It's getting press because it is siphoning off the page contents which include the names of files you have stored. It is quite a different scenario than just loading an image through an img-tag (which can be controlled through things like Referrer-Policy these days)
Yes, everyone is in complete hysterics exactly because Facebook is evil (by the definition "harmful or tending to harm" (OED) or "morally reprehensible" (Merriam-Webster)). Just remember the recent(-ish) Oculus controversy, where they forced everyone who bought their hardware to sign in with Facebook and in some cases (soft-)bricked users devices because their Facebook accounts did not have enough activity [1]. Especially because Palmer Luckey (founder of Oculus) when answering questions about the acquisition in 2014 said that Facebook would not do such a thing [0].
I personally am scared because the language being used here is not at all specific to the scenario mentioned here ("hosted clients"). I understand that anything more specific would probably be rejected by their legal team. I am afraid that some 5 years down the line they'll be able to do something worse without notifying users because the TOCs and privacy policies are written in this ambiguous language.
Regarding alternatives, I can't really speak on the security/privacy of any of them but from what I can gather, Matrix does have E2E-encryption functionality [2] so I'm not quite sure how it is less secure than Signal (provided you host your own server and/or have a reasonable degree of trust in the server-operator of your conversation-partner).
And when Facebook is doing something evil, I actively blast them for it; in particular, I have been extremely vocal with everyone I know about many aspects of the Oculus account issue, which I consider to be extremely evil when combined with their closed store model and DRM setup with developer account revocation (etc. I am somewhat famous for being a broken record on some topics, so I will try to avoid going into too much depth ;P).
Obviously, though, (but maybe not to you?!?) this is a completely unrelated issue to the WhatsApp "changes" this week: trying to use "Facebook is evil, so everything they do is evil" is not only ridiculously disingenuous--to the point of undermining the ability to make these kinds of arguments at all and still be taken seriously :(--but doesn't even satisfy basic questions like "ok, and do you also consistently use this frame with Apple and Google?" (both of whom are also evil to the point of being morally reprehensible).
As for Matrix: they do not have a solution for metadata yet, and even have gone so far as to claim that maybe they will never figure it out (due to being a federated system). Your metadata just ends up getting semi-permanently logged on various machines, and there is nothing you can do about it at this time. AFAIK, Signal has implemented solutions to this (even, I believe, fixing the subtle thing I used to complain about where their server technically had a temporary in-memory metadata log for rate limiting).
Facebook logs all metadata that is available from WhatsApp as well. I'd rather have my metadata on matrix servers than on FB servers - at least it's not connected to my phone number, which is tied to my real identity. Also, matrix doesn't upload my entire contact list to Facebook. If it's secure enough for the german military and the entire french government, it's certainly secure enough for me.
> Your metadata just ends up getting semi-permanently logged on various machines, and there is nothing you can do about it at this time.
Sealed sender means that an eavesdropper who can introspect into RAM inside Signal's AWS infrastructure is no better off than a network eavesdropper who passively sniffs ingress/egress.
That doesn't mean they can't build a reasonably accurate metadata database covering most people--people who communicate from a limited number of mobile ips to a limited number of mobile ips.
Signal is way better than matrix, but let's not pretend it has totally solved the metadata problem.
Extremely evil was when an entire population was wiped off the earth in the industrial genocide of the Third Reich. Facebook or WhatsApp changing its TOS is irritating but it is not "extremely evil" I just realised that this is the same absolute language that incited the violence we saw on Wednesday. If something is "extremely evil" then there are very few constraints short of the Geneva convention and probably not that you should be bound by in your response. The point is language matters and so enough with calling everything we disagree with "evil".
It was carefully explained to me that Facebook only wishes they could be as evil as Google is, now, or as Microsoft used to be able to be. Nowadays, even Microsoft and Russia wish they could afford to be as evil as Google; and even the spooks have had to outsource theirs.
(I use "evil" in the technical sense: not necessarily intending to exterminate humanity, but wanting to be able to -- or anything short of that -- if they did.)
Most Xiaomi smart-devices speak a protocol called miIO. There are several libraries/bindings for your favorite languages/tools as well as a nice CLI tool[0].
The only tricky part is getting the device token[1]. But once you have that it's smooth sailing.
I have been using GraphQL professionally as a frontend developer for about 1.5 years and I think it is definitely getting more relevant now.
I can't speak for many services that use GraphQL since we always have our own backend that we use. But I can speak a bit from my experiences using it with a number of different backends.
So first up: The number one thing GraphQL does really well is the tooling. You can have anywhere from a full-featured client for your SPA with Apollo [0] to a simple client for just one-off requests like urql[1]. You can have your schema be automatically turned into type definitions for TypeScript so everything is strictly typed from the backend to the frontend. Do you want to adopt microservices? You can offer your frontend-devs a single GraphQL-endpoint with schema stitching or Apollo Federation[2].
Also great is the ability to compose queries how you see fit. Need a sub-sub-sub entity of whatever you're querying? If the schema is properly set up, that is easily done in one request, while with REST you are potentially looking at up to 4 requests that need to be made. So from a UX-perspective it is also quite nice because there may be lower latency.
Since GraphQL is different from REST, it does require a different way of thinking by the backend developer.
I've worked on one project where the developers weren't quite thinking in GraphQL, so they had fields that referred to objects by their ID instead of referring to it directly. That coupled with not having a unified schema in a microservices environment meant, that the end result wasn't much better than just using a REST API.
So I would recommend GraphQL for projects where, like the name suggests, you have a complex graph of objects or entities you need to regularly traverse. I wouldn't use it for things where in most cases a single REST-Request is all that's needed.
I assume the password manager is supposed to prepend the host of the login form or whatever host is configured in the password manager.
So if I save example.com in my password manager, it will access example.com/.well-known/change-password no matter which urls I later visit that might be on subdomains of that original page.
If I already configured evil.example.com in my password manager, it's game over anyway before anything relevant to this spec even happens.
Usually the place where you realize you forgot your password is the login form. So the 'standard' link/button/whatever below/next to/in proximity of the login form works quite well for this.
Since the spec is intended for password managers and other user agents, it makes sense to have a standard location to access such functionality.
Also the page could be anything (i.e. doesn't have to be a redirect) so theoretically AWS could set up an account chooser that has links to all the appropriate places for your accounts
I have used gmail as my single mail account for more than 10 years and I don't deleted anything by real spam (unsolicited mail to harvested or stolen addresses). However, I get 99% of my mail forwarded from other addresses, I don't give my gmail address out.
When I look at the linked address I get
* no purchases
* no subscriptions
* (nearly?) all of my flights and hotel reservations since 2013.
Obviously Google is too American to understand that I travel more frequently by train than by plane. Several of the flights are displayed as "cancelled" although I am 100% sure that I took them without any rebooking or anything else. As a matter of fact the only flight that I could not take because of a strike is shown as "confirmed". That much about reliability of harvested data.
Originally it was part of Gmail that they scan your mails automatically in order to show you targeted ads. However, I remember they announced some time ago they would stop scanning mails. Probably I did not read the fine print in their legalize...
Evil company that I should do even more effort to avoid.
When the news of the acquisition first broke, they said they were going to keep GitHub as a separate company. So Microsoft would not have anything to do with Atom, it's still GitHub's.
The threat model for most people in the advanced protection program is "I'm a human rights activist and a government sent me a phishing link that looked like a Google docs login, and I'm not that careful, so I put my password in it", not "I run a backbone network that Intel agencies would love to tap and they're willing to expend lots of money/risk for that".
