Wow, what a weird rabbit-hole I just ended up down.
So, the “Spread Mastodon” page (tutorial?) recommends a cool-sounding browser extension as an alternative to all those constantly-dead 'fedifinder' / Twitter-person-looker-upper tools: the ‘Whosum Social Assistant’ browser extension.
Sounds cool! Sounds like the correct solution to this problem!
… but if you click the link, you just get this. An empty page with a modal saying “Please enter your password to get access.”
What, okay, fine, somebody's got something misconfigured.
So, this thing was supposedly open-source, right? Let's go find the source.
Easy, there's a GitHub! Great! https://github.com/positivesumnet/socialassistant
I mean, no activity in two years, and all the links in the README are broken, but it's a start.
Well, even if their bespoke site is down, it's probably still on the addon repositories, right?
Chrome has nothing, https://chromewebstore.google.com/search/whosum
but it _is_ on the AMO … with precisely one user. What? There are multiple blog posts about this thing around the web. https://addons.mozilla.org/en-US/firefox/addon/whosum-social-assistant/
sus.
Okay, let's look up the author; I can reach out on Masto (which they'll obviously be on, right? They wrote a whole-ass manifesto about switching to Mastodon.) and tell them that their website’s down; not to mention they'll probably be an interesting follow.
The GitHub committer for the project is https://github.com/scafaria; there's an e-mail address … at a domain which redirects to the same, empty website as we found at the start: https://positivesum.net
There's a LinkedIn link … to a 404. Ditto for YouTube.
There's no Mastodon handle listed, but there is a Twitter handle … also gone.
Some more OSINT yields https://toad.social/@scafaria as an old handle; gone.
The only thing I could find on the web, other than the GitHub, was a Medium account that _hasn't_ been deleted, https://scafaria.com/about - but only has one short post.
So, take a breath: who cares? People have an innate right to remove themselves. Hell, the EU enshrined that in law.
Here's the thing: this raises some serious alarm bells, for me.
Let’s talk about browser extensions.
Browser extensions sit in a strange position, security- and privacy-wise.
- They have unparalleled¹ access to parts of our lives that the average user is going to assume are fairly private.
- They’re much less audited² than other, similar software (non-web, non-extension software either has a higher barrier-to-entry, triggering users’ own trust expectations; or is less privileged in its access; or has a larger, less-niche userbase who are more focused on that particular piece of software itself.)
(1. modulo some admirable efforts by browser vendors that, to be honest, fall short of the mark)
(2. again modulo Mozilla doing their best; they do human-review some extensions, but only popular ones that are flagged first by an automated process. https://blog.mozilla.org/addons/2020/07/29/openness-and-security-a-balancing-act-for-the-add-ons-ecosystem/)
There have been numerous³ ⁴ ⁵ major security incidents related to browser extensions. My hackles skyrocket when something seems even a tiny bit fishy around one — and yours should too.
(3. https://www.cyberhaven.com/engineering-blog/final-analysis-chrome-extension-security-incident)
(4. https://spin.ai/blog/browser-extension-risk-report/)
(5. https://labs.guard.io/fakegpt-2-open-source-turned-malicious-in-another-variant-of-the-facebook-account-stealer-d00ef9883d61)
So, while I do respect this person’s right to disappear, if they’re a real person — I’m also immediately concerned about whether this was even a legitimate tool in the first place.
A quick dig around in the source doesn't yield anything that's obviously suspicious to me; and both versions visible on the AMO match the contents of the respective git tags. So I'm closing this out believing that, yes, this person really did just opt to remove themselves from the Internet; and this really was just a project that died when they left.
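The "does the AMO package match the git tag" check above is the one step a reader can repeat on any extension, so here is a small script that does it. This is example code written for this post, not anything from the Whosum project: it unpacks a packaged extension (an XPI is just a zip), hashes every file, and diffs that against a tree of source files, ignoring the `META-INF/` signature files that Mozilla adds when it signs an add-on. The two packages and the "git tag" tree below are constructed inline so the script runs offline; in real use you would feed it the downloaded `.xpi` and a checkout of the tag.

```python
import hashlib
import io
import pathlib
import zipfile


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_xpi(xpi_bytes: bytes) -> dict[str, bytes]:
    """Read every file inside a packaged extension (XPI = zip) into path -> bytes."""
    files = {}
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                files[info.filename] = zf.read(info)
    return files


def load_dir(root: str) -> dict[str, bytes]:
    """Read a checked-out git tag (or any directory) into the same path -> bytes shape."""
    base = pathlib.Path(root)
    return {p.relative_to(base).as_posix(): p.read_bytes()
            for p in base.rglob("*") if p.is_file() and ".git" not in p.parts}


def compare(packaged: dict[str, bytes], source: dict[str, bytes],
            ignore_prefixes=("META-INF/",)) -> dict:
    """Report files that differ, exist only in the package, or exist only in source.

    META-INF/ holds the store's signature files (manifest.mf, mozilla.sf, mozilla.rsa),
    which are never in the repository, so they are skipped by default.
    """
    pkg = {p: sha256(b) for p, b in packaged.items() if not p.startswith(ignore_prefixes)}
    src = {p: sha256(b) for p, b in source.items()}
    changed = sorted(p for p in pkg.keys() & src.keys() if pkg[p] != src[p])
    only_in_package = sorted(pkg.keys() - src.keys())   # shipped but not in the tag: red flag
    only_in_source = sorted(src.keys() - pkg.keys())    # in the tag but not shipped: usually docs/tests
    return {
        "changed": changed,
        "only_in_package": only_in_package,
        "only_in_source": only_in_source,
        "match": not (changed or only_in_package),
    }


def build_zip(files: dict[str, bytes]) -> bytes:
    """Helper for the constructed samples: pack a path -> bytes dict into zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed stand-in for the contents of a git tag (not the real project's files).
SOURCE_TAG = {
    "manifest.json": b'{"manifest_version": 2, "name": "example", "version": "1.0"}',
    "background.js": b"browser.runtime.onInstalled.addListener(() => {});\n",
    "README.md": b"# example\n",
}
SIGNATURE_FILES = {"META-INF/manifest.mf": b"...", "META-INF/mozilla.rsa": b"..."}

# Constructed "store" packages: one that genuinely matches the tag, one that does not.
CLEAN_XPI = build_zip({**{k: v for k, v in SOURCE_TAG.items() if k != "README.md"},
                       **SIGNATURE_FILES})
TAMPERED_XPI = build_zip({
    **{k: v for k, v in SOURCE_TAG.items() if k != "README.md"},
    **SIGNATURE_FILES,
    "background.js": b"browser.runtime.onInstalled.addListener(() => {});\nimportScripts('vendor/helper.js');\n",
    "vendor/helper.js": b"/* not in the repository */\n",
})


def check_clean() -> dict:
    return compare(read_xpi(CLEAN_XPI), SOURCE_TAG)


def check_tampered() -> dict:
    return compare(read_xpi(TAMPERED_XPI), SOURCE_TAG)


if __name__ == "__main__":
    print("clean:", check_clean())
    print("tampered:", check_tampered())
    # Real use: compare(read_xpi(open("addon.xpi", "rb").read()), load_dir("path/to/tag-checkout"))
```

One caveat that applies to many extensions: if the project has a build step (a bundler or minifier), the shipped files will not match the repository byte-for-byte even when nothing is wrong. In that case the honest comparison is to build the tag yourself and diff against that output; a file that exists only in the package, with no build step to explain it, is the thing to look hardest at.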
But for me, the takeaway was still: the browser-extension ecosystem is a scary place.
We need both more automated tooling _and_ more user-education; because the potential for harm and ease of access are simply enormous.