Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Skip to content
This repository has been archived by the owner on Mar 23, 2018. It is now read-only.

[Updated] Chrome extension has changed ownership #528

Closed
ParticleCore opened this issue Jul 11, 2017 · 54 comments
Closed

[Updated] Chrome extension has changed ownership #528

ParticleCore opened this issue Jul 11, 2017 · 54 comments

Comments

@ParticleCore
Copy link
Owner

ParticleCore commented Jul 11, 2017

As of today the Chrome extension ownership has been changed and I am unable to make any further changes or updates to it. For now the temporary solution for anyone that wants it is to use the userscript version with a userscript manager extension, such as Tampermonkey. Remember to first backup your settings before changing.

I will try to post an update when I have more information.


Update

After trying to find out what happened since the other user came to me with #527 I can only assume that the intentions were not made by mistake and as a result I will now do what was suppose to have been done before all of this started.

The extension has been sold, but only the Chrome extension. Everything else remains intact and on life support.
I was approached with a business proposal to either run ads on the extension or sell it. My first reply was that no matter what conclusion the business could lead to, the users would have to be informed prior to the change and unrelated feature changes would have to be opt-in by default, and I quote:

Hi, <redacted>

I am sorry but my extension makes no collection of user data. The only available stats are the ones available from the webstore, which does not include any geo distribution or similar telemetry other than extension installation/uninstallation and total current users data.

On top of this, the extension is currently at its end of life status due to the upcoming new YouTube layout, meaning that when that layout goes live officially the extension will no longer work, and I am currently developing a fresh and new replacement to work just with the new layout.

Knowing all of this I don't know what interest you might still have in this extension, but whatever the case could be, anything would have to be disclosed to the users previous to any changes and anything unrelated to the extension features (such as data collection or advertisements, for example) will have to be opt-in by default or acceptable during install/implementation.

Cheers

Due to certain conditions I agreed on I cannot share more of the conversation out of fear of violating these conditions.

I did research the entity that contacted me and found no warning signs, which is why I decided to trust it at the end.

I was assured that their services are Google compliant and, to a certain extent, they are, from what I have seen in their code, but the current changes are way, way ad aggressive. The extension also warns users of the new changes, but not how I wanted. Asking for new permissions is not the same thing as explaining why those are being requested and what changes the extension would contain. Also turning off the support tab was not a good sign.

I was also caught somewhat off guard because I wanted to make this announcement at least one day prior to the changes, but that's also something that didn't went according to what I expected. The changes that were suppose to be made never went through; the extension description is still unchanged and are still linking to this repository, the extension options are also still linking here and the donation button is still linking to my account. It was all suppose to be changed accordingly at a certain time.

As of now there is nothing I can do, the Chrome extension version is no longer mine. I know very well how the users feel betrayed without an hint before all of this, but I was under a condition that would not allow me to go into detail about the transaction, that is until after what went through today.

I have sold the extension because of two big reasons, both some of you that have been following this extension close know of:

1 - The current extension will die. With the new YouTube layout coming up, the extension will simply not work, it already does not if users try the new YouTube layout. I am already working on an entirely new version just for the new layout, but this one is just at a basic bug fix support stage.

2 - The income is very important during the period that my life is currently on. I do appreciate all the donations that have been made and keep being made since the birth of this project, but with just around $8 average per month (if I recall correctly) there's just not enough, not even to pay the ISP. However, I only went through with the proposal because I asked for quite a high price that I was willing to sell, assuming that it would be rejected. As it happens it was not.

With that said, I most sincerely apologize. This was suppose to be way more transparent, I think the few that know me know that I never had any trouble speaking my mind when I wanted or being honest when needed, but as it happens this whole situation went off rails without me realizing it in time. Once it started there was nothing I could have done to stop it other than trying to find out what was going on and why.

The Chrome users can still use the original version, the userscript is untouched and will continue receiving bug support. To install the userscript version you will need a userscript manager, like Tampermonkey, and then click on one of the available hosts located here: https://github.com/ParticleCore/Particle/wiki/Download#userscript and your userscript manager will do the rest for you.

@knisshoku
Copy link

Hi,

Did you sell the ownership to a new developer?

