[conspire] even though I install an add-on to create a tiny url in Firefox, the add-on is not available

Darlene Wallach freepalestin at dslextreme.com
Wed Dec 23 14:52:20 PST 2009


On Wed, Dec 23, 2009 at 2:44 PM, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Darlene Wallach (freepalestin at dslextreme.com):
>> I installed an add-ons to create a tiny url, TinyUrl Creator 1.0.5 and
>> TinyUrl Generator 1.0.12 to Firefox
> Near as I can tell, both of these are proprietary extensions.  Why go to
> the trouble of running an open-source browser on an open-source
> operating system, and then install unaudited extensions into it written
> (I assume) by someone you don't know and have no reason to trust with
> the security of your system?

Very good point!

> Pardon me if I seem to be picking on you, Darlene, which is not my
> intention, but I notice that people seem to be picking up the habit of
> installing software without bothering to attend to the basics of
> security.

I don't take your advice and comments as picking on me. I appreciate
your taking the time to read my email and respond.

> One of the worst offenders in this area is the Mozilla Organization,
> which encourages such behaviour through sites like
> https://addons.mozilla.org/ .  Notice that each extension entry has a
> big "Download Now" button, and absolutely no information about source
> code or licensing -- let alone any information about why that software
> foundry can be trusted with your user-level or system security.
> I'm about to publish an article in (probably) the January issue of
> _Linux Gazette_ about Firefox extensions, Firefox privacy, and security.
> It includes a brief reminder that you should _always_ try to get all
> software from maintained distro packages where humanly possible.  Maybe
> I should go back and revise the article, while I still can, to stress
> how dangerous going outside that regime is, and how poorly regulated the
> "add on" world is generally.
> The bad habit of installing any-old-damned-thing outside one's distro
> package regime is not only courting disaster, but that disaster is
> already starting to occur:  Note the distributions of Trojan Horse
> software in .deb "screensaver" packages in third-party downloads hosted
> by gnome-look.org .
> Looking at that situation, my immediate reaction is:
> 1.  Why the fsck does gnome-look.org encourage distribution of
> screensaver artwork inside .deb packages, which get installed with
> root authority and can include preinst and postinst scripts?
> 2.  Why the fsck do user browsing gnome-look.org trust software
> listed there by unknown third parties?

Thank you.

equal justice under law,
Darlene Wallach

More information about the conspire mailing list