Maighstir: Well, T.H.E.Y. (and T.H.E.M., they are branches of the same organisation, or they're two names for the same, we're not entirely sure yet, but we're quite certain they're closely connected) do have undercover spies among us. This should be common knowledge, didn't you get that information in your introduction package?
nightcraw1er.488: Ah, I pro-actively exploded the introductory package as it looked suspicious.

Didn't T.H.E.Y take the W.E.E at some point? And I remember U.S being quite opposed to T.H.E.M at some point recently, but I suppose that S.L.A.P must have made it T.H.U.S?
W.E./U.S. are very much against T.H.E.M. (they called our M.O.M. "fat" at one point), but we know for certain that they have spies in our ranks, just as we have in theirs. We just don't know who said spies are.
Warning: Wall of Text because it's courteous to reply (and I'd rather do it in one post than spam the forum with each one separately). Also, helps to switch mental gear from "work" to "things I should be doing right now." Erm. Somewhat, anyway.

Nirth:
I do hope people will get informed on the subject before it comes to bite the society, as a whole, in the ass.

If you think STASI was bad, imagine a private corporate entity with the technological capability beyond STASI's wildest dreams at their fingertips. Or, don't imagine, because that's already in place - consider what can be done with that, especially in the areas of sociology and politics. I am slowly coming to accept that the dystopian books I grew up on ended up treated as "how-to" manuals by some.

Starkrun: I'm a little curious as to what is tracking because I run some heavy hitter add-ons and see nothing...
Any pull from Amazon network can be (and according to back-room discussions is) used to grow their own mega-database. Amazon is very much trying to catch up to Google now that it turned out inconsequential details of people's lives (which most of the population is willing to share often without even being baited with some "freebie" service) are the hottest commodity around.

For that matter, I'm not even sure what is transferred to cloudfront.net when you pull the script from them. Your IP and the hosting website are pretty much a given, but it could also include "optimization" details such as browser fingerprints.

Might end up toying with this on the weekend when I have some spare time.

As Facebook proved, though, even a simple image from a third-party server can be used to generate a tremendous amount of data about an individual access point (which can rather easily be linked to a specific person). Hell, that's the major vehicle of Facebook's data-mining method (the prolific "f" buttons you see on most major web-sites actually do actively track you - whether you are a facebook user or not).

If you are genuinely curious, there is a metric ton of reading material on the intertubes related to just how little online privacy you are allowed nowadays. There's usually some serious article on the subject coming out pretty much every other day without even any related major event occurring. EFF, ACLU, and your favorite tech news site are probably the best places to start.

Unfortunately, while a lot of effort is focused on fighting government's access to private data outside of the established legal channels, people tend to ignore the growing corporate databases that the government can easily tap into (also, any restrictions on THAT would be totally against FREE MARKET©™!)

For lulz (and that's just the tip of the iceberg): https://www.yahoo.com/news/belgium-officials-warn-against-using-190000193.html

Starkrun:
You hardly explained. Given how you yourself state that the actual code transmitted to a user machine is
Starkrun:
you examined source code from a depository that may, or may not, be modified for Amazon's use. And I certainly do not believe for a moment that you did a full security audit of even the source code from github, much less the one transmitted from cloudfront.net.

They still get your IP through the request, along with the website that you accessed. And only-Amazon-knows what else, since they can shape the pull request to include whatever browser fingerprints they want.

To... erm... "optimize" the experience. Yeah.

Amazon very much wants your data. They have no legal obligation to avoid gathering it when YOU ask for something from them. Do the math.

classicgogger:
Somebody with factual knowledge of the subject... what are you doing in this thread? XD

Fenixp: I am one of those ... Ehm ... Rare professionals. And the rest of my office. ... Yeah, we're almost extinct. Anyway, I have checked where does it in any way connect to amazon or any other third party website and there's no such occurrence, the code is fine.
"Security audit of the code in memory or GTFO." Basically.

Every bloody Defcon has challenges related to self-referencing coding or less complex methods of obfuscating code doing something else than it appears to do. It's not that difficult, a bunch of unis with security curriculum offer courses in writing these things for freshmen.

Though the above is more theoretical than actual accusation against Amazon. Things aren't so lax yet that they can pull this kind of a stunt without major public outcry (and there are, thankfully, still people around that would inform the public were that to take place). Doesn't mean they can't change things around when they so desire. Hey, stick an EULA on it, and nobody reads those anyway, right? Especially if you can blame somebody else (GOG in this case) for not informing the end user about the changes to data collection.

Most glaringly for somebody claiming to be a professional working with Java Script (or JScript, or whatever the flavor of it you prefer), you fail to even recognize that a simple invocation of the file transmits the IP address of the requesting machine, along with additional information that may further be expanded to accommodate online "fingerprints."

I mean, hello. Forest, trees.

Bottom line - I should not be required to run a third-party script (hello, potential attack vector) that is used for internal testing to be able to access my account hosting my purchases.

Trilarion: Is that true? I use ghostery and only see 4 trackers on GOG.com which I block.

It's true there are less on Steam (only 1) but I also block it, so the effective number for me is zero for both shops.
Facebook, Google, Twitter, Amazon are the ones that pretty much exist on all the pages of GOG.

Well, and Ghostery in your case - sorry, but those guys also monetize your information, though they claim it's only non-identifiable one, "cross my heart and die." A definition which, of course, does not include your IP address or browser fingerprinting since that's totally non-identifiable. Well, legally speaking, anyway. For real, just check their own Privacy Statement (conveniently linked below).

http://lifehacker.com/ad-blocking-extension-ghostery-actually-sells-data-to-a-514417864

http://www.extremetech.com/internet/212476-is-it-safe-to-use-the-ghostery-privacy-extension

https://www.ghostery.com/about-us/privacy-statements/ghostery-product/Ghostery-Product-Privacy-Statement/

***

It's extremely discouraging to see, with the rare occurrence or two, even those treating this subject with the seriousness it deserves display a glaring lack of basic knowledge.

At least somebody was interested enough to perhaps learn more, though.

"It's something"

(Edited because Heil Spellcheck)
Post edited May 18, 2016 by Lukaszmik
Lukaszmik: Every bloody Defcon has challenges related to self-referencing coding or less complex methods of obfuscating code doing something else than it appears to do. It's not that difficult, a bunch of unis with security curriculum offer courses in writing these things for freshmen.
You do realize that if there's malicious code in the library and GOG (or any other site for that matter) hosted it, it would do exactly the same crap, right? Also, no code from browser-based js libraries runs server-side. It all runs on your computer. Figuring out whether or not there are calls made to a third party website is not difficult even without a single glance at said code.

Lukaszmik: Most glaringly for somebody claiming to be a professional working with Java Script (or JScript, or whatever the flavor of it you prefer), you fail to even recognize that a simple invocation of the file transmits the IP address of the requesting machine, along with additional information that may further be expanded to accommodate online "fingerprints."
You mean kinda like every single request you ever make on the internet? If you're worried about this use tor for crying out loud, gog could just as easily have been running the .js library from their servers and you'd know nothing. You're telling me I'm missing forest for the trees, yet what you're complaining about is relatively easy to do without you even knowing it's happening - the only way for personally identifiable information to not be obtainable for a third party is when you're not sending out such information in the first place.
Post edited May 18, 2016 by Fenixp
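
Added example, not part of any post in this thread: one way to check which third-party hosts a page contacts, and which identifying request headers each one receives, without reading the script itself. It reads a HAR capture as exported from a browser's developer tools; the hostnames, header values and the `siteOf` / `thirdPartyReport` helpers are constructed for illustration.

```javascript
// Constructed HAR fragment, same shape as a browser DevTools HAR export.
const sampleHar = { log: { entries: [
  { request: { url: 'https://www.shop.example/account', headers: [
    { name: 'Cookie', value: 'session=constructed' },
    { name: 'User-Agent', value: 'ExampleBrowser/1.0' } ] } },
  { request: { url: 'https://static.shop.example/site.css', headers: [
    { name: 'Referer', value: 'https://www.shop.example/account' } ] } },
  { request: { url: 'https://d0000.cdn-provider.example/monitor.js', headers: [
    { name: 'Referer', value: 'https://www.shop.example/account' },
    { name: 'User-Agent', value: 'ExampleBrowser/1.0' } ] } },
  { request: { url: 'https://widgets.social.example/like.png', headers: [
    { name: 'Referer', value: 'https://www.shop.example/account' },
    { name: 'Cookie', value: 'uid=constructed' },
    { name: 'User-Agent', value: 'ExampleBrowser/1.0' } ] } },
] } };

// Simplification (assumption): the last two DNS labels identify the "site".
// A real tool should consult the Public Suffix List (co.uk and similar).
function siteOf(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Headers that tell the receiving host where you were and who you may be.
const IDENTIFYING = ['referer', 'cookie', 'user-agent'];

// Returns one row per third-party host: request count and identifying headers sent.
function thirdPartyReport(har, pageUrl) {
  const firstParty = siteOf(new URL(pageUrl).hostname);
  const rows = new Map();
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (siteOf(host) === firstParty) continue; // same site as the page itself
    const row = rows.get(host) || { host, requests: 0, sent: new Set() };
    row.requests += 1;
    for (const header of entry.request.headers) {
      const name = header.name.toLowerCase();
      if (IDENTIFYING.includes(name)) row.sent.add(name);
    }
    rows.set(host, row);
  }
  return [...rows.values()].map((r) => ({
    host: r.host, requests: r.requests, sent: [...r.sent].sort(),
  }));
}

for (const r of thirdPartyReport(sampleHar, 'https://www.shop.example/account')) {
  // The source IP address is visible to every contacted host regardless of headers.
  console.log(`${r.host}: ${r.requests} request(s), headers: ${r.sent.join(', ')}`);
}
```

A capture like this shows only what left the browser; it says nothing about what any receiving server does with the data afterwards.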
mining CRAP!?!

that sounds MESSY and STINKY
Okay, I've put garlic cloves around my tower. I should be safe now.

Data is imaginary. Burritos are real. I could go for a burrito.

Besides, even if Google is spying on us, what useless information and trivia could they glean?
There is a group of people A, who dislike DRM. There is also a group of people B, who dislike being tracked on the Net. There is a very high chance that if you belong to group A, you also belong to group B, and vice versa.

GOG have always been trying very hard to attract people from group A as customers. Suddenly, GOG are trying to repel people from group B, who usually are also part of group A. That is, GOG are trying to make themselves disgusting for their core customers.

What's next GOG, start selling games with DRM?


Just for the record, the front page of gog.com is more than 600KB. An average page for a game is half this size. The JS file hosted on cloudfront.net - and without which the site loses most of its functionality - is about 70KB. The games themselves are often several gigabytes.

It seems it is very, very, very hard to fit a 70KB JS file on gog.com and it is much, much easier to load it from cloudfront. Who cares about annoyed customers anyway, the Cloud-centered Web developers know best.
I agree gog needs to stop this third party nonsense crap. I avoid coming here now because of this. GOG I would like access to my files without having to use third party access!
wsnavigator: Just for the record, the front page of gog.com is more than 600KB.
So....have you considered just how colorful the front page has been as of late? You've got a colorful spread of Witcher 3, a background, the rotating kiosk, static sales and features, the news bar, and a games listing with dynamic interactive elements, both of which can be expanded well beyond 500 units. Sure, GOG could take a page from google and load elements from a spritesheet to minimize load, but that'd only make so much difference.
Matruchus: Either way this is my last post on this.
You won't post anything more on this topic? But that's censorship!
Post edited May 18, 2016 by ZFR
wsnavigator: What's next GOG, start selling games with DRM?
Ah... the eternal "next step".

GOG started selling recent indie games. What's next, Games with DRM???
GOG introduced Galaxy. What's next, Games with DRM???
GOG put In Development in its store. What's next, Games with DRM???
GOG's CEO goes to take a shit. What's next, Games with DRM???

It's 8+ years now, and the "games with DRM" just refuses to come, despite always being next on the list.
Post edited May 18, 2016 by ZFR
Fenixp: You do realize that if there's malicious code in the library and GOG (or any other site for that matter) hosted it, it would do exactly the same crap, right? Also, no code from browser-based js libraries runs server-side. It all runs on your computer. Figuring out whether or not there are calls made to a third party website is not difficult even without a single glance at said code.
You claim to be a programming professional, and your work practice does not include security check of code you are adapting from other sources?

As to checking, sure. Because obviously it makes more sense to require from me running a connection check for all elements on even a single web site I access every time I do so (since things may easily change in between the visits) than for anybody to have a reasonable expectation of not having their information peddled left and right, particularly by services that said person is a paying customer of.

I choose to interact with GOG. I choose to provide them with my data. I will even overlook them gathering and using data that genuinely helps them improve the service (though in the imaginary ideal world I would have an option to opt-out from such a practice).

That said, when GOG starts introducing, without any announcement whatsoever, third-party participation from companies heavily into data-mining, that is unacceptable to me. Speaking of third-parties, today their web site also includes scripts from newrelic.com. Yes, really - these guys: http://highscalability.com/blog/2011/7/18/new-relic-architecture-collecting-20-billion-metrics-a-day.html

Perhaps I'm missing something, but I don't exactly see what is so difficult in internalizing an open-source runtime library such as Node.js that forces them to run monitoring code from third-party servers. I guess it could be legalese, for all I know, but then another pertinent question arises - why is GOG's intent on improving their site trumping the presumption of confidentiality existing between them and their customers?

Fenixp: You mean kinda like every single request you ever make on the internet? If you're worried about this use tor for crying out loud, gog could just as easily have been running the .js library from their servers and you'd know nothing. You're telling me I'm missing forest for the trees, yet what you're complaining about is relatively easy to do without you even knowing it's happening - the only way for personally identifiable information to not be obtainable for a third party is when you're not sending out such information in the first place.
Just to reiterate - providing information to GOG is my choice when I interact with them. Having GOG sneak in another party into the equation without my say-so, and adding insult to injury one well known for data-mining is, to me, unacceptable.

I have gog.com whitelisted, so I'm not exactly concerned about whatever data they obtain from me. But it was my decision to do so.

Meanwhile, unless I allow Amazon's servers to interact with my computer, I cannot even access my GOG account with all the purchases I had made. I'm pretty sure what contractual obligations I entered into was between myself and GOG, with Amazon completely out of the picture.

And all in the name of internal monitoring? Not a valid excuse in my eyes.

wsnavigator:
Thank you for this post. I began harboring suspicion that everybody else inhabited some alternative dimension where monopoly- and control-seeking corporations were doing it for the overall good of society. Or something.

Darvond: So....have you considered just how colorful the front page has been as of late?
Yes, and if you are a Facebook user, you also get free games, at the low, low price of becoming a data point in a quickly growing database that can be used for oh so many fun things.

No, thank you. The old GOG website was pretty damn sufficient for me to drop however much I had already spent on a large portion of their game catalog.
Post edited May 19, 2016 by Lukaszmik
Security is good.

That stuff below is bad. Real bad. Bad as in actually harmful.

Paranoia is a thought process believed to be heavily influenced by anxiety or fear, often to the point of delusion and irrationality. Paranoid thinking typically includes persecutory, or beliefs of conspiracy concerning a perceived threat towards oneself (e.g. "Everyone is out to get me"). Paranoia is distinct from phobias, which also involve irrational fear, but usually no blame. Making false accusations and the general distrust of others also frequently accompany paranoia. For example, an incident most people would view as an accident or coincidence, a paranoid person might believe was intentional.
Post edited May 19, 2016 by Alaric.us
Lukaszmik: Yes, and if you are a Facebook user, you also get free games, at the low, low price of becoming a data point in a quickly growing database that can be used for oh so many fun things.

No, thank you. The old GOG website was pretty damn sufficient for me to drop however much I had already spent on a large portion of their game catalog.
Define old. There's been at least three versions of the site.
That's exactly what THEY want you to believe.
Lukaszmik: You claim to be a programming professional, and your work practice does not include security check of code you are adapting from other sources?
Now I'm confused, I was kind enough to waste my time doing just that for you (because... Well yes, I do) and your response was, and I quote,
Lukaszmik: "Security audit of the code in memory or GTFO." Basically.
After the fact you're also using your insecurities to attack my professionality, which ... I don't actually much care about to be honest, but it is kind of rude.

And no, checking all outgoing data won't help. As soon as any website receives any data from your browser they're free to do with it whatever they please server-side and you can't see shit. But wait, you have tools to prevent any website from seeing any such information, so again: Why on earth aren't you using them?

Lukaszmik: Thank you for this post. I began harboring suspicion that everybody else inhabited some alternative dimension where monopoly- and control-seeking corporations were doing it for the overall good of society. Or something.
There are two kinds of people: Those who agree with you and those who are wrong :-P
Post edited May 19, 2016 by Fenixp