When Add-Ons Wage War

Conflicts in the Open Source world — as in the proprietary world — are hardly a surprising phenomenon. Indeed, our community can't even agree over what to call one of its most popular projects — a fight we have no interest in entering, particularly not here. What is perhaps more surprising is when these disputes escalate like a deleted scene from Fatal Attraction — escalate so far that the powers-that-be must intervene.

One of the most popular Firefox add-ons — at least from the impression we gather from what we see and hear — is AdBlock Plus, developed by Wladimir Palant, which eliminates advertisements placed on websites from showing in the browser. Another popular add-on, and one widely advocated by security experts, is NoScript, which prevents JavaScript and other unwanted scripting from operating in the user's browser — this is considered a particularly useful security enhancement as script-based attacks become more and more popular. The two extensions could be described as having a similar purpose — to remove or disable objectionable content — though the types of content are quite different.

While NoScript surely has NoFriends among the attackers it helps to thwart, AdBlock Plus has a much less sinister group of opponents. Because it blocks advertisements, which site owners use to generate the funds that allow the site to continue operating, many site owners object to the extension's use, and some even make attempts to circumvent the extension. Giorgio Maone, the developer of NoScript, is one such site owner — his project is funded by donations, and by revenue from ads placed on the NoScript website. Frustrated with his ads being blocked by AdBlock Plus, and reportedly feeling that his project was at financial risk, Maone implemented measures to prevent AdBlock Plus from preventing his ads from displaying.

Palant, meanwhile, took exception to his extension being bypassed and instructed the individual who maintains AdBlock Plus' list of filters — the means by which the blocking is achieved — to add a new filter specifically designed to block ads on NoScript's domain. AdBlock filters are generally rather generic, blocking any images from URLs used by ad providers — users have the ability, though, to craft their own rules, and even to use the extension to block normal HTML elements on a page. Once Maone discovered that Palant was circumventing his circumvention, he introduced new methods to block the ads. The AdBlock Plus filter maintainer — known only as Ares2 — retaliated with more and more severe filters until eventually the NoScript website was inaccessible to users of AdBlock Plus.

Until this point, the dispute was fairly transparent — users are able to view, alter, and disable the filters enabled in their browser, and Maone's actions to circumvent the extension on his site would have been apparent to any AdBlock Plus user who visited the site. However, once Ares2 introduced filters that broke his site, Maone left transparency behind. He introduced new code into NoScript which disrupted the operation of AdBlock Plus — something made possible by the broad ability Firefox extensions have to alter not just the content of websites, but the browser itself, and any other add-ons that might be installed.

Generally, as is the case with most Open Source projects, extensions are scrutinized by hundreds, thousands, possibly more developers who ensure the extensions are safe for users to install — indeed, Mozilla maintains a formal process for approving extensions. To prevent the code from being discovered, Maone encoded it in a way that obscured it from other's inspection. No notice was given to NoScript's users, nor was there any option to prevent NoScript from affecting AdBlock Plus. What could not be obscured, however, was the user's experience, wherein it was obvious that something was disrupting AdBlock Plus' operations.

When users discovered the cause of AdBlock Plus' sudden malfunction, the reaction was swift and severe. They were outraged that one extension would deliberately be used to disable other add-ons with which the developer disagreed, were even more irate that it had been done with no notice or opt-out, and supremely enfrothed that the offending code was intentionally obscured — a cardinal offense if there is one in the Open Source world. Once brought to Palant's attention, he assailed the practice in an entry on the AdBlock Plus blog, an entry described as a "scathing" one "that excoriates NoScript." As one might expect, once the dispute was revealed to the greater public, an overwhelming amount of attention quickly followed.

As a result of the incident, the powers-that-be at Mozilla — or at least those responsible for keeping the peace among extensions — have proposed a new policy for add-ons to be accepted into the official addons.mozilla.org repository. Under the proposal, add-ons may only be approved if all changes to the user's home page and search preferences, as well as any changes to other extensions, can be justified as required by the core function of the extension. Once that test is met, the add-on must further disclose, in the add-on description, what changes will be made, and any changes must be opt-in rather than opt-out, requiring specific action by the user to enable them.

Finally, once the add-on is uninstalled, any settings that were altered must be returned to their original state — the proposal is not clear on whether this means the settings must be returned to a default state, that is, as the browser was shipped, or whether the extension will be required to keep a record of what settings it changed and their values, and restore them to their state before the extension was installed. The proposal is also quick to point out that the points set out are a minimum standard, and do not ensure that every extension that meets them will be approved. Community comment is requested, with indication that the Mozilla Development newsgroup is the preferred location.

