[mightyglydd]

Amen to that VM! Couldn't have been better put. Folks really need to start at Page 1.

[thyristor]

Maybe a new topic could be started (or edit the first post on this one) with all the conclusions and facts gathered here during the last 3 months. It's almost reaching 500 posts, so it's not easy to read it all or even get some sense out of it. It would be handy to filter out all the off-topic / misunderstandings.

[DonGato]

What do you think of this?
Anyway, I would like a mod's opinion about making this a new thread (and most probably closing the current one).
----------------------------------------------------------

The purpose of this thread is to make people aware of some tactics used in extensions considered by some people not worth of the AMO (addons.mozilla.org) "trust" seal. It has also the purpose of discussing the AMO quality standards and the views on these and other extensions that might be considered harmful for common users.

At the end of September meatus brought to light to the mozillaZine community the actions made by a set of extensions build upon the same code base. Those extensions were collecting data and uniquely identifying users without notifying them. This caused some stir into the community as most of the people thought that AMO had a high quality standard and sought to protect users from such tactics, thing that we realized wasn't true. AMO doesn't even have a policy for extension submitting.

After that a lot of discussion was done (you can read the full thread here). Some people treating them as Spyware and some others saying they weren't doing anything wrong. AMO stand on this was mostly ignoring it.

The issue took heat again at the end of November when the developers submitting these extensions abused the system because of an AMO code bug (we can't call it a real bug but they put too much trust into developers). They started to bump their extensions into a daily basis effectively hijacking the AMO newest listing. This brought more people concerned about the issue and made some, like me, start a deep review of the extensions inners as well as learning about all the facts about it. The findings are posted at the end of this post (Analysis of a Conduit based extension).

A list of the extensions being driven by Conduit code was made (attached next to this introduction). Conduit has a tool for development ignorant people to be able to make toolbar-like Mozilla extensions. With this service they can build a tool integrated into Mozilla related to an already existing community (as they state). Some people say this is a benefit for people and some say they don't serve any useful purpose. AMO doesn't judge the usefulness of an extension.

After days passed the dissatisfaction with AMO admins was growing larger as they weren't doing anything to stop the mess, and some heated accusations were issued. To cut down the rage and start moving forward we started to fill bug reports about the extensions that still weren't warning users about the data collection. A policy draft was posted and a talk back page linked so the community can help build the AMO extension policy. A description of an improved review process for extensions to be added to Remora (the next iteration of AMO codebase) was also posted at a personal blog. fligtar, an AMO developer and admin, was the one posting at the original thread as a spokesperson for AMO.

Regretfully, there weren't further comments by AMO admins and fligtar told the community that they wouldn't be participating anymore in the thread. They said they would use a blog, that until today is empty, for further communication. This effectively cut down the nexus between the community and the people administering addons site.

JohnM555 posted a Greasemonkey user script that hides these toolbars from AMO. A solution for people that really hate to see them listed at AMO.


List of extensions (93 extensions, updated to November 26)

Abandonia Toolbar by SupSuper: Version 1.0.1.18, released on Jun 12, 2006
All Yours Chat Toolbar by Admin: Version 1.0.1.18, released on Jun 12, 2006
Anderson Tech Club Toolbar by Kuru Oujou: Version 1.0.1.18, released on Jun 12, 2006
Atom-Sounds Toolbar by Atom Sounds: Version 1.0.1.18, released on Jun 12, 2006
Australia-Radio Toolbar by Joni: Version 1.0.1.29, released on Nov 1, 2006
BBC Bar by Adams: Version 1.0.1.29, released on Nov 4, 2006
Bibirmer Toolbar by David Gordon: Version 1.0.1.29, released on Nov 9, 2006
BobDawgs Pad Toolbar by Robert LaFont, Jr: Version 1.0.1.18, released on Jun 12, 2006
BX Toolbar by Shaggy Software: Version 1.0.1.26, released on Oct 3, 2006
CaresforKids Toolbar by Terry Ballantini: Version 1.0.1.20, released on Jul 25, 2006
Casino Free Money Toolbar by Sergiy Zapisniy: Version 1.0.1.19, released on Jul 15, 2006
Celebs Toolbar by ToolooT Promotions: Version 1.0.1.29, released on Nov 10, 2006
Cengoo.de Toolbar by dersimli: Version 1.0.1.25, released on Sep 28, 2006
CGToolbar by amit: Version 1.0.1.18, released on Jun 23, 2006
Cowgirl Image Toolbar by Cowgirl Image: Version 1.0.1.19, released on Jul 15, 2006
Cowgirl Model Toolbar by Cowgirl Model: Version 1.0.1.19, released on Jul 10, 2006
Dating & Personals Toolbar by Nancy: Version 1.0.1.29, released on Nov 9, 2006
Deutschland Radio by Guy Levy: Version 1.0.1.30, released on Nov 13, 2006
digg.com extension Toolbar by Gareth Poole: Version 1.0.1.28, released on Oct 21, 2006
DVDEmpire Toolbar by Erik Truby: Version 1.0.1.30, released on Nov 12, 2006
EMail_Notifier Toolbar by Shay Refaely: Version 1.0.1.29, released on Nov 7, 2006
ezPharmacyFinder Toolbar by Stuart: Version 1.0.1.18, released on Jun 12, 2006
Forecaster by Arvi: Version 1.0.1.30, released on Nov 1, 2006
Free The Dog Toolbar by FreeTheDog: Version 1.0.1.24, released on Sep 24, 2006
GameSpot Deluxe Toolbar by CorporatBologna: Version 1.0.1.18, released on Jun 12, 2006
GAVSGUIDANCE HELPER Toolbar by Gavin Davies: Version 1.0.1.18, released on Jun 13, 2006
Grigor's_Blog Toolbar by Gregory: Version 1.0.1.18, released on Jun 13, 2006
H2Press Toolbar by Mike Riess: Version 1.0.1.18, released on Jun 13, 2006
Holy Land Radio by Guy Levy: Version 1.0.1.29, released on Nov 3, 2006
HOT-IL Toolbar by Shay Refaely: Version 1.0.1.18, released on Jun 27, 2006
HotWildMisty Toolbar by Hot Wild Misty: Version 1.0.1.18, released on Jun 12, 2006
iasec Toolbar by gerald: Version 1.0.1.18, released on Jun 26, 2006
Indian Radio ToolY Toolbar by Arpit Arora: Version 1.0.1.30, released on Nov 13, 2006
international football Toolbar by steve: Version 1.0.1.29, released on Nov 11, 2006
isr Toolbar by Sharon Steiman: Version 1.0.1.29, released on Nov 1, 2006
Israel Radio (Hebrew Version) by Guy Levy: Version 1.0.1.29, released on Nov 3, 2006
Israel Radio by Guy Levy: Version 1.0.1.29, released on Nov 3, 2006
Jazz Radio by yotam mazar: Version 1.0.1.29, released on Nov 1, 2006
krenar Toolbar by krenar: Version 1.0.1.18, released on Jun 12, 2006
MailMan by Adams: Version 2.0, released on Nov 7, 2006
marvz14 Toolbar by Marvin: Version 1.0.1.18, released on Jun 12, 2006
Michad Computer Consulting Toolbar by Wolf Windshadow: Version 1.0.1.28, released on Oct 30, 2006
MikeAndPetra Toolbar by Petra Richardson: Version 1.0.1.18, released on Jun 12, 2006
MillBar Toolbar by Pelle: Version 1.0.1.14, released on May 12, 2006
Mojabosna Toolbar by Ado: Version 1.0.1.30, released on Nov 12, 2006
Movie Toolbar by Guy Malachi: Version 1.0.1.18, released on Jun 21, 2006
My Informational Toolbar by John: Version 1.0.1.14, released on May 14, 2006
myCampusDates Toolbar by Terry Ballantini: Version 1.0.1.20, released on Jul 25, 2006
myDirtyDates Toolbar by Terry Ballantini: Version 1.0.1.20, released on Jul 25, 2006
myMatchDates Toolbar by Terry Ballantini: Version 1.0.1.20, released on Jul 25, 2006
MyOrkut Toolbar by Arvi: Version 1.0.2.28, released on Nov 1, 2006
myVegasBets Toolbar by Terry Ballantini: Version 1.0.1.20, released on Jul 21, 2006
Nederland Radio by Guy Levy: Version 1.0.1.29, released on Nov 3, 2006
neoaddict Toolbar by Brian: Version 1.0.1.24, released on Sep 26, 2006
NewYork Radio Addon by Ronen Chen: Version 1.0.1.29, released on Oct 31, 2006
Nifty Gifts Toolbar by Tyler Munder: Version 1.0.1.18, released on Jun 12, 2006
night life Toolbar by ToolooT Promotions: Version 1.0.1.29, released on Nov 10, 2006
Online Games Toolbar by Guy Malachi: Version 1.0.1.29, released on Nov 1, 2006
Online Video by Shay Refaely: Version 1.0.1.29, released on Nov 7, 2006
Partnerprogramme Toolbar by Karsten Windfelder: Version 1.0.1.18, released on Jun 12, 2006
PartyPokerBar Toolbar by Richard gold: Version 1.0.1.19, released on Jul 9, 2006
Podcast Search Toolbar by Alex: Version 1.0.1.19, released on Jul 10, 2006
Poker Bar Toolbar by Richard gold: Version 1.0.1.18, released on Jun 16, 2006
profadi Toolbar by Radarette O'Reilly: Version 1.0.1.18, released on Jun 13, 2006
Radio & Gobierno de Puerto Rico - ApoyoTecnico.Com by Magallanes: Version 1.0.1.29, released on Nov 8, 2006
Radio DE Toolbar by dersimli: Version 1.0.1.24, released on Sep 27, 2006
Radio Denmark Toolbar by Ehud Z.: Version 1.0.1.30, released on Nov 12, 2006
Radio Russia by Guy Levy: Version 1.0.1.29, released on Nov 3, 2006
Radio UK by Guy Levy: Version 1.0.1.29, released on Nov 10, 2006
RadioMan by Arvi: Version 1.0.1.29, released on Nov 1, 2006
ralphtips Toolbar by Amer: Version 1.0.1.18, released on Jun 12, 2006
Reel New Media Toolbar by Roula Eatrides: Version 1.0.1.27, released on Oct 12, 2006
Runescape Toolbar by Chris Cunliffe: Version 1.0.1.21, released on Aug 12, 2006
ServMap Toolbar by ServMap: Version 1.0.1.20, released on Jul 19, 2006
SETI-HOME Toolbar by Sharon Steiman: Version 1.0.1.29, released on Nov 1, 2006
SK Software Toolbar by SK Software: Version 1.0.1.18, released on Jun 13, 2006
SparkleBox Toolbar by SparkleBox Teacher Resources: Version 1.0.1.18, released on Jun 12, 2006
Subliminal Directions Toolbar by Subliminal Directions: Version 1.0.1.28, released on Oct 20, 2006
Tbtoyl Toolbar by Massimo DAmico: Version 1.0.1.20, released on Jul 22, 2006
Telliss Toolbar by Terry Ballantini: Version 1.0.1.20, released on Jul 25, 2006
The Fuller Brush Place Toolbar by LadyPzaz: Version 1.0.1.29, released on Nov 1, 2006
Torrent Search by Guy Levy: Version 1.0.1.30, released on Nov 13, 2006
Torrent-Bar Toolbar by Joni: Version 1.0.1.30, released on Nov 14, 2006
torrentools Toolbar by Francesco Passantino: Version 1.0.1.24, released on Sep 27, 2006
trovando Toolbar by Francesco Passantino: Version 1.0.1.24, released on Sep 27, 2006
Turkije.Org Toolbar by Turkije.org: Version 1.0.1.18, released on Jun 12, 2006
webpedia Toolbar by Francesco Passantino: Version 1.0.1.24, released on Sep 27, 2006
Wikipedia Toolbar by Arvi: Version 1.0.2.28, released on Nov 1, 2006
WineZap Toolbar by Enos: Version 1.0.1.18, released on Jun 27, 2006
Worldgroups Toolbar by Playful: Version 1.0.1.29, released on Nov 3, 2006
Ynet News RSS (Hebrew Version) by Guy Levy: Version 1.0.1.17, released on May 31, 2006
Ynet RSS English by Guy Levy: Version 1.0.1.29, released on Nov 3, 2006
YOUTHERE1.com's Toolbar by YOUTHERE1.com: Version 1.0.1.19, released on Jul 10, 2006

