Slashdot Mirror
NoScript Adds Subscriptions To Adblock Plus
hahiss writes "Apparently, NoScript has taken to adding its own whitelist updates to Adblock Plus — so that the ads on the NoScript page show up — without notifying users. (It is described on the NoScript addon page, however.) This was a part of the last update to NoScript. Wladimir Palant, the main developer of Adblock Plus, describes the situation in an informative blog post."
Update — 5/02 at 12:30 GMT by SS: Reader spyrochaete notes that "InformAction, makers of the NoScript extension for Firefox, have removed the recently introduced AdBlock exceptions which unblocked the revenue-producing ads on the NoScript homepage with little or no warning to the user. According to the changelog, InformAction pushed out an update specifically addressing this controversial decision 'permanently and with no questions asked.'"
Start a project that blocks ads that is funded by advertising on their website and donations.
Sounds real smart.
They have 3 AdSense ad units (the max) on their home page, a couple of small buttons and a set of sponsored links. The sponsored links also don't use the rel="nofollow" tag but I guess google doesn't penalize everyone for that or nobody has reported them.
Seriously, this is a business model that shoots itself in the foot.
Dual Opteron < $600
Little Snitch on the Mac, which helps you identify when apps 'phone home, itself 'phones home, and you can't block it using Little Snitch itself.
I like to call this the Communism trait, for the Party elite always manage to make themselves more equal than others.
(Moderators: this isn't an anti-communism or pro-capitalism post. An important part of growing up is knowing that ideals are merely the primary colours, and life requires a mixture.)
When the Easylist filter was made for Adblock Plus, it generically blocked ads for many websites, with some specific rules for other sites. Giorgio Maone (creator of NoScript) relies to a certain extent on ad revenue on his websites, without which he may spend less time working on the extension. He made a workaround on the ad blocking, and though the filter could have been updated to counter this, no attempt was made to update it.
When Rick Petnel died, they needed a new maintainer for the filter. Ares2 continued where Rick left off. He decided to fix the workaround made on Giorgio's sites.
What then followed was a game of cat-and-mouse. Giorgio would attempt a new workariound, and Ares2 would attempt to block the ads. It reached the stage where large parts of Giorgio's sites weren't working due to false positives.
Here, it seems clear that Ares2 has gone too far, and a compromise should have been reached. ABP and NoScript are a good pair when working together, though the people behind them have different philosophies. Unfortunately, things start to take a turn for the worse.
In an attempt to defend his site and ad revenue, he makes an update of NoScript to version 1.9.2. This version contains a file called MRD.js, which adds a CSS stylesheet rule to his websites that overrides the filter, by adding -moz-binding: none after the filter has loaded, which the filter depends upon. Furthermore, the file is obfuscated to hide what it does. No warning is given to Firefox users of what the extension has added in this tit-for-tat battle.
When this addition started breaking users ABP installations, version 1.9.2.3 instead adds his websites to the ABP whitelist, calling it a "NoScript development support filterset". The user isn't informed of what this is, and isn't given a choice on whether to accept it.
At present, the filter has removed its false positives, though leaves the ad blocking in place. The NoScript behaviour still remains in the latest version.
Ares2 was overzealous in attempting to block ads, and shouldn't have made Giorgio have to make excessive changes to his site. But the larger concern is that while Easylist is a filterset, which can be removed and updated by the user, NoScript went further and started to modify existing extensions, executing code without user's consent or awareness, and acting in a way that resembled malware, to display ads on his websites.
Extensions can be great for giving people freedom to control how they view the web. But creators of extensions need to be careful in what they do with them, especially with those with a large user-base like Adblock Plus and NoScript. If not handled correctly, Firefox extensions could become the next vector of malware, and that would be a shame for all.
It is a useful tool, it shouldn't be too hard to strip out all the dodgy code and host it on another site.
i'm not so much concerned about what money who makes from what as I am as extensions, without ample notification, acting as malware against other software/extensions i have installed in order to make a buck. I moved to linux long ago b/c i was tired of having to run scans once a week. I switch to FF b/c i prefered a more secure browser (made even more secure by extensions). Now basically, this guy, has managed to get malware in both firefox and linux. Seriously, total douchebag move.
First, noscript added code that disabled adblock plus if EasyList was used. Then, noscript auto-adds (no user prompting) an abp subscription whitelisting his sites. You cannot delete it (it readds upon FF restart), only disable it.
It's somehow okay now that an extension goes behind the users back and circumvents other plug-ins? Especially a plug-in that most users use presumably to protect themselves against malware and intrusive JavaScript driven ads?
I sure hope the community will step up and create a new open source plug-in that goes "back to the basics" (disable JavaScript per site + whitelist) and people ditch NoScript faster than you can say "WTF!"....
Apparently the NoScript developers (which is btw. the most obnoxious plug-in I currently have installed; re: updates...) heads have gotten a bit to big for their own good.
I can't wait to see the fallout from this one. Hopefully at the end NoScript in it's current form won't exist anymore!
I'll repair your car for free, and as an added bonus I'm also going to change all of your saved radio stations, adjust your seats, replace your tires with a cheaper brand, and rape your lass.
I do it for free, so people aren't allowed to complain!
The parts in bold happen frequently in my experience. The part in italics happens frequently if you exchange "hit on" for "rape".
Dual Opteron < $600
Like many Slashdot users, I run both NoScript and AdBlock Plus.
Had NoScript asked me if I wanted to whitelist adds on their site (in my AdBlock preferences) to support NoScript development, I would have happily clicked "Yes."
As it is, I've left the NoScript whitelist intact in my AdBlock preferences, because I do want to support their development (NoScript leaves a comment in the AdBlock preferences indicating that this whitelist can be disabled easily). That said, I would have been much happier had my permission been asked!
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
If I have ad blocking software installed, that means I don't want to see ads (unless I explicitly approve them).
If I have script blocking software installed, that means I don't want to run scripts (unless I explicitly approve them).
How difficult is that to understand?
I don't care if the Noscript developer relies on ads for revenue. If I have ad blocking software installed, I don't want to see ads, period.. that doesn't mean "except on noscript's site, of course!". If the Noscript developer doesn't like that, it's too fucking bad.
This behaviour is disgraceful, and Noscript should be blocked by Mozilla (is this possible? Or, at least, not hosted on their site..) because at this point, it's clearly malware.
I am the maverick of Slashdot
NoScript will no longer be permitted on any of my computers, period. This is unacceptable behavior. If I'd payed for the addon, I'd be demanding a refund. As it is, all I can do is try to take back the favorable word-of-mouth I've been giving the author, and try to find a version without the invasive behavior.
Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
For some time now, I have been getting more and more annoyed with the regularity of NoScript updates, especially as it would ALWAYS open the home page after every update, this is after the nuisance of me already having been asked to restart Firefox for the addon update.
Now it makes sense, they clearly artificially make this happen just for adrevenue. The addon probably doesn't even need that many updates.
Anyway, even though I know I can change the option to not go to the homepage after each update, I am tired of having to restart Firefox once a week for software which is for the most part adware. I barely use noscript, except on 1 site, I'll wait for someone else to make an addon which doesn't piss me off, or simply tolerate the minor annoyance of that one site.
As for the real world security benefits of noscript, they are questionable at best. If a website codes itself so it needs javascript, one would likely turn on noscript, and then the website could run malicious code.
Sure you may not be bothered by some ads on their site, but it's a slippery slope they should avoid. Users place their trust in add-ons like AdPlus and NoScript when they allow a third party to filter content. They proved they're willing to cross the line for a few dollars in ad revenue. What would they do for a significant amount of money?
Parent is correct; NoScript is EVIL. It will install malware, upload \My Pictures\ to a russian server and molest your children. The frequent updates the parent complains of are required to keep the NoScript's keylogger signature ahead of the anti-virus databases. NoScript was funded by Scientologists and developed by Sony. Users of NoScript are providing bandwidth to global botnets and have copies of all IM and email forwarded to the NSA.
STAY AWAY
The bottom line is: don't install untrusted extensions.
It was always a risk.
By the way, you now know never to trust NoScript, and to warn anyone who tells you they're using it.
(which is btw. the most obnoxious plug-in I currently have installed; re: updates...)
Set noscript.firstRunRedirection to False and it won't open the homepage after every update.
"I must admit I don't have much expertise in this area. I've never used either Adblock or Noscript."
You should have stopped right there.
This highlights a security problem: if addons can affect/patch each other, how can you ensure the integrity of the browser?
Example: a malicious addon is released, and it takes some time before the malicious behaviour is discovered, and people delete the addon. But has it injected malicious code into other addons on the system? Now you have to remove all addons to be sure.
Is this outlandish or possible? Has Mozilla implemented any security against such an attack?
In the Firefox address bar, type : about:config
Scroll down to: noscript.firstRunRedirection
Right click this value, and 'toggle' it to false.
Due credit goes to posts at http://adblockplus.org/blog/attention-noscript-users
I always thought the incremental updates to NoScript were too frequent to be entirely for the benefit of its users.
1) Involuntary web page visits after an update
2) serve ads
3) no step 3
4) profit
He probably looks for any typo that he can fix to get the next update out on time. At some point he needs to just call it adware, and I think we'd all agree that point has been reached. I'm now going find a way to avoid going to his page after an update, that way it won't matter if his ads were blocked or not.
Those are my principles. If you don't like them I have others. -Groucho Marx
Since NoScript recently put up a forum I figured I would go over to see what people on there had to say. Here's a thread which starts with a discussion of noscript breaking adblock and then turns into a discussion of the specific issue: http://forums.informaction.com/viewtopic.php?f=7&t=877
Here's a post where the NoScript guy asserts his reasoning for it: http://forums.informaction.com/viewtopic.php?p=2777#p2777 basically he says that the update to the filterset broke noscript.net making things like the menus unusable.
In this post http://forums.informaction.com/viewtopic.php?f=7&t=877&start=90#p3162 he claims that the inability to remove the noscript filterset is a bug and that the next update to noscript will fix that and prompt users beforehand.
http://www.popularculturegaming.com -- my blog about the culture of videogame players
Absolutely. What many programmers and companies do not realise is that there there needs to be a large amount of trust between users and themselves. Ultimately, by installing software, users are giving huge control of their systems and software to people they have never met and who will never meet them.
If find that most people are if anything, to trusting on the Internet. Hence botnets. But even cautious people do tend to give others the benefit of the doubt. But if they should be given reason to go back on that, it can mean a permanent end to that trusting relationship.
I know someone who recently installed Google Desktop(Something I would never, ever, do). They were happy at first, as they were happy to use a multitude of Google Apps. However, trouble struck when the geniuses at Google Desktop decided that when you search using their internet search, it should also bring up search results from your Desktop index.
Imagine someones surprise when their personal computer files appear on an internet search page. It wasn't pretty. The user wanted to uninstall Google desktop, sign out of Gmail, and stop using Google search forever. As I tried to explain that the page was linking to local files, not on the internet, I realised my words were in vain. This person had simply been too shaken my the incident. From their perspective, they had been betrayed. Their personal files had been cast online, or at least, they now recognised that outcome was possible due to the control they had given to a private company.
All trust in Google, and all its products, was lost forever. The trusting and confident relationship Google had with this person had been shattered by a single incident. I've seen this happen multiple times, with multiple pieces of software. Frustration, data loss, jarring incidents. Even the smallest thing can rupture the good feelings of people towards the people whom they entrust with their data.
This is such an incident. NoScript is forever tainted, never to rise again. Hundreds of thousands of people will likely uninstall it today alone. It will cease to be recommended, and ultimately another virtually identical extension will takes its place. A good lesson to all who would be so careless with their reputations. You need your users trust to survive.
May the Maths Be with you!
about:config
set noscript.firstRunRedirection to false
It isn't a "stupid trick." I installed NoScript specifically to help prevent things running in FF that would screw with my system behind my back. This behavior, screwing with ABP's configuration WITHOUT ASKING ME FIRST is EXACTLY THE SORT OF SHIT I installed it to PREVENT. This has nothing to do with how "trivial" said screwing is, or how much money the author does or doesn't make from the damn plugin. It's a matter of trust and what the damn plugin was built to do. The author just used his plugin to do exactly what we all installed it to PREVENT. I (and apparently a lot of others) no longer feel that we can trust the author or his software since he's now stooped to the tactics used by the people and software his plugin was designed to prevent.
But he did use a car analogy... points for that, anyway.
(There is supposed to be a Sarcmark® here, but my $1.99 check hasn't cleared, yet...)
but the Mozilla Add-on Policy requires them to inform you in some detail of what is being changed by an update. Since you're in a browser, a web page seems the logical way to do it.
