I find it difficult to imagine equating a raspberry pi in a closet with “running a server”. Is it technically a server? Sure. But it’s not as if we’re talking about running a power hungry rack.

Bottom line is: there are very cheap and simple/easy options for maintaining a private connection to your home stuff.

> and figure out all the networking bits that will get it to talk to the printer

With something like Tailscale this is already figured out. My mostly non technical brother does this without issues.

This is entirely separate from whether or not you should need to do so for Bambu printers, which again I agree the answer is ideally “no”.

With that said, I don’t think it’s reasonable to describe setting up Tailscale as similar to “Linux server that runs 24/7 with OpenVPN and iptables”. Sure, you could go that route, but a Tailscale setup is extremely simple and lightweight. A raspberry pi is plenty if there isn’t already a system running 24/7. I personally have this set up on my router.

I point this out while still sharing the general sentiment of negativity towards Bambu here.

Where LittleSnitch is definitely ahead is showing process connections over time after said process has been allowed.

As I’ve stated clearly throughout this thread, the fingerprinting they’re doing is a problem.

Calling it “searching your computer” is also a problem.

> Defending that action is

Nowhere have I defended what LinkedIn is doing.

I’m not defending the act of scanning for these extensions, and I’m of the opinion that such an API shouldn’t even exist, but just pointing out that there are perfectly legitimate APIs that reveal information that could be framed as “files installed on your computer” that are clearly not “searching your computer” like the title implies.

First, I think it’s a major issue that Chrome is allowing websites to check for installed extensions.

With that said, scanning LinkedIn’s private network is not analogous to what is going on here. As problematic as it is, they’re getting information isolated to the browser itself and are not crossing the boundary to the rest of the OS much less the rest of the internal network.

Problematic for privacy? Yes. Should be locked down? Yes. But also surprisingly similar to other APIs that provide information like screen resolution, installed fonts, etc. Calling those APIs is not illegal. I’m curious to know what the technical legal ramifications are of calling these extension APIs.

I’m not saying it is. My point is that they appear to be trying to accomplish something like getInstalledExcentions(), which is meaningfully different from a small and targeted list like isInstalled([“Indeed.com”, “DailyBibleVerse”, “ADHD Helper”]).

One could be reasonably interpreted as targeting specific kinds of users. What they’re actually doing to your point looks more like a naive implementation of a fingerprinting strategy that uses installed extensions as one set of indicators.

Both are problematic. I’m not arguing in favor of invasive fingerprinting. But what one might infer about the intent of one vs. the other is quite different, and I think that matters.

Here are two paragraphs that illustrate my point:

> “Microsoft reduces malicious traffic to their websites by employing an anti-bot/anti-abuse system that builds a browser fingerprint consisting of categories of identifiers, including Browser/OS version, installed fonts, screen resolution, installed extensions, etc. and using that fingerprint to ban known offenders. While this approach is effective, it raises major privacy concerns due to the amount of information collected during the fingerprinting process and the risk that this data could be misused to profile users”.

vs.

> “Microsoft secretly scans every user’s computer software to determine if they’re a Christian or Muslim, have learning disabilities, are looking for jobs, are working for a competitor, etc.”

The second paragraph is what the article is effectively communicating, when in reality the first paragraph is almost certainly closer to the truth.

The implications inherent to the first paragraph are still critical and a discussion should be had about them. Collecting that much data is still a major privacy issue and makes it possible for bad things to happen.

But I would maintain that it is hyperbole and alarmism to present the information in the form of the second paragraph. And by calling this alarmism I’m not saying there isn’t a valid alarm to raise. But it’s important not to pull the fire alarm when there’s a tornado inbound.

I think that’s a far more reasonable framing of the issue.

> I don't think describing it as something everybody would expect is totally fine and normal for browsers to allow is correct.

I agree that most people would not expect their extensions to be visible. I agree that browsers shouldn’t allow this. I, and most privacy/security focused people I know have been sounding the alarm about Chrome itself as unsafe if you care about privacy for awhile now.

This is still a drastically different thing than what the title implies.

But it’s critical to sound the correct alarm.

To me, it seems like the authors pulled the fire alarm for a single building when in reality there’s a tornado bearing down.

And by doing so, everyone is scrambling about a fire instead of the response a tornado siren would cause.

They’re both dangerous and worthy of an immediate reaction, but the confusion and misdirection this causes seems deeply problematic.

When people realize the fire wasn’t real, they start to question the validity of the alarm. The tornado is still out there.

I realize this analogy is a bit stretched.

As someone who has spent quite a lot of time steeped in security/privacy research, the stuff described in the article has been happening pervasively across the industry.

People absolutely should be alarmed. Many of us have been alarmed for quite some time. Raising the alarm by saying “LinkedIn is searching your computer” isn’t it.

Fighting against these kinds of directives was a large factor in my own major burnout and ultimately quitting big tech. I was successful for awhile, but it takes a serious toll if you’re an IC constantly fighting against directors and VPs just concerned about solving some perceived business problem regardless of the technical barriers.

Part of the problem is that these projects often address a legitimate issue that has no “good” solution, and that makes pushing back/saying no very difficult if you don’t have enough standing within the company or aren’t willing to put your career on the line.

I’d be willing to bet good money that this LinkedIn thing was framed as an anti-bot/anti-abuse initiative. And those are real issues.

But too many people fail to consider the broader implications of the requested technical implementation.

I think most people would interpret “scanning your computer” as breaking out of the confines the browser and gathering information from the computer itself. If this was happening, the magnitude of the scandal would be hard to overstate.

But this is not happening. What actually is happening is still a problem. But the hyperbole undermines what they’re trying to communicate and this is why I objected to the title.

> They chose to put that particular extension in their target list, how is it not sinister?

Alongside thousands of other extensions. If they were scanning for a dozen things and this was one of them, I’d tend to agree with you. But this sounds more like they enumerated known extension IDs for a large number of extensions because getting all installed extensions isn’t possible.

If we step back for a moment and ask the question: “I’ve been tasked with building a unique fingerprint capability to combat (bots/scrapers/known bad actors, etc), how would I leverage installed extensions as part of that fingerprint?”

What the article describes sounds like what many devs would land on given the browser APIs available.

To reiterate, at no point am I saying this is good or acceptable. I think there’s a massive privacy problem in the tech industry that needs to be addressed.

But the authors have chosen to frame this in language that is hyperbolic and alarmist, and in doing so I thing they’re making people focus on the wrong things and actually obscuring the severity of the problem, which is certainly not limited to LinkedIn.

I’m saying that the framing of the article makes this sound like LinkedIn is the Big Bad when the reality is far worse - they’re just one in a sea of entities doing this kind of thing.

If anything, the article undersells the scale of the issue.

The point was more that the headline frames this as some major revelation about LinkedIn, while the reality is that we’re getting probed and profiled by far more sites than most people realize.

We’ve known for a long time that advertisers/“security” vendors use as many detectable characteristics as possible to constrict unique fingerprints. This seems like a major enabler of even more invasive fingerprinting and that seems like the bigger issue here.

My point isn’t that this is acceptable or that we shouldn’t push back against it. We should.

My point is that this doesn’t sound particularly surprising or unique to LinkedIn, and that the framing of the article seems a bit misleading as a result.

> Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers.

This does seem invasive. It also seems like what I’d expect to find in modern browser fingerprinting code. I’m not deeply familiar with what APIs are available for detecting extensions, but the fact that it scans for specific extensions sounds more like a product of an API limitation (i.e. no available getAllExtensions() or somesuch) vs. something inherently sinister (e.g. “they’re checking to see if you’re a Muslim”).

I’m certainly not endorsing it, do think it’s pretty problematic, and I’m glad it’s getting some visibility. But I do take some issue with the alarmist framing of what’s going on.

I’ve come to mostly expect this behavior from most websites that run advertising code and this is why I run ad blockers.

One thing that worries me about the current state of things is scale and speed. Modern technology, markets, communication systems and supply chains make it possible for things to go catastrophically wrong very quickly for a massive number of people.

I think this is somewhat unique to the current era.

I still don’t buy into the belief that we’re absolutely witnessing a collapse. Studying history shows that things have been far worse (politically, socially geopolitically, etc) and we’ve come out the other side numerous times.

So I think “ups and downs” is probably the right way to look at this. I do worry about the impact of modern technology on this equation.