NOTE: if you find one not listed here please tell me so and also, if there is one listed that isn't related to the issue please tell me so I can remove it and I give the developer my advanced apology for including it.


Analysis of a Conduit based extension

Well, I did the check of the Torrent Search 1.0.1.30 Conduit on a sandbox installation with an Open Source network protocol analyzer (ethereal, last version). First I have to say that when you start Firefox without this Conduit (my normal setup has 14 different extensions) you have 0, that means zero, outgoing/incoming traffic. There is some traffic after a while because of the phishing feature associated with Google that you can disable if you prefer but no more than that.

After I installed this Conduit I had a lot of traffic at startup. Of course, this could be only each time you start up Firefox but I didn't test it much so I can't say for sure. That might be why some people said these Conduits slow down their Firefox installation. I'm not saying this is wrong (if you are aware of it), just that it bothers me.

The first packet is of course the resolution of users.conduit.com that leads to IP 212.150.236.80. Then we have an HTTP connection on port 80 doing a post to /iis2ebs.asp with this data:

Code: Select all

<EBXML>
   <EBMSGID>CT_LOGIN_RQ</EBMSGID>
   <EBMSG>
      <CT_ID>CT329536</CT_ID>
      <USERID>UN20061126141726390</USERID>
      <VERSION>1.0.1.30</VERSION>
      <TIMESTAMP>11-26-2006 14:17:26</TIMESTAMP>
      <PLATFORM>FIREFOX</PLATFORM>
      <BROWSER_VERSION>2.0</BROWSER_VERSION>
   </EBMSG>
</EBXML>

It's suspicious that they use a USERID so I reviewed the code and got this:

Code: Select all

if(!strUserId || strUserId.length != EBServerCommunicationConsts_CT329536.USER_ID_LEGAL_LENGTH)
{
   strUserId = this.GenerateUserId();
   //save it to pref
   EBToolbarPreferenceManager_CT329536.SetPref(EBPreferenceConsts_CT329536.UserID,strUserId);
}

The GenerateUserId() function is based on the date to the millisecond level. Of course there could be duplicates but how much people would install the toolbar at the same millisecond?

As you see in the code, they are identifying each one of us with a single ID. They can track you between different IPs this way and you have that number stored in your PC. Moving on the next packets we see another POST telling them we need to update their Conduit #CT329536 (the given number for the Torrent Search Conduit) an because LAST_UPDATE_TIME is empty they know this is the first time we launch it.

Code: Select all

<EBXML>
   <EBMSGID>CT_THIRD_PARTY_COMPONENTS_RQ</EBMSGID>
   <EBMSG>
      <CT_ID>CT329536</CT_ID>
      <PLATFORM>FIREFOX</PLATFORM>
      <LAST_UPDATE_TIME></LAST_UPDATE_TIME>
   </EBMSG>
</EBXML>

The next POST is a request for settings. I assume this brings the last data for each of the Torrent sites supported by the Conduit (that is logo images and last RSS feeds from the Torrent site URL), but I might be wrong.

Code: Select all

<EBXML>
   <EBMSGID>CT_SETTINGS_RQ</EBMSGID>
   <EBMSG>
      <CT_ID>CT329536</CT_ID>
      <VERSION></VERSION>
      <XML_TYPE>NORMAL</XML_TYPE>
      <PLATFORM>FIREFOX</PLATFORM>
      <LAST_UPDATE_TIME></LAST_UPDATE_TIME>
   </EBMSG>
</EBXML>

After this there is a lot of traffic of images and rss feeds (for each of the supported Torrent sites). And the last packet to users.conduit.com is a request for translated strings.

Code: Select all

<EBXML>
   <EBMSGID>CT_TRANSLATION_PACK_RQ</EBMSGID>
   <EBMSG>
      <CT_ID>CT329536</CT_ID>
      <VERSION>1.0.1.30</VERSION>
      <LOCALE></LOCALE>
      <LAST_UPDATE_TIME></LAST_UPDATE_TIME>
      <TRANSLATION_KEYS>
         <KEY_ID>CTLP_STR_ID_GLOBAL_OK</KEY_ID>
         <KEY_ID>CTLP_STR_ID_GLOBAL_CANCEL</KEY_ID>
         <KEY_ID>CTLP_STR_ID_GLOBAL_YES</KEY_ID>
         <KEY_ID>CTLP_STR_ID_GLOBAL_NO</KEY_ID>
         <KEY_ID>CTLP_STR_ID_GLOBAL_BROWSE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_PERSONAL_COMPONENTS_TAB_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_PERSONAL_COMPONENTS_TAB_DESCRIPTION</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_EMAIL_NOTIFIER_COMP_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_EMAIL_NOTIFIER_COMP_DESCRIPTION</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_EMAIL_NOTIFIER_SETTINGS_BUTTON</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_POPUP_BLOCKER_COMP_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_POPUP_BLOCKER_COMP_DESCRIPTION</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_WEATHER_COMP_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_WEATHER_COMP_DESCRIPTION</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_PREDEFINED_COMPONENTS_TAB_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_PREDEFINED_COMPONENTS_TAB_DESCRIPTION</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_USEFUL_COMPONENTS_TAB_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_USEFUL_COMPONENTS_TAB_DESCRIPTION</KEY_ID>
         <KEY_ID>CTLP_STR_ID_OPTIONS_DLG_AUTO_UPDATE_DESCRIPTION</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_INNER_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_INNER_DESCRIPTION</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_LIST_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_LIST_CUL_NAME</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_LIST_CUL_ADDRESS</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_LIST_CUL_TYPE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_LIST_CUL_AUTOLOGIN</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_BUTT_ADD_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_BUTT_EDIT_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_BUTT_DELETE_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_CHECK_EVERY_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_PLAY_SOUND_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_DEFAULT_SOUND_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_DIFFERENT_SOUND_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_BUTT_PLAY_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_FEEDBACK_LINK_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_SETTINGS_DLG_BUTT_TBOPTIONS_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_INNER_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_TYPE_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_HOTMAIL</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_YAHOO</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_GAMIL</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_POP3</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_SUPPORTED_DOMAINS_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_EMAIL_ADDRESS_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_PASSWORD_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_NAME_ACCOUNT_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_INCOMMING_SERVER_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_PORT_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_OPEN_DEFAULT_CLIENT_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_AUTO_LOGIN_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ADD_DLG_BUTT_TEST_MAIL_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_INNER_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_CUL_TASKS</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_CUL_STATUS</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_ESTABLISH</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_FIND_SERVER</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_LOGINTO</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_FAILED_TESTING</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_COMPLETED</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_FAILED</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_PLEASE_LOGOUT_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_TEST_DLG_COMPLETED_SUCC_TEXT</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_PASSWORD_DLG_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_PASSWORD_DLG_DESC</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_PASSWORD_DLG_PASSWORD</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ALERT_MESSAGE_BOX_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ALERT_MESSAGE_ACCOUNT_ALREADY_EXISTS</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ALERT_MESSAGE_EMAIL_NOT_SUPPORTED</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ALERT_MESSAGE_INCCORECT_ADDRESS</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ALERT_MSG_WRONG_PASSWORD_TITLE</KEY_ID>
         <KEY_ID>CTLP_STR_ID_EMAIL_NOTIFIER_ALERT_MSG_WRONG_PASSWORD</KEY_ID>
      </TRANSLATION_KEYS>
   </EBMSG>
</EBXML>

After that there is no more outgoing traffic for users.conduit.com but there is traffic with other sites, and not only to get RSS feeds. It has this call for example, that I don't know for what it is:

Code: Select all

http://www.googleadservices.com/pagead/conversion/1071730303/?random=1164561462437&value=1&label=PURCHASE&hl=en&gl=US&fmt=1&bg=FFFFFF

I checked the BBC toolbar and it has a similar behavior, but just created another unique ID (UN20061126154548937).

I should say that the uninstalling procedure of these Conduits is not bad. It removes everything included the unique ID and I didn't see any side effect. I didn't have any crash but granted I didn't use it much and I was working with an almost clean installation.

[old zmanzero]

i suggest to keep this thread to hash out stuff before it is posted here - http://forums.mozillazine.org/viewtopic ... 41#2655241

[DonGato]

This way I can't edit/update the data and I didn't see any mod's opinion yet.
I don't like your rather jumpy ways zmanzero and this is like the third time I say it.
I'm sorry but I won't continue in these threads either.

[old zmanzero]

DonGato, i can eliminate that thread in the blink of an eye. it is up to you to continue or not, i will be happy to edit it if you want to start one. months have passed, this has turned into a tea party. i like your post, i like your words. the mods have nothing to do with this. waiting for them? why? we're the one's running this thread, all of us who are sick of what amo is. if you want to crap out, go ahead. you are one of the most logical and valuable people in this discussion. you can pm me or whatever, i do not care. i will edit that thread and you can start the new one, it matters not to me. if you quit we lose a very valuable person in this endeavor. dude, mods have nothing to do with the direction of this subject. get a grip.

chris

edit - i do apologize for saying this thread has become a tea party. to be frank, i'll quit this thread too. nothing is gonna change, they don't care, the site's a farce, and it's just the way it is. funny, the people in power turn a deaf ear to reality. go ahead and download those toolbars to the unsuspecting user. later.

edit - DonGato, the other thread is eliminated. please continue to post on this subject, your contributions are many many more times important than mine. i'm outta here.

[DonGato]

Well, I would like to hear mod's opinion on two things:

- opening a new thread for an issue that is already being discussed in another thread (this one)
- the closing of this thread to avoid duplicated discussions

I don't think mods have nothing to do with this.

And I also wanted some initial feedback from people as my view of some parts of the thread can be limited or wrong. Maybe including technical information is not really needed for such a post. Telling me what is missing or what should be modified in the proposed post is what I expected from community collaboration. I don't want o give Conduit supporters any basis to discredit us, so being civilized is what I think should be practiced by all people participating in the discussion.

[thyristor]

DonGato:
you made an excellent post, with which I agree entirely. I would just add 3 more issues to it.

1- these toolbars used to be called " Effective Brand toolbars " and their site http://www.effectivebrand.com/
this could help searching more info about it on the web.

2- the authors have also abused AMO by placing their toolbars in every extension category, effectively spamming the site.

3- some authors are using these toolbars to make a profit (by means of tracking usage data) at the expense of AMO hosting services.

the code review is a good point. the googleadservices link is too long and it forces me to use horizontal scroll so I (and everyone else with a small screen) can read the post.
perhaps some suggestions presented here to temporarily solve the problem could be mentioned: create an extension section on AMO, stop accepting new toolbars until the new AMO site is working or even removing the toolbars. of course, AMO people rejected these ideas (I guess).
thanks

[VanillaMozilla]

DonGato,
Just edit your post to break that last line of code. It's messing up the whole page. Thanks.

[Daifne]

DonGato,

I would have no problem with a new topic for a summary of this. This topic is a bit difficult to wade through now. If you would also like this one locked, let me know.

[DonGato]

Added those changes and opened the new thread ( http://forums.mozillazine.org/viewtopic.php?t=500994 ).
Feedback and new information would be appreciated. Maybe the topic name should be changed.

Daifne, if you think (a me) that is better to concentrate the discussion in only one thread close this one.

[Daifne]

It's up to you.

[DonGato]

That last line should be:

Daifne, if you think (as me) that is better to concentrate the discussion in only one thread close this one.

So, yes I think so. Having two threads about the same discussion can only bring chaos to it.

[RenegadeX]

What do you think of this?
----------------------------------------------------------

.. The issue took heat again at the end of November when the developers submitting these extensions abused the system because of an AMO code bug (we can't call it a real bug but they put too much trust into developers). They started to bump their extensions into a daily basis effectively hijacking the AMO newest listing.

This is not entirely accurate. I had been monitoring the 'Newest Extensions' RSS Feed for months and observed incessant bumping, finally making made a complaint(/suggestion for the new version of AMO called Remora) about the SPAM-bumps on the Wiki Remora 'Idea Dump' on 18th September. I mentioned 2 toolbar extensions in particular that I observed to be updating most frequently, but there were plenty of other toolbars (note: toolbars specifically) that had been bumping unnecessarily for quite some time.

Conduit has a tool for development ignorant people to be able to make toolbar-like Mozilla extensions.

'development ignorant' -- hmm... I think you mean "Conduit offers simple template-built toolbar extensions for Firefox which can be made in a matter of minutes by anyone - no programming know-how required."

After days passed the dissatisfaction with AMO admins was growing larger as they weren't doing anything to stop the mess, and some heated accusations were issued.

See previous comment, this had been going on for months.

Analysis of a Conduit based extension
First I have to say that when you start Firefox without this Conduit (my normal setup has 14 different extensions) you have 0, that means zero, outgoing/incoming traffic. There is some traffic after a while because of the phishing feature associated with Google that you can disable if you prefer but no more than that.

After I installed this Conduit I had a lot of traffic at startup. Of course, this could be only each time you start up Firefox but I didn't test it much so I can't say for sure. That might be why some people said these Conduits slow down their Firefox installation. I'm not saying this is wrong (if you are aware of it), just that it bothers me.

This whole section is kinda pointless as it's inconclusive.

The first packet is of course the resolution of users.conduit.com that leads to IP 212.150.236.80. Then we have an HTTP connection on port 80 doing a post to /iis2ebs.asp with this data:

Code: Select all

<EBXML>
   <EBMSGID>CT_LOGIN_RQ</EBMSGID>
   <EBMSG>
      <CT_ID>CT329536</CT_ID>
      <USERID>UN20061126141726390</USERID>
      <VERSION>1.0.1.30</VERSION>
      <TIMESTAMP>11-26-2006 14:17:26</TIMESTAMP>
      <PLATFORM>FIREFOX</PLATFORM>
      <BROWSER_VERSION>2.0</BROWSER_VERSION>
   </EBMSG>
</EBXML>

It's suspicious that they use a USERID so I reviewed the code and got this:

Code: Select all

if(!strUserId || strUserId.length != EBServerCommunicationConsts_CT329536.USER_ID_LEGAL_LENGTH)
{
   strUserId = this.GenerateUserId();
   //save it to pref
   EBToolbarPreferenceManager_CT329536.SetPref(EBPreferenceConsts_CT329536.UserID,strUserId);
}

The GenerateUserId() function is based on the date to the millisecond level. Of course there could be duplicates but how much people would install the toolbar at the same millisecond?

As you see in the code, they are identifying each one of us with a single ID. They can track you between different IPs this way and you have that number stored in your PC. Moving on the next packets we see another POST telling them we need to update their Conduit #CT329536 (the given number for the Torrent Search Conduit) an because LAST_UPDATE_TIME is empty they know this is the first time we launch it.

<.. and a whole lot of code & comments snipped

At risk of certain users calling me an idiot again, all you proved was that Conduit toolbars identify a user's computer so they can track usage. It is still "anonymous" as they claim because other than this unique identifier, there is no information read or passed to Conduit servers that is private. Ok, so they know your IP address as well, but that is a given (as long as it is stated on their AMO page that the toolbar connects to their server -- which it seems the extension-posters are now including in their AMO extension description). Do they know your name? Your address? Your bank account #? Your income? Your SSN? Your birthdate? Anything? All they know is 'user_123' has browser abc.com/whatever.html followed by def.com/somethingelse.php and so on.

After that there is no more outgoing traffic for users.conduit.com but there is traffic with other sites, and not only to get RSS feeds. It has this call for example, that I don't know for what it is:

Code: Select all

http://www.googleadservices.com/pagead/conversion/1071730303/?random=1164561462437&value=1&label=PURCHASE&hl=en&gl=US&fmt=1&bg=FFFFFF

I checked the BBC toolbar and it has a similar behavior, but just created another unique ID (UN20061126154548937).

This is obviously something to do with Google AdWords - I installed the Torrent Search bar to see when it comes up but after 30 mins still hadn't seen it being called in my monitoring app. If it's to do with the bar, I'd guess it's just a "hey don't forget to pay me for that click"-type thing from the bar to Google. Is that considered a 'privacy' issue?

[Daifne]

OK I'm locking this one. RenegadeX, if you want to continue, use the new topic.
Here: http://forums.mozillazine.org/viewtopic.php?t=500994