Slashdot Mirror
NoScript Adds Subscriptions To Adblock Plus
hahiss writes "Apparently, NoScript has taken to adding its own whitelist updates to Adblock Plus — so that the ads on the NoScript page show up — without notifying users. (It is described on the NoScript addon page, however.) This was a part of the last update to NoScript. Wladimir Palant, the main developer of Adblock Plus, describes the situation in an informative blog post."
Update — 5/02 at 12:30 GMT by SS: Reader spyrochaete notes that "InformAction, makers of the NoScript extension for Firefox, have removed the recently introduced AdBlock exceptions which unblocked the revenue-producing ads on the NoScript homepage with little or no warning to the user. According to the changelog, InformAction pushed out an update specifically addressing this controversial decision 'permanently and with no questions asked.'"
I only visit the site to update software, software they provide me free of charge, I'm not going to complain.
AnimePapers.org: Anime Wallpapers Handled With Care
Start a project that blocks ads that is funded by advertising on their website and donations.
Sounds real smart.
They have 3 AdSense ad units (the max) on their home page, a couple of small buttons and a set of sponsored links. The sponsored links also don't use the rel="nofollow" tag but I guess google doesn't penalize everyone for that or nobody has reported them.
Seriously, this is a business model that shoots itself in the foot.
Dual Opteron < $600
They need to make money too... Same as anyone else.
That's what the link is.
Little Snitch on the Mac, which helps you identify when apps 'phone home, itself 'phones home, and you can't block it using Little Snitch itself.
I like to call this the Communism trait, for the Party elite always manage to make themselves more equal than others.
(Moderators: this isn't an anti-communism or pro-capitalism post. An important part of growing up is knowing that ideals are merely the primary colours, and life requires a mixture.)
When the Easylist filter was made for Adblock Plus, it generically blocked ads for many websites, with some specific rules for other sites. Giorgio Maone (creator of NoScript) relies to a certain extent on ad revenue on his websites, without which he may spend less time working on the extension. He made a workaround on the ad blocking, and though the filter could have been updated to counter this, no attempt was made to update it.
When Rick Petnel died, they needed a new maintainer for the filter. Ares2 continued where Rick left off. He decided to fix the workaround made on Giorgio's sites.
What then followed was a game of cat-and-mouse. Giorgio would attempt a new workariound, and Ares2 would attempt to block the ads. It reached the stage where large parts of Giorgio's sites weren't working due to false positives.
Here, it seems clear that Ares2 has gone too far, and a compromise should have been reached. ABP and NoScript are a good pair when working together, though the people behind them have different philosophies. Unfortunately, things start to take a turn for the worse.
In an attempt to defend his site and ad revenue, he makes an update of NoScript to version 1.9.2. This version contains a file called MRD.js, which adds a CSS stylesheet rule to his websites that overrides the filter, by adding -moz-binding: none after the filter has loaded, which the filter depends upon. Furthermore, the file is obfuscated to hide what it does. No warning is given to Firefox users of what the extension has added in this tit-for-tat battle.
When this addition started breaking users ABP installations, version 1.9.2.3 instead adds his websites to the ABP whitelist, calling it a "NoScript development support filterset". The user isn't informed of what this is, and isn't given a choice on whether to accept it.
At present, the filter has removed its false positives, though leaves the ad blocking in place. The NoScript behaviour still remains in the latest version.
Ares2 was overzealous in attempting to block ads, and shouldn't have made Giorgio have to make excessive changes to his site. But the larger concern is that while Easylist is a filterset, which can be removed and updated by the user, NoScript went further and started to modify existing extensions, executing code without user's consent or awareness, and acting in a way that resembled malware, to display ads on his websites.
Extensions can be great for giving people freedom to control how they view the web. But creators of extensions need to be careful in what they do with them, especially with those with a large user-base like Adblock Plus and NoScript. If not handled correctly, Firefox extensions could become the next vector of malware, and that would be a shame for all.
It is a useful tool, it shouldn't be too hard to strip out all the dodgy code and host it on another site.
I must admit I don't have much expertise in this area. I've never used either Adblock or Noscript.
However...
From what I can see, this issue will only affect you if you have both Noscript (adware) and AdBlock (adblocker) installed on your machine. Everyone else will be unaffected.
Surely if you give an extension permission to run on your machine then you accept the terms & conditions that come with it. In this case, it means receiving ads. If you are a bit naive then you'll likely have some kind of adware scanner installed on your machine, which presumably alerts you to NoScript's adware status when you install it.
It's not like this is a website here, it's a specific extension that you have to specifically install on your machine! Should you really expect AdBlock to block more than just ads on websites, are you supposed to expect it to block ads from adware that you've installed voluntarily on your own machine?
From what I can see, it seems that AdBlock have been investing a lot of time and money in an arms race with Noscript. perhaps they should just accept that adware is out of their juristiction and concentrate on improving their software which is focussed on blocking ads on web sites?
Don't talk about NoScript, damn it.
It's a nice little sekret that even many reasonably knowledgeable people don't know about and those who do don't want it popularized. I don't care if a couple adds show up on NoScript's site, particularly if that means it remains free and updates continue. Stop talking about it.
Thanks.
