34 comments

[ 4.3 ms ] story [ 81.9 ms ] thread
I've had people email pitching me on embedding crypto-mining programmes in the games I sell on Steam. It's intensely sinister stuff.

I got an email just yesterday pitching me on a special 'credit card for gamers'. I was meant to push a special credit card to my customers. The website has zero information on what % interest this credit card has, but even if it's totally normal and above-board: eww. I make computer games, I don't want to push credit cards.

It's all so slimy.

The credit card angle is unpalatable, for sure.

Yet take a sitcom such as Seinfeld. Each product they joked about, junior mints, snapple, etc were ads.

The furniture is an ad. The appliances, the cereal on the shelf, etc. If no ads, generic boxes and unbranded products will appear instead, nothing is free.

I am not saying videogames should be this way, merely pointing out that this is old, old almost century old advertising behaviour. The trick is to made the product better for it (Seinfeld junior mints was an incredibly funny episode).

Of course, I think the CC thing you mention, was more just a "spam your users", so hardly subtle and non-intrusive.

EG, on TV typically they write the episode, then after marketing says "ah look, he's supposed to drink a soda here, let's see who wants to pay for someone drinking their soda."

This I can live with.

Assuming the rates weren't abusive on that credit card, I'd have no problem if it appeared in the game as product placement, even prominently.

I also have no problem with product placement in tv shows and movies. At least, so long as they don't force a change in the plot of the movie. Creative integrity has to be maintained.

Ads, on the other hand... Ugh. I hate them so much. They are incredibly manipulative and it seems like they all border on straight up lying now.

Actually using real products adds verisimilitude to media. I think of movies like "Back to the Future" where the branded products bring back memories.

Right now I am doing "corporate identity" for a shared kitchen and I'm using product logos (e.g. "Dawn", "Cuisinart") as much as I can because I think it will improve compliance with instructions. (Not getting paid by them though)

> " I've had people email pitching me on embedding crypto-mining programmes in the games I sell on Steam. It's intensely sinister stuff."

I had a "friend" (more of an acquaintance really) a while back that kept trying to convince me that this was a good idea and I (as the only programmer he knew) should help him do it. Couldn't for the life of me convince him that it was pretty much certain to backfire spectacularly in any number of possible dumpster fires he wouldn't want to be a part of. He just wasn't willing to see how sneaking crypto-mining software into other people machines without their knowledge could possibly be perceived as "bad" by anyone.

The only way they understand is if you propose they volunteer first e.g. by you running a crypto miner on their machine, with them seeing nothing of the money.
I remember a post a few months ago, on a similar topic of companies wanting their SDKs (really user tracking code so they could resell that data) included in extensions. So this is definitely a widespread experience.

As an aside: The justified text here looks awful on mobile (and I checked Chrome, same result): https://i.imgur.com/AZl06K9.png

I haven't seen others talk about this but given that I received these emails with a relatively small extension that doesn't surprise me at all.

Also, you're right about the text, just re-designed my site so I'll take a look at that.

> this has been a recurring problem over the past few years due to the incredible power granted to browser extensions and the poor vetting process that allows malware into official extension stores.

I am really surprised this is not a much bigger problem starting many more years ago. It's amazing that browser vendors let people hack the browser this way. I am very cautious about extensions I install. One I had been using was hacked this way. I found out only because I pay attention. Google never mailed me anything about it. What about people who aren't paying attention? Can't google email people to warn people since they know what extensions are installed and generally have an email address associated with the browser?

Google makes money with your data. When the extension is syphoning data, they win.
Not a new thing. In fact, a while back this guy[1] sold out the Nano extension to suspect elements and made money out of it. The new owners turned that extension into malware. The original author who sold it then started closing the github issues that were raised, made the repo read only and fled. Was discussed a while back here in HN https://news.ycombinator.com/item?id=24803740 and the malware details here https://github.com/NanoAdblocker/NanoCore/issues/362#issueco...

[1] https://github.com/jspenguin2017

Life's complexity constantly increases, but our available time is fixed... we need a community-run automated-- and user-reported addon analysis and checking service, provided though another addon, which notifies you when one of your installed (or currently page open) addons "goes to the darkside"... sigh
That is actually not a bad idea... but it does go to show the utter failure of Google's extension store that a community-run system would be necessary to police their platform.
The alternatives are either fully open repositories (although a slightly motivated programmer can easily view the source of any extension) or a walled garden a la Apple app stores. Am I missing something here?
I think the silent, automatic updates and wide-reaching permissions that aren't communicated in an understandable way to end users are the real issues.
A good sandbox with suitable access control would help too.
Extensions have sandboxing and permissions but to be able to do anything moderately useful you need access to literally everything.

For something as basic as an ad blocker or a theme loader you need full access to every page.

That's ok, as long as you don't phone home.
(comment deleted)
Well, this is not really true as the extension can still do a lot of damage in e.g. online banking.
This is not much of an issue on Linux distros where everything is done in the open.
All of the "recommended" addons for Firefox (and maybe the most popular ones too?) are regularly reviewed by Mozilla for malicious code. I haven't heard of any problems with those ( probably because most problems are caught before they get pushed to users)
That explains the couple of emails I received from random people asking if I want to sell my extension. Very enlightening.
This is important to be aware of, because with every browser extension you install, you are trusting one more person to continuously and forever say "no" to being offered essentially free money.
I tell people to not install browser extensions except for a tiny set of anti-track and and anti-ad extensions such as decentraleyes and ublock origin.

Anyone remember the AOL days when you’d visit your uncle and he’d have more space taken up by toolbars than content? Don’t let it happen to you!

Similarweb is the biggest buyer of these extensions and they use all this data to track the websites people are going. It’s a privacy mess and Google has done nothing about it. If anyone from a Google is reading this, I dare you to bring it up to upper management because it seems they don’t care.
My first thought on this is...wow, $4,000? The guy obviously isn't trying to monetize this extension but if he was that's insulting..he could make more money flipping burgers..

My second thought on this is...ouch, this is the same kind of stuff I'm tasked with working on in my present job. As I've mentioned elsewhere I work for a...fairly massive...corporate entity in the United States and I deal specifically with customer and member data. The majority of that data is highly protected and regulated, but the tiny little bit that isn't...we're working (and spending a ton of money) on "enriching" it from other data sources..and I absolutely hate it. This is a new direction for the company since there was a lot of executive leadership turnover in the past two years. But it makes me feel sick every time I see a new meeting pop up that involves Experian or Neustar or some other data broker. And the work on mining customer data from one part of the business to the other, people brushing off my objections because "look we already have legal approval, you need to get on the train before it leaves the station"...I hate every second of every day of it.

I hate to say it, but developing a browser extension and getting emails like these has made me terrified of installing extensions. I’m sad by this state of things, since the era of user scripts and site-specific extensions was the one time in the history of the web where it really felt like users were in control of their experience.