Slashdot Mirror

← Back to Stories (view on slashdot.org)

NoScript Awarded $10,000

Posted by CmdrTaco on from the useful-little-tools dept.

An anonymous reader noted an interesting bit of information about a tool a ton of Slashdot users make use of every day: "NoScript has been chosen as the recipient of the DRG Security Innovation Grant. This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day. The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environment."

23 of 178 comments (clear)

  1. Should have been a default in browsers from day 1 by elrous0 · · Score: 5, Insightful

    The fact that this ever had to be an *add-on* is just shameful. The fact that IE and Safari still don't have it (or something very similar) is close to criminal. Okay, Chrome has NotScripts, but that apparently requires some weird hacking to use securely.

    And, no, the non-default ability to turn *all* scripts on or off isn't even close to the same thing. As the great Jules would say--it's not the same ballpark, not the same league, not even the same sport.

    --
    SJW: Someone who has run out of real oppression, and has to fake it.
  2. Did they also get a grant... by twocows · · Score: 3, Informative

    Did they also get a grant for messing with other addon settings so their ads show up on their homepage?

    1. Re:Did they also get a grant... by Anonymous Coward · · Score: 5, Insightful

      Yes, two fucking years ago the guy made a poor decision in the heat of the moment which he later apologized for. We should definitely crucify him for it forever.

    2. Re:Did they also get a grant... by twocows · · Score: 5, Insightful

      It certainly was a while ago and he did apologize (after the backlash), and I agree that we shouldn't hold it against him forever. Still, I tend to be wary of NoScript these days because of it. I'm not sure I would trust someone who abused his position like that with a $10k grant is all. Maybe I'm being unreasonable, but I don't think it's a big leap to think that someone who abused their position for monetary gain once might do so again. And it's definitely something that I think people who use NoScript should know about, old or not.

    3. Re:Did they also get a grant... by Baloroth · · Score: 3, Interesting

      Maybe not. But, it definitely raises questions about the guy's integrity. And, you can't help but wonder if this hadn't been noticed and created massive outcry, whether he would have apologized at all, or whether he was just imitating large corporations policy of "hope they don't notice, apologize if they do."

      Oh yeah, and why one addon is able to make changes to another in Firefox without notifying the user. I haven't used Firefox much (prefer Opera), but is this still possible? If it is, why? Seems like a pretty large security problem. The answer is obviously only to install trusted addons, but if even a major addon like this has a history of doing it, what can you really trust?

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    4. Re:Did they also get a grant... by Microlith · · Score: 4, Insightful

      So he has a stupid spat with the guys at AdBlock Plus. So what?

      People make stupid mistakes every once in a while. He apologized, and hasn't done anything dumb since. In the meantime, NoScript has continued to be a valuable tool that I add to every Firefox installation I use (well, all once he adds support for Firefox Mobile.)

  3. Recognition vs usefulness by DeHackEd · · Score: 4, Interesting

    Does this mean web designers will start making their web sites actually work when users without javascript try to use them?

    (The list of offenders is too long to name.)

    1. Re:Recognition vs usefulness by 6031769 · · Score: 5, Insightful

      JavaScript [...] is extremely helpful for making useful, clean, modern websites.

      I'll see your "useful, clean, modern" and raise you "glacial, bloated, bug-ridden".

      Both JS and non-JS sites can be written well or poorly, and I'm not averse to a little javascript where it demonstrably improves the user experience, such as auto-focus into form fields for example. However, the problem is that some designers/developers just don't know when to stop, and seemingly only test their results on a gigabit LAN with a browser on their quad-core monster. As a consequence they think nothing of pulling in scripts and libraries from half a dozen sources and then proceed to use only one tenth of that code in the page. Frequently I see JS code where the whole way through it keeps testing over and over again for specific user agents so that it can choose which hackish workaround to employ instead of testing once and pulling in a brower-specific library. I have a 10Mbps broadband connection here and some pages take longer to load and render than they did 15 years ago.

      Good designers and devs can produce excellent JS-based sites. But the other 99% are just a struggle to use and a good proportion of those are close to unusable.

      --
      Burns: We're building a casino!
      McAllister: Arrr. Give me 5 minutes.
    2. Re:Recognition vs usefulness by wwfarch · · Score: 3, Interesting

      I don't even think using Javascript is the issue. The problem is requiring Javascript for random crap. Graceful degradation is something most websites fail to adhere to even when it's easily possible.

    3. Re:Recognition vs usefulness by hedwards · · Score: 4, Insightful

      Javascript itself isn't the problem so much as the tendency to need to allow javascript from 20 or 30 sites just to view a page in its entirety. Typically they don't tell you what sites they genuinely use so if you don't recognize the domain name then you don't have any way of knowing if it's intended to be executed by the web devs.

    4. Re:Recognition vs usefulness by b4dc0d3r · · Score: 3, Interesting

      I leave sites when they require JS, and follow up by sending them a screenshot of me placing an order on a competitor's web site (with certain identifying information blanked out).

      Depending on their site design, I also point out how they spent more effort blocking script-less usage than it would have taken to have a graceful fallback. That's not always the case, but it helps.

      I never get a reply, but I don't expect one either.

  4. Re:Why I don't use NoScript by JBMcB · · Score: 4, Insightful

    That's too bad, because it's awesome. I haven't found anything else that comes close to how flexible and easy to use it is.

    As far as trust goes - I trust the developer of NoScript over the entirety of the javascript code injected by advertising and tracking agencies out there.

    By the way - did you read the NoScript developer's mea culpa?

    --
    My Other Computer Is A Data General Nova III.
  5. Re:Why I don't use NoScript by grommit · · Score: 3, Insightful

    Even though the author recognized his mistake, backed out the changes, and apologized profusely in a very public manner you still don't trust him? Harsh man, harsh.
    http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/
    I'd rather not blacklist somebody over a single incident. However, if you happen to know of other instances where he did something sketchy, please let us know.

  6. Re:Should have been a default in browsers from day by uigrad_2000 · · Score: 4, Informative

    Ghosteryexists for Firefox/Chrome/IE/Safari, and can be taught to behave as noscript.

    --
    Free unix account: freeshell.org
  7. Re:Should have been a default in browsers from day by fast+turtle · · Score: 3, Interesting

    Well I love the Neutered web experience because I absolutely Hate flash/silverlight and iframes because they've been exploited to many times. As to the usability of a website, I feel that any site that absolutely depends upon flash/silverlight to be usable is one I don't need to visit again. For those business sites like Asus or HP, I've begun filing ADA (american disabilities act) complaints that the websites are no accessible to disabled users (flash doesn't support screen readers - nor does it work worth a damn for those who have even a mild vision impairment).

    Hopefully, we'll start seeing companies getting it right by sticking with Standards compliant HTML for their main pages with proper links to the various departments. There is absolutely no reason for a website to depend on anything except HTML for functionality, as it is the lowest common denominator.

    --
    Mod me up/Mod me down: I wont frown as I've no crown
  8. Re:Should have been a default in browsers from day by nabsltd · · Score: 5, Informative

    This, exactly. I would rather backup my machine properly and practice safe browsing habits then put up with NoScript's bullshit. Ive read for years people extolling its virtues, but i personally cannot stand the neutered web it presents.

    The whole point of NoScript is to allow you to control whether scripts run on a finer level than the "off/on" that browsers support natively, and it does that easily, with one click per domain.

    If you use NoScript to deny scripts globally, then you are using it wrong. Instead, you enable each domain (just once, as NoScript remembers the setting) that you deem safe. This makes browsing much more secure, although you can still be caught if a trusted domain starts serving malware scripts, but it's better than being open to attack from every domain.

  9. Re:Why I don't use NoScript by nabsltd · · Score: 3, Insightful

    I've tried to use it four or five times through the years, and I always end up removing it almost immediately. I find the UI to be confusing (and just plain bad) to the point of uselessness

    What, exactly, is confusing about clicking one time on a menu item that reads "Allow slashdot.org" (for example)?

    The only time I find there to be a problem is when a domain loads scripts from 5-10 other domains. That does make it difficult to figure out which scripts are required to make the site functional, but that's not a problem with NoScript...that's a problem with the site. And, it's exactly this "code from random sites" that makes NoScript important for browser security.

  10. Helps prevent trojan infections by madhatter256 · · Score: 4, Interesting

    No Script helped in stemming the amount of infected PCs I received. I'd install it on my customer's PCs and showed them how it worked and that they should turn it off only when doing stuff like online banking, otherwise leave it on.

    It was of tremendous help and a lot of repeat customers stopped coming back with the same infection.

    --
    Previewing comments are for sissies!
  11. Re:Not the holy grail of browser security by CCarrot · · Score: 4, Insightful

    There are plenty of vulnerabilities found that do not need scripts, lets not make NoScript out to be more than what it is.

    I'm sorry, I've got to call BS. That's like saying "There are plenty of illnesses out there that aren't virus-based or bacterial, so let's not make washing our hands out to be more important than it is."

    Fact is, NoScript is an invaluable resource, with a clear, easy-to-use interface, and even the less-than-tech-savvy user can use it to vastly reduce their chance of 'catching' something. Yes, it does not provide perfect protection from everything, but I'm afraid the only way you can achieve that is to pull the plug on teh interwebs and live in your own virtual 'bubble'.

    I for one applaud this award as well-deserved. Good on them!

    --
    "I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
  12. If nothing else, use it for speed. by dezert1 · · Score: 3, Informative

    Not having JS loading makes all pages load incredibly fast. Use it like a turbo button. That combined with Ghostery and Better Privacy make for a pretty good browsing experience (and shows you what each page is attempting to do). If you are looking for perfection, there is nothing stopping you from writing your own browser. NoScript is the biggest reason I stick with FF. Love it!

  13. Re:Why I don't use NoScript by 0123456 · · Score: 3, Interesting

    What NoScript really needs is a way of blacklisting domains manually so that I have to manually enable them if I decide I want them.

    You mean like 'mark as untrusted'?

    I'd like to see domain-based functionality, so for example I can allow Facebook Javascript when I'm actually using Facebook, but block if when I'm at any other site.

    Ah, I still remember the early days of Javascript when we were telling people what a horrible insecure pile of crap it would be and they were assuring us that nothing could possibly go wrong.

  14. Re:Should have been a default in browsers from day by Jah-Wren+Ryel · · Score: 4, Insightful

    Government. Is there anything it can do that does not hurt the economy? If it can, I haven't found one example yet so far.

    +5 ironic for writing that on the internet.

    --
    When information is power, privacy is freedom.
  15. Re:Should have been a default in browsers from day by Mister+Whirly · · Score: 3, Insightful

    This morning I was awoken by my alarm clock powered by electricity generated by the public power monopoly regulated by the US Department of Energy. I then took a shower in the clean water provided by the municipal water utility. After that, I turned on the TV to one of the FCC regulated channels to see what the National Weather Service of the National Oceanographic and Atmospheric Administration determined the weather was going to be like using satellites designed, built, and launched by the National Aeronautics and Space Administration. I watched this while eating my breakfast of US Department of Agriculture inspected food and taking the drugs which have been determined as safe by the Food and Drug Administration. At the appropriate time as regulated by the US Congress and kept accurate by the National Institute of Standards and Technology and the US Naval Observatory, I get into my National Highway Traffic Safety Administration approved automobile and set out to work on the roads built by the local, state, and federal Departments of Transportation, possibly stopping to purchase additional fuel of a quality level determined by the Environmental Protection Agency, using legal tender issued by the Federal Reserve Bank. On the way out the door I deposit any mail I have to be sent out via the US Postal Service and drop the kids off at the public school. Then, after spending another day not being maimed or killed at work thanks to the workplace regulations imposed by the Department of Labor and the Occupational Safety and Health Administration, I drive back to my house which has not burned down in my absence because of the state and local building codes and the fire marshal's inspection, and which has not been plundered of all its valuables thanks to the local police department. I then log onto the Internet which was developed by the Defense Advanced Research Projects Administration and post on Slashdot how the government can't do anything right.

    --
    "But this one goes to 11!"