Uninstall the NightOwl app
robins.oneI know this happens with some frequency, I wonder how frequently the companies update the TOS with language like this. The very idea of a self-updating TOS that will govern all usage into perpetuity feels like it should have been legally stuck down years ago. This company's current language on indistinct modification rights:
> We reserve our right to alter the terms in this Agreement and/or the pricing information and method detailed in NightOwl app's website at any time. In case the Agreement is amended as described, we will post an updated version of it in our website, at which time it becomes active and binding.
> In case NightOwl app alters the Agreement in a way which will be deemed material to the relations and/or obligations of the parties by NightOwl app's sole decision, we will inform you of these changes on our website or via our social media accounts and other established communication channels.
Great, a website update for a locally installed application. Definitely going to subscribe to your social feed to get an update.
“In case the Agreement is amended as described, we will post an updated version of it in our website, at which time it becomes active and binding”
Several years ago, a friend entered into a contract with Comcast for business internet and phone service that had similar wording and no actual URL for the site. My instinct was that would be unenforceable and unconscionable, but you’d think Comcast legal would have thought it through.
Any lawyers out there familiar with this type of wording related to contract changes being posted on a website, particularly where no notice is given?
Could maps.me also be in a similar state? It used to be a good OpenStreetsMaps frontend and it was bought (possibly twice) by some investor firm to generate profit.
I don’t know what is the state of this app now. Does anyone know? What is the profit scheme (I suspect it might be similar to this one described here) and to which app would you switch instead?
OrganicMaps is a FOSS fork of maps.me I believe.
I've been using it and it is great.
+1 for Organic Maps, it's an amazing app (I still keep OsmAnd installed for some more advanced uses)
It has been struck down and probably would be again if anyone felt like suing: https://arstechnica.com/tech-policy/2007/07/court-says-no-to..., https://scholar.google.com/scholar_case?case=592583419165850...
> [Safeway] reserves the right to, from time to time, with or without notice to you, in [Safeway's] sole discretion, amend the Terms and Conditions for use and purchases regarding the online shopping services. Any amendment by [Safeway] will be effective only as to orders you place after [Safeway's] revisions of these Terms and Conditions as displayed on the Web site. [Safeway] will plan to notify you of any material amendments to these Terms and Conditions; however, it is your responsibility to review the Terms and Conditions before submitting each order. [Safeway] has no responsibility to notify you of any changes before any such changes are effective.
> Defendant argues that, at the time of their safeway.com registration, Class Members agreed to give Safeway the authority to change the terms of the contract without notice to them, by indicating that they agreed to the version of the Special Terms that are in effect at the time they make their subsequent orders. Defendant's version of the Special Terms states that customers agree to the terms "and the form in which they appear at the time your online transaction is processed." ECF No. 187 at 16-17 (emphases added). In order to complete their registration, Customers were required to manifest agreement to the Special Terms shown to them by clicking a link. Defendant contends that, as a result of users' agreement to this Special Term at the time of their registration, Safeway was not required to notify customers of future changes to the terms for those changes to become effective. Safeway contends that, because Class Members read the initial registration contract, every time they opted to go forward with an online purchase after registration, they were on notice that they were assenting to a new contractual agreement, governed by the Special Terms operative elsewhere on the website at the time of that purchase.
> The Court rejects this argument. The safeway.com agreement did not give Safeway the power to bind its customers to unknown future contract terms, because consumers cannot assent to terms that do not yet exist. A user confronting a contract in which she purports to agree to terms in whatever form they may appear in the future cannot know to what she is are agreeing. At most, this term in the safeway.com agreement could be read to indicate that a customer agrees to read the terms and conditions every time she makes a purchase on the website in the future. But the Court also concludes that, even in light of their agreement to the Special Terms at the time of registration, customers' assent to the revised Terms cannot be inferred from their continued use of safeway.com when they were never given notice that the Special Terms had been altered.
Thanks for linking to these. They are certainly in the right direction although they're a bit vague on how much notice to give:
> Even if Douglas’s continued use of Talk America’s service could be considered assent, such assent can only be inferred after he received proper notice of the proposed changes. Douglas claims that no such notice was given. (Douglas v. Talk America)
> But the Court also concludes that, even in light of their agreement to the Special Terms at the time of registration, customers' assent to the revised Terms cannot be inferred from their continued use of safeway.com when they were never given notice that the Special Terms had been altered. (Rodman v. Safeway)
Both cases seem focused pretty narrowly on situations where notice was not given. Is continuing to use an app after an update notification enough? Glancing over a GDPR-like popup? An email? I'd prefer an explicit opt-in to changes once they've occurred.
was there a similar (policy or functionality) change to "the great suspender" chrome extension recently? Browsers seem to have marked it as unsafe.
It's been malicious for two and a half years now:
Duuuuuude. How far has time passed?!
damn.. what's the TLDR? What is the speculated worst?
TLDR: it was bought, and the new owners inserted telemetry that potentially reported all the extension's user's viewing history back to them.
What the “speculated worst” is from that depends on your paranoia about such information gathering. Most likely the information was to be fed into various marketing databases.
