His methods caused a furor in the Mozilla community over the weekend because he did not provide clear notification about what his software was doing.

Thomas Claburn, Editor at Large, Enterprise Mobility

May 4, 2009

4 Min Read

The developer of the popular NoScript add-on for Firefox on Monday issued a sweeping apology for abusing the trust of those who had installed his software and for violating Mozilla's rules for add-on developers.

"I beg you to accept my most sincere apologies and believe in my shame and contrition," concluded Giorgio Maone, creator of the JavaScript-blocking extension NoScript, at the end of a lengthy statement of regret. "I know I've done something horrible, creating a scandal like the Mozilla community never had faced before and betraying the trust of many, many people. Please help me to repair the damage I've caused with my errors."

Maone's sin was to interfere with the operation of another popular Firefox extension, Adblock Plus, through JavaScript code added to his NoScript extension. He created a version of NoScript that altered Adblock Plus to whitelist the ads on his site, NoScript.net, so that they would not be blocked, thereby ensuring his continued ability to earn revenue from the ads.

Maone is not the first Web site owner to seek a way to prevent ads on his site from being blocked. But his methods caused a furor in the Mozilla community over the weekend because he did not provide clear notification about what his software was doing and because he did not seek user consent.

In so doing, Maone's actions became indistinguishable from those of a malware author. "Clearly, NoScript is moving from the gray area of adware into dark black area of scareware, making money at user's expense at any cost," observed Wladimir Palant, author of Adblock Plus, in a blog post about the incident.

Maone takes issue with Palant's claim that his code was obfuscated -- written to be difficult to read, a practice common among malware authors. But he states in his post that he wants to focus on apologizing rather than rebutting alleged inaccuracies.

It remains to be seen how much damage Maone's actions have done to the viability of NoScript. Many users posting about the incident promised to uninstall the extension. But some have accepted Maone's apology. Others took the opportunity to question the ethics of ad blocking.

"It must be particularly hard to have a lesson in ethics from Adblock, that charmingly unethical piece of software based on the principle that 'other people should look at ads so that *I* can enjoy content without inconvenience,' " reads one comment posted beneath Maone's mea culpa. Perhaps more significant than the conflict between two extension makers is the fact that AMO, the Mozilla add-on group, allows authors of popular extensions like NoScript to be "trusted," so their code can be posted without review.

Mozilla did not immediately respond to a request for comment.

Such absence of oversight becomes even more troubling in light of some of the comments on Palant's blog post that suggest attempts to corrupt extension developers may be widespread. One post, ostensibly from another Firefox extension developer, asks whether Palant has been approached by a company called KallOut, seeking a partnership to promote its software aggressively.

"I think this sort of seedy business is just going to increase as the browser becomes the platform," the anonymous developer suggests. "The bigger the ecosystem, the more room for bad actors."

The implication is that conflicts surrounding adware, spyware, Web page framing, and the user's ability to control his or her computer have returned with a vengeance. The battlefield this time is the browser ecosystem rather than the operating system.

KallOut's CEO, Lee Lorenzen, rejects the characterization that his company is promoting unethical software. "We believe our business tactics are completely fair and shouldn't be scary to anyone," he wrote in a post on the Mozilla add-on site. "While not every one of Firefox's 220 million users may agree with them or like them, those who don't can decide not to use our product. However, we don't believe that we have crossed any lines in a way that would be offensive to members of the Firefox community of developers and users."

Whether or not KallOut has been unfairly singled out, with a recession in full swing and ad revenue under pressure, further fights along these lines appear to be inevitable.


InformationWeek Analytics has published an independent analysis on what executives really think about security. Download the report here (registration required).

About the Author(s)

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights