Unknown Mozilla dev addon "Looking Glass 1.0.3" on browser

The major problem is that they installed an add-on without properly communicating what it was. A somewhat smaller problem but still a big problem is that was an utterly frivolous add-on that shouldn't have been pushed to people who didn't explicitly want it. But the biggest problem is that Mozilla seems to have trouble understanding why any of those two would be a problem, I want my browser vendor to be serious and not play silly games that can so easily backfire.

Yeah, add-ons from Mozilla merits the same trust as the browser. But this cuts both ways, this stuff undermines my and probably more people's trust in the browser.

Being serious is quickly becoming a lost art. I don't know if the majority of the userbase really enjoys it, but I can't wait till the current fashion of treating your users like 3-year-olds blows through.

The major problem was building a feature into the product that allowed for pushing add-ons without users knowledge much less active consent in the first place, there is no benign use for this kind of functionality.

You could use add-ons to manage optional functionality a la Atom. Users can enable and disable add-ons to customize their browser and some come enabled by default. If you were migrating to this method of customization it would absolutely make sense to push an enabled add-on that replaces functionality you took out of the main app.

you mean the automatic update process, which can change every single byte of every file in every directory under Firefox's control? Because unless you want to live in a world where your browser can't automatically apply security patches and upgrade critical components, the fact that the application can update itself is very much not the actual problem (and with the new web extension addon system rathern than the old XUL system, addons are actually way less security-compromising-in-potentio than updates to the actual browser itself)

> I want my browser vendor to be serious and not play silly games that can so easily backfire.

I would not care about silly stuff, like say a christmas easter egg. But this wasn't meant as a silly joke.

agreed. nothing is more frustrating to me than when my windows computer delivers an error message with a “ :( “

Indeed. I'm seeing people recommending Chromium (not Chrome) instead of Firefox because of this.

Automatically updating an already enabled add-on is hardly the same thing as silently pushing a new one.

Security updates were and still are configurable to be installed after prompting, also when they are installed automatically I am notified that this has happened. There is also an implicit trust in the vendor that only security-related functionality should be changed in a security update.

This. I love Mozilla, but between automatic change of default search engine in 57.0.1, pushing changes that broke most of my extensions and now this, I am starting to feel anxious...

I completely agree. A browser sits on a bit of a higher plane than most other pieces of technology these days, as it is so important. I have no reason to doubt the ability or intent of the developers involved with this add-on, but there is zero reason for it to be pushed to everyone without consent. I use Firefox because I want to trust my browser and not have to worry about it doing dumb shit behind my back. This goes against that very notion.

Why is this downvoted?

It sounds like a valid reason for being able to auto-install add-ons.

Because this is not the scenario that is being denounced here. A brand new add-on with functionality unrelated to the product is being installed without consent or even notification - that's capital M Malware peddling.

So this is the first response from Mozilla in the Gizmodo article:

“Firefox worked with the Mr. Robot team to create a custom experience that would surprise and delight fans of the show and our users. It’s especially important to call out that this collaboration does not compromise our principles or values regarding privacy. The experience does not collect or share any data,” Jascha Kaykas-Wolff, chief marketing officer of Mozilla, said in a statement to Gizmodo. “The experience was kept under wraps to be introduced at the conclusion of the season of Mr. Robot. We gave Mr. Robot fans a unique mystery to solve to deepen their connection and engagement with the show and is only available in Firefox.”

This is horrible. They pushed out this crap under false pretenses as a study and obfuscated it. Don't talk the ethics talk if you're not prepared to do the ethics walk.

In Linux distributions you get it from the distribution repository, and automatic updates are disabled. So at least it's reviewed by a third party.

I've been using Firefox for 90% of my browsing for a few years now and really want to continue to do so but I really wish Mozilla would stop shooting themselves in the foot already. This once again gives the impression that they have some teams that aren't in touch with the reality on the ground, that these types of initiatives hurt their chances of gaining more users.

Let me suggest you a browser aptly named waterfox, that could be described as firefox without mozilla nonsense.

[1]: https://www.waterfoxproject.org/

Ever heard of waterfox ?

https://www.waterfoxproject.org/

The automatic update process fails because it does not have right to install software on my box. The power of setting permissions and not blindly trusting software just because it is floss.

I would not want it to have this kind of power as the security patches and critical updates are provided by the kind people managing the distro repositories, and if it could update itself it would remove the third party patches required because mozilla has been refusing for 15 years to integrate correctly in my desktop environment but did integrate in the main competitor.

Is this a thing ? History shows mozilla removing functionality but never replacing it. And then it's up to volunteers to make an extension to fill the gap, until mozilla breaks the extension or drops the extensions engine altogether.

For exemple australis and classic theme restorer.

Why not recommending waterfox[1] instead ? It's firefox without the mozilla nonsense.

[1]:https://www.waterfoxproject.org/

> Don't talk the ethics talk if you're not prepared to do the ethics walk.

Exactly.

> "The experience does not collect or share any data," Jascha Kaykas-Wolff, chief marketing officer of Mozilla, said

Looking in the sources of the extension, it adds additional HTML header to every HTML request to https://www.red-wheelbarrow.com/forkids/ pages. The activity of the users there could of course be tracked and the data dependent on the extension being active collected. Good try Mr. marketing officer of Mozilla delivering Mr. Robot ad using the mechanism for the "studies."

> "Firefox worked with the Mr. Robot team to create a custom experience that would surprise and delight fans of the show and our users."

Obviously fail. Surprise, yes. Delight? No.

The add-on only initializes itself (and thus sends the header) if the user has manually gone into about:config and flipped the `extensions.pug.lookingglass` preference: https://github.com/gregglind/addon-wr/blob/59659431fd2a75c33...

It was obviously not complete in the form it was delivered, the "turning on" was supposed to be added somewhere at some later moment.

The whole thing is still suspicious: it was delivered to everybody whereas if it was supposed to be used only by the users who are aware of it, as now Mozilla tries to spin it, i.e. only to those who decided to "play the game", then the hidden install, especially to every user, was unnecessary as the normal extensions to Firefox are easily installed by the user, a click or two are enough:

https://addons.mozilla.org/en-US/firefox/addon/tabby-cat-fri...

Waterfox is nonsense, no offense to the people behind it. Removing some stuff from Firefox and calling it a day does not make a better Firefox, it just makes for a preconfigured one. You might as well just run Chromium.

The problem is that Mozilla is a good company, that has had a true net positive effect on the world, especially in tech, and continues to do so today with wonderful projects like Rust etc.

If Mozilla were a shitty company, we could all simply dismiss Firefox and get on with our day. But Mozilla is not a shitty company and the fact they keep shooting themselves in the foot like GP said, the fact they are completely out of touch with their userbase, that they cannot see the OBVIOUS problems with this addon even after the Pocket debacle, is ridiculous.

I'd argue there's a vast difference between an automatic update for something that was already manually installed, by the user, and automatically installing something without any indication to the user that it was installed. Worse, it's impossible to argue that this was even a useful extension.

I don't watch television, and I don't keep up with any popular modern shows. I had no idea what Mr. Robot was until looking through this thread, and the description text for the addon was, at first glance, suspicious. This was a terrible idea and isn't even remotely analogous to applying security updates automatically. If I have something I specifically installed, fine, I can expect those addons to be updated automatically. I don't expect them to side load something I don't even want. "Delight fans" my ass. You have to be a fan first, and I'm not even sure most people who are fans of Mr. Robot would think this is a particularly good idea.

Funny enough, the only thing I can think of that's even remotely similar to this is the "Hell, Dolly" plugin for WordPress, and that's installed out of the box as part of the distribution.

I personally am fine with using Firefox (though after Looking Glass I've disabled the setting to allow experiments).

IIRC the person that advocated for Chromium (instead of a third-party Firefox rebuild) base it on performance (they were dubious Quantum is actually better, I personally find it fast enough except when loading Facebook), as well as the alternative versions of Firefox not keeping up with the official version. Also, supposedly Chromium (as opposed to Chrome) settings are reasonably privacy-friendly out of the box.

They did recommend installing uBO-Extra in addition to uBlock Origin on top of Chromium, which is revealing -- with Firefox, there is not even a need for uBO-Extra.

