I've run as root since 1974. Still here. Never hacked. Never exploited. Been on the "Net" since it was ARPANET.
I've put myself and my machines out there now since my ALTAIR 680B was connected to a PDP-11/70 and I "explored" a major bank's systems in 1976. Still waiting for the NSA,KGB,CIA,FBI, BKA, GOOGLE, Facepuppet, the Russians, the Chinese, the Israelis and a thousand others to steal what's not there.
The way it is. Russians and Chinese do not sleep, do not eat, but only sit with pale faces and cold hands and think how to steal your SUPER SECRET files that you store on your HOME computer. And the Israelis generally dream of launching a trojan that will draw the Star of David and Menorah on your monitor screen and all this in pixel graphics. I don't know what Facepuppet wants 
Fossapup OS, Ryzen 5 3600 CPU, 64 GB RAM, GeForce GTX 1050 Ti 4 GB, Sound Blaster Audigy Rx with amplifier + Yamaha speakers for loud sound, USB Sound Blaster X-Fi Surround 5.1 Pro V3 + headphones for quiet sound.
rufwoof wrote: ↑Fri Jan 15, 2021 2:30 pmLinus doesn't even give too much regard to Linux security, prioritises userland over security, and there are just too many holes in Puppy security. Starting from your base of a browser in a chroot ... you'd more likely go on to just extend things until you ended up with something like EasyOS containment - not much point in reinvesting that wheel all over again.
It's worth studying how EasyOS does it but we might not always want to do things in the exact same way, and if we try on our own first we might be more original. Anyway, it looks like you ignored your own advice somewhat here and gave us a starting point on how we might code such a container. See post:
Fatdog unshare xephyr capsh container
I do appreciate your code and plan to study it soon
Is there a way that such files can be made write-only... no exec, no read?
Would that work?
Regards
8Geee
Money talks... no, it shouts, so that it doesn't have to hear common sense.
Not from root, from spot (or other users) potentially yes, but if spot can elevate to root easily! Sharing the same X session as root, setuid's, bugs ...etc. can all be used as a means to elevate to root permissions. i.e. the fundamental design of Puppy (it's not a real multi-user system) and its running as root policy makes spot largely pointless.
s243a wrote: ↑Sun Jan 17, 2021 12:34 amIt's worth studying how EasyOS does it but we might not always want to do things in the exact same way, and if we try on our own first we might be more original. Anyway, it looks like you ignored your own advice somewhat here and gave us a starting point on how we might code such a container. See post:
I tried running Fatdog's UML, but couldn't get it working, so opted to dig out that old code and found that with some updating it ran pretty well - so posted the code snippet more as a record/reference. I dual boot (concurrently) Fatdog and OpenBSD and use the OpenBSD side for browsing ...etc. UML or a container is a alternative to that. Increasingly however I'm more inclined to OpenBSD for its original Unix like style, opining that Linux is increasingly moving towards being more Windows like (systemD, pulseaudio, snaps, etc.) with all the issues that entails (such as not sourcing programs from a single central trusted repository, but from here/there/anywhere with differing standards/practices). Linux desktop is near/at a stage where you might as well just use Windows for better security and all-round polish. Or alternatively Mac, or BSD. Personally I have little desire/intent to use either Windows or Mac. Pushed and I'd probably opt for Mac (that said, I've never used one).
If we are so afraid for our safety... Well, why then use a small system in which root was originally incorporated into the concept?
Of course, we can patch the system all the time until we lose consciousness from perseverance (although who needs it VERY much - he will hack your system).
However, it will no longer be a carefree Puppy, but rather the Hound of the Baskervilles by Arthur Conan Doyle or even the Black Shuck. By the way, good names for future "safe" distros
Fossapup OS, Ryzen 5 3600 CPU, 64 GB RAM, GeForce GTX 1050 Ti 4 GB, Sound Blaster Audigy Rx with amplifier + Yamaha speakers for loud sound, USB Sound Blaster X-Fi Surround 5.1 Pro V3 + headphones for quiet sound.
What raises my hackles is the blurring of privacy and security. It seems to me lately, that the more of the former one has, the more of the latter one has. I really don't want third-parties and the glaring insecurity they may have. IMHO the only entities that need to know are me, the website, and maybe... if there's a financial transaction the gov't for tax purposes. No one else needs to know, really. And I do agree, banks are the worst, with credit-cards at coat-tail. Even the ubiquitous Amex Green card comes with "points" and an elevated fee of nearly US$200 annual. If you bank... paper statements, nuff said here. Write checks and balance the ledger. yah, old school. Covid-19 these days means ATM card and getting that receipt to rectify the check account.
JMH 18% credit
8Geee
Money talks... no, it shouts, so that it doesn't have to hear common sense.
Grey wrote: ↑Mon Jan 18, 2021 1:20 amIf we are so afraid for our safety... Well, why then use a small system in which root was originally incorporated into the concept?
Of course, we can patch the system all the time until we lose consciousness from perseverance (although who needs it VERY much - he will hack your system).
However, it will no longer be a carefree Puppy, but rather the Hound of the Baskervilles by Arthur Conan Doyle or even the Black Shuck. By the way, good names for future "safe" distros
All Puppy's are safe. It's how you use them that makes it unsafe. Fundamentally installing software/programs from third parties whose primary objective is spyware - and how you do/run that is a personal choice. Puppy can be used as a hypervisor - running a browser in a 'container', or that is used to concurrently boot/run another contained OS/system. With later machines having kvm support and that in effect is like another cpu, 'dual/multi' boot has moved from being one at a time over to being concurrent. Why physically reboot hardware into another menu.lst/whatever boot choice when you can just fire up another iso/whatever directly. Cloud virtual machines are yet another choice, for example shadow.tech offers a high end 4K gaming windows system.
EasyOS is a nice choice of having two versions of the same system booted i.e. open the Buster container once booted and run the browser within that. Or alternatively you might boot one/any Puppy and then kvm/qemu boot another - set up primarily to use for browsing. Or boot Puppy to vnc into another system - that you might build/maintain yourself (perhaps even a small pi), or that you rent (cloud based). That perhaps is the better choice as if the vnc connection is encrypted such as through a ssh tunnel then your ISP only sees that, not you actual activities, and remote sites see the cloud based IP and hardware, not your actual device.
It doesn't require massive effort and continual updating etc. One of my boots for instance is perhaps one of the safest and is less than 20MB in size. Enough to boot, wifi net connect along with a framebuffer, ssh and vnc. My more regular boot is Fatdog, with OpenBSD kvm/qemu booted for browsing. I also have EasyOS on a stick as yet another choice. For mail and irc I use hashbang, ssh into a tmux session where both are available and can be accessed from anywhere using any device(s) that support ssh. If anything such a range of 'distributed' computing is more fun than using a single Puppy system alone.
GitHub has curated lists from the Awesome series. Among them is a large list of hypervisors, containers, sandboxes and related operating systems, utilities and tools:
https://github.com/Friz-zy/awesome-linux-containers
Apparently, work in this direction is being carried out quite intensively.
EasyOS hasn't been added yet. Perhaps in the future, BarryK will want to do this.
Fossapup OS, Ryzen 5 3600 CPU, 64 GB RAM, GeForce GTX 1050 Ti 4 GB, Sound Blaster Audigy Rx with amplifier + Yamaha speakers for loud sound, USB Sound Blaster X-Fi Surround 5.1 Pro V3 + headphones for quiet sound.
Grey wrote: ↑Tue Jan 19, 2021 1:11 amGitHub has curated lists from the Awesome series. Among them is a large list of hypervisors, containers, sandboxes and related operating systems, utilities and tools:
https://github.com/Friz-zy/awesome-linux-containers
Apparently, work in this direction is being carried out quite intensively.
EasyOS hasn't been added yet. Perhaps in the future, BarryK will want to do this.
This seems like a good starting point:
Bocker
Docker implemented in around 100 lines of bash.
