757 points shak77 | 32 comments
blauditore ◴[] No.15932880[source]
Many people seem to be shocked because Mozilla installed an add-on automatically. In my opinion, it doesn't really matter since the code is coming from Mozilla - they're building the whole browser, so they could introduce functionality anywhere. If someone distrusts their add-ons, why trust their browser at all?

The main question is what behavior is being introduced. I haven't researched deeply, but apparently the add-on does nothing until the user opts in to studies.

replies(16): >>15932942 #>>15932953 #>>15932998 #>>15932999 #>>15933001 #>>15933342 #>>15933599 #>>15933649 #>>15933656 #>>15933806 #>>15933901 #>>15934475 #>>15934693 #>>15935133 #>>15935703 #>>15941934 #
skymt ◴[] No.15932953[source]
Speaking for myself here, but I'm not concerned that Mozilla might push malware into Firefox installations. I'm concerned about the lack of judgement in pushing an extension with a vague, scary-sounding name and description simply for a cross-marketing tie-in, and I'm worried that it could have damaged the trust ordinary users have in Firefox.
replies(5): >>15933006 #>>15933291 #>>15934516 #>>15934671 #>>15935418 #
1. pmlnr ◴[] No.15933006[source]
> I'm not concerned that Mozilla might push malware into Firefox installations

Nobody is concerned about that, in my opinion. I'm concerned someone will push malware through Mozilla into Firefox installations. Pushing addon installs should not be possible at all.

replies(4): >>15933118 #>>15933239 #>>15933501 #>>15936753 #
2. kibibu ◴[] No.15933118[source]
I'm concerned about Mozilla pushing software written by the Mr Robot marketing department.
replies(3): >>15933277 #>>15933394 #>>15937337 #
3. pilif ◴[] No.15933239[source]
They can also push new browser releases though. They are also auto-installed by default.

The exception is that an addon can do slightly less damage than a compromised browser itself.

replies(1): >>15934388 #
4. y_u_no_rust ◴[] No.15933277[source]
Is the plugin open source? Where can we vet it? I can't find it on GitHub or anything like I can with the other plugins I use.
replies(1): >>15933336 #
5. callahad ◴[] No.15933336{3}[source]
The source lives at https://github.com/gregglind/addon-wr/
replies(1): >>15933355 #
6. Ajedi32 ◴[] No.15933355{4}[source]
Looking over [the contributors list][1], looks like the plugin was written entirely by Mozilla employees. So, no "Mr Robot marketing department", as some commenters here have been speculating.

[1]: https://github.com/gregglind/addon-wr/graphs/contributors

replies(3): >>15933504 #>>15935757 #>>15936168 #
7. callahad ◴[] No.15933394[source]
I'm not entirely comfortable with how this all went, but it's at least worth noting that the add-on was written entirely by Mozilla engineers.
replies(1): >>15933756 #
8. elil17 ◴[] No.15933501[source]
> I'm concerned someone will push malware through Mozilla into Firefox installations.

Mozilla installing a bunch of addons that look like viruses ends up preventing users from being able to identify actual viruses.

replies(1): >>15938940 #
9. acqq ◴[] No.15933504{5}[source]
It's a technicality. The description is still:

"Looking Glass is a collaboration between Mozilla and the makers of Mr. Robot to provide a shared world experience."

It doesn't matter who technically coded it. "Mr Robot marketing department" was obviously deciding about its existence, behavior and content -- if that description is true.

But looking at the source of the extension, I find the following URLs inside:

https://www.red-wheelbarrow.com/forkids/

https://red-wheelbarrow-stage.apps.nbcuni.com/forkids/activi...

So it seems it is some marketing, the question is which company now, and do they change?

replies(1): >>15934230 #
10. UmmNope ◴[] No.15933756{3}[source]
This is the opposite of comforting
replies(1): >>15934029 #
11. UmmNope ◴[] No.15934029{4}[source]
Well it is - one could expect this sort of crap pushed by marketing/bizdev via management but the fact that Mozilla engineers actively collaborated on this is a sign of deep normative inadequacy among the people who are supposed to be the last line of defense against this sort of thing.
replies(1): >>15934141 #
12. TheRealPomax ◴[] No.15934141{5}[source]
You seem to either not understand or ignore that even in a company like Mozilla, there are decisions made by marketing that end up having to be implemented by engineers. It might be a non-profit, but it's a non-profit corporation with salaried employees, not a loose assembly of people purely in it for the love of a browser. If the incredibly high up people say X needs to happen, you make X happen.
replies(2): >>15934520 #>>15936758 #
13. rhys91 ◴[] No.15934230{6}[source]
I'm not sure why this is downvoted. I work in advertising as a conceptual creative. My entire career is about creating ideas like this for brands.