Lurking at the bottom of the gravity well, getting old
First, noscript added code that disabled adblock plus if EasyList was used. Then, noscript auto-adds (no user prompting) an abp subscription whitelisting his sites. You cannot delete it (it readds upon FF restart), only disable it.
what else does it do ?
trust once lost is rarely gained again
years ago people had dignity and having adverts on your site was seen as poor form, after all you just got people to your site and now you want to send them away to your competitors ?
i guess the lesson is advertising and the pursuit of advertising dollars is the biggest threat to your security, welcome to my firewall
Like many Slashdot users, I run both NoScript and AdBlock Plus.
Had NoScript asked me if I wanted to whitelist adds on their site (in my AdBlock preferences) to support NoScript development, I would have happily clicked "Yes."
As it is, I've left the NoScript whitelist intact in my AdBlock preferences, because I do want to support their development (NoScript leaves a comment in the AdBlock preferences indicating that this whitelist can be disabled easily). That said, I would have been much happier had my permission been asked!
It's a stupid trick, but the whitelist can be disabled easily. Go to Adblock preferences and disable the "NoScript Development Support" filter. It doesn't seem to re-enable the whitelist on restart. It may when it updates.
If I have ad blocking software installed, that means I don't want to see ads (unless I explicitly approve them).
If I have script blocking software installed, that means I don't want to run scripts (unless I explicitly approve them).
How difficult is that to understand?
I don't care if the Noscript developer relies on ads for revenue. If I have ad blocking software installed, I don't want to see ads, period.. that doesn't mean "except on noscript's site, of course!". If the Noscript developer doesn't like that, it's too fucking bad.
This behaviour is disgraceful, and Noscript should be blocked by Mozilla (is this possible? Or, at least, not hosted on their site..) because at this point, it's clearly malware.
I am the maverick of Slashdot
Posting to remove moderation. Please ignore.
I have been using NoScript for a long time, and it proved to be a valid and good extension. However, as more and more sites move to Ajax based sites it is quite useless. What is the point of a little more security over total unusable websites. Now this extension is more of a nuisance than help. I disabled it about 6 month ago, and have not missed it. This report will make me uninstall it
NoScript will no longer be permitted on any of my computers, period. This is unacceptable behavior. If I'd payed for the addon, I'd be demanding a refund. As it is, all I can do is try to take back the favorable word-of-mouth I've been giving the author, and try to find a version without the invasive behavior.
Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
For some time now, I have been getting more and more annoyed with the regularity of NoScript updates, especially as it would ALWAYS open the home page after every update, this is after the nuisance of me already having been asked to restart Firefox for the addon update.
Now it makes sense, they clearly artificially make this happen just for adrevenue. The addon probably doesn't even need that many updates.
Anyway, even though I know I can change the option to not go to the homepage after each update, I am tired of having to restart Firefox once a week for software which is for the most part adware. I barely use noscript, except on 1 site, I'll wait for someone else to make an addon which doesn't piss me off, or simply tolerate the minor annoyance of that one site.
As for the real world security benefits of noscript, they are questionable at best. If a website codes itself so it needs javascript, one would likely turn on noscript, and then the website could run malicious code.
That's nice. Personally, I rather like my adblockers. I save bandwidth not downloading all those images, I save time in that it takes less time for a page to load, and everything is just...nicer. I disagree, though. I think it should be the user's choice as to whether they want to see ads or not, not yours, and not anyone else's.
This modification was right there plain as day under the "more information" section when the latest update rolled around. I would expect most /. users would be smart enough to actually see what's being changed before updating something.
"Without notifying users" my ass.
P.S. Used "y'all" in the title, and my CAPTCHA is "redneck".
The changelog says:
" ABP users are informed both on the install and on the release notes pages, so they can easily disable the filterset if they whish to."
I saw no suck information on the install. I just removed and reinstalled NS, and while the subscription is added, I don't see where in the install the user is informed.
People mostly look at me funny when I tell them I allways turn "automatic updates" off.
This story is, apart from the more known MS horror-updates, a good example why someone should not blindly accept them (and should never believe in software that changes quicker/gets updated more regular than some people clean their toilets).
Mod accordingly.
Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?
Sure you may not be bothered by some ads on their site, but it's a slippery slope they should avoid. Users place their trust in add-ons like AdPlus and NoScript when they allow a third party to filter content. They proved they're willing to cross the line for a few dollars in ad revenue. What would they do for a significant amount of money?
This is an exact example of why it's so important for source code to be freely viewed. The OSS model works - this demonstrates why and how. When developers are motivated by the wrong sources and use unethical means for obtaining their ends, users can be made aware of their digressions. Good work by the Adblock team.
I have left slashdot and am now on Soylent News. FUCK YOU DICE.
NoScript will never be installed in my computer never again, alas, it has been disable for most of it lifetime in my profile.
I'd fork it if I actually cared for it, but still I invite people to down rate it in mozilla.org and uninstall it from their computers. In the FOSS world the only way to vote is with your feet.
But... the future refused to change.
everything except... i don't know, follow the rules for Mozilla's Addon policy? Everything except act as malware?
I find it incredibly ironic that two ad blockers are at war with each other over blocking ads that support their service. I hope this isn't a preview of what's to come if the use of ad blocking software becomes widespread.
A Magic the Gathering Article and Forum Aggregator
"I must admit I don't have much expertise in this area. I've never used either Adblock or Noscript."
You should have stopped right there.
While I appreciate the idea behind NoScript, the implementation has always bothered me, particularly with the fact that every time it pushes an update of the extension (and there are a lot of them...), when you restart Firefox it opens a focused tab to the extension's home page instantly.
At first I was only a tiny bit annoyed, but as they would do updates seemingly every other day, I started to get really irked. Eventually I wound up blocking access to their domain in my hosts file just to stop it. So they were already on my short list.
And now this. Fucking with someone else's plugin on purpose, particularly a well-known, respected plugin, is just a no-go, period. So maybe it's time that NoScript gets forked, by people slightly less dickish.
This highlights a security problem: if addons can affect/patch each other, how can you ensure the integrity of the browser?
Example: a malicious addon is released, and it takes some time before the malicious behaviour is discovered, and people delete the addon. But has it injected malicious code into other addons on the system? Now you have to remove all addons to be sure.
Is this outlandish or possible? Has Mozilla implemented any security against such an attack?
"(If I recall correctly)"
"Of course that's just how I remember the whole thing. I never visit the AdBlock Plus page and I am deliberately blind to most ads anyway."
So, your entire post was based on a guess? You don't have any direct experience with AdBlock either? Are you kidding me? Why are you posting again?
That was almost coherent...
If NoScript screws with AdBlock any more, I'm just deleting it, AdBlock is the more valuable of the addons to me. I definitely don't like a developer screwing with someone else's addon, and then when it can't be deleted claims it's a "bug". No way it's a bug, just an undocumented feature.
In the Firefox address bar, type : about:config
Scroll down to: noscript.firstRunRedirection
Right click this value, and 'toggle' it to false.
Due credit goes to posts at http://adblockplus.org/blog/attention-noscript-users
Create a new filter with a copy of the NoScript developer filter, add it below the pre-installed one and make sure both are disabled. Hopefully then if it's re-enabled by an update your manual copy will still be disabled, nullifying the effect....assuming it's read like CSS from top to bottom.
Alternatively, look for another script control addon. Personally I've been getting rather pissed at the opening of new tabs on each update for a while now; not just NoScript either. Depending on whether my thinking will keep the block in place and how much longer I'm willing to accept the tab opening shit, I am close to removing it myself. There is YesScript and Controle De Scripts on the addon pages but I've not yet tried them.
It may help to let the NoScripts people know why their usage numbers are going down on their Mozilla addon feedback page. Perhaps if they see enough people are pissed off, it may change things.
That's fine. That's your choice. Here's a question: As long as it does not do so nefariously or maliciously, do you believe the site owner has a right to do whatever they can to prevent you viewing the site if you block ads? (Note, I'm not asking about the feasibility, and by malicious, I'm referring to temporarily or permanently damaging solutions, I'm talking about their 'right' to do so.)
Ad-blockers forcing the users into viewing the ads on their own sites, and blocking the competition ad-blockers.
If those are such useful extensions, maybe they should charge a buck or two per month and avoid all of this circus ?
Just remove noscript.net and his other domains from NoScripts allow list and his own addon stops his Google adbars.
I am sure he will hard code around this in his next patch, that will be the point where I start adding firewall rules.
========
CINC, 4th Penguin Legion
well, i ain't a noscript user no more, if the developer can't tell where the line is when building a trustworthy application, why should i pay the price?
I always thought the incremental updates to NoScript were too frequent to be entirely for the benefit of its users.
1) Involuntary web page visits after an update
2) serve ads
3) no step 3
4) profit
He probably looks for any typo that he can fix to get the next update out on time. At some point he needs to just call it adware, and I think we'd all agree that point has been reached. I'm now going find a way to avoid going to his page after an update, that way it won't matter if his ads were blocked or not.
Those are my principles. If you don't like them I have others. -Groucho Marx
I wish you provided a username so i could add a personal +1 modifier to your comments. You are one of few people who have not posted a rabidly frothing/polar reply regarding this.
I've seen a few really annoying sites littered with ads which could induce a seizure in the most sedated of coma patients, but the majority of sites i see don't have horribly intrusive ads.. heck even hulu commercials are about 1.5 minutes total to a full episode.
Some people just can't be satisfied until all revenue is removed from free-to-visitor web-based content.
VLC FOR MAC IS DYING! IF YOU DEVELOP, PLEASE SAVE IT!!
I am not sure, but this has just set a precedent. Because of NoScript dev's moronic attitude (It is perfectly fine to protect revenue, but DO NOT mess with another program, and a well-reputed one, on the way), may others might have learned of that clever trick...regulations to avoid this will have to be ensured by Mozilla so no extension will fight with another negatively by blocking functionalities like this.
Expect more on this line in the future for sure. It's a really bad idea to make this kind of nasty trick public, others might learn and instead of a black egg in the basket we will have many. It's like idiots ramming demolition balls on their crotch just because they saw it on Jackass.
And precisely extensions are what make Firefox a winner, I won't like the idea of having to fear them like one of those IE toolbars.
Of course it's a worst case scenario, hopefully things will stay like this, and I hope they do.
If not because I need noscript to block JS files to make Internet usable with my slow dial-up, I'd have ditched it long ago. I have some kind of feeling it's blocking something in Ubiquity's last version, it stopped working right after a noscript upgrade for me.
Since NoScript recently put up a forum I figured I would go over to see what people on there had to say. Here's a thread which starts with a discussion of noscript breaking adblock and then turns into a discussion of the specific issue: http://forums.informaction.com/viewtopic.php?f=7&t=877
Here's a post where the NoScript guy asserts his reasoning for it: http://forums.informaction.com/viewtopic.php?p=2777#p2777 basically he says that the update to the filterset broke noscript.net making things like the menus unusable.
