> [..]
> Using the word “private” as “anything that isn’t on a cloud” is misleading, in my opinion. We know this is not the definition of private we want.
I don't know, for me that is a very acceptable definition since anything on the cloud is not private. If anything...
> When we think private, and when software products typically use the word private, they mean it to say privacy is a primary focus of the application, as enacted and permeated through mission, culture, code and operation.
...that definition could be applied to stuff on the cloud too since a cloud app can claim to care about privacy being "its primary focus" and its "culture, code and operation".
Of course something being local doesn't mean that it is 100% watertight proven that it is private, but the default state of a computer (at least as far as regular PCs go) is that and it is only after your actions as a user that state can be compromised.
As such the advice "don't download stuff that runs `rm -f` on your hard drive" is perfectly valid advice.
TBH this looks like some product's blog claiming why another competing product is inferior and theirs is better.
It's like if someone has a private office versus a secure office. One is a room with a door on it, the other is a room with a security guard.
Unfortunately only mobile OSes are on the forefront of this.
I'm not sure why the OS would have to manage this. For example when using electron you can use node's vm and run js in a separate context. It's a separate process but doesn't require anything special from the os for it.
Mobile OSes do sandbox the entire program usually by default though.
Ubuntu sorta tried to with snapd. Windows tried to with UWP.
Windows is still trying, hence why now WinUI 3.0, WinAppSDK and packaged applications.
Likewise Ubuntu hasn't given away snapd, rather doubled down on it.
Yet none of them are as enforceable as iOS and Android are. It isn't only the program that is sandboxed, plugins are also required to be installed as separate packages and communicate over IPC with the host.
I'd certainly trust v8's sandboxing over any attempt to do it myself but OS level sandboxing + IPC seems like an even better idea if you're trying to be really sure.
Like for example I haven't yet seen a post that decries the security vulnerabilities of VST plugins or Unreal engine plugins, but they actually have slightly worse surface areas that are harder to secure than something running on top of a JS engine.
At a certain point you have to accept that running code someone else wrote may do bad things. Zero trust doesn't have zero cost. Don't run random programs you download off the internet without accountability.
1) I think the author is mixing up privacy and security here. At least to me, security is about whether the program has any bugs that allow access to data that the developer didn't intend. Developer's intent is important here, since a program itself does not have any intention, it always behaves exactly as it should.
Privacy on the other hand, is whether the user has control over who has access to their data, assuming that the program is secure. So say, if iOS exfiltrated data to Apple, but was intentionally coded that way, then iOS might still be secure, despite not being private. On the other hand, I consider Linux private, because while you could always install malicious packages, it's still your choice to install those packages.
2) The article is specifically discussing security against plugins accessing data / processes outside the application. But this severely cripples the power of plugins. I recognize that this is subjective, but I prefer it when plugins can extend the application in very powerful ways. I think often plugin developers are more creative than the application developer. Chrome, Firefox, VS Code, all have some amazing plugins.
That being said, I do like Standard Notes, and while I only tried the product for a little bit I appreciate the overall vision.
I agree it's not a high bar, and I appreciate that some developers have higher security standard than others.
But I think "anything that isn't on a cloud" is an OK definition for "private". I can cut internet access from my private computer, it will still be able to run malware. I will blame myself for loading the malware into the computer, I will blame the malware's author for their malicious intention, but I will not blame my computer for executing the code.
I look at privacy as the user's ability to control their own data, not necessarily the ability to control a software's behavior.
There is always a tension between communicating pedantically accurately and communicating effectively, and while I really wish there wasn't, said tension's existence requires a selection amongst trade-offs nonetheless.
(i.e. "I agree wrt 'OK definition' but I understand why others don't and I'd prefer to live in a world where I believed I was wrong and they were right")
Did ... did they miss the giant, in-your-face warning that happens when you intentionally deactivate safe mode in order to be able to install plugins?