LinkedIn is scanning browser extensions

(404privacy.com)

434 points | by un-nf 5 days ago

39 comments

  • ChrisArchitect
    5 days ago
    • traderj0e
      5 days ago
      It's a different primary source though
      • 1vuio0pswjnm7
        4 days ago
        It's not clear to me what "[dupe]" means on HN anymore

        It is being used, e.g., by this commenter, where the URLs and the target page content for each submission differ

        Moreover, HN allows duplicate submissions under some circumstances, where the URLs are exactly the same. If the submissions are relatively far apart in time sometimes the moderator or a commenter will reply with "Previous discussion". More recently, a "past" link was added. Many times however the duplicate submissions are close together in time and there are no comments

        Perhaps "[dupe]" as used here means "duplicate topic". But that seems like a pointless label as there are multiple submissions about the same topic every week on HN

        As someone who archives all active HN story URLs, titles, etc. in an SQL database daily, I can locate duplicate submissions very quickly. Most do not have any indication of "[dupe]" in the title or comments

        • ChrisArchitect
          4 days ago
          Dupe isn't about the url (except when it obviously is), it's about the duplicate discussion. Just flipping through most of this thread here it's all the repeated comments and points from the rather large thread on the source from earlier in the month. In this url's case it was written the same week as the source, maybe it brings a bit more analysis to the topic, but it's from then. It's not fresh. If it had been shared then it probably would have been merged into the main discussion (or could have been shared there at the time).

          Not pointless at all, keeps things fresh and rolling. Stops some of us having to see the same topic over and over, and directs those who missed things to where the main discussion happened or is still happening. Stuff moves pretty fast around here.

          You might see multiple submissions (a regular offender of submitting a ton of duplicates yourself) but they don't go anywhere, don't make it to front page or eyeball traction (say >20 upvotes). Most don't need specific dupe flagging because there's no discussion forming. Sharing the link helps casual readers find the discussion. And directs the recognition and attention to the original posters and story especially when stories are barely hours old.

          As if you haven't been around here for awhile enough to be clearer on this. Striving to keep the feed fresh and discussion together helps us all, you could do better to contribute that way.

        • 1vuio0pswjnm7
          2 days ago
          There is more to HN than just discussion. It's been called a "news aggregator" but it could be different things to different people

          I prefer to read the submitted stories ("news") more than the replies, if any. I enjoy reading multiple stories on the same topic as they may include different presentation of the facts and sometimes different perspectives. Not to mention there are sometimes technical differences in news websites, e.g., some news websites suck more than others. Before the internet, I would read several newspapers each day. I would intentionally read multiple news reports of the same story

          Others may prefer HN _discussion_, which only occurs on a minority of stories

          NB. Most HN users do not submit replies and engage in discussion. They are readers and/or voters only

          A small number of HN commenters, or maybe the moderators, might try to preempt or redirect potential discussion, or otherwise manipulate it to meet their preferences or goals

          C'est la vie. Have at it

          But I think "dupe" means duplicate. As in duplicate URLs. Others seem to agree. I appreciate the clarification

          Using that term to refer to something else related to _potential discussion_ is subjective and inaccurate, maybe even deceptive, an attempt to "dupe" the reader, pun intended

        • traderj0e
          4 days ago
          Dupe means duplicate, but that's normally if both links point to the same article or both articles are secondaries pointing to the same primary article
      • gnabgib
        5 days ago
        This is the same source - 404 story lists browsergate.eu (linked by Chris) as the original source
        • un-nf
          4 days ago
          Yeah, the source I used is browsergate.eu. I do a lot of developing in the dev tools (browser fingerprinting protection tool on the same site) and so I was looking at the dev tools for LinkedIn and saw the extension enumeration a few weeks ago. I didn't realize that's what was going on, but there was a repository from a few years ago that started tracking this. There's a HN link somewhere... nefariouslinkedin I think it was called.

          Then, I saw the browsergate story drop on mastodon and thought "no way," lo-and-behold, there's a lawsuit in the works for it.

          I found the audit to be a bit dense and hard to read, this is a response to that. I

        • un-nf
          4 days ago
          I did do my own independent audit, though. Sorry, I just checked back today and was not expecting this to get the traction it did.
          • traderj0e
            4 days ago
            That's what I mean, this article has its own audit, it's not a dupe of the other
    • Cider9986
      5 days ago
      28 days ago, 1897 points, 812 comments
  • nokya
    5 days ago
    "What is not a question is that a criminal investigation is now open." Good. These companies deserve each and every stone thrown at them, and much more.
    • fuzzfactor
      4 days ago
      What's really needed is to find out whose idea this was to begin with.

      Some truly straight-shooters should be pointing the finger very accurately to where all this is coming from.

      Anybody who has a team committed to non-below-average websites should be able to screen applicants against a roster of known enshittifiers.

      It may be too late to nip it in the bud, but there's no reason to allow these individuals to continue unabated, much less keep growing so annoyingly.

      What's wrong with some people anyway?

      • un-nf
        4 days ago
        This is unfortunately common practice on the internet.

        Browser fingerprinting is the new norm. LinkedIn just didn't disclose it in their privacy policy. They do mention canvas fingerprinting and collecting other signals, but not specifically this extension enumeration stuff.

        But fingerprinting is used to track people even without cookies. Take a look at this for some further reading: https://404privacy.com/blog/browser-fingerprinting-is-the-ad...

  • ro_bit
    5 days ago
    Why is my Chrome telling random websites which extensions I have installed?
    • kimos
      5 days ago
      It isn’t exactly. They created a list of known extensions by their id and a file which is known to exist in that extension. The site iterates over each pair and tries to load that file, if it doesn’t error it knows the extension is installed. It’s a clever and difficult manual process, but it does bypass the security trying to prevent this kind of thing.

      I read that their reasoning is it exists to block users that use known scraper extensions which bypass their terms of use. But don’t entirely buy that.

      • FridgeSeal
        5 days ago
        So the follow-up question is: why is a random website allowed to try and load arbitrary files?
        • stingraycharles
          5 days ago
          This is how I interpreted the original question and indeed it makes no sense, JavaScript from a website should not be allowed to interact with extensions like this.
          • flomo
            5 days ago
            It's actually the extension injecting itself into the webpage, often to interact with it. (I imagine much of this is just looking for global ExtensionName objects.)
            • angoragoats
              5 days ago
              Actually, the article is clear about what is happening technically, and it’s both. Chrome does, in fact, allow the page to make requests for resources stored in the extension bundle, and this is one of the two fingerprinting methods that the article describes.
          • encom
            5 days ago
            >JavaScript from a website should not be allowed

            Agreed 100%.

            • un-nf
              4 days ago
              I agree, and this is why I built 404. If you poke around the page a bit, you'll see a tool that prevents browser fingerprinting.

              404 catches JS calls in JS proxies and returns mocked-up values (assigned by a profile), it also has protections against TLS fingerprinting, canvas fingerprinting, device enumeration, TCP/IP fingerprinting, HTTP header fingerprinting, and more.

              The predatory practices that browser fingerprinting has enabled guised behind "fraud protection" are atrocious. Even with a VPN, even in incognito mode, a website can track me and see what I've been doing EVEN IF IT'S NOT ON THEIR SITE.

              Then a data broker buys all this data and uses an AI model to put it all into a pretty little package and sell it to Google, or the gov't, or something. It's scary.

        • mschuster91
          5 days ago
          Because extensions can and often do contain stuff like images or JS bundles that they inject into a target page's DOM. Not allowing a tab's context to load files from the chrome-extension:// namespace would break a lot of things.
          • unglaublich
            4 days ago
            True, but you'd expect the same CORS rules to apply for extensions. Only pages originating from an extension are by default able to load resources from said extension.
        • sigmoid10
          5 days ago
          Chrome exposes these files via a URL that you can fetch in javascript like you would any other file on a normal website. These local extension files usually contain code, styles or images that your browser needs to run the extensions.
          • pbhjpbhj
            5 days ago
            Why is it not a CORS violation?

            The browser needing access and a random website having access are quite different. Seems like a big ol' pile of vulns waiting to happen.

            • sigmoid10
              4 days ago
              CORS is a server setting to tell the browser not to load its data from potentially unsafe origins. If you set a server to send access-control-allow-origin: *, then your browser will happily load these resources for you regardless of where you currently are. And chrome extensions need to be loadable from everywhere to be able to inject code or images into pages, so enabling CORS for them would defeat their main purpose. The extensions themselves might even need to bypass an existing CORS setup for the website you are currently on to fetch additional data.
              • pbhjpbhj
                4 days ago
                From the other end, yes extensions access all page data, but pages shouldn't access extension data at all; it feels like that should be the CORS violation.
                • sigmoid10
                  4 days ago
                  You have it backwards. For an extension to work on a page, its data/code needs to be accessible from said page. If your extension server in chrome enforced CORS to prevent access from tabs on other websites, extensions wouldn't work anywhere.
      • nulltrace
        5 days ago
        Firefox at least randomizes extension IDs per install. Chrome hands all of that to extension devs, basically a "your problem now".
      • un-nf
        4 days ago
        If that were the case, the list wouldn't have extensions that relate to a user's religion, income, demographics, and more.
      • emporas
        5 days ago
        Is the same scan happening on Firefox? Random websites invoking extensions do seem to be a security hole to me.
        • dminik
          5 days ago
          This was posted before and it seems that Firefox randomizes the extension URLs.
    • pyrophane
      5 days ago
      Here's the relevant bit from the original source:

      "Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.

      LinkedIn tests every extension in the list this way."
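
The exposure described in the passage quoted above can be checked from the user's side. This added example (not code from the thread, the article or browsergate.eu) audits parsed manifest.json objects and lists which extensions a page at a given origin could detect at a fixed chrome-extension://{id}/{file} URL; the sample manifests, placeholder IDs and function names are constructed for illustration.

```javascript
// Added example: audit parsed manifest.json objects for resources that a web
// page could request at a fixed chrome-extension://{id}/{file} URL.
// Function names, IDs and manifests are constructed for illustration.

// Does a Chrome match pattern (scheme and host part only) cover the page origin?
// Patterns with ports or non-web schemes are treated as "no match" here.
function patternCoversOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\/.*$/.exec(pattern);
  if (!m) return false;
  const [, scheme, host] = m;
  const url = new URL(origin);
  const pageScheme = url.protocol.slice(0, -1); // "https:" -> "https"
  if (pageScheme !== "http" && pageScheme !== "https") return false;
  if (scheme !== "*" && scheme !== pageScheme) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === host;
}

// Returns one finding per web_accessible_resources entry visible to pageOrigin.
// exposure is "fixed-url" (stable extension ID in the URL) or "dynamic-url"
// (Manifest V3 use_dynamic_url: the ID in the URL changes per session).
function auditManifest(manifest, pageOrigin) {
  const entries = manifest.web_accessible_resources || [];
  const findings = [];
  if (manifest.manifest_version === 2) {
    // Manifest V2: a flat list of paths, readable by every web page.
    if (entries.length > 0) {
      findings.push({ resources: entries, exposure: "fixed-url" });
    }
    return findings;
  }
  for (const entry of entries) {
    const matches = entry.matches || [];
    if (!matches.some((p) => patternCoversOrigin(p, pageOrigin))) continue;
    findings.push({
      resources: entry.resources || [],
      exposure: entry.use_dynamic_url ? "dynamic-url" : "fixed-url",
    });
  }
  return findings;
}

// IDs of extensions whose presence pageOrigin could infer from a fixed URL.
function probeableExtensions(manifests, pageOrigin) {
  return Object.entries(manifests)
    .filter(([, m]) =>
      auditManifest(m, pageOrigin).some((f) => f.exposure === "fixed-url"))
    .map(([id]) => id)
    .sort();
}

// Constructed sample input, keyed by placeholder extension IDs.
const SAMPLE_MANIFESTS = {
  "placeholder-id-mv2": {
    manifest_version: 2,
    web_accessible_resources: ["img/icon.png"],
  },
  "placeholder-id-all-urls": {
    manifest_version: 3,
    web_accessible_resources: [
      { resources: ["inject.js"], matches: ["<all_urls>"] },
    ],
  },
  "placeholder-id-scoped": {
    manifest_version: 3,
    web_accessible_resources: [
      { resources: ["panel.html"], matches: ["https://*.example.org/*"] },
    ],
  },
  "placeholder-id-dynamic": {
    manifest_version: 3,
    web_accessible_resources: [
      { resources: ["ui.css"], matches: ["*://*/*"], use_dynamic_url: true },
    ],
  },
  "placeholder-id-none": { manifest_version: 3 },
};

console.log(probeableExtensions(SAMPLE_MANIFESTS, "https://www.linkedin.com"));
```

To audit a real profile, parse each installed extension's manifest.json and pass the objects in keyed by extension ID.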

    • sethops1
      5 days ago
      Can ask the same question about so many horrible security blunders web browsers have made over the decades.
      • 2ndorderthought
        5 days ago
        They are only blunders if they aren't being used as features by someone
    • hbn
      5 days ago
      Is that information available to websites? I figured they were doing some kind of novel hackery to self-detect extensions based on behaviour that would only happen if X extension was installed.

      But that would be a lot of work for 6,300 extensions. Unless someone offers that as a service?

    • AndroTux
      5 days ago
      Brave explicitly blocks this
      • pnw
        5 days ago
        Last time this was discussed the consensus was Brave does not block it. Brave's fingerprinting protection does not include extensions.

        https://news.ycombinator.com/item?id=46904361

        • AndroTux
          4 days ago
          Well, just because LinkedIn still tries to send the requests on Brave doesn't mean the blocking doesn't work. The question is whether any request will give a valid response.

          That said, I can't find conclusive info on whether this is blocked exactly. Brave does block "plugins" (which is why I assumed this includes this specific kind of fingerprinting), and the getExtension() call (which is probably unrelated), according to this page: https://brave.com/privacy-updates/4-fingerprinting-defenses-...

          But since they don't explicitly mention the chrome-extension URL, you might be right.

    • estimator7292
      5 days ago
      So that websites can track and identify you "for improved personalized advertising" in exactly this way.

      Browser fingerprinting is massively valuable to Google's surveillance/advertising apparatus. This is all working exactly as intended.

    • gib444
      5 days ago
      Chrome is a browser produced by an advertising company. Its reason for existence is to track you.
      • lucb1e
        5 days ago
        Not that I disagree but Google's tracking motivation in making the browser seems irrelevant to why it lets competitors do this fingerprinting
        • wetpaws
          5 days ago
          [dead]
        • gdulli
          5 days ago
          They want fingerprinting to work for everyone because the more effective it is, the higher the value of the ad inventory they sell.
      • ranger_danger
        4 days ago
        > Its reason for existence is to track you.

        Source:

    • p_stuart82
      5 days ago
      because Chrome lets sites probe "installed", and LinkedIn turns that into telemetry.
    • actionfromafar
      5 days ago
      Chrome always makes tracking easier. It’s their blind spot, because google.
  • 3dsnano
    5 days ago
    friends, WHEN you are asked to implement something like this at your job, which will you choose: object (& hold ground, lose job) OR comply (& keep job)

    as practitioners, where do we hold the line between telemetry and surveillance?

    • frogperson
      5 days ago
      I choose not to work at places like LinkedIn, Meta, or any place that accepts Saudi or Israeli funding. It makes it a little harder to find a job, but I sleep better at night.
      • aryonoco
        5 days ago
        For similar reasons, I have been working in the public sector (Australian state government) for the past 5 years and couldn’t be happier.

        I’m lucky that I’m in a team which is hands on and does a lot of very interesting things. From building CRUD apps which are used in management and response to bushfires (wildfires) to more interesting things like building a datalake which amalgamates and stores weather data from multiple sources to building near real time CDC pipelines and making our transactional data available to our in house team of data scientists who then use that data to do fascinating stuff that eventually results in for example making sure that our response to bushfires takes into account the impact and safety of endangered species.

        And when I look at the underlying data and the trends and projections of just how bad bushfires are going to get in the next 30 years and how we must be so much nimbler and smarter just to survive, the work takes on a whole new level of meaning.

        Don’t get me wrong, there are times the internal bureaucracy absolutely drives me mad. And I am aware that I could be earning much more in the private sector. But I get to work with a team who are really passionate and enthusiastic about their job, and I get to sleep at night knowing that unlike my previous jobs, this time I am not just making someone who is already uber rich, richer.

        If you had told the teenage Utilitarian me that I would one day work for, and enjoy working for, government, I would have thought hell must have frozen over.

        • KetoManx64
          3 days ago
          > and I get to sleep at night knowing that unlike my previous jobs, this time I am not just making someone who is already uber rich, richer.

          You can provide value in the free market, or you can work in a public sector where the people paying your salary have no choice but pay their taxes to cover your salary or risk going to prison.

      • matof
        1 day ago
        Agree, having a strong moral compass is a must have yet becoming more and more important. Very easy to say, incredibly hard to execute when the offer is big enough...
      • HerbManic
        5 days ago
        In years to come you will be so thankful that you took that path.

        As they say, better to be a poor master than a rich slave.

      • vehemenz
        5 days ago
        I wouldn’t lump Israel in, but good for you.
        • bravetraveler
          5 days ago
          I got you covered, boo. I will! For sport.

          Anyway, for those in this situation, some anecdotes. I've outright refused to do questionable things and kept my job. I've also played incompetent so the sharks look elsewhere. Point being... options exist, don't negotiate [only] with yourself.

          Would be remiss if I missed the opportunity to quote Louis Rossman: "don't accept the premise of assholes"

        • KoftaBob
          5 days ago
          There have been several spywares developed in Israel and that have been used by them and other governments against civilians, below are just a few examples. Why wouldn't you lump Israel in?

          https://en.wikipedia.org/wiki/Pegasus_(spyware)

          https://en.wikipedia.org/wiki/Paragon_Solutions

          https://en.wikipedia.org/wiki/Cytrox#Predator

          • vehemenz
            4 days ago
            If your criterion holds for spyware merely developed in a state, then that commits you to not working in the US or UK as well. Something to think about.

            Putting that aside, my moral positions about Israel are rooted in the righteousness of the Jews' cause and their historical struggle. My personal self-righteousness is inadequate in comparison.

          • traderj0e
            5 days ago
            It's just that I'm an American, so I don't want to work for Israel. If we're making cyberwarfare tools for the US, sure.
    • zulban
      5 days ago
      There's a third choice. Say you'll do it but do it poorly, or drag your feet forever. Hard to prove you intentionally did a bad job.

      If that's the game you're playing tho, maybe time to find another job too ;)

    • ulimn
      5 days ago
      I think it's also an option to anonymously tell the world what will happen. That way you keep your job and still people are at least aware. Unless you are one of like 3 people who know about it and they would immediately know it was you.
    • lucb1e
      5 days ago
      I wonder the same. Maybe it's made by people who feel like they wouldn't easily find another job and need the job for healthcare or financial reasons (living paycheck to paycheck)? And it's ordered by managers in similar situations, whose managers want to see increased revenue and don't care how? Somewhere in the chain it feels like there should be someone who says 'wtf are we doing'. It's strange

      To answer your question though: I'd object of course, I'm very lucky to be well enough off that I can currently make that choice without serious repercussions. Do you think someone would come out on HN and say "oh sure yeah I have no morals!", at least without it being a throwaway where you'd have no idea if it's real?

    • traderj0e
      5 days ago
      Honestly I would implement this. Chrome's fault for telling every website what extensions are installed. User isn't harmed anyway.
      • 0cf8612b2e1e
        5 days ago
        How do you feel about burglars exploiting bad locks? Known flaw, so the owner had it coming? Insurance will make them right in the end?
        • traderj0e
          5 days ago
          Nobody is getting burgled here
      • 3dsnano
        5 days ago
        cool perspective++
  • pyrophane
    5 days ago
    Here's the most relevant section I could find from the original source:

    "Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.

    LinkedIn tests every extension in the list this way."

    • golem14
      4 days ago
      Hmm, can one fake-install extensions that randomly return yes/no to those queries? It's pretty clear which files LinkedIn (and other sites doing the fingerprinting) is testing, one can observe it as the OP author points out.

      It should also be interesting to see which other sites test those very same files, has anybody looked yet?

    • thayne
      5 days ago
      It seems like it shouldn't let code originating from the site (as opposed to from the extension) access that.
      • fractaled
        5 days ago
        I'm not sure you'd need to directly fetch to determine if they resolve. One could probably inject an img tag and see if it resolves.
  • StilesCrisis
    5 days ago
    Is this a hallucination? I can't find this quote anywhere else.

    > According to browsergate, Milinda Lakkam confirmed this under oath, saying, "LinkedIn took action against users who had specific extensions installed."

    • GrinningFool
      5 days ago
      Huh, kind of. That's not the actual quote. Note I haven't followed the chain further back than this:

      https://browsergate.eu/the-evidence-pack/

          LinkedIn’s systems “may have taken action against LinkedIn users that happen to have [XXXXXX] installed.”
      
      
      Edit: nice! I just noticed indent-formatted text is now wrapping on mobile browsers. (Or at least ffm.) I wonder how long that's been fixed...
      • Lerc
        5 days ago
        Saying 'I may have taken a shower' instead of 'I took a shower' makes my wife use her disapproving look.
        • GrinningFool
          5 days ago
          True - also when you put something in quotes I think it should be a quote.
  • lemax
    5 days ago
    This is fairly standard practice for device fingerprinting. LI is probably using this to protect its platform from scraping etc, and extension lists have sufficient enough entropy to help identify users and form a useful component of a fingerprint.
    • ghm2180
      5 days ago
      It's already pretty easy to oneshot an extension aiding scraping and LI can do nothing about it. I've seen people build and install a local chrome extension in a couple of days and have an AI inject itself into devtools and scrape pretty much any website. And that was a few months ago. I don't think there is an easy way to defend against such things anymore. It's a matter of time that defensive programming measures like this become useless.
  • maelito
    5 days ago
    Well, I deleted my Linkedin account and life is better now.
    • booi
      5 days ago
      That's big talk coming from someone who currently has a job. Getting a job without a LinkedIn account isn't that straightforward.
      • maelito
        1 day ago
        I don't have a job. But yes, 80 % of people or more have a job. Please talk about their presence on LinkedIn and how they force others to stay.
      • Tor3
        4 days ago
        None of our new hires the last few years had anything to do with LinkedIn though. As for myself, I deleted my account around the time when it started to try to look like a Facebook feed.
      • traderj0e
        5 days ago
        I get why people without jobs need a LinkedIn, but I don't get why they post there constantly. Like reposting stuff, writing random thoughts, posting rocket ship emojis, has anyone ever gotten a job that way?
        • Eji1700
          5 days ago
          I've heard it makes you more visible on things like search results. LinkedIn, of course, is trying to encourage interaction on their site so sounds believable that they'd do that, but I've been lucky enough to not need to care.
          • traderj0e
            5 days ago
            That makes sense. I'm curious if it's proven though. Guess I'm lucky to have a job and credentials, recruiters are contacting me despite 0 public LinkedIn activity.
  • gusfoo
    4 days ago
    In fairness, their privacy policy DOES explicitly say that they collect this information. See https://www.linkedin.com/legal/privacy-policy?ref=cms.hondas...

    > 1.5 Your Device and Location

    > We receive data through cookies and similar technologies

    > When you visit or leave our Services (including some plugins and our cookies or similar technology on the sites of others), we receive the URL of both the site you came from and the one you go to and the time of your visit. We also get information about your network and device (e.g., IP address, proxy server, operating system, web browser and add-ons, device identifier and features, cookie IDs and/or ISP, or your mobile carrier). If you use our Services from a mobile device, that device will send us data about your location based on your phone settings. We will ask you to opt-in before we use GPS or other tools to identify your precise location.

    "including some plugins" being the relevant bit.

    • soraminazuki
      4 days ago
      That's them worming themselves out of legal responsibility and makes them look even worse.
  • Aurornis
    5 days ago
    This is a re-posted article from the author's Substack that does a pretty bad job of explaining the situation. The second link in the article is supposed to take you to a "GitHub repository tracking the extension list" but it goes to a GitHub page for a plugin that hasn't been updated in 9 years.

    It has a lot of hallmarks of LLM writings ("It's not this, it's that" and feeling like a lot of empty words rehydrated from an outline) while missing the real updates in the story like the German affidavit filed by a LinkedIn engineer who worked on these tools.

    A key piece of information that this article omits is that the list of extensions being scanned for doesn't include anything you'd recognize or anything you'd even think to install. It's full of data extraction tools, scrapers, AI spam and recruiting tools (remember all those automated spammy LinkedIn messages you got?), and plugins masquerading as simple things that have been pulled from the extension store for violations.

    A lot of articles have been trying hard to distract from this fact by highlighting that the list of extensions includes things like a plugin designed to simplify web pages for neurodivergent users or an "anti-Zionist political tagger" to imply that they're trying to do fingerprinting based on those attributes, but they neglect to mention that those plugins were pulled from the extension store most likely because they were data exfiltrators dressed up as simple plugins to get people to install them.

    An updated list is available here: https://browsergate.eu/extensions/

    But read that site carefully and actually try to click the links. In this section they're trying to direct your attention away from all of the AI spam and data extraction tools with this section:

    > The scan doesn’t just look for LinkedIn-related tools. It identifies whether you use an Islamic content filter (PordaAI — “Blur Haram objects, real-time AI for Islamic values”), whether you’ve installed an anti-Zionist political tagger (Anti-Zionist Tag), or a tool designed for neurodivergent users (simplify).

    But click the links. They've all been pulled from the store. Extensions like that are often bait to get people to install scrapers that will use your computer and LinkedIn login to extract data and send it back to their servers.

    So regardless of where you stand on probing for the presence of these scammy extensions, you should at least understand the facts rather than the story that companies like this are trying to sell you to drive traffic to their product.

    I suggest cutting through the ragebait journalism and reading more directly from a recent source, like this affidavit filed in Germany by a LinkedIn engineer familiar with the project: https://browsergate.eu/downloads/Lakam-affidavit-redacted.pd...

    • un-nf
      4 days ago
      Aurornis, I appreciate your comment and want to step in to defend myself.

      The LLM writing style is simply not true. I am a high-school English teacher and if my students caught me using AI to do my writing, they'd rip me to pieces.

      I included the GH link as a source of proof. While I did read the browsergate piece and ended up publishing my article as a result of it, I noticed this was happening months ago because I am a developer myself and saw this very strange behavior in the LinkedIn dev console. The nature of my work is that I spend many hours sometimes staring at the dev tools to debug my JS injection, CSP rewriting, and header modification that 404 does.

      Is 404 a tool to stop this? Yes. But that's the point. The reason why this type of thing is allowed to happen, browser fingerprinting, is because the public is unaware of it, so trying to educate the public is a part of my outreach. There are almost no tools on the market that allow for browser fingerprinting protection. Mullvad and Tor are close options, but they're often met with their own levels of scrutiny just for using their tools. For example, my school blocks the Tor network from being accessed altogether. Some websites can block the Tor fingerprint.

      The original source is more technical, of course, but I was also in communication with the Browsergate team and continue to be, so this is not a one-off journalist just trying to peddle his project. This has been my life for the last 2 years and I don't appreciate you discounting the work that privacy advocates do by splitting hairs and mincing my words.

      While it may not be things I would think to install, maybe they're not extensions someone with certain affiliations would think to install.

    • tadfisher
      5 days ago
      > But click the links. They've all been pulled from the store.

      I did that with the first five extensions in the list; only one was removed from the store. So you should qualify this statement.

      Maybe they are all scammy extensions, and maybe this is a weird LLM-driven astroturfing campaign, but let's try to at least root our arguments in a shared reality.

      • ziml77
        5 days ago
        You're misunderstanding what that's in reference to. It's not about all of the extensions in the list being removed. It's about the 3 that are specifically called out in the text above the list to scare people into thinking they're being profiled for things that could put them in danger.

        All 3 of those have been removed.

  • stevenicr
    5 days ago
    and,

    recently while trying to decipher why computer was at 98% memory and 65% cpu

    one of the culprits is https://li.protechts.net taking 2GB ram and 8% cpu.

    DDG searches say this is something for linkedin. - I had two tabs for linkedin open but left behind as I opened other tabs to research.

    So I had not reopened these tabs in over 9 hours and they are still just humming along sucking down almost 10% of cpu and a couple gigs of ram for what?

    This is firefox with ublock origin - quick searches saw malwarebytes browser guard considered it (protechts.net) malware for a bit and then took it off the list of things it blocked / warned about.

    Not sure this is related to the scan mentioned, but it may be related to the overall concerns about data and unknown usage of resources.

    I'm considering blocking this at the dns hosts level at this point.

    repost of my comment 28 days ago

    • tpurves
      5 days ago
      Thanks for flagging this, I was literally seeing the same thing with protechts.net in my activity tab this morning as I was trying to understand why firefox was aggressively draining my battery.
  • varenc
    5 days ago
    One trick to evade some of LinkedIn's detection:

    A big part of its detection relies on finding known extension resources at URLs of the form `chrome-extension://{extension_id}/{file}`

    An extension installed from the Chrome store has the same `extension_id` for every user. But, if you just extract the source for that extension, and then load it yourself, you'll get a NEW extension_id. Same extension with the same functionality, but its extension_id will be completely new so impossible for LinkedIn to query.

    Granted this won't evade the second type of detection LinkedIn employs, it'll help you evade quite a bit. I often clone extension source code anyway since it mostly protects me from malicious extension updates (by effectively disabling updates).
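
    The URL probing described in the comment above only reaches files an extension lists under `web_accessible_resources` in its manifest. As an added example (not part of the thread and not anyone's production code), this Node.js script audits manifests for that exposure; the function names are hypothetical and the sample manifests are constructed.

```javascript
// Added example (not from the thread): audit manifest.json contents to see which
// extensions a web page could probe at chrome-extension://{extension_id}/{file}.
// Function names are hypothetical; the sample manifests below are constructed.

// Match a Chrome match pattern against a page origin. Only scheme and host are
// compared, because for web_accessible_resources only the origin is used.
function patternMatchesOrigin(pattern, origin) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)\/.*$/.exec(pattern);
  if (!m) return false; // other schemes or malformed patterns: treat as no match
  const [, scheme, host] = m;
  const url = new URL(origin);
  const pageScheme = url.protocol.slice(0, -1);
  if (pageScheme !== "http" && pageScheme !== "https") return false;
  if (scheme !== "*" && scheme !== pageScheme) return false;
  if (host === "*") return true;
  if (host.startsWith("*.")) {
    const base = host.slice(2);
    return url.hostname === base || url.hostname.endsWith("." + base);
  }
  return url.hostname === host;
}

// Classify one parsed manifest for a given page origin:
//   "static-id"        - at least one file is fetchable at a fixed extension URL
//   "dynamic-url-only" - files are exposed, but only under a per-session ID
//   "not-probeable"    - nothing is exposed to that page
function auditManifest(manifest, pageOrigin) {
  const staticFiles = [];
  const dynamicFiles = [];
  for (const entry of manifest.web_accessible_resources || []) {
    if (typeof entry === "string") {
      // Manifest V2: a bare list of paths, fetchable by every web page.
      staticFiles.push(entry);
      continue;
    }
    // Manifest V3: only "matches" grants access to web pages;
    // "extension_ids" grants access to other extensions, not to pages.
    const reachable = (entry.matches || []).some((p) =>
      patternMatchesOrigin(p, pageOrigin)
    );
    if (!reachable) continue;
    const bucket = entry.use_dynamic_url === true ? dynamicFiles : staticFiles;
    bucket.push(...(entry.resources || []));
  }
  let exposure = "not-probeable";
  if (staticFiles.length > 0) exposure = "static-id";
  else if (dynamicFiles.length > 0) exposure = "dynamic-url-only";
  return { name: manifest.name, exposure, staticFiles, dynamicFiles };
}

function auditAll(manifests, pageOrigin) {
  return manifests.map((m) => auditManifest(m, pageOrigin));
}

// Constructed sample manifests, trimmed to the fields the audit reads.
const SAMPLE_MANIFESTS = [
  { name: "mv2-helper", manifest_version: 2,
    web_accessible_resources: ["img/icon.png", "inject.js"] },
  { name: "mv3-all-sites", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["ui/panel.html"], matches: ["<all_urls>"] }] },
  { name: "mv3-scoped", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["widget.css"], matches: ["https://*.example.org/*"] }] },
  { name: "mv3-dynamic", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["frame.html"], matches: ["*://*/*"], use_dynamic_url: true }] },
  { name: "mv3-ext-only", manifest_version: 3,
    web_accessible_resources: [
      { resources: ["api.js"], extension_ids: ["*"] }] },
  { name: "mv3-no-war", manifest_version: 3 },
];

for (const r of auditAll(SAMPLE_MANIFESTS, "https://www.linkedin.com")) {
  console.log(`${r.name}: ${r.exposure}`);
}
```

    This covers only the URL-probing channel; the second type of detection the comment mentions is outside what a manifest audit can show.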

  • claytonn
    5 days ago
    Just as invasive as Akamai bot manager on every other site you visit. Akamai is so jam packed they can likely identify you from the mouse movement data alone. The LinkedIn discourse feels forced, the problem is so much worse than what you're seeing here.
  • 1vuio0pswjnm7
    4 days ago
    "Then, I saw the browsergate story drop on mastodon and thought "no way," lo-and-behold, there's a lawsuit in the works for it." - un-nf

    Farrell v LinkedIn Corporation 4:26-cv-02953-KAW (N.D. Cal. Apr. 6, 2026)

    https://ia601503.us.archive.org/33/items/gov.uscourts.cand.4...

  • mkw5053
    5 days ago
    Interesting, so would Safari prevent this? I tried moving to Safari and honestly loved everything except I use my google accounts now for authenticating with too many services and that was a pain compared to chrome.
    • NoahZuniga
      5 days ago
      Even better! Moving to firefox fixes this.

      Chrome for some reason (still!) gives extensions static ids. Firefox has the id change per firefox instance.

    • bigethan
      5 days ago
      Seems to only happen in Chrome per the dev of Wipr (a great safari privacy extension) https://mas.to/@mipstian/116341745221356805
    • skeaker
      5 days ago
      I would imagine using any non-Chromium browser would cause it to fail to find any Chrome extensions, yes.
      • mkw5053
        5 days ago
        Sure, but Safari may or may not leak Safari extension signals in a similar fashion. I haven't actually investigated.
    • testfrequency
      5 days ago
      Well if you’re logged in to Google don’t you just SSO everywhere?
      • mkw5053
        5 days ago
        I honestly kind of forget the exact annoyances because it has been some time. I want to say I had to reauth every time I wanted to SSO with my google account because it doesn't allow/deletes third party cookies.
        • traderj0e
          5 days ago
          Yeah it's something like this. I have multiple Google accounts and am somehow always logged into the wrong one.
  • ifh-hn
    3 days ago
    So if you must use LinkedIn, the answer then is to use Firefox, and create a locked down profile with ublock origin installed with webrtc disabled in advanced mode and block everything by default. Then navigate to linkedin and only whitelist the minimum scripts needed to run the site.
  • namar0x0309
    5 days ago
    Aside from the gross privacy invasion it specifically looks for Muslim/Islamic related extensions.

    Having a lot of connections working at Microsoft and Western tech industry, I'm not surprised with the targeting of Muslims.

    • itake
      5 days ago
      Muslim/Islamic extremist recruiters used Adobe's Express platform for terrorist / extremist recruitment.

      No idea if LinkedIn has the same issue though.

  • rapnie
    5 days ago
    See also "LinkedIn is searching your browser extensions" (812 comments) https://news.ycombinator.com/item?id=47613981
  • jameson
    5 days ago
    Why does the browser even allow it?

    Runtime of extensions should be blackbox to a website IMO

  • dctoedt
    5 days ago
    Seems to do this in Microsoft Edge, too.*

    * I use Edge bcs of the vertical tabs — Safari's equivalent is a poor substitute. Firefox didn't seem to have vertical tabs last time I checked.

  • cynicalsecurity
    5 days ago
    But how is this supposed to help against scraping? This is ridiculously ineffective against scraping. Just pretend to have a standard set of extensions and you are good to go.
  • tim333
    4 days ago
    It's quite the resource hog too

    > tracks 6,278 extension

    I just tried it and in 7 mins it got to 800 errors so that's like 50 minutes to do them all, using ~5% of cpu.

  • thwarted
    5 days ago
    > Hundreds of job search extensions are in the scan list. LinkedIn knows which of its users are quietly looking for work before they've told their employer. … Extensions tied to political content, religious practice

    Why are these even extensions to begin with? A legit job finding service can be a website, no extension required. If they are nefarious extensions that fake ad clicks or mine cryptocurrency, that they are job search, or political, or religious in name/nature only serves to get rubes to install them. This entire ecosystem is goofed up.

  • echelon
    5 days ago
    Can someone here please create a LinkedIn replacement for developers that

    1. Doesn't have the spam

    2. That doesn't look like it's from 2008

    3. That only developers / engineers / tech folks can join

    4. Doesn't try to log into your email to steal your contact list

    5. That doesn't track you or your extensions / browser fingerprint

    6. That doesn't have a bunch of fake "linkedinmaxxing" garbage content

    7. that doesn't have marketers and recruiters, etc.

    8. ...

    • jszymborski
      5 days ago
      Just type about:blank in your browser, and you'll get what you're asking for ;)
      • SpyCoder77
        5 days ago
        This is not going unappreciated :)
    • traderj0e
      5 days ago
      I thought the whole point of LinkedIn was getting a job, but that would run afoul of #7. You can ignore the rest of the crap on their website.
      • slater
        5 days ago
        How ever did people get jobs before recruiters? /s
        • traderj0e
          5 days ago
          Well, how? Recruiters got me job offers when I graduated college. I had no connections otherwise.
          • ddoolin
            5 days ago
            Same way they do it now. Cold applying, word of mouth/referrals, networking events, etc. Personally my first industry job in like 2012 originated from a networking mixer that I showed up to after seeing a promotional online. My unpaid internship/mentorship before that was a word of mouth from my mom asking her friend's husband which I suppose might count as a connection.
          • nicoburns
            5 days ago
            You search for job advertisements, and then send in an application!
            • traderj0e
              5 days ago
              But that application goes to a recruiter. Guess if you mean the site shouldn't have recruiters doing the cold-calling, idk maybe, but then the game is in getting the recruiters to read your application. This is different from having connections.
              • angoragoats
                5 days ago
                I think OP was referring to applying direct with the company doing the hiring. This is how I landed my first several jobs in tech, no recruiters involved.
                • traderj0e
                  5 days ago
                  Gotcha. Ok the companies themselves reached out on LinkedIn to me. It wasn't those third-party recruiters like "I recruit for Tesla, Apple, Sigma, IBM..." I ignored those emails. But it was still a recruiter within the company, not a technical manager or IC.
            • mlmonkey
              5 days ago
              Back in the day, CACM used to have job listings at the back. There was always DE Shaw advertising. Sending in printed CVs and cover letters was the slow and painful way to do it.
        • gerdesj
          5 days ago
          If you write a decent covering letter and enclose a CV (resume) and get it to my desk, I might be inclined to be interested in you.

          That's how things used to be done. Recruiters did exist but you generally got off your arse and impressed a potential employer with a well laid out CV as an invitation to call to interview.

          Nowadays it appears that people want to circumvent all that complicated effort bollocks. You simply spray yourself across some social media wankery and let's face it LinkedIn is the supreme example of wankery and some grateful employer will pick you up.

          The next time you are considering buying a record player to engage with the past in some sort of misty eyed histrionics session, why not buy a pen and paper and write a letter and impress someone with your turn of phrase? Enclose a CV (resume) for maximum effect.

          ... "Nurse ... nurse ... my dried frog pills have started dancing on my eyeballs ... nurse ... "

        • b3ing
          5 days ago
          Cold applying by letters or just walking in and asking for an application

          Applying to jobs posted in the newspapers

        • pimeys
          5 days ago
          Getting a job across the border is easier with LinkedIn...
    • kevin_thibedeau
      5 days ago
      Stack Exchange sort of tried to do this. It never seemed to get off the ground.
    • recursivegirth
      5 days ago
      IRC has existed for decades.
      • yrcyrc
        5 days ago
        I met some of my girlfriends through irc :)
        • 867-5309
          5 days ago
          ..said no IRC user, ever
      • echelon
        5 days ago
        And it's a ghost town.
        • antiframe
          5 days ago
          I suppose that depends on where you go and what you expect. Older communities are better populated than younger ones. (Not age-wise but topic-wise).
          • lacunary
            5 days ago
            where's a good irc chat these days?
            • antiframe
              4 days ago
              It depends on the time of day, but #emacs, #nethack, #archlinux, #lobsters, #security, #openbsd usually have enough users for good convos. It depends on what you are into, really.
    • zeafoamrun
      5 days ago
      Seriously. We need some kind of federated replacement. Who is building this?
      • WJW
        5 days ago
        Be the change you want to see mate.
        • reg_dunlop
          5 days ago
          It's odd, yeah?

          We have the ability to vibe these things over a weekend, yet getting to the critical mass/tipping point of adoption is something else.

          Whatever happened to: if you build it, they will come?

          • HWR_14
            5 days ago
            It only took a weekend to build a social network pre-AI
          • jll29
            5 days ago
            If you want it to happen, we should talk requirements - what would you want from a LinkedIn NextGen?

            - A professional profile page

            - Contacts

            - Introductions/referrals

            - Ask my (sub-)network?

            Anything else?

            • bix6
              5 days ago
              A way for you to make money that isn’t ads / harvesting my data.

              Exportable format so I can leave if needed.

              • reg_dunlop
                5 days ago
                It's tough to generate revenue that isn't through ads.

                That said, if the users could organize into special interest groups and create a walled-garden with default no ads, and then gate-keep advertisers to a permitted white-list.

                I dunno, I'm just spit-ballin

              • eptcyka
                5 days ago
                You want the unemployed to pay? Or do you want the employers to pay? If you want the employers to pay, how do you attract enough attractive unemployed to your site?
                • traderj0e
                  5 days ago
                  Employers pay, unemployed will go where there are places to get jobs. But this assumes employers are unsatisfied with LinkedIn somehow. Are they?
                  • reg_dunlop
                    4 days ago
                    Well I guess we have a possible reason why LI is still relevant.

                    This suggests then that the relevance of any solution would need to appease the employers... yet here we are trying to build/design something for employees first.

                    • traderj0e
                      4 days ago
                      Right, the website being annoying doesn't really matter compared to the network quality.

                      One thing I've considered, what if there were a site where you could rep trusted people anonymously? Then employers (or buyers etc) can see if there's some path from themselves to the candidate, at least to know they aren't some total rando who could be a scammer. The thing is, it's hard to obfuscate the reps if you're answering those queries, and it all falls apart once someone can prove that they gave or received rep.

                      • reg_dunlop
                        3 days ago
                        I really like the anonymous angle. Suspending the unspoken reality of bias and profiling by employers, the point of job postings is to fill a skill void, I think. The idea of embellishing the recommendations seems like it would require some sort of validation of the recommendation giver...so yeah, eventually there needs to be some verifiability.
                        • traderj0e
                          1 day ago
                          There is one piece of non-anonymity, you know who you're repping. The system only cares if there's a path from you to the target, so there will never be a path from you to a bot unless a real person you indirectly know reps a bot. 1000 bots can rep each other and nobody will care.
          • conductr
            5 days ago
            Works for baseball fields, not websites
            • sds357
              5 days ago
              in movies, not RL
      • somat
        5 days ago
        It's called "The Web"
      • johnecheck
        5 days ago
        sifa.id aspires to that.

        Wishing Guido (gui.do) the best.

    • WD-42
      5 days ago
      I feel like Github became this in the last 10-15 years.
      • traderj0e
        5 days ago
        Yes. But now we need a replacement for what the old GitHub used to do.
        • HoldOnAMinute
          5 days ago
          You need a new type of corporation.

          Only a Public Benefit Corporation will get the software to a usable state and refuse enshittification

          • traderj0e
            5 days ago
            Well the challenge is also gatekeeping. Gotta keep non-technical people or intentions off of it for #3
    • skeeter2020
      5 days ago
      what exactly do you want this for? I think HN satisfies all of these (#2 - HN has a mid 90's aesthetic)
    • not2b
      5 days ago
      If by some miracle someone managed to create this, and a critical mass of people somehow discovered it and used it, at some point they'd burn out, sell it, and it would turn into the same shit that we see everywhere else.
      • wizardforhire
        5 days ago
        Not if you organize it as a non-profit with stated purpose that explicitly address exactly that… and is run as a public service for the public good.
        • stephenhuey
          5 days ago
          Might have better success with a Public Benefit Corporation instead of a nonprofit. I’ve considered starting some myself.
        • stack_framer
          5 days ago
          Now do OpenAI...
    • Klayy
      5 days ago
      Maybe that's what the new Friendster should be
      • fuzzfactor
        4 days ago
        Friendster sounds like a great idea for a platform to take this on.

        Is there anything else making a new start right now with as well-known a name? That could make a major difference in building critical mass fast enough.

        Now Friendster is already moving in its own new direction [0], but it would still be a good portal to a separate new jobs board that only needs to start out with zero bullshit and one key thing a little bit better than Linkedin in some very important area, then gradually diverge further from there if necessary.

        No need to even try to replace Linkedin (who wants another one of those?), the only thing that a better option needs to have to become sustainable, is to be better for a few million visitors on a regular basis. Maybe way fewer would be adequate if done right, IDK.

        I don't think Friendster is going to stop short of that, so there you go.

        Plus IIRC Friendster is already paid for and owes nobody anything. If it stays that way it could turn out to be a surprising advantage. No matter how big Linkedin is I can only imagine that it is "mortgaged" up the wazoo like anything else, it's a whale like no other.

        Friendster could go into the kind of shallow water where it can thrive, and Linkedin would be effectively beached.

        [0] Very cool the way their plan for physical contact or proximity looks like it will restrict bot activity just when it's needed most, while accepting the limitation to unbridled growth that this implies.

    • seattle_spring
      5 days ago
      > 3. That only developers / engineers / tech folks can join

      Is at odds with

      > 6. That doesn't have a bunch of fake "linkedinmaxxing" garbage content

      Almost all of the shit-tier AI-generated AI evangelism has been from "tech folks" connections. It's all the exact same content.

    • avaer
      5 days ago
      How much would you pay for this?
      • traderj0e
        5 days ago
        Yeah that's the thing, slight fee vs more annoying site doesn't matter that much. LinkedIn got me a job. Sure I had to give a burner email for them to ddos, but so what. If I were to use another site, it'd be because that's where recruiters are, not cause it's a nicer site.

        Anyway if you magically copied the entire LinkedIn network to a clean, no-nonsense site and wanted $5/mo to be active on there during the time I'm seeking a job, I'd pay that. And it'd be more if it had better opportunities. I guess there's LinkedIn Premium, but eh not convinced on that.

    • FridgeSeal
      5 days ago
      LinkedIn is a cesspool, but it’s almost worthless to me without the recruiters.

      They’re basically the only reason I’m there.

      • pizzly
        5 days ago
        Also a lack of LinkedIn account makes you more suspicious and less likely to get hired. So this is additional value in having an account. For appearances.
        • jamesfinlayson
          5 days ago
          Yeah I recently heard about people working multiple jobs at once - I wasn't surprised - with work from home being a thing and many jobs at big companies being not overly strenuous, you can get away with it.

          A previous coworker had been not especially good at his job and left after two months, and a little later I went looking for his LinkedIn to see where he'd ended up. Couldn't find him but didn't give it much thought. A friend told me that he was working at a company up the street but was also working another job at the same time, and the penny dropped - you can't have LinkedIn and be working two jobs at once and reasonably expect to get away with it or get hired again.

        • Loughla
          5 days ago
          That really depends on the field. Only one position asked about my LinkedIn. And that was because they had you apply via the site.

          I didn't apply, because fuck that inside out.

    • jachee
      5 days ago
      You’re already looking at it, buddy.
      • StilesCrisis
        5 days ago
        This looks like it's from 2008
        • 1over137
          5 days ago
          and thank god too. Modern design is bloated crap.
        • traderj0e
          5 days ago
          Looks older than that, which is great
    • ImJasonH
      5 days ago
      Can you create it?
    • metalliqaz
      5 days ago
      Except for #2 I think you're looking for Hacker News.
      • skeeter2020
        5 days ago
        didn't see your comment when I said basically the same thing. #2 is good though, bc HN has a pre-2008 look
  • SpyCoder77
    5 days ago
    > Users who had no idea their software was being inventoried, no idea the inventory was being used against them, and no way to know it was happening because none of it appears in LinkedIn's privacy policy.

    As if users are actually reading the privacy policy...

  • flenserboy
    5 days ago
    Fun to have to spin up a whole VM just to use a particular website!
  • guluarte
    5 days ago
    I did that and got logged out of LinkedIn.
  • ghm2180
    5 days ago
    I use Firefox with uBlock Origin's matrix turned on; LinkedIn and its CDN are explicitly blacklisted globally on it. I see links like ~`licdn` or some shit appear with a lot more frequency on webapps in the matrix nowadays. I would recommend you all install it and block it actively.

    It's disgusting.

  • 0xAstro
    5 days ago
    Now the 1000s of spammy chrome web extension requests when I opened LinkedIn make sense
  • GodelNumbering
    5 days ago
    I saw the following from linkedIn this morning

    > Update to our terms and data use As of November 3, 2025, we are using some of your LinkedIn data to improve the content-generating AI that enhances your experience, unless you opt out in your settings. We also updated our terms. See what's new and how to manage your data.

    Frankly, it is unacceptable to tell a user "oh we have been using your personal data for 5 months already and will continue to do so unless you explicitly opt out". Are there any transparent alternatives to LinkedIn (not the trust me bro variant)?

    • sp1982
      5 days ago
      I am building corvi.careers, its a job search engine not social network tho
  • 0xAstro
    5 days ago
    now it makes sense with the 1000s of spammy not found requests to chrome extensions i was seeing on linkedin and had claude code debug.
  • cromka
    5 days ago
    Call me crazy but both Google and MS started doing weird things like that since about the dinner at Trump. Did you know that Google Chrome now happily asks you to store your ID/Passport information on top of all the information they offered to store for the last 10 years or so? Why now? Why this crazy "enhanced" feature? (https://blog.google/products-and-platforms/products/chrome/e...)

    I am far from a conspiracy theorist but, god damn, if you take a few steps back from all the current madness and look at what's happening from a perspective, then YES, they're collecting all that data and it up to specific people and their IDs. I don't even want to guess how deep are Palantir and AI chat in this.

    • estimator7292
      5 days ago
      This is complete and utter conspiracy nonsense.

      This kind of tracking has been going on for decades

  • un-nf
    5 days ago
    [flagged]
    • tomhow
      5 days ago
      This is a good example of why post summaries are considered off-topic on HN. If it becomes the top comment (which it often does if people agree with it or are riled up by it) they'll reply to the summary rather than posting their replies as root comments to the main thread, creating a split between replies to the top comment and root replies.

      Also, please don't use a title for the HN submission that's different from the title of the original post. The guidelines are specific about this.

    • Lerc
      5 days ago
      Can you confirm that the title is correct and that it encrypts rather than hashes?

      Both are concerns, but sending interpretable data is a more serious concern.

      I scanned through the article and did not see an example of the header it added.

      • stingraycharles
        5 days ago
        It says RSA public key encryption in the article, so I’m going to assume that it’s not a typo.
    • kyleee
      5 days ago
      And certainly fingerprint you right?
      • flomo
        5 days ago
        Probably mostly for abuse prevention. Lots of extensions like this one:

        https://addons.mozilla.org/en-US/firefox/addon/linkedin-data...

        • hirako2000
          5 days ago
          The "abuse" is that one doesn't have to copy paste for hours.
      • WJW
        5 days ago
        I guess that's what they're hoping for. With my admittedly biased opinion of the average linkedin user, about 99% will have the default set of extensions installed and so will not be very useful. Those users might have other identifiers of course, so who knows.
        • jwpapi
          5 days ago
          I’m pretty sure it’s not 99% you would wonder how many differences there are along with user-agent resolution and ip range...

          I think 99% are identifiable

          • flomo
            5 days ago
            Ideally about 99% of LinkedIn users are using their professional name, occupation, and location.
        • RobRivera
          5 days ago
          Oh man time to see if there is a chrome Bonzai Buddy extension
    • phantomathkg
      5 days ago
      can, but how? Have you verified all 6278 and what they do?
      • cromka
        5 days ago
        sounds like you haven't heard of fingerprinting yet and how specific it is
        • yunwal
          5 days ago
          Reversible encryption wouldn’t be required for fingerprinting. They’re doing something even more sinister here.
  • gedy
    5 days ago
    LinkedIn without the news/post feed would be fine
    • ricardonunez
      5 days ago
      There’s an extension called News Feed Eradicator that does that for you.
      • mcintyre1994
        5 days ago
        Wonder if it’s on their list of extensions to spy on!
        • selcuka
          5 days ago
          We should be good if the Eradicator extension eradicates the script that scans for extensions.
    • em-bee
      5 days ago
      i just don't open the main page with the feed. i practically don't notice it's there. i have the messages view open, and i check notifications. i also don't follow anyone (except my contacts)
    • bluedino
      5 days ago
      And the useless notifications
      • seattle_spring
        5 days ago
        Having a notification that just shows me an ad for "LinkedIn premium" should be a crime.
  • theturtle
    5 days ago
    [dead]
  • pino83
    5 days ago
    [flagged]
    • Severian
      5 days ago
      What's the reason you asked this question? I mean, yeah, you could have stayed silent, and nowadays everyone assumes that pointing out obvious things in a condescending tone is kind of insightful, just because you used enough ellipses.

      Back then we all knew: vague rhetorical questions aren't arguments.

      Technically, it's not a big surprise at all that someone would restate "you are the product" like it's a revelation. There is nothing novel at all.

      And non-technically, yeah, as you said... You tried to weather a paragraph of empty meaning. You know that this comment says absolutely nothing actionable. You've known since word one. Nobody can actually be stupid enough to not instantly see that. It's impossible to not understand it.

      Your strategy so far was to just scold. Who of you has expected a productive outcome, given this "mediocre" contribution, to say it veeeeeery friendly?

      • pino83
        5 days ago
        On the one hand, this really sounds frustrated, and I know why you are (bcs we both know that I'm right).

        But beyond that unhappy story, your comment actually made me smile. Linguistically, let's say. And there is no sarcasm at all. It was funny to read!!

    • QuantumNomad_
      5 days ago
      > What's the actual problem? I mean, yeah, time passed by... And nowadays everyone assumes that all these services are kind of fine, just because time passed by.

      I didn’t make an account on LinkedIn before, and I never will in the future either.

      Hopefully, continuing to point out shady practices from sites will help more people stay away from them too as time goes on.

      • pino83
        5 days ago
        You see here how smart they are. And here you definitely read from the smarter one, compared to some average John Doe.

        So, no, there is no chance. Whenever you think "this might now finally help to make enough people understand", they'll quickly prove the opposite.

    • downrightmike
      5 days ago
      "What's the actual problem? I mean, yeah, time passed by... And nowadays everyone assumes that all these services are kind of fine, just because time passed by."

      no no no no no no no, These sites go on the blacklist.

      • pino83
        5 days ago
        Either it was there since day 1, together with Facebook and some others, or your blacklist is a pointless show.

        What nobody started discussing so far: Every user actively pushed these shady sites. They are/were all active parts of the problem. And usually they somehow knew it. They'll come with lame excuses, as if the issue ever was a technical one, and too difficult to get, but in fact, no, things cannot be more obvious. To everyone who ever got in touch with other human beings. It never was a tech problem.

        I'm excited when this discussion will start. But we are far away from it yet.

  • kmeisthax
    5 days ago
    Wasn't this specifically some lame-ass attempt to combat some click fraud or something these extensions were doing? And aren't these articles specifically coming from the person doing the fraud (which is why they know about the extension scanning)?

    To be clear, LinkedIn shouldn't be scanning your browser extensions, but still. The ultimate problem is that browser extensions are a powerful malware vector and there's a huge market of people buying little utilities off of solo developers to enshittify them.

    • dnnddidiej
      5 days ago
      > LinkedIn shouldn't be scanning your browser extensions.

      Correct

      Yes there are other problems in the world and we can JAQ the messenger too.

    • cxr
      5 days ago
      > Wasn't this specifically some lame-ass attempt to combat some click fraud or something these extensions were doing?

      No. That you believed that was just an unfortunate consequence of HN's kneejerk tendency to upvote middlebrow dismissals to the top comment, which resulted in people rushing to craft apologetics for what is in reality bona fide scumminess on LinkedIn's part, which itself resulted in confabulations like the claim that, "It was all extensions related to spamming and scraping LinkedIn last time this was posted"—which is simply untrue.

  • charcircuit
    5 days ago
    This is pure speculation. It is a million times more likely that this data is strictly used to combat scraping and fraud.
    • mr_toad
      5 days ago
      You saw speculation, and you raised with speculation and hyperbole!