757 points shak77 | 60 comments
blauditore ◴[] No.15932880[source]
Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts in on studies.

replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #
1. skymt ◴[] No.15932953[source]
Speaking for myself here, but I'm not concerned that Mozilla might push malware into Firefox installations. I'm concerned about the lack of judgement in pushing an extension with a vague, scary-sounding name and description simply for a cross-marketing tie-in, and I'm worried that it could have damaged the trust ordinary users have in Firefox.
replies(5): >>15933006 #>>15933291 #>>15934516 #>>15934671 #>>15935418 #
2. pmlnr ◴[] No.15933006[source]
> I'm not concerned that Mozilla might push malware into Firefox installations

Nobody is concerned about that, in my opinion. I'm concerned someone will push malware through Mozilla into Firefox installations. Pushing addon installs should not be possible at all.

replies(4): >>15933118 #>>15933239 #>>15933501 #>>15936753 #
3. kibibu ◴[] No.15933118[source]
I'm concerned about Mozilla pushing software written by the Mr Robot marketing department.
replies(3): >>15933277 #>>15933394 #>>15937337 #
4. pilif ◴[] No.15933239[source]
They can also push new browser releases though. They are also auto-installed by default.

The exception is that an addon can do slightly less damage than a compromised browser itself.

replies(1): >>15934388 #
5. y_u_no_rust ◴[] No.15933277{3}[source]
Is the plugin open source, where can we vet it? I can't find it on GitHub or anything like I can with the other plugins I use
replies(1): >>15933336 #
6. jotux ◴[] No.15933291[source]
I'm worried my work Security/IT department will see it, freak out, and blanket ban Firefox on all machines for 6 months.
replies(2): >>15933683 #>>15936703 #
7. callahad ◴[] No.15933336{4}[source]
The source lives at https://github.com/gregglind/addon-wr/
replies(1): >>15933355 #
8. Ajedi32 ◴[] No.15933355{5}[source]
Looking over [the contributors list][1], looks like the plugin was written entirely by Mozilla employees. So, no "Mr Robot marketing department", as some commenters here have been speculating.

[1]: https://github.com/gregglind/addon-wr/graphs/contributors

replies(3): >>15933504 #>>15935757 #>>15936168 #
9. callahad ◴[] No.15933394{3}[source]
I'm not entirely comfortable with how this all went, but it's at least worth noting that the add-on was written entirely by Mozilla engineers.
replies(1): >>15933756 #
10. elil17 ◴[] No.15933501[source]
> I'm concerned someone will push malware through Mozilla into Firefox installations.

Mozilla installing a bunch of addons that look like viruses ends up preventing users from being able to identify actual viruses.

replies(1): >>15938940 #
11. acqq ◴[] No.15933504{6}[source]
It's a technicality. The description is still:

"Looking Glass is a collaboration between Mozilla and the makers of Mr. Robot to provide a shared world experience."

It doesn't matter who technically coded it. "Mr Robot marketing department" was obviously deciding about its existence, behavior and content -- if that description is true.

But looking at the source of the extension, I find the following URLs inside:

https://www.red-wheelbarrow.com/forkids/

https://red-wheelbarrow-stage.apps.nbcuni.com/forkids/activi...

So it seems it is some marketing, the question is which company now, and do they change?

replies(1): >>15934230 #
12. 45h34jh53k4j ◴[] No.15933683[source]
your work security team loves mr robot, it will be fine...
replies(1): >>15935612 #
13. UmmNope ◴[] No.15933756{4}[source]
This is the opposite of comforting
replies(1): >>15934029 #
14. UmmNope ◴[] No.15934029{5}[source]
Well it is - one could expect this sort of crap pushed by marketing/bizdev via management but the fact that Mozilla engineers actively collaborated on this is a sign of deep normative inadequacy among the people who are supposed to be the last line of defense against this sort of thing.
replies(1): >>15934141 #
15. TheRealPomax ◴[] No.15934141{6}[source]
You seem to either not understand or ignore that even in a company like Mozilla, there are decisions made by marketing that end up having to be implemented by engineers. It might be a non-profit, but it's a non-profit corporation with salaried employees, not a loose assembly of people purely in it for the love of a browser. If the incredibly high up people say X needs to happen, you make X happen.
replies(2): >>15934520 #>>15936758 #
16. rhys91 ◴[] No.15934230{7}[source]
I'm not sure why this is downvoted. I work in advertising as a conceptual creative. My entire career is about creating ideas like this for brands.

An art director and copywriter sat in a room together over two days and came up with lots of different ideas to generate PR for Mr. Robot. They presented the ideas to a creative director, who went through the work and picked the one he felt was most suitable. They presented it to the client, who supported the idea.

There would have been some line of communication from the creative agency, whoever owns Mr Robot, a media/PR agency and Mozilla. The idea was bought by the client, had the agency liaise with media/PR, got in touch with Mozilla with an undisclosed donation and the add-on was coded.

replies(1): >>15934336 #
17. acqq ◴[] No.15934336{8}[source]
The biggest problem, for me, is that these extensions obviously get less scrutiny in the Mozilla organization. The "core" is made with a lot of "eyes" taking care that nothing "wrong" for the user enters the code base.

Then some marketing people both in and outside of Mozilla push something that is probably not passing the same strict reviews.

It points to the organizational problem in Mozilla.

Re: "not sure": don't worry, some people do this not for the content but for the author, some lack reading comprehension and some just press the wrong button. Just vote yourself, and if you reply, say that you agree, don't mention the word you mentioned.

replies(1): >>15934795 #
18. Parcissons ◴[] No.15934388{3}[source]
I deeply hate this update methodology. Some hipster fresh from university decides that the GUI, approach, functionality I use daily is no longer needed and pushes his rewrite into a release. One click later I'm stuck with this, because all the bundled crap is hijacking the "security" for a ride.

If any software developer would truly respect users, he would offer updates as separate packages, where users can opt out of non-security ones, and those updates humanity votes with their feet against vanish into the bin of useless software.

replies(1): >>15935869 #
19. WhitneyLand ◴[] No.15934516[source]
I don’t see the harm in a good organization contributing a lot of value to this world having a little fun.

Some of the comments are mentioning IT managers banning firefox, those will be the same IT managers doing all the other pennywise/pound foolish things that make you try not to work on their team in the first place.

Maybe it’s actually good to put something scary sounding in there to raise awareness. It could help people understand that scary phrases are not the most common sign of foul play. When the real hackers come for you, they usually don't look scary at all.

replies(4): >>15934551 #>>15934851 #>>15935743 #>>15936139 #
20. TooFastIndeed ◴[] No.15934520{7}[source]
I understand it all too well, but when Mozilla is posing as a public benefit company with the "good of the Internet" as its mission this kind of stuff is inexcusable and should be called out all the louder.
21. pavel_lishin ◴[] No.15934551[source]
> I don’t see the harm in a good organization contributing a lot of value to this world having a little fun.

One potential downside is that now people might not pay close attention to the installed addons. "Oh, must be some Mozilla thing", as GoldenDwarf quietly consumes user CPU cycles to mine cryptocurrency for someone else.

replies(1): >>15934718 #
22. code_duck ◴[] No.15934671[source]
Hopefully this helped people who were scared by it learn how to analyze add-ons for trustworthiness.
23. flamedoge ◴[] No.15934718{3}[source]
This calls for.... anti mining extension. like adblock, miningblock.
replies(1): >>15935134 #
24. jonathankoren ◴[] No.15934795{9}[source]
Why would you assume that it doesn’t pass through the same review process? None of your assumptions are obvious to me.
replies(1): >>15934909 #
25. ryanisnan ◴[] No.15934851[source]
I don't look to my browser's implementation to "have a little fun". This is a foolish decision on Mozilla's part.
replies(1): >>15935961 #
26. acqq ◴[] No.15934909{10}[source]
Why would you assume that it does? Have you ever seen how big products like core Firefox binaries are written, reviewed and tested? I took part in that, and this doesn't look at all as part of that process. I see it's not even in the same repository where the "serious stuff" is. It's not part of that process.

This looks like "let's give little Perry and these marketing departments something to play, whatever, it's just an extension, who cares." So little Perry writes a description of the extension "MY REALITY IS JUST DIFFERENT FROM YOURS", the extension gets silently pushed to all the US users(!) (Firefox has support for that) who freak out, and the first response from somebody involved with that was "it was not supposed to be seen." You see, it was planned to keep the extension also "invisible" to the users -- Firefox has support for that too! The extension was obviously not formally reviewed or formally tested, if the "invisibility" was the goal. Of course, it being "invisible" wouldn't be better. It's a misuse of the whole mechanism, compared to what Mozilla explained to the users. The mechanism was supposed to allow making "studies" from the behavior of the users who agree to take part in them. Instead, it was an attempt at a "viral ad" that was delivered to the whole Firefox-using US population. There are multiple wrong decisions in this story.

Now I hope Mozilla does get the idea that the users do care.

replies(1): >>15939820 #
27. ◴[] No.15935134{4}[source]
28. TylerH ◴[] No.15935418[source]
What's scary about "Looking Glass"? It's not named something like "PrivacyRemover" or "SpamEmailer" or anything.
replies(1): >>15935803 #
29. chris_wot ◴[] No.15935612{3}[source]
No, it really will not. My workplace saw that OpenOffice had a security issue, and banned it AND LibreOffice.

Nothing I can do about it. Can’t argue. Trust is very, very easily lost and incredibly hard to regain. And it can hit innocent third parties. It’s very, very wrong to do anything that could destroy trust.

replies(1): >>15935792 #
30. bigbugbag ◴[] No.15935743[source]
What do you mean having a little fun ?

Firefox is bleeding market share and has been for a while. Despite this, revenue and profit is at an all time high for mozilla which is weird as the revenue comes from sending their users to google for being profiled and exposed to ads. Meanwhile long time users lose faith and trust in mozilla and firefox.

Not exactly the best time to be caught having "a little fun" move showing that they will sneakily install stuff in your browser without asking.

Then again mozilla is "making far-reaching and very short-sighted decisions in a vacuum."[1]

[1]:http://forums-test.mozillazine.org/viewtopic.php?p=14736466#...

replies(2): >>15935865 #>>15935917 #
31. bigbugbag ◴[] No.15935757{6}[source]
Well...

https://support.mozilla.org/en-US/kb/lookingglass

32. franga2000 ◴[] No.15935792{4}[source]
Have they seen the shit that's been found in Microsoft Office? It seemed like there was a new RCE every week for a while.
replies(1): >>15938301 #
33. bigbugbag ◴[] No.15935803[source]
What was wrong about apple automatically adding a U2 album to itunes library ?

Same here for looking glass, we do not want corporations to be in control of our stuff. Mozilla showing that they have built the capacity to auto install addons into your browser is quite the issue, you can rest assured that some are already working on ways to abuse this.

That they have done it as a promotional marketing trick and not for something useful or serious sends the wrong kind of message on top of it.

34. TAForObvReasons ◴[] No.15935865{3}[source]
> Firefox is bleeding market share and has been for a while.

http://gs.statcounter.com/

    Chrome            54.98%
    Safari            14.79%
    UC Browser         7.98%
    Firefox            6.09%
    Internet Explorer  3.88%
    Opera              3.79%

In all fairness, Firefox has overtaken IE.
replies(2): >>15936528 #>>15936626 #
35. pilif ◴[] No.15935869{4}[source]
Imagine the complexity of maintaining the software when every patch must anticipate a fragmented mess of different pieces of patches being installed on target systems. Imagine the explosion of testcases required.

At that point, it’s probably better to just stop feature development and do nothing but security patches, which of course will lead to stagnation and which will also lead to fragmentation as many more incompatible releases of the same software will be out in use.

This will make it even harder for developers to adapt new technologies. Imagine how bad the already messy caniuse.com would look when every single browser version would be supported forever and could be individually configured feature by feature.

Especially as people somewhat versed in technology (I think it’s safe to call HN audience that), I think there is advantage in going with the flow and adapting to new releases and UI paradigms.

Otherwise we'd still be running on DOS and us developers would still have to support it.

Relevant XKCD: https://xkcd.com/1172/

replies(2): >>15936577 #>>15937224 #
36. WhitneyLand ◴[] No.15935917{3}[source]
non sequitur. either it’s right or it’s wrong, whether or not you like the org as a whole doesn’t change that.

even so to briefly chase your point, do you believe they are doing net good, and some things are looking more positive, like the servo work? my only point is that criticism works on a relative scale. i agree there are things they could do better, but i still prefer they exist.

replies(1): >>15936686 #
37. WhitneyLand ◴[] No.15935961{3}[source]
poor argument. ostensibly the only reason to separate business from pleasure is out of practical concerns. without stating practical concerns there’s no way to consider the validity of your comment.

who knows, you may totally change my mind, but as it stands it makes it difficult to disagree or agree with you.

replies(1): >>15936141 #
38. ◴[] No.15936139[source]
39. Crespyl ◴[] No.15936141{4}[source]
How about this:

I opted into FF telemetry and "studies" with the understanding that some extra data would be collected and experimental features or specialized debugging tools might get pushed to my browser (like the last "study" I saw for collecting JS errors).

This addon is none of those things. It is an advertisement. Call it an "alternate reality game" if you like, but it's an advertisement for a television show. It has nothing to do with making Firefox a better browser.

Using the Shield Studies program to deploy extensions and advertisements that have nothing to do with the original stated purpose is an abuse of the tool and a breach of trust.

That's all aside from the fact that there's been numerous reports of people receiving the addon who never opted in to Shield Studies in the first place.

replies(1): >>15936186 #
40. ◴[] No.15936168{6}[source]
41. harshreality ◴[] No.15936186{5}[source]
Raising awareness about security and privacy relevant issues from a TV show seems to me like it (indirectly) makes Firefox a better browser. An AR game does nothing to improve the browser by itself, but think of the big picture. Cultural awareness is a big part of it.
replies(1): >>15936227 #
42. Crespyl ◴[] No.15936227{6}[source]
If you want to take an ideological perspective, the big picture of this is that the browser maker is willing to push advertising software to people who didn't ask for it, over a channel that wasn't built for it, to further a political agenda.

Even if it's ostensibly about ideals I might agree with, this was a very poor decision and a breach of trust.

43. basicplus2 ◴[] No.15936528{4}[source]
Not really.. Microsoft is killing off internet explorer
44. bigbugbag ◴[] No.15936577{5}[source]
Ever heard of debian ? Then maybe you've heard of debian backports ?

I'm asking because debian and backports are doing exactly that: separating security patches from the rest, not for a browser but for a whole OS and every application including firefox.

also this xkcd is not relevant. the point here is that mozilla has quite a history of breaking userspace earning them the reputation of "making far-reaching and very short-sighted decisions in a vacuum."[1]

[1]: http://forums-test.mozillazine.org/viewtopic.php?p=14736466#...

45. bigbugbag ◴[] No.15936626{4}[source]
Actually chrome and microsoft are responsible for IE hitting the bottom. Look at the following chart from stat counter:

https://andreasgal.files.wordpress.com/2017/05/alldevices-e1...

That all versions of firefox combined barely do better than an obsolete unsupported browser that the manufacturer actively tries to remove from the market is not a good sign.

46. bigbugbag ◴[] No.15936686{4}[source]
right/wrong or good/bad are concepts derived from organized religions to control populations' beliefs and they are inappropriate in most cases if not all because they are relative to your own beliefs.

If you are the good guy then your enemy is the bad guy but from the bad guy point of view he is the good guy and you are the bad guy.

No one is ever the bad guy in the movie of her own life.

servo, or whatever else they could come up with will never reach a net good for me as I need ALSA support and the extensions mozilla has dropped to make firefox useful to me.

I would rather have them disappear so there is room for something better to exist in its place. Right now they are occupying space and preventing an alternative from emerging.

The sad part of this is that by accumulating blunders, near sighted and far reaching decisions, with their attitude of not caring about user feedback or user freedom of choice they managed to turn me, a long time supporter (since netscape times) that has based part of my business on their browser, against them and wishing they would go away. This is quite a feat in itself. I'm not sure there is another entity that managed to alienate me that much, not even canonical or gnome.

replies(1): >>15938512 #
47. bigbugbag ◴[] No.15936703[source]
If this does not happen at your workplace, it will certainly happen at some other workplace around the world.
48. jopsen ◴[] No.15936753[source]
I suspect it's a plan to make some functionality optional... Or opt out..

I.e. code splitting and reducing bloat, and speeding up development by providing some features as add-ons...

49. Mithaldu ◴[] No.15936758{7}[source]
It's a non-profit with a duty specifically different from "make profits" and there are consequences to this.

To quote an ex-mozilla employee:

""

Because the Mozilla Foundation is a nonprofit corporation, it has a specific legal purpose for existing spelled out explicitly in its articles of incorporation: "The specific purpose of the Corporation [here meaning the Foundation] is to promote the development of, public access to and adoption of the open source Mozilla web browsing and Internet application software." If Mozilla Foundation were to ignore this mandate, it would jeopardize the nonprofit, tax exempt status of the foundation

""

In this case they are definitely ignoring the mandate, and this should never remotely have happened.

Source of the legalese: https://static.mozilla.com/foundation/documents/mf-articles-...

50. awalton ◴[] No.15937224{5}[source]
> Imagine the complexity of maintaining the software when every patch must anticipate a fragmented mess of different pieces of patches being installed on target systems.

...why imagine? That's life as a Windows/Linux/Android dev. (Apple is sort of a stand-out because it has vastly fewer installable parts and less versions in the wild such that it's actually possible to test every patch level of every supported version of macOS or iOS at any given time).

But none of that makes push updates right or wrong. The reality is that it's less of a push than it is a pull anyway - in this case the client is asking for updates on an interval, and the server says "yep, there's one for you." The client grabs it and installs it. And it's turned on by default because, for the most part, that's the right thing to do for your users: you'd rather them be on the newest patch level. Hell for IT admins though, which is why it's almost always a feature they can disable at will.

So here's where this case differs: it's an "experiment" that's actually just marketing trash pushed through the "experiments" channel which is also armed by default, rather than a security or product update (which anybody reasonable can argue should be on by default - secure by default is the goal, after all). The only "experiment" in this case is seeing how many users will put up with Mozilla continuing to pimp out Firefox to the highest bidder as a grab for a new revenue stream before they reluctantly switch back to Chrome.

And judging by the backlash on patches like this one, it's not going so well...

51. mshenfield ◴[] No.15937337{3}[source]
This thread needs to lighten up. It's one goofily named add-on pushed to a minuscule number of users in an opt-in program. Firefox and their judgement are fine.
replies(1): >>15941636 #
52. chris_wot ◴[] No.15938301{5}[source]
I didn’t say it was logical.
53. michaelmrose ◴[] No.15938512{5}[source]
Pulse seems pretty functional now. Did you know it was still possible to build firefox with alsa support?

https://github.com/Monsterovich/firefox-fuckpa

It seems like a lot of addons are being ported to the new apis too. Maybe you are too hasty?

replies(1): >>15939855 #
54. ryanlol ◴[] No.15938940{3}[source]
End users being users prevents them from identifying actual viruses.
55. ackalker ◴[] No.15939820{11}[source]
> [...] the extension gets silently pushed to all the US users(!)

Non-US user here, my Firefox got it, too.

replies(1): >>15939984 #
56. ackalker ◴[] No.15939855{6}[source]
There would be "rioting in the streets" of the internet if Mozilla ever decided to drop support for ALSA in Firefox.

There are distros, Void Linux (which I am using right now) for one, which ship without pulseaudio (or systemd for that matter) installed by default, thank goodness.

57. acqq ◴[] No.15939984{12}[source]
It's not what you are but what your settings are, please go here and check what your browser reports under ACCEPT_LANGUAGE. If it is "en-US" you are considered a "US user" enough:

https://www.whatismybrowser.com/detect/what-http-headers-is-...

BTW: the extension we all talk about here has exactly this site that is used for checking the headers hardcoded inside, obviously in order for the developers to test their newly coded functionality with which they add an additional header entry in the request to some specific sites, specifically, the "main target" is a brand (I've given the link earlier on in this thread). It's obviously an advertisement for the US as that "main target" site is only meaningful to the US public. But it's obviously not the whole story.

If your language is not en-US it's worse than what I've understood.

replies(1): >>15940216 #
58. ackalker ◴[] No.15940216{13}[source]
In my case the setting lists two languages, but "en-US" does appear to have a higher 'quality' factor, so there.
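
Comments 57 and 58 above turn on the Accept-Language request header and its quality factors. The following is an added example (not part of the thread and not code from the add-on) that parses such a header and ranks its languages by q-value following the RFC 9110 grammar; the function names and sample headers are constructed for illustration.

```javascript
// Added example: rank the languages in an Accept-Language header by their
// quality factor ("q"), following the HTTP content-negotiation grammar
// (RFC 9110). Function names and sample headers are constructed.

function parseAcceptLanguage(header) {
  if (typeof header !== "string") return [];
  const entries = [];
  header.split(",").forEach((part, position) => {
    const [tag, ...params] = part.split(";").map((s) => s.trim());
    if (!tag) return; // empty list element
    // A language range is "*" or hyphen-separated subtags of 1-8 characters.
    if (tag !== "*" && !/^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$/.test(tag)) return;
    let q = 1; // an entry without a q parameter has q=1
    for (const p of params) {
      const m = /^q\s*=\s*(.*)$/i.exec(p);
      if (!m) continue;
      // qvalue: 0 to 1 with at most three decimal digits. Dropping an entry
      // with a malformed qvalue is this example's choice.
      if (!/^(0(\.\d{0,3})?|1(\.0{0,3})?)$/.test(m[1])) return;
      q = Number(m[1]);
    }
    entries.push({ tag, q, position });
  });
  return entries
    .filter((e) => e.q > 0) // q=0 means "not acceptable"
    .sort((a, b) => b.q - a.q || a.position - b.position); // ties keep header order
}

// Highest-ranked language tag, or null if the header yields none.
function topLanguage(header) {
  const ranked = parseAcceptLanguage(header);
  return ranked.length ? ranked[0].tag : null;
}

// True when `locale` is the header's top preference (tags are case-insensitive).
function prefersLocale(header, locale) {
  const top = topLanguage(header);
  return top !== null && top.toLowerCase() === locale.toLowerCase();
}

// Constructed sample headers.
const samples = [
  "en-US,en;q=0.5",          // en-US first, implicit q=1
  "nl;q=0.5, en-US;q=0.8",   // two languages, en-US has the higher q
  "nl,en-US;q=0.7,en;q=0.3", // en-US present but not the top preference
];
for (const h of samples) {
  console.log(JSON.stringify(h), "->", topLanguage(h), "| en-US top:", prefersLocale(h, "en-US"));
}
```

A header can list en-US first and still rank another language higher, so the ranking depends on the q-values rather than on the order in which the languages appear.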
59. siimtalvik ◴[] No.15941636{4}[source]
it was an opt-out program actually.

Studies are enabled by default.

replies(1): >>15945920 #
60. mshenfield ◴[] No.15945920{5}[source]
See the dev's response on the "slippery slope" thread. You had to go into about:config to enable it.