NoScript Adds Subscriptions To Adblock Plus 408
hahiss writes "Apparently, NoScript has taken to adding its own whitelist updates to Adblock Plus — so that the ads on the NoScript page show up — without notifying users. (It is described on the NoScript addon page, however.) This was a part of the last update to NoScript. Wladimir Palant, the main developer of Adblock Plus, describes the situation in an informative blog post."
Update — 5/02 at 12:30 GMT by SS: Reader spyrochaete notes that "InformAction, makers of the NoScript extension for Firefox, have removed the recently introduced AdBlock exceptions which unblocked the revenue-producing ads on the NoScript homepage with little or no warning to the user. According to the changelog, InformAction pushed out an update specifically addressing this controversial decision 'permanently and with no questions asked.'"
Personally, I couldn't care less. (Score:2)
Re:Personally, I couldn't care less. (Score:5, Insightful)
Re:Personally, I couldn't care less. (Score:5, Insightful)
The bottom line is: don't install untrusted extensions.
It was always a risk.
By the way, you now know never to trust NoScript, and to warn anyone who tells you they're using it.
Re:Personally, I couldn't care less. (Score:5, Insightful)
Absolutely. What many programmers and companies do not realise is that there there needs to be a large amount of trust between users and themselves. Ultimately, by installing software, users are giving huge control of their systems and software to people they have never met and who will never meet them.
If find that most people are if anything, to trusting on the Internet. Hence botnets. But even cautious people do tend to give others the benefit of the doubt. But if they should be given reason to go back on that, it can mean a permanent end to that trusting relationship.
I know someone who recently installed Google Desktop(Something I would never, ever, do). They were happy at first, as they were happy to use a multitude of Google Apps. However, trouble struck when the geniuses at Google Desktop decided that when you search using their internet search, it should also bring up search results from your Desktop index.
Imagine someones surprise when their personal computer files appear on an internet search page. It wasn't pretty. The user wanted to uninstall Google desktop, sign out of Gmail, and stop using Google search forever. As I tried to explain that the page was linking to local files, not on the internet, I realised my words were in vain. This person had simply been too shaken my the incident. From their perspective, they had been betrayed. Their personal files had been cast online, or at least, they now recognised that outcome was possible due to the control they had given to a private company.
All trust in Google, and all its products, was lost forever. The trusting and confident relationship Google had with this person had been shattered by a single incident. I've seen this happen multiple times, with multiple pieces of software. Frustration, data loss, jarring incidents. Even the smallest thing can rupture the good feelings of people towards the people whom they entrust with their data.
This is such an incident. NoScript is forever tainted, never to rise again. Hundreds of thousands of people will likely uninstall it today alone. It will cease to be recommended, and ultimately another virtually identical extension will takes its place. A good lesson to all who would be so careless with their reputations. You need your users trust to survive.
Re:Personally, I couldn't care less. (Score:5, Insightful)
I would complain (Score:5, Insightful)
Re:I would complain (Score:5, Interesting)
The author of the article says this is a problem he predicted would happen if we didn't "give extension developers a way to make money".
Now it's our job to "give" developers a way to make money?
It amuses me when someone decides to use the "free" model of software development, making an application and then not charging for it, and then gets offended because he's not making money.
Dude, if you're smart enough to come up with a useful app, I bet you can figure out a way to monetize it.
I hear the same thing from artists who post all their work for free and then complain about being poor. Job 1 is survival, no matter how creative you are. You have to keep body and soul together if you're going to make a contribution. Same with guys who fix all their friends' computers and then get mad because they're fixing all their friends' computers. All passive-aggressive wearing "Don't Ask Me To Fix Your Computer" t-shirts. Grow some minerals and say "I'll have to charge you". You'd be surprised how reasonable people are when you're not a dick.
Re: (Score:3, Funny)
I think a new signature would reinforce your point :)
Re: (Score:3, Interesting)
No, it's not a user's job to give developers a way to monetise their product, but I also think we have a responsibility not to remove such methods.
I use NoScript and explicitly whitelist reputable advertising agencies. I had Adblock Plus installed for a time, but only to hide distasteful images. I rarely click on advertising, but every couple of months an advertisement will spark my curiosity. I have a hard time believing many users who install these types of addons never do the same thing. I also contribut
Re:Personally, I couldn't care less. (Score:5, Funny)
I'll repair your car for free, and as an added bonus I'm also going to change all of your saved radio stations, adjust your seats, replace your tires with a cheaper brand, and rape your lass.
I do it for free, so people aren't allowed to complain!
The parts in bold happen frequently in my experience. The part in italics happens frequently if you exchange "hit on" for "rape".
Re: (Score:3, Insightful)
Yes, clearly, directing me to a single web page (requiring a single mouse-click to close) that displays a couple of ads (which I've never actually noticed, to be honest) once every 5-14 days as part of updating an optional extension to an optional web browser is equivalent to vandalizing my automobile and forcibly raping my female companion as part of maintaining a very expensive and critical piece of equipment that I need to properly navigate the modern world.
