Mozilla planting spyware in fresh SolydXK installs

ilu
Posts: 2542
Joined: 09 Oct 2013 12:45

Mozilla planting spyware in fresh SolydXK installs

Postby ilu » 25 Oct 2017 03:01

1. On a newly installed SolydX10 system an addon named "Search Shield Study" showed up - did we do that (edit: no we didn't) or does mozilla force this upon random users? (Yes they do.) The search bar is gone and mozilla is collecting data - for whatever noble reason but without my consent.
The privacy and security tab has an option to "Allow Firefox to install and run studies" which is checked by default :evil: That's shitty behaviour and can result in support nightmares ("My searchbar vanished ...").
When I disabled the addon a survey showed up asking me about my firefox experience, using the usual marketing lingo. I answered that I would still consider firefox in the future. But after reading about no. 2 I'm not so sure anymore. All in all a very unpleasant experience.

2. Also firefox started to infect some of their browser downloads with an addon called "cliqz", which is spying on the user - for noble reasons, of course, see https://blog.mozilla.org/press-uk/2017/ ... n-firefox/. Mozilla promises that no individual data will be stored but big data techniques are detrimental in every way even if they concentrate on "big" instead of individual data. I haven't seen this version myself.

I think we should make sure that the browser delivered to our users is not infected with spyware or other trojans. If we can't do that we'll have to at least warn the users about it. That's why I'm filing this in the bug section.
I'm not really sure how the addon from no 1 got into our repo. Maybe it got downloaded by firefox after installation? It was there on the first call and there was absolutely no information about it. I just noticed that the search bar vanished and started to investigate.

Maybe it could help to preconfigure dissent to telemetry and studies in about:config via user.js so that our users would need to opt in instead of opting out of something they don't even notice.

kurotsugi
Posts: 2240
Joined: 09 Jan 2014 00:17

Re: Mozilla planting spyware in fresh SolydXK installs

Postby kurotsugi » 25 Oct 2017 07:05

I think it's doable but it's up to schoelje about the implementation. IIRC the script currently only downloads the files, repacks and signs them, then sends them to the repo.

Arjen Balfoort
Site Admin
Posts: 9333
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Mozilla planting spyware in fresh SolydXK installs

Postby Arjen Balfoort » 25 Oct 2017 07:07

I assume you installed FF from our repository?

$ apt policy firefox
firefox:
  Installed: 56.0.1
  Candidate: 56.0.1
  Version table:
 *** 56.0.1 600
        600 http://repository.solydxk.com solydxk-9/main amd64 Packages
        100 /var/lib/dpkg/status

On a clean install of SolydK 9 with FF 56.0.1 I only see this new addon (which can be disabled):
Safe Browsing Version 4 (temporary add-on) 1.0.0

This temporary add-on enables the new version of the Safe Browsing API, which protects against dangerous and deceptive sites. It will be automatically removed once the roll-out of this feature is complete.

I confirmed that that's the only extension in the firefox package.

I haven't seen anything that you described (searchbar is still there too).
It would be really odd if FF would single out a specific version of an OS.

Do you have any other addons installed that might have pulled in the others?


SolydXK needs you!
Development | Testing | Translations

kurotsugi
Posts: 2240
Joined: 09 Jan 2014 00:17

Re: Mozilla planting spyware in fresh SolydXK installs

Postby kurotsugi » 25 Oct 2017 07:13

Btw, the ESR version doesn't seem to have implemented it yet. If you want to avoid this stuff, perhaps you should use the ESR version.

Arjen Balfoort
Site Admin
Posts: 9333
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Mozilla planting spyware in fresh SolydXK installs

Postby Arjen Balfoort » 25 Oct 2017 07:32

I see that more users are not happy with this addon. The addon page comments should warn FF that they're not doing it right: https://addons.mozilla.org/en-US/firefo ... eld-study/

According to the wiki these addons are installed for a randomly chosen selection of users and are installed for a given amount of time after which they are removed: https://wiki.mozilla.org/Firefox/Shield/Shield_Studies. The randomness and period make it hard for me to do something against these kinds of addons. I don't even know what that would do with FF's license (changing the package or changing its functionality).



kurotsugi
Posts: 2240
Joined: 09 Jan 2014 00:17

Re: Mozilla planting spyware in fresh SolydXK installs

Postby kurotsugi » 25 Oct 2017 08:24

I thought it was built along with the binary file. Seems there's nothing we can do about it.

ilu
Posts: 2542
Joined: 09 Oct 2013 12:45

Re: Mozilla planting spyware in fresh SolydXK installs

Postby ilu » 25 Oct 2017 10:51

ESR is not affected.

Without any consequences to licensing I think you could preconfigure firefox via user.js. We are already doing that, right?
Mozilla says they won't pick your browser to install it if you opted out of studies. The relevant switches are:
user_pref("experiments.enabled", false); // Opt out of experiments
user_pref("experiments.manifest.uri", ""); // Opt out of experiments
user_pref("experiments.supported", false); // Opt out of experiments
user_pref("experiments.activeExperiment", false); // Opt out of experiments
user_pref("experiments.activeExperiment", false); // Prevent Mozilla from opting you into tests silently.
user_pref("network.allow-experiments", false); // Blocks the URL used for system add-on updates
user_pref("extensions.pocket.enabled", false); // Disable Pocket
user_pref("dom.flyweb.enabled", false); // Disable Flyweb
user_pref("extensions.shield-recipe-client.enabled", false); // Disable Shield Telemetry system
user_pref("extensions.shield-recipe-client.api_url", ""); // Disable Shield Telemetry system
from: https://www.ghacks.net/2017/07/30/contr ... r-js-file/. Those settings should not break any website. Why Pocket and Flyweb are involved in this I don't know.
There's more in https://github.com/ghacksuserjs/ghacks-user.js. I'm using a lot of their settings but the more you use the more it really breaks stuff.
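
An added example, not part of any post in this thread and not SolydXK's or Mozilla's code: because packaged defaults only reach newly created profiles, this sketch audits an existing profile's prefs.js and user.js contents against the opt-out values listed in the post above. The function names and the sample file contents are constructed for illustration.

```python
import re
# Opt-out values copied from the pref list posted in this thread.
EXPECTED = {
    "experiments.enabled": False,
    "experiments.manifest.uri": "",
    "experiments.supported": False,
    "experiments.activeExperiment": False,
    "network.allow-experiments": False,
    "extensions.pocket.enabled": False,
    "dom.flyweb.enabled": False,
    "extensions.shield-recipe-client.enabled": False,
    "extensions.shield-recipe-client.api_url": "",
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    # Map a pref literal (true/false, "string", integer) to a Python value.
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw) if raw.lstrip("-").isdigit() else raw

def parse_prefs(text):
    """Collect user_pref() lines; commented-out lines do not match."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs_js, user_js=""):
    """Return {pref: problem} for prefs that are not at the opt-out value.
    user.js is applied on top of prefs.js at startup, so it wins."""
    effective = {**parse_prefs(prefs_js), **parse_prefs(user_js)}
    findings = {}
    for name, want in EXPECTED.items():
        if name not in effective:
            findings[name] = "not set (browser default applies)"
        elif type(effective[name]) is not type(want) or effective[name] != want:
            findings[name] = f"set to {effective[name]!r}"
    return findings

# Constructed sample profile contents, not taken from a real system.
SAMPLE_PREFS_JS = '''user_pref("experiments.enabled", true);
user_pref("extensions.shield-recipe-client.enabled", true);'''
SAMPLE_USER_JS = '''user_pref("experiments.enabled", false); // Opt out
// user_pref("dom.flyweb.enabled", false);
user_pref("extensions.pocket.enabled", false);'''
```

On a real system the two strings would be read from the prefs.js and user.js files in the Firefox profile directory.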

Arjen Balfoort
Site Admin
Posts: 9333
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Mozilla planting spyware in fresh SolydXK installs

Postby Arjen Balfoort » 25 Oct 2017 11:47

I can add those settings to the firefox-solydxk-adjustments package, but that will only work for new users.

Shall I do that?


ilu
Posts: 2542
Joined: 09 Oct 2013 12:45

Re: Mozilla planting spyware in fresh SolydXK installs

Postby ilu » 25 Oct 2017 15:20

I'd vote yes. Maybe pocket needs some feedback - has anybody ever used that? And I don't even know what flyweb is - any users here?
That ghacks site is by a very knowledgeable guy on everything mozilla (Martin Brinkmann). I think whatever they recommend one can safely do.

grizzler
Posts: 2180
Joined: 04 Mar 2013 15:45
Location: The Hague, NL

Re: Mozilla planting spyware in fresh SolydXK installs

Postby grizzler » 25 Oct 2017 18:18

Anything blocking unwanted, disruptive junk has my vote. I don't know ghacks.net or Martin Brinkmann, but if ilu trusts him...
No idea about pocket or flyweb, but I'm definitely going to check out this user.js file.

I haven't noticed any effect on the search bar on my system (currently running FF 56.0.1), but I fully agree with the negative comments on the add-on page. You just don't do this kind of thing without asking people.
Frank

SolydX EE 64 - tracking Debian Testing

Arjen Balfoort
Site Admin
Posts: 9333
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Mozilla planting spyware in fresh SolydXK installs

Postby Arjen Balfoort » 26 Oct 2017 06:15

I've uploaded a new version of firefox-solydxk-adjustments (2017.10.25).
It contains the adjustments ilu posted here.
This will at least be useful for new users.


Zero Angel
Posts: 121
Joined: 01 Aug 2014 22:50

Re: Mozilla planting spyware in fresh SolydXK installs

Postby Zero Angel » 26 Oct 2017 06:27

ilu wrote: I'd vote yes. Maybe pocket needs some feedback - has anybody ever used that?
I use pocket, but firefox's built-in pocket features are inferior to pocket extensions which do a much better job. As such, I disable the built-in pocket.

ilu
Posts: 2542
Joined: 09 Oct 2013 12:45

Re: Mozilla planting spyware in fresh SolydXK installs

Postby ilu » 26 Oct 2017 13:30

FlyWeb is a very simple idea at its core. Instead of phones interacting only with the cloud, they can discover and interact with electronics around them that are running empty web clients, such as TV's, projectors, game consoles, etc. The electronics come to life when connected to phones. The key here is that either the phones serve web apps to these electronics, or the electronics serve web apps to the phones.
https://wiki.mozilla.org/FlyWeb
This sounds like another marketing bs to me. Not to mention the security nightmare. So it's good that it's gone. Hopefully.

Arjen Balfoort
Site Admin
Posts: 9333
Joined: 26 Jan 2013 19:36
Location: Netherlands

Re: Mozilla planting spyware in fresh SolydXK installs

Postby Arjen Balfoort » 26 Oct 2017 15:07



ilu
Posts: 2542
Joined: 09 Oct 2013 12:45

Re: Mozilla planting spyware in fresh SolydXK installs

Postby ilu » 29 Oct 2017 15:04

I'd like to add that I'm not against studies and customer surveys per se. I just think they need to be opt-in. Always. No exception.

sdibaja
Posts: 71
Joined: 13 May 2017 14:59
Location: Baja California, Mexico.

Re: Mozilla planting spyware in fresh SolydXK installs

Postby sdibaja » 29 Oct 2017 15:54

ilu wrote: I'd like to add that I'm not against studies and customer surveys per se. I just think they need to be opt-in. Always. No exception.
I agree 100%
Defaults are highly important in all software...
I am still thinking that this is some sort of alarmist fake news, but that is just my attempt at being optimistic.

Thanks for alerting us to this, I have not seen news of it anywhere else.
Peter E

patzy
Posts: 410
Joined: 15 Dec 2013 08:32
Location: Australia

Re: Mozilla planting spyware in fresh SolydXK installs

Postby patzy » 29 Oct 2017 23:21

Schoelje wrote: Blogged this for our users: https://solydxk.nl/mozilla-shield-studi ... ed-addons/
Thanks for this info Schoelje.
I agree that such data gathering should be opt in.

I recently got another machine and installed SolydK9 64bit.
I have altered my Firefox ESR profile file accordingly.

