Saturday, 2 May 2009

Open Source NoScript turns into Malware

Open Source has long had the reputation of being the absolute best in terms of software, specifically because the developers did it for the love of doing it, and gave it away as source code and, in some cases, as compiled binaries too.

Sadly, recent events have shown this trend is changing. Developers are (and perhaps rightly?) wanting to be recompensed for the programs they are developing, but sadly, are going about it in completely the wrong fashion.

First we had the excellent PDFCreator force-installing crapware, irrespective of whether or not you asked it not to install the toolbar (I witnessed this myself and have since ditched it for an older version that didn't come with the crap), and now we've got the extremely popular NoScript developers going one step further.

Not only are NoScript apparently bundling the Ask crapware (* See update), according to the following comment on the AdBlockPlus blog:

22. Dorothy · 2009-05-02 00:12 · #

NoScript updated on my computer today, and while I understand (in part) the changelog webpage and the ads, I’m pissed; for today when it updated I had to opt out of getting a toolbar. This trend of bundling toolbars has got to stop.
It’s dirty. It makes me wonder what else they’re bundling into it. If I want a toolbar I know where to find it.

Is there another tool that blocks all scripts until I allow them?

I've not got Firefox, and my test machine is down until I can replace the HDD, so I've asked the ladies and gents at Calendar of Updates to verify this for me.

However, this isn't the most disgusting part - it gets worse. NoScript's developers aren't satisfied that users are blocking adverts on their site, so not only are they displaying the changelog, filled with adverts, every time it updates - they are meddling with AdBlockPlus to forcibly prevent it from disabling the adverts on its website.

What followed was a small war — the website would add various tricks to prevent Adblock Plus with EasyList from blocking ads, EasyList kept adjusting filters. Then, a week ago a new NoScript version was released. A few days later I noticed first bug reports — apparently, Adblock Plus “glitches” were observed with this NoScript version, especially around NoScript’s domains (but not only those). When I investigated this issue I couldn’t believe my eyes. NoScript was extended by a piece of obfuscated (!) code to specifically target Adblock Plus and disable parts of its functionality. The issues caused by this manipulation were declared as “compatibility issues” in the NoScript forum, even now I still didn’t see any official admission of crippling Adblock Plus. Clearly, NoScript is moving from the gray area of adware into dark black area of scareware, making money at user’s expense at any cost.

Confronted with the facts and with the AMO policy NoScript author agreed to revert the changes. However, he put a different “solution” in place — the new NoScript version released yesterday adds a “filter subscription” to Adblock Plus meant to whitelist NoScript’s domains. A note about this “feature” has been added to extension description on AMO (I insisted), not without misrepresenting the cause of course. Supposedly, this is because of a “targeted attack from EasyList which broke functionality.” Which fails to mention that EasyList was just doing what it was created for (block ads) and the broken functionality is the result of attempts to avoid ads from being blocked (originally the filters didn’t break anything). So the real reason is not broken functionality, it is the ads on these sites.

The behaviour displayed by the NoScript developers is abhorrent, especially given the lambasting people dole out when told that Open Source isn't immune from the problems of their closed source counterparts. Hopefully Mozilla, as recommended in the AdBlockPlus blog, will remove NoScript from their website, and people using it will ditch it (though I doubt it) as developers/companies that employ this kind of behaviour need to be taught that we, the users, won't stand for it and will stop using their products if they do this.

The following also makes for interesting reading.

Update 03-05-2009

I'm happy to report that several people have checked the report of the inclusion of the Ask toolbar for me, and none have found this to be the case, so at this point, we're unsure where Dorothy's finding comes from.

N said...

Thanks for your work on making the web safer.
I do think that this particular issue needs more than a "not confirmed" update.
In particular, the smear about NS manipulating its own application to trap extra income has been answered very precisely by the developer in their own blog

Disclaimer: I use NS, and support it for its ground-breaking pre-emptive approach to web security.

Nan M