Comments on: Extensions at War http://www.gnucitizen.org/blog/extensions-at-war/ Information Security Think Tank Sat, 02 Feb 2013 17:50:40 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: rwizard http://www.gnucitizen.org/blog/extensions-at-war/comment-page-1/#comment-127779 rwizard Thu, 20 Aug 2009 15:41:11 +0000 https://www.gnucitizen.org/?p=3171#comment-127779 One would like to believe that Giorgio learned his lesson. But I notice that we are slowly but surely creeping back toward his "new nano-update every five minutes" behavior. A behavior many believe was intended to drive ad revenue. And I found his apology to sound more like "I am sorry everyone is mad at me, but I really was provoked by the other guy" than "I was wrong, and there can be no justification for what I did". So, while there isn't a comparable alternative, and we are stuck with NoScript for now, I really hope that someone will come along and give us another option. I think the only things Giorgio learned is that we can't really do without NoScript, and as long as he is just a little more careful, he can probably get away with a lot. One would like to believe that Giorgio learned his lesson. But I notice that we are slowly but surely creeping back toward his “new nano-update every five minutes” behavior. A behavior many believe was intended to drive ad revenue. And I found his apology to sound more like “I am sorry everyone is mad at me, but I really was provoked by the other guy” than “I was wrong, and there can be no justification for what I did”. So, while there isn’t a comparable alternative, and we are stuck with NoScript for now, I really hope that someone will come along and give us another option. I think the only things Giorgio learned is that we can’t really do without NoScript, and as long as he is just a little more careful, he can probably get away with a lot.

]]> By: pdp http://www.gnucitizen.org/blog/extensions-at-war/comment-page-1/#comment-126808 pdp Sun, 03 May 2009 13:27:54 +0000 https://www.gnucitizen.org/?p=3171#comment-126808 I agree. Also, it is quite fascinating the way the whole situation spanned out. We live in very interesting times :) I agree. Also, it is quite fascinating the way the whole situation spanned out. We live in very interesting times :)

]]> By: mindcorrosive http://www.gnucitizen.org/blog/extensions-at-war/comment-page-1/#comment-126805 mindcorrosive Sun, 03 May 2009 11:39:58 +0000 https://www.gnucitizen.org/?p=3171#comment-126805 True, Giorgio managed to piss both users and devs with this ill-thought attempt to fund the NoScript development. However, the offending whitelist filters and obfuscation have been removed completely from NoScript as of version 1.9.2.6, together with appologies from Giorgio. I seriously doubt that the NoScript team had any harmful intent with pushing the filters to the users, but the way they present it to the users was less than ideal. In fact, I would gladly accept the whitelist filters if I am informed *in advance* what are they doing, together with an option not to install them. As for sneaking malicious code, it's a danger on virtually any platform that allows outside outside addons/plugins. I'm not sure how Mozilla deals with the situation, but AFAIK the extensions undergo testing and control before their acceptance in the official addon repository. But it's virtually impossible to test every version of every addon for malicious activity. It's just a matter of trust, the same trust that one gives to their FOSS provider, distribution vendor, or ISP. There's always a possibility that someone will go rogue, with so many people on the chain. But at some point you need to trust someone to get things done. Otherwise, the alternative is a closed and isolated platform -- and that's not going to work (just look how much flak Apple accumulates on rejecting third-party iPhone apps). True, Giorgio managed to piss both users and devs with this ill-thought attempt to fund the NoScript development. However, the offending whitelist filters and obfuscation have been removed completely from NoScript as of version 1.9.2.6, together with appologies from Giorgio.

I seriously doubt that the NoScript team had any harmful intent with pushing the filters to the users, but the way they present it to the users was less than ideal. In fact, I would gladly accept the whitelist filters if I am informed *in advance* what are they doing, together with an option not to install them.

As for sneaking malicious code, it’s a danger on virtually any platform that allows outside outside addons/plugins. I’m not sure how Mozilla deals with the situation, but AFAIK the extensions undergo testing and control before their acceptance in the official addon repository. But it’s virtually impossible to test every version of every addon for malicious activity. It’s just a matter of trust, the same trust that one gives to their FOSS provider, distribution vendor, or ISP. There’s always a possibility that someone will go rogue, with so many people on the chain. But at some point you need to trust someone to get things done.

Otherwise, the alternative is a closed and isolated platform — and that’s not going to work (just look how much flak Apple accumulates on rejecting third-party iPhone apps).

]]>