An art director and copywriter sat in a room together over two days and came up with lots of different ideas to generate PR for Mr. Robot. They presented the ideas to a creative director, who went through the work and picked the one he felt was most suitable. They presented it to the client, who supported the idea.

There would have been some line of communication from the creative agency, whoever owns Mr Robot, a media/PR agency and Mozilla. The idea was bought by the client, had the agency liaise with media/PR, got in touch with Mozilla with an undisclosed donation and the add-on was coded.

replies(1): >>15934336 #
14. acqq ◴[] No.15934336{7}[source]
The biggest problem, for me, is that these extensions obviously get less scrutiny in the Mozilla organization. The "core" is made with a lot of "eyes" taking care that nothing "wrong" for the user enters the code base.

Then some marketing people both in and outside of Mozilla push something that is probably not passing the same strict reviews.

It points to the organizational problem in Mozilla.

Re: "not sure": don't worry, some people do this not for the content but for the author, some lack reading comprehension and some just press the wrong button. Just vote yourself, and if you reply, say that you agree, don't mention the word you mentioned.

replies(1): >>15934795 #
15. Parcissons ◴[] No.15934388[source]
I deeply hate this update methodology. Some hipster fresh from university decides that the GUI, approach, functionality I use daily is no longer needed and pushes his rewrite into a release. One click later I'm stuck with this, because all the bundled crap is hijacking the "security" for a ride.

If any software developer would truly respect users, he would offer updates as separate packages, where users can opt out of non-security ones, and those updates humanity votes with their feet against vanish into the bin of useless software.

replies(1): >>15935869 #
16. TooFastIndeed ◴[] No.15934520{6}[source]
I understand it all too well, but when Mozilla is posing as a public benefit company with the "good of the Internet" as its mission this kind of stuff is inexcusable and should be called out all the louder.
17. jonathankoren ◴[] No.15934795{8}[source]
Why would you assume that it doesn’t pass through the same review process? None of your assumptions are obvious to me.
replies(1): >>15934909 #
18. acqq ◴[] No.15934909{9}[source]
Why would you assume that it does? Have you ever seen how big products like core Firefox binaries are written, reviewed and tested? I took part in that, and this doesn't look at all like part of that process. I see it's not even in the same repository where the "serious stuff" is. It's not part of that process.

This looks like "let's give little Perry and these marketing departments something to play, whatever, it's just an extension, who cares." So little Perry writes a description of the extension "MY REALITY IS JUST DIFFERENT FROM YOURS", the extension gets silently pushed to all the US users(!) (Firefox has support for that) who freak out, and the first response from somebody involved with that was "it was not supposed to be seen." You see, it was planned to keep the extension also "invisible" to the users -- Firefox has support for that too! The extension was obviously not formally reviewed or formally tested, if the "invisibility" was the goal. Of course, it being "invisible" wouldn't be better. It's a misuse of the whole mechanism, compared to what Mozilla explained to the users. The mechanism was supposed to allow making "studies" from the behavior of the users who agree to take part in them. Instead, it was an attempt at a "viral ad" that was delivered to the whole Firefox-using US population. There are multiple wrong decisions in this story.

Now I hope Mozilla does get the idea that the users do care.

replies(1): >>15939820 #
19. bigbugbag ◴[] No.15935757{5}[source]
Well...

https://support.mozilla.org/en-US/kb/lookingglass

20. pilif ◴[] No.15935869{3}[source]
Imagine the complexity of maintaining the software when every patch must anticipate a fragmented mess of different pieces of patches being installed on target systems. Imagine the explosion of testcases required.

At that point, it’s probably better to just stop feature development and do nothing but security patches, which of course will lead to stagnation and which will also lead to fragmentation as many more incompatible releases of the same software will be out in use.

This will make it even harder for developers to adapt new technologies. Imagine how bad the already messy caniuse.com would look when every single browser version would be supported forever and could be individually configured feature by feature.

Especially as people somewhat versed in technology (I think it’s safe to call HN audience that), I think there is advantage in going with the flow and adapting to new releases and UI paradigms.

Otherwise we'd still be running on DOS and us developers would still have to support it.