@ExorcistF1
Copy link

you fucking idiot

@mreweilk
Copy link

How many times will this happen to good extensions? Shake my head.

@ariefpizzuti
Copy link

I wish you could make the announcement sooner ,thank god I remove the extension .from what I've seen from the other extensions from the new dev ,many people complaint about their browser got inject with adware and such .

@mreweilk
Copy link

mreweilk commented Jul 11, 2017

And by looking at the updated extension, it has indeed been hijacked.

Here's the new manifest.json

Everyone should report the extension to google for abuse.

@pep0w
Copy link

pep0w commented Jul 11, 2017

What was the reason of this "change" of ownership...
If it's anything like Stylish and Userstyles.org, it's goodbye forever (or at least I'll stick with an older version until a better alternative comes along).

@theorist-complex
Copy link

How is it possible that you were unaware of this "change of ownership"??

I assume by "change of ownership" you mean that you sold it to someone?

If thats true, then why was there no notice beforehand?

If none of the above is correct, then I apologize for sounding accusatory, but something doesn't seem right here.

@LB--
Copy link

LB-- commented Jul 12, 2017

@theorist-complex their account could have been compromised and it was transferred before they regained control of their account. No need to assume malicious intent.

@SingularityRS
Copy link

Well, this sucks. There's not really a better alternative out there for YouTube.

@CyberMew
Copy link

CyberMew commented Jul 12, 2017

Just curious, how much were you paid to sellout your users?

Also, how can we migrate the settings from the chrome extension over to the userscript version? Or are we SOL again?

@theorist-complex
Copy link

@LB-- Which is exactly why I said: "If none of the above is correct, then I apologize for sounding accusatory, but something doesn't seem right here."

But frankly, the specific verbiage used - a "change of ownership" is much different than saying that "the account was compromised", or "taken over", or "I lost control of" or"hacked" or, etc, etc...

Now, if that is simply a language barrier issue, then the apology is already there - my mistake, my bad - but if it's not, then I don't think my questions are too much to ask.

@pepablock
Copy link

@q1k Care to elaborate on Stylish? I'm using the latest version, should I be worried?

@ExpHP
Copy link

ExpHP commented Jul 12, 2017

For those looking at the source, any estimation of the impact of this on users who accepted the permissions for the hijacked version? What on earth is it doing exactly with the permission to "manage extensions"?

@mreweilk
Copy link

It seems to have been infected with a modified version of this, https://crx.dam.io/source/crxviewer.html?crx=https://crx.dam.io/files/gobbnicjoijcfndfmmfjnfgldgcnjibl/4.1.9.0.zip

@ExpHP
Copy link

ExpHP commented Jul 12, 2017

For ease of purview, this source file appears to be the meat of the above. I'm a dufus with a trigger finger on the Download Zip button. mreweilk's link is unminimized (in the preview pane)!

To sort of answer my own question, then; this seems to be the only use of the management permission. Not 100% sure yet but I think it's just scrubbing your extensions for keywords to send to advertisers.

@alphapapa
Copy link

Not 100% sure yet but I think it's just scrubbing your extensions for keywords to send to advertisers.

Oh, is that all...

@ParticleCore It's imperative that you provide a complete explanation ASAP. As it stands, your wording seems vague and evasive, which suggests that you knowingly transferred ownership to a hostile entity, against your users' interests. If this is not the case, you should make this clear immediately.

@ParticleCore
Copy link
Owner Author

I am going to post an update of this situation later today, I sincerely apologize for what happened. For any user that might still want to keep using the extension you can use the userscript version with the help of the Tampermonkey extension or a similar userscript manager, the result is literally the same. For the users that haven't had the chance to backup their settings you can always install the extension temporarily, export your settings and then remove it once your settings have been exported with success to import them into the userscript version.

These recent changes only affect the Chrome extension version.

@pep0w
Copy link

pep0w commented Jul 12, 2017

@pepablock Read here, this change was only on Chrome, not Firefox. But one could say the change is coming there too. You can use an alternative for Chrome called Stylus, and just not update it on Firefox (it still works fine on FF 54).
The kicker is that this data collection is turned on by default and who knows what else is under the hood. But the biggest concern is that you can't really disable automatic updates on Chrome extensions...

Here's what natalieg wrote on the forum after people complained about "anonymous" data collection being enabled by default.

every time a browser navigates to a new page, the extension queries the servers for saved and available styles. The data collected includes the current, previous and referrer pages and for each new install a random user ID is created.

That data collection is not so anonymous either, they save the first 3 bytes of the ip (ie. of let's say 12.34.56.78, they will save 12.34.56.--- which is not very anonymous, besides, they could be lying about this, they could just save the whole thing, and even sell the data to third party).

So I have disabled updating stylish on chrome, and I'm not updating it on firefox either (if/when that comes).


I'll stop here, this topic is about youtube+ (or particle for youtube if you will), so let's not turn it into something else.

@RayKoopa
Copy link

@ParticleCore Thanks for at least keeping the userscript "alive". Though that really should've been communicated better. Then again I don't know what kind of narrow-minded idiot the new "owner" is, but according to the privileges, just another ad-junk crap company not wanting you to communicate the userscript alternative too openly.

@pepablock
Copy link

@q1k Thank you for the info, much appreciated!

@ParticleCore ParticleCore changed the title Chrome extension has changed ownership [Updated] Chrome extension has changed ownership Jul 12, 2017
@ParticleCore
Copy link
Owner Author

I am replying to let users know that the main topic has been updated.

@Caraxi
Copy link

Caraxi commented Jul 12, 2017

You are an idiot. that is all

@Eisys
Copy link

Eisys commented Jul 12, 2017

Hmmm
Quite a d1ck move but I can understand. Everyone needs money.

So if I understand correctly, you only sold the current as-is chrome extension?
Meaning, you still own Iridium and can post that on the Chrome store as a brand new extension, once it's finished?
I adore Youtube+ and would hate to see it die completely. No alternative out there that's as good.

I use the userscript version so I'm fine, but I had to let a friend know to delete it asap and run an MBAM scan.

Also, there are a few other extensions owned by the same 'roberthawkinsg'. Those were updated recently and they too, have recent 1 star reviews stating adware/malware/excessive permissions.

@ParticleCore
Copy link
Owner Author

@Eisys That is correct, this only affects the Chrome extension Particle for Youtube, nothing else. Iridium is clear and will reach the Webstore as a brand new extension, which was always the plan because I never meant to "replace" YouTube+. That also means the userscripts and AMO versions will be brand new once Iridium goes live.

Regarding the owner, I was made aware of that only after I read the recent extension reviews, which was not disclosed until the extension was transferred.

@alphapapa
Copy link

alphapapa commented Jul 12, 2017

@ParticleCore Okay, so you have tacitly admitted that you did sell the extension to a hostile party without regard for the safety or privacy of your trusting users.

This is inexcusable. You have now demonstrated that you are untrustworthy, and none of the other forms in which you are making this project available (userscript, Iridium, etc) can be trusted either.

The only answer for users who desire safety and privacy is for this project to be forked. This repo must be blacklisted, and this author must be forever distrusted. (Of course, since you conveniently hide your identity behind "ParticleCore", this will not be as easy as it could be.)

For anyone who's interested, I have forked the repo and opened an issue to discuss the project's future, if there can be one. Interested users and/or developers are welcome. https://github.com/alphapapa/Particle/issues/1

@ExpHP
Copy link

ExpHP commented Jul 12, 2017

The extension has been sold, but only the Chrome extension. Everything else remains intact and on life support.
...

Er, uhh...

...wow. I was about ready to invoke Hanlon's razor or something towards the generally hostile attitude in this thread, as I just couldn't understand where it was coming from. And I suppose the razor still applies in some way, but... uh...

This is awful. You're a nincompoop, this 'roberthawkinsg' guy is capitalizing on trust like a goddamn Trojan Horse, and the Chrome store lets it all happen! To be honest, when I first saw the permissions request, I was puzzled, but could have accepted it anyways because I knew this project had a github and I knew there was a detailed version history where I would be able to find out exactly what crazy, new and unusual circumstances required the permissions.

But lesson be learned: trust can't come so cheap.

@aelfwyne
Copy link

aelfwyne commented Jul 14, 2017

Not only why would they want to hide, but more importantly:

Why were they even interested in buying a dead-end product that as you yourself said wasn't even going to support the new Youtube layout very soon? Obviously it was worth money to them, and as it wasn't profitable to you, and it wouldn't be able to be monetized due to upcoming changes to Youtube...

I think it was pretty obvious why they wanted to pay you for it.

@Caraxi
Copy link

Caraxi commented Jul 14, 2017

and of course your research about them came up clean. They make every silly dev they trick sign an NDA to not tarnish their name they built up so that they can trick more silly devs

@error161
Copy link

error161 commented Jul 14, 2017

Did you have a written/signed/etc contract with them for the transfer, and did they breach the terms? If so, I'm curious if you'd still be required to withhold the company's name. Gladly it has been removed from the webstore, but the buyer's reputation needs to be tarnished and found out.

It's understandable if you cannot, as you don't want to put yourself in a worse situation than you are already in.

Though, IMHO it does seem fairly clear that a company wanting to buy a dead-ending extension likely does not have good intentions. Still yet, the outrage-happy internet is probably still going to come after you for this and it's unnecessary.

Good luck with Iridium and the new extension.

Repository owner deleted a comment Jul 14, 2017
@ParticleCore
Copy link
Owner Author

Just a warning: I am leaving this open for discussion related to the topic. Any further insults will lead to this issue being locked. This is not a place for this kind of behavior.

@ParticleCore
Copy link
Owner Author

@bscottx I am sorry, but I think you can assume the answer for that by my inability to comment further on it. I appreciate the understanding, it has not been easy being in this position not knowing what I can or cannot say.

@LB--
Copy link

LB-- commented Jul 14, 2017

If anything I wish someone else was doing this project and the other new one too, because that way I would not have to sacrifice my time to dedicate it here to try and fix all the problems that pop up, to add more features when possible, to help users that don't know how something works, in some cases resulting in all-nighters

I really appreciate that you feel a strong obligation to maintain these projects, but if you feel it is no longer worth your time and it is having this kind of effect on your health, please step away and take a break. Your work is appreciated but you shouldn't burn yourself out on this, and you absolutely shouldn't pull all-nighters for less than minimum wage. If you step down, the forks will step up, so there's no need to feel like you are the only one who can do this - that's the good thing about open source.

I wish you the best.

@ohohohoo
Copy link

I switched from the Chrome extension into userscript version long ago — when you announced that Google removed the Chrome version and you didn't get an explanation for it, so I may not be feeling what others are experiencing.

Unlike those that hate you for selling your extension to another person/company, I have totally no problem at all. You're free to sell your product to an adware maker or whatever else coming your way because it's your product afterall and you said that you really need the money (so I assume that the situation is quite bad and you truly need the money for something important).

2 - The income is very important during the period that my life is currently on. I do appreciate all the donations that have been made and keep being made since the birth of this project, but with just around $8 average per month (if I recall correctly) there's just not enough, not even to pay the ISP. However, I only went through with the proposal because I asked for quite a high price that I was willing to sell, assuming that it would be rejected. As it happens it was not.

But there's one thing that I disagree with your decision, and that is to not inform your users beforehand. You could've made an update to your extension and show a page explaining that in a few days this extension will be sold to another party that could potentially cause harm to the users. That's all you need to give so the users can make proper decision.

I know you said that you've researched the buyer before, but let's be blunt here, whenever a company/someone buy a browser extension it could only mean two thing. Either they want to make money from your product or they want to kill your product because they don't want another competitor. This is not a perfect world where the buyer would suddenly take charge of your product and making it into something better.

I hope that you learnt from this and won't make similar decision in the future.

@chrcoluk
Copy link

I had this installed then it vanished, I then installed the userscript version, but I discovered it didnt vanish at all but instead it changed name and chrome had auto disabled it.

I am pretty angry, its sad that what turns out to be a good project always tends to get ruined by a need for money.

@ghost
Copy link

ghost commented Jul 16, 2017

Well, you did what you had to I suppose. Dev life is hard. Best of luck for the future, but please don't do something like this again.

@BooBerry
Copy link

BooBerry commented Jul 17, 2017

@ParticleCore Honestly, thanks to your blind incompetence I won't be recommending Particle/Iridium or anything else you develop ever again. Since you've "sold-out" once already, what's stopping you from doing it again in the future because you're in need of money? As such in my eyes you've lost ALL trust with this blunder. There was several obvious red flags including; the party accepting the high price, the desire to obtain a "dead" extension with a healthy fanbase and the use of a non-disclosure agreement.

But hey, I guess money blinds all judgement. I really hope it was worth it... I'm sure the users infected with the adware would disagree.

@ParticleCore
Copy link
Owner Author

@BooBerry You misunderstand me, I never cared about popularity, ratings or anything of the sort. This is my hobby that I do with pleasure and decided to share it publicly. If it happens to generate income then even better. As such was the case I had a good opportunity and went with it. Did not go as well as I wanted. Hindsight is 20/20, but during the exchange what is obvious for everyone after it already happened did not cross my mind while it was taking place.

Make no mistake, if I am offered another deal I will take it again, but this time I will post the emails publicly for the duration of the exchange (with sensitive information redacted, such as names and emails) so that this won't catch users by surprise again.
Until then I will try to see if I can make donations work better without making them annoying, which is something I also hate.

Also don't try to pin adware on me as if I was the one who deliberately did it with full knowledge of the actions, that's just a blatant lie. The owner of the extension during those changes was not me, so blame the right person for the right reasons, call me sell-out all you want but never blame me for what happened after I was no longer responsible for the extension.

I lost the users trust? When did I ever asked for it? I had users threatening my life because I wouldn't help them make a custom userscript, I had users threatening to down-rate the extensions if I wouldn't implement features they demanded, some even went ahead and just did it (#522 (comment)).

This is just my hobby, nothing more. If you do not like it then there are other options available (although the most popular are heavy on data mining, so that's a trade-off) or, if you want, you can do what I did, build your own to your own liking, just the way you want it to be.

I know it sucks, I hated that this happened this way, but I am not here for you, I am here because I enjoy doing this project, not serving others. If it happens to satisfy what others seek then great, if not then nothing is lost. If it happens to generate income then great, if not then that's life.

@ParticleCore
Copy link
Owner Author

As per the previous information I decided to leave this open for another day, but I will be closing it tonight because I believe there is nothing more to add to this subject. The topic will not be locked, just the issue will be closed.

@theorist-complex
Copy link

@ParticleCore Can't say that I'm exactly happy the way this was handled, but I understand mistakes happen. Money is a real thing and it IS a driving force in our lives. Having the money available to work on the things you want to work on is a blessing. So again, while I think this could have definitely been handled better on your end, I wish you luck and hope that you continue to grow, learn, prosper, and have the ability to prioritize the work in your life that gives you a sense of pride and contentment.

@Shigeto1
Copy link

A bit late to the party but I'd just like to say I'm grateful that somebody is maintaining this script even if the extension has been hijacked. All that matters in the end is that I don't have to use YouTube's horrible flat material layout design now or (hopefully) going forward.

I've really no interest in questioning the dev's handling/mishandling of the situation or speculating about their intent, all I really care about is that this project doesn't get squashed by Google/YouTube. Particle/YouTube+/Iridium is essential to my YouTube viewing experience thanks to their clueless design team and I would rather have donation popups etc than see this project die off.

@brad-x
Copy link

brad-x commented Jul 19, 2017

Hate to try to bump a closed issue but though it's EOL it was useful. A re-upload to the chrome webstore under a new-new name would be great.

@alphapapa
Copy link

@ParticleCore

Also don't try to pin adware on me as if I was the one who deliberately did it with full knowledge of the actions, that's just a blatant lie. The owner of the extension during those changes was not me, so blame the right person for the right reasons, call me sell-out all you want but never blame me for what happened after I was no longer responsible for the extension.

At best, you're guilty of very poor judgement here. You're not an Internet newbie. You know about adware and malware and that the people who make it are underhanded and deceptive. You were tempted by some amount of money. Maybe that blinded you to the risks, but that's still your doing.

I lost the users trust? When did I ever asked for it? I had users threatening my life because I wouldn't help them make a custom userscript, I had users threatening to down-rate the extensions if I wouldn't implement features they demanded, some even went ahead and just did it (#522 (comment)).

Those idiots threatening you are irrelevant to this. You made an implicit agreement with your users when you went to the trouble to make a fancy name and logo and package and upload your extension to the Chrome store. You have their trust whether you asked for it or not, and you have a responsibility to protect them from being exploited through your software (which is auto-updated in their browsers). You abdicated this responsibility when you sold-out. If you were naive instead of malicious, so be it, but you still messed up, big time.

I maintain several software packages here on GitHub with quite a few users. It's not nearly on the scale of a browser extension, but I take the trust of my users very seriously, because I also trust and depend on other developers of software I use. I view maintaining software as stewardship, and since I benefit from the stewardship and generosity of others, I have a duty to do the same.

This is just my hobby, nothing more. If you do not like it then there are other options available (although the most popular are heavy on data mining, so that's a trade-off) or, if you want, you can do what I did, build your own to your own liking, just the way you want it to be.

Well, I guess it's not just your hobby anymore, since you have profited a tidy sum from it, at the expense of the safety of your trusting users. (Again, that may not have been your intent, but the end result is the same.)

Make no mistake, if I am offered another deal I will take it again

I appreciate your honesty. It sounds like you haven't learned your lesson after all. Now I know with certainty to avoid your software. Hopefully you will figure it out before something worse happens and more people get hurt. Next time, who knows, people might lose data, get infected with ransomware, have their credit cards stolen, etc.

Really, if you're unwilling to take these risks seriously, I encourage you to stop developing or stop packaging your software. Let someone else do it, someone who takes these issues seriously.

@ParticleCore
Copy link
Owner Author

@brad-x That is something I simply cannot do, it would be illegal. The only option is to use the userscript version, if you want.

@alphapapa
Copy link

BTW, if this whole ordeal hasn't made it clear enough, you should be really careful what you sign. If it would violate your contract for you to upload this software under a different name, that makes me wonder whether you signed away all rights to your software, period. The license on this repo was already unclear; can it even be forked? Can this repo even remain online? What a mess. And what a shame, it was really nice software.

@aelfwyne
Copy link

Ultimately, if people are threatening you personally, they're taking this WAY too seriously. Business is business. I will take mine elsewhere.

Just like when I used to be a manager and would fire an employee I will tell you "Good luck on your next job. Don't make the same mistake."

@DAOWAce
Copy link

DAOWAce commented Jul 27, 2017

Well, I checked my addon list today and had noticed this message over particlecore:

"This extension violates the Chrome Web Store policy."

Found this thread.. made 16 days earlier.

I guess I'm glad I switched to the userscript version some time ago, which I disabled updates for.

Shame; damn shame. Why's every single youtube addon seem to just.. get destroyed in one way or another?

@ssvx
Copy link

ssvx commented Aug 12, 2017

Oh, thanks for the heads-up. So is this why I'm getting pop-under ad windows on unrelated websites all the time lately? ;D

Good thing you've got compensated. Don't let those insults get to you - that's a very poor way to thank you for your work so far. I'd rather say: THANKS so much for the wonderful time YouTube+ allowed us to have. Without it YouTube is just a useless heap of garbage and without YouTube... wait... I'd have way more spare time each day? Huh... anyways, switched to the userscript version. Very curious if I'll still get pop-under ads =)

<3 m8

@Caraxi
Copy link

Caraxi commented Aug 12, 2017

Guy sells you to adware and you thank him... Seems legit. I'd rather not have the extension at all than use anything made by this idiot again.

@ParticleCore
Copy link
Owner Author

If the purpose of this issue is for others to further more lies, like claiming that I sold users to adware after I have clearly explained the entire situation as best as I can, then there is no use in leaving it open any longer.

I also warned about making more insults #528 (comment) and as a result of @Caraxi contribution this issue will be locked.

Repository owner locked and limited conversation to collaborators Aug 12, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests