Attention NoScript users · 2009-05-01 22:54 by Wladimir Palant

Recently I wrote about how not giving extension developers a good way to earn money might lead to very undesirable effects. The recent events give an impression of the kind of effects we should expect here. This is going to be about the popular NoScript extension which happens to make its money from ads. And to make sure that somebody sees these ads it goes pretty far. For example, it opens the changelog webpage (full of ads of course) on every single update of the extension, even though the NoScript FAQ claims that it happens only on major updates (yes, if you dig into it you will find the preference to disable this behavior – but how many people do that?). And updates coming roughly each week ensure that this page is opened fairly often. A problem is of course that NoScript will usually disable scripting and consequently also most advertising. That problem is being worked around by putting NoScript’s domains, Google AdSense and a few others on NoScript’s default whitelist (again, the overwhelming majority of users won’t go hunting for bogus entries in their whitelist). Given that NoScript proudly calls itself a security extension this means putting users at risk — for example, a while ago I demonstrated how an XSS vulnerability on a NoScript domain can be used to run JavaScript from any website, despite NoScript. This was countered by implementing anti-XSS measures rather than removing anything unnecessary from the whitelist.

You get an impression of the business model here. Of course, this approach brings NoScript in conflict with another popular extension — Adblock Plus. For years, NoScript has been using a trick to prevent Adblock Plus from working on its domains. Fixing this issue was never particularly high on my list of priorities (though I finally came around and fixed it after the recent events) so at some point I suggested that EasyList should be extended by a filter to block ads specifically on NoScript’s domains. This finally happened two weeks ago.

What followed was a small war — the website would add various tricks to prevent Adblock Plus with EasyList from blocking ads, EasyList kept adjusting filters. Then, a week ago a new NoScript version was released. A few days later I noticed the first bug reports — apparently, Adblock Plus “glitches” were observed with this NoScript version, especially around NoScript’s domains (but not only those). When I investigated this issue I couldn’t believe my eyes. NoScript was extended by a piece of obfuscated (!) code to specifically target Adblock Plus and disable parts of its functionality. The issues caused by this manipulation were declared as “compatibility issues” in the NoScript forum, even now I still haven’t seen any official admission of crippling Adblock Plus. Clearly, NoScript is moving from the gray area of adware into the dark black area of scareware, making money at users’ expense at any cost.

Confronted with the facts and with the AMO policy, the NoScript author agreed to revert the changes. However, he put a different “solution” in place — the new NoScript version released yesterday adds a “filter subscription” to Adblock Plus meant to whitelist NoScript’s domains. A note about this “feature” has been added to the extension description on AMO (I insisted), not without misrepresenting the cause of course. Supposedly, this is because of a “targeted attack from EasyList which broke functionality.” Which fails to mention that EasyList was just doing what it was created for (block ads) and the broken functionality is the result of attempts to avoid ads from being blocked (originally the filters didn’t break anything). So the real reason is not broken functionality, it is the ads on these sites.

Of course, adding a note to the description that almost nobody will read anyway wasn’t the only change I wanted to see. Adblock Plus allows other extensions to add filter subscriptions but that wasn’t supposed to happen without the user’s consent. In the case of NoScript, asking the user whether this filter subscription should be added was clearly required. But that would probably make too many people notice that something fishy is going on and decline. Note also that this filter subscription cannot be removed (will be re-added on next Firefox start), only disabled. Also, it stays there even after NoScript is uninstalled. Should I now make it harder for all extensions to integrate with Adblock Plus just because NoScript is misbehaving? I doubt that this will help much, any installed extension has the privileges to do anything and trying to stop it from misbehaving after installation is a lost cause.

While the current state of affairs (NoScript’s manipulation of Adblock Plus is visible to the user if he knows where to look, it is documented and even reversible) is better than what we had before, I still think that extensions manipulating other extensions to prevent them from doing their job is not where we want to be. NoScript might be somewhat extreme but the “business offer” emails I occasionally see in my inbox make me think that we will see more of this. Companies start to recognize the potential of Firefox extensions and push extension authors into monetizing their extensions by questionable means — at the expense of the users.

Update (2009-05-02): Apparently, thanks to some pushing from AMO yet another NoScript version was released. This one supposedly no longer adds a filter subscription to Adblock Plus and also removes the one added by the previous versions. Also, a change to AMO policy is under discussion. Big thanks to everybody who made that happen!

Update 2 (2009-05-04): Sorry, I have to close the comments. I made the effort of reading every single comment but that’s getting too much for me. Especially now it seems that most commenters come from other articles misrepresenting the whole issue and don’t even bother to read my blog post.

Update 3 (2009-05-04): The NoScript author made an official statement on the events.

Comment [247]

  1. Adblock Plus Fan · 2009-05-01 23:22 · #

    I’m with you on this one Wladimir. Noscript has gone too far.

    One could argue that Noscript is now Breaking ABP features. “Deletion of a subscription” is a capability many users expect will work in ABP, a feature.
    In the event a user discovers this injected content, many will simply delete the subscription in good faith that ABP is capable of deleting this and believe that Noscript will now leave them alone. The users will be disappointed when/IF they find out that Noscript is re-injecting the content again and again, against their decision.

    Reply from Wladimir Palant:

    There is a bigger problem – I know too well that most Adblock Plus users never go to preferences. They install Adblock Plus and are happy that it works. If it fails to work correctly on noscript.net most of them won’t be able to find the reason.

  2. Ben Basson · 2009-05-01 23:42 · #

    FlashGot opens up the changelog for every trivial update as well. While I found that annoying, I’m certainly now a lot more concerned about what extra code might be bundled with the updates, and will therefore remove it immediately and permanently.

    There’s no justification for meddling with the operation of other extensions at runtime or otherwise, and I certainly wouldn’t recommend using extensions by an author prepared to go to these lengths.

  3. snake · 2009-05-02 00:09 · #

    I am with u too Wladimir, he’s gone down that road, where he’s out for himself, worried about his revenues before his users, well I am not going to be one of them users ever, good luck Giorgio Maone ur now messing with a lot of annoyed Adblock Plus users u will need it for messing with our adblocker.
    To put it bluntly I don’t trust the no-script add on or its underhanded Giorgio Maone….
    he lost any trust when he sneaked in stuff that messes with another addon ADP..

  4. lovelywcm · 2009-05-02 00:33 · #

    Commerce is invading the development of extensions.

    Will you give ABP the ability to inspect (and block if a filter matched) connections established by an extension in background?

    Reply from Wladimir Palant:

    You can inspect all outgoing connections with Live HTTP Headers. Attributing to a particular extension and blocking is a different thing and probably not possible at all.

  5. Kurt GLuth · 2009-05-02 00:43 · #

    I agree to all points Wladimir mentioned. It will be interesting (although sometimes surely everything than amusing) to see, how ‘hard’ every developer of AddOn’s will be against – let’s call it by its correct name – corruption. As I said in the forum, there are unwritten laws, limits a human should accept in EVERY situation. Of course we know enough about theory and practice… we should do what we can to keep a direction – the direction of fairness (against fair people, of course). Regarding software I act the same way as in my whole life: Rotten fruits I throw behind the next hedge. And I fear this will happen more and more often…
    To Giorgio Maone: He chose his way he seems to imagine to be the right one – ok, this is not my problem. I needn’t use NoScript or FlashGot and as a consequence of my point of understanding things I kicked them away.

  6. jonas · 2009-05-02 00:48 · #

    Could you add a dialogue when something tried to inject into ad block’s white list that the user has to accept/deny.
    Also a button like “remember this setting” would mean the user does not have to deal with the continuous injection on startup.

    It’s easy to stop the injection, so do it. I’m not happy that it’s this easy for them to change the white list!

    Reply from Wladimir Palant:

    I can – but since we talk about another extension here it can just remove that question with not too much effort. And my impression is that it will. I cannot engage in a war with the NoScript extension, my releases are a lot less frequent than once a week.

  7. Christopher Finke · 2009-05-02 00:53 · #

    For ScribeFire, we open a “What’s New in [this version]?” page after every update, trivial or not. (For example: http://blog.scribefire.com/whats-new/3-1/ ) It saves tons of time and frustration for people who want to know exactly why the add-on was updated.

    Of course, the important distinction here is that there aren’t any ads on the ScribeFire website, so there’s no monetary incentive to get visitors there. I suppose it actually costs us in bandwidth with each release, but I think it’s worth it.

    Just wanted to chime in that there are legitimate reasons for showing the changelog after even a minor update.

    Reply from Wladimir Palant:

    Your updates also come in more reasonable intervals. If that page opens every week like clockwork, there is no way it is going to be anything but annoying.

  8. David Naylor · 2009-05-02 00:56 · #

    Very interesting post!

    I find it disgraceful behaviour from Noscript’s side and will do what I can to enlighten any people using it.

    On a side note, I always thought NoScript was very overrated (and unnecessary).

  9. Ares2 · 2009-05-02 00:58 · #

    “In case of NoScript, asking the user whether this filter subscription should be added was clearly required. But that would probably make too many people notice that something fishy is going on and decline. Note also that this filter subscription cannot be removed (will be re-added on next Firefox start), only disabled.”

    According to Giorgio, this is going to be fixed: http://forums.informaction.com/viewtopic.php?p=3162#p3162

  10. Eido Cohen · 2009-05-02 01:13 · #

    It is elementary to block ads on the noscript.net site. All you do is block javascript via noscript’s own tool for googlesyndication.com. Voila! All the ads on the sidebar are now gone.

  11. SJS · 2009-05-02 01:17 · #

    The functionality of NoScript should not be in an extension, it should be an integral part of the browser, with an initial empty whitelist, of course.

    I never check to see if extensions are interfering with one another, I’m going to have to look into this. Until our browsers acquire the necessary functionality, is there a no-script type alternative that doesn’t suffer from NoScript’s faults?

    (At work, I’m required to enable Javascript, to enable the client-side authentication in the timesheet application. Everywhere else, I simply turn it off. If your page doesn’t work without Javascript, there’s no reason I need to do business with you.)

  12. DigDug · 2009-05-02 01:29 · #

    Maybe this is playing into their hand too much, but you (or they) can always add a “NoScript is not compatible with AdBlock Plus” dialog on first run, and offer the option to uninstall one or the other. On the other hand, it’s like 10 lines of javascript to fix a problem that doesn’t actually exist.

    Reply from Wladimir Palant:

    So if an extension is messing with Adblock Plus I “solve” it by messing with that extension in return? Sorry, I didn’t write that blog post because I want to act like this myself.

  13. Thomas · 2009-05-02 01:31 · #

    I just found that NoScript list and deleted it (I think I’ll have to just disable it when it gets reinstalled)

    Is there possibly a way that you could make something pop up when a new list is being entered(maybe integrate a captcha or something similar to make sure that NoScript can’t secretly inject one) then have it remember that it doesn’t want NoScript white lists.

    I dono just a guess.

    Reply from Wladimir Palant:

    I can – but since we talk about another extension here it can just remove that question with not too much effort. And my impression is that it will. I cannot engage in a war with the NoScript extension, my releases are a lot less frequent than once a week.

  14. James Cready · 2009-05-02 01:32 · #

    If your page doesn’t work without Javascript, there’s no reason I need to do business with you.

    Bwhahaha. Ok buddy, you do that. Wait ten years and tell me how many sites work for you. Hahahah. Wow, that’s classic.

  15. P. · 2009-05-02 01:43 · #

    This needs to be on Slashdot.

    By the way, exactly how do you prevent NoScript from loading the changes page after it updates? I don’t have that domain whitelisted anyway so I never see the ads but I’d like to disable it anyway. There are several dozen settings in about:config.

    And if this doesn’t stop it’s probably time for a fork. If Giorgio wants to run a business, okay but he should at least be honest about it and this is no gray area. This is just not acceptable.

    Reply from Wladimir Palant:

    See http://noscript.net/faq#qa2_5

    I have pity with anybody who tries to fork NoScript, the code is a huge mess. It is much better to rewrite it from scratch.

  16. Osman · 2009-05-02 01:50 · #

    It’s ironic that you have an extension which takes away his (and many other advertisers/websites) revenues, and you’re complaining that he’s trying to get the few ad-revenue that he can by going around your work arounds

  17. Matt McCutchen · 2009-05-02 01:56 · #

    For anyone who wants to read the obfuscated code in NoScript 1.9.2:

    mkdir tmp; cd tmp
    wget http://software.informaction.com/data/releases/noscript-1.9.2.xpi
    unzip noscript-1.9.2.xpi
    unzip chrome/noscript.jar
    perl -np /dev/fd/3 3<<EOS <content/noscript/MRD.js >MRD.unescaped.js
    s/\\\\x([0-9a-f]{2})/pack q{c}, hex(\$1)/ge
    EOS
    less MRD.unescaped.js
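
Added example (not part of the comment above and not NoScript's code): the same `\xNN` unescaping step in Python, extended to `\uNNNN` escapes and to flagging string literals that consist mostly of escapes, which is how a reviewer would triage an unpacked extension. The sample JavaScript, the thresholds and all function names are constructed for illustration.

```python
import re

# One JavaScript escape sequence: \xNN, \uNNNN, or a backslash plus any other
# character. Consuming "\\" as a unit means "\\x41" (an escaped backslash
# followed by plain text) is not mistaken for a hex escape.
ESCAPE_RE = re.compile(r"\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)", re.S)

# Heuristic match for quoted string literals. Comments or regex literals that
# contain quotes can confuse it, which is acceptable for a first-pass triage.
STRING_RE = re.compile(r'"(?:[^"\\\n]|\\.)*"' + "|" + r"'(?:[^'\\\n]|\\.)*'")

# Assumed thresholds: ordinary code has the odd "\x00" or "\u00e9", while an
# obfuscated literal is escapes almost from end to end.
MIN_ESCAPES = 4
MIN_RATIO = 0.5


def decode_literal(body):
    """Decode hex and unicode escapes in the body of one string literal.

    Returns (decoded_text, escape_count, escaped_source_chars).
    """
    hits = 0
    escaped_len = 0

    def repl(match):
        nonlocal hits, escaped_len
        esc = match.group(1)
        if len(esc) == 1:
            # \n, \\, \" or a malformed \x: leave untouched.
            return match.group(0)
        hits += 1
        escaped_len += len(match.group(0))
        ch = chr(int(esc[1:], 16))
        # Keep the escape when decoding would break the literal or hide
        # a control character from the reviewer.
        if ch.isprintable() and ch not in "\"'\\":
            return ch
        return match.group(0)

    return ESCAPE_RE.sub(repl, body), hits, escaped_len


def scan_source(src):
    """List every string literal that contains hex/unicode escapes."""
    findings = []
    for match in STRING_RE.finditer(src):
        raw = match.group(0)
        decoded, hits, escaped_len = decode_literal(raw[1:-1])
        if not hits:
            continue
        ratio = escaped_len / len(raw[1:-1])
        findings.append({
            "line": src.count("\n", 0, match.start()) + 1,
            "raw": raw,
            "decoded": decoded,
            "escapes": hits,
            "suspicious": hits >= MIN_ESCAPES and ratio >= MIN_RATIO,
        })
    return findings


def deobfuscate(src):
    """Return the source with decodable escapes replaced inside literals."""
    def repl(match):
        raw = match.group(0)
        return raw[0] + decode_literal(raw[1:-1])[0] + raw[-1]
    return STRING_RE.sub(repl, src)


# Constructed sample input, not taken from any real extension.
SAMPLE_JS = r'''
// constructed sample for the scanner
var svc = window["\x43\x6f\x6d\x70\x6f\x6e\x65\x6e\x74\x73"];
var key = "\x65\x6e\x61\x62\x6c\x65\x64";
var label = "Caf\u00e9 menu";
var path = "C:\\x41pps";
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"line {f['line']}: {flag:10} {f['raw']} -> {f['decoded']!r}")
```

To review a real package, unpack it as in the comment above and pass the text of each `.js` file to `scan_source`.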

  18. Jesus · 2009-05-02 02:02 · #

    It goes without saying that people who dislike adblockers are usually resembling Hitler in some way or named after Hitler.

    Reply from Wladimir Palant:

    Note: the message this replies to got removed due to offensive language.

  19. Q · 2009-05-02 02:16 · #

    @Osman #16:
    The author of AdBlock Plus does not take away revenue from any website. It is me, the user. I don’t want to see ads and I’m glad there is a tool I can disable them with. It is purely my choice to disable ads.

  20. happy_abp_user · 2009-05-02 02:48 · #

    i’m with #20.
    the ads industry has overdone it (remember the blinky Flash ads?) and that’s why ABP is the first extension I’ll always have in my Firefox setup.

  21. James · 2009-05-02 03:09 · #

    Disgusting, what a crock. He just locked out debate too, noscript is no longer welcome on any of my computers. This malware is not to be trusted.

  22. Dorothy · 2009-05-02 03:12 · #

    NoScript updated on my computer today, and while I understand (in part) the changelog webpage and the ads, I’m pissed; for today when it updated I had to opt out of getting an ask.com toolbar. This trend of bundling toolbars has got to stop.
    It’s dirty. It makes me wonder what else they’re bundling into it. If I want a toolbar I know where to find it.

    Is there another tool that blocks all scripts until I allow them?

  23. web developer · 2009-05-02 03:18 · #

    I’m a web developer for an organization that advertises. How can I best block users that use adblockplus? Not trying to be mean spirited or anything, we just don’t want users viewing our webpages without advertisements and would not be offended if those users then did not use our webpages.. Thanks!

  24. BCK · 2009-05-02 03:23 · #

    I would have had no problem with adding the filter set, if I was asked in the first place. The extension is great but his tactics are terribly underhanded (namely whitelisting his personal site which has nothing to do with the extension).

    I’ve gone through and removed his sites from the whitelists, disabled the filter set, just wish I could find the option to disable opening the site on upgrade

    Reply from Wladimir Palant:

    See http://noscript.net/faq#qa2_5

  25. Mr. Add-on Developer · 2009-05-02 03:25 · #

    Wladimir,

    I’m a developer of a popular Firefox Add-on. I’m posting this comment anonymously.

    A while ago I was contacted by a guy named Lee Lorenzen from a company called KallOut, Inc. asking me if I wanted to do all sorts of aggressive stuff with my addon to promote their software. Other developers were contacted, too.

    Did they contact you? I wonder if they convinced the NoScript guys to go along with their plans.

    I think this sort of seedy business is just going to increase as the browser becomes the platform. The bigger the ecosystem the more room for bad actors.

    It’s blog posts like yours that bring it all to light. Thanks for writing it!

    Reply from Wladimir Palant:

    Yes, he contacted me as well. And when I explained that I’m definitely not interested in anything that will harm the user experience he had the nerve to ask whether I would sell the project.

  26. P. · 2009-05-02 03:26 · #

    Just to answer my own question: to stop the changelog from coming up set noscript.firstRunRedirection to false.

  27. Sol · 2009-05-02 03:27 · #

    @web developer
    Just block anything that uses the Firefox UA. That should clear up any problems that you are having blocking users. Good luck with that.

  28. Alastair McDermott · 2009-05-02 03:37 · #

    I’m an SEO/online marketer/webgeek. AdBlock Plus is the first thing I install after Firefox (seriously: http://amdsoft.com/essential-software-for-new-windows-box/ )

    With the aggressive and malicious nature of many ads on websites I feel a lot more secure knowing 99% of that crap is being blocked. Companies doing legitimate online marketing have long developed past pop-unders, punch the monkey and cringe-worthy animated gifs. The vast majority of non-spammers are not using these techniques.

    I whitelist many websites that I want to support (for example the Irish community discussion forum www.boards.ie and several online newspapers). That’s what I’d like people to do on my websites if they find it valuable enough to visit more than once, and I’d urge every AdBlock Plus user to be more aggressive in the use of the whitelist option (choose “Disable on domain.tld” from the dropdown menu).

    Re: monetisation – what about having a “recommended whitelist”, and have companies pay to have their sites reviewed and voted on by ABP users?

    Regards,
    Alastair.
    WebsiteDoctor.com

  29. Unr3a1 · 2009-05-02 03:49 · #

    I think that what noscript has done crosses a major line. I will too be removing it from any computer that I have it currently on. Thanks for the info ABP!!

  30. mark · 2009-05-02 03:54 · #

    @Alastair McDermott

    Kudos – Sensible replies like yours are the sort of thing that lead me to whitelisting the author’s websites :) Those who bitch and moan whilst trying to send flash ads receive little attention.

    On topic, if no-script had been up front about what it was doing then I probably wouldn’t have minded. Sneakily doing it and reinstalling everytime makes me mind quite a lot.

  31. Adrian · 2009-05-02 04:04 · #

    I just finished uninstalling NoScript, and I will definitely make sure it no longer has a place in any further Firefox installations.

    I appreciate the insightful post.

  32. mrbene · 2009-05-02 04:05 · #

    @ web developer
    There’s a few methods.

    - You can honeypot, crawl the DOM with inline JavaScript and then use document.write to eliminate your content if the honeypot URLs haven’t rendered. You’ll end up with false positives (anyone on slow connections), and if your site is popular, the honeypot URLs will likely end up whitelisted. Not particularly effective – search forums for “Jack Lewis”. I think that went all the way to blocking all Firefox users.

    In terms of continuing to serve ads to users with ABP

    - You can serve ads from your own domain, which, if your site isn’t particularly popular, will result in the majority of subscriptions ignoring you.

    - You can encode the images you want to serve into the HTML directly, so that there aren’t additional requests. This makes the files really heavy, and can generally be blocked with element hiding. You’ll also have no idea what portion of ads are blocked.

    Finally, your best option:

    - You can ask your users to whitelist your site. You can make this a very easy process by providing a subscription so the user can just click on a link and get the whole set of your domains, if you have more than one that work together.

  33. Dave · 2009-05-02 04:15 · #

    Wladimir,

    I think it’s time to ask Mozilla Foundation to delist NoScript for all these MALICIOUS activities! This has gone far enough! It’s time to remove them from mozilla.org directory until they clean up their act!

    Let’s do it people… start emailing Mozilla!!!

  34. Anonymous · 2009-05-02 04:22 · #

    When ABP is installed, have it auto-redirect them to this very post if it detects Noscript.

    Reply from Wladimir Palant:

    It was user’s choice to install NoScript, for whatever reason. I am not messing with that choice, an extension should not do that.

  35. Michael Kaply · 2009-05-02 04:31 · #

    I agree with everything you posted, but there is a larger issue here that needs to be solved.

    Extensions are going to start fighting over revenue models because there are so few ways to generate revenue.

    We’re seeing more extensions take over new tab, take over search without asking, etc.

    Someone needs to figure out a way to build an app store for Firefox…

  36. Delimitation · 2009-05-02 04:32 · #

    I block NoScript’s domain on my border router. All other extensions that routinely load websites after updates get the same treatment.

  37. DaveK · 2009-05-02 04:35 · #

    Hooray for open source; let’s just fork NoScript.

    Reply from Wladimir Palant:

    I have pity with anybody who tries to fork NoScript, the code is a huge mess. It is much better to rewrite it from scratch.

  38. Johnny f*g know it all · 2009-05-02 04:40 · #

    I am no fan of Adblock Plus or NoScript and I use neither.

    However the whole assumption of Giorgio Maone is wrong, people already chose NOT to see the ads on his sites when they installed Adblock Plus. Period.

  39. Sean · 2009-05-02 04:57 · #

    I used NoScript for about a week. I had a feeling something strange was going on with it. It was really pissing me off so I removed it. I’m glad I did. I knew something wasn’t right about it.

    I love my ADB. It’s the first thing I add whenever I have to install Firefox on a machine. I do disable it on respectable sites I trust. Ads are what make things free. It sucks that 98% of them are crap. Thank goodness we have ADB.

  40. Daniel Macer · 2009-05-02 04:58 · #

    My immediate reaction is in agreement with post #6 and similar. Regardless of how you view this whitelist behavior, some addons (not necessarily NoScript) could add bad whitelists that the average user would never be aware of.

    The solution is as simple as the problem: when an addon tries to add a list to ABP, open a dialog warning the user that Addon X wants to add a list called List X. Display the icon of the addon in the dialog, and have the question be something like “Do you want to block this addon from adding rules to ABP?” so a user who blindly clicks YES will prevent said addon from adding rules.

    Reply from Wladimir Palant:

    I can – but since we talk about another extension here it can just remove that question with not too much effort. And my impression is that it will. I cannot engage in a war with the NoScript extension, my releases are a lot less frequent than once a week.

  41. Anonymous · 2009-05-02 04:59 · #

    I agree with #35.

  42. Harvey Birdman · 2009-05-02 05:01 · #

    In some countries (like the US) changing things on a computer without consent of the owner is a felony. It’s part of the DMCA. That’s one of the reasons why Microsoft, Adobe, and others have such long install terms.

    NoScript might be breaking the law where you live.

    At the very least, their behavior should be documented and reported to anti-spyware sites.

  43. Orbijx · 2009-05-02 05:21 · #

    NoScript was already being rather squirrely when I tried it a week ago.

    The last straw was drawn when I whitelisted the hell out of everything I would want to use with ABP disabled (live.xbox.com being a prime example), and only the ads were visible. I couldn’t use the rest of the site with that lump on. Disabled it, went back to ABP, and gave it a kiss on the cheek when it let me see that a game I wanted was finally on XBLA.

    I’m not an overly technical person, but I can troubleshoot myself out of my own issues.
    I knew that NoScript was at fault when I could go as far as telling it to enable JavaScript globally, and still couldn’t get sites I actually use to, you know… work.

    NoScript was already on the list, but this just sealed that.

  44. AKAJohnDoe · 2009-05-02 05:27 · #

    I deleted the filter subscription NoScript placed there. And I have Firefox set to ask me about updating add-ons, so NoScript will not get back there without my knowledge. Further, I added an entry into the ZoneAlarm firewall (ZA-AV product) to block all accesses to noscript.net.

  45. ant · 2009-05-02 05:27 · #

    If there were an extension that just added a straightforward scripts whitelist the same as the popups/images ones (you know… like IE’s been able to do for ten years…), I’d get rid of NoScript in a heartbeat.

    Failing that, this news is a good enough excuse. Maone Malware, no thanks.

  46. v.dog · 2009-05-02 05:40 · #

    I’ve got no problem with pages displaying ads per se, but annoying (pop-ups, flashing primary colours, eating up most of the screen), false (‘you’re the millionth visitor’), and malicious (‘has your credit card been stolen?’, fake windows dialogs, tracking cookies, XSS, etc) ads mean that ABP is a must have. It’s a great shield from a lot of the crap out there.

    I’m happy to whitelist your site, web developer, but first you’ve got to prove that your ads are honest, safe, easy on the eye, and don’t interfere with my browsing experience.

  47. snake · 2009-05-02 05:43 · #

    Here’s a question do u trust this guy:

    if that does not try this:
    http://i41.tinypic.com/5dkq50.jpg

    that’s him, the guy who shut down the thread that was questioning him about his underhanded techniques in crippling adblock plus, he tried to squirm out of it, BEWARE OF THIS MALWARE – DO NOT DOWNLOAD IT MESSES WITH AD BLOCK PLUS

    IF u have it Uninstall it right away.

    I am not the only one who believes this, check out here:
    https://addons.mozilla.org/en-US/firefox/reviews/display/722

    Beware of it people.

  48. Anonymous · 2009-05-02 05:45 · #

    A possible solution might be to use priorities for the subscription lists. Perhaps require that subscriptions added via API by other plugins have lower priority than the ones added by user.

  49. Another anon · 2009-05-02 05:56 · #

    @49 That doesn’t really work since the addon adding the subscription could directly edit whatever you’re using to store the data if it wanted to bad enough. Might help set expectations for legitimate use of your APIs, and potentially AMO could create a policy that they de-list addons that deliberately bypass another addon’s published API for some task.

  50. Pseudonymous Coward · 2009-05-02 05:56 · #

    Thanks for the warning. I have uninstalled NoScript specifically for its shady tactics. Too bad though, it is a pretty good extension otherwise.

  51. Anne H · 2009-05-02 06:00 · #

    Your post raises some interesting questions. I should preface this by saying I’m not exactly a fan of your product as it can interfere with my revenue.

    In the case of your product, the user is making a determination they don’t want ads. I recognize that and I’m not going to interfere. I may if some 3rd party service or ISP were to inject their ads without a user’s consent. For now, I’m happy so long as my adsense revenue covers my expenses.

    I’m also a noscript user who made a donation. The reason I use the add-on is for security reasons. As someone who reviews products and sites, I often encounter sites that I know very little about and like the added protection. Your article has prompted me take a harder look at the author’s practices and policies.

  52. nickserte · 2009-05-02 06:03 · #

    Well, for some of you ignorant hotheads, together with ABP, NoScript is a very important add-on. I don’t agree with their actions in any way, and have disabled the filter subscription, but asking people to boycott it is childish and will just benefit the malicious attackers.
    Unless someone forks it, or creates a better alternative that is. Or maybe if the NoScript devs apologize and fix this themselves. I’ll keep donating of course.

  53. W^L+ · 2009-05-02 06:05 · #

    That is really sad. ABP and NoScript have long been the first (and sometimes only) extensions I install and recommend. I’ve always wondered why the Gecko engine doesn’t have NoScript’s functionality built into it.

    This would bring the positive parts of NoScript into K-meleon and other browsers that use the engine but not necessarily the full GUI from Firefox.

  54. bookemdano · 2009-05-02 06:09 · #

    What noscript domains should I put in my hosts file? Anyone have a handy list so I don’t have to research it myself?

    all I have is……

    127.0.0.1 noscript.net
    127.0.0.1 www.noscript.net

    any others?

    2) is noscript GPL licensed? If so, maybe someone will fork it.

    Reply from Wladimir Palant:

    informaction.com
    flashgot.net
    maone.net

  55. mongate · 2009-05-02 06:17 · #

    Uhm, wow.
    I just noticed everyone’s gone BATSHIT CRAZY on AMO.
    This is really a bad day for NoScript, huh? Overreaction much?
    You know that you could just make the devs apologize, fix it and move on. Now looks like you’ve bombarded the guy unto oblivion.

  56. AKAJohnDoe · 2009-05-02 06:25 · #

    I uninstalled NoScript.

  57. nerteacup · 2009-05-02 06:31 · #

    This is, perhaps, the most active and absurd “development” I’ve ever witnessed in the FF extension development world.
    People everywhere are boycotting NoScript, uninstalling it from every one of their machines. Though not like 95% of them know how to use it in the first place (#44 for example).
    Giorgio Maone is working on the code right now, so he won’t have time to post his apology, rebuttal or anything.
    Truly, the only way to vote in the FOSS world is with your feet.
    @23: truly, the people who use free software can be so arrogant and complain so much. Toolbars are part of why it’s still free… Unbelievable.

  58. TD · 2009-05-02 06:40 · #

    I don’t know anything about the internal workings of AdBlock Plus nor NoScript. I do find this unappealing though. If extensions are being allowed to add filters that disable certain ABP functionality, then that is not good at all.

    Perhaps what needs to be done is to adopt a sort of “deny takes priority” process behind how ABP works, similar to NTFS file permissions. This way, if something is blocked through the filters then something tries to unblock it by adding another filter to allow it, then the version that blocks it takes priority.

    If this is done, then additional filters could be added to block the elements that the NoScript-inserted rules are attempting to allow.

    That’s just how I see it. Sorry if I just confused everyone.
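The precedence question raised in comment 58, as an added example (not part of the thread and not Adblock Plus code): in Adblock Plus filter syntax an `@@` exception rule overrides a matching blocking rule, and the sketch below compares that with a deny-takes-priority policy. The list names and `.example` hosts are constructed, and the matcher handles only `||host^` filters.

```javascript
// Added example: simplified model of filter precedence, not Adblock Plus code.
// Only "||host^" blocking filters and "@@||host^" exception filters are handled.
// All list names and hosts below are constructed for illustration.

function parseFilter(text, source) {
  const isException = text.startsWith("@@");
  const body = isException ? text.slice(2) : text;
  const m = /^\|\|([a-z0-9.-]+)\^$/.exec(body);
  if (!m) throw new Error("unsupported filter: " + text);
  return { text, source, isException, host: m[1] };
}

// "||ads.example^" matches ads.example and any subdomain of it.
function covers(filterHost, host) {
  return host === filterHost || host.endsWith("." + filterHost);
}

// "exception-wins": an exception cancels any matching block.
// "deny-wins": a matching block cannot be cancelled (the idea in comment 58).
function evaluate(filters, url, policy) {
  if (policy !== "exception-wins" && policy !== "deny-wins") {
    throw new Error("unknown policy: " + policy);
  }
  const host = new URL(url).hostname;
  const hits = filters.filter((f) => covers(f.host, host));
  const block = hits.find((f) => !f.isException);
  const exception = hits.find((f) => f.isException);
  if (!block) return { decision: "allow", rule: null };
  if (exception && policy === "exception-wins") {
    return { decision: "allow", rule: exception };
  }
  return { decision: "block", rule: block };
}

// Audit helper: every blocking filter that some exception fully cancels under
// "exception-wins", together with the list each rule came from.
function overriddenBlocks(filters) {
  const blocks = filters.filter((f) => !f.isException);
  const exceptions = filters.filter((f) => f.isException);
  const out = [];
  for (const b of blocks) {
    for (const e of exceptions) {
      if (covers(e.host, b.host)) {
        out.push({
          block: b.text,
          blockSource: b.source,
          exception: e.text,
          exceptionSource: e.source,
        });
      }
    }
  }
  return out;
}

// Constructed filter set: two subscription blocks, one exception the user
// wrote to support a site, one exception added by another extension.
const FILTERS = [
  parseFilter("||ads.vendor.example^", "subscription"),
  parseFilter("||banners.news.example^", "subscription"),
  parseFilter("@@||news.example^", "user"),
  parseFilter("@@||vendor.example^", "added-by-extension"),
];

// Exceptions that did not come from the user are the ones worth reviewing.
function exceptionsNotFromUser(filters) {
  return overriddenBlocks(filters).filter((o) => o.exceptionSource !== "user");
}
```

Deny-wins blocks the request that the extension-added exception would have let through, but it also disables the user's own exception for `news.example`. Listing overridden blocks by source flags the unexpected exception without that side effect.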

  59. Spade · 2009-05-02 06:40 · #

    @ #53

    I’m afraid you’re the one who’s being ignorant in this case. Or are you forgetting about the “malicious attackers” pressuring extension authors to aggressively monetize in this fashion? (Re-read the original post, along with comment #26.)

    We need to take a stand here, and show them that we will not stand for these kinds of aggressive tactics. Giving them a black eye here and now will go a long way toward convincing them (and other extension authors) that this heavy-handed approach won’t work.

    I recommend the RequestPolicy extension for anyone concerned about attacks from third-party scripts. I was already considering eliminating NoScript and using RequestPolicy alone, and this situation sealed the deal.

  60. Spade · 2009-05-02 06:43 · #

    @ #56

    Underreaction much? This is more than just a “bad day”, this is the reaction to an extension author who deliberately sought out to defeat the functionality of another extension, without the consent of the user. He went so far as to add obfuscated code (which made it past the AMO reviewers) to do so. If he’d gone about things openly and honestly in the first place (rather than being shamed into doing so), you wouldn’t be seeing this kind of reaction.

    Plus, I think a lot of the reaction we’re seeing has to do with the fact that we’ve always trusted these extensions without thinking too much about it. Now, because something like this was able to make it past the AMO reviewers, that trust has been thrown into doubt.

  61. kuza55 · 2009-05-02 06:44 · #

    shrug

    It’s bad, but I’m not an AdBlock Plus user, so this doesn’t affect me even though I do use NoScript.

    I just wanted to say that while you may think that Giorgio’s solution to xss-based attacks was not a good one, that additional functionality is the main reason I use NoScript, it may not stop everything, but it provides an extra hurdle.

  62. W^L+ · 2009-05-02 06:47 · #

    @58

    No, it isn’t that simple. NoScript is security software. Its job is to protect us against those sites that would misuse our computers / browsers for their own benefit. Deceptive disabling of another security product for their own financial benefit is not acceptable behavior for a security vendor.

    All that was needed was to clearly state what was going on and ask for consent. You need ad revenue? Say so! Just don’t sneakily change my settings to get that revenue.

    Reply from Wladimir Palant:

    I fully agree and that’s exactly why I wrote this blog post about NoScript and not any other extension using similar tactics.

  63. Xymor · 2009-05-02 06:52 · #

    Overreaction? The guy interferes with another plugin not to fix a technical issue but for commercial gain.

    There’s no overreaction. They went from a decent operation to a rogue one when they decided to do that.
    It’s the same as if your anti-virus updates started installing virus and adware in your PC.

  64. Robert Leland · 2009-05-02 06:54 · #

    I donated $100 USD to noScript about 8 months ago because
    1) I felt safer from using it.
    2) I have dabbled in OSS and know how thankless a job it can be.

    However, these latest changes in policy are beyond irresponsible, it’s knowingly misleading, and more.

    No Script should just close up shop.

    -ROb

  65. ghendar · 2009-05-02 07:08 · #

    Thanks to noscript documentation, I know about his other domains and have the following entry in /etc/hosts:

    #bad noscript # http://adblockplus.org/blog/attention-noscript-users
    127.0.0.1 noscript.net
    127.0.0.1 flashgot.net
    127.0.0.1 informaction.com
    127.0.0.1 hackademix.net

  66. bob · 2009-05-02 07:18 · #

    You people are exaggerating. Forever uninstalling Noscript? So you’d rather have people xss/csrf/clickjack into your gmail?
    Giorgio understands that people don’t like this. He’s fixing it.
    http://forums.informaction.com/viewtopic.php?f=7&t=877&start=90#p3162
    Shut up about it.

  67. Gnomegarten · 2009-05-02 07:19 · #

    Alright, so that is pretty heinous.

    Unfortunately, with the way I browse I might have difficulty dropping NoScript – I routinely run with over a hundred tabs open in multiple windows. I’ve been allowing more scripts lately, but if I let everything run I’d most likely freeze out or just crash my sessions irretrievably. I have yet to see any other extension that provides this kind of fine tuned scripting permissions. I might have to live with this for a bit.

    Next question then. I use ABP without subscribing to any lists. I figure that blocking JScript keeps the most heinous ads out of my line of sight, so anything that plays nice is fine. I only block ads that still manage to annoy me. So, without any subscriptions, am I still vulnerable?

  68. JagsLive · 2009-05-02 07:23 · #

    Does anyone here know “how to make a feature request” for a NoScript replacement into next Firefox ??

    BTW I’ve created this post but not sure if I’m gonna get any help from there:

    http://forums.mozillazine.org/viewtopic.php?f=7&t=1226775

  69. Forrest Gump · 2009-05-02 07:29 · #

    This presents us with a new dilemma of sorts.

    It reminds me of the pre-virus days, where a program could do just anything it wanted. This is analogous to noscript being able to modify things to suit its needs.

    Therefore, what may be the next step is creating some security layer within the scripting mechanism to prevent these types of alterations from happening without your approval, or a permissions/policy based moderation.

    Easier said than done (and way more complex than that).

    In the end, security will win out – it’s the model everywhere else and Firefox isn’t exempt from it.

    All we need is some idiot to create an altered plugin for Firefox to do something malicious and … the rest will be history.

  70. drunkardert · 2009-05-02 07:36 · #

    #60, #61, #63, #64:
    “Fucking NoScript dev messed up my ABP so that when I visit his page after each update I’ll see a few ads. A FEW ADS? Oh Noooo, they must contain some uber-malicious spyware, the latest xxConfickersxx; they’re gonna blow up my car, rape my wife, burn down my house and [insert your own fantasy]. There’s no redemption, no. This is about our security, we must make a stand. For great justice! For our holy ancestors! For” Jesus Christ!
    NoScript’s behaviour is not acceptable in any way, but this is so fucking ridiculous that it totally classifies as an over-reaction.

    “Now he’s done it, who knows what he will do in the future? All my data is gonna be compromised, the greedy bastard will go so far as to sell it to all the hackers, oh NO!!!!”
    Free software users can be so arrogant. So arrogant, that they demand all sorts of stupid features. So arrogant, that they will whine about everything and call every feature a bug. So arrogant, that they make all sorts of empty threats to the developers if they don’t fix this particular “bug”. So arrogant, that they will come up with every kind of excuse like “It has an unacceptable logo” just to avoid donating… Just among 1000 reasons why so few people want to work in tech support.

    You want him to “clearly state what was going on and ask for consent” ? Release notes, does that ring a bell to you? And he’s working on a prompt in the next release btw.

    I was mad at NoScript. But now I’m mad at you guys instead, the sheer amount of immaturity, acts of faggotry at NoScript forum and AMO… Shame on you.

  71. Pissed off · 2009-05-02 07:39 · #

    Well then, NoScript just got uninstalled and all of my AdBlock whitelists have been reset, and a fresh copy of AdBlock re-installed. I will be blocking NoScript at the school’s firewall come Monday morning, and pushing an update message to inform all our users to stop using it and instead rely on ONLY adblock.
    This sucks, because I felt for a long time giving both tools to my users made things better, but now…

  72. Spade · 2009-05-02 07:46 · #

    @ #71

    I think your choice of language and epithets has adequately proven which of us is immature.

  73. mathew · 2009-05-02 07:49 · #

    This is why I think the functionality of NoScript should be a standard feature of the browser.

    Unfortunately, the developers of Firefox will never do that, because it would annoy advertisers. Same reason you’ll never see cookie handling like CS Lite built in to Firefox.

    Actually giving people a quick and easy UI so they could manage their privacy would annoy too many advertisers.

    https://bugzilla.mozilla.org/show_bug.cgi?id=388963

    Reply from Wladimir Palant:

    No, Firefox developers will never do that because it will annoy users. Breaking the web is never a good choice when you are in the browser building business.

  74. John Davis · 2009-05-02 07:49 · #

    Wow, that’s amazing dude!

    RT

  75. Spade · 2009-05-02 07:55 · #

    @ #70

    You raise some good points. I know I was initially quite surprised to discover that extensions could change pretty much anything in about:config. I’d assumed there was some kind of sandboxing preventing global prefs from being messed with.

    I’d also assumed that extensions needed to have the “extensions.” prefix for every one of their prefs. Sure is messy in there when they don’t do that!

    I have a feeling this oversight in the original design of how extensions work is indeed going to come back to bite us all, now that there’s a greater awareness of how extensions can mess with each others’ settings.

  76. Anonymous · 2009-05-02 08:01 · #

    This clearly shows how allowing the user to make the choice ultimately matters.

    If he’d opened a message box asking whether or not the user wants to white-list NoScript, then things would go very differently. Now, he probably ruined the Addon and someone will fork it with a new name. Well, regardless of what happened, I’ve always used NoScript and I do pretend to keep using it, since it’s a great combo (NoScript + ABP).

    However, I’ll no longer support its development with donations, it was too rude to continue.

  77. drunkardert · 2009-05-02 08:13 · #

    @ #73:
    And while Spade was paying attention to my choice of language for an ad hominem reply, I was paying attention to your accusations, your complaints, your pointless rants and empty threats which are still visible on AMO, NoScript forum and hell, Slashdot…

    If you’ve ever worked in tech support, or modded a particular forum before, you shouldn’t find these happenings unfamiliar at all. But still I’m just as amazed as ever.

  78. Spade · 2009-05-02 08:20 · #

    @ #74

    For a while I assumed that nobody would dare put popup blockers in their browsers, for fear of angering advertisers. Yet now today, every browser I’m aware of has a popup blocker.

    So it may take a while, but it’s certainly possible that the functionality of CookieSafe or NoScript could someday be built into the browser.

  79. Kyle Sellers · 2009-05-02 08:23 · #

    The problem, I believe, is that it is extremely easy for a novice user to add AdBlock Plus, but not so obvious as to how they can white list sites which they wish to support. Many people don’t realize how important those ads are to some of their favorite sites—even ones who have gone out of their way to be tasteful and discreet with their ad placement. I think many users would actually LIKE to support their favorite sites.

    Wladimir, you have made a great tool, but I truly believe your next step is to show average non-savvy users how AdBlock Plus can negatively impact the sites they frequent and how to white list the sites which they wish to support.

    Just my two cents on the issue.

    Kyle
    Twitter.com/kylesellers

  80. tirso ramirez · 2009-05-02 08:41 · #

    That means that Firefox is so popular now that it is being targeted by this kind of people.

  81. HAL · 2009-05-02 08:55 · #

    Good morning Dave….

  82. Aggressive Prefector · 2009-05-02 09:01 · #

    I disabled noscript’s new white list in adblock plus. I restarted firefox and it did not reset. That is good. I am shocked that an extension would sabotage another extension.

    There is only one way to win this fight. Adblock needs to add the features of NoScript. I also suggest having a switch to automatically allow scripts or automatically block them.

  83. Justin · 2009-05-02 09:01 · #

    Wow, I’m uninstalling noscript. I need to find a replacement.

  84. YukonGuy · 2009-05-02 09:12 · #

    This is the problem with extensions. In particular the behaviour of extension developers. Good bye NoScript! Wladimir Palant, you’ve made a poor choice.

  85. jarek · 2009-05-02 09:19 · #

    so where’s your problem adblock guys?

    noscript just messes with your addon the same way you mess with other people’s websites.

    that’s the sweeeeet taste of your own medicine …

  86. Ruined FOREVER · 2009-05-02 09:20 · #

    So NoScript is Ruined FOREVER now, right? Personally, I think that both AdBlock Plus and NoScript should’ve been integrated into Firefox to begin with. Considering how many cocksuckers on the Internet like displaying pop-ups, pop-unders, utilising XSS, performing DNS poisoning, and phishing; it’s damn near becoming a necessity to have to operate purely off a whitelist with everything disabled by default.

    I will admit that NoScript’s actions have been utterly moronic in this regard and their attempts to undermine ADP are inexcusable. If, however, the original aims of ADP or the EasyList subscription are no longer being adhered to (it was mentioned that it was originally to get around annoying/obnoxious/dangerous/etc. ads) then that is a mitigating factor. If Giorgio says he was under the mistaken impression that the aims of ADP and the EasyList subscription were originally different and have now changed, then I’m prepared to give him the benefit of the doubt. Just this once.

    #78 gets it. Don’t throw the baby out with the bathwater because mum ‘n’ dad have had a lil’ spat over how best to clean their spawn.

  87. Nonightsleep · 2009-05-02 09:25 · #

    I’ve always wondered about how people could develop and maintain such great Fx add-ons. Looks like money is still important to (some of) them after all.
    @ #87: A lot of people could have just quietly disabled the new whitelist, and moved on because I doubt the author would want to do anything sneaky after this. But it seems like they think each opinion counts, so they’re going all out on every site… People have so much free time.
    And you could’ve warned me before linking tvtropes. Good thing I wasn’t doing anything productive this evening :)

  88. Security First · 2009-05-02 09:32 · #

    Good security policies begin with “deny all” and then proceed with selective allows. NoScript is far from perfect and there are some legitimate complaints about what its author has done, but its basic premise of denying all scripting from (almost) all websites makes it the single most important security extension I use. Those who think ABP is the first extension that should be installed clearly don’t have a grasp on good security. ABP does not begin with “deny all”. And those that think all scripted malware begins with third party ads also need to get educated. For me, ad suppression is a must have because I can’t stand ads, not because of security concerns. At best ad suppression is a not very good but nonetheless minimally helpful bonus layer in my security perimeter, but that’s being generous. I’m amazed at the commenters for this posting because no one seems to get this. Look, I’d be absolutely delighted to replace NoScript with a superior alternative, but unlike ABP, there isn’t one! I use Privoxy on a separate proxy server so that I needn’t bother with administering something like ABP on every profile on every computer. I’ve nothing against ABP… well, all the ranting and willingness to solve the NoScript problem with such venom does have me concerned now… but good security and practicalities demand I use NoScript – not so for ABP.

    What I want is for NoScript-like functionality to be integrated into Firefox. That will never happen for ABP-like functionality. Instead of throwing tantrums about NoScript, try civility to move its author while simultaneously lobbying Mozilla for functionality that will make him irrelevant. I don’t see anyone here actually trying to solve the fundamental problem of default deny-all scripting security… except for the NoScript author. IMHO, that makes the ranters look awfully foolish.

  89. Unhappy · 2009-05-02 09:34 · #

    What is the last version of noscript that was not fubar’d in this manner? If I am to believe the changelog, 1.9.2.2 is a good one – is that a safe one? I will downgrade and not allow updates until noscript wises up.

    Reply from Wladimir Palant:

    Don’t believe the changelog. This code was introduced in 1.9.2 without mentioning it in the changelog.

  90. Listen to me · 2009-05-02 09:38 · #

    @ #84:
    Wow I’m uninstalling Firefox, oops I mean NoScript. Looks like it’s evil and gonna blow up my computer. Huh? I can just disable the new whitelist? What’s that?
    I’m posting because I want you guys to remember what I do with my software is very important.

  91. Steven G · 2009-05-02 09:56 · #

    why don’t we all do abp and noscript a favor … disabling the first run redirection to his page, how about them apples?

  92. blah · 2009-05-02 10:10 · #

    I always thought the Noscript guy was a douche. Just look at the logo on his site. F that ego maniac.

  93. Listen to me · 2009-05-02 10:12 · #

    @ #91: On second thought, I’ve decided to uninstall firefox completely.
    I’ve lost trust in all extension developers. This guy has betrayed me for money, how do I know they won’t do it again? Trust, once lost, cannot be regained. It’s sad, I know, but Google Chrome should do a better job. I’ll never install firefox on any of my computers again.
    What I do with my software is important, you see.

  94. This isn't right · 2009-05-02 10:15 · #

    NoScript & Adblock are SECURITY plugins. NoScript’s sneaky tactics are types of things we try to protect ourselves from.

    That’s like subscribing to ADT Home Security, and when they get to your house to install, they remove the locks on your back door.

    The fact that this is free software has nothing to do with it. It’s unethical and bad business practice. If companies did business like that, they would be shut down.

    Don’t take my word for it, just look at the response on Mozilla.org Addons

  95. StillUnhappy · 2009-05-02 10:16 · #

    So now the 1.9.2.5 version has come out that (according to the noscript developer) asks if you want to add the offensive behaviour or delete it forever.

    What a fricken’ joke!! It pops up an utterly confusing window that basically says “do you mind if we protect you from the evil world out there” and then offers you an “ok” button and a “cancel” button. What does anyone suspect will be the result of that?!

    That settles it that I am done completely for good. Thanks ghendar for the hosts entry. I am adding it as we speak.

  96. Glam · 2009-05-02 10:19 · #

    How dare they show us ads, how mean and degrading..
    Seriously, until I saw today the option for disabling the loading of the NoScript on every update I didn’t at all notice anything on – just closed it. And is it such a great sin that the maker(s) of this great piece of software get some revenue? I’ve even considered donating.
    I’d like to hear the story from NoScript’s side as well, but by default I’m on their side.

    Reply from Wladimir Palant:

    The problem is not with the ads – it is his choice how he wants to make money from his extension. The problem is how far he went to protect this revenue – even manipulating user’s system behind user’s back. That extension is supposed to be trusted with user’s security.

  97. Eric Z. - An avid internet crawler · 2009-05-02 10:19 · #

    I have read this, the posts in a forum redirecting me to this post, and nearly all the comments after this post and I must say. If he clearly said to his users, “I hope you enjoy noscript, but as it does take time to develop and test this add on for FireFox, now if you wouldn’t mind there is a very simple… blah blah blah etc” Asking the user if they could support him by seeing the Ads, he surely would have gotten quite a few ad “viewers” from those who understand or truly want to support him. But the way he had undergone getting people to see his ads, is really disgusting and he deserves to lose all the Addon users that he alienated in using such tricks.

  98. Former NoScript User · 2009-05-02 10:20 · #

    I have removed NoScript from my browser because of this.

    There is no excuse for modifying the behaviour of other software on a computer without the user’s consent. There are words for that sort of behaviour, starting with “malware” and in many places ending in “illegal”.

    It’s somehow okay now that an extension goes behind the user’s back and circumvents other plug-ins? Especially a plug-in that most users use presumably to protect themselves against malware and intrusive JavaScript driven ads?

    NoScript is supported by ads, and maliciously tries to prevent them being blocked by AdBlock. However, AdBlock itself is not supported by ads, and does not try to block NoScript in a similar fashion. It may be a war, but it’s pretty one-sided, and it’s fairly clear who’s being an asshole here.

  99. PeterSP · 2009-05-02 10:26 · #

    I think there’s a bit of groupthink here that Giorgio just added the whitelist to keep ads— I believe that when he added the whitelist, some of the entries on EasyList were blocking most of the javascript on his sites, period (preventing things like turning off the “get it” button if you have “it” from working.) To say that this was “one-sided” is wrong. Of course, Giorgio should have been more scrupulous about this.

  100. steve · 2009-05-02 10:47 · #

    NS v1.9.2.6 just released cancels out the controversial filterset entirely. Now everybody move on.

  101. zurk · 2009-05-02 10:51 · #

    no extension should touch another extension. PERIOD.
    i don’t give a crap if you destroy yourself but don’t destroy anything on my computer without my permission. noscript is entirely at fault here.

  102. Winter Knight · 2009-05-02 10:51 · #

    1) What is the latest safe version of NoScript?
    2) If my Adblock Plus installation has been sabotaged, how can I fix it? Will uninstalling and reinstalling do it?

    I think I already have the answer to #1. The first unsafe version was 1.9.2, so the last safe version was 1.9.1.91.

    Reply from Wladimir Palant:

    Supposedly, NoScript 1.9.2.6 both removes that behavior and repairs the damage done by the previous version (removes the whitelist again).

  103. AMO Editor · 2009-05-02 10:53 · #

    I’m author of several addons on AMO. I also contribute to AMO as an editor.

    Your addon, being the most popular addon, has a huge fan-following. By making the issue public in this manner, you’ve attacked NoScript with all your fan-following. Could it have been better to report this issue to AMO Editors or AMO Admins? I believe that this issue in this version of NoScript that was approved by AMO could be reverted (or a suitable action may have been taken in time – after all the obfuscated code did slip through by one of the editors).

    On the subject of monetisation… (and after reading your other posts/links you referred to), the wiser man knows that free software “sells” almost as well as the paid counterpart… the difference is in the way money exchanges hands… donations/ads etc… While your development work is a part-time affair there are others who are full time into it and they have to pay for the roof over their head. So understandably whatever the business model… ethics pave the foundation for a long-term relation with your software’s users. You also use the term “begging” (for donations – http://adblockplus.org/blog/the-monetization-dilemma) which is again offensive. If you have chosen not to earn through these streams doesn’t mean that others earning it is wrong (though you never said that). I agree on the point that monetisation options are being abused and are crossing the limits. I’d say this is not a misuse of addons as a way to earn money but an abuse of AMO for the traffic it throws your way and the visibility your product gets. Imagine if there were another 10-20 sites listing these addons? I’m sure addons wouldn’t have been that profitable to authors then. That’s the reason developers want to come out of experimental status… so they can get installed and the updates offered subsequently. AMO being the central place of about 3000 Firefox addons is the actual target.

    Reply from Wladimir Palant:

    I am sorry if you think that I should have acted differently – I thought a lot about that before publishing this blog post. In the end, I wouldn’t have done anything if NoScript wouldn’t be considered a security extension (meaning that it is trusted with user’s security). I also wouldn’t have done anything if NoScript’s current solution involved giving users a choice or even explaining properly what was going on. But going behind users’ backs like that is unacceptable IMHO.

    Oh, and the term “begging” was only meant to express how far some extension authors go to bring their “Please donate” button to attention. I don’t think there is anything wrong with donations or with making money – on the opposite, I would love seeing more add-on authors make money from their work. But I do think that there should still be limits.

  104. click170 · 2009-05-02 10:59 · #

    Coincidentally, I stopped applying NoScript updates a long time ago because of how it opened his freaking web page every time an update was released, and I really got the sense that he was releasing ‘updates’ weekly that didn’t have any measurable effect in browsing performance any more. I’m currently using 1.9.1.4, and after reading your blog post I’m looking for another script blocking plugin.
    Until I find a suitable alternative, I’ve made sure to investigate all of the preferences and I’ve made sure that ads on noscript’s site don’t load. Regardless of whether or not I intend to visit there ever again, and in case you’re wondering, I don’t.

    When a person starts writing malicious code, that person is a cracker. When you write good code that does what the documentation says, you’re a developer. When you have an app, and it works and people like it and you decide to turn that to your advantage by inserting code/properties into your app that YOU YOURSELF know the majority of users would object to (such that those alterations would be considered malicious by the community) you are not only a traitor to the community, you are below the Crackers in rank and respect. You had respect and you had followers and a community behind your app, and you chose to leverage it in an attempt at profit.
    Congratulations on making it onto BBC, I’m sure that will spike NoScript’s popularity. I’ll just have to make sure I do my best to inform everyone about how malicious you’re willing to be towards your own users just so that you can display some ads. For shame.

  105. Bologous · 2009-05-02 10:59 · #

    Thank you Wladimir for your investigations. I’ve deleted NoScript from my PC and have other people on Slashdot. Giorgio made a big mistake – you should never take advantage of someone’s trust particularly to do something it’s obvious they don’t want you to do (esp if they’ve installed AdBlock Plus!!!!)

  106. TTB · 2009-05-02 11:24 · #

    Wow what a well written post

  107. Security First · 2009-05-02 11:31 · #

    @94: “NoScript & Adblock are SECURITY plugins”. Ah for cryin’ out loud. Ad blockers are NOT security plugins! NoScript whitelists, ABP blacklists. Good security always starts with “deny all” and then whitelists as required. ABP is about suppressing annoyances, saving bandwidth, denying revenue, making political statements, et cetera, but when it happens to block malware it is almost certainly because you weren’t taking adequate security precautions and caught a lucky break. You are vastly more vulnerable running ABP without NoScript than you are running NoScript without ABP. If you don’t understand why then you’ve nothing to say on the subject of security.

    Again, give me an alternative better than NoScript and I’ll switch immediately. Ranting and yelling “boycott” while providing no alternative to replace the critical security component that NoScript provides is gross irresponsibility by those that should know better and sheer stupidity by those that don’t. I recognize that most of the ranters are nothing but ignorant teens that hop up and down pretty much on command, but what’s up with those few of you that understand security?

  108. Hurr · 2009-05-02 11:38 · #

    OH NOES INTERNET DRAMA

  109. Soupy007 · 2009-05-02 11:42 · #

    This is disappointing, but not completely unexpected. It certainly explains Giorgio’s mindless whoring of it on nearly every freshly opened security bug on b.m.o and elsewhere in the blogosphere. It’s not about serving users anymore, it’s about one person: Giorgio. That combined with this ploy is more than sufficient for me to uninstall it. When “security” software pushes an obfuscated blob of code (was this even reviewed before going live on AMO!?) whose sole purpose is to interfere with/disable features of completely unrelated software without stating intent or asking my permission for no reason other than the author’s gain; any trust which may have previously existed is thrown out the window.

    Everyone who develops software knows that finding a decent way to monetize a product without pissing off users or being falsely labeled as adware is a delicate balance – noscript however, completely deserves that and a much worse label: malware. Good riddance.

    Reply from Wladimir Palant:

    I think NoScript got excepted from AMO reviews like several other add-ons as well (e.g. Adblock Plus). The reason is that AMO review is a functional review, not a code review (AMO doesn’t have the resources for code reviews). And functional testing is already done with the development builds in case of NoScript.

  110. AMO Editor · 2009-05-02 11:43 · #

    wrt comment#103 and your reply…

    I should have done similar but only after communicating with the AMO admins. You have brought up an interesting and a very important topic. We had been waiting to see these issues and discuss the topic… the sad part is that day is today.

    By the way good post and good job with ABP.

  111. Paolo · 2009-05-02 11:48 · #

    I agree that NoScript made a big mistake and as a workaround I created a custom CSS with the Stylish extension to hide the ads on noscript pages:

    div#google {display:none !important}
    div#google2 {display:none !important}
    div#main {margin-right:0 !important}

    Luckily NoScript released version 1.9.2.6 which removes the controversial filter. If you check NoScript home page you can see that the author apologizes for what he did. I think we’ve got a happy ending.

  112. Ross · 2009-05-02 11:54 · #

    I’m keeping NoScript, but adding those 4 domains of theirs to my HOSTS file.

  113. burris · 2009-05-02 12:14 · #

    It’s tough for Wlad, the only people who use NoScript are ultranerdy paranoids and power users. The same people that use ABP. Maybe he should reconsider his business model.

  114. dwards · 2009-05-02 12:15 · #

    @ #107: Don’t worry, Security First. NoScript is here to stay on my machine (but of course as always, until something better arrives).
    What you’re talking about is just the vocal minority. They’re usually full of fanboys, uninformed people with a righteous sense of justice, and bandwagon hoppers.
    It is the silent majority that you should care about. Developers are doomed if they ever listen to those rowdy teens.

    @ Wladimir Palant : Wladimir, your blog post might not have been ill-willed. But you have misjudged your average user. They are not the most intelligent, not very reasonable, not always sympathizing, but they are very fond of your add-on and whatever you may say. Just have a quick look at what they’ve done. Endless resulting remarks at NoScript forum that they have to temporarily lock it until the add-on’s been updated, 1000+ clueless people boycotting on Reddit and telling their friends to do the same, even Slashdotters are jumping on the bandwagon. It has totally gone out of control, one might say.

    So you say you couldn’t just sit there and do nothing. You could’ve contacted the AMO editors and worked it out with Giorgio, or maybe in some different way and then make a quick post afterwards… But you had to make it all public like this. Even I feel bad for the guy. He had to push out an immediate update, and then, as that wasn’t enough for your users, another one that totally disabled the support filterset (which means no more ads ever). And even then more anonymous cowards, doomsayers would just come and continue spamming line after line of insult. Sorry, but IMO, you’re no better than Giorgio himself.

    This event has taught me more about blocking ads. Maybe in the next post, you could tell your users how to support their favorite sites and call your personal army off, saying that everything has been resolved, people should get back to using NoScript or something. But of course now it’s gone this far, someone has probably forked the add-on already.

    Reply from Wladimir Palant:

    Please see http://adblockplus.org/en/getting_started#disabling

    I have been observing questionable tactics from Giorgio for quite a while. He has been spreading FUD instead of informing users just for the sake of making his add-on more popular. He let no chance go by to make Firefox developers look bad just because they prioritize bug fixing and take their time to fix low risk issues (which Giorgio “fixes” first of course – never mind breaking the web). This time he clearly went too far however. And I am just informing people that this “security extension” cannot be trusted with your security. I didn’t quite expect the response this prompted – but I still think it is well-deserved. Somebody who develops security software should have a better understanding of ethics.

  115. Joe Fox · 2009-05-02 12:19 · #

    The real concern for me is that firefox still does not have a proper sandbox for extensions.

    It shouldn’t be possible for one extension to interfere with another without user consent.

    Unfortunately without a large rewrite of the framework, this just isn’t going to happen…..but it needs to happen.

    Reply from Wladimir Palant:

    The problem is that having a sandbox always means largely restricting what extensions can do. Add-ons like NoScript will most definitely no longer be possible.

  116. Jason · 2009-05-02 12:22 · #

    If they implemented a filter set system. That would bring Noscript back to my machine. I hated having to investigate every site for what scripts I need to allow.

    It would be really cool if They made (hypothetical) filter sets compatible with ABP.

  117. P. · 2009-05-02 12:38 · #

    @100: So if somebody steals from the store down the corner, gets caught and, having no other choice, decides to give the items back that weren’t his in the first place do you “move on” as well?

    No, you don’t. You call the police because laws are useless if not enforced. This isn’t much different. No criminal act here but it speaks volumes about NoScript’s author that he even tried to get away with this. And now he’s backing down under public pressure (probably a good idea because Google doesn’t take too kindly to people who generate false ad impressions).

    NoScript’s core functionality should be integrated into FF, the same ways tab handling is. It’s the same way with TMP/TBE/all the other tab extensions. They integrate nicely into FF, offer plenty of options for us power users and the average user doesn’t need to worry about them.

    Reply from Wladimir Palant:

    I agree with the last paragraph, I would like to see at least an extension implementing “NoScript’s core functionality”. The problem is that NoScript’s core functionality is not what NoScript is doing – instead NoScript is a huge conglomerate of various hacks, most of which users don’t know about (and don’t even want to have).

  118. J · 2009-05-02 12:49 · #

    So, is there another extension that matches NoScript’s capabilities? I don’t want to use it after the author has shown a complete misuse of his user’s trust.

    Reply from Wladimir Palant:

    From what I know, YesScript is the closest thing. But I guess it could use some improving to become a real alternative.

  119. dwards · 2009-05-02 12:51 · #

    The ignorant just keep coming I see.
    Perhaps the next person will complain the logo sucks. Oh wait, they’ve ALREADY done that.
    Please, if you’re thinking of adding your own wise words, why not read ALL the above comments, then head to NoScript forum to understand the situation a little more instead. Chances are there are already 50 similar idiots with the same idea already.
    Or perhaps the more the merrier? I need my Kool-Aid.
    It is over people.

  120. giantslor · 2009-05-02 13:03 · #

    NoScript is garbage and people should dump it. JavaScript is becoming more and more integral to the web. Installing NoScript breaks just about every website in some way. It’s inevitable that you’ll have to whitelist a particular site. What’s the point? Even if a site has a javascript exploit, I bet most people would just whitelist it because it’s broken.

  121. FutureAxeMurderer · 2009-05-02 13:12 · #

    This has been put up on Reddit. Someone should see about getting it plastered over at SlashBot/Digg/etc. etc.

    I’m uninstalling No-Script myself. #5 is right. Once trust has been lost it can’t be re-gained. Un-trustworthy practices show their true motives. I won’t ever use this plug-in again.

  122. unsigned code · 2009-05-02 13:14 · #

    @32

    honeypot urls, like you mentioned, are not very effective.

    blocking firefox is stupid (not to say useless, since it’s trivial to change the useragent string).

    serving ads from your site may work if they are not overly annoying (people don’t even notice them).

    encoding images into the html/js itself is inefficient and borderline assholeish (..and people wonder why others still use noscript).

    asking people to whitelist you seems to be the more sensible/less dickish approach.

    @23 you’re a “web developer”? seriously? then you surely know that this escalation/arms race between advertisers and users will simply result in your loss. you see, the computer is mine, so i choose what to run/display in it. if you don’t want people to look at your site, don’t allow public access and charge a fee for access; if, on the other hand, you prefer to act all self-righteous and pricky, don’t be surprised when some of your users start acting like you.

  123. Daffyd K Jones · 2009-05-02 13:15 · #

    dwards – how was this Wladimir’s ‘personal army?’

    Nowhere in his blog posting was there a call to action. He didn’t ask anyone to boycott NoScript, to post on their forums, or to complain on slashdot or reddit.

    Us readers have our own free will, you know. If we want to complain about one of our trusted extensions deliberately interfering with another of our trusted extensions then we will, it’s not Wladimir’s doing

  124. Lukas Beeler · 2009-05-02 13:20 · #

    Thanks for the heads-up.

    I’ve uninstalled NoScript on both of my computers because of this post.

  125. Glam · 2009-05-02 13:34 · #

    I cannot agree here.. NoScript developer gives other explanations and examples.. who should we believe (I’ve summed the links here http://bozhobg.wordpress.com/2009/05/02/noscript-and-adblock-plus-two-sides-to-every-story/ )

    Reply from Wladimir Palant:

    “Good luck to those in not getting infected” – so you believe the FUD NoScript is spreading. Good luck then, getting along on the Internet without knowing what the real risks are.

    I don’t really care whether Giorgio wants to fight EasyList (or more correctly – his users’ choice) on his websites – it would be his (poor) choice, he wouldn’t be the first one. But he used his position as the developer of a popular extension, particularly of an extension supposed to protect users. That’s the line he shouldn’t have crossed.

  126. markus · 2009-05-02 13:44 · #

    I don’t want to discuss who is wrong or who is right.

    All I know is that I am using Adblock Plus since a long time and I am happy about it. I never used NoScript, and I don’t really care what it does.

    But I want to make ONE comment, about preferences – I am a “smart” user running Linux since 6 years, 99% compiled from source here.

    But, I simply am too lazy to make manual changes to preferences of any kind. I think things should work out of the box, and the user should not need to change anything. :)

    Hope that explains my attitude towards those things.
    Of course I do change options in applications here or there, but this is always work which I try to avoid.

  127. Intentionally Anonymous · 2009-05-02 13:50 · #

    I work in the food service industry, and one of the things we’re taught there to remind us to keep customers happy is this:

    It takes 10 outstanding experiences to make up for 1 bad one.

    Better get working, Giorgio.

  128. dwards · 2009-05-02 14:11 · #

    @ #126: Sure we don’t have people on the internet claiming to be intelligent that often.
    Or do we? Go to NoScript forum and see for yourselves.
    No hard feelings, just pretty amusing.

  129. Joe · 2009-05-02 14:20 · #

    It’s quite funny to hear about “security” in the context of NoScript.

    NoScript has always been a usability nightmare.
    Unusable software can not give “additional” security.

  130. mithra · 2009-05-02 14:36 · #

    I’ve been annoyed by the unreasonably high number of noscript updates. Now this story explains why and a lot more.

    Enough’s enough. Flush…

    Be interesting (and amazing) to see noscript recover from what has to be a pr disaster, and if not, who/what will fill the gap.

  131. Another Giergio · 2009-05-02 14:41 · #

    More important than this petty squabble between two add-on authors, how did a malware-like (yes, if it was obfuscated, and did not inform the user it was malware-like) add-on pass the review process? Does Firefox allow anyone to do anything with the add-ons? Hmmmm..maybe it is time to give Chrome a try.

  132. HelenG · 2009-05-02 14:59 · #

    Thank you for the heads up Wladimir, unfortunately I only found out last night when I was checking my ABP filters then a few minutes ago when NS updated and saw apologies did I realize what was going on!

    I’m quite annoyed so I am sticking with ABP only (like I did when I first used Fx) and NS has been given the boot. I’ve had to delete the profile too as it will not get out of the config.

    Thanks Wladimir and the ABP team.

  133. WHAT · 2009-05-02 15:06 · #

    > Recently I wrote about how not giving extension developers a good way to earn money might lead to very undesirable effects.

    WHAT!?!?!?!?!??!

    Who is supposed to give you this way to earn money?

    WHAT?

    Do you realise how little sense you are making?

  134. Bernhard Schulte · 2009-05-02 15:44 · #

    Thanks, I’ll stay with NoScript. The roundtrip to their site after updates has the beneficial side-effect that you notice when add-ons-mozilla has pushed you an outdated version.

  135. steve · 2009-05-02 16:11 · #

    I’ll stick with NoScript thanks. The infighting between NS and ABP should be treated as dead now. I do use ABP too but only as backup to AdMuncher a superior adblocker overall that filters any browser I care to use (but not HTTPS).

  136. GrailKnight · 2009-05-02 16:30 · #

    Thank you for all of the information Wladimir.

    I am sticking with Noscript as well.

    Giorgio is not nor will be the last developer to make a bad decision based on good intentions. All sides learn from their mistakes or fail. Only time will tell.

    GK

  137. Dave · 2009-05-02 16:34 · #

    Between CS Lite and NoScript, I feel MUCH safer surfing the web. I am happy to put up with their minor annoyances in order to partake in these products. However, NoScript stepped over the line with their attack on ABP in that they violated our trust. I surely wish I could take back my donation.

  138. Glam · 2009-05-02 16:38 · #

    @Wladimir

    I am in the IT business for some time already and I have a good clue of threats and security. The principle of NoScript is what seems great to me, not some marketing slogans.

    And I support what “Security first” wrote – let the teens uninstall whatever they want.

    Reply from Wladimir Palant:

    I didn’t tell anybody to uninstall NoScript. There are some features in there that do indeed help security (most of them are worthless still). However, I do think that you have to be very careful about what you do with users’ trust – especially if they trust you with their security.

  139. Laurens Holst · 2009-05-02 16:47 · #

    Scandalous. And this for an extension we are supposed to trust.

    This also puts his blog posts on Planet Mozilla (I guess I should call them advertisements from now on) in a different light. Spreading FUD to get people to buy in to his extension, and earn him more money.

  140. Nextnx · 2009-05-02 17:06 · #

    /Uninstall NoScript
    EOD

    The Author and/or devs have proven to be rotten (see op). Furthermore they are in a position to do this again even though in a smaller degree. The mass of ppl ignoring this might trigger the author to still seek and push this gray area, in limit of mass ignorance.
    So frankly I do not trust them to even improve.

    What I would like to see, is the community to take NoScript and strip, rebuild and release a public safe extension of NoScript.

    I do thank Wladimir Palant (and co?) for bringing this matter to light.

  141. Nan M · 2009-05-02 17:15 · #

    All the NS settings interpreted by Wladimir as corruption are as easily interpreted as support behaviours:
    Firstly: The direct to the changelog page has been so since NS started up, and embedding the log in the developer’s full info page is standard practise across most well supported extensions. All developers want to show their stuff off – either for praise or for donations. I don’t like the implication (intended or not) by Wladimir that this has been somehow always intended for ad revenue in particular.

    Secondly: NS is primarily a security app. And as such any responsible developer will respond to changes in the security environment as promptly as possible. For NS, this means a new version, not a simple definitions update as in client firewall apps.
    The NS developer has, in my 3 years of using NS, always issued a revision in response to any security or usability problem; remember that much of plain web use is on the worst of malware’s playing fields – viz web2 social sites and webmail sites – and a plain user in difficulty with twitter, facebook, yahoo would have drifted away from the user base if their fixes weren’t delivered quickly. Support for security has to be instantaneous.
    The point here is that new versions are indeed coming rapidly these days, but this is a function of the explosion in the user base – and consequent bug reports – and interpreting it as a venal grab for income is disingenuous; a couple of years ago I would have seen an update maybe once a month. Smaller user base, fewer bugs reported, fewer updates. Occam’s Razor should be applied unless Wladimir has other evidence.

    Thirdly: for the default whitelist: Here’s a philosophical question:
    NS is based on trust. The user who installs the extension has made the decision to trust NS. The developer has added a default set to the whitelist that flags his interpretation of what sites can be trusted by the novice user.
    What message is the user getting if the NS site is not one to trust by default?

    I smell an agenda in this campaign by Wladimir and so I have no trust that the argument as presented by this blog post is a full and transparent exposure of both sides of the issue.
    I look forward to Wladimir posting otherwise.

    In the meantime, NS for Fx and no thanks to Giorgio Maone appears to be the agenda.
    I think it’s inevitable that NS becomes a core function of Fx.
    But I wonder how much we long-time NS users will miss the rapid and generous response to bugs that Maone has provided all along.

    Reply from Wladimir Palant:

    Sorry, you are ignoring some facts. The changelog page is one of the major complaint points about NoScript. I have seen lots of complaints about it in Adblock Plus discussions. I don’t visit NoScript forums but I bet that this is one of the most common complaints there. NoScript has options for just about everything, so why do you have to dig into about:config for this one?

    Further: the idea behind security apps should always be “trust nobody.” That’s something that Giorgio has been telling himself often enough. Obviously, the whitelist should be as small as possible to keep users safe. Sure, Giorgio might have made the mistake of thinking that his own sites are guaranteed to be safe. But after I found an XSS vulnerability there and proved that he is putting users at risk — why did his sites stay on the whitelist? Is he that sure that he won’t make a mistake again? Or that his XSS protection is infallible? And that all even though his sites don’t even use JavaScript at all – except for ads of course.

    The security playing field changes often – but not that often. Occasionally you need an emergency release. Most often that’s unnecessary and your changes can wait until more of them came together. Too frequent releases are another major NoScript annoyance – I’ve seen that in discussions many times before and you will see many people acknowledging this in the comments to this blog post. Given that, it is hard to understand why they still happen (releasing more often while keeping same quality requires additional effort from the developer, that’s not something anybody would do without a reason).

    You also ignored the most important fact: NoScript did include code to cripple Adblock Plus. You can download version 1.9.2 and look at MRD.js yourself (see comment 17 about de-obfuscating that file). Have a look at the changelog and try to find that change there. You can also see in the NoScript forum how Giorgio tried to cover up. That is what I am so upset about – is that what you expect from your security app?

    Agenda? You must be joking. I wanted to go public with all that when I first saw this malware code of his. I mean, did he really think that he can get away with this? But instead I kept the discussion in a private EasyList forum, mailed Giorgio and waited patiently for his next release. I’ve seen however that he doesn’t feel being wrong on this. And that he doesn’t intend to respect users’ choice (or at least ask them for permission before changing their preferences). And even then it was still a tough choice.

  142. EdmundGerber · 2009-05-02 18:27 · #

    I’ll stick with noscript as well.

    I’ve been an admuncher user since forever, so never needed to mess with adblock.

    However, blocking ads is a nice trick, but noscript is a very important extension from a security point of view. Good luck to all you FF users that choose to drop it for a very stupid reason. I’m sure botnets everywhere will be swelling with your numbers shortly. ;)

    All because two guys on the internet got into a pissing match, and you all choose sides.

  143. Steve D · 2009-05-02 18:35 · #

    Where do creative types get the idea that they can do something and live off it indefinitely? Write your code, sell it for the hours you put in, then do something else to earn more money. If you can’t make enough money that way, get a regular job and write software for a hobby or a part time job.

  144. Johnny f*g know it all · 2009-05-02 18:49 · #

    > Thirdly: for the default whitelist: Here’s a philosophical question:
    > NS is based on trust. The user who installs the extension has made
    > the decision to trust NS. The developer has added a default set to
    > the whitelist that flags his interpretation of what sites can be
    > trusted by the novice user.
    > What message is the user getting if the NS site is not one to
    > trust by default?

    ABP has nothing to do with trusting sites, it’s about not seeing ads (even on trusted sites).

    No-one objects to NS whitelisting its own sites as trustable within NS which is what your “philosophical” question implies. That’s not the issue.

  145. PeterSP · 2009-05-02 19:00 · #

    Wladimir questioned Noscript’s default whitelisting of noscript.net (and google adsense? For some reason, I don’t recall that being in the default whitelist when I installed noscript) in Noscript, saying it exposed users to XSS. He further implied that since clearly this was done in order to make noscript.net’s ads work by default, this was improper behavior.

  146. SP · 2009-05-02 19:23 · #

    I was wondering why some ads mysteriously started reappearing a while ago…

    It appears NoScript developers are just as bad as any other malware developers.

    Also, I’ve never had a problem before installing NoScript, and I don’t see why I should have any after uninstalling.

    What kind of sites do you NoScript advocates browse, anyway? Probably something you ought not be browsing to begin with.

    Peace.

  147. Anonymous Coward · 2009-05-02 19:28 · #

    What Mozilla needs to do is technologically enforce its AMO policy. Suggestions:

    1. A strong Javascript sandbox.
    2. Why on earth do extensions have such raw power in Firefox? We need a strong add-ons sandbox too.

  148. PeterSP · 2009-05-02 19:41 · #

    > What kind of sites do you NoScript advocates
    > browse, anyway? Probably something you ought
    > not be browsing to begin with.

    @146

    What? I simply don’t care to execute arbitrary javascript/flash/whatever on sites I haven’t visited before and don’t trust yet. If I followed your philosophy I suppose I would stick to a handful of sites I know and never follow any link outside that handful?

  149. SP · 2009-05-02 19:49 · #

    @148

    I figured someone would take the bait.

  150. Toe · 2009-05-02 20:08 · #

    Sigh…

    Giorgio can ‘fix’ his code, but fixing this breach of trust is another matter. Uninstalled.

    @ #103 AMO Editor & #114 dwards: Wladimir didn’t ‘make the issue public’, it’s been public on NoScript’s forum for over a week.

  151. XP · 2009-05-02 20:09 · #

    It’s time for a NoScript Fork!

  152. Breco Pol · 2009-05-02 20:11 · #

    Wladimir, your AdBlock+ is so indispensable in order to make “the Web” working. NoScript definitely overstepped the thick line by fiddling around with other extensions. NoScript destroyed credibility — not only its own but there is also the danger that this incident hampers the existing extension ecosystem.

  153. thejynxed · 2009-05-02 20:14 · #

    I have been using both extensions for years. That being said:

    1) The author of NoScript should respect the authors of other extensions enough not to mess with their extensions, or the functionality thereof to the detriment of the security of the users of those extensions.

    2) The author of AdBlock+ should seriously reconsider allowing other extensions not authored by him or other individuals explicitly authorized by him to directly interact with any AdBlock+ functionality (Chiefly: addition/subtraction/modification). Example: Subscription filtersets should not be allowed to be tampered with externally at all.

    Who is to say some malicious individual or group will not program something to copy say the EasyList, modify it to unblock specific malicious ads/sites (and change the update URL) and enable it in AdBlock+ over the “correct” EasyList if this is allowed to continue?

    Reply from Wladimir Palant:

    As I said several times above already – an extension that is installed in your browser can already do anything. There are countless ways in which it can manipulate other extensions (like simply uninstalling them) and there is very little you can do to prevent that. Which is why it says “don’t install from sources you don’t trust” when you install an extension. The “official” way of changing Adblock Plus preferences is only there to make sure that the extensions that should be doing that do it in an ordered way that won’t break anything.

  154. HelenG · 2009-05-02 20:15 · #

    Now I’ve calmed down and assessed the situation poster #136 makes a point. See I love ABP the best then I like NoScript 2nd and happily do / did / will again surf with just those 2 extensions, it would be nice if Giorgio would work with ABP, as in teamwork not merging. I know it’s not your fault Wladimir. God bless you.

    PS. To the big mouths on here who are playing “top dog” and throwing insults because their IQ is bigger than “the whole wide world” yes that is to you calling those of us sticking up for ABP i.e. #70 – not all free software users are thick and arrogant, I might not be the brightest crayon in the box but at least I’m not an arrogant thwait and people passionate about ABP are sticking up for it (same way as you are with your ego) – why would you call them? I’ve not been to AMO to complain and certainly not /. – others here have said “hey I don’t agree but…” and tried to calm the situation yet you have insulted all. I’m not even going to repeat what “Freud thought about persons like you…” We still have freedom of speech right now and if people want to sound off about it they can, yes it needs to be calmed down but hey we’re just humans that get p-worded off.

  155. egal · 2009-05-02 20:22 · #

    kindergarten!

    Reply from Wladimir Palant:

    I couldn't agree more. I still cannot believe I had to write that blog post.

  156. Ned · 2009-05-02 20:46 · #

    > What kind of sites do you NoScript advocates
    > browse, anyway? Probably something you ought
    > not be browsing to begin with.

    Well aren’t you high and mighty!
    Pull that stick out, get out for some fun, man.
    Life is short.

  157. Breco Pol · 2009-05-02 20:54 · #

    #153 wrote:
    > 2) The author of AdBlock+ should seriously reconsider allowing other
    > extensions not authored by him or other individuals explicitly
    > authorized by him to directly interact with any AdBlock+
    > functionality (Chiefly: addition/subtraction/modification).

    My personal opinion here is that I simply do not want any other extension to mess around with AdBlock+ or any other extension. The subscriptions as well as their exact content is nothing another extension has to worry about. No way around this. Am I in control here or any arbitrary add-on developer?

  158. me@here.com · 2009-05-02 21:10 · #

    Thanx for spreading the word.
    I just uninstalled Noscript as I no longer consider it trustworthy. If anyone knows a good alternative please tell.

    BTW: I just found out that my firewall webfilter can do the job for now…

  159. nicozite · 2009-05-02 21:32 · #

    Before my sense of justice kicks in, I’m reminded of the fact that, like lots of others, I’m just having information spoon-fed to me. Reading the forums didn’t really help. So I can’t get all high and mighty and say who’s wrong. However:

    “Big thanks to everybody who made that happen!”
    I think you understand what most of them were doing. I also think you’re encouraging that sort of behavior ( e.g. boycotting NoScript, uninstalling it, ‘spreading the words’, making defamatory posts full of profanities…)
    And you also claim that most of the add-on is worthless, too. But of course, you didn’t tell anyone to uninstall it, right? It’s amazing how quickly you instill doubt in me, despite NoScript modifying your add-on.

    But I guess it’s all over now. Good luck to everyone who was actually using NoScript effectively, up to this day. You’ll need it. The rest, I don’t really care. But wait, the add-on is worthless, isn’t it?
    @ #150: public? Haha oh wow. Being covered on Slashdot, Reddit… That’s what I call public.

  160. Anonymous · 2009-05-02 21:40 · #

    This just goes to show that in any “business”, customers are the determining factor in the success of the business. Lose focus on the customers, and you’ll lose business.

    1.9.2.6 is a nice gesture and all, but to me, it’ll take a lot more than that. His updates need to be more transparent, with CLEAR reasons behind every update to show that they are necessary, not just updates to boost up revenue.

    He mentioned that he’s surprised how we missed “the information about it given on the AMO install page, on this site’s install page, on this very release note page and in the FAQ”. Most of us update NoScript when Firefox prompts us to, which means most users don’t bother going to one of the above three pages. He took an “opt-out” approach instead of “opt-in”, meaning that he took the same approach that malware authors take.

    What he’s done is undermine the trust we have in Firefox add-ons. I don’t have the time to go through every add-on, so now it’s an act of blind faith almost.

    I’m glad (most) of the debacle is over though. However, I can no longer recommend NoScript unless there’s more transparency regarding updates.

  161. anonymous · 2009-05-02 22:21 · #

    Wladimir = cry baby. Boohoo you broke my toy. Go find another sandbox to play in you whiny little child.

  162. david · 2009-05-02 23:04 · #

    I uninstalled noscript when I first heard of giorgio’s tactics. I recommend everyone to do the same if they value their privacy.

  163. johnmurdoch · 2009-05-03 00:07 · #

    Giorgio is a good actor lol:

    http://forums.informaction.com/viewtopic.php?f=7&t=877&start=15

  164. Ken Saunders · 2009-05-03 00:17 · #

    I’d like to see how the developer of NoScript has responded to this publicly so please post a link (or several). You would not have put your name, reputation, and credibility on the line by addressing and posting this if you weren’t 100% sure that you are correct about the facts that you stated here, and I trust the feedback from your supporters so I’ve already decided what I believe and that is this post, but just to be fair and also out of curiosity, I want to hear what Giorgio has to say.

    What has happened here is actually a great thing because the outcome will or at least should set a precedent and policies for how extension developers can and cannot solicit funds and target Firefox (and other Mozilla products) users with ads, and how their extensions are allowed to interact with other ones.

    I strongly encourage those who have taken the time to voice their opinions here and in the NoScript reviews on AMO to continue this discussion until there are reasonable solutions and new policies put into place.

    It’s one thing for a handful of developers (even if they have the most popular and downloaded extensions) to try and get major and new policies written and it’s another and far more effective one to have Firefox users ask for or demand changes. Mozilla will listen to their consumers which far outweighs the number of developers and they of course are the ones sustaining Mozilla’s products.
    Perhaps Wladimir could contact Nick Nguyen or Justin Scott to get a discussion going on the Mozilla Add-ons blog.

    In any event, don’t become complacent or this issue will arise again and perhaps with another one of your favorite add-ons. And you won’t just be helping yourself out, you’ll be contributing to the betterment of the add-ons ecosystem and community and the user experience for your friends, family, and other Mozilla’s product users.

    For the record, I used NoScript for a while but no longer do. I’ve used Adblock Plus a few times on and off over the years but I currently do not. I have a great interest in marketing especially in browser marketing so I need to see the 8,000 Chrome and IE8 ads that appear on web pages daily to know what’s going on. But I fully support Adblock Plus because I support a person’s choice to view and interact with the Internet in any way that they’d like or need, and because it attracts new Firefox users ( ;) ).
    I’m also a strong advocate for add-on developers and so I have no problems at all with them trying to make some money considering the amount of time and effort that it takes to develop an add-on as long as it is done tastefully, unobtrusively, honestly, and without interfering with a user’s Firefox (or other Mozilla products) experience. A link or suggestive make a donation button is cool, and post as much crap on your web pages as you’d like, but leave it out of Firefox.

    I’d be greatly disappointed to see all of the time and passion invested here go to waste so take advantage of this opportunity to contribute and give back to Mozilla for all that you get out of Firefox by making its strongest asset (add-ons) even better by participating in ways to make a difference.

    Reply from Wladimir Palant:

    Unfortunately, I didn’t see anything resembling an official statement yet. See for example http://forums.informaction.com/viewtopic.php?f=8&t=1081 – Giorgio keeps sending people to the thread where he blames everything on EasyList. Now I don’t even want to start discussing on whether EasyList was right or wrong blocking ads on his sites or who should be blamed for the false positives resulting from this cat and mouse game – because it really doesn’t matter the least here.

    I have been contacted by Justin Scott and Nick Nguyen already – and yes, I also want to keep this discussion going. I expected issues like this one to come up (as mentioned in my previous blog post), I just didn’t expect it to happen that soon and that bad. AMO really needs to set limits (see also the “Lee Lorenzen” comment above for another example).

  165. bluh · 2009-05-03 00:23 · #

    Really, who gives a rat’s ass. Extensions like NoScript are needed because ignorant fools use crap OSs like Windows.

    Aside from that, Mozilla already HAS a builtin functionality to disable javascript, as someone noted here. Just enable it, you don’t need an extension for that.

    Also, just gotta love all those website owners whining and calling people who use ABP “thieves”. As if someone should ever decide what content gets injected into my mind other than me. The OTHER way (without ABP) is the wrong one. If your site cannot live without spamming the crap out of me, just shut it down and rid the world of your greedy existence.

  166. Security First · 2009-05-03 00:36 · #

    Wladimir, in your reply to #125, you say:

    ‘“Good luck to those in not getting infected” – so you believe the FUD NoScript is spreading. Good luck then, getting along on the Internet without knowing what the real risks are’.

    That clarifies things for me somewhat. It’s clear the kids following your lead don’t have a clue about security, but I just wasn’t sure whether you were wilfully ignoring the security implications of running without a scripting whitelisting solution like NoScript or whether you simply don’t understand good security practices. It turns out to be the latter. Go on then, tell us all “what the real risks are”. While you’re at it, explain to the kids what percentage of drive-by browser exploits work when JavaScript, Java, and Flash are disabled. The NoScript author was definitely wrong to do some of the things he did, but so are you. You’ve shovelled far more FUD than the NoScript author has. More importantly, you’ve done great damage to the browser security of your sheep-like followers and therefore indirectly to the rest of us too. The NoScript author’s tactics were wrong, but yours are actually dangerous and unlike him you’re still at it. The reason NoScript has long been a very highly regarded and highly recommended extension is because of the well-understood and huge improvement it makes to browser safety, not because of who the author is or how he tries to monetize it. You demonstrate no knowledge of the subject and certainly have no credentials to suggest that anyone should take your evaluation of NoScript security seriously. A large crowd of sheep willing to chant “uninstall” whenever you raise your arms is intoxicating but it doesn’t make you right. You are doing great harm. Please stop now.

  167. CCCP · 2009-05-03 00:36 · #

    anyway it is the beginning of the end for noscript

  168. CCCP · 2009-05-03 00:46 · #

    https://addons.mozilla.org/fr/firefox/reviews/display/722

  169. henrik · 2009-05-03 00:47 · #

    @161

    161 = Giorgio ?

    Reply from Wladimir Palant:

    Please don’t accuse people. I know Giorgio well enough to know that he wouldn’t post anonymously (especially not in such a childish manner). He is a nice guy, just misguided.

  170. dust · 2009-05-03 00:58 · #

    please can you add a functionality in adblockplus that blocks anything from a 3rd website?

    for example: if i surf at adblockplus it blocks all from other websites. if i want i can allow a specific address in “open blockable items” or whitelist it in the preferences.

    this would be a GREAT help! :)

    about what happened:
    the problem is firefox itself, it lacks a lot of functionality for power users. its nice for beginners but if you get used to the web you want more and get higher needs. functionality like abp, ns, flashgot, downthemall, styles and several others should be standard IN the browser and not an extra feature.

    the other problem is the outdated security model or the lack of it. one tab can block the whole browser is only one result everyone mentions more or less often, even on new and quick pc. that one plugin can do anything with other plugins is another problem.

    the future? we need a new browser. maybe a forked google browser? or a really improved firefox which focus on the roots of improving the code and not the version numbers.

    thanks for all your work wladimir! :)

  171. Matt McCutchen · 2009-05-03 01:05 · #

    Giorgio has apologized for the obfuscated code. As far as I am concerned, the matter is now closed and each of us can decide how he/she prefers to secure his/her browser. Firefox is intended to be secure out of the box, and vulnerabilities in it are fixed quickly; I personally have never been bitten by one. NoScript is an excellent defense in depth, but short of a necessity.

  172. M.Corp · 2009-05-03 01:07 · #

    While I fully agree with everything Wladimir has said, there is one key point that everyone is missing:

    NoScript is a USELESS addon. It was great for Firefox 1, but not 2 and certainly not 3! With all FF 3’s security features, there is simply no need for it!

    There are many other ways malicious code can be injected. Javascript is needed on loads of websites, and should not be disabled.

  173. Ghost Hacking · 2009-05-03 02:08 · #

    Indeed, the only reason to use noscript would be to block pop ups that come from “mouse over” javascript feature, other than that it’s pretty useless.

    Anyway, if i was desperate at the point of using that “adware done “ I would use the old versions.

    regards

  174. Si · 2009-05-03 02:49 · #

    Modifying someone else’s plugin is crossing the line in my book. Not in the slightest bit ethical.

    I’ve removed NoScript from all my machines. Just can’t trust they will do something else.

  175. Gray · 2009-05-03 04:01 · #

    Let me recapitulate this: Because of your antipathy against advertising in the internets, you don’t like that the Noscript creator runs ads on his website to make some money. Especially you don’t like the default whitelist entries of NoScript – which isn’t really your business, but a point any advanced user can easily correct, right? So, instead of simply advising people not to use NoScript (which would be quite dumb, since its much more important than Adblock) or of forking NoScript (its GPL, after all), you chose to deliberately block that guy’s revenue. But now, you are totally flabbergasted that he retaliated in kind, and used his program to block your blocker.

    Well, that’s really an interesting way to behave. Don’t you think the way you reacted just because another programmer didn’t adjust his own program to your wishes is a bit, hmm, let’s say, passive aggressive? And don’t say he did the same. You started this simply because you didn’t want him to make a bit of money with his ads. Pathetic.

  176. Xepol · 2009-05-03 04:14 · #

    Sounds like your best solution to end the war is simply to reproduce the desirable functionality of NoScript into your AdBlocker so people do not have to run them in concert.

    Sounds kinda like the IE vs Netscape days really.

  177. Napier · 2009-05-03 04:23 · #

    This is much ado about nothing. I’ll continue using both Adblock and NoScript.

  178. nix · 2009-05-03 04:35 · #

    How about forking noscript? Just a thought, please…

  179. BigMKnows · 2009-05-03 04:38 · #

    It’s interesting. In his zeal to make money at any cost, the NoScript author may have just destroyed his business.

  180. yo · 2009-05-03 04:47 · #

    i agree merge those products to create a super AI =)

  181. mr.roboto · 2009-05-03 04:56 · #

    we need addons developed by robots and AI who can always remain neutral and effective !!!

  182. settnfires@hotmail.com · 2009-05-03 05:26 · #

    “Your addon being the most popular addons has a huge fan-following. By making the issue public in this manner, you’ve attacked NoScript with all your fan-following. Could it have been better to report this issue to AMO Editors or AMO Admins?” – AMO Editor

    what the hell? attacked noscript? wasnt it noscript that attacked adblockplus first? and how about saying “exposed noscript”? could it have been better to NOT expose noscript doing this stuff? OF COURSE NOT!

    i m GLAD u exposed this, wladimir. it was necessary to let the public know whats going on. shame on u amo editor for even implying it maybe would have been better to keep this behind closed doors.

    THANK YOU, WLADIMIR!

  183. BigMKnows · 2009-05-03 05:56 · #

    @35 “Someone needs to figure out a way to build an app store for Firefox…”

    That’s a good idea. I personally wouldn’t mind paying $1/yr or something for my favorite extensions. With many extensions getting hundreds of thousands or millions of downloads a year, there’s plenty of money to be made there.

  184. iwo · 2009-05-03 06:11 · #

    Let us users know and should give us a choice
    if any other time ABP would do something for your financial balance just BEFORE you really do it.

    In this way there maybe 100 times better than an after-all nonsense noscript explain.

  185. Synergy · 2009-05-03 06:22 · #

    I’ve got to say, I stopped using NoScript in favor of ABP some time ago simply because of the incredibly frequent updates. You mention once a week, this was nearly every other day. In any event, this most recent news is just further proof that I made the right decision. ABP blocks nearly all ads and does so without harassing me in any way.

  186. SomeGuy · 2009-05-03 06:42 · #

    I noticed this piece of code in the main NoScript page. It sits under a button that asks if your PC is running slow. I can’t seem to block it AB and NS won’t allow me to restrict the script from running. Any help would be appreciated.

    [script type="text/javascript"]
    Vertical1236922 = false;
    ShowAdHereBanner1236922 = true;
    RepeatAll1236922 = false;
    NoFollowAll1236922 = false;
    BannerStyles1236922 = new Array( "a{display:block;font-size:11px;color:#ccc;font-family:verdana,sans-serif;margin:0 4px 10px 0;text-align:center;text-decoration:none;overflow:hidden;}", "img{border:0;clear:right;}", "a.adhere{color:#888;font-weight:bold;font-size:12px;border:1px solid #ccc;background:#f7f7f7;text-align:center;}", "a.adhere:hover{border:1px solid #999;background:#eee;color:#666;}"
    );

    document.write(unescape("%3Cscript src='" + document.location.protocol + "//s3.buysellads.com/1236922/1236922.js?v=" + Date.parse(new Date()) + "' type='text/javascript'%3E%3C/script%3E"));
    [/script]

    Note: Changed the <> to [] in case it tries to code itself to my post.

  187. Mr. Add-on Developer · 2009-05-03 06:53 · #

    A follow-up to my previous comment. Here’s the mail I received from Lee Lorenzen, with my personal information removed.

    We need more legit ways to make money with Firefox add-ons, not more methods like this. Developers not making much money must be very tempted by his offers.

    Dear XXX,

    Congratulations on your success with your add-on name. ____ downloads and ____ daily active users is a HUGE accomplishment. A product like yours is clearly a labor of love and it benefits a great many people. It is our team at KallOut’s goal to one day reach a similar level of success on Firefox with our KallOut Accelerators for Firefox “selection-based search” product.

    I’m Lee Lorenzen, CEO of Altura Ventures (see www.altura.com/managment.php ) and we work with a number of software companies (see www.altura.com/portfolio.php ). Some of these companies are just launching Firefox Add-ons like KallOut.com (see https://addons.mozilla.org/en-US/firefox/addon/10722 ) and some are more established.

    I’d like to discuss the possibility of advertising KallOut as part of your add-on name (e.g. on a post-install welcome page as a “We Also Recommend” suggested Add-on) and also partnering with you in other ways (e.g., add-on monetization techniques that aren’t adware or spyware, advertising representation, acquisition of our Firefox add-on, etc.).

    To discuss this, please e-mail me at (email removed) or give me a call at (phone number removed)

    Thanks,
    Lee Lorenzen
    CEO, Altura Ventures

  188. Yama · 2009-05-03 07:06 · #

    Now, I uninstalled NoScript and I decided to use only Adblock Plus.
    Maybe most of users will support you. From Japan.

  189. Satate · 2009-05-03 07:46 · #

    ADP+ = not security software
    NS = broken\useless\pointless security software

    ADP+ is blacklist by design, which means you shouldn’t consider it for security use regardless of its purpose

    NS fails because it breaks everything. to use the web you must allow scripts. would you use a firewall if it had two modes, on with no Internet and off? granted NS doesn’t work like that, but you can only allow or block whole scripts not parts of a script and even if you could how would you know when to. which brings up the following point, when you allow scripts with NS you don’t know if the script is safe, the best you would likely know is that it is necessary for the website to work. after all it’s trivially easy to make a script that is necessary for a website to work and for it to be malicious. one point still remains, many high risk bugs, eg the kinds that can be used to take over a PC, generally can’t be stopped with a JavaScript plugin, eg buffer overflows and other exotic bugs that operate on a different level that JavaScript can’t access.

  190. Television Spy · 2009-05-03 08:20 · #

    Well they have to make money somehow, unfortunately Adblock encourages sloppy usage and poor responsibility. People use it as a means to block out all ads rather than just the ones that annoy them.

    Without a doubt I think it is hurting legitimate sites that people find of use and value by depriving them of income or rewards for their work. On the other hand I do believe adblock is a great tool for users and is necessary in thwarting the many annoyances that some webmasters put their visitors through.

    A happy medium is necessary, and unfortunately Adblock currently has higher or stricter settings for adblocking which often aren’t delved into too much by users. If adblock had a more lax setting in terms of the sites it blocks, while still allowing users to tighten up the settings to something more encompassing – it would allow users who are inclined to block all ads to do so, while still allowing websites to show their ads and turn a profit. I think that’s a much better solution, and will prevent more ‘eager’ developers from doing things like this in the future. I can’t say that I support Noscript developers but I can certainly understand the frame of mind they have by doing this, but again they shouldn’t have done it – and not at least notified their users of it.

  191. Gregory Gleason · 2009-05-03 08:43 · #

    It looks like the most recent update has removed the controversial filterset with ‘no questions asked.’ I’d be interested to see whose decision this was. Nonetheless, I’m glad to see that they see the errors of their ways.

  192. Nan M · 2009-05-03 10:14 · #

    Hi Wladimir, response to your reply at 141 follows:
    I most respectfully assert that I have not ignored anything of substance in your ethical assertions about Giorgio’s setup and mode of delivering his application.
    I regret to have to say that you’re simply repeating your unfounded assertions:
    “The changelog page is one major complaint points about NoScript. I have seen lots of complaints about it in Adblock Plus discussions.”
    Irrelevant. ABP users don’t constitute the main user base of NS.
    “ I don’t visit NoScript forums but I bet that this is one of the most common complains there.”
    You’ve lost the bet.
    “ NoScript has options for just about everything, so why do you have to dig into about:config for this one?”
    I’ve got to say you’re digging deep yourself to flog this dead horse with that one.
    So to follow your lead, I’ll repeat myself too – - there’s been no need over the development of NS for the changelog direct to be toggled off. Most users appreciate knowing what’s been changed. And no amount of saying it’s an important priority for a rapidly developing UI, into which Giorgio has stuffed numerous important security items will make your assertion any more correct. There is as much value, if not more, in directing users to the changelog at every update, than there is in putting a toggle in the UI for the irritable few. There is plenty of access unimpeded by registration in the forums now that the user base has exploded in size, and the few but regular requests for access to the update frequency config have remained about constant. Not exactly a ringing set of data to support that part of your rather slim case for a venial Maone.

    “Further: the idea behind security apps should always be “trust nobody.” That’s something that Giorgio has been telling himself often enough. Obviously, the whitelist should be as small as possible to keep users safe.”

    You either just do not get the idea of “trust” with respect to navigating around the web, or you are again flogging that dead nag, and you’re not even drawing old maggots now.
    Trust is a conditional state, where you research signs that you can trust a site to have a responsible and knowledgeable approach to maintaining security. In the narrow sense of NS’s trusted whitelist, this means that a site is trusted to maintain itself free from exploits and is trusted to run scripts safely itself. Nothing more.
    Nobody sane expects 100 percent safety. If a hole is found at a site, the ethical way to deal with it is for the finder – whoever they are – to quietly inform the site operator – whoever they are – and for the operator to patch it as promptly as possible. JS, or anything else. I suppose that’s what happened with the fault you found. Congratulations on being what anybody would expect you to be, and congratulations to Giorgio for doing what anybody who trusts him enough to use NS would expect him to do.

    “Sure, Giorgio might have made the mistake of thinking that his own sites are guaranteed to be safe.”
    Not even near the truth, and I’m sure you know it. No responsible site operator thinks they’re invincible – all the best ones make friends with the Sirdarkcats of this world for just that reason – - to keep testing it constantly for holes.
    “ But after I found an XSS vulnerability there and proved that he is putting users at risk — why did his sites stay on the whitelist? Is he that sure that he won’t make a mistake again? Or that his XSS protection is infallible? “

    Repeating that so many times doesn’t make it true. Giorgio is not falsely modest. He looks after his site with skill and responsibility. As I feel sure you do. He is proud of his coding skill and his approach to security and he lets the net know. Are you punishing your mate for being a loudmouth? For advertising himself?
    What kind of crime is that? So without that misguided part of your argument, what exactly are you saying?
    That Giorgio shouldn’t whitelist his own site because he is a careless site maintainer and leaves any holes unpatched? He isn’t careless. And he’s certainly not without expertise. Holes, if any, are watched for and patched. What’s not to trust in that respect?
    I’d advise you to be certain you’re keeping that aspect of “trust” definition separate from your ethical fight about hacking each other’s apps.
    Giorgio, in whitelisting Google, Yahoo images and a few of the more commonly used navigation aids is flagging that those operators are also responsible maintainers. Nothing more and nothing less.
    With your standard of 100 percent security now and in the future, a web user would be frozen at about:blank for ever.

    “The security playing field changes often – but not that often. Occasionally you need an emergency release. Most often that’s unnecessary and your changes can wait until more of them came together.”
    Here, again, I can’t see that you appreciate the difference between security apps that operate on blacklisting and NS. The main AV and firewall apps certainly don’t get too frequent updates, but their definition lists sure do – sometimes as much as 3 times a day in my experience of one that had its definitions so carefully looked after that it missed a great big hack that left its users sending private data to the wild blue yonder for more than 2 weeks.
    When NS does an update it is analogous to a definition update by a blacklisting application. Thankfully for us NS users, when security is managed in a whitelisting environment, the analogy of definitions is to usage bugs, and not to the never-ending ranks of baddies that have to be blacklisted, and always after the fact.
    There have been, as a contrast to usage bugs, only a handful of major security threats around scripting and plugins this year – all of which were indeed swiftly covered by NS updates. Most, as far as we plain users can know, covered in plenty of time to avoid that bane of the blacklisting approach – the zero-day exploit.
    Giorgio should be attacked for encouraging people to begin thinking about pre-emptive scripting security as a complementary approach to blacklisting security?
    That’s not FUD in any acceptable sense of the term.
    You’re just not right to assert that either, or if you are, then Giorgio isn’t Robinson Crusoe – with every security application vendor flogging the “it’s a jungle out there”, the totality of web security is FUD.
    Is that what you’re saying? You don’t believe NS is a security app? Or that all web security advice is FUD?

    “Too frequent releases are another major NoScript annoyance – I’ve seen that in discussions many times before and you will see many people acknowledging this in the comments to this blog post.”

    Annoyance is a fairer term. I’m pleased you have moderated your language there.
    But annoyance from a few of the user base? Irrelevant to either a claim that updates are too frequent or that they have an ulterior motive. All you’re claiming is that some NS users are annoyed by update frequency. Big whoop.

    “ Given that,”
    No, I regret that I can’t allow you to claim it as a given. You haven’t proved it and it’s irrelevant anyway.

    “ it hard to understand why they still happen (releasing more often while keeping same quality requires additional effort from the developer, that’s not something anybody would do without a reason).”

    There you go repeating a suggestion of unrevealed motive, for an unproven premise of unnecessary updates.
    I assert that the update frequency is entirely justified within the security and usability needs of users and furthermore that Giorgio understands that NS would be shown as insecure if he didn’t keep ahead of the game all day every day.
    I fancy he’d probably be quietly pleased to see Fx have to maintain NS eventually.

    “You also ignored the most important fact: NoScript did include code to cripple Adblock Plus. You can download version 1.9.2 and look at MRD.js yourself (see comment 17 about de-obfuscating that file). Have a look at the changelog and try to find that change there. You can also see in the NoScript forum how Giorgio tried to cover up. That is what I am so upset about – is that what you expect from your security app?”

    No, Wladimir, I have not ignored the central fight between both of you.
    That’s nothing short of plain sad to see two intelligent mates lose it, however temporarily, over what’s a rather localised skirmish. You will I’m sure, find a way to step down eventually from your anger – each of you. But I have no need to umpire that little match, do I?

    But that’s not what concerns me. Your being very angry is not any reason to now kick Giorgio with so far unfounded accusations of being a money-grubber.
    That’s why I’m asking you to state your agenda.
    Are you saying that your agenda was to get an apology? You said it was a tough choice to do this public accusation. Well, you did it. And still you aren’t backing up your accusations with fact.
    Perhaps if all you want is a public apology, you would like to lay off now and stop repeating your rather one-eyed interpretations of motive as fact in these comments until you hear from the accused. Or you see sense and just walk away from the mess.

    And, finally, what in all the gods’ names do you hope to achieve by screwing a colleague so publicly and viciously? FUD is equally a good description of all your accusations in here.
    All it’s got you is what? Some of your supporters’ admiration. Not much advance in OSS development ethics, because everybody will always have an angle for making a buck no matter how the purists such as you call Uncle. And even if a small victory for you in a very small corner of the web, at what cost to your conscience when you obviously know you are running a poor argument for anything except that Giorgio lost it with your small part of the web.

    It quacks like a duck, it walks like a duck.
    You look like a killjoy.
    Prove me wrong.

  193. butthurt · 2009-05-03 10:36 · #

    @Nan M
    Wow, that is some master level trolling.

  194. SadistiX · 2009-05-03 10:52 · #

    bottomline: noscript sucks
    how about suing them?

  195. dust · 2009-05-03 11:04 · #

    *$script,third-party

    script is not anything! what is the problem with blocking anything from 3rd websites?

    *$all,third-party
    i hope this is right and it block all 3rd party

    Reply from Wladimir Palant:

    Sure, “*$third-party” will work as well. However, you will find that you won’t be able to use most sites (even blocking third-party scripts renders many sites useless simply because they keep their scripts on a different domain).
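
Added example, not part of the thread and not Adblock Plus code: a simplified JavaScript model of the `*$third-party` and `*$script,third-party` filters from the exchange above, showing why they also cut off a site's own scripts when those are served from a different domain. The hostnames, the function names and the last-two-labels base-domain rule are assumptions made for the illustration; real blockers use the Public Suffix List.

```javascript
// Added illustration, not Adblock Plus code. Simplified model of the
// "*$type,third-party" filters discussed in the comment above.

// Assumption: the registrable domain is the last two labels of the host.
// Real blockers consult the Public Suffix List so that hosts such as
// example.co.uk are handled correctly.
function baseDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// A request is third-party when its base domain differs from the page's.
function isThirdParty(requestUrl, pageUrl) {
  return baseDomain(new URL(requestUrl).hostname) !==
         baseDomain(new URL(pageUrl).hostname);
}

// Parse "pattern$opt1,opt2" into a small filter object. Only the "*"
// pattern and the options script, image and third-party are modelled.
function parseFilter(text) {
  const [pattern, optionText = ""] = text.split("$");
  if (pattern !== "*") throw new Error("only the * pattern is modelled");
  const filter = { text, types: new Set(), thirdPartyOnly: false };
  for (const opt of optionText.split(",").filter(Boolean)) {
    if (opt === "third-party") filter.thirdPartyOnly = true;
    else if (opt === "script" || opt === "image") filter.types.add(opt);
    else throw new Error("unsupported option: " + opt);
  }
  return filter;
}

// Every option present must match for the request to be blocked.
function isBlocked(filter, request, pageUrl) {
  if (filter.thirdPartyOnly && !isThirdParty(request.url, pageUrl)) return false;
  if (filter.types.size > 0 && !filter.types.has(request.type)) return false;
  return true;
}

// Constructed sample: a shop that serves its checkout script from a
// separate domain it owns, plus an unrelated ad network.
const PAGE = "https://www.shop.example/cart";
const REQUESTS = [
  { url: "https://www.shop.example/img/logo.png", type: "image" },
  { url: "https://static.shop.example/app.js", type: "script" },
  { url: "https://shop-cdn.example/checkout.js", type: "script" },
  { url: "https://ads.adnetwork.example/banner.js", type: "script" },
  { url: "https://img.adnetwork.example/banner.png", type: "image" },
];

function blockedUrls(filterText) {
  const filter = parseFilter(filterText);
  return REQUESTS.filter(r => isBlocked(filter, r, PAGE)).map(r => r.url);
}

for (const f of ["*$third-party", "*$script,third-party"]) {
  console.log(f, "blocks:");
  for (const url of blockedUrls(f)) console.log("   ", url);
}
```

Both filters block `shop-cdn.example/checkout.js` together with the ad network's script, because the domain comparison cannot tell a site's own second domain from an advertiser's.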

  196. Ashish · 2009-05-03 11:16 · #

    First I want to say that what Wladimir Palant has done is correct. Making such a thing public is the right thing to do.

    AMO only does a functional testing: for all I know an extension can ship all my passwords stored in FF silently and still pass the functional tests.

    When most people install extensions from AMO, they are trusting AMO for the content. Whether it’s wrong or right is a different discussion but it is a fact. AMO should be more proactive in this process.

  197. sam · 2009-05-03 12:22 · #

    I always wondered about noscript, now I know not to use it, thanks.

  198. Adam Rezich · 2009-05-03 12:51 · #

    Has anyone found anything resembling an official statement from Giorgio? Because I sure haven’t.

  199. Adam Rezich · 2009-05-03 12:58 · #

    Also, I found this to be extremely informative: http://news.slashdot.org/comments.pl?sid=1219425&cid=27794475

  200. MMM · 2009-05-03 13:08 · #

    Nan M, you sound like a bitter fanboy. Under the line Giorgio Maone did something wrong and no matter how much you talk now you can not talk yourself out of it. Facts matter and Noscript stepped over the line! It also brought to a wider audience that the Firefox addon concept poses a security risk.

    Thanks Wladimir for going public!

    I think transparency is the best policy for software developer, especially for security related software. How about making ABP less vulnerable to 3rd party manipulations or warn the user if something like that happens ever again, others might try? In any case I have informed my friends and will have a closer look on Noscript activities in the future. Perhaps it is time to look for alternatives…. or maybe ABP can be extended with a script blocker functionality? It might be out of scope from the original idea, but I would imagine that people who install ABP would also like an option for blocking intrusive/malicious scripts.

    Best wishes from Sweden.

  201. Adam Rezich · 2009-05-03 13:23 · #

    So I decided to go to the NoScript homepage to see what all the fuss is about. Since I’m doing some memory-intensive stuff on my computer at the moment, I’m using a single-tabbed Google Chrome, for convenience. I had to laugh at how his apology came across, due to the advertisement appended at the end:

    “Important update for Adblock Plus users: Version 1.9.2.6 automatically and permanently removes the controversial NoScript Development Support Filterset deployed with NoScript 1.9.2.4. I sincerely apologize with those ABP users who missed the information about it given on the AMO install page, on this site’s install page, on the release notes landing page and in the FAQ. Not including a prompt asking for permission beforehand from the start has been a very bad omission, and I want all the ABP users who felt betrayed to know how much I’m sorry for that. As a sign of good will, current NoScript 1.9.2.6 completely removes the filterset itself, if found there, on startup with no questions asked. Thanks for your patience.
    — Giorgio
    Buy Computer RAM at Discounted Prices

    And I don’t like the phrasing “as a sign of good will.” A situation where that would work would be a cable company saying:

    “Sorry for inconveniencing you by accidentally digging up your Ethernet line, cutting off your Internet access for seven days; as a sign of good will, we’ll give you half off your entire bill for this month.”

    What he’s saying is basically:

    “Sorry for inconveniencing you by accidentally digging up your Ethernet line, cutting off your Internet access for seven days; as a sign of good will, we’ll fix your Ethernet line, absolutely free!”

  202. Alessandro Burato · 2009-05-03 13:27 · #

    I am ashamed to be Italian, sometimes. What Giorgio did has no excuses. I don’t use FireFox anymore, but your AdBlock extension has been the best thing since sliced bread. Keep up the good job.

  203. Nickertse · 2009-05-03 13:43 · #

    Good job, Wladimir. But I’m not talking about NoScript. I’m talking about you and your users. You’ve showed me exactly how THANKLESS an FOSS job can be, and how one can manipulate the brainless masses to do one’s own bidding.
    To everyone who still thinks that there are no 2 sides to this story and is about to add their wise words, I’ll tell you to hold your horses. I recommend everyone head over to NoScript forum and read the whole thread, also this should be helpful: http://news.slashdot.org/comments.pl?sid=1219425&cid=27794475

    Reply from Wladimir Palant:

    Rest of this comment has been removed for offensive language. You are free to voice any opinion in this blog but please keep it civil.

  204. webcrawler · 2009-05-03 14:44 · #

    I never knew this one. I thought he had a skill to display ads on his site although I used ABP.

    He has fixed it; he did it wrong. Can we forgive him?? Money is so powerful these days.

    Many wrong assumptions about us (ABP users) that we don’t want ads displayed at ALL. We would like to support a site that we like but we would like the ADS to be non-intrusive and polite ;-). That was something Giorgio missed and did something terribly wrong to ABP and its users.

    In the end thanks to Wladimir for the information and thanks again for ABP.

  205. scheuer · 2009-05-03 14:54 · #

    about:config

    noscript.firstRunRedirection=false

  206. Joe · 2009-05-03 16:14 · #

    Wladimir,

    Thanks for making this issue public.

    I think the main problem is AMO itself.
    Nobody knows how, when or why extensions get “approval” and
    why some extensions are rotting in the so called sandbox.

    I’ve been very sceptical about AMO since it was established.

    What we are seeing now is the not working centralization
    of extensions. AMO tries to give the user confidence, without ensuring it.

  207. yea · 2009-05-03 16:28 · #

    @107: Oh please, ABP & NS are security plugins, what else would you call them? “Ad blocking & script removing Plugins?” No, they would fall under the general category of security plugins, they make your browser more secure.

    Most users have no idea wtf they are clicking most of the time and ABP protects them from clicking stuff they shouldn’t. In most cases, users stumble upon garbage sites because they ACCIDENTALLY followed a breadcrumb trail of ads until they landed on a script-loaded site…

  208. zaidgs · 2009-05-03 17:19 · #

    @196
    +1, I second that.

    Thanks Wladimir for making the issue public. It is the right choice. You cannot go wrong by telling the truth.

    I have uninstalled NoScript, albeit I am hoping for a replacement/fork very soon. A security tool is only as credible as its developer(s).

  209. kallin · 2009-05-03 18:33 · #

    A quick Google search regarding the whole KallOut situation reveals that Stylish downloaded from the official homepage comes bundled with KallOut, whereas the one from addons doesn’t seem to include it. Sadly there’s probably a lot more extensions that have gone to the dark side.

  210. Lyx · 2009-05-03 18:42 · #

    I may in the past not always have been supportive of the design-choices how Wladimir continued to develop ABP (not security/whitelisting related – i just consider dropping of certain features as a big mistake), but in the case of the noscript-disaster, i fully agree with everything which he said in the original post and in comments.

    A developer of an app which gets entrusted with managing the security of a user, secretly enforced something on the user against the user’s will.

    That is a by-the-book description of “abuse of trust”, and there is no “but”. The point isn’t primarily what that dev did, but how he did it: he did it via abuse. That way, he ruined the trust-relationship between him and the user. Since he did that to a high amount of users, it is only fair that a high amount of users mistrust him for that. The dev fully deserves his reputation to be nuked into oblivion.

  211. Donna · 2009-05-03 20:08 · #

    @Dorothy,
    Giorgio Maone, the author of NoScript said there is no toolbar or any 3rd party bundling with his software. I’m wondering why you reported that there is Ask.com Toolbar offering when you are updating NoScript. Did you update another add-on together with NoScript that is maybe the one that has Ask.com Toolbar instead from NoScript? I’ve tried few times to repro your report but could not. There’s no Ask.com Toolbar on NoScript after my few tries to update different builds to the latest.
    See the post of Giorgio at http://msmvps.com/blogs/donna/archive/2009/05/03/1691768.aspx

  212. JoUser · 2009-05-03 20:20 · #

    I too think it absurd that in today’s age one must install and extend trust (or rather faith) to any let alone multiple third party addons in order to achieve some reasonable level of control over Javascript, HTTP Referrer, LSOs, request filtering, and such. We’re talking about core functionality that significantly affects privacy and in some scenarios security. Users shouldn’t have to fight with browser developers to have such features integrated into the browser or surfaced through convenient user interfaces. Users shouldn’t have to turn to potentially risky third party extensions in order to effectively patch deficient browsers.

  213. nobody · 2009-05-03 20:31 · #

    Don’t wash your dirty linen in public… For the sake of transparency AMO would have come up with a statement. But now all the illiterate guys who couldn’t read the notice in noscript FAQ.. AMO page etc have suddenly become wise after being slapped out of sleep. The show is public now and while you and I participate the rest of the traffic enjoys. Lolz.

  214. rsimark · 2009-05-03 20:39 · #

    As they say there is more than one way to skin a cat. I see many sides and multiple interpretations.

    I’d also say a line was crossed and trust broken. This will make many users re-evaluate Add-ons used with FF.

    Is there a mozilla bug with what I see as a security issue. One extension should not be able to update another, and without warning? I see no fault here with ABP, more with the Add-on model in FF.

    Thanks for bringing this into the open. Good discussion will ultimately lead to better browsers and add-ons.
    Thanks Wladimir

  215. Stupid · 2009-05-03 21:09 · #

    So the NoScript guy wanted to protect a revenue stream, and used some tricks. Adblock guy was mad that NoScript guy found a way around his extension, so he fought back. NoScript guy created a new workaround. Adblock guy gets more pissed, tries really hard to prevent it again. NoScript guy easily circumvents that too. Adblock guy then makes a blog post to express how butthurt he is, crying of security implications and everything else. Entire internet believes this one-sided account of the story.

    Try checking the NoScript site and you’ll have a better idea of the situation. The guy let you easily disable this new functionality, but you are all too stupid to read anything, and just expect to be able to use an ad-free internet blindly and on your terms.

    In a nutshell, you all need to grow up and learn that not everything is free. Casual ads never hurt anyone, and if it’s a particularly annoying one, you can probably block it with NoScript, making Adblock completely useless in the first place. You should also learn to not take everything for face value, and wait until you can a.) hear a rebuttal from the other side, or b.) hear it from an independent source.

  216. LorenzoC · 2009-05-03 21:43 · #

    “In a nutshell, you all need to grow up and learn that not everything is free”
    You are wrong. In fact I am FREE to not use NoScript and any other software that tries to put things in my rear entrance without asking.
    Not considering the said unfair behavior, I quit using NoScript long ago because the “blacklist/whitelist” approach to blocking scripts in Web pages is nonsense in my opinion, while I could not browse the Web without ADBlockPlus, that just blocks ads.

  217. Not 215 · 2009-05-03 22:12 · #

    #215 you start out with a legitimate point about there being two sides to every story. A bit vulgar and subjective, but hey, we’re on the Internet.

    Your post goes downhill quickly thereafter. Your point is no longer about bias in observing a situation, it’s about condemning those who disable advertisements.

    It’s ironic you’re taking sides when condemning others for doing so.

  218. Pablo Z. · 2009-05-03 22:24 · #

    After reading 50% of the comments (which is a lot) I can’t believe none of them mentioned the political intelligence with which Wladimir managed this situation.

    Although this may be influenced by the fact that I was under a somehow similar situation with a client recently, I find this post as one of the cleverest posts written to deal with an ongoing conflict I ever read in life.

    See how the article first focuses on giving the extension devels some more organized way to get some revenue. Then it explains the origins and the current state of the conflict. All the relevant info seems to be there, and is written in such a way that I think even my granny could understand what was going on (ok, maybe not she, but my mother?).

    Personally, I always thought NoScript was a 14 yo. guy’s project and logo and never installed it (as a matter of fact I don’t even remember its purpose, but I trust I had good reasons for not installing it).

    Kudos.
    Pablo

  219. Not 215 or 218 · 2009-05-03 22:32 · #

    #218, I feel the same way toward your post as I do toward #215. Starts good, ends bad.

  220. W^L+ (Walt Hucks) · 2009-05-03 22:42 · #

    @215

    This “new functionality” was inserted behind my back. I only knew about it because of this blog post. That is the issue. I have no issue with voluntarily whitelisting his site, since I’m a user of his software. I just wish he’d been upfront and opt-in about it.

    I will continue to use NoScript as well as AdBlockPlus. I’m not 100% anti-ad. I’m against annoying ads, the ones that flash, move, open pop-ups and pop-unders, obscure the page I’m trying to view, and take longer to load than the rest of the page. Ubiquitous advertising, unfortunately, makes all ads less effective, which tilts advertisers toward less ethical techniques. We need ABP and NS and probably more content-restricting extensions to restore sanity and balance to the Web.

    Using a browser (or an extension, for that matter) is making the choice to trust the developer and distributor of that software not to secretly undermine your privacy or security for his/her own benefit. It doesn’t surprise me that someone made a mistake. (How many of us have “Genuine Advantage” snoopware running right now? Installing it as a “critical update” is a similar ethical lapse.) Now is the time to try to learn how to prevent similar lapses in the future. Giorgio made a mistake. It is over. How do we prevent others from making similar mistakes?

    I agree with Wladimir that developers like Giorgio need to be able to make enough money to support their families. If they cannot, they will either cease development, go paid-only (d/l from own site instead of the Mozilla add-ons site), or succumb to pressures from commercial interests such as the search company mentioned @187. I look forward to a model in which such extensions are able to garner enough financial support without compromising their users’ interests.

  221. Byakushin · 2009-05-03 22:49 · #

    Ooo. I always thought my homedir sync was mysteriously broken when FF kept popping up Noscript updates every time I started it. I never saw the famous changelog page either for some reason. In any case an implementation of a plugin is less than optimal if the code keeps needing to be changed so often and the user pestered about it – that’s what configuration feeds are for.

    Newsflash: No, security isn’t about who can post the most popups at the user, although I can see why people might make that mistake. ;)

    This post has been very educative. It took hours just to read the comments here. Wladimir, I lift my hat at the cool-headed way you present matters that would (and clearly do) send many others ranting and raving. I was just mildly amused at the explanation you’ve written about the relationship between Adblock and ABP, but after wading through this thread I’m just impressed.

    If I had to pick someone to give the power to “manipulate” a flock of feral fans aching to pick a fight with other feral anythings, you’d have my vote.

    The existence of mobs on the Internet does not mean that we must never speak up on anything that might agitate them. It means that we should speak up responsibly, like was done here. If a netizen doesn’t have the ability to stop and think about their own interpretations and actions, they won’t suddenly grow one from reading even the most carefully-written post in the world.

    Thanks to Adblock Plus and a regional list, sites I was unable to use because they sucked my laptop cpu dry on flash ads I barely even saw (let alone paid attention to) are usable again. It’s why I recommend it. I notice occasionally that an ad is gone from where I have mentally skipped it before, but mostly I just see the vastly more smooth browsing experience. I feel sad for the advertisers I fail to get actively annoyed at now though, I know it’s my duty to carefully read and marvel at absolutely everything I run into on the net, after all. ;) But all in all I’m more glad to have the Internet back, even if it must fall soon from my selfishness. :)

    Kudos & peace.

  222. Lyx · 2009-05-04 00:14 · #

    The road from fairware to malware, and from mutuality to parasitism:

    1. “Hi, i have this and that feature and do it this and that way. If you are looking for something which does this and that, then i can do that. I can however not do this and that and there are better solutions for such cases. Anyways, if what i can do is useful for you, then you can manually download and install me here…”

    2. “Hi, i’m really cool, because i can do this and that. Regardless of your actual needs, its certain that you benefit from using my services, because i’m good for ANYBODY. Download and install here…”

    3. “Hi, i won all those awards, have a colorful and blinky website and offer these totally awesome features. YOU NEED ME! Click here to install fully-automated!”

    4. “Hi, i’m like totally awesome and automatically run as a webapp with access to the operating system. Did i mention already that you should buy me, because i’m like totally awesome, regardless of what you need or want? Oh, and also try our other like totally awesome products, because else you will be a total loser and your computer will explode. DO WHAT I SAY DAMNIT!”

    5. “Hi, i’m your new crap-adviser, buy…” “WTF? How did you get installed?” “Shutup, i have just downloaded these like totally great offers, based on your usage-stats, and installed them. Now, click here to register them! No, forget it, you won’t remove me. Your decision doesn’t matter! Do what i say damnit!”

    6. “Hi, i just turned your machine into a remote control which can be commanded however we like. Of course, you won’t be able to read this message, because i made sure to integrate into the OS as deep as possible so that i’m not only unremovable but also invisible.”

    7. “Can you say ‘Hypervisor-Mode’?”

  223. Tim Clark · 2009-05-04 01:06 · #

    Well, I must say I finished reading this sad state of affairs yesterday, and am about to read more today I’m sure.

    Personally I don’t care about ads in general, it’s how folks make money for the good work they do.

    Given a choice of using AdBlock and NoScript I’d pick NoScript any day of the week. It blocks most ads that use JavaScript and Flash anyway and the sites that supply them unless I choose to allow it. I wish you had not specially targeted its site and started all of this.

    While the actions taken by NoScript to bypass your targeted treatment may have displeased you, you should not have written your filters to do ANYTHING more than block Ads, thus not requiring them to restore the sites functionality by other measures. While I think the addition to the white list should have had a prompt, the actions themselves did not bother me.

    Respectfully submitted

    Reply from Wladimir Palant:

    Just pointing out a few things:

    1) I do not make decisions for EasyList. I sometimes recommend something to the EasyList maintainer (as I do with other filter lists as well) but the decision is always his.

    2) Blocking ads was the intention on EasyList’s side, nobody wanted to break site functionality. Giorgio tried to make blocking his ads harder, the breakage is the direct result of that (note that the false positives would surely have been fixed – if anybody knew about them). Also, he was the one who made the “targeted treatment” necessary in the first place.

    3) Note that EasyList is meant to block ads, that’s what is expected of it. NoScript however was made to ensure user’s security – not go and make changes to his configuration behind his back (behavior reserved for malware).

  224. Lyx · 2009-05-04 01:28 · #

    Tim Clark, are you trolling or do you have any clue how the web works? A pure advertisement filter does NOT restrict the site’s functionality, UNLESS the siteowner intentionally made the site not work properly if the ads are blocked (which IMO, even though not wise, he has the right to do).

    Phrased differently: Not adblock disables site functionality – site owners disable site functionality. And in the case of noscript, the site owner not only chose to disable his site’s functionality if ads are blocked – which he is free to do (but then may not put the blame on others) – he also invasively and covertly disabled functionality of another application.

    The noscript author neither offered his app and site under clear conditions (a mutual contract), nor did he optionally, openly and unbiasedly ask the user to do something. He instead decided for himself, that the user probably will not like his conditions, yet he wanted the user to accept anyways – and the only way to do that, is via nonmutual enforcement and obfuscation. He cheated the user while at the same time advertising his software as “making you more secure”. The term for that is “hypocrisy”.

    Reply from Wladimir Palant:

    Offensive language removed, please keep the discussion civil.

  225. Transcontinental · 2009-05-04 01:37 · #

    Forget ABP, choose Ad Muncher and keep NoScript.

  226. Tim Clark · 2009-05-04 01:52 · #

    Wladimir, I would like to thank you for removing the “Offensive language” unfortunately I already got to see it :(

    @Lyx : Trolls generally do not use their real names, they hide behind fake names … like Lyx?

    I see how disagreement is treated in this forum, sorry for having wasted my time and yours, I won’t do it again.

    Regretfully submitted

    Reply from Wladimir Palant:

    Unfortunately, the discussion got quite heated – on both sides :-(

  227. $$$ · 2009-05-04 02:11 · #

    What kind of features are in NoScript that cannot already be replaced with the features in ABP?
    I know that ABP itself can already block scripts, objects, images and more.
    Is it the XSS features or something?
    Or maybe the information bar at the bottom?

    Reply from Wladimir Palant:

    Adblock Plus only blocks external scripts, it won’t prevent execution of scripts that are embedded in the web page. Also, if you add rules to Adblock Plus that correspond with NoScript’s default settings you will see mostly each website being broken – which is why NoScript user interface has a strong focus on reverting blockage (temporary or otherwise), something that currently isn’t a priority for Adblock Plus.
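
The distinction drawn in the reply above, as an added example that is not part of the original comments and is not Adblock Plus code: a simplified request-URL filter run over a constructed page, showing that only scripts loaded via `src` are ever candidates for blocking. The plain-substring filter format, the host names and the function names are assumptions made for the illustration.

```javascript
// Simplified model of a request-based content blocker (NOT Adblock Plus code).
// A URL filter can only veto a script the browser has to fetch; a script whose
// code is embedded in the page never produces a request that could be matched.

// Constructed sample page; all host names are placeholders.
const SAMPLE_PAGE = `
<html><head>
<script src="https://ads.example.net/show.js"></script>
<script src="/static/site.js"></script>
<script>document.title = "inline code runs";</script>
</head><body>
<script type="text/javascript">
  var tracker = "embedded in the page";
</script>
</body></html>`;

// Constructed filter list: plain substrings matched against the request URL
// (an assumption for this sketch, not the real filter syntax).
const SAMPLE_FILTERS = ["ads.example.net/"];

// Find every <script> element and record whether it carries a src attribute.
// A regex is enough for this constructed sample; it is not a full HTML parser.
function extractScripts(html) {
  const scripts = [];
  const re = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const srcMatch = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    const src = srcMatch ? (srcMatch[1] ?? srcMatch[2] ?? srcMatch[3]) : null;
    scripts.push({ src, inlineLength: src === null ? m[2].trim().length : 0 });
  }
  return scripts;
}

// Decide, per script, what a URL-based blocker could do with it.
function classify(html, pageUrl, filters) {
  return extractScripts(html).map((s) => {
    if (s.src === null) {
      // No request is made, so there is no URL to test against any filter.
      return { kind: "inline", url: null, blocked: false };
    }
    const url = new URL(s.src, pageUrl).href; // resolve relative src values
    const blocked = filters.some((f) => url.includes(f));
    return { kind: "external", url, blocked };
  });
}

// Count the outcomes so the coverage gap is visible at a glance.
function summarize(results) {
  return {
    externalBlocked: results.filter((r) => r.kind === "external" && r.blocked).length,
    externalAllowed: results.filter((r) => r.kind === "external" && !r.blocked).length,
    inlineUntouched: results.filter((r) => r.kind === "inline").length,
  };
}

const results = classify(SAMPLE_PAGE, "https://site.example/page.html", SAMPLE_FILTERS);
console.log(results);
console.log(summarize(results));
```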

  228. Lyx · 2009-05-04 02:11 · #

    I agree with you: You do not seem to be a troll, but simply inexperienced, and therefore handicapped in verifying which statements technically can be true, and which statements technically cannot be true. And don’t understand this as an insult: There is nothing wrong with being inexperienced – there is however something wrong with making judgements about things, which one doesn’t understand.

  229. Lyx · 2009-05-04 02:15 · #

    @ $$$:

    I would say that the main feature not available in ABP, is something which many site owners which rely on advertising have already requested often: An easy and quick way, to whitelist sites.

  230. Lyx · 2009-05-04 02:18 · #

    I correct myself. I just noticed that ABP DOES provide such a feature already.

  231. anon · 2009-05-04 02:34 · #

    personally, i believe this defines noscript as adware/malware
    it causes ads to appear unwantedly
    masquerades as adblocking and security software while opening a clear channel to allow its ads and security issues to pass through
    and disables through malicious code the capabilities of similar software
    it should be classified as malware/adware now

  232. CranBeary · 2009-05-04 04:19 · #

    Ah, so that’s why my Firefox Portable install started crashing on me and my normal Firefox install was unaffected; I only have (had :P) NS installed on the portable install.

    Lyx: Whitelisting sites is simple in ABP. Just click the ABP stop sign and it will turn into a green circle indicating that the site you are viewing is whitelisted.

  233. BigMKnows · 2009-05-04 04:34 · #

    Well, the more I read into this, the more I learn. Here’s my assessment so far.

    EasyList used to take a conservative approach to ad blocking. For example, they implemented filters for Hulu, and Hulu responded by forcing a 30 second wait time. Since many of Hulu’s commercials are only 10 or 15 seconds, this ended up being more troublesome than simply allowing the ads. So EasyList (under Rick752) removed the filters. Rick752’s justification was that NOT breaking a site was more important than ad blocking. (EasyList includes a whitelist for many other sites, too)

    Unfortunately, Rick passed and Ares2 took over, and Palant (by his own admission) wanted to target Maone’s web sites. Ares2 then engaged in an “arms race” of filters and countermeasures, until Ares2 ended up breaking many parts of Maone’s web sites.

    Ares2 (on the NoScript forum) said these were temporary measures because of Maone’s attempts to get around the filters, but how could Maone know that at the time? All he saw was that someone was targeting and BREAKING his site at any cost, even though Hulu and many other sites are left alone — they ALLOW ads on those sites so as not to break functionality, but they broke Maone’s sites.

    So he responded by crippling ABP. I don’t defend that in any way, but Palant has been sitting here for the last few days talking high and mighty about how one extension shouldn’t interfere with another. What about your own historical view that ad blocking should not interfere with site functionality?

    While I defended you before, my current view is that you are both about equally at fault. Ares2 stepped over the line by breaking Maone’s sites at any cost, and Maone stepped over the line by interfering with ABP.

    BTW, this isn’t the first “arms race” between EasyList and ad-supported sites by any means. Hulu responded and EasyList capitulated, and other sites have responded as well, and EasyList has capitulated.

  234. Lyx · 2009-05-04 05:17 · #

    The ironic aspect is that from a mutualistic POV, what COULD be questioned about ABP is not that some sites (typically by their own choice) break, but instead that ABP goes a long way to AVOID breakage!

    How? It’s quite easy: Visiting a website is an interaction between two sides: The site and the user’s pc – in an extended scope, the two interacting entities are the user and the site owner. Now, from a mutual POV, the consent of BOTH parties is necessary for a free and fair interaction: Either both agree on a set of conditions and interact, or they do not agree on a set of conditions and do not interact. Together, or not at all. All other alternatives to this simple scheme by necessity involve doing something without the other’s consent.

    Regarding advertisements, the free choice which the user can make, is if he is willing to download and see the ads. The owner’s free choice on the other hand is if he wants to provide the sites service, if the user does not agree to receive ads. BUT: To do this efficiently, adblock would have to identify itself. The website should clearly identify the ads, and adblock should clearly identify its actions – and then both sides either agree, or disagree. I think that Wladimir knows very well what would happen if ABP would play with open cards here, instead of acting covertly.

    So, from a mutual POV, i think that it is exactly the opposite way as BigMKnows argues it is: It is not ABP to blame if a site intentionally makes it difficult to block ads without breaking functionality. That is the site owner’s free choice and responsibility, and as i already said before, IMO he is free to block ABP users (if that is an efficient reaction, is an entirely different question), just as ABP is free to block certain content. The point however here is: That wasn’t the goal of the NS author! The intention of the NS author was not to say “use it under the following conditions, or not at all” – rather it was “i know you probably don’t want it, yet i still want an interaction based on conditions against your will”.

    It’s plain logic: It’s difficult to fight against something (ABP), yet at the same time want an interaction with it… going such a contradictory route has to end up ugly. Same for the website: If you make it difficult to block ads, BY increasing the risk of breakage (that is how ad-countermeasures work: obfuscation and making it difficult to distinguish ads from normal content)… yet at the same time complain about the breakage when it happens, then something seriously went wrong in your mind.

  235. Giorgio Maone · 2009-05-04 07:24 · #

    Dear Adblock Plus and NoScript Users, Dear Mozilla Community…

  236. JoUser · 2009-05-04 07:33 · #

    I’m very disappointed to hear that EasyList ever capitulated to anyone. I would like it to behave in a consistent manner – blocking all ads without exceptions and with as few falses as possible.

    I don’t block ads because I don’t want to see ads. I block ads because the mere act of retrieving them usually presents a risk to one’s privacy and sometimes security. The sophisticated, often concealed and/or misrepresented, unverifiable and potentially unbounded, profile based targeted advertising systems of today are far too great a threat. As much as I might like the idea of supporting sites through ad views, it simply isn’t a risk worth taking. The ads are usually served by third party ad networks and they have proven to be some of the worst offenders. Even when the URL suggests that the ad is served from the site you are visiting, the site may be using DNS, routing, proxying, etc techniques in an attempt to hide what is going on.

    People will cross lines to acquire, maintain, and/or enhance their [advertising] income. Even some of those who start far from the edge one day find themselves down the slippery slope. It is really a shame that there are so many bad actors and they have created a climate in which across the board ad blocking is the most prudent and practical solution for those who value privacy/security. That’s the way it is though.

  237. _george_ · 2009-05-04 08:05 · #

    I will continue to support NoScript even after all of this hype, it was a bad mistake on Giorgio’s part, but I am not going to go crazy like everyone else.

    keep up the good work AdblockPlus and NoScript.

  238. Security First · 2009-05-04 08:38 · #

    It had become painfully clear to me that Wladimir and Ares2 had some kind of hate on for the NoScript author prior to his wrong actions and poor judgement in recent days. And then I read this posting by Alan Baxter:

    http://forums.informaction.com/viewtopic.php?f=7&t=877&start=255#p3668

    From other sources and older forums, it does appear that Baxter has been on the inside, or at the very least closer to ABP developers than almost all of us. He also seems to be a fairly balanced and reasonable fellow. Baxter’s posting finally brings some context to your otherwise inexplicable behaviour, Wladimir. Given that we’ve now all had a chance to read the NoScript author’s official apology posting on Hackademix, is there any chance that you could cool down enough to respond to Baxter’s posting? I would honestly like to know why you were lobbying Rick752 to target Giorgio’s websites a year ago already. What was Giorgio doing a year ago that so earned your wrath? If Baxter is correct, it surely looks like you bear an awful lot more responsibility for this firestorm than you’ve let on. My perception of Giorgio’s official apology posting and his most recent postings leading up to it is that he’s been most civil, sincere, and honestly regretful for his wrong behaviour. Until demonstrated otherwise, I’m willing to take that at face value because I believe that’s the right thing to do. But, Wladimir, when will we see this from you? Giorgio has extended his hand and come clean. Will you?

  239. whatever · 2009-05-04 09:52 · #

    This probably won’t show up, but while everyone has been dissecting this debate left and right, it really comes down to two individuals who have demonstrated less than the stereotypical maturity of junior high school girls. In short, this is a pissing match between two Europeans who apparently HAVEN’T learned anything from their history of warfare (ie: big pissing matches). Indeed, they’re both hiding behind this “cultured” veneer, attempting to use their programming prowess in that passive-aggressive way that only programmers can do so well, when it’s clear that they are actually not above the fray, they’re hip deep in the BS.

    Would you trust them to code anything on the most important program your computer runs? I think it’s time to ask mozilla to incorporate the functionality of these immensely popular extensions, and put the development and management where it belongs: In the light, where transparency can ensure we can actually trust what goes on. Both ABP and noscript have managed to recreate Berlin from the Cold War, what with secret meetings and secret attacks.

    If these extensions imply anything more than other extensions they implicitly tell users, “You can Trust Us, we’re the Good Guys”. It’s very clear, that they’ve long since abandoned that implication in favor of hurling mud at each other and pulling each other’s hair.

    Simply pathetic.

  240. Knightsofni · 2009-05-04 10:05 · #

    The community needs AdBlock AND NoScript. Both parties handled the situation poorly. It seems EasyList and ostensibly ABP started the real trouble by getting carried away trying to block ads on NoScript’s page and disabled its proper functioning. Why make such a big deal about ads appearing on that one site? Sure they weren’t being blocked by your add on but they weren’t particularly irritating and NoScript is a great tool and a boon to the community, couldn’t you have just left it alone? On the other hand NoScript’s author definitely should NEVER have added a filter to ABP to unblock his site without asking user permission up front. He has apologized, it would be nice to hear some admission from you that perhaps you need not have been so aggressive in the first place. We need these tools, we don’t need a lot of drama and in my eyes you lot are just as much to blame for that as he is. At the end of the day his extension is actually a better security measure than yours is. If you both set your add-ons to interfere with each other and I had to pick one it would be NoScript, and I’m sure I’m not the only one that feels that way. So keep that in mind, as you go forward.

  241. LorenzoC · 2009-05-04 12:18 · #

    After reading this:
    “my hacker attitude led me to dig directly in the low level Adblock Plus internals where filters are enforced”
    I wonder who ever would install Maone’s extensions any more.
    The point here is his “hacker attitude” leads him to “hacking” my computer, not EasyList or Wladimir’s server and since I don’t want to be “hacked”, why should I allow him to play?

  242. JoUser · 2009-05-04 12:34 · #

    As soon as it was learned that he was exploiting an Adblock Plus bug to defeat the generic EasyList rules… which apparently was a very long time ago… EasyList should have explicitly targeted the ads on his site(s) AND the Adblock Plus bug should have been fixed AND the whole thing should have been widely publicized. There can be no delays or playing favorites or cutting folks some slack when privacy or security are involved.

  243. RNiK · 2009-05-04 14:12 · #

    As a Mozilla Firefox user, a NoScript and ADP user, an EasyList subscriber, I’m really pissed off disappointed by this “war” between extension developers.

    I think you did a bad thing blocking advertisement on Giorgio’s sites without discussing it with him or notifying him of anything.

    I think Giorgio did a worse thing modifying ADP code via NoScript.

    I hope some day you two will find a way to cooperate rather than fight each other.

    Now I’m going to donate some money to both of you for your excellent work in developing Firefox extensions Giorgio since you don’t have a donate mechanism for ADP.

  244. Giuliano · 2009-05-04 14:17 · #

    I don’t know or care WTF you’re talking about, sounds like a nerd fight.

    IMO the comment I’m quoting above is the one which best sums up all this “extension wars” saga…

    Anyway, my own opinion is that both parties (Giorgio and Wladimir) made their own mistakes. Now I have read here http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/ Giorgio’s apology but I’m still waiting to read Wladimir’s apology which is in my opinion equally needed…

  245. Errant · 2009-05-04 14:20 · #

    YOU are to blame here (and Ares2) for escalating the witch hunt on the NoScript site to the point it removes all scriptable and usable features.

    Giorgio made a bad choice when angry at the treatment he got.

    YOU went on a cold calculating hunt after him without taking the time to see what you were doing could only end badly.

    I have removed easylist2 in disgust and hopefully others will too now!

    I TRUST the maintainer of that list to provide blocking against malicious ads and annoying content. You’ve broken that trust a LOT more than Giorgio ever has done and I am done with it.

  246. Tom · 2009-05-04 14:22 · #

    While he was wrong to resort to such hacks, you sir, are the douche bag in this situation. Specifically targeting a competing product’s websites rather than fixing a bug in your software is just as childish and pathetic.

    And LorenzoC: please look up the original definition of the word “hacker”.

  247. LorenzoC · 2009-05-04 15:03 · #

    I’ve read the “apologies” from Maone. Those apologies not only are useless but basically confirm two main issues:
    1. the whole extension mechanism in Firefox is catastrophically flawed. Extensions can do whatever they want and even those over AMO can’t be “certified” to be safe, either from involuntary bugs or “evil hacks” made on purpose.
    2. Maone thinks he has the right to install malware on my computer as source of revenues for him. This sort of thing doesn’t happen by accident and has been quite common on the Web since the beginning of time. How many “free” software are out there that once installed drop some “surprise” or another on your computer?

    Of course, there are many people who say nonsense like:
    “I don’t know or care WTF you’re talking about, sounds like a nerd fight.” They are those who complain their computer does not work after they installed the above-mentioned “free” stuff.

    On a side note: because of the way it works, NoScript does not add any real “security” to your Firefox, unless you want to surf the Web with JS disabled, that nowadays is pretty much impossible.

Commenting is closed for this article.