New Update Osprey Browser Protection discussion and updates

[Vitali Ortzi]

Personally, I trade privacy for security.

Most likely your information will still stay mostly private anyway as it's not much of use for them to store it and many providers remove it in under 24 hour (keep it mostly to protect against DDos attacks etc and remove it once it isn't required)


IP address, user agent , url (without parameters) is the whole information they have
And user agent of a popular browser is usually similar between many people , IP address changes over time and gives them a general area you're located at (for non governments as only governments can get precise information from that ),url in majority of cases is so general that it won't help anyone unless you go to a non popular address


So hmmm it's just wasted storage as it's not sellable information

 

[Vitali Ortzi]

Most likely your information will still stay mostly private anyway as it's not much of use for them to store it and many providers remove it in under 24 hour (keep it mostly to protect against DDos attacks etc and remove it once it isn't required)


IP address, user agent , url (without parameters) is the whole information they have
And user agent of a popular browser is usually similar between many people , IP address changes over time and gives them a general area you're located at (for non governments as only governments can get precise information from that ),url in majority of cases is so general that it won't help anyone unless you go to a non popular address


So hmmm it's just wasted storage as it's not sellable information

@bazang what do you think will non government entities be able to gain enough from that intelligence and sell it to data brokers ?
and do you think non government entities can pinpoint a user with such general intelligence ?
To me it looks like a needle In a haystack unless you're a government

 

[CyberDevil]

You can always check the code yourself as it's JavaScript

Do you think it's so much fun to check the code of all the extensions I have installed in my browser? AI simplifies this task, I won't do it with my hands even considering that JS is my main language at work.

 

[Fan-of-spyshelter]

Personally, I trade privacy for security.

security for who ?

 

[Foulest]

@Foulest,

if you pretend to be an official partner of PrecisionSec (behind a private agreement),

where are the legals therms, accessibility, and privacy policy on the website about the CEO from PrecisionSec,
i d'ont see it, this is an obligation for every website in the World Wide Web (inside USA and CANADA), can you mention it ?

for u clear information :

Checklist of requirements for federal websites and digital services

Links to relevant laws, policies, and regulations for federal agencies.

digital.gov

I've reached out to my contact. I expect a privacy policy from PrecisionSec soon. Thanks for letting me know!

 

[bazang]

@bazang what do you think will non government entities be able to gain enough from that intelligence and sell it to data brokers ?
and do you think non government entities can pinpoint a user with such general intelligence ?
To me it looks like a needle In a haystack unless you're a government

Any data that can be commoditized and generate revenue - I think few companies would choose not to sell the data for profit.

Users are already trackable by a long list of means. To protect against all those tracking methods requires a massive effort that is not behaviorally or technically trivial. It alters the way a user interacts with a system to the extent that it is a very-limited user experience and they cannot do the things that they want with ease/convenience.

There are hardcore privacy and anonymity and anti-data collection enthusiasts over at Wilders.

 

[Parkinsond]

security for who ?

For all mankind.

 

[Andrew999]

I am now using this extension and I find it very effective. I like the block pages but I was wondering if it is possible to list all the providers who have blocked the link not just 1 so we know more likely if it is a false positive too. For example, I have multiple protection options enabled but it shows just 1 it is reported by but I assume more will have blocked the link.

Thanks

 

[Higgsie]

I am using Osprey version 1.2.1 in Edge and got an alert that <US Home | Daily Mail Online> was blocked by MalwareURL Protection.

I used the report feature and this was MalwareURL supports reply message which concerned me. What does "illegal Osprey Extension" mean? I would have assumed the extension was using their services legitimately under some kind of licence agreement.

Email from MalwareURL Support<Team@MalwareURL.com>

Hello
This alert was generated by an illegal Osprey Extension. I recommend that you uninstall it immediately.

Regards
Tim

 

[Spiff]

@Higgsie,
See yesterday's post by Foulest.
The post explains why MalwareURL was removed in the new version 1.2.2.

 

[Vitali Ortzi]

I used the report feature and this was MalwareURL supports reply message which concerned me. What does "illegal Osprey Extension" mean? I would have assumed the extension was using their services legitimately under some kind of licence agreement.

Email from MalwareURL Support<Team@MalwareURL.com>

Hello
This alert was generated by an illegal Osprey Extension. I recommend that you uninstall it immediately.

Regards
Tim

The api was public for lookups so osprey made use of it and malwareurl decided that wasn't fair use and blocked the access and since then osprey immediately removed that provider to comply with his request
Btw google , Microsoft and almost every big tech makes similar usage of apis so it's not exactly illegal but without explicit permission it can be interpreted either way but since osprey removed it immediately after a request was made then there is nothing "illegal" and even then it depends on a court order to decide if it is actually illegal or fair use

 

[mlnevese]

I'm a lawyer. If it was a public API and there was nothing in their policy prohibiting its use in software like Osprey, then it's not illegal in any country, as far as I know. Of course, they may request the removal of their service from any software and change their policy at any time, within certain limitations. In fact, Osprey's author could potentially sue them for falsely claiming that his software is illegal, if he chose to.

