Easylist Vs. Noscript?!

Lyx

Post by Lyx »

1) How many users get exploited by "fat fingering a bad site"?
2) How many users get exploited via "firefox exploits"?
3) How many users get exploited by getting tricked into doing something which they shouldn't do?

I'd estimate of those who do get hit, 99% fall on number three. Malware is there because of user-failure - the only effect which NS as well as ABP may have on that, is that they may in many cases prevent the misguiding messages to reach the user. But well, if the user is already able to competently decide which sites are trustworthy and which ones aren't, then why is he visiting non-trustworthy ones? Is that the point? Shields up for visiting sites which aren't trustworthy? In that case, neither an adblocker nor a scriptblocker is enough... what you actually need for that, is a button to disable ANY potentially dangerous active content - so, i.e. plugins and similar things as well - you'd need a "downgrade to web 1.0"-button.
Wladimir Palant

Post by Wladimir Palant »

Answer to your second question is - quite a few (maybe 10%). However, so far this affects exclusively users who are running an outdated Firefox version, and in this case NoScript will very often not help at all. So the emphasis for security is really making sure to install a Firefox update every time there is one instead of thinking that the difference between 3.0.9 and 3.0.10 is too small to really matter.
Alan

Post by Alan »

Thank you for emphasizing that, Wladimir. We may disagree as to the efficacy and purpose of NoScript, but do agree about the importance of staying patched against known, published vulnerabilities. I'll recommend users seeking NoScript support to upgrade their browser if I see them running with a vulnerable version.
Wladimir Palant

Post by Wladimir Palant »

Moving off-topic comments from the blog:
eldalie wrote:Instead of talking about ABP statistic, please be so kind to apologize too for your bad acting related to the ‘affaire’ Adblock Plus vs NoScript. We’ve read mr. Maone’s apology, but we’re still waiting for yours!
As an ABP user, I think I deserve to read you apologizing.
Wladimir Palant wrote:What exactly should I be apologizing for? For the fact that I think that Adblock Plus should work equally on all sites – no matter whether they are owned by Giorgio or not? Sounds like a very strange logic to me. See also http://hackademix.net/2009/05/04/dear-a ... ment-12355
ecjs wrote:According to me, M. Palant hasn’t done anything he should apologize for.
eldаlie wrote:Mr. Palant, I read your post on mr. Maone’s blog a few minutes after you published it. Your reasons are not believable and moreover they demonstrate that you acted in bad faith by forcing EasyList to blacklist all mr. Maone’s website.
This means that YOU are the wrong one, because ABP doesn’t blacklist any website by default, so due to that you have virtually obliged EasyList to add against-maone-websites filters even if the EasyList crew wasn’t totally convinced that it was a “right move”.
So, I ask you again for an apology. You did something wrong (as mr. Maone did too) but nobody has read yet you apologizing for your fault.
Wladimir Palant wrote:Adblock Plus doesn’t block anything by default, correct – that’s what EasyList is for. And I regularly supply EasyList with suggestions on what still needs to be blocked or what is being wrongly blocked – be it because I stumble upon that issue myself (yes, I am an EasyList user) or because it was reported to me by an Adblock Plus user. See http://forums.lanik.us/viewtopic.php?f=62&t=3460 or http://forums.lanik.us/viewtopic.php?f=64&t=3398 for recent examples. In this case it was a user report and I recommended that EasyList fixes the issue rather than waiting for a fix in Adblock Plus. I didn’t “oblige” anybody – otherwise the ads on noscript.net would have been blocked a year ago. So, once again, what exactly did I do wrong? Do you think I should stop reporting EasyList issues? What do you think should I do with user emails that I get then?
eldalie wrote:Okay, I see that you are continuously “turning the omelet upside down”. You’re wrong, you know you are wrong but you’re too arrogant to admit you’re wrong.

I do not want to waste my and your time anymore writing you about this topic.

ABP is a very good piece of software and I’ll keep using it but I have lost the all confidence I had for you.

Adieu monsieur Palant.
Wladimir Palant wrote:The only thing that I’ve done wrong is making the whole affair public in that way. I should have expected that my blog post would be picked up by media – and then it isn’t about warning users any more, all of a sudden it is “extension wars” and similar nonsense. Not to mention that while I think that Giorgio deserved some backlash, what really happened was extreme and just way too much. Unfortunately, I still don’t see how I could have done it better – at least now NoScript won’t do something that its users don’t want any time soon.
Tim wrote:While I don’t agree that you necessarily did anything “wrong”, I think that the method used to raise this issue was not well thought through on your end. You, as the maker of the most popular Firefox extension in the world, have a great deal of influence (whether you were aware or not) on the actions of the ABP users (or at the very least the readers of this blog). The reactions (particularly on addons.mozilla.org) to NoScript have been ridiculous since this all began. Take a moment to read virtually any random 3 “reviews” of NoScript posted for that extension since ~May 1st. Two out of three will go so far as to call NoScript “malware” and a “virus” alongside their obligatory 1 star reviews. This is, to put it bluntly, insanity. Where one could feasibly stretch the outer bounds of the dictionary definition of “malware” to make NoScript versions prior to 1.9.2.5 fit within that category, calling it a virus is absurd. To sit by and watch hundreds upon hundreds of these unfounded reviews pop-up day after day on a.m.o without taking the time to simply call a “cease-fire” from your more ravenous fans, I consider that irresponsible on your end. My biggest worry is that the falsely low rating might prevent people from installing the most important add-on one can add to Firefox. Don’t get me wrong, I use (and have for years) both ABP and NS, and consider BOTH to be of extreme value for all Firefox users. However, the simple fact remains that a default deny security approach (ie – NS) is far more secure to the day to day user than the proactive blacklisting approach of ABP. Where I work (on the network security, monitoring, side) I see at least 3-4 incidents a week that could’ve been prevented had NS’s default 3rd party script blocking been in place on the browser being used. 
The “user hassle” (actively allowing sites) that comes from having NS installed is far more valuable to the users of shared systems (our environment) than any complaints that might be received from them because the “windows wallpaper site that I tried to go to from that email didn’t work right”.

Again, thank you VERY much for all the work you’ve put into ABP over the years, I wouldn’t use Firefox without it. And I would say the same (still) of NoScript. NoScript’s author was certainly in the wrong, and has now apologized to the community at large, and changes are now evidently in the works in the Mozilla community to see that incidents like this don’t (or at least will be much less likely to) happen again, so I simply ask that you request anyone who is going to express their opinion/vitriol about NS on a.m.o do so based only on genuine facts and rational thought… not knee-jerk fan-boy reactionary rantings.

Thank you in advance, and keep up the good work.
Wladimir Palant wrote:See my reply to the comment above – I fully agree with you, this situation is far from perfect. I would have preferred to avoid it as well. Still, what other option did I have?

Note that I didn’t mention “malware” in my blog post – yet that’s exactly the term that came to mind when I found the malicious code in NoScript (I used it in the communication with Giorgio). While “virus” is really far stretched, his 1.9.2 release fits the “malware” definition perfectly since it covertly manipulates user’s configuration in a way the user wouldn’t approve of. And I can fully understand the users who are outraged now.

You really think that anything I say still matters at that point? I can call a “cease-fire” a hundred times – nobody will hear. My blog isn’t that popular, usually only a few hundred people read what I write. And all the news sites out there won’t be interested in amplifying my voice this time – because it isn’t as interesting as “extension wars.” Btw, other than those news sites I don’t consider myself in a war – what actually happened was NoScript going into a war against its own users. I brought their attention to that, they made it clear to Giorgio that they didn’t like it. At that point the whole affair was over for me. What is still happening now is just extremely unfortunate.
IceDogg wrote:Wladimir Palant has absolutely nothing to apologize for!! He did nothing behind anyone’s back, that is for sure, unlike the other side of this did.

But this all belongs http://adblockplus.org/blog/attention-noscript-users not here. So, now I’d like an apology from you. Are you honorable enough? I doubt it!
eldalie wrote:Since mr. Palant has closed the comments @ http://adblockplus.org/blog/attention-noscript-users I wrote my remarks here.

Anyway, as per your request IceDogg, I apologize to YOU (not to mr. Palant. More, I ask him to open again the comment in the blog post http://adblockplus.org/blog/attention-noscript-users).
Wladimir Palant wrote:Sorry, I cannot open the comments again. I don’t like having comments on my blog that I didn’t have a chance to read and to respond to (if necessary) – but my time simply doesn’t allow me to read that many comments. It was more or less fine on the weekend (though my wife got very angry at me) but now I have to work rather than read blog comments.
IceDogg wrote:Eldalie, looks like I owe you an apology then, I didn’t realize the comments there had been closed. But there are other places where they are still open including in the forums. And for suggesting you’re not honorable.. my apologies.

I still say Mr Palant has nothing to apologize for. IMHO
eupator wrote:> But it does make me think what can be done to make sure users
> upgrade sooner in cases like this. What if I change the
> compatibility info for version 1.0.1 on AMO to mark it as not
> compatible with Firefox 3.0.9/3.0.10, will it eventually give users
> some useful notification if they have it installed in Firefox 3.0.9?

Well, that’s exactly what this feature is for, so I guess you should do so.
David Naylor wrote:Just feel I need to give my support to W.P. here.

He has done nothing wrong, other than telling users what was happening behind their backs.

Btw, I very much doubt Giorgio Maone would have sat back and watched while a website worked past his extension!

Giorgio Maone’s method was to go behind the users’ backs, and this is pretty much unheard of in the Mozilla community. Until now.

His apology didn’t appear until the issue was out in the open and he realized how much he stood to lose. I very much doubt that he actually does regret his actions towards the users. If he does, he regrets them for the (hopefully) huge loss of trust, popularity and income he has brought upon himself.
P. wrote:What David said. Thank you.
LorenzoC wrote:The funny thing is I am NOT an Easylist user but I have my own list of rules and I blocked Maone’s ads/scripts LOOONG ago (when I used to visit the site of course, which I am not going to do in the future).

Here the point is “do Firefox users have the right to block any object they want from webpages?”

If the answer is YES, then Maone’s Website is not different than any other. It is pretty ridiculous that he tries to make his own site immune from content blocking.

If the answer is NOT, since I am reading here and there
that ADBlock users are criminals/thieves because they take away ads revenues from site owners, then even NoScript users should be accused for the same reason, since blocking scripts you stop lots of advertising as well.

That said, sorry Wladimir for the OT, maybe all those comments (included mine) should be removed.
Wel Smith wrote:Mr. Palant has nothing to apologize for. It was not him that broke users’ trust. It was not him that sabotaged (or tried to) other people’s extensions.

Mr. Palant did the right thing. If it wasn’t for him perhaps nobody would have known of this.

NoScript, a, supposedly, security extension, breaking users’ security and settings on purpose. No thank you!

Eldalie is trying very hard to change people’s perception of what really happened. Why is that?
Giuliano wrote:>Here the point is “do Firefox users have the right to block any
>object they want from webpages?”

@LorenzoC: the answer is YES, of course. But it should be a free choice of the users.
So, as Maone didn’t get the right to “hack” ABP through NoScript, EasyList didn’t get the right to filter his whole sites just to block some ads too. It was not possible even to download Maone’s extensions. I agree with eldalie when he/she says that this is because Palant requested to the EasyList staff to block those ads in any known way. There are proofs of that “request”.
So, IMHO, I feel that both, Palant and Maone, have their part of guiltiness.
I do not care to read Palant apologizing but I want to clearly state that he is in fault too.
In this moment, believe me, not Maone nor Palant are “so loved” by the Mozilla people because it is clear to everybody that the fault is sat on both their chairs…
Wladimir Palant wrote:“because Palant requested to the EasyList staff to block those ads in any known way” – where did that idea come from? I just asked to block these ads, period. I didn’t give any specific instructions, I trust EasyList maintainer to come up with a solution on his own.

Note that other than Giorgio implies the “block everything” filters worked correctly and blocked only the ads (because his sites use neither scripts nor frames other than for ads). The problem was with an element hiding rule – which was meant to hide text ads but turned out to hide the download link as well. False positives like this one happen, and it was fixed as soon as Ares2 became aware of it.
Old Pultney wrote:“EasyList didn’t get the right to filter his whole sites just to block some ads too.”

sighs wearily Yes it did have the right to block Maone’s sites because that’s what it is supposed to do. The clue is in the name: Ad-Block. To block Ads. Do you get it? I want AdBlockPlus to block all ads. That’s why I installed it. Messing with my computer without my permission is illegal. Thus, Wladimir/Ares2 = saints; Maone = sinner.
Sean Xavier wrote:I believe that your objectivity and neutrality ends at creating the addon without any built-in filters. By supporting, promoting and contributing to the EasyList, you are crossing the boundary of neutrality and are responsible for anything the list does wrong. So simply, unless you stop and forever refrain from interference with the EasyList, in any way, you are using the list as a scapegoat for bad acts that you can easily blame on the list and not yourself. This is piss poor and shameful behavior to hide behind something that is YOUR tool and yet say I have nothing to do with it. Who is being deceptive now?
Wladimir Palant wrote:While I do not determine the direction in which EasyList goes (that’s my approach to neutrality, EasyList maintainer has full control over the list and rejected my suggestions on more than one occasion before), I stressed on several occasions that Ares2 hasn’t done anything wrong here. He was blocking ads, that’s what he is supposed to do. The false positive was unfortunate but I see how it happened – it was a mistake that was easy to make. And it was fixed immediately as soon as Ares2 became aware of it.
JFW wrote:p.s.: I agree with post 17, by promoting EasyList, contributing to it, and specifically pointing out the NS site to Ares2 for your own reasons (not fixing the bug), you became a party in the little “code war” between Giorgio and Ares2 that resulted. Ares2 should apologise for the excessive filtering, but you were the one pushing Ares2 into action by requesting filtering instead of fixing the bug so a word from you wouldn’t go amiss either.
LorenzoC

Post by LorenzoC »

@Giuliano: I do not understand why there is all this hypocrisy around the topic. Maone wants as much people as possible to load the ads from his pages (which BTW aren't only on NoScript main site). That is because he gets money from that. It is THE SAME for any Web sites with ads.

Now I use ADBlock to block those ads. I do not use Easylist, yet I block Maone's ads the same.

Maone is not the first who tries to make it difficult to filter ads. The reason why Easylist went so hard with Maone was he made all his best to make it difficult to filter ads from his pages, like many others do.

The only news here are Maone, other than make it difficult on his site(s), can also "hack" ADBlock via his NoScript extension. And so he did. It does not matter what extension NoScript is, besides the fact that it should be about "security" adds LOTS of irony. If Maone made an extension for having forecast on your Firefox it would have been the same.

The clash here is not between two extensions, because NoScript and ADBlock are more or less in the same class (content filtering). The contradiction is that NoScript wants to generate revenues with ads and doing that it collides with ADBlock and ALSO WITH ITSELF, in fact Maone needs to whitelist his own sites in NoScript, as well as in ADBlock.

I do not need apologies since everybody followed the logic of their "commitment".
People who make a filter list will always try to block ads from ANY site, included Maone's sites. In case somebody want to unblock Maone's sites because he is a nice guy, there is always the option of create exceptions to the blocking list.
People like Maone who want to get revenues from ads will always try to fight against content filtering. In this case the only additional problem is the schizophrenic situation where Maone builds a tool for content filtering and in the same time he does fight against it.
Giuliano

Post by Giuliano »

LorenzoC: The only thing that comes up from your argumentation (here, on your blog, and everywhere you've written about this matter) is that you do not like Maone at all. You do not like him now, and you didn't like him in the past.
Can you accept with no problem that somebody may make a whole website unreachable just because of a few ads?
Yes you do!
What about if the same thing were done against YOUR OWN site?

You're not a coherent person, you talk just prompted by your personal dislike for Maone.

I end here. I won't waste my time anymore writing about this topic.
Wladimir Palant

Post by Wladimir Palant »

Giuliano wrote:Can you accept with no problem that somebody may make a whole website unreachable just because of a few ads?
I already replied to that:
Note that other than Giorgio implies the “block everything” filters worked correctly and blocked only the ads (because his sites use neither scripts nor frames other than for ads). The problem was with an element hiding rule – which was meant to hide text ads but turned out to hide the download link as well. False positives like this one happen, and it was fixed as soon as Ares2 became aware of it.
Nobody made the "whole website unreachable". Blocking ads is what EasyList does for a living. And it doesn't make an exception for Giorgio just because he is a nice guy (yes, he really is - but you would be the first one to blame both EasyList and Adblock Plus if you noticed exceptions for individual websites).
LorenzoC

Post by LorenzoC »

And why should I like Maone?
Because he provides a "security" adware extension that does not add much security while annoying me or because he used that "security" extension to "hack" my Firefox?

Currently I've got some Web sites and NONE force you to see ads, neither those ads are loaded trying to make it difficult to block them like Maone's.

In case one day I see my sites blocked by Easylist I would ask the list maintainer to correct the problem.

My blog was shut down by Google as "spammer" for some weeks some time ago, due to a false positive generated by their robots.
I did not hack Google's servers in retaliation, because, you know, even if I was able to do that, probably I would be jailed.
Giuliano

Post by Giuliano »

Wladimir Palant wrote: Nobody made the "whole website unreachable". Blocking ads is what EasyList does for a living.
I answer you with Giorgio's words:
Giorgio Maone wrote:About 2 weeks ago Wladimir decided this had been going on long enough: the Google boxes supporting NoScript had to be shut down for good. So, rather than fixing his Adblock Plus bug, he asked Ares2 (the new Easylist maintainer, after Rick752 passed away) to nuke them by specifically targeting NoScript sites. When I noticed this, I thought it was Ares2’s own initiative (new person, new mentality), but Wladimir finally clarified this point in his Friday’s post:
I suggested that EasyList should be extended by a filter to block ads specifically on NoScript’s domains. This finally happened two weeks ago.
All this time I couldn’t imagine that he had been behind Ares2 from the start, otherwise I would have just asked Wladimir why he was sniping my sites, rather than coding a more reliable Adblock Plus version. Instead I began tracking EasyList changes and counterreacting. Of course Ares2 didn’t stop, nor I did, so we engaged in an escalation through more than 30 EasyList updates (even 4-5 per day) specifically aimed at my sites, with filters like these (yes, stacked all together):

    /flashgot.net/*$script,subdocument,xmlhttprequest
    /hackademix.net/*$script
    /noscript.net/*$script,subdocument,xmlhttprequest
    /oss.informaction.com/*
    informaction.com/*$script,subdocument,xmlhttprequest,domain=flashgot.net|noscript.net|software.informaction.com
    flashgot.net#*(href*=informaction)(href*=com)(href*=%62)
    flashgot.net#*(href*=informaction)(href*=com)(href*=flashgot)
    flashgot.net#*(href*=oss)(href*=informaction)(href*=com)
    flashgot.net#ul(class=tla)
    noscript.net#*(href*=informaction)(href*=com)(href*=%62)
    noscript.net#*(href*=informaction)(href*=com)(href*=noscript)
    noscript.net#*(href*=oss)(href*=informaction)(href*=com) 
If you’ve got some familiarity with Adblock Plus filters, you’ll notice any standard web technology beyond basic HTML/CSS (scripting, frames, AJAX) was completely disabled.
They got to the point where users could no longer even see the regular links to install NoScript or FlashGot.
Do you assert that he's lying?

Anyway, I repeat, I end, I am tired of trying to get the truth coming on the surface of the mirror.
Wladimir Palant

Post by Wladimir Palant »

Giuliano wrote:Do you assert that he's lying?
No, he isn't lying. He is withholding some of the truth however - namely that his sites do not use scripting, frames, AJAX for anything other than ads. The links he talks about don't need any of this. But they are very similar to the ad links he is using all over his site - which is where the mistake came from. As I said, he is implying that Ares2 intentionally rendered his site unusable - this was definitely not the case however.
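
Added example (not code from the thread, Adblock Plus or EasyList): a small JavaScript model of the subset of the legacy filter syntax quoted above, showing how type options limit what a blocking rule blocks and how a substring-based element hiding rule can also match a link it was not written for. The sample links, URLs and function names are constructed; the thread does not say which rule or which link was involved in the actual false positive.

```javascript
// Added example. Models only the subset of the legacy Adblock Plus filter
// syntax visible in the quoted list; sample links and URLs are constructed.
const FILTERS = [
  "/noscript.net/*$script,subdocument,xmlhttprequest",
  "/oss.informaction.com/*",
  "informaction.com/*$script,subdocument,xmlhttprequest,domain=flashgot.net|noscript.net|software.informaction.com",
  "noscript.net#*(href*=oss)(href*=informaction)(href*=com)",
  "flashgot.net#ul(class=tla)",
];

// Constructed links on a page (hypothetical hrefs, not the sites' real markup).
const SAMPLE_LINKS = [
  { label: "text ad", tag: "a", attrs: { href: "http://oss.informaction.com/ads/click?id=1" } },
  { label: "download link", tag: "a", attrs: { href: "https://oss.informaction.com/download/extension.xpi" } },
  { label: "external link", tag: "a", attrs: { href: "https://addons.mozilla.org/" } },
];
const REQUEST_TYPES = ["script", "subdocument", "xmlhttprequest", "image", "stylesheet"];

// True when the rule has no domain restriction or the page host falls under one.
const onDomain = (host, domains) =>
  domains.length === 0 || domains.some(d => host === d || host.endsWith("." + d));

// Turn a wildcard pattern into a RegExp: escape metacharacters, then map * to .*
const toRegex = pattern =>
  new RegExp(pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*"));

function parseFilter(line) {
  const text = line.trim();
  // Element hiding rule: domains#tag(attr OP value)... where OP is =, *=, ^= or $=
  const hide = /^([^#]*)#([\w*]+)((?:\([^)]+\))+)$/.exec(text);
  if (hide) {
    const conds = [...hide[3].matchAll(/\(([\w-]+)([*^$]?)=([^)]*)\)/g)]
      .map(m => ({ attr: m[1], op: m[2], value: m[3] }));
    return { kind: "hide", text, domains: hide[1] ? hide[1].split(",") : [], tag: hide[2], conds };
  }
  // Blocking rule: pattern[$type,type,...,domain=a|b]; no types means all types.
  const [pattern, optText = ""] = text.split("$");
  const opts = optText.split(",").filter(Boolean);
  const domainOpt = opts.find(o => o.startsWith("domain="));
  return {
    kind: "block", text, regex: toRegex(pattern),
    types: opts.filter(o => !o.startsWith("domain=")),
    domains: domainOpt ? domainOpt.slice("domain=".length).split("|") : [],
  };
}

// Does an element hiding rule apply to element el on a page served from pageHost?
function hides(f, pageHost, el) {
  if (f.kind !== "hide" || !onDomain(pageHost, f.domains)) return false;
  if (f.tag !== "*" && f.tag !== el.tag) return false;
  return f.conds.every(({ attr, op, value }) => {
    const actual = el.attrs[attr];
    if (actual === undefined) return false;
    if (op === "*") return actual.includes(value);   // substring match
    if (op === "^") return actual.startsWith(value);
    if (op === "$") return actual.endsWith(value);
    return actual === value;                          // plain "=" is exact
  });
}

// Does a blocking rule stop a request of the given type made by a page on pageHost?
function blocks(f, url, type, pageHost) {
  return f.kind === "block" && onDomain(pageHost, f.domains) &&
    (f.types.length === 0 || f.types.includes(type)) && f.regex.test(url);
}

const RULES = FILTERS.map(parseFilter);

// Labels of sample links hidden on a page served from pageHost.
function hiddenLabels(pageHost) {
  return SAMPLE_LINKS.filter(el => RULES.some(f => hides(f, pageHost, el))).map(el => el.label);
}

// Request types that would be blocked for url when loaded by a page on pageHost.
function blockedTypes(url, pageHost) {
  return REQUEST_TYPES.filter(t => RULES.some(f => blocks(f, url, t, pageHost)));
}

console.log(hiddenLabels("noscript.net"));
console.log(blockedTypes("http://noscript.net/banner.js", "noscript.net"));
```

Running a candidate rule against a set of known-good links in this way is one method of catching an overbroad `*=` rule before it is published.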
LorenzoC

Post by LorenzoC »

And he uses scripting, frames, AJAX etc only to make it difficult to block the said ads, because otherwise everybody knows how Adsense is usually loaded in Web pages.

All the said "escalation" between Maone and Ares2 has no other reason than Maone's will to bypass ADBlock and display his ads anyway.
tlu

Post by tlu »

Wladimir Palant wrote:Answer to your second question is - quite a few (maybe 10%). However, so far this affects exclusively users who are running an outdated Firefox version, and in this case NoScript will very often not help at all.
Well, this trick still works under FF 3.0.10 if JS is enabled. An example why Noscript is not worthless even for updated versions of FF.
Wladimir Palant

Post by Wladimir Palant »

tlu, NoScript doesn't help with this trick - you don't need JavaScript to use it. RSnake published an HTML-/CSS-only example a while ago: http://ha.ckers.org/blog/20070228/steal ... avascript/. There is a layout.css.visited_links_enabled pref in Firefox 3.5 which you might want to use - but I am pretty sure it will not be enabled by default. Private browsing mode in Firefox 3.5 also has the same effect. In the end however, this issue is pretty hard to fix without breaking more functionality than is worth breaking for it.

But we are talking about a privacy issue here, this is not an exploit. An "exploit" in my understanding is something that allows an attacker to execute code on your computer without user's help or similar - a security issue with "High" or "Critical" rating.
Wladimir Palant

Post by Wladimir Palant »

Wladimir Palant wrote:You really think that anything I say still matters at that point? I can call a “cease-fire” a hundred times – nobody will hear. My blog isn’t that popular, usually only a few hundred people read what I write. And all the news sites out there won’t be interested in amplifying my voice this time – because it isn’t as interesting as “extension wars.”
Anyway, looking at my site stats it seems that everything is almost back to normal again, that's a good thing.
HeffeD

Post by HeffeD »

Wow, I'm a bit late to the party because I stopped using NoScript in favor of blocking third party scripts with AdBlock Plus.

I have to say that this whole thing just made my jaw drop when reading about what was going on. All I can say is that I'm glad I had already un-installed NoScript! If I hadn't, I very definitely would have after this went down. No matter how much someone would apologize for doing what Giorgio did, I just wouldn't be able to trust them. What is the phrase? "Fool me once, shame on you. Fool me twice, shame on me..."

I'm also still disgusted by the fact that he's still playing the victim due to a "virulent attack" from Ares2 on his sites. How is blocking his ads that he is already using workarounds to get them to display a "virulent attack"?? And he complains about destroying functionality, even going so far as to say,
"there's no point in asking them why, it's "because ads are inherently bad and we don't care if we ban every web technology from your sites in order to block them"."
Ummm... Isn't that exactly what your extension does Giorgio? I'm pretty sure the concept behind NoScript is that you feel Javascript and Flash is inherently bad, so you'll block that for us... Which of course is banning the very same web technology from every site your users browse! And no, your ban isn't something as simple as a false positive block due to more stringent filters instituted due to the lengths you were going to to ensure your ads were seen, your ban is a flat across the board honest to goodness block. No questions asked...

I'm convinced Giorgio is an unstable mind. Nothing he has his finger in will ever have a home on my machine.

Keep up the good work Wladimir and Ares2!