The "Brave" Browser Created by Firefox Web Browser Creator Brendan Eich



Hervé
30th September 2016, 15:18
BLOCKBUSTER! NEW WEB BROWSER TRASHES GOOGLE! (http://82.221.129.208/basepageg8.html)

This made me [Jim Stone] happy:

CREATOR OF FIREFOX WEB BROWSER BRENDAN EICH WAS KICKED OUT OF HIS OWN ORGANIZATION FOR NOT SUPPORTING SAME SEX MARRIAGE AND NOT EVER BACKING DOWN. THEY THEN TURNED FIREFOX INTO A DOGPILE. HE THEN WROTE A NEW WEB BROWSER AND HAS RELEASED IT AS THE "BRAVE" BROWSER. RUMOR ON THE STREET IS THAT IT IS GREAT, CHECK IT OUT, DOWNLOAD HERE (https://brave.com/downloads.html)

UPDATE: HA HA HA, HE'S PISSED WITH GOOGLE INTENTIONALLY SABOTAGING FIREFOX AND HAS PROGRAMMED THE NEW BROWSER TO BLOW GOOGLE AWAY!

YEP. To make Chrome look better (when really it was not) Google sabotaged Firefox by causing Firefox to re-load ads multiple times, which slowed it down badly. Google did this by checking which browser was accessing a web site, and if it saw Firefox, Google would intentionally trip it up with the analytics scripts and ad scripts that loaded multiple times under instruction from Google. There was nothing Firefox could do to fix it because it was external sabotage. So what did Brendan do to get even? He ripped Google's own Chrome to pieces, took out the crapware parts of it, and had it intentionally screw over the GOOGLE tampering.

HA HA HA, BLOCKBUSTER: THE BRAVE BROWSER WILL TAKE GOOGLE ADS (IF YOU TELL IT TO) AND REPLACE THEM WITH ADS THAT ARE SERVED BY THE BRAVE BROWSER'S OWN AD SERVICE. BRAVE THEN GIVES A KICKBACK TO THE WEB SITES WHO HAD THEIR ADS SWITCHED AWAY FROM GOOGLE. TALK ABOUT REVENGE! THAT IS WORTH MORE THAN A LAUGH!

Way to go. Way to get even!

GOOGLE IS LYING ABOUT CHROME'S POPULARITY ANYWAY:


http://82.221.129.208/firefox.gif


BOTTOM LINE? IF BRENDAN EICH CAN MAKE A WEB BROWSER SO GREAT IT CAN SCORE THIS WELL AFTER TAKING SUCH A BEATING, YOU REALLY OUGHT TO CHECK OUT HIS NEW ONE (https://brave.com/downloads.html)

_______________________________________________________

The above is from Jim Stone's blog: http://82.221.129.208/basepageg8.html

Sierra
30th September 2016, 15:53
Woohoo! (Don't know about the issue with same sex, I get a bit sick of those who wish to micro control what goes on in someone else's bedroom, but heck... )

Downloading! Thanks Hervé!

(It downloads in less than five seconds on my iPhone. Now that is a tightly written app.)

Shove it Google!

sunpaw
30th September 2016, 16:06
Thanks for the heads up - noticed Firefox is acting up more.. I only use it for some games, and today it crashed constantly.

However, I won't use the new browser. I support gay marriage. Besides that I understand 'getting back' somehow - but this way seems rather low, for me though..

:sun:

devplan
30th September 2016, 17:35
This looks really exciting! Unfortunately, their provided "packaged" installers for Linux are only for AMD 64 processors and mine is an Intel.
Anyhow - I wrote to their support and I am looking forward to their reply.
Anyone of you who installed "Brave" and was able to gather some experiences?

Daozen
30th September 2016, 17:51
I installed it painlessly in 3 minutes. Used it to log into Avalon right now. Thanks to Brendan Eich, the man who built the language of the web. I didn't like Javascript when I first saw it, but I grew to love it this Summer, after I discovered www.codepen.io

uzn
30th September 2016, 17:53
In case somebody is still using Firefox. Yesterday it was reported that Firefox makes extensive use of your hard drive. That means that your SSD will have a way shorter lifespan.

raregem
30th September 2016, 18:12
Thanks Hervé for your detailed post. I could care less about someone's sexual preference but I do care about browsers and their ability to work without subterfuge. I am putting BRAVE on my computer right now. I have had so many issues with IE so went to Firefox.
FF used to work fairly well but I get many setbacks that cause me to try another browser. None seemed ok.
I am dreaming of a BRAVE new world working well...haha. Thanks again.

lake
30th September 2016, 18:17
Thanks for that....tried to download it but couldn’t!
Run a Linux based system which is 64bit, but an old version and it cannot integrate!

I'm just an old and stubborn git........lol

Paul
30th September 2016, 19:07
I worked with Brendan Eich, when he first got out of college, some 30 years ago. He's perhaps the smartest person I've had the pleasure of working with, ever ... smart on several levels at once.

I just noticed and tried Brave for the first time today.

On the negative side, It's still young. It's missing some features I find important, even essential, for my main browser, including finer control over tab layout (as in Tab Mix Plus) and support for Lastpass and/or KeypassX password managers. It doesn't appear to handle add-ons (extensions) yet at all (Correction - see below). I managed to get it to hang once, trying to import my bazillion Firefox bookmarks.

On the plus side, It's lickety split fast. I tried to see how well it was multi-threading, but couldn't load new tabs fast enough to really test that. In the fraction of a second it took me to switch to the next tab and ask for a reload, it had already finished the previous reload. It's led by Brendan, perhaps the best in the business at such strategic guidance. Its planned business model for handling web ads is very interesting, and a likely winner, for everyone involved, in my book. It's being developed rapidly.

I am starting to imagine that Brave could become the basis for another funding source for Project Avalon (we could use it.)

This would enable users who so choose to budget some modest amount each month, to be split up amongst the various sites that they choose to support, which might include Avalon. Brave is setting it up so that users can easily purchase bitcoins using their credit card, for say $10 or $20 per month, or whatever makes sense for them, and the micropayment portion of their monthly donation would transfer, as Bitcoins, anonymously, to the monthly collections of each site. The owners of any website that accumulates over $10 gets an invitation from Brave to demonstrate (with a requested modification to the site's DNS A record) that they control the website, and then gets to collect that monthly total donations. Brave users who elect to accept ads from Brave's own ad channel will receive a portion of the revenue that Brave earns from those ads that it was paid to run, and those Bitcoins can then in turn be donated by the user to whatever sites they value (or those Bitcoins can be used wherever else the user wants.)

So far as I can tell (still haven't actually tried it) if a user, today, asked Brave to include Avalon as one of the sites they donate to, and if that user funded their donations with some Bitcoins (perhaps purchased on the spot, using their credit card), then Bill, as the registered Avalon site owner, would receive (once the donations reached $10) an invitation to prove he owns Avalon, and then be in a position to collect those funds. Bill would have no way of knowing who donated or how much each donor donated.

I look forward to the day when Brave becomes my main browser.

===

P.S. - Correction: I don't see a general Add-on facility yet, but I did find a Preferences -> Security -> Passwords and Forms option to select my choice of password manager between 1Password, Lastpass, Dashlane, Brave's built-in, or none.

Paul
30th September 2016, 19:36
Well, I logged into ProjectAvalon in the Brave browser, using Lastpass to provide the password for this Avalon account, "Paul", but there's a glitch. Lastpass couldn't automatically fill in the password field; I had to copy and paste the password in from what Lastpass had saved for this site. Someone else has posted a similar bug against Brave for the other password manager I would consider using, KeepassX, whose auto-typing feature was also not working in Brave.

Daozen
1st October 2016, 01:53
Browser funding is revolutionary, and could develop into a multi-billion dollar industry within 2-15 years. It solves some major problems associated with fairly monetizing content. Brave would need to accept Paypal directly for it to really work. Right now going through Coinbase will cut out some casual, impatient users, like me. But maybe Brave want to move the net economy away from Paypal onto Bitcoin. I can see that.

I noticed you worked with Brendan Eich a couple of weeks ago, Paul. Any non-sensitive anecdotes are interesting. I watched a few of his videos last week as I was studying Javascript, and I noticed he was ridiculously clever. Once he gets on a roll the ideas and knowledge come out fast.
I'll write things I notice as UX feedback, and send them to Brave. I liked the speed, but didn't like the flashing CSS as I moved between sites. It seems unnecessary. There's no easy way to change the color or browser skin, and getting to the monetizing content section takes two mouseclicks. I think it should be easier to charge an account. I'd like to see a charge icon in the top right, next to the Lion icon. But maybe they chose to keep the monetizing aspect hidden, as a design choice.

I know Mozilla foundation are good at listening to feedback, so I hope Brave will be the same.

Paul
1st October 2016, 02:35
I noticed you worked with Brendan Eich a couple of weeks ago, Paul. Any non-sensitive anecdotes are interesting. I watched a few of his videos last week as I was studying Javascript, and I noticed he was ridiculously clever. Once he gets on a roll the ideas and knowledge come out fast.
Sometimes I'd stop by his office, just down the hall from mine, with some minor item to talk about for a minute or two.

He'd be coding his part of the project, and while he was continuing to rapidly type production quality code, on the first draft, he'd carry on a coherent conversation with me on some unrelated topic. I've seen very few who could code that well, that quickly, and I've seen no one else who could engage in idle chatter on some unrelated topic ... at the same time!

This was in the software tools group within Silicon Graphics, back in the late 1980's, where we developed tools for bug tracking, software versioning, and software packaging and installation.

Brendan didn't last long at that job ... his talents were worthy of more challenging tasks.

Olaf
1st October 2016, 07:29
It is always a good idea to use different browsers for different purposes - especially when you are interested in your privacy.

Google ads and other ads from advertising networks track your identity across many websites, including project avalon (due to the Google translate module).

Currently I am using:

Firefox (http://www.mozilla.org/mozilla/firefox)
- for all sites that are allowed to know and track my identity
- currently (2016) not all sites function in firefox

Otter Browser (http://www.otter-browser.org/) (a remake of Opera 12.x)
- has the best security policy, but has currently some minor bugs and should be faster
- you can block advertisings
- at any time you can restrict any cookies, their lifetime depending on their origin - individually for each site you visit
- you can switch on/off plugins at any time, also individually for each site
- you can restrict Java, JavaScript in general or individually for each site
- I am using this for all sites where I want to protect my privacy

Vivaldi Browser (https://vivaldi.net/en-US/) - another remake of Opera 12.x, developed by the inventor of Opera and some of his staff
- extremely fast
- allows also most of the detailed security adjustments that Opera 12.x had, but the interface is not as intuitive (in my view)

Brave (https://brave.com/)
- blocks Google ads

Opera (http://www.opera.com) starting at 2016-09
- hasn't all of the security adjustments that former versions of Opera had
- can block ads
- can establish a VPN connection to allow access to sites that are blocked in your country

Google Chrome
- you should use this one only for one single purpose: to use the special function of Google that cannot be accessed by other browsers (such as: advanced image search)

EFO
1st October 2016, 08:00
Another interesting browser: Adblock Browser (1 year old) :) :
https://adblockbrowser.org/

https://getadblock.com/images/logo_adblock.png


http://www.youtube.com/watch?v=kbftxZ9W7UQ

Paul
1st October 2016, 19:48
Browser funding is revolutionary, and could develop into a multi-billion dollar industry within 2-15 years. It solves some major problems associated with fairly monetizing content. Brave would need to accept Paypal directly for it to really work. Right now going through Coinbase will cut out some casual, impatient users, like me. But maybe Brave want to move the net economy away from Paypal onto Bitcoin. I can see that. It seems to me that Brendan Eich is very serious about respecting the privacy of browser users, including which sites they donate to and how much.

Perhaps in part because Brendan himself lost his job as CEO of Mozilla, on account of a controversy that arose when it became public that he had donated $1000 to some political cause years earlier, he seems quite aware of the importance of such privacy.

Using a crypto-currency such as Bitcoin as the key transfer mechanism, which works anonymously, across all national and political borders, is a key element in providing this privacy (at least from all but the most powerful.)

Now ... if one could more easily exchange between a crypto-currency such as Bitcoins and your choice of the major currencies, that would be a major improvement (hence an improvement that I'm doubtful will happen.)

Paul
1st October 2016, 19:52
It is always a good idea to use different browsers for different purposes - especially when you are interested in your privacy.

Google ads and other ads from advertising networks track your identity across many websites, including project avalon (due to the Google translate module).

Currently I am using:

...
Google Chrome
- you should use this one only for one single purpose: to use the special function of Google that cannot be accessed by other browsers (such as: advanced image search)

That seems to me like a good idea to spread one's usage over multiple browsers, to limit tracking.

Avalon's use of Google translate, which causes hits on Google servers every time anyone loads most any page of the Avalon forum, bothers me ... but I haven't done anything to see if this can be avoided, outside of asking Ilie about it once, a year or two ago, and he didn't think it would be easy to avoid hitting the Google servers on each Avalon page load, short of removing what some users might find to be a useful facility.

Olaf - can you say more about what motivates you to avoid Google's Chrome wherever possible?

PurpleLama
1st October 2016, 21:29
I have had to run chrome for months now with java disabled and certain websites listed as an exception, as Google ads were redirecting me constantly every time I tried to read an article anywhere that had ads embedded in the pages. I am trying out the brave mobile, it works well so far but the bubble thing is kinda weird and will take some getting used to.

The mobile version doesn't word wrap like chrome does, so far, which honestly is the only reason why I have kept chrome going at all, for the readability of forums.

Nevermind, when you increase text zoom over 100%, it starts a wrapping! I hereby declare brave a keeper!

Daozen
2nd October 2016, 00:05
Sometimes I'd stop by his office, just down the hall from mine, with some minor item to talk about for a minute or two.

He'd be coding his part of the project, and while he was continuing to rapidly type production quality code, on the first draft, he'd carry on a coherent conversation with me on some unrelated topic. I've seen very few who could code that well, that quickly, and I've seen no one else who could engage in idle chatter on some unrelated topic ... at the same time!


Ha. I can imagine that scene perfectly. When I watch his videos, they start off normal speed, but by the end there's a lightning fast stream of ideas and strategies. He seems to have a balance of vision, strategy, technical ability and media know-how necessary to lead a project to success. I hope I develop similar skills over the next decade.

Building the language of the net, and then going on to create a revolutionary internet finance model are two massive contributions to the 21st century.

https://www.youtube.com/watch?v=jFGDhWobELc
https://www.youtube.com/watch?v=IPxQ9kEaF8c

Mike Gorman
2nd October 2016, 00:29
Thanks very much for bringing this to attention, I have been using Chrome for ages, but it uses up a lot of resources - I always have at least 20 tabs going being an online worker - I am going to take a look. I strive to not take the Internet for granted because it is the best development of humanity since the printing press, and a lot more powerful!

Bob
2nd October 2016, 00:32
I just tried this 'browser' and my opinion is it is nothing that I am happy with. Until I see a way to completely uninstall all traces of "Brave" I will consider us being duped to having installed a program which has some serious issues with, like a betatest software. What was seen (and I will get into this in later posts) was that the files are LOCKED even when you are system administrator. Machine OWNER cannot uninstall.

At first I used the standard "remove program" from the windows control panel after installing and found out, there are a lot of folders, and programs still left, in non-standard program locations on the windows machine. And one can not just delete these. They are in some way "elevated" to a permission level that the user/system administrator just doesn't have. That is not right in my opinion, and such actions are what a virus or a trojan can do, thereby creating suspicions as to what is going on.

The installer apparently creates an account on your machine, which doesn't allow system or administrator access to delete this hidden/elevated account (the account does not show up as an authorized 'user'), thereby not allowing one to change permissions to delete the files which are permanently kept on your machine by this 'program'.

There are many fantastic reviews on the web telling people to try this. I wonder how many people who tried this experienced what I did? To me it seems like I at least suffered from "social engineering syndrome", or being a sheeple and just "installing" cause of all the raves.. (oops)

Any suggestions on how to remove it? Like how to actually get access to the permissions for the hidden user account that is created??

Daozen
2nd October 2016, 00:53
I just tried this 'browser' and my opinion is it is a locked virus. I think we have been duped into installing some type of spyware on our machine(s). Until I see a way to completely uninstall all traces of "Brave" I will consider us being duped to having installed spyware which will not uninstall. The files are LOCKED even when you are system administrator. Machine OWNER cannot uninstall.

I used the standard remove program from the control panel after installing and found out, there are a lot of folders, and programs still left, in non-standard program locations on the windows machine.

Any suggestions on how to remove it? Like how to actually get access to the permissions for the hidden user account that is created??

Could you suggest an alternative browser that's downloadable now? I have 5 on my machine. Chrome has also been accused of being spyware. Maxthon has had similar accusations thrown at it. Firefox, I don't know. Safari is from Apple, IE from Microsoft. That leaves Opera and Chromium.

I'm open minded about any alternative browsers.

It looks like Brave is open source:

https://github.com/brave/browser-laptop

Which means any genuine spyware capabilities would be found in a matter of weeks or months. If there were any under-the-radar additions, anyone could easily fork the github repository and release a different version. IMO, Brendan Eich would have to be crazy to trash his career by releasing an open source browser that contained spyware.

It might be a good idea to take 15 seconds to Google: "How to uninstall Brave Browser" before throwing around libelous accusations about viruses, duping, and spyware. Other people have had similar problems during uninstall. It's probably just an early stage bug.

Bob
2nd October 2016, 00:54
I did, it says it doesn't uninstall on Windows 10 and "Case Closed" (did they finally succeed in uninstalling, don't know).

My feeling is this: When a developer uses non-standard locations for data, like the normal install location(s), and there are QUITE A FEW.. it becomes difficult (and it shouldn't be difficult in fully open source fully clear explained commented code). One could very easily become suspicious that something nefarious may be happening - so here is what I found and why I felt more and more uncomfortable -

One can do a search for the brave keyword (as some have suggested) within the whole computer to locate where the programs and the myriad of files are installed, and there are a LOT OF THEM. A LOT OF NONSTANDARD FILES. Numerous caches are created it looks like, encrypted (?) (binary maybe)... which could store passwords, etc. why are those caches needed?

Just wondering out loud, are there stored passwords somewhere in a file created by Brave? Secure where ONLY the owner would know? Untamperable, and not able to be remotely read by some script somewhere accessing the Java Engine?

How can one tell without having extreme programming skills to dissect this browser and all the 'features' offered by or to be offered by it. How is the public, not technically oriented, not skilled programmers just going to be comfortable, that everything is indeed safe and secure? How do I know that my bios didn't have code written in to it for instance? (a place some nasty issues have been known to be installed).. We have no guarantees that such is clean. Look at ALL the stuff being done by NSA, how even hard drives bios' (the firmware memory chips) can be programmed by a program running on one's machine. Paranoid? Maybe or security conscious?

I am not a happy camper. I expected "warm and fuzzy". It was not warm and fuzzy. There were too many unknowns in my view of this, and I don't like the idea of trusting private data to a third party "new" program which will transmit potentially, depending on the website clicked on, private data. I have seen no peer reviews that the security is hole/problem/issue free.

As to uninstalling: I did manage to create an elevated senior "EVERYONE" account to take full control in the "Brave" folders which were created, and ONE by ONE I am deleting each. I should NOT have had to do that. I should have as some on various websites said (git hub included), is just go and delete the files. I could not just delete the files or folders.

As a developer myself, I have found one doesn't do installs in non-normal locations - normal locations would be such as "program files" or "program files (86)". An uninstaller would remove ALL traces of the program, files, caches, repositories.. I didn't sign up to be a beta-tester for this program, and having to actually do procedures which normally could happen during a betatest is wasting my time and energy. If the code was inadvertently written to STOP writing a proper UNINSTALLER, and what was left was seeing HOW Brave's installer treated the hard drive's folder's by creating an ELEVATED account that nothing else could touch (including the system and owner).. Maybe there is a logic to that, but if the installer is supposed to write an UN-Installer and it stops doing that, leaving the program and files/folders LOCKED that certainly is a no-no, a nasty oops !

When I test out something new I test out the uninstaller to see what damage, if anything, that it does.

I personally will COMPLETELY STAY THE HECK away from this "Brave" browser in its current state. I am not interested in re-installing it. The example of the "spyware" actions without user permission, and an uninstaller which leaves coded scripts (without explanation of why they are there) is worrisome. Code bug I just don't know. What I saw I saw and my protection systems prevented (I believe) the compromise.

I am going to spend the next 2 hours uninstalling the traces left of this 'browser' and see what other damage (if any) has been created. (update.. it took a full day, not just two hours).

This is my advice, as any good programmer would suggest to you: If one hasn't created an uninstall point DO SO and have a backup of your system before you try this 'program' or for that matter, ANY new program. Test it as best as you can, that you can restore your machine to what state it was in before the new program addition. Having backups is important, disk drive failures, other failures..

I didn't get a "crash" of the program, but there is an UPLOAD LOCATION installed on one's machine as follows:

\Brave Developers Crashes\crash_checkpoint.txt
server is https://brave-laptop-updates.herokuapp.com/1/crashes
maximum 128 reports/day
reporter is brave-crash-service

this above, is verbatim out of a file called : "operation_log.txt" in a folder created in:
AppData\Local\Temp\Brave Developers Crashes

What I have seen with "developer crash dumps" in general, is that very specific information about one's machine, what files were open, potentially user specific information, passwords, websites visited, etc. could be part of a "crash dump" - that a program has that "automatic upload" to a server (file repository) without notice and permission IRKS me as a spyware or in the minimum malware (without a clean un-install) and files/data being transmitted..

There are many more things, having to be "uninstalled" which I will screenshot and post in a moment. I won't screenshot my registry for privacy reasons.

Here are some of the remnants after managing to create a SENIOR account to counter and gain access above the hidden or "locked" account created by "Brave". Going thru each of these to review their contents, and then to delete, after which then will do an intensive REGISTRY SEARCH to see what was changed there as well (sigh), I feel what a mistake trying this - I didn't need this effort !! ALL I wanted was to see how great this new browser is supposed to be. I don't have any way of determining if any firmware was modified either on the hard drives, or motherboard.


http://chanlo.com/images/brave-1.jpg

Daozen
2nd October 2016, 01:12
I'm sorry you're having problems. Uninstalling can be a pain.

You could help Brave out by keeping a log of the hassles you had, and someone could open an issue on Github. What commands did you try, what happened. I know there are non-technical people reading this, but there are programmers here as well. Keeping a log might help others.

If you don't give any specifics, how can anyone reproduce what you've done?

Bob
2nd October 2016, 01:24
I have plenty of specifics, enough to take me two hours to uninstall. I would NEVER create a program that hides from the normal install locations. NEVER.

try uninstall and see what is left, but before doing that go see WHERE everything is modified, like registry, like non-standard locations for program folders. Anything in Beta should be using standard locations, full documentation, and support. Not turning loose a program into the public and expecting them to sort it.

AS FAR AS AUTOMATIC CRASH REPORTER SERVICES:

IT IS CUSTOMARY for a person installing a program to OPT-IN or OPT-OUT for automatically HELPING THE DEVELOPER to see what crashed and to provide a solution.

THERE WAS NO OPT-IN and NO OPT-OUT option during install. That really bothers me. As I said, not a happy camper.

I don't like it when programs automatically UPLOAD without notice, or don't ask permission. How about something like this: "We are about to upload sensitive information about your computer, programs you are running, etc. Your clicking OK will say you agree to this..." (or something like that) to some server and state that server and WHY.

THAT lack of opt-in or opt-out to have sensitive data uploaded without permission I believe strongly is violating good development practices, and it seems to me, all the other developers of the browsers out there would seriously "frown" on this "Brave" browser being so highly rated when it is not openly forthcoming about what all it opens your machine (and privacy apparently) to such as crash reports without user permission.

AND, there was NO OBVIOUS CRASH HERE running the program. No notice, no warning, nada.

BUT it created a crash report, with identifying features and apparently wanted to UPLOAD TO THAT SERVER (?) mentioned above, all without my permission.. I call that SPYWARE behavior period per the published definition.

Paul
2nd October 2016, 01:29
Any suggestions on how to remove it? Like how to actually get access to the permissions for the hidden user account that is created??
Switch to Linux ? :)

Daozen
2nd October 2016, 01:30
I can see the crash logs and screenshots in one of your posts. Names of all the non-standard files would help a lot. Once you have enough posted, someone could open a Github issue.

Bob
2nd October 2016, 01:41
Any suggestions on how to remove it? Like how to actually get access to the permissions for the hidden user account that is created??
Switch to Linux ? :)

I actually do use LINUX, Ubuntu etc.. I tried Brave cause of all the great reviews :) what worked was to create a SENIOR account EVERYONE, with full permissions above the locked account created by Brave, then hunt for and then delete.. using timestamp searches to look for newly created or modified files.

What is left is to go thru the registry to clear out that which was modified..

For an uninstaller for "Brave" I feel very strongly that it has some major issues. (see the search params above). I should NOT have had to create a special permissions account to have to go through and uninstall. There should have been an exact list showing what was done what was modified if any, what will be transmitted to 157.52.65.7:443 (or any other site on a failure).. NO regular unskilled lay person would have been able to just go in, find a way to bypass a file/folder permission lock to correct an install failure. It took many hours to sort this.
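
The timestamp search described in the post above, as an added Python example that is not part of any forum post or of Brave's own code: it walks a directory tree, flags files changed since a chosen install time or whose path contains a name hint, and extracts URLs from small text files such as the crash reporter's operation_log.txt. The function names, the hint list and the sample tree are assumptions constructed for illustration; the three log lines are the ones quoted earlier in the thread.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Name hints taken from folder names mentioned in the thread (assumed list).
NAME_HINTS = ("brave", "squirreltemp")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
TEXT_SUFFIXES = {".txt", ".log", ".json", ".ini"}


@dataclass
class Finding:
    path: str                      # path relative to the audited root
    reasons: list                  # "name" and/or "modified-after-install"
    urls: list = field(default_factory=list)


def audit_leftovers(root, installed_at, hints=NAME_HINTS, max_read=65536):
    """Return (findings, unreadable) for files under root.

    A file is reported when its relative path contains a hint or when its
    modification time is at or after installed_at (epoch seconds). Paths that
    cannot be listed or read are collected instead of aborting the walk, since
    locked folders are exactly the case the thread complains about.
    """
    findings, unreadable = [], []

    def on_walk_error(err):
        unreadable.append(err.filename)

    for dirpath, _dirs, files in os.walk(root, onerror=on_walk_error):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                st = os.stat(full)
            except OSError:
                unreadable.append(full)
                continue
            reasons = []
            if any(h in rel.lower() for h in hints):
                reasons.append("name")
            if st.st_mtime >= installed_at:
                reasons.append("modified-after-install")
            if not reasons:
                continue
            urls = []
            if Path(name).suffix.lower() in TEXT_SUFFIXES:
                try:
                    with open(full, "r", encoding="utf-8", errors="replace") as fh:
                        urls = sorted(set(URL_RE.findall(fh.read(max_read))))
                except OSError:
                    unreadable.append(full)
            findings.append(Finding(rel.replace(os.sep, "/"), reasons, urls))
    findings.sort(key=lambda f: f.path)
    return findings, unreadable


def build_sample_tree(base, installed_at):
    """Create a small constructed tree; offsets are seconds relative to install."""
    files = {
        "Temp/Brave Developers Crashes/operation_log.txt": (
            "server is https://brave-laptop-updates.herokuapp.com/1/crashes\n"
            "maximum 128 reports/day\n"
            "reporter is brave-crash-service\n", 60),
        "SquirrelTemp/setup.log": ("constructed installer log line\n", 30),
        "Documents/notes.txt": ("unrelated, older than the install\n", -86400),
        "Documents/report.txt": ("unrelated, edited after the install\n", 120),
    }
    for rel, (text, offset) in files.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
        os.utime(p, (installed_at + offset, installed_at + offset))


if __name__ == "__main__":
    install_time = 1475366400.0    # constructed install timestamp
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, install_time)
        found, locked = audit_leftovers(tmp, install_time)
        for f in found:
            print(f.path, f.reasons, f.urls)
        print("unreadable:", locked)
```

The timestamp rule also reports unrelated files edited after the install, so the two reasons are kept separate to let the reader triage name matches first.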

Daozen
2nd October 2016, 01:56
Any suggestions on how to remove it? Like how to actually get access to the permissions for the hidden user account that is created??
Switch to Linux ? :)

What is left is to go thru the registry to clear out that which was modified..

For an uninstaller for "Brave" it has some major issues. (see the search params above). Now if he did what other spyware writers do, he would have changed the file names to something which would not be so easy to search on.

Which kind of proves it's an early stage bug, not spyware. And who would be silly enough to release open-source spyware? lol.

Bob
2nd October 2016, 02:01
Makes ya wonder doesn't it? SPYWARE uploads private material, user identifiable material, machine identifiable material to another.. Without user permission. I never gave permission for this "Brave" browser to upload to that server.

Definition reference:

spy·ware
ˈspīwer/
noun
software that enables a user to obtain covert information about another's computer activities by transmitting data covertly from their hard drive.

Using that published definition of SPYWARE (http://www.pctools.com/security-news/what-is-spyware/), I BELIEVE most strongly that issues in the crash reporter feature can be constituted as SPYWARE installed under the delusion of installing the "best" new browser out there able to kick Chrome in the teeth, be faster, etc.. (paraphrased highly) especially without USER authorization/permission to allow private data in "reports" to be sent to the programmer's organization (or other third parties) ... (or in other words, it appears to me to be SOCIAL ENGINEERING to get one to install a seemingly useful program. (like dohh...) fell for it, my bad.. oops. Of course though I have monitors which track what things get installed, so being able to debug all this 'new stuff' is quite interesting.. isn't it? I didn't sign up for a beta-test to test out a new browser to see what issues are present (or not).

This I feel is some common logic when testing out any new program: (make your system backup, restore points, run the program in a sandbox) and when one installs it, first check in any new program is see what the uninstaller will do, see what tracking information (if any) happens, see what data may be sent to the developer (or others) and under what conditions such will be triggered.. proper checking in other words to see if one can undo an installation cleanly. This failed in step 1 of the check, can it uninstall cleanly, and failed in step 2 is it CLEAN of sending ANY DATA to any other data repository for whatever purposes (calling it crash reporting is convenient to gather data on users' machines, and who knows what else is in the encrypted files created by "Brave" on the user's hard drive. That is going to take more of an analysis, but some things seen in the "compiled" script executables have PRIVATE information in them, machine descriptors, drive identifiers..)

Rambling a bit here: One thinks a browser just has a simple data cache, to be able to present files from a website, and prevent nasty things from websites from getting in.. THAT it seems to me, is what the public is led to believe.. That things are safe, 100%.. Bugs happen, of course, but sending user data without their permission, without opt-in or opt-out is in my opinion very wrong. We must TRUST when we install a program that it will meet our expectations, for me security is the highest, will it damage my machine or operating system, will it slow down my machine or operating system, things like that is what I am concerned about.

==update==

finally got the registry cleaned and then proceeded to find the other "hidden names" which were used besides the "brave" - located SquirrelTemp folder and then followed the "setup" steps being done, some of which proceeded to "analyze" my desktop and taskbar, and then tried to create a file to send to a server. I believe I saw my running applications in the list to be "sent" and reported on including my machine identifier, hard drive identifier, etc.

One particular code line looked interesting:
System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost) - at that point file permissions were changed (again without the USER's choice to let them be changed)..

At that point it seems that the "squirrel" setup program looked for ALL RUNNING PROGRAMS and created a list of those (also it seems like it was to upload to the server, but it was STOPPED COLD from doing so). (tmp.node executables were created looking at the time stamp, that contained private machine identifiable data, private personal programs that were on my machine were put INTO the various tmp.node executables and .pf (prefetch) files. It also gave an entry in its setup log, that it was done "FIXING" (according to a line in one of the files found) my links (again without my permission). I don't need my shortcuts and links "FIXED" by any program/browser. Do no harm? Hardly it seems to me, with this "brave" program/installer - why do my "shortcuts" have to be analyzed and "fixed", what gives this program the RIGHT to do that without my permission? Why are the program's file and folders locked to a permission level that the machine OWNER can not over-ride (like delete the file/folder).

Afterwards it (the installer program) apparently got pissed(?), and it said: "didn't care" in the log.. (hmmmmmmm).. when it was prohibited from gaining access to more private data and sending it out. Hilarious comments in code? or something else? Unknown and questioning why such was written that way, besides it trying to send a report to that IP..


Couldn't write uninstall icon, don't care: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: An attempt was made to access a socket in a way forbidden by its access permissions 157.52.65.7:443
at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)

EXCUSE ME? A programmer writing "DON'T CARE" in the code when the user's system REFUSED to let confidential information be sent UNAUTHORIZED apparently to the Programmer's server, to not put the uninstaller in when an essential feature called UNINSTALL is legitimately NEEDED to completely REMOVE all traces and put back the SYSTEM to its state BEFORE ONE INSTALLED their "program" ? Can we wonder why Brendan was supposedly "fired (https://askdrbrown.org/library/brendan-eich-fired-mozilla-defending-marriage-has-brave-new-web)" from a past job at a browser company (they say he stepped down). How much of this code was written by Mr. Eich and how much by others? Did he review all the code, check it verify it is secure safe and operating with good programming practices? (take a brief re-read of post http://projectavalon.net/forum4/showthread.php?93668-The-Brave-Browser-Created-by-Firefox-Web-Browser-Creator-Brendan-Eich&p=1102905&viewfull=1#post1102905 ). I suppose in my opinion, politics happens everywhere and anywhere and that a step-down or job changes has nothing to do with how code is written for a particular new and unique application, or that JavaScript ( or possibly old code used elsewhere ) may play a strong role in the setup and maybe running(?) of the new Brave browser. These are unknowns to me, and doing web-searches and having problems with a program gets one concerned. I thought open source with good documentation would help enlighten. What about the public do they trust and how are they assured everything is safe, and will be safe continually?

The attempt to send data to port 443 is logical. It is a guaranteed special port used for secure file uploading and downloading. 157.52.65.7:443 is what the data was attempted to be sent to and blocked.

Some background on that port:

Trojans that use this port:
W32.Kelvir.M (04.05.2005) - worm that spreads through MSN Messenger and drops a variant of the W32.Spybot.Worm. Connects to IRC servers on the s.defonic2.net and s.majesticwin.com domains, and listens for commands on port 443/tcp.

Port 443 tcp, protocol, a trojan called "Slapper" uses this

Legitimate programs also use that port for secure transmissions.. The use of secure ports are important no question.

MOST firewalls will allow that port (443) to send "secure" data without asking twice. Mine apparently refused at the point of "setup" to let this spyware transmit its load. I refer to spyware as that which will transmit private data unauthorized by the owner to some location as per the publicly published definition of such. Some may see it differently, but no OPT-OUT, no notice that such will be transmitted certainly is not "best programming practices", is it an oversight? Who knows?

More background on port 443:


Fortunately, the fact is that TCP 443 is not a Universal Firewall Port. True, if you're using a simple stateful packet inspection only firewall, you're out of luck, but you've been out of luck for quite some time. However, many proxy based firewalls and dedicated Web proxies are able to look at the information in the HTTP header and block connections based on that header information. This is true for SSTP.

Who belongs to that IP? - it's in a block called this:
157.52.64.0 - 157.52.127.255
CIDR: 157.52.64.0/18
Organization: Fastly (SKYCA-3)
RegDate: 2015-04-02
Updated: 2015-04-02

Tracing further: Brave.com is currently hosted at Fastly.
brave.com SOA 21599 chip.ns.cloudflare.com dns@cloudflare.com 2022668191 10000 2400 604800 3600
brave.com NS 21599 kim.ns.cloudflare.com
brave.com NS 21599 chip.ns.cloudflare.com
brave.com A 299 172.111.97.7
brave.com A 299 172.111.65.7
brave.com A 299 157.52.97.7
brave.com A 299 157.52.65.7
brave.com MX 299 5 alt1.aspmx.l.google.com
brave.com MX 299 10 aspmx2.googlemail.com
brave.com MX 299 5 alt2.aspmx.l.google.com
brave.com MX 299 10 aspmx3.googlemail.com
brave.com MX 299 1 aspmx.l.google.com
www.brave.com A 29 151.101.33.7
www.brave.com CNAME 299 prod.p.ssl.global.fastly.net

(Source reference: https://who.is/dns/brave.com)

And public is just supposed to KNOW how to check for this stuff on their own, and just TRUST ? Why is the public then testing out potentially buggy betatest software that could expose private machine information to those not authorized to receive it? I just don't see it that this software is ready for public general non-technical user use.

references: http://www.nationalreview.com/corner/374734/mozilla-employees-call-ceo-be-fired-donating-prop-8-campaign-alec-torres - employees call for CEO to be 'fired'


[..] thousands have signed a petition calling for new Mozilla CEO Brendan Eich to either openly endorse gay marriage or be fired. Six years ago, Eich donated $1,000 to the successful Proposition 8 campaign that created a constitutional amendment preserving the traditional definition of marriage in California. Eich, who is famous for creating JavaScript, was a co-founder of Mozilla and was appointed CEO after having served as Mozilla’s chief technology officer since 2005.


https://www.sitepoint.com/interview-brendan-eich-ceo-brave/ -


Quote by Brendan Eich: Brave is for all people who care about their privacy and browsing speed on the Web, which are closely related concerns due to the rise of intrusive, inefficient, and even dangerous third party advertising technology.

Sleight of hand? Apparently putting the FOCUS ON AD BLOCKING but neglecting to tell users that their privates can be sent to BRAVE without their permission (when something goes 'allegedly wrong' like during an install) is an interesting kettle and pot issue isn't it? Oooops?

==update 2==

Found out what the other hidden executable files are, JAVASCRIPT executables with some containing what looks like the computer's privates within them.. hmmmmm

https://www.nsslabs.com/blog/node-js-used-in-recent-exploit-campaign/ - understanding Node.JS when tmp.node files are created what are they.

Is Java Script secure? see for instance or do a keyword search on that - http://arstechnica.com/information-technology/2013/08/how-easy-is-it-to-hack-javascript-in-a-browser/

Well it can open up HOLES in the machine's secure area.. It could with proper coding allow a specially constructed web page accessed for instance, which may contain certain codes for calling up Java (if that engine is enabled) or to call up the javascripts or call up programs to run on a user's machine, thereby allowing for remote control (http://news.drweb.com/show/review/?lng=en&i=10119) in some instances.. and for special "features" to be activated that a browser could not normally perform. That is why JAVA has been labeled as the most obscene engineering development for safety (paraphrasing) in the computer world.. hmmmmm

And the developer of JavaScript (https://en.wikipedia.org/wiki/Brendan_Eich) is none other than Brian Eich ! weoh... dots more dots.. And now it has been noted by reviewing closely files created at the time of install, the Brave/installer creating what looks like no less than 16 javascript executables just sitting there in an obscure (out of the way) folder possibly waiting to be activated by visiting a webpage with the appropriate CODE on them? If they aren't needed why are they still then there? A logical question to ask when one is concerned about safety, security..

See my concerns? Dots connecting, coincidentally or otherwise?

reference: Can I get a virus or trojan from visiting a website? http://superuser.com/questions/106809/why-can-i-get-a-virus-or-trojan-from-visiting-a-website


Unfortunately, there have been several vulnerabilities in the sandboxes of Javascript, of Java and of Flash, just to name a few. It's still a kind of race between malicious hackers who detect these vulnerabilities to exploit them, and good hackers and developers who detect and fix them. Usually, they are fixed quickly, but there is sometimes a window of vulnerability.

BTW: The sandbox is the reason some Java applets pop up a "Do you trust this applet" warning on launch: These applets ask you to let them out of their sandbox and to give them access to your computer.

Why are javascript executables left hidden on the machine?

Doing a generic search on how JavaScript files can be misused (used for creating trojans, RATs, or backdoors) comes up with this: http://www.bleepingcomputer.com/forums/t/619187/suspected-persistent-low-level-malware-or-rootkit/


Was going to mention that again, I had a look at the temp folder after the commands and a restart, I see a 7464.tmp.node with some very suspicious wording if opened through notepad ++ or alike. Inbetween all the encoding breaks like NUL.

Understanding JAVA - http://www.zdnet.com/article/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates/

Understanding JAVASCRIPT - the executable - http://people.cs.pitt.edu/~mehmud/cs134/javascript1.html "the term script-kiddie (https://www.google.com/search?q=%22script+kiddie%22&oq=%22script+kiddie%22&aqs=chrome..69i57.3760j0j4&sourceid=chrome&ie=UTF-8)" refers to using script snippets pasted together to create nefarious activity on one's computer from having received a payload by visiting a properly crafted webpage. (Malicious website). I guess I should have been running this in a sandbox. Social testimony you know is certainly moving. It leads one it seems to let down one's guard. Great promises are certainly compelling, but never ever it seems to me take security for granted.

More References:

https://github.com/brave/browser-laptop/issues/954 - uninstall problems
https://nakedsecurity.sophos.com/2012/08/30/how-turn-off-java-browser/ - how to turn off JAVA
http://arstechnica.com/information-technology/2013/08/how-easy-is-it-to-hack-javascript-in-a-browser/ - HOW easy is it hack a JavaScript?
https://www.wired.com/2016/04/brave-software-publishers-respond/ - publishers threaten legal action, assorted violations about a browser messing with delivered Ads. Would the user of such a browser then also be part of an action by publishers viewing "copyrighted works" in disassembled parts (stripping out an Ad for instance part of the copyrighted webpage)..


The difference between JAVA and JavaScript - http://www.htmlgoodies.com/beyond/javascript/article.php/3470971/Java-vs-JavaScript.htm


So... what is the difference between Java and JavaScript anyway?

They are both similar and quite different depending on how you look at them. First their lineage:
Java is an Object Oriented Programming (OOP) language created by James Gosling of Sun Microsystems.

JavaScript is a scripting language that was created by the fine people at Netscape and was originally known as LiveScript. JavaScript is a (very) distant cousin of Java in that it is also an OOP language.

Many of their programming structures are similar. However, JavaScript contains a much smaller and simpler set of commands than does Java. It is easier for the average weekend warrior to understand.

You may be wondering what OOP means by now. Object Oriented Programming is a relatively new concept, whereas the sum of the parts of a program make up the whole. Think of it this way: you are building a model car. You build the engine first.

It can stand alone. It is an engine and everyone can see it's an engine. Next you build the body. It can also stand alone. Finally, you build the interior including the seats, steering wheel, and whatnot. Each, by itself is a object.

But it is not a fully functioning car until all the pieces are put together. The sum of the objects (parts) make up the whole.

The issue with the hidden xxxx.tmp.node files - a user writes a question about the tmp.node files (mentioned finding these types of files in my machine after running the brave installer) "what are they" (I noticed in some of them it started with "this program cannot run in DOS MODE" and then later in the file privates from my machine apparently were compiled INTO some of these files. They were part of the squirrel installer it looks like.)


Some Coding, Samples within the xxxx.tmp.node files which were created during the installation:

<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>

=============

Locator' too long getPassword addPassword deletePassword findPassword ..\src\main.cc keytar

==============

in other words that section of the code deals with "getting or finding PASSWORDS, adding - no browser program has ANY RIGHT to get my passwords, period.

==============
JIT must be enabled) Microsoft Visual C++ Library (JIT, Just in time debugging)
==============
RtlCaptureContext
GetStartupInfoW
IsDebuggerPresent
GetSystemTimeAsFileTime
SetFile
CreateFile
DeleteCriticalSection
/json/
c: \bbondy\.node-gyp\io-js-1.3.3 "IS NEAR DEATH" ()
========================================================

One starts to see things like this about getting passwords, capturing data, changing execution levels, it gets very worrisome
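
Editor's added example (not code from this thread or from Brave): a file containing the "This program cannot be run in DOS mode" stub is a Windows PE image, and keytar is a native Node.js module that wraps the operating system's credential store. The Python below triages such a file offline by reading its PE header and grouping the strings quoted in the post above; the sample bytes, function names and marker groups are constructed for illustration.

```python
import re
import struct

IMAGE_FILE_DLL = 0x2000
MACHINES = {0x014C: "x86", 0x8664: "x64", 0xAA64: "arm64"}

# Strings quoted in the post, grouped by what they usually indicate.
# The grouping is this example's assumption, not output from any tool.
MARKERS = {
    "keytar credential-store API names": [
        "keytar", "getPassword", "addPassword", "deletePassword", "findPassword"],
    "common Windows runtime imports": [
        "IsDebuggerPresent", "RtlCaptureContext", "GetStartupInfoW",
        "GetSystemTimeAsFileTime", "DeleteCriticalSection"],
    "build-machine paths": [".node-gyp", "main.cc"],
}


def pe_summary(data):
    """Return basic PE header facts, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, _, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
    }


def ascii_strings(data, min_len=4):
    """Printable ASCII runs, like the `strings` utility."""
    return [m.decode("ascii")
            for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def triage(data):
    """Summarise what kind of file this is and which known markers it holds."""
    strings = ascii_strings(data)
    hits = {}
    for label, needles in MARKERS.items():
        found = sorted({n for n in needles if any(n in s for s in strings)})
        if found:
            hits[label] = found
    level = None
    for s in strings:
        # Embedded manifest: the privilege level the image asks Windows for.
        m = re.search(r"requestedExecutionLevel\s+level=['\"](\w+)['\"]", s)
        if m:
            level = m.group(1)
    return {"pe": pe_summary(data), "hits": hits, "requested_level": level}


def build_sample():
    """Constructed stand-in for a *.tmp.node file: minimal PE headers plus
    a few of the strings quoted in the post. Not a real Brave file."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    stub = b"This program cannot be run in DOS mode"
    dos[0x4E:0x4E + len(stub)] = stub
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, IMAGE_FILE_DLL | 0x0002)
    body = b"\0".join([
        b"getPassword", b"addPassword", b"deletePassword", b"findPassword",
        b"..\\src\\main.cc", b"keytar", b"IsDebuggerPresent", b"RtlCaptureContext",
        b"<requestedExecutionLevel level='asInvoker' uiAccess='false' />",
    ])
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 16 + body


if __name__ == "__main__":
    report = triage(build_sample())
    print("PE header:", report["pe"])
    print("requested execution level:", report["requested_level"])
    for label, found in report["hits"].items():
        print(f"{label}: {', '.join(found)}")
```

A manifest level of asInvoker means the image runs with the privileges of whatever launched it and does not ask Windows for elevation. To check a real file, pass its bytes to triage() in place of build_sample().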

Olaf
2nd October 2016, 09:34
Olaf - can you say more about what motivates you to avoid Google's Chrome wherever possible?

Because Chrome knows everything about your internet behaviour when you use it. It can track you across all sites that you visit. It may even resolve the URLs that you call by its own DNS. It knows your cookies. It knows your passwords. And it may send some of this information to google. It would not be possible to check any way in which this might happen.

Of course I cannot prove this. I'm simply suspicious.

Even if you only use one of the Google DNS servers, Google knows every page you visit. And with the call of only one single Google ad in one of those websites it also knows your identity and can connect it to your DNS requests.

At least in the current versions Otter browser and Vivaldi just don't have any interest in knowing those things, because they are not able to make money from it.

On the other side: Browsers that earn money by presenting you their own advertisements - such as Opera (>12.x) and perhaps Brave naturally must have an interest in tracking your identity.

Hughe
2nd October 2016, 10:38
Firefox became a bloated software that newer version gets slow, bulky.
Since I switched to Pale Moon web browser, I'm enjoying solid web browsing that I used to have from old Firefox.
Add-ons:
Adblock Latitude
Password Exporter
Flash Video Downloader
Plugins:
Shockwave Flash

Olaf
2nd October 2016, 11:55
(deleted - I've found a wrong entry in my firewall which caused the described behavior)

Paul
2nd October 2016, 12:59
Brave is using a SSL or VPN connection to remote port 443 to access everything. Sometimes also port 80.
Brave, by default (that you can disable in Brave if you want to) tries to promote all its connections to server port 80 (plain text http) to port 443 (ssl encrypted https).

Is that what you're seeing?

devplan
2nd October 2016, 13:00
I noticed something odd too: I usually use the Adblocker browser on my Android Smartphone and I wanted to give Brave a try and installed it. The next day I uninstalled it and when I used my Adblocker browser again, it reported at the cleanup option about some potential harmful elements which I had it clean up.
I am not fully sure, if that was caused by Brave.
Has anyone experienced the same issue?

Bob
2nd October 2016, 14:52
I noticed something odd too: I usually use the Adblocker browser on my Android Smartphone and I wanted to give Brave a try and installed it. The next day I uninstalled it and when I used my Adblocker browser again, it reported at the cleanup option about some potential harmful elements which I had it clean up.
I am not fully sure, if that was caused by Brave.
Has anyone experienced the same issue?

I tried it on Win 10 which was the worst and most difficult to cleanup, uninstall (one can review another user reporting on win10 uninstall of 'brave browser' HERE (https://github.com/brave/browser-laptop/issues/954), and on a Windows 7 OS. Of course the leading name browsers have adware reporting and cookie checking for referrals. Chrome has a very good blocker called Ghostery if you want to add that. (Interesting watching for instance PA popup GoogleTranslate (when using chrome) and DoubleClick on some pages too) :rofl:

I personally wouldn't try it on the smartphones, what I have seen with smartphones is there is just not enough ability to get into the hidden folders within the Smartphones (maybe developers can do that, but a normal user can't). At least Brave's uploader wanted secure 443 to its report gathering website when it was trying to send private information about my computer, its running programs to their repository (based on the IP and links found within the log files and script files). I suppose so nobody else would get them. Probably just for "statistical" purposes to debug why their program wouldn't run. Didn't NSA say something like that, we are just gathering statistical data, not actually looking/listening.. just really annoyed I wasn't asked if I wanted private data sent to some site without my permission.

Some one doing a blow by blow analysis (Peer Review, it is OPEN SOURCE RIGHT?), including how billing is accomplished, how one's passwords, wallet, programs one is running, bank account numbers/ID's, in general, maybe looking into the security section code (not just saying it's secure on port 443) for transferring funds to Brave.. how all that is guaranteed that your machine will never be snooped on by them or their associates, would be a great exercise. I don't have the month to get into that much code to do a security check..

References: - how NSA data is worked with - "how your data becomes 'our' data" https://nsa.gov1.info/surveillance/ - if you haven't seen this webpage, it may be a great read.. when one sees what may be holes in a "browser's" way of doing things, just maybe one may need to take a closer look.. I did when this didn't uninstall properly.. Glad I did.

Bob
2nd October 2016, 15:34
It is always a good idea to use different browsers for different purposes - especially when you are interested in your privacy.

Google ads and other ads from advertising networks track your identity across many websites, including project avalon (due to the Google translate module).

Currently I am using:

...
Google Chrome
- you should use this one only for one single purpose: to use the special function of Google that cannot be accessed by other browsers (such as: advanced image search)

That seems to me like a good idea to spread one's usage over multiple browsers, to limit tracking.

Avalon's use of Google translate, which causes hits on Google servers every time anyone loads most any page of the Avalon forum, bothers me ... but I haven't done anything to see if this can be avoided, outside of asking Ilie about it once, a year or two ago, and he didn't think it would be easy to avoid hitting the Google servers on each Avalon page load, short of removing what some users might find to be a useful facility.

Olaf - can you say more about what motivates you to avoid Google's Chrome wherever possible?

As to turning off trackers - I had mentioned Ghostery which is a Chrome extension, that blocks PA's use of GoogleTranslate, and also DoubleClick (tracker) which also appears on some PA pages.. Not sure why DoubleClick would be appearing unless it is somehow associated with some "image". BTW, I didn't see any way to guarantee a full turn off of full tracking in Brave for the brief time I had it up trying out its "features".

I haven't had any major issues using Chrome with the proper added extensions. I have seen going to a webpage WITH a drive-by downloader/installer such will lock up the browser and using the taskmanager is needed to stop chrome, and NOT re-open the infected page (on that particular tab), such requires step by step re-opening of the tabs, but such is stored in history to make an easy get back to. If Chrome absolutely knew what to FLAG as a corrupted webpage with a dropper on it, that would be handy. (I bumped into one when looking for a webpage discussing publisher legal action to be taken against BRAVE for destroying their Ads and found that corrupted page "trap". Spyware checks for anything dropped showed nothing got through).

So it's not a matter of finding a way to remove GoogleTranslate from PA, or any other VBulletin Forum.., I personally would use Chrome and use Ghostery to block all webpage trackers. I don't have any speed issues using Chrome, with PixelBlock for instance turned on to assist with blocking tracking in looking at one's email from the browser.

For example on VBulletin, (this forum's Forum software) this code is used: http://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit Failed to load resource: net::ERR_BLOCKED_BY_CLIENT and you can see Ghostery blocking the tracking attempt.

Quick history on Forum Software and Browsers: VBulletin seems to have the GoogleTranslate "tracker" built-in (possibly other add-ons used for other "statistical purposes" as well).

PA's VBulletin forum software also uses vbulletin_Ajax_suggest.js @ http://projectavalon.net/forum4/clientscript/vbulletin_ajax_suggest.js?v=411 .. if you are curious about what is happening on the Forum webpages, use CHROME and turn on "USE INSPECT" and turn on the Applications tab. If you are experienced it should make sense to you the immensity of the VBulletin Software, and if you are not experienced, it will be a whole lot of cornfusing mumbo-jumbo :)

SCRIPTS are used everywhere (Java's claim to fame) to make it "easier" for programmers to do fancy things which simple HTML code can't do (at this time). The question has always been, are the SCRIPTS that one finds being used wherever perfectly cleared and SAFE. One has to TRUST and BELIEVE that such scripts are safe as they are not fully explained how they work, why they work, what they access and HOW.

I haven't analyzed WHY VBulletin NEEDS to have a GoogleAnalytics type of tracker as part of their "analytics" feature (http://www.vbulletin.com/forum/forum/vbulletin-legacy-versions-products/legacy-vbulletin-versions/vbulletin-3-6-questios-problems-and-troubleshooting/204568-google-analytics) (and why so much YAHOO CODE is used). Why does a Forum need to continue to analyze where a user goes? Statistics, what threads visited, thanks? Just wondering out loud..

I'm looking for more statistical extensions also, to get a better packet by packet "clean display" to see what is going where. (I've recently just had to deal with what appears to be the NSA "man in the middle" issues tied into my ISP, apparently without the ISP's knowledge.. that was a wakeup call to them it seems.. if I believe their network operations center reports...) To me knowing what is going on when one clicks on a link is important.

Hearing that "Brave" was so security conscious (http://www.technewsworld.com/story/83015.html) (even mentioned at the outset of the thread) certainly got me to "try" the program.. User testimony one would assume certainly would get people to pay attention to anything new, of course it seems to me. I definitely paid attention !

I found more programs installed that came out of the "squirrel" (literally that is the name) installer, installed/used during the "Brave" installation, that I am still analyzing - like why would it seem that Brave would need machine privates to then encrypt and store in its hidden files, why would it need to elevate itself ABOVE normal system levels to be able to write itself and not let a regular general public-style user not be able to remove (is that good programming practices?) - all those are signs (typically in security checking) that something was "dropped" at least with properly removing the program(s), its 'leftovers' on trying to use their "uninstaller".

Hopefully, it seems to me, in the future all those observed issues will be corrected, maybe they are "non-issues" when one gets down into the full technical nitty-gritty and Brave will join the ranks of something guaranteed to be secure, fast, safe by demonstrating that it will NEVER do reporting to their website (or FTP or other repository) user "privates" without their express permission.

- What has been observed was about not getting too overly technical but trying to express concerns seen during trying to uninstall and clean up. What was seen is enough for me to red flag potential questionable points. Make your own choice to explore obviously.

If others are able to fully take apart "brave" browser and report on each feature, install function, their method or reporting "bug issues", determining if in the light or hidden, such would apparently be a good service to 'brave' and others using that browser - by all means giving them a 'chance' is certainly a noble position. A forum is a good place to share our observations and there are some great technical people who may have the time to do this.

references cited or related:

http://www.vbulletin.org/forum/showthread.php?threadid=289055
http://www.vbulletin.com/forum/forum/vbulletin-5-connect/vbulletin-5-installations/4315203-want-to-install-google-adsense-with-vbulletin
http://www.vbulletin.com/forum/forum/vbulletin-4/vbulletin-4-questions-problems-and-troubleshooting/409957-were-do-you-put-google-analytics-code
https://disqus.com/home/discussion/my-digitallife/how_to_add_google_analytics_tracking_code_in_vbulletin_4/best/
https://brave.com/
https://brave.com/#safer
http://www.technewsworld.com/story/83015.html - this one is interesting !
http://blockadblock.com/adblocking/the-new-brave-browser-and-why-its-not-going-to-work/
https://voat.co/v/technology/comments/976576 - this one is interesting, challenging Ghostery, and pushing "brave" - the writer should see what the installer is doing when it without permission sends (or tries to when blocked), from sending machine sensitive information to "brave"


This link may be useful for users (like me) who had difficulty uninstalling "brave" browser: http://www.advanceduninstaller.com/Brave-8dd96b8452a030e9f2563233b5b19fab-application.htm I have not checked AdvancedUninstaller PRO, nor can I say it is or isn't safe to use. They even have a disclaimer on their page :) which says this:


Disclaimer

This page is not a recommendation to remove Brave by Brave Software from your computer, nor are we saying that Brave by Brave Software is not a good application for your PC. This page only contains detailed instructions on how to remove Brave supposing you decide this is what you want to do. The information above contains registry and disk entries that other software left behind and Advanced Uninstaller PRO discovered and classified as "leftovers" on other users' computers.

NOTE: JAVA and JAVASCRIPT are two different things - see : http://www.htmlgoodies.com/beyond/javascript/article.php/3470971/Java-vs-JavaScript.htm



So... what is the difference between Java and JavaScript anyway?

They are both similar and quite different depending on how you look at them. First their lineage:
Java is an Object Oriented Programming (OOP) language created by James Gosling of Sun Microsystems. JavaScript is a scripting language that was created by the fine people at Netscape and was originally known as LiveScript. JavaScript is a (very) distant cousin of Java in that it is also an OOP language. Many of their programming structures are similar. However, JavaScript contains a much smaller and simpler set of commands than does Java. It is easier for the average weekend warrior to understand.

You may be wondering what OOP means by now. Object Oriented Programming is a relatively new concept, whereas the sum of the parts of a program make up the whole. Think of it this way: you are building a model car. You build the engine first. It can stand alone. It is an engine and everyone can see it's an engine. Next you build the body. It can also stand alone. Finally, you build the interior including the seats, steering wheel, and whatnot. Each, by itself is a object. But it is not a fully functioning car until all the pieces are put together. The sum of the objects (parts) make up the whole.

Now let's talk about how Java and JavaScript differ. The main difference is that Java can stand on its own while JavaScript must (primarily) be placed inside an HTML document to function. Java is a much larger and more complicated language that creates "standalone" applications. A Java "applet" (so-called because it is a little application) is a fully contained program.

JavaScript is text that is fed into a browser that can interpret it and then it is enacted by the browser--although today's web apps are starting to blur the line between traditional desktop applications and those which are created using the traditional web technologies: JavaScript, HTML and CSS.

Another major difference is how the language is presented to the end user (that's you when you're surfing).

Java must be compiled into what is known as a "machine language" before it can be run on the Web. Basically what happens is after the programmer writes the Java program and checks it for errors, he or she hands the text over to another computer program that changes the text code into a smaller language. That smaller language is formatted so that it is seen by the computer as a set program with definite beginning and ending points. Nothing can be added to it and nothing can be subtracted without destroying the program.

JavaScript is text-based. You write it to an HTML document and it is run through a browser. You can alter it after it runs and run it again and again. Once the Java is compiled, it is set. Sure, you can go back to the original text and alter it, but then you need to compile again.

Daozen
3rd October 2016, 00:34
That's some interesting information Bob. I agree 100% that Browsers shouldn't be sending crash dumps to external servers without explicit permission. We need to do something about this trend.

I would hope that this is just an innocent design choice on the part of the Brave team. As you said, it's good to bring it to their attention and see how they respond.

Javascript is well known for its security flaws. Unfortunately we're stuck with it, as it's the language of the web. 93 percent of sites use it. vBulletin software uses it for the Project Avalon Thanks and editor button, for example. I used F12/Inspect Element and went to sources. Under Scripts, it's all JS. So every time you log onto a site, it's Javascript. So there's nothing intrinsically alarming about Javascript, but it does open up security holes. They're well documented and there are fixes for most of them. The document is for NodeJS, a server side implementation of Javascript.

http://bishankochher.blogspot.com/2011/12/nodejs-security-good-bad-and-ugly.html


One particular code line stands out:
System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
- at that point file permissions were changed (again without the USER's choice to let them be changed)..


But a program altering user permissions as it sets itself up? That might be user friendly, but some security minded people might not like it.

Bob
3rd October 2016, 03:22
And if it weren't for security minded people, whistleblowers, people who want security, where would we be? Why did Snowden need to let the world know be-aware and not just blindly trust and follow social media "engineering" leading the 'sheeple'? The developer of JavaScript, none other than the person mentioned in the title of the thread for Brave should know darned well about doing proper coding without leaving loose "java executables" around. In my opinion, it seems not that we need a new browser we need better security and user ability to opt-in to ads for instance which may let's say get them benefits for viewing the ad.. like points to let some free game or other benefit - more view more points/coupons or whatever.. Don't want the benefits, OPT-OUT. Brave in their page appears to claim that is the strategy (https://brave.com/blogpost_2.html), OPT-IN or OPT-OUT and get paid for viewing (at least that is how I read it..) Can anyone explain how security is guaranteed within the code? How JavaScript IS NOT going to be used? Anywhere with the code?

What Brave has done it appears is opened up in the publishing world threats of injunctions. (see https://www.wired.com/2016/04/brave-software-publishers-respond/ - "Publishers Strike Back at a Browser That Replaces Their Ads")

I can only imagine what other issues happen when private information is sent without user/owner permission. Do we know looking at the "black list" within "brave" (sites that would have their ads substituted for instance) if that would or wouldn't constitute conspiracy or racketeering? Who gets to not be on the ad blacklist? Did they pay for such a position? Brave claims certain ads WILL be allowed to make it through to the end user. Hmmmmm Favorites? Playing or could one assume at one point "paying" favorites? Make a donation and get your Ad pushed to users? What's different from that than google? or other browsers who let ads in? Are those questions that can be asked? What is a safe Ad and what is not?

Seems to me there are more issues than just "hole-y" JavaScript to worry about. 93% that is quite a statement, seems to me some of the reasons why ZERO DAY (unreported holes) are able to still be discovered. They aren't just easily patched and fixed all the time (there are threads about some of the Android, OPEN SOURCE) holes, like going open source doesn't just guarantee that things are safe, and secure, just maybe that the holes are more complex in some cases and maybe one cannot necessarily see what's under one's nose (take StageFright hole discussed in another thread)..

Taking security seriously I think is more important than complaining about ads and using that as the feature to "sell" one's new browser. Just me saying what I think is important. Asking some questions that anyone would ask when needing to understand what we trust private data, like passwords, like access to Admin for servers, webpages, sites... security should be on everyone's mind. Snowden made it clear and paid a high price bringing to the world issues which were continually poopoo'd or glossed over or "socially engineered", out of mind, out of sight..

team: https://brave.com/about.html

Hi to Brian Clifton !

reference: https://brave.com/about_ad_replacement.html What Ad Replacement means.


What is Brave Ad Replacement?
Brave’s goal is to speed up the web, stop bad ads and pay publishers. One of the ways we plan to accomplish this is with ad replacements. We will also invite users to fund their wallets and to use those funds to pay the publishers of their favorite websites.

Judgement call? from the Ad Replacement page:


Step Two: Brave Replaces Ads
We recognize that ads pay for most of our web content. Ads are not going away. So we replace the bad ads with Brave Ads, which we use to pay publishers and users. Brave Ads use anonymous protocols — not tracking pixels — to confirm impressions (details about anonymity coming soon). And unlike the ads we remove, Brave ad replacements have a negligible effect on loading performance.

The browser is going to determine? Or the programming team? B.E. or just how? Speed, tracking what issues are the criteria for ads making it through or for tracking data to make it through?

Answering my own question rhetorically we are offered this explanation HOW it works - Users are given a chance to say NO ADs (block), or Substitute Ads (generates some coin for viewing) - best to read it HERE - https://brave.com/blogpost_2.html how they describe how it works. Ad Blocking or Ad substitution and "Rewards".

Bob
3rd October 2016, 16:45
I want to let the Forum know that we have as a new Member, Brian Clifton (member nick BraveClifton), a leading developer at Brave.

He has been following the thread and is eager to help us all understand better all about Brave, the Browser, and share with the community.

Another member has applied, Jonathan Sampson, also from Brave Software.

Brian has some fantastic experience - at Brave, he is titled: Senior Software Engineer, Desktop/Electron

I didn't see a listing for Jonathan Sampson on the Brave page (Jonathan, would you introduce yourself to the forum?): https://brave.com/about.html possibly he could introduce himself to the community.

Brian - Engineer @brave. Previously @GoDaddy & @intel. I love Mexican food and writing code in C++ and JavaScript. - (github: https://github.com/bsclifton)

https://avatars0.githubusercontent.com/u/4733304?v=3&s=466

(I love Mexican food too, the hotter the better ! We both have a passion for writing in C :) )

From his blog: https://blog.clifton.io/leaving-godaddy/


I started getting involved in early April 2016 after trying the browser out.

While I love the project and its vision, it felt very rough around the edges at the time and I wanted to help do my part.

I started off by contributing small fixes: adding favicons to the bookmarks toolbar, fixing rendering issues on Windows, fixing bugs, and reworking the context menus. I moved onto larger scope issues like making sure the window state is saved (window position / full screen status / maximized status), adding a really nice live tile for Brave on Windows 10, and fixing the way the session is stored to disk.

I did this all in my free time at night or on weekends when I was at GoDaddy as my professional growth goal. Along the way, I got a chance to meet the team and learned more about modern JavaScript and React. My favorite technology to learn about was/is Electron, an open source project maintained by GitHub. Electron is basically a web browser that is hardcoded to only load your application. You do your UI in HTML / CSS / JavaScript and unlike typical web development, you don’t have to worry about “How does this look in {{BrowserName}}?”. When you package your app, Electron includes (and wraps with a JavaScript API) components from the Chromium browser. There are several cool projects using electron, like Slack, Visual Studio Code, and of course, Atom.

Every aspect of Brave is personally appealing to me. True to its name, this small company is taking parts of Chromium (specifically libchromiumcontent), a project that advertising giant Google has put a lot of blood, sweat, and tears into, and using it to make a new browser which stands up against their core business.

Jonathan Sampson - Brave Software

https://avatars0.githubusercontent.com/u/815158?v=3&s=400


Building the web since the 90's.

Stack Overflow Moderator from 2010-2013.
Passionately tending to HTML, CSS, and JavaScript's needs.

GitHub: https://github.com/jonathansampson

Twitter posting - https://twitter.com/sampsonmsft/status/761994139546169344

I'm about to teach you how to use the Performance tools in Microsoft Edge. Tune in for a quick crash course!

Jonathan says on his Facebook page: https://www.facebook.com/jonathanjdsampson/?hc_ref=PAGES_TIMELINE


Starting this month, I'm joining the great people at @brave to face these challenges head-on. To make the web work for publishers and users.

Let us give a warm welcome to the two Brave Software employees, and some of the leading experts in Web Development !

(Brian and Jonathan, would you say hi to the Forum ?)

Paul
3rd October 2016, 18:26
Welcome BraveClifton and Jonathan Sampson.

I'd be quite interested in hearing more about Brave, including even geeky details, discussing the issues raised above by some of our other members. I'm a firm believer in open source (been doing it for decades) and open discussions.

Paul
3rd October 2016, 19:55
Can anyone explain how security is guaranteed within the code? How JavaScript IS NOT going to be used? Anywhere with the code?
The Javascript train has left the station, Bob. Javascript isn't perfect, as Brendan Eich could explain to you in more detail than anyone. But it will be with us for a long time. You might have to go back to one of the venerable text browsers, such as links, lynx, elinks, netrik, w3m, or links2, if you want to avoid Javascript. Not many will be doing that.

As for security ... there are no guarantees. Even the first C program I learned to write, "main(){write(1, "Hello\n", 6);}", back in the days when we got new versions of Unix on 9 track tapes, directly from Ken Thompson, had security holes, as Ken explained here (http://c2.com/cgi/wiki?TheKenThompsonHack).

What matters is open code and open discussion and adopting, consistently and over time, as best as practical, an open architecture that allows others to understand what's going on.

Nor is privacy from all servers on the Web very practical for many uses. Some form of micropayment or information harvesting is what pays the bills for many important web content providers. Rather I seek a "division of powers", so that we users can control who knows what, can keep any one party from "knowing too much", and keep any one party from becoming "too indispensable" (hello, Microsoft; hello Google; ... <grin>).

For example, I would welcome the opportunity for members and guests of Project Avalon, if they so choose, to send us along a few shekels. Such an additional income stream, however modest, would be most helpful to Bill's shoestring budget.

Bob
3rd October 2016, 20:43
You understand then my concern about security. Being stuck with something may be the case, but if something better can come along I am ALL FOR IT. I just REALLY want to know it is better, and that there aren't ooops or gotcha's within it. Open source certainly looks logical, but so was ANDROID and take a look at that StageFright bug - all in open source, and totally missed..

Open source is no guarantee. It is a start, but it has to be PEER REVIEWED.

OPEN SOURCE STAGEFRIGHT - summary - http://www.whitesourcesoftware.com/whitesource-blog/open-source-in-the-light-of-androids-stagefright-vulnerability/

Paul
3rd October 2016, 20:59
Open source is no guarantee.
There are no guarantees :).

Bob
3rd October 2016, 21:23
Open source is no guarantee.
There are no guarantees :).

I like this analogy Paul, one jumps out of plane, with a main parachute and a backup. One TRUSTS technology, one's skill (and sanity :) ) by taking an action which definitely can affect one's future, safety, life.. One does what one can to "GUARANTEE" that they will come out without any damage. If one is smart, but who says jumping out of a plane is smart ;p the analogy though to some people is that a BROWSER is their connect to their banks, their business, work, play, in short even security for their home may be accessed by their smartphone, or laptop, or smartpad..

They need reasonable assurances that the technology that they trust with their lives, family and future is as guaranteed safe as possible. Maybe the internet to some is a hobby that they couldn't care less if they get Ads advertising something, they do care if they got compromised like having a mp4 file in their machine that their open source operating system's security holes gave the hacker access to their privates. If there were no privates we'd be in some utopia, but that isn't here.

Security is needed, with enough EYES reviewing the security, the features, and so OPEN SOURCE provides that opportunity to gain exposure and gain more checking - BUT that which is in BETA with bugs should be noted clearly and up front. Users need to know they are "testers" and not expecting a checked working product where security is addressed and that they know they can feel safe.

It's common sense in my mind. We need the security and moving in ways that maximize that in the era of what Snowden pointed out seems to me to be tantamount. When I found what really concerned me I didn't just sit there, I presented my findings. But I was not expecting to be betatesting.

No Guarantees? Well, I get what you are saying, but one expects when jumping out of an airplane to make it to the ground safely. I view what access the internet, exposes one to the 'world' out there has to be the best it can be. I want folks to be safe, feel safe, know that they are safe. How to guarantee that? I wait to hear how that can happen.

Paul
3rd October 2016, 21:28
I wait to hear how that can happen.
That's a key reason that I'm glad a couple of developers in Brave have joined Avalon.

I look forward to continuing this discussion of Brave a bit better informed, thanks to their contributions.

Bob
3rd October 2016, 21:30
I wait to hear how that can happen.
That's a key reason that I'm glad a couple of developers in Brave have joined Avalon.

I look forward to continuing this discussion of Brave a bit better informed, thanks to their contributions.

Absolutely my friend - this is the best thing we could have happen, short of maybe Brendan Eich joining !! (hint hint hint)..

BraveClifton
3rd October 2016, 21:36
Hi there folks! and thanks Bob for the great intro :)

I signed up after seeing this thread and wanted to make myself available to understand some of the concerns and also to answer any questions regarding Brave (ask me anything!)

I'm a relatively new employee (two months in, my first day was August 1st) but I was a contributor in my free time before joining, starting back in April. I love the web, programming, and open source projects.

Brave caught my attention for a lot of reasons... but mainly for two:

The focus that Brave puts on the end user, the person being Brave. They're the ones standing up to advertisers that not only clutter websites with obtrusive ads, but serve up ads containing malware
Brave seeks to bring something new to the table. They offer a compromise which is amazing for both end users and content providers... versus the traditional model which is great for the advertiser and "ok" for the content provider.


GitHub

As Daozen had mentioned earlier, the source code is available on GitHub. For those not familiar with GitHub, it's a platform for sharing program source code which also gives the community a way to interact with the project and its developers.

Your interaction might be:

downloading the installer
sharing a bug or problem
talking with other users about the project
asking for a new feature
getting the source code, so you can review it
contributing code and/or bug fixes


Our project's GitHub page is available here:
https://github.com/brave/browser-laptop

(there are also iOS and Android versions, which live elsewhere)

Quick overview of the GitHub page:

The code tab is the default one, which lets you browse the source code
The issues tab is where you can report bugs or problems (or search for already existing problems, if you want to add your details in)
The wiki tab contains documentation, known issues, and work-arounds



Brave leverages several other existing open source projects
two important ones being:

Electron - https://github.com/electron/electron - an application framework that leverages some of the Chrome libraries to allow you to create your UI in HTML with CSS and JavaScript. This is mostly written in C++ with some JavaScript
Squirrel (on Windows) - https://github.com/Squirrel/Squirrel.Windows - used for installing and updating. This is written in a mix of C++ and C# (.NET)

Some of the issues mentioned here can be traced to either the project itself or how we integrated with the project. Jonathan captured some great details in a document which you can see here:
https://gist.github.com/jonathansampson/f989f8eb908ac29262f7f2c417475818

Some of the ones I wanted to talk to:

I know for sure that the Squirrel installer has a bug where the uninstall doesn't occur properly and the folder which contained the binaries has DENY permissions set (so you can't move it to the trash). Unfortunately, Bob hit this bug and had to retake ownership of the files so that he can delete them. It should NOT be creating an account (if you have details about that, please let me know- details can be shared privately in a PM :) ).

The Squirrel installer doesn't clean up all the files when you are successfully able to uninstall. Jonathan captured more details in the above doc (including how to clean them up)

Electron has a built in crash reporter that we make use of. Jonathan's link above describes this in more detail and also has a link to the code itself. No personally identifying information should be sent- I'd like to learn more about this. I captured an issue on GitHub asking for a way to opt-out of crash reporting. You can track that (and leave comments) here: https://github.com/brave/browser-laptop/issues/4479


Sorry for the large first post and if you got this far, thanks for reading :)

Brian
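
An added example, not part of Brian's post and not Brave's code: one way an Electron application can make crash-report upload opt-in, which is what the opt-out request in issue #4479 above is about. It uses the option names of current Electron's `crashReporter` (`uploadToServer`, `setUploadToServer`); the submit URL, product name, preference key and metadata allowlist are hypothetical.

```javascript
// Added example: consent-gated crash reporting for an Electron app.
// SUBMIT_URL, PRODUCT_NAME, the prefs key and the allowlist are hypothetical.
const SUBMIT_URL = 'https://crash.example.invalid/submit'; // placeholder endpoint
const PRODUCT_NAME = 'ExampleBrowser';                     // placeholder name

// Only these metadata keys may accompany a report. Everything else
// (machine name, user name, folder names, process lists) is dropped.
const EXTRA_ALLOWLIST = ['appVersion', 'channel', 'platform'];

// Keep allow-listed string values only, and reject anything that looks
// like a file path, since a path can reveal a user or folder name.
function scrubExtra(extra) {
  const clean = {};
  for (const key of EXTRA_ALLOWLIST) {
    if (!extra || !Object.prototype.hasOwnProperty.call(extra, key)) continue;
    const value = extra[key];
    if (typeof value !== 'string') continue;
    if (/[\\/]/.test(value)) continue;
    clean[key] = value.slice(0, 64);
  }
  return clean;
}

// Consent is opt-in: only an explicit boolean true enables upload.
// A missing preference, the string "true" or the number 1 all mean "no".
function hasConsent(prefs) {
  return Boolean(prefs) && prefs.sendCrashReports === true;
}

// Build the options object passed to Electron's crashReporter.start().
function buildCrashReporterOptions(prefs, extra) {
  return {
    submitURL: SUBMIT_URL,
    productName: PRODUCT_NAME,
    // Electron defaults uploadToServer to true, so it is always set explicitly.
    uploadToServer: hasConsent(prefs),
    extra: scrubExtra(extra)
  };
}

// Start the reporter. `crashReporter` is Electron's module, passed in by the
// caller in the main process:  const { crashReporter } = require('electron')
function startCrashReporter(crashReporter, prefs, extra) {
  const options = buildCrashReporterOptions(prefs, extra);
  crashReporter.start(options);
  return options;
}

// Apply a change made in the settings UI without restarting the app.
function updateConsent(crashReporter, prefs) {
  const allowed = hasConsent(prefs);
  crashReporter.setUploadToServer(allowed);
  return allowed;
}
```

With `uploadToServer` set to false Electron still writes the dump to the local crashes directory, so nothing leaves the machine until the user opts in. The allowlist covers only the `extra` metadata; the minidump itself is untouched, which is why the upload switch is the control that matters.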

Paul
3rd October 2016, 21:54
I know for sure that the Squirrel installer has a bug where the uninstall doesn't occur properly and the folder which contained the binaries has DENY permissions set (so you can't move it to the trash).
That would explain why I saw none of the problems that Bob reported, when I installed Brave on Linux.

The Linux installation appeared normal and reasonable, in every way, and I have more tools and experience than most, to notice any problems or anomalies in such things.

Thanks for the update ... we welcome your input.

Paul
3rd October 2016, 22:05
A couple of questions that I have regarding Brave, that perhaps you, BraveClifton, or Jonathan Sampson, can comment on.

A critical feature for me, in my main browser, is Lastpass or Keepass (KeepassX on Linux). I recall seeing an open bug on Brave, that it wasn't supporting the auto-typing of passwords by KeePass, and I noticed (but have not reported yet) a problem with Lastpass entering passwords as well. With Lastpass, I'd see it apparently type in the actual password, and then, as quick as the eye could see, overwrite that field with a single '*' character (I can assure you that none of my passwords is just one character long.) I had to copy and paste the correct password into the password field myself, to login successfully.

Are these known or unsurprising or already fixed problems with Brave?

===

On a semi-related issue, is there a general purpose API for browser extensions (Add-Ons) planned for Brave, that will become visible, in the not too distant future? I have some 20 extensions in my main browser, Firefox, and would miss most of them, if some such were not possible.

Bob
3rd October 2016, 22:35
I know for sure that the Squirrel installer has a bug where the uninstall doesn't occur properly and the folder which contained the binaries has DENY permissions set (so you can't move it to the trash).
That would explain why I saw none of the problems that Bob reported, when I installed Brave on Linux.

The Linux installation appeared normal and reasonable, in every way, and I have more tools and experience than most, to notice any problems or anomalies in such things.

Thanks for the update ... we welcome your input.

I didn't try it on Linux, just two versions of Windows (7 and 10). The assumption then is the Squirrel Installer had the issues.. My guess is existing MS reporting libraries were used and called, and those MS libraries were quite happy to use a generic procedure to create a report which would have gone to MS (originally as they were written for MS) what all was running (but in this case was redirected to the Brave server (but blocked from going out). What all was running on my system were private. But MS has a habit of taking everything similar to a screen shot of one's desktop (but in this case taking file names, folders) and sending all that (like a stack trace maybe). I have had that problem happen with another developer who used parts of the MS libraries, and they also showed me a dump they received (before I had turned on the blocker) the contents which included machine name, folders, programs running.

I'll have to install and then uninstall Brian and I am hesitant on this particular machine to go through that exercise again. I can setup an experimental Win 7 machine to go through such step by step. I deleted a lot but only left up the xxxx.tmp.node and .pf files for my review/analysis. The .pf files also contain privates. I'll get you a snippet (Brian) of those in a PM where the exe pf's contain what looked very potentially compromising.

BraveClifton
3rd October 2016, 22:42
A couple of questions that I have regarding Brave, that perhaps you, BraveClifton, or Jonathan Sampson, can comment on.

...

Are these known or unsurprising or already fixed problems with Brave?

===

On a semi-related issue, is there a general purpose API for browser extensions (Add-Ons) planned for Brave, that will become visible, in the not too distant future? I have some 20 extensions in my main browser, Firefox, and would miss most of them, if some such were not possible.

LastPass integration *should* be working correctly right now- I know that we have a few issues reported at the moment, which can be found here:
https://github.com/brave/browser-laptop/issues?utf8=%E2%9C%93&q=is%3Aopen%20label%3Afeature%2Fpassword-manager%20lastpass

...however, I didn't see the issue you described (if you're still encountering this with the latest release, I'd be more than happy to open an issue on your behalf :) )

I occasionally use KeePass but I believe the auto-typing isn't supported. Here's a link to the specific issue we have if you wanted to track it, give it a +1, or leave a comment (I'd love to see someone add this)

Regarding extensions, we just shipped our first major release which has extension support. It's not ready for public extensions yet (we're still in a process of making sure all the required APIs are available, Jonathan has more info on that), but the 1Password and Dashlane password managers are now being loaded as an external extension (and should be update-able). Lots more coming soon for sure :)

BraveClifton
3rd October 2016, 22:48
I know for sure that the Squirrel installer has a bug where the uninstall doesn't occur properly and the folder which contained the binaries has DENY permissions set (so you can't move it to the trash).
That would explain why I saw none of the problems that Bob reported, when I installed Brave on Linux.

The Linux installation appeared normal and reasonable, in every way, and I have more tools and experience than most, to notice any problems or anomalies in such things.

Thanks for the update ... we welcome your input.

I didn't try it on Linux, just two versions of Windows (7 and 10). The assumption then is the Squirrel Installer had the issues.. My guess is existing MS reporting libraries were used and called, and those MS libraries were quite happy to use a generic procedure to create a report which would have gone to MS (originally as they were written for MS) what all was running (but in this case was redirected to the Brave server (but blocked from going out). What all was running on my system were private. But MS has a habit of taking everything similar to a screen shot of one's desktop (but in this case taking file names, folders) and sending all that (like a stack trace maybe). I have had that problem happen with another developer who used parts of the MS libraries, and they also showed me a dump they received (before I had turned on the blocker) the contents which included machine name, folders, programs running.

I'll have to install and then uninstall Brian and I am hesitant on this particular machine to go through that exercise again. I can setup an experimental Win 7 machine to go through such step by step. I deleted a lot but only left up the xxxx.tmp.node and .pf files for my review/analysis. The .pf files also contain privates. I'll get you a snippet (Brian) of those in a PM where the exe pf's contain what looked very potentially compromising.
Thanks, that would be great :)

I believe the Windows error reporting (more details in Jonathan's doc: https://gist.github.com/jonathansampson/f989f8eb908ac29262f7f2c417475818) can be disabled entirely. You should be able to find it in control panel under "Security and Maintenance". This is a good concern and maybe we should document it. I am curious if Microsoft allows for apps to opt-out of the crash reporting mechanism? By default, any app that crashes will trigger this process (if enabled, which it is by default)

Paul
3rd October 2016, 22:57
I occasionally use KeePass but I believe the auto-typing isn't supported. Here's a link to the specific issue we have if you wanted to track it, give it a +1, or leave a comment (I'd love to see someone add this)
This issue: https://github.com/brave/browser-laptop/issues/1313 ?

Bob
3rd October 2016, 23:21
What is curious Brian, is no crash window appeared, nada.. it was invisible that there was a crash there, I was using Brave Browser testing it out and saw my machine tell me an unauthorized send was being attempted. Closing the browser I then looked for what was being sent, saw it and my jaw dropped, then got into the logs what all it was doing.. The logs revealed a lot stepwise what failed and what didn't.. but the point is no error was shown to the user, no crash noted.. I would not have known about the failure or the send if the machine wasn't monitoring for illegal unauthorized activity.

Windows ERROR reporting WOULD have shown that an error happened - it did not.. What that said to me was spyware behavior was noted. No crash popup appeared, and after the fact found out a file with privates was tried to be sent to a server not authorized by me as 'safe'..

--update-- thought I would put a note here for the lay person, non-technical. A referral to "illegal activity" as a generic term used in programming to denote when the program performs something which is/has not been authorized (either by the system, a security program, the operator or a combination of both), an operation was performed in an illegal way (not a legitimate way as expected by the operating system), a call to memory which does not exist (illegal call) and so forth.. Such activity could result in loss of data, routines (sub-programs) being left in unknown states, general failure of the computer especially if it was writing to the hard drive (dreaded file corruption).. Getting an illegal operation warning is not something to take lightly.. So that is the reference to 'illegal activity' was being attempted.. (Different than violating constitution, law of the land, etc.)

reference: https://support.microsoft.com/en-us/kb/320227 - "Illegal Action" - "This program has performed an illegal operation ..."

http://www.computerhope.com/issues/ch000138.htm - how to fix illegal action/operation


When the operating system or computer processor receives an instruction from a program that it does not recognize and cannot process, it may issue a command known as an Illegal Operation.

Being aware of Viruses, my first thought was this and I made it quite clear I was very worried about wondering what was going on:


Computer virus

Because computer viruses and other malware load into memory and can improperly modify files they can cause Illegal Operation error messages.

Make sure an anti-virus protection utility is installed on the computer and that it is up-to-date.

First thing I did after reading the logs was to run AV, then malware checking, but I did not do a windows comparison for any changes, such as modified dates against the originals. (That is still on my list todo.)

Dianamar
3rd October 2016, 23:54
I noticed something odd too: I usually use the Adblocker browser on my Android Smartphone and I wanted to give Brave a try and installed it. The next day I uninstalled it and when I used my Adblocker browser again, it reported at the cleanup option about some potential harmful elements which I had it clean up.
I am not fully sure, if that was caused by Brave.
Has anyone experienced the same issue?

I tried it on Win 10 which was the worst and most difficult to cleanup, uninstall (one can review another user reporting on win10 uninstall of 'brave browser' HERE (https://github.com/brave/browser-laptop/issues/954), and on a Windows 7 OS. Of course the leading name browsers have adware reporting and cookie checking for referrals. Chrome has a very good blocker called Ghostery if you want to add that. (Interesting watching for instance PA popup GoogleTranslate (when using chrome) and DoubleClick on some pages too) :rofl:

I personally wouldn't try it on the smartphones, what I have seen with smartphones is there is just not enough ability to get into the hidden folders within the Smartphones (maybe developers can do that, but a normal user can't). At least Brave's uploader wanted secure 443 to its report gathering website when it was trying to send private information about my computer, its running programs to their repository (based on the IP and links found within the log files and script files). I suppose so nobody else would get them. Probably just for "statistical" purposes to debug why their program wouldn't run. Didn't NSA say something like that, we are just gathering statistical data, not actually looking/listening.. just really annoyed I wasn't asked if I wanted private data sent to some site without my permission.

Some one doing a blow by blow analysis (Peer Review, it is OPEN SOURCE RIGHT?), including how billing is accomplished, how one's passwords, wallet, programs one is running, bank account numbers/ID's, in general, maybe looking into the security section code (not just saying it's secure on port 443) for transferring funds to Brave.. how all that is guaranteed that your machine will never be snooped on by them or their associates, would be a great exercise. I don't have the month to get into that much code to do a security check..

References: - how NSA data is worked with - "how your data becomes 'our' data" https://nsa.gov1.info/surveillance/ - if you haven't seen this webpage, it may be a great read.. when one sees what may be holes in a "browser's" way of doing things, just maybe one may need to take a closer look.. I did when this didn't uninstall properly.. Glad I did.


Hi Bob, you know there's more than one way to skin a cat :idea:


https://brave.com/assets/jobs/Brave_SeniorSoftwareEngineer_Android.pdf


:muscle:

Paul
3rd October 2016, 23:57
Browser funding is revolutionary, and could develop into a multi-billion dollar industry within 2-15 years. It solves some major problems associated with fairly monetizing content. Brave would need to accept Paypal directly for it to really work. Right now going through Coinbase will cut out some casual, impatient users, like me. But maybe Brave want to move the net economy away from Paypal onto Bitcoin. I can see that.
Aha - Coinbase announced in June of 2016 that you can purchase bitcoins using PayPal or Credit Card: https://blog.coinbase.com/2016/06/22/coinbase-adds-support-for-paypal-and-credit-cards/

I've not tried it ... but perhaps all the critical pieces are in place to handle this.

Hughe
4th October 2016, 01:08
@Bob

If you are seriously concerned about security, hardened Linux without systemd or FreeBSD are the best alternatives.

FOSS gives full responsibility to end user. It's defined in the license term to ensure developers' reliability.
Inception of systemd in Linux is a fine example how corporations try to take over FOSS. Most Linux users are hardly aware about it or simply don't give a ****.
Ubuntu was the first distribution that accepted systemd as service management instead of Init. Nowadays all big Linux distributions force systemd-ed Linux to end users including Debian. Core developers of systemd are under the paycheck of major corporations. I run Devuan Linux in workstation, laptop, and raspberry pi 2.

Security implementation at personal level I can think of:
- Run FOSS operating system
- Encrypt every e-mail transaction
- Open Source web browser that doesn't have back door routine
- Fake MAC address that hides real network interface
- Dynamic IP address that hides the true location of the user through Tor
- Use paid Virtual Private Network server (Can we trust the VPN server company?)
- Run an Open Source router

My web browser history:
Firefox (many years) -> Chrome (two years?) -> Firefox (few weeks) -> Pale Moon (months)

Bob
4th October 2016, 01:27
Hughe thanks - I do run Linux, Ubuntu, various Apple OS's, just that for certain programs that I have and find myself using more so than browsing, they were never ported to any of those alternatives, thereby keeping me tied to windows. Doing a reboot to switch over to other OS's tends to be prohibitive time wise having to switch back and forth continually. Appreciate the thought :)

(running under emulation has been tried and in many cases the drivers are just not there and I just don't want to try to learn that level of coding. The programs that I use have specially designed machine code modules (non-standard) which were setup to use windows hooks, and windows I am more familiar with than I am the other OS's as far as using calls to their libraries for instance. Maybe someday :)

Paul
4th October 2016, 02:48
If you are seriously concerned about security, hardened Linux without systemd or FreeBSD are the best alternatives.
I'll second that suggestion :).

Systemd is an abomination ... might as well bring Windows to Linux.

(Speaking of which ... Windows itself is probably a greater problem than any of the aforementioned browsers ever thought of being <grin>.)

Daozen
5th October 2016, 11:13
Browser funding is revolutionary, and could develop into a multi-billion dollar industry within 2-15 years. It solves some major problems associated with fairly monetizing content. Brave would need to accept Paypal directly for it to really work. Right now going through Coinbase will cut out some casual, impatient users, like me. But maybe Brave want to move the net economy away from Paypal onto Bitcoin. I can see that.
Aha - Coinbase announced in June of 2016 that you can purchase bitcoins using PayPal or Credit Card: https://blog.coinbase.com/2016/06/22/coinbase-adds-support-for-paypal-and-credit-cards/

I've not tried it ... but perhaps all the critical pieces are in place to handle this.

Yes, the pieces are there, but Paypal to Bitcoin is non-trivial from a legal and technical standpoint. Paypal don't officially let users buy BTC directly (last I checked) because users can just claim they were scammed and get a refund. Merchants worked around this with intermediate currencies, but some of them took a huge cut as you went from Paypal, to Linden Dollars, and then to BTC. I tried it with 15USD, I lost 30 percent. That was no good. So add mistrust of BTC to clunky User Interfaces, and you have a mess.

Circle and Coinbase are making it easier and easier to go from Paypal and Credit Cards to BTC. Whoever wins in this market will help funnel the 60 billion dollar per year Paypal economy into Bitcoin, so the race is on. It's all about guiding the user through the process and saving them mouseclicks. Most merchants have sub-optimal UIs, and don't implement feedback.

Daozen
5th October 2016, 11:28
Hi there folks! and thanks Bob for the great intro :)

I signed up after seeing this thread and wanted to make myself available to understand some of the concerns and also to answer any questions regarding Brave (ask me anything!)



Hi, Welcome Clifton, thanks for signing up. Glad the bug that Bob found will be ironed out. I know what it's like to rely on 3rd party software and dependencies. No one can be aware of every server call. Maybe the Brave installer should ask users about crash dump permissions, both in Linux and Windows.


(ask me anything!)

First question: Are you ready for a long browser war?

*

I like giving UX feedback, so I wrote these notes:

*

I think Brave could eventually pull market share away from Chrome + Firefox, as privacy is a public issue, but it will be a long, slow conflict that plays out over 5-30 years.

I guess you're relying on word-of-mouth. I'd nearly recommend Brave to friends and family. Right now there are a few things that make me unsure.





RANDOM UX NOTES:


LIKE

- I like the way page load times are displayed.
- Shields Down/Up. Cool.
- Nice choice of colors for blocking statistics. Clear and good-looking.
- Optional upgrades, asking the user before downloading new versions of Brave. Chrome upgrades automatically, which annoys some privacy buffs.
- The Brave update experience was smooth and painless.






NOT SURE, DON'T LIKE, SUGGESTIONS

- No explanation for "HTTPS upgrades". This needs a question mark, with an explanation of HTTPS that appears on click. Fingerprinting protection is explained in the menu, nothing else has an explanatory question mark.

- Not everyone knows what 3rd party cookies are. I doubt my parents or gf do. Need a hover/tooltip explaining what this means to the user.

- Suggestion: To see an excellent UI, you could check out Handbrake.

https://handbrake.fr/downloads.php

Handbrake guides people through a complex video compression process using tooltips. It's the best UI I've seen on a program. Too much info annoys technical users, not enough info annoys casual users. Tooltips and question marks strike a balance between the groups. Right now I wouldn't recommend Brave, because the sub-menu experience is potentially confusing. The layout is the best I've seen, but the structure and writing on the menus are no more than OK.

- Brave Payments, the truly revolutionary aspect of the browser, is hidden in a sub-menu. I need 2 fiddly mouseclicks to get there. Is hiding payments a design choice because you're in beta? You could have a clickable Bitcoin logo right next to the lion.





COLOURS

- No choice of colors on the Bravery panel, either for the settings panel or the browser itself. Slack won their marketplace because they had a selection of lush color palettes. Startups live or die on their choice of color hexcodes.

- Suggestion: If you wanted to continue the sci-fi theme you started with "Shields Up", you could have optional browser skins that felt like users are in the cockpit of an X-Wing. Dark metallic grey with few subtle, understated space icons. I know you can't use an X-Wing, for copyright reasons, but making the user feel that they're in a spacecraft would be a massive UX win, especially for the first adopter/sci-fi nerd market. Bored workers who are using a browser to Google all day would feel energized.

- Microsoft used a Paperclip helper to make the Word UX more friendly. You could use a lion face, or even a tiger as a pop-up helper for first time users.

- (Half-baked suggestion: You could have an optional set of sci-fi sounds as people surfed. Sci-fi doors opening with a metallic swish for a website, for example. That would annoy most users, but the media and sci-fi crowd might like it.)

- You could also go the other direction, and have a very minimal, ultra-light option, for users who cared about speed. When I first used Maxthon, it was noticeably faster than other browsers.

- English is US only? No GB option alongside US English? I normally see the two next to each other. You've just alienated Scotland, England, Wales, and Ireland. :Party: Please stick a UK flag there for a British English option, and just route it through to US English. No one will notice or care.





BOOKMARK EXPERIENCE

- All popular browsers that I've used have a bad bookmarking UX. The field is wide open for innovation. With Maxthon, (which sucks, but it's fast) I have a clickable star to reach all my bookmarks. A function hotkey or Ctrl-S to bookmark sites might help. Anything to save users mouse-clicks.

- You have a clickable star to put something into bookmarks, but how to retrieve them? The UX/UI is unintuitive. Where do I retrieve the bookmarks? The Lion's face, the hamburger and the star don't take me there. Maxthon takes me to Bookmarks with one click. Brave bookmark UX is more confusing than other browsers right now.

- Oh wait, I just saw it's Ctrl-D to save a bookmark. What about a helper that pops up to explain it's Ctrl-D, when users first download Brave?

- Double Ctrl-D should bookmark a site. Right now Ctrl-D brings up the menu, but I still need to mouse-click to save the site. Unintuitive and slightly annoying.

- Typing PR in the URL window brings up Project Avalon, good. Next to each bookmark, there should be some colors that represent the bookmarked site, or an icon to help users find which site they want quickly. Text plus grey is too bland when users have hundreds of bookmarks to scroll through. Again, Maxthon got it right, but their search function is so buggy that I don't like it any more.




PRESS

I saw on Reddit that people were happy about Brave's Bitcoin Micropayments and ad-blocking, but weren't sure about replacing an ad with one from Brave. Some were calling it a protection racket. They might be right or wrong, but the marketplace has strong opinions. Replacing ads, unless very artfully done, may cause bad vibes in the first adopter market, and lose you word-of-mouth. It eclipses all the good you've done with privacy and Micro-payments.

China. Do you have a Chinese translation? Firefox OS lost because it came too late. Wait, I just saw it, but it's hidden in 'General'. Installers should ask what language the users want. Defaulting to Chinese language because you see a user is coming from China is very annoying for multi-lingual households + workplaces. It took me 10 minutes of trawling through docs to reset VSCode to English, for example.

*

tl;dr: Innovative skins, softer/clearer ad-policy and a better right click experience might push Brave past Chrome long term, but it'll be an incremental slog.

I had a few other points, but I have to do things. Thanks for making Javascript, Brendan, Codepen is one of my favourite sites.

Bob
5th October 2016, 20:36
Besides finding an unauthorized user account installed in thousands of places in the computer that the Brave Browser was installed (with locked permissions), that evening unknown to me and not picked up by the firewall, Windows PowerShell was activated 10/1/2016 11:43:52 PM by some remote login. Apparently using ID: 1a3b37a6-cd0f-4f57-817e-69c0ff68b51c. After which, the remote user activated WSMan, which is the powershell console access to my machine.


The Connect-WSMan cmdlet connects to the WinRM service on a remote computer, and it establishes a persistent connection to the remote computer. You can use this cmdlet in the context of the WSMan provider to connect to the WinRM service on a remote computer.

This has never happened before, and I DON'T USE and don't turn on powershell.

(see http://forums.whirlpool.net.au/archive/1564473 - "it is a windows process that allows remote machine access")

As I said at the outset, my feeling was something very very wrong is happening with the "installer". And I made it quite clear something wrong is happening in my first post.

Looking in the Task Manager (great tool to tell an experienced user what all is going on), I find that WinRM was indeed in the list, but currently as I write this not running.. It has been permanently disabled now as a precaution.

Brian and I are looking into what unauthorized user account was created by the browser install (probably squirrel.exe) such apparently into the released build of Brave on the date that I downloaded from the link provided in the OP post 1. I wonder how many downloads and installs of that happened and if users are able to check their event logs to see if PowerShell had been activated on their computer after the install. My feeling is IF the window powershell was turned on, each machine was then compromised.

EventViewer from Admin tools, look in the list for Windows POWERSHELL.

reference - WSMan - WSMan object. Provides methods and properties used to create a session, represented by a Session object. Any Windows Remote Management operations require creation of a Session that connects to a remote computer, base management controller (BMC), or the local computer.

https://technet.microsoft.com/en-us/library/ff700227.aspx

The steps which the remote user performed appear to be
choosing Alias
going to Environment
going to the File System
doing Function
going to the Registry
going to a Variable
going to (security) Certificate
--NOTE- Engine state change
NewEngineState=Available
PreviousEngineState=None
by 10/1/2016 11:45 PM they were done and disconnected.

After having forcibly blocked the unknown-user account in many files and folders (thousands were changed), my total "automatic" internet use during the night/day has dropped by a factor of 10, normally my internet use is 30-40 megabytes.. With the unknown-user account it was as high as 10X that amount.

This had not been there until I had tried "Brave".. Still trying to get rid of all the changes made by the "squirrel".

==update==

I am doing a system registry search for that account that it logged in with. My install of Brave was like 5:26 PM, and files were still being created by the installer by 5:46, so that is extremely odd, as Daozen said 3 minutes is all it took for him. This is a fast 4 core 4 mirror CPU with like a 400 gigs to spare, fully defragmented, nothing in the 'way' of installing except for checks for unauthorized activity. 6 hours after the install the powershell was activated remotely by the looks of the log, and such completely got through my firewall. I had zonealarm up as the firewall with paranoid mode selected, ask for every connection.. The assumption is the installer masqueraded as "system" or admin account to bypass. I think that is innovative to bypass normal security.. (Seems to me only someone very good in knowing scripts may understand how to do that? unless it's some new zero-day that nobody out there is talking about).. As I have pointed out, your browser is your access to the "real world out there" and if there is something wrong, it's jumping out of a plane with somebody else packing your parachute....

The certificate on the downloaded Brave Setup file is

0f 78 bb a9 9e 61 b1 a4 b1 fe 0b e6 77 d6 93 e7

In the Security permissions even for the installer file, "account-unknown-xxx.1002" (where the xxx is machine dependent I think) was created - this account locks itself preventing removal, preventing file and folder changes. It elevates itself above normal user/owner levels.

There was NO BUILD number showing up in the setup "details" for the download, but Rechecking the components error logs, shows app-0.12.1, which could be the build number. Generally in numbering programs, when one sees 1.xx.xx one has gotten out of BETA and into a real gold standard release.. Had I been paying attention, I would have caught 0.12.1 if such was listed on the brave download page, I didn't notice at the time. Again, how social engineering works, I looked at the OP post, and read a few enthusiastic posts afterwards and said what the heck what could go wrong with so many users enjoying this ??

==update==

just checked to try to ensure that powershell is removed/prevented from turning on, and the windows feature choice for WindowsPowershell to turn off powershell has been removed from the list of features .. (I can hard turn it off by deleting the .dll for powershell so that it will never turn on by any remote connection.. So whomever, apparently is/was sufficiently skilled and knows what they are doing to ensure permanent access remotely is/was possible.. fascinating eh? Feeling warm and fuzzy yet?

scratching my head here.. if I recall, and this is a looooong shot, during debugging, it is possible in some cases to have some remote desktop feature enabled to facilitate debugging where some developer will correspond with the user, remotely and thereby sort out installation or operating problems.. however for such a feature to be turned on, again, an opt-in, opt-out should have been given, in advance. In this case, something connected at 10/1/2016 11:43:52 PM like 6 hours after the install and made some critical changes apparently.. looking for the IP that it communicated on currently..
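The event-log and service checks described in the post above, written out as a read-only triage script. This is an added example, not part of the original thread and not code from Brave or Squirrel; it assumes Windows PowerShell 3.0 or later, an elevated prompt, and a time window chosen to bracket the timestamp quoted in the post.

```powershell
# Added example: read-only triage, run from an elevated Windows PowerShell 3.0+ prompt.
# Assumption: the window brackets the time quoted in the post; adjust as needed.
$start = Get-Date '2016-10-01 23:40:00'
$end   = Get-Date '2016-10-01 23:50:00'

function Get-DetailValue([string]$Text, [string]$Key) {
    # Classic PowerShell events carry "Key=Value" lines in their details block.
    $pattern = '(?m)^\s*{0}=(.*)$' -f [regex]::Escape($Key)
    if ($Text -match $pattern) { return $Matches[1].Trim() }
    return $null
}

# 1. "Windows PowerShell" log: 400 = engine state change (None -> Available),
#    403 = engine stopped, 600 = a provider (Alias, Environment, FileSystem,
#    Function, Registry, Variable, Certificate, WSMan) was started.
#    HostName and HostApplication record what launched the engine:
#      ConsoleHost      + powershell.exe  -> a console started on this machine
#      ServerRemoteHost + wsmprovhost.exe -> an inbound remoting (WinRM) session
Get-WinEvent -FilterHashtable @{
    LogName   = 'Windows PowerShell'
    Id        = 400, 403, 600
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    ForEach-Object {
        $text = ($_.Properties | ForEach-Object { [string]$_.Value }) -join "`n"
        [pscustomobject]@{
            Time            = $_.TimeCreated
            Id              = $_.Id
            Subject         = [string]$_.Properties[0].Value   # new state or provider name
            HostName        = Get-DetailValue $text 'HostName'
            HostApplication = Get-DetailValue $text 'HostApplication'
            RunspaceId      = Get-DetailValue $text 'RunspaceId'
        }
    } | Format-Table -AutoSize -Wrap

# 2. WinRM service: current state and start mode (Auto / Manual / Disabled).
Get-CimInstance Win32_Service -Filter "Name='WinRM'" |
    Select-Object Name, State, StartMode, ProcessId | Format-List

# 3. WinRM operational log for the same window. An inbound session leaves
#    entries here; an empty result means the service handled nothing then.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-WinRM/Operational'
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, Message | Format-List

# 4. Security log: successful logons (4624) of type 3 (network) or
#    10 (remote interactive) in the window. A remote session needs one of these.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $start
    EndTime   = $end
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[8].Value -in 3, 10 } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $_.Properties[5].Value    # TargetUserName
            LogonType = $_.Properties[8].Value
            SourceIp  = $_.Properties[18].Value   # IpAddress
        }
    } | Format-Table -AutoSize
```

Event 600 is written once per provider each time a PowerShell engine starts, so the HostName and HostApplication columns are the fields that separate a local launch from a remote session.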

Olaf
6th October 2016, 07:16
I have the same build 0.12.1 with the same certificate running on a Win 7 machine. In computer management console I see no additional user accounts listed, also not in the security properties of the install file.

What bothered me from the start is that the install file is 93 MB big. Otter has 30 Mb. What the heck is the purpose of all that code?

Daozen
6th October 2016, 10:55
What bothered me from the start is that the install file is 93 MB big. Otter has 30 Mb. What the heck is the purpose of all that code?

It looks like the mechanism to log micro-payments to sites is innovative. Then there's a high tech ad-blocker which both blocks spamware, and pipes in new ads. Then Brave has to interface with Bitcoin somehow. 90+MB is huge, I agree. I'd like to know what's going on under the hood too. It looks like the caching is good.

The repository is online and open source, we could check ourselves.

https://github.com/brave/browser-laptop

I searched the repo for bitcoin. 34 results in multiple languages.

Paul
6th October 2016, 11:07
What bothered me from the start is that the install file is 93 MB big. Otter has 30 Mb. What the heck is the purpose of all that code?
Looking at the various Firefox tarballs that I have installed on my main Linux system over the years, I see that the size of the compressed installation file, as downloaded, ranges from about 9 Mb (Firefox 3, circa 2008) to 53 Mb (Firefox 49, recent).

The corresponding compressed installation file, as downloaded recently for Brave, is 69 Mb.

After this compressed Brave download file is unpacked and decompressed, the biggest elements in it are a 21 Mb libnode.so (a Javascript runtime, I presume), the dynamically linked brave executable (72 Mb), and the biggest file, a 124 Mb file called resources/app.asar. This app.asar file contains some 30,000 javascript and similar such files, packed in an archive format that I'm not familiar with. My Skype-for-Linux download, from Microsoft, contains a quite similar looking libnode.so as well, just to indicate the sort of technology being used here.

Bob
6th October 2016, 17:21
I have the same build 0.12.1 with the same certificate running on a Win 7 machine. In computer management console I see no additional user accounts listed, also not in the security properties of the install file.

What bothered me from the start is that the install file is 93 MB big. Otter has 30 Mb. What the heck is the purpose of all that code?

Computer Management Console (User Accounts) would not show up a user there, this is a hidden account, for instance created in the SECURITY TAB, for the Brave folder, the Squirrel folder and various other files and folders (many many..).

The "account unknown" was set to be elevated ABOVE regular ADMIN (administrator) for the machine. I changed ALL PERMISSIONS for that hidden account here to DENY.. And let it migrate to the many many files and folders created with that squirrel installer.. Some were not able to be changed to DENY for that hidden account. I have yet to get digging in there to see where they were lodged as not changeable yet for the hidden account. Here is a screenshot to see what it looked like:

To find for instance "Squirrel", one can go to My Computer, select the C: drive, then in the search box type SQUIRREL, and let the computer find all instances of "Squirrel". (It may be that your Windows Explorer has to be set to SHOW HIDDEN FILES and SYSTEM FILES (I have mine set to also show file extensions, such as Squirrel.EXE where EXE is the extension), so that you get a full file name..

I will look for the installer folder - SquirrelTemp which is located on my machine at this path: C:\Users\[computerusername]\AppData\Local\SquirrelTemp

If I then RIGHT CLICK on SquirrelTemp, I get a popup, find PROPERTIES, click on that. FIND the SECURITY TAB, click on that and review it. Those are the security settings for that folder.

http://chanlo.com/images/brave/account-unknown-3.jpg

I've redacted some private machine names here and my own account, but please note the UNKNOWN USER ACCOUNT. THAT is what was created on my computer, hundreds, if not thousands of files and folders were modified with that account taking ownership and not allowing me to remove it by normal means. If you see that unknown account or anything in there which is NOT created by you or your machine, I would take note of that.

Next, open your windows TASK MANAGER. Bottom toolbar if that is where your windows shortcuts are, in task manager, find the tab, SERVICES. Open that, and then take a look to see if you have WinRM (the remote manager). If you have WinRM running (and you are not the one who wants remote desktop control, remote 'help' etc..) TURN THAT OFF. This apparently is what the "unknown user" did to my machine during that session which happened 6 hours after the browser install. I would take note of that..

This is what the task manager services tab shows with the highlight on WinRM.

http://chanlo.com/images/brave/winRM.jpg

I have permanently disabled the WinRM in services now.

Bob
6th October 2016, 19:14
PARTIAL List of infiltrated folders by the unknown-user which appeared after the "brave browser 0.12.1 install". From a windows 7 OS system. One can see in the file/folders and security permissions images (screenshots) examples of the changes made by what looks like the squirrel's activity. Reiterating, the hidden account was found when I tried to see if Brave was really uninstalled and found that I could NOT delete the SquirrelTemp, or the Brave folder still remaining. The hidden account therefore ONLY came from the brave install.

Here are some questions to ponder on:

WHAT and WHY DOES a browser need an elevated permissions hidden account to review and access to every folder on my desktop?

To have senior elevated write execute delete permissions, to prohibit the OWNER from being able to access them where the hidden account infiltrated?

To even get into every private folder where I would store emails, passwords, all my documents and records?

Just as a thought exercise, will anyone want to venture to tell us about how viruses and trojans work what they do to create elevated hidden accounts? what is their behavior like in other words. Please take a look here - Privilege Escalation - https://en.wikipedia.org/wiki/Privilege_escalation - it's a good read to understand why I was concerned at the outset when I saw this type of behavior happening during/after the install of the Brave Browser. (see the Account Unknown (screenshots) created within some folders security settings permissions which were modified).

Do I have a right to be concerned about this?

C:\Users\{machineaccountname}\Pictures
C:\Users\{machineaccountname}\ EVERY FOLDER ON THE DESKTOP
C:\Users\{machineaccountname}\ EVERY FILE WITHIN EVERY FOLDER on the desktop (this is insurmountable, seriously, here is an example)

One of my desktop folders called
C:\Users\{machineaccountname}\DesktopWork
4,153 Files, 342 Folders have been looked at and infiltrated with the hidden account that came out of the Brave Installer, assuming it is that "squirrel" that did this..

My Desktop though, has a lot more files and folders, note the amount and the "Account-Unknown" account that was added..

http://chanlo.com/images/brave/account-unknown-5.jpg

http://chanlo.com/images/brave/account-unknown-6.jpg

And the top level which is where the "squirrel" took over with its probe:

http://chanlo.com/images/brave/account-unknown-4.jpg

EVERY FILE that I had on my desktop apparently was infiltrated with the hidden user account which still remains there and the security permissions changed with the addition of this new unauthorized "Account Unknown".

I have executed a top level switch to DENY ALL settings in security permissions of that "Account Unknown" , but have left that hidden account within the file folder permissions so that I can further document what I still don't have access to.

While doing a migrate of security settings changing the hidden user account to DENY ALL, windows OS said some files/folders are NOT able to be changed for that hidden account. I am in the process of going thru making a list of what I can't fix.

This is totally unacceptable for a program to do that legitimately to one's computer in a legitimate install/uninstall - still uncertain why/where this issue appeared, what triggered it and what allowed me to see what damage was being done to my file system.

I can only imagine the hundreds of hours I will have ahead of me to correct this awful installation/uninstallation.

Reading the setup log for the Squirrel, looks like it got very pissed that it was prevented access to one of my folders by its "probe" and then it decided to stop installing whatever else it had to do, including a proper uninstaller..


2016-10-01 17:27:13> Program: Starting install, writing to C:\Users\{MachineAccountName}\AppData\Local\SquirrelTemp

2016-10-01 17:27:13> Program: About to install to: C:\Users\{MachineAccountName}\AppData\Local\brave

2016-10-01 17:27:14> ApplyReleasesImpl: Writing files to app directory: C:\Users\{MachineAccountName}\AppData\Local\brave\app-0.12.1

2016-10-01 17:27:14> CheckForUpdateImpl: Couldn't write out staging user ID, this user probably shouldn't get beta anything: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\{MachineAccountName}\AppData\Local\brave\packages\.betaId'.
at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)

2016-10-01 17:27:32> ApplyReleasesImpl: Squirrel Enabled Apps: [C:\Users\{MachineAccountName}\AppData\Local\brave\app-0.12.1\Brave.exe]



I've redacted my machine user account name {MachineAccountName} in the log extract above for security reasons. But you can see it is complaining that "THIS USER" should not be getting a betatest program ! Afterwards it tries to go to the Brave server and it is denied access as it is using an illegal hook into a data socket to try to get there (my firewall is set to prevent unauthorized outgoing activity)...


2016-10-01 17:29:55> InstallHelperImpl:
Couldn't write uninstall icon, don't care:

System.Net.WebException: Unable to connect to the remote server --->

System.Net.Sockets.SocketException:
An attempt was made to access a socket in a way forbidden by its access permissions 157.52.65.7:443 <<<---NOTE: This shows the "try to connect" my machine directly to the BRAVE SERVER. IF IT TURNED ON winRM (the remote control access, and LEFT IT ON, PERMANENTLY, that then is where the later unknown user that nite was able to get into my machine, modify registry, do something with security certificates, It is a good trail of the awful installer activity.)..

at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)




When it (the squirrel) did that "squirrely install/uninstall", it showed me (us) how severely it got into every unauthorized folder on my computer that it could stick its "probe into". I suppose that is a blessing really, as users would not know what is happening to one's computer during installation/uninstallation by the "squirrel" installer.

A browser has absolutely NO BUSINESS getting into privates, no business looking at my desktop, my \User\{machineaccountname} folders and files.

It certainly should not ever allow winRM or any other superconsole access to be left ON so that unauthorized users connected to the machine, I can only assume the IP is what was shown in the failed socket attempt - I noticed my machine kept pinging something continually every few minutes before I caught that winRM was turned ON, that all the machine's normally OFF remote features were changed to MANUAL instead of DISABLED (the way I keep them set..) I point this out that this behavior started AFTER the Brave Browser was installed and then the Uninstall chosen, to remove the browser (and all changes it made).

AFTER setting the remote features in the Services back to DISABLED and removing from RUNNING TASKS winRM did the firewall stop complaining about continual unauthorized attempts.. Go figure eh? What IP was winRM permanently opened to? Who was the mysterious hacker changing security Certificates diddling with the registry?

This fiasco is totally unacceptable. And I am incurring quite a loss of time and effort trying to fix a compromised machine at this point. I was not told at the outset we would be downloading a version 0.12.1 BETA - I would never have tried a BETA on a critical machine.

Looking at the list of files and folders in the screenshot of C:\Users\{machineaccountname}
it seems to be saying

112,027 Files, 9,384 Folders
have been affected, probed and hidden account senior permission given to.. That number may vary a bit lower (slightly lower) as I have been continuing to use my machine, create files and so forth, maybe 30 or so files I have created since the botched install/uninstall.

Gee.. what fun.

PS: Brian and I are in PM trying to sort out how to deal with this situation of the installer issues. What worries me still is what happened during the session started 6 hours after the install, why a registry change was done, why a certificate change was done. What was uninstalled when I clicked the uninstall, were some critical holes left opened up? Just seems to me, leaving winRM on is wrong or any remote services, or hooks to some other computer somewhere on the internet.

I have not created any new accounts on this machine, have not changed my username, machine name - - none of that, the Account-Unknown came out of the squirrelsetup installer I believe 100% certain.

BraveClifton
6th October 2016, 20:31
Alright, let's do this :) Apologies in advance for the massive wall of text (and the time it's taken me to type it all up)




(ask me anything!)

First question: Are you ready for a long browser war?


Personally, I think the "browser wars" are over... What I mean by that is: all the major browser engines are "fairly" standards compliant.

If we look at a "state of the market", we have:
- Chrome has an extremely large market share. Even when you take mobile (android) out of the picture. Consider how Chrome extensions are almost a standard that other browsers are pulling in
- Safari (in my opinion) being like the new IE in terms of Apple bundling its browser and in the case of mobile, forcing users to use it (rather than allowing them to change default browser)
- Firefox has a fairly small (and declining) market share in comparison to those
- Windows has IE and Edge which see decent usage

There's still LOTS of room to iterate and improve the overall experience. I personally have believed for years that websites will replace traditional apps. IMO, the iTunes store blew up in the late 2000's because the web is just not there yet. Standardizing major features takes time and I believe we've seen great progress towards adding native features to the browser (ex: WebGL). As more features are added, the browser and how it renders the content (what used to be important) becomes less important than the overall features the browser adds. Web browsers are getting close to the point where they are just an app launcher.

We can't forget there are over 7 billion folks out there and a decent amount of them have access to the internet; even small gains in market share have huge potential impacts. IMO, there is lots of room for different web browsers to co-exist and thrive. Each segment of users has acceptance criteria for their browser (features, privacy concerns, speed, etc) and each web browser has a chance to cater to them. My hope is that the competition to gain more users helps drive innovation.




I like giving UX feedback, so I wrote these notes:

*

I think Brave could eventually pull market share away from Chrome + Firefox, as privacy is a public issue, but it will be a long, slow conflict that plays out over 5-30 years.

I guess you're relying on word-of-mouth. I'd nearly recommend Brave to friends and family. Right now there are a few things that make me unsure.


RANDOM UX NOTES:


LIKE

- I like the way page load times are displayed.
- Shields Down/Up. Cool.
- Nice choice of colors for blocking statistics. Clear and good-looking.
- Optional upgrades, asking the user before downloading new versions of Brave. Chrome upgrades automatically, which annoys some privacy buffs.
- The Brave update experience was smooth and painless.


Really glad you like it so far and yes- word of mouth is huge :)



NOT SURE, DON'T LIKE, SUGGESTIONS

- No explanation for "HTTPS upgrades". This needs a question mark, with an explanation of HTTPS that appears on click. Fingerprinting protection is explained in the menu, nothing else has an explanatory question mark.

That is a great point- I captured this concern with:
https://github.com/brave/browser-laptop/issues/4593



- Not everyone knows what 3rd party cookies are. I doubt my parents or gf do. Need a hover/tooltip explaining what this means to the user.

Another great point :) I captured this issue w/ https://github.com/brave/browser-laptop/issues/4594



- Suggestion: To see an excellent UI, you could checkout Handbrake.

https://handbrake.fr/downloads.php

Handbrake guides people through a complex video compression process using tooltips. It's the best UI I've seen on a program. Too much info annoys technical users, not enough info annoys casual users. Tooltips and question marks strike a balance between the groups. Right now I wouldn't recommend Brave, because the sub-menu experience is potentially confusing. The layout is the best I've seen, but the structure and writing on the menus are no more than OK.

I'll be sure to pass this feedback onto our head of design, Mr Bradley Richter :)



- Brave Payments, the truly revolutionary aspect of the browser, is hidden in a sub-menu. I need 2 fiddly mouseclicks to get there. Is hiding payments a design choice because you're in beta? You could have a clickable Bitcoin logo right next to the lion.

Yes- we are in beta and have things to iron out. Updates to the lion logo, including a bitcoin logo, are considerations that are underway right now :)





COLOURS

- No choice of colors on the Bravery panel, either for the settings panel or the browser itself. Slack won their marketplace because they had a selection of lush color palettes. Startups live or die on their choice of color hexcodes.

- Suggestion: If you wanted to continue the sci-fi theme you started with "Shields Up", you could have optional browser skins that felt like users are in the cockpit of an X-Wing. Dark metallic grey with few subtle, understated space icons. I know you can't use an X-Wing, for copyright reasons, but making the user feel that they're in a spacecraft would be a massive UX win, especially for the first adopter/sci-fi nerd market. Bored workers who are using a browser to Google all day would feel energized.

- Microsoft used a Paperclip helper to make the Word UX more friendly. You could use a lion face, or even a tiger as a pop-up helper for first time users.

- (Half-baked suggestion: You could have an optional set of sci-fi sounds as people surfed. Sci-fi doors opening with a metallic swish for a website, for example. That would annoy most users, but the media and sci-fi crowd might like it.)

- You could also go the other direction, and have a very minimal, ultra-light option, for users who cared about speed. When I first used Maxthon, it was noticeably faster than other browsers.

- English is US only? No GB option alongside US English? I normally see the two next to each other. You've just alienated Scotland, England, Wales, and Ireland. :Party: Please stick a UK flag there for a British English option, and just route it through to US English. No one will notice or care.


This is great feedback- customizability is important and I know we have a TON of issues opened tracking functionality including:
- making the browser easier to use for folks with disabilities
- dark color alternatives
- being able to customize the controls in the browser

The hard part is making sure the fundamentals are there first. For example, we just pulled in extension support recently. It's not really live for customers yet (other than our 1Password and Dashlane plug-ins are now updatable). Other major features we've been working on include:
- being able to tear tabs off and put into a new window (in progress)
- importing bookmarks from other browsers (recently finished)
- polishing up the UI associated with browser history and bookmark management
- improving Brave Payments with bug fixes and also with feedback we've gotten
- providing a way for content publishers to sign up so that they can collect the funds from Brave Payments

It'll be exciting to see where the project is at in a year from now, when a lot of the basics are in place (and well executed). The English comment is funny- I didn't perceive it as being intentionally offensive. I'll mention that in our chat. We're basically using it as "English" rather than actually localizing to various English speaking markets (no offense intended, I swear!)



BOOKMARK EXPERIENCE

- All popular browsers that I've used have a bad bookmarking UX. The field is wide open for innovation. With Maxthon, (which sucks, but it's fast) I have a clickable star to reach all my bookmarks. A function hotkey or Ctrl-S to bookmark sites might help. Anything to save users mouse-clicks.

- You have a clickable star to put something into bookmarks, but how to retrieve them? The UX/UI is unintuitive. Where do I retrieve the bookmarks? The Lion's face, the hamburger and the star don't take me there. Maxthon takes me to Bookmarks with one click. Brave bookmark UX is more confusing than other browsers right now.

- Oh wait, I just saw it's Ctrl-D to save a bookmark. What about a helper that pops up to explain it's Ctrl-D, when users first download Brave?

- Double Ctrl-D should bookmark a site. Right now Ctrl-D brings up the menu, but I still need to mouse-click to save the site. Unintuitive and slightly annoying.

- Typing PR in the URL window brings up Project Avalon, good. Next to each bookmark, there should be some colors that represent the bookmarked site, or an icon to help users find which site they want quickly. Text plus grey is too bland when users have hundreds of bookmarks to scroll through. Again, Maxthon got it right, but their search function is so buggy that I don't like it any more.

This is a huge one that we are actively working on. You can see (and make) Bookmark feature requests here (as of this writing, there are 66 open issues/requests):
https://github.com/brave/browser-laptop/issues?q=is%3Aopen+is%3Aissue+label%3Afeature%2Fbookmarks




PRESS

I saw on Reddit that people were happy about Brave's Bitcoin Micropayments and ad-blocking, but weren't sure about replacing an ad with one from Brave. Some were calling it a protection racket. They might be right or wrong, but the marketplace has strong opinions. Replacing ads, unless very artfully done, may cause bad vibes in the first adopter market, and lose you word-of-mouth. It eclipses all the good you've done with privacy and Micro-payments.

China. Do you have a Chinese translation? Firefox OS lost because it came too late. Wait, I just saw it, but it's hidden in 'General'. Installers should ask what language the users want. Defaulting to Chinese language because you see a user is coming from China is very annoying for multi-lingual households + workplaces. It took me 10 minutes of trawling through docs to reset VSCode to English, for example.

*

tl;dr: Innovative skins, softer/clearer ad-policy and a better right click experience might push Brave past Chrome long term, but it'll be an incremental slog.

I had a few other points, but I have to do things. Thanks for making Javascript, Brendan, Codepen is one of my favourite sites.

We recently added Chinese I believe (which is great!)

Like you stated, gaining users will take time. I personally see this as a long term game and browsers will become increasingly important to people as they offer more features and native apps become less important. Many native apps right now just wrap a web page and offer native features like push notifications.

Thanks for all the input :)

Wide-Eyed
6th October 2016, 21:24
Thanks for comments BraveClifton, but ever since I downloaded Brave from PA's thread from Herve' it has hijacked something on my Windows 7 OS and has run up my cpu usage to 100%. What is that all about? I would love to eliminate and go back to normal cpu usage rates.

Hervé
6th October 2016, 22:03
Thanks for comments BraveClifton, but ever since I downloaded Brave from PA's thread from Herve' it has hijacked something on my Windows 7 OS and has run up my cpu usage to 100%. What is that all about? I would love to eliminate and go back to normal cpu usage rates.

This might give you some avenues of investigation and permanent solutions to that High CPU Usage:

How to fix: Svchost.exe (netsvcs) memory leak or high CPU usage problems (https://www.wintips.org/how-to-fix-svchost-exe-netsvcs-memory-leak-or-high-cpu-usage-problems/)

Daozen
6th October 2016, 22:30
Thanks for typing that up BraveClifton. It's an interesting insight into how projects are managed. I know programmer time is expensive, and don't want to drag you away from development.

I didn't realise I could open Github issues for fiddly UX feature requests. Looks like you have things well documented and a good community. I like the clear feedback structure you have. By 'long browser war' I meant that it'll take a while to drag users away from established options. But in a billion+ person market, even a 0.5 percent gain is a huge win. Yes, there's room for many browsers, like you said.

I doubt anyone in Scotland really cares that there's no UK English option, but in my experience, localizing with small language markets like Hungary, Czech Republic, Sweden... taking the time to get everything right, makes a huge difference in word of mouth. But I shall lecture you no longer! It looks like you have a solid gameplan and a long term view. My name on Github is Microflow, I'll contribute when I can.

Best Wishes.

Wide-Eyed
6th October 2016, 22:37
I have the same built 0.12.1 with the same certificate running on a Win 7 machine. In computer management console I see no additional user accounts listed, also not in the security properties of the install file.

What bothered me from the start is that the install file is 93 MB big. Otter has 30 Mb. What the heck is the purpose of all that code?

Exactly, Olaf. The high MB # was a red flag to me but I only looked into that or noted it after I installed Brave from post then ... it never let me use Brave browser. ??? I'm no comp-sci major, but I downloaded Brave from a PA thread thinking it was kosher and then it locks up my cpu sends it to a hot 100% constant cpu usage and I'm thwarted at every turn constantly going into services under task manager to alleviate the issue. No more consciousness elevating from me, I'm left with the old school system of truth seeking- research by legal pad, dewey. card catalog, and the cold hard quiet comfort of the library I guess:( It's going to be a cold dark winter... time to hit the books. Anyone in the market for a used, very warm PC?

Bob
6th October 2016, 23:12
Thanks for comments BraveClifton, but ever since I downloaded Brave from PA's thread from Herve' it has hijacked something on my Windows 7 OS and has run up my cpu usage to 100%. What is that all about? I would love to eliminate and go back to normal cpu usage rates.

This might give you some avenues of investigation and permanent solutions to that High CPU Usage:

How to fix: Svchost.exe (netsvcs) memory leak or high CPU usage problems (https://www.wintips.org/how-to-fix-svchost-exe-netsvcs-memory-leak-or-high-cpu-usage-problems/)

Just a brief observation Herve', going to that page tells the user down the list of suggestions to DELETE (clear) the logs in Event Viewer which could be providing FORENSIC data on the machine, so doing that will remove the log traces of what went wrong. I would not recommend deleting logs.. just have the user look in task manager, and go to processes and SEE what is taking up 100% or high usage. Then noting what program it is take some notes.. Stopping that by right clicking on the offending program and then use END PROCESS TREE gets rid of the offending program.

That way FORENSICS are saved and not lost for later evaluation why things weren't working as they should.

The page assumes How to fix: Svchost.exe (netsvcs) memory leak or high CPU usage problems. Is the assumption here that BraveBrowser induced netsvcs issues?

I think just doing the find the process, not the service that is acting up is the way to fix it quick without a novice user having to try to sort some potentially complex issues.. total fix time, that way 20 seconds. Nobody should be stuck with a computer being forced to run at 100%. Laptops can be permanently damaged by such overload if such continues for any length of time. (cpu meltdown, and so forth, like loss of data if the machine thermals out.)

If not already ticked "Show Processes from ALL USERS" should be ticked ON (so that suggestion is good in the page referenced..) - that is usually located at the bottom left of the Task Manager window which pops up.

Piece of cake that way. :cake:

reference: Computer Forensics, or Preserving DATA - https://forensiccontrol.com/resources/beginners-guide-computer-forensics/

never delete logs if there are problems.. finding the right log to look at, security logs, network logs, etc. are essential in finding 'what went wrong'

Here is a list of tools that are usable in doing a FORENSIC analysis to see what went wrong. Understand why FORENSIC analysis should be performed in any specific or suspected or potential hacking issue. Potential damaging of one's machine, file system, IP theft, etc.
https://forensiccontrol.com/resources/beginners-guide-computer-forensics/

Hervé
7th October 2016, 00:47
[...]
Just a brief observation Herve', going to that page tells the user down the list of suggestions to DELETE (clear) the logs in Event Viewer which could be providing FORENSIC data on the machine, so doing that will remove the log traces of what went wrong. I would not recommend deleting logs.. [...]

Correct, if one is interested in forensic analysis (one can always "Save All Events as..." before clearing the logs)...

The advice given is to solve the high CPU usage... not a forensic analysis like you are interested in :)

Bob
7th October 2016, 01:40
[...]
Just a brief observation Herve', going to that page tells the user down the list of suggestions to DELETE (clear) the logs in Event Viewer which could be providing FORENSIC data on the machine, so doing that will remove the log traces of what went wrong. I would not recommend deleting logs.. [...]

Correct, if one is interested in forensic analysis (one can always "Save All Events as..." before clearing the logs)...

The advice given is to solve the high CPU usage... not a forensic analysis like you are interested in :)

Ya all that @Wide-Eyed needed was to go to Processes and turn off the 100% CPU use program. Done in a few moments. We solved that together in a few PM's back and forth. @Wide-Eyed only had this happen after trying the BraveBrowser, and did NOT have brave-browser able to work. The assumption then is the install failed, locked the computer into 100%. Had nothing to do with the other suggestions on that page except to go to PROCESSES, find the high CPU USE and stop that program from running.

For ANY REASON, forensics or whatever, DON'T go deleting log files, it is essential to know what went wrong.
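
An added example, not written by any poster in this thread: a PowerShell sketch of the evidence-first approach argued for above, recording the state of the remote-management services mentioned earlier (start type changed from DISABLED to MANUAL, winRM running) and exporting the event logs before anything is stopped or cleared. The service list, log list and output folder are assumptions chosen for illustration.

```powershell
# Added example: record remote-management service state and preserve event logs
# before any cleanup or log clearing. Run from an elevated prompt,
# Windows PowerShell 4.0 or later (Get-CimInstance and Get-FileHash are needed).
# Assumptions: the service list, log list and output folder are illustrative.

$Services = 'WinRM', 'RemoteRegistry', 'TermService'
$Logs     = 'System', 'Security', 'Application', 'Microsoft-Windows-WinRM/Operational'
$OutDir   = Join-Path $env:USERPROFILE ('ir-snapshot-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Start mode (Auto/Manual/Disabled) and run state of each service right now.
$filter = ($Services | ForEach-Object { "Name='$_'" }) -join ' OR '
Get-CimInstance -ClassName Win32_Service -Filter $filter |
    Select-Object Name, DisplayName, StartMode, State, PathName |
    Export-Csv -Path (Join-Path $OutDir 'services.csv') -NoTypeInformation

# 2. History of start-type changes. The Service Control Manager writes event
#    7040 to the System log each time a service's start type is changed, with
#    the old and new value in the message and the account SID in UserId.
$changes = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7040
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'UserSid'; Expression = { $_.UserId } }, Message
if ($changes) {
    $changes | Export-Csv -Path (Join-Path $OutDir 'start-type-changes.csv') -NoTypeInformation
} else {
    Write-Warning 'No 7040 events found (log cleared, rolled over, or no changes).'
}

# 3. Sockets on the default WinRM ports (5985 HTTP, 5986 HTTPS), with owning PID.
netstat.exe -ano | Select-String -Pattern ':(5985|5986)\s' |
    ForEach-Object { $_.Line.Trim() } |
    Set-Content -Path (Join-Path $OutDir 'winrm-sockets.txt')

# 4. Export the logs as .evtx so the originals can be examined later.
foreach ($log in $Logs) {
    $dest = Join-Path $OutDir (($log -replace '[\\/]', '_') + '.evtx')
    wevtutil.exe epl $log $dest
    if ($LASTEXITCODE -ne 0) { Write-Warning "Could not export '$log' (exit code $LASTEXITCODE)." }
}

# 5. Hash everything collected so later copies can be checked against this set.
$files = @(Get-ChildItem -Path $OutDir -File)
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'sha256.csv') -NoTypeInformation

Write-Output "Snapshot written to $OutDir"
```

The 7040 export is the part that speaks to the question of when a service went from disabled to manual, since each event carries its own timestamp; it only helps if the System log has not been cleared.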

Paul
7th October 2016, 05:20
For ANY REASON, forensics or whatever, DON'T go deleting log files, it is essential to know what went wrong.
If the cause of the excessive CPU usage was some unnecessarily inefficient processing of some log file, as apparently that article was considering a possibility, and if one has already looked into other solutions, perhaps as that article described, then it might make sense to delete, or at least move elsewhere, the log files that might be causing the problem.

On a separate matter ... Bob, the manner in which you are approaching this Beta of the Brave browser, still in the midst of its initial major development, is rather annoying (to me at least) and rather insulting (to Brave). You're inundating us with a blizzard of technical details, combined with numerous rather nasty insinuations. The technical details seem less offered to assist Brave developers, in ways they welcome, in analyzing what's happening, and more offered to impress the reader with your mastery of the situation. The result comes across as less supportive of genuine efforts to improve Brave or diagnose the issues you're reporting, and more intended to slander Brave and to impress us with your technical knowledge.

This is not how good software is developed.

I trust that the Brave developers have good intentions and substantial technical ability, and that Brendan Eich has good strategic vision ... as good or better than anyone. I know from experience that if it turns out that they don't have such, or that they do now, but turn to the dark side later, that it will take far more time than we have spent so far, for even those of us who are technically savvy, such as yourself or myself, to realize otherwise.

Meanwhile, I suggest looking more for opportunities to assist, in ways that might be welcome, rather than looking for opportunities to impress technically and to slander Brave.

Thanks.

Johnny
7th October 2016, 09:35
Not that I want to impress anybody with technical knowledge. !! :)

I have (Win 10 AU) 317 event log files on my machine, I clear them every day just to tease M$, and yes if something goes wrong before, I can't see that. They can be found here c:\windows\system32\winevt\logs

When you double-click on a file it will open (can take a little time before the result arrives), also remember, you can click on changedate to sort the files, so you can see the last written log/s.

To clear all the files follow the instruction here: http://www.tenforums.com/tutorials/16588-event-viewer-clear-all-event-logs-windows.html

:focus:

Johnny :)

Paul
18th December 2016, 06:21
From BraveSoftware Raises $4.5 Million in Seed Financing and Readies for 1.0 Launch (PRNewswire.com; August 1, 2016) (http://www.prnewswire.com/news-releases/brave-software-raises-45-million-in-seed-financing-and-readies-for-10-launch-300306641.html) :

==========


SAN FRANCISCO, Aug. 1, 2016 /PRNewswire/ -- Brave Software, a start-up reinventing the browser as a user platform for speed, privacy, and micropayments, announced today that it has raised a $4.5 million seed round investment from leading venture capital firms and angel investors. Participating in the round are Founders Fund's FF Angel, Propel Venture Partners, Pantera Capital, Foundation Capital, and Digital Currency Group. This round of funding will be allocated towards platform development and growth. This brings the total amount of funding to date to $7 million with previous angel funding from private investors.

Brave is a new open source browser for desktop and mobile that blocks invasive ads and online trackers to provide a faster and safer web experience. Unlike traditional browsers, Brave has a built-in ad-blocker (no extensions needed) which reduces page loading time, improves performance, and guards from ads infected with malware. On the desktop, Brave provides a 40% to 60% speed increase, and a 2x to 4x speed increase on mobile devices. Mobile users see a direct reduction in both battery and data plan consumption. Brave also protects users with leading privacy and security features such as HTTPS Everywhere (encrypted data traffic), fingerprinting shields, phishing protection, malware filtering, and script blocking.

Brave is partnering with BitGo and Coinbase to provide wallets and purchasing tools for the Brave Ledger, a new Bitcoin-based micropayments system that automatically and anonymously pays users' favorite websites. Brave also will allow users and publishers to opt into a better, privacy-preserving ad model that shares revenue with users as well as publishers.
==========

Paul
18th December 2016, 06:25
From CoinDesk and Brave Software Partner on New Content Revenue Model with Private Micropayments and Focus on User Privacy (PRNewswire.com; December 13, 2016) (http://www.prnewswire.com/news-releases/coindesk-and-brave-software-partner-on-new-content-revenue-model-with-private-micropayments-and-focus-on-user-privacy-300377307.html):

==========


NEW YORK and SAN FRANCISCO, Dec. 13, 2016 /PRNewswire/ -- CoinDesk, the leading media & events business in the bitcoin and blockchain industry, announced today a partnership with privacy-focused browser company Brave Software to phase out third-party banner advertisements from its website in 2017 and promote the innovative Brave browser to its audience.

In order to maintain revenue with the value of ad impressions dropping across the Internet, many media companies have found themselves increasingly pressured to allow networks to serve ads that trade their users' privacy and security for delivery guarantees. Rather than follow suit and chase additional pennies from third-party networks that serve intrusive ads that track and follow users as they browse the Internet, CoinDesk has committed instead to evaluate new revenue models with Brave that provide brand advertisers with significant returns on their investment while also providing users with a faster, cleaner, and more private experience.

==========

Omni
18th December 2016, 08:23
Wow great thread. Have downloaded brave and will be using it on an alternate twitter account(@NeuroWeaponry). What I would say is lacking in brave is a window for quick search engine searching like firefox. It seems very responsive so it is welcomed software to my arsenal :)

Paul
18th December 2016, 08:32
It seems that Brave Bitcoin payments are enabled now. I just deposited a few millibitcoin (mBTC) in a Brave Wallet to fund donations, to be spread amongst the sites I visit with Brave.

I then visited ProjectAvalon.net using Brave, and a few other sites. Those sites showed up as visited sites (on my Brave Settings ==> Payments screen), with an option on each site that I had visited to enable them in the monthly payout of the $5/month I was willing to pay, in total, over all the visited sites that I enabled.

Once enough of us do this and a total of $10 accumulates just for ProjectAvalon.net, then Bill will get an email, inviting him to verify that he's the owner of the site, so that he can collect the money each month that comes in, from Brave users visiting his site, who have funded monthly donations to be distributed amongst the sites they visit. There is a little more detail at https://brave.com/publishers.html

Paul
13th January 2017, 06:53
I have received the first Brave payments for ProjectAvalon.net, ProjectAvalonStatus.net and AvalonLibrary.net.

After subtracting my Amazon AWS S3 storage server costs (one cent per day <grin>) for AvalonLibrary.net from what I received, I have deposited the remainder in a Bitcoin Wallet that is earmarked for Bill, whenever it has enough to make it worth his picking up. I have now deposited 2.64 mBTC into Bill's wallet. One "mBTC" is one-thousandth of a Bitcoin, and worth about $US 0.80 on the market at present, so think of an mBTC as (roughly) a dollar.

Brave payments are just beginning to receive widespread exposure, so it's too early to know if this will develop into enough of an income stream to make a significant contribution to the monthly costs that Bill pays to keep this site going ... probably not, but worth a try.

Daozen
13th January 2017, 07:00
It'll probably take 1-5 years for this to build up steam... If websites offered special features for Brave users, it could incentivize use.

It's definitely a revolutionary technology, but it needs adjusting.

Paul
13th January 2017, 07:02
It'll probably take 1-5 years for this to build up steam... If websites offered special features for Brave users, it could incentivize use.

It's definitely a revolutionary technology, but it needs adjusting.

Yes - likely so :)

Paul
3rd February 2017, 08:34
I have received the second Brave payment, this time for a whole month, for the websites ProjectAvalon.net, ProjectAvalonStatus.net and AvalonLibrary.net.

After subtracting out about two cents per day for Amazon AWS S3 storage fees, since Bill started providing more material on AvalonLibrary.net towards the end of January, I deposited another 6.00 mBTC into Bill's bitcoin wallet.

Ewan
6th February 2017, 13:24
Finally got round to downloading this. Will try it out over the next few days.

The following is actually from Apr 7th 2016 but I found it interesting. (I wondered if the letter from the NAA was not so much about protecting advertisers but protecting tracking?)




Brave's Response to the NAA: A Better Deal for Publishers
author: BraveSoftware
April 7th, 2016

The NAA has sent a letter to Brave Software filled with false assertions, indicating that they have fundamentally misunderstood Brave. Here are a few misconceptions we’d like to clear up:

Brave is not, as the NAA asserts, “replac[ing] publishers' ads on the publishers' own websites and mobile applications with Brave's own advertising.” We do not tamper with any first-party publisher content, including native ads that do not use third-party tracking.

Brave is not trying to steal the “profits” from publishers as the NAA asserts. Here again, the NAA has fundamentally misconstrued what Brave does. Brave is building a better ad network with a bespoke browser tied anonymously to the network. We will actually pay the publishers more of the revenue shared through our system than most websites are getting now from third-party ads. (http://www.iab.net/media/file/PwC_IAB_Programmatic_Study.pdf)

The letter falsely asserts that Brave will share an "unspecified percentage of revenue", when our revenue share split has been public and fixed from our first preview release in January.

https://brave.com/assets/blog_images/image03.png

We give the lion's share (pun intended) to websites. With our ad-share model, the default money flow directs up to 70% of ad revenue to site publishers – far greater than the average percentage in the current programmatic display ad ecosystem. Brave keeps 15%, and allows the end-user to choose whether to donate or keep their 15% share. Keeping their share still results in 55% ad rev share to site owners – beating the current average of 45%. Take a look at our Brave User Paths from Browsing to Ad Rev sharing:

https://brave.com/assets/blog_images/brave_infographic_large.png

The news industry is in catastrophic decline and has been for years. Brave has a model to change this dire trend (http://mjperry.blogspot.com/2012/02/newspaper-ad-revenues-fall-to-50-year.html) by both funneling more ad revenue to publishers and allowing users to pay them directly:

https://brave.com/assets/blog_images/image01.png

Abusive (http://www.mercurynews.com/ci_18524333), excessive, and even dangerous online advertising is driving users to adopt ad blockers en masse, and this is a trend that will not be reversed by legal threats, server-side anti-blocker countermeasures, or harsh language. We note that malware has been distributed (https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising) on the websites of the New York Times and the BBC recently through the ill-designed, unregulated, and poorly-delegated third-party advertising technology ecosystem.

https://brave.com/assets/blog_images/image02.png

In sum, and contrary to the misstatements of the NAA letter, Brave is the solution, not the problem, for users and publishers. We provide speed, privacy, protection from malware, and a new, anonymous payment model that helps the whole industry and publishers in particular, compared to the status quo.

The privacy point is overlooked in the NAA’s attack on Brave and worth emphasizing. The violation of individual privacy has reached epidemic proportions (https://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising). The news industry has been an active participant in violating individual readers’ privacy by benefitting from non-consensual third party tracking and ads. Here is the before vs. after Ghostery tracking graph for just one popular site:

https://brave.com/assets/blog_images/image00.png

News industry leaders rightly decry the violation of privacy inherent in some NSA or FBI tactics, yet their own complicity in tracking individuals to even more invasive degrees is not addressed.

Furthermore, the NAA's letter misconstrues how Web standards and browsers work by design: the Web is a system that allows users to consume content in any combination and presentation that user-chosen software can achieve. Browsers do not "republish", copy, serve, syndicate, or distribute content across the Internet or to any computer other than the one on which they run.

Browsers do not just play back recorded pixels from the publishers’ sites. Browsers are rather the end-user agent that mediates and combines all the pieces of content, including third-party ads and first-party publisher news stories. Web content is published as HTML markup documents with the express intent of not specifying how that content is actually presented to the browser user. Browsers are free to ignore, rearrange, mash-up and otherwise make use of any content from any source.

If it were the case that Brave's browsers perform "republication", then so too does Safari's Reader mode. The same goes for any browser with an ad-blocker extension installed, or the Links text-only browser, or screen readers for the visually impaired.

Make no mistake: this NAA letter is the first shot fired in a war on all ad-blockers, not just on Brave. Though the NAA never reached out to us before firing this shot, we would be happy to sit down with them for an opportunity to discuss how the Brave solution can be a win-win for our users and the publishers they browse. We will fight alongside all citizens of the Internet who deserve and demand a better deal than they are getting from today's increasingly abusive approach to Web advertising.

Paul
10th March 2017, 12:08
I have received the third Brave payment for the websites ProjectAvalon.net, ProjectAvalonStatus.net and AvalonLibrary.net.

After subtracting out charges for Amazon AWS S3 storage fees, I deposited another 8.00 mBTC into Bill's bitcoin wallet.





Note from Bill: Although no huge riches here (8 mBTC converts (https://youmeandbtc.com/bitcoin-converter/convert-btc-mbtc-bits-satoshis-usd) to exactly $9.64), I'm very grateful for the donation.

Sammy
2nd June 2017, 00:25
Former Mozilla CEO’s ‘Brave’ Internet Browser Raises $35 Million in ‘Under 30 Seconds’ (http://www.breitbart.com/tech/2017/06/01/former-mozilla-ceos-brave-internet-browser-raises-35-million-in-under-30-seconds/)

Brave, a privacy-focused and open-source browser, raised $35 million from its initial coin offering (ICO) in under 30 seconds this week, according to a report.

The free browser, which automatically blocks advertisements and tracking cookies, has been growing in popularity since its 2015 release and is currently in open beta.

Daozen
2nd June 2017, 05:01
Good to see Brendan Eich raised some money. I was worried the Brave team were going to run out of development funds. The crypto market is full of scammers + incompetents. When someone with a good rep, like Brendan, comes along, trust and money will flow to them. I hope BATs stay stable.

Avalon's monthly Brave payouts may increase after the ICO. I wouldn't be surprised if you collected 100 USD per month in 1-2 years' time.

Paul, did you sign up through the publishers portal? How long did it take?

Paul
3rd June 2017, 08:33
I don't recall how long it took ... but I was an "early adopter", so likely it's changed some since then anyway. It was some variant of "Know Your Customer" (KYC), which has you sharing such things as your last tax return.

I had not noticed that they had done an ICO ... good news ... thanks.

Daozen
4th June 2017, 22:37
Don't thank me, thank Sam Hunter. It's the best news I heard in a long while. Amazing how a team of 5-10 coders can generate 30 million dollars of value with a year's work. Hopefully the sign-up flow for Brave is easier now.