Open deanoemcke opened 4 years ago
Maybe try running without a suspending extension for a bit?
I couldn't find one I liked after uninstalling TGS and just been running 3 windows with about 60 tabs combined open for 4 days now and my machine seems to be running quieter and less RAM utilization
I have removed the extension from my browser :( the lack of communication and transparency makes it really hard to continue using this. It's been a good run.
What a shame!!! after Nano Defender, now The Great Suspender... sold to some random people with a set-up account without any history... seriously!?
I have uninstalled TGS and installed Auto Tab Discard instead. I'm finding speed and RAM use is much better on my older Mac.
I have similar findings on Windows 10 v2004, Intel i7 7700K, 32GB RAM. RAM usage is about the same on Firefox and seems to be maybe even a little better on (Newer, Chromium-Based) MS Edge.
I, personally, recommend Auto Tab Discard FF | Edge to anyone who found this GitHub issue in search of a replacement.
I'm not terribly surprised about the improved performance, as this does provide some features lacking in Auto Tab Discard (eg, the screenshots mechanism).
I like those features, and would appreciate it if this extension were to survive. Is anyone aware of licensing issues that might prevent me from posting a new version on the Chrome store?
> Is anyone aware of licensing issues that might prevent me from posting a new version on the Chrome store?
Google specifically disallows duplicate extensions in the Chrome Store in their spam policy - https://developer.chrome.com/webstore/program_policies#spam - and once their review team makes an adverse decision it can be extremely slow and difficult to get a rereview.
I'd recommend just writing a completely new extension - if there's specific code or functionality you want to reuse from this repository, it's licensed under GPL-2.
@TheMageKing, you may want to refer the Google review team back to this thread if you run into issues. That said, I don't think we have a "smoking gun" here yet that conclusively shows the new owner has malicious intent. They may just be a terrible communicator.
> @TheMageKing, you may want to refer the Google review team back to this thread if you run into issues. That said, I don't think we have a "smoking gun" here yet that conclusively shows the new owner has malicious intent. They may just be a terrible communicator.
I don't mean to be argumentative, so please don't take the tone of this text that way. I just don't see how anyone can reach a conclusion like that. Anyone aware of this current situation who has not disabled/removed this extension (or altered their setup/router or modified the extensions code on their own) to help mitigate the dangers these new developments have placed them in, is taking quite a risk based on an entity who has not done ONE thing to earn that level of trust, or any trust whatsoever, from anyone. This entity has no prior GitHub history to consider, no way to look at other projects they may have worked on, NOTHING.
They pushed a version change to 7.18 to the Chrome Web Store on October 27, 2020, fully a week ago, and have still not updated the GitHub (which he purchased.. because.. that's totally normal for a free Chrome Extension). Has refused to even announce him/herself, pass any kind of Turing test to demonstrate they are even human, or address ANY of the many, numerous issues and requests for comment regarding all of this.
They have added code to the extension that calls on remote scripts that at the very least adds new analytics/telemetry/tracking .. who knows really, that gets sent to destinations (trckingbyte.com, trckpath.com, owebanalytics.com) that are not authorized or compliant with the extension's Privacy Policy. All of this done without the users' knowledge, control, or consent.
This is FAR beyond "poor communication skills". If all of the above doesn't show malicious intent, especially with ZERO communication, then I don't know. I guess someone has to actually have their bank account compromised or something before we can conclude it's malicious. I'm more than willing to give the benefit of the doubt, but this person clearly has no intention of availing themselves of the (misplaced) trust and opportunities we've afforded them, and that in itself is malicious behavior.
That's all I have to say, for whatever it's worth. I apologize for the long post.
No offense taken. I had actually already uninstalled the Chrome store version and am using the last known good one, 7.16, until I decide on next steps[^1]. I like to give the benefit of the doubt, but I'm not going so far as to let myself be a guinea pig either.
I've been loosely following the thread, but my read of recent comments from zanglang and TheMageKing seem to show that nothing bad is in there yet, but I definitely agree that the whole thing stinks of possible, even likely, ill intent. The only point I was trying to make was that I don't know if that's a high enough bar for the Google folks to ban the old extension in favor of a replacement forked from 7.16.
[^1]: Can anyone provide an argument against using 7.16 in the short term? I'm not a JS developer and don't particularly want to spend the time right now to analyze the extension in detail myself, but I don't think I've read anything here that says I should abandon TGS completely.
@deanoemcke Please note that the Google Extensions Web store has not been updated with ownership.
Everyone looking there would still think that you are the owner of the extension. This is a very bad oversight (being charitable here) on the part of the new owners, and does not bode well.
If you expand the Overview, all references of who to contact are YOUR web link. The last update that you refer to is version 7 in 2018.
According to the privacy page - which google still links to. "The Great Suspender extension is owned and operated by Dean Oemcke - a programmer from New Zealand ". The new owners have had more than 4 months to change that - but haven't.
Please note that the "Website" it links to is STILL "https://github.com/deanoemcke/thegreatsuspender". That includes your name.
You really need to get that sorted unless you relish being forever tainted.
let's not jump to conclusions; there are numerous ways to interpret the evidence. here's just what i can come up with; not all options are mutually exclusive:
regarding @greatsuspender's silence:
why they may have bought the github pro account:
regarding the sneaked in code fragment:
regarding the outdated information in the web store:
so to sum up, however one twists it, they are an obviously abysmal maintainer, but any ill intent is plausibly deniable.
regarding @deanoemcke's obvious refusal to reveal any insider information:
aside from all the speculation, i need to make a factual observation about the "sneaked in" code:
Yea this definitely doesn't smell good, let's report the extension on the chrome store citing this thread as evidence.
This entire issue and our discussion is a bit hard to find: I noticed some people filing new issues (eg, #1260 ) that make it clear they haven't seen this. So I made that issue, #1263, just to make it more visible.
> let's not jump to conclusions; there are numerous ways to interpret the evidence. here's just what i can come up with; not all options are mutually exclusive:
>
> ....[humongous list of baseless assumptions]
I respectfully disagree. Let's all jump to a conclusion as quickly as possible. I strongly urge everyone to IMMEDIATELY remove this extension from their device(s) and report it for the numerous violations of both GitHub's terms and the policies of the Chrome Web Store.
If you find yourself saying "gee, maybe the guy's just autistic", after seeing that they have added code that calls remote scripts to send data to three different domains (trckingbyte.com, trckpath.com, and owebanalytics.com), maybe it's time to take a nap.
> If you find yourself saying "gee, maybe the guy's just autistic", after seeing that they have added code that calls remote scripts to send data to three different domains (trckingbyte.com, trckpath.com, and owebanalytics.com), maybe it's time to take a nap.
@XxX-Force When I summarized this entire thread, I didn't say security was definitely compromised. I did so for a reason.
You appear to have misunderstood @zanglang's first post, and not seen his second. The extension is not directly connecting to the trck.... domains. It lacks the permissions to do so, AFAIK. Those sites are definitely malicious: they are hosted via a bitcoin hosting company, and were found in malicious extensions.
This extension is not those. It doesn't connect to those sites: instead, it connects to owebanalytics.com. That site appears to be a legitimate alternative to google analytics. Now, the JavaScript is at the same path: however, that appears to simply be the design of the service. That is why @zanglang initially found those other malicious extensions, but later dismissed the similarity. The fact that malicious extensions appear to be reusing parts of the Open Web analytics system doesn't indicate that Open Web is malicious: just that the hackers know that tracking is similar to analytics, and reused open-source code.
As my other post said, there is not yet evidence that the extension is malicious. And you don't need to be autistic to mess this up.
@TheMageKing, my comment was in reply to @ossilator's comment here, not to you. Regardless:
> ... The extension is not directly connecting to the trck.... domains. It lacks the permissions to do so, -=-=-= AFAIK =-=-=-. Those sites are definitely malicious: they are hosted via a bitcoin hosting company, and were found in malicious extensions. ...
Honestly, it's nothing personal, but this is exactly the problem. You DO NOT KNOW.
-=-=-=-=- On a completely unrelated note, I received an email notification at 7:51 Eastern Time that @danupo had commented :
"It looks like there is a "keypressEventHandler" defined that tries to steal the password with external javascript. In addition, the "getPassword" function and other functions are defined.
As Japanese law prohibits putting any part of the malware code on it, could someone please check this?"
But, for some reason, I cannot find that comment here. @danupo, what's up?
@danupo I also got the email notification about getPassword; the comment has since been deleted. Did you delete it yourself?
EDIT
it looks like getpassword is part of the OWA URL parser - https://github.com/Open-Web-Analytics/Open-Web-Analytics/blob/2170d3d0b878d17105a12a8fb1660a89a5b4d4fc/modules/base/js/owa.js#L722
For the tracker in general, it isn't reading passwords out of forms, but if you are using HTTP basic auth, those passwords would probably be leaked. In the context of a chrome extension, there's no basic auth to check the settings page.
@XxX-Force @nfultz Yes. The comment was deleted by me to avoid misleading. It was a default feature of the OWA. I mistakenly thought it was a malicious addition.
Originally, getPassword and bindKeypressEvents are defined.
As an alternative, I would suggest Lazy Tabs, which uses the built-in tab discarding API.
Anyone know of some tab management (as opposed to discarder) extensions? I use Tabli with TGS. There's also Session Buddy.
I recommend Tabs Outliner. There's also OneTab
Did anyone else discover TGS through WaitButWhy?
The entity that bought the extension almost certainly did so to make money, and a reasonable first step toward this is to add analytics so they can see utilization metrics. I can almost guarantee that those metrics are in a PowerPoint deck somewhere in the world, as a basis for revenue projections. Now whatever happens next will be the interesting part.
@greatsuspender the lack of communication is hurting those utilization metrics.
@mikewaters There were already analytics in the extension. They just added new analytics and an opt-out.
> @mikewaters There were already analytics in the extension. They just added new analytics and an opt-out.
I would guess then that the new analytics are more invasive; if they need an opt-out, there is some legal framework they are bound by (like CAN-SPAM).
> I recommend Tabs Outliner. There's also OneTab
OneTab also has privacy issues + an AWOL maintainer just like TGS. But it is decent for a small-medium # of tabs.
I'd really recommend people just write their own extensions, it's pretty easy and there's plenty of good references.
For anyone who is concerned by the "stealth tracking" (i.e. it not being mirrored on Github for some reason), you can always install from source. It is easy: go to `chrome://extensions`, enable developer mode, click "Load unpacked extension" and point it to the `src` folder from this repo. Done!
HOWEVER, I DON'T SEE THE CURRENT ISSUE (in itself) AS A REASON TO FREAK OUT:
```javascript
var owa_baseUrl = 'https://cdn.owebanalytics.com/';
var owa_cmds = owa_cmds || [];

function loadOpenWebAnalytics(version) {
  owa_cmds.push(['trackPageView']);
  (function () {
    // Injects a <script> tag that fetches the tracker from the remote host.
    var _owa = document.createElement('script');
    _owa.type = 'text/javascript';
    _owa.async = true;
    _owa.src =
      owa_baseUrl +
      'owa/modules/base/js/owa.tracker-combined-latest.minified.js?siteId=klbibkeccnjlkjkiokjodocebajanakg&apikey=2cf3d852ab70d359456ce3a0aac237a3&v=' + version;
    var _owa_s = document.getElementsByTagName('script')[0];
    _owa_s.parentNode.insertBefore(_owa, _owa_s);
  })();
}

function init() {
  // Both trackers are skipped when the user has ticked the opt-out checkbox.
  if (!gsStorage.getOption('trackingOptOut')) {
    loadGoogleAnalytics(window, document, 'script', 'https://www.google-analytics.com/analytics.js', 'ga');
    let details = chrome.runtime.getManifest();
    loadOpenWebAnalytics(details.version);
  }
  gsAnalytics = gsAnalytics();
}
```
This is from the actual extension installed from the chrome store, 'trackingOptOut' option is set by that checkbox, and `loadOpenWebAnalytics()` isn't referenced anywhere else. Also, that opt-out disables Google analytics too, which was force-enabled before, so you could say it is an improvement?
Yes, this is weird that they "hid" it like that. Might have to do with the hardcoded siteId and apikey, or maybe they "just wanted to experiment with it" (on users' machines, yes, but how else do you experiment with tracking?)
Yes, they handled their PR horrendously, but that doesn't mean they are automatically malicious! (And actually, "any PR is good PR". If it spreads and then it gets proven they did nothing malicious, then more people might use the extension and more would donate to them.)
Personally, I'm going to use the "developer mode install" option, but not to avoid that tracking. Mostly because of #1259 and other autoupdate-related issues, as developer-mode extensions don't get autoupdated.
@evg-zhabotinsky The summary I wrote in #1263 is pretty clear about the causes of suspicion. Basically, as long as they fail to communicate with us, we have to assume the worst. OpenAnalytics has the ability to conduct highly invasive tracking: and the permissions requested are such that the system could stop using that CDN and instead execute from other sources.
I agree that some of us are overreacting, but the problems here can't be dismissed out of hand.
> The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:

The script is loaded from `owebanalytics.com` which is a domain registered last month and it is not an official OpenWebAnalytics CDN.
> The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:
>
> The script is loaded from `owebanalytics.com` which is a domain registered last month and it is not an official OpenWebAnalytics CDN.
That’s huge. I can’t find very much about that site, besides that their web server runs CentOS, they use Letsencrypt on their cdn subdomain, and they are hosted in the US (EIG/maybe Hostgator).
If this is not an official OWA property, then this is intentionally deceptive. I am generally open to commercial usage of open source but this stinks to high heaven.
right. so they do in fact already control the "metrics" domain, and they hid the code because it's only seemingly legitimate (so much for "face value" ...). the script served by the domain looks like real OWA code, but i can't possibly do a full analysis. but even if it's legit for the time being, we must assume that it's on stand-by for an attack. i now also reported this to google. let's hope they react in time, as that's the only way to actually protect unaware users. everyone else should disable the tracking option, or better use code from git.
> The third-party JS is loaded from OpenWebAnalytics CDN, so it should not be able to do anything bad? I'm not 100% sure, but:
>
> The script is loaded from `owebanalytics.com` which is a domain registered last month and it is not an official OpenWebAnalytics CDN.
>
> That's huge. I can't find very much about that site, besides that their web server runs CentOS, they use Letsencrypt on their cdn subdomain, and they are hosted in the US (EIG/maybe Hostgator).
I would call this beyond huge, and would like to formally retract all my claims that this was "possibly innocent". That CentOS homepage indicates nothing about the server's OS: every link on that page just points to the real one. The only thing I can really discover (beyond what you said about Hostgator) is that they are running a 2018 version of nginx, configured to never return a 404 Not Found. Also, they have an SSH server, if anyone wants to try passwords randomly.
Open Web Analytics doesn't provide hosting solutions (yet), so it is plausible that the new maintainer needed to get a domain and self-host. But that doesn't explain the old nginx, the weird homepage, or the fact that the domain name clearly masquerades as legitimate.
> If this is not an official OWA property, then this is intentionally deceptive. I am generally open to commercial usage of open source but this stinks to high heaven.
Commercial usage would not be done in this way. BlueHost is a webpage hosting provider. Anybody hoping to commercially offer an analytics service would use a more specialized cloud compute provider, and save money. This screams "trap".
Their trap worked, too. I never actually checked to see if owebanalytics.com was a legitimate website, because the cdn subdomain seemed silent, and I never noticed that the real openwebanalytics.com had a few extra characters.
I will probably actually do some work on my "thesecretsuspender" fork now that there is decent evidence that the developer is malicious. My goal is to make a version that can never touch the outside world. I'll update the other issue with this smoking gun before I go to bed.
this is helpful for anyone wanting to remove it: https://github.com/greatsuspender/thegreatsuspender/issues/526
Does anyone know the right people at OWA to contact? While they're not responsible for someone posing as them, they may be concerned about it, aware of this or similar instances, and have advice.
(Edited: opened https://github.com/Open-Web-Analytics/Open-Web-Analytics/issues/703).
The OWA people have confirmed in https://github.com/Open-Web-Analytics/Open-Web-Analytics/issues/703 that the new "analytics" site from which TGS is loading code, is completely unaffiliated with them.
While I completely agree that everything that has occurred up to this point has been questionable at best, one thing worth noting is that it seems this is how OWA is supposed to work. I don't believe they have any centralized server or CDN. It's a tool you are supposed to spin up your own server and domain for, so this answer isn't unexpected.
It's still sketchy, and I'm not reinstalling it anytime soon, but this may not be the evidence of shadiness in and of itself.
@TheCleric Not quite. Normally you have a website to use tracking on, and you put your OWA there too, no second domain needed. In this case, the extension doesn't have its own website, so OWA has to be hosted somewhere else. That, however, isn't a valid reason to misrepresent that hosting as OWA-affiliated using such a misleading name.
Just chiming in that I uninstalled and reinstalled the v7.1.6 from github source with no problem. I had never done anything like this before and it was super easy: (writing this was more work)
- Make a backup of your tabs, many options out there. One way is from the The Great Suspender > Options > Session Management > Save to a text file with url of all tabs.
- Save whitelist from The Great Suspender options, make note of your settings.
- Unsuspend all tabs (MOST IMPORTANT)
- Uninstall The Great Suspender
- Download zip https://github.com/greatsuspender/thegreatsuspender/archive/v7.1.6.zip
- Unzip to folder in saved location
- Tools > Extensions > Turn-on Developer Mode at top-right corner
- In new option at top-left, "Load unpacked" > find & select the SRC folder where you saved it
- Update settings to old preference > DONE
Does this work fully for you btw? I just did exactly this - unsuspended all tabs, loaded them, then installed 7.1.6, and suspended a bunch.
Then I come back and all of my tabs are broken, it just says this:
@sjain882 - yes the source loading of TGS still works for me, reviewing the extension details in chrome shows loaded from local source folder. Sorry to hear not working for you, I don't have any ideas
@sjain882 What other Chrome Extensions do you have installed? Have you tried disabling them one at a time to try to find which one may be causing the problem? Do you by chance have the EFF's 'HTTPS Everywhere' extension installed? If you do, is the "EASE (Encrypt All Sites Eligible) Mode" setting enabled?
I can confirm that on Chrome Version 86.0.4240.183 (Official Build) (64-bit), that TGS version 7.16 installed 'unpacked' from the 'src' folder as described above does work.
the trick is keeping the application id constant between updates/reinstallations. you need to insert

```json
"key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWu7+3vUaUm2vuJZQsiPeciQbO5hpq8/Z2o6zP/Kv7I5+rI1ZfDhjsuz6jw2Efi23YwkAGPpXewhKnrmGXAgRSPIq1EHZUTwVwqo1SFWGCyEzywvXjpPiLaP3DsJCHT2wJE0KcWvt/aKeREtFCpvZ3b5vnupYh1oMlSryqBiINewIDAQAB",
```

(taken from the release package) into the manifest.json file (after "incognito", to keep alphabetical order and logical nesting intact).
note that doing just that will, of course, change the id one last time.
If you want to report the extension you can simply write this: @TheMageKing
The extension was sold to an unknown party. This entity has "updated" the extension to v7.18 w/o publishing changes to Github. It is calling remote scripts and using remote tracking analytics, sending user information somewhere w/o user knowledge. PLEASE SEE: #1175 (comment) AND ALSO: #1175 (comment) .. Owner refuses to communicate or respond to anyone. Can only be considered as malicious/malware at this point. We have no idea what the full changes are to the code, or the ramifications of said changes.
github.com/greatsuspender/thegreatsuspender/issues/1175#issuecomment-717656189
Just confirming that v7.1.6 is the last stable release before it all went downhill. I was thinking about making a branch and publishing to the store.
That would be great!
Do we have a conclusive response from the dev yet?
No response whatsoever.
> Do we have a conclusive response from the dev yet?
>
> No response whatsoever.

We do, but it's vague and inconclusive https://github.com/greatsuspender/thegreatsuspender/issues/1263
Hi everyone. I'd like to announce some changes to the administration of The Great Suspender project.
It's been almost 8 years since the first release of The Great Suspender to the Chrome Web Store. I've seen the extension turn from a hobby project to an indispensable chrome add-on, all due to an enthusiastic community of users that promoted the extension on my behalf.
The contribution of both code, and feedback from everyone here on GitHub has been critical to the success of the project. You have helped me detect and resolve bugs, given me ideas for UX improvements and new features, and provided technical assistance when I have found myself struggling with some code. I honestly couldn't have got to this point without you.
However, as the user base for The Great Suspender has continued to grow, so have the commitments in my private life. And I've found I'm increasingly incapable of meeting the demands that this project requires. I've therefore decided to take a step back, and let others lead the development.
I have found a new dedicated owner for The Great Suspender who has the capacity to see the extension actively maintained into the future. The new GitHub administrator for this project will be @greatsuspender. They have also purchased the rights to publish the extension to the Chrome webstore and will be managing the public release process going forwards. Big thanks for taking on this project and continuing its development!
Thanks again for all of your support here on GitHub. You're the best!