The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts-in on studies.
Nobody is concerned about that, in my opinion. I'm concerned someone will push malware through Mozilla into Firefox installations. Pushing addon installs should not be possible at all.
Mozilla installing a bunch of addons that look like viruses ends up preventing users from being able to identify actual viruses.
To quote an ex-Mozilla employee:
> Because the Mozilla Foundation is a nonprofit corporation, it has a specific legal purpose for existing spelled out explicitly in its articles of incorporation: "The specific purpose of the Corporation [here meaning the Foundation] is to promote the development of, public access to and adoption of the open source Mozilla web browsing and Internet application software." If Mozilla Foundation were to ignore this mandate, it would jeopardize the nonprofit, tax exempt status of the foundation.
In this case they are definitely ignoring the mandate, and this should never remotely have happened.
Source of the legalese: https://static.mozilla.com/foundation/documents/mf-articles-...
"Looking Glass is a collaboration between Mozilla and the makers of Mr. Robot to provide a shared world experience."
It doesn't matter who technically coded it. "Mr Robot marketing department" was obviously deciding about its existence, behavior and content -- if that description is true.
But looking at the source of the extension, I find the following URLs inside:
So it seems it is some marketing, the question is which company now, and do they change?
An art director and copywriter sat in a room together over two days and came up with lots of different ideas to generate PR for Mr. Robot. They presented the ideas to a creative director, who went through the work and picked the one he felt was most suitable. They presented it to the client, who supported the idea.
There would have been some line of communication from the creative agency, whoever owns Mr Robot, a media/PR agency and Mozilla. The idea was bought by the client, had the agency liaise with media/PR, got in touch with Mozilla with an undisclosed donation and the add-on was coded.
Then some marketing people both in and outside of Mozilla push something that is probably not passing the same strict reviews.
It points to the organizational problem in Mozilla.
Re: "not sure": don't worry, some people do this not for the content but for the author, some lack reading comprehension and some just press the wrong button. Just vote yourself, and if you reply, say that you agree, don't mention the word you mentioned.
This looks like "let's give little Perry and these marketing departments something to play, whatever, it's just an extension, who cares." So little Perry writes a description of the extension "MY REALITY IS JUST DIFFERENT FROM YOURS", the extension gets silently pushed to all the US users(!) (Firefox has support for that) who freak out, and the first response from somebody involved with that was "it was not supposed to be seen." You see, it was planned to keep the extension also "invisible" to the users -- Firefox has support for that too! The extension was obviously not formally reviewed or formally tested, if the "invisibility" was the goal. Of course, it being "invisible" wouldn't be better. It's a misuse of the whole mechanism, compared to what Mozilla explained to the users. The mechanism was supposed to allow making "studies" from the behavior of the users who agree to take part in them. Instead, it was an attempt at a "viral ad" that was delivered to the whole Firefox-using US population. There are multiple wrong decisions in this story.
Now I hope Mozilla does get the idea that the users do care.
Non-US user here, my Firefox got it, too.
BTW: the extension we all talk about here has exactly this site that is used for checking the headers hardcoded inside, obviously in order for the developers to test their newly coded functionality with which they add an additional header entry in the request to some specific sites, specifically, the "main target" is a brand (I've given the link earlier on in this thread). It's obviously an advertisement for the US as that "main target" site is only meaningful to the US public. But it's obviously not the whole story.
If your language is not en-US it's worse than what I've understood.
Studies are enabled by default.
The exception is that an addon can do slightly less damage than a compromised browser itself.
If any software developer would truly respect users, he would offer updates as separate packages, where users can opt out of non-security ones, and those updates humanity votes with their feet against vanish into the bin of useless software.
At that point, it’s probably better to just stop feature development and do nothing but security patches, which of course will lead to stagnation and which will also lead to fragmentation as many more incompatible releases of the same software will be out in use.
This will make it even harder for developers to adapt new technologies. Imagine how bad the already messy caniuse.com would look when every single browser version would be supported forever and could be individually configured feature by feature.
Especially as people somewhat versed in technology (I think it’s safe to call HN audience that), I think there is advantage in going with the flow and adapting to new releases and UI paradigms.
Otherwise we'd still be running on DOS and us developers would still have to support it.
Relevant XKCD: https://xkcd.com/1172/
...why imagine? That's life as a Windows/Linux/Android dev. (Apple is sort of a stand-out because it has vastly fewer installable parts and less versions in the wild such that it's actually possible to test every patch level of every supported version of macOS or iOS at any given time).
But none of that makes push updates right or wrong. The reality is that it's less of a push than it is a pull anyway - in this case the client is asking for updates on an interval, and the server says "yep, there's one for you." The client grabs it and installs it. And it's turned on by default because, for the most part, that's the right thing to do for your users: you'd rather them be on the newest patch level. Hell for IT admins though, which is why it's almost always a feature they can disable at will.
So here's where this case differs: it's an "experiment" that's actually just marketing trash pushed through the "experiments" channel which is also armed by default, rather than a security or product update (which anybody reasonable can argue should be on by default - secure by default is the goal, after all). The only "experiment" in this case is seeing how many users will put up with Mozilla continuing to pimp out Firefox to the highest bidder as a grab for a new revenue stream before they reluctantly switch back to Chrome.
And judging by the backlash on patches like this one, it's not going so well...
I'm asking because Debian and backports are doing exactly that: separating security patches from the rest, not for a browser but for a whole OS and every application, including Firefox.
Also, this XKCD is not relevant. The point here is that Mozilla has quite a history of breaking userspace, earning them the reputation of "making far-reaching and very short-sighted decisions in a vacuum."
I.e. code splitting and reducing bloat, and speeding up development by providing some features as add-ons...
Some of the comments are mentioning IT managers banning firefox, those will be the same IT managers doing all the other pennywise/pound foolish things that make you try not to work on their team in the first place.
Maybe it’s actually good to put something scary sounding in there to raise awareness. It could help people understand that scary phrases are not the most common sign of foul play. When the real hackers come for you, they usually don't look scary at all.
Firefox is bleeding market share and has been for a while. Despite this, revenue and profit are at an all time high for Mozilla, which is weird as the revenue comes from sending their users to Google for being profiled and exposed to ads.
Meanwhile long time users lose faith and trust in mozilla and firefox.
Not exactly the best time to be caught having "a little fun" move showing that they will sneakily install stuff in your browser without asking.
Then again mozilla is "making far-reaching and very short-sighted decisions in a vacuum."
UC Browser 7.98%
Internet Explorer 3.88%
That all versions of Firefox combined barely do better than an obsolete unsupported browser that the manufacturer actively tries to remove from the market is not a good sign.
Even so, to briefly chase your point, do you believe they are doing net good, and some things are looking more positive, like the Servo work? My only point is that criticism works on a relative scale. I agree there are things they could do better, but I still prefer they exist.
If you are the good guy then your enemy is the bad guy but from the bad guy point of view he is the good guy and you are the bad guy.
No one is ever the bad guy in the movie of her own life.
Servo, or whatever else they could come up with, will never reach a net good for me as I need ALSA support and the extensions Mozilla has dropped to make Firefox useful to me.
I would rather have them disappear so there is room for something better to exist in its place. Right now they are occupying space and preventing an alternative from emerging.
The sad part of this is that by accumulating blunders, near-sighted and far-reaching decisions, with their attitude of not caring about user feedback or user freedom of choice, they managed to turn me, a long time supporter (since Netscape times) that has based part of my business on their browser, against them and wishing they would go away. This is quite a feat in itself.
I'm not sure there is another entity that managed to alienate me that much, not even canonical or gnome.
It seems like a lot of addons are being ported to the new apis too. Maybe you are too hasty?
There are distros, Void Linux (which I am using right now) for one, which ship without pulseaudio (or systemd for that matter) installed by default, thank goodness.
One potential downside is that now people might not pay close attention to the installed addons. "Oh, must be some Mozilla thing", as GoldenDwarf quietly consumes user CPU cycles to mine cryptocurrency for someone else.
who knows, you may totally change my mind, but as it stands it makes it difficult to disagree or agree with you.
I opted into FF telemetry and "studies" with the understanding that some extra data would be collected and experimental features or specialized debugging tools might get pushed to my browser (like the last "study" I saw for collecting JS errors).
This addon is none of those things. It is an advertisement. Call it an "alternate reality game" if you like, but it's an advertisement for a television show. It has nothing to do with making Firefox a better browser.
Using the Shield Studies program to deploy extensions and advertisements that have nothing to do with the original stated purpose is an abuse of the tool and a breach of trust.
That's all aside from the fact that there have been numerous reports of people receiving the addon who never opted in to Shield Studies in the first place.
Even if it's ostensibly about ideals I might agree with, this was a very poor decision and a breach of trust.
Nothing I can do about it. Can’t argue. Trust is very, very easily lost and incredibly hard to regain. And it can hit innocent third parties. It’s very, very wrong to do anything that could destroy trust.
Same here for looking glass, we do not want corporations to be in control of our stuff. Mozilla showing that they have built the capacity to auto install addons into your browser is quite the issue, you can rest assured that some are already working on ways to abuse this.
That they have done it as a promotional marketing trick and not for something useful or serious sends the wrong kind of message on top of it.
Yeah, add-ons from Mozilla merit the same trust as the browser. But this cuts both ways, this stuff undermines my and probably more people's trust in the browser.
“Firefox worked with the Mr. Robot team to create a custom experience that would surprise and delight fans of the show and our users. It’s especially important to call out that this collaboration does not compromise our principles or values regarding privacy. The experience does not collect or share any data,” Jascha Kaykas-Wolff, chief marketing officer of Mozilla, said in a statement to Gizmodo. “The experience was kept under wraps to be introduced at the conclusion of the season of Mr. Robot. We gave Mr. Robot fans a unique mystery to solve to deepen their connection and engagement with the show and is only available in Firefox.”
This is horrible. They pushed out this crap under false pretenses as a study and obfuscated it. Don't talk the ethics talk if you're not prepared to do the ethics walk.
The problem is that Mozilla is a good company, that has had a true net positive effect on the world, especially in tech, and continues to do so today with wonderful projects like Rust etc.
If Mozilla were a shitty company, we could all simply dismiss Firefox and get on with our day. But Mozilla is not a shitty company and the fact they keep shooting themselves in the foot like GP said, the fact they are completely out of touch with their userbase, that they cannot see the OBVIOUS problems with this addon even after the Pocket debacle, is ridiculous.
Forking a project, and adding features and removing pulls that you don't want and/or need is kinda the idea behind the whole 'open source' thing.. cause what else would you do with the source code, but compile it.
Speaking of Firefox, a build or two ago, without warning, Firefox deprecated (broke) every add-on. Because [insert-old-architecture-security-justification]. It's not like anybody was doing anything real with a browser anyway.
This design decision is behind a large part of the performance improvement in 57.
Yes I'm sad, I lost some of my favourite addons as well. But this move was announced well in advance and it had a serious technical reason behind it.
In a difficult situation, Mozilla made a tough decision that is good in the long run and that benefits all its users. Crying "fork!" over it is so blind it leaves a bad taste in my mouth.
> So if someone forks over 1 change or 10 they are still libre to do it, or is that passe?
It's nonsense. Doesn't mean they can't do it, doesn't mean it's not nonsense. Furthermore, in some situations, forks can be harmful to the overall health of an already fragile ecosystem. They're not free of externalities.
It also won't get any of the improvements Mozilla is in the process of making, so it will ultimately be slower and with fewer features.
> "The experience does not collect or share any data," Jascha Kaykas-Wolff, chief marketing officer of Mozilla, said
Looking in the sources of the extension, it adds additional HTML header to every HTML request to https://www.red-wheelbarrow.com/forkids/ pages. The activity of the users there could of course be tracked and the data dependent on the extension being active collected. Good try Mr. marketing officer of Mozilla delivering Mr. Robot ad using the mechanism for the "studies."
> "Firefox worked with the Mr. Robot team to create a custom experience that would surprise and delight fans of the show and our users."
Obviously fail. Surprise, yes. Delight? No.
The whole thing is still suspicious: it was delivered to everybody whereas if it was supposed to be used only by the users who are aware of it, as now Mozilla tries to spin it, i.e. only to those who decided to "play the game", then the hidden install, especially to every user, was unnecessary as the normal extensions to Firefox are easily installed by the user, a click or two are enough:
"## Observed data
- Possible page view counts on SUMO
- Possible page view counts (with and without the special 'enrolled' header) on Partner pages."
I've also already explained the "special 'enrolled' header."
The turning on was obviously either planned for some special moment, which wasn't the moment that the extension was actually delivered, or the extension was accidentally delivered in the unfinished state -- doesn't matter, it provably didn't get enough scrutiny, see my other comments here for the details. The damage it has actually done is regarding "tracking" less than planned, but regarding annoyance of their users probably more.
If they'd decided to sneak in a Mr Robot-themed easter egg I wouldn't really care. The fact that they decided to use a debugging/telemetry permission to push out a stupid marketing gimmick makes me question the judgement of everyone involved.
Much like some other situations in the political arena over the past 2-3 decades, I don't care that much about what was done but the decision to do it makes me question the judgement of people that I'm supposed to trust to make good decisions.
Wrong (unless proven otherwise).
From the Shield Studies FAQ:
> What data do Shield Studies normally collect?
> - at STARTUP, SHUTDOWN, INSTALL, UNINSTALL, - send a `shield-study` packet containing the Unified Telemetry Environment.
As was stated before, users report that they have had this extension pushed to their browser without their prior consent to sending any telemetry data.
I would not care about silly stuff, like say a Christmas easter egg. But this wasn't meant as a silly joke.
I don't watch television, and I don't keep up with any popular modern shows. I had no idea what Mr. Robot was until looking through this thread, and the description text for the addon was, at first glance, suspicious. This was a terrible idea and isn't even remotely analogous to applying security updates automatically. If I have something I specifically installed, fine, I can expect those addons to be updated automatically. I don't expect them to side load something I don't even want. "Delight fans" my ass. You have to be a fan first, and I'm not even sure most people who are fans of Mr. Robot would think this is a particularly good idea.
Funny enough, the only thing I can think of that's even remotely similar to this is the "Hello Dolly" plugin for WordPress, and that's installed out of the box as part of the distribution.
I would not want it to have this kind of power as the security patches and critical updates are provided by the kind people managing the distro repositories, and if it could update itself it would remove the third party patches required because Mozilla has been refusing for 15 years to integrate correctly in my desktop environment but did integrate in the main competitor.
It's also moronic to have a different update policy per app that is achieved in 35 different UIs.
This is the norm on Windows because they were late to the party as far as a central source of software and further managed to make it an unattractive proposition and didn't get much buy-in from developers.
Totally aside from the implicit security issue the ui flow is also terrible. Either each of 35 different apps runs their own update checker process in the background wasting your resources and prompting you at annoying times or when you run an app one out of n times it will prompt you to update whereupon you will ultimately have to stop doing whatever you were actually doing and let it update itself and restart.
It is truly amazing that people not only put up with this ridiculous situation but defend this as a feature.
Your system should periodically on a schedule you set update every piece of software you own and never bother you otherwise.
It sounds like a valid reason for being able to auto-install add-ons.
For example, Australis and Classic Theme Restorer.
Security updates were and still are configurable to be installed after prompting, also when they are installed automatically I am notified that this has happened.
There is also an implicit trust in the vendor that only security-related functionality should be changed in a security update.
IIRC the person that advocated for Chromium (instead of a third-party Firefox rebuild) based it on performance (they were dubious Quantum is actually better, I personally find it fast enough except when loading Facebook), as well as the alternative versions of Firefox not keeping up with the official version. Also, supposedly Chromium (as opposed to Chrome) settings are reasonably privacy-friendly out of the box.
They did recommend installing uBO-Extra in addition to uBlock Origin on top of Chromium, which is revealing -- with Firefox, there is not even a need for uBO-Extra.
My original point (which I didn't elucidate clearly enough) is that this Looking Glass experiment is resulting in unwarranted backlash against Mozilla -- whereas from the standpoint of preserving an open web and protecting user privacy it's actually one of the better players.
> Excited to share the launch of @mozilla @firefox Tiles program, the first of our user-enhancing programs
The problem there wasn't just the idea of putting ads in the browser, it was also the way in which they tried to present it as a useful addition, just like every other ad company tries to defend ads.
I don't know how far we got with it, but one of the ideas was to serve a generic bundle of ads, and then select which ones to display locally, based on an entirely private, client-side analysis of the browser's history. Now, that probably shouldn't have been on the new tab page, and probably not in Firefox at all, but if ads are going to be the way we fund the Internet, then that sounded like the best possible outcome: better targeting without remote tracking. Heck, even Brave ran with the idea for a while: https://brave.com/about-ad-replacement/
Serving ads is never a good idea, and no, ads are not the way we fund the Internet; commercial ads are what is destroying the WWW and the Internet.
Defining that as "spying" strikes me as a big reach. It's no more spying than (say) Windows observing what programs you use most and adding shortcuts to them in your Start menu. Software adapting itself to fit the user better is a good thing, as long as it's done in a way that respects the user's privacy, which keeping the data 100% local absolutely does.
Edit: we've had to warn you a lot. Continuing to break the guidelines ends in bannage, so please clean up your act.
Mozilla's job is to find ways to push the web forward in ways that respect humans, and ads are, well, how the web mostly gets funded. So it's entirely within bounds for them to try to figure out ways to make ads work without invading people's privacy.
And if Mozilla really are different, then they should communicate differently: honestly.
Sorry, but I'm uninstalling firefox. They have broken the basic trust I have in them as a user to not push arbitrary code to my machine against my interests.
Well maybe Safari, not because Apple wouldn't, but because they just don't care enough about ad revenue.
Chrome: They leech everything they can get away with, granted it goes only to Google, but you know it's just to feed their never-ending ad-revenue goal.
MS: They bypassed IE only ads, and went on to build ads into the entire OS.
I happen to like text-only browsers for viewing HTML (e.g. HTML tables), TCP clients like netcat for making TCP connections, and my own software for generating HTTP requests. Almost all websites work[FN1], with zero "loading time" as one may experience when using "modern" browsers to do these tasks. I can easily get the content I want (text, with option to download images, PDF, video, etc.) and skip the stuff I don't want. No autoloading of resources. I choose what I want.
Surprisingly, the web is actually getting more, not less text-friendly. Today I can often get text encapsulated in JSON, Markdown, etc. instead of wrapped in HTML, making parsing even easier.
FN1. "work" means I get the body of the page that contains the content.
I'm not sure I agree the web is getting more text-friendly.. it is getting more JSON friendly, mostly, but actually visiting web-pages where JS isn't required is becoming increasingly rare. I've yet to find a text/console browser that can actually run JS. (I know there have been some experiments, but none that actually work last I checked)..
In the distant past, I recall browsers used to hand off media files to other programs, based on Content-Type (see article on MIME posted earlier today). Today, these external programs have been subsumed by the "modern" browser.
Perhaps modern browsers can be useful as offline image viewers, document viewers and media players. As I am in text-mode, the graphical browser is on another computer, connected via crossover cable or LAN. After inspecting their contents in text-mode, I transfer the documents and media files to a fileserver.
The text-only browser OTOH makes all websites look more or less the same, regular, and if in text mode there is only one font, easy to read, IMO less eye strain on black background. It is perhaps better suited for the user that wants fast information retrieval, reliable, efficient file retrieval and cares little about graphical web design.
That said, I still use FF, but I do make sure I keep all the opt-in telemetry and stuff off, since it was one of these settings that "let them" get away with installing the add-on without consent.
Granted the add-on by default didn't do anything unless you enabled it, but still.....
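A way to check a profile for the default-on setting discussed in the comment above, as an added example that is not part of the thread or Mozilla's code: it reads the text of a `prefs.js`/`user.js` file and reports whether the studies channel is effectively enabled, including the case where nothing is set and the default applies. The pref names are real Firefox preferences; the defaults in `STUDY_PREFS` (assumed to be `true` in release builds) and the sample profiles are assumptions constructed for the example.

```python
import re

# Preferences that gate the studies channel. The defaults are an assumption
# for release builds: a pref missing from prefs.js falls back to its default.
STUDY_PREFS = {
    "app.shield.optoutstudies.enabled": True,          # "install and run studies"
    "datareporting.healthreport.uploadEnabled": True,  # telemetry upload
}

# One user_pref("name", value); statement per line, as Firefox writes them.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)


def parse_prefs(text):
    """Return {name: value} for every user_pref() line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = match.group(1), match.group(2)
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            value = raw.strip('"')
        prefs[name] = value  # a later line overrides an earlier one
    return prefs


def studies_status(text):
    """Report the effective state of each gating pref and the overall result."""
    prefs = parse_prefs(text)
    effective = {}
    for name, default in STUDY_PREFS.items():
        effective[name] = {
            "value": prefs.get(name, default),
            "explicit": name in prefs,  # False means "running on the default"
        }
    # Studies are treated as enabled only if every gating pref is true.
    enabled = all(entry["value"] is True for entry in effective.values())
    return {"studies_enabled": enabled, "prefs": effective}


# Constructed sample profiles (not taken from any real installation).
DEFAULT_PROFILE = (
    "// constructed sample prefs.js\n"
    'user_pref("browser.startup.homepage", "about:home");\n'
    'user_pref("browser.startup.page", 3);\n'
)
OPTED_OUT_PROFILE = (
    DEFAULT_PROFILE + 'user_pref("app.shield.optoutstudies.enabled", false);\n'
)
TELEMETRY_OFF_PROFILE = (
    DEFAULT_PROFILE
    + 'user_pref("datareporting.healthreport.uploadEnabled", false);\n'
)

if __name__ == "__main__":
    samples = [
        ("default", DEFAULT_PROFILE),
        ("opted out", OPTED_OUT_PROFILE),
        ("telemetry off", TELEMETRY_OFF_PROFILE),
    ]
    for label, text in samples:
        status = studies_status(text)
        print(f"{label}: studies_enabled={status['studies_enabled']}")
        for name, entry in status["prefs"].items():
            source = "set in profile" if entry["explicit"] else "default"
            print(f"  {name} = {entry['value']} ({source})")
```

A profile that never touched the setting reports `studies_enabled=True` with both prefs marked as defaults, which is the case an audit has to catch.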
So the only way this code would end up on my machine is one of two ways:
1. The Debian Firefox package is pulling code from Mozilla without the maintainer's review (which is definitely possible, given how complex Firefox is and how there's approximately one person packaging updates including timely security updates), which would of itself be seen as a serious problem
2. The Debian maintainer specifically picked up this code as part of the tarball from Mozilla, and shipped it without noticing (also definitely possible!) or decided it was worth including
For what it's worth, I do not have this plugin in about:addons, and Debian unstable hasn't picked up a Firefox update since December 1, so as far as I can tell the system is working properly.
Me, I keep it underground (qutebrowser at the moment) but I'm constantly in search of something better.
When it got popular, smart people started bending it to make being a dick possible, which is how we got the Web of today. I don't doubt the same would have happened to Gopher, if it had been the one to get popular.
Truthfully, this is why I use Safari. Apple makes money by selling me devices and services, Mozilla and Google are both driven by ad revenue. Even good actors within these companies are working within a framework where the customer is the product.
.. also Safari saves like 15% on battery.
To cite some of the browsers you overlooked in your snarky comment.
As for all these browsers, all of them (unless I'm mistaken) are based off of one of the big 3 (Chrome, FF, Safari), so you still have to trust the big 3 to run these, for the most part, as they are all single-developer or maybe a very small team, and would be very hard pressed to catch underhanded attempts from any of the big 3 to embed any nastiness.
+1 for mentioning Otter though - those guys are doing amazing work
Do you have any evidence of this?
Assuming their normal processes for SHIELD studies were followed, a _lot_ of different people have to review the plugin before it gets approved: https://wiki.mozilla.org/Firefox/Shield/Shield_Studies#Who_A...
Edit: Also, the contributors list on the plugin's GitHub repo lists exclusively Mozilla employees: https://github.com/gregglind/addon-wr/graphs/contributors
I worked at Mozilla for about four years (2011-2015), on MDN. It's built as a wiki, with wiki features open to everyone. The code is all open source and on GitHub. Its issues and tasks and roadmap are tracked in a public bug tracker. We operated in a public IRC channel. We didn't have to do that. We could have just built something targeted to only be used by the technical writing staff at Mozilla, and never bothered to open it up or make the code available or make it transparent about who wrote articles and when. In fact, it's much more work to do all the things we did (and not just in terms of implementing features, but also in terms of dealing with spammers and trolls and other malicious people who wouldn't have had access in a less open system), but we did it anyway because Mozilla is a radically open and transparent organization. But... in four years, not many people from outside Mozilla ever joined in and got involved with actually contributing (either code or articles or edits to articles or housekeeping or suggesting/arguing for ideas of how to improve MDN).
And I've been doing open source for much longer than that, and I see exactly the same pattern: a handful of folks do all that work, and go to the trouble of being open and transparent and providing ways for people to see what's going on and get involved... but people don't.
And then those same people willingly install the software and use it every single day, and complain that they were never consulted, or never got a chance to review, or never got to provide input. You had chances to look at the source code, to see what was being checked in, to read the referenced Bugzilla bugs on commits, to leave comments on them, to submit alternative ideas. You didn't. You did install Firefox, though (assuming your claim is correct that this was installed on your computer). By installing the software while not participating in the process, you absolutely gave your "review" of it, and your "review" was "just make a browser for me for free and don't bug me about how".
Now, if you want to be involved, go start watching Bugzilla and the Mozilla project wiki pages, and CC yourself on stuff and join mailing lists. Because it's Mozilla. You can do that. If you don't want to do that, or you don't think it's worth your time to do that, then don't do it. But don't then come charging onto HN to complain that nobody consulted you. People practically got on their hands and knees and begged you to join in the process of making Firefox and other open source software, and you decided not to.
However, when you decided that the source code I could review would be installed on my computer without my consent, then I do object. It's my computer. It runs things that I choose to run on it, not things your marketing/sales department thinks my computer should run.
Additionally I find your rant about "open source is for all of us to contribute and if you don't shut the fuck up" wholly ridiculous.
If you now decide you don't want to run that software anymore, that's perfectly fine and is your choice to make. But arguing that you didn't have an opportunity to know what was going on or review code before it landed on your computer, when you installed Firefox by your own choice, when you decided not to take advantage of the radically transparent and open way it's built, is just not going to fly. You had a million and one opportunities to "review" the code you were going to download and run. You just chose to do other things instead. You seem to regret that, but you also seem not to have learned any lesson from it.
As you'll see, this bug is marked as private (at least as of writing this comment). So, as a matter of fact, it does not appear that even the most diligent user had the option of reviewing what's going on. So far, it has not even been disclosed who among the Firefox peers signed off on this change; that information appears to be private as well.
"Access Denied You are not authorized to access bug 1423003."
This is not hard. Don't automatically install stuff on your users' computers. You're defending something every other software company has found themselves in trouble for previously. I really don't understand why. The fact that Firefox is open source in no way excuses it.
I didn't install and run anything on your computer. I don't work for Mozilla.
And you installed a piece of open-source software whose source code you could have audited at any time, but you chose not to. You delegated the auditing to someone else, and now you're upset at what they chose to do with the power you gave them. You're free to complain that you don't like what they did, and not to trust them in the future, but you don't get to say that you had no chance to give input or to see what would run. You had plenty of opportunities for that and did not do it.
If yes, then why would it be necessary for me to audit anything?
If no, then PLEASE elaborate on why?
This isn't the first time a piece of software, open source or not, has released a new version that did something users didn't expect or were angry about. The sole difference is that, in the case of open source software, you have the chance to review what it will do by looking at its source code prior to running it. The fact that you didn't review it doesn't mean it was impossible to (that would be the case with a proprietary browser like Chrome).
I WANTED TO REVIEW THE CHOICE OF INSTALLING AN ADD-ON ON MY COMPUTER, NOT THE DAMN SOURCE CODE!
By... paying attention to the source.
False dichotomy. I chose to opt into USER STUDIES because I trusted Mozilla. I use Firefox specifically because I do not want to use a browser from a company that makes its money off of advertising, meaning Chrome. I trusted Mozilla to hold to their word regarding what opting in to user studies meant, and they instead gave me exactly what I didn't want: advertising.
If your solution to this is to completely throw away my trust in Mozilla, replacing it with having to spend an extraordinary amount of time reviewing every wiki change, mailing list post, commit, and bug, then you're being ridiculous and showing extraordinary contempt for users -- especially the many users who aren't programmers. Firefox is supposed to be a browser that respects users, but this case shows that it doesn't.
Finally, I have both donated to Mozilla and helped resolve a bug, so I absolutely have participated in the process.
But you're not going to do that. Which is your right; it's just hard to complain about not being consulted/not getting to review/etc. when you're talking about a piece of open-source software with public repositories and trackers. Anyone on earth is allowed to see what's going on in there.
This has nothing to do with open source development at Mozilla or anywhere else, it has to do with what Mozilla the organization portrays itself as. If Facebook had pulled something like this, well, I don't think anybody would have been surprised. For Mozilla, I think it's inexcusable, and after the major marketing push on Quantum as 'Chrome without spying!' it's an amazing own goal. I really want Firefox to succeed, and marketing retards at Mozilla are going to sink the whole thing by garnering exactly the kind of publicity they don't need.
Firefox is not fully open source.
But so does Mozilla. They're a big enterprise when it suits them, and a scrappy upstart otherwise.
The Mozilla brand is looking mighty shabby. Privacy is the one thing they've consistently pushed, and yet I can't recall any serious innovation or stance they've taken in recent years that actually puts their money where their mouth is.
Private browsing was invented by Chrome. Brave shields you from script bloat. Safari's adding machine learning to that end.
Which leaves Mozilla... pushing adware onto its users. Qué?
It's disingenuous to say that users should be able to intuit how it's all organized and how they can contribute, when something like this clearly only happens because of privileged first party involvement with real revenue attached.
Unless you're suggesting that anyone who wishes to spam a campaign to Firefox users can just get that done by opening up an issue and submitting a patch...?
First of all, Firefox is a huge and complex project notorious for its legacy code and architecture. It's not a project that I would find pleasant to work on without getting paid. The only reason I might start working on it for free was if I wanted a job at Mozilla.
Second, it seems to me (as an outsider) that the biggest problem with Mozilla is its management. Any work I contribute to the browser will just be a feather in their cap, and they will still be making bad decisions that I can't meaningfully push back on. The solution for me then would be to fork the whole browser (which has already been done multiple times). However now I'm no longer working with Mozilla, I'm basically fighting them. Without paid, experienced engineers familiar with the Firefox codebase (or a PR budget), there's no reason to believe those forks can "win."
Third, Firefox is just so large that I could spend my whole life and have a negligible impact.
Fourth, as an outsider I'd always be "the wingnut who doesn't work at Mozilla." Perhaps if there were several companies sponsoring Firefox development, there would be more of a social place to fit in.
In conclusion, the state of the web today has left me feeling powerless. If I do nothing it's not necessarily because I'm lazy, but because I see nothing to be done.
Posts are being removed from Bugzilla and threads being locked. The code itself comes from a random GitHub repo, not affiliated with Mozilla/Firefox. (https://github.com/gregglind/addon-wr/)
People here were asking why normal process wasn't followed. No answer or links to resources.
Another closed discussion here:
I appreciate your input as someone who knows the process, but this really wasn't followed this time.
Edit: they've changed the repo now, so it's redirected to https://github.com/mozilla/addon-wr
Personally I build Firefox from source and maintain a set of patches largely based on these: https://aur.archlinux.org/packages/firefox-esr-privacy/
If you're looking for a browser with first-class vim compatibility, qutebrowser is outstanding.
I've also found Pale Moon to be a perfectly boring/stable/functional variant of Firefox without all the drastic/breaking changes (vim plugins work quite well also)
Pale Moon is not as good as Waterfox, at least for me.
No, it doesn't show PDFs or videos, but does that belong in the browser anyway?
Mozilla have presented "add-ons" as a line where users are supposed to be responsible for what to "trust", over and above the choice to install the browser in the first place. They can expect those users to be watching that line carefully.
(Incidentally, I would still dislike this functionality - more so even - if it was in the browser core.)
"Well, I'm your bank. You already gave me authority to reinvest all your savings. Why are you mad now that I invested everything into bitcoin futures?"
What exactly does "trust" mean? We might have given Mozilla such widespread access exactly because we trust them not to abuse it. Stuff like this undermines that trust.
And no, they can't: In many countries there are regulations forbidding high-risk investments with regular savings accounts for exactly that reason.
How is that not what automatic updates are?
It's disheartening when the update is a marketing tie-in.
I'm using Firefox 57 heavily (typing this in it), and actually really like it for a change. This after years and years and years and years of wanting to like Firefox but finding it completely and absolutely unusable due to performance issues.
(Chrome has been ... faster, but insanely aggravating in all sorts of ways, including utter and complete contempt from Google and the Chrome devs for users. The frustrations are rapidly mounting.)
Mozilla have just cost themselves some portion of their advanced user test base through abuse of trust. I really wish they'd not do that.
An appropriate response here would be to decide that you no longer trust their browser at all.
It's hard to quantify trust exactly. I'm fine with trusting the partly-closed-source Google Chrome build, including the proprietary Chromecast, Hangouts, etc., plugins, because I believe that the people writing them are generally reasonable. I don't have a good formal proof that they're generally reasonable people, and I never will - that's why it's trust. If they start installing marketing gimmicks, certainly they have the technical ability to do that, but I will lose my trust that they're reasonable people.
Here's an analogy: I trust a small number of my friends with keys to my apartment because I think they'll make reasonable use of that access. If they decide to show up at 3 AM with a keg and three tubas without telling (let alone asking) in advance, I technically have no grounds to complain that they abused their access - but I'll certainly not be calling them friends any more.
I would argue that since they knew you were giving them access on the assumption that they would not do things like that, you would have grounds to complain. Similarly, I installed Firefox on the understanding that it would not phone home with opt-out telemetry, advertise third party products, or synergise with acquired properties. Mozilla has, in the past few months, done all three.
I like Firefox, though, so I'd rather kick the tubas out of Mozilla than go kick them off my individual installation. Does the public have any power over Mozilla's governance?
Hence, as you said, the only way is to trust Google here, without much ability to verify.
It adds some css to a list of words:
I haven't figured out how that setting is exposed yet. Maybe they expect people to go to about:config and change it? Is there video footage suggesting that in the TV show?
@gregglind re-add 'fuck' to the word list
gregglind committed 3 days ago
mozilla is rapidly burning through over a decade of hard-earned trust and goodwill. i install firefox on other people's machines. i'm not a good user to piss off.
am i gonna have to wait for servo to mature and make an unmozillad servo? what a sad reality that would be.
this is not the browser we were looking for.
no, it is not, because i signed up for nightly a decade ago when mozilla still had my trust and admiration. i signed up to help mozilla find bugs before they hit end users. i signed up for new web platform features and bug fixes. i signed up to see the perf and ui improvements.
what i get force-fed now is an additional mystery platter of ad experiments, privacy erosion, forced third-party integration, random auto-addons and who knows what else at this point - they can literally push anything behind my back. the absence of all of these things is the exact reason i have stuck with firefox. i guess this relationship is not meant to last.
as another comment says in this thread, it's literally the "Windows 10 of browsers". Want faster perf and more security? Just sign up for the next version with more ads, less privacy and random third party services we auto-push to you. I know Chrome does this too, which doesn't make it ok for mozilla - it just leaves me with 0 options. if i had other viable options, i would leave quietly and never post this comment.
If your problem is with the actual _release_ version of firefox, that's a completely different complaint, and you have lots of choice in terms of getting the Firefox codebase but without some of the stuff that Mozilla feels is appropriate to put on top. If that's the level of control you want, then there are actually several options for you.
I have since found waterfox and have been very happy with it.
(It defaults to "false.")
I am genuinely astonished that somebody up the corporate tree at Mozilla thought this is a good idea. I mean, I get the appeal of getting the money and doing the cool IRL tie-in to the show, but that's not just how you do it. If I am a fan of a particular actor, I don't expect him/her to suddenly be in my bedroom when I come home one day. I would prefer to invite them first (if I am so inclined).
The trust here is specifically trusting them not to do such things. Which now has been violated. And the fact that CMO says anything else than "Man, did we screw up! We're so sorry, would never happen again!" is deeply sad and concerning.
I do not trust Mozilla, they've repeatedly proven they cannot be trusted.
I do not trust Firefox, because a piece of software being open source software does not mean it should be trusted.
You mean like when they set the default search to Bing?
For now, yes. Until someone finds a way to push a "study" through which is not from someone "trusted".
> If someone distrusts their add-ons, why trust their browser at all?
Well, trust is rather simple to break, and this - remote installing things - was not part of my original trust I put in Firefox 1.0.
I know things change. This is not one I tolerate, and you are right: I will not trust a browser after a step like this.
Besides the trust, it's unexpected data. Probably doesn't affect many on big data plans, and is probably a tiny extension this time, but it's still data I have not asked for.
This is a link to the GitHub issue:
There are several scary things about this:
- Unknown Mozilla developers can distribute addons to users without their permission
- Mozilla developers can distribute addons to users without their knowledge
- Mozilla developers themselves don't realise the consequences of doing this
- Experiments are not explicitly enabled by users
- Opening the addons window reverts configuration changes which disable experiments
- The only way to properly disable this requires fairly arcane knowledge of Firefox preferences (lockpref(), which I'd never heard of until today)
"In related news, unknown website developers can distribute programs and run them in your browser. Additionally, it's been determined that browsers sometimes download changed versions of themselves without your permission. Worst of all, we've determined that sometimes the program you download and run yourself on your computer does stuff it didn't say it would do!"
In all seriousness, I understand this is an important issue, and needs to be addressed, but we've obviously gotten to the point as a society recently where no news can't be played up for hype by pundits and commentators for their own benefit (and probably without realizing they are doing it in a lot of cases).
The whole way this is being presented (by many here, not to pick on the parent) as a new chunk of the sky falling is what I find really troublesome. No, chicken littles, the sky isn't falling, but there is some interesting shit going on up there that deserves a look.
I fail to see how getting half the people frothing at the mouth and the other half downplaying it just to try to keep some sanity in the discussion helps for a good outcome.
No they can't, despite Mozilla removing the option to prevent this, I have an extension preventing websites from running code in my browser without my permission. It happens to be one of the most popular Firefox extensions: NoScript (also uMatrix and RequestPolicy).
No the browsers do not download changed version of themselves, they do not have the administrative permissions required to install programs on my box. I get my update from the official distro repository on my terms.
I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.
It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.
> No the browsers do not download changed version of themselves, they do not have the administrative permissions required to install programs on my box. I get my update from the official distro repository on my terms.
Yes, they very often do. Currently, they generally ask if you want to restart using the new version and give you that choice, but they are often downloading newer versions of themselves ahead of time to speed up this process.
Whether they have permissions depends entirely how you installed the application. If it wasn't installed globally, user permissions are all that is needed.
> I do not download and run programs, they come from the distro repository. This is a matter of trusting the package maintainers but up until now this has served many people well.
Good! I hope you've also never ever piped wget output to a shell for some application's quick installer. I also hope you've never installed any programming language module through that language's package manager and not your distro's package system, because those are notoriously bad at making sure there's not holes through which bad stuff can happen either.
Regardless, it's possible that the package you downloaded, no matter the source, can do something other than stated.
> It seems you guessed wrong and it does not work the same for everybody, some of us have chosen to take the extra step required for this kind of misadventure to be unlikely.
Actually, I don't think I guessed wrong because I wasn't guessing anything, and I never said it works the same for everybody. I believe, since I was careful to qualify my statements, that each is easily proven correct, and I've done so.
1. Can you explain what you mean by "unknown Mozilla developers?" Unknown to whom?
2. Can you provide more detail on what specific configuration changes are reverted when opening the add-ons window? That sounds like a fairly serious bug.
3. What is the specific "this" you're trying to "properly disable?" You shouldn't have to dive into things like lockpref.
Mozilla (and other browser vendors) have the ability to push updates to their browsers outside of the normal release cadence. In many cases, these updates are distributed as add-ons, as they're cleanly separated from the rest of the browser internals, but that's just an implementation detail. If you visit about:support in Firefox, you should see a table of "Firefox Features," which are exactly that. Their source lives at: https://hg.mozilla.org/mozilla-unified/file/tip/browser/exte...
For example, we used a system add-on to control the gradual roll-out of multiprocess Firefox, and the New Tab page is also implemented as an add-on called "activity-stream."
> Can you explain what you mean by "unknown Mozilla developers?" Unknown to whom?
Unknown in the sense that this extension wasn't documented at all, there was no Bugzilla issue for it and it's not clear whether it was properly vetted by QA. Whether you argue that this kind of silent push updates is good or bad, I think they aren't tested as well as in-browser functionality. This is a necessary consequence of "let's try it and revert if something breaks or people complain".
More so, a rolled back Shield study will be invisible to the users, so any problems will be impossible to debug. This is made worse by the fact that most, if not all Shield studies are opt-out, so the user won't be notified.
> Can you provide more detail on what specific configuration changes are reverted when opening the add-ons window? That sounds like a fairly serious bug.
> What is the specific "this" you're trying to "properly disable?" You shouldn't have to dive into things like lockpref.
People have reported that extensions.ui.experiment.hidden reverts after viewing the add-ons list. I haven't tried it myself, but you can find details in that Reddit thread.
Others have noticed that the Shield studies checkbox sometimes (possibly on version bumps) reverts to enabled. I can't overstate how bad this is; it's basically cheating the users' trust. Lately, Mozilla has been doing some pretty nasty things for an organization that takes pride in caring about the privacy of its users.
Are you aware of the complaints regarding Windows telemetry? Edge, for example, sends full browsing history to Microsoft by default. Should Mozilla follow suit? Because that's exactly what Pioneer does and, while it's not opt-out yet, Firefox advertises enabling it.
As for the rest of the system add-ons, they're either poorly documented (if they are at all), poorly named ("Presentation"), or seem concerning from a privacy point of view (e.g. Activity Stream, Follow-on Search Telemetry, Photon onboarding, Presentation, Web Compat Reporter).
For anyone curious, Presentation seems to be an implementation of a proposed Web API that allows browsers to find and talk to devices in their neighbourhood. Does that include location/proximity beacons like this old proposal https://hacks.mozilla.org/2013/06/the-proximity-api/ ? Do users really want Firefox to tell advertisers where they're shopping? That's the same kind of "experience improvement" that the spyware of yore used to bring.
The comment about the visibility of the add-on (Bugzilla, QA process, documentation, etc.) is well taken, as are those regarding the naming of system add-ons, Pioneer, etc.
I've got an intercontinental flight coming up soon, and I'll do some grepping around to try to understand the prefs mentioned. If someone else beats me to it and posts a specific set of steps to reproduce a pref flip on those, I'd appreciate it.
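An added example, not part of any comment in this thread and not Mozilla's code: one way to turn the reported pref reverts into reproducible evidence is to diff two snapshots of a profile's prefs.js taken before and after the action under test. The watched name `app.shield.optoutstudies.enabled` is an assumption about which pref backs the studies checkbox, and both sample snapshots are constructed.

```python
import json
import re
import sys

# Matches lines of the form  user_pref("name", value);  as found in prefs.js / user.js.
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# prefs.js only stores values that differ from the built-in default, so a pref
# that was reset shows up as a *missing* line, not as a changed one.
UNSET = "<default>"

WATCHED = (
    "extensions.ui.experiment.hidden",   # named in the thread
    "app.shield.optoutstudies.enabled",  # assumption: pref behind the studies checkbox
)


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in the given text."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = match.groups()
        try:
            prefs[name] = json.loads(raw)  # true/false, integers, quoted strings
        except ValueError:
            prefs[name] = raw  # keep unparsable values verbatim
    return prefs


def pref_flips(before, after, watched=WATCHED):
    """List (name, old, new) for each watched pref whose value changed."""
    flips = []
    for name in watched:
        old = before.get(name, UNSET)
        new = after.get(name, UNSET)
        if old != new:
            flips.append((name, old, new))
    return flips


# Constructed snapshots: the user changed one pref, and the second snapshot
# shows that line gone, meaning the pref fell back to its default.
SAMPLE_BEFORE = """\
// Mozilla User Preferences
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.ui.experiment.hidden", false);
"""

SAMPLE_AFTER = """\
// Mozilla User Preferences
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
"""


def demo():
    """Diff the two constructed snapshots above."""
    return pref_flips(parse_prefs(SAMPLE_BEFORE), parse_prefs(SAMPLE_AFTER))


def main(argv):
    if len(argv) != 3:
        print("usage: prefdiff.py BEFORE_prefs.js AFTER_prefs.js")
        return 2
    snapshots = []
    for path in argv[1:]:
        with open(path, encoding="utf-8") as handle:
            snapshots.append(parse_prefs(handle.read()))
    flips = pref_flips(snapshots[0], snapshots[1])
    for name, old, new in flips:
        print(f"FLIPPED {name}: {old!r} -> {new!r}")
    return 1 if flips else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one watched pref changed between the two snapshots, which makes the check easy to script around a single UI action.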
I think for most people this is the stickiest point. Other commenters have said things along the lines of, "well if you trust their browser you should be able to trust their add-ons" and I do, mostly, trust their add-on here... but I really don't like how it slipped into my Add-Ons without telling me. For every other Add-On I have to click an explicit blue button, so I know what's in and what's out.
In today's landscape, Add-Ons have massive potential as security threats. For instance, would a savvy user who is security-aware (most users on HN, I assume) install an Add-On like Gmail Checker Plus? Without digging in, it's hard to be 100% certain what this Add-On is and isn't doing with my Gmail content (I have no reason to assume anything nefarious, it's just an example). My browser Add-Ons should be off-limits to any sort of tampering without my permission, as well should be my bookmarks and auto-fill info. If I broke into your house and changed your bedsheets, you'd rightly be creeped out... nothing was stolen, new bedsheets don't affect you in any significant way, but it's still wrong and weird and hurts trust.
> What's happening?
Are you a fan of Mr Robot? Are you trying to solve one of the many puzzles that the Mr Robot team has built? You’re on the right track. Firefox and Mr Robot have collaborated on a shared experience to further your immersion into the Mr Robot universe, also known as an Alternate Reality Game (ARG). The effects you’re seeing are a part of this shared experience.
EDIT: looking at this comment, perhaps it's not a promo?
Of course not.
Mozilla can install extensions if you have "shield studies" enabled. They use extensions to run UI studies and things like that. I think you have to opt-in to each study individually if you want to be part of it. Enabling the studies in your settings only means "notify me when there's a new study I can participate in".
Now they have partnered with Mr Robot to use the same feature to offer some sort of "Alternate Reality Game".
It looks like Firefox auto-installs the studies though if you've enabled the feature. But it only activates the individual extensions for the studies once you've opted in to participate.
The extensions themselves need to be approved by a bunch of people at mozilla (at least for the normal studies). So I guess nothing bad can happen until you click "participate" or whatever they call it.
Still, I would also consider the notification itself to be an ad. This was obviously a bad idea and I don't want anyone to think I'm defending it. I guess they've chosen to abuse their shield studies for this because it's the only way for them to send notifications to the browser, but that's no excuse. I have the studies disabled anyway but now I'm not even going to consider ever turning them on.
I have the pug experience study active and I don't recall the browser asking about it.
From the studies about page linked from about:studies...
"When a study is available, you will automatically be enrolled if you meet the criteria. There will be occasions where we might prompt you for participation first."
Just saw also that if you opt-in for the "Allow Firefox Developer Edition to send technical and interaction data to Mozilla" then it automatically checks the studies checkbox for you. I would wonder if I checked the allow sharing at some point in the past, or during installation, with no mention of the studies option. So it was presumed to opt me into the studies automatically.
> No changes will be made to Firefox unless you have opted in to this Alternate Reality Game.
Also, from the same page for those that appreciate irony:
> One of the 10 guiding principles of Mozilla's mission is that individuals' security and privacy on the internet are fundamental and must not be treated as optional. The more people know about what information they are sharing online, the more they can protect their privacy.
That can't possibly be true. I had it installed, and I'm on my work machine using Firefox Developer Edition. I didn't opt in to any ARG.
To put it another way - if I discovered a rootkit sitting in the ~/Downloads directory on my Mac, that would be a problem. If the entity that surreptitiously placed it there said that I shouldn't worry about it because it hadn't been run, I wouldn't be inclined to trust them.
I've used FF since before it was FF, and I've installed it on umpteen other people's computers; strongly advocating for it. Since they sacked that guy for not conforming to a specific liberal ideology they seem to have gone batshit crazy ... what happened? Was he their main privacy advocate or something?
By that definition, this would be unallowed modification of the computer of the user, and fall under the various hacking acts.
The more interesting thing is that this has also been rolled out to German government computers, which mostly used to use Firefox, but due to previous troubles with Cliqz and the Google Analytics in the addon menus, have already moved on to other browsers.
You mean like the TOS and EULA you agree to when you install the browser? That would qualify as "expected by the user" and "explained in plain text" both.
How does it not occur to them that this is a clear lie?
Mozilla has injected malicious-looking advertisement executable software into my process without my permission and then lied about it. I have no idea what this software is, what it does, or whether it is proprietary or free. I opted into nothing.
This is a huge, huge mistake by Mozilla.
Actually they do not. Their revenue is at an all-time high despite the market share reaching an all-time low.
The whole partnership with Google to put its search engine as default is about enabling Google to profile Firefox users and show them ads.
They're a nonprofit; they're not allowed to just "make money". And, they already take donations.
I merely challenge the notion that a nonprofit -- which proudly trumpets its benevolence and non-profitness -- should get a free pass for covertly installing advertising arrangements, just because they need to "make money".
Their charter and marketing is all about defending the internet from the companies doing shady things to make money, so they can't have their cake and eat it.
Firefox gets most of its donations from corporate sponsors. That's why the default search switched back and forth between Yahoo and Google; it's all about the amount of money they contribute for that. I'm not sure, but Pocket might be another example.
User contributions are actually pretty low. They don't go out and request them though like NPR or Wikipedia.
I'm not sure Mozilla even gets a significant amount of donations compared to their commercial contracts.
The addon itself does not advertise for Mr. Robot, Mr. Robot advertises for this addon.
I'd charitably call it "Augmented Memory", but it's definitely not "Augmented Reality".
There's really no game there, and it's pretentious to call it an "Alternate Reality Game", which is defined as "intense player involvement with a story that takes place in real time and evolves according to players' responses":
This extension just wraps all occurrences of a set of keywords (now including "fuck") in a span with some css animations and a tooltip that links to their web page.
But in terms of memory usage, CPU and battery consumption, it's not that small, either.
This extension isn't the best example of their technology for Mozilla to be promoting and distributing, if they're really serious about delivering a fast memory efficient browser.
Tax-exempt non-profit (especially charity) status is very much about both how money is made and how it is distributed/spent.
That's not a misconception I share. I understand Mozilla can and should make money to further its mission.
But unlike a for-profit, making money isn't the mission of Mozilla. So needing to make money can't be used as a justification for doing naughty things against the public good.
And money it makes, in the hundreds of millions, for serving its users to the worst known worldwide privacy offender, collecting and profiling users to sell advertising.
The "good" non profit charity foundation is governing the "evil" for profit corporation giving away users to the worst opponent of the mission of the charity. Quite a contradiction in this.
Some people cry "free speech violation" but they can endorse a candidate, they just need to give up their tax privileges. This is why the ACLU is split into two parts. One you can donate to and get tax deductions for, but the other is their lobbying arm, and therefore cannot allow tax deductions for their donors.
The extension is for shield study, when you install Firefox for the first time it asks if you want to take part in it (it is enabled by default though).
It has been praised for its technical accuracy, basically the show warns us about exactly what Mozilla did as this could be exploited to hack into computers.
From what I've heard (I work for Mozilla), this is promo for Firefox. As I just wrote elsewhere in this thread: I believe the idea is that Mr. Robot fans use Firefox to participate in the ARG, not that Firefox users suddenly start watching Mr. Robot. So if anything I'd expect that Mozilla pays Mr. Robot for this.
The irony is that Mr. Robot is owned by Universal, a subsidiary of Comcast. So much for that commitment to net neutrality.
So much for the advertised protection of user privacy.