As for the AdBlock Plus-NoScript feud, Maone issued an apology, acknowledging that using his extension to disrupt another was inappropriate, and asking that users "accept my most sincere apologies and believe in my shame and contrition." The offending code has been removed, with Maone writing that "I had this crazy idea of retaliating against EasyList 'from the inside', and in my blindness I did not grasp that I was really retaliating against my own users and the Mozilla community at large."

A cursory review of Palant's original entry shows three updates, the first noting the removal of the NoScript code and thanking users for helping to bring about the policy proposal at Mozilla. The second regards the closing of comments, and the third acknowledges and links to Maone's statement. Two additional entries to the blog, which appear to have drawn a great deal of comment, appear to propose a whitelisting system for AdBlock Plus, to give users more options of which ads to block. The relevant posts, which with their comments are quite lengthy, can be found on the AdBlock Plus blog.

For our part, we are deeply saddened by any schism, however quickly redressed, that affects our community. We would invite readers to share in the comments their thoughts, not only about the specific incident reported here, but also on the greater issue of how to maintain, if not community unity, then at a minimum a fair and civil environment for all Open Source projects.

______________________

Justin Ryan is a Contributing Editor for Linux Journal.

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Self healing OSS

Dan P.'s picture

That's why I love Open Source software, it has the self healing mechanism built in. It is about the pressure of a large community of people that would not allow anything to disrupt their good experience with the software they need.
Just try to imagine what would have been happen if this kind of war would have been created by private companies. All the it is accessible and last but not least it is educating people promoting a free spirit and sharing. Vive l'OSS!

Advertisers should pay for

Anonymous's picture

Advertisers should pay for the bandwidth of mine that they use that isn't content. It's a two way street.

Advertisers should NOT pay

Codalyzer's picture

Advertisers should NOT pay for our bandwidth. Just like advertisers don't pay for our cable subscription or our TV set, or our PC, or any other means that help them advertise. Should Ford refund you your car, for the mere fact that their logo is shining on its front?

Not a two-way street--not even a one-way street...

Anonymous's picture

Indeed. It isn't a two-way street--it isn't even a one-way street. When a person publishes content in an unrestricted, publically accessible environment, they are essentially giving anybody and everybody the right to render/view the content without restrictions. So there is no requirement to render/view all the content (whether it be ads, or images, or scripts [NoScript anybody?], or stylesheets, or whatever). Nobody is stealing from anybody else, under any circumstance, unless they are: a.) redistributing private intellectual property, or b.) violating an explicit contractual obligation. Neither the case of blocking some content (e.g., ads in an unrestricted website), nor of consuming bandwith with some content (e.g., ads in an unrestricted website), amount to theft--there is no IP infringement, and there are no contractual obloigations.

His prerogative to make evil software, mine to block ads

Anonymous's picture

It's Maone's prerogative to break the circle of trust (and it's also the community's prerogative to demand disclosure, to boycott, whatever).

Also, it's possible to require accepting a EULA to allow ads to be displayed before allowing your site's content to be viewed (javascript isn't required--there are several ways to do it server-side). Unless such an agreement has been reached, there is no obligation to allow ads to be displayed. I can stand on the side of the road with a sign, but I can't make anybody look at it--they can hold up their hand and block it from their view if they wish. The only way people are required to view ads is if they accept a license agreeing to view them. It's not my fault if more revenue would be lost by protecting content with a EULA than is lost by leaving the content open but also (legally) allowing ads to be blocked. I'm not stealing from McDonald's if they have to charge less than they would like to for a burger because the market can't support the higher price. INAL, but there is no expectation of privacy on a public website, and there is no de facto or de jure obligation for any viewer to view all parts of the content (e.g., the ads) on a public website.

i never ever have had the

costinel's picture

i never ever have had the need to use adblock. noscript + flashblock kills annoying things. the rest of adds that pass noscript+fb are ok, they should be left alone, they are not annoying.

Really?

Anonymous's picture

Remember the days when Opera had an ad supported version of their browser available? You could use it for free with ads displayed or you could register it and not have to see the ads. So what some of you are saying is that it would be ok to setup a proxy / adblocker so the ad server could not be reached? Is this really with keeping with the spirit of free (as in beer, not freedom) software? "Well as long as I didn't use some serialz or actually crack the software then it is ok." Really? You believe that?

Some sites have the same model. Google's one of them. I can use Gmail for free and they display ads. Or I can signup for a paid account in which they will not display ads. Is it right to use the free account with an adblocker? If enough people did this I can promise you that the Internet wouldn't be free (beer) anymore.

