A protracted war between authors of two of the most popular add-ons for the Firefox browser has prompted calls for changes in the way extensions are written, after one of them admitted he added camouflaged code that disabled features in the other's program. In a heart-felt apology posted Monday, Giorgio Maone admitted that he …
All I know is that in the last few weeks,
Firefox has been unstable as heck for me. There's one site in particular (work-related open-source project) that, about 10-20% of the time I visit it, Firefox crashes -- and this started after I upgraded a bunch of plugins. Mere correlation? or cause?
So yes, effing well cut this crap out. Software's buggy enough without this added nonsense.
Nerd Fight! After School Behind The Gym!
Disgusting turn of events, hopefully some oversight @ AMO will keep this chit from happening again. Read G's apology, I'll accept that. Where's Wlad's apology? I trust(ed) both for my Intertubes security, will be losing the ABP if it turns out he's just another prima donna programmer who can "do no wrong".
Mine's the one w/ the bulls-eye on the back.
Uninstall both, try RequestPolicy instead.
It won't protect you against malicious scripts on a website, but it blocks ads and 3rd party scripts.
Better security and far less annoying than NoScript.
Works for me - mostly. More stable than Safari or I.E., certainly. Main reason I use it is... NoScript and AdBlock. Until other browsers have similar functionality that allow me to control what gets onto my desktop, I'll probably stay with Firefox. I hate, despise and loathe flashy adverts, and that seems to be the only kind that the insane running the asylum seem to understand. I occasionally try to surf with other browsers, and very quickly retreat behind my NoScript/AdBlock shields again to avoid the headaches caused by the epilepsy-inducing CRAP that the fucking morons want to spew at me.
Firefox addons....security nightmare
This is something I've never understood with FF addons. The hardcore FF fan bois bleat on about how secure their beloved browser is, yet to enhance it (and this is apparently what makes FF so great) you get to install 3rd party addons that you have absolutely no idea what they are doing. Sure it says it's going to block some flash adverts and make you a hit with the girls but what's it really doing.....? Opening up some lovely big security holes? Skimming your contact list for juicy email addresses? Who knows.....?
But that could never happen because it's all been vetted by some Mozilla flunkeys who approve addons and they never let anything get past them......oh hang on..... No wait they've got that covered now "..... each add-on would have to explicitly spell out all changes it makes to any other add-ons." A malicious code writer would never lie would they!
Or how about just host your crummy 3rd party addon away from Mozilla. Who's going to check it's been certified by Mozilla? A large majority of users, who FF are trying to aim at, will go "Oh wow! This addon changes every occurrence of the letter "P" on a webpage into an animated GIF of an ejaculating penis! I must have this addon!" Great they now have penile websites and a whole truck load of malware too. Hooray the great security of FF
Ego wars? In my Browser?
I'm sorry, but This Story Must Be Wrong (tm)
Everyone knows that open-source software authors never ever do anything bad or mean or stupid, unlike icky old profit-driven Microsoft. Therefore This Story Must Be Wrong (tm).
Well, good for Giorgio to change his attitude and understand just how egregious and untrustworthy his actions were. As of last Friday he wasn't so willing to admit that anything he had done was wrong, and I'm glad to see he's now putting personal responsibility before his ego.
Here's hoping NoScript users and the Mozilla community give Giorgio another chance. We all make mistakes, and I give him full credit for publicly admitting what he did was wrong.
>"Oh wow! This addon changes every occurrence of the letter "P" on a webpage
> into an animated GIF of an ejaculating penis! I must have this addon!"
You could charge money for that. It'd sell.
"a bunch of plugins" might be the problem. Turn all the extensions off and see if it still crashes. This could be a good argument for requiring more disclosure of what plugins do, to help prevent conflicts. It's not a new issue; pre-OS X Macs had extension conflicts and installers that didn't version-check before overwriting existing ones, and Windows users have suffered through the similar 'dll hell'.
but while they were squabbling ...
Peer Guardian kept on blocking. Thanks, PG.
El Reg, you need a middle digit icon.
It's true alright, but all this story demonstrates is that developers are human.
Oh, and if the source code is available others can find out any nasty little surprises an application might have.
>Palant has yet to admit that it was probably a bad idea for Adblock Plus to disrupt NoScript updates.
No one should download extensions from a web site direct, they should be downloaded from AMO direct, cause anything else wouldn't be *secure*.
As another user on a different forum has said:
"1. NoScript quietly added a whitelist subscription to AdBlockPlus to enable supporting ads on the NoScript site. That was sneaky, underhanded and despicable. 2. NoScript _patched the AdBlockPlus code_ to enable supporting ads on the NoScript site. This goes _way_ beyond the pale. One plugin modifying the code of another."
AdBlock was blocking Advertising D'oh.
NoScript was hacking AdBlock!!!
The good guys and the bad guys are easy to see if advertising doesn't pay your wage.
Can't blame the guy...
Can't blame the guy for being pissed that someone else's plugin is preventing his from working properly. Petty bullshit though. Think I'll stick to my NoScript/Proxomitron combination. It blocks 99% of the garbage on most sites.
Are not firefox plugin xpi files just zip files so that you can see the code within?
What's that? Oh...it's just Paul Barnfather, Andy and Mike Powers chirping out of their butts about what they can't fill a postage stamp with regarding browser security *yawn*
Yes of course this is a stupid little spat between OSS developers, but who the fuck are you lot to judge? Both NoScript and AdBlock have a long record of producing quality (as judged by the community, not some bean counter in Redmond) plug-ins that make a mass-market browser even more superior in comparison to its main (proprietary and standards-busting) competitor. In other words they've actually done something worthwhile for the rest of us. So: STFU.
To the matter in hand...I'm not really interested much in who did what when - nobody's perfect - the fact is that as one of the biggest (and fastest growing) on-line threats is legitimate websites that have been compromised, NoScript is important while AdBlock is just nice (yes I know - ad streams can be poisoned before some pedant points it out - but that's a less significant threat). So let's hope these two patch things up, but if they don't AdBlock is on a loser as it's just not as important as NoScript.
Everyone makes mistakes from time to time - perfection is to be striven for, but likely never attained. What differentiates the good from the bad is how one deals with one's mistakes. To accept the blame and work diligently to rectify the situation speaks of someone who is of the former rather than the latter class of person. Now, if everyone concerned will just take a breath, communicate, and figure out how to deal with the natural conflicts in a way that benefits all users of these add-ons, then we are all the better for it. FWIW, I use all of the mentioned Firefox add-ons except NoScript, which I stopped using a couple of months ago because it was causing the browser to hang too frequently.
agreed: William Boyle & Ian McNee et al
Nobody's perfect & at least one admitted their mistakes. Credit where it's due.
Problem lies deeper and I've said it before & say it again here because it has to be worked out - ads support sites. Without ads most sites will fail. Ads are scummy but if we remove them then we *must* have an alternative.
The only one I can think of is obligatory micropayments (for sites, and for services such as adblock)
That or a deeply impoverished web effectively owned by the big business that can exploit it.
That's my take but there are likely others. Let's hear them. It *has* to be worked out.
I really don't want to propose iPhone Style Censorship, but existing model shows that something is not working as it should .... maybe "certified plugin" where certification comes from community would work
the honeymoon is finally over
Yanno, I expect petty shit like this from Microsoft or Google. How sad.
@raving angry loony
Konqueror: Settings->Configure Konqueror->AdBlock Filters: Block all ads, or block ads by source.
You can also use a user style sheet to fix the colours and layout of ugly websites, turn all cookies into session cookies, not install the flash plugin, change the browser id, and do all sorts of other fun things without using any plugins.
Re: I'm sorry, but This Story Must Be Wrong (tm)
I can see that you are confused here. But I can help. Open Source is perfect. However, some coders do lose their way and become unfaithful to The Revolution. A little re-education is all that is needed in this case. But I remind you that your criticism of The Revolution is even more dangerous and will be dealt with promptly.
Source argument (again!)
"Oh, and if the source code is available others can find out any nasty little surprises an application might have."