Fatdog version in < 30 lines of bash
Code: Select all
#!/bin/bash
SHARED=/mnt/sda4/shared
CHANGES_LOC=/mnt/sda4/changes
MAIN_SFS=/mnt/sda1/FATDOG811-FINAL/fd64.sfs
XP="-fullscreen -title container -name Xephyr2 -dpi 144 -nolisten tcp"
PF="--keepenv --no-ipcns --no-netns --mount=bind:${SHARED}:/home/shared --mount=bind:/etc/resolv.conf:/etc/resolv.conf --mount=bind:/dev/snd:/dev/snd --mount=bind:/dev/mixer:/dev/mixer --caps=all,-sys_admin,-sys_boot,-sys_chroot,-sys_ptrace,-sys_time,-sys_tty_config,-chown,-kill,-dac_override,-dac_read_search,-fowner,-setfcap,-setpcap,-net_admin,-mknod,-sys_module,-sys_nice,-sys_resource --chroot=${CHANGES_LOC}/top"
if [ `ps -ef | grep Xephyr2 | wc -l` -ne 2 ];then
Xephyr :2 ${XP} &
else
exit
fi
[ ! -d $SHARED ] && mkdir $SHARED
cd ${CHANGES_LOC}
if [ -d top ] || [ -d sfs ] || [ -d changes ]; then
umount -f top sfs;rm -rf changes;rmdir top sfs
fi
mkdir top sfs changes
mount -r -t squashfs ${MAIN_SFS} sfs
mount -t aufs -o br=changes:sfs none top
cp /var/lib/dbus/machine-id top/var/lib/dbus/machine-id
ln -s top/var/lib/dbus/machine-id top/etc/machine-id
printf "#!/bin/sh\nlxqt-panel &\nopenbox" >top/init; chmod +x top/init
DISPLAY=:2 empty -f unshare -m pflask ${PF} -- /init
PID=$!;wait $PID;killall Xephyr;umount top sfs;rm -rf changes;rmdir top sfs
Just stumbled upon this, https://privacyangel.com/most-secure-pr ... eb-browser. Thought it did a good job of covering the basics: something we could advise newbie's to read just to 'get their head in the right place'.
I haven't fact checked it fully. For example, while it gives a good review of iridium, users of Linux won't learn that its last update for Linux was two year ago.
In discussing opera's free VPN, it said:
"Unfortunately, much of the hype is overblown – the VPN offers no encryption other than SSL/TLS (the same type of encryption used by regular HTTPS websites), making it more of a proxy than a full-fledged VPN. The lack of encryption means that while your location and IP address will be masked, none of the actual data you send or receive will be any more secure than it would be over a standard HTTPS connection". That's only part of Opera's VPN problems.
Similarly, I think it downplays Brave's intrusions.
The post mentions a couple web-browsers of which I previously was unaware, but I think of them only Dooble could be a candidate for Puppy. Well, maybe easily for Fossa, Buster and Slacko 7. Qt5.15 is a dependency of the recent version. For older Puppies, some compiling or building would be required. The only older version dates to 2018.
Maybe not so hard after all. I'm currently running bionicpup64 having packaged dooble as an SFS. Dooble is structured to run from and has packaged a lot of Qt5's in /opt using a wrapper in /usr/bin. The wrapper directs using those libs in a slightly different way, I think, than I'm used to. It will, however, either have to be run as spot or with the 'no-sandbox' argument. Might be easier to rebuild as a portable ala Mike Walsh/fredx181.
Just commenting to say that this is one of my favourite forum threads (albeit not much posted to it recently). rufwoof at his best here really, with lots of interesting and thought-provoking ideas. Similarly for mikeslr. My own take on logging in and operating as root is that I still am daft enough to do it often, but I think it is a crazy thing to do really and I am slowly moving away from that practice (and I never do it when online banking despite never having had any troubles thus far). Fact is, I do not find it particularly less convenient to login as a normal user; certainly a nuisance if using full Ubuntu, who make sudo use a real pain, but I don't use full Ubuntu so don't have such an issue.
Also up there amongst my favourite to read threads is:
Run an Almost Invulnerable Puppy
viewtopic.php?f=151&t=444
Not because of Puppy usage matters, since I don't myself use that, but because some of the posts discuss more general use of layered filesystems and save persistence in frugal installed systems more generally very well (albeit with Puppy aufs usage as an exemplar). Actually, some of the old Puppy documentation on how it works seems to have vanished more generally (at least I don't know where it is, and last time I checked the only description I could find was on Puppy Rus page, which my chromium browser kindly translated into English for me...). Union filesystems (and Copy On Write methodologies) have been around for many decades of course and not difficult to understand how to manipulate layers and save persistence mechanisms once you get your head round the basic principles (much like layers in graphics programs really...). rsync is certainly a quick/efficient utility for copying only those items that have changed, so I also use that all the time in practice.
https://www.tinylinux.info/
DOWNLOAD wd_multi for hundreds of 'distros' at your fingertips: viewtopic.php?p=99154#p99154
Αξίζει να μεταφραστεί;
@wiak I feel like it really doesn't matter if root or not. You can be any user and the dangers are the same. SUDO sucks across the board...any distros that forces me to be another user then requires admin level permissions for half of the operations I do BITES.
