Internet Drama: Adblock Plus vs. NoScript

When Software Updates Violate Your Trust

Generally speaking, when I install or update software, I don't expect it to modify other software behind my back.

A little internet drama over "warring" Firefox extensions just recently flared up around this issue. While it was quickly resolved (and since writing this article, the developer has apologized to the community), I think it highlights how third-party Firefox extensions users download and install are capable of modifying the behaviour of programs outside of their own "sandbox" - including other extensions - without requiring permission from the user.

(This is not the first incident of this kind: some programs "silently" add extensions, e.g. Microsoft suffered the wrath of a few nerds when a .NET update added an extension to Firefox that modified the browser's User-Agent string to include a .NET CLR identifier, and could not be disabled normally from the add-ons menu.)

For those just joining, ABP is Adblock Plus - a free ad blocking program for Firefox. At time of writing, it is the most popular Firefox extension to date on the Mozilla Add-Ons site - presumably because the internet is stunningly different when ad-free. The individual who develops and maintains it also seems to have a pretty clear conscience, and has rejected numerous slimy commercial "integration" and bundling offers - allegedly even from a large search engine. (More power to him for being rebelliously independent, I say.)

NoScript is a similar, free extension which takes the cynical approach of blocking almost all JavaScript by default - including ad services such as Google AdSense, analytics and tracking scripts and so on - which helps protect against JavaScript-related security holes and the like. It is similarly popular because it fills a slightly different, more paranoid niche than Adblock Plus.

Irony, Defined: Ads On Your Ad-Blocking Extension's Site

The "drama" is not lessened by the fact that NoScript has advertising on its own site, and by default NoScript is configured to allow ads to run on its own website. This is probably "OK" given the extension is free and the developer could use a little support, etc.

Whenever the NoScript extension is updated within Firefox, it opens its homepage in your browser to show details about the latest version, updates etc., and also, conveniently, shows a number of ads. Given NoScript seems to be updated fairly regularly, this is a lot of potential revenue for them. I've always been a little cynical of this practice, given the obvious conflict of interest.

Obfuscated Evil

Where NoScript went "evil" and drew this storm of criticism was a recent update in which NoScript would effectively modify Adblock Plus if the latter were installed: new rules (a "subscription", to use the product term) were added to ABP that whitelisted the NoScript site, ensuring ads would show there. While profiting from your users because your own software whitelists your own program's homepage may be understandable, modifying the behaviour of other programs strictly for your own monetary gain (and trying to hide it, no less) is not cool. Software from vendor A should not overwrite or modify software from vendor B silently and without confirmation or opt-in from the user. (Perhaps a better approach would have said, "Would you like to whitelist the NoScript site in ABP, and help support NoScript development?")

Most incredibly, the code added within NoScript that did this dirty work was obfuscated; it's pretty clear the NoScript developer was trying to hide what he was doing to Adblock Plus. I would expect to see this sort of foul play only in adware/malware. The hypocrisy is quite stunning given this is a program that's supposed to be supportive in blocking "evil" and encouraging safe, secure browsing on the internets.
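One way a user could spot this kind of silent change, as an added example that is not code from either extension: compare the ad blocker's filter text saved before and after an update and report any new allow rules, grouped by the site they exempt. It assumes Adblock Plus filter syntax, where a leading `@@` or an embedded `#@#` marks an exception rule; the snapshots and domains are constructed placeholders.

```python
import re
from collections import defaultdict

# Host part of a request exception such as "@@||host^$opts" or "@@|http://host/..."
_HOST = re.compile(r"^@@\|{0,2}(?:[a-z][a-z0-9+.-]*://)?([^/^$*:|]+)", re.I)

def exception_rules(filter_text):
    """Return {domain: [rules]} for every allow (exception) rule in the text."""
    found = defaultdict(list)
    for raw in filter_text.splitlines():
        rule = raw.strip()
        if not rule or rule[0] in "![":          # blank, comment or list header
            continue
        if rule.startswith("@@"):                # request exception
            m = _HOST.match(rule)
            domains = [m.group(1).lower()] if m else ["(any)"]
        elif "#@#" in rule:                      # element-hiding exception
            scope = rule.split("#@#", 1)[0]
            domains = [d.lower() for d in scope.split(",") if d] or ["(any)"]
        else:
            continue                             # ordinary blocking rule
        for domain in domains:
            found[domain].append(rule)
    return dict(found)

def added_exceptions(before, after):
    """Allow rules present in `after` but not in `before`, grouped by domain."""
    old = {r for rules in exception_rules(before).values() for r in rules}
    added = {}
    for domain, rules in exception_rules(after).items():
        new = [r for r in rules if r not in old]
        if new:
            added[domain] = new
    return added

# Constructed snapshots: filter text saved before and after an extension update.
BEFORE = """[Adblock Plus 1.0]
! constructed sample list
||ads.example.net^
@@||cdn.example.org^$stylesheet
"""
AFTER = BEFORE + """@@||extension-homepage.example^$document
extension-homepage.example#@#.sponsor-box
"""

if __name__ == "__main__":
    for domain, rules in added_exceptions(BEFORE, AFTER).items():
        print(f"new allow rules for {domain}:")
        for rule in rules:
            print("   ", rule)
```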

Given the little shitstorm presumably caused by the inter-nerds over this, the developer has published an update which undoes this ABP modification, with the comment, and I quote, "no questions asked." (As though he caught you red-handed, stealing something.) Intentional or not, man, what an attitude!

Slashdot has a related discussion, which includes mention of the update and some insightful comments which cover some of the backstory.
