Forgot your password?
typodupeerror
Security IT

NoScript Awarded $10,000 178

Posted by CmdrTaco
from the useful-little-tools dept.
An anonymous reader noted an interesting bit of information about a tool a ton of Slashdot users make use of every day: "NoScript has been chosen as the recipient of the DRG Security Innovation Grant. This is a great honor and a spur to keep making the Web a safer place. I feel the urge to thank the committee for recognizing NoScript as a pioneering force in browser security, and the community of contributors, researchers, translators, beta testers, and loyal users who keep this project alive day after day. The grant will fund the effort to merge the current two development lines, i.e. 'traditional' NoScript for desktop environment."
This discussion has been archived. No new comments can be posted.

NoScript Awarded $10,000

Comments Filter:
  • by elrous0 (869638) * on Tuesday July 19, 2011 @10:10AM (#36811872)

    The fact that this ever had to be an *add-on* is just shameful. The fact that IE and Safari still don't have it (or something very similar) is close to criminal. Okay, Chrome has NotScripts [lifehacker.com], but that apparently requires some weird hacking to use securely.

    And, no, the non-default ability to turn *all* scripts on or off isn't even close to the same thing. As the great Jules would say--it's not the same ballpark, not the same league, not even the same sport.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      For safari: Glimmer blocker [glimmerblocker.org] is both an ad blocker and can deny and or rewrite scripts on the fly.

    • by Anonymous Coward

      The fact that this ever had to be an *add-on* is just shameful.

      As long as it's disabled by default. It'd make more sense for Adblock Plus to be integrated by default with ad/privacy lists added. NoScript is still a usability-destroying sledgehammer unfortunately. I haven't been able to find a reason as to why I should keep it installed and endure the headache.

    • by uigrad_2000 (398500) on Tuesday July 19, 2011 @10:45AM (#36812354) Homepage Journal

      Ghostery [ghostery.com]exists for Firefox/Chrome/IE/Safari, and can be taught to behave as noscript.

      • I use both. it makes the list of scripts that I should consider considerably shorter and also blocks confusing scripts I may otherwise allow in the process of trying to get a webpage to work. They all make life easier and more secure. Or at least I feel secure knowing so many things that used to happen now are blocked and I still have a usable web browsing experience.
      • by hitmark (640295)

        I see a potential improvement for Noscript, the identification of known tracking services.

    • by Pope (17780)
      It was. Netscape up to version 3 had menu items that would turn JavaScript on and off, and images on and off. For NS4 those were buried in the settings dialog, and were therefore not easily switched on the fly.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        It was. Netscape up to version 3 had menu items that would turn JavaScript on and off, and images on and off. For NS4 those were buried in the settings dialog, and were therefore not easily switched on the fly.

        PrefBar [tuxfamily.org] restores this functionality. Single-click control of images (for those not-necessarily-SFW threads), colors (for that asshat on FailSpace who thought that red on a green background was a good idea), and of course, Javashit, Java, Flash, cookies, referrer-sending, and so on.

      • Safari still has menu items to turn images, JavaScript, and CSS on and off for the current web page. The point of NoScript is to give you a greater level of granularity (i.e. allow just these scripts on this site, but not those) and to make these persist across browsing sessions.
    • For a simple reason it isn't installed by default.
      Security isn't convenient.
      The best security tools make your experience seem like you are warden of a jail house. There is only so much you can do to make them easy. The rest the company will decide not to add because it will make the app too hard to use. Especially if you need to compete with Internet Explorer. Where you need to be more secure and show that it can run all the stuff that IE can.

    • by Tolkien (664315)
      I think, personally, that the fact that we even need NoScript is shameful.
    • by Ant P. (974313)

      IE had "zones" 10 years ago. Chrome has had per-site whitelisting for several major releases.

      Mozilla... Mozilla has an open bug from the previous millenium.

  • by twocows (1216842) on Tuesday July 19, 2011 @10:13AM (#36811906)
    • by improfane (855034)

      Yes, the author does not have a good track record.

      He apologized for it but you do have to wonder. Money blinds.

      • by melikamp (631205)
        As much as I loved NoScript, I uninstalled it the moment the story broke. But After reading Giorgio's apology [hackademix.net] I was totally convinced that he meant no harm and learned his lesson, so I reinstalled NoScript only a few days later.
    • by Anonymous Coward on Tuesday July 19, 2011 @10:26AM (#36812128)

      Yes, two fucking years ago the guy made a poor decision in the heat of the moment which he later apologized for. We should definitely crucify him for it forever.

