ReclaimPrivacy.org “provides an independent and open tool for scanning your Facebook privacy settings”…
… by making you run untrusted JavaScript in a Facebook browser context, just like lots of shady “automatically spam all your friends” copy-and-paste-this-code-to-get-a-cookie Facebook pages.
Of course, it’s easier to snipe from the sidelines than to do something myself…
Yes… like instead of complaining, you could go read the source code, and figure out whether or not it’s doing what it says it does.
This is like telling your readers “No one should run and/or trust NSS, because I’m too lazy to read the source code.”
I think someone has been told.
Preed: the problem is not that I don’t trust them, the problem is what they are teaching people is OK to do. This instance may be fine, but reinforcing the idea that it’s OK to run JS (which the user hasn’t personally audited) in a Facebook context is not cool.
People usually don’t trust NSS (or “Firefox’s security”, or whatever) because they’ve read the NSS source code, they trust NSS because we trust it, and they trust us, and they’ve got their build from us.
Oh, I totally agree that they’re generally teaching a poor behavior, but on the other hand, Facebook is engaged in pretty poor corporate behavior, so maybe the ends justify the means for a certain class of user who’s fed up with the shenanigans? I honestly can’t remember the last time a site asked me to run JS in another site’s context, so I don’t that’s a huge phishing/malware vector, but maybe it is?
Asking the question is entirely valid, and questioning the developer’s source code is too. But casting doubt on it and then effectively saying a sentence later “But, I really have no basis for my complaint” isn’t… credibility-inspiring.
Having said that: would you feel better if they packaged it up as an addon and distributed it that way?
If not, how would you have them distribute it?
Oh, I totally agree that they’re generally teaching a poor behavior, but on the other hand, Facebook is engaged in pretty poor corporate behavior, so maybe the ends justify the means for a certain class of user who’s fed up with the shenanigans? I honestly can’t remember the last time a site asked me to run JS in another site’s context, so I don’t that’s a huge phishing/malware vector, but maybe it is?
Asking the question is entirely valid, and questioning the developer’s source code is too. But casting doubt on it and then effectively saying a sentence later “But, I really have no basis for my complaint” isn’t… credibility-inspiring.
Having said that: would you feel better if they packaged it up as an addon and distributed it that way?
If not, how would you have them distribute it?
Preed: The final sentence was not me saying “I have no basis for my complaint”. I think it was a valid complaint. The sentence was a recognition of the need for humility when you complain about something without providing an alternative.
Packaging it as an addon and putting it on addons.mozilla.org would be a big improvement because it wouldn’t teach the bad behaviour, and addons.mozilla.org has an addon code review process.
I think you should suggest that to the author.
(Yes, I am 110% serious.)
It would be a substantive suggestion to your original complaint… and I don’t sense that you actually have a problem with the mission of the project itself.