It's amazing how often this type of argument is trotted out, along with the if you don't like it you can change it kind of thing - the vast majority of people using firefox or anything else have no clue whatsoever about programming, nor should they need to. If any software actually expects users to do this, then it is simply not ready for mass market. I take it anyone that follows this of course will never, for example, use their own car unless they can take it apart piece by piece, understand exactly how every component in it works and then put it back together again (in a way that works)
Don't get me wrong, I love linux and firefox, but this sort of attitude is one of the things that holds back adoption of these platforms. Until there is a realistic understanding that users simply don't know, don't want to know and don't care about how something works then that will continue. If something doesn't work quite right on windows/mac, then users will generally either look for an alternative or wait for an update. If they got responses from telling them that if they don't like it then it's up to them to make the changes then they will just run away from that as fast as they can.
One other key point about this story - as the code was written in such a way to hide it from other developers, a casual glance by most people would not find anything anyway: "The code, which was obscured so it wouldn't be noticed by people who maintain the Adblock filter"
@Firefox addons....security nightmare
Andy, I think I speak for everyone here when I say this.
Granted you haven't stated if you hate macs and Jobs as well. But you put together a nicely worded rant against FF and OSS. You could feel the aggression level rising with each sentence. Also I have no idea if he is still here, personally I don't think so seeing as I haven't read anything from him in a long time. But I nominate you for the title of Webster Phreaky the Second :)
But I do agree with you 100%
I operate a blacklist for ads
I'm OK with ads on a website - especially on topical sites they sometimes do show me something I'm interested in, and it's good they benefit for showing it to me.
However, I have absolutely zero mercy for ads that get in my way. Ways to get on my banlist are:
- resizing my browser. I scaled that browser for a reason, so thanks for f*cking it up
- playing music the moment I land on the site. First, a home page must be as small as possible, secondly you may make me disturb a quiet office. It's the same reason I disable all the logon and startup sounds from Windows - I'm not paid to advertise for them, thanks.
- popup and especially popunder: it means I have more to close and you get in my way.
- flash based home pages and overlays. Apart from the fact that it slows me down, I have yet to see any flash animation (and navigation) add something sensible to a site. An exception are (for me) fashion sites which are all about design and specific layout. And even there it's very annoying, pretty as it is. They're not all as talented as the Tokyoplastic guys with their drum machine.
- fronting videos with ads. This is one that caused me to stop using BBC - fronting the video with an ad without the ability to skip it. Although it's quite lovely (in a sarcastic way) to see a major airline flaunt its stewardesses just before you then get the video of a major disaster zone, it slows things down. I have patience, but not for ads (a reason why I have stopped buying especially Disney DVDs as well).
As for installing a covert bypass, WTF? What happened to talking to each other, privately as well as via forum? The guy has ruined the most precious thing you can have as a coder and human being: trust. Mea culpas come AFTER the facts, how could a user be certain he won't do this again some other time? More to the point, how come he could add code without the segment showing up as owned by someone else (and thus flag it for attention)?
We all make mistakes, but it will be a long time before someone trusts this guy again. That was a heroically moronic thing to do.
This explains a few things
Recently FF3 got very unstable for me to the point of being unusable and it caused me to spend many hours trying to resolve the problem. In the end I had to vape my system and restore entirely from a disk image I made some while back.
The problem was extension settings were being continually lost, preferences were being forgotten and my password database was being deleted.
I was unable to specifically pinpoint the cause of the problem and it continued to afflict my system even with all extensions removed, but I had a feeling that it had something to do with NoScript or Adblock Plus. Sadly, I was unable to prove it and therefore was unable to mention this at the MozillaZine forums where I was getting a lot of help.
In the end a system rebuild was required, which I could ill afford the time for.
I suspect that somehow my system integrity, and more specifically that of FF3, had been compromised.
It's a very very poor situation for Mozilla to find themselves in and the individual extension author ought to be ashamed of himself. I won't be using his add-on any longer despite the benefits it presents.
I use AdBlock and:
1) I am not a freetard.
2) I take showers.
3) I am not a hippie.
So, to summarise: 'Work it up your dirtbox, Michael'.
Good points, well made.
@andy / @robert
>>"Oh wow! This addon changes every occurrence of the letter "P" on a webpage
>> into an animated GIF of an ejaculating penis! I must have this addon!"
>You could charge money for that. It'd sell.
I'd pay good money for it to be installed on the mother-in-laws computer...
I'm sure most of t'internet users would agree that non-invasive text adverts are fine.
But the ones that overlay adverts, blocking the actual site content (and even those that rearrange the text so it is disjointed and badly laid out), and those that constantly flash are worth blocking. Anyone that needs to grab that much attention isn't selling anything worth buying. There's a reason why I'll never visit Ryanair's website (aside from the naff service and hideous colour scheme of their flights).
Would you like it if when you opened a print newspaper someone kept putting a take-away menu over the article you were reading until you visited the restaurant? Ok, so not quite so inconvenient to close the ad, but the principle is the same.
Unless advertisers and content providers realise this, I'll continue to block ads.
Clearly NoScript is in the wrong. The Adblock guys were just making their extension do what it's supposed to do, but he was making his extension directly attack theirs. It is concerning -- and bad publicity for Mozilla, since it demonstrates that extensions are not sandboxed in any way and *can* interact with each other, even if they usually don't, because most developers have ethics.
But you don't need an "extension" for blocking unwanted content. Get a list of the real low-lifes and put them in your Hosts file. Then you won't have to look at their trash in *any* browser.
And Safari users should try this nice little Flash-blocker:
There's one detail that's kinda been glossed over, here. ABP is more or less a two-part extension - the ABP extension itself and the EasyList filter set that's typically used with it. These two parts are maintained by different people, and EasyList recently got a new maintainer after its original maintainer passed away.
The escalation was mainly between EasyList and NoScript, though I'm pretty sure ABP's maintainer was aware of what was happening on some level. It seems EasyList's maintainer got a bit ham-fisted in his attempts to block NoScript's ads, causing some non-ad parts of NoScript's websites to be blocked. AFAIK, though, these weren't active for very long - Giorgio (NoScript's dev) himself noted that EasyList was being updated around 5 times a day at one point.
Still, from a user's perspective, it was NoScript that crossed the line. Ham-fisted or not, EasyList was doing exactly what the user installed it to do - block ads. Giorgio decided to covertly sneak in and subvert other user-installed software to achieve his goals. He markets NoScript as security software, which generally implies a greater level of user trust than with more general-purpose software like ABP.
NoScript can 'fix' its code quickly. But this breach of user trust can't be fixed as easily.
Wladimir Palant apologise? Why should he?
His add-on is there to block adverts. Someone goes to extreme lengths to allow their adverts to get through so he takes extreme action in return to prevent them. That seems fair enough.
If someone else's business model for supplying their add-on relies on adverts then that's their problem. Almost any business relying on getting their adverts through can claim it's essential their advertising is seen and will do whatever they can to ensure they are seen. That too is fair enough in a dog-eat-dog world.
So it's a war of attrition, like the battle between those who impose DRM and those who try and circumvent it. Bottom line; state of play in the world, much the same as it was yesterday.
I decide what goes on my screen, not you.
This is one of the reasons why I distrust nerds. I fully understand why the US government had to keep all those WW2 nuclear scientists under armed guard. Nerds lie and obfuscate, and do things behind our backs. They are angry with society for spurning them, and so they set out to dominate a little part of the world from the safety of their bedrooms. They have a self-righteous rage, and an inflated sense of their own importance and worth. They are secretly plotting against us, and this little spat is further proof of that. They have to be watched and corralled.
So much anger... Or is it envy? Not to worry, IE is getting plugin support.
I'm taken by your implicit trust in commercial software vendors, considering their stellar track record in violating privacy, selling snakeoil and general ineptitude.
The reality is that zero day exploits appear for all browsers and traditional AV products are useless against them and of limited use in general. Disabling scripts is the logical action.
Well, let's see ... my computer, my money, my connection, my, my, my ad infinitum. But, that being the case, it's also my decision. And that being the case I choose to block, well, whomever I choose to block. Those sites that can't make without putting ads on my desktop just can't make it and they should be gone... let 'em die. One thing's for sure, if it's an idea worthy of existing as an internet site, some enterprising person will make it work no matter how I choose to operate my geeky possessions in my home, using my equipment, using my electricity, blah, blah, blah.
If you feel you have an obligation to keep the cyberworld afloat via your geeky possessions then more power to you. As for me, I'll do it my way. After all, I'm the boss of me.
.. end ..
I stopped using noscript when I found that even when I turn it off, it still breaks sites. I distrust software which doesn't have a working "off" button, strikes me the developer thinks he knows what's best for me, more than I do.
Regards ad block plus apologising, I don't see why they should, they're just following their remit to block advertising. Noscript's site was allegedly carrying the famous "You have a virus, install fake-av-which-asks-for-money" style adverts, which included pop ups.
... I thought 'Oh shit, this gives ammunition to "open source is open to abuse" brigade' and then I thought what actually happened is that somebody tried to use a hidden function to gain market advantage, he was caught, lost credibility (the currency of open source work), and the code was quickly removed.
This happens all the time in the proprietary closed source software industry - except for the getting caught and fixing it part.
Whoa, chill out man.
NoScript and AdBlock are pretty wonderful. A little criticism and/or competition isn't going to do them any harm.
My problem with NoScript is that once I've enabled scripts on a page, I don't seem to have much control over what they actually do (and what sites they connect to). RequestPolicy gives me some of that control, which is the reason it is worth a mention. It also works fine with NoScript, if that's important to you.
ABP already inserts its own whitelists
This spat has prompted me to take a closer look at the ruleset actually installed by EasyList (the default ABP subscription). Hello, there's a reasonably large section devoted to whitelisting sites, some where blocking ads would presumably break the content, but others just seem to enable ads for the sake of it. I wonder what it takes to get on the EasyList whitelist? I have no doubt that there are some larger sites who'd pay good money to know that their ads won't get blocked.
Maone did some naughty things, but he's confessed and apologised. Palant and Ares2 seem to be playing a game that's a bit more sinister though.
You have merely re-stated the essence of the software problem.
The ultimate question is: whom do you trust with your data?
It has been a problem since Adam was a lad (or in IT terms since Ada was a lang...)
Yes, yes, the one with the wiring patches in the pocket, please...
"the vast majority of people using firefox or anything else have no clue whatsoever about programming, nor should they need to."
Actually I think you are completely missing the point. Joe Public maybe can't look into the guts of software that he uses, but the people that can, do. That sort of thing is called peer-review in other disciplines and it goes some way to freeing software from having fatal flaws suppressed for marketing reasons. Binary-only software is Thalidomide.
Ads? I think not.
Sorry to disappoint everyone, but I will cheerfully continue to block ads from websites, skip them in television, throw out the circulars I get in the mail, and hang up on any and all telemarketing calls. I too practice good hygiene and pay for (at least most of) the things in life worth having.
I wouldn't be so adverse (no pun intended) to viewing ads if there were some standards and/or rules to delivering them. I don't want to see an idiotic blinking ad stealing my attention from what I'm trying to read or watch. Do the marketing fools that generate these think they make their product stand out? Any product that advertises in an annoying fashion immediately loses points and most of its desirability to me by being displayed in this fashion. This goes quadruple for TV ads that have twice the audio volume of the program I'm watching, and anyone telemarketing anything.
If there were rules that advertisers were forced to follow, I could and would tolerate ads, but by being as annoying and intrusive as possible you guarantee that I'll go to the same lengths to block your idiocy. Most of us wouldn't hang around with people that are like this, why would we subject ourselves to it in any other portion of life if there's an alternative?
Re: Ads? I think not.
Obligatory "Ultimately I only have a job because of ads and so if everyone blocked them I would be on the streets with my dog and he's not really the street-dog type although in theory he would be quite charming and possibly bring in some decent wedge but still let's hope it doesn't come to that eh" comment.
@James O'Brien @foo_bar_baz
@James O'Brien - Yeah, it did get a bit ranty. To be honest it was just a bit of being tired of being told how wonderful FF is and how secure it is. Then opening up a big hole by saying "Hey plug whatever you want in here." Now don't get me wrong plugins for additional functionality\customization are nice, but this is what everyone's been ranting on at Microsoft for years for by letting 3rd party stuff mess with your installed apps. To be honest FOSS, Microsoft, Apple, or whoever all make imperfect software to various extents. When it falls to the point of having the user clicking to install something there's nothing anyone can do.
@foo_bar_baz - No, certainly not. As I say above no one makes perfect software. Whether companies or individuals have their own agenda or the software written is bad or intentionally malicious then I wouldn't give my implicit trust to anyone. This was more just a bit of dancing around after being told how holy FOSS. Bottom line is FOSS, Microsoft, Apple etc are all run by people. People are all governed by their own interests. Their interests may not match yours all or any of the time.
BTW the ejaculating penis GIF "P" substitution is my idea and I retain all rights to it ;p. There's obviously money to be made there :o)
"Regards ad block plus apologising, I don't see why they should, they're just following their remit to block advertising. Noscript's site was allegedly carrying the famous "You have a virus, install fake-av-which-asks-for-money" style adverts, which included pop ups."
Um, no, he had three Adsense ads. If what you say was on there actually was, then Google is to blame or someone/thing has redirected Adsense to something else on your machine (physician, heal thyself). Either way, Giorgio isn't responsible for the content.
I'm not defending Giorgio's actions, although I am shocked at the way he's been savaged by people who one minute thought his plugin was essential (it is. There are so many holes in Fx - all software sucks - that you have to mitigate at least the simple to implement attacks between updates) and the next thought that whitelisting his domains so the install and changelog links worked made him the antichrist. Ares2 has admitted, on NoScript's own forum, that Easylist was, perhaps, a little too zealous and that those problems existed with the links. No, the hyperbole and exaggeration coming from the detractors is getting a little ridiculous and fail-worthy now.
And you can bet your Moon Macrosystem (still giggling, you bastards!) that Giorgio's code is going to be audited by many, many eyes for the foreseeable. Accepted, most users aren't code-monkeys, but there are a fair number (what's 0.01% of a metric arseload?) who are. NoScript may even have its trusted status removed and have to sit in the sandbox for approval in future. AMO has already noted this SNAFU (how could they not with all the torches and pitchforks?) and made some policy changes.
Saw some really clever folks talking about forking NoScript, a very ambitious project that I wouldn't contemplate taking on, and asking all and sundry where the code repo is. There must be one to comply with the GPL, apparently, but the code was nowhere in sight. Christ on a bike, these people are so smart! I was so impressed...
And the winner is........
These two bruisers have been needling each other for quite some time now as you can see from this example on Maone's website.
Typically, the Italian Stallion issues a sincere and gracious apology to all the users of his software while the Russian Bear sits sulking in the woods because the frailty of his programming has been exposed. Hopefully the outcome of this childish feud will be that Wladimir strengthens the defences in his extension and Giorgio sticks to trading insults rather than sabotaging other people's code. If that happens then all 'Fox users will continue to benefit from the tranquil surfing experience of Adblock and the enhanced security of Noscript.
As others have indicated, the real bad boy on the block is Mozilla who have consistently failed to address the problem of extension validation and integrity. You would think that with all the Google money swilling around Mozilla at the moment some attention would have been paid to the elephant in the room.
What a shame that there is no sign of anyone picking up on the fundamental problem here - Adverts pay for hosting. Very few sites get enough ad revenue to actually make serious money, but equally few could survive without it, and in that sense, both AdBlock and NoScript and their ilk are ultimately self-defeating.
Both Google and Mozilla itself depend on advertising, to pretend that it is only Microsoft, Viagra and Big Business that benefit from advertising is patent nonsense.
@AC: "I wouldn't be so adverse (no pun intended)"
No pun delivered, either. The word is 'averse' (with no D).