His right to make evil extensions, mine to block his ads

Anonymous's picture

It's Maone's prerogative to break the circle of trust (and it's also the community's prerogative to demand disclosure, to boycott, whatever).

Also, it's possible to require accepting a EULA to allow ads to be displayed before allowing your site's content to be viewed (javascript isn't required--there are several ways to do it server-side). Unless such an agreement has been reached, there is no obligation to allow ads to be displayed. I can stand on the side of the road with a sign, but I can't make anybody look at it--they can hold up their hand and block it from their view if they wish. The only way people are required to view ads is if they accept a license agreeing to view them. It's not my fault if more revenue would be lost by protecting content with a EULA than is lost by leaving the content open but also (legally) allowing ads to be blocked. I'm not stealing from McDonald's if they have to charge less than they would like to for a burger because the market can't support the higher price. INAL, but there is no expectation of privacy on a public website, and there is no de facto or de jure obligation for any viewer to view all parts of the content (e.g., the ads) on a public website.

I have no no problems with

Anonymous's picture

I have no no problems with static adds on web pages, and I would think most users wouldn't. I can understand why someone would get upset with AdBlocker interfering with those though (but please tell me whoever thought up adwords? I'd like to give him a big smack.). As long as the adds don't interrupt your web browsing experience they should be allowed. That said, my main operating system is linux which I don't use either on. I now use both on Windows, which I use to play WoW, after I got hacked from a script. Oddly enough NoScript interferes with displaying of ads just as much as addblock. 95% of the web pages I visit have google adds blocked from NoScript. He doesn't have a lot of room to complain in this situation.

no

Anonymous's picture

blocking ads is not stealing that is crap. people need to go and read up on the term stealing. stealing is when you take something away physically like a car or a pizza.

It may not be

Don Pierce's picture

It may not be Stealing. But it is crazy to think that you have the right to view the page. If the owner of the page wants to make some money then you have to pay. Now they can start charging you for the use of their site/software or fund it by ads. As I see it I don't mind ads if it means I can use there site/software for free. Well I guess I believe people should be paid if they want to be paid for their work.

> If the owner of the page

Tuxly_Tuxford_McTuxtington's picture

> If the owner of the page wants to make some money then you have to pay

No. I don't *have* to pay anybody to see a publicly available web page.

Some software comes with spyware/adware, which ends up earning the developer money. Do you not mind this as well? It lets you use it for free, and the developer gets paid for his work. Of course, it comes at the price of your privacy, but you're using something for free.

If ads are the only source of income, developers of software or websites need to get a new (and less annoying) business model.

Perhaps a good thing?

CharlesH's picture

The way this problem was revealed was almost harmless. Now a major vulnerability is known about, and can be fixed. Indeed, if you're using only Mozilla approved plug-ins it seems well on it's way to *being* fixed. It could have been much worse.

The question remains "Is there anything that can prevent worse than this from happening with plug-ins that HAVEN'T been vetted. My off-the-top-of-my-head answer would be no. Which means that wariness is needed...because everybody slips occasionally. (*How* to be wary is a quite difficult question. I haven't got any answers that are generally applicable.)

I see nothing wrong with ads

Anonymous's picture

I see nothing wrong with ads in and of themselves, But due to security and privacy I have been forced to use ad blocking software. In todays webcioty to many places take advantage of people, you can barely go anywhere withou being bombarded by ads, many of which with just one malicious group you can become infected with malware spyware, and a whole host of other things. not to mention the increased load and poor responsiveness of many sites due to the ads that they may have. The laziness of site developers also has increased this by going with ads generated by 3rd party sites where they dont even have direct control over what is shown on their site. Services like adblock plus are a necessary evil. If I feel something is worth advertising on my own site then I will create the ad on my site (most blocking software is desgined to block ads from 3rd party ad generators) and keep it neat an unobtrusive to my users tailoring it to my sites needs. If the site owner is THAT reliant on ads to support them then perhaps they should have a section dedicated to such a thing instead of plastering it everywhere you go. If I find that a site is informative and useful and they are promoting something of value then I will check it out. There are other ways to get support other then ad services. If that is all you have to rely on you have a very poor business model to begin with.

Who's going to pay?

Anonymous's picture

Mistakes were made on both sides, by all three parties involved (including Ares2).

My question is to LinuxJournal (I know Shawn Powers will respond): If 100% of your LinuxJournal.com visitors used a product like AdBlock or Junkbuster, how long could the LinuxJournal.com site run? How long until the powers that be would shut it down?

I used to use products like Junkbuster and AdBlock, but then I realized that I was stealing the content. Someone has to pay for the content and thankfully the advertisers are willing to do it. I agree that many of the ads have gotten obnoxious, so if I visit a site that uses a float-over or some other very intrusive ad I don't go back to the site. It's their right to use those ads and if that's the way they feel they need to get my attention, then it's my right not to go back. Just like television, I can't stand the 8 to 10 minute marathon of commercials during every break. So I stopped watching it. It costs real money to operate a website and develop content for readers to absorb. If you're blocking the ads and reading the content for free, essentially your stealing, but if that terminology offends you then at the very least you're a drain on the site and making the site you like struggle that much more to remain viable.

Seriously, how long would LinuxJournal.com last if 100% of their visitors used some sort of adblocking tool?

I use an adblocker

Tuxly_Tuxford_McTuxtington's picture

I block ads, even on LinuxJournal.com. I also subscribe to the print edition, so they're getting my money.

If a company can only stay afloat by annoying its users with flashing or distracting ads, then maybe they need a better business model. Now that I'm used to a "clean" net, I can't even surf without an adblocker. It's like every page has a flashing monkey or something that wants to be clicked.

I'm curious. Would you be

Webmistress's picture

I'm curious. Would you be willing to pay for an additional subscription to LinuxJournal.com?

Katherine Druckman is webmistress at LinuxJournal.com. You might find her on Twitter or at the Southwest Drupal Summit

I'm not here to subsidize every Tom, Dick & Harry...

Zeke Krahlin's picture

that wants to cop a dollar off the 'net. I'm totally anti-capitalist, and believe in socialized democracy to give everyone that is born, quality of life...not advertisements shoved in our faces and ears wherever we turn...whether in cyberspace or real space. As a result of my sane ideology, I aggressively eliminate any ads from my Internet activities. People _do_ make money off my cyber browsing, but it's not because they advertise (if they do at all).

To accuse anyone of stealing, because s/he blocks ads, is simply buying into the zombie mentality of a hyper capitalised and materialistic culture that has absolutely no sense of value or concern for human dignity, freedom, and meaning. Essentially, capitalism is an enemy of the state: it is UNAMERICAN. And as a responsible citizen, I take up arms of ad-blockers in order to abate the enemy.

Now that I've said all this...do me a favor and buy me a subscription to Linux Journal. I'd most appreciate that, from someone who joyfully kisses *ss to the Molech of Moolah.

Maone did nothing wrong.

Anonymous's picture

Maone did nothing wrong. There is nothing wrong in trying to prevent someone else's software from interfering with your software. Take the emotive issue of adware out of it for the moment. Companies that sell anti-virus and anti-adware software wouldn't *exist* if the virus and adware writers did not exist. It would be in their own interests to *support* the virus writers. It's far from a black/white issue.

Like I said

Anonymous's picture

Like I said about this issue in another forum: Back before the adds on web pages got so obnoxious, obtrusive, and annoying, I didn't mind them. I still wouldn't today, if they were text only, not obtrusive, not floating, and had no graphics. Sadly, that is almost never the case today. I see nothing wrong with blocking all adds on web sited. Since I never clivk on them anyway, its no loss to the web site owner if I don't see their adds. In fact, it makes it more likely that I will visit the site again.

While I don't have much income these days, I DO support several web sites that offer services that use regularly.

It was totally wrong for Maone to try to interfere with Adblock Plus blocking his site's adds. Not that I visited the site anyway, and I object to my browser opening the site after I installed NoScript.

I think that the Mozilla folks are on the right track with their proposed new policy.

Mea culpas....

fest3er8's picture

It's fairly easy for one man meekly to say, "I was wrong." Even the Fonz was able to go so far as to say, "I was wrzzzzhhh." At least he tried. But it is impossible for a company of tens, hundreds or even thousands to say, "I was wrong" or "we were wrong." Admitting error requires a humanizing aspect, a trait foreign to nearly all companies.

self-correcting open source

quixote's picture

Agreed that Maone needs to get himself checked out for early-onset dementia, but other than that several things happened that I think the open source community can be proud of. 1) The problem was quickly found and identified. 2) The community and the Mozilla folks reacted appropriately. 3) Maone came back to his senses.

Compare that with remote control "features" in Windows or the Kindle or iPhones or some of the Symantec software. Some of that stuff has been around for years, and the only reaction seems to be, "Problem? What problem?"

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix