Slashdot Mirror


User: scdeimos

scdeimos's activity in the archive.

Stories: 0
Comments: 1,581

Comments · 1,581

  1. Re:Good thing on NoScript Adds Subscriptions To Adblock Plus · · Score: 3, Insightful

    Funny, I thought that all Mozilla (Firefox/Thunderbird/Sunbird/etc) add-ons are already, in effect, open source.

    The .xpi files that they come in are just .jar/.zip files containing all of their Javascript source code, styles and images. The NoScript author in this very case actually went out of his way to obfuscate the code in the content/noscript/MRD.js file just to make it harder for people to see what he was doing. Luckily, there's an easy way to decode it (credit to Matt McCutchen, who posted in the article's link):

    mkdir tmp; cd tmp
    wget http://software.informaction.com/data/releases/noscript-1.9.2.xpi
    unzip noscript-1.9.2.xpi
    unzip chrome/noscript.jar
    perl -np /dev/fd/3 3<<EOS <content/noscript/MRD.js >MRD.unescaped.js
    s/\\\\x([0-9a-f]{2})/pack q{c}, hex(\$1)/ge
    EOS
    less MRD.unescaped.js

    It shows, unfortunately, that even open source software can be malicious. It's just easier for people to find the nasties.
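
An added example, not part of the original comment or of Matt McCutchen's one-liner: the same inspection done for every script in an add-on at once, walking the .xpi and its nested .jar and decoding any JavaScript file dominated by `\xNN` escapes. The sample archive, its file names, the hidden string and the 20% threshold are constructed assumptions.

```python
import io
import re
import zipfile

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
ARCHIVES = (".xpi", ".jar", ".zip")

def iter_scripts(data, prefix=""):
    """Yield (path, text) for each .js member, descending into nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name, body = info.filename, zf.read(info)
            if name.lower().endswith(ARCHIVES):
                yield from iter_scripts(body, prefix + name + "!/")
            elif name.lower().endswith(".js"):
                yield prefix + name, body.decode("utf-8", "replace")

def unescape_hex(text):
    """Replace every \\xNN escape with the character it encodes (for reading only)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)

def audit(data, threshold=0.2):
    """Return {path: decoded text} for scripts whose \\xNN escapes exceed the threshold."""
    flagged = {}
    for path, text in iter_scripts(data):
        escaped_chars = 4 * len(HEX_ESCAPE.findall(text))  # each escape is 4 chars
        if text and escaped_chars / len(text) > threshold:
            flagged[path] = unescape_hex(text)
    return flagged

def build_sample_xpi():
    """Constructed sample: an .xpi holding a .jar with one plain and one escaped script."""
    hidden = "example.invalid/filters.txt"  # constructed placeholder string
    obfuscated = 'var u = "' + "".join("\\x%02x" % ord(c) for c in hidden) + '";\n'
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("content/sample/Main.js", "function init() { return 1; }\n")
        zf.writestr("content/sample/Obf.js", obfuscated)
    xpi = io.BytesIO()
    with zipfile.ZipFile(xpi, "w") as zf:
        zf.writestr("install.rdf", "<RDF/>")
        zf.writestr("chrome/sample.jar", jar.getvalue())
    return xpi.getvalue()

if __name__ == "__main__":
    for path, text in audit(build_sample_xpi()).items():
        print(path, "->", text.strip())
```
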

  2. Re:Hello? Can y'all read? on NoScript Adds Subscriptions To Adblock Plus · · Score: 2, Interesting

    I would expect most /. users would be smart enough to actually see what's being changed before updating something.

    Except that the Update Add-ons dialog doesn't have a link to the Changes page for each add-on that's about to be updated (Mozilla is talking about adding that feature, by the way, not just because of this particular incident).

    I doubt most NoScript users would bother to check the Changes page even if the link was there - it's already running on their browser and has probably earned the rank of Trusted Add-on in their minds. I'm not convinced that NoScript-using /. readers would be much different.

  3. Re:Noscript on NoScript Adds Subscriptions To Adblock Plus · · Score: 1

    The scripting problem is not that simple, unfortunately. Allow me to present a scenario...

    You like to visit yourlocalnews.com to get your daily dose. The owners are nice and hard-working people - you talk to them every day in the coffee shop or the bakery - but they don't have a lot of time to do web development themselves so they only write a little bit of Javascript on their own web site to glue together a bunch of scripts hosted on other sites, like googleapis.com, someothersite1.com, and someothersite2.com. Now your news guys don't have any control over these other three sites. Google preaches "don't be evil" and generally follows their own advice, but the other two sites are unknowns. What happens if they are malicious sites and start updating their Javascript with malicious code and exploits, downloading content to your computer and installing ZombieNet(tm) services?

    And cross-site scripting attacks are a whole other ball of wax.

    The "avoid visiting websites you don't trust" argument isn't valid, I'm sorry to say. Even if you trust the origin site, you can't easily know what other sites they are referencing and what kinds of reputation those might have.

  4. Re:Sleazy and disgraceful on NoScript Adds Subscriptions To Adblock Plus · · Score: 4, Interesting

    This behaviour is disgraceful, and Noscript should be blocked by Mozilla (is this possible?...

    Yes, read the Addons.Mozilla.Org policy page. All versions of add-ons are supposed to start out in the Sandbox for review before they can go into the Public area. They can just as easily be kicked-back into the Sandbox if it's later shown that there's something wrong with them.

    I heartily recommend that you file a complaint with the AMO editors, amo-editors_atsymbol_mozilla.org, since NoScript is clearly violating the following rule:

    Do the add-on and add-on author both treat the user respectfully?
    Your software should not intrude on the user unnecessarily, try to trick the user, or conceal any of its activities from the user.

    How the obfuscated code in NoScript's content/noscript/MRD.js file got through the Sandbox review process is a question I'd like to see answered - perhaps only the initial add-on versions are reviewed and then updates get fast-tracked. AMO reviewers are all unpaid volunteers and are probably overwhelmed by the number of submissions, so this wouldn't surprise me.

  5. Re:Shhhh! on NoScript Adds Subscriptions To Adblock Plus · · Score: 1

    Somebody mod parent +1 Funny :)

  6. Re:Really Smart on NoScript Adds Subscriptions To Adblock Plus · · Score: 4, Insightful

    However, AdBlock is illegally manipulating the author's content to remove ads designed to produce revenue.

    Bollocks. You must work in the advertising industry. Using your own logic it could be said that NoScript is "illegally" modifying the operation of a web site by disabling the scripting on it.

    In reality, neither is illegal. Both practices (blocking script, blocking advertising) are users exercising control over their own computers and their own browsing experience.

    Advertising on web pages can generate revenue for both the advertiser and the web page author, but they cost the viewers in terms of:

    1. money - because the ads have to be downloaded to end-users and that bandwidth has to be paid for, and
    2. time - because ads are generally garish and/or animated and so distract the viewers from their whole reason of being on the page: to read the actual content.

    If advertising was subtle and all scripting was trustworthy then there would be no need to block either. Alas, that isn't the world that we live in.

  7. Re:I've got your denial right here. on Zombie Macs Launch DoS Attack · · Score: 1

    And Debian-based Linux as well. Lest we forget that packages are signed with GPG?

  8. Re:I've got your denial right here. on Zombie Macs Launch DoS Attack · · Score: 1

    And then you put apple in the position of dictating what you are and are not allowed to run on your mac.

    It's Apple's OS - they already have control over what gets installed on it or not, those controls are just "loose" at the moment. That doesn't mean they won't "tighten-up" those controls later on - will you be able to do anything about it if they do?

    This is the same tactic used by MS to enforce it's little PVP in Vista...require drivers to be signed by MS and revoke any drivers that don't pander to MS's DRM regulations.

    Any chance you run a Debian-based Linux? Ever installed anything on it? You know those installation packages are signed using GPG, right? Does that make the Linux community as evil as MS for pandering to DRM? No, because DRM has nothing to do with code signing.

    Plus, nothing stops Apple from using its new monopoly in refereeing your software from then abusing that monopoly to enforce draconian rent-seeking functionality.

    We've already seen Apple disable 3rd party applications on the iPod/iPhone platform and that's running a cut-down version of OSX.

  9. Re:I've got your denial right here. on Zombie Macs Launch DoS Attack · · Score: 2, Insightful

    Regardless of what operating system you're on, there's this little feature called code signing.

    If Apple actually signed everything they make, including the Setup/Installer packages, and drummed just that one little piece of security into their users then this type of malware-embedded-in-Apple-software attack just wouldn't be possible.

  10. Re:Ah, but is it reversible? on Climate Engineering As US Policy? · · Score: 1

    Earth's radius is 6,371km presenting an effective (disc) area of 127,567,443km² to the sun.

    If you want to block out a huge 10% of the incoming solar radiation you need to occlude an effective area of 12,756,744km² and with something of radius 2,015km. That's slightly bigger than the moon. A difficult task.

    If you only want to block out a small 1% of the incoming solar radiation, on the other hand, (which is probably all that's needed) you need to occlude an effective area of 1,275,674km² and with something of radius 637km. That's somewhat more manageable.

    It doesn't have to be an asteroid, either. An array of solar panels could be used, for example, to gather their own power and maintain their own position.

    It's somewhat more controllable (and reversible) than injecting a whole bunch of pollutants into the atmosphere - something that is supposedly what's caused this whole mess in the first place I might point out.

  11. Ah, but is it reversible? on Climate Engineering As US Policy? · · Score: 3, Interesting

    Most of these Dire Global Warming predictions are based on computer models which are known to be flawed.

    Any measure taken to counteract perceived Global Warming must be reversible if found ineffective (or worse, a hindrance). Injecting more particulate pollution into the atmosphere to counteract Global Warming doesn't sound to me like an easily reversible thing. Far safer and easier to do, methinks, to park a large asteroid in synchronous orbit between the Earth and Sun to occlude solar radiation. If it's "too effective" then it can be (comparatively) easily moved or removed, if it's "not enough" then more can be gathered.

  12. Re:LotRD on Legends of Zork Goes Live · · Score: 1

    s/Green/Red/

    No, Legend of the Red Dragon was first. http://en.wikipedia.org/wiki/Legend_of_the_Red_Dragon

  13. Re:Actually seems kinda fun on Legends of Zork Goes Live · · Score: 1

    It's not like you can't finish exploring a dungeon (special area) if you run out of Action Points part way through. You can continue explorations at a later date. For example, the current map I'm in is showing three special areas that I've previously discovered and can continue exploring whenever I want.

  14. The Apple Patent invalidates itself on Apple Patent Claim Threatens To Block Or Delay W3C · · Score: 1

    The introduction of the patent concludes: "With this arrangement, software upgrades can be effected in an efficient and automatic manner, without resort to any external resources."

    If I'm not mistaken, the internet forms a pretty significant resource. Automatic upgrades of objects that require the internet to store newer versions of the objects get around the patent by default, don't they?

    And the concluding introductory statement also goes against the body of the patent which requires access to "resources" in the form of "storage ... in remote memory."

  15. Corporate Censorship on AP Says "Share Your Revenue, Or Face Lawsuits" · · Score: 1

    Re-reporting news with attributions has always been acceptable in the past. This new behaviour amounts to nothing short of censorship. It's censoring as a source of revenue, however, instead of censoring "to protect the people" as governments try to do. I'd like to see governments step in and step on these guys to end this now.

  16. Re:Larry Niven knock-offs? on Greg Bear To Write Halo Trilogy · · Score: 1

    The size of the Banks Orbitals could be somewhat less than what you outlined as they themselves have a non-zero weight and so exert a gravitational force on objects placed on their surfaces.

  17. Re:not-so-good? on Mixed Outcome of Texas Textbook Vote · · Score: 4, Insightful

    I agree with the "how is this not-so-good news?"

    Good Science is all about putting science theory and practice under scrutiny and peer review. This promotes proper investigation and revision and kills-off Bad Science through attrition.

  18. Re:Most likely insignificant on Are Long URLs Wasting Bandwidth? · · Score: 4, Interesting

    I think the O3 article and the parent have missed the real point. It's not the length of the URL's that's wasting bandwidth, it's how they're being used.

    A lot of services append useless query parameter information (like "ref=logo" etc. in the Facebook example) to the end of every hyperlink instead of using built-in HTTP functionality like the HTTP-Referer client request headers to do the same job.

    This causes proxy servers to retrieve multiple copies of the same pages unnecessarily, such as http://www.facebook.com/home.php and http://www.facebook.com/home.php?ref=logo, wasting internet bandwidth and disk space at the same time.

  19. Re:Missing... The... Point! on Sun To Include SSDs On Server Motherboards · · Score: 1

    We're already seeing Flash drives that are bottlenecked on SATA bus speed limits. Why do you think things like the Fusion-IO IODrive exist?

    Review of the Fusion-IO IODrive 80GB Solid State Drive (SSD)
    http://www.dvnation.com/Fusion-IO-IODrive-SSD-Solid-State-Disk-Drive-Review.html

  20. There's existing alternatives on Amiga Community Collaborates On Restorative Gel To Brighten Your Old Plastic · · Score: 1

    Twenty years ago or so, when I was working as a tech in an Apple Service Centre, we were using a leather softening agent for saddlery called "Gee-Y" (or "Gee-Why" depending on what part of the world you're from) to clean the ABS cases of hardware like this. A rag dipped in Gee-Y used to polish the burn out.

    Worked brilliantly for restoring the original colours of computer equipment that had been getting browned from sitting in direct sunlight, and it wouldn't affect the printing on cases and key caps.

  21. Re:Newsworthy. Actuall news. on Debian GNU/Linux 5.0 "Lenny" Released · · Score: 1

    Ah, you've never tried to edit a 16-bit image I see.

  22. Is This Good For Linux, Or Harmful? on Dell Selling Dual-Boot Laptops · · Score: 2, Insightful

    I'd usually applaud any OEM's decision to sell their kit with Linux installed, but I'm seriously questioning whether this particular implementation style is going to help Linux or not.

    Why?

    PHB's, that's why. Already articles like the one linked to are setting-up Linux as a "light duty OS" by saying things like:

    The Linux OS provides a quick boot for checking email and other "light" computing duties while the Windows side allows "heavier duty" computing like running Microsoft Office applications.

    Taken out of context that's a complete load of crap, but it's something Microsoft must be just loving to see.

    You and I would understand that, in this case, it's because Linux is installed and running on an ARM-based subsystem with less memory and less bandwidth to play with, but PHB's will get this light-duty reference stuck in their heads. And this will be reinforced when they try to do something "difficult" with it, and it happens slowly or not at all, and they'll come away thinking "Linux is crap" when they really should be thinking "Windows is crap, why does it need so many resources?"

    Why should I care? Because it's the PHB's, unfortunately, that sign the cheques to get new hardware and if they get the wrong ideas about Linux then Microsoft with their Windows and other software will continue to dominate the market.

    Why couldn't Dell just quick boot into Linux and then run Windows apps under Wine, or even VM the whole Windows installation? :(

  23. Search and Rescue? on NASA Fashions Mountain-Climbing Robot · · Score: 1

    FTA:

    On Earth, Axel might assist in search-and-rescue operations in locations where people might not be able to reach.

    Bollocks! It's a pair of wheels on a tether. It's not going to be any better than a human abseiling down a cliff face. It won't even be able to walk along ledges it encounters on the way down.

  24. Re:Ho Hum on Microsoft Update Slips In a Firefox Extension · · Score: 1

    It's interesting that you mention FFClickOnce.

    Pulling apart the extension's chrome code in chrome.jar!/content/contentyype.js shows that this extension also futzes with FFClickOnce, with the once-again-presumptuous comment from Microsoft:

    // If the user has both this addon and FFClickOnce installed show only our button

    This is the first file in the extension I've looked at. I wonder what else they're mucking about with? :(

  25. Quickly forgotten on Microsoft Update Slips In a Firefox Extension · · Score: 4, Insightful

    Anybody remember when Windows "Genuine Advantage" validation software was getting slipped in as part of "critical updates" for things like the Microsoft Flash Player patch? It wasn't really that long ago.

    You don't seriously expect Microsoft to *not* do these sorts of things on what they consider to be *their* systems, do you?