Relevant XKCD: https://xkcd.com/1172/

replies(2): >>15936577 #>>15937224 #
21. ◴[] No.15936168{5}[source]
22. bigbugbag ◴[] No.15936577{4}[source]
Ever heard of Debian? Then maybe you've heard of Debian backports?

I'm asking because Debian and backports are doing exactly that: separating security patches from the rest, not for a browser but for a whole OS and every application including Firefox.

Also, this xkcd is not relevant. The point here is that Mozilla has quite a history of breaking userspace, earning them the reputation of "making far-reaching and very short-sighted decisions in a vacuum."[1]

[1]: http://forums-test.mozillazine.org/viewtopic.php?p=14736466#...

23. jopsen ◴[] No.15936753[source]
I suspect it's a plan to make some functionality optional... Or opt out..

I.e. code splitting and reducing bloat, and speeding up development by providing some features as add-ons...

24. Mithaldu ◴[] No.15936758{6}[source]
It's a non-profit with a duty specifically different from "make profits" and there are consequences to this.

To quote an ex-Mozilla employee:

> Because the Mozilla Foundation is a nonprofit corporation, it has a specific legal purpose for existing spelled out explicitly in its articles of incorporation: "The specific purpose of the Corporation [here meaning the Foundation] is to promote the development of, public access to and adoption of the open source Mozilla web browsing and Internet application software." If Mozilla Foundation were to ignore this mandate, it would jeopardize the nonprofit, tax exempt status of the foundation

In this case they are definitely ignoring the mandate, and this should never remotely have happened.

Source of the legalese: https://static.mozilla.com/foundation/documents/mf-articles-...

25. awalton ◴[] No.15937224{4}[source]
> Imagine the complexity of maintaining the software when every patch must anticipate a fragmented mess of different pieces of patches being installed on target systems.

...why imagine? That's life as a Windows/Linux/Android dev. (Apple is sort of a stand-out because it has vastly fewer installable parts and fewer versions in the wild such that it's actually possible to test every patch level of every supported version of macOS or iOS at any given time).

But none of that makes push updates right or wrong. The reality is that it's less of a push than it is a pull anyway - in this case the client is asking for updates on an interval, and the server says "yep, there's one for you." The client grabs it and installs it. And it's turned on by default because, for the most part, that's the right thing to do for your users: you'd rather them be on the newest patch level. Hell for IT admins though, which is why it's almost always a feature they can disable at will.

So here's where this case differs: it's an "experiment" that's actually just marketing trash pushed through the "experiments" channel which is also armed by default, rather than a security or product update (which anybody reasonable can argue should be on by default - secure by default is the goal, after all). The only "experiment" in this case is seeing how many users will put up with Mozilla continuing to pimp out Firefox to the highest bidder as a grab for a new revenue stream before they reluctantly switch back to Chrome.

And judging by the backlash on patches like this one, it's not going so well...

26. mshenfield ◴[] No.15937337[source]
This thread needs to lighten up. It's one goofily named add-on pushed to a minuscule number of users in an opt-in program. Firefox and their judgement are fine.
replies(1): >>15941636 #
27. ryanlol ◴[] No.15938940[source]
End users being users prevents them from identifying actual viruses.
28. ackalker ◴[] No.15939820{10}[source]
> [...] the extension gets silently pushed to all the US users(!)

Non-US user here, my Firefox got it, too.

replies(1): >>15939984 #
29. acqq ◴[] No.15939984{11}[source]
It's not what you are but what your settings are, please go here and check what your browser reports under ACCEPT_LANGUAGE. If it is "en-US" you are considered a "US user" enough:

https://www.whatismybrowser.com/detect/what-http-headers-is-...

BTW: the extension we all talk about here has exactly this site that is used for checking the headers hardcoded inside, obviously in order for the developers to test their newly coded functionality with which they add an additional header entry in the request to some specific sites, specifically, the "main target" is a brand (I've given the link earlier on in this thread). It's obviously an advertisement for the US as that "main target" site is only meaningful to the US public. But it's obviously not the whole story.

If your language is not en-US it's worse than what I've understood.

replies(1): >>15940216 #
30. ackalker ◴[] No.15940216{12}[source]
In my case the setting lists two languages, but "en-US" does appear to have a higher 'quality' factor, so there.
31. siimtalvik ◴[] No.15941636{3}[source]
It was an opt-out program actually.

Studies are enabled by default.

replies(1): >>15945920 #
32. mshenfield ◴[] No.15945920{4}[source]
See the dev's response on the "slippery slope" thread. You had to go into about:config to enable it.