

Apple, Microsoft, and Google called out by Mozilla to "stop being evil" - roadnottaken
http://www.pcpro.co.uk/news/363196/apple-microsoft-and-google-attacked-for-evil-plugins

======
swies
The solution of asking users if they want to install these plugins is
horrible.

The average user has no idea what a browser plugin is. Adding an option (or
even worse another screen in the installer) for this will only result in users
accepting the default anyway and also feeling confused/stupid/scared for not
understanding it.

This for-nerds-by-nerds hyper-configurable approach is a big waste of time.
Normals just want sensible defaults. This is the big idea we're pushing with
Ninite and it's frustrating to see someone fail to grasp this so publicly.

~~~
devinj
Every installer I've used that had any user-friendly implicit settings, also
had an "advanced" mode where you could override them, in addition to the
button that just installed the software with default settings. Why can't it be
put there?

~~~
swies
Putting the option in an advanced pane would be as good as not having it. The
sort of people who would see it are the same ones that already keep an eye on
their browser plugins and uninstall ones they don't like.

I guess my real issue here is that this guy is picking the wrong fight. It's
not about consent to install, it's about good or bad software.

Most of the stuff he calls out is probably a win for average users. They can
click a link to a song and buy it right away, for example. It's good software.

I get the feeling this guy would be fine with things like the Yahoo or Ask
toolbars (bad, horrible, terrible software) because if users stay on their
toes while installing stuff they could opt out. Normal people just take the
defaults though, and get stuck with a crapped up computer.

Adding choices to the installer feels like the smug, nerdy, you-need-my-help-
to-use-computers approach.

~~~
lukeschlather
I agree that putting it on the advanced pane would be as good as not having
it.

But I disagree that it's good software. Especially in the case of Windows
Live, this is Microsoft forcing proprietary extensions in in lieu of actually
developing tools for the open web. And in the case of Apple, I think the
assumption that people want third-party tools adding hyperlinks to web pages
is faulty. Mozilla puts out a solid product, and I haven't heard a lot of
people complaining that it needs more tacked-on features.

What it comes down to is that software packages that modify other software
packages are bad software. Packages should be self-contained.

~~~
contextfree
So plugin models are bad, period? No software should ever be extensible? What
about operating systems?

~~~
lukeschlather
There's nothing wrong with plugins. The problem is when I apply a plugin to
one package (in these cases the core OS) and it silently adds a plugin to
another package.

Unintended side effects are bad.

------
jeroen
Original post from Asa Dotzler:
<http://weblogs.mozillazine.org/asa/archives/2010/11/why_do_they_think_th.html>

The linked pcpro article doesn't add anything of value.

------
mlni
In my opinion these examples are mere annoyances compared to the evil of the
Skype plugin. It actively monitors and modifies all of your browsing so it can
inject those green Skype "call" buttons in unexpected places. Now that I call
evil.

~~~
josh33
Funny thing though. Some people that aren't as aware have nothing but praise
about this plugin. I once built a web app that displayed customer phone
numbers. The client using the app called me one day to thank me for
integrating Skype into the app. I had to convince him I was a good developer
even though I didn't put Skype into his app.

------
andreyf
Googler here. I can raise this on the internal [eng-misc] mailing list, but I
can't replicate his results: I have Chrome installed with no unwanted plugins
in Firefox, and when I downloaded Google Earth, I get:

<http://dl.dropbox.com/u/404957/gearth.png>

Ditto for iTunes. Or is he talking about Windows?

~~~
vetinari
Yes, under Windows:

Google Earth Plugin File: npgeplugin.dll Version: 1.0.0.1 GEPlugin

I'm sure I didn't ask for it.

And while you are at it, please stop putting Google Earth icon on my desktop
after every update. I deleted it for a reason (no icons except Recycle Bin on
the desktop). Same about start menu entry (I moved it into another folder.
Stop recreating the original location).

------
sudont
This isn't evil. This is inconsiderate. Evil is spyware, data logging and
uninstallable plug-ins.

So, really, this is hyperbole.

~~~
archangel_one
My Firefox currently has a plugin named "Windows Activation Technologies". I
assume this was installed by Microsoft; presumably it's not spying on me
logging my data although I don't of course know that for sure. But there is no
option to uninstall it, so by your definition that is indeed evil.

~~~
halostatue
You get that if you do a Windows activation through Firefox instead of
Internet Explorer.

Would you prefer the alternative of only being able to activate Windows
through IE?

~~~
shadowfox
You can also choose to run an application each time and paste in a result, if
I remember right.

------
Steuard
Is this "called out by Mozilla" or "called out by Asa Dotzler"? After all,
Benjamin Smedberg just posted a reply that begins "Asa is wrong":

<http://benjamin.smedbergs.us/blog/2010-11-29/software-integration-is-not-evil/>

If Asa's post represented official Mozilla policy, I would have expected that
to be more explicit.

------
alanh
He has a legitimate concern, but calling it evil is a bit trollish.

I’ve been ignoring Dotzler since his blog post on the IE7 beta, way back,
which was essentially “Microsoft sucks, Microsoft sucks and can’t innovate,
nothing of value in IE7, hmm here are some IE7 features I hope we clone at
Mozilla.”

I guess a nice way to put it is, he’s _rabidly devoted._

------
unshift
my 78 year old grandfather recently upgraded his copy of firefox and
mysteriously the Yahoo toolbar was installed, and his default search engine
and homepage were set to yahoo. firefox should stop being evil.

~~~
roadnottaken
The Yahoo toolbar gets installed almost every time I update Java or Flash. It
drives me crazy because (a) I want to update frequently to stay secure, but
(b) I don't want to get a bunch of crap bloatware and it seems like they use a
different "gotcha" technique every few months so I always get duped.

It's infuriating because it makes (some) users want to avoid these updates
which are, presumably, in the interest of the entire community.

Can't they get their ad-revenue somewhere else besides _critical_ security
patches???

~~~
jasonlotito
I've never had Firefox install Yahoo! toolbar or such on an update, or on
install.

~~~
SpikeGronim
The Java update system prompts me to install the Yahoo! toolbar each and every
time. You can click "no" but you need to be diligent. It's infuriating - I
don't want the toolbar!

------
naner
Why doesn't Firefox have protections against this?

~~~
archangel_one
These plugins have been installed by something running with root-level
privileges on that machine. It's pretty hard to protect against that since it
could (theoretically) replace firefox.exe entirely.

There are things you _could_ do but it'd turn into a ridiculous arms race; it
would be much easier if these companies just stopped doing it.

~~~
mishmash
Why couldn't they store a hash of the plugins of a given profile on the
server, and check that at startup? It wouldn't be much different than their
already existing malware checks.

~~~
aboodman
This would work reasonably well. It is still circumventable by "attackers" (eg
by replacing or patching firefox.exe, modifying /etc/hosts, etc), but the bar
is higher.

On the other hand, it also requires Mozilla running and maintaining a service,
which is a pretty resource intensive solution for such a minor feature.

Also some users do not like their browsers phoning home for any reason
whatsoever, so they would want a way to disable the feature. Of course, once
there's a disable switch, attackers can flip it as easily as users.
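
The startup check proposed above, as an added example that is not part of the thread and not Mozilla's code: it hashes every file in a plugin directory, reduces the inventory to one digest (the value that would be stored off the machine), and reports what changed since the approved baseline. The function names and the `.dll` file names are hypothetical, and the plugin directory is a constructed temporary one.

```python
import hashlib
import tempfile
from pathlib import Path


def inventory(plugin_dir):
    """Map each file under plugin_dir (relative path) to its SHA-256."""
    root = Path(plugin_dir)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def profile_digest(inv):
    """Single hash over the sorted inventory: the value a server would store."""
    h = hashlib.sha256()
    for name in sorted(inv):
        h.update(name.encode() + b"\0" + inv[name].encode() + b"\n")
    return h.hexdigest()


def diff(baseline, current):
    """Report what changed since the user last approved the plugin set."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(n for n in baseline.keys() & current.keys()
                           if baseline[n] != current[n]),
    }


def demo():
    """Constructed scenario: another installer touches the plugins between runs."""
    with tempfile.TemporaryDirectory() as d:
        plugins = Path(d)
        (plugins / "npexample.dll").write_bytes(b"constructed plugin v1")
        baseline = inventory(plugins)        # approved at the last startup
        stored = profile_digest(baseline)    # what would be held off-machine
        (plugins / "npsilent.dll").write_bytes(b"constructed side-installed plugin")
        (plugins / "npexample.dll").write_bytes(b"constructed plugin v2")
        current = inventory(plugins)
        return profile_digest(current) != stored, diff(baseline, current)


if __name__ == "__main__":
    changed, report = demo()
    print("plugin set changed:", changed)
    print(report)
```

The digest only detects change when the stored copy is out of reach of the installer that made it, which is the limit described in the comment above.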

------
jsz0
Apple, Microsoft, Google, etc have a reasonable expectation the user who is
installing their software wants it to work properly with Firefox. Does Mozilla
offer any officially blessed way for third party applications to install
extensions? Why is it even possible to silently install extensions in the
first place?

~~~
aboodman
> Does Mozilla offer any officially blessed way for third party applications
> to install extensions?

Yes:
<https://developer.mozilla.org/en/Adding_Extensions_using_the_Windows_Registry>

> Why is it even possible to silently install extensions in the first place?

It isn't possible for a normal user-level program like Firefox to prevent
other programs from messing with its storage. Those programs would just modify
whatever on-disk state necessary to install their plugins.

The reason most browsers offer blessed ways to install plugins silently is
because developers who are going to install plugins silently are going to do
so one way or another. It's better to offer a maintainable, supportable,
stable way than have developers hack something that doesn't really work.

------
uast23
No browser fanboyism intended but on a related note, Firefox is showing me
popup ads on Justin.tv. It does not happen anywhere else (Chrome). Surprising!

ps: I have been an ardent Firefox user always

~~~
postfuturist
Chrome is a little better at blocking pop-ups by default. Not perfect, just a
bit better.

------
konad
I agree _entirely_ with the sentiment, it would be one of the reasons I don't
use Windows if I didn't have better reasons already. However, when you agreed
to the EULA you gave permission to Microsoft to make any changes it likes at
any time it chooses. I don't have the other two bits of software but I expect
you gave them the same permission via the EULA too.

