I'd guess this is due to some Paypal fraud protection thing thinking that Linux on M1 is an "impossible" configuration to have and that anyone with that configuration must be spoofing their hardware.
If you click onto the bug she filed, it's also kind of sad/funny that the Mozilla employee responding to it ALSO assumes that nobody can actually run Linux on M1 and renames the bug to "paypal.com - Spoofing as Apple M GPU breaks the login process by triggering a block to the security challenge".
It's a shame because Asahi runs really well on M1 & M2. I hope that they're able to get this resolved and that other issues like this don't pop up in the future.
I think the real problem is that any website can get a ton of information on your GPU, including vendor, model, supported extensions etc. via WebGL/WebGPU.
I have Firefox set up to always ask for permission to play DRM protected content. This happens way more often than I ever expected. it seems that a lot of video ads have DRM. maybe that's what you're running into?
Not exactly on the backend, but I worked on the frontend (SDKs) at a previous employer whose product offering was fraud detection literally. Over the period of those years, I realised the team wanted "get whatever you can" and then just kept it and used it as needed. A few things I recall - heuristics, some matches with data sources they had of fraudulent actors, et cetera. I am talking about the time when "AI" as we know it was just picking up, and that company was actually calling these systems ML-backed. They pivoted to "AI" as soon as the term became more commonplace, and in the beginning it was just the name change, but I am sure they'd have changed the systems as well, or I hope so.
I can tell you that any kind of "abnormal" combination of system metadata (basically sysinfo) was technically frowned upon by that team, and of course, the system was designed by that team. So, say you had a rooted Android (we had solutions for all devices out there; pretty much) - naughty boy, the system suspected you of spoofing GPS - instant reject, disabling GPS - it was not a mandatory permission in the app (and we asked for it only for some clients) – but it didn't like it, you had changed the default resolution of the system - suspicious, we also captured typing/tapping speed (not only for text entry but also for interacting with the interface) - too fast was considered weird because you were not supposed to have known our interface (because it was interact once or twice in a lifetime or years, kind of thing).
I am speaking more from memory of new joinee intros and rare discussions with the team. The team was kinda "different," so other teams just wanted to avoid them and also wanted them to stay away from other teams. So a lot of things might not sound exciting, might not be accurate either and these are not technical observations anyway.
Another aspect I just remembered. Say you had an app list (oh, we read that too) that matched with known fraudulent actors datasets, you had app(s) that showed you were not well off (we served a lot of instant loan givers around the world), you had an old phone, your OS was very old – all these things were taken into account, along with your PII (which were of course mandatory), when their backend received the data and we gave the final reco/score to the client's system in the API response.
Probably tripping some client fingerprinting/fraud detection system because it thinks of it as an anomaly mistaking it for a bot or something. Unlikely to be intentional malice against Asahi users.
Yes but shit like this still means that if your hardware is in a minority category you will lose access to services.
For a time I couldn't access a number of website because Linux+Firefox was apparently too rare, with Linux+Chrome at least I could pass a captcha (was Akamai I believe).
With PayPal you don't need to imagine, you will get cut off randomly just by using it. Oh you have triggered fraud detection, let's waste a week of your time talking to customer support.
There are two ways in which that could happen. Someone entered that combination into the list without thinking it though. Or more likely, they use a self-learning or heuristic filter that finds the combination 'Linux' and 'Apple M1' unusual because of how rare it is. Either way, it's easier to assume a mistake here because such a dark pattern doesn't make any business sense - notwithstanding their ethical reputation.
This is just a guess, but maybe "inconsistent" identifiers are a good signal of being an attack bot instead of a user.
Not defending that btw. Auto-generated signals are likely a problem for any desktop Linux user, not just Asahi, since most bots will run on Linux VPSs.
Why would anyone use PayPal at the first place? I have only negative experiences with them. Constant blocking, freezing account and then unfreezing it with no explanation why it was frozen in the first place just panacea "fraud detection", chargebacks months after the purchase.
One click checkout vs filling in credit card info on yet another website. None of your issues apply to using PayPal as a form of payment; you don’t need to keep a balance at all.
Apple Pay, Google Pay, Amazon Pay, and various options across the world such as 'Link', iDEAL, Swish, etc. Paypal only still seems to be a major thing in the US where modern payment methods are still very much behind the rest of the world.
My experience in DigiKey (One of the biggest part store) on attempt to pay via PayPal it triggered fraud detection and DigiKey told me to wire up money via bank account. So from paying in few seconds I was waiting on transfer move for several days. Never using PayPal again, what a garbage service.
Shopping on DigiKey via debit card is absolutely without problem.
Revolut! There are also pretty high referral bonus (around 80 dollars per referral where I come from). You can ”charge” it using Apple Pay or Google Pay, and it’s very convenient.
I'd guess this is due to some Paypal fraud protection thing thinking that Linux on M1 is an "impossible" configuration to have and that anyone with that configuration must be spoofing their hardware.
If you click onto the bug she filed, it's also kind of sad/funny that the Mozilla employee responding to it ALSO assumes that nobody can actually run Linux on M1 and renames the bug to "paypal.com - Spoofing as Apple M GPU breaks the login process by triggering a block to the security challenge".
It's a shame because Asahi runs really well on M1 & M2. I hope that they're able to get this resolved and that other issues like this don't pop up in the future.
I think the real problem is that any website can get a ton of information on your GPU, including vendor, model, supported extensions etc. via WebGL/WebGPU.
They even query if the monitor is connected in a HDCP compliant way.
There is a bug in either that process, my monitor, or the DP protocol.