Bravo on an analogy that is completely valid an
Re:Personally, I couldn't care less. (Score:5, Funny)
Comment removed (Score:5, Insightful)
Re:Personally, I couldn't care less. (Score:4, Interesting)
Really Smart (Score:5, Insightful)
Start a project that blocks ads that is funded by advertising on their website and donations.
Sounds real smart.
They have 3 AdSense ad units (the max) on their home page, a couple of small buttons and a set of sponsored links. The sponsored links also don't use the rel="nofollow" tag but I guess google doesn't penalize everyone for that or nobody has reported them.
Seriously, this is a business model that shoots itself in the foot.
Re:Really Smart (Score:5, Informative)
NoScript is not primarily an ad blocker. It manipulates AdBlock to allow ads on NoScript domains.
What happened: NoScript blocks scripts (which also catches some typical ad delivery scripts). NoScript exempts the domain of the NoScript authors from script blocking (bad). An AdBlock subscription list recently added entries to block ads on the NoScript domain. NoScript tried to evade that measure by manipulating the way AdBlock works. Now NoScript has changed again and only ads a visible exception subscription to the list of AdBlock subscriptions. This exception can not be removed, only deactivated, as it's added back in whenever Firefox starts.
As an extension author, I can sympathize with the NoScript authors: Firefox users are really stingy. Unless an extension is inherently intertwined with a business opportunity and not just a convenient stand-alone feature, working on a Firefox extension is a losing proposition, at least financially. However, an author should either accept that and find other motivations for continuing the work, try a transparent commercial approach or cut the extension loose. The dark side is big enough without Firefox extension authors joining it.
Re: (Score:3, Informative)
NoScript is not primarily an ad blocker.
That may not have been its intention, but a lot of people are using it for that purpose since many forms of advertising are served up through JavaScript.
Even the advertising on NoScript's site is primarily JavaScript based.
From reading the blog, he didn't just whitelist his own domain, but also the domains where Google AdSense ads are served.
Personally, I don't see the big deal in blocking advertising. Most good sites aren't too in your face about it and it helps keep them running. I haven't run ABP in year
Re:Really Smart (Score:5, Interesting)
Personally, I don't see the big deal in blocking advertising. Most good sites aren't too in your face about it and it helps keep them running. I haven't run ABP in years because of it and I've found some of the ads to be useful.
Following the same logic (sites need revenue from ads to stay operational) I too did not use the Adblock Plus add in.
Until one day when I was served the most annoying ad ever. I was attempting to read an lengthy article while listening to my favorite internet stream at the time, when my ears were assaulted with a sound that made GSM interference sound pleasant.
On the page with the lengthy article I was planning to read, I was presented with a "punch the monkey" type flash ad. Only this ad was hit some evil ninja villain. The Flash ad was the source of the horrendous noise. The Flash programmer had set the the thing to loop infinitely and disable all of the flash plug-ins controls. Every time I refreshed the web page the same ad was served up again.
That's when I changed my position. I loaded up NoScript and Adblock Plus, and this annoyance was no more. I've never looked back. I was pushed too far, and it won't happen again. Ever.
Re:Really Smart (Score:5, Insightful)
I beg your pardon?
The reason I started using extensions like Adblock Plus is because ads were so bad they were preventing my entire COMPUTER from working. The straw that broke the camel's back in my case was when I was trying to view artwork on Deviantart. They had these really badly coded Flash animations which took up 100% CPU on my (then) single-core desktop machine. It was IMPOSSIBLE to do anything - the entire machine was jamming up to the point where it took more than a minute for the task manager to appear when launched. This is bullshit - ads shouldn't do this, they shouldn't be so obnoxious.
My current machine is a bit more modern and would handle such ads, but it's the principle of the thing, and I don't see things getting any better. The only ads I can deal with are text-based, light image, non-flash/non-JS ads. If people only used these ads and were sensible about using them, then I wouldn't have been pushed into seeking out relief.
So stop painting us as stingy folk. Some of us just want to access the Internet without frustration.
Comment removed (Score:5, Insightful)
Re:Really Smart (Score:5, Interesting)
It's not actually illegal. It is, however, apparently against the Mozilla Addon ToU (https://addons.mozilla.org/en-US/firefox/pages/policy) - that was the original terms under which the ABP author asked the NS author to remove the code in NS that intentionally harmed ABP's operation.
Re:Really Smart (Score:4, Informative)
There is is. I do not find it sufficient:
v 1.9.2.3
======
+ A "NoScript development support filterset" gets added to AdBlock
Plus, whitelisting the noscript.net, flashgot.net, informaction.com
and hackademix.net web sites recently broken by an aggressive
EasyList campaign against sites sponsoring NoScript development.
ABP users are informed both on the install and on the release notes
pages, so they can easily disable the filterset if they whish to.
Re:Really Smart (Score:5, Insightful)
Altering Data without Consent *IS* a crime (Score:3, Interesting)
IANAL but in Australia we have laws which among other things makes it a crime to alter data without the owner's consent. There's a similar crime in Britain. I don't know the specific European Laws he'd be prosecuted under, but altering data without consent is one of the first things that cybercrime laws legislated against. Shop around, but this Giorgio Maone is treading on some shaky ground here and he did it with clear forethought. Unlikely Maone will be prosecuted - few people ever are, but if I were him
Re:Really Smart (Score:5, Insightful)
In a sense, AdBlock is acting as malicious software, because it's altering the site author's message, without their permission.
In what sense? Adblock doesn't modify anything on the server - the content remains unchanged. Once the bits are on my machine, I can do anything I want with them without permission from the author as long as I don't republish the modified version.
Re: (Score:3, Interesting)
"Copyright law says you don't have that right."
Citation, please.
Re: (Score:3, Insightful)
What if I'm browsing in text mode? What if I don't happen to have flash installed so I can't see flash adverts?
In order for a webpage to be seen on screen it has to be modified and translated into an image in my computers' memory. You seem to be claiming that I'm violating copyright law by not processing those instructions in the correct way but I'm not aware of any case law that interprets copyright law like that. If website operators want me to view their page in a specific way perhaps they should furnish
Re: (Score:3, Informative)
Copyright law says you don't have that right.
I know of no law, anywhere, that says that I can't legally obtain a copy of a copyrighted work then modify said copy as I see fit as long as it stays in my possession. If you do, please enlighten us all. Please be as specific as possible.
This is no more illegal than purchasing a copy of a book, writing notes in the margins, and crossing out sections you disagree with.
The issue is similar to that of mod chips for game consoles: contributory infringement.
Cont
Re: (Score:3, Informative)
So if I buy a newspaper I don't have a right to cut out the articles I like and post them on the wall and discard the ads? Don't be ridiculous. Copyright law absolutely allows me to manipulate content and long as I don't distribute it.
Re:Really Smart (Score:5, Insightful)
If you want to make sure people are looking at your ads, come up with a mechanism that ensure they are, and make them leave if they aren't. I don't feel like come up with the mechanism now, but it could be as simple as having the JavaScript for the ad set a variable in page. If the variable isn't set when the page finishes loading, redirect them to another page that tells them to go away.
If I opened a page in links or another text-mode browser I wouldn't see ads either, are you saying those browsers are illegal? If a site doesn't want me there because I'm not looking at their ads, fine, I'll leave. The fact is that advertisers are too greedy, with ads that move, some that even play sound. Internet Advertising is killing itself with bullshit like that, and blaming it on AdBlock Plus is ridiculous. People want to be able to browse the web and read without being constantly distracted by a moving ad on the side, and without worrying that their speakers will suddenly start blasting because they navigated to a page that has a jackass advertiser on it.
If your response is "well not all ads do that, AdBlock should only block the bad ones" then consider advertisers brought the block on themselves by allowing those advertisers to exist. If they want to save their industry, they need to stand up and say that obnoxious ads shouldn't exist, and that they won't do business with anyone who displays them. That means that Google shouldn't show ads for a company that also has obnoxious ads (IBM is a good example). Until serious self-regulation occurs, ABP will keep getting more users.
Re:Really Smart (Score:5, Insightful)
However, AdBlock is illegally manipulating the author's content to remove ads designed to produce revenue.
Bollocks. You must work in the advertising industry. Using your own logic it could be said that NoScript is "illegally" modifying the operation of a web site by disabling the scripting on it.
In reality, neither is illegal. Both practices (blocking script, blocking advertising) are users exercising control over their own computers and their own browsing experience.
Advertising on web pages can generate revenue for both the advertiser and the web page author, but they cost the viewers in terms of:
If advertising was subtle and all scripting was trustworthy then there would be no need to block either. Alas, that isn't the world that we live in.
Re:Really Smart (Score:5, Insightful)
Re: (Score:3, Funny)
Amen. Continuing on the same path, changing browser window width below 800 is probably borderline illegal: most websites aren't designed to work like that.
Re: (Score:3, Informative)
It is a difficult task to discriminate legally between the mode of display of a rendering means [browser] incapable of displaying visual ads /versus/ a mode of display of a rendering means modified so as not to display ads.
Stop making up law. It's well established that the user has fair use rights to do with content as they see fit, as long as they don't redistribute.
Fight noscript.net with NoScript (Score:3, Informative)
Just remove noscript.net and his other domains from NoScripts allow list and his own addon stops his Google adbars.
I am sure he will hard code around this in his next patch, that will be the point where I start adding firewall rules.
this is like Little Snitch (Score:4, Insightful)
Little Snitch on the Mac, which helps you identify when apps 'phone home, itself 'phones home, and you can't block it using Little Snitch itself.
I like to call this the Communism trait, for the Party elite always manage to make themselves more equal than others.
(Moderators: this isn't an anti-communism or pro-capitalism post. An important part of growing up is knowing that ideals are merely the primary colours, and life requires a mixture.)
Timeline of events (Score:4, Informative)
When the Easylist filter was made for Adblock Plus, it generically blocked ads for many websites, with some specific rules for other sites. Giorgio Maone (creator of NoScript) relies to a certain extent on ad revenue on his websites, without which he may spend less time working on the extension. He made a workaround on the ad blocking, and though the filter could have been updated to counter this, no attempt was made to update it.
When Rick Petnel died, they needed a new maintainer for the filter. Ares2 continued where Rick left off. He decided to fix the workaround made on Giorgio's sites.
What then followed was a game of cat-and-mouse. Giorgio would attempt a new workariound, and Ares2 would attempt to block the ads. It reached the stage where large parts of Giorgio's sites weren't working due to false positives [informaction.com].
Here, it seems clear that Ares2 has gone too far, and a compromise should have been reached. ABP and NoScript are a good pair when working together, though the people behind them have different philosophies. Unfortunately, things start to take a turn for the worse.
In an attempt to defend his site and ad revenue, he makes an update of NoScript to version 1.9.2. This version contains a file called MRD.js [adblockplus.org], which adds a CSS stylesheet rule to his websites that overrides the filter, by adding -moz-binding: none after the filter has loaded, which the filter depends upon. Furthermore, the file is obfuscated to hide what it does. No warning is given to Firefox users of what the extension has added in this tit-for-tat battle.
When this addition started breaking users ABP installations, version 1.9.2.3 instead adds his websites to the ABP whitelist, calling it a "NoScript development support filterset" [noscript.net]. The user isn't informed of what this is, and isn't given a choice on whether to accept it.
At present, the filter has removed its false positives, though leaves the ad blocking in place. The NoScript behaviour still remains in the latest version.
Ares2 was overzealous in attempting to block ads, and shouldn't have made Giorgio have to make excessive changes to his site. But the larger concern is that while Easylist is a filterset, which can be removed and updated by the user, NoScript went further and started to modify existing extensions, executing code without user's consent or awareness, and acting in a way that resembled malware, to display ads on his websites.
Extensions can be great for giving people freedom to control how they view the web. But creators of extensions need to be careful in what they do with them, especially with those with a large user-base like Adblock Plus and NoScript. If not handled correctly, Firefox extensions could become the next vector of malware, and that would be a shame for all.
Re: (Score:2, Insightful)
Abe Simpson, is that you?
Re:Timeline of events (Score:5, Insightful)
NoScript has no business injecting itself into the AdblockPlus-addon. PERIOD!
Re:Timeline of events (Score:4, Funny)
This IS a program on Windows.
Re:Timeline of events (Score:5, Informative)
I recall in an earlier version of noscript that had Giorgio's sites whitelisted, and you couldn't remove them from the UI. You had to edit the plugin files themselves. This isn't new behavior for him.
Re: (Score:2)
...he makes an update of NoScript to version 1.9.2...
I don't know how it happened, but I am glad I missed any updates after 1.9.1.91. I think I'll stick with that for the time being, if I don't remove NoScript completely.
Re: (Score:3, Interesting)
You would think someone who makes an add-on designed to block sites from forcing annoying shit with java would realize how silly it is to fight with the people who make an addon to block annoying shit done with ads. Does noscript whitelist java ads on sites of others? After all, they need to eat too, right?
We all know the reality is if the no script dev quit today the add-on would live on with minimal interruption. Hell, the surprising thing is it is still being actively developed so hard, it already pre
Re: (Score:3, Insightful)
"Of course that's just how I remember the whole thing. I never visit the AdBlock Plus page and I am deliberately blind to most ads anyway."
So, your entire post was based on a guess? You don't have any direct experience with AdBlock either? Are you kidding me? Why are you posting again?
Its GPL licenced, someone should fork it. (Score:5, Insightful)
Re: (Score:3, Interesting)
I imagine the cost of doing this would be quite high, especially considering the constant updates to the extension.
Re:Its GPL licenced, someone should fork it. (Score:5, Insightful)
Re: (Score:3, Informative)
user_pref("noscript.firstRunRedirection", false);
Re:Its GPL licenced, someone should fork it. (Score:5, Interesting)
Re:Its GPL licenced, someone should fork it. (Score:4, Informative)
If you haven't been following web security (or reading the changelog) these guys are extremely cutting edge when it comes to blocking various XSS based exploitation techniques.
Clickjacking, cross domain keyloggers, and javascript connect-back proxies, etc are all out there now. Even if you have a given site whitelisted, noscript will still filter out known attack methods. It will even detect heap spray attempts etc if someone is trying to break out of a browser plugin.
Re:Its GPL licenced, someone should fork it. (Score:4, Insightful)
Yes, please. If someone will fork it, I will happily donate five bucks every year. What I will not do is run code on my machine that's obfuscated or that attempts to mess with things it shouldn't mess with.
I'd never understood why NoScript had to have such frequent updates. It seemed like several times a week, sometimes even more than once in a day. It was a nuisance, but I figured the author must just be working really hard. Now I have a sneaking suspicion that it was because the author was playing cat and mouse with adblock.
Why is this even a nontrivial software project? Don't run javascript unless it comes from a site that's on a whitelist. That doesn't seem like it should be a big deal.
Re:Its GPL licenced, someone should fork it. (Score:4, Informative)
Why is this even a nontrivial software project?
Surrogates. The arms race is going on more than one front. From what I understand, on sites that use returns from ad-tracking scripts like google-analytics or yieldmanager to block access, NoScript has the ability to run surrogate scripts that give the appropriate return without the ad-tracking. This seems non-trivial.
However, now knowing how embroiled the author of NoScript is in getting his own ads viewed, users may lose their trust in his surrogate scripts.
Re:Its GPL licenced, someone should fork it. (Score:4, Insightful)
Interesting. I'd actually prefer that the site just fail to work in that situation. Then I can make the decision for myself: do I care enough about this site's content, and trust its owners enough, to run their javascript? I suspect that in most cases the answer would be no. I'd mosey on by, and they wouldn't get my eyeballs.
Re: (Score:3, Insightful)
And when the author didn't get the level of donations he was expecting, he lashed out like a child, adding obfuscated code to NoScript which modified, without the Firefox user's permission, AdBlock Plus's functionality -- although a later update reversed this, and played only a little nicer by adding new ABP whitelist rules without the user
I Would Have Allowed It (Score:5, Insightful)
Like many Slashdot users, I run both NoScript and AdBlock Plus.
Had NoScript asked me if I wanted to whitelist adds on their site (in my AdBlock preferences) to support NoScript development, I would have happily clicked "Yes."
As it is, I've left the NoScript whitelist intact in my AdBlock preferences, because I do want to support their development (NoScript leaves a comment in the AdBlock preferences indicating that this whitelist can be disabled easily). That said, I would have been much happier had my permission been asked!
Re: (Score:2)
That's all great. More power to you.
However, I'm trying to think of the last time I've been to the NoScript site. I think the last time I was there was when I installed NoScript. Ever since then, Iceweasel has updated the program without ever going to the site.
Re:I Would Have Allowed It (Score:5, Informative)
Currently you can't actually delete the list, only disable it. If you delete the list, it will come back the next time you load firefox. I have actually tried this myself and it is very obnoxious.
I was looking on the noscript forums, and I did find this [informaction.com]:
While I don't know if I believe this or not, it's at least the way it should have been from the start.
Re: (Score:3, Informative)
http://noscript.net/changelog [noscript.net]
Minutes after the suggestion, and it is already in the new version that was just pushed out.
Re: (Score:3, Insightful)
Had NoScript asked me if I wanted to whitelist adds on their site (in my AdBlock preferences) to support NoScript development, I would have happily clicked "Yes."
Exactly. The NoScript author has a point, and I understand he has to generate some revenue to fund his work, but going behind the users' backs is unacceptable.
As it is, I've left the NoScript whitelist intact in my AdBlock preferences, because I do want to support their development (NoScript leaves a comment in the AdBlock preferences indicating that this whitelist can be disabled easily).
I've immediately disabled the filter set, and prevented the NoScript site from being displayed. I will however re-enable it soon, because the next version of NoScript will ask for permission (even retroactively), and allow its modifications to ABP to be reset:
Stupid trick (Score:4, Informative)
It's a stupid trick, but the whitelist can be disabled easily. Go to Adblock preferences and disable the "NoScript Development Support" filter. It doesn't seem to re-enable the whitelist on restart. It may when it updates.
No it's not (Score:5, Insightful)
Sleazy and disgraceful (Score:5, Insightful)
If I have ad blocking software installed, that means I don't want to see ads (unless I explicitly approve them).
If I have script blocking software installed, that means I don't want to run scripts (unless I explicitly approve them).
How difficult is that to understand?
I don't care if the Noscript developer relies on ads for revenue. If I have ad blocking software installed, I don't want to see ads, period.. that doesn't mean "except on noscript's site, of course!". If the Noscript developer doesn't like that, it's too fucking bad.
This behaviour is disgraceful, and Noscript should be blocked by Mozilla (is this possible? Or, at least, not hosted on their site..) because at this point, it's clearly malware.
Re:Sleazy and disgraceful (Score:5, Interesting)
This behaviour is disgraceful, and Noscript should be blocked by Mozilla (is this possible?...
Yes, read the Addons.Mozilla.Org policy page [mozilla.org]. All versions of add-ons are supposed to start out in the the Sandbox for review before they can go into the Public area. They can just as easily be kicked-back into the Sandbox if it's later shown that there's something wrong with them.
I heartily recommend that you file a complaint with the AMO editors, amo-editors_atsymbol_mozilla.org, since NoScript is clearly violating the following rule:
Do the add-on and add-on author both treat the user respectfully?
Your software should not intrude on the user unnecessarily, try to trick the user, or conceal any of its activities from the user.
How the obfuscated code in NoScript's content/noscript/MRD.js file got through the Sandbox review process is a question I'd like to see answered - perhaps only the initial add-on versions are reviewed and then updates get fast-tracked. AMO reviewers are all unpaid volunteers and are probably overwhelmed by the number of submissions, so this wouldn't surprise me.
Re: (Score:3, Insightful)
If you feel entitled to read someone's content, why do you feel entitled to read it without ads?
I feel entitled to read anyone's content that is published on the Net for everyone to view, in any way imaginable - from my desktop or from my laptop, while picking teeth or sitting on a crapper, with or without ads. In fact, scratch that - there's no "entitlement" in this, even. If content is published to be read, then don't complain when it's read, and don't try to shove your presentation of that content on me. I consider ad blockers in the same category as browser settings that let me override author's h
Re:Sleazy and disgraceful (Score:4, Insightful)
If you feel entitled to read someone's content, why do you feel entitled to read it without ads?
Because it's being displayed on my computer.
TV stations are free to broadcast all the ads they want. But in turn, I'm free to change the channel during a commercial break, or mute the sound and go fix myself a drink, or record the show and watch it later by fast-forwarding through the ads. They decide what to send me; I decide what to accept from them.
Web site operators are free to put all the ads they want on their page. But again, I'm free to pick and choose what I want to pay attention to, or spend my time, bandwidth, and CPU power downloading and rendering.
If the web site operators have a problem with that, then they have a problem with the design of the web itself. When they start paying for my computer and internet connection, then they can tell me how to use it, but not before -- and they still can't tell me what to pay attention to.
I used to read a website where behind the banners, the author had a simple text graphic worked into the background with text along the lines of "If you can read this, you are hurting my ability to pay for the hosting of this site".
See, that's fine. Don't force anything on your users, just be honest with them.
Scum. (Score:5, Insightful)
NoScript will no longer be permitted on any of my computers, period. This is unacceptable behavior. If I'd payed for the addon, I'd be demanding a refund. As it is, all I can do is try to take back the favorable word-of-mouth I've been giving the author, and try to find a version without the invasive behavior.
Re:Scum. (Score:5, Funny)
This suddenly explains a lot (Score:5, Insightful)
For some time now, I have been getting more and more annoyed with the regularity of NoScript updates, especially as it would ALWAYS open the home page after every update, this is after the nuisance of me already having been asked to restart Firefox for the addon update.
Now it makes sense, they clearly artificially make this happen just for adrevenue. The addon probably doesn't even need that many updates.
Anyway, even though I know I can change the option to not go to the homepage after each update, I am tired of having to restart Firefox once a week for software which is for the most part adware. I barely use noscript, except on 1 site, I'll wait for someone else to make an addon which doesn't piss me off, or simply tolerate the minor annoyance of that one site.
As for the real world security benefits of noscript, they are questionable at best. If a website codes itself so it needs javascript, one would likely turn on noscript, and then the website could run malicious code.
Re: (Score:3)
Where is said option. I looked in NoScript and was unable to find it. Maybe I've just had too many tonight though...
Re: (Score:2)
I've looked for it unsuccessfully also. I haven't had any tonight, so I don't think that is your problem.
I say we were lied to!
Re:Disabling NoScript Update Notificaions (Score:5, Informative)
Scroll down to: noscript.firstRunRedirection
Right click this value, and 'toggle' it to false.
Due credit goes to posts at http://adblockplus.org/blog/attention-noscript-users [adblockplus.org]
Good thing (Score:4, Insightful)
This is an exact example of why it's so important for source code to be freely viewed. The OSS model works - this demonstrates why and how. When developers are motivated by the wrong sources and use unethical means for obtaining their ends, users can be made aware of their digressions. Good work by the Adblock team.
Re:Good thing (Score:4, Insightful)
Funny, I thought that all Mozilla (Firefox/Thunderbird/Sunbird/etc) add-ons are already, in effect, open source.
The .xpi files that they come in are just .jar/.zip files containing all of their Javascript source code, styles and images. The NoScript author in this very case actually went out of his way to obfuscate the code in the content/noscript/MRD.js file just to make it harder for people to see what he was doing. Luckily, there's an easy way to decode it (credit to the Matt McCutchen who posted in the article's link):
mkdir tmp; cd tmp /dev/fd/3 3MRD.unescaped.js
s/\\\\x([0-9a-f]{2})/pack q{c}, hex(\$1)/ge
EOS
wget http//software.informaction.com/data/releases/noscript-1.9.2.xpi
unzip noscript-1.9.2.xpi
unzip chrome/noscript.jar
perl -np
less MRD.unescaped.js
It shows, unfortunately, that even open source software can be malicious. It's just easer for people to find the nasties.
Trust, once betrayed, cannot be mended. (Score:2)
NoScript will never be installed in my computer never again, alas, it has been disable for most of it lifetime in my profile.
I'd fork it if I actually cared for it, but still I invite people to down rate it in mozilla.org and uninstall it from their computers. In the FOSS world the only way to vote is with your feet.
Indicative of more serious problem? (Score:5, Interesting)
This highlights a security problem: if addons can affect/patch each other, how can you ensure the integrity of the browser?
Example: a malicious addon is released, and it takes some time before the malicious behaviour is discovered, and people delete the addon. But has it injected malicious code into other addons on the system? Now you have to remove all addons to be sure.
Is this outlandish or possible? Has Mozilla implemented any security against such an attack?
Re:Indicative of more serious problem? (Score:4, Interesting)
Thank you! Finally someone points out the real problem. If this was a story about a Windows app, it wouldn't have taken NEARLY as long for someone to point out that the real issue is lack of security with the platform.
Re:Indicative of more serious problem? (Score:4, Insightful)
What do you define as malicious behavior? A Firefox extension can modify the browser in almost regard. There's not much you can do to sandbox the extensions without removing the flexibility of the extensions feature altogether.
Bottom line: You, the user, take responsibility for any software you install on your computer, even Firefox addons.
Solution (I hope) (Score:3, Interesting)
Alternatively, look for another script control addon. Personally I've been getting rather pissed at the opening of new tabs on each update for a while now; not just NoScript either. Depending on whether my thinking will keep the block in place and how much longer I'm willing to accept the tab opening shit, I am close to removing it myself. There is YesScript and Controle De Scripts on the addon pages but I've not yet tried them.
It may help to let the NoScripts people know why their usage numbers are going down on their Mozilla addon feedback page. Perhaps if they see enough people are pissed off, it may change things.
NoScript's side of the story (Score:5, Informative)
Here's a post where the NoScript guy asserts his reasoning for it: http://forums.informaction.com/viewtopic.php?p=2777#p2777 [informaction.com] basically he says that the update to the filterset broke noscript.net making things like the menus unusable.
In this post http://forums.informaction.com/viewtopic.php?f=7&t=877&start=90#p3162 [informaction.com] he claims that the inability to remove the noscript filterset is a bug and that the next update to noscript will fix that and prompt users beforehand.
A word from a NoScript Forum Moderator (Score:5, Informative)
First, I'm not an anonymous coward, I'm Tom T., a Moderator at the NoScript Support forum. Just didn't need one more U/P login as probably a
one-time poster here. Having read only the top pages, just wanted to make sure that these points were covered:
1) Giorgio Maone himself has pointed out repeatedly, including at the thread in question, that anyone can disable his pages' ads with NoScript just by blocking the Google-Syndication scripts. NoScript itself cannot be circumvented in this blocking, even by NoScript. :)
2) For those who think the updates are a revenue-(ad-viewing)-generator, aside from the fact that the NS FAQ includes simple instructions for turning off the home-page redirect for each update (try reading the FAQ before criticizing), please look at the complete history and at how many times some new attack, e. g., XSS etc., has surfaced, and Giorgio has dropped everything -- wife, new baby -- and rushed to protect NS users with an update. Some of these updates turned out to prevent future attacks that weren't even known at the time of the update. Go to the Changelog, see the number of feature requests/bug reports, and tell us which ones were unnecessary. Go to the blog of world-class hakker Sirdarckhat, http://sirdarckcat.blogspot.com/2008/06/hacking-noscript.html, who has responsibly and privately reported his discovered vulnerabilities, and note his comment on Giorgio's response to such reports:
"Is important to say, that Giorgio fixes stuff in "hours", (or minutes in some cases), and he has done some crazy stuff, just so NoScript users can be safe, so if you dont use it, go get it."
Straight from the hakker's mouth there, peeps.
3) As a personal opinion only, and not speaking for Mr. Maone, NoScript, or the NS Support Forum, I have repeatedly recommended AdBlock Original, in which only I can set blocks or permissions, no one else, and with which I can affect or hose only my own machine, not anyone's else, nor can I affect anyone's web site. That is why NS does not offer "blacklists", despite repeated requests from users who don't want to be bothered with making their own decisions (the whole point of NS), and why, despite my great respect for Wladimir Palant and his product, I don't use ABPlus. True, I don't "have" to subscribe; I just don't want to open that door. The only exception would be the Hosts file, offered by http://www.mvps.org/winhelp2002/hosts.htm ,which has *specific criteria*: a site must drop tracking cookies or drive-by adware, spyware, or other malware; and the file is plain-text readable and editable by any user to remove any block-entry that they feel is unnecessary. I never have. They're all there for a good reason and are sites I don't want to allow my browser to connect to.
4) Anyone who thinks that scripting or other web executables are without danger and require no user attention probably shouldn't be using a computer, or is already pwned. Do some research. "If you aren't worried, you just don't understand the situation." Cheers!
Re:A word from a NoScript Forum Moderator (Score:5, Insightful)
As it is, Giorgio acted like a piece-of-shit, scumbag, newbie-hacker throwing a temper tantrum, should be ashamed of himself for embarrassing himself, YOU, and everyone on the project , and needs to make public apology for his misguided attempt. Here's a hint. If you put it in the documentation, README or changelog it WILL NOT BE READ. Get out an update which says, "SORRY! We've rolled back all the patches for this to version xxxxxx, and we will never make any changes outside our application without your PRIOR EXPRESS INFORMED CONSENT. And then learn from this mess -- and don't fuck up like this again.
NoScript 1.9.2.6 fixes it (Score:5, Informative)
Giorgio released version 1.9.2.6 which disables the filter. I quote from http://noscript.net/?ver=1.9.2.6&prev=1.9.2.5 [noscript.net]
It seems that he eventually got it right.
Re: (Score:3, Insightful)
Giorgio released version 1.9.2.6 which disables the filter. I quote from http://noscript.net/?ver=1.9.2.6&prev=1.9.2.5 [noscript.net]
It seems that he eventually got it right.
It seems that he eventually got caught.
Re:Links are helpful (Score:5, Informative)
First, noscript added code that disabled adblock plus if EasyList was used. Then, noscript auto-adds (no user prompting) an abp subscription whitelisting his sites. You cannot delete it (it readds upon FF restart), only disable it.
Re:Links are helpful (Score:5, Interesting)
I always thought the incremental updates to NoScript were too frequent to be entirely for the benefit of its users.
1) Involuntary web page visits after an update
2) serve ads
3) no step 3
4) profit
He probably looks for any typo that he can fix to get the next update out on time. At some point he needs to just call it adware, and I think we'd all agree that point has been reached. I'm now going find a way to avoid going to his page after an update, that way it won't matter if his ads were blocked or not.
Re:Links are helpful (Score:5, Informative)
about:config
set noscript.firstRunRedirection to false
Re:Links are helpful (Score:5, Interesting)
but the Mozilla Add-on Policy requires them to inform you in some detail of what is being changed by an update. Since you're in a browser, a web page seems the logical way to do it.
Maybe you shouldn't update them all at the same time?
Re:Links are helpful (Score:4, Insightful)
it desperately asks for an answer
So, begs the answer surely?
Re:Links are helpful (Score:5, Insightful)
You should have stopped right there.
Re: (Score:3, Interesting)
How's that going to stop nefarious scripts running?
Re: (Score:3, Funny)
Re:Shhhh! (Score:5, Insightful)
It's somehow okay now that an extension goes behind the users back and circumvents other plug-ins? Especially a plug-in that most users use presumably to protect themselves against malware and intrusive JavaScript driven ads?
I sure hope the community will step up and create a new open source plug-in that goes "back to the basics" (disable JavaScript per site + whitelist) and people ditch NoScript faster than you can say "WTF!"....
Apparently the NoScript developers (which is btw. the most obnoxious plug-in I currently have installed; re: updates...) heads have gotten a bit to big for their own good.
I can't wait to see the fallout from this one. Hopefully at the end NoScript in it's current form won't exist anymore!
Re:Shhhh! (Score:5, Funny)
Parent is correct; NoScript is EVIL. It will install malware, upload \My Pictures\ to a russian server and molest your children. The frequent updates the parent complains of are required to keep the NoScript's keylogger signature ahead of the anti-virus databases. NoScript was funded by Scientologists and developed by Sony. Users of NoScript are providing bandwidth to global botnets and have copies of all IM and email forwarded to the NSA.
STAY AWAY
Re:Shhhh! (Score:5, Informative)
(which is btw. the most obnoxious plug-in I currently have installed; re: updates...)
Set noscript.firstRunRedirection to False and it won't open the homepage after every update.
Re:Does this shock anyone? (Score:5, Insightful)
Re: (Score:2)
Or another solution is to just avoid visiting websites you don't trust. It's kind of like only using bathrooms that are cleaned often.
Re: (Score:2)
Re: (Score:3, Interesting)
I would expect most /. users would be smart enough to actually see what's being changed before updating something.
Except that the Update Add-ons dialog doesn't have a link to the Changes page for each add-on that's about to be updated (Mozilla is talking about adding that feature, by the way, not just because of this particular incident).
I doubt most NoScript users would bother to check the Changes page even if the link was there - it's already running on their browser and has probably earned the rank of Trusted Add-on in their minds. I'm not convinced that NoScript-using /. readers would be much different.
Re: (Score:3, Insightful)
I find it incredibly ironic that two ad blockers are at war with each other over blocking ads that support their service
NoScript is supported by ads, and maliciously tries to prevent them being blocked by AdBlock. However, AdBlock itself is not supported by ads, and does not try to block NoScript in a similar fashion. It may be a war, but it's pretty one-sided, and it's fairly clear who's being an asshole here.
I hope this isn't a preview of what's to come if the use of ad blocking software becomes widespread.
It is already widespread, even for IE users.
Re: (Score:3, Informative)
I find it incredibly ironic that two ad blockers are at war with each other over blocking ads that support their service.
They aren't. Adblock Plus isn't ad-supported (Wladimir doesn't even want donations),
and NoScript isn't (primarily) an ad blocker.