Hacker News new | past | comments | ask | show | jobs | submit login
Uninstall Nano Defender (resynth1943.net)
313 points by resynth1943 3 days ago | hide | past | favorite | 79 comments

I'm not a nano defender user, never have been. I've come across it several times but never ended up trying it.

This however makes me sad. We've got a champion who is maintaining a piece of software that's quite frankly pretty core to privacy and security in today's heavily tracked world.

Obviously it's not just gorhill either. It includes the many people who have raised PRs, lowered the ticket burden of uBO, but also the many people who maintain some amazing lists. For that, all of these people have my gratitude.

The reason this makes me sad is because this is the second time things like this happen. The second time gorhill's efforts are being shat on by some random person. This was completely reckless action by jspenguin2017. It's one thing to want to make money for your efforts, it's another to want to make money from the man hours spent by the uBO and list's maintainers.

If jspenguin2017 truly means what he says in his posts and regrets his action, I hope he considers donating all of the money to gorhill & co.

> Raymond inspected the modifications added by the new developers (which was not published to GitHub), revealing their dubious intentions.

and chrome will auto-update the extension for you transparently so you don't miss out on these new amazing features!

Auto-update is such a antifeuture. There is like no circumstances where it is beneficial since you can mever trust it wont break your stuff or add malicoius code. Since it is pushed instantly there is no chance anyone had the time to review it.

Eg. Steam ask if it should update a game. Windows just does it and adds Candy Crush and spyware. Two different takes on the same thing.

Windows tried manual updates for years, and even after switching to automated updates still received lots of bad press for security holes that were fixed years earlier. Home Edition taking away the ability not to update is the logical conclusion.

Also Microsoft controls the code they push on your computer, they paid the people who wrote it and they take liability for it. Browsers are automatically pushing other people's code to your computer

"Also Microsoft controls the code they push on your computer, they paid the people who wrote it and they take liability for it. Browsers are automatically pushing other people's code to your computer"

No, Microsoft does not take liability, they expressly disclaim any and all liability in the users agreement.

They are indirectly if not legally liable. If they tried something as damaging as Nano Defender here, it would be massive bad PR and they would be forced to backpedal or lose industry trust.

I agree that they’re liable for some things in the court of public opinion (which happens to have a very short attention span and limited agency), but I don’t see how they’re legally liable unless you’re implying that the EULA would be found to be unenforceable in court.

I don't care much about the bad press for holes that were patched years back, but I do care about those unupdated machines becoming zombies in a botnet. Those things are so disruptive and the mitigations only work so well.

Automatic updates from trusted first-party developers is pretty different than automatic updates from random Chrome 3rd party extension devs..

I agree, everyone who knows what they are doing can still disable windows auto update. The option is only gone for "normies" which is perfectly fine. If you don't know enough about how windows works to turn it off, you are the reason for it being enabled by default.

Then Microsoft can push security updates automatically but that in no way excuses them to push anything else.

> there is no circumstances where it is beneficial

Do we really need to be this hyperbolic? And Steam can auto update games just fine (I even remember it being the default, but not sure.)

It is a bit hyperbolic but I wrote "there are like no" which means "kinda" right?

Sure I get it. Autoupdates are fine if used wisely and I am not dogmatic really it is more that I am bitter. However a simple prompt just makes ones life so much easier so that I know why something breaks.

I think Steams delayed updates as default are to decrease bandwidth during covid lockdowns?

Pretty sure it's still the default. Updates are more frequently delayed now (shown as "scheduled" in the download list), but I believe that's for traffic shaping.

> There is like no circumstances where it is beneficial since you

the days before Windows auto update meant millions of unpatched machines running wild on the internet. I know it gets a lot of hate these days but its gotta be better than the alternative.

Auto-update is a good feature normally; I just wished there was a way to roll back when things go wrong.

If you can afford that it breaks stuff, like multiplayer games where a missed patch would make it unplayable anyway, maybe ye.

If Windows only force pushed security updates in secirity labeled patches like in XP it would probably be fine in practice. But I never know what happens when I restart my work Win 10 laptop. Maybe wifi gives up. Or the docking station wont work. Who knows it happened to me and my collegues multiple times.

I actually wonder if the corparate IT is to blame since I don't have the same instability problems on my Win 10 gaming rig, or maybe laptops just are way more sensitive.

I’ve never had a problem with W10 updates in my household. All personal laptops / Surface devices

I want everyone else on auto-updates, but refuse to allow them myself, for exactly the reasons you specify.

A tragedy of the walled-gardens.

I trust Debian's automatic updates, since they are only about fixing security issues or other important issues.

Quite honestly I'm of the opinion that Google should strictly audit all transfers of ownership of popular extensions. The options for monetizing extensions are so limited that the only thing that can motivate someone to buy an extension is nefarious purposes.

I commented about this in the announcement thread[1]:


Though the extension requests the webRequestBlocking permission, that permission is not required to perform the collection of data, including sensitive ones.


* * *

[1] https://github.com/NanoAdblocker/NanoCore/issues/362#issueco...

How can google achieve this, realistically speaking?

I immediately wondered if the controversial Manifest V3 changes would render this a non-issue.



Manifest V3 breaks ad blocking without doing anything about extensions spying on the user. It provides read-only access to everything that previously was available and merely removes the ability to modify or block requests.

Unless I missed something, no. Extensions can still have full access to the data stream as long as it's read-only. Maybe it could help a little if you're extremely careful about permissions, but how many people are?

Yeah, I was wondering the same thing actually...

I was thinking the same thing. The reason that plugins like this, uBlock, and Stylish are so valuable is that they have access to everything on every site by nature. On one hand it sucks to have functionality taken away but on the other hand it protects against potentially large security issues.

> On one hand it sucks to have functionality taken away but on the other hand it protects against potentially large security issues.

Except that it doesn't actually protect against security issues, because v3 manifests don't break the ability to read data, only modify requests. Also, since ads are a vector for malware[0], having an adblocker is a security benefit, not a loss.

[0] ex. https://www.extremetech.com/internet/220696-forbes-forces-re...

Thanks for the clarification ;-)

How would that work? How would you know the new owners are bad until after they’ve pushed an evil update?

Other than removing extension and changing password? What else should one do? Is it possible to download malware to PC with extension and run it (Like keylogger)?

Is it possible that my outlook account could have been hacked through cookie hijacking?

I have never heard of nano defender, but I wonder why anyone ventures away from uBlock origin

Nano defender is an anti-anti-adblocker. It works along with uBO ("defend" it if you like), or author's fork of uBO (Nano ADBlocker).

uBo is getting good doing this job itself now, but there are still some gaps for Nano Defender to be useful.

uBlock Origin has an unbreak filter list to address this now. Coupled with EasyList, it's been sufficient to remove anti-adblock warnings for me.

> I wonder why anyone ventures away from uBlock origin

Tangential, but that attitude prevents a lot of competition in the tech space. A lot of the reason tech companies can grow so large with so little competition is the problem of trust.

Yeah, trust is earned slowly and lost quickly. Doesn't matter the industry. But it's hard to ignore the Lindy Effect: if a system is serving me for so long and so well, why do I need to worry about lack of competition?

Before ublock, I had AdBlock and afterwards ABP on my machines. I started looking for alternatives when they introduced that "acceptable ads" crap.

And the trust really comes down to observability. If I buy a vacuum cleaner it's easy to tell if it sucks and if I should recommend it to my friends. With software I might be able to judge functionality, but privacy and security usually come down to having a good track record.

That said, it's by far not the only reason leading to tech monopolies. Network effects (paired with a lack of interoperability) brings users to Instagram and MS Office alike.

> If I buy a vacuum cleaner it's easy to tell if it sucks

I clearly knew what you meant, but it definitely reminds me of the decade(s)-old adage: "The day Microsoft makes something that doesn't suck is the day they make a vacuum cleaner."

I'd argue it's even vaguely on-topic, c.f. Windows 10 updates...

I've encountered it before. I believe its made it to HN front page a few times.

I mean, I agree, but it's not like this couldn't happen there, too.

Given that Raymond Hill is one of the persons helping to expose this mess, at least we can get a good idea of the motivations behind the uBlock Origin maintainers.

Granted, it isn’t drama free. But frankly, these people have one of the best longest running track records of trust in all of browser extensions. It is going to be an immensely sad day when things go sour.

I use uBlock Origin, and I share your feelings about the team.

That said, https://en.wikipedia.org/wiki/Robert_Hanssen was trusted too, and deliberately selling out isn't the only attack model. The extension ecosystem kinda terrifies me.

It could, but after what happened to the original uBlock it's unlikely that uBlock Origin would be sold to unnamed developers.

Virtually everyone has their price.

It might be short-lived, but the damage you could do with that install base and auto-updating extensions...

Unlikely, given the history of uBlock (Origin).

does it exist on android? i have adguard

Yes, it does. As long as you use a browser supporting extensions, like Firefoxu or Kiwi for example.

Yes with Firefox Nightly.

Anyone know what the uninstall steps should be for those of us who used Nano Defender with uBlock Origin [0]? I've disabled Nano Defender and removed NanoResources.txt [1] from my UBO advanced settings, but I'm not sure if there is anything else I should be worried about. I also disabled the Nano Defender Integration and Nano filters lists, but I don't know whether those are safe to use.

[0]: https://jspenguin2017.github.io/uBlockProtector/#extra-insta...

[1]: https://gitcdn.xyz/repo/NanoAdblocker/NanoFilters/master/Nan...

I removed Nano Defender and then reset uBO to default settings which should do it.

Nano blocker was awesome.

Now I have to delete stuff.

At this point, I no longer trust non-open source application and even open source stuff with low followers.

Even larger open-source projects aren't immune. FileZilla has had an issue of adware a few times. I don't think there's any way to ensure that an application of any sort will remain trustworthy.

Nano Defender was open source prior to the sale, with 150 stars on github


As it happens, earlier this year I came to the conclusion that browser extensions are too high-risk, and I disabled everything I could possibly do without. Now I'm limiting myself to just Firefox "recommended" extensions, under the hope that Mozilla is doing something to make sure they stay aboveboard, and a few non-recommended ones that I just can't live without, like Vimium. I lost some functionality due to disabling extensions, but so be it. The browser is far too important these days.

For my remaining non-recommended extensions, all of which are open source I think, I am considering some workflow where I just clone their repos and install the extensions locally, updating occasionally when I can review the resulting changes myself.

(It happens that I had disabled Nano Blocker in my purge months back. FWIW it never seemed to work for me. For those uninstalling, don't forget to uninstall the extension, the block lists, and the uBlock advanced "user resources" file.)

EDIT: Just realized I can turn off automatic updates for just some Firefox add-ons, so I did that for a bunch of add-ons. I'll update them when something breaks and I have time to review what's changing.

Unfortunately it blocks Twitch ads while others don't. Did the Firefox version suffer the same fate?

Since a Twitch update ~1 month ago uMatrix did not have a working solution except for the first few days, but maybe things have changed.

Thankfully - article update - since the Firefox version is maintained separately by LiCybora, that maintainer has split off[1].

What confuses me is that the original author, jspenguin2017, has showed up, and is helping a bit with the backend. Since he's already sold the Chrome extension to some shady developers, why is he somehow also nice enough to help out? Gorhill did something similar with the original uBlock, but at least they weren't shady right from the start. What in the world is going on here? Why didn't jspenguin2017 just abandon the project?


The Dev version of uBlock Origin has been updated recently to fix that

Ok ty for the info!

I suppose if there was ill intent, they would have silenced the seller with a NDA. It would be silly to let the seller sink your nefarious plan by letting the world know that ownership has transferred.

There's plenty of people that simply won't know ownership has changed because they just consume the published extension. They're clearly maintaining two sets of code, one for github and one for publishing extensions; nefarious is a strong word, it is at least suspect.

As far as an NDA goes, that's signaling to the current open-source maintainer that something nefarious is afoot. How would an NDA work? The maintainer hands other their GH account for the new party to commit under? The extension suddenly goes closed source? The maintainer doesn't acknowledge the community at all and rubber stamps anything the new party wants to commit the repository?

It'd be far easier to publicly take over maintaince, do good for a month or so, then silently publish the malware. That was probably the best route here; the maintainer was going to donate most of the monry they received back to the Turkish developers if they did a good job) and they'd have passed the transitory wave of scrutiny from seasoned devs like gorhill.

> Remember to audit your extensions frequently, and remove any unused extensions.

> In the case of Nano Defender, users were not notified before control of the extension was transferred to a third-party. That's not the right way to handle this.

The whole browser extension ecosystem seems to be purposefully bloated with such loopholes allowing such backdoors. I remember seeing a clg presentation, "a browser is a literal nuke you carry on yourself, whatever be the ... or claims as of sandboxing, you're already dead" - loosely quoted.

best reason to use firefox is the ability to disable updates for extensions

I've got them all off except ubo

That could introduce security issues, though. I guess auto-update is a two-sided coin?

Thank you for mentioning, I went to my addon options to disable auto updates.

The only adblocker I trust is uBlock from gorhill. I used Adblock way back in 2013-14 and jumped ship when they started allwoing some ads.

Whew, for a minute there I thought this was about Unix text editor "nano"

Haha, well I doubt that's turning into malware anytime soon ;-)

The only way anyone would have installed this trash in the first place is if their infosec threat model is complete nonsense. You're so worried about ad companies stealing your soul that you turn over full browser control to a bunch of randos? It does not and has not ever made sense.

I use AdGuard DNS. Not perfect (they can still log your DNS history), but it definitely prevents any interception or malicious code stealing passwords. DNS is a lot simpler than blocking extensions.

That being said, I do like Firefox's built-in tracker protection. I'd like to see more efforts like Firefox's canvas permission in the future, it definitely helps fight fingerprinting.

I guess Epiphany's lack of extension support works to my advantage in some areas.

Or if they are employees.

I’m at my 4th employee, and there are 2 things I’m downright intolerant with:

- People mixing their work cookies with their facebook cookies. There is a specific step in the onboarding where they have to create a chrome profile for their personal stuff, or it becomes waterboarding.

- A dozen browser extensions.

But some extensions are normally necessary (pretty-print the json for example) - I wonder what would be the right process.

Noticed this a few times, where race is associated with some bad behaviour as if it made matters any worse. What does it matter if the developers were Turkish?

edit: are the downvotes because you believe race matters in this case, or some other problem with the comment?

I didn’t downvote you, but “Team of Turkish developers” is just how original author of the extension refers to the new owner in his original announcement.


The author probably quoted it like that because it was the literal wording of the original, unedited, GitHub issue[1]:

> But there is good news. A team of Turkish developers is in the process of acquiring Nano Adblocker and Nano Defender [...]

[1]: https://github.com/NanoAdblocker/NanoCore/issues/362

...and I'm relatively certain they wanted to communicate that the new owners are based in Turkey, not that their developer team is strictly of Turkish ethnicity. They probably didn't check whether there might be Kurds or Circassians on the team.

My impression was that Turkish referred to nationality, not race in this case. The impression is that electronic law and order in Turkey are different than in California.

What does California have to do with all this?

CCPA exists.

I just read it as Turkish= out of the country + basically unreachable. Based on the due diligence (or lack thereof) they could actually be from anywhere. He has no idea.

Definitely wasn't being racist, just quoting the author of the extension.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact