Slashdot Mirror
NoScript Adds Subscriptions To Adblock Plus
hahiss writes "Apparently, NoScript has taken to adding its own whitelist updates to Adblock Plus — so that the ads on the NoScript page show up — without notifying users. (It is described on the NoScript addon page, however.) This was a part of the last update to NoScript. Wladimir Palant, the main developer of Adblock Plus, describes the situation in an informative blog post."
Update — 5/02 at 12:30 GMT by SS: Reader spyrochaete notes that "InformAction, makers of the NoScript extension for Firefox, have removed the recently introduced AdBlock exceptions which unblocked the revenue-producing ads on the NoScript homepage with little or no warning to the user. According to the changelog, InformAction pushed out an update specifically addressing this controversial decision 'permanently and with no questions asked.'"
I have been using NoScript for a long time, and it proved to be a valid and good extension. However, as more and more sites move to Ajax based sites it is quite useless. What is the point of a little more security over total unusable websites. Now this extension is more of a nuisance than help. I disabled it about 6 month ago, and have not missed it. This report will make me uninstall it
I imagine the cost of doing this would be quite high, especially considering the constant updates to the extension.
There's no -1 for "I don't get it."
Perhaps you shouldn't be cheering on a developer losing their income? Granted he went too far, but so did the new maintainer of Easylist.
And if the guy who made NoScript for free finds he can't make any money from it, maybe his next project will be proprietary, with a license fee.
Be careful what you wish for.
People mostly look at me funny when I tell them I allways turn "automatic updates" off.
This story is, apart from the more known MS horror-updates, a good example why someone should not blindly accept them (and should never believe in software that changes quicker/gets updated more regular than some people clean their toilets).
Yes, I'm a rabid NoScript fan and will defend this awesome piece of software to my death if need be.
Then how about you and the other NoScript fans fork over a few bucks now and then to fund development so that the rest of us don't have to deal with him dicking around with ABP?
This highlights a security problem: if addons can affect/patch each other, how can you ensure the integrity of the browser?
Example: a malicious addon is released, and it takes some time before the malicious behaviour is discovered, and people delete the addon. But has it injected malicious code into other addons on the system? Now you have to remove all addons to be sure.
Is this outlandish or possible? Has Mozilla implemented any security against such an attack?
Create a new filter with a copy of the NoScript developer filter, add it below the pre-installed one and make sure both are disabled. Hopefully then if it's re-enabled by an update your manual copy will still be disabled, nullifying the effect....assuming it's read like CSS from top to bottom.
Alternatively, look for another script control addon. Personally I've been getting rather pissed at the opening of new tabs on each update for a while now; not just NoScript either. Depending on whether my thinking will keep the block in place and how much longer I'm willing to accept the tab opening shit, I am close to removing it myself. There is YesScript and Controle De Scripts on the addon pages but I've not yet tried them.
It may help to let the NoScripts people know why their usage numbers are going down on their Mozilla addon feedback page. Perhaps if they see enough people are pissed off, it may change things.
Why does noscript need to be updated that often, if ever? What happens in these updates anyway? I honestly cannot tell the difference in functionality in noscript now and when I first downloaded it a few years ago. Someone should fork it, strip out the crap, and then never update it again (except security fixes, etc.)
The author of the article says this is a problem he predicted would happen if we didn't "give extension developers a way to make money".
Now it's our job to "give" developers a way to make money?
It amuses me when someone decides to use the "free" model of software development, making an application and then not charging for it, and then gets offended because he's not making money.
Dude, if you're smart enough to come up with a useful app, I bet you can figure out a way to monetize it.
I hear the same thing from artists who post all their work for free and then complain about being poor. Job 1 is survival, no matter how creative you are. You have to keep body and soul together if you're going to make a contribution. Same with guys who fix all their friends' computers and then get mad because they're fixing all their friends' computers. All passive-aggressive wearing "Don't Ask Me To Fix Your Computer" t-shirts. Grow some minerals and say "I'll have to charge you". You'd be surprised how reasonable people are when you're not a dick.
You are welcome on my lawn.
I always thought the incremental updates to NoScript were too frequent to be entirely for the benefit of its users.
1) Involuntary web page visits after an update
2) serve ads
3) no step 3
4) profit
He probably looks for any typo that he can fix to get the next update out on time. At some point he needs to just call it adware, and I think we'd all agree that point has been reached. I'm now going find a way to avoid going to his page after an update, that way it won't matter if his ads were blocked or not.
Those are my principles. If you don't like them I have others. -Groucho Marx
I am not sure, but this has just set a precedent. Because of NoScript dev's moronic attitude (It is perfectly fine to protect revenue, but DO NOT mess with another program, and a well-reputed one, on the way), may others might have learned of that clever trick...regulations to avoid this will have to be ensured by Mozilla so no extension will fight with another negatively by blocking functionalities like this.
Expect more on this line in the future for sure. It's a really bad idea to make this kind of nasty trick public, others might learn and instead of a black egg in the basket we will have many. It's like idiots ramming demolition balls on their crotch just because they saw it on Jackass.
And precisely extensions are what make Firefox a winner, I won't like the idea of having to fear them like one of those IE toolbars.
Of course it's a worst case scenario, hopefully things will stay like this, and I hope they do.
If not because I need noscript to block JS files to make Internet usable with my slow dial-up, I'd have ditched it long ago. I have some kind of feeling it's blocking something in Ubiquity's last version, it stopped working right after a noscript upgrade for me.
It's not actually illegal. It is, however, apparently against the Mozilla Addon ToU (https://addons.mozilla.org/en-US/firefox/pages/policy) - that was the original terms under which the ABP author asked the NS author to remove the code in NS that intentionally harmed ABP's operation.
How's that going to stop nefarious scripts running?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
This behaviour is disgraceful, and Noscript should be blocked by Mozilla (is this possible?...
Yes, read the Addons.Mozilla.Org policy page. All versions of add-ons are supposed to start out in the the Sandbox for review before they can go into the Public area. They can just as easily be kicked-back into the Sandbox if it's later shown that there's something wrong with them.
I heartily recommend that you file a complaint with the AMO editors, amo-editors_atsymbol_mozilla.org, since NoScript is clearly violating the following rule:
Do the add-on and add-on author both treat the user respectfully?
Your software should not intrude on the user unnecessarily, try to trick the user, or conceal any of its activities from the user.
How the obfuscated code in NoScript's content/noscript/MRD.js file got through the Sandbox review process is a question I'd like to see answered - perhaps only the initial add-on versions are reviewed and then updates get fast-tracked. AMO reviewers are all unpaid volunteers and are probably overwhelmed by the number of submissions, so this wouldn't surprise me.
I would expect most /. users would be smart enough to actually see what's being changed before updating something.
Except that the Update Add-ons dialog doesn't have a link to the Changes page for each add-on that's about to be updated (Mozilla is talking about adding that feature, by the way, not just because of this particular incident).
I doubt most NoScript users would bother to check the Changes page even if the link was there - it's already running on their browser and has probably earned the rank of Trusted Add-on in their minds. I'm not convinced that NoScript-using /. readers would be much different.
but the Mozilla Add-on Policy requires them to inform you in some detail of what is being changed by an update. Since you're in a browser, a web page seems the logical way to do it.
Maybe you shouldn't update them all at the same time?
Those are my principles. If you don't like them I have others. -Groucho Marx
Personally, I don't see the big deal in blocking advertising. Most good sites aren't too in your face about it and it helps keep them running. I haven't run ABP in years because of it and I've found some of the ads to be useful.
Following the same logic (sites need revenue from ads to stay operational) I too did not use the Adblock Plus add in.
Until one day when I was served the most annoying ad ever. I was attempting to read an lengthy article while listening to my favorite internet stream at the time, when my ears were assaulted with a sound that made GSM interference sound pleasant.
On the page with the lengthy article I was planning to read, I was presented with a "punch the monkey" type flash ad. Only this ad was hit some evil ninja villain. The Flash ad was the source of the horrendous noise. The Flash programmer had set the the thing to loop infinitely and disable all of the flash plug-ins controls. Every time I refreshed the web page the same ad was served up again.
That's when I changed my position. I loaded up NoScript and Adblock Plus, and this annoyance was no more. I've never looked back. I was pushed too far, and it won't happen again. Ever.
I'm going to go back in my box and will think within the limits of my box: MS Sucks Linux Good I read too much Slashdot.
I've work in interactive advertising, and we simply don't care about people who block ads.
When you run ABP or NoScript, you drop out of the stats. Your hit doesn't count and we don't pay for the impression. Your traffic is meaningless unless someone is looking at OS/browser stats.
The people who do care about ad blocking tend to be porn webmasters and other people running affiliate sites.
You would think someone who makes an add-on designed to block sites from forcing annoying shit with java would realize how silly it is to fight with the people who make an addon to block annoying shit done with ads. Does noscript whitelist java ads on sites of others? After all, they need to eat too, right?
We all know the reality is if the no script dev quit today the add-on would live on with minimal interruption. Hell, the surprising thing is it is still being actively developed so hard, it already pretty much accomplishes exactly what it set out to do, and adding any new features will almost certainly be to it's detriment (and should probably be spun off into a new add-on). No-script was not the only java-script whitelisting add-on early on, the others probably quit because they felt it was a duplication of effort. Honestly in my opinion it's clearly time to fork it and get it out of the control of this jerk-off. Maybe then I won't have an incredibly minor update to install every morning.
As firefox grows this kind of thing will definitely increase. It's only a matter of time in my mind before people start trying to pass off malware in their plug-ins as updates. After all, when you are giving away something for free, and see the chance for some easy money, it's easy to be tempted. Here's hoping mozilla can revoke this guys ability to push updates. I like noscript, but I will be removing it from my work pc first thing Monday morning after seeing this, and my personal pc's as soon as I can find a decent replacement. He's crossed the line firmly into malware-author territory (deliberately interfering with another application/extension and overriding the user's express wishes without permission, while being deliberately deceptive about it.
It's really sad when a tool I use to give me greater control over my browsing experience becomes a lever to be used to hijack that same experience.
IANAL but in Australia we have laws which among other things makes it a crime to alter data without the owner's consent. There's a similar crime in Britain. I don't know the specific European Laws he'd be prosecuted under, but altering data without consent is one of the first things that cybercrime laws legislated against. Shop around, but this Giorgio Maone is treading on some shaky ground here and he did it with clear forethought. Unlikely Maone will be prosecuted - few people ever are, but if I were him I'd be apologising profusely now and promising never to do it again. Instead he's been pretty obnoxious over the whole affair and pretty much killed the NoScript brandname. He's also violated Mozilla's T&Cs.
http://www.aic.gov.au/publications/htcb/htcb006.html
http://www.aic.gov.au/publications/htcb/htcb005.html
http://www.saflii.org/za/other/zalc/dp/99/99-CHAPTER-3.html
http://en.wikipedia.org/wiki/Computer_Misuse_Act
http://en.wikipedia.org/wiki/Noscript#NoScript_exceptions_and_AdBlock_Plus
> MattHawk (215818): It's not actually illegal.
Well, yes it is. Either state IAAL and/or give links to support what you are saying.
No, it's not a user's job to give developers a way to monetise their product, but I also think we have a responsibility not to remove such methods.
I use NoScript and explicitly whitelist reputable advertising agencies. I had Adblock Plus installed for a time, but only to hide distasteful images. I rarely click on advertising, but every couple of months an advertisement will spark my curiosity. I have a hard time believing many users who install these types of addons never do the same thing. I also contribute to the websites statistics, which may or may not help a webmaster negotiate with advertisers.
I routinely ask the question, "what if everyone did it?". In the case of ad removal, there would be quite serious ill-effects: I would much prefer to consume ad-supported content than pay subscription fees.
I'm a little uncomfortable with what the NoScript author has done, but as far as I'm aware, there is no viable alternative.
It must also be pointed out that, if Microsoft were to behave in a similar fashion, many here at Slashdot would find it hard to contain their disgust.
"Copyright law says you don't have that right."
Citation, please.
According to TFA (check out the comments of Wladimir), the codebase of NoScript is a mess, and the author recommends that one starts from scratch in stead of forking out. JavaScript also does have its uses, most notably it allows for a lot of stuff to be handled clientside, speeding up the user experience and reducing the load on the servers of the website. The FF addon closest to NoScript is NoFlash, but it only blocks flash applications.
The truth may be out there, but lies are inside your head
This seems like a dirty game that noscript is playing. They are intentionally subverting the intention of the AdBlock plugin. Blocking ads is the intention of the user because the user installed the plugin. Therefore the noscript authors are subverting the intention of the user. Users (some) will put up with this for a while, however if it gets to bad a new "noscript" will be created. It will be a fork noscript is open source or it will be a complete rewrite. There only way this can end well for no script is to not "go too far with it" that it really pisses off users/developers. What "too far" is, is what is under debate. Since what is being blocked is mostly ads from ad servers, can it be claimed it is "part of the content of the page" as some here have described. With snail mail some companies place ads in with your bill. IMHO that does not make the ads part of the bill. However I think this can be a security risk, as ads servers can be a vector for attack. I was listening to a respectable internet radio station that required that I run IE (I know, I have to live in the dark side once in a while). I came back later and found avg saying it found a virus. After some investigation I noticed an ad on the internet radio page had the url, file://c:/windows/system32/. And when I visited that "url" exactly avg popped up again. Now I always block ads when I can (and try not to use IE) because the author of the page has not authorized each ad to be "part of the content". I would hate to live in a world where it was "part of the content" and sites where responsible for the ads that got served. Then again, maybe there would be less ads that way. Anyway, just my 0.02 cents