This however makes me sad. We've got a champion who is maintaining a piece of software that's quite frankly pretty core to privacy and security in today's heavily tracked world.
Obviously it's not just gorhill either. It includes the many people who have raised PRs, lowered the ticket burden of uBO, but also the many people who maintain some amazing lists. For that, all of these people have my gratitude.
The reason this makes me sad is because this is the second time things like this happen. The second time gorhill's efforts are being shat on by some random person. This was completely reckless action by jspenguin2017. It's one thing to want to make money for your efforts, it's another to want to make money from the man hours spent by the uBO and lists' maintainers.
If jspenguin2017 truly means what he says in his posts and regrets his action, I hope he considers donating all of the money to gorhill & co.
and chrome will auto-update the extension for you transparently so you don't miss out on these new amazing features!
E.g. Steam asks if it should update a game. Windows just does it and adds Candy Crush and spyware. Two different takes on the same thing.
Also Microsoft controls the code they push on your computer, they paid the people who wrote it and they take liability for it. Browsers are automatically pushing other people's code to your computer.
No, Microsoft does not take liability, they expressly disclaim any and all liability in the users agreement.
Do we really need to be this hyperbolic? And Steam can auto update games just fine (I even remember it being the default, but not sure.)
Sure I get it. Autoupdates are fine if used wisely and I am not dogmatic really it is more that I am bitter. However a simple prompt just makes one's life so much easier so that I know why something breaks.
I think Steam's delayed updates as default are to decrease bandwidth during covid lockdowns?
The days before Windows auto update meant millions of unpatched machines running wild on the internet. I know it gets a lot of hate these days but it's gotta be better than the alternative.
If Windows only force pushed security updates in security labeled patches like in XP it would probably be fine in practice. But I never know what happens when I restart my work Win 10 laptop. Maybe wifi gives up. Or the docking station won't work. Who knows, it happened to me and my colleagues multiple times.
I actually wonder if the corporate IT is to blame since I don't have the same instability problems on my Win 10 gaming rig, or maybe laptops just are way more sensitive.
A tragedy of the walled-gardens.
Though the extension requests the webRequestBlocking permission, that permission is not required to perform the collection of data, including sensitive ones.
* * *
Except that it doesn't actually protect against security issues, because v3 manifests don't break the ability to read data, only modify requests. Also, since ads are a vector for malware, having an adblocker is a security benefit, not a loss.
 ex. https://www.extremetech.com/internet/220696-forbes-forces-re...
Is it possible that my outlook account could have been hacked through cookie hijacking?
uBO is getting good at doing this job itself now, but there are still some gaps for Nano Defender to be useful.
Tangential, but that attitude prevents a lot of competition in the tech space. A lot of the reason tech companies can grow so large with so little competition is the problem of trust.
Before ublock, I had AdBlock and afterwards ABP on my machines. I started looking for alternatives when they introduced that "acceptable ads" crap.
That said, it's by far not the only reason leading to tech monopolies. Network effects (paired with a lack of interoperability) bring users to Instagram and MS Office alike.
I clearly knew what you meant, but it definitely reminds me of the decade(s)-old adage: "The day Microsoft makes something that doesn't suck is the day they make a vacuum cleaner."
I'd argue it's even vaguely on-topic, cf. Windows 10 updates...
Granted, it isn’t drama free. But frankly, these people have one of the best longest running track records of trust in all of browser extensions. It is going to be an immensely sad day when things go sour.
That said, https://en.wikipedia.org/wiki/Robert_Hanssen was trusted too, and deliberately selling out isn't the only attack model. The extension ecosystem kinda terrifies me.
It might be short-lived, but the damage you could do with that install base and auto-updating extensions...
Now I have to delete stuff.
At this point, I no longer trust non-open source applications and even open source stuff with low followers.
For my remaining non-recommended extensions, all of which are open source I think, I am considering some workflow where I just clone their repos and install the extensions locally, updating occasionally when I can review the resulting changes myself.
(It happens that I had disabled Nano Blocker in my purge months back. FWIW it never seemed to work for me. For those uninstalling, don't forget to uninstall the extension, the block lists, and the uBlock advanced "user resources" file.)
EDIT: Just realized I can turn off automatic updates for just some Firefox add-ons, so I did that for a bunch of add-ons. I'll update them when something breaks and I have time to review what's changing.
Since a Twitch update ~1 month ago uMatrix did not have a working solution except for the first few days, but maybe things have changed.
What confuses me is that the original author, jspenguin2017, has shown up, and is helping a bit with the backend. Since he's already sold the Chrome extension to some shady developers, why is he somehow also nice enough to help out? Gorhill did something similar with the original uBlock, but at least they weren't shady right from the start. What in the world is going on here? Why didn't jspenguin2017 just abandon the project?
As far as an NDA goes, that's signaling to the current open-source maintainer that something nefarious is afoot. How would an NDA work? The maintainer hands over their GH account for the new party to commit under? The extension suddenly goes closed source? The maintainer doesn't acknowledge the community at all and rubber stamps anything the new party wants to commit to the repository?
It'd be far easier to publicly take over maintenance, do good for a month or so, then silently publish the malware. That was probably the best route here (the maintainer was going to donate most of the money they received back to the Turkish developers if they did a good job) and they'd have passed the transitory wave of scrutiny from seasoned devs like gorhill.
> In the case of Nano Defender, users were not notified before control of the extension was transferred to a third-party. That's not the right way to handle this.
The whole browser extension ecosystem seems to be purposefully bloated with such loopholes allowing such backdoors.
I remember seeing a clg presentation, "a browser is a literal nuke you carry on yourself, whatever be the ... or claims as of sandboxing, you're already dead" - loosely quoted.
I've got them all off except uBO.
That being said, I do like Firefox's built-in tracker protection. I'd like to see more efforts like Firefox's canvas permission in the future, it definitely helps fight fingerprinting.
I guess Epiphany's lack of extension support works to my advantage in some areas.
I’m at my 4th employee, and there are 2 things I’m downright intolerant with:
- People mixing their work cookies with their Facebook cookies. There is a specific step in the onboarding where they have to create a Chrome profile for their personal stuff, or it becomes waterboarding.
- A dozen browser extensions.
But some extensions are normally necessary (pretty-print the json for example) - I wonder what would be the right process.
edit: are the downvotes because you believe race matters in this case, or some other problem with the comment?
> But there is good news. A team of Turkish developers is in the process of acquiring Nano Adblocker and Nano Defender [...]