Firefox users are howling that a widely-used browser add-on designed to protect them from unwanted cookie tracking has been automatically updated with what they see as overly intrusive "bloatware". On June 14, after it was acquired by a software outfit known as Abine, a new version of the TACO behavioral-ad–blocking add-on was …
If they wanted to promote their tools they could have popped up a 1-shot welcome / advertorial to that effect. Conning people into install things they never wanted is just low. Not just regular people, but those most likely to be riled by an intrusion into their privacy. I'm glad to see the project has almost instantly branched. I hope Mozilla get in on the act and suspend the orinal add on before any more damage can be done.
Anybody who doesn't check and manually authorize updates is a fool.
Re: Auto update?
"Anybody who doesn't check and manually authorize updates is a fool."
We did manually authorize the update. There was nothing to distinguish it from previous updates to TACO. Previous versions simply updated the opt-out cookie list.
This update, while having the same appearance as all previous updates, instead pulled in a whole bloatware suite.
Not a brilliant way to establish trust on the part of Abine.
Re: Auto Update?
Wot spatulasnout said.
In fact, the TACO 3.0 update (because that was how it was presented, no mention of extra code, nor even addon size) came out rather earlier than this week.
I binned it two weeks ago. Going to give Beef a try.
muttermutter small screen don't want it covered with popups and extra toolbars and other crap.
You really do deserve it.
You think that manually approving an update means reading the release notes? Ha. If you're talking multiple computers then you test the updates, a VM is useful as a testbed. If you only have the one computer or maybe a couple then you probably don't have a dedicated testbed. So what you do is wait a few days for other people to test the update for you, keep your eye on the relevant forums to make sure other users are happy and there no major problems.
Sorry, but to do any less is to invite problems. You'll be telling me next you have Windows updates set to download and install automatically...
Sorry, but this sort of holier-than-thou attitude irritates me no end. The majority of people, including those such as myself with an intense interest in software, whose core function is not that of test applications for deployment on large corporate networks, do not have time to research each and every software update. Yes, we have Windows auto-updated, because it's the only realistic option for us in terms of time. And for this reason we're rightfully indignant when windows/mozilla/ubuntu updates don't work or install stuff they shouldn't.
Just stop with the tech snobbery. All it says is you either occupy a rather narrow niche in the corporate IT landscape - software testing - or have loads of time on your hands to micro-manage your personal network.
Mr Kuznetsov, eh? Any relation to the Admiral?
The Admiral Kuznetsov was designed to project the power of the Soviet union in the Cold War. Wonder if it's namesake has similar ambitions for his software?
Kuznetsov is the Russian equivalent of Smith - ie, both someone who works metal, and the most common surname.
Tell you what I have just noticed though.....
Bloody google and yahoo in the search drop down menu.
Deleted now, but Clusty does me fine.
Have to say, I thought it was a pretty good edition.
Was surprised I have to say, when it did pop up, but, now that I've lived with for a couple fo days, I'm not so pissed off as some seem to be.
Beef TACO though ?
What about veggie TACO for those of with ethics other than pure FOSS....!?
Yep there's always something else to use anyway, even a different browser. lol Another extension joins the blacklist, w00t!
Hooray for Beef Taco
I wasn't really pissed about the upgrade - until I learned that the new plugin blocks my webmail. I had to revert to 2.0, and I'm very pleased to see this fork.
Let things set all the cookies they like, make new entries on theie database, excited as they think they've found a new sucker. Then let your browser delete all private data on exit. Everything works, and you contribute to the noise in the tracking DBs.
..doesn't need a dodgy addon to manage it either. FFox+noscript+adblock=great justice.
... except the next time you visit a site in a new session, that would have /usefully/ stored some data in a cookie last time you were there ... do people really think that all cookies are bad?
Funny thing is...
I don't need to log in to El Reg every time I want to comment, nor YouTube, nor...
I remember PC users of iTunes got Safari pushed to them in a very similar way...
