Slashdot Mirror
Mozilla Bans Popular Firefox Add-On That Tampered With Security Settings (softpedia.com)
An anonymous reader writes: Mozilla has banned the popular (250,000+ installs) YouTube Unblock add-on that allowed users to view YouTube clips blocked in their country. The reason for this move is because the add-on was caught disabling a Firefox security setting (code signing) which the allowed it to silent-install another add-on, which Avast (antivirus software) was detecting as malware. Earlier in 2015, the same plugin was again caught cheating when it was using an self-contained update system that was bypassing Mozilla's add-on review process.
Please publish the names of the authors, so we know not to ever install anything written by them ever again.
Well, on the one hand, it's good to know that there was possible bad behavior, but on the other, the trend of vendors locking down their ecosystems is hurting those who do not wish to accept whatever they're willing to push through the needle.
What, are you a malware author or something? Remove this backdoor garbage from official add-on repositories.
It should not have been possible that an add-on can change security settings to begin with.
and youtube-dl makes this simple so you don't use insecure flash or html5. youtube-dl supports a ton of sites with videos and always downloads the best quality version of the video.
don't download the older versions of youtube-dl in your Linux repository, instead, just download the newest version @ youtube-dl website:
http://rg3.github.io/youtube-d...
When I read the first sentence, I thought to myself that reasoning behind this was some corporate/copyright bullshit. But looks like Mozilla did a good job on this!
If you post as an AC, don't expect me to spend a mod point on you.
"The add-on remains available through its homepage."
The user still can decide. Mozilla only removed it from their add-on marketplace, which is IMO the correct action and certainly not any kind of overreach. That's like saying Google is wrong for banning Android apps from the Play Store which root your phone - it's not, they have policies and those apps knowingly violated them; if you still want those apps side loading is available.
Now I want it. Except without crippling my security.
Is there an alternative?
127.0.0.1
That's what will happen once mandatory addon signing is implemented.
As the smartest guy on the internet you probably already have my patented corporate overreach blocker installed. As you probably know it has been banned from freedom hating corporate repositories, meaning my elite followers are forced to download it from my exclusive website. What you may not know is that I just finished uploading the new version. The new version of the banned plugin can now shrink corporate overreach from the most powerful multi-nationals in the world down to the size of Donald Trump's fingers. It's really important that you and all your loved ones download the latest version NOW!!!! - My corporate spy team are telling me that the censors at google are about to delist my website, not sure when that will happen, it could be hours or days, but when it does happen I will be forced to move operations onto the dark web.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
I agree, remove this backdoor garbage from OFFICIAL add-on repositories, but still allow me to install whatever the fuck I want. I'm seriously tired of how arrogant Mozilla developers have become.
They could do that too. They have blacklist functionality which I'm sure includes the ability to block apks. And who's to say they won't use it if the add-on is a malware vector.
The FA says you are still allowed to infect your pc with all the malware you want from the addon homepage. Did you try to RTFA but were stopped by ad popups?
this post contain no useful information, no need to mod it down
The user CAN NOT decide if the probably unwanted stuff is slipped to him secretly.
It would be different if the user was warned during plugin installation "Hey, we're going to mess with your browser security setting and will install stuff that would trigger your virus alert, but - just to avoid that confusion - we will disable your antivirus while we're at it. OK?"
THAT would be "let the user decide".
bickerdyke
Try a Firefox clone like Palemoon http://www.palemoon.org/ . The flexibility of Firefox but without the would-be Chrome UI crap.
Haha, ok, well, that's the end of Firefox, then. I've just read the signing process and nope, nope, nope. I used to write and maintain extensions for a local site I was involved with and there is no way in hell I'm submitting shit to them and waiting for them to approve what already works and my users already trust me with.
Although I might just work out how to get everyone installing a developer certificate or recomend that they install one of the Firefox forks.
DownThemAll is a must have add-on to me, and it's not available for Chrome (since long time, now): it was the primary cause that made me stick with Firefox over Chrome :P
I recommend Opera Mini over "normal Opera": it has a much minor size and memory footprint (by been very light, it works very well on old phones and tablets)
Or you could just install Classic Theme Restorer, since palemoon isn't 100% compatible with firefox addons and made by amateurs.
From a security point of view, Palemoon failed even at step one, installation. Its Linux installer *requires* that the system is set up for gratuitous sudo. Anything that asks for a system password during installation is something I will not install. And a system password that for an account that is set up to have root access for any command when the account password is given? No, just no.
(And never mind that they can't be bothered to list the prerequisites either.)
I think downthemall.com is an unfortunate name. I thought it was for 14 year olds who wanted to hang out down the mall.
Why not Chrome? I know everyone claims it spies but nobody has provided any kind of Wireshark logs or further information to prove it.
Only the State obtains its revenue by coercion. - Murray Rothbard
I think this naming problem is is a consequence of o major problem, that relates to all open-source community: poor "marketing" decisions (it's not natural?)
A reputation built through a web of trust is the best possible system.
A single centralised decider of who counts as trustworthy - particularly one so incompetent and obviously lacking in decent direction as Mozilla - is the worst possible system.
So, you're the polar opposite of correct.
Heh, I guess you're not a Windows user or you'd be pretty used to elevating to Administrator during installs!
That is predominantly to allow writing to the registry and a few locked folders during installation. These days the number of applications which actually require to be *run* as administrator are near enough to zero that it's not an issue.
However Linux never had this peculiarity in the first place. If you download a program that is standalone and doesn't have some deep hooks into the OS there's no reason you need elevated privileges on Linux, which makes me even MORE cautious when a Linux program asks for it.
Hmm, could it be that because it logs you automatically on all google sites (search, youtube, ad network and so on)?
With Firefox/Opera I can choose when I want to be logged in and when not.
They offer the source so you should DIY...isn't that the Linux way? The Palemoon team has ZERO to do with the Linux branch, its made by a volunteer using the source. if you don't like the way he does it? You are free to take the source and come up with your own installer.
ACs don't waste your time replying, your posts are never seen by me.
the censors at google are about to delist my website
Your corporate overreach blocker can't block that? Garbage.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
You're also free to use seamonkey, waterfox, iceweasel or any of the other forks that aren't 10 versions out of date.
Waterfox is available for Linux now? That's news.
It really is too bad that Windows doesn't really have a concept of an /opt directory or installing to user folders.
It does.
Programs that aren't written by morons should ask you if you want to install it for the current user only (no UAC required) or for the whole system (UAC required).
For the user, HKEY_CURRENT_USER\Software in the registry is like the opt directory.
But so is %USERPROFILE%\AppData\. And in AppData you have Local, LocalLow, and Roaming.
The %APPDATA% variable points to Roaming by default, while the Local directory is for shit specific to the PC (shouldn't roam), or is too big to roam. LocalLow is a "low integrity" directory. Allegedly things like plugins and add-ons should store their shit there and not be able to write to the Local directory.
For the system, you have HKEY_LOCAL_MACHINE and %ProgramData%.
The problems are:
1 - Morons write programs and demand full access to the whole system regardless of whether or not they need it.
2 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the registry, in both HKLM and HKCU. Even when it's documented, it's fucking wrong (I'm looking at you, Adobe).
3 - Morons write programs and store a whole mess of bizarre, indecipherable shit in the the various %USERPROFILE%\AppData\ folders and the %ProgramData% folder .
4 - Morons write programs and store even more configs in the program's installation folder or other random places (like the Documents library).
Any one of these things alone is annoying, but programs often do all 4. This makes figuring out configs even harder - does the registry override settings.ini in the program folder? Or perhaps the profile in %AppData% wins out. What about the settings in %ProgramData%? Which registry settings are in HKLM vs HKCU? Why isn't anything in %AppData% or %ProgramData% or even the fucking registry cleared out when I uninstall?
It's a mess because developers are morons and Windows lets morons make a mess of things in several ways.
The mere fact that the address bar and search bar are the same qualifies.
You can't type in an address without it being sent off to Google to deliver suggestions when they're the same bar.
n/t
"When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
Even MSWind95 did that. When I installed Squeak and Python on MSWind95 there were no files installed outside the application directory, which I located in a custom place segregated from all system files.
The problem isn't that MSWind doesn't allow that, the problem is that it doesn't (didn't?) require that.
FWIW, I generally prefer /usr/local to /opt, but in either case the files should be those that you trust, and the locations should require root permission to allow installation. Files with any doubt as to their provenance should be installed in a place like /home/apps/ with write permission only to the apps user (not a real user) and execute permission as desired. If you can't control where it installs itself, don't trust it.
I think we've pushed this "anyone can grow up to be president" thing too far.
The last time I tried to use Seamonkey it wouldn't run. I didn't devote a whole lot of effort into trying to figure out why, but it did compile without errors (that I remember). I was trying to install it to use its html editor, but I found another one that looked like a fork and worked without problem. (Can't remember its name.)
I think we've pushed this "anyone can grow up to be president" thing too far.
I agree, remove this backdoor garbage from OFFICIAL add-on repositories, but still allow me to install whatever the fuck I want. I'm seriously tired of how arrogant Mozilla developers have become.
I agree. They fuck with Java non-stop which I require for internal applications. Who cares if my Java is out of date when I use one specific browser on one applications. Stop disabling my shit Mozilla.
I've been frustrated with the fact I can't use anti-container (a wonderful extension to downthemall) on Pale Moon. It's the only reason I keep a copy of FF around. Chrome is right out.
Socialism: a lie told by totalitarians and believed by fools.
You need to read more carefully. For the kind of add-ons you mention -- that is, ones not hosted on Mozilla's servers -- the signing process is automatic. You can even use a commandline tool to automate submission of the file for signing, and generally get a signed version back within a few seconds.
But can your corporate overreach blocker do everything that hosts files can?
Socialism: a lie told by totalitarians and believed by fools.
And it will die in a few firefox releases. Mozilla deprecates (and removes) XUL and XPCom and addons as powerful as DTA will not be possible, the DTA author wrote he will probably need to discontinue it.
A sad news to me :/
If you are installing into the standard directories then you must use root privileges. That is the way Linux is designed. If you want to install it in your home directory I guarantee that it will not require it.
If you are installing into the standard directories then you must use root privileges.
Using root privileges to do something specific is not the same as granting a program gratuitous privilege escalation to root, or giving an installer a password.
That is the way Linux is designed.
No, it isn't. If the documentation states what it needs write permissions to, or the installation script reports problems and then rolls back, you can temporarily give the required access.
Either through group permissions or ACLs.
If it installs under, say, /opt/palemoon, it is FAR better to create that directory as root, and give the installing user temporary write access, and change the ownership/access of the directory afterwards. Similar for other directories it may want access to.
sudo isn't needed for this. Or for much else that sudo is abused for.
Let me get this straight. Are you saying that the install script is somehow giving the program root permissions that it can use after it has been installed? Otherwise in order to write to the /bin, /usr/bin, or any other directory that is not in your home directory you must have root permissions. You can temporarily give a user write permissions for a folder, but that also involves using root to give that permission.