Sometimes when that detection happens, my monitor turns grey, which is what it's supposed to do when you play HDCP content over a non-HDCP link.
But I'm not doing that. I'm just visiting a website.
I have Firefox set up to always ask for permission to play DRM protected content. This happens way more often than I ever expected. it seems that a lot of video ads have DRM. maybe that's what you're running into?
Yeah, I understand it's probably part of their fraud protection, but feels weird that they get my GPU info when doing a payment.
Seems very unrelated.
Anyone who works on fraud protection who can explain how this info is used?
Not exactly on the backend, but I worked on the frontend (SDKs) at a previous employer whose product offering was fraud detection literally. Over the period of those years, I realised the team wanted "get whatever you can" and then just kept it and used it as needed. A few things I recall - heuristics, some matches with data sources they had of fraudulent actors, et cetera. I am talking about the time when "AI" as we know it was just picking up, and that company was actually calling these systems ML-backed. They pivoted to "AI" as soon as the term became more commonplace, and in the beginning it was just the name change, but I am sure they'd have changed the systems as well, or I hope so.
I can tell you that any kind of "abnormal" combination of system metadata (basically sysinfo) was technically frowned upon by that team, and of course, the system was designed by that team. So, say you had a rooted Android (we had solutions for all devices out there; pretty much) - naughty boy, the system suspected you of spoofing GPS - instant reject, disabling GPS - it was not a mandatory permission in the app (and we asked for it only for some clients) – but it didn't like it, you had changed the default resolution of the system - suspicious, we also captured typing/tapping speed (not only for text entry but also for interacting with the interface) - too fast was considered weird because you were not supposed to have known our interface (because it was interact once or twice in a lifetime or years, kind of thing).
I am speaking more from memory of new joinee intros and rare discussions with the team. The team was kinda "different," so other teams just wanted to avoid them and also wanted them to stay away from other teams. So a lot of things might not sound exciting, might not be accurate either and these are not technical observations anyway.
Another aspect I just remembered. Say you had an app list (oh, we read that too) that matched with known fraudulent actors datasets, you had app(s) that showed you were not well off (we served a lot of instant loan givers around the world), you had an old phone, your OS was very old – all these things were taken into account, along with your PII (which were of course mandatory), when their backend received the data and we gave the final reco/score to the client's system in the API response.
The problem is they have the ability to get it to begin with. The browser or OS should prevent this.
Very likely looking for VMs or other weird signals. Doesn't make it right for a regular user doing nothing wrong.
Probably tripping some client fingerprinting/fraud detection system because it thinks of it as an anomaly mistaking it for a bot or something. Unlikely to be intentional malice against Asahi users.
Yes but shit like this still means that if your hardware is in a minority category you will lose access to services.
For a time I couldn't access a number of website because Linux+Firefox was apparently too rare, with Linux+Chrome at least I could pass a captcha (was Akamai I believe).
That's disastrous, imagine getting cut off from financial services because of being an early adopter.
With PayPal you don't need to imagine, you will get cut off randomly just by using it. Oh you have triggered fraud detection, let's waste a week of your time talking to customer support.
As a rooted android user, I don't really have to imagine. It's been a constant fight for the last decade...
or using an old device, like one that is, you know, not supported by win 11...
PayPal is the only semi reliable payment method attached to my credit card that doesn't constantly fail payments on my desktop computer.
Glad to hear that's going to change as well.
Why?
My guess would be they're using some 3rd party library of "fake user agent detection", and this library just has a whitelist of what's "acceptable".
Given that the "fix" involves making the string reported "Possibly Apple, Possibly M1", I am going to say it's a blacklist.
There are two ways in which that could happen. Someone entered that combination into the list without thinking it though. Or more likely, they use a self-learning or heuristic filter that finds the combination 'Linux' and 'Apple M1' unusual because of how rare it is. Either way, it's easier to assume a mistake here because such a dark pattern doesn't make any business sense - notwithstanding their ethical reputation.
This is just a guess, but maybe "inconsistent" identifiers are a good signal of being an attack bot instead of a user.
Not defending that btw. Auto-generated signals are likely a problem for any desktop Linux user, not just Asahi, since most bots will run on Linux VPSs.
Why would anyone use PayPal at the first place? I have only negative experiences with them. Constant blocking, freezing account and then unfreezing it with no explanation why it was frozen in the first place just panacea "fraud detection", chargebacks months after the purchase.
One click checkout vs filling in credit card info on yet another website. None of your issues apply to using PayPal as a form of payment; you don’t need to keep a balance at all.
Apple Pay, Google Pay, Amazon Pay, and various options across the world such as 'Link', iDEAL, Swish, etc. Paypal only still seems to be a major thing in the US where modern payment methods are still very much behind the rest of the world.
Ironically, PayPal is the only one of those services that actually works pretty much everywhere in the world.
But of course, when people on here say "the rest of the world" they typically just mean "Europe".
My experience in DigiKey (One of the biggest part store) on attempt to pay via PayPal it triggered fraud detection and DigiKey told me to wire up money via bank account. So from paying in few seconds I was waiting on transfer move for several days. Never using PayPal again, what a garbage service.
Shopping on DigiKey via debit card is absolutely without problem.
If you need to split a bill across people from many different countries, there aren’t other options.
Revolut! There are also pretty high referral bonus (around 80 dollars per referral where I come from). You can ”charge” it using Apple Pay or Google Pay, and it’s very convenient.
Doesn’t work in South Africa, India or Singapore.
When you meet up with from people from enough places, there really aren’t many options.
Good news, PayPal works once from these places. then you will get 180 days lock on your account for suspicious transfers.
Cash. Monero.
I wish more sites would accept cash