Bloat = more attack surface
Any code, no matter how well-written, has a chance to contain a security vulnerability. The more code there is, the more likely there is to be a vulnerability. The more features, the more likely there is to be a vulnerability.
So a complex 3MB addon with loads of features is far more likely to have vulnerabilities than a simple 8KB one. This is especially worrying in the context of a web browser, which is exposed to malicious sites.
(And I don't trust their marketing claims about modules being "disabled". If they're loaded or loadable then they're exploitable. If they really wanted to provide a way to disable them properly, they'd have made them separate addons - the Firefox addon manager is trusted and well-tested).
Points taken, and all that...
And they are all true, but I don't *think* I mind the thing.
Have already got fed up with its pop up, though, and turned it off.
Dark, heavy and leaden
That UI is garish as hell. Dark, heavy and leaden - where'd they get that? Although heavy is appropriate for this 3MB whopper.
Ugly, isn't it?
It looks very iPhone-ish to me.
Where have I heard that before?
"..asks users for their approval before downloading.."
"..we think of it as a legitimate upgrade.."
"..turned off by default.."
"..collects no user information.."
Never used this extension before
I'm happy with requestpolicy extension for firefox. It helps me keep creeps away from my personal data.
Remind me again
Why firefox fanboys love extensions again?
This is surely another reason why it's better to have the essential functionality already included (like Opera)
You know Opera has extensions right? They're called Widgets.
Opera is a great browser for browsing the web - Firefox is what I use mostly because of some of those "non-essential" extensions. Web developer toolbar, HTML Validator, Colorzilla, Httpfox and a few that I'd argue ARE essential (for me), NoScript, mouse gestures, and Table2Clipboard (in the office, people want spreadsheets).
Now while Opera has many good things built in (or readily available) mouse gestures and Dragonfly for instance - it doesn't have the same stuff that I use in Firefox; even as "widgets" (and the difference between widgets and extensions is what, exactly?)
So opera implements every extension by default?
Firefox "fanboys" love extensions because they allow the browser to be customized in interesting and useful ways while keeping the core browser clean and stable. Turning a browser into a kitchen sink just increases the number of bugs that everyone is exposed to.
Besides, there are thousands of extensions, with highly specific, orthogonal or complementary functionality that is not critical for browsing. Not everyone wants or needs an integrated JS debugger, or an extension that launches Skype when you click on a phone number, or opts out of ads, or integrates with Twitter, or plays radio etc etc etc. That's what the extension framework is there for to provide for people who need these things.
As for Opera, it contains plenty of things that are not "essential functionality" by any reasonable definition. Things such as voice control, gestures, widgets, sticky notes (wtf?), cloud / web integration etc. If Opera had a proper extensions framework, these things should be the first things to get moved out. Sooner or later Opera will just such a framework and it will be better for it too. In fact, Widgets could be seen as the first step in that direction and I'm sure it won't be the last.
well it seemed OK
but as a matter of general principle I uninstalled it when I saw how much unwanted stuff came with it, going to give beef TACO a try
furtling away on a new Firefox add on.
TACO takes the view that you can trust marketing people to respect opt outs.
I don't. I don't see why I should opt out of third party tracking at all, particularly using something as flimsy as a cookie.
So my effort attempts to identify suspect tracking cookies heuristically (according to source/value/name/expiry), and then... actively corrupts them instead.
So far its working rather nicely, no significant effect on browsing, and just a little message in the bottom right of the browser... as another tracking cookie gets overwritten with crap. Sadly, not ready yet for general consumption .
In particular, one problem is a philosophical conflict with TACO. It identifies TACOs cookies as a threat (source/expiry), and 'gets medieval' on them.
A plugin that muddies the cookie data collection database of websites you don't want tracking you?
Sign me up! (when it's ready that is)
A tiny slip of code gives you:
Allow for session.
Allow for site, and other options.
including deletion or editing of cookies already on system.
There's no place like 127.0.0.1
A suuitablly modified hosts file is useful as well, just direct all ad traffic to 127.0.0.1
I do not know how things work in the USofA But surely this comes under misrepresentation of goods or services..
It said it was Taco I wanted Taco but what i got was Abine the only simularity is they both have an A in the names..
If you're really just the good guy so desperately keen to help people with their privacy, why dress your plugin up about as tastefully as a 70s Starsky and Hutch TV pimp? It just reeks of 'we want your money just like the ad-pimps and we don't care how we get it'.
On the other hand
I see a lot of shouting about something new and unexpected arriving via the update but very little assessment on how well it helps Joe User resist the ploys of the marketing departments. I don't care about 3 measly MB and my perception is that FireFox runs at the same speed now as it did last week.
I agree that it's reasonable to be asked before installing significant updates, but please people, get some perspective.
If FireFox really is slower on your PC I suggest you spend the time constructively by picking up the toys you threw out of the pram.
Way to miss the point.
Some cowboy outfit took over a trusted and useful Firefox add-on, bundled it with scumware and released that scumware by stealth in an update. What's more, they somehow conned Mozilla into authorizing it.
The Firefox community is pretty tech-savvy and I would like to know how on earth these people thought they would get away with it.
Er... Okay, so I was surprised by the changes to TACO.
But it took me all of 2 minutes to get it how I wanted it - silent, no toolbars, no popups, just an Abine icon down next to the ABP and NoScript ones.
Firefox seems to me to be running at the same speed as it did beforehand.
Can't quite see what all the fuss is about really.
Astroturf.. at least I hope so.
If you're installing security-targeted add-ons, yet have such a total disregard for your own security, and furthermore are happy to shout about it on a public forum, then you might want to contact me about a bridge I've got to sell.
RE: Big Al
"But it took me all of 2 minutes to get it how I wanted it - silent, no toolbars, no popups, just an Abine icon down next to the ABP and NoScript ones."
But how can you tell it's not doing any nefarious? They've taken an OSS project and closed the source:
The fact remains, what was once a very, very slimline and well liked Add-on has been hijacked by these cnuts for their own personal gain.
As someone pointed out on the Add-on reviews section on the Mozilla site:
Scroll down to "Our Advisory board" (right at the bottom) and you'll see this:
"Eric Jung, leading FireFox add-on developer, board member of Mozilla Add-Ons governing board, author of FoxyProxy and PasswordMaker (~7 million downloads) "
So, *that's* how the managed to sneak this past the Mozilla approval process, they had someone on the inside.
Unfortunately this isn't just about Abine...
...we now need to think of the validity of the Mozilla update system in its entirety. I don't know how much it was worth in monetary terms, but way to go for making a mockery of the principles of the updater, the review process, and the trust employed by hundreds of thousands of tech savvy people who are going to be rightfully pissed - not just those who were duped into Abine, but anybody who has dealings with the update process.
I'm not a Reg Ranter, trust is hard to gain and easily lost...
Love the look of it, where have I seen it before?
I love their unique interface design!
That makes the app look incredibly professional and original, showing that these are entirely honest devs who would never stoop to something as crass and n00bish as directly copying someone else's interface.
They don't look at all like those losers who spend months getting their Windows XP install to look just like OSX.
What I want to know...
is how many of the people who think Abine is ok and hasn't done anything wrong publically on this board actually works for them or is affiliated with them. I *hope* none, but I doubt it.
At the end of the day they did one thing wrong, and it's a whooper - they took a tool which had a specific (and simple) purpose, and hijacked it for a load of crap that was in no way related to original spec and knew that many people wouldn't download otherwise, kinda-like when you try to install a useful app and it asks you if you want the Yahoo toolbar - of course I don't! I didn't ask for it! But at least it asked, unlike Albine.
It took me 10 minutes to realize that my computer hadn't been infected with malware and Albine had been installed because it was mislabled as TACO. Uninstalled, and I'll live with the ad tracking until someone writes another pure TACO addon.