Slashdot Mirror

I am fair and just (some might say a fair bastard and just a cunt, what the army can teach you) and I use script blocker https://noscript.net/. So some ad networks and websites I block and some ad networks and websites I allow to run. Advertise junk and you script is blocked, advertise reasonably and your script will survive, don't like you site, all your scripts blocked including the advertisers scripts (do not subsidise crap and lies). Also I run a cookie blocker which can block sites or allow session only cookies (goggle cookies are all session only, each start of the browser clears their cookies and they start again, youtube logins, no searches).

Kind of have to be fair but part of being fair is forcing others to be fair as well.

I use mostly, but rarely, Google Chrome on Android to eventual "normal browsing" (I have FF configured to use SOCKS5 proxy, generated by https://play.google.com/store/..., to access remote addresses, or addresses filtered in some places WiFi, and with https://noscript.net/ [to access some paywalled content :P] - Google Chrome is a "dumb user" browser, I think...)

This is one of main reasons why I have NoScript installed on all my browsers, and if a browser isn't supported by NoScript I don't use that browser.

Well, I'll ignore you gray hairs and I'll do my own algorithm efficiency metrics, using https://noscript.net/. If you page is running a bit shite, I'll check out the scripts and start killing them off one by one, until the page loads smoothly with most of the content intact, even approved ad sources. Seems like a lot of work for one web site but many of those shite slow loading scripts are all over the place, kill it once to kill it many times and of course come back to that site in future and it will load real fast.

I found https://noscript.net/ to be the most efficient tool to make web sites load quickly and more important than the browser it is running on for speedy loading of pages.

Well, I'll ignore you gray hairs and I'll do my own algorithm efficiency metrics, using https://noscript.net/. If you page is running a bit shite, I'll check out the scripts and start killing them off one by one, until the page loads smoothly with most of the content intact, even approved ad sources. Seems like a lot of work for one web site but many of those shite slow loading scripts are all over the place, kill it once to kill it many times and of course come back to that site in future and it will load real fast.

I found https://noscript.net/ to be the most efficient tool to make web sites load quickly and more important than the browser it is running on for speedy loading of pages.

TFA is on a really bad website. Thank God for noscript. If you're one of the rare slashdotters who reads TFA, then get this add-on first.

So like, I have a hosts file and like most people I run an adblocker (ublock origin).

The page loaded instantly and isn't showing me any ads.
Last time I tried noscript not a single damn site I wanted to visit worked at all.

Thanks anyway.

TFA is on a really bad website. Thank God for noscript. If you're one of the rare slashdotters who reads TFA, then get this add-on first.

ADblockers do not block ads per se. They block scipts and elements of web pages. So Salon wants to be a dick, the adblockers will find the script and block it, good luck the morons at Salon. Can't run shit on a browser that is properly configured for example by https://noscript.net/ runs fine on https://www.waterfoxproject.or... (if you hate quantum and preferred the previous layouts easiest way to go.), excluding of course any browser out of M$, they control it and make no mistake and it will serve compulsory M$ ads, I waiting for the boot up ad, you now ad kicks in at boot and you have to interact with the add at the appropriate points for the next 10 minutes else the computer will complete the boot.

I've got NoScript running in Firefox right now.

It was broken for a day or two, and had UI issues for a couple days after that, but now I like it even better than I did before FF57's plugin apocalypse. Change was good for it.

Of course, I gave the author useful feedback and paypal'd him a donation to support the work, so I'm not surprised that the tool works fine for me.

Random users :
"OOH MY GOD !!! NO !!!! ALL MY PRECIOUS PASSWORDS!!!!"

Users of password managers :
"Phew !... at least they didn't log these".

Users of NoScript (and other such popular script blocking extensions) :
"...yeah... whatever...."

---

Bonus:

Users of links/elinks/lynx, curl/wget and straight telnet :
"Bwaaah.... we're left out of the fun once again!..."

Tell me again why Noscript isn't the default mode of every browser?

Because by default it breaks most of the internet and only the most dedicated of geeks are happy to battle with the frustration of managing whitelists to make basic browsing work.

Tell me again why Noscript isn't the default mode of every browser?

Why does, for example, slashdot think that I want to run software provided by truste.com, janrain.com or pro-market.net? I don't know any of those sites, and while I appreciate that slashdot trusts those sites not to harvest my data or harm my computer, they aren't exactly the party with skin in the game.

If you want to see how fucked up the web is, how fucked up we've allowed it to become, install noscript and set your browser to treat OCSP failures as hard errors. We have the technology to fix this. We just don't care enough to use it.

You can decompile everything on the web pretty easy.

Not when all variable and function names are replaced by random strings. I'm unclear whether they do it to prevent code reuse or to hide their web site logic.

Rather than reboot ViewSource, I deploy NoScript

It seems you should be running https://noscript.net/. So advertising channels are OK and some really suck, use noscript to control which ones gain access to your browser. After running just a few weeks, you will find the most annoying undesirable ads gone and the OK ones remaining. So I had no problem with the site. Manage your own rules for ads, so for me, not too intrusive and not full of rubbish products and no gambling and do not kill load times. Other than those, the rest can stay, sometimes they are useful and besides https://adnauseam.io/ (I wonder if it can click ads I don't even see).

1. Classic Theme Restorer
   "This add-on will stop working when Firefox 57 arrives in November 2017."
   https://addons.mozilla.org/firefox/downloads/latest/classicthemerestorer/addon-472577-latest.xpi?src=dp-btn-primary
2. Cookies Manager+
   https://addons.mozilla.org/firefox/downloads/latest/cookies-manager-plus/addon-92079-latest.xpi?src=dp-btn-primary
3. Ghostery DON'T UPDATE. New versions don't allow sufficient user control.
   https://addons.mozilla.org/en-US/firefox/addon/ghostery/
   USE THIS: y-5.4.10-sm+an+fx.xpi Link: Version 5.4.10
4. Mozilla Archive Format
   http://maf.mozdev.org/
5. NoScript
   https://addons.mozilla.org/en-...
6. Nuke Anything Enhanced
   https://addons.mozilla.org/firefox/downloads/latest/nuke-anything-enhanced/addon-951-latest.xpi?src=dp-btn-primary
   
7. Open link in...
   https://addons.mozilla.org/en-US/firefox/addon/open-link-in/
8. Print Edit
   https://addons.mozilla.org/fir...
9. Session Manager
   https://addons.mozilla.org/en-US/firefox/addon/session-manager/
10. Snap Links Plus DON'T UPDATE. New versions don't have as many features.
    https://addons.mozilla.org/en-...
    USE THIS: snap_links_plus-2.4.3-sm+fx.xpi Link: Version 2.4.3
    Explanation:
    http://cpriest.github.io/SnapL...
11. uBlock Origin
    https://addons.mozilla.org/fir...
12. Video DownloadHelper
    https://addons.mozilla.org/firefox/downloads/latest/video-downloadhelper/addon-3006-latest.xpi?src=dp-btn-primary

Yes, Microsoft, very "innovative"... (*derisive snort*)

Great work by Mozilla and the Tor Project on the lighting fast (

And yes, NoScript did protect against this (the Tor Browser has it built-in, for users who know what they're doing).

There's another JavaScript framework I'd heartily recommend.

noscript is one in particular that is having a hell of a time working with e10s.

Based on what? The NoScript changelog lists only 8 changes related to e10s. Doesn't sound like a "hell of a time" to me. You're exaggerating.

Google's WOPR won't be online until spring.

Google, the only winning move is not to play.

StartPage
NoScript
Privacy Badger
AdBlock Plus

Once again proven that browsing the web is like going to a diner party in a world where the handshake has been replaced with unprotected anal sex.

Sure, many people you meet may be offended when you insist on a condom (plugins like requestpolicy, and noscript) and say its some right of theirs to not let you sit at their table because of it, or rant on about how they need to get paid....

but at the end of the day.... its basic security. Loading and running code from random third party sites is not safe. It doesn't matter if its inside a restricted environment, its a risk. Its a risk website owners are in the habbit of irresponsibly magnifying for all of their viewers without a second thought

You should protect yourself. Wear condoms unless you really know your partner. Get some here:
https://requestpolicycontinued...

https://noscript.net/

If you have a browser other than firefox, you will need something else, I don't know what they are but, bottom line...protect yourself.

what about noscript? https://noscript.net/

umatrix? https://github.com/gorhill/uMa...

NoScript does exist for Fennec (codename for Firefox for Android and less words). You have to download it from the author. I don't know what's going to happen when app-signing is enforced in Firefox. For now it works really well for me using whitelist mode. An alternative for desktops, uMatrix, also does not work in Fennec, unfortunately.

Not all adblockers are created equal. Adblock Plus is heavier on system resources than several alternatives. I suggest checking out uBlock Origin or Bluhell Firewall. Less memory used for the adblocker means more tabs you can open before your browser crashes!

In addition to its add-ons, one great perk Fennec has is its security updates are actually up to date. If you use an Android 4.x or earlier phone, your version of WebView has a lot of known security holes that will never be patched. So any WebView-based browsers you use aren't secure. Fennec is not WebView based and you get security updates for it by updating the app in the normal way.

Now, if you're not concerned about WebView exploits, an alternative browser I would recommend checking out is Naked Browser. It's a speed demon with some brilliant power user settings to fiddle with. The main problem: no adblocking. To fix this run a standalone adblocking app. I've used AdAway (available from F-Droid) and it works well enough.

All-in-all I'm not impressed with mobile browsers. I was far more excited about Opera Mini on my flip phone 10 years ago. Today it is still very cumbersome for me to use mobile browsers in any serious way (I'll do lazy browsing on my phone but it's such a relief to hop on my laptop). And now I have to look at the phone vs touch typing from memory using the physical buttons on the flip phone. I used to be able to text from my pocket or at least look around me when typing. I hate having my face glued to my phone's screen. I wish chording or other portable one-handed keyboards took off and there were good, affordable options out there. Where did the cyborgs go who strapped bulky electronics to themselves decades ago? It's great we have powerful computers in our pockets now with remarkably pretty screens, but the inputs suck. Does it not bother other geeks or proficient touch typists? Jabbing or swiping at a touch screen is slow and requires your eyes to be glued to the screen, voice recognition is better than ever but its inaccuracy makes it frustrating for serious use. Do we really have to wait for some sort of neural interface for precise mobile input that doesn't require complete visual focus? Er, end of rabbit trail.

Firstly, thank you immensely for the positive changes recently instated to revive this noble community of intellectual exchange from a critical state. I am excited to see where things progress, but I feel compelled to bring up a related series of egregious architectual faults with the site design.

I speak of nonlibre Javascript software embedded into every page, a good deal of which is not even hosted on your own domain.

Slashdot unfortunately falls prey to the very same ills that plague nearly every modern website these days: a deep level of user tracking outsourced to thirdparty corporations. This is for any reason unethical, be it for financial gain or otherwise. That it happens on a technology enthusiast site with such a large quantity of intellectual commentary on the systemic ethical quandries inherent in mass surveillance is a tragic irony.

Using the GNU LibreJS extension for Firefox-based browsers to prevent falling into the Javascript trap is an eyeopener. This page alone currently has 79 unique pieces of Javascript code that is detected and blocked by LibreJS. Javascript can be an ethical way to extend website functionality only under the following conditions:

0) All Javascript code must be Free/Libre Software. 'AGPLv3 or later' preferred.

1) Javascript must NEVER be loaded from a server not under the site administrator's direct control.

2) Javascript code must not be doing something unethical, like user tracking without consent.

3) All pages must retain core functionality when Javascript is disabled.

Please respect these rules, as running software on our machines as a website administrator puts you in a very powerful position. That most site admins abuse this position of power through either malicious intent or neglect is why many of us choose to disable Javascript entirely. Right now none of these points are being met, so Slashdot has a lot of work to do to ethically implement Javascript functionality into the site. It is quite depressing that 2) even needs to be mentioned, but Google Analytics code is embedded directly into all Slashdot pages that allows 3rdparty tracking even for users who arent logged in.

As for point 0), you can follow the instructions here for an effective way to license all Javascripts code under a GPL-compatible license.

As for 1), there is no excuse for executing code on all of your users' machines that you are not even in control of. On this page alone, Javascript files are attempted to be loaded from googleadservices.com, cdn-social.janrain.com, cdn.taboola.com, s.ntv.io, googletagservices.com, google-analytics.com and rpxnow.com. Stop this immediately. And stop hosting images from thirdparty servers, as they can contain malicious exploits as well. This page loads images from gstatic.com, doubleclick.net, amazonaws.com, & scorecardresearch.com.

It displays an ineptitude in website administration on an embarassing level if admins cannot create and host all of the images, code, and css on their own website. Even advertisements, if they must exist, should be selfhosted (although accepting subscriptions & donations would be a great alternative!).

For point 3), we should at the very least be able to change our comment viewing threshold without logging in, post a comment as AC, and create accounts & login without Javascript. Please test the website with GNU LibreJS, NoScript, and uMatrix browser extentions to ensure functionality. This site has enough techsavy users who care and use some (or all) of these extensions. Please do not make our lives hardware to participate in making this community better.

And fina

Matey there are entire web sites that are nothing but ads pretending to be content, fucking hundreds of thousands of the shitty things and very often one shit head controls hundreds of them, same shitty ads, wrapped around the same shitty content (more often than not straight up scrapped off other web sites) and just presented with a different schema and name. Yes, you can be attacked by a random link on a random page because those web sites operators where not careful enough and that link lead you straight to a malvertisement site and those are often buried in ads. I prefer https://noscript.net/ as it lets pick and choose whose scripts are allowed to run and whose scripts are blocked https://addons.mozilla.org/en-... (if you are naughty no cookies for you).

My experience is that most ads are abusive in some way. I use these add-ons in Firefox: uBlock Origin ad blocking, NoScript, and Ghostery.

It amazes me that, when I go to the Ally Bank web site to see my accounts summary at the following URL, Ghostery says "Ghostery found 8 trackers":
https://securebanking.ally.com/#/accounts/summary

The Ally Bank URL contains the words "secure banking"!

Here are the trackers:
Advertising.com
Google DoubleClick Floodlight
Google DoubleClick Spotlight
Google Dynamic Remarketing
MediaMath Advertising
Omniture (Adobe Analytics)
Qualtrics
RUN (https://match.rundsp.com/)

There is nothing "secure" about notifying other companies that I am looking at a summary of my bank accounts!

In a way, that's bad because it means advertisers have already started looking for ways to get around ad-block.

FTFY.

Googling "block adblock" comes up with a link dated December 16, 2011. We're already 4 years beyond this. And we're also 10 years beyond the in-kind response, showing that the advertisers are more than just a little bit behind the curve. (Noscript was first released on May 13, 2005.)

Personally, I've been blocking ads, scripts, trackers, and other assorted shit from my browser since about 2007. I haven't had any significant malware problems since then. A few minor scares, but nothing major. And it's somewhat jarring to see ads on YouTube videos. That's how rarely I see ads.

We used to have applications run locally. They used to have a lot more freedom - any and all apps could know exactly who you are and what your computer's UUID was, not only how your battery's doing. Today most of what you use - the obvious examples being your mail and to a lesser extent office suite - is at least sandboxed inside your browser.

This is not to say there hasn't been a rise in tracking, but the story just got me thinking that maybe it's a good thing it's being done in a browser.
(And you should be whitelisting the use of cookies and javascript - and blocking unnecessary trackers).

Choosing whose ads you allow to run and whose you block is the reason why I use https://noscript.net/ in preference to adblock, a bit more work but it lets me choose who ads to run and whose to block. So blocks for intrusive ads (Content first then ad), blocks for just hinting at blocking volume control (seriously how big an asshat are you), blocks for auto running videos (my choice not yours whether or not to watch the video), blocks for shitty product advertisements (be selective in whose products and services you will promote) and, blocks for supporting nasty web sites (don't support bad web sites with advertising revenue). Some of this stuff should be regulated and bad ads and ad agencies should be prosecuted.

One common thing they do is grey out the background so the box draws your attention. Can we stop that somehow?

Sounds like a job for the NoScript extension.

Amen to that. I finally had to make the switch, too. The ads and Javascript everywhere were just too much to bear on my tiny screen. There's even a version of NoScript for mobile Firefox .
I tried AdBlock Plus but it broke updates for MedScape and a couple other apps that I need. The Firefox addon version works like a charm, though.

NoScript Anywhere for Android (NSA++).

Yes, use the NoScript add-on for Firefox.

But the subject is about Comcast abuse. Here is just one example, from Comcast's "Automatic Payment Terms & Conditions", retrieved a few minutes ago:

"6. COMCAST SHALL BEAR NO LIABILITY OR RESPONSIBILITY FOR ANY LOSSES OF ANY KIND THAT YOU MAY INCUR AS A RESULT OF A PAYMENT MADE ON ITEMS INCORRECTLY BILLED..."

Most people don't have time to read legal language. Many would not understand it fully. It is overly broad. And, in my experience, Comcast often tries to over-bill.

My opinion? Chairman and CEO Brian L. Roberts (The page jumps around if you move the mouse over the menu.), and Tom Karinshak, Senior Vice President of Customer Experience at Comcast (See the bottom of the page.), should be removed from office.

Another example: The Login page has a link at the bottom left, Contact Us. As of Tuesday, September 9, 2014, 4:18 am Pacific Time, it is a dead link.

NoScript Options>Advanced>HTTPS> Forbid Active Content unless it comes from a secure (HTTPS) connection .

Painful, yes, but it should take care of this kind of attacks, as long as you can trust HTTPS (e.g. with Convergence).

Furthermore, NoScript 2.6.8.37rc2 introduce an experimental "Allow HTTPS scripts globally on HTTPS documents" mode (in Advanced>HTTPS>Permissions) if you value convenience over finer grained security.

NoScript Options>Advanced>HTTPS> Forbid Active Content unless it comes from a secure (HTTPS) connection .

Painful, yes, but it should take care of this kind of attacks, as long as you can trust HTTPS (e.g. with Convergence).

Furthermore, NoScript 2.6.8.37rc2 introduce an experimental "Allow HTTPS scripts globally on HTTPS documents" mode (in Advanced>HTTPS>Permissions) if you value convenience over finer grained security.

I don't know about "Internet.org" specifically but as for using anything tied to Facebook, Instagram, and similar services: Try watching any of his recent talks, from the most recent talks to the talks dating back about a year or three. He tells you right at the top of the talk what he thinks of Facebook, Instagram, and the like—he dares to call them by their proper name: surveillance engines—and he asks users to not participate by not uploading copies of his talks and photos with him to these services. You can also read his personal website on Facebook detailing many reasons to avoid Facebook. I imagine any other service that works similarly ("Google+", for example) will receive a comparable critique.

It seems unlikely to me that any program started by these organizations will be anything other than come-ons to lose one's privacy to these data collection companies.

There are free software web browser add-ons you can install on your free software web browser: Priv3, NoScript, and various cookie editors/filters which will help you deal with the monitoring various services use when you get an offer to be tracked with a "like" button or similar thing. There's more work to be done on this ground, to be sure, but this is a good start.

http://noscript.net/

But it still is a bit of a kludge, compared to your broader insightful point. Chrome has something similar, but I don't think it is as good.

http://noscript.net/

Not sure if joking...

http://noscript.net/features#o...
https://www.eff.org/https-ever...

A lot of the sslstrip stuff is based off of people not noticing the page has changed to insecure, modern browsers try to address that by making it more visible than it was in the pre-FF3 era, e.g.:
https://support.mozilla.org/en...

Neither is NoScript

There's a beta product that I use; it seems a little buggy when I have to change permissions.

http://noscript.net/nsa/

Does Jah-Wren Ryel work for the Times and is trying to increase subscription numbers? A link to a paywall is no citation whatever.

I use a combination of plugins that have the side-effect of making most paywalls disappear, I don't even know it is there.
I recommend you do it too:

CookieSaver Lite - Set to block the NYTimes cookies
RefControl - Set to spoof the referrer when reading all NYTimes pages as "http://google.com/"
NoScript - The NY Times does not need javascript for most pages. This may be optional for the NY Times but there are some paywalls like foreignpolicy.com that do rely on javascript.

FYI - the NY Times article is the definitive citation as they are the ones who broke the story.

What paywall? I don't see a paywall.

It also seems you have no idea about the various scammy face book hooks scattered all over the internet. You can often end up on facebook with no desire to go there and the only reason it happened is you haven't blocked the various facebook scripts with a tool like http://noscript.net/. So a little bit knee jerk there depending upon how you have set up your company machines and the base software running upon startup of the machine and startup of particular applications.

For Firefox fans there is an add on called "no script" that prevents Javascript from running automatically. There should be an equivalent for Chrome folks too.

It's called NoScript.

And there's no "NoScript equivalent" for Chrome folks, sadly.

Enter NoScript

Does the NSA app come pre-installed, or do I have to download it?

I wish.

Unfortunately, it looks like Mozilla is heading in a different direction.
You did mean this, right?

There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.

In what ways is NoScript more advanced than ScriptSafe?

Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works ;)

There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.

In what ways is NoScript more advanced than ScriptSafe?

Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works ;)

There is ZERO chance I'm going to use a browser which doesn't allow me to default JS to being disabled. NoScript is also FAR advanced beyond other similar tools, so it would REALLY SUCK to have to use Chromium's lame equivalent, but I will if it is the only choice. At least in other respects Chromium is pretty good.

In what ways is NoScript more advanced than ScriptSafe?

Besides some "minor" features first introduced by NoScript, which advanced the state of the art of browser security (such as the most effective in-browser XSS filter, the ClearClick anti-Clickjacking technology and the Application Boundaries Enforcer module), NoScript holds a modest advantage over all its Chrome-based "clones": basic script blocking which actually works ;)

http://noscript.net/