Maybe you shouldn't update them all at the same time?
Those are my principles. If you don't like them I have others. -Groucho Marx
The problem is NOT seeing ads on the Noscript website. Like many of the others here that didn't faze me one bit. The problem is he is hijacking OTHER software to shovel his ads. Now THAT is a problem.
It says on the Noscript website it is software under the GPL, that means the source code is available, yes? Can we get a fork please? I mean we seem to have a bazillion OO.o forks now, and there wasn't anything wrong with OO.o that I could see to begin with(that said I prefer to give out oxygen office as it has all the clip art and slideshow presets to make it useful like MS Office) and here we do have something seriously wrong.
Until we get whichever group is responsible for JavaScript to actually fix the security in it, or get websites to dump it like they did ActiveX, we are going to need a way to filter it selectively. Unfortunately just like ActiveX in the 90s you can't just kill JavaScript dead because there are too many websites like banks(WTF?) that need to have JavaScript to be useful. I don't mind making money, and if the guy would have asked nicely I would have been happy to add his little whitelist so he could keep making the tool I use, seems fair to me. But pulling this backdoor install BS just don't cut it. But frankly I haven't seen any other tool that does the job so this jerk kinda has us over a barrel. Proxies and fiddling all day with HOSTS files is frankly a royal PITA.
So does anybody know of ANY software that can give us roughly the same functionality as Noscript without being a PITA? Because those of us that have to use Windows really need the extra protection.
ACs don't waste your time replying, your posts are never seen by me.
First, I'm not an anonymous coward, I'm Tom T., a Moderator at the NoScript Support forum. Just didn't need one more U/P login as probably a
one-time poster here. Having read only the top pages, just wanted to make sure that these points were covered:
1) Giorgio Maone himself has pointed out repeatedly, including at the thread in question, that anyone can disable his pages' ads with NoScript just by blocking the Google-Syndication scripts. NoScript itself cannot be circumvented in this blocking, even by NoScript. :)
2) For those who think the updates are a revenue-(ad-viewing)-generator, aside from the fact that the NS FAQ includes simple instructions for turning off the home-page redirect for each update (try reading the FAQ before criticizing), please look at the complete history and at how many times some new attack, e. g., XSS etc., has surfaced, and Giorgio has dropped everything -- wife, new baby -- and rushed to protect NS users with an update. Some of these updates turned out to prevent future attacks that weren't even known at the time of the update. Go to the Changelog, see the number of feature requests/bug reports, and tell us which ones were unnecessary. Go to the blog of world-class hakker Sirdarckhat, http://sirdarckcat.blogspot.com/2008/06/hacking-noscript.html, who has responsibly and privately reported his discovered vulnerabilities, and note his comment on Giorgio's response to such reports:
"Is important to say, that Giorgio fixes stuff in "hours", (or minutes in some cases), and he has done some crazy stuff, just so NoScript users can be safe, so if you dont use it, go get it."
Straight from the hakker's mouth there, peeps.
3) As a personal opinion only, and not speaking for Mr. Maone, NoScript, or the NS Support Forum, I have repeatedly recommended AdBlock Original, in which only I can set blocks or permissions, no one else, and with which I can affect or hose only my own machine, not anyone's else, nor can I affect anyone's web site. That is why NS does not offer "blacklists", despite repeated requests from users who don't want to be bothered with making their own decisions (the whole point of NS), and why, despite my great respect for Wladimir Palant and his product, I don't use ABPlus. True, I don't "have" to subscribe; I just don't want to open that door. The only exception would be the Hosts file, offered by http://www.mvps.org/winhelp2002/hosts.htm ,which has *specific criteria*: a site must drop tracking cookies or drive-by adware, spyware, or other malware; and the file is plain-text readable and editable by any user to remove any block-entry that they feel is unnecessary. I never have. They're all there for a good reason and are sites I don't want to allow my browser to connect to.
4) Anyone who thinks that scripting or other web executables are without danger and require no user attention probably shouldn't be using a computer, or is already pwned. Do some research. "If you aren't worried, you just don't understand the situation." Cheers!
Ironically, people install NoScript for the specific reason of not trusting others on the internet.
Giorgio released version 1.9.2.6 which disables the filter. I quote from http://noscript.net/?ver=1.9.2.6&prev=1.9.2.5
It seems that he eventually got it right.