      • Please.
      • by twocows (1216842) on Tuesday July 19, 2011 @10:39AM (#36812284)
        It certainly was a while ago and he did apologize (after the backlash), and I agree that we shouldn't hold it against him forever. Still, I tend to be wary of NoScript these days because of it. I'm not sure I would trust someone who abused his position like that with a $10k grant is all. Maybe I'm being unreasonable, but I don't think it's a big leap to think that someone who abused their position for monetary gain once might do so again. And it's definitely something that I think people who use NoScript should know about, old or not.
        • If you want people to be aware of Giorgio Maone's mentality and motivations, you should probably link them to his blog entry on the matter [hackademix.net]. He goes into great detail.

          Here are some snippits:

          I screwed up. Big time.

          Please let me apologize first, then briefly explain what happened from a slightly different point of view than Wladimir Palantâ(TM)s, then apologize again.

          ... I began tracking EasyList changes and counterreacting. Of course Ares2 didn't stop, nor I did, so we engaged in an escalation through more than 30 EasyList updates (even 4-5 per day) specifically aimed at my sites ... If you've got some familiarity with Adblock Plus filters, you'll notice any standard web technology beyond basic HTML/CSS (scripting, frames, AJAX) was completely disabled.
          They got to the point where users could no longer even see the regular links to install NoScript or FlashGot.

          If you're describing his actions only as "[abusing his] position for monetary gain", you are spreading a simplistic understanding of the situation. That is virtually misinformation.

          If anyone expects to have and share an opinion on this matter they really ought to read his blog post.

      • Re: (Score:3, Interesting)

        by Baloroth (2370816)

        Maybe not. But, it definitely raises questions about the guy's integrity. And, you can't help but wonder if this hadn't been noticed and created massive outcry, whether he would have apologized at all, or whether he was just imitating large corporations policy of "hope they don't notice, apologize if they do."

        Oh yeah, and why one addon is able to make changes to another in Firefox without notifying the user. I haven't used Firefox much (prefer Opera), but is this still possible? If it is, why? Seems like a

        • by tlhIngan (30335)

          Maybe not. But, it definitely raises questions about the guy's integrity. And, you can't help but wonder if this hadn't been noticed and created massive outcry, whether he would have apologized at all, or whether he was just imitating large corporations policy of "hope they don't notice, apologize if they do."

          Who cares about the guy's integrity? After all, NoScript is open-source and isn't that the important part?

          If you don't trust the guy, take the latest revision (it's GPLv2+ and the source is in the XPI

      • by drsmack1 (698392)

        Good thing you are posting anonymously, betcha don't want to get caught again!

      • Two years! Wow, they practically get a free ride in /. terms! If Microsoft could have had a two year grudge period, back when they did things wrong...

        • by hedwards (940851)

          If MS had only made one mistake 2 years ago, I doubt very much that we'd be after them to this extent.

          • I don't doubt it at all. People can take any problem no matter how unrelated and still blame Microsoft here.
    • by Microlith (54737) on Tuesday July 19, 2011 @10:49AM (#36812416)

      So he has a stupid spat with the guys at AdBlock Plus. So what?

      People make stupid mistakes every once in a while. He apologized, and hasn't done anything dumb since. In the meantime, NoScript has continued to be a valuable tool that I add to every Firefox installation I use (well, all once he adds support for Firefox Mobile.)

    • Dude writes one of the most useful extensions ever to most people who uses it, protecting millions, lets the world use it for free, makes one questionable move, apologizes for it a few days later, continues making useful product...

      And people act like he's a scumbag.

      If you feel hurt by his actions, you get a free year of using noscript. You can use it all you want and don't have to pay him a dime. If you've donated a reasonable amount in the past, you can whine about it. If you were using noscript f
  • by DeHackEd (159723) on Tuesday July 19, 2011 @10:15AM (#36811962) Homepage

    Does this mean web designers will start making their web sites actually work when users without javascript try to use them?

    (The list of offenders is too long to name.)

    • How dare you speak that kind of blasphemy against web 2.0! Do you not see how using javascript for everything is improving the user experience and making the world a better place?!
    • by Bengie (1121981)

      AJAX reduces server load by removing excess postbacks. Pretty much any interactive website.

      The problem are websites that don't require postbacks but use Javascript for random crap.

      • Re: (Score:3, Interesting)

        by wwfarch (1451799)
        I don't even think using Javascript is the issue. The problem is requiring Javascript for random crap. Graceful degradation is something most websites fail to adhere to even when it's easily possible.
        • by Anrego (830717) *

          Graceful degradation is something most websites fail to adhere to even when it's easily possible.

          Not enough return on investment to be worth the bother of even thinking about it for the tiny fraction of users you turn away having a site not work without javascript.

          Web accessibility is much like building accessibility. Totally not worth the owners money (from a purely business standpoint..). Unless it's done as a PR thing (someone whines loudly enough) or the law comes by and says "look, we know it's not financially worth it for you.. but do it anyway because it's the moral thing to do" .. probably won'

          • by b4dc0d3r (1268512) on Tuesday July 19, 2011 @02:35PM (#36815086)

            I leave sites when they require JS, and follow up by sending them a screenshot of me placing an order on a competitor's web site (with certain identifying information blanked out).

            Depending on their site design, I also point out how they spent more effort blocking script-less usage than it would have taken to have a graceful fallback. That's not always the case, but it helps.

            I never get a reply, but I don't expect one either.

            • This seems like a lot of time/effort/trouble for what you even admit doesn't get any result or feedback from the owners of the offending site.

    • by PPH (736903)
      lynx, is that you?
    • I've come to realise this was a huge blunder from the beginning of the web.

      Remember how we took so long to make a standard for moving fonts over the web? We could have done so much better if we only had invented a way for a page to contain the required fonts, and images, and scripts.

      Loading a web page basically means code injection. Even without javascript, every "src=" in a web page is code executed in your host, as commanded by an untrusted source.

      But alas, we were too concerned with net load. We had to,

    • by Mandrel (765308)
      My primary reason for using No Script is not security but to eliminate distracting content animations and auto-play videos.
  • by orange47 (1519059)
    its sad that we have to remove functionality to be more secure. I do like noscript and use it all the time, but the problem is more and more websites require js for simple tasks. wish there was a better way, for eg using user interaction to select which part of js are 100% ok or something like that. or perhaps whitelisting md5sums of common scripts (if that hasn't been already done). ironically, posting this comment seems to require some scripts turned on.
    • by hedwards (940851)

      It's a phase that's looking more and more like a new normal. We were lucky with those huge painterly sites of the late 90s that they eventually went away. Sure they looked cool, but on a dial up connection they'd take 20 minutes to fully load.

      Now, sites take 20 minutes to load because they've got to load content from all over the web and frequently the slowest things to load are the ads. Each hop from server to server takes more time and with the sites pulling in stuff from other sites it can easily stall o

  • Any excuse for those page hits. Good tool though, but I switched of the bit that opens the home page every time there is a new "important" update.

    • by psyclone (187154)

      I like watching changelogs, to see what holes were patched. With NoScript, the right pane shows the changes -- new attack vectors are blocked all the time. (At this point they are mostly minor, but still crazy that default browser security with respect to local and remote script invocation is nearly non-existent.)

  • by madhatter256 (443326) on Tuesday July 19, 2011 @11:07AM (#36812668)

    No Script helped in stemming the amount of infected PCs I received. I'd install it on my customer's PCs and showed them how it worked and that they should turn it off only when doing stuff like online banking, otherwise leave it on.

    It was of tremendous help and a lot of repeat customers stopped coming back with the same infection.

  • by dezert1 (964839) on Tuesday July 19, 2011 @11:25AM (#36812886) Homepage
    Not having JS loading makes all pages load incredibly fast. Use it like a turbo button. That combined with Ghostery and Better Privacy make for a pretty good browsing experience (and shows you what each page is attempting to do). If you are looking for perfection, there is nothing stopping you from writing your own browser. NoScript is the biggest reason I stick with FF. Love it!
    • by tunapez (1161697)

      And all the ad servers and affiliates! Fecebook, Twatter, Google, Google Syndication, Google Analytics, the 3rd party adverts that malware peddlers crack regularly. Fuck that.

      NS and Live Bookmarks is why I stayed through all the post 3.5 feature bloat. I could run any stripped browser in a sandbox, but what I can't find is a Live Bookmark equivalent...ie: just headlines, no pix, no diarrhea of the keyboard descriptions, no new windows, no muss. Just headlines to scan.

  • The author deserves this. I reported a small problem on Amazon and he had a release candidate ready for testing about six hours later.
  • by BlueCoder (223005) on Tuesday July 19, 2011 @01:38PM (#36814438)

    One feature I would love is if it supported whole lists. That is whole white and black lists from different people that are assigned at different priority levels.

  • I don't agree with this. I think awarding them for making the web safer by removing javascript is like awarding somebody for keeping children from hurting themselves by locking them in cages. Of course you're safer if you don't do anything. But the real goal should be to make things safer while still being able to use those features. they might as well give an award to Lynx for safe browsing.

There are never any bugs you haven't found yet.

Working...