Open jspenguin2017 opened 4 years ago
@gorhill
the bulk of what they will be monetizing is thousands of hours of works invested by volunteers
That is not wrong. But I do not see a problem with that if the new developer(s) make meaningful contributions themselves. The goal of the GPL license that you chose when you started uBO is so that people can share and build on each other's work, is it not?
I do not see a problem with that if the new developer(s) make meaningful contributions themselves
You have actual, credible examples of monetized content blockers based on and contributing back to a non-monetized upstream repo? I don't believe you believe your own statement about (still unknown) developers -- with no track record of contributing to anything -- contributing back, it's just a necessary rationalization once you accepted the deal. I too was offered deals, and a specific one suggested how it could be "framed" to rationalize the deal to the outside world. It's what they do to convince you to go through the deal.
AdBlocker Ultimate?
https://github.com/adblockultimate/AdBlocker-Ultimate-for-Firefox
https://github.com/adblockultimate/AdBlocker-Ultimate-for-Chrome
That has a paid app for Windows: https://adblockultimate.net/windows
And a browser with payment for Android: https://play.google.com/store/apps/details?id=s.sdownload.adblockerultimatebrowser
Only that it may be a mistake that AdGuard once had an open source code for extension/app - now both is hidden from world so possible see version after unzip crx / xpi and with reverse engineering only app for Windows/macOS/iOS.
AdBlocker Ultimate?
Owner of AdBlocker Ultimate app is contributing code to its own Adblock Ultimate extension -- how is this even a valid example when both ends are the same owner? Adblock Ultimate is the worst example you could find because it proves my point, it's based on AdGuard's code (see https://twitter.com/gorhill/status/1165747661691064322) and it's just a pretend repo.
Owner of AdBlocker Ultimate app is contributing code to its own Adblock Ultimate extension
"Contributing" as in "syncing with the latest AdGuard code".
Only that it may be a mistake that AdGuard once had an open source code for extension/app - now both is hidden from world
Ehm? Extensions and iOS version were never hidden and are on GH as well as a lot of other software we make.
@gorhill
contributing back to a non-monetized upstream
By contributions, I meant contributions in the broader sense. From my past experience, I know that you are very strict about what code goes into uBO. So I agree that it would not be reasonable to expect the new developer(s) to "contribute back" with you being the gatekeeper. To be clear, I am not saying whether being strict is good or bad, I am simply stating what I have observed over the years. Anyway, I consider developing new features, creating new filter lists, triaging and resolving issues and bugs, among other things to be contributions.
Considering only a dozen people voiced their concerns here, so far it looked like I made the right decision.
@jspenguin2017 Honestly, after reading this and later comments about your receiving financial compensation for the project and the implied intent for the new party to monetize, I have lost pretty much all respect for you and the project. While @okiehsch may not raise much criticism for wanting to sell out, I will.
As the (then) owner and maintainer of an extension with such extensive permissions, you have an obligation to protect the privacy and security of users. Why should existing users be subject to monetization practices that compromise their privacy and security because you wanted to sell the project and make money off of it? You lose all integrity by doing this. If anything happens to end-users because of your sale of the project, that can almost certainly be traced back to you as putting users in harm's way, to begin with. I don't want to be so dramatic as to say that you have "blood on your hands" for this, but I see this as an irreparable violation of trust.
Selling the efforts of volunteers in the upstream project (uBlock Origin) is also ridiculous. This kind of practice is toxic to the open-source ecosystem. It discourages users to contribute because their good-faith contributions are then monetized. Downstream monetized projects rarely contribute in an effective way to make up for this, at least in this context.
I absolutely agree with @Techman, even if you make your own contributions, I simply cannot see how it's okay to sell off something that isn't 100% your own work. Maybe if some people helped you bug test your own application or they contributed a few small fixes, but in this case, Nano is a relatively minor modification to uBlock. uBlock is what's been supplying Nano with the majority of its code for years now.
I found it especially funny though when you stated that "Nano is not a 'security and privacy' extension. It is an adblocker." If you haven't noticed, Nano is based on uBlock, but uBlock clearly states that it is "not an ad blocker", and that "uBlock Origin's main goal is to help users neutralize such privacy-invading apparatus", taken from the uBlock Origin Readme. So I guess Nano is indeed a "security and privacy" extension.
@PseudoResonance
So I guess Nano is indeed a "security and privacy" extension
It is baffling that some people try to tell me what my projects are.
Either way, I think I have provided enough information about the what and the why of recent changes. I have other things to work on so I might not keep monitoring this thread, but please feel free to continue the discussion below.
I would like to know whether the "Turkish developers" will take over the Firefox port as well or just the Chrome(ium)/Edge part.
After viewing many posts about monetization, I have decided not to port for the "new developers" anymore, for the following reasons:
I am sorry for not keeping myself neutral anymore. I am not 100% against monetizing a project, but it is too dangerous for a product converted from non-monetized without proper notice (users not on GitHub never know about the change of ownership), especially the functionality of the quick issue reporter. I cannot find whether control of the quick issue reporter and Nano Filters was also passed, but it will be horrible if the issue you report is read by an unexpected person, or the filter you are using suddenly whitelists "acceptable ads". You may also argue that a non-monetized project can still perform this evil thing, but it is much less likely when compared to a monetized scenario in which profits override users. It is more suspicious when the "new developers" keep themselves stealth to monetize a project with a voluntary phone-home capability [1]. Who knows what their purposes are?
I think things are already out of the former developer's control. Things are irreversible anyway; he can neither force the new developers to reveal themselves nor undo the acquisition. Whether his decision was right or not, his past efforts and contributions should not be annihilated. Thanks for making that great extension in the past and guiding me on how to manage an addon project. I might not have joined GitHub and become a maintainer if this project had never existed.
[1] It is voluntary, as no information will be sent until the user clicks the send button.
Update: Their Chrome Store privacy policy is here, but still no word from them. I overlooked it before posting this comment. This means they are active but purposefully keep themselves stealth.
Looks like they registered a new domain and smashed together a generic privacy policy with a template.
The new Privacy Policy: https://sites.google.com/view/nano-dev
But old - read all https://github.com/NanoAdblocker/NanoCore/issues/362#issuecomment-707445124 still based on stock template and not correctly edited.
https://dev-nano.com (same as from "e-mail") have counter to 17 november 2020:
So this project will continue after other devs take it? I don't care about privacy, I only want websites that don't harm my adblocker. I use two browsers one for work one for entertainment so I don't have a problem with privacy. I hope they won't drop this project.
@Salin1810 Personally, I think I will most likely switch to uBlock Origin. Without knowing what these new devs are doing, they may mess with the filters and let companies pay them to allow their ads or something. Even if you don't care about the possible privacy issues, I don't see how else these new developers plan to make their money back. Unless they're just genuinely really excited about working on this project, but it sure doesn't seem that way at the moment.
But ultimately, that's up to you I guess. You would lose Nano Defender, if you're also using that. I'm not sure how much of a difference it makes, but I'm assuming it does help, so not having it anymore could be disappointing and frustrating.
And @jspenguin2017, I apologize for being rude to you. I will not hide that I am extremely frustrated with your decision, but who knows, given that I also have no prior experience with this kind of situation, I could just as easily make a mistake as well. I guess I just hope that everyone here can learn something from this and move on with their lives.
I don't care about privacy
A reminder that when the browser warns you that an extension can "read and change all your data on the websites that you visit", it's not just for privacy concerns, it's especially for security concerns (example). It all comes down to trust, and the most basic rule of browser extensions is simply to never install extensions you do not explicitly trust. Trust is to be earned, not given. Dismissing security concerns with "I don't care about privacy" is just silly.
have counter to 17 november 2020:
I don't think so - it resets every time you reload the page :D
https://sites.google.com/view/nano-dev#h.1cqsve3a47lk
Types of Data collected:
Social Media
Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.
Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using this Application
Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.
Users are responsible for any third-party Personal Data obtained, published or shared through this Application and confirm that they have the third party's consent to provide the Data to the Owner.
Is that part of the template ?
@gwarser Indeed, it appears they didn't even bother to set the countdown timer properly... They even left the default comments in. If the inputted date is before the current time, it defaults to a relative date instead of absolute. If this is the kind of care that they're going to put into working on Nano, I'd be concerned.
$('.cd100').countdown100({
    // Set Endtime here
    // Endtime must be > current time
    endtimeYear: 0,
    endtimeMonth: 0,
    endtimeDate: 35,
    endtimeHours: 18,
    endtimeMinutes: 0,
    endtimeSeconds: 0,
    timeZone: ""
    // ex: timeZone: "America/New_York", can be empty
    // go to " http://momentjs.com/timezone/ " to get timezone
});
Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.
It was really worth selling users down the river, huh @jspenguin2017?
I forgot to mention this: This is exactly the kind of stuff that Google loves to see because it enables them to implement stricter and stricter policies for extensions, and also policies that cripple their capabilities. Thanks for contributing to the problem.
Is that part of the template ?
@uBlock-user They used something like https://www.termsfeed.com, the part you quote is used in generic templates.
Look at https://mindsetdirect.com/privacy-policy/ for example.
I am concerned. I have been using Nano for years. I even typed passwords with the extension on due to my complete trust in @jspenguin2017 and @gorhill. Now I just clean installed Windows, noticed Edge beta listings are gone and finally finding this. I am worried about my passwords. I have very little understanding of coding, but reading this discussion I find that: they can't change the license and they must add license to whatever code they add, that @jspenguin2017 was in charge of listings, repositories etc. 8 days ago and that the new devs still have to publish an update for the extension. So, should I change all my passwords or not?
hmm. I guess the new Developers name are [ana-sayfa]. And they have a play store account with BeeMobileApps name.
https://sites.google.com/view/nano-dev/ana-sayfa https://sites.google.com/view/beemobileappsweightloss/ana-sayfa https://play.google.com/store/apps/developer?id=BeeMobileApps&hl=en
Well, I already installed uBlock Origin. But this thread is popping up on my mail.
@novaz9 No worry since the packages have not been updated yet. Once they are updated, anybody will be able to look at their content to find out if there is anything wrong in them.
hmm. I guess the new Developers name are [ana-sayfa]. And they have a play store account with BeeMobileApps name.
https://sites.google.com/view/nano-dev/ana-sayfa https://sites.google.com/view/beemobileappsweightloss/ana-sayfa https://play.google.com/store/apps/developer?id=BeeMobileApps&hl=en
Well, I already installed uBlock Origin. But this thread is popping up on my mail.
Actually "ana sayfa" means "home page" in English
Or another random girl - Ana maybe "=" Anna.
Finally they are here: https://github.com/nenodevs/uBlockProtector And their Chrome Store also updated to 15.0.0.206
However, their update on Chrome Store does not match the one in their repository (not sure if they forgot to push or else). You can compare their GitHub and the below image.
Their Chrome Store version adds a script called connect.js which is not revealed in their GitHub. Not sure if this violates GPLv3.
The new script they added seems minified (or maybe even obfuscated, but I cannot be sure now) (thanks to uBlock-user for the answer). I am not a Chrome user and don't know whether there are so-called release notes to explain why this was added. (Although I guess mostly not, as they don't even have that on GitHub.)
I don't think it's malicious, looks like an older version of the socket.io library.
You can use Chrome extension source viewer to inspect any extension, it has a built-in de-minifier.
You can use Chrome extension source viewer to inspect any extension, it has a built-in de-minifier.
Or this, by the same guy: https://robwu.nl/crxviewer/
So here is what I am seeing in the new Nano Defender 15.0.0.206:
Code was added to detect that the dev console of the extension is being opened. If you open the dev console of Nano Defender 15.0.0.206, a notification named report is sent to https://def.dev-nano.com/, or in simple words the extension remotely checks whether you are using the extension dev tools -- which is what you would do if you wanted to find out what the extension is doing.
Now this is from reading the code, and I could probably understand better if I could investigate the extension using dev tools -- but given the above, in all likelihood the extension will modify its behavior once you open the dev tools. So here is what else I can see:
At launch, the extension fetches something from https://def.dev-nano.com/, called listOfObject. Minor correction: At launch the extension listens to https://def.dev-nano.com/ for messages to populate listOfObject.
The content of listOfObject is further used apparently, as far as I can understand the code, to test fields from the details object passed to webRequest.onBeforeSendHeaders(). If all looked up fields succeed, the whole content of the details object is sent to https://def.dev-nano.com/ under the name handleObject.
Note that the webRequest.onBeforeSendHeaders() listener is registered for all network requests:
chrome.webRequest.onBeforeSendHeaders.addListener(blockingHandler, {
    urls: ["<all_urls>"]
}, ['requestHeaders', 'blocking', 'extraHeaders']);
So which info ends up being sent is configured externally through the listOfObject, and I strongly suspect this would all stop if I were to open the dev tools.
There is a bit of silly attempt at obfuscation in part of the webRequest.onBeforeSendHeaders() handler:
var m = [45,122,122,122]
var s = m.map( x => String.fromCharCode(x) )
var x = s.join("");
var replacerConcat = stringyFy.split(x).join("");
Which is equivalent to:
var replacerConcat = stringyFy.split("-zzz").join("");
Purpose is not clear, it's meant to remove instances of -zzz from request headers, before they are being sent out.
So trying to figure an example of what the new code can do. Let's say it wants to get sensitive information about network requests to a specific bank, then the content of the listOfObject object could be:
{ url: 'bank\.example\.com\/' }
Then the webRequest.onBeforeSendHeaders() handler would check whether details.url matches the regex bank\.example\.com\/. If so, then the whole content of the details object is sent to https://def.dev-nano.com/ as a handleObject packet.
The listOfObject can contain any number of conditions, I just gave an example with a single one above.
The extension is now designed to look up specific information from your outgoing network requests according to externally configurable heuristics and send it to https://def.dev-nano.com/.
A note regarding what the extension is doing above. Though the extension requests the webRequestBlocking permission, that permission is not required to perform the collection of data, including sensitive ones. The permission is only necessary to remove instances of -zzz from the request headers, and I don't know the purpose of this -- maybe someone else knows.
Here is the diff for the code change you won't find in their GitHub repo:
Forgot to mention the obvious: uninstall now -- with those capabilities, it should be considered malware.
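The checks walked through in the analysis above (a store package that does not match the repository, a header listener registered for `<all_urls>`, a hardcoded remote endpoint, a string built from character codes) can be run as a static triage before installing an update. This is an added example, not code from the thread or from any project discussed in it; the function names, the file names and the host `collector.example.invalid` are assumptions, and the sample file contents are constructed.

```javascript
// Static triage of an unpacked extension package against the public repo it
// claims to be built from. Inputs are {path: content} objects (caller loads them).

// Files shipped in the package that are missing from, or differ from, the repo.
function diffPackageAgainstRepo(pkgFiles, repoFiles) {
  const findings = [];
  for (const [path, content] of Object.entries(pkgFiles)) {
    const inRepo = Object.prototype.hasOwnProperty.call(repoFiles, path);
    if (!inRepo) findings.push({ path, issue: 'not-in-repo' });
    else if (repoFiles[path] !== content) findings.push({ path, issue: 'differs-from-repo' });
  }
  return findings;
}

// Decode numeric arrays in files that also use String.fromCharCode, so strings
// hidden as character codes show up in the report as plain text.
function decodeCharCodeArrays(source) {
  if (!/String\.fromCharCode/.test(source)) return [];
  const decoded = [];
  for (const m of source.matchAll(/\[\s*(\d{1,3}(?:\s*,\s*\d{1,3})+)\s*\]/g)) {
    const codes = m[1].split(',').map(n => parseInt(n, 10));
    // Keep only arrays that decode to printable ASCII.
    if (codes.every(c => c >= 0x20 && c <= 0x7e)) decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Hosts that appear as absolute http(s)/ws(s) URLs in the source.
function extractRemoteHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/\b(?:https?|wss?):\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return [...hosts].sort();
}

// Heuristic: webRequest listeners that receive headers for every URL. The
// argument list is read up to the first ");", so inline handlers are not parsed.
function findBroadHeaderListeners(source) {
  const hits = [];
  const re = /chrome\.webRequest\.(\w+)\.addListener\(([\s\S]*?)\);/g;
  for (const m of source.matchAll(re)) {
    if (m[2].includes('<all_urls>') && /requestHeaders|responseHeaders/.test(m[2])) {
      hits.push(m[1]);
    }
  }
  return hits;
}

// One report entry per file that cannot be traced back to the repo.
function auditPackage(pkgFiles, repoFiles, expectedHosts = []) {
  return diffPackageAgainstRepo(pkgFiles, repoFiles).map(({ path, issue }) => {
    const src = pkgFiles[path];
    return {
      path, issue,
      unexpectedHosts: extractRemoteHosts(src).filter(h => !expectedHosts.includes(h)),
      broadHeaderListeners: findBroadHeaderListeners(src),
      decodedStrings: decodeCharCodeArrays(src),
    };
  });
}

// Constructed sample input (not the real package or repository contents).
const SAMPLE_REPO = {
  'manifest.json': '{"name":"sample"}',
  'background.js': '// upstream background script',
};
const SAMPLE_PACKAGE = {
  'manifest.json': '{"name":"sample"}',
  'connect.js': 'var socket = io("https://collector.example.invalid/");',
  'background.js':
    'var m = [45,122,122,122]; var s = m.map(x => String.fromCharCode(x));\n' +
    'chrome.webRequest.onBeforeSendHeaders.addListener(h, { urls: ["<all_urls>"] }, ' +
    '["requestHeaders", "blocking", "extraHeaders"]);',
};

console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE, SAMPLE_REPO), null, 2));
```

A hit from this script is a reason to read the flagged file by hand, not a verdict; a clean result only says these particular patterns were not found.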
So @jspenguin2017's users have been sold to malware. Great.
I'm going to report this extension to the Edge team for urgent analysis.
I'm going to report this extension to the Edge team for urgent analysis.
For now, version for Edge isn't updated and didn't change owner, only Chrome version is affected.
Maybe he reported as "whisper" / private-message.
I'm going to report this extension to the Edge team for urgent analysis.
For now, version for Edge isn't updated and didn't change owner, only Chrome version is affected.
As far as I'm aware you can't change owners with the Microsoft store, so @jspenguin2017 is most likely to just have given login details. It may very well already be submitted, awaiting review. I've asked the team to review this thread and look out for an update.
https://github.com/LiCybora/NanoDefenderFirefox/issues/187#issuecomment-708101527
This was posted on the Firefox port of NanoDefender on how to migrate from Nano Adblocker to uBlock Origin, for anyone that hasn't seen it.
Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.
Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.
It was really worth selling users down the river, huh @jspenguin2017?
I forgot to mention this: This is exactly the kind of stuff that Google loves to see because it enables them to implement stricter and stricter policies for extensions, and also policies that cripple their capabilities. Thanks for contributing to the problem.
So, what I suspected was correct. The extension has been modified to become malware, and outright compromises the privacy and security of users. You sold your users down the river and put them in harm's way to make a quick buck. That is actual blood on your hands now. Sure, you didn't write the code yourself, but you directly enabled the pathway for this to happen.
Nano has now become a historical example of why content blocking extensions should not be sold, and what happens when they are.
That is indeed a suspicious update, I will start analyzing it shortly. I will be archiving this repository, so let's head over to my general purpose repository for further discussions: https://github.com/jspenguin2017/Snippets/issues
@nikrolls
so @jspenguin2017 is most likely to just have given login details
No, I still control the Edge store listings.
@Techman
put them in harm's way to make a quick buck
Do not misrepresent facts. I was looking for a new maintainer. If I knew that the new developer(s) would do this, I would not have accepted the deal.
As I mentioned here [1], I planned to donate most of the money back to the new developer(s) if they do a good job. If I wanted to make a quick buck, I would sell the projects and disappear.
[1] https://github.com/NanoAdblocker/NanoCore/issues/362#issuecomment-706827428
Important updates and disclaimers: The WebStore listings are no longer under my control. I am not responsible for the actions of the new developer(s). If you feel concerned about the recent changes (please continue reading for more information), please remember that you can uninstall the extensions and/or find alternatives at any time.
As some of you might have noticed, Nano Adblocker is now months behind upstream. It became clear that I simply do not have enough time to properly maintain the Nano projects.
At the beginning, there were no backlogs. As the projects grow, I added a backlog system to better manage open issues. That was unfortunately not enough, so I added another level of backlog -- the triage queue. Then a third level. And a fourth one. Now the fourth level of backlog, the notification queue, has over 138 issues waiting for my attention. No matter how well I organize incoming issues, if I do not have enough time to look into them, I will simply fall further and further behind. With thousands of issues backlogged, it is only a matter of time that the Nano projects collapse.
And here comes the news. New developer(s) are in the process of acquiring Nano Adblocker and Nano Defender. Hopefully, they will be able to put an end to this backlog madness and finally give Nano Adblocker some real development time instead of constantly trying to catch up to upstream. The transition is still taking place, so I would like to ask for your patience. I will have more details about this in the upcoming days or weeks.
I would like to apologize for not being able to post an announcement earlier. I was extremely busy last week, and with all the additional things that I have to take care of to ensure a smooth transition, I fall quite a bit behind schedule. If you have any questions or concerns, please post them below. I am still trying to catch up, so please be patient while I find time to respond to your inputs.
Updates:
The new developer(s) said that they will create their own repositories and change links where appropriate.
The Edge store listings were changed to hidden.
NanoMeow/MDLMirror has been archived.
NanoMeow/UltimateMirror has been archived, and its visibility has been changed to private.
NanoMeow/MirrorEngine has been archived.
The Nano Defender repository has been archived.
Repositories in NanoAdblocker and NanoAdblockerLab organizations except NanoAdblocker/NanoCore have been archived.
The backend server running on legacy.hugoxu.com will no longer accept new reports from the Quick Issue Reporter.
NanoAdblocker/NanoCore and NanoMeow/QuickReports will be archived on 2020-10-15.
Please head over to my general purpose repository for further discussions: https://github.com/jspenguin2017/Snippets/issues