Attention NoScript users · 2009-05-01 19:54 by Wladimir Palant
Recently I wrote about how not giving extension developers a good way to earn money might lead to very undesirable effects. The recent events give an impression of the kind of effects we should expect here. This is going to be about the popular NoScript extension which happens to make its money from ads. And to make sure that somebody sees these ads it goes pretty far. For example, it opens the changelog webpage (full of ads of course) on every single update of the extension, even though the NoScript FAQ claims that it happens only on major updates (yes, if you dig into it you will find the preference to disable this behavior – but how many people do that?). And updates coming roughly each week ensure that this page is opened fairly often. A problem is of course that NoScript will usually disable scripting and consequently also most advertising. That problem is being worked around by putting NoScript’s domains, Google AdSense and a few others on NoScript’s default whitelist (again, the overwhelming majority of users won’t go hunting for bogus entries in their whitelist). Given that NoScript proudly calls itself a security extension this means putting users at risk — for example, a while ago I demonstrated how an XSS vulnerability on a NoScript domain can be used to run JavaScript from any website, despite NoScript. This was countered by implementing anti-XSS measures rather than removing anything unnecessary from the whitelist.
You get an impression of the business model here. Of course, this approach brings NoScript in conflict with another popular extension — Adblock Plus. For years, NoScript has been using a trick to prevent Adblock Plus from working on its domains. Fixing this issue was never particularly high on my list of priorities (though I finally came around and fixed it after the recent events) so at some point I suggested that EasyList should be extended by a filter to block ads specifically on NoScript’s domains. This finally happened two weeks ago.
What followed was a small war — the website would add various tricks to prevent Adblock Plus with EasyList from blocking ads, and EasyList kept adjusting filters. Then, a week ago a new NoScript version was released. A few days later I noticed the first bug reports — apparently, Adblock Plus “glitches” were observed with this NoScript version, especially around NoScript’s domains (but not only those). When I investigated this issue I couldn’t believe my eyes. NoScript was extended by a piece of obfuscated (!) code to specifically target Adblock Plus and disable parts of its functionality. The issues caused by this manipulation were declared as “compatibility issues” in the NoScript forum; even now I still haven’t seen any official admission of crippling Adblock Plus. Clearly, NoScript is moving from the gray area of adware into the dark black area of scareware, making money at users’ expense at any cost.
Confronted with the facts and with the AMO policy, the NoScript author agreed to revert the changes. However, he put a different “solution” in place — the new NoScript version released yesterday adds a “filter subscription” to Adblock Plus meant to whitelist NoScript’s domains. A note about this “feature” has been added to the extension description on AMO (I insisted), not without misrepresenting the cause of course. Supposedly, this is because of a “targeted attack from EasyList which broke functionality.” Which fails to mention that EasyList was just doing what it was created for (block ads) and the broken functionality is the result of attempts to prevent ads from being blocked (originally the filters didn’t break anything). So the real reason is not broken functionality, it is the ads on these sites.
Of course, adding a note to the description that almost nobody will read anyway wasn’t the only change I wanted to see. Adblock Plus allows other extensions to add filter subscriptions but that wasn’t supposed to happen without the user’s consent. In case of NoScript, asking the user whether this filter subscription should be added was clearly required. But that would probably make too many people notice that something fishy is going on and decline. Note also that this filter subscription cannot be removed (will be re-added on next Firefox start), only disabled. Also, it stays there even after NoScript is uninstalled. Should I now make it harder for all extensions to integrate with Adblock Plus just because NoScript is misbehaving? I doubt that this will help much; any installed extension has the privileges to do anything and trying to stop it from misbehaving after installation is a lost cause.
While the current state of affairs (NoScript’s manipulation of Adblock Plus is visible to the user if he knows where to look, it is documented and even reversible) is better than what we had before, I still think that extensions manipulating other extensions to prevent them from doing their job is not where we want to be. NoScript might be somewhat extreme but the “business offer” emails I occasionally see in my inbox make me think that we will see more of this. Companies start to recognize the potential of Firefox extensions and push extension authors into monetizing their extensions by questionable means — at the expense of the users.
Update (2009-05-02): Apparently, thanks to some pushing from AMO yet another NoScript version was released. This one supposedly no longer adds a filter subscription to Adblock Plus and also removes the one added by the previous versions. Also, a change to AMO policy is under discussion. Big thanks to everybody who made that happen!
Adblock Plus Fan · 2009-05-01 20:22 · #
I’m with you on this one Wladimir. Noscript has gone too far.
One could argue that Noscript is now breaking ABP features. “Deletion of a subscription” is a capability many users expect will work in ABP, a feature.
In the event a user discovers this injected content, many will simply delete the subscription in good faith that ABP is capable of deleting this and believe that Noscript will now leave them alone. The users will be disappointed when/IF they find out that Noscript is re-injecting the content again and again, against their decision.
Reply from Wladimir Palant:
There is a bigger problem – I know too well that most Adblock Plus users never go to preferences. They install Adblock Plus and are happy that it works. If it fails to work correctly on noscript.net most of them won’t be able to find the reason.
Ben Basson · 2009-05-01 20:42 · #
FlashGot opens up the changelog for every trivial update as well. While I found that annoying, I’m certainly now a lot more concerned about what extra code might be bundled with the updates, and will therefore remove it immediately and permanently.
There’s no justification for meddling with the operation of other extensions at runtime or otherwise, and I certainly wouldn’t recommend using extensions by an author prepared to go to these lengths.
snake · 2009-05-01 21:09 · #
I am with u too Wladimir, he’s gone down that road, where he’s out for himself, worried about his revenues before his users, well I am not going to be one of them users ever, good luck Giorgio Maone, ur now messing with a lot of annoyed Adblock Plus users, u will need it for messing with our adblocker.
To put it bluntly I don’t trust the NoScript add-on or its underhanded Giorgio Maone….
he lost any trust when he sneaked in stuff that messes with another addon, ABP..
lovelywcm · 2009-05-01 21:33 · #
Commerce is invading the development of extensions.
Will you give ABP the ability to inspect (and block if a filter matched) connections established by an extension in background?
Reply from Wladimir Palant:
You can inspect all outgoing connections with Live HTTP Headers. Attributing to a particular extension and blocking is a different thing and probably not possible at all.
Kurt GLuth · 2009-05-01 21:43 · #
I agree to all points Wladimir mentioned. It will be interesting (although sometimes surely anything but amusing) to see, how ‘hard’ every developer of AddOns will be against – let’s call it by its correct name – corruption. As I said in the forum, there are unwritten laws, limits a human should accept in EVERY situation. Of course we know enough about theory and practice… we should do what we can to keep a direction – the direction of fairness (against fair people, of course). Regarding software I act the same way as in my whole life: Rotten fruits I throw behind the next hedge. And I fear this will happen more and more often…
To Giorgio Maone: He chose his way he seems to imagine to be the right one – ok, this is not my problem. I needn’t use NoScript or FlashGot and as a consequence of my point of understanding things I kicked them away.
jonas · 2009-05-01 21:48 · #
Could you add a dialogue when something tried to inject into ad block’s white list that the user has to accept/deny.
Also a button like “remember this setting” would mean the user does not have to deal with the continuous injection on startup.
It’s easy to stop the injection, so do it. I’m not happy that it’s this easy for them to change the white list!
Reply from Wladimir Palant:
I can – but since we talk about another extension here it can just remove that question with not too much effort. And my impression is that it will. I cannot engage in a war with the NoScript extension, my releases are a lot less frequent than once a week.
Christopher Finke · 2009-05-01 21:53 · #
For ScribeFire, we open a “What’s New in [this version]?” page after every update, trivial or not. (For example: http://blog.scribefire.com/whats-new/3-1/ ) It saves tons of time and frustration for people who want to know exactly why the add-on was updated.
Of course, the important distinction here is that there aren’t any ads on the ScribeFire website, so there’s no monetary incentive to get visitors there. I suppose it actually costs us in bandwidth with each release, but I think it’s worth it.
Just wanted to chime in that there are legitimate reasons for showing the changelog after even a minor update.
Reply from Wladimir Palant:
Your updates also come in more reasonable intervals. If that page opens every week like clockwork, there is no way it is going to be anything but annoying.
David Naylor · 2009-05-01 21:56 · #
Very interesting post!
I find it disgraceful behaviour from Noscript’s side and will do what I can to enlighten any people using it.
On a side note, I always thought NoScript was very overrated (and unnecessary).
Ares2 · 2009-05-01 21:58 · #
“In case of NoScript, asking the user whether this filter subscription should be added was clearly required. But that would probably make too many people notice that something fishy is going on and decline. Note also that this filter subscription cannot be removed (will be re-added on next Firefox start), only disabled.”
According to Giorgio, this is going to be fixed: http://forums.informaction.com/viewtopic.php?p=3162#p3162
Eido Cohen · 2009-05-01 22:13 · #
It is elementary to block ads on the noscript.net site. All you do is block javascript via noscript’s own tool for googlesyndication.com. Voila! All the ads on the sidebar are now gone.
SJS · 2009-05-01 22:17 · #
The functionality of NoScript should not be in an extension, it should be an integral part of the browser, with an initial empty whitelist, of course.
I never check to see if extensions are interfering with one another, I’m going to have to look into this. Until our browsers acquire the necessary functionality, is there a no-script type alternative that doesn’t suffer from NoScript’s faults?
(At work, I’m required to enable Javascript, to enable the client-side authentication in the timesheet application. Everywhere else, I simply turn it off. If your page doesn’t work without Javascript, there’s no reason I need to do business with you.)
DigDug · 2009-05-01 22:29 · #
Maybe this is playing into their hand too much, but you (or they) can always add a “NoScript is not compatible with AdBlock Plus” dialog on first run, and offer the option to uninstall one or the other. On the other hand, it’s like 10 lines of javascript to fix a problem that doesn’t actually exist.
Reply from Wladimir Palant:
So if an extension is messing with Adblock Plus I “solve” it by messing with that extension in return? Sorry, I didn’t write that blog post because I want to act like this myself.
Thomas · 2009-05-01 22:31 · #
I just found that NoScript list and deleted it (I think I’ll have to just disable it when it gets reinstalled)
Is there possibly a way that you could make something pop up when a new list is being entered (maybe integrate a captcha or something similar to make sure that NoScript can’t secretly inject one) then have it remember that it doesn’t want NoScript white lists?
I dono just a guess.
Reply from Wladimir Palant:
I can – but since we talk about another extension here it can just remove that question with not too much effort. And my impression is that it will. I cannot engage in a war with the NoScript extension, my releases are a lot less frequent than once a week.
James Cready · 2009-05-01 22:32 · #
“If your page doesn’t work without Javascript, there’s no reason I need to do business with you.”
Bwhahaha. Ok buddy, you do that. Wait ten years and tell me how many sites work for you. Hahahah. Wow, that’s classic.
P. · 2009-05-01 22:43 · #
This needs to be on Slashdot.
By the way, exactly how do you prevent NoScript from loading the changes page after it updates? I don’t have that domain whitelisted anyway so I never see the ads but I’d like to disable it anyway. There are several dozen settings in about:config.
And if this doesn’t stop it’s probably time for a fork. If Giorgio wants to run a business, okay but he should at least be honest about it and this is no gray area. This is just not acceptable.
Reply from Wladimir Palant:
See http://noscript.net/faq#qa2_5
I have pity with anybody who tries to fork NoScript, the code is a huge mess. It is much better to rewrite it from scratch.
Osman · 2009-05-01 22:50 · #
It’s ironic that you have an extension which takes away his (and many other advertisers/websites) revenues, and you’re complaining that he’s trying to get the few ad-revenue that he can by going around your work arounds
Matt McCutchen · 2009-05-01 22:56 · #
For anyone who wants to read the obfuscated code in NoScript 1.9.2:
mkdir tmp; cd tmp
wget http://software.informaction.com/data/releases/noscript-1.9.2.xpi
unzip noscript-1.9.2.xpi
unzip chrome/noscript.jar
perl -np /dev/fd/3 3<<EOS <content/noscript/MRD.js >MRD.unescaped.js
s/\\\\x([0-9a-f]{2})/pack q{c}, hex(\$1)/ge
EOS
less MRD.unescaped.js
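An added example (not part of the original comment and not NoScript's code): a Python version of the unescaping step above, for reviewing obfuscated extension code. It goes beyond the Perl one-liner by also decoding `\uNNNN` escapes and uppercase hex, touching only string literals, and listing each decoded string with its line number; the sample input and all function names are constructed for illustration.

```python
import re

# A JavaScript string literal: opening quote, body with backslash pairs kept
# together, matching closing quote. Comments and regex literals are not parsed,
# which is acceptable for a review aid but is not a full JS tokenizer.
STRING_LITERAL = re.compile(r'''(["'])((?:\\.|(?!\1)[^\\\n])*)\1''')

# One backslash escape at a time, so that "\\x41" (an escaped backslash followed
# by the text x41) is never mistaken for the hex escape "\x41".
ESCAPE = re.compile(r'\\(?:x([0-9A-Fa-f]{2})|u([0-9A-Fa-f]{4})|(.))')


def decode_escapes(body):
    """Decode \\xNN and \\uNNNN escapes inside one string-literal body."""
    def replace(match):
        hex_digits = match.group(1) or match.group(2)
        if hex_digits is None:  # some other escape such as \n or \\
            return match.group(0)
        char = chr(int(hex_digits, 16))
        # Leave quotes, backslashes and non-printable characters escaped so
        # the decoded literal is still valid JavaScript.
        if char in "\"'\\" or not char.isprintable():
            return match.group(0)
        return char
    return ESCAPE.sub(replace, body)


def obfuscated_strings(source):
    """Return (line, raw, decoded) for every literal that hid text in escapes."""
    findings = []
    for match in STRING_LITERAL.finditer(source):
        raw = match.group(2)
        decoded = decode_escapes(raw)
        if decoded != raw:
            line = source.count("\n", 0, match.start()) + 1
            findings.append((line, raw, decoded))
    return findings


def unescape_source(source):
    """Return the source with escapes decoded inside string literals only."""
    return STRING_LITERAL.sub(
        lambda m: m.group(1) + decode_escapes(m.group(2)) + m.group(1),
        source)


# Constructed sample input, not taken from any real extension.
SAMPLE = r'''var a = "\x68\x74\x74\x70";
var k = obj["\x70\x72\x65\x66\x73"]['\u0067\x65t']("plain");
var q = "say \x22hi\x22 \\x41";
'''

if __name__ == "__main__":
    for line, raw, decoded in obfuscated_strings(SAMPLE):
        print(f"line {line}: {raw!r} -> {decoded!r}")
    print(unescape_source(SAMPLE))
```

Property names and identifiers that only appear after decoding are the ones worth searching for in the rest of the code base.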
Jesus · 2009-05-01 23:02 · #
It goes without saying that people who dislike adblockers are usually resembling Hitler in some way or named after Hitler.
Reply from Wladimir Palant:
Note: the message this replies to got removed due to offensive language.
Q · 2009-05-01 23:16 · #
@Osman #16:
The author of AdBlock Plus does not take away revenue from any website. It is me, the user. I don’t want to see ads and I’m glad there is a tool I can disable them with. It is purely my choice to disable ads.
happy_abp_user · 2009-05-01 23:48 · #
I’m with #20.
the ads industry has overdone it (remember the blinky Flash ads?) and that’s why ABP is the first extension I’ll always have in my Firefox setup.
James · 2009-05-02 00:09 · #
Disgusting, what a crock. He just locked out debate too, noscript is no longer welcome on any of my computers. This malware is not to be trusted.
Dorothy · 2009-05-02 00:12 · #
NoScript updated on my computer today, and while I understand (in part) the changelog webpage and the ads, I’m pissed; for today when it updated I had to opt out of getting an ask.com toolbar. This trend of bundling toolbars has got to stop.
It’s dirty. It makes me wonder what else they’re bundling into it. If I want a toolbar I know where to find it.
Is there another tool that blocks all scripts until I allow them?
web developer · 2009-05-02 00:18 · #
I’m a web developer for an organization that advertises. How can I best block users that use adblockplus? Not trying to be mean spirited or anything, we just don’t want users viewing our webpages without advertisements and would not be offended if those users then did not use our webpages.. Thanks!
BCK · 2009-05-02 00:23 · #
I would have had no problem with adding the filter set, if I was asked in the first place. The extension is great but his tactics are terribly underhanded (namely whitelisting his personal site which has nothing to do with the extension).
I’ve gone through and removed his sites from the whitelists, disabled the filter set, just wish I could find the option to disable opening the site on upgrade
Reply from Wladimir Palant:
See http://noscript.net/faq#qa2_5
Mr. Add-on Developer · 2009-05-02 00:25 · #
Wladimir,
I’m a developer of a popular Firefox Add-on. I’m posting this comment anonymously.
A while ago I was contacted by a guy named Lee Lorenzen from a company called KallOut, Inc. asking me if I wanted to do all sorts of aggressive stuff with my addon to promote their software. Other developers were contacted, too.
Did they contact you? I wonder if they convinced the NoScript guys to go along with their plans.
I think this sort of seedy business is just going to increase as the browser becomes the platform. The bigger the ecosystem the more room for bad actors.
It’s blog posts like yours that bring it all to light. Thanks for writing it!
Reply from Wladimir Palant:
Yes, he contacted me as well. And when I explained that I’m definitely not interested in anything that will harm the user experience he had the nerve to ask whether I would sell the project.
P. · 2009-05-02 00:26 · #
Just to answer my own question: to stop the changelog from coming up set noscript.firstRunRedirection to false.
Sol · 2009-05-02 00:27 · #
@web developer
Just block anything that uses the Firefox UA. That should clear up any problems that you are having blocking users. Good luck with that.
Alastair McDermott · 2009-05-02 00:37 · #
I’m an SEO/online marketer/webgeek. AdBlock Plus is the first thing I install after Firefox (seriously: http://amdsoft.com/essential-software-for-new-windows-box/ )
With the aggressive and malicious nature of many ads on websites I feel a lot more secure knowing 99% of that crap is being blocked. Companies doing legitimate online marketing have long developed past pop-unders, punch the monkey and cringe-worthy animated gifs. The vast majority of non-spammers are not using these techniques.
I whitelist many websites that I want to support (for example the Irish community discussion forum www.boards.ie and several online newspapers). That’s what I’d like people to do on my websites if they find it valuable enough to visit more than once, and I’d urge every AdBlock Plus user to be more aggressive in the use of the whitelist option (choose “Disable on domain.tld” from the dropdown menu).
Re: monetisation – what about having a “recommended whitelist”, and have companies pay to have their sites reviewed and voted on by ABP users?
Regards,
Alastair.
WebsiteDoctor.com
Unr3a1 · 2009-05-02 00:49 · #
I think that what noscript has done crosses a major line. I will too be removing it from any computer that I have it currently on. Thanks for the info ABP!!
mark · 2009-05-02 00:54 · #
@Alastair McDermott
Kudos – Sensible replies like yours are the sort of thing that lead me to whitelisting the author’s websites :) Those who bitch and moan whilst trying to send flash ads receive little attention.
On topic, if no-script had been up front about what it was doing then I probably wouldn’t have minded. Sneakily doing it and reinstalling every time makes me mind quite a lot.
Adrian · 2009-05-02 01:04 · #
I just finished uninstalling NoScript, and I will definitely make sure it no longer has a place in any further Firefox installations.
I appreciate the insightful post.
mrbene · 2009-05-02 01:05 · #
@ web developer
There’s a few methods.
- You can honeypot, crawl the DOM with inline JavaScript and then use document.write to eliminate your content if the honeypot URLs haven’t rendered. You’ll end up with false positives (anyone on slow connections), and if your site is popular, the honeypot URLs will likely end up whitelisted. Not particularly effective – search forums for “Jack Lewis”. I think that went all the way to blocking all Firefox users.
In terms of continuing to serve ads to users with ABP
- You can serve ads from your own domain, which, if your site isn’t particularly popular, will result in the majority of subscriptions ignoring you.
- You can encode the images you want to serve into the HTML directly, so that there aren’t additional requests. This makes the files really heavy, and can generally be blocked with element hiding. You’ll also have no idea what portion of ads are blocked.
Finally, your best option:
- You can ask your users to whitelist your site. You can make this a very easy process by providing a subscription so the user can just click on a link and get the whole set of your domains, if you have more than one that work together.
Dave · 2009-05-02 01:15 · #
Wladimir,
I think it’s time to ask Mozilla Foundation to delist NoScript for all these MALICIOUS activities! This has gone far enough! It’s time to remove them from mozilla.org directory until they clean up their act!
Let’s do it people… start emailing Mozilla!!!
Anonymous · 2009-05-02 01:22 · #
When ABP is installed, have it auto-redirect them to this very post if it detects Noscript.
Reply from Wladimir Palant:
It was user’s choice to install NoScript, for whatever reason. I am not messing with that choice, an extension should not do that.
Michael Kaply · 2009-05-02 01:31 · #
I agree with everything you posted, but there is a larger issue here that needs to be solved.
Extensions are going to start fighting over revenue models because there are so few ways to generate revenue.
We’re seeing more extensions take over new tab, take over search without asking, etc.
Someone needs to figure out a way to build an app store for Firefox…
Delimitation · 2009-05-02 01:32 · #
I block NoScript’s domain on my border router. All other extensions that routinely load websites after updates get the same treatment.
DaveK · 2009-05-02 01:35 · #
Hooray for open source; let’s just fork NoScript.
Reply from Wladimir Palant:
I have pity with anybody who tries to fork NoScript, the code is a huge mess. It is much better to rewrite it from scratch.
Johnny f*g know it all · 2009-05-02 01:40 · #
I am no fan of Adblock Plus or NoScript and I use neither.
However the whole assumption of Giorgio Maone is wrong, people already chose NOT to see the ads on his sites when they installed Adblock Plus. Period.
Sean · 2009-05-02 01:57 · #
I used NoScript for about a week. I had a feeling something strange was going on with it. It was really pissing me off so I removed it. I’m glad I did. I knew something wasn’t right about it.
I love my ADB. It’s the first thing I add whenever I have to install Firefox on a machine. I do disable it on respectable sites I trust. Ads are what make things free. It sucks that 98% of them are crap. Thank goodness we have ADB.
Daniel Macer · 2009-05-02 01:58 · #
My immediate reaction is in agreement with post #6 and similar. Regardless of how you view this whitelist behavior, some addons (not necessarily NoScript) could add bad whitelists that the average user would never be aware of.
The solution is as simple as the problem: when an addon tries to add a list to ABP, open a dialog warning the user that Addon X wants to add a list called List X. Display the icon of the addon in the dialog, and have the question be something like “Do you want to block this addon from adding rules to ABP?” so a user who blindly clicks YES will prevent said addon from adding rules.
Reply from Wladimir Palant:
I can – but since we talk about another extension here it can just remove that question with not too much effort. And my impression is that it will. I cannot engage in a war with the NoScript extension, my releases are a lot less frequent than once a week.
Anonymous · 2009-05-02 01:59 · #
I agree with #35.
Harvey Birdman · 2009-05-02 02:01 · #
In some countries (like the US) changing things on a computer without consent of the owner is a felony. It’s part of the DMCA. That’s one of the reasons why Microsoft, Adobe, and others have such long install terms.
NoScript might be breaking the law where you live.
At the very least, their behavior should be documented and reported to anti-spyware sites.
Orbijx · 2009-05-02 02:21 · #
NoScript was already being rather squirrely when I tried it a week ago.
The last straw was drawn when I whitelisted the hell out of everything I would want to use with ABP disabled (live.xbox.com being a prime example), and only the ads were visible. I couldn’t use the rest of the site with that lump on. Disabled it, went back to ABP, and gave it a kiss on the cheek when it let me see that a game I wanted was finally on XBLA.
I’m not an overly technical person, but I can troubleshoot myself out of my own issues.
I knew that NoScript was at fault when I could go as far as telling it to enable JavaScript globally, and still couldn’t get sites I actually use to, you know… work.
NoScript was already on the list, but this just sealed that.
AKAJohnDoe · 2009-05-02 02:27 · #
I deleted the filter subscription NoScript placed there. And I have Firefox set to ask me about updating add-ons, so NoScript will not get back there without my knowledge. Further, I added an entry into the ZoneAlarm firewall (ZA-AV product) to block all accesses to noscript.net.
ant · 2009-05-02 02:27 · #
If there were an extension that just added a straightforward scripts whitelist the same as the popups/images ones (you know… like IE’s been able to do for ten years…), I’d get rid of NoScript in a heartbeat.
Failing that, this news is a good enough excuse. Maone Malware, no thanks.
v.dog · 2009-05-02 02:40 · #
I’ve got no problem with pages displaying ads per se, but annoying (pop-ups, flashing primary colours, eating up most of the screen), false (‘you’re the millionth visitor’), and malicious (‘has your credit card been stolen?’, fake windows dialogs, tracking cookies, XSS, etc) ads mean that ABP is a must have. It’s a great shield from a lot of the crap out there.
I’m happy to whitelist your site, web developer, but first you’ve got to prove that your ads are honest, safe, easy on the eye, and don’t interfere with my browsing experience.
snake · 2009-05-02 02:43 · #
Heres a question do u trust this guy:
if that does not try this:
http://i41.tinypic.com/5dkq50.jpg
that’s him, the guy who shut down the thread that was questioning him about his underhanded techniques in crippling Adblock Plus, he tried to squirrel out of it, BEWARE OF THIS MALWARE – DO NOT DOWNLOAD, IT MESSES WITH ADBLOCK PLUS
IF u have it, uninstall it right away.
I am not the only one who believes this, check out here:
https://addons.mozilla.org/en-US/firefox/reviews/display/722
Beware of it people.
Anonymous · 2009-05-02 02:45 · #
A possible solution might be to use priorities for the subscription lists. Perhaps require that subscriptions added via API by other plugins have lower priority than the ones added by user.
Another anon · 2009-05-02 02:56 · #
@49 That doesn’t really work since the addon adding the subscription could directly edit whatever you’re using to store the data if it wanted to bad enough. Might help set expectations for legitimate use of your APIs, and potentially AMO could create a policy that they de-list addons that deliberately bypass another addon’s published API for some task.
Pseudonymous Coward · 2009-05-02 02:56 · #
Thanks for the warning. I have uninstalled NoScript specifically for its shady tactics. Too bad though, it is a pretty good extension otherwise.
Anne H · 2009-05-02 03:00 · #
Your post raises some interesting questions. I should preface this by saying I’m not exactly a fan of your product as it can interfere with my revenue.
In the case of your product, the user is making a determination they don’t want ads. I recognize that and I’m not going to interfere. I may if some 3rd party service or ISP were to inject their ads without a user’s consent. For now, I’m happy so long as my adsense revenue covers my expenses.
I’m also a noscript user who made a donation. The reason I use the add-on is for security reasons. As someone who reviews products and sites, I often encounter sites that I know very little about and like the added protection. Your article has prompted me take a harder look at the author’s practices and policies.
nickserte · 2009-05-02 03:03 · #
Well, for some of you ignorant hotheads, together with ABP, NoScript is a very important add-on. I don’t agree with their actions in any way, and have disabled the filter subscription, but asking people to boycott it is childish and will just benefit the malicious attackers.
Unless someone forks it, or creates a better alternative that is. Or maybe if the NoScript devs apologize and fix this themselves. I’ll keep donating of course.
W^L+ · 2009-05-02 03:05 · #
That is really sad. ABP and NoScript have long been the first (and sometimes only) extensions I install and recommend. I’ve always wondered why the Gecko engine doesn’t have NoScript’s functionality built into it.
This would bring the positive parts of NoScript into K-meleon and other browsers that use the engine but not necessarily the full GUI from Firefox.
bookemdano · 2009-05-02 03:09 · #
What noscript domains should I put in my hosts file? Anyone have a handy list so I don’t have to research it myself?
all I have is……
127.0.0.1 noscript.net
127.0.0.1 www.noscript.net
any others?
2) is noscript GPL licensed? If so, maybe someone will fork it.
Reply from Wladimir Palant:
informaction.com
flashgot.net
maone.net
mongate · 2009-05-02 03:17 · #
Uhm, wow.
I just noticed everyone’s gone BATSHIT CRAZY on AMO.
This is really a bad day for NoScript, huh? Overreaction much?
You know that you could just make the devs apologize, fix it and move on. Now looks like you’ve bombarded the guy unto oblivion.
AKAJohnDoe · 2009-05-02 03:25 · #
I uninstalled NoScript.
nerteacup · 2009-05-02 03:31 · #
This is, perhaps, the most active and absurd “development” I’ve ever witnessed in the FF extension development world.
People everywhere are boycotting NoScript, uninstalling it from every one of their machines. Though not like 95% of them know how to use it in the first place ( #44 for example).
Giorgio Maone is working on the code right now, so he won’t have time to post his apology, rebuttal or anything.
Truly, the only way to vote in the FOSS world is with your feet.
@23: truly, the people who use free software can be so arrogant and complain so much. Toolbars are part of why it’s still free… Unbelievable.
TD · 2009-05-02 03:40 · #
I don’t know anything about the internal workings of AdBlock Plus nor NoScript. I do find this unappealing though. If extensions are being allowed to add filters that disable certain ABP functionality, then that is not good at all.
Perhaps what needs to be done is to adopt a sort of “deny takes priority” process behind how ABP works, similar to NTFS file permissions. This way, if something is blocked through the filters then something tries to unblock it by adding another filter to allow it, then the version that blocks it takes priority.
If this is done, then additional filters could be added to block the elements that the NoScript-inserted rules are attempting to allow.
That’s just how I see it. Sorry if I just confused everyone.
Spade · 2009-05-02 03:40 · #
@ #53
I’m afraid you’re the one who’s being ignorant in this case. Or are you forgetting about the “malicious attackers” pressuring extension authors to aggressively monetize in this fashion? (Re-read the original post, along with comment #26.)
We need to take a stand here, and show them that we will not stand for these kinds of aggressive tactics. Giving them a black eye here and now will go a long way toward convincing them (and other extension authors) that this heavy-handed approach won’t work.
I recommend the RequestPolicy extension for anyone concerned about attacks from third-party scripts. I was already considering eliminating NoScript and using RequestPolicy alone, and this situation sealed the deal.
Spade · 2009-05-02 03:43 · #
@ #56
Underreaction much? This is more than just a “bad day”, this is the reaction to an extension author who deliberately sought out to defeat the functionality of another extension, without the consent of the user. He went so far as to add obfuscated code (which made it past the AMO reviewers) to do so. If he’d gone about things openly and honestly in the first place (rather than being shamed into doing so), you wouldn’t be seeing this kind of reaction.
Plus, I think a lot of the reaction we’re seeing has to do with the fact that we’ve always trusted these extensions without thinking too much about it. Now, because something like this was able to make it past the AMO reviewers, that trust has been thrown into doubt.
kuza55 · 2009-05-02 03:44 · #
shrug
It’s bad, but I’m not an AdBlock Plus user, so this doesn’t affect me even though I do use NoScript.
I just wanted to say that while you may think that Giorgio’s solution to xss-based attacks was not a good one, that additional functionality is the main reason I use NoScript, it may not stop everything, but it provides an extra hurdle.
W^L+ · 2009-05-02 03:47 · #
@58
No, it isn’t that simple. NoScript is security software. Its job is to protect us against those sites that would misuse our computers / browsers for their own benefit. Deceptive disabling of another security product for their own financial benefit is not acceptable behavior for a security vendor.
All that was needed was to clearly state what was going on and ask for consent. You need ad revenue? Say so! Just don’t sneakily change my settings to get that revenue.
Reply from Wladimir Palant:
I fully agree and that’s exactly why I wrote this blog post about NoScript and not any other extension using similar tactics.
Xymor · 2009-05-02 03:52 · #
Overreaction? The guy interferes with another plugin not to fix a technical issue but for commercial gain.
There’s no overreaction. They went from a decent operation to a rogue one when they decided to do that.
It’s the same as if your anti-virus updates started installing virus and adware in your PC.
Robert Leland · 2009-05-02 03:54 · #
I donated $100 USD to noScript about 8 months ago because
1) I felt safer from using it.
2) I have dabbled in OSS and know how thankless a job it can be.
However, these latest changes in policy are beyond irresponsible, it’s knowingly misleading, and more.
No Script should just close up shop.
-ROb
ghendar · 2009-05-02 04:08 · #
Thanks to noscript documentation, I know about his other domains and have the following entry in /etc/hosts:
#bad noscript # http://adblockplus.org/blog/attention-noscript-users
127.0.0.1 noscript.net
127.0.0.1 flashgot.net
127.0.0.1 informaction.com
127.0.0.1 hackademix.net
bob · 2009-05-02 04:18 · #
You people are exaggerating. Forever uninstalling Noscript? So you’d rather have people xss/csrf/clickjack into your gmail?
Giorgio understands that people don’t like this. He’s fixing it.
http://forums.informaction.com/viewtopic.php?f=7&t=877&start=90#p3162
Shut up about it.
Gnomegarten · 2009-05-02 04:19 · #
Alright, so that is pretty heinous.
Unfortunately, with the way I browse I might have difficulty dropping NoScript – I routinely run with over a hundred tabs open in multiple windows. I’ve been allowing more scripts lately, but if I let everything run I’d most likely freeze out or just crash my sessions irretrievably. I have yet to see any other extension that provides this kind of fine tuned scripting permissions. I might have to live with this for a bit.
Next question then. I use ABP without subscribing to any lists. I figure that blocking JScript keeps the most heinous ads out of my line of sight, so anything that plays nice is fine. I only block ads that still manage to annoy me. So, without any subscriptions, am I still vulnerable?
JagsLive · 2009-05-02 04:23 · #
Does anyone here know “how to make a feature request” for a NoScript replacement into next Firefox ??
BTW I’ve created this post but not sure if I’m gonna get any help from there:
http://forums.mozillazine.org/viewtopic.php?f=7&t=1226775
Forrest Gump · 2009-05-02 04:29 · #
This presents us with a new dilemma of sorts.
It reminds me of the pre-virus days, where a program could do just anything it wanted. This is analogous to noscript being able to modify things to suit its needs.
Therefore, what may be the next step is creating some security layer within the scripting mechanism to prevent these types of alterations from happening without your approval, or a permissions/policy based moderation.
Easier said than done (and way more complex than that).
In the end, security will win out – it’s the model everywhere else and Firefox isn’t exempt from it.
All we need is some idiot to create an altered plugin for Firefox to do something malicious and … the rest will be history.
drunkardert · 2009-05-02 04:36 · #
#60, #61, #63, #64:
“Fucking NoScript dev messed up my ABP so that when I visit his page after each update I’ll see a few ads. A FEW ADS? Oh Noooo, they must contain some uber-malicious spyware, the latest xxConfickersxx; they’re gonna blow up my car, rape my wife, burn down my house and [insert your own fantasy]. There’s no redemption, no. This is about our security, we must make a stand. For great justice! For our holy ancestors! For” Jesus Christ!
NoScript’s behaviour is not acceptable in any way, but this is so fucking ridiculous that it totally classifies as an over-reaction.
“Now he’s done it, who knows what he will do in the future? All my data is gonna be compromised, the greedy bastard will go so far as to sell it to all the hackers, oh NO!!!!”
Free software users can be so arrogant. So arrogant, that they demand all sorts of stupid features. So arrogant, that they will whine about everything and call every feature a bug. So arrogant, that they make all sorts of empty threats to the developers if they don’t fix this particular “bug”. So arrogant, that they will come up with every kind of excuse like “It has an unacceptable logo” just to avoid donating… Just among 1000 reasons why so few people want to work in tech support.
You want him to “clearly state what was going on and ask for consent” ? Release notes, does that ring a bell to you? And he’s working on a prompt in the next release btw.
I was mad at NoScript. But now I’m mad at you guys instead, the sheer amount of immaturity, acts of faggotry at NoScript forum and AMO… Shame on you.
Pissed off · 2009-05-02 04:39 · #
Well then, NoScript just got uninstalled and all of my AdBlock whitelists have been reset, and a fresh copy of AdBlock re-installed. I will be blocking NoScript at the school’s firewall come Monday morning, and pushing an update message to inform all our users to stop using it and instead rely on ONLY adblock.
This sucks, because I felt for a long time giving both tools to my users made things better, but now…
Spade · 2009-05-02 04:46 · #
@ #71
I think your choice of language and epithets have adequately proven which of us is immature.
mathew · 2009-05-02 04:49 · #
This is why I think the functionality of NoScript should be a standard feature of the browser.
Unfortunately, the developers of Firefox will never do that, because it would annoy advertisers. Same reason you’ll never see cookie handling like CS Lite built in to Firefox.
Actually giving people a quick and easy UI so they could manage their privacy would annoy too many advertisers.
https://bugzilla.mozilla.org/show_bug.cgi?id=388963
Reply from Wladimir Palant:
No, Firefox developers will never do that because it will annoy users. Breaking the web is never a good choice when you are in the browser building business.
John Davis · 2009-05-02 04:49 · #
Wow, that’s amazing dude!
RT
Spade · 2009-05-02 04:55 · #
@ #70
You raise some good points. I know I was initially quite surprised to discover that extensions could change pretty much anything in about:config. I’d assumed there was some kind of sandboxing preventing global prefs from being messed with.
I’d also assumed that extensions needed to have the “extensions.” prefix for every one of their prefs. Sure is messy in there when they don’t do that!
I have a feeling this oversight in the original design of how extensions work is indeed going to come back to bite us all, now that there’s a greater awareness of how extensions can mess with each others’ settings.
Anonymous · 2009-05-02 05:01 · #
This clearly shows how allowing the user to make the choice ultimately matters.
If he’d opened a message box asking whether or not the user wants to white-list NoScript, then things would go very differently. Now, he probably ruined the Addon and someone will fork it with a new name. Well, regardless of what happened, I’ve always used NoScript and I do pretend to keep using it, since it’s a great combo (NoScript + ABP).
However, I’ll no longer support its development with donations, it was too rude to continue.
drunkardert · 2009-05-02 05:13 · #
@ #73:
And while Spade was paying attention to my choice of language for an ad hominem reply, I was paying attention to your accusations, your complaints, your pointless rants and empty threats which are still visible on AMO, NoScript forum and hell, Slashdot…
If you’ve ever worked in tech support, or modded a particular forum before, you shouldn’t find these happenings unfamiliar at all. But still I’m just as amazed as ever.
Spade · 2009-05-02 05:20 · #
@ #74
For a while I assumed that nobody would dare put popup blockers in their browsers, for fear of angering advertisers. Yet now today, every browser I’m aware of has a popup blocker.
So it may take a while, but it’s certainly possible that the functionality of CookieSafe or NoScript could someday be built into the browser.
Kyle Sellers · 2009-05-02 05:23 · #
The problem, I believe, is that it is extremely for a novice user to add AdBlock Plus, but not so obvious as to how they can white list sites which they wish to support. Many people don’t realize how important those ads are to some of their favorite sites—even ones who have gone out of their way to be tasteful and discreet with their ad placement. I think many users would actually LIKE to support their favorite sites.
Wladimir, you have made a great tool, but I truly believe your next step is to show average non-savvy users how AdBlock Plus can negatively impact the sites they frequent and how to white list the sites which they wish to support.
Just my two cents on the issue.
Kyle
Twitter.com/kylesellers
tirso ramirez · 2009-05-02 05:41 · #
That means that Firefox is so popular now that it is being targeted by this kind of people.
HAL · 2009-05-02 05:55 · #
Good morning Dave….
Aggressive Prefector · 2009-05-02 06:01 · #
I disabled noscripts new white list in adblock plus. I restarted firefox and it did not reset. That is good. I am shocked that an extension would sabotage another extension.
There is only one way to win this fight. Adblock needs to add the features of NoScript. I also suggest having a switch to automatically allow scripts or automatically block them.
Justin · 2009-05-02 06:01 · #
Wow, I’m uninstalling noscript. I need to find a replacement.
YukonGuy · 2009-05-02 06:12 · #
This is the problem with extensions. In particular the behaviour of extension developers. Good bye NoScript! Wladimir Palant, you’ve made a poor choice.
jarek · 2009-05-02 06:19 · #
so where’s your problem adblock guys?
noscript just messes with your addon the same way you mess with other people’s websites.
that’s the sweeeeet taste of your own medicine …
Ruined FOREVER · 2009-05-02 06:20 · #
So NoScript is Ruined FOREVER now, right? Personally, I think that both AdBlock Plus and NoScript should’ve been integrated into Firefox to begin with. Considering how many cocksuckers on the Internet like displaying pop-ups, pop-unders, utilising XSS, performing DNS poisoning, and phishing; it’s damn near becoming a necessity to have to operate purely off a whitelist with everything disabled by default.
I will admit that NoScript’s actions have been utterly moronic in this regard and their attempts to undermine ADP are inexcusable. If, however, the original aims of ADP or the EasyList subscription are no longer being adhered to (it was mentioned that it was originally to get around annoying/obnoxious/dangerous/etc. ads) then that is a mitigating factor. If Giorgio says he was under the mistaken impression that the aims of ADP and the EasyList subscription were originally different and have now changed, then I’m prepared to give him the benefit of the doubt. Just this once.
#78 gets it. Don’t throw the baby out with the bathwater because mum ‘n’ dad have had a lil’ spat over how best to clean their spawn.
Nonightsleep · 2009-05-02 06:25 · #
I’ve always wondered about how people could develop and maintain such great Fx add-ons. Looks like money is still important to (some of) them after all.
@ #87: A lot of people could have just quietly disabled the new whitelist, and moved on because I doubt the author would want to do anything sneaky after this. But it seems like they think each opinion counts, so they’re going all out on every site… People have so much free time.
And you could’ve warned me before linking tvtropes. Good thing I wasn’t doing anything productive this evening :)
Security First · 2009-05-02 06:32 · #
Good security policies begin with “deny all” and then proceed with selective allows. NoScript is far from perfect and there are some legitimate complaints about what its author has done, but its basic premise of denying all scripting from (almost) all websites makes it the single most important security extension I use. Those who think ABP is the first extension that should be installed clearly don’t have a grasp on good security. ABP does not begin with “deny all”. And those that think all scripted malware begins with third party ads also need to get educated. For me, ad suppression is a must have because I can’t stand ads, not because of security concerns. At best ad suppression is a not very good but nonetheless minimally helpful bonus layer in my security perimeter, but that’s being generous. I’m amazed at the commenters for this posting because no one seems to get this. Look, I’d be absolutely delighted to replace NoScript with a superior alternative, but unlike ABP, there isn’t one! I use Privoxy on a separate proxy server so that I needn’t bother with administering something like ABP on every profile on every computer. I’ve nothing against ABP… well, all the ranting and willingness to solve the NoScript problem with such venom does have me concerned now… but good security and practicalities demand I use NoScript – not so for ABP.
What I want is for NoScript-like functionality to be integrated into Firefox. That will never happen for ABP-like functionality. Instead of throwing tantrums about NoScript, try civility to move its author while simultaneously lobbying Mozilla for functionality that will make him irrelevant. I don’t see anyone here actually trying to solve the fundamental problem of default deny-all scripting security… except for the NoScript author. IMHO, that makes the ranters look awfully foolish.
Unhappy · 2009-05-02 06:34 · #
What is the last version of noscript that was not fubar’d in this manner? If I am to believe the changelog, 1.9.2.2 is a good one – is that a safe one? I will downgrade and not allow updates until noscript wises up.
Reply from Wladimir Palant:
Don’t believe the changelog. This code was introduced in 1.9.2 without mentioning it in the changelog.
Listen to me · 2009-05-02 06:38 · #
@ #84:
Wow I’m uninstalling Firefox, oops I mean NoScript. Looks like it’s evil and gonna blow up my computer. Huh? I can just disable the new whitelist? What’s that?
I’m posting because I want you guys to remember what I do with my software is very important.
Steven G · 2009-05-02 06:56 · #
why don’t we all do abp and noscript a favor … disabling the first run redirection to his page, how about them apples?
blah · 2009-05-02 07:10 · #
I always thought the Noscript guy was a douche. Just look at the logo on his site. F that ego maniac.
Listen to me · 2009-05-02 07:12 · #
@ #91: On second thought, I’ve decided to uninstall firefox completely.
I’ve lost trust in all extension developers. This guy has betrayed me for money, how do I know they won’t do it again? Trust, once lost, cannot be regained. It’s sad, I know, but Google Chrome should do a better job. I’ll never install firefox on any of my computers again.
What I do with my software is important, you see.
This isn't right · 2009-05-02 07:15 · #
NoScript & Adblock are SECURITY plugins. NoScript’s sneaky tactics are types of things we try to protect ourselves from.
That’s like subscribing to ADT Home Security, and when they get to your house to install, they remove the locks on your back door.
The fact that this is free software has nothing to do with it. It’s unethical and bad business practice. If companies did business like that, they would be shut down.
Don’t take my word for it, just look at the response on Mozilla.org Addons
StillUnhappy · 2009-05-02 07:16 · #
So now the 1.9.2.5 version has come out that (according to the noscript developer) asks if you want to add the offensive behaviour or delete it forever.
What a fricken’ joke!! It pops up an utterly confusing window that basically says “do you mind if we protect you from the evil world out there” and then offers you an “ok” button and a “cancel” button. What does anyone suspect will be the result of that?!
That settles it that I am done completely for good. Thanks ghendar for the hosts entry. I am adding it as we speak.
Glam · 2009-05-02 07:19 · #
How dare they show us ads, how mean and degrading..
Seriously, until I saw today the option for disabling the loading of the NoScript on every update I didn’t at all notice anything on – just closed it. And is it such a great sin that the maker(s) of this great piece of software get some revenue? I’ve even considered donating.
I’d like to hear the story from NoScript’s side as well, but by default I’m on their side.
Reply from Wladimir Palant:
The problem is not with the ads – it is his choice how he wants to make money from his extension. The problem is how far he went to protect this revenue – even manipulating user’s system behind user’s back. That extension is supposed to be trusted with user’s security.
Eric Z. - An avid internet crawler · 2009-05-02 07:19 · #
I have read this, the posts in a forum redirecting me to this post, and nearly all the comments after this post and I must say. If he clearly said to his users, “I hope you enjoy noscript, but as it does take time to develop and test this add on for FireFox, now if you wouldn’t mind there is a very simple… blah blah blah etc” Asking the user if they could support him by seeing the Ads, he surely would have gotten quite a few ad “viewers” from those who understand or truly want to support him. But the way he had undergone getting people to see his ads, is really disgusting and he deserves to lose all the Addon users that he alienated in using such tricks.
Former NoScript User · 2009-05-02 07:20 · #
I have removed NoScript from my browser because of this.
There is no excuse for modifying the behaviour of other software on a computer without the user’s consent. There are words for that sort of behaviour, starting with “malware” and in many places ending in “illegal”.
It’s somehow okay now that an extension goes behind the users back and circumvents other plug-ins? Especially a plug-in that most users use presumably to protect themselves against malware and intrusive JavaScript driven ads?
NoScript is supported by ads, and maliciously tries to prevent them being blocked by AdBlock. However, AdBlock itself is not supported by ads, and does not try to block NoScript in a similar fashion. It may be a war, but it’s pretty one-sided, and it’s fairly clear who’s being an asshole here.
PeterSP · 2009-05-02 07:26 · #
I think there’s a bit of groupthink here that Giorgio just added the whitelist to keep ads— I believe that when he added the whitelist, some of the entries on EasyList were blocking most of the javascript on his sites, period (preventing things like turning off the “get it” button if you have “it” from working.) To say that this was “one-sided” is wrong. Of course, Giorgio should have been more scrupulous about this.
steve · 2009-05-02 07:47 · #
NS v1.9.2.6 just released cancels out the controversial filterset entirely. Now everybody move on.
zurk · 2009-05-02 07:51 · #
no extension should touch another extension. PERIOD.
i dont give a crap if you destroy yourself but dont destroy anything on my computer without my permission. noscript is entirely at fault here.
Winter Knight · 2009-05-02 07:51 · #
1) What is the latest safe version of NoScript?
2) If my Adblock Plus installation has been sabotaged, how can I fix it? Will uninstalling and reinstalling do it?
I think I already have the answer to #1. The first unsafe version was 1.9.2, so the last safe version was 1.9.1.91.
Reply from Wladimir Palant:
Supposedly, NoScript 1.9.2.6 both removes that behavior and repairs the damage done by the previous version (removes the whitelist again).
AMO Editor · 2009-05-02 07:53 · #
I’m author of several addons on AMO. I also contribute to AMO as an editor.
Your addon being the most popular addons has a huge fan-following. By making the issue public in this manner, you’ve attacked NoScript with all your fan-following. Could it have been better to report this issue to AMO Editors or AMO Admins? I believe that this issue in this version of NoScript that was approved by AMO could be reverted (or a suitable action may have been taken in time – after all the obfuscated code did slip through by one of the editors).
On the subject of monetisation… (and after reading your other posts/links you referred to), the wiser man knows that free software “sells” almost as well as the paid counterpart… the difference is in the way money exchanges hands… donations/ads etc… While your development work is a part-time affair there are others who are full time into it and they have to pay for the roof over their head. So understandably whatever the business model… ethics pave the foundation for a long-term relation with your software’s users. You also use the term “begging” (for donations – http://adblockplus.org/blog/the-monetization-dilemma) which is again offensive. If you have chosen not to earn through these streams doesn’t mean that others earning it is wrong (though you never said that). I agree on the point that monetisation options are being abused and are crossing the limits. I’d say this is not a misuse of addons as a way to earn money but an abuse of AMO for the traffic it throws your way and the visibility your product gets. Imagine if there were another 10-20 sites listing these addons? I’m sure addons wouldn’t have been that profitable to authors then. That’s the reason developers want to come out of experimental status… so they can get installed and the updates offered subsequently. AMO being the central place of about 3000 Firefox addons is the actual target.
Reply from Wladimir Palant:
I am sorry if you think that I should have acted differently – I thought a lot about that before publishing this blog post. In the end, I wouldn’t have done anything if NoScript wouldn’t be considered a security extension (meaning that it is trusted with user’s security). I also wouldn’t have done anything if NoScript’s current solution involved giving users a choice or even explaining properly what was going on. But going behind users back like that is unacceptable IMHO.
Oh, and the term “begging” was only meant to express how far some extension authors go to bring their “Please donate” button to attention. I don’t think there is anything wrong with donations or with making money – on the opposite, I would love seeing more add-on authors make money from their work. But I do think that there should still be limits.
click170 · 2009-05-02 07:59 · #
Coincidentally, I stopped applying NoScript updates a long time ago because of how it opened his freaking web page every time an update was released, and I really got the sense that he was releasing ‘updates’ weekly that didn’t have any measurable effect in browsing performance any more. I’m currently using 1.9.1.4, and after reading your blog post I’m looking for another script blocking plugin.
Until I find a suitable alternative, I’ve made sure to investigate all of the preferences and I’ve made sure that ads on noscript’s site don’t load. Regardless of whether or not I intend to visit there ever again, and in case you’re wondering, I don’t.
When a person starts writing malicious code, that person is a cracker. When you write good code that does what the documentation says, you’re a developer. When you have an app, and it works and people like it and you decide to turn that to your advantage by inserting code/properties into your app that YOU YOURSELF know the majority of users would object to (such that those alterations would be considered malicious by the community) you are not only a traitor to the community, you are below the Crackers in rank and respect. You had respect and you had followers and a community behind your app, and you chose to leverage it in an attempt at profit.
Congratulations on making it onto BBC, I’m sure that will spike NoScript’s popularity. I’ll just have to make sure I do my best to inform everyone about how malicious you’re willing to be towards your own users just so that you can display some ads. For shame.
Bologous · 2009-05-02 07:59 · #
Thank you Wladimir for your investigations. I’ve deleted NoScript from my PC and have other people on Slashdot. Giorgio made a big mistake – you should never take advantage of someone’s trust particularly to do something it’s obvious they don’t want you to do (esp if they’ve installed AdBlock Plus!!!!)
TTB · 2009-05-02 08:24 · #
Wow what a well written post
Security First · 2009-05-02 08:31 · #
@94: “NoScript & Adblock are SECURITY plugins”. Ah for cryin’ out loud. Ad blockers are NOT security plugins! NoScript whitelists, ABP blacklists. Good security always starts with “deny all” and then whitelists as required. ABP is about suppressing annoyances, saving bandwidth, denying revenue, making political statements, et cetera, but when it happens to block malware it is almost certainly because you weren’t taking adequate security precautions and caught a lucky break. You are vastly more vulnerable running ABP without NoScript than you are running NoScript without ABP. If you don’t understand why then you’ve nothing to say on the subject of security.
Again, give me an alternative better than NoScript and I’ll switch immediately. Ranting and yelling “boycott” while providing no alternative to replace the critical security component that NoScript provides is gross irresponsibility by those that should know better and sheer stupidity by those that don’t. I recognize that most of the ranters are nothing but ignorant teens that hop up and down pretty much on command, but what’s up with those few of you that understand security?
Hurr · 2009-05-02 08:38 · #
OH NOES INTERNET DRAMA
Soupy007 · 2009-05-02 08:42 · #
This is disappointing, but not completely unexpected. It certainly explains Giorgio’s mindless whoring of it on nearly every freshly opened security bug on b.m.o and elsewhere in the blogosphere. It’s not about serving users anymore, it’s about one person: Giorgio. That combined with this ploy is more than sufficient for me to uninstall it. When “security” software pushes an obfuscated blob of code (was this even reviewed before going live on AMO!?) whose sole purpose is to interfere with/disable features of completely unrelated software without stating intent or asking my permission for no reason other than the author’s gain; any trust which may have previously existed is thrown out the window.
Everyone who develops software knows that finding a decent way to monetize a product without pissing off users or being falsely labeled as adware is a delicate balance – noscript however, completely deserves that and a much worse label: malware. Good riddance.
Reply from Wladimir Palant:
I think NoScript got excepted from AMO reviews like several other add-ons as well (e.g. Adblock Plus). The reason is that AMO review is a functional review, not a code review (AMO doesn’t have the resources for code reviews). And functional testing is already done with the development builds in case of NoScript.
AMO Editor · 2009-05-02 08:43 · #
wrt comment#103 and your reply…
I should have done similar but only after communicating with the AMO admins. You have brought up an interesting and a very important topic. We had been waiting to see these issues and discuss the topic… the sad part is that day is today.
By the way good post and good job with ABP.
Paolo · 2009-05-02 08:48 · #
I agree that NoScript made a big mistake and as a workaround I created a custom CSS with the Stylish extension to hide the ads on noscript pages:
div#google {display:none !important}
div#google2 {display:none !important}
div#main {margin-right:0 !important}
Luckily NoScript released version 1.9.2.6 which removes the controversial filter. If you check NoScript home page you can see that the author apologizes for what he did. I think we’ve got a happy ending.
Ross · 2009-05-02 08:54 · #
I’m keeping NoScript, but adding those 4 domains of theirs to my HOSTS file.
burris · 2009-05-02 09:14 · #
It’s tough for Wlad, the only people who use NoScript are ultranerdy paranoids and power users. The same people that use ABP. Maybe he should reconsider his business model.
dwards · 2009-05-02 09:15 · #
@ #107: Don’t worry, Security First. NoScript is here to stay on my machine (but of course as always, until something better arrives).
What you’re talking about is just the vocal minority. They’re usually full of fanboys, uninformed people with a righteous sense of justice, and bandwagon hoppers.
It is the silent majority that you should care about. Developers are doomed if they ever listen to those rowdy teens.
@ Wladimir Palant : Wladimir, your blog post might not have been ill-willed. But you have misjudged your average user. They are not the most intelligent, not very reasonable, not always sympathizing, but they are very fond of your add-on and whatever you may say. Just have a quick look at what they’ve done. Endless resulting remarks at NoScript forum that they have to temporarily lock it until the add-on’s been updated, 1000+ clueless people boycotting on Reddit and telling their friends to do the same, even Slashdotters are jumping on the bandwagon. It has totally gone out of control, one might say.
So you say you couldn’t just sit there and do nothing. You could’ve contacted the AMO editors and worked it out with Giorgio, or maybe in some different way and then make a quick post afterwards… But you had to make it all public like this. Even I feel bad for the guy. He had to push out an immediate update, and then, as that wasn’t enough for your users, another one that totally disabled the support filterset (which means no more ads ever). And even then more anonymous cowards, doomsayers would just come and continue spamming line after line of insult. Sorry, but IMO, you’re no better than Giorgio himself.
This event has taught me more about blocking ads. Maybe in the next post, you could tell your users how to support their favorite sites and call your personal army off, saying that everything has been resolved, people should get back to using NoScript or something. But of course now it’s gone this far, someone has probably forked the add-on already.
Reply from Wladimir Palant:
Please see http://adblockplus.org/en/getting_started#disabling
I have been observing questionable tactics from Giorgio for quite a while. He has been spreading FUD instead of informing users just for the sake of making his add-on more popular. He passed up no chance to make Firefox developers look bad just because they prioritize bug fixing and take their time to fix low risk issues (which Giorgio “fixes” first of course – never mind breaking the web). This time he clearly went too far however. And I am just informing people that this “security extension” cannot be trusted with your security. I didn’t quite expect the response this prompted – but I still think it is well-deserved. Somebody who develops security software should have a better understanding of ethics.
Joe Fox · 2009-05-02 09:19 · #
The real concern for me is that firefox still does not have a proper sandbox for extensions.
It shouldn’t be possible for one extension to interfere with another without user consent.
Unfortunately without a large rewrite of the framework, this just isn’t going to happen…..but it needs to happen.
Reply from Wladimir Palant:
The problem is that having a sandbox always means largely restricting what extensions can do. Add-ons like NoScript will most definitely no longer be possible.
Jason · 2009-05-02 09:22 · #
If they implemented a filter set system, that would bring NoScript back to my machine. I hated having to investigate every site for what scripts I need to allow.
It would be really cool if they made (hypothetical) filter sets compatible with ABP.
P. · 2009-05-02 09:38 · #
@100: So if somebody steals from the store down the corner, gets caught and, having no other choice, decides to give the items back that weren’t his in the first place do you “move on” as well?
No, you don’t. You call the police because laws are useless if not enforced. This isn’t much different. No criminal act here but it speaks volumes about NoScript’s author that he even tried to get away with this. And now he’s backing down under public pressure (probably a good idea because Google doesn’t take too kindly to people who generate false ad impressions).
NoScript’s core functionality should be integrated into FF, the same ways tab handling is. It’s the same way with TMP/TBE/all the other tab extensions. They integrate nicely into FF, offer plenty of options for us power users and the average user doesn’t need to worry about them.
Reply from Wladimir Palant:
I agree with the last paragraph, I would like to see at least an extension implementing “NoScript’s core functionality”. The problem is that NoScript’s core functionality is not what NoScript is doing – instead NoScript is a huge conglomerate of various hacks, most of which users don’t know about (and don’t even want to have).
J · 2009-05-02 09:49 · #
So, is there another extension that matches NoScript’s capabilities? I don’t want to use it after the author has shown a complete misuse of his user’s trust.
Reply from Wladimir Palant:
From what I know, YesScript is the closest thing. But I guess it could use some improving to become a real alternative.
dwards · 2009-05-02 09:51 · #
The ignorant just keep coming I see.
Perhaps the next person will complain the logo sucks. Oh wait, they’ve ALREADY done that.
Please, if you’re thinking of adding your own wise words, why not read ALL the above comments, then head to NoScript forum to understand the situation a little more instead. Chances are there are already 50 similar idiots with the same idea already.
Or perhaps the more the merrier? I need my Kool-Aid.
It is over people.
giantslor · 2009-05-02 10:03 · #
NoScript is garbage and people should dump it. JavaScript is becoming more and more integral to the web. Installing NoScript breaks just about every website in some way. It’s inevitable that you’ll have to whitelist a particular site. What’s the point? Even if a site has a javascript exploit, I bet most people would just whitelist it because it’s broken.
FutureAxeMurderer · 2009-05-02 10:12 · #
This has been put up on Reddit. Someone should see about getting it plastered over at SlashBot/Digg/etc. etc.
I’m uninstalling No-Script myself. #5 is right. Once trust has been lost it can’t be re-gained. Un-trustworthy practices show their true motives. I won’t ever use this plug-in again.
unsigned code · 2009-05-02 10:14 · #
@32
honeypot urls, like you mentioned, are not very effective.
blocking firefox is stupid (not to say useless, since it’s trivial to change the useragent string).
serving ads from your site may work if they are not overly annoying (people don’t even notice them).
encoding images into the html/js itself is inefficient and borderline assholeish (..and people wonder why others still use noscript).
asking people to whitelist you seems to be the more sensible/less dickish approach.
@23 you’re a “web developer”? seriously? then you surely know that this escalation/arms race between advertisers and users will simply result in your loss. you see, the computer is mine, so i choose what to run/display in it. if you don’t want people to look at your site, don’t allow public access and charge a fee for access; if, on the other hand, you prefer to act all self-righteous and pricky, don’t be surprised when some of your users start acting like you.
Daffyd K Jones · 2009-05-02 10:15 · #
dwards – how was this Wladimir’s ‘personal army?’
Nowhere in his blog posting was there a call to action. He didn’t ask anyone to boycott NoScript, to post on their forums, or to complain on slashdot or reddit.
Us readers have our own free will, you know. If we want to complain about one of our trusted extensions deliberately interfering with another of our trusted extensions then we will, it’s not Wladimir’s doing.
Lukas Beeler · 2009-05-02 10:20 · #
Thanks for the heads-up.
I’ve uninstalled NoScript on both of my computers because of this post.
Glam · 2009-05-02 10:34 · #
I cannot agree here.. NoScript developer gives other explanations and examples.. who should we believe (I’ve summed the links here http://bozhobg.wordpress.com/2009/05/02/noscript-and-adblock-plus-two-sides-to-every-story/ )
Reply from Wladimir Palant:
“Good luck to those in not getting infected” – so you believe the FUD NoScript is spreading. Good luck then, getting along on the Internet without knowing what the real risks are.
I don’t really care whether Giorgio wants to fight EasyList (or more correctly – his users’ choice) on his websites – it would be his (poor) choice, he wouldn’t be the first one. But he used his position as the developer of a popular extension, particularly of an extension supposed to protect users. That’s the line he shouldn’t have crossed.
markus · 2009-05-02 10:44 · #
I don’t want to discuss who is wrong or who is right.
All I know is that I am using Adblock Plus since a long time and I am happy about it. I never used NoScript, and I don’t really care what it does.
But I want to make ONE comment, about preferences – I am a “smart” user running Linux since 6 years, 99% compiled from source here.
But, I simply am too lazy to make manual changes to preferences of any kind. I think things should work out of the box, and the user should not need to change anything. :)
Hope that explains my attitude towards those things.
Of course I do change options in applications here or there, but this is always work which I try to avoid.
Intentionally Anonymous · 2009-05-02 10:50 · #
I work in the food service industry, and one of the things we’re taught there to remind us to keep customers happy is this:
It takes 10 outstanding experiences to make up for 1 bad one.
Better get working, Giorgio.
dwards · 2009-05-02 11:11 · #
@ #126: Sure we don’t have people on the internet claiming to be intelligent that often.
Or do we? Go to NoScript forum and see for yourselves.
No hard feelings, just pretty amusing.
Joe · 2009-05-02 11:20 · #
It’s quite funny to hear about “security” in the context of NoScript.
NoScript has always been a usability nightmare.
Unusable software can not give “additional” security.
mithra · 2009-05-02 11:36 · #
I’ve been annoyed by the unreasonably high number of noscript updates. Now this story explains why and a lot more.
Enough’s enough. Flush…
Be interesting (and amazing) to see noscript recover from what has to be a pr disaster, and if not, who/what will fill the gap.
Another Giergio · 2009-05-02 11:41 · #
More important than this petty squabble between two add-on authors, how did a piece of malware-like (yes, if it was obfuscated, and did not inform the user it was malware-like) add-on pass the review process? Does Firefox allow anyone to do anything with the add-ons? Hmmmm..maybe it is time to give Chrome a try.
HelenG · 2009-05-02 11:59 · #
Thank you for the heads up Wladimir, unfortunately I only found out last night when I was checking my ABP filters then a few minutes ago when NS updated and saw apologies did I realize what was going on!
I’m quite annoyed so I am sticking with ABP only (like I did when I first used Fx) and NS has been given the boot. I’ve had to delete the profile too as it will not get out of the config.
Thanks Wladimir and the ABP team.
WHAT · 2009-05-02 12:06 · #
> Recently I wrote about how not giving extension developers a good way to earn money might lead to very undesirable effects.
WHAT!?!?!?!?!??!
Who is supposed to give you this way to earn money?
WHAT?
Do you realise how little sense you are making?
Bernhard Schulte · 2009-05-02 12:44 · #
Thanks, I’ll stay with NoScript. The roundtrip to their site after updates has the beneficial side-effect that you notice when add-ons-mozilla has pushed you an outdated version.
steve · 2009-05-02 13:11 · #
I’ll stick with NoScript thanks. The infighting between NS and ABP should be treated as dead now. I do use ABP too but only as backup to AdMuncher a superior adblocker overall that filters any browser I care to use (but not HTTPS).
GrailKnight · 2009-05-02 13:30 · #
Thank you for all of the information Wladimir.
I am sticking with Noscript as well.
Giorgio is not nor will be the last developer to make a bad decision based on good intentions. All sides learn from their mistakes or fail. Only time will tell.
GK
Dave · 2009-05-02 13:34 · #
Between CS Lite and NoScript , I feel MUCH safer surfing the web. I am happy to put up with their minor annoyances in order to partake in these products. However, NoScript stepped over the line with their attack on ABP in that they violated our trust. I surely wish I could take back my donation.
Glam · 2009-05-02 13:38 · #
@Wladimir
I am in the IT business for some time already and I have a good clue of threats and security. The principle of NoScript is what seems great to me, not some marketing slogans.
And I support what “Security first” wrote – let the teens uninstall whatever they want.
Reply from Wladimir Palant:
I didn’t tell anybody to uninstall NoScript. There are some features in there that do indeed help security (most of them are worthless still). However, I do think that you have to be very careful about what you do with users’ trust – especially if they trust you with their security.
Laurens Holst · 2009-05-02 13:47 · #
Scandalous. And this for an extension we are supposed to trust.
This also puts his blog posts on Planet Mozilla (I guess I should call them advertisements from now on) in a different light. Spreading FUD to get people to buy in to his extension, and earn him more money.
Nextnx · 2009-05-02 14:06 · #
/Uninstall NoScript
EOD
The author and/or devs have proven to be rotten (see OP). Furthermore, they are in a position to do this again, even though to a smaller degree. The mass of ppl ignoring this might trigger the author to still seek and push this gray area, in limit of mass ignorance.
So frankly I do not trust them to even improve.
What I would like to see, is the community to take NoScript and strip, rebuild and release a public safe extension of NoScript.
I do thank Wladimir Palant (and co?) for bringing this matter to light.
Nan M · 2009-05-02 14:15 · #
All the NS settings interpreted by Wladimir as corruption are as easily interpreted as support behaviours:
Firstly: The direct to the changelog page has been so since NS started up, and embedding the log in the developer’s full info page is standard practise across most well supported extensions. All developers want to show their stuff off – either for praise or for donations. I don’t like the implication (intended or not) by Wladimir that this has been somehow always intended for ad revenue in particular.
Secondly: NS is primarily a security app. And as such any responsible developer will respond to changes in the security environment as promptly as possible. For NS, this means a new version, not a simple definitions update as in client firewall apps.
The NS developer has, in my 3 years of using NS, always issued a revision in response to any security or usability problem; remember that much of plain web use is on the worst of malware’s playing fields – viz web2 social sites and webmail sites – and a plain user in difficulty with twitter, facebook, yahoo would have drifted away from the user base if their fixes weren’t delivered quickly. Support for security has to be instantaneous.
The point here is that new versions are indeed coming rapidly these days, but this is a function of the explosion in the user base – and consequent bug reports – and interpreting it as a venal grab for income is disingenuous; a couple of years ago I would have seen an update maybe once a month. Smaller user base, fewer bugs reported, fewer updates. Occam’s Razor should be applied unless Wladimir has other evidence.
Thirdly: for the default whitelist: Here’s a philosophical question:
NS is based on trust. The user who installs the extension has made the decision to trust NS. The developer has added a default set to the whitelist that flags his interpretation of what sites can be trusted by the novice user.
What message is the user getting if the NS site is not one to trust by default?
I smell an agenda in this campaign by Wladimir and so I have no trust that the argument as presented by this blog post is a full and transparent exposure of both sides of the issue.
I look forward to Wladimir posting otherwise.
In the meantime, NS for Fx and no thanks to Giorgio Maone appears to be the agenda.
I think it’s inevitable that NS becomes a core function of Fx.
But I wonder how much we long-time NS users will miss the rapid and generous response to bugs that Maone has provided all along.
Reply from Wladimir Palant:
Sorry, you are ignoring some facts. The changelog page is one of the major complaint points about NoScript. I have seen lots of complaints about it in Adblock Plus discussions. I don’t visit NoScript forums but I bet that this is one of the most common complaints there. NoScript has options for just about everything, so why do you have to dig into about:config for this one?
Further: the idea behind security apps should always be “trust nobody.” That’s something that Giorgio has been telling himself often enough. Obviously, the whitelist should be as small as possible to keep users safe. Sure, Giorgio might have made the mistake of thinking that his own sites are guaranteed to be safe. But after I found an XSS vulnerability there and proved that he is putting users at risk — why did his sites stay on the whitelist? Is he that sure that he won’t make a mistake again? Or that his XSS protection is infallible? And that all even though his sites don’t even use JavaScript at all – except for ads of course.
The security playing field changes often – but not that often. Occasionally you need an emergency release. Most often that’s unnecessary and your changes can wait until more of them have come together. Too frequent releases are another major NoScript annoyance – I’ve seen that in discussions many times before and you will see many people acknowledging this in the comments to this blog post. Given that, it is hard to understand why they still happen (releasing more often while keeping same quality requires additional effort from the developer, that’s not something anybody would do without a reason).
You also ignored the most important fact: NoScript did include code to cripple Adblock Plus. You can download version 1.9.2 and look at MRD.js yourself (see comment 17 about de-obfuscating that file). Have a look at the changelog and try to find that change there. You can also see in the NoScript forum how Giorgio tried to cover up. That is what I am so upset about – is that what you expect from your security app?
Agenda? You must be joking. I wanted to go public with all that when I first saw this malware code of his. I mean, did he really think that he can get away with this? But instead I kept the discussion in a private EasyList forum, mailed Giorgio and waited patiently for his next release. I’ve seen however that he doesn’t feel being wrong on this. And that he doesn’t intend to respect users’ choice (or at least ask them for permission before changing their preferences). And even then it was still a tough choice.
EdmundGerber · 2009-05-02 15:27 · #
I’ll stick with noscript as well.
I’ve been an admuncher user since forever, so never needed to mess with adblock.
However, blocking ads is a nice trick, but noscript is a very important extension from a security point of view. Good luck to all you FF users that choose to drop it for a very stupid reason. I’m sure botnets everywhere will be swelling with your numbers shortly. ;)
All because two guys on the internet got into a pissing match, and you all choose sides.
Steve D · 2009-05-02 15:35 · #
Where do creative types get the idea that they can do something and live off it indefinitely? Write your code, sell it for the hours you put in, then do something else to earn more money. If you can’t make enough money that way, get a regular job and write software for a hobby or a part time job.
Johnny f*g know it all · 2009-05-02 15:49 · #
> Thirdly: for the default whitelist: Here’s a philosophical question:
> NS is based on trust. The user who installs the extension has made
> the decision to trust NS. The developer has added a default set to
> the whitelist that flags his interpretation of what sites can be
> trusted by the novice user.
> What message is the user getting if the NS site is not one to
> trust by default?
ABP has nothing to do with trusting sites, it’s about not seeing ads (even on trusted sites).
No-one objects to NS whitelisting its own sites as trustable within NS which is what your “philosophical” question implies. That’s not the issue.
PeterSP · 2009-05-02 16:00 · #
Wladimir questioned Noscript’s default whitelisting of noscript.net (and google adsense? For some reason, I don’t recall that being in the default whitelist when I installed noscript) in Noscript, saying it exposed users to XSS. He further implied that since clearly this was done in order to make noscript.net’s ads work by default, this was improper behavior.
SP · 2009-05-02 16:23 · #
I was wondering why some ads mysteriously started reappearing a while ago…
It appears NoScript developers are just as bad as any other malware developers.
Also, I’ve never had a problem before installing NoScript, and I don’t see why I should have any after uninstalling.
What kind of sites do you NoScript advocates browse, anyway? Probably something you ought not be browsing to begin with.
Peace.
Anonymous Coward · 2009-05-02 16:28 · #
What Mozilla needs to do is technologically enforce its AMO policy. Suggestions:
1. A strong Javascript sandbox.
2. Why on earth do extensions have such raw power in Firefox? We need a strong add-ons sandbox too.
PeterSP · 2009-05-02 16:41 · #
> What kind of sites do you NoScript advocates
> browse, anyway? Probably something you ought
> not be browsing to begin with.
@146
What? I simply don’t care to execute arbitrary javascript/flash/whatever on sites I haven’t visited before and don’t trust yet. If I followed your philosophy I suppose I would stick to a handful of sites I know and never follow any link outside that handful?
SP · 2009-05-02 16:49 · #
@148
I figured someone would take the bait.
Toe · 2009-05-02 17:08 · #
Sigh…
Giorgio can ‘fix’ his code, but fixing this breach of trust is another matter. Uninstalled.
@ #103 AMO Editor & #114 dwards: Wladimir didn’t ‘make the issue public’, it’s been public on NoScript’s forum for over a week.
XP · 2009-05-02 17:09 · #
It’s time for a NoScript Fork!
Breco Pol · 2009-05-02 17:11 · #
Wladimir, your AdBlock+ is so indispensable in order to make “the Web” working. NoScript definitely overstepped the thick line by fiddling around with other extensions. NoScript destroyed credibility — not only its own but there is also the danger that this incident hampers the existing extension ecosystem.
thejynxed · 2009-05-02 17:14 · #
I have been using both extensions for years. That being said:
1) The author of NoScript should respect the authors of other extensions enough not to mess with their extensions, or the functionality thereof to the detriment of the security of the users of those extensions.
2) The author of AdBlock+ should seriously reconsider allowing other extensions not authored by him or other individuals explicitly authorized by him to directly interact with any AdBlock+ functionality (Chiefly: addition/subtraction/modification). Example: Subscription filtersets should not be allowed to be tampered with externally at all.
Who is to say some malicious individual or group will not program something to copy say the EasyList, modify it to unblock specific malicious ads/sites (and change the update URL) and enable it in AdBlock+ over the “correct” EasyList if this is allowed to continue?
Reply from Wladimir Palant:
As I said several times above already – an extension that is installed in your browser can already do anything. There are countless ways in which it can manipulate other extensions (like simply uninstalling them) and there is very little you can do to prevent that. Which is why it says “don’t install from sources you don’t trust” when you install an extension. The “official” way of changing Adblock Plus preferences is only there to make sure that the extensions that should be doing that do it in an ordered way that won’t break anything.
HelenG · 2009-05-02 17:15 · #
Now I’ve calmed down and assessed the situation poster #136 makes a point. See I love ABP the best then I like NoScript 2nd and happily do / did / will again surf with just those 2 extensions, it would be nice if Giorgio would work with ABP, as in teamwork not merging. I know it’s not your fault Wladimir. God bless you.
PS. To the big mouths on here who are playing “top dog” and throwing insults because their IQ is bigger than “the whole wide world” yes that is to you calling those of us sticking up for ABP i.e. #70 – not all free software users are thick and arrogant, I might not be the brightest crayon in the box but at least I’m not an arrogant thwait and people passionate about ABP are sticking up for it (same way as you are with your ego) – why would you call them? I’ve not been to AMO to complain and certainly not /. – others here have said “hey I don’t agree but…” and tried to calm the situation yet you have insulted all. I’m not even going to repeat what “Freud thought about persons like you…” We still have freedom of speech right now and if people want to sound off about it they can, yes it needs to be calmed down but hey we’re just humans that get p-worded off.
egal · 2009-05-02 17:22 · #
kindergarten!
Reply from Wladimir Palant:
I couldn't agree more. I still cannot believe I had to write that blog post.
Ned · 2009-05-02 17:46 · #
> What kind of sites do you NoScript advocates
> browse, anyway? Probably something you ought
> not be browsing to begin with.
Well aren’t you high and mighty!
Pull out that stick out get out for some fun, man.
Life is short.
Breco Pol · 2009-05-02 17:54 · #
#153 wrote:
> 2) The author of AdBlock+ should seriously reconsider allowing other
> extensions not authored by him or other individuals explicitly
> authorized by him to directly interact with any AdBlock+
> functionality (Chiefly: addition/subtraction/modification).
My personal opinion here is that I simply do not want any other extension to mess around with AdBlock+ or any other extension. The subscriptions as well as their exact content is nothing another extension has to worry about. No way around this. Am I in control here or any arbitrary add-on developer?
me@here.com · 2009-05-02 18:10 · #
Thanx for spreading the word.
I just uninstalled Noscript as I no longer consider it trustworthy. If anyone knows a good alternative please tell.
BTW: I just found out that my firewall webfilter can do the job for now…
nicozite · 2009-05-02 18:32 · #
Before my sense of justice kicks in, I’m reminded of the fact that, like lots of others, I’m just having information spoon-fed to me. Reading the forums didn’t really help. So I can’t get all high and mighty and say who’s wrong. However:
“Big thanks to everybody who made that happen!”
I think you understand what most of them were doing. I also think you’re encouraging that sort of behavior ( e.g. boycotting NoScript, uninstalling it, ‘spreading the words’, making defamatory posts full of profanities…)
And you also claim that most of the add-on is worthless, too. But of course, you didn’t tell anyone to uninstall it, right? It’s amazing how quickly you instill doubt in me, despite NoScript modifying your add-on.
But I guess it’s all over now. Good luck to everyone who was actually using NoScript effectively, up to this day. You’ll need it. The rest, I don’t really care. But wait, the add-on is worthless, isn’t it?
@ #150: public? Haha oh wow. Being covered on Slashdot, Reddit… That’s what I call public.
Anonymous · 2009-05-02 18:40 · #
This just goes to show that in any “business”, customers are the determining factor in the success of the business. Lose focus on the customers, and you’ll lose business.
1.9.2.6 is a nice gesture and all, but to me, it’ll take a lot more than that. His updates need to be more transparent, with CLEAR reasons behind every update to show that they are necessary, not just updates to boost up revenue.
He mentioned that he’s surprised how we missed “the information about it given on the AMO install page, on this site’s install page, on this very release note page and in the FAQ”. Most of us update NoScript when Firefox prompts us to, which means most users don’t bother going to one of the above three pages. He took an “opt-out” approach instead of “opt-in”, meaning that he took the same approach that malware authors take.
What he’s done is undermine the trust we have in Firefox add-ons. I don’t have the time to go through every add-on, so now it’s an act of blind faith almost.
I’m glad (most) of the debacle is over though. However, I can no longer recommend NoScript unless there’s more transparency regarding updates.
anonymous · 2009-05-02 19:21 · #
Wladimir = cry baby. Boohoo you broke my toy. Go find another sandbox to play in you whiny little child.
david · 2009-05-02 20:04 · #
I uninstalled noscript when I first heard of giorgio’s tactics. I recommend everyone to do the same if they value their privacy.
johnmurdoch · 2009-05-02 21:07 · #
Giorgio is a good actor lol:
http://forums.informaction.com/viewtopic.php?f=7&t=877&start=15
Ken Saunders · 2009-05-02 21:17 · #
I’d like to see how the developer of NoScript has responded to this publicly so please post a link (or several). You would not have put your name, reputation, and credibility on the line by addressing and posting this if you weren’t 100% sure that you are correct about the facts that you stated here, and I trust the feedback from your supporters so I’ve already decided what I believe and that is this post, but just to be fair and also out of curiosity, I want to hear what Giorgio has to say.
What has happened here is actually a great thing because the outcome will or at least should set a precedent and policies for how extension developers can and cannot solicit funds and target Firefox (and other Mozilla products) users with ads, and how their extensions are allowed to interact with other ones.
I strongly encourage those who have taken the time to voice their opinions here and in the NoScript reviews on AMO to continue this discussion until there are reasonable solutions and new policies put into place.
It’s one thing for a handful of developers (even if they have the most popular and downloaded extensions) to try and get major and new policies written and it’s another and far more effective one to have Firefox users ask for or demand changes. Mozilla will listen to their consumers which far outweighs the number of developers and they of course are the ones sustaining Mozilla’s products.
Perhaps Wladimir could contact Nick Nguyen or Justin Scott to get a discussion going on the Mozilla Add-ons blog.
In any event, don’t become complacent or this issue will arise again and perhaps with another one of your favorite add-ons. And you won’t just be helping yourself out, you’ll be contributing to the betterment of the add-ons ecosystem and community and the user experience for your friends, family, and other Mozilla’s product users.
For the record, I used NoScript for a while but no longer do. I’ve used Adblock Plus a few times on and off over the years but I currently do not. I have a great interest in marketing especially in browser marketing so I need to see the 8,000 Chrome and IE8 ads that appear on web pages daily to know what’s going on. But I fully support Adblock Plus because I support a person’s choice to view and interact with the Internet in any way that they’d like or need, and because it attracts new Firefox users ( ;) ).
I’m also a strong advocate for add-on developers and so I have no problems at all with them trying to make some money considering the amount of time and effort that it takes to develop an add-on as long as it is done tastefully, unobtrusively, honestly, and without interfering with a user’s Firefox (or other Mozilla products) experience. A link or suggestive make a donation button is cool, and post as much crap on your web pages as you’d like, but leave it out of Firefox.
I’d be greatly disappointed to see all of the time and passion invested here go to waste so take advantage of this opportunity to contribute and give back to Mozilla for all that you get out of Firefox by making its strongest asset (add-ons) even better by participating in ways to make a difference.
Reply from Wladimir Palant:
Unfortunately, I didn’t see anything resembling an official statement yet. See for example http://forums.informaction.com/viewtopic.php?f=8&t=1081 – Giorgio keeps sending people to the thread where he blames everything on EasyList. Now I don’t even want to start discussing on whether EasyList was right or wrong blocking ads on his sites or who should be blamed for the false positives resulting from this cat and mouse game – because it really doesn’t matter in the least here.
I have been contacted by Justin Scott and Nick Nguyen already – and yes, I also want to keep this discussion going. I expected issues like this one to come up (as mentioned in my previous blog post), I just didn’t expect it to happen that soon and that bad. AMO really needs to set limits (see also the “Lee Lorenzen” comment above for another example).
bluh · 2009-05-02 21:23 · #
Really, who gives a rat’s ass. Extensions like NoScript are needed because ignorant fools use crap OSs like Windows.
Aside from that, Mozilla already HAS a builtin functionality to disable javascript, as someone noted here. Just enable it, you don’t need an extension for that.
Also, just gotta love all those website owners whining and calling people who use ABP “thieves”. As if someone should ever decide what content gets injected into my mind other than me. The OTHER way (without ABP) is the wrong one. If your site cannot live without spamming the crap out of me, just shut it down and rid the world of your greedy existence.
Security First · 2009-05-02 21:36 · #
Wladimir, in your reply to #125, you say:
‘“Good luck to those in not getting infected” – so you believe the FUD NoScript is spreading. Good luck then, getting along on the Internet without knowing what the real risks are’.
That clarifies things for me somewhat. It’s clear the kids following your lead don’t have a clue about security, but I just wasn’t sure whether you were wilfully ignoring the security implications of running without a scripting whitelisting solution like NoScript or whether you simply don’t understand good security practices. It turns out to be the latter. Go on then, tell us all “what the real risks are”. While you’re at it, explain to the kids what percentage of drive-by browser exploits work when JavaScript, Java, and Flash are disabled. The NoScript author was definitely wrong to do some of the things he did, but so are you. You’ve shovelled far more FUD than the NoScript author has. More importantly, you’ve done great damage to the browser security of your sheep-like followers and therefore indirectly to the rest of us too. The NoScript author’s tactics were wrong, but yours are actually dangerous and unlike him you’re still at it. The reason NoScript has long been a very highly regarded and highly recommended extension is because of the well-understood and huge improvement it makes to browser safety, not because of who the author is or how he tries to monetize it. You demonstrate no knowledge of the subject and certainly have no credentials to suggest that anyone should take your evaluation of NoScript security seriously. A large crowd of sheep willing to chant “uninstall” whenever you raise your arms is intoxicating but it doesn’t make you right. You are doing great harm. Please stop now.
CCCP · 2009-05-02 21:36 · #
anyway it is the beginning of the end for noscript
CCCP · 2009-05-02 21:46 · #
https://addons.mozilla.org/fr/firefox/reviews/display/722
henrik · 2009-05-02 21:47 · #
@161
161 = Giorgio ?
Reply from Wladimir Palant:
Please don’t accuse people. I know Giorgio well enough to know that he wouldn’t post anonymously (especially not in such a childish manner). He is a nice guy, just misguided.
dust · 2009-05-02 21:58 · #
please can you add a functionality in adblockplus that blocks anything from a 3rd website?
for example: if i surf at adblockplus it blocks all from other websites. if i want i can allow a specific address in “open blockable items” or whitelist it in the preferences.
this would be a GREAT help! :)
about what happened:
the problem is firefox itself, it lacks a lot of functionality for power users. its nice for beginners but if you get used to the web you want more and get higher needs. functionality like abp, ns, flashgot, downthemall, styles and several others should be standard IN the browser and not an extra feature.
the other problem is the outdated security model or the lack of it. one tab can block the whole browser is only one result everyone mentions more or less often, even on new and quick pc. that one plugin can do anything with other plugins is another problem.
the future? we need a new browser. maybe a forked google browser? or a really improved firefox which focus on the roots of improving the code and not the version numbers.
thanks for all your work wladimir! :)
Reply from Wladimir Palant:
Already done: http://adblockplus.org/blog/third-party-javascript-yes-it-is-a-security-risk
Matt McCutchen · 2009-05-02 22:05 · #
Giorgio has apologized for the obfuscated code. As far as I am concerned, the matter is now closed and each of us can decide how he/she prefers to secure his/her browser. Firefox is intended to be secure out of the box, and vulnerabilities in it are fixed quickly; I personally have never been bitten by one. NoScript is an excellent defense in depth, but short of a necessity.
M.Corp · 2009-05-02 22:07 · #
While I fully agree with everything Wladimir has said, there is one key point that everyone is missing:
NoScript is a USELESS addon. It was great for Firefox 1, but not 2 and certainly not 3! With all FF 3’s security features, there is simply no need for it!
There are many other ways malicious code can be injected. Javascript is needed on loads of websites, and should not be disabled.
Ghost Hacking · 2009-05-02 23:08 · #
Indeed, the only reason to use noscript would be to block pop ups that come from “mouse over” javascript feature, other than that it’s pretty useless.
Anyway, if i was desperate at the point of using that “adware done “ I would use the old versions.
regards
Si · 2009-05-02 23:49 · #
Modifying someone else’s plugin is crossing the line in my book. Not in the slightest bit ethical.
I’ve removed NoScript from all my machines. Just can’t trust they will do something else.
Gray · 2009-05-03 01:01 · #
Let me recapitulate this: Because of your antipathy against advertising in the internets, you don’t like that the Noscript creator runs ads on his website to make some money. Especially you don’t like the default whitelist entries of NoScript – which isn’t really your business, but a point any advanced user can easily correct, right? So, instead of simply advising people not to use NoScript (which would be quite dumb, since it’s much more important than Adblock) or of forking NoScript (it’s GPL, after all), you chose to deliberately block that guy’s revenue. But now, you are totally flabbergasted that he retaliated in kind, and used his program to block your blocker.
Well, that’s really an interesting way to behave. Don’t you think the way you reacted just because another programmer didn’t adjust his own program to your wishes is a bit, hmm, let’s say, passive aggressive? And don’t say he did the same. You started this simply because you didn’t want him to make a bit of money with his ads. Pathetic.
Xepol · 2009-05-03 01:14 · #
Sounds like your best solution to end the war is simply to reproduce the desirable functionality of NoScript into your AdBlocker so people do not have to run them in concert.
Sounds kinda like the IE vs Netscape days really.
Napier · 2009-05-03 01:23 · #
This is much ado about nothing. I’ll continue using both Adblock and NoScript.
nix · 2009-05-03 01:35 · #
How about forking noscript? Just a thought, please…
BigMKnows · 2009-05-03 01:38 · #
It’s interesting. In his zeal to make money at any cost, the NoScript author may have just destroyed his business.
yo · 2009-05-03 01:47 · #
i agree merge those products to create a super AI =)
mr.roboto · 2009-05-03 01:56 · #
we need addons developed by robots and AI who can always remain neutral and effective !!!
settnfires@hotmail.com · 2009-05-03 02:26 · #
“Your addon being the most popular addons has a huge fan-following. By making the issue public in this manner, you’ve attacked NoScript with all your fan-following. Could it have been better to report this issue to AMO Editors or AMO Admins?” – AMO Editor
what the hell? attacked noscript? wasnt it noscript that attacked adblockplus first? and how about saying “exposed noscript”? could it have been better to NOT expose noscript doing this stuff? OF COURSE NOT!
i m GLAD u exposed this, wladimir. it was necessary to let the public know whats going on. shame on u amo editor for even implying it maybe would have been better to keep this behind closed doors.
THANK YOU, WLADIMIR!
BigMKnows · 2009-05-03 02:56 · #
@35 “Someone needs to figure out a way to build an app store for Firefox…”
That’s a good idea. I personally wouldn’t mind paying $1/yr or something for my favorite extensions. With many extensions getting hundreds of thousands or millions of downloads a year, there’s plenty of money to be made there.
iwo · 2009-05-03 03:11 · #
Let us users know and should give us a choice
if any other time ABP would do something for your financial balance just BEFORE you really do it.
In this way there maybe 100 times better than an after-all nonsense noscript explain.
Synergy · 2009-05-03 03:22 · #
I’ve got to say, I stopped using NoScript in favor of ABP some time ago simply because of the incredibly frequent updates. You mention once a week, this was nearly every other day. In any event, this most recent news is just further proof that I made the right decision. ABP blocks nearly all ads and does so without harassing me in any way.
SomeGuy · 2009-05-03 03:42 · #
I noticed this piece of code in the main NoScript page. It sits under a button that asks if your PC is running slow. I can’t seem to block it AB and NS won’t allow me to restrict the script from running. Any help would be appreciated.
[script type="text/javascript"]
Vertical1236922 = false;
ShowAdHereBanner1236922 = true;
RepeatAll1236922 = false;
NoFollowAll1236922 = false;
BannerStyles1236922 = new Array( "a{display:block;font-size:11px;color:#ccc;font-family:verdana,sans-serif;margin:0 4px 10px 0;text-align:center;text-decoration:none;overflow:hidden;}", "img{border:0;clear:right;}", "a.adhere{color:#888;font-weight:bold;font-size:12px;border:1px solid #ccc;background:#f7f7f7;text-align:center;}", "a.adhere:hover{border:1px solid #999;background:#eee;color:#666;}"
);
document.write(unescape("%3Cscript src='"+document.location.protocol+"//s3.buysellads.com/1236922/1236922.js?v="+Date.parse(new Date())+"' type='text/javascript'%3E%3C/script%3E"));
[/script]
Note: Changed the <> to [] in case it tries to code itself to my post.
Mr. Add-on Developer · 2009-05-03 03:53 · #
A follow-up to my previous comment. Here’s the mail I received from Lee Lorenzen, with my personal information removed.
We need more legit ways to make money with Firefox add-ons, not more methods like this. Developers not making much money must be very tempted by his offers.
Dear XXX,
Congratulations on your success with your add-on name. ____ downloads and ____ daily active users is a HUGE accomplishment. A product like yours is clearly a labor of love and it benefits a great many people. It is our team at KallOut’s goal to one day reach a similar level of success on Firefox with our KallOut Accelerators for Firefox “selection-based search” product.
I’m Lee Lorenzen, CEO of Altura Ventures (see www.altura.com/managment.php ) and we work with a number of software companies (see www.altura.com/portfolio.php ). Some of these companies are just launching Firefox Add-ons like KallOut.com (see https://addons.mozilla.org/en-US/firefox/addon/10722 ) and some are more established.
I’d like to discuss the possibility of advertising KallOut as part of your add-on name (e.g. on a post-install welcome page as a “We Also Recommend” suggested Add-on) and also partnering with you in other ways (e.g., add-on monetization techniques that aren’t adware or spyware, advertising representation, acquisition of our Firefox add-on, etc.).
To discuss this, please e-mail me at (email removed) or give me a call at (phone number removed)
Thanks,
Lee Lorenzen
CEO, Altura Ventures
Yama · 2009-05-03 04:06 · #
Now,I uninstalled NoScript and I decided to use only Adblock Plus.
Maybe most of users will support you. From Japan.
Satate · 2009-05-03 04:46 · #
ADP+ = not security software
NS = broken\useless\pointless security software
ADP+ is blacklist by design, which means you shouldn’t consider it for security use regardless of its purpose
NS fails because it breaks everything. to use the web you must allow scripts. would you use a firewall if it had two modes, on with no Internet and off? granted NS doesn’t work like that, but you can only allow or block whole scripts not parts of a script and even if you could how would you know when to. which brings up the following point, when you allow scripts with NS you don’t know if the script is safe, the best you would likely know is that it is necessary for the website to work. after all it’s trivially easy to make a script that is necessary for a website to work and for it to be malicious. one point still remains, many high risk bugs, eg the kinds that can be used to take over a PC, generally can’t be stopped with a JavaScript plugin, eg buffer overflows and other exotic bugs that operate on a different level that JavaScript can’t access.
Television Spy · 2009-05-03 05:20 · #
Well they have to make money somehow, unfortunately Adblock encourages sloppy usage and poor responsibility. People use it as a means to block out all ads rather than just the ones that annoy them.
Without a doubt I think it is hurting legitimate sites that people find of use and value by depriving them of income or rewards for their work. On the other hand I do believe adblock is a great tool for users and is necessary in thwarting the many annoyances that some webmasters put their visitors through.
A happy medium is necessary, and unfortunately Adblock currently has higher or stricter settings for adblocking which often aren’t delved into too much by users. If adblock had a more lax setting in terms of the sites it blocks, while still allowing users to tighten up the settings to something more encompassing – it would allow users who are inclined to block all ads to do so, while still allowing websites to show their ads and turn a profit. I think that’s a much better solution, and will prevent more ‘eager’ developers from doing things like this in the future. I can’t say that I support Noscript developers but I can certainly understand the frame of mind they have by doing this, but again they shouldn’t have done it – and not at least notified their users of it.
Gregory Gleason · 2009-05-03 05:43 · #
It looks like the most recent update has removed the controversial filterset with ‘no questions asked.’ I’d be interested to see whose decision this was. Nonetheless, I’m glad to see that they see the errors of their ways.
Nan M · 2009-05-03 07:14 · #
Hi Wladimir, response to your reply at 141 follows:
I most respectfully assert that I have not ignored anything of substance in your ethical assertions about Giorgio’s setup and mode of delivering his application.
I regret to have to say that you’re simply repeating your unfounded assertions:
“The changelog page is one major complaint points about NoScript. I have seen lots of complaints about it in Adblock Plus discussions.”
Irrelevant. ABP users don’t constitute the main user base of NS.
“ I don’t visit NoScript forums but I bet that this is one of the most common complains there.”
You’ve lost the bet.
“ NoScript has options for just about everything, so why do you have to dig into about:config for this one?”
I’ve got to say you’re digging deep yourself to flog this dead horse with that one.
So to follow your lead, I’ll repeat myself too – there’s been no need over the development of NS for the changelog direct to be toggled off. Most users appreciate knowing what’s been changed. And no amount of saying it’s an important priority for a rapidly developing UI, into which Giorgio has stuffed numerous important security items will make your assertion any more correct. There is as much value, if not more, in directing users to the changelog at every update, than there is in putting a toggle in the UI for the irritable few. There is plenty of access unimpeded by registration in the forums now that the user base has exploded in size, and the few but regular requests for access to the update frequency config have remained about constant. Not exactly a ringing set of data to support that part of your rather slim case for a venial Maone.
“Further: the idea behind security apps should always be “trust nobody.” That’s something that Giorgio has been telling himself often enough. Obviously, the whitelist should be as small as possible to keep users safe.”
You either just do not get the idea of “trust” with respect to navigating around the web, or you are again flogging that dead nag, and you’re not even drawing old maggots now.
Trust is a conditional state, where you research signs that you can trust a site to have a responsible and knowledgeable approach to maintaining security. In the narrow sense of NS’s trusted whitelist, this means that a site is trusted to maintain itself free from exploits and is trusted to run scripts safely itself. Nothing more.
Nobody sane expects 100 percent safety. If a hole is found at a site, the ethical way to deal with it is for the finder – whoever they are – to quietly inform the site operator – whoever they are – and for the operator to patch it as promptly as possible. JS, or anything else. I suppose that’s what happened with the fault you found. Congratulations on being what anybody would expect you to be, and congratulations to Giorgio for doing what anybody who trusts him enough to use NS would expect him to do.
“Sure, Giorgio might have made the mistake of thinking that his own sites are guaranteed to be safe.”
Not even near the truth, and I’m sure you know it. No responsible site operator thinks they’re invincible – all the best ones make friends with the Sirdarkcats of this world for just that reason – to keep testing it constantly for holes.
“ But after I found an XSS vulnerability there and proved that he is putting users at risk — why did his sites stay on the whitelist? Is he that sure that he won’t make a mistake again? Or that his XSS protection is infallible? “
Repeating that so many times doesn’t make it true. Giorgio is not falsely modest. He looks after his site with skill and responsibility. As I feel sure you do. He is proud of his coding skill and his approach to security and he lets the net know. Are you punishing your mate for being a loudmouth? For advertising himself?
What kind of crime is that? So without that misguided part of your argument, what exactly are you saying?
That Giorgio shouldn’t whitelist his own site because he is a careless site maintainer and leaves any holes unpatched? He isn’t careless. And he’s certainly not without expertise. Holes, if any, are watched for and patched. What’s not to trust in that respect?
I’d advise you to be certain you’re keeping that aspect of “trust” definition separate from your ethical fight about hacking each other’s apps.
Giorgio, in whitelisting Google, Yahoo images and a few of the more commonly used navigation aids is flagging that those operators are also responsible maintainers. Nothing more and nothing less.
With your standard of 100 percent security now and in the future, a web user would be frozen at about:blank for ever.
“The security playing field changes often – but not that often. Occasionally you need an emergency release. Most often that’s unnecessary and your changes can wait until more of them came together.”
Here, again, I can’t see that you appreciate the difference between security apps that operate on blacklisting and NS. The main AV and firewall apps certainly don’t get too frequent updates, but their definition lists sure do – sometimes as much as 3 times a day in my experience of one that had its definitions so carefully looked after that it missed a great big hack that left its users sending private data to the wild blue yonder for more than 2 weeks.
When NS does an update it is analogous to a definition update by a blacklisting application. Thankfully for us NS users, when security is managed in a whitelisting environment, the analogy of definitions is to usage bugs, and not to the never-ending ranks of baddies that have to be blacklisted, and always after the fact.
There have been, as a contrast to usage bugs, only a handful of major security threats around scripting and plugins this year – all of which were indeed swiftly covered by NS updates. Most, as far as we plain users can know, covered in plenty of time to avoid that bane of the blacklisting approach – the zero-day exploit.
Giorgio should be attacked for encouraging people to begin thinking about pre-emptive scripting security as a complementary approach to blacklisting security?
That’s not FUD in any acceptable sense of the term.
You’re just not right to assert that either, or if you are, then Giorgio isn’t Robinson Crusoe – with every security application vendor flogging the “it’s a jungle out there”, the totality of web security is FUD.
Is that what you’re saying? You don’t believe NS is a security app? Or that all web security advice is FUD?
“Too frequent releases are another major NoScript annoyance – I’ve seen that in discussions many times before and you will see many people acknowledging this in the comments to this blog post.”
Annoyance is a fairer term. I’m pleased you have moderated your language there.
But annoyance from a few of the user base? Irrelevant to either a claim that updates are too frequent or that they have an ulterior motive. All you’re claiming is that some NS users are annoyed by update frequency. Big whoop.
“ Given that,”
No, I regret that I can’t allow you to claim it as a given. You haven’t proved it and it’s irrelevant anyway.
“ it hard to understand why they still happen (releasing more often while keeping same quality requires additional effort from the developer, that’s not something anybody would do without a reason).”
There you go repeating a suggestion of unrevealed motive, for an unproven premise of unnecessary updates.
I assert that the update frequency is entirely justified within the security and usability needs of users and furthermore that Giorgio understands that NS would be shown as insecure if he didn’t keep ahead of the game all day every day.
I fancy he’d probably be quietly pleased to see Fx have to maintain NS eventually.
“You also ignored the most important fact: NoScript did include code to cripple Adblock Plus. You can download version 1.9.2 and look at MRD.js yourself (see comment 17 about de-obfuscating that file). Have a look at the changelog and try to find that change there. You can also see in the NoScript forum how Giorgio tried to cover up. That is what I am so upset about – is that what you expect from your security app?”
No, Wladimir, I have not ignored the central fight between both of you.
That’s nothing short of plain sad to see two intelligent mates lose it, however temporarily, over what’s a rather localised skirmish. You will I’m sure, find a way to step down eventually from your anger – each of you. But I have no need to umpire that little match, do I?
But that’s not what concerns me. Your being very angry is not any reason to now kick Giorgio with so far unfounded accusations of being a money-grubber.
That’s why I’m asking you to state your agenda.
Are you saying that your agenda was to get an apology? You said it was a tough choice to do this public accusation. Well, you did it. And still you aren’t backing up your accusations with fact.
Perhaps if all you want is a public apology, you would like to lay off now and stop repeating your rather one-eyed interpretations of motive as fact in these comments until you hear from the accused. Or you see sense and just walk away from the mess.
And, finally, what in all the gods’ names do you hope to achieve by screwing a colleague so publicly and viciously? FUD is equally a good description of all your accusations in here.
All it’s got you is what? Some of your supporters’ admiration. Not much advance in OSS development ethics, because everybody will always have an angle for making a buck no matter how the purists such as you call Uncle. And even if a small victory for you in a very small corner of the web, at what cost to your conscience when you obviously know you are running a poor argument for anything except that Giorgio lost it with your small part of the web.
It quacks like a duck, it walks like a duck.
You look like a killjoy.
Prove me wrong.
butthurt · 2009-05-03 07:36 · #
@Nan M
Wow, that is some master level trolling.
SadistiX · 2009-05-03 07:52 · #
bottomline: noscript sucks
how about suing them?
dust · 2009-05-03 08:04 · #
*$script,third-party
script is not anything! what is the problem with blocking anything from 3rd websites?
*$all,third-party
i hope this is right and it block all 3rd party
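The blacklist and whitelist models argued over in the comments above (Satate's point that a blacklist is default-allow, and dust's `*$script,third-party` filter) can be compared on a single page load. This is an added sketch, not part of any comment and not Adblock Plus or NoScript code; the rule objects, the four-entry suffix list and every hostname are constructed assumptions.

```javascript
// Added illustration: not Adblock Plus or NoScript code. All hostnames, rules
// and the short suffix list are constructed sample data.

// Stand-in for the public suffix list, just large enough for the sample hosts.
const SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Registrable ("base") domain: longest matching public suffix plus one label.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host.toLowerCase();
}

// A request is third-party when its base domain differs from the page's.
function isThirdParty(pageHost, requestHost) {
  return baseDomain(pageHost) !== baseDomain(requestHost);
}

// True when host equals ruleHost or is a subdomain of it.
function hostMatches(host, ruleHost) {
  return host === ruleHost || host.endsWith("." + ruleHost);
}

// Blacklist model (default allow): a request loads unless some rule matches.
// Rule shape (hypothetical): { host: string|null, type, thirdPartyOnly }
function blacklistAllows(rules, pageHost, req) {
  return !rules.some((r) =>
    r.type === req.type &&
    (r.host === null || hostMatches(req.host, r.host)) &&
    (!r.thirdPartyOnly || isThirdParty(pageHost, req.host)));
}

// Whitelist model (default deny): a script runs only if its site is trusted.
// Trust is per site, so every script served from a trusted site runs.
function whitelistAllows(trustedSites, req) {
  return req.type !== "script" || trustedSites.has(baseDomain(req.host));
}

function allowedHosts(requests, decide) {
  return requests.filter(decide).map((r) => r.host);
}

const PAGE = "www.example.org";
const REQUESTS = [
  { host: "static.example.org", type: "script" },    // first-party
  { host: "ads.example.net", type: "script" },       // listed ad host
  { host: "unlisted.example.com", type: "script" },  // on no list at all
  { host: "widgets.example.co.uk", type: "script" }, // third-party, trusted by the user
];

// 1. Host blacklist: only hosts the list author already knows are blocked.
const HOST_RULES = [{ host: "ads.example.net", type: "script", thirdPartyOnly: false }];
// 2. Catch-all rule modelled on the filter *$script,third-party.
const THIRD_PARTY_RULES = [{ host: null, type: "script", thirdPartyOnly: true }];
// 3. Site whitelist.
const TRUSTED = new Set(["example.org", "example.co.uk"]);

function runAll() {
  return {
    hostBlacklist: allowedHosts(REQUESTS, (r) => blacklistAllows(HOST_RULES, PAGE, r)),
    thirdPartyRule: allowedHosts(REQUESTS, (r) => blacklistAllows(THIRD_PARTY_RULES, PAGE, r)),
    whitelist: allowedHosts(REQUESTS, (r) => whitelistAllows(TRUSTED, r)),
  };
}

console.log(runAll());
```

The host blacklist lets the unlisted host through, the third-party rule blocks it along with the widget the user wanted, and the whitelist runs anything served from a trusted site, which is why the size of a default whitelist matters.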
Ashish · 2009-05-03 08:16 · #
First I want to say that what Wladimir Palant has done is correct. Making such a thing public is the right thing to do.
AMO only does a functional testing: for all I know an extension can ship all my passwords stored in FF silently and still pass the functional tests.
When most people install extensions from AMO, they are trusting AMO for the content. Whether it’s wrong or right is a different discussion but it is a fact. AMO should be more proactive in this process.
sam · 2009-05-03 09:22 · #
I always wondered about noscript, now I know not to use it, thanks.
Adam Rezich · 2009-05-03 09:51 · #
Has anyone found anything resembling an official statement from Giorgio? Because I sure haven’t.
Adam Rezich · 2009-05-03 09:58 · #
Also, I found this to be extremely informative: http://news.slashdot.org/comments.pl?sid=1219425&cid=27794475
MMM · 2009-05-03 10:08 · #
Nan M, you sound like a bitter fanboy. Under the line Giorgio Maone did something wrong and no matter how much you talk now you can not talk yourself out of it. Facts matter and Noscript stepped over the line! It also brought to a wider audience that the Firefox addon concept poses a security risk.
Thanks Wladimir for going public!
I think transparency is the best policy for software developer, especially for security related software. How about making ABP less vulnerable to 3rd party manipulations or warn the user if something like that happens ever again, others might try? In any case I have informed my friends and will have a closer look on Noscript activities in the future. Perhaps it is time to look for alternatives…. or maybe ABP can be extended with a script blocker functionality? It might be out of scope from the original idea, but I would imagine that people who install ABP would also like an option for blocking intrusive/malicious scripts.
Best wishes from Sweden.
Adam Rezich · 2009-05-03 10:23 · #
So I decided to go to the NoScript homepage to see what all the fuss is about. Since I’m doing some memory-intensive stuff on my computer at the moment, I’m using a single-tabbed Google Chrome, for convenience. I had to laugh at how his apology came across, due to the advertisement appended at the end:
“Important update for Adblock Plus users: Version 1.9.2.6 automatically and permanently removes the cotroversial NoScript Development Support Filterset deployed with NoScript 1.9.2.4. I sincerely apologize with those ABP users who missed the information about it given on the AMO install page, on this site’s install page, on the release notes landing page and in the FAQ. Not including a prompt asking for permission beforehand from the start has been a very bad omission, and I want all the ABP users who felt betrayed to know how much I’m sorry for that. As a sign of good will, current NoScript 1.9.2.6 completely removes the filterset itself, if found there, on startup with no questions asked. Thanks for your patience.
— Giorgio
Buy Computer RAM at Discounted Prices“
And I don’t like the phrasing “as a sign of good will.” A situation where that would work would be a cable company saying:
“Sorry for inconveniencing you by accidentally digging up your Ethernet line, cutting off your Internet access for seven days; as a sign of good will, we’ll give you half off your entire bill for this month.”
What he’s saying is basically:
“Sorry for inconveniencing you by accidentally digging up your Ethernet line, cutting off your Internet access for seven days; as a sign of good will, we’ll fix your Ethernet line, absolutely free!”
Alessandro Burato · 2009-05-03 10:27 · #
I am ashamed to be Italian, sometimes. What Giorgio did has no excuses. I don’t use FireFox anymore, but your AdBlock extension has been the best thing since sliced bread. Keep up the good job.
Nickertse · 2009-05-03 10:43 · #
Good job, Wladimir. But I’m not talking about NoScript. I’m talking about you and your users. You’ve showed me exactly how THANKLESS an FOSS job can be, and how one can manipulate the brainless masses to do one’s own bidding.
To everyone who still thinks that there are no 2 sides to this story and is about to add their wise words, I’ll tell you to hold your horses. I recommend everyone head over to NoScript forum and read the whole thread, also this should be helpful: http://news.slashdot.org/comments.pl?sid=1219425&cid=27794475
A few notable replies on this very page:
“what the hell? attacked noscript? wasnt it noscript that attacked adblockplus first? and how about saying “exposed noscript”? could it have been better to NOT expose noscript doing this stuff? OF COURSE NOT!
i m GLAD u exposed this, wladimir. it was necessary to let the public know whats going on. shame on u amo editor for even implying it maybe would have been better to keep this behind closed doors.
THANK YOU, WLADIMIR!”
(in short: “wladimir you’re a god and I’m sucking your c*ck, wasnt it noscript that attacked adblockplus first”)
“@Nan M
Wow, that is some master level trolling.”
(it’s lovely how that fine man was thought to be trolling)
“Nan M, you sound like a bitter fanboy. Under the line Giorgio Maone did something wrong and no matter how much you talk now you can not talk yourself out of it. Facts matter and Noscript stepped over the line! It also brought to a wider audience that the Firefox addon concept poses a security risk.”
(it’s lovely how he’s thought to be a bitter fanboy now. It seems like whether he’s a fanboy or not affects his credibility. Ad hominem. It goes like this “Giorgio is wrong, so it automatically makes Wladimir a god, everything about him is just and right, if you disagree you must be a bitter fanboy”.)
“bottomline: noscript sucks
how about suing them?”
(no matter how old you are, I’m amazed)
“Now,I uninstalled NoScript and I decided to use only Adblock Plus.”
(cool, I’m sure that everyone cares about whether you’re gonna mindlessly jump on the bandwagon or not)
“Sounds kinda like the IE vs Netscape days really.”
(WOW, just WOW)
“I uninstalled noscript when I first heard of giorgio’s tactics. I recommend everyone to do the same if they value their privacy.”
(oh sure, kids like to do anything that makes them sound cool nowadays)
“Giorgio is a good actor lol:
http://forums.informaction.com/viewtopic.php?f=7&t=877&start=15”
(wow of course he’s a good actor, I wonder if anyone is as good as him)
“I am ashamed to be Italian, sometimes.”
(I just don’t know what to say anymore)
So many things are wrong with the Firefox userbase (“Lol we got tabbed browsing and it’s perfectly secure”). I’ve hated them before, but now I’m totally SICK of them.
“I didn’t tell anybody to uninstall NoScript. There are some features in there that do indeed help security (most of them are worthless still).” – Wladimir
(you didn’t tell anyone to do anything, you didn’t…)
‘“Good luck to those in not getting infected” – so you believe the FUD NoScript is spreading. Good luck then, getting along on the Internet without knowing what the real risks are’. -Wladimir
Wladimir, I’m totally speechless. To think that…
BUT AT LEAST:
“That clarifies things for me somewhat. It’s clear the kids following your lead don’t have a clue about security, “ – Security First
At least there are still a few sensible persons around here.
webcrawler · 2009-05-03 11:44 · #
I never knew this one. I thought he has a skilled to displayed ads on his site although i used ABP.
He has fixed it; he did it wrong. Can we forgive him?? Money is so powerful these days.
Many wrong assumptions about us (ABP users) that we don’t want ads displayed at ALL. We would like to support a site that we like but we would like the ADS to be non-intrusive and polite ;-). That was something Giorgio missed and did something terribly wrong to ABP and its users.
In the end thanks to Wladimir for the information and thanks again for ABP.
scheuer · 2009-05-03 11:54 · #
about:config
noscript.firstRunRedirection=false