Competing and Cooperating (Don't Attack the Customer)

In the security industry there is fierce competition. At least in the anti-malware segment there is also tremendous cooperation. I am writing from the 3rd annual CARO workshop where researchers from several anti-malware companies are sharing important information with their competitors.

Quite a while back there both PCTools and ESET had false positives on each other’s products. Some users thought that there was a fight going on between the two companies. Behind the scenes ESET and PCTools employees engaged in friendly conversations to get the problems fixed. We don’t like to false positive and we certainly don’t want to harm our users. Disabling a competitor’s product is a really stupid and probably illegal activity. When a security company triggers on a competitor’s product, the only people who know about it are the company’s own customers. You don’t attack your customers, it should be obvious.

Well, to most people it is obvious, but two developers of Firefox extensions missed the obvious and took their battle to their users. The two Firefox extensions are NoScript and Adblock Plus, with Easylist taking sides with Adblock Plus. For a summary I recommend reading Dan Goodin’s article at http://www.theregister.co.uk/2009/05/04/firefox_extension_wars/

In a nutshell, Giorgio Maone, the developer of NoScript modified Wladimir Palant’s Adblock Plus (APB) add-on so that APB would not block the ads on the NoScript website. This was a really bad thing to do as it was done on user’s computers without their knowledge or consent. Effectively, NoScript behaved as malware. In retaliation APB enlisted the aid of Easylist to block access to the NoScript web site, ensuring that users of both ABP and NoScript could not update their version of NoScript. Where NoScript’s “damage” was causing users to see advertisements, ABP actually prevented users from getting security updates. Palant has his explanation of the events at http://adblockplus.org/blog/attention-noscript-users. Maone has his explanation and profuse apologies at http://hackademix.net/2009/05/04/dear-adblock-plus-and-noscript-users-dear-mozilla-community/

Both authors really messed up big time and only one has admitted wrong doing. In reading the comments in response to Maone’s apology I found something truly unexpected. Several comments were made about making donations to one or both of the authors. These two guys take their personal differences out on their mutual users and the victims reward them with PayPal donations!!! I think I’ll put a link to donate to my PayPal account up on the blog and pick a fight with a competitor :)

I really appreciate working in an industry where competitors are friends and help each other, rather than taking squabbles out on their customers.

Randy Abrams
Director of Technical Education

UPDATE: I was notified by Giorgio Maone that my timeline is a little off. The sequence of events is according to Giorgio...

1. AdBlock Plus had a publicly known bug, which allowed any web site to work-around is blocking and which I often indicated as the main reason why Adblock Plus could not be considered a security tool, opposite to what Wladimir Palant advertised (spreading on his part the notion that NoScript was not a security tool)
2. At a certain point my web sites (not my program) started to exploit this bug to work-around Easylist's filters, while still allowing end-user to block my ads using their own custom filters.
3. This pissed off Palant, who retaliated as soon as the new Easylist maintainer proved to be more malleable to adopt extreme techniques against relatively small sites than the previous one (who passed away some weeks ago)
4. When Easylist's retaliation came to disable essential functionality such as installing NoScript builds from my sites, I retaliated in the mindless way I did, and the rest is known