My original point (which I didn't elucidate clearly enough) is that this Looking Glass experiment is resulting in unwarranted backlash against Mozilla -- whereas from the standpoint of preserving an open web and protecting user privacy it's actually one of the better players.

What are the odds that [current] Chief Marketing Officer Jascha Kaykas-Wolff is also the highest-ranking person in the organization to have signed off on this?

If they'd decided to sneak in a Mr Robot-themed easter egg I wouldn't really care. The fact that they decided to use a debugging/telemetry permission to push out a stupid marketing gimmick makes me question the judgement of everyone involved.

Much like some other situations in the political arena over the past 2-3 decades, I don't care that much about what was done but the decision to do it makes me question the judgement of people that I'm supposed to trust to make good decisions.

This is bullshit and you know it. If you want to shittalk Mozilla, then at least try to be honest.

Heaven forbid the decisions about what features an application gives and takes away are decided by lowly users. The free in free software means libre still, right? So if someone forks over 1 change or 10 they are still libre to do it, or is that passe? Its free as in liberty, as in freedom of thought, or is that also passe?

Forking a project, and adding features and removing pulls that you don't want and/or need is kinda the idea behind the whole 'open source' thing.. cause what else would you do with the source code, but compile it.

Speaking of Firefox, a build or two ago, without warning, Firefox deprecated (broke) every add-on. Because [insert-old-architecture-security-justification]. It's not like anybody was doing anything real with a browser anyway.

The new extension system was announced years in advance, including the warning that XUL addons would eventually be deprecated.

This design decision is behind a large part of the performance improvement in 57.

Yes I'm sad, I lost some of my favourite addons as well. But this move was announced well in advance and it had a serious technical reason behind it.

In a difficult situation, Mozilla made a tough decision that is good in the long run and that benefits all its users. Crying "fork!" over it is so blind it leaves a bad taste in my mouth.

> So if someone forks over 1 change or 10 they are still libre to do it, or is that passe?

It's nonsense. Doesn't mean they can't do it, doesn't mean it's not nonsense. Furthermore, in some situations, forks can be harmful to the overall health of an already fragile ecosystem. They're not free of externalities.

> [...] The experience does not collect or share any data [...]

Wrong (unless proven otherwise).

From the Shield Studies FAQ[1]:

> What data do Shield Studies normally collect?

> [...]

> Mechanism:

>

> - at STARTUP, SHUTDOWN, INSTALL, UNINSTALL, - send a `shield-study` packet containing the Unified Telemetry Environment.

As was stated before, users report that they have had this extension pushed to their browser without their prior consent to sending any telemetry data.

[1]: https://wiki.mozilla.org/Firefox/Shield/Shield_Studies

The proof of the planned data collection, confirming my previous claims, found declared in the source of the extension itself:

"## Observed data

- Possible page view counts on SUMO

- Possible page view counts (with and without the special 'enrolled' header) on Partner pages."

I've also already explained the "special 'enrolled' header."

The turning on was obviously either planned for some special moment, which wasn't the moment of that the extension was actually delivered, or the extension was accidentally delivered in the unfinished state -- doesn't matter, it provably didn't get enough scrutiny, see my other comments here for the details, the damage it actually done is regarding "tracking" less than planned, but regarding annoyance of their users probably more.

Is there any reason to believe that one guy has sufficient resources to maintain a fork of firefox? Its not like he can keep backporting all fixes from what will increasingly be an incompatible browser.

It also wont get any of the improvements mozilla is in the process of making so it will ultimately be slower and with fewer features.

Actually an application being able to update itself is a security issue and terrible design. Strictly speaking it should have only have write access to say its cache files and a directory where you store downloads.

Its also moronic to have a different update policy per app that is achieved in 35 different UIs.

This is the norm on windows because they were late to the party as far as a central source of software and further managed to make it an unattractive proposition and didn't get much buy in from developers.

Totally aside from the implicit security issue the ui flow is also terrible. Either each of 35 different apps runs their own update checker process in the background wasting your resources and prompting you at annoying times or when you run an app one out of n times it will prompt you to update whereupon you will ultimately have to stop doing whatever you were actually doing and let it update itself and restart.

It is truly amazing that people not only put up with this ridiculous situation but defend this as a feature.

Your system should periodically on a schedule you set update every piece of software you own and never bother you otherwise.