Slashdot Mirror
Apple, Microsoft, Google Attacked For Evil Plugins
nk497 writes "A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"
Yes...I should not have to check addons to firefox to make sure nothing dodgy has been installed. Of course, this behaviour will continue as long as it is technically possible, so why doesn't Mozilla simply make it impossible? Only allow installing addons through firefox, with explicit prompts.
If you ignore ACs because they are anonymous - you're an idiot.
Just last night I was testing something that required Yahoo messenger. After accurately deselecting all the various optional bullshit software it still installed the fucking Yahoo toolbar and who knows what else. What a scam.
Why does the Adobe Reader update install McAfee Security Scan automatically...
But MS, G and A all have our best interests at heart. No program should be able to circumvent this explicitly allowable behavior!
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
That has a very simple follow up question.
Why can these companies do that?
Why is there no mechanism in place that demands a new plugin to be confirmed by the end user?
Maybe I'm missing something, but at least on the Mac, Apple/MS/Google all install plugins in /Library/Internet Plug-Ins. These work for Safari, Firefox, and I believe Opera. If Mozilla thinks this is evil, then they could just ignore plugins in that directory... but that would be a huge step backward in usability on their part.
Come on Mozilla... stop coming out once a month or two and saying something dumb. "Stop being dumb!".
Warning: A third party plugin, PluginNameHere, has been installed without user consent:
DELETE KEEP
But I would rather see the browser detecting externally installed plugins and not enable it on first start, and maybe ask user if it's wanted or not.
Not that difficult to code in a startup screen "X addons installed since last restart. Should I remove?"
excitingthingstodo.blogspot.com
...why is your software so crappy that it allows anyone to install plugins without notifying the user?
One thing I've slowly come to realize is that most people do not mind a big company or other entity controlling their computers. They're quite happy to run javascript trackers, download web bugs, run any executable without knowing whether it's safe, and so on.
Many of us here have an aversion to these things. If we see a plugin installed without our permission, we'll figure out how to remove it. But most people do not place any value in having control over their own hardware, so they see no value in doing that.
The end result of this is going to be a highly controlled internet, because the number of people who care about its freedom and openness is very tiny compared to the number who don't. The market forces will decide, and those are clearly on the side of the "you may control my computer in any way you want, Mr Multinational Corporation".
PS - my CAPTCHA for this message was "disallow".
The Mint Linux distro installs a default custom search that not only removes a lot of functionality from google but also takes up half the page size on a 12.1 inch netbook with a plain ugly design, just to make some cash. Fixing it is possible but come on! I donate cash already to various projects, but Mint can kiss my hairy ass. I need that left column in Google search because else it gives me results from the beginning of the ice age on any query related to current events.
But companies just can't accept that we don't want their crap. Especially American companies. Please ATI, I know about WoW, if I wanted to play it, I would have played it by now. So stop trying to slip the trial on my gaming machine. No thanks MSI, I do NOT want a dumb virus checker with my windows, I do not even want windows. And if I want games I get the one with my ATI card not some god awful free game with god knows what installed along with it.
I would love to serve one of the execs.
Bill Gates: "One milk shake please"
Me: *FAP FAP FAP*. *HATCHOO*. *SPIT*.
Me: "Sure, and enjoy the free extra I added in regoniztion of the quality software you shovelled on me."
Anyone knows if the McD at Redmond is hiring?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
When I read the title I understood: "Apple, Microsoft, Google Attacked by Evil Penguins ". I should not have tried to read it again, it completely destroyed the original effect.
As a Mac user, I don't have to deal with Microsoft's stuff, and I haven't really noticed anything shady from Apple (maybe because my iTunes was grandfathered in?) but the fact that Google forces me to install a Google uploader daemon as part of Google Earth means I won't upgrade the software, and haven't for the past few years. Things like this need to be optional - don't make us choose between an unhappy version of software or none at all.
I live in constant fear of the Coming of the Red Spiders.
Bill Gates: "One milk shake please"
Guys, it is time we quit picking on that pitiable guy. Was bad, was responsible for (what passes for) culture in Microsoft. But that was a long time ago. May be he did not know the evil he was unleashing on computers. But now he is mostly out of Microsoft and is trying atone for his sins by spending his money in charity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
See no evil, Hear no evil, Speak no Evil
It is the fault of others for exploiting it?
Now, I am not saying Apple/Google/MS are in the right here, but Mozilla shouldn't allow just anyone to install extensions.
How about they fix their exploits instead of pointing fingers.
when you have 300 jillion people using your product, you can afford not to care. No it's not fair, but that's capitalism.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Make it easier to remove them.
Use a trustworthy operating system that doesn't do things behind your back and you won't have these problems.
I'm repeating what someone has already said-- but why do we not have reasonable protection (security) against this, at the browser level?
Go to: ftp://ftp.adobe.com/pub/adobe/reader/win/
Not really.
I installed skype the other day and I got a plugin for firefox automatically - no choice to not have it installed. Will I use it? Nope.
Remember the days when people would install toolbars on your PC? This is just like it. Plugins do help the experience - but only if I want them to. I don't want my browser checking for updates to Google Earth, or having quicktime stuff installed.
I have Google Chrome and Google Earth installed. I don't have any Google plugins installed in Firefox. So I'm not sure what he is talking about, unless something changed with Google Earth recently.
Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.
Microsoft is the worst offender here, where they use Windows Update to push a Firefox .NET Assistant extension, don't ask your permission, and don't allow you to remove it.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Interestingly, from the PoV of a plug-in developer, I have found Firefox has possibly the most annoying environment to deploy plug-ins in. Granted it's open, and uses the NPAPI naturally - (as do Safari, Chrome and Opera) but how the browser handles installations and in particular upgrades makes it very annoying, even compared with MSIE and their ActiveX approach (and that's even given IE doesn't have a working navigator.plugins implementation).
Of all those browsers Firefox (on Windows) is the only one that requires that if you upgrade your plug-in it is not enough to increase the file version and rename the DLL and then register that with Firefox, you also have put your new DLL in a directory that has a name it hasn't seen before (e.g. including the file version in the directory name) because it refuses to look for a new DLL in a directory it thinks it's already looked in for plug-ins. You then need a JavaScript shim to refresh and check it's upgraded.
Even with MSIE all you have to do is give the control a new GUID (which is not unreadable).
Note: The official Firefox line on this is "you should always restart the browser after installing an upgrade to a plug-in". This is what their API for installing plug-ins does (or one of them, they have two, and have deprecated one in favour of combing it with the same installation method as for extensions now, but that and the quality of the documentation is a whole other issue).
Technically, no other browser documentation suggests or requires that and logically there is no good reason to need it. It listens to Restart Manager message (in Vista/Win 7) but you need to suppress those when upgrading because Firefox will invariably display a dialog then crash instead of restarting when it sees an upgrade is happening.
They also have odd rules like "the plug-in file name must begin with 'np' and the filename must be 8.3 format" (thought the documentation just seems incorrect on the latter - and would be super-inconvenient given you need to prefix it with 'np' and include a release number in the filename).
Lastly, Microsoft & Google both install "ClickOnce" and "GoogleOneClick" which, while not the same, perform not dissimilar functions, which kind of hints a market demand for a specific set of functionality.
That Microsoft include a ClickOnce plug-in is actually very helpful for Firefox in the enterprise. Apart from being a very cool and useful deployment mechanism on Windows (that in theory is a lot safer than having everyone always have to run apps with full user level privileges), Firefox doesn't current offer anything that could be an alternative (in either of it's two installation API's) and without it internal IT software teams would, I'm sure, just say "you need Internet Explorer to use that intranet app / HR tool / customer support tool / etc".
The best way to address the perceived problem of "sneaky plug-in installation" is for the Firefox team to come up with a decent, user friendly way of installing (& upgrading) and allowing plug-ins to work that doesn't suck (i.e. no yellow bar along the top [ awful usability ], and certainly no browser restart required). Something like a one-time dialog box displaying the digital signature details of the plug-in on first-run would work for everyone.
* I know most plug-ins, including Flash, suffer from requiring mandatory browser restarts and yellow bar popups, no I don't know why (other than they suck at writing installers). Especially in IE (which is evil in not supporting NPAPI, but *is* fairly well documented).
Most users (99.99%) "want" the plugins...
No. They want the program that installed the programs against their wishes and without their consent.
The 0.01% who don't are either idiots or live in a mental institution with an aluminum foil hat on their head to keep out the alien and CIA transmissions from their brain.
People who do not want Windows Live Photo Gallery or the Google Update plugin are certifiably insane? Really?
If you think this stuff is evil, sell your computer and stay off the internet.
So I should stop using a phone altogether because I think telemarketers are bad? Or does your reasoning only extend to computers and/or stuff you personally happen to like and want?
IAIFARSIJDPOOTV - I Am In Fact A Reality Star; I Just Don't Play One On TV
It's clearly Adware, not trojans... Trojans are running in the background to open the door to infect further while Adware show Advertisement for the one who pays the hacker who designed the program...
Shouldn't Adobe be in this list, too?
It's hard to fight Windows Update.
Neither Windows nor Linux has per-application compartmentalized security. In theory, you could use something like SELinux to give each vendor their own compartment, preventing an install from vendor A from affecting an install from vendor B. But the installers would have to be aware of this, and carefully stay in their own spaces, or installations would fail. Nobody does that.
(Someday, somebody is going to crack the signing key for Windows update, hijack a router to reroute Microsoft's IP address, and take over every Windows machine in the world.)
I installed iTunes on XP and ended up with about 4 services, a startup entry and an Outlook Add-in (that stops Outlook closing properly, incidentally). WTF does does iTunes need an Outlook Add-in for?
Let us look at some use cases -
System plugins in central directory, firefox starts. This is the case after creating a new user, or wiping the firefox local directory, or after a typical install. In this case you don't want endless nattering, because it is just too confusing.
If yum or apt is used to install new software, that software was usually installed with root privilege. It can just drop the new plugins into the central directory, and you are basically at the first point. And, as a "bonus", these plugins are system-wide and apply to all users.
If a local install installs a plugin into the local directory (without have firefox running -- there will not be an API), then the usual is to expect that this action was desired by the local user. However THIS can produce a popup if the local plugin was not installed by firefox.
Its just that most external installers will simply opt to drop the plugin into the system directory (I believe that's where the google toolbar goes -- I could be wrong though).
Or, an API could be generated to force the registration of plugins; the question still remains as to whether the local user should have any say about global plugins (actually, the current policy is to allow the local user to disable, but not delete). Now, the root user may not even exist in a normal Unix sense -- all root-ish stuff could be going through sudo... in which case how is the effective "root user" to be informed of these installations?
In a nutshell -- hard crypto to detect a plugin install EVEN IF DONE BY ROOT. Local comparisions to determine changes -- STILL NOT EFFECTIVE IF A FRESH INSTALL STATE IS ACHIEVED.
And a fresh install state? Assuming that you STILL want bookmark and history portability, this is simply the result of removing a few local files.
So -- if a new plugin is detected on startup, or a fresh install state is detected, a popup can be initiated that would allow enable/disable of plugins. Given, though, that the typical user won't know WHICH to select, it's a complete waste of effort. Might as well just have a script that looks at the plugin locations and reports (a GUI can add NOTHING of value here).
Which is exactly where we are today.
Just another "Cubible(sic) Joe" 2 17 3061
At least in regards to Google. I think they're getting too greedy with gathering information.
I was deploying a new website over the weekend and decided to run some stress tests on it to make sure everything's ok.
I used the record script on the web stress tool to record my interaction with the site using Google Chrome. When I analyzed the requests that were recorded I saw a bunch of requests to toolbarqueries.clients.google.com even though I've turned off all extra services that would require contacting google. I was even browsing in an incognito window.
I also routinely see googlebot trying to access content on some of my sites that isn't in my sitemaps, isn't linked to from anywhere. The only person that accesses those pages are me and I have them bookmarked in my browser. Yet somehow googlebot knew they were there.
Google might need to tone things down a bit.
This is not a problem that Mozilla has alone. Windows,Apple,Real Player and the list goes on and on have been doing this on the OS ever since windows 95. Nothing new here. It will never be a non issue until they are forced by laws and since no one likes more government intervention unless its against Microsoft nothing will ever change.
Jack of all trades,master of none
Here's an addon that claims to do just that. It's at version 0.2 and hasn't been updated in a year, but maybe worth a try (or worth helping the developer):
PluginChecker
https://addons.mozilla.org/en-US/firefox/addon/46214/
I am no fan of Microsoft. But their monumental screw-up is so big it is impossible to credit one man with all of it. May be he got bulk of the benefits and so should bear most of the blame, but still all those clueless CIOs of corporations, shills, contractors, brainless users, useless trade magazines... We should hold the feet of the present day honchos to the fire, instead of allowing them to feign innocence by blaming it all on Bill Gates. Saw him on CNN Christiane Ammanpour yesterday, he has earned Warren Buffet's approval in doing charity work. Give him a break.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
You can add Sun to that list with their 'Java Console' that I now have several disabled entries for since you can't even uninstall them and it adds a new one with every Java update.
But, why don't browsers automatically detect when an addon has been installed from a non-approved way (i.e. through the browser's own plugin install system), disable it at app start, and prompt the user on what to do with it? Would seem a much easier, and better use, of resources, than complaining about people who take advantage of your broken system.
Here's Asa's blog post, so that you don't have to click through the "news" article, which is almost entirely a copy-and-paste of Asa's post.
Warning: a plug-in is requesting permission to be installed:
[ALLOW] [DENY] [ALLOW BUT INSTALL DISABLED]
Where was all the screaming when Adobe's PDF-making add-in for Office (Windows only, of course, since Apple did it right) turned out to force menus and a toolbar to appear in each Office app? There's no excuse for allowing an external app this kind of power. Under XP & Office2k/2003 (and maybe others, but I don't have a platform to check here), you can try deleting the toolbar&menus but they come right back next time you open Word/Excel/PPT.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
This solution requires Mozilla to fix things on their end rather than complaining about big companies doing something Mozilla didn't bother to prevent.
"I'm sorry Dave, I can't do that...
there is no win in adobe reader."
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Normal users want shit to just work without being bothered with installing crap.
I realize slashdot doesn't understand this, but its true.
Apple does a lot of things not only without asking, but without even giving you an option if you wanted to ask ... and people freaking LOVE them.
This is one of those times when you're arguing technical reasons for not doing something and completely ignoring the practical reasons and target audience.
NORMAL USERS DON'T GIVE A SHIT ABOUT THE THINGS SLASHDOT USERS CARE ABOUT.
Once you guys actually get that into your heads you'll probably get a lot further along. Normal users don't give a fuck about your agenda, they care about theirs. Theirs doesn't revolve around tinkering constantly with their computer to make sure everything works in only the way they determine. They just want to browse the web and do shit and most are happy to have someone else automate the tedious retarded bullshit like installing browser plugins
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
He says these plug-ins install themselves like trojan horses.
If MS, Apple, and Google all decided to stop doing it, the real problem would still exist and be dangerous. What is to stop someone from coding up a malicious plugin, and a free, fun little game, and distributing them together, installing the plugin as a trojan horse.
This is a security issue with Firefox. Why isn't there any outrage this is even possible? If this were IE, everyone would be ripping on MS and complaining that MS made a product where something like this is possible and on the tactics to distract from the real issue. Why isn't that happening here?
Funny thing here is that F-Secure's Client Security does the same; it automatically installs an extension to Firefox that adds a toolbar reporting whether a particular site is safe.
OK, you can avoid that by choosing custom install and not installing the “browsing protection”, and even if installed you can turn it off from their GUI, but the installer does not explicitly tell you that it will install a Firefox extension.
(And yeah, others too. At least Skype and Nokia PC both do this.)
“Wait for Hurd if you want something real” –Linus
Why is it even possible to make a plugin/addon install without the user getting asked? I see it as a shortcoming of Firefox if that is possible at all. There are probably lots of other ways how FF could be made more modern and more secure (sandboxing, declarative plugin/addon rights, proper separated processes for plugins etc.) so how about stop bitching and get something done?
It used to be that every piece of shitware for Windows wants to install IE toolbars, but nobody tried to install trojans targeting Firefox because Firefox's market share was too small to be worth the effort. That has changed. Firefox is now relevant to malware coders, and therefore a target. Frankly, I think coattailware (unwanted software the rides the coattails of desirable or necessary software) like IE toolbars and unwanted FF extensions are nothing but malware, and should be opposed by any honorable means necessary.
I write sci-fi for metalheads
... can do little about.
Seriously, it's an arms race, and there's only so much time the average or even geeky type person has to find ways in blocking such crappitude while still having their machine able to work normally.
"We think you're gonna love it."
True enough, but encryption works as a digital signature. (The converse is false, naturally.)
One point to mention however, is that if the plugin installer can access your 'public' key it can simply modify that key and supply a plugin list that has their app signed by that key. You might notice when you lose all access to your other plugins, but many wouldn't.
Like the GGP said, you can't really win this fight without OS involvement. On windows, good luck getting Microsoft to stop allowing themselves to be evil.
Java has ALWAYS been a badly managed language. Sometimes programs (not web sites) will only run correctly with an old version of Java.
Those who supply Java programs often have to deliver an entire Java run-time package to make sure their programs will run.
The quirky management of Java was extremely strong public relations for Sun. Notice that Sun no longer exists.
So, they want Quicktime to..... do what exactly? They downloaded Quicktime to be able to watch quicktime content and most of that is on the web which means that they probably wanted a plug-in for their browser. Being able to watch downloaded mov files is just gravy.
Jesus was a compassionate social conservative who called individuals to sin no more.
All I have to say in response to this is ".NET Framework Assistant". http://www.computerworld.com/s/article/9139459/Sneaky_Microsoft_plug_in_puts_Firefox_users_at_risk
Normal users don't care. Normal users also don't seem to have any problems with Quicktime or iTunes on windows. Why is that? Because normal users have not screwed up their systems with registry hacks and other crapware that "leet" users do which is why their systems seem to still work fine even with Apple software running on it.
I used to be a windows user and I used to hack my resource files on windows to make it more like OS X but guess what? It ran like crap because of the size of the larger resources and the other hacks running in the background.
Jesus was a compassionate social conservative who called individuals to sin no more.
You guys complain about auto installing software and the lack of control over it, AND you complain about Windows's User Account Control telling you when something is happening on your computer without its own warning. So which is it? Pick one. Or write your own operating system and make it do what you want.
No sig for you. YOU GET NO SIG!
I installed Skype about four days ago and after selecting custom install, disabled the install of various browser plugins. Most likely you just selected typical install.
.
The solution is simple, Mozilla needs to fix the security hole in FireFox, and while they are at it, provide a means to uninstall plug-ins that does not rquire me to go rummaging through the filesystem looking for oddly-named files and deleting them.
If Apple, Microsoft, and Google can add "evil" plug-in's it's a security bug. Fix the bug. Stop whining, and do your job.
"I’ll tell you why I like the cigarette business. It costs a penny to make. Sell it for a dollar. It’s addictive. And there’s fantastic brand loyalty." —Buffett, quoted in Barbarians at the Gate: The Fall of RJR Nabisco (from wikipedia)
If you want me to like Bill Gates, saying he has Warren Buffet's approval won't do it.
Free Martian Whores!
Application using storage area should have delegated access as extended object methods.
Let's say Firefox need a storage area for user data and plugins, as it request some space to the OS/filesystem, it get extends on access methods and ACL for the required disk/or whatever device area.
Os has still the release unallocate as root rule but has to go through firefox to read/write/alter any data in that storage area.
Application B want to installs and request its own storage areas to the OS.
If Application B request access to Firefox own storage area, it does so transparently through Firefox methods extended from the base OS storage area object.
It cant access the storage area object belonging to Firefox by calling the base object methods from the OS.
Car analogy like : ...
- Please can I use that car here ?"
- Its John's car, asks John if he agree to drive it for you
- Don't even try to take it, This car operation is onwly known to John.
- What happend if you dont allow John's car parked here anymore ?
- I can throw the car away but it will throw John's as well.
Léa Gris
When an Automatic Update from Microsoft Update or Apples Software update installs a plugin, I have an issue with that like how .net was added to firefox without users knowing. When something installs from a users explicit decision such as installing iTunes or MS Live and it installs a plugin he's wrong. User initiated installs is the permission granted to Apple or Microsoft or Google to install whatever is being offered. If the user fails to read the finer details of what’s being installed or reads the installer options such as, include whatever plugin, it’s not their fault. There is a difference between Automatic non user initiated plugin installs from updates and user initiated software installs that include a plugin.
Firefox could easily just audit its plugins from last start to see if anything has been added in the unofficial way and warn the user or by default disable it and ask the user to enable it. Its in there power to do something about it but instead they take the lazy route or political route to complain about it instead. So one must ask what is the Agenda saying Microsoft, Apple and Google are evil when they have the power to code changes to prevent it vs saying the Maker of Internet Explorer and the Maker of Safari and the Maker of Chrome are evil. Oh I think I just answered the Political question with that last line.
Actually, the buck stops with him. When he claims to be in charge, let him take the credit. To put it another way, if HE wanted to have a different style of company, then he could. And charities or not, he could do things different and still affect Microsoft in some way, I think.
Hell, at the least he could fund Linux, or GNU Hurd until it compares to commercial software. Then, THEN I can leave him alone. Sure, he realizes how hollow his life was being the richest man because of what it took to get there, but if computers were freed, then that would probably be about the best good he could ever do. Maybe I am wrong, but I see the potential of computers, the real potential, not the locked down "selling my soul to the company store" half-broken, bloated POSes that we mainly use day to day.
Like a city whose walls are broken down is a man who lacks self-control.
I love linux and I've been using Ubuntu since 5.10 - but let's not forget that it's not just evil corporations that do this! Ubuntu has a plugin that's installed when you install firefox, without asking.
Don't know about PSD files, but Adobe Illustrator AI files seem to be in PDF format. Ghostscript can read them too.
Well if it's the end user that has to be asked, it seems most of our favorite Linux distributions add things too:
openSUSE 11.3
openSUSE Firefox Extensions 1.2 (extension)
Fedora 14
iTunes Application Detector (plugin)
Ubuntu 10.10
Ubuntu Firefox Modifications 0.9rc2 (extension)
I don't expect that any of that is evil. Is the Apple extension really doing anything worse?
Other Apps add things too, I also noted some for Totem that I never got from Mozilla. Good stuff, yes?
You do have a point, however, I still agree with him not to use it. Making the choice available and having the option to say no by informing me whilst install is in progress are two different things. Only one is the "right" thing to do. This will cost them customers that say, "Man, I got this thing installed, I am just gonna uninstall Skype altogether!" And they do. When you do the right thing, you don't get backlash like that.
Like a city whose walls are broken down is a man who lacks self-control.
These dumped extensions can be disabled and uninstalled only from a root account. If you are using a lower privilege account for day to day ops, the uninstall button is grayed out. These extensions are assumed to be installed for "all users" and one low privileged user would/should not be able to take them out. It is a pain to log out, and log in as superuser just to disable one extension that some corporate creep decides to shove on my machine.
College-Pages.com - Online Colleges, Degrees, and Programs
Easily the worst offender for me is Sun, or should I say Oracle, then again Oracle is dumping Java, so I guess now no one?
Either way, each time it installs an update, I get a new fucking plugin installed. The old one isn't removed either. The result being a list of all the past versions. So fucking annoying.
This is my footer. There are many like it, but this one is mine.
This kind of crap is a problem with software in general, not just browser plug-ins.
Seems like many programmers think you bought the computer explicitly to run their software and nothing else.
Or at the very least, they figure they have every right to do whatever they want to your computer.
MS should (at the OS level) never have allowed this kind of behavior, but since they are also one of the offenders, it's not surprising.
At least on Windows, the plugins in question aren't "additional pieces of software" that are being installed secretly. They're part of the software package you chose to install, both conceptually and technologically.
This doesn't necessarily justify the fact that any particular software package doesn't make its browser add-on functionality optional and/or opt-in. It's just an observation.
Incidentally, I could swear that Firefox has been prompting me lately whenever a new add-on is discovered, and giving me the chance to disable it. Problem solved, I'd think, although I suppose you could argue that it should be opt-in rather than opt-out.
Can't the Mozilla dumbasses call the seatbelt API?
Sorry to be so blunt about this, and I'm not being an apologist, especially since I don't work at Apple anymore...
I must be missing something; there's an API for this already; why isn't Mozilla using it?
-- Terry
So, why does Firefox then enable and run those plugins, eh? If you really think they are evil, put your money where your mouth is, keep an internal list of enabled plugins, not editable from outside sources, and if a new plugin is detected, throw up a dialog asking the user if he wants it enabled or not.
If you provide the functionality, don't whine if people use it. If your browser will happily activate and use any plugins I throw into its plugin directory, stop crying if I do.
Assorted stuff I do sometimes: Lemuria.org
Disable All, Disable Incomplete, Enable All
http://yro.slashdot.org/comments.pl?sid=1884962&cid=34351598 [slashdot.org] see that, & whoever "modded you up" as informative is an utter dolt, no questions asked. That link uses a quote from my ORIGINAL POST you responded to, and it covers what you stated... so how the hell did you get up modded as "informative"?
You said this:
"And when the server gets bushwhacked instead of the domain, and they move to a new host - but you're still getting the old IP from your hosts file - then what? How about if - rather than an FBI warning or whatever - the site is replaced by a clone that sniffs your info or installs trojans?" - by phorm (591458)
on Friday November 26, @01:29PM (#34351528) Homepage Journal
from http://yro.slashdot.org/comments.pl?sid=1884962&cid=34351528
To which I replied this:
"& if they change it again? Re-Ping (with a double verifying WHOIS) said site & the TLD that does NOTHING but resolve hosts/domains to their correct IP will give you a correct IP address (provided you're NOT being "man-in-the-middle" attacked) to reinsert into your hosts file to update it..." - by Anonymous Coward on Friday November 26, @12:36PM (#34351132)
from http://yro.slashdot.org/comments.pl?sid=1884962&cid=34351132
Additionally, IF the site you go to is KNOWN as "bushwhacked"? It gets added to my custom HOSTS file because it gets updated daily from around 15 reliable & reputable sources as to what sites/servers are KNOWN to be serving up exploits - once blocked in a local HOSTS file? You can't get burned when you can't go into the malware kitchen, in other words.
(Until said site "cleans itself up"? It stays blocked too, until it proves clean: Plus, most security sites that provide a way to block out known bad sites also have "removal lists" once said sites either disappear (which I don't trust because malware makers "recycle" domainnames they use (the "Russian Business Network" (RBN) recently in fact had its domain/host names reused & into ANOTHER botnet no less as an example thereof, and they own those domainnames, & that's a lot more reliable than using IP addresses (those get "taken down" by authorities once a site's found out to be serving up exploits))
After all that? That's WHY I can't figure out who "modded you up" there...
APK
P.S.=> So, how'd you get "modded up" there, when I covered the point you made, and further covered it here? apk
Mozilla needs to fix it.
There is an advantage in fixing it as it will set the stage for better dirt boxing and better security (enforced by SELinux for example). Today there is both system and ~/.mozilla or the windows equivalent that are in common... The search path for plugins and more keeps growing with no obvious way to narrow them.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Agreed. People who download Quicktime probably want the plugin.
One case of a program installing what people wanted is no argument that other programs should install stuff people did not want or request, however.
I don't think people want the Windows Live Photo Gallery, unless they ask for it. That other people did click the "let me watch this video in my browser"-button simply is not relevant.
IAIFARSIJDPOOTV - I Am In Fact A Reality Star; I Just Don't Play One On TV
Another awesome site Thanks for the information. hearing aids india