icyfox · 3 years ago
I know this happens with some frequency, I wonder how frequently the companies update the TOS with language like this. The very idea of a self-updating TOS that will govern all usage into perpetuity feels like it should have been legally struck down years ago. This company's current language on indistinct modification rights:

> We reserve our right to alter the terms in this Agreement and/or the pricing information and method detailed in NightOwl app's website at any time. In case the Agreement is amended as described, we will post an updated version of it in our website, at which time it becomes active and binding.

> In case NightOwl app alters the Agreement in a way which will be deemed material to the relations and/or obligations of the parties by NightOwl app's sole decision, we will inform you of these changes on our website or via our social media accounts and other established communication channels.

Great, a website update for a locally installed application. Definitely going to subscribe to your social feed to get an update.

cudgy · 3 years ago
“In case the Agreement is amended as described, we will post an updated version of it in our website, at which time it becomes active and binding”

Several years ago, a friend entered into a contract with Comcast for business internet and phone service that had similar wording and no actual URL for the site. My instinct was that would be unenforceable and unconscionable, but you’d think Comcast legal would have thought it through.

Any lawyers out there familiar with this type of wording related to contract changes being posted on a website, particularly where no notice is given?

lynguist · 3 years ago
Could maps.me also be in a similar state? It used to be a good OpenStreetMap frontend and it was bought (possibly twice) by some investor firm to generate profit.

I don’t know what the state of this app is now. Does anyone know? What is the profit scheme (I suspect it might be similar to this one described here) and to which app would you switch instead?

jcul · 3 years ago
OrganicMaps is a FOSS fork of maps.me I believe.

I've been using it and it is great.

https://github.com/organicmaps/organicmaps

burkaman · 3 years ago
It has been struck down and probably would be again if anyone felt like suing: https://arstechnica.com/tech-policy/2007/07/court-says-no-to..., https://scholar.google.com/scholar_case?case=592583419165850...

> [Safeway] reserves the right to, from time to time, with or without notice to you, in [Safeway's] sole discretion, amend the Terms and Conditions for use and purchases regarding the online shopping services. Any amendment by [Safeway] will be effective only as to orders you place after [Safeway's] revisions of these Terms and Conditions as displayed on the Web site. [Safeway] will plan to notify you of any material amendments to these Terms and Conditions; however, it is your responsibility to review the Terms and Conditions before submitting each order. [Safeway] has no responsibility to notify you of any changes before any such changes are effective.

> Defendant argues that, at the time of their safeway.com registration, Class Members agreed to give Safeway the authority to change the terms of the contract without notice to them, by indicating that they agreed to the version of the Special Terms that are in effect at the time they make their subsequent orders. Defendant's version of the Special Terms states that customers agree to the terms "and the form in which they appear at the time your online transaction is processed." ECF No. 187 at 16-17 (emphases added). In order to complete their registration, Customers were required to manifest agreement to the Special Terms shown to them by clicking a link. Defendant contends that, as a result of users' agreement to this Special Term at the time of their registration, Safeway was not required to notify customers of future changes to the terms for those changes to become effective. Safeway contends that, because Class Members read the initial registration contract, every time they opted to go forward with an online purchase after registration, they were on notice that they were assenting to a new contractual agreement, governed by the Special Terms operative elsewhere on the website at the time of that purchase.

> The Court rejects this argument. The safeway.com agreement did not give Safeway the power to bind its customers to unknown future contract terms, because consumers cannot assent to terms that do not yet exist. A user confronting a contract in which she purports to agree to terms in whatever form they may appear in the future cannot know to what she is agreeing. At most, this term in the safeway.com agreement could be read to indicate that a customer agrees to read the terms and conditions every time she makes a purchase on the website in the future. But the Court also concludes that, even in light of their agreement to the Special Terms at the time of registration, customers' assent to the revised Terms cannot be inferred from their continued use of safeway.com when they were never given notice that the Special Terms had been altered.

icyfox · 3 years ago
Thanks for linking to these. They are certainly in the right direction although they're a bit vague on how much notice to give:

> Even if Douglas’s continued use of Talk America’s service could be considered assent, such assent can only be inferred after he received proper notice of the proposed changes. Douglas claims that no such notice was given. (Douglas v. Talk America)

> But the Court also concludes that, even in light of their agreement to the Special Terms at the time of registration, customers' assent to the revised Terms cannot be inferred from their continued use of safeway.com when they were never given notice that the Special Terms had been altered. (Rodman v. Safeway)

Both cases seem focused pretty narrowly on situations where notice was not given. Is continuing to use an app after an update notification enough? Glancing over a GDPR-like popup? An email? I'd prefer an explicit opt-in to changes once they've occurred.

balaji1 · 3 years ago
was there a similar (policy or functionality) change to "the great suspender" chrome extension recently? Browsers seem to have marked it as unsafe.
dspillett · 3 years ago
> The application … makes a lot of connections to [site], a website that sells tickets to live music events

This is a common use for residential proxies. Ticket touts buy use of the infected users to make requests to try to beat restrictions on access from data-centre hosts or high-volume access from any other hosts, to increase their chance of getting valuable tickets for later resale.

A number of backdoored (by the creator, by someone cracking into their source repositories, or in this case by buy-out) free browser extensions, VPN apps, and such, turn the user's machines into a proxy like this.

hoofhearted · 3 years ago
NordVPN does this as well. Google and Amazon own large blocks of IP ranges for their cloud services, so it’s fairly easy to detect bots built on AWS and Google cloud.

On the other hand, Verizon also owns a large block of IP addresses that they give out to their residential customers.

NordVPN takes advantage of the fact that people like Netflix and Amazon don’t want to block out Verizon’s IP ranges, and disguises network traffic as residential traffic.

knodi123 · 3 years ago
> NordVPN does this as well.

Do they? Last time I looked into this drama, it seems like the botnet accusations were just scurrilous slander.

https://www.comparitech.com/blog/vpn-privacy/nord-vpn-botnet...

Philip-J-Fry · 3 years ago
I can't see anything suggesting they proxy VPN traffic through their users. Would certainly be a scandal worth talking about if true.
otterley · 3 years ago
Do you have a link to more information somewhere? I'd like to know more about what NordVPN is doing, if true. It's certainly not what their customers expect.
mschuster91 · 3 years ago
I hate silent takeovers so much. Chrome developer extensions are another very popular thing for bad actors to buy out and replace with malware, and it sucks.
extesy · 3 years ago
As a maintainer of a semi-popular chrome extension[1], I receive so many buy-out offers that I started publicly collecting them[2] for everyone to see.

[1] https://chrome.google.com/webstore/detail/hover-zoom%20/pccc...

[2] https://github.com/extesy/hoverzoom/discussions/670

hackernewds · 3 years ago
I LOVE Hoverzoom. You must resist so much, since the app does require deep access.
stOneskull · 3 years ago
you're one of the goodies. thank you.
riow · 3 years ago
what is the difference between hoverzoom and Imagus?
1970-01-01 · 3 years ago
>I hate silent takeovers so much.

This is a great app idea. Monitor the app owner. If the owner changes overnight, alerts to the moon.

agnosticmantis · 3 years ago
Until we learn that this monitoring app has itself been acquired. /s
haolez · 3 years ago
They would just change the acquisition details to avoid changing the owner and giving the account credentials over instead.
stjohnswarts · 3 years ago
wouldn't they just buy the account/password and not let google know?
laurent123456 · 3 years ago
That's the problem with free apps. Very few people want to donate, no decent company is interested in buying the app and making it profitable, so all that's left are the worst kind of companies who buy these extensions and apps to exploit the users.

All these free apps have value but unfortunately it doesn't translate to any income for the developer so they find other ways.

mulmen · 3 years ago
And their values are what exactly? They offer something for free with no reasonable expectation of compensation then rug pull by selling out. It’s hard to be sympathetic. If you want to get paid to write code then get a job writing code.
reustle · 3 years ago
Couldn't this happen to paid apps just as easily?
ptx · 3 years ago
It's a problem with "free as in beer" apps but not with "free as in freedom" apps.

When the packages are built from source code by a trusted distributor like Debian or F-Droid [1], this kind of change is likely going to be noticed by the packager and not let through to users.

[1] https://f-droid.org/

smoldesu · 3 years ago
It's not a problem with Free apps. If you're forced to redistribute the source code, it heavily disincentivizes attacks like this.
hackernewds · 3 years ago
ActionDash being bought by Sensor Tower comes to mind. One of the most invasive apps requiring insane levels of permissions (rightly so to perform system level functions) being bought out by an ad and data-selling entity seamlessly is absurd
mcguire · 3 years ago
<libertarian> What's silent about it? It's right there in the TOS, which you agreed to by using the software. Caveat Emptor, and all that. </libertarian>
trolan · 3 years ago
<dictionary> silent: tending to speak very little: not loquacious </dictionary>

If the buyer alone was responsible, there would be no terms of service. It's only with community protections and regulations that you get the information required to attempt to make an informed choice. The same community should be empowered to drive normal ethics without it being overtaken by the 'drivers licenses are tyranny' crowd.

wlesieutre · 3 years ago
The perfect market will solve this and if it doesn't it's the users' fault for not having perfect information!
cpleppert · 3 years ago
>> It is an alternative to the built in macOS automatic mode which only switches when the user steps away from the computer.

Huh? Setting a schedule/location for nightshift and setting the dark mode setting to auto will always change instantly. If you use a launcher or Spotlight then a simple one-line AppleScript can change the setting as well (`tell application "System Events" to tell appearance preferences to set dark mode to not dark mode`).

jw1224 · 3 years ago
> Huh? Setting a schedule/location for nightshift and setting the dark mode setting to auto will always change instantly

Not in my case?! I’d say there’s a 25% chance that Dark Mode enables at sunset. It’s been this way for years — even up til Ventura.

Has it worked flawlessly for everyone else the whole time?

CoryAlexMartin · 3 years ago
I have the same experience. Dark mode automatically turns on way later than I’d like it to.

From the article: "It is an alternative to the built in macOS automatic mode which only switches when the user steps away from the computer."

If I set up night shift, it will switch to dark mode at the time I set, but it also tints my screen (even subtly, if I turn the slider all the way down), which I don't care for as someone who does art.

plorkyeran · 3 years ago
I have never had any issues. Every single day I get the jarring shift as all the dynamically dark-mode-aware apps shift color schemes and realize that the sun must be setting.
balaji1 · 3 years ago
there seem to be many features that are flawless for some, and hit-or-miss for others. Example: AirPods pairing, AirPlay are not always consistent.
fingerlocks · 3 years ago
Only time it didn’t work flawlessly was because I had contradictory settings between my phone and MacBook
K7PJP · 3 years ago
In 2018, when NightOwl was released, some or all of these affordances didn't yet exist.

deviantintegral · 3 years ago
It looks like Apple has revoked the developer certificate. Anyone know if there's a public log somewhere showing when it was revoked?

The app was blocked from loading, but I still saw the two dylibs running. I wondered if it was because the certificate was revoked after they had already started. However, logging out and back in still showed them running. Perhaps they're persisting through log outs?

As well, I got a prompt from the macOS firewall to allow the mentioned AutoUpdate binary to listen for connections. That makes me think all of this was deployed in the last few days.

Edit: A reboot gave me the `“NightOwl” will damage your computer. You should move it to the Trash.` dialog. Allowing that did not fully clean things up (leaving a non-functional `/Users/*/Library/LaunchAgents/NightOwlUpdater.plist` in place and the usual preference files). For me, Hazel cleans those up.

I think the approach for non-technical users who may not be familiar with the terminal would be to direct them to reboot.
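
The comment above describes a launchd job file left behind after the app itself was removed. As an added example (not part of the thread and not code from any commenter), this Python sketch lists launchd job files whose target binary no longer exists; the directory list and the status names are assumptions chosen for illustration.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError

# Standard launchd job directories on macOS (per-user and system-wide).
LAUNCHD_DIRS = [
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/LaunchAgents"),
    Path("/Library/LaunchDaemons"),
]


def job_target(job):
    """Return the executable a job starts: Program, else ProgramArguments[0]."""
    program = job.get("Program")
    if isinstance(program, str) and program:
        return program
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def classify(plist_path):
    """Classify one job file (status names are this example's own)."""
    finding = {"plist": str(plist_path), "label": None,
               "target": None, "run_at_load": False}
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # handles XML and binary plists
    except (plistlib.InvalidFileException, ExpatError, OSError):
        finding["status"] = "unreadable"
        return finding
    if not isinstance(job, dict):
        finding["status"] = "unreadable"
        return finding
    finding["label"] = job.get("Label")
    finding["run_at_load"] = bool(job.get("RunAtLoad"))
    target = finding["target"] = job_target(job)
    if target is None:
        finding["status"] = "no-target"
    elif not Path(target).is_absolute():
        # A bare command name cannot be checked by path alone.
        finding["status"] = "relative-target"
    elif Path(target).exists():
        finding["status"] = "ok"
    else:
        # The job file outlived the binary it was meant to start.
        finding["status"] = "missing-target"
    return finding


def audit(directories=LAUNCHD_DIRS):
    """Classify every *.plist in the given directories, skipping absent ones."""
    findings = []
    for directory in map(Path, directories):
        if directory.is_dir():
            for plist_path in sorted(directory.glob("*.plist")):
                findings.append(classify(plist_path))
    return findings


if __name__ == "__main__":
    for f in audit():
        if f["status"] != "ok":
            print(f"{f['status']:16} {f['plist']} -> {f['target']}")
```

Entries reported as `ok` still deserve a look when the label or target is unfamiliar, since the check only establishes that the binary exists.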

lapcat · 3 years ago
> It looks like Apple has revoked the developer certificate. Anyone know if there's a public log somewhere showing when it was revoked?

No, Developer ID doesn't use a Certificate Revocation List:

https://lapcatsoftware.com/articles/revocation.html

deviantintegral · 3 years ago
Given https://eclecticlight.co/2023/08/08/apple-has-just-released-... it does look like it was revoked in response to the original article, and not the other way around.
walthamstow · 3 years ago
macOS pulled it for me, refused to open it

Replaced it with Nightfall https://github.com/r-thomson/Nightfall

seemaze · 3 years ago
You can also put display settings directly in the menu bar using:

Settings > Control Center > Display > Always Show in Menu Bar

I'll concede it takes a second click to toggle dark mode, but you also have night shift as an option, and it's 100% native.

K7PJP · 3 years ago
This option wasn't available in 2018, when NightOwl was released. I had to test our application's Dark Mode implementation and NightOwl was super-useful then. I'm glad Apple made it easier to toggle dark mode in the interim.
radicality · 3 years ago
Another very simple way is to make your own thing with the default Automator app.

* open up Automator and create new application

* select “change system appearance” and select toggle light/dark mode.

* save the ‘app’

Now, whenever you want to toggle light/dark mode, just open up spotlight and open up whatever you named the app. There’s probably a way to do it with Shortcuts too.

princevegeta89 · 3 years ago
If toggling between modes is all that is needed, it can be done right through BetterTouchTool. I just assigned a right-click+option+cmd globally for it and it works like a charm
ajkjk · 3 years ago
There's gotta be some law that could be passed about stuff like this. Software should have an implicit contract that it does what it says and not something wildly different than it, with harsh penalties for violations.
runlaszlorun · 3 years ago
We should all have our own EULAs that they implicitly agree to… lol.

I should start doing this with big websites. And of course my EULA is a 10MB file I’ll send with every request until they accept… :)

Can you imagine if that caught on? DDoS by EULA!

cpmsmith · 3 years ago
Common licenses specifically go out of their way not to imply such a contract. This is the start of the all-caps portion of the MIT License [0]:

> THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO […] FITNESS FOR A PARTICULAR PURPOSE

…and the GPL has nearly the same text in section 15. [1]

[0]: https://opensource.org/license/mit/

[1]: https://www.gnu.org/licenses/gpl-3.0.html#section15

ajkjk · 3 years ago
Yeah, but also common licenses are set by the distributor. (which they're also evidently free to secretly change?)

I want the other side of the deal: a default license implicit in the existence of software that can't be traded away without an explicit contract that involves something like an exchange of money, which a federal agency will safeguard against violations of. If an extension changes its behavior nefariously people should go to jail. If Google safeguards an extension that changes its behavior nefariously then Google should go to company jail. (or, like, be fined and forced to comply).

(admittedly, this is hopeless idealism. But still.)

HWR_14 · 3 years ago
It wouldn't be that hard to make free open-source software not subject to the same rules.
lawtalkinghuman · 3 years ago
I mean, contractual terms that are implied by statute exist. English consumer contract law—which since 2015 has been extended due to the EU Consumer Rights Directive to cover digital content—includes an implied term that the goods are of satisfactory quality, and, when it's a continuing service (including something like a digital content service like Netflix or Spotify, or a software product with updates), that it doesn't radically depart from what's initially offered.

See https://www.legislation.gov.uk/ukpga/2015/15/part/1/chapter/...

Most jurisdictions have something broadly similar (albeit often not quite up-to-date around software and digital products). Everywhere in the EU will have laws that implement the EU's Consumer Rights Directive.

Which is great and would apply if you'd paid money for it. NightOwl is free (as in beer). The expectations the law sets out regulating the sale of goods and services do not apply when no money has changed hands.

Which I'd argue is pretty much right: while it sucks that companies get taken over and have spyware crap put into products, the idea that, say, a teenager who is hacking around and building stuff to learn how to code, puts up a project they've made as open source or a freeware download, does something silly like the left-pad debacle, then gets sued—potentially by a big corporate behemoth with very deep pockets and very scary lawyers—for a series of acts which involved them writing some software for no money. Regulation of technology should rest far heavier on the shoulders of Google, Microsoft, Apple and so on than it does on a hobbyist or small indie dev creating freebie menubar utilities or Chrome extensions or whatever.

The difficulty of ensuring those little freebie and open source apps don't become a vector for supply chain attacks remains difficult. Much better sandboxing and OS app-level permissioning, good network monitoring and anomaly detection on a per-app level, and building trust into packaging/distribution processes - these are all slow, grinding, incomplete ways to improve this. Lawsuits probably aren't.

WirelessGigabit · 3 years ago
> It also tries to open a UPnP port forward on your router, but fails on mine because the key names are jumbled:

This should fail on any router as you should have UPnP disabled.

klabb3 · 3 years ago
I mean UPnP is a horrible spec but it’s a stop gap for restoring the fundamental capability of internet-connected devices in residential settings. All p2p apps (Tailscale for instance) need to act as a server temporarily and allow incoming traffic. Without the capability you’re a second class citizen, so to say. It’s infantilizing the user.

Now, you can of course open the ports yourself, but this is inaccessible to the vast majority of users due to undiscoverable, inconsistent and complicated UX. Most people don’t know what a port is.

WirelessGigabit · 3 years ago
Tailscale uses STUN. No need for me to map ports. https://tailscale.com/kb/1082/firewall-ports/
TheRealPomax · 3 years ago
Let me tell you about family members that have a mac because "they don't want the hassle of a windows laptop". They also don't want the hassle of not having UPnP, that setting is going to be turned on whether you know better or not.
rootusrootus · 3 years ago
> Let me tell you about family members that have a mac because "they don't want the hassle of a windows laptop".

They are not wrong. E.g. It amazes me how much pain and suffering Microsoft expects users to endure just to use a printer. It is not lost on my stepmother that her Windows machine has endless problems setting up and printing to her Brother laser printer, but her iPhone just sees it without having to be told.

jeroenhd · 3 years ago
Disabling UPnP makes your system more secure, but unless you also disable all NAT ALGs in your router, you're still exposed to its dangers.

I don't think most routers have a setting for that, so if infected devices are part of your security model, it would be wise to assume NAT is entirely non-functional because of [NAT slipstream attacks](https://samy.pl/slipstream/). An infected device can modify the router's NAT table to effectively act like UPnP, except they don't provide a user interface for you to audit.

If you're NAT free (i.e. only use IPv6) disabling UPnP can be a decent security measure if you're willing to manually do all of your firewall exclusions, but honestly host firewalls are the only reliable protection method for most people these days.

callalex · 3 years ago
Do you deny the need for UPnP entirely? This is a confusing statement.
Astronaut3315 · 3 years ago
What do you actually need it for? I’ve had it disabled for ages, have no port forwards defined and have never had any issues.