I personally use the most powerful of the non-root users in Puppy Linux...who exists in every single one of them : webuser:webgroup. Probably included in every Puppy since version 1.0 that has Hiawatha built in. Why I couldn't stand Windows from version 1.0 on upwards. Reminds me of Time Sharing on mini-mainframes like the PDP-11 and the RSTS/E and VAX/VMS from the 70's and 80's. Login Logout, Login, Logout..........wax on wax off....paint the fence......
Web servers, MySQL servers, mail servers.......permissions SNAFU here anywhere is problematic and creates unexpected results on occasion.
I bet the guy who triggered the successful ransomware attack on Colonial Pipeline wasn't logged in as the root user.
What if they are using Puppy Linux to avoid paying Microsoft?! Heh. And next to each computer there is a shaggy shepherd dog and a sentry with a submachine gun and he repeats to the operator "do not open incoming mail, do not open". It's cheaper 
PS. From my post it is not clear how then operator was able to mess things up. The guard just turned away to feed the dog(he is very kind). And operator clicked where it shouldn't
Fossapup OS, Ryzen 5 3600 CPU, 64 GB RAM, GeForce GTX 1050 Ti 4 GB, Sound Blaster Audigy Rx with amplifier + Yamaha speakers for loud sound, USB Sound Blaster X-Fi Surround 5.1 Pro V3 + headphones for quiet sound.
I've always been, I guess, priv/sec concerned. I remember MySpace, and the millions that put their personal creds and numbers on the web WITHOUT ANY SECURITY. Even the signup was not secure (or even https). Since then I've seen many years of bad if not evil behavior of these 'soc-med' sites. Just a bully with coin in pocket. And no one has the cojones to pull their plug. Nope, all this pol-rant and election-rant, a run on the Capitol itself, and no real penalty.
When it comes to OS's theres not one outside of Linux I would trust. Unfortuneately, even some Linux distros are trying (too) hard to be like their 'big brothers'. Browsers seem to fade into OS's these days, with even simpler configs taken away from the end-user. And none of them OOB are worth their weight in salt sec/priv wise.I don't mind some work with this stuff, but editting 400+ lines of config is not for everyone, and a lot of it is phone-home or phone 3rd-party. Why is there developer stuff packed inside the DEFAULT browser? I'm an end-user, not a webby.
Frankly, I'm tired of the 'memory is cheap' attitude... if its so cheap, why does my experience slow down? Its a false arguement, almost non-sequitir. The less time needed, the less total bandwidth, and cost... and bandwidth is the real demon in the details. Just because I have X-Gb memory, that doesn't mean it HAS to be filled, NO it should be conserved for personal storage, and mathematical functions like security cryptos. This is true of OS and browser, the two major components.
At least at Puppy Linux, there is a chance at a good mix of small footprint, decent seurity and a choice of options, something that other major OS's are trying to or basically have already removed.
8Geee
Money talks... no, it shouts, so that it doesn't have to hear common sense.
Re: The Illusion of Privacy/Security using ANY Web-browser
This is a different slant more towards obsolescence...
Security and privacy should never be made obsolete. I understand that things like Spectre/Meltdown caused/causes major disruption in the OS/Browser, and indeed the CPU/MPU/SoC. In this case the overhead 'short-cut' had an ultimate price in security. However, I find major websites updating, and making obsolete 'default-standard' codecs such as mp4, mp3, aac, etc. Nothing IS really unique. Just monetization by bloatware. Even in Linux-land we are forced to use apulse, GTK3, glibc2.33, and their numerous dep's. And woof-CE HERE has basically obsoleted 32-bit, by lack of support. The latter is rather unfortunate, as the most secure chips are 32-bit ARM and intelAtom 1-2 core. A few ARM 64-bit are also good if based on the Cortex A53/55.
As we know in Pupppyville, mess with glibc and its the devil to upgrade. Browsers have done this as have websites. Thats not to say that glibc 2.10 is all thats needed, but having to migrate through 2.15, 2.17, 2.20, 2.25, and 2.33 gets beyond the scope of the kernel itself. And the real problem is incompatability between the versions, AND multiiple versions needed in some distros. So whats old and works just fine gets replaced with newer and not quite ready for the sake of basically two major functions in Linux. Its ditto for GTK2/3. I recall the schemes used for backgrounding the web, cairo, canvas, skia, etc. Canvas is just a monetization grab, and Google for one uses it to pilfer your whereabouts, and habits. Skia is just a repair job. I could say the same for WebRTC. But 'we gotta have'em' or our favorite websites kick us out. More bullying.
As I mentioned in the previous post if memory is so cheap, then the developers of these Browsers, OS's, and websites can spend little, and support some default settings, or even downstream sec/priv needs for older versions. In linuxland, thats not too easy as most of the work is done by volunteers that care, or want to keep indivual choice alive and well. It seems quite clear this is not the objective of major OS's and websites, and the browsers needed. Free hasn't been free for quite some time on the web, if not from the beginnings in the early 90's. And it broke once. Freedom, privacy, and security are more like necessary evils today as opposed to basic standards. Lets hope these three things do not become obsolete.
8Geee
Money talks... no, it shouts, so that it doesn't have to hear common sense.
Note that with google-chrome browser, ctrl o (letter o) opens a file - from anywhere on drive, even if under run-as-spot.
As can Ungoolged-Chromium and dissenter-browser and Mike Walsh's Google-Chrome.sfs.
Mike Walsh's Google-Chrome.sfs located the entire Google-Chrome folder in /home/spot.
I used that as a template for running dissenter-browser as spot.
However, I also tested Mike Walsh's Chrooted Iron. Using nic007's Utilities>Save2SFS I built a Bionicpup64 without a SaveFile which boots from sdb1, the first partition on a USB-Key. After booting, the Chrooted-Iron was SFS-loaded from sdb2, choosing the 'no-copy' option. So only sdb2 was mounted. [At the time of building, I didn't know that even mounted partitions were not accessible: so the OS and the Web-browser SFS are on different partitions.] sdb2 could not be unmounted without rebooting: Notice received that the 'file in use' was the kernel 'do I want to try to kill it' 
.
With the Chrooted-Iron opened, I executed a ctrl-o. As the attached screen-shoot reveals, although ctl-o "functions" it does not see any mounted partitions.
.
[Posted using unchrooted-palemoon to avoid having to copy/move screenshot to Chrooted-OS.
Will check if it can see any files on the 'base-not-chrooted' OS can be seen after breakfast].
Am back. This is by no means an exhaustive exploration. But AFAICT, chrooted-iron could not see beyond the chrooted OS. IIRC, /mnt is actually a symlink to /initrd-something. And occasionally some other folder serves as the mount point. Chrooted-iron>ctrl-o> only shows proc and pts folders [all of whose files were dated 2017, and thus part of the chrooted xenial and not bionic], and 'Computer'. Selecting Computer, reveals no /media folder; in fact, no initrd folder. All folders under /cont/mnt were empty, including /ram. Filing-browsing into the /tmp folder showed it also to be empty. The folders the Chrooted-iron find files in --such as those in /cont/opt from which portable-iron was launched-- are all parts of the Chrooted-OS, which exists only in RAM.
p.s. Using Mike Walsh's chrooted iron as a template I built a chrooted firefox-esr; actually just added portable firefox-esr to /cont/opt and used modified versions of the files Mike and watchdog developed to call it. chrooted-firefox-esr produced the same results.
Do be aware, however, that IIRC, rufwoof noted that this chrooting technique still permitted 'finger-printing' and had some other blemishes. I haven't taken the time to hunt-for & provide a link to that post --please do in replying-- as I'm unaware of any better and easier system using 'Puppys*' with the exception of EasyOS. See the privacy aspects which can be undertaken in building the chrooted-OS.
Perhaps EasyOS with a containerized OS running a web-browser. See attached EasyOS GUI for creating Container.
-=-=-=-
* I'm not suggesting there aren't or couldn't be. But my background isn't in technology. It's in 'sales'; albeit as a attorney the question was 'What arguments can be sold to juries and judges?' The reason for any computer's existence is to facilitate doing real world activities; preferably safely. "If you build it he will come", Field of Dreams. But don't ask him to devote a couple of years learning how and then build it.
