[Open Source Development] The Fall of Nano Defender, aka when an ad blocker becomes malware overnight
TL;DR: Open source ad blocker sold to “Turkish developers” is almost immediately turned into malware and gains access to people’s Instagram accounts. Developer thinks this should be a “learning experience”, but doesn’t think they did too much wrong.

---

I’m not sure if open source development counts as a hobby, but hey, people do it in their free time, so...
Nano Adblock and Nano Defender are open source ad blockers. You may not be familiar with them (the Chrome extensions have 250k+ users combined), but you may have heard of the project it’s based on, uBlock Origin. While the Nano projects have Chrome, Firefox, and Edge extensions, we’ll be talking about the Chrome one today. Open source projects, for the unaware, are projects that are made freely available for the public to modify and distribute. You can’t take Microsoft Word’s code and use it to make a new word processor, but you can make a new ad blocker from uBlock Origin or the Nano extensions. While big companies have open source libraries, a lot of work is done by small teams or individuals, which is the case for Nano. Due to the open source nature of the project, pretty much everyone who maintains it is working on it in their spare time and for free. This is a lot of work, and can put a lot of strain on someone. Which leads me to...
Part One: The Creator Departs
On October 3rd, the creator of the Nano projects (referred to as JS) announces on GitHub that due to the amount of time it was taking to maintain the project, they would be transferring it to new owners. In the open source world, this is normal. Maintaining enterprise-level software for free is a struggle. People (want to) have real lives. It happens. What was not normal was the vagueness of the statement. See, as an ad blocker, the Nano projects have vast access to what you see and do online. It’s important to know who is going to have access to that data (unless you’re a big tech company, apparently, but that’s a discussion for another day). Notably, some key information was missing:
- The announcement didn’t actually say who was acquiring the projects.
- Actually, the announcement didn’t seem to say how many people would be involved on the new team.
- The announcement made no mention of whether this was a sale, or if the interested parties were members of the current community.
So obviously, this was going to go over well.
Part 2: It Doesn’t Go Over Well
The community was not happy with this announcement. Not one bit. JS makes things worse by solely referring to the new dev team as “a team of Turkish developers”, while being reluctant to divulge more information. Then they inform the community that they will “address [their] comments when they have more time”. Not great optics. Someone finds the new developers’ names. This isn’t doxxing, these people literally do not exist. That doesn’t bode well. At this point, the developer of uBlock Origin (Nano’s parent project), Raymond Hill, steps in with a rather prescient comment. JS responds to Mr. Hill with what is essentially, “well, this is a learning experience”. Probably not the attitude to have when you hold 250k+ users’ data. Also, it became abundantly clear that even higher profile community members had not been informed. The person who was in charge of the Nano project’s Firefox extension had no idea what was happening. You’d think you’d want to clue them in on that.
Part 3: Shit Hits the Fan
Given the number of folks affected, some news articles come out. JS is adamant this is all “something we should learn from”. Ars Technica confirms that the extension now has the ability to access affected users’ Instagram accounts and automatically like Instagram posts. More accounts may have been affected, but this isn’t confirmed yet. People try to explain why the way JS handled this wasn’t great. JS disagrees, though they do admit that maybe they should have consulted a professional. That being said, their official opinion seems to be since it’s a personal project, who cares how they handled things (they also appear to believe a majority of the dissenters are trolls, which isn’t great).
Part 6: Should I Be Checking My Extensions?
Yeah. This isn’t the first time something like this has happened, and it won’t be the last. The Great Suspender, which has two million users, may be setting up for a similar scenario. (Edit: It’s, uh, a bit more complicated.) The nature of open source projects is that they may break, or be acquired, or god knows what. So if you rely on them, make sure you’re aware of what you’re downloading. That’s all of the drama, for now. The Nano brand is irreparably damaged, and the extensions have been removed from Chrome and Edge. The future of the innocent Firefox extension is unclear. Check your extensions, folks.
I made a list...no wait...A LONG LIST of some open source apps which MAY serve as an alternative. I won’t be listing any features or what the app does for those apps which are well known by most users. BTW, it gets easy to figure out what an app does by giving the app’s description a quick read😺. The links that I’ll provide here will take you either to GitHub, GitLab or F-Droid. There are a few Google Play Store links though. Let me know if I have missed any good open source app. Here goes:

BROWSERS🌏🌐🌎
AURORA STORE and AURORA DROID, this link will take you to the Aurora OSS download section from where you can download both Aurora Store (Play Store client without Google tracking) and Aurora Droid (F-Droid client).

?? There’s no link to Warden here!! lol, I know.... Go back to the section ‘APP STORES’, tap on the Aurora Store and Aurora Droid link, Warden will be there in the download section of Aurora OSS.

EDIT: (SUGGESTED APPS TAKEN FROM THE COMMENTS) 🌟🌟🌟🌟🌟

MAILS📧@:
VECTORIFY DA HOME, a very minimal wallpaper app to customize your homescreen. Doesn’t need an internet connection because wallpapers are not downloaded; instead we can create our own with a mixture of colors and simple icons. And if I’m not wrong, u/enricodortenzio is the developer of this cool stuff. Give it a go.

A friend of mine made a list as well that contains open source applications; there are some apps in his list which aren’t available in my post. Instead of listing them one by one, here’s the link to his list, which will lead you to GitHub. This is him: u/Petomeansfart
Pulse SMS, an open source Android SMS app has been acquired.
Pulse SMS, developed by Klinker Apps, Inc. with more than 1M+ downloads, seems to have been silently acquired by Maple Media, a private firm that purchases apps. More about Maple Media:

Maple Media has bought several undisclosed mobile apps already. They are generally looking at apps with thousands of users and some small amount of revenue. But the hope is that their experience, along with cost efficiencies gained through sharing services across apps, can boost the value of each app.
[Open Source Development] The Great Suspender Saga, or, “If a Chrome extension is sold and no one’s around to hear it, is it malware?”
TL;DR: The developer of a Chrome extension with 2 million+ users sells the project to an unknown third party who proceeds to secretly add user tracking capabilities to the application. Mass deletions ensue, though most users are unaware they are being tracked. Recently, I made a post about how the developer of a relatively popular ad blocker sold their project to a group of unknowns who turned it into malware. 250k+ people being exposed to malware is bad. But it gets worse. First, it turns out the Nano projects weren’t the only malicious ad blockers out there. While a fair amount of these apps were obviously scams, it’s absolutely crazy that at least 80 million people have been exposed to malware. Second, I offhandedly mentioned that another extension, The Great Suspender (which has 2 million users on its own), looked like it was setting itself up to potentially be malware. Well, you’ve seen the title, so I think you know how this is going to go.
The Great Suspender is a popular Chrome extension that automatically suspends inactive tabs after a certain period of time. Why is this important? Well, as many a meme has mentioned, Chrome uses a lot of RAM. Putting tabs on ice when you aren’t using them helps ease that burden. The Great Suspender is an open source project. Copying from my last post, open source projects, for the unaware, are projects that are made freely available for the public to modify and distribute. You can’t take Microsoft Word’s code and use it to make a new word processor, but you can make a new extension based on The Great Suspender. While big companies have open source libraries, a lot of work is done by small teams or individuals, which is the case with TGS. Due to the open source nature of the project, pretty much everyone who maintains it is working on it in their spare time and for free. This is a lot of work, and can put a lot of strain on someone. Which leads me to...
Part 1: The Creator Departs
On June 19, the creator of TGS, after a long period of silence, announces that they will be transferring the maintainer role to a third party and have sold them the ownership rights. The reception is actually fairly neutral. Some folks ask questions, some are worried about the project being sold to a third party, but on the surface, things seem above board. The new maintainer is named, they have a GitHub account, they don’t immediately turn the extension into malware. Note I said “on the surface”, though. There’s a lot that’s...off:
- The new account has no activity at all.
- It’s a PRO account, which is unusual to say the least. You don’t need a PRO account to maintain a project (none of the maintainers had one). Not a red flag on its own, but it’s weird.
- The original creator doesn’t want to reveal any information about this 3rd party.
- The new creator doesn’t do anything for months. No community announcements, no changes, nothing. A bit odd, considering this is something they paid for.
Community members are worried (there’s also a meager attempt to regain community control of the extension), but stuff doesn’t escalate until October.
Part 2: Wait, This Sounds Familiar
If you’ve read the previous post, I’m sure you’re noticing some...similarities...between the Nano disaster and the happenings here. A popular Chrome extension being sold with little warning or communication to an unknown, untraceable 3rd party? It seems awfully suspicious. The Great Suspender community thought so, too. So people do some digging, and it seems some hijinks are afoot. Turns out that the app had been stealth updated. The application was version 7.1.6 in the community GitHub repository, but was 7.1.8 on the Chrome App Store. For non-technical folks, imagine you were working on a group project on Google Docs, but one of your group members made their own copy of the file, drew a bunch of dickbutts on it, then turned it in to the professor as the group’s completed project. People, understandably, are not happy.
Probably. If you are addicted to The Great Suspender, I suppose you could just opt-out of tracking. In my own opinion, I don’t download extensions from shady developers, and I definitely don’t download extensions that stealth add permissions willy-nilly. There are several alternatives to TGS, it’s not as if it’s the only tab suspender in the world. The bigger picture thing though, is to be aware of what you’re downloading to your browser. A fair amount of Chrome extensions are made by individuals or small teams of people who can really screw you over if you aren’t paying attention. So if you do download an extension, check the reviews, check the change logs, see if they have a website or GitHub repository, and make sure you know what you’re downloading. Hopefully this is the last post I make on this subject. I love open source projects, so it makes me sad that so many people are impacted by this.
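The check the community effectively did by hand above (the repository said 7.1.6, the store shipped 7.1.8) and the advice to watch for permissions that get added without notice can be automated. The following is an added example, not code from the post or from The Great Suspender project: it compares an extension's installed manifest.json against a recorded baseline and flags version drift and newly added permissions. The extension name and both manifests are constructed samples, and the on-disk layout under Chrome's profile directory (`Extensions/<id>/<version>/manifest.json`) is an assumption you should confirm for your own platform and browser.

```python
"""Diff a browser extension's manifest.json against a recorded baseline.

Added example (not the post's or any project's own code). Flags the two
signals discussed in the post: the installed version no longer matching the
version in the public repository, and permissions that appeared without a
corresponding public change.
"""
import json
import os

# Constructed sample: what the community repository says the extension is.
# "Example Tab Suspender" is a hypothetical name, not a real extension.
BASELINE_MANIFEST = json.dumps({
    "name": "Example Tab Suspender",
    "version": "7.1.6",
    "permissions": ["tabs", "storage"],
})

# Constructed sample: what a stealth-updated store build might ship instead.
INSTALLED_MANIFEST = json.dumps({
    "name": "Example Tab Suspender",
    "version": "7.1.8",
    "permissions": ["tabs", "storage", "webRequest"],
    "host_permissions": ["<all_urls>"],
})


def parse_manifest(text):
    """Extract the fields worth comparing: version and the union of
    'permissions' and 'host_permissions' (Manifest V3 splits them)."""
    data = json.loads(text)
    perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
    return {"version": str(data.get("version", "")), "permissions": perms}


def compare_manifests(baseline_text, installed_text):
    """Return a report describing how the installed manifest drifted
    from the baseline."""
    base = parse_manifest(baseline_text)
    inst = parse_manifest(installed_text)
    return {
        "baseline_version": base["version"],
        "installed_version": inst["version"],
        "version_changed": base["version"] != inst["version"],
        "added_permissions": sorted(inst["permissions"] - base["permissions"]),
        "removed_permissions": sorted(base["permissions"] - inst["permissions"]),
    }


def needs_review(report):
    """A version the repository does not know about, or any new permission,
    is enough to warrant a look before trusting the extension further."""
    return report["version_changed"] or bool(report["added_permissions"])


def find_installed_manifests(extensions_root):
    """Locate manifest.json files under a browser's extensions directory.
    Assumed layout: <root>/<extension id>/<version>/manifest.json."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(extensions_root):
        if "manifest.json" in filenames:
            found.append(os.path.join(dirpath, "manifest.json"))
    return sorted(found)


def format_report(report):
    lines = [
        "version: %s -> %s%s" % (
            report["baseline_version"], report["installed_version"],
            "  (CHANGED)" if report["version_changed"] else ""),
    ]
    for perm in report["added_permissions"]:
        lines.append("added permission:   %s" % perm)
    for perm in report["removed_permissions"]:
        lines.append("removed permission: %s" % perm)
    lines.append("needs review: %s" % ("yes" if needs_review(report) else "no"))
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the constructed samples; swap INSTALLED_MANIFEST for the
    # contents of a real manifest.json found via find_installed_manifests().
    print(format_report(compare_manifests(BASELINE_MANIFEST, INSTALLED_MANIFEST)))
```

In practice the baseline is the manifest.json at the tagged release in the public repository, and the installed manifest comes from the extensions directory of the browser profile; `host_permissions` is merged with `permissions` because a broad host pattern such as `<all_urls>` is exactly the kind of silent widening the post warns about.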
I'm Micah Lee, director of infosec for The Intercept, security and privacy enthusiast, open source coder, journalist, techie for the Snowden leak, etc. AMA!
Hello, internet friends! I'm Micah Lee (micahflee). I'm in charge of information security for First Look Media (the parent company of the Intercept, where I also do investigative journalism and write privacy/security guides). I've been working in journalist security since 2013 when I helped facilitate the Snowden leak. I'm involved in organizations like Freedom of the Press Foundation and Distributed Denial of Secrets, and I also write a lot of open source code. Here are some of my recent projects that I'm happy to talk about:
I've been digging into BlueLeaks, a breach of hundreds of gigs of data from terribly secured US fusion centers and other US law enforcement websites.
I've been hard at work on a new version of OnionShare, a tool that lets you do cool things with Tor onion services like share files, turn your computer into an anonymous dropbox, quickly and easily host static darkweb sites, and soon host temporary, ephemeral chat rooms where nothing gets logged.
I've been running an antifascist Twitter privacy service called Semiphemeral that automates deleting old tweets, likes, and DMs, but with the flexibility to choose what not to delete. There's also a slightly-harder-to-use open source version.
I recently made an open source tool called Dangerzone that uses Docker containers to convert sketchy Office documents or PDFs into PDFs that you can be sure are safe, basically a digital version of printing a document and then rescanning it.
Also, this is probably more on my mind than anything else: Our civilization is crumbling, a plague is raging, climate disasters are getting more frequent and worse and science deniers have all the political power, police are murdering innocent black people and then beating activists in the streets for protesting them (not to mention surveilling their phones and social media), and in the US white supremacists are intimidating voters and threatening civil war. I don't have solutions, but I'd love to use my technical expertise in any way it can be most helpful.

Finally, sorry this AMA is having a bumpy start... It turns out that Reddit is censoring posts that contain links to the DDoSecrets website, because a website that published leaked police documents is clearly the worst thing that happens on Reddit. >:( AMA!

Proof: https://twitter.com/micahflee/status/1314706583901949953

Update: I'm logging off for the night (Friday night) but I'll be back tomorrow. Keep the good questions coming!

I'm back.

Update: Alright, I’m logging off of the second day of the AMA. Thanks for all the questions everyone, this was fun!
My full-fledged Android PS3 emulator Trampoline managed to boot up to the health and safety warning, after months of crashes and a ridiculous amount of work, holding a steady FPS of about 1-3. Set to become open source before March.