Mozilla planting spyware in fresh SolydXK installs

[ilu]

1. On a newly installed SolydX10 system an addon named "Search Shield Study" showed up - did we do that (edit: no we didn't) or does mozilla force this upon random users? (Yes they do.) The search bar is gone and mozilla is collecting data - for whatever noble reason but without my consent.
The privacy and security tab has an option to "Allow Firefox to install and run studies" which is checked by default That's shitty behaviour and can result in support nightmares ("My searchbar vanished ...").
When I disabled the addon a survey showed up asking me about my firefox experience, using the usual marketing lingo. I answered that I would still consider firefox in the future. But after reading about no. 2 I'm not so sure anymore. All in all a very unpleasant experience.

2. Also firefox started to infect some of their browser downloads with an addon called "cliqz", which is spying on the user - for noble reasons, of course, see https://blog.mozilla.org/press-uk/2017/ ... n-firefox/. Mozilla promises that no individual data will be stored but big data techniques are detrimental in every way even if they concentrate on "big" instead of individual data. I haven't seen this version myself.

I think we should make sure that the browser delivered to our user is not infected with spyware or other troians. If we can't do that we'll have to at least warn the users about it. That's why I'm filing this in the bug section.
I'm not really sure how the addon from no 1 got into our repo. Maybe it got downloaded by firefox after installation? It was there on the first call and there was absolutely no information about it. I just noticed that the search bar vanished and started to investigate.

Maybe it could help to preconfigure dissent to telemetry and studies in about:config via user.js so that our users would need to opt in instead of opting out of something they don't even notice.

[kurotsugi]

I think it's doable but it's up to schoelje about the implementation. IIRC the script currently only download the files, repack and sign it, then send it to the repo.

[Arjen Balfoort]

I assume you installed FF from our repository?

Code: Select all

$ apt policy firefox
firefox:
  Installed: 56.0.1
  Candidate: 56.0.1
  Version table:
 *** 56.0.1 600
        600 http://repository.solydxk.com solydxk-9/main amd64 Packages
        100 /var/lib/dpkg/status

On a clean install of SolydK 9 with FF 56.0.1 I only see this new addon (which can be disabled):

Safe Browsing Version 4 (temporary add-on) 1.0.0

This temporary add-on enables the new version of the Safe Browsing API, which protects against dangerous and deceptive sites. It will be automatically removed once the roll-out of this feature is complete.

I confirmed that that's the only add extension in the firefox package.

I haven't seen anything that you described (searchbar is still there too).
It would be really odd if FF would single out a specific version of an OS.

Do you have any other addons installed that might have pulled in the others?

[kurotsugi]

btw, the ESR version seems haven't implement it yet. if you want to avoid these stuffs perhaps you should use the ESR version.

[Arjen Balfoort]

I see that more users are not happy with this addon. The addon page comments should warn FF that they're not doing it right: https://addons.mozilla.org/en-US/firefo ... eld-study/

According to the wiki these addons are installed for a randomly chosen selection of users and are installed for a given amount of time after which it is removed: https://wiki.mozilla.org/Firefox/Shield/Shield_Studies. The randomness and period makes it hard for me to do something against these kind of addons. I don't even know what that would do with FF's license (changing the package or changing its functionality).

[kurotsugi]

I thought it was build along the binary file. seems nothing we can do about it.

[ilu]

ESR is not affected.

Without any consequences to licensing I think you could preconfigure firefox via user.js. We are already doing that, right?
Mozilla says they won't pick your browser to install it if you opted out of studies. The relevant switches are:

user_pref("experiments.enabled", false); -- Opt out of experiments
user_pref("experiments.manifest.uri", ""); -- Opt out of experiments
user_pref("experiments.supported", false); -- -- Opt out of experiments
user_pref("experiments.activeExperiment", false); -- -- Opt out of experiments
user_pref("experiments.activeExperiment", false); -- Prevent Mozilla from opting you into tests silently.
user_pref("network.allow-experiments", false); -- Blocks the URL used for system add-on updates
user_pref("extensions.pocket.enabled", false); -- Disable Pocket
user_pref("dom.flyweb.enabled", false); -- Disable Flyweb
user_pref("extensions.shield-recipe-client.enabled", false); -- Disable Shield Telemetry system
user_pref("extensions.shield-recipe-client.api_url", ""); -- Disable Shield Telemetry system

from: https://www.ghacks.net/2017/07/30/contr ... r-js-file/. Those settings should not break any website. Why Pocket and Flyweb are involved in this I don't know.
There's more in https://github.com/ghacksuserjs/ghacks-user.js. I'm using a lot of their settings but the more you use the more it really breaks stuff.

[Arjen Balfoort]

I can add those settings to the firefox-solydxk-adjustments package, but that will only work for new users.

Shall I do that?

[ilu]

I'd vote yes. Maybe pocket needs some feedback - has anybody ever used that? And I don't even know what flyweb is - any users here?
That ghacks site is by a very knowledgeable guy on everything mozilla (Martin Brinkmann). I think whatever they recommend one can savely do.

[grizzler]

Anything blocking unwanted, disruptive junk has my vote. I don't know ghacks.net or Martin Brinkmann, but if ilu trusts him...
No idea about pocket or flyweb, but I'm definitely going to check out this user.js file.

I haven't noticed any effect on the search bar on my system (currently running FF 56.0.1), but I fully agree with the negative comments on the add-on page. You just don't do this kind of thing without asking people.

[Arjen Balfoort]

I've uploaded a new version of firefox-solydxk-adjustments (2017.10.25).
It contains the adjustments ilu posted here.
This will at least be useful for new users.

[Zero Angel]

I'd vote yes. Maybe pocket needs some feedback - has anybody ever used that?

I use pocket, but firefox's built-in pocket features are inferior to pocket extensions which do a much better job. As such, I disable the built-in pocket.

[ilu]

FlyWeb is a very simple idea at its core. Instead of phones interacting only with the cloud, they can discover and interact with electronics around them that are running empty web clients, such as TV's, projectors, game consoles, etc. The electronics come to life when connected to phones. The key here is that either the phones serve web apps to these electronics, or the electronics serve web apps to the phones.

https://wiki.mozilla.org/FlyWeb
This sounds like another marketing bs to me. Not to mention the security nightmare. So it's good that it's gone. Hopefully.

[Arjen Balfoort]

Blogged this for our users: https://solydxk.nl/mozilla-shield-studi ... ed-addons/

[ilu]

I'd like to add that I'm not against studies and customer surveys per se. I just think they need to be opt-in. Always. No exception.

[sdibaja]

I'd like to add that I'm not against studies and customer surveys per se. I just think they need to be opt-in. Always. No exception.

I agree 100%
Defaults are highly important in all software...
I am still thinking that this is some sort of alarmist fake news, but that is just my attempt at being optimistic.

Thanks for alerting us to this, I have not seen news of it anywhere else.

[patzy]

Blogged this for our users: https://solydxk.nl/mozilla-shield-studi ... ed-addons/

Thanks for this info Schoelje.
I agree that such data gathering should be opt in.

I recently got another machine and installed SolydK9 64bit.
I have altered my Firefox ESR profile file accordingly.