In this post http://forums.informaction.com/viewtopic.php?f=7&t=877&start=90#p3162 he claims that the inability to remove the noscript filterset is a bug and that the next update to noscript will fix that and prompt users beforehand.
http://www.popularculturegaming.com -- my blog about the culture of videogame players
...but was curious what changes might have been made to ABP, I went exploring (I had NoScript installed for a very short time).
FAR more disturbing was all the stuff Microsoft injected (4 different plug-ins) when I opened the Netflix website. Two of them are simply labeled "Microsoft DRM" (like that's supposed to make warm and fuzzy inside) and the others are Silverlight and Dynamic Link Library.
How did all that get there without Firefox asking me about it? And more importantly, what EXACTLY do they do? Has anyone investigated what these plug-ins ACTUALLY do?
Anyone have any ideas, or am I reinstalling Firefox?
I'd rather continue to use IE7 to view Netflix and keep my Firefox clean/trustworthy then be able to view Netflix via Firefox.
How's that going to stop nefarious scripts running?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Sure! I doubt I'll go back, though.
Don't be an ass. This is not Wikipedia, it's just a forum.
...for the self response.
I just did a little testing and determined that ONLY the Silverlight plugin is required to play Netflix videos.
The two DRM plugins and the Link Library were added for undetermined reasons.
Anyone?
Which begs the question: Why can't I disable the automatic forwarding to the developer's page when I apply an update? I really hate it when a bunch of addons get updated and firefox hangs while opening all the pages (I have a lot of them).
A fool and his lamb are worth two in the bush.
Until my nose does something that harms my face, I am keeping it.
But you can all feel free to cut it clean off, just because its irritated.
Until 1 minute ago I had NoScript installed.
All the guy had to do was ask: "Do you want to whitelist the noscript webpage in adblock? I depend on these ads for revenue." I'd have damn well clicked yes.
It's unfortunate how the sleazy way out seemed appropriate to someone who's supposed to be developing software against malware...
Either NoScript should be forked at this point, or Adblock Plus should just merge the code in as extended features(preferable).
Hosts file.
Not a Twitter sockpuppet... but I wish I was.
about:config
set noscript.firstRunRedirection to false
It isn't a "stupid trick." I installed NoScript specifically to help prevent things running in FF that would screw with my system behind my back. This behavior, screwing with ABP's configuration WITHOUT ASKING ME FIRST is EXACTLY THE SORT OF SHIT I installed it to PREVENT. This has nothing to do with how "trivial" said screwing is, or how much money the author does or doesn't make from the damn plugin. It's a matter of trust and what the damn plugin was built to do. The author just used his plugin to do exactly what we all installed it to PREVENT. I (and apparently a lot of others) no longer feel that we can trust the author or his software since he's now stooped to the tactics used by the people and software his plugin was designed to prevent.
I would expect most /. users would be smart enough to actually see what's being changed before updating something.
Except that the Update Add-ons dialog doesn't have a link to the Changes page for each add-on that's about to be updated (Mozilla is talking about adding that feature, by the way, not just because of this particular incident).
I doubt most NoScript users would bother to check the Changes page even if the link was there - it's already running on their browser and has probably earned the rank of Trusted Add-on in their minds. I'm not convinced that NoScript-using /. readers would be much different.
[citation needed]
Actually, it raises the question.
There's an extension called requestPolicy that seems to be a viable alternative to those who are no longer willing to use NoScript: https://addons.mozilla.org/en-US/firefox/addon/9727/ As the addons page says, it's still experimental/not publicly vetted, so "take this with a grain of salt," "caveat emptor," etc...
but the Mozilla Add-on Policy requires them to inform you in some detail of what is being changed by an update. Since you're in a browser, a web page seems the logical way to do it.
Maybe you shouldn't update them all at the same time?
Those are my principles. If you don't like them I have others. -Groucho Marx
Any suggestions?
I've been expecting the name of this variable to change & be reset any day now, so that all users are once again directed to the noscript page daily until they can unearth the new variable name and toggle it off.
Is there any other way to whitelist javascript in Firefox? Over time I've built up a comprehensive list of the sites I need to use JS with, and I like the security I thought I was getting with Noscript. However, this little incident has me looking for a new extension.
That's your choice. Here's a question: As long as it does not do so nefariously or maliciously, do you believe the site owner has a right to do whatever they can to prevent you viewing the site if you block ads?
I am begging for just such a thing!
One possibility would be a META "noleeches" tag approach with an extension that honors the "noleeches" tag. A website owner simply adds the tag and all browsers/addons may honor a tag with a stock message, "This website does not want visiters with adblocking or disabling software installed."
I, content to browse elsewhere, say, "Fuck it, no problem!" and go elsewhere. This gives website owners a simple choice. If the leech+adblock is worth less than the host cost or whatever cost they place on the pageview, then they have a polite, non-intrusive way of asking them to leave. You can't put this in ToS or beg me where the ads go to enable them. I won't. I'll leave when asked to but you need to have the tech to do it. Many a website I close out because it won't render or only says "please enable javascript". I deadend right there and surf elsewhere.
Yes, I *know* they want me to see the ads, email/spam the page to friends, donate money, buy the products, or give them a blow job. The question is what is the price? Somewhere starting with ads and well before blowjob, my price limit is reached. Most sites will welcome my patronage for the mindshare or ego hits alone. I don't know where the price is set usually.
Already uninstalled it. I always thought it was weird how it opened its homepage at every (very frequent) update.
Fuck 'em. You're gone buddy and you won't get me back.
Ad Blockers suck, plain and simple.
No Advertisers suck plain and simple.
What message are we sending? We're sending the message that advertisers have to try harder to make money off of us.
The message I'm trying to send is I'M NOT INTERESTED IN YOUR GOD DAMN BONER PILLS, DATING SERVICES, PORN OR WHATEVER. IF I WANT SOMETHING FROM YOU THEN I WILL LOOK FOR YOU! IN OTHERWORDS DONT CALL ME I'LL CALL YOU!
If I could install AdBlock Plus on Real Life then I damn well would. 22 Minutes of Silence per hour of TV would be absolutely wonderful (thats about 1/3rd of your viewing time BTW and they're trying to sneak that up more). Not seeing billboards flashing and distracting drivers as they zip down the highway at 120km/h would be a nice bonus (now if only we could get them to get off their damn cell phones). Having a newspaper that doesnt have 20 flyers in it or a mailbox where 90% of the stuff coming in is junk mail (and the other 10% are bills).
Maybe just MAYBE Advertisers will have to target at the site-level rather than plastering their junk through google to every single damn webpage in the world. At least then I would know that such ads would be interesting, relevant (in some way) to what I'm looking at and most importantly HAND PICKED BY THE PERSON WHO OWNS THE SITE. Meaning you wont see annoying pop-ups or annoying flash ads which take up half the page for several moments.
The nice thing about AdBlock Plus is if one does get through you can always nail it with an exception.
PS: I leave ads on for sites that I believe worth while. Like Slashdot has earned an exception because they dont have annoying flash ads that take up half the screen.
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
First, I'm not an anonymous coward, I'm Tom T., a Moderator at the NoScript Support forum. Just didn't need one more U/P login as probably a
one-time poster here. Having read only the top pages, just wanted to make sure that these points were covered:
1) Giorgio Maone himself has pointed out repeatedly, including at the thread in question, that anyone can disable his pages' ads with NoScript just by blocking the Google-Syndication scripts. NoScript itself cannot be circumvented in this blocking, even by NoScript. :)
2) For those who think the updates are a revenue-(ad-viewing)-generator, aside from the fact that the NS FAQ includes simple instructions for turning off the home-page redirect for each update (try reading the FAQ before criticizing), please look at the complete history and at how many times some new attack, e. g., XSS etc., has surfaced, and Giorgio has dropped everything -- wife, new baby -- and rushed to protect NS users with an update. Some of these updates turned out to prevent future attacks that weren't even known at the time of the update. Go to the Changelog, see the number of feature requests/bug reports, and tell us which ones were unnecessary. Go to the blog of world-class hakker Sirdarckhat, http://sirdarckcat.blogspot.com/2008/06/hacking-noscript.html, who has responsibly and privately reported his discovered vulnerabilities, and note his comment on Giorgio's response to such reports:
"Is important to say, that Giorgio fixes stuff in "hours", (or minutes in some cases), and he has done some crazy stuff, just so NoScript users can be safe, so if you dont use it, go get it."
Straight from the hakker's mouth there, peeps.
3) As a personal opinion only, and not speaking for Mr. Maone, NoScript, or the NS Support Forum, I have repeatedly recommended AdBlock Original, in which only I can set blocks or permissions, no one else, and with which I can affect or hose only my own machine, not anyone's else, nor can I affect anyone's web site. That is why NS does not offer "blacklists", despite repeated requests from users who don't want to be bothered with making their own decisions (the whole point of NS), and why, despite my great respect for Wladimir Palant and his product, I don't use ABPlus. True, I don't "have" to subscribe; I just don't want to open that door. The only exception would be the Hosts file, offered by http://www.mvps.org/winhelp2002/hosts.htm ,which has *specific criteria*: a site must drop tracking cookies or drive-by adware, spyware, or other malware; and the file is plain-text readable and editable by any user to remove any block-entry that they feel is unnecessary. I never have. They're all there for a good reason and are sites I don't want to allow my browser to connect to.
4) Anyone who thinks that scripting or other web executables are without danger and require no user attention probably shouldn't be using a computer, or is already pwned. Do some research. "If you aren't worried, you just don't understand the situation." Cheers!
I know its a bit tacky to respond to your own post but looking at http://www.damnsmalllinux.org/ it seems like advertisers are already exploiting NoScript's implementation to let its ads slip by. Just visit it with ABP + Noscript then let the scripts run (for the damnsmalllinux.org and googlesyndication.com
Didnt take Google very long to exploit this now did they?
09F911029D74E35BD84156C5635688C0
+2 Troll is Slashdot's way of saying groupthink is confused
Here's the direct link:
http://software.informaction.com/data/releases/noscript-1.9.1.9.xpi
What alternative extensions would you guys recommend? I'm not sure it has decent substitutes.
This was one of the reasons I just uninstalled NoScript a few hours ago, but the main reason I did it is because this story made me check the NoScript source code, and it is a mess.
I decided to look for a replacement and found YesScript (it works as a sites blacklist), after looking the code I found that it uses Mozilla Configurable Security Policies. Too bad CSPs only allow or disallow javascripts by site, and the sameOrigin policy does not works for "*.javascript.enabled"
The first was the change from a plain html file for all bookmarks to what ever format they're now using, which occurred around 3.0.4. Didn't make me happy when I suddenly couldn't open the bookmark file to create a custom list for sharing with friends like I prefer.
Now that I'm hearing that a Firefox Plug-in is modifying another plug-in w/o user permission, I have to rate Firefox as Un-Secure on the computers that I'm the support tech (home computers). This means I now have to look into how much of the feature set of noscript I can enable - whitelisting by website for all plug-ins in IE. If it's not to much trouble for me, I may simply export the various user bookmarks from firefox to IE and uninstall firefox from all of the computers, which is going to shock the hell out of those users as I've been a rabid and vocal Opponent of IE.
Yes I've used IE7 and find that the tab mode works acceptably (not as refined as Firefox but it does work) and since my user base doesn't tend to open to many tabs (2 or 3 at most) IE should be able to handle things w/o to much of a system performance hit. Of course as I'm a Gentoo user, I've gradually moved from using firefox as my primary to a more limited role such as Ajax heavy websites and where I need a working flash. Otherwise, I've found that Konqueror works fine for 90 percent of my normal browsing needs due to being able to whitelist websites where javascript is useful such as here and a few others.
Mod me up/Mod me down: I wont frown as I've no crown
I gave up on no-script last year after getting sick of closing their homepage tab after each daily update. As an alternative, I recommend the PrefBar addon...no link, but search the addon pages. It will create a small toolbar with little checkboxes where you can instantly choose which firefox features you want enabled.
For instance, I surf all sites without javascript, java, flash, cookies, and send-referrer enabled. I find that I tend to avoid the sites that don't work to well with all these features disabled anyways...I surf for information and dialog, not for some corporate drivel packaged within some limiting interface.
can't recommend this plugin enough. It will appear/disappear with the F8 hotkey. I customize the toolbar to read: colors, images, javascript, java, flash, clear cache, clear all, send referrer, cookies, user-agent.
bonus points to slashdot for allowing this posting w/o cookies or send-referrer enabled...I choose to allow javascript b/c I am guessing the captcha won't work w/o it.
It's advertised as security add-on, yet it contains obfuscated code and it exposes the users to security risks on the very same domain you download it from?
Ugh, and it didn't even prompt me.
Goodbye noscript, never again will you be part of my Firefox.
There are a lot of comments I didn't see this one. Maybe Mozilla could add in a rule that addons can not affect other addons? *shrug*
https://www.speakservers.com/
Now that he's pissed off so many users I'd guess enough users that there will be a cliff-like drop in ad revenue for the NoScript site. I wonder if the AdBlock Plus will then be blamed or if the extension author will recognize the consequences of his own irresponsible behavior.
No, it desperately asks for an answer, thus it begs the question. It's not our problem that a lot of people who don't know what begging is translated the name of a circular logic fallacy improperly.
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
http://forums.informaction.com/viewtopic.php?f=7&t=877&start=105#p3223
He went through a couple versions, but this one just removes the whitelist item once and for all, no questions asked, fixing the result of any previous install. AdBlock is now unaffected. (And it also doesn't put the default whitelist back into NoScript, something that happened recently - I recently went back through and cleared out msn, googlesyndication, etc etc - this stayed clean through the update)
If all you want to do is block a handful of specific sites I would recommend YesScript https://addons.mozilla.org/en-US/firefox/addon/4922 its essentially the exact opposite of Noscript (blacklisting instead of whitelisting) without the constant annoying updates.
v 1.9.2.6
+ NoScript now automatically removes the controversial "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above on startup, permanently and with no questions asked.
v 1.9.2.5
+ One-time startup prompt to ask users if they wants to install/keep the AdBlock Plus "NoScript Development Support Filterset" deployed with NoScript 1.9.2.3 and above
While I'll most likely check the changelog before applying new NoScript version, I doubt I'll stop using it. I have mixed feelings about this situation but at least author warned us about what he was doing and broke nothing. Some of you may remember what happened with Fast Dial - it added some spam links, which completely broke user bookmarks. While its author also informed about this change in changelog, he forgot to mention that it will totally break your bookmarks.
Giorgio released version 1.9.2.6 which disables the filter. I quote from http://noscript.net/?ver=1.9.2.6&prev=1.9.2.5
It seems that he eventually got it right.
IANAL but in Australia we have laws which among other things makes it a crime to alter data without the owner's consent. There's a similar crime in Britain. I don't know the specific European Laws he'd be prosecuted under, but altering data without consent is one of the first things that cybercrime laws legislated against. Shop around, but this Giorgio Maone is treading on some shaky ground here and he did it with clear forethought. Unlikely Maone will be prosecuted - few people ever are, but if I were him I'd be apologising profusely now and promising never to do it again. Instead he's been pretty obnoxious over the whole affair and pretty much killed the NoScript brandname. He's also violated Mozilla's T&Cs.
http://www.aic.gov.au/publications/htcb/htcb006.html
http://www.aic.gov.au/publications/htcb/htcb005.html
http://www.saflii.org/za/other/zalc/dp/99/99-CHAPTER-3.html
http://en.wikipedia.org/wiki/Computer_Misuse_Act
http://en.wikipedia.org/wiki/Noscript#NoScript_exceptions_and_AdBlock_Plus
> MattHawk (215818): It's not actually illegal.
Well, yes it is. Either state IAAL and/or give links to support what you are saying.
it desperately asks for an answer
So, begs the answer surely?
Done, thanks!
Now to sit back and wait for version 1.9.2.7 that will add a noscript.secondRunRedirectionBecauseIKnowYouReallyMeantTrue value to the config.
Or here... http://noscript.net/faq#qa2_5
http://noscript.net/faq#qa2_6 is also useful
Mr. Maone: It is nice to see you frantically backpedaling (albeit perhaps just temporarily) on the incredibly arrogant, stupid, rude, and disappointing changes you made to NoScript to cause it to act like malware instead of security-ware. Unfortunately, though, trust, once lost, is difficult to regain. I expected better from you and NoScript; it is fundamentally a security product, and one that to be effective must be trusted to gate-keep an IMMENSELY vulnerable interface between user's PC / information security and the worst the internet can offer. The only responsible solution for such a product is to ALWAYS err on the side of caution and trustworthiness in any aspect of its maintenance. Even the semblance of impropriety of poor judgement in "by default" behavior is simply unacceptable.
This week I've forever blacklisted Acrobat Reader for betraying my trust too many times with its insecurity, and I'm afraid that after this incident your software will shortly follow. I sympathize with your need to make a living and desire to have your web sites be popular / uninhibited, but those personal desiderata are secondary to the need for maintaining ethics and integrity with respect to people who trusted you not to make any compromises with their security. You can't just ask for millions of people to trust you with everything and then start doing things like putting obfuscated code and back doors into trusted critical security software using the capital of your previously good reputation as a free pass to get away with such tactics. Although I've never donated money to support your projects, it is only due to a lack of means that I hadn't; I've cherished Noscript, recommended it widely, and installed it on every relative's / friend's PC that I manage over the past year. Now I feel insecure in that trust, wondering what else you might be willing to compromise in the future for the sake of a dollar or for personal convenience.
I do support AdBlock enthusiastically since it also protects several things that I prize and require -- my privacy, my PC's security, my productivity, and my efficiency (bandwidth / CPU time for all the unwanted media / ads / images / ....).
Had you not betrayed my trust as a security SW vendor, I'd have supported your continued development efforts directly when I was able to, but never through "ad revenue" on your site. When I pay you directly that is between me and you, and I know just what the transaction is costing me. When you sell me out to random 3rd party advertisers, it costs me something that I can NEVER regain or control -- my privacy. I've appreciated your group's freeware work, and I support it in principle and as much as possible otherwise. Advertisers that seek to create databases of my every habit, PC configuration, software version, IP address, site visited, et. al. do nothing whatsoever to earn my trust, respect, or appreciation. I'll never willingly click / decide to buy any of their web-advertised products, and I resent their collecting / selling my data. When I visit your site that's a transaction between me and you, and isn't intended as an opportunity for any infinity of third parties to be privy to. You probably wouldn't like it if some commercial entity followed your every real life move with a camera and a microphone, so I don't see why people expect that people will appreciate the equivalent happening to them online. So given that, and all the malware that is often vectored by off-site banners / scripts / style sheets, A/V media files, et. al. I most certainly do and shall block those at any opportunity -- whatever the site hosting them, however much I appreciate the "root" site. Nothing personal, but, again, me visiting a privately run site is like me visiting a privately run home; it isn't intended to be a public spectacle -- if I'm going to be fingerprinted, recorded, tracked, analyzed, sold out, and marketed to, I'll just leave and regret the effort in checking it out at all. If I have something to share freely with the wor
That NoScript does it shows up in or neaer the changelog that you get shown when you upgrade version.
So this isn't really news to me.
Hey don't blame me, IANAB
There is a new entry in the filter list of the Adblock preferences. One can disable the "Noscript development support filterset". The entry also shows textual documentation.
I clearly would prefer opt in though.
At this point I would like to point out that Opera's ad blocking does not have a whitelist and Opera does not have ads on it's page. :p
I usually surf with no-script off but I've made an exception for no-script.net. I now have scripts everywhere except for no-script.net. Anti-socials.
Knowledge is power. Knowledge shared is power lost.
By using sunshine. No. Privoxy can block scripts, or manipulate incoming traffic any way you like.
Yes. I thought I was the only one.
Grow some minerals and say "I'll have to charge you more vespene gas"
Starcrafted that for you.
I just see "Your ad here" which will appear when JavaScript is disabled, either via NoScript or just generally. One quick rule and those boxes are gone too (the "Element Hider Help" add-in is Adblock's friend...).
...well not the "doing something without telling the users" problem with NoScript, but unticking one box to stop AdBlock using the NoScript rules...
This brief examines the motives for hacking, in the sense of trespassing against another person's computer. [...] The modification or impairment of data is an offence if [...]
I think "modification of data" should be understood in the context of "trespassing against another person's computer".
My understanding (IANAL, TINLA): it's illegal for me to root your box and photoshop in a llama dick on your wedding pictures.
It's not illegal for me to run Registry Cleaner or something which modifies my own registry. Even if it interferes with the functioning of third-party software.
Similar in spirit, I don't think it's illegal for me to intentionally mis-render the HTML that's sent to me (which is the ultimate goal of ABP), nor mis-execute the javascript that's sent to me.
I'm having a hard time seeing how NoScript modifying ABP can be said to be illegal. If I intentionally install (or, possibly just store) a virus on my computer, and my anti-virus software destroys it against my wishes, wouldn't that be kinda' the same thing?
Noscript is a great add-on, and performs a valuable function. They made a mistake, and fixed it. So I am keeping Noscript, and also whitelisting it in ABP. For what they do, as well as for fixing their error, they maintain my trust.
This seems like a dirty game that noscript is playing. They are intentionally subverting the intention of the AdBlock plugin. Blocking ads is the intention of the user because the user installed the plugin. Therefore the noscript authors are subverting the intention of the user. Users (some) will put up with this for a while, however if it gets to bad a new "noscript" will be created. It will be a fork noscript is open source or it will be a complete rewrite. There only way this can end well for no script is to not "go too far with it" that it really pisses off users/developers. What "too far" is, is what is under debate. Since what is being blocked is mostly ads from ad servers, can it be claimed it is "part of the content of the page" as some here have described. With snail mail some companies place ads in with your bill. IMHO that does not make the ads part of the bill. However I think this can be a security risk, as ads servers can be a vector for attack. I was listening to a respectable internet radio station that required that I run IE (I know, I have to live in the dark side once in a while). I came back later and found avg saying it found a virus. After some investigation I noticed an ad on the internet radio page had the url, file://c:/windows/system32/. And when I visited that "url" exactly avg popped up again. Now I always block ads when I can (and try not to use IE) because the author of the page has not authorized each ad to be "part of the content". I would hate to live in a world where it was "part of the content" and sites where responsible for the ads that got served. Then again, maybe there would be less ads that way. Anyway, just my 0.02 cents
Who, exactly, is begging the question and what are they begging it for? What makes them think the question might be responsive to their pleas? Taken literally, "beg the question" is essentially a nonsense phrase. You could say that a situation begs for a question to be asked, or that it begs for an answer. But "Begs the question" has a specific meaning and it is being misused in ignorance. It might be a silly name for the logical fallacy, but that doesn't change the fact of the origin of the phrase.
...without any scripts at all? All you need is an image with a unique URL wrapped around it on the web page. Come up with a way to serve up 3rd party ads with all the elements coming from your own server. That can't be difficult.
Anyone wanna join a startup? I kid. But it doesn't seem like NoScript will be getting much advertising revenue anymore...
After spending some time looking into this, here's some info I've collected about a possible fork or alternative tool.
There are intros here and here on how to write extensions for Firefox. You use javascript and XUL (an XML grammar that describes GUI widgets).
TFA has comments by Wladimir Palant saying "I have pity with anybody who tries to fork NoScript, the code is a huge mess. It is much better to rewrite it from scratch."
NoScript is actually pretty complex. It does a lot of complicated stuff to try to guard against XSS attacks, etc. It also has something called "surrogates." The idea is that some sites serve up ads, and use javascript to detect whether the ads have been served. If the ads haven't been served, then it uses javascript to prevent the content of the page from being displayed properly. Surrogates are scripts that set the same flags or whatever that would have been set by the ad script, making it appear that the ad has been served. This requires that Giorgio Maone engage in an arms race with the people whose sites do this kind of thing.
So AFAICT the only sane thing to do would be not to fork NoScript but to write an alternative version from scratch. At least initially, the alternative version should be nothing more than a whitelisting mechanism for javascript. If that was done, then one could look at whether to go on and reproduce the security and surrogates stuff that NoScript has. My guess would be that that would simply be a bad idea. Better to avoid the bloat, and also to avoid the situation where one has to spend a huge amount of time actively maintaining it. I'm guessing that the reason Maone feels justified in his actions is that he really does have to devote a lot of time to actively tending all the bells and whistles, and that suggests that the OSS model may just not be well suited to biting off that much. Eliminating surrogates would break some sites, but only those that use aggressive measures to try to force you to view their ads.
If you look on the NoScript forums and FAQ, there seems to be a huge amount of support work involved. Someone reports that some feature on foo.com breaks, and then Maone has to look into it and see if that's really a bug in NoScript. The need for intensive support is probably another thing driving Maone's sense of entitlement to his ad revenue, and it's probably another good reason that an alternative project should avoid all the fancy stuff and just concentrate on making a simple and well-designed whitelist for javascript.
I've clicked around for a long time on the noscript site trying to find the source code, and I can't find it. I've seen posts by others here on slashdot saying the same thing. It must be publicly available somewhere, but I'm darned if I can find it.
Find free books.
Could someone offer an example of receiving little (as opposed to no) warning?
That ain't liver; that's beef kidney!
I'd offer a bounty for a competing product. I'm going to talk to the Adblock folks and see if they can't just take his code and make it their own but would like more options.
I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
It might be interesting to be able to disable automatic research of new versions of a specific addon in the preferences of FF.
This would help to prevent such things happend.
I don't know where you got the idea that Noscript is adware. Where exactly do you see these T&Cs that describe the ads that NoScript will show? As far as I know, they don't exist, as NoScript is not adware.
Information doesn't want to be anthropomorphized anymore.
it desperately asks for an answer
So, begs the answer surely?
No that is not what it means, however counter-intuitive it may seem. Look it up.
Doug Jensen
Forgive him. He was a regular, normal child till the age of 5. After a nasty incident when a monkey ran away with his candy, he overnight became an overzealous advocate of all the laws (and fantasies in) which monkeys are prevented from stealing candies from children. His this obsession is now manifested in a lot of different ways.
He will be fine once we take him back to the clinic and give him his medicines he has missed for two days.