Obviously the same information could be used for even more nefarious purposes, particularly for users in countries with very monitor-y governments and people whose governments otherwise want human-rights abusing controls over them (women in a number of US states for instance – in fact even if their local legislature is not acting on tjhat sort of information, unpleasant groups active within the state might be).
> The application … makes a lot of connections to [site], a website that sells tickets to live music events
This is a common use for residential proxies. Ticket touts buy use of the infected users to make requests to try beat restrictions on access from data-centre hosts or high-volume access from and other hosts, to increase their charge of getting valuable tickets for later resale.
A number of backdoored (by the creator, by someone cracking into their source repositories, or in this case by buy-out) free browser extensions, VPN apps, and such, turn the user's machines into a proxy like this.
NordVPN does this as well. Google and Amazon own large blocks of IP ranges for their cloud services, so it’s fairly easy to detect bots built on AWS and Google cloud.
On the other hand, Verizon also owns a large block of IP addresses that they give out to their residential customers.
NordVPN takes advantage of the fact that people like Netflix and Amazon don’t want to block out Verizon’s ip ranges, and disguise network traffic as residential traffic.
> NordVPN does this as well.
Do they? Last time I looked into this drama, it seems like the botnet accusations were just scurrilous slander.
https://www.comparitech.com/blog/vpn-privacy/nord-vpn-botnet...
The last time someone made this claim on HN, someone from NordVPN responded saying it is false.
Almost certain. NordVPN owns Oxylabs if I'm not mistaken
Seems like it https://news.ycombinator.com/item?id=29285988
How does that "seem like it"? I don't see anything there that is proof of anything...
In an interview with TechRadar Pro, Tom Okman, the co-founder of both Tesonet and Nord Security, answered some questions regarding the relationship between Tesonet, NordVPN, and the plethora of associated online services the companies offer.
The founder of the guilty party is also the founder of the company behind NordVPN. From the article it also seems like the operational practices are similar. Additionally, it is stated by the CEO of the guilty party that operational activities will resume as normal since the suit is only for damages. Assuming that NordVPN operates in a similar way, then a residential proxy service is still on the menu.
I've never noticed unusual traffic from my machine using Nord, nor have I ever heard of that being the case. This is something trivially noticeable and measurable. Two companies having the same founder =/= the two companies operate remotely alike.
if you wait to fight a fire until you're breathing smoke, it'll be too late
I can't see anything suggesting they proxy VPN traffic through their users. Would certainly be a scandal worth talking about if true.
I believe users can opt in to let proxy traffic through.
I use NordVPN (and their client software), and I don't see any such option. I'd be pretty furious if that were happening. I have not seen evidence of it... apart from some small requests to a few of their own weirdly-named domains (which I assume are to sync their proxy list), it doesn't look like there's any traffic going from my box to anything other than whichever of their servers I'm tunneling to.
Do you have a link to more information somewhere? I'd like to know more about what NordVPN is doing, if true. It's certainly not what their customers expect.
I agree with you if you're talking about tech savvy users. But I think NordVPN has enough users who don't know what's going on under the hood that they might not understand the implications of forwarding potentially copyright-hostile packets.
That blog post does not say that NordVPN uses customer VPN endpoints as proxy servers without the customer's consent. It talks about the possibility of setting them up, but the implementation is left to the customer.
I hate silent takeovers so much. Chrome developer extensions are another very popular thing for bad actors to buy out and replace with malware, and it sucks.
As a maintainer of a semi-popular chrome extension[1], I receive so many buy-out offers that I started publicly collecting them[2] for everyone to see.
[1] https://chrome.google.com/webstore/detail/hover-zoom%20/pccc...
A Firefox equilivant: https://addons.mozilla.org/en-US/firefox/addon/imagus/
Well, Imagus also exists for Сhrome. And I do publish hoverzoom+ for Firefox and Edge as well.
I LOVE Hoverzoom. You must resist so much, since the app does require deep access.
That's exactly why it is a desirable target for would-be malware distributors.
you're one of the goodies. thank you.
what is the difference between hoverzoom and Imagus?
>I hate silent takeovers so much.
This is a great app idea. Monitor the app owner. If the owner changes overnight, alerts to the moon.
Until we learn that this monitoring app has itself been acquired. /s
Or if the browser companies themselves were owned by large corporate behemoths!
Wait…
Obviously don't narc on yourself!
Who watches the watchmen?
Have we finally found the killer app for blockchain?
Another set of watchmen.
... unless they conspire together. Ugh.
It's watchmen all the way down.
Watchwomen by a process called nagging.
They would just change the acquition details to avoid changing the owner and giving the account credentials over instead.
Yes, maybe. In this case, it would be a very actionable alert.
wouldn't they just buy the account/password and not let google know?
That's the problem with free apps. Very few people want to donate, no decent company is interested in buying the app and making it profitable, so all that's left are the worst kind of companies who buy these extensions and apps to exploit the users.
All these free apps have value but unfortunately it doesn't translate to any income for the developer so they find other ways.
And their values are what exactly? They offer something for free with no reasonable expectation of compensation then rug pull by selling out. It’s hard to be sympathetic. If you want to get paid to write code then get a job writing code.
Conversely, since it's free do they not have a right to sell their app (even if selling it to someone evil is dickish) just as they have a right to decide to "update" it to remove well-liked functionality? Or just as they have the right to update it to add ads that support the dev of the app?
People/users will complain about all of these. I've especially seen people complain about ads; the only real issue I see is when there's no alternative to ads provided (ie subscription, pay a couple dollars to buy a copy of the app, etc). It's Google's mistake, tbh, as that's the common rhetoric with Youtube, people got it for free for too long to be happy with more ads. Blame the people who're uploading "120 hours of black screen" multiple times per day.
Couldn't this happen to paid apps just as easily?
If the developer is well paid, probably not? Why would they throw away what they built for a lump sum if they have decent side-business and recurrent revenues?
For me, StackOverflow proved that literally everyone has a price. The world is hurtling full-speed towards the corporation-citizenship cyberpunk dystopia people have been writing for years, as every company buys up everything they can in order to stay "competitive."
If I offer you 100 years worth of revenue for your browser extension are you really not going to entertain the idea of selling?
Sure but they probably won't offer that much. What I mean is that the value of this app, despite being free, is not zero, but that's probably what the developer was getting. So even if he got 10K for it, he's happy and moved on.
The app originally set the desktop theme to dark mode or not. That’s not worth more than a single one dollar payment, if that.
If I want to do some shady app shit I am buying install base. 100x an app that makes a few grand a year could still be worth it for my nefarious purposes.
Given a sufficient lump sum that guarantees I no longer have to work, my morals can be easily bought.
Seems like a developer that is getting literally nothing for his app or plugin is more likely to sell it than a developer that's getting some income from it. At the least, the buyer would need to match the current value that the app provides its author.
I don't know.
A developer who didn't charge anything from the beginning has more likely other motives releasing his software than making money.
But if you already make a little money you may easily fall for a lot of money.
I mean, everyone's gotta eat. I think there's plenty of instances of someone building a tool that they personally find useful and then making that tool available for free, unsure of what the reception will be and not expecting a lot of users. But if that something does very well and finds a wide audience I think it's natural to try to earn a living from it. And, if the attempts to "monetize" fail (as they often do) and someone is offering a lot of money in a lump sum to take it off their hands, well frankly I think they'd be foolish not to take it. And if that arrangement happens to turn out poorly for the userbase, well hopefully that will be another small object lesson in paying for things you find useful, when politely asked.
(And yes, I'm aware that's a lesson that really should have been learned by now, if it was going to be learned at all. Alas.)
I think it starts with passion - he created some useful software, he shares it and initially enjoy working on it. Then he puts a donate link (I saw there was a donate link in the previous site), and gets almost nothing, but he still needs to add bug fixes, maybe new features, answer to the user's emails, etc.
After a while it becomes a chore... and still getting $0 out of it. And that's when he might want to find other ways to get something out of the efforts he put in. Unfortunately the only option is to turn it into malware since nobody wants to pay for it, or turn it into a decent profitable business.
Look at Red Shell for example:
https://www.polygon.com/2018/6/20/17485762/red-shell-spyware...
I don't have a link handy but I distinctly remember Take Two, a giant corporation with billions in revenue, saying when they removed it from Kerbal Space Program that they promised to wait a while and be more subtle next time they did that.
It's a problem with "free as in beer" apps but not with "free as in freedom" apps.
When the packages are built from source code by a trusted distributor like Debian or F-Droid [1], this kind of change is likely going to be noticed by the packager and not let through to users.
It's not a problem with Free apps. If you're forced to redistribute the source code, it heavily disincentivizes attacks like this.
ActionDash being bought by Sensor Tower comes to mind. One of the most invasive apps requiring insane levels of permissions (rightly so to perform system level functions) being bought out by an ad and data-selling entity seamlessly is absurd
<libertarian> What's silent about it? It's right there in the TOS, which you agreed to by using the software. Caveat Emptor, and all that. </libertarian>
<dictionary> silent: tending to speak very little: not loquacious <dictionary>
If the buyer alone was responsible, there would be no terms of service. It's only with community protections and regulations that you get the information required to attempt to make an informed choice. The same community should be empowered to drive normal ethics without it being overtaken by the 'drivers licenses are tyranny' crowd.
The perfect market will solve this and if it doesn't it's the users' fault for not having perfect information!
>> It is an alternative to the built in macOS automatic mode which only switches when the user steps away from the computer.
Huh? Setting a schedule/location for nightshift and setting the dark mode setting to auto will always change instantly. If you use a launcher or spotlight then a simple one line applescript can change the setting as well. (tell application "System Events" to tell appearance preferences to set dark mode to not dark mode).
> Huh? Setting a schedule/location for nightshift and setting the dark mode setting to auto will always change instantly
Not in my case?! I’d say there’s a 25% chance that Dark Mode enables at sunset. It’s been this way for years — even up til Ventura.
Has it worked flawlessly for everyone else the whole time?
I have the same experience. Dark mode automatically turns on way later than I’d like it to.
From the article: "It is an alternative to the built in macOS automatic mode which only switches when the user steps away from the computer."
If I set up night shift, it will switch to dark mode at the time I set, but it also tints my screen (even subtly, if I turn the slider all the way down), which I don't care for as someone who does art.
I have never had any issues. Every single day I get the jarring shift as all the dynamically dark-mode-aware apps shift color schemes and realize that the sun must be setting.
there seem to be many features that are flawless for some, and hit-or-miss for others. Example Airpods pairing, airplay are not always consistent.
Only time it didn’t work flawlessly was because I had contradictory settings between my phone and MacBook
In 2018, when NightOwl was released, some or all of these affordances didn't yet exist.
It looks like Apple has revoked the developer certificate. Anyone know if there's a public log somewhere showing when it was revoked?
The app was blocked from loading, but I still saw the two dylibs running. I wondered if it was because the certificate was revoked after they had already started. However, logging out and back in still showed them running. Perhaps they're persisting through log outs?
As well, I got a prompt from the macOS firewall to allow the mentioned AutoUpdate binary to listen for connections. That makes me think all of this was deployed in the last few days.
Edit: A reboot gave me the `“NightOwl” will damage your computer. You should move it to the Trash.` dialog. Allowing that did not fully clean things up (leaving a non-functional `/Users/*/Library/LaunchAgents/NightOwlUpdater.plist` in place and the usual preference files). For me, Hazel cleans those up.
I think for non-technical users who may not be familiar with the terminal would be to direct them to reboot.
> It looks like Apple has revoked the developer certificate. Anyone know if there's a public log somewhere showing when it was revoked?
No, Developer ID doesn't use a Certificate Revocation List:
Given https://eclecticlight.co/2023/08/08/apple-has-just-released-... it does look like it was revoked in response to the original article, and not the other way around.
> Given https://eclecticlight.co/2023/08/08/apple-has-just-released-...
XProtect is separate from Developer ID certifcate revocation. In many cases, malware is not even code signed, so certificate revocation would do nothing.
> it does look like it was revoked in response to the original article, and not the other way around.
I'm not sure what you mean?
I was trying to figure out how long I had possibly been running the infected code. I was certainly in a state today where binaries were running with revoked signatures. What I couldn’t tell is if this state was only for a few minutes or hours, or if it was days or weeks.
If Apple only revoked the dev certificate (and possibly XProtect) today, that would make sense. But if it was revoked a ways back, then it would be concerning that it would require a reboot (with no prompting) for a regular user to fully kill the running background processes.
Actually, thinking about this further, if Apple had revoked the certificates before today, others would probably have noticed it and investigated given the “Move to trash” dialog and the strong assertion of “this is malware” in it.
MacOS pulled it for me, refused to open it
Replaced it with NightFall https://github.com/r-thomson/Nightfall
You can also put display settings directly in the menu bar using:
Settings > Control Center > Display > Always Show in Menu Bar
I'll concede it takes a second click to toggle dark mode, but you also have night shift as an option, and it's 100% native.
This option wasn't available in 2018, when NightOwl was released. I had to test our application's Dark Mode implementation and NightOwl was super-useful then. I'm glad Apple made it easier to toggle dark mode in the interim.
Another very simple way is to make your own thing with the default Automator app.
* open up Automator and create new application
* select “change system appearance” and select toggle light/dark mode.
* save the ‘app’
Now, whenever you want to toggle light/dark mode, just open up spotlight and open up whatever you named the app. There’s probably a way to do it with Shortcuts too.
If toggling between modes is all that is needed, it can be done right through BetterTouchTool. I just assigned a right-click+option+cmd globally for it and it works like a charm
There's gotta be some law that could be passed about stuff like this. Software should have an implicit contract that it does what it says and not something wildly different than it, with harsh penalties for violations.
We should all have our own EULA’s that they implicitly agree to… lol.
I should start doing this with big websites. And of course my EULA is a 10MB file I’ll send with every request until they accept… :)
Can you imagine if that caught on? DDOS by EULA!
Common licenses specifically go out of their way not to imply such a contract. This is the start of the all-caps portion of the MIT License [0]:
> THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO […] FITNESS FOR A PARTICULAR PURPOSE
…and the GPL has nearly the same text in section 15. [1]
Yeah, but also common licenses are set by the distributor. (which they're also evidently free to secretly change?)
I want the other side of the deal: a default license implicit in the existence of software that can't be traded away without an explicit contract that involves something like an exchange of money, which a federal agency will safeguard against violations of. If an extension changes its behavior nefariously people should go to jail. If Google safeguards an extension that changes it's behavior nefariously then Google should go to company jail. (or, like, be fined and forced to comply).
(admittedly, this is hopeless idealism. But still.)
It wouldn't be that hard to make free open-source software not subject to the same rules.
I mean, contractual terms that are implied by statute exist. In English consumer contract law—which since 2015 has been extended due to the EU Consumer Rights Directive to cover digital content—includes an implied term that the goods are of satisfactory quality, and when it's a continuing service (including something like a digital content service like Netflix or Spotify, or a software product with updates), it doesn't radically depart from what's initially offered.
See https://www.legislation.gov.uk/ukpga/2015/15/part/1/chapter/...
Most jurisdictions have something broadly similar (albeit often not quite up-to-date around software and digital products). Everywhere in the EU will have laws that implement the EU's Consumer Rights Directive.
Which is great and would apply if you'd paid money for it. NightOwl is free (as in beer). The expectations the law sets out regulating the sale of goods and services do not apply when no money has changed hands.
Which I'd argue is pretty much right: while it sucks that companies get taken over and have spyware crap put into products, the idea that, say, a teenager who is hacking around and building stuff to learn how to code, puts up a project they've made as open source or a freeware download, does something silly like the left-pad debacle, then gets sued—potentially by a big corporate behemoth with very deep pockets and very scary lawyers—for a series of acts which involved them writing some software for no money. Regulation of technology should rest far heavier on the shoulders of Google, Microsoft, Apple and so on than it does on a hobbyist or small indie dev creating freebie menubar utilities or Chrome extensions or whatever.
The difficulty of ensuring those little freebie and open source apps don't become a vector for supply chain attacks remains difficult. Much better sandboxing and OS app-level permissioning, good network monitoring and anomaly detection on a per-app level, and building trust into packaging/distribution processes - these are all slow, grinding, incomplete ways to improve this. Lawsuits probably aren't.
> It also tries to open a UPnP port forward on your router, but fails on mine because the key names are jumbled:
This should fail on any router as you should have UPnP disabled.
I mean UPnP is a horrible spec but it’s a stop gap for restoring the fundamental capability of internet-connected devices in residential settings. All p2p apps (Tailscale for instance) need to act as a server temporarily and allow incoming traffic. Without the capability you’re a second class citizen, so to say. It’s infantilizing the user.
Now, you can of course open the ports yourself, but this is inaccessible to the vast majority of users due to undiscoverable, inconsistent and complicated UX. Most people don’t know what a port is.
Tailscale uses STUN. No need for me to map ports. https://tailscale.com/kb/1082/firewall-ports/
Yeah they use several techniques but it includes UPnP if available.
> $ tailscale netcheck
> […] * PortMapping: UPnP
Let me tell you about family members that have a mac because "they don't want the hassle of a windows laptop". They also don't want the hassle of not having uPnP, that setting is going to be turned on whether you know better or not.
> Let me tell you about family members that have a mac because "they don't want the hassle of a windows laptop".
They are not wrong. E.g. It amazes me how much pain and suffering Microsoft expects users to endure just to use a printer. It is not lost on my stepmother that her Windows machine has endless problems setting up and printing to her Brother laser printer, but her iPhone just sees it without having to be told.
If Microsoft embraced CUPS and Apple wrote Vulkan drivers, society would probably look like that The world if meme: https://knowyourmeme.com/memes/the-world-if
Printer companies sabotage printers. If you go through the standard Windows route (Devices > Add > Printer) you'll get most printers working quickly and reliably. In fact, if you plug in a USB cable, the printer will most likely Just Work (TM) after a few seconds of driver fetching.
They want you to use their shitty apps and shitty software, though. HP is the worst at this (they cover up the USB port, and will only allow you a limited amount of prints before you need the activate the printer through an app).
Windows has plenty of printer problems (like its print spooler that needs a serious security overhaul which would break loads of printers) but the worst of it only seems to show up if you follow the manual and install the crapware, including apps, that printer manufacturers want to shovel onto your devices.
Disabling UPnP makes your system more secure, but unless you also disable all NAT ALGs in your router, you're still exposed to its dangers.
I don't think most routers have a setting for that, so if infected devices are part of your security model, it would be wise to assume NAT is entirely non-functional because of [NAT slipstream attacks](https://samy.pl/slipstream/). An infected device can modify the router's NAT table to effectively act like UPnP, except they don't provide a user interface for you to audit.
If you're NAT free (i.e. only use IPv6) disabling UPnP can be a decent security measure if you're willing to manually do all of your firewall exclusions, but honestly host firewalls are the only reliable protection method for most people these days.
Do you deny the need for UPnP entirely? This is a confusing statement.
What do you actually need it for? I’ve had it disabled for ages, have no port forwards defined and have never had any issues.
I have many devices at home and I can't be administering all the port forwards by hand, it would be a lot of work.
+1. I also have had it disabled for ages. What features am I missing out on? When I look at the UPnP docs it talks about uses for which I have other mechanisms.
VoIP and video calls have lower quality and higher latency without UPnP since this often forces webRTC to tunnel through a TURN server. Networks that have neither IPv6 nor UPnP are just broken
Or you could use STUN and just send packets to a peer. Or use v6. Or anything from RFC6544. The reason UPnP is popular is so many home router people implemented it. If you have a real router, you have more options. As I pointed out, I have a real router and talk to people who have real routers that support things other than a 2008 version of UPnP.
Which is to say, you do not REQUIRE UPnP for webRTC. But yes, if you have a crap router given to you by your ISP (looking at you, SBC and Comcast) then UPnP may be your best bet. My point is you don't NEED UPnP if you have a real router.
I should be saying... thx for bringing me up to speed on this. UPnP is obviously not something I spend a lot of time on.
"WHEREAS, NightOwl app enables Users to share internet traffic by modifying their device’s network settings to be used as a gateway for internet traffic. Additionally, the User’s device acts as a gateway for NightOwl app’s Clients, including companies that specialize in web and market research, SEO, brand protection, content delivery, cybersecurity, etc."
Fuck that with a chainsaw. Burn it. Burn it with fire.
So, usually I associate super-shady things with hiding the fact that they're super-shady.
I'm thankful, but also genuinely curious, why they put this explicitly in their TOS.
It just kind of seems to be like the kind of person/org who would implement this shady stuff in the first place, would also actively hide that they're doing it.
Is there a legal reason that protects NightOwl by explicitly putting it in the TOS? E.g. does this prevent them from being sued for any of it, where they could have been successfully sued otherwise? Like it's technically do to all this shady stuff but only as long as it's in your TOS?
I'm not a lawyer, but the terms of service are an agreement with the user, so yes. They're not hiding anything because then they'd get sued.
If they didn't disclose "this shady stuff" then the user can try to resolve their dispute via remedies stipulated elsewhere.
Really there are several ways they could have gone about writing this agreement. This is probably the simplest for everyone. This is also how the bigger orgs write their agreements. They state their intent and you have to agree or fuck off.
The badly written agreements (what you were expecting) are less honest and try to explicitly have the user waive some rights entirely including any remedies in or out of court, but those can usually be deemed unenforceable because they violate established rights and precedent rulings.
Also not a lawyer. I'd think there's a level of interpretation to the enforceability of a given clause if it's not adequately exposed or is unconscionable in fairness. I'm guessing it's not so easy as clickwrap = rock solid contract.
Sure if a majority of users expect apps to not steal your data or misuse your internet connection.
Sadly this isn't the case anymore. The layperson is distrustful by default and can only rely on the more astute to blow a whistle. Even a judge would just say to not install apps that aren't critical to your everyday life and be done with it. Nobody has the time to swat at flies.
> The layperson is distrustful by default
This sounds like it was written from an alternate reality. It doesn’t match my experience at all
Yeah distrust isn't enough to deter the layperson from using an app anyway. That's my whole point.
I'm curious to know why this is any more or less shady than an app that uses ads to monetize? Those ads use a ton of bandwidth and share a ton of information about you? If they're just passing some packets through your IP for web scraping what's the big deal?
Bright Data offers an SDK for app developers to monetize their apps this way (https://bright-sdk.com). Maybe I am naive but this seems exponentially better than monetizing by sharing every tidbit of information Google and FB can get about me as I move through the web. Genuinely curious why this is so negative?
This reminds me of the Jerry Seinfeld joke:
"I bought the Superman Halloween costume and on the side of the box it said 'do not attempt to fly'.
I always wondered about the kid who was:
- dumb enough to think they could fly
BUT
- thought to themselves 'wait, let me check the box first. Oh! Good thing I checked!'
The TOS sounds a little bit like the "do not attempt to fly" warning.
>I'm thankful, but also genuinely curious, why they put this explicitly in their TOS.
The guy's in the US, not China or Cyprus, so there's actually a chance he could get in trouble.
I’m no lawyer but my guess is that the bar is so low for what’s actually legal- and no one generally reads these EULA’s- that it’s easier just to have it in there.
The bar is intentionally low "for what's actually legal".
You really don't want the government interfering with the implementation details and business models of software products. That's a really bad road to go down.
The problem is really a lack of inspiration for both the dev and user. In this case someone made a trivial tool and didn't know how else to monetize it than being a scumbag and exploiting social norms and good will. The user also decided to use something that's dumb and not worth risking making any agreement with any entity at all.
Situations like this are where free software excels. Things that are inconsequential in premise should stay that way in practice.
A lot of "free" VPN apps do the same thing and I haven't heard of any of them getting in legal trouble. It's kinda like running a tor exit node except most buyers just wanna borrow the user's IP to scrape sites that are otherwise impractical to scape with just a captcha solver due to aggressive blocking of non-residential ISPs and heavy rate limiting.
The difference being that it's somewhat related to the app's operation. In this case, it's completely orthogonal to the app's marketed function.
> does this prevent them from being sued for any of it, where they could have been successfully sued otherwise?
As I understand it, anyone can sue anyone for anything. What matters is convincing a judge/jury that you have been wrongfully harmed by the defendant. So if someone can make a good enough case for damages stemming from this data collection, then they can successfully sue.
This doesn't prevent them from suing, but it makes their case significantly weaker if the defendant can argue that the user agreed to have their data collected.
Probably compelled by Apple, or removal from store.
There’s a lot the app is doing that would not be allowed through review. It’s distributed via Sparkle which is pretty common for mac apps.
The app isn't on the App Store. (switching light/dark is a private API so it wouldn't be allowed on the store anyway)
There is no way reviewers would accept that if they read it
My assumption is there is a non-trivial number of people who will never read or notice that. Much less understand the ramifications.
I guess "modifying their device’s network settings" is already covered under whatever permissions we had to give it to perform the original task of switching on/off dark mode? That's a bummer. Would be nice if app permissions were more granular if that's the case.
And this is the risk that operating system developers run when you take away features or you don't develop features that your userbase wants.
Look at the amount of Start Menu modifiers there are out there for Windows. All because Microsoft keeps on changing the start menu. Why? I don't know. I just want to get rid of the Recommended section, but I'm not allowed to.
Last night I got a notification that advertised Game Pass to me. I angrily clicked on manage notifications and there’s a notification source called “Suggested” that somehow was turned on. That was the last straw for me. I go through so much diligence setting up my browser’s ad block, only for the OS to bypass all that.
For now “Suggested” is turned off and I disabled all notifications for good measure, but I don’t know how much longer Windows will allow that. I don’t intend to find out.
> "enables"
it's not a violation of your freedoms and privacy, it's an opportunity!
/s
Name and shame the developers and the company.
Little Snitch would help detecting to which IPs and addresses app connects and allow to block those connections
Or LuLu!
I've paid for Little Snitch every time I could. I never want them to consider selling.
Kind of off topic. But is there any app/service/extension for parsing these TOS with an LLM to catch all these shady things? If not, would one be useful? (I’m also a bit surprised this is in the TOS in the first place, but theres already a thread about that.)
Could be useful. Though people might as well do it themselves? I just pasted the whole thing to chatgpt and told it to summarise it into bullet points.
Related, this just brought back the memory of the Southpark episode ‘Human centipad’ where people accept the iTunes T&C without reading them :)
If anyone is looking for an alternative, I have been using my script below for two years without any issue.
--edit--
I do not know how to format code here.
--edit--
Another attempt to format code here.
# Step 1 Save script below to your local drive. For example, `/Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh`
#!/bin/zsh
# ref: https://unix.stackexchange.com/a/526097
# start time is 18:33 -> 18 * 60 * 60 + 33 * 60 = 66780
# end time is 07:33 -> 07 * 60 * 60 + 33 * 60 = 27180
# install gdate via `brew install gdate`
if [[ $(uname -m) == 'arm64' ]]; then
secsSinceMidnight=$(( $(/opt/homebrew/bin/gdate +%s) - $(/opt/homebrew/bin/gdate -d '00:00:00' +%s) ))
else
secsSinceMidnight=$(( $(/usr/local/bin/gdate +%s) - $(/usr/local/bin/gdate -d '00:00:00' +%s) ))
fi
if [[ $secsSinceMidnight -lt 27180 || $secsSinceMidnight -gt 66780 ]]; then
# turn on dark mode
osascript -e 'tell app "System Events" to tell appearance preferences to set dark mode to true'
else
# turn off dark mode
osascript -e 'tell app "System Events" to tell appearance preferences to set dark mode to false'
fi
# cron job for enabling macOS dark mode periodically
# darkModeWatcher script is executed 60s after reboot. After that, it is executed at 35 mins of each hour if the display is not asleep.
# replace xxxx with your username
@reboot sleep 60 && /bin/zsh /Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh >> /Users/xxxx/Library/Logs/systemDarkModeWatcher.log 2>&1
35 */1 * * * if [[ -n "$(/usr/sbin/system_profiler SPDisplaysDataType | /usr/bin/grep 'Asleep')" ]]; then newDisplayStatus=0; else newDisplayStatus=1; fi && if [[ $newDisplayStatus == 1 ]]; then /bin/zsh /Users/xxxx/Documents/Scripts/DarkMode/darkModeWatcher.sh >> /Users/xxxx/Library/Logs/systemDarkModeWatcher.log 2>&1 ; fiFYI... last time I tried, I could get the equivalent of a HTML <PRE> block by putting two spaces at the beginning of every line. Here's an example. Each line was indented two spaces:
Looks like it worked. It looks like it's rendering with a mono font.#include <stdio.h> int main() { printf( "Bonjour, totes le monde!\n" ); return( 0 ); }Thanks. It works.
> sudo zsh -c "rm /Users/*/Library/LaunchAgents/NightOwlUpdater.plist"
Why do you need to call out to zsh for this command instead of just running it in the current shell?
Because the expansion of the wildcard needs to happen with the privileges granted by sudo. If you just ran "sudo rm ..." the expansion would be done by the current shell, which doesn't have the required privileges.
I don't know anything about MacOS. Normal users don't have r-x on /Users ? How do they access their own /Users/whatever homedir then?
Normal users have r-x on /Users, but for that wildcard to work, they would need r-x on /Users/foo, /Users/foo/Library, and /Users/foo/Library/LaunchAgents, for every "foo" user in the system.
For that exact command, yes. But if `/Users/*` by itself can be expanded without root you can construct the list of files to delete without needing the `zsh -c`. Eg `for d in /Users/*; do sudo rm -f "$d/Library/LaunchAgents/NightOwlUpdater.plist"; done`
It's a minor point overall. I was just checking if MacOS had something else going on with its file permissions.
Pardon, but with double quotes, is'nt the expansion going to be done by the current shell anyway?
globs aren't expanded in double quotes (not in bash or zsh, at least).
Oh, makes sense. Thanks.
Apple is locking down macOS more and more, and yet there is no built in feature like Little Snitch or LuLu neither in MacOS or iOS. So basically they don’t mind apps spying on you, as long as it is approved by Apple.
Coming from Linux, I also have to say that I was shocked how many apps on mac os are only available as closed source.
In 2018, I contacted the developer and tried to purchase this app. He turned me down, and seemed like he wasn’t in it for the money. Seems like he picked the wrong buyer when he did finally sell out.
If I may ask, how much did you offer, and... who are you? :-)
Feck, I'm uninstalling right now.
I assume this is being used by those services that sell scrapers "real domestic IP addresses", where in fact they are selling a botnet.
We can't just have nice things can we.
> I assume this is being used by those services that sell scrapers "real domestic IP addresses", where in fact they are selling a botnet.
The author alleges as much in TFA.
I did a small Automator action that just switches dark mode on my computer, and I activate it with the cmd-alt-shift-P hotkey; it’s truly convenient and there’s no need for a third-party :)
osascript -e 'tell app "System Events" to tell appearance preferences to set dark mode to not dark mode'You can also use BetterTouchTool for that. I have CTRL-OPTION-CMD-M set up on macOS :)
Just want to say: amazing write up. I hope to write like this some day.
Nice writing style. Straight to the point because the author actually had something useful to say. A nice departure from the usual ‘pad it out’ approach that sadly you even see people take for their personal writing. So many people will lament recipe authors including 6 paragraphs of preamble, but will happily do it when they’re telling you about how they pwned their toaster or whatever.
When it gets down to brass tacks, I.e. the technical details section, it could really do with a once-over. One too many run-on sentences.
Not to be confused with NightOwlConnect, which allows one to remotely access NightOwl-brand security camera DVRs.
I'd not be surprised to find that that app has some sketchiness baked into it as well.
This makes me really weary of all apps more generally. How many other apps are doing this crap already and just haven’t been noticed / called out for it yet?
An interesting other-side of this, a Chrome add-on dev published how they continuously receive monetary offers from the kind of organisation that does exactly this:
"The application, at least the time of writing, and the installations I’ve been made aware of, makes a lot of connections to https://stubbs.frontgatetickets.com/, a website that sells tickets to live music events for a restaurant in Austin, TX."
Stubbs BBQ?
Yes.
So this seems to be the app on VirusTotal: https://www.virustotal.com/gui/file/375ef0eb310d3fa82ddb5357...
wow and this is built into macOS now as NightShift right?
Yes, the OS function works fine. Haven't used the app in a while, just had it still installed. I just found this by searching for "proxy-gw1-europe.squidyproxy.com" which seemed odd when I found it in my .ssh/known_hosts file.
ah, i just used squid on my own linux server recently for a weird use case. A client of mine gave me access to https://foo.com/thing only from one ip. And I didn't want to give them my normal desktop ISP ip because it changes so I gave them my static cloud linux VM ip. But it has no gui. So I wanted to use the webapp from my desktop. I installed squid and set it as my proxy server and did tail -f thelog and OMG the amount of requests just my normal browser makes to all sorts of weird stuff!
NightShift is different (but somewhat related) functionality: it adjusts the color profile to be warmer/reduce blue light. Both can be scheduled to correspond to time of day[light] however.
Oh right, got that mixed up
Does no one else find it difficult to read pure white on black sites? Ironic when the post is about a dark mode app I know.
I'm all for dark mode, but give me an option to switch back if it's a wall of pure white text please!
As a side note I want to mention that I use Night Shift on mac os and every day!!! I need to switch it back on because there is no option to leave it enabled all day long.
I have it set to a custom schedule that starts at 4am and ends at 3:59am, effectively leaving it enabled all day long.
I have it set this way as well. But as I'm living a rolling day:), I often experience the light suddenly going on, so I have to reset it again.
What are you talking about? The whole point is you leave it on and it tracks the sun. Does this not work for you?
Yes, this works. but I want to have it enabled constantly because I like my screen that way.
Are you talking about Night Shift, to change the white balance of your screen to be more yellow, or Dark Mode, which can be turned on permanently without scheduling?
It sounds like you’re trying to schedule Dark Mode to stay on all the time, which can be accomplished by choosing “Dark” in System Settings-> Appearance in Ventura or later, or in System Preferences-> General in Monterey or earlier.
No, I'm talking about Night Shift.
Thanks for clarifying! You can modify your display so it looks that way all the time by changing the white point. Most designers use 6500K but you probably are looking for something near 3500-4000K. You can do this by calibrating your monitor to create a new custom display profile. Hope that helps!
https://support.apple.com/en-ca/guide/mac-help/mchlp1109/mac
Great, thank you!
I installed this app earlier this year, and uninstalled it a few days later after I noticed it constantly using obscene amounts of my internet data.
It seems kinda weird to Dox the guy's home address.
While my comment might be borderline off-topic, is this functionality somehow replicated on Linux, especially in KDE?
Developers who sell out their app to entities like this deserve to be ostracized from the profession.
Apparently the perpetrator who sold out their users to the highest bidder is named Benjamin Kramser and they even freely admit the deed on their homepage! (https://www.kramser.xyz/)
> I love to build digital products
Should update that to “I love to throw the people who love my digital products under the bus”
I don’t think it’s fair to blame the developer unless you can prove that they knew this was going to happen
I’m sure an LLC named TPE.FYI is going to have good intentions with a closed sourced, free menu bar app that’s a gloried AppleScript any junior developer can build in a day.
Developer knew exactly what was going to happen.
yes, you're paying his rent probably right? What did he do? Did he sell his app? I would sell any app I own for the right price btw.
And people wonder why software developers are starting to get bad reputations…
Software as rugpull model
Is this a MacOS app? From the App Store?
And this is why we run little snitch!
Was expecting a clickbait article. No sir!
Great piece.
Wow, that’s scummy and desperate
Is this same for Dropbox?