time I've ever seen an app remove the ability to access the internet, and I really wish it was more common.

Of course, about 5-6(?) years ago Google removed it from both the play store and my devices (I allowed it because silly me assumed I could still get it again) because it requested a sensitive permission and didn't support runtime permissions.


Are these malware?


Per se? No, maybe with the exception of GNOME Shell which literally runs code from the Internet unsandboxed. Can the traffic they silently generate be used for malicious purposes? Absolutely.


Wasn’t it KDE that had malware in its theme store not too long ago? Let that sink in for a bit. You changed around some icon themes and it executed arbitrary code.

And let’s not pretend that KDE wouldn’t have an extension system if it could - but it’ll never have one because implanting one in that C++ spaghetti nightmare will never happen.


I think you meant to reply to this: https://news.ycombinator.com/item?id=47702680

But if not, I'm not criticizing GNOME in isolation here. It's just what I use and what I'm most familiar with. KDE has the same issues and it does have an extension system too. It's called KNewStuff.


People still care about these things on Debian. But as is said 20 years ago there was no need, because the default was to be sane.


Problem with updates is that without automatic ones, users could stay on outdated systems and possibly get hacked through some vulnerability (of which there are many). While on the other hand, having explicit confirmations for each network request would be crazy annoying.

Maybe some middle ground of having the tool OP sent built-in would be a good option.


I run all my systems with all outgoing connections blocked by default, and yes, it is annoying.

But it wasn't always this way, and so, I don't think it has to be. People just need to start paying attention to this.

The impact of a lot of those vulnerabilities would be mitigated if the affected programs didn't connect to the network in the first place.

As for updates in general, I really like the model adopted by Linux update managers and BSD port systems. The entire repository metadata is downloaded from a mirror and cached locally, so the search terms never leave your machine. Downloads happen from the nearest mirrors, there's no "standard" mirror software (unless rsync and Apache count?) so they don't report what was downloaded by whom back to any central system and you can always host your own. Everything is verified via GPG. And most importantly, nothing happens on its own; you're expected to run `apt/dnf update` yourself. It won't randomly eat your bandwidth on a metered connection or reveal your OS details to a public hotspot.

Simple, non-invasive, transparent, (almost) all-encompassing, and centrally configurable.


you could always run kwin_wayland and prevent all that phoning home...


I must say the combo of an em-dash stuck right in the middle of "it was never X, it was Y" made me chuckle


This. Also, for phones that don't support Android virtualization, there's a user-space hack, part of Termux upstream, that allows for root-less chroots via LD_PRELOAD: https://wiki.termux.com/wiki/PRoot.

systemd won't boot with this (needs to be PID 1), but a lot of software will work just fine and there's nearly zero emulation overhead.


I don't think it uses LD_PRELOAD, it uses ptrace to intercept system calls (hence the name). Unfortunately this does have performance overhead, although I've never bothered to measure it. Actually that would be an interesting thing to benchmark.


My bad, I must have confused it with something else. Yes, it uses ptrace; there definitely is some overhead around system calls, but that still should be better than running atop a full-scale CPU emulator. That being said, I haven't benchmarked it myself, just remember it being pretty snappy.

Thanks for your correction!


But does it synergize paradigms?


Creating a new capability is like making a new flashlight.

Maybe the new light can see wider, or further and you see something you didn’t before that was possible.

You can synergize the looksmaxing while cooking if you like :)


> Runs on (your target hardware or environment)

Nice try, OpenClaw

