This person keeps banging the drum of agents running on untrusted inputs doing unexpected things. The proof of concept doesn't prove anything and doesn't even have working code. It's not clear why this is classed as a markdown rendering bug when it appears cline is calling out to a remote server with the contents of an env file as parameters in a url.
edit: are you the author? You seem to post a lot from that blog and the blog author's other accounts.
Interestingly, I had the exact same reaction when trying to figure out how to enable/disable WiFi. Why Apple, why? I wonder what telemetry tells them about this icon - wouldn't it be one of the most used ones? Or is there maybe an incentive for Apple to make sure users have WiFi on that I don't understand.
I think the reason is Apple wants to make it hard to turn off Wifi, so your device is part of their Find My network and will support other Wifi based data collection they do.
The buttons doesn’t actually turn off Wifi or Bluetooth, they disconnect from the current network/device. This is a huge dark pattern.
The new connectivity group is indeed awful. When expanded, some of the options are buttons that toggle state. Some open a whole new page of options. And Personal Hotspot is represented by a blank icon, and actually clicking it just dismisses the settings entirely.
Oo this is fun: guessing what the meeting was like where this decision was made. Off the top of my head, there are a few possibilities:
1. Engineers like to unify + encapsulate things where possible for its own sake, and the UX people were looped in too late.
2. There was pressure from above to make things “feel different” to stave off the accusations of “the end of an era of innovation” that get louder every iPhone/iOS release, and this stacking functionality is one of the strategies the team developed early on. No amount of negative metrics can put a hole in an Organizational Priority!
3. Despite their successful efforts to minimize intimidation-layoffs, they did end up laying off ~1000 engineers. It’s possible that the engineers were/are checked out due to a feeling of betrayal, and that the times are changing.
4. Most likely by far: a combination of all the above!
I really think it has to be some organizational mistake. No way that got past a good UX person who had the power of veto.
When WiFi is enabled, iPhones usually broadcast a list of previously connected SSIDs, which can be used in fingerprinting. Fortunately, shortcuts can disable (not just disconnect) WiFi.
> I wonder what telemetry tells them about this icon
> The reason for client scanning is to determine a suitable AP to which the client may need to roam now or in the future. A client can use two scanning methods: active and passive. During an active scan, the client radio transmits a probe request and listens for a probe response from an AP. With a passive scan, the client radio listens on each channel for beacons sent periodically by an AP. A passive scan generally takes more time, since the client must listen and wait for a beacon versus actively probing to find an AP. Another limitation with a passive scan is that if the client does not wait long enough on a channel, then the client may miss an AP beacon.
my bank used 2FA (auth codes or so called "transaction codes" send in physical mail to approve transactions) in the late 90s early 2000s. so 2fa isn't some new invention, funny how it took basically 2.5 decades until it become quite mainstream... now that i think of it, it's actually quite concerning that 2fa didn't have widespread adoption earlier - as soon as smart phones became common.
It seems there are a lot of opportunities for privacy testing here....
-) Is is possible to re-identify webpages a user visits based on Cohort ID?
-) E.g. can a website be built to show your "profile" and "interests" based on the Cohort, rather than just the FLoC ID? Google and others who (I assume) will share their back-end data will be able to build such a website.
-) Can a "rainbow table of FLoCs" be pre-calcuated? This would allow to re-identify certain browsing habits of users
-) In fact what if someone creates a Chrome extension that publishes visited domain names and their resulting FLoC ID - Imagine many people download and use it for fun! This would sort of decentralize the previous mentioned de-identification attacks and render FLoC useless for all other privacy concerned users.
-) How much easier is it now to track a user with just IP address + FLoC ID now?
BUT, what I'm missing entirely at this point is how will the web server (Google and other ad companies) actually *use/share* the Cohort information? That is not being described at all by Google - and seems rather critical to me.
What's even worse is that ML frameworks (also newer ones) don't have or support built in authenticity/integrity checking when loading model and model architecture. Developers have to build their own solutions, like checking a hash or signature themselves - very few do.
Begs the question of long-term support, etc...