Barry K's EasyOS and MIke Walsh/watchdog's chrooted browsers are 'plug & play'. If your computer has sufficient ram and adequate CPUs, a 'newbie' can do it. And my suspicion is that includes most computers sold in the last 5 years +/-.
@mikeslr :-
Just been taking a gander at your earlier recommendation, Mike - Dooble. It's gonna be a pig to turn into a 'portable'.....at least, in the normal way.
It's using a weird mix of Blink & QtWebEngine, built around the very newest Qt5 (5.15). This is newer even than Fossapup uses, and it bitches about multiple versions of Qt5 being found, and how this is NOT allowed. It can't "see" the 'xcb' plugin, even though it's staring right at it. The display, well; it uses Google's Material Design icon theme; the hamburger Menu is reminiscent of pre-Quantum Firefox, and the 'New tab' thing is reminiscent of SeaMonkey!
I'll keep playing around with it, but, er......don't hold your breath. This is where my lack of coding expertise shows, y'see; Fred, stemsee, Mochi, and a few others.....they're the guys that'll be able to make this work in portable format, if anyone can.
Posting from it now in Fossapup, installed via the .deb package.
T'other Mike. 
Puppy "stuff" ~ MORE Puppy "stuff" ~ ....and MORE! 
_______________________________________________________
Mike, not even I use dooble. Too great a learning curve. Read the additions to my last post, edited while/after you posted. I don't think portablizing dooble is worth the effort.
If you've got the time and interest I think further development of chrooted web-browsers would serve a broader market.
While the computer I'm posting from employs an Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz --which might effect efficiency-- and has more RAM than I know what to do with, with both palemoon (from which I'm posting) and chrooted firefox-esr running, the actual RAM usage, per pupsys-info is:
Memory Allocation:
Total RAM: 15904 MB
Used RAM: 2543 MB
Emphasis supplied
Free RAM: 13361 MB
Buffers: 36 MB
Cached: 1674 MB
Total Swap: 0 MB
Free Swap: 0 MB
Actual Used RAM: 833 MB Used - (buffers + cached)
What computer sold in the last 5 years doesn't already have or can NOT be outfitted with 4 Gbs of RAM? I would think that any computer with 4 Gbs of RAM could run chrooted web-browsers comfortably.
With that thought in mind:
(I lacked the computer skills to even figure out why) I was not successful using EasyOS's GUI to build a containerized OS. But Barry K has published several. My exploration suggest that they can serve as the /cont folder in your chrooted web-browser. Before the update, I used xenialpup_xxx_amd64.sfs from here, https://distro.ibiblio.org/easyos/amd64 ... tu/xenial/.
However, I don't know if so used they will loose the security/privacy enhancements obtained during their creation. So, a more ambitious project would be to figure out which systems and folders could be removed while customizing a puppy_xxx.sfs for use as the /cont folder. What systems and information are actually required for a web-browser to run? Web-browsers' violation of security and privacy, after all, are the primary reason for not just running them as /root.
Still, as the previous post suggests, AS-IS, your chrooted Web-browser and technique does a good job in protecting information not within the /cont folder. 
And let me re-emphasis what 50 years experience 'in sales' tells me: If you build it --plug & play-- and advertise its existence-- 'people will come'.
Approaching the issue from a different direction, a containerized OS under EasyOS can't mount SFSes. But pets can be installed and any of your portables can be run from /opt of the containerized OS. So a pet to locate the portable in /opt and create menu entries would work. [My recollection is that running as them as spot also works as the containerized-os has /root/spot and /home/spot can be created].
The illusion of privacy/security is not just in browsers but in the home too. I know this for a fact because I am also a "handyman" (I can repair various home stuff) so with this knowledge I know that the home locks are an illusion of security because of many reasons...
One being "bump key"...
And also that the lock itself locks on a 1/2" piece of wood trim that you can kick open with your foot. lol I know this because I have repaired many from a boyfriend kicking the door open to her girlfriend house/apartment...
Not to mention that a window can be broken easy rather than going through the door...
regarding browsers, I am thinking why are they "FREE" but yet make millions of revenue? so it is advertisement...
There is an opportunity for a company to sell a browser and removing all of the advertising stuff? probably