Mathwiz

BTW, I do think PayPal is going a bit overboard here. Think about it: you (eventually) have to provide a correct user ID and password, then pass the 2FA challenge - so what's the point of a captcha? To make sure that, if anyone hacks into your account, at least it's a human? "Oh, thank goodness! All my money was stolen by a real person, and not a bot! What a relief!" And in my case, the captcha came up first, so all a hacker would have to do is solve the captcha and then turn on the bot! To be fair, perhaps the captcha comes up again after each unsuccessful login attempt, so that wouldn't work. But if so, you still don't need a captcha on the first login attempt! And it's not even one of Google's reCaptchas. If it were, I'd just guess that PayPal was getting paid by Google to put the reCaptcha up and help Google train their AI. I think some of these sites think that the more "security-adjacent" hurdles they throw in your path, the more "secure" they are - or at least, the more secure you'll think they are (security theater) - when in fact all it does is make them more inconvenient to use.

On this PayPal thing, I think everyone is making a lot of unwarranted assumptions here. First, I don't think the captcha is the same thing as the security challenge. From your description, it sounds to me like the captcha works, but then, PayPal tries to load the "security challenge," which fails. Second, I don't think either of those things has anything to do with the 2FA method you choose. In my case, the captcha is the very first thing to come up. Then comes the "security challenge," which, for me, fails on the latest St 55 (even with a clean profile). I never even get to a login screen, so PayPal doesn't even know for sure who I am or what my preferred 2FA method is. It just fails to load the security challenge. That's all that happens. Other people may get these things in a different order. I'm just pointing out that in my case, I can't possibly be getting the security challenge because PayPal thinks I chose an inferior 2FA method. I don't think anyone else is either. If PayPal thought that poorly of email 2FA, they wouldn't offer it in the first place. (BTW, there are ways to hack SMS 2FA too, such as by malware on the phone that forwards the 2FA text to the attacker. And the security of an email account can be anywhere from poor to very good, depending on everything from how good your password is, to whether you also have 2FA on your email account!) Keep in mind there could be other things blocking the security challenge besides the browser or browser add-ons, such as a hosts file, PiHole on the network, etc. So to be sure, you may need to try a more modern browser. In my case, I can log in successfully using r3dfox (Win 7+ only; if you're on XP, try Supermium instead), so I know in my case it's an issue with St 55 (at least, the latest version). And the captcha is still the very first thing to come up, before it even asks for my ID.

Thanks, both of you. As I don't use Supermium myself, I'd forgotten that it isn't "unGoogled" and, therefore, Google Sync is available to back up one's passwords with a somewhat reasonable level of security.

The discussion of "whether one should" use Supermium's password manager is sort of irrelevant to @kwisomialbert's question anyway. He "does" want to use it but it's not working for him. So, is password manager broken in the latest version? (I don't have Supermium myself so I can't check.) As for losing your passwords if the HDD crashes, I know; make regular backups, yada yada. But again, the computer is supposed to do some of the work for you, and storage isn't that expensive. So why doesn't the password manager make multiple copies of your passwords, ideally on different drives if you have them? For that matter, why isn't mirroring/RAID more common in PCs today, so if an HDD fails, you just replace it and let the PC take care of rebuilding everything? Two or even three 2.5" drives don't cost that much or take up much space.

Unfortunately the Thorium author has not released a new version of Thorium since v.122. But for a user agent to make Thorium "look" newer, you could try adding --user-agent="Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/132.0.5047.196 Chrome/132.0.5047.196 Safari/537.36" ... to the end of the command in your Thorium shortcut. Any Web server looking at that will think you're using Chrome 132 on Ubuntu Linux. That may get you past "please update your browser" pages or nags at some sites.

I no longer bother to determine Chase's minimum browser version, as there's very little point, once I find an SSUAO that works. But I used to. It never seemed to make any sense though. It would be just some random version or other that was "somewhat" older than the then-current ESR version for Firefox or Chrome. I always wondered if they chose minimum versions that had patched some specific security flaw they were worried about, but who knows? Still, the currently supported version should always work, at least as long as you remove the "R3dfox" bit, or any other clues that you aren't using genuine Firefox / Chrome.

This page explains what some of the "referer" prefs do: https://notepad.patheticcockroach.com/4256/tweaking-referer-settings-in-firefox-and-tor-browser/

And another surprise. I set referer.trimmingPolicy to 2 on my work PC, then went to do the same thing on my home PC - and my home PC was already set to 2! Where did that come from? Turns out it's in the "UOC Patch" - a set of preferences intended to improve performance, developed by @looking4awayout long ago. Since this particular setting has little to do with performance, I assume he set it for privacy reasons, and it found its way into his UOC Patch by accident. Apparently he was ahead of his time, since it's now the default setting in newer FF versions.

Fascinating. The setting was always there (since FF 28 or so); Mo just changed the default.

The "Phishing URL Blocklist" broke AVSForum.com today. I don't know why but suddenly it's blocking all CSS URLs with an ampersand (&), which made a complete mess of AVSForum.com. Weird. Turned it off in the UBO Legacy dashboard and AVSForum is good again.

The change to browser behavior makes some sense: The Referer header was always an information leak, so the change improves privacy when following links (the target doesn't know where you came from). But if you're right, CloudFlare is abusing that change to block older browsers. Hopefully either MCP or @roytam1 can develop a fix soon.

We seem to have drifted off topic a bit here. IIRC, the thread was originally about Micro$oft Copilot invading our privacy on PCs running Windows 11. I haven't even tried to use Copilot for anything, but for those of us forced to use Windows 11 at work, is there any way to avoid or block this BS?

I still use WMC, even in 2025, with EPG123: Of course I've been using it for a really long time, like ten years. I don't know how hard it would be to set it up again from scratch. I agree that it's a shame Microsoft abandoned this software. It was included in Windows 8, but you had to buy a key for $10 from Microsoft to unlock it, and there were no improvements between WMC 7 and WMC 8. Windows 10 abandoned it completely, although there are unofficial hacks to get it working on Windows 10. (Don't know for sure but they probably work on Windows 11 too.) As for tuners, I would probably go with a used SiliconDust HDHomeRun. That plugs into your home network, so you aren't locked into using it with just your PC, if you decide WMC isn't the solution for you. You would need the correct HDHR version for your country, since TV standards differ across the globe.

Interesting find. Can you narrow down the version that broke rt.com? There are only three versions in between. Also send a screen shot of the crash notification, so folks have some idea where the breakage is. And last but not least, if possible try rt.com on the latest official Basilisk (requires Win 7 so you may have to borrow a PC). Of course official releases are somewhat behind these test releases, so it may work there; but if it doesn't you can report it to @basilisk-dev and help more users.

We need a "benign exploit" page (a page that triggers the bug but doesn't do anything harmful) to test for this vulnerability. We had one for the WebP vulnerability.