Slashdot Mirror
Apple, Microsoft, Google Attacked For Evil Plugins
nk497 writes "A Mozilla exec has attacked Apple, Microsoft and Google for installing plugins without users' permission. 'Why do Microsoft, Google, Apple, and others think that it is an OK practice to add plug-ins to Firefox when I'm installing their software packages?' Asa Dotzler asks. 'That is precisely how a Trojan horse operates... These additional pieces of software installed without my consent may not be malicious but the means by which they were installed was sneaky, underhanded, and wrong.' He called on them to 'stop being evil.'"
Yes...I should not have to check addons to firefox to make sure nothing dodgy has been installed. Of course, this behaviour will continue as long as it is technically possible, so why doesn't Mozilla simply make it impossible? Only allow installing addons through firefox, with explicit prompts.
If you ignore ACs because they are anonymous - you're an idiot.
But MS, G and A all have our best interests at heart. No program should be able to circumvent this explicitly allowable behavior!
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
Warning: A third party plugin, PluginNameHere, has been installed without user consent:
DELETE KEEP
Just last night I was testing something that required Yahoo messenger. After accurately deselecting all the various optional bullshit software it still installed the fucking Yahoo toolbar and who knows what else. What a scam.
I installed Yahoo! Messager last week and it did not install anything I deselected. But since you posted as AC all I can say is you did it wrong.
Not that difficult to code in a startup screen "X addons installed since last restart. Should I remove?"
excitingthingstodo.blogspot.com
...why is your software so crappy that it allows anyone to install plugins without notifying the user?
One thing I've slowly come to realize is that most people do not mind a big company or other entity controlling their computers. They're quite happy to run javascript trackers, download web bugs, run any executable without knowing whether it's safe, and so on.
Many of us here have an aversion to these things. If we see a plugin installed without our permission, we'll figure out how to remove it. But most people do not place any value in having control over their own hardware, so they see no value in doing that.
The end result of this is going to be a highly controlled internet, because the number of people who care about its freedom and openness is very tiny compared to the number who don't. The market forces will decide, and those are clearly on the side of the "you may control my computer in any way you want, Mr Multinational Corporation".
PS - my CAPTCHA for this message was "disallow".
The Mint Linux distro installs a default custom search that not only removes a lot of functionality from google but also takes up half the page size on a 12.1 inch netbook with a plain ugly design, just to make some cash. Fixing it is possible but come on! I donate cash already to various projects, but Mint can kiss my hairy ass. I need that left column in Google search because else it gives me results from the beginning of the ice age on any query related to current events.
But companies just can't accept that we don't want their crap. Especially American companies. Please ATI, I know about WoW, if I wanted to play it, I would have played it by now. So stop trying to slip the trial on my gaming machine. No thanks MSI, I do NOT want a dumb virus checker with my windows, I do not even want windows. And if I want games I get the one with my ATI card not some god awful free game with god knows what installed along with it.
I would love to serve one of the execs.
Bill Gates: "One milk shake please"
Me: *FAP FAP FAP*. *HATCHOO*. *SPIT*.
Me: "Sure, and enjoy the free extra I added in regoniztion of the quality software you shovelled on me."
Anyone knows if the McD at Redmond is hiring?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
When I read the title I understood: "Apple, Microsoft, Google Attacked by Evil Penguins ". I should not have tried to read it again, it completely destroyed the original effect.
As a long time user of third party instant messaging clients, i was horrified to see just how much crap comes with most of the official clients for the various IM networks...
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
As a Mac user, I don't have to deal with Microsoft's stuff, and I haven't really noticed anything shady from Apple (maybe because my iTunes was grandfathered in?) but the fact that Google forces me to install a Google uploader daemon as part of Google Earth means I won't upgrade the software, and haven't for the past few years. Things like this need to be optional - don't make us choose between an unhappy version of software or none at all.
I live in constant fear of the Coming of the Red Spiders.
Maybe in his configured UI the Checkboxes were actually X's - and he thought an X beside the item means "Do Not Want" - a common mistake when using X-indicative checkboxes.
But really, it's no different than when I want to Install Adobe PDF Reader and work, and it's all "Hey, do you want the Google Toolbar? I'll just go ahead and check the box for you. I know that you waste a fraction of a second each time unchecking that box, and that frustrates a lot of IT professionals, but thats just how I roll. I mean, IE already has a built in "Search Bar" which most people who use Google will switch it to google instead of Live search, but the important thing is to find all the technically illiterate masses who use computers and make sure they have the Google Toolbar so they use Google more. God forbid if they don't like Bing as their default search provider they actually set Google as their home-page and just use Google anyways - THEY NEED THAT TOOLBAR.
Honestly, I used to be completely and utterly serenely happy with Google. They provided just the right services I wanted and genuinely stayed out of my way. I didn't really care if they were collecting information on me, they were so clever about it I didn't notice.
But nothing makes me angrier than this silly ridiculous "Add My Browser Toolbar" Bull that ALL these companies are working together on. I mean, if you already have the google Toolbar installed, instead of asking you if you want it again, Adobe Reader Installer knows that and will ask "Hey, do you want this free version of Norton?" Seriously? As if cramming 1 optional program down my throat was bad enough.
Has anybody tried uninstalling and Re-installing adobe reader with all of the Auto-Opted-In "Side Packages" to see exactly how many companies have kissed Adobes ass? I'm now curious but I wouldn't want to do it on my machine. (I totally need to virtualize my workstation...)
Because Adobe are extremely confident in the security of Adobe Reader?
Why is it called Adobe Reader anyway? Can it read PSD and AI files too?
Bill Gates: "One milk shake please"
Guys, it is time we quit picking on that pitiable guy. Was bad, was responsible for (what passes for) culture in Microsoft. But that was a long time ago. May be he did not know the evil he was unleashing on computers. But now he is mostly out of Microsoft and is trying atone for his sins by spending his money in charity.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
See no evil, Hear no evil, Speak no Evil
It is the fault of others for exploiting it?
Now, I am not saying Apple/Google/MS are in the right here, but Mozilla shouldn't allow just anyone to install extensions.
How about they fix their exploits instead of pointing fingers.
when you have 300 jillion people using your product, you can afford not to care. No it's not fair, but that's capitalism.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Quiet, you! OS X users have enough baggage to schlepp as it is, without your clueless rating.
Caveat Utilitor
Make it easier to remove them.
I'm repeating what someone has already said-- but why do we not have reasonable protection (security) against this, at the browser level?
Not really.
I installed skype the other day and I got a plugin for firefox automatically - no choice to not have it installed. Will I use it? Nope.
Remember the days when people would install toolbars on your PC? This is just like it. Plugins do help the experience - but only if I want them to. I don't want my browser checking for updates to Google Earth, or having quicktime stuff installed.
I have Google Chrome and Google Earth installed. I don't have any Google plugins installed in Firefox. So I'm not sure what he is talking about, unless something changed with Google Earth recently.
Adobe demands to install an extension just to let you download Flash, because downloading normally is out of the question.
Microsoft is the worst offender here, where they use Windows Update to push a Firefox .NET Assistant extension, don't ask your permission, and don't allow you to remove it.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
Ignore the dir, but use another one? And what will MS, A and G do next?
Non-standardisation as a way to make it harder for others to do something to your installation is... just not the way to go.
Others respecting the standards would be preferable. I shouldn't have to not pick up my phone until the third ring to make sure no telemarketers got through - telemarketers should stop calling.
IAIFARSIJDPOOTV - I Am In Fact A Reality Star; I Just Don't Play One On TV
Interestingly, from the PoV of a plug-in developer, I have found Firefox has possibly the most annoying environment to deploy plug-ins in. Granted it's open, and uses the NPAPI naturally - (as do Safari, Chrome and Opera) but how the browser handles installations and in particular upgrades makes it very annoying, even compared with MSIE and their ActiveX approach (and that's even given IE doesn't have a working navigator.plugins implementation).
Of all those browsers Firefox (on Windows) is the only one that requires that if you upgrade your plug-in it is not enough to increase the file version and rename the DLL and then register that with Firefox, you also have put your new DLL in a directory that has a name it hasn't seen before (e.g. including the file version in the directory name) because it refuses to look for a new DLL in a directory it thinks it's already looked in for plug-ins. You then need a JavaScript shim to refresh and check it's upgraded.
Even with MSIE all you have to do is give the control a new GUID (which is not unreadable).
Note: The official Firefox line on this is "you should always restart the browser after installing an upgrade to a plug-in". This is what their API for installing plug-ins does (or one of them, they have two, and have deprecated one in favour of combing it with the same installation method as for extensions now, but that and the quality of the documentation is a whole other issue).
Technically, no other browser documentation suggests or requires that and logically there is no good reason to need it. It listens to Restart Manager message (in Vista/Win 7) but you need to suppress those when upgrading because Firefox will invariably display a dialog then crash instead of restarting when it sees an upgrade is happening.
They also have odd rules like "the plug-in file name must begin with 'np' and the filename must be 8.3 format" (thought the documentation just seems incorrect on the latter - and would be super-inconvenient given you need to prefix it with 'np' and include a release number in the filename).
Lastly, Microsoft & Google both install "ClickOnce" and "GoogleOneClick" which, while not the same, perform not dissimilar functions, which kind of hints a market demand for a specific set of functionality.
That Microsoft include a ClickOnce plug-in is actually very helpful for Firefox in the enterprise. Apart from being a very cool and useful deployment mechanism on Windows (that in theory is a lot safer than having everyone always have to run apps with full user level privileges), Firefox doesn't current offer anything that could be an alternative (in either of it's two installation API's) and without it internal IT software teams would, I'm sure, just say "you need Internet Explorer to use that intranet app / HR tool / customer support tool / etc".
The best way to address the perceived problem of "sneaky plug-in installation" is for the Firefox team to come up with a decent, user friendly way of installing (& upgrading) and allowing plug-ins to work that doesn't suck (i.e. no yellow bar along the top [ awful usability ], and certainly no browser restart required). Something like a one-time dialog box displaying the digital signature details of the plug-in on first-run would work for everyone.
* I know most plug-ins, including Flash, suffer from requiring mandatory browser restarts and yellow bar popups, no I don't know why (other than they suck at writing installers). Especially in IE (which is evil in not supporting NPAPI, but *is* fairly well documented).
Really? I find that a bit surprising. In all my years I've never encountered a single person who was confused by what an X in a box means, not in computers or in the real world where the practice is just as common.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
Most users (99.99%) "want" the plugins...
No. They want the program that installed the programs against their wishes and without their consent.
The 0.01% who don't are either idiots or live in a mental institution with an aluminum foil hat on their head to keep out the alien and CIA transmissions from their brain.
People who do not want Windows Live Photo Gallery or the Google Update plugin are certifiably insane? Really?
If you think this stuff is evil, sell your computer and stay off the internet.
So I should stop using a phone altogether because I think telemarketers are bad? Or does your reasoning only extend to computers and/or stuff you personally happen to like and want?
IAIFARSIJDPOOTV - I Am In Fact A Reality Star; I Just Don't Play One On TV
Interestingly, seeing this reminded me that I had planned to install Adobe Reader X. I just went and did that and this time it didn't offer me or attempt to foist off on me any additional crap like the McAfee scan or any toolbars. It also didn't try to install any stupid down loader application. I thought perhaps Adobe was seeing the light for once. So I went back and checked again and found that they don't foist extra stuff off on you if you are using Chrome. If you are using Firefox or IE, they try to foist crap off on you (like the McAfee scan). Perhaps this just means they haven't developed any junk down loader add-ins for Chrome yet.
Common might have been too strong of a word.
I've seen it happen, more than thrice, lets just put it that way.
It's hard to fight Windows Update.
Neither Windows nor Linux has per-application compartmentalized security. In theory, you could use something like SELinux to give each vendor their own compartment, preventing an install from vendor A from affecting an install from vendor B. But the installers would have to be aware of this, and carefully stay in their own spaces, or installations would fail. Nobody does that.
(Someday, somebody is going to crack the signing key for Windows update, hijack a router to reroute Microsoft's IP address, and take over every Windows machine in the world.)
I installed iTunes on XP and ended up with about 4 services, a startup entry and an Outlook Add-in (that stops Outlook closing properly, incidentally). WTF does does iTunes need an Outlook Add-in for?
Let us look at some use cases -
System plugins in central directory, firefox starts. This is the case after creating a new user, or wiping the firefox local directory, or after a typical install. In this case you don't want endless nattering, because it is just too confusing.
If yum or apt is used to install new software, that software was usually installed with root privilege. It can just drop the new plugins into the central directory, and you are basically at the first point. And, as a "bonus", these plugins are system-wide and apply to all users.
If a local install installs a plugin into the local directory (without have firefox running -- there will not be an API), then the usual is to expect that this action was desired by the local user. However THIS can produce a popup if the local plugin was not installed by firefox.
Its just that most external installers will simply opt to drop the plugin into the system directory (I believe that's where the google toolbar goes -- I could be wrong though).
Or, an API could be generated to force the registration of plugins; the question still remains as to whether the local user should have any say about global plugins (actually, the current policy is to allow the local user to disable, but not delete). Now, the root user may not even exist in a normal Unix sense -- all root-ish stuff could be going through sudo... in which case how is the effective "root user" to be informed of these installations?
In a nutshell -- hard crypto to detect a plugin install EVEN IF DONE BY ROOT. Local comparisions to determine changes -- STILL NOT EFFECTIVE IF A FRESH INSTALL STATE IS ACHIEVED.
And a fresh install state? Assuming that you STILL want bookmark and history portability, this is simply the result of removing a few local files.
So -- if a new plugin is detected on startup, or a fresh install state is detected, a popup can be initiated that would allow enable/disable of plugins. Given, though, that the typical user won't know WHICH to select, it's a complete waste of effort. Might as well just have a script that looks at the plugin locations and reports (a GUI can add NOTHING of value here).
Which is exactly where we are today.
Just another "Cubible(sic) Joe" 2 17 3061
At least in regards to Google. I think they're getting too greedy with gathering information.
I was deploying a new website over the weekend and decided to run some stress tests on it to make sure everything's ok.
I used the record script on the web stress tool to record my interaction with the site using Google Chrome. When I analyzed the requests that were recorded I saw a bunch of requests to toolbarqueries.clients.google.com even though I've turned off all extra services that would require contacting google. I was even browsing in an incognito window.
I also routinely see googlebot trying to access content on some of my sites that isn't in my sitemaps, isn't linked to from anywhere. The only person that accesses those pages are me and I have them bookmarked in my browser. Yet somehow googlebot knew they were there.
Google might need to tone things down a bit.
This is not a problem that Mozilla has alone. Windows,Apple,Real Player and the list goes on and on have been doing this on the OS ever since windows 95. Nothing new here. It will never be a non issue until they are forced by laws and since no one likes more government intervention unless its against Microsoft nothing will ever change.
Jack of all trades,master of none
Here's an addon that claims to do just that. It's at version 0.2 and hasn't been updated in a year, but maybe worth a try (or worth helping the developer):
PluginChecker
https://addons.mozilla.org/en-US/firefox/addon/46214/
I am no fan of Microsoft. But their monumental screw-up is so big it is impossible to credit one man with all of it. May be he got bulk of the benefits and so should bear most of the blame, but still all those clueless CIOs of corporations, shills, contractors, brainless users, useless trade magazines... We should hold the feet of the present day honchos to the fire, instead of allowing them to feign innocence by blaming it all on Bill Gates. Saw him on CNN Christiane Ammanpour yesterday, he has earned Warren Buffet's approval in doing charity work. Give him a break.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
But, why don't browsers automatically detect when an addon has been installed from a non-approved way (i.e. through the browser's own plugin install system), disable it at app start, and prompt the user on what to do with it? Would seem a much easier, and better use, of resources, than complaining about people who take advantage of your broken system.
Here's Asa's blog post, so that you don't have to click through the "news" article, which is almost entirely a copy-and-paste of Asa's post.
Where was all the screaming when Adobe's PDF-making add-in for Office (Windows only, of course, since Apple did it right) turned out to force menus and a toolbar to appear in each Office app? There's no excuse for allowing an external app this kind of power. Under XP & Office2k/2003 (and maybe others, but I don't have a platform to check here), you can try deleting the toolbar&menus but they come right back next time you open Word/Excel/PPT.
https://app.box.com/WitthoftResume Code: https://github.com/cellocgw
This solution requires Mozilla to fix things on their end rather than complaining about big companies doing something Mozilla didn't bother to prevent.
"I'm sorry Dave, I can't do that...
there is no win in adobe reader."
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
He says these plug-ins install themselves like trojan horses.
If MS, Apple, and Google all decided to stop doing it, the real problem would still exist and be dangerous. What is to stop someone from coding up a malicious plugin, and a free, fun little game, and distributing them together, installing the plugin as a trojan horse.
This is a security issue with Firefox. Why isn't there any outrage this is even possible? If this were IE, everyone would be ripping on MS and complaining that MS made a product where something like this is possible and on the tactics to distract from the real issue. Why isn't that happening here?
For some reason, I hear Prof. Farnsworth's voice in my head.
I drank what? -- Socrates
Funny thing here is that F-Secure's Client Security does the same; it automatically installs an extension to Firefox that adds a toolbar reporting whether a particular site is safe.
OK, you can avoid that by choosing custom install and not installing the “browsing protection”, and even if installed you can turn it off from their GUI, but the installer does not explicitly tell you that it will install a Firefox extension.
(And yeah, others too. At least Skype and Nokia PC both do this.)
“Wait for Hurd if you want something real” –Linus
Why is it even possible to make a plugin/addon install without the user getting asked? I see it as a shortcoming of Firefox if that is possible at all. There are probably lots of other ways how FF could be made more modern and more secure (sandboxing, declarative plugin/addon rights, proper separated processes for plugins etc.) so how about stop bitching and get something done?
It used to be that every piece of shitware for Windows wants to install IE toolbars, but nobody tried to install trojans targeting Firefox because Firefox's market share was too small to be worth the effort. That has changed. Firefox is now relevant to malware coders, and therefore a target. Frankly, I think coattailware (unwanted software the rides the coattails of desirable or necessary software) like IE toolbars and unwanted FF extensions are nothing but malware, and should be opposed by any honorable means necessary.
I write sci-fi for metalheads
... can do little about.
Seriously, it's an arms race, and there's only so much time the average or even geeky type person has to find ways in blocking such crappitude while still having their machine able to work normally.
"We think you're gonna love it."
This adware is definitely a subset of malware, and seems to make the "desirable" programs that install this garbage the "trojans" -- ostensibly performing a useful (FSVO "useful") function but engaging in hostile activity in the background.
Java has ALWAYS been a badly managed language. Sometimes programs (not web sites) will only run correctly with an old version of Java.
Those who supply Java programs often have to deliver an entire Java run-time package to make sure their programs will run.
The quirky management of Java was extremely strong public relations for Sun. Notice that Sun no longer exists.
So, they want Quicktime to..... do what exactly? They downloaded Quicktime to be able to watch quicktime content and most of that is on the web which means that they probably wanted a plug-in for their browser. Being able to watch downloaded mov files is just gravy.
Jesus was a compassionate social conservative who called individuals to sin no more.
All I have to say in response to this is ".NET Framework Assistant". http://www.computerworld.com/s/article/9139459/Sneaky_Microsoft_plug_in_puts_Firefox_users_at_risk
I installed Skype about four days ago and after selecting custom install, disabled the install of various browser plugins. Most likely you just selected typical install.
.
The solution is simple, Mozilla needs to fix the security hole in FireFox, and while they are at it, provide a means to uninstall plug-ins that does not rquire me to go rummaging through the filesystem looking for oddly-named files and deleting them.
No, it doesn't. Encryption without authentication is always subject to terrible attacks. Always include an authenticator in an encrypted message. An attacker not being able to decrypt a message is no barrier to his being able to manipulate it for profit.
"I’ll tell you why I like the cigarette business. It costs a penny to make. Sell it for a dollar. It’s addictive. And there’s fantastic brand loyalty." —Buffett, quoted in Barbarians at the Gate: The Fall of RJR Nabisco (from wikipedia)
If you want me to like Bill Gates, saying he has Warren Buffet's approval won't do it.
Free Martian Whores!
Application using storage area should have delegated access as extended object methods.
Let's say Firefox need a storage area for user data and plugins, as it request some space to the OS/filesystem, it get extends on access methods and ACL for the required disk/or whatever device area.
Os has still the release unallocate as root rule but has to go through firefox to read/write/alter any data in that storage area.
Application B want to installs and request its own storage areas to the OS.
If Application B request access to Firefox own storage area, it does so transparently through Firefox methods extended from the base OS storage area object.
It cant access the storage area object belonging to Firefox by calling the base object methods from the OS.
Car analogy like : ...
- Please can I use that car here ?"
- Its John's car, asks John if he agree to drive it for you
- Don't even try to take it, This car operation is onwly known to John.
- What happend if you dont allow John's car parked here anymore ?
- I can throw the car away but it will throw John's as well.
Léa Gris
When an Automatic Update from Microsoft Update or Apples Software update installs a plugin, I have an issue with that like how .net was added to firefox without users knowing. When something installs from a users explicit decision such as installing iTunes or MS Live and it installs a plugin he's wrong. User initiated installs is the permission granted to Apple or Microsoft or Google to install whatever is being offered. If the user fails to read the finer details of what’s being installed or reads the installer options such as, include whatever plugin, it’s not their fault. There is a difference between Automatic non user initiated plugin installs from updates and user initiated software installs that include a plugin.
Firefox could easily just audit its plugins from last start to see if anything has been added in the unofficial way and warn the user or by default disable it and ask the user to enable it. Its in there power to do something about it but instead they take the lazy route or political route to complain about it instead. So one must ask what is the Agenda saying Microsoft, Apple and Google are evil when they have the power to code changes to prevent it vs saying the Maker of Internet Explorer and the Maker of Safari and the Maker of Chrome are evil. Oh I think I just answered the Political question with that last line.
Actually, the buck stops with him. When he claims to be in charge, let him take the credit. To put it another way, if HE wanted to have a different style of company, then he could. And charities or not, he could do things different and still affect Microsoft in some way, I think.
Hell, at the least he could fund Linux, or GNU Hurd until it compares to commercial software. Then, THEN I can leave him alone. Sure, he realizes how hollow his life was being the richest man because of what it took to get there, but if computers were freed, then that would probably be about the best good he could ever do. Maybe I am wrong, but I see the potential of computers, the real potential, not the locked down "selling my soul to the company store" half-broken, bloated POSes that we mainly use day to day.
Like a city whose walls are broken down is a man who lacks self-control.
I love linux and I've been using Ubuntu since 5.10 - but let's not forget that it's not just evil corporations that do this! Ubuntu has a plugin that's installed when you install firefox, without asking.
Well if it's the end user that has to be asked, it seems most of our favorite Linux distributions add things too:
openSUSE 11.3
openSUSE Firefox Extensions 1.2 (extension)
Fedora 14
iTunes Application Detector (plugin)
Ubuntu 10.10
Ubuntu Firefox Modifications 0.9rc2 (extension)
I don't expect that any of that is evil. Is the Apple extension really doing anything worse?
Other Apps add things too, I also noted some for Totem that I never got from Mozilla. Good stuff, yes?
You do have a point, however, I still agree with him not to use it. Making the choice available and having the option to say no by informing me whilst install is in progress are two different things. Only one is the "right" thing to do. This will cost them customers that say, "Man, I got this thing installed, I am just gonna uninstall Skype altogether!" And they do. When you do the right thing, you don't get backlash like that.
Like a city whose walls are broken down is a man who lacks self-control.
How the hell would you know that? Do you really ask that specific question to every single person you have met? If you are, which I doubt, then you must have some reason to ask them that question. More likely, you would rarely know if someone you have met knows about this or not. Lots of people manage to get away with believing crazy stuff for years.
Well... the Adobe Reader one with Norton makes sense. I mean, since having Adobe Reader on your computer is a good way to get viruses, you might as well have an antivirus program on there.
Also, as to why they picked Norton over the others... I suppose it's cause it's the crappy but strangely popular one just as Adobe Reader is the crappy but strangely popular one of the PDF readers.
Easily the worst offender for me is Sun, or should I say Oracle, then again Oracle is dumping Java, so I guess now no one?
Either way, each time it installs an update, I get a new fucking plugin installed. The old one isn't removed either. The result being a list of all the past versions. So fucking annoying.
This is my footer. There are many like it, but this one is mine.
This kind of crap is a problem with software in general, not just browser plug-ins.
Seems like many programmers think you bought the computer explicitly to run their software and nothing else.
Or at the very least, they figure they have every right to do whatever they want to your computer.
MS should (at the OS level) never have allowed this kind of behavior, but since they are also one of the offenders, it's not surprising.
That has a very simple follow up question.
Why can these companies do that?
Because Mozilla deliberately created a mechanism for them to use to do so, because it's easier on the end user.
You've never run into the Windows installers that look like this?
http://foundationphp.com/images/install04.jpg
At least on Windows, the plugins in question aren't "additional pieces of software" that are being installed secretly. They're part of the software package you chose to install, both conceptually and technologically.
This doesn't necessarily justify the fact that any particular software package doesn't make its browser add-on functionality optional and/or opt-in. It's just an observation.
Incidentally, I could swear that Firefox has been prompting me lately whenever a new add-on is discovered, and giving me the chance to disable it. Problem solved, I'd think, although I suppose you could argue that it should be opt-in rather than opt-out.
Can't the Mozilla dumbasses call the seatbelt API?
Sorry to be so blunt about this, and I'm not being an apologist, especially since I don't work at Apple anymore...
I must be missing something; there's an API for this already; why isn't Mozilla using it?
-- Terry
So, why does Firefox then enable and run those plugins, eh? If you really think they are evil, put your money where your mouth is, keep an internal list of enabled plugins, not editable from outside sources, and if a new plugin is detected, throw up a dialog asking the user if he wants it enabled or not.
If you provide the functionality, don't whine if people use it. If your browser will happily activate and use any plugins I throw into its plugin directory, stop crying if I do.
Assorted stuff I do sometimes: Lemuria.org
Disable All, Disable Incomplete, Enable All
Why is there no mechanism in place that demands a new plugin to be confirmed by the end user?
How would Firefox detect a plugin that had not been OKed by the user, if it was installed while Firefox wasn't running in order to be able to capture the event as it happens?
Some file flag? Won't fly - Apple/MS/Google/others will just set those flags as the files are put in place.
Digitally sign the files with a unique signing key (created first time the browser starts) when the user accepts them and check the signatures when the browser starts each time? No joy - the only way to do that would involve the signing key being on the client where other software could read it and use it to fake-sign their files.
Sign the files as above but password/passphrase protect the signing key such that the user must enter their password in order for an addon to get signed? This would work technically speaking (if properly implemented) but would irritate many users so they'd just turn the feature off (or complain loudly that they can't turn it off).
Mozilla needs to fix it.
There is an advantage in fixing it as it will set the stage for better dirt boxing and better security (enforced by SELinux for example). Today there is both system and ~/.mozilla or the windows equivalent that are in common... The search path for plugins and more keeps growing with no obvious way to narrow them.
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
Agreed. People who download Quicktime probably want the plugin.
One case of a program installing what people wanted is no argument that other programs should install stuff people did not want or request, however.
I don't think people want the Windows Live Photo Gallery, unless they ask for it. That other people did click the "let me watch this video in my browser"-button simply is not relevant.
IAIFARSIJDPOOTV - I Am In Fact A Reality Star; I Just Don't Play One On TV