NVAccess and the slow Erosion of trust: I still believe that NVDA is the best available screen reader, and I still donate monthly.

Category: Uncategorized
Tags: screenreader, nvda, a11y
50 Posts, 8 Posters, 3 Views
nvaccess@fosstodon.org wrote:

    @fastfinge @cachondo The fact that we have been MORE open & willing to discuss things on here than basically any other company (please, point me to a thread in which ANY company got more involved on ANY topic? I'm waiting....). All we asked was that where you believe something is a security vulnerability, you disclose that privately in the first instance. That's all, nothing more sinister. Otherwise, I really don't think you can make any kind of argument that we don't discuss things publicly.

fastfinge@fed.interfree.ca wrote (#13):

    @NVAccess @cachondo I think you are confused between discussion and argument. But if these things were discussed publicly, searching GitHub and groups.io didn’t turn them up. If they had, I’d have no questions and nothing to write.

In reply to fastfinge@fed.interfree.ca (#13):

prism@infosec.exchange wrote (#14):

      @fastfinge No one said that. It's an open source project, discussion happens on the issue tracker and/or mailing list. Or you can ask them here. You know this. Should NVDA have a full time public relations person to handle all concerns? Who pays for that? What priorities suffer?

      Your piece seems somewhat premised on the idea that you must trust NVAccess in an informational vacuum. I don't think that's true at all. You could just... ask them why they did XYZ. If that answer isn't satisfactory, okay, the discussion has moved forward.

      @cachondo @NVAccess


In reply to fastfinge@fed.interfree.ca (#13):

nvaccess@fosstodon.org wrote (#15):

        @fastfinge @cachondo IN your article, you yourself open with "But I'm probably missing context, so I'll just have to trust that NVAccess knows things I don't." - hence, why would you not reach out to us first to find out WHY we did things a certain way?

In reply to prism@infosec.exchange (#14):

nvaccess@fosstodon.org wrote (#16):

          @prism @fastfinge @cachondo Thank you. And yes, I have spent the last hour or so on this thread, and I haven't even got to half the article yet. So this HAS cost the organisation my time in doing this, when I suspect most of it could have been resolved just by asking a couple of questions first. And just to be clear, asking questions is perfectly fine. It's where they are done as public accusations of poor behaviour without first having obtained the facts that it gets frustrating.

In reply to prism@infosec.exchange (#14):

fastfinge@fed.interfree.ca wrote (#17):

            @prism @cachondo @NVAccess It’s not based on that at all. It’s based on the fact that when I search the GitHub and mailing lists, as far as I can tell these discussions don’t exist.

In reply to fastfinge@fed.interfree.ca (#17):

prism@infosec.exchange wrote (#18):

              @fastfinge So start them. If you want to answer questions, in addition to asking them.
              @cachondo @NVAccess

In reply to prism@infosec.exchange (#18):

fastfinge@fed.interfree.ca wrote (#19):

                @prism @cachondo @NVAccess Seems a bit late to discuss decisions that were already made…somewhere…by someone. Compare to the Linux kernel mailing list. If I want to know what was decided, who decided it, why they decided it, when and where, all discussion is right there. NVDA also operated this way up until the last couple years. When Michael or Jamie decided anything, the reasoning was all in public. Even if I didn’t like it, the chain of thought that got them there was fully visible.

In reply to nvaccess@fosstodon.org (#16):

fastfinge@fed.interfree.ca wrote (#20):

                  @NVAccess @prism @cachondo And that can only happen when the facts aren’t already public. For an open source foundation, that is a problem in and of itself. However, I apologize for wasting your time. In future, I’ll be sure to waste just as much of your time asking questions that should have had public answers when the pull requests were first opened.

In reply to fastfinge@fed.interfree.ca (#19):

nvaccess@fosstodon.org wrote (#21):

                    @fastfinge @cachondo @prism As Drew suggested, what do you want to know? I'm only halfway through your article and most of it is "I don't like this feature, it shouldn't have taken developer time" when, if you'd asked, we could have told you that things like Remote Access, Image Description, Magnifier, etc you complain about - were all done by others and only overseen by us

In reply to fastfinge@fed.interfree.ca (#20):

nvaccess@fosstodon.org wrote (#22):

                      @fastfinge @cachondo @prism But the decisions about <insert feature here> were made <gestures vaguely>. At this point, I do appreciate the passion you have, and I am honestly trying to work with you.... but I don't even know what you are mad about anymore?

In reply to nvaccess@fosstodon.org (#21):

fastfinge@fed.interfree.ca wrote (#23):

                        @NVAccess @cachondo @prism If you have understood that to be my primary complaint, I must have written it extremely poorly. Because developer time was never even mentioned once. My complaint is that things seem to be going into NVDA without openly accessible discussion or reasoning about the trade-offs. So: Why is NVDA scanning store addons with VirusTotal? What threat does NV Access believe this prevents, given the overall addon security landscape? What does NVAccess believe is the purpose of addons, and when should an addon be in core vs. not? Are there types of addons that NVDA does not believe are suitable, and should just be apps on their own? What qualifies a feature for an addon vs. being part of NVDA? How are decisions made at NV Access, now that they aren’t as frequently discussed on the GitHub or the mailing list? How should external stakeholders get involved in these decisions? Speaking of those decisions: what is the current thinking RE: the 32-bit compatibility layer? Has this been canceled as it’s no longer needed? What is the current thinking on the secure addon API? Are we talking about extremely restricted functionality, or code signing, or manual approval of secure addons, or all three? Where can we see, developers work opt planning (if any) being done on corporate mode? Surely there’s something other than “no news” on an issue tracker or mailing list somewhere. I’m avoiding “Why did you do X last year” style questions, as re-litigation of things already done is utterly pointless. But these are the current questions that I am most concerned about.

In reply to fastfinge@fed.interfree.ca (#20):

nvaccess@fosstodon.org wrote (#24):

                          @fastfinge @cachondo @prism

                          Ok just to satisfy you that it isn't only my time you've taken up this morning, but our other staff who also tried to work through your post, here is a comment from one of our developers:

                          Also I don't understand why he thinks this stuff was not discussed.
                          https://github.com/nvaccess/nvda/discussions/19462
                          https://github.com/nvaccess/nvda/discussions/19807
                          https://github.com/nvaccess/nvda/discussions/14912
                          https://github.com/nvaccess/nvda/discussions/16304

                          and a lot of the discussion can be found from the issues/PRs linked in the change log


In reply to nvaccess@fosstodon.org (#22):

fastfinge@fed.interfree.ca wrote (#25):

                            @NVAccess @cachondo @prism I’m not mad at all. I’m concerned. Deeply. But that’s far from anger. And I also find it strange that you seem to think my entire purpose is to waste as much developer time as possible, and would be gleeful the more of your time I can manage to take up. I’m so baffled by that assumption that I’m starting to wonder if your mental model of me as a person is just so far off that mutual communication or understanding is even possible.

In reply to fastfinge@fed.interfree.ca (#23):

nvaccess@fosstodon.org wrote (#26):

                              @fastfinge @cachondo @prism Ok if nothing else, I can no longer complain that you haven't asked us questions.... I'm confused about the hate on VirusTotal? It's a tool which may pick up malicious code that is available, so why NOT use it? Add-on vs core for a feature is done case by case (based on user benefit, potential downsides, initial vs ongoing work, & more). For remote, as previously noted, it also allowed us to tighten security by bringing those external contact points internal.

In reply to nvaccess@fosstodon.org (#24):

fastfinge@fed.interfree.ca wrote (#27):

                                @NVAccess @cachondo @prism I did find some of these. But a lot of them seem to be discussions of how to do something that has already been decided would be done. Not of the what to do or why to do it. And those discussions are the majority of my concern. However, I could be mistaken, and I will certainly read the links more closely.

In reply to fastfinge@fed.interfree.ca (#25):

nvaccess@fosstodon.org wrote (#28):

                                  @fastfinge @cachondo @prism Not at all, I was just concerned that you spent a LOT of time writing up incorrect assumptions which could easily have been corrected by either asking, or more fully reading discussions on github etc.

In reply to nvaccess@fosstodon.org (#26):

fastfinge@fed.interfree.ca wrote (#29):

                                    @NVAccess @cachondo @prism The hate isn’t the service itself. It’s that the results are being displayed in the store. I believe that this is false reassurance, that makes everyone less secure just by existing. Best case, it will always return nothing, because no attacker would upload a virus directly to the store; they’ll have their addon download the virus days later, once it’s gotten some installs. Worst case, it makes someone think “Oh, NVDA virus scans its addons. So they’re fine.” Given the best case is nothing happens, and the worst case is someone is less secure, why do it? What problem is NVAccess trying to solve?

In reply to nvaccess@fosstodon.org (#28):

fastfinge@fed.interfree.ca wrote (#30):

                                      @NVAccess @cachondo @prism I’m confused about the fact that you’d rather a private email asking, than a public article that goes out of its way to be as soft as I could make it while raising concerns, where the public discussion that I was hoping for and not finding had a chance of happening.

In reply to fastfinge@fed.interfree.ca (#29):

nvaccess@fosstodon.org wrote (#31):

                                        @fastfinge @cachondo @prism What do you propose? At the end of the day, add-ons are potentially a risk & I think we are clear in warning users about that. If a bad add-on has to download code days later to avoid detection, at least we've made it harder for them. The add-on community itself keeps an eye on add-ons & would hopefully quite quickly alert us to any issue such as this. The alternative would be extremely tightly restricting what add-ons could do - maybe to Braille drivers & synths?

In reply to nvaccess@fosstodon.org (#31):

fastfinge@fed.interfree.ca wrote (#32):

                                          @NVAccess @cachondo @prism Well, I would first propose not doing something “because the service exists and we can”. This was the kind of thinking I tried, and seem to have failed, to highlight in the article. Next, I would propose not getting stuck in an either/or mindset. The duality of “we do nothing” or “we restrict all addons forever” is a false one. What about tracking reputation of addon authors and making sure that, at least, NV Access can guarantee that the author of an addon is who they say they are. Then making it extremely clear to users who they’re trusting and how much trust they’re handing over. What about having a set of “reviewed addons” and then a set of “unreviewed addons” and listing them in different places, with different levels of warning, and different corporate controls? What about some sort of sandboxing, and prompting the user “Do you want to allow this addon to X?” Where X is dangerous things like download and execute a third party program, read and write files outside of the addon directory, and so on. There are all sorts of possible solutions, some easier, and some harder, that would actually do something other than “Maybe inconvenience an attacker who knows nothing about NVDA Store security someday”.