 

[Vitali Ortzi]

I'm a lawyer. If it was a public API and there was nothing in their policy prohibiting its use in software like Osprey, then it's not illegal in any country, as far as I know. Of course, they may request the removal of their service from any software and change their policy at any time, within certain limitations. In fact, Osprey's author could potentially sue them for falsely claiming that his software is illegal, if he chose to.

The false positives information users would have provided to malwareurl would have benefited them so regardless of legality both parties lose (us with one less provider , malwareurl with intelligence data including false positive reports that the users could have provided )

 

[Foulest]

I am now using this extension and I find it very effective. I like the block pages but I was wondering if it is possible to list all the providers who have blocked the link not just 1 so we know more likely if it is a false positive too. For example, I have multiple protection options enabled but it shows just 1 it is reported by but I assume more will have blocked the link.

View attachment 288936

Thanks

This isn't possible due to the nature of the extension. All pending network requests are stopped if the block page is shown to prevent conflicts. Also, reporting is done per provider, so opening multiple report pages at once wouldn't be optimal.

 

[Foulest]

I'm a lawyer. If it was a public API and there was nothing in their policy prohibiting its use in software like Osprey, then it's not illegal in any country, as far as I know. Of course, they may request the removal of their service from any software and change their policy at any time, within certain limitations. In fact, Osprey's author could potentially sue them for falsely claiming that his software is illegal, if he chose to.

I'll always comply with removal requests, no matter what. Also, I wasn't aware that the API was illegal to use. Their Chrome extension is free to use seemingly indefinitely, the source code isn't obscured, and the code to generate an API key is freely available for anyone to see and is incredibly simple. Not to mention, there is no TOS on their website. Anyway, it's removed and won't be brought back. Osprey is safe to use.

 

[Foulest]

The false positives information users would have provided to malwareurl would have benefited them so regardless of legality both parties lose (us with one less provider , malwareurl with intelligence data including false positive reports that the users could have provided )

They never responded to any false positive requests in the first place. That's why they were disabled by default. I track the response times for Osprey users to make sure that if there is a false positive, it gets fixed between 1-3 business days. Otherwise, they're disabled.

 

[Higgsie]

@Foulest
Thanks you for updating the thread, I didn't remove the extension as I trusted it, but thought I would highlight their email response.

Keep up the good work

 

[simmerskool]

I'm a lawyer. If it was a public API and there was nothing in their policy prohibiting its use in software like Osprey, then it's not illegal in any country, as far as I know.

res ipsa liquitur

 

[goodjohnjr]

They sent a cease and desist, which they had every right to do considering I was using their API without their explicit consent, and within 30 minutes the 1.2.2 update was pushed and MalwareURL was removed. It isn't exactly the worst case scenario for something like this to happen, but it's up there.

I wouldn't expect this type of thing to happen much or at all in the future, but if it does happen with any other provider that isn't an official partner, they will be removed from Osprey effective immediately, as per their request. I wouldn't expect this to happen at all with any DNS-based provider like Quad9, as all of them are public DNS servers.

Thank you, @Foulest, for responding and for your web browser extension.

Thanks for sharing that, I do recommend sharing that in your change log / news / social media / blog / website / whatever next time.

Please do not continue to put yourself at risk like this.

Be cautious, use common sense, and follow the law(s).

Contact all list & API creators for permission before adding them to your extension.

I recommend removing any that you did not get permission for.

Otherwise, you are setting yourself to get sued, your extension removed from various stores, et cetera.

That would be a shame.

Also, you lose trust, by using your current approach.

You have a good extension with a lot of potential to help people.

Please consider my suggestions.

Have a good night.

 

[Vitali Ortzi]

Thank you, @Foulest, for responding and for your web browser extension.

Thanks for sharing that, I do recommend sharing that in your change log / news / social media / blog / website / whatever next time.

Please do not continue to put yourself at risk like this.

Be cautious, use common sense, and follow the law(s).

Contact all list & API creators for permission before adding them to your extension.

I recommend removing any that you did not get permission for.

Otherwise, you are setting yourself to get sued, your extension removed from various stores, et cetera.

That would be a shame.

Also, you lose trust, by using your current approach.

You have a good extension with a lot of potential to help people.

Please consider my suggestions.

Have a good night.

Companies play with other companies apis without necessarily having permission if an API is public you shouldn't need permission to make use of it