What should be the real continuing inexcusable outrage is that Windows, even today, grants all applications full access to read the titles of all windows with no way to disable it.
If you run Windows, ask yourself what information that leaks and if you trust everything running on your machine not to exfiltrate that.
> What should be the real continuing inexcusable outrage is that Windows, even today, grants all applications full access to read the titles of all windows with no way to disable it.
That's there because it's been in there forever in the win32 API, and changing that would break applications.
For example, a long time ago, I wrote a small application that would iterate through a list of executables, launch each one sequentially, and for as long as that executable ran, it would look at the window that had the current focus, enumerate every control, and then send a click message to any control that would contain the words yes, agree, continue, accept, install, ok. Made my life easier to automatically install software on computers unattended.
There are plenty of other applications that require looking up other windows and sending them messages for all kinds of user workflows, things like autohotkey and so on. Changing that behavior would break all of them.
If the user is prompted to give permission for the application to have access to this information then at least you know which ones are doing it and can avoid using them if you are worried about it.
> the real continuing inexcusable outrage is that Windows, even today, grants all applications full access to read the titles of all windows with no way to disable it.
IIUC, X11 had the same problem, but Wayland allows sandboxing to prevent this?
And MacOS has some degree of sandboxing? But many applications require "Accessibility" permission that similarly gives far too many privileges?
> But many applications require "Accessibility" permission that similarly gives far too many privileges?
I haven't run into too many applications requesting that permission, outside of desktop automation and window management tools (Hammerspoon, Magnet, etc) which need it to do their job.
> IIUC, X11 had the same problem, but Wayland allows sandboxing to prevent this?
Wayland to my knowledge is isolated by default, with non-isolation being opt-in by both compositor and application via FD shenanigans, but don't quote me on the specifics.
> What should be the real continuing inexcusable outrage is that Windows, even today, grants all applications full access to read the titles of all windows with no way to disable it.
No thank you, I want to keep my OS with apps that are powerful and that doesn't show me a useless permission prompt every five minutes.
I think applications should not have internet access by default. They should require the user to give them either temporary or permanent permission to connect to the internet. Ultimately that's where the security bottleneck is.
I'm frankly disgusted that drivers for hardware like this need to connect to the internet in the first place. This data is clearly not being used to improve the user experience. If it was, then it wouldn't have been a surprise for Wacom that it was collected. Other companies, like Microsoft, also wouldn't be making such terrible UI/UX decisions time and time again, if this data was actually used for improving the user experience.
More than a decade back, I used to do this using firewall rules. It used to be a single-click firewall setting to disable all apps by default, have a pop-up show up when an app not already in the rule set would try to access the Internet, and thus keep building / refining the rules.
One workaround apps had was to open a browser window to send information over.
There's no reason I would want mouse / keyboard / pen-tablet / printer, etc. drivers to be accessing the Internet, not even for checking for updates. And there's no real reason for these drivers to be more than a few KB in size, leave alone 100+ MBs like these have been since ages.
I asked myself and the answer is no. Now what? I have dealbreaker problems with Linux and Mac. I'm also not going to pull a Terry Davis and make my own OS, and I'm not willing to participate in the circus that is open source either.
With these in mind, what am I supposed to do, move to the mountains and live the life of a hermit? Once again, not happening. It'd appear that I'm between a rock and a hard place - exactly as designed. This is what an ecosystem grip is like.
"What option do I have left after rejecting every other option?"
I guess the answer, for you, is that you have no other option.
For others, I'll say that I've had 3 Wacom tablets (I keep upgrading), including one with a screen and they have all worked well enough with open-source drivers. They're popular enough that you can do some research to know how they will work on Linux.
I'd say that in these cases, when there really is no viable option (including just not using...) then the optimal course of action is to choose the "least worst". Compromises work where ultimatums fail.
I have an old unbranded Chinese tablet that came with a CD-ROM containing the driver, configuration utility, their source code, and even a datasheet for the MCU it used. A huge contrast between merely selling a product, and trying to control the whole "experience". IMHO we need more of the former, but corporate attitudes strongly encourage the latter.
I have an old Wacom tablet on the larger size that I got for free from a company getting rid of stuff. I can plug it in today to my Mac and it just works. No driver software needs to be installed. This blew me away that it was that easy to use. I thought for sure I'd have to surf some hellish landscape of sketchy websites offering software for long since deprecated hardware. Maybe I don't have all the functionality of some of the buttons on the tablet, but I've never found myself needing them. As long as the pen on the tablet moves the cursor, I'm happy. The fact that it even detects pressure was just icing on the cake. I find that to be better than having the source code available. Old source code can still be a nightmare to compile on modern systems.
I am not surprised. We've known for a while old OS design can't fix this. Not in a comprehensive way. We can patch over specific cases but the basic design is wrong. Capability-based OSes like mobile ones tend to work better here.
We can't keep assuming code run on-device is trustworthy. Not just in the "not malware" sense. In that of "does what the user wants and nothing more, nothing less."
Just like all other drawing tablet manufacturers like Huion, for that matter. Block it in your firewall unless you want it to siphon your data.
I feel like this post is from a couple decades old time capsule. 99% of corporate software is just data exfiltration endpoints now, especially the kind of software that hardware manufacturers tend to make for Windows, which is bloated panels with a couple toggles that are only here to collect your data. The privacy policy is simply a cover-up in most cases. It's not like you have a choice either, because other manufacturers are the same. This stuff needs active countermeasures that treat it as hostile, but since it's hardware it often has low-level access.
"We apologize for any confusion regarding data collection being done by the Wacom software driver and the unclarity about the actual information collected."
Again and again: any PR containing "confusion" seems BS to me.
Not the first time something like this is shown here. And it is very important to say that such a thing is an anti-feature of the driver and that something like this would probably never be acceptable on Linux, where such devices work beautifully just after plugging.
The operating system where these things happen should also be blamed.
https://web.archive.org/web/20200307082846/https://community...
Wacom now has an opt-in for data collection.
On desktop there could be ways added to sidestep them, eg. defined in bulk in a processname.permissions file somewhere protected.
Stop gaslighting! Take responsibility!
Related discussion and developments then: https://news.ycombinator.com/item?id=22247292
And again later, https://news.ycombinator.com/item?id=29056847