I dunno what audience this article is aimed at, but it could do with trying to use fewer abbreviations - I've never seen the new tab page be abbreviated to NTP (that's the time server thing after all).
Big companies tend to do this sort of thing, they are large enough to ignore convention 'outside' and it tends to give the insiders the feeling that they are special, it's another form of gatekeeping. You see the same in the military with endless acronyms.
On a smaller scale, tech people do the same thing by using more complex terms for simple things to appear to have some kind of special knowledge. It's all about who is on the inside and who is on the outside. Highly annoying.
Such DSLs can serve to increase the speed of communication but more often than not they are simply used for obfuscation purposes.
> Such domain specific languages can serve to increase the speed of communication but more often than not they are simply used for obfuscation purposes.
> You see the same in the military with endless acronyms.
The military take the abbr.hl. to the next level. But at least the abbreviations are properly documented there. I guess the root is keeping telegraphy short?
On my last job it was so bad that it took like a year before you could follow conversations properly. Also old deprecated abbreviations were used for extra flavor. E.g. calling projects or departments by their former former name.
> Just kidding, trick question, the answer is NEVER.
What? The answer is ALWAYS. Set your start page to be `about:blank` and you see a blank page. I've had this as my starting page in every single browser since the 90s.
You can have about:blank be the start-up page and the home button, but not for new tabs. You used to be able to do that. Won't be surprised when the start page will need to be an https link, you know, for security reasons.
Chrome has that setting too, but it's not that simple. It's only available as an enterprise policy. If anyone doesn't know about this, Chrome has tons of hidden settings configurable through Group Policy on Windows and through /etc/opt/chrome/policies/managed/policies.json on Linux.
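A concrete form of the managed policy file the comment above points at, as an added example rather than anything the commenter posted. It assumes the NewTabPageLocation policy (linked elsewhere in this thread) accepts about:blank, and uses the real HomepageLocation, HomepageIsNewTabPage, RestoreOnStartup and RestoreOnStartupURLs policies so that start page, home button and new tab all end up blank; the file lives at the Linux path named above (/etc/opt/chrome/policies/managed/policies.json).

```json
{
  "NewTabPageLocation": "about:blank",
  "HomepageLocation": "about:blank",
  "HomepageIsNewTabPage": false,
  "RestoreOnStartup": 4,
  "RestoreOnStartupURLs": ["about:blank"]
}
```

Policies under the "managed" directory are enforced and cannot be changed from the settings UI; chrome://policy shows which policies are currently applied and from where. Since the same mechanism can point the new tab page at any URL, checking chrome://policy is also how you verify that nobody else has set one on a machine you administer.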
I have a personal new tab chrome / firefox extension that does exactly this. A black screen, a button, that's it. Don't install someone else's extension -- make your own off a minimal example on github. It's... well it's about the simplest bit of code I've written that I rely on daily.
The first thing that I do is turn off these fancy new tab pages. Very often, there is no option to have a blank page instead, and fewer and fewer people know about pages like about:blank.
Firefox opens new tabs saying “We care about your privacy, look, LOOK!” every time you start, sometimes two of those tabs (release notes + privacy). I wish I could just deactivate those built-in ads.
Does Firefox actually get hate? I don't think I've seen people actually make digs at FF.
For me it would be Edge that gets the most laughs, but I find it is a better performing browser, at least in terms of UI, than FF or Chrome. Side-bar tasks, grouping, integrated screen-shot, etc.
It wasn't a particularly likely exploitation route... The user had to already be double-clicking files they'd downloaded from a malicious webpage. At that point, it might as well have been an .exe file.
And after all that, all it can do is run a search query. It can't leak all your Gmail emails or exploit the local machine.
> And after all that, all it can do is run a search query. It can't leak all your Gmail emails or exploit the local machine.
Doesn't that contradict the following?
> “However, because the IPC channel was exposed to JS directly in New Tab page, the XSS in Chrome’s NTP can be treated as the equivalent of renderer process RCE.”
I also hate not having option to make my new tab page empty but thinking about the time I have spent for people I know to make their browser homepage cleared ... I won't object it being managed by the browser companies... if you know what I mean... mendokusai...
Google VRP is giving the wrong incentives here, as such a small (insulting?) reward will surely orient some researchers to the exploit market rather than responsible disclosure.
Q: Do you have enough domain knowledge to be judging the incentives ?
Well... I don't know. Does anyone have to be a domain expert to say that security reporting that affects tens or hundreds of millions of people should be compensated better than 1k USD?
I dislike a bit the "justified" argument, as very often it dismisses important weak-signal warnings. Our work in Security is often about being sensitive and not dismissive. But here you go:
I've been in infosec since 1987 (34 years) and never left it, so I'll let you decide ;-) even if I'm a dinosaur in Internet times ;-)
Q: What do you think would be a fair amount ?
IMHO, the fair amount is definitely in the tens of thousands.
But we could attempt a quantified approach, always debatable (Risk = Likelihood * Consequence), e.g. Likelihood based on phishing campaign success per country or global, and then the mean / average cost of theft when leveraging the full exploit chain (IPC included), i.e. cookies -> auth -> leveraged identity theft impact. And then give a percentage of that cost as a bounty-based "insurance" mechanism. Not easy, but an attempt could be made. Surely that would result in way higher compensation.
I'd be interested to know what the market would have paid for this bug. I don't really see why it would be useful to anyone but I am far from an expert.
(I think I missed the self referencing joke).
Just kidding, trick question, the answer is NEVER.
(No, an extension which overrides all the bloated pile of crap after it's already been processed and rendered does not count.)
https://chromeenterprise.google/policies/#NewTabPageLocation
Preferences » Home » New Tab page [Firefox startpage v]
or, about:preferences#home
afaik, extensions that set chrome_url_overrides.newtab in their manifest file prevent the native NTP from loading at all.
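The manifest for the kind of minimal "black screen and a button" new-tab extension described earlier in the thread, as an added example that is not the commenter's own code: it assumes a local newtab.html in the extension package and uses the chrome_url_overrides.newtab key named above (also supported by Firefox under the same name).

```json
{
  "manifest_version": 3,
  "name": "Blank New Tab",
  "version": "1.0",
  "description": "Replaces the built-in new tab page with a local blank page shipped in this package.",
  "chrome_url_overrides": {
    "newtab": "newtab.html"
  }
}
```

No "permissions" or "host_permissions" are requested, so the extension can neither read other pages nor talk to the network; the only file it loads is its own newtab.html. That is what makes writing your own a few lines of work and auditing it trivial, whereas a third-party new-tab extension that asks for broad permissions has far more access than a blank page needs.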
i would never use a browser w/o a blank new tab page; it's universally supported isn't it?
For all the hate they get, FF is easily the best and most respectful browser around
What I don't like is Mozilla using it as a dairy cow, and starving it on top of that.
Damn that is an offensively small amount - less than the cost of a Google engineer for a days work.
Google, shame on you.