Friday, May 1, 2009

Why not to trust Firefox

I typed the name of this article very grudgingly, but a point must be made. Over the past week, the second-rated security extension for Firefox, NoScript, went behind its trusting users' backs and slipped malware into the code. They were quickly caught, of course, because like Firefox itself, the extensions are open source. More to the point, the .xpi files are really fancily-named .zip files and can be unpacked very easily, their code laid out plainly before anyone with the wit to understand what it does. Of course most of us don't, so we just trust our security software to keep us safe online.
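Since an .xpi is just a zip archive, the inspection the paragraph above alludes to can be mechanised: unpack two releases of an extension and report which files were added, removed or changed, so a surprise change to a packaged script stands out. This is an added example, not code from the original post or from any extension; the two archives are constructed in memory with made-up contents.

```python
"""Diff two Firefox .xpi archives (plain zip files) to spot changed or added files."""
import hashlib
import io
import zipfile


def xpi_digests(xpi_bytes: bytes) -> dict:
    """Map each file inside the .xpi to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def diff_xpi(old_xpi: bytes, new_xpi: bytes) -> dict:
    """Return the members added, removed or modified between two .xpi releases."""
    old, new = xpi_digests(old_xpi), xpi_digests(new_xpi)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def build_xpi(members: dict) -> bytes:
    """Construct a small in-memory .xpi (zip) from {path: content} for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in members.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample releases (not real extension files): the newer one changes
# install.rdf and gains a script that the changelog never mentioned.
OLD_RELEASE = build_xpi({
    "install.rdf": "<RDF>version 1.0</RDF>",
    "chrome/content/main.js": "function allowScript(site) { return isTrusted(site); }",
})
NEW_RELEASE = build_xpi({
    "install.rdf": "<RDF>version 1.1</RDF>",
    "chrome/content/main.js": "function allowScript(site) { return isTrusted(site); }",
    "chrome/content/extra.js": "// newly added file with no changelog entry",
})

if __name__ == "__main__":
    for kind, paths in diff_xpi(OLD_RELEASE, NEW_RELEASE).items():
        print(f"{kind}: {paths}")
```

Pointing the same functions at the bytes of two real .xpi downloads gives a file-level audit; anything in "added" or "modified" is what to read before installing the update.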

NoScript is an interesting extension. As its name implies, it blocks scripts that can potentially harm your computer online. Scripts are used legitimately 99% of the time, so for sites that use them, you'll have to tell NoScript they're fine. Presumably, after a couple of weeks of surfing, you should have your NoScript trained. Then, when you happen upon a site you don't know (in other words, you're surfing for porn or warez) and it tries to run a script to take over your computer, NoScript stops it and makes it ask permission. Since you don't trust the site, you say no and it does nothing.

The #1 security extension is AdBlock Plus, which does that and blocks the regular ads, too. Before a week or so ago, they could be used together for extra protection. The authors of NoScript wish people wouldn't use AdBlock Plus at all, however, because their site is allegedly loaded with ads. Ads that make NoScript's developers money and fund development. And recently, the NoScript team has been pushing out updates left and right, sometimes unnecessarily, because when you update NoScript and restart Firefox, it loads up their page to remind you that you're protected. And as a coincidence you get to see all their ads, and they make more money.

Unless you're using AdBlock Plus, that is, in which case you see no ads, and since they never tried to justify the updates, you're probably just wasting your time and their bandwidth.

That was true until recently, when a new version of NoScript sabotaged AdBlock Plus by inserting a filter into ABP which allowed the ads on NoScript's site. (This is nothing new: the most popular filter for regular AdBlock back in the day was Pierceive's site, and he sold whitelisting to Yahoo!, which meant AdBlock/Pierceive users saw ads on Yahoo!.) Well, a lot of people threw a fit.

There's another, much lesser-known Firefox extension called GameFOX. If you've ever been to the GameFAQs forum, you know that besides it being a cesspool for everything that's wrong with the Internet, it's pretty ghetto by forum standards. Founder Jeff Veasey (username CJayC) famously coded it himself. It's not Invision, it's not vBulletin, it's not a paid forum package which is routinely updated; it's a hackjob which Veasey maintained and which is now maintained under the guidance of his successor, SBAllen (I forget his real name). Though SBAllen is much more liberal, where CJayC was fairly conservative, it's still short on updates. Features users of other forums take for granted are unavailable, while, ironically, practices banned on most other boards are allowed. GameFAQs is one large contradiction. Anyhow, this extension basically modernizes it through scripting, and GameFAQs has been waging a cold war against its authors for a couple of years now (basically, since it got popular). Among stunts which are too mind-numbingly stupid to name, they say in their Terms of Use that "third party modifications" or some such bull might "steal your account info". Trouble is, they're quite right. GameFOX could very well be programmed to do just that. And GameFAQs has reason to fear, because their little secret society, "Life, The Universe, and Everything" (rumored to have all sorts of illegal stuff, but also alleged to just be something people can say they're a part of for the sake of it) might be compromised: if a user with LUE access (or, presumably, worse, a moderator) were to have their account compromised, immeasurable havoc could be wreaked across the site.

And that's the thing about open source. It lowers the bar for new programmers. Before open source got big (thanks Firefox!), aspiring programmers had to write their own code and learn from examples which were just that - worthless examples that did a whole lot of nothing. "Hello world", for example. Now anyone can peek at the source and study it, and learn like that. A malicious user can take an open source program of some repute, alter it slightly, and offer this altered version. (Though, to guard against this, Mozilla trademarked the Firefox name: an altered Firefox must be called something else. Iceweasel is a famous example of this, and Mozilla Firefox, Portable Edition by PortableApps.com is a famous exception.)

...Or at least that's what Microsoft and others would like you to believe. Internet Explorer 8 is newly released, and to some pretty generous fanfare. Internet Explorer is a professionally designed software application whose source code is not open to review, let alone malicious tampering. It's also no big secret that Microsoft has a cozy relationship with advertisers. For $30 you can buy a pass which will block some ads in Internet Explorer, but won't block all of them - I suppose some pay a premium to keep their ads from being blocked. And therein lies the problem with NoScript. They just decided to override the end users' choice and force their ads through in a quick grab for cash. But where Microsoft succeeds, apparently, NoScript failed. Hard.

Update, 4 May 2009: It would seem that NoScript couldn't take the heat, and has not only released a new version of NoScript which does not attack AdBlock Plus, but one which also removes the malicious whitelist if you had one of the versions of NoScript in question. I'll proudly point out that I never said NoScript was a bad extension, only that it didn't do anything for me. I hope the authors have learned their lesson and have found a more honest way to make money for their hard work, and that if their apology is genuine, those who previously found their extension useful will do so once again.