Thunderbird update silently installs Test Pilot extension

[TheWindBringeth]

I manually updated one machine to 12.0.1 this morning, via Help->About->Check for updates. After restarting I found a new extension called "Test Pilot" had been silently installed without any notice. Based on a quick look, this appears to be a mechanism for automatically retrieving work orders from Mozilla, which are then executed to collect usage data, configuration data, and/or survey type responses. There is a new Tools->Test Pilot menu item which allows you to tweak it a bit. The default appears to be "participate and notify me when the study is ready to submit. At which time you can supposedly review it.

Searches turned up some folks reporting this elsewhere some months ago as well as a comment saying that not everyone would get it at the same time. I'm not yet sure if it was just my lucky day or if it is being dished up to everyone who installed 12.0.1.

I updated a second machine while running Wireshark. Again, Test Pilot was silently installed with the same settings. After restarting it established a secure connection with testpilot.mozillalabs.com which I'm not setup to sniff so I don't know if it was just trying to retrieve a work order or whether it was sending home some initial data.

A bit later right after some secure communications with addons.mozilla.org then production.mozillamessaging.com, I see something strange. It is Thunderbird issuing a get for -http://www.mozilla.org/thunderbird/legal/privacy/ without a referrer header. I was clicking around the Thunderbird interface at the time and didn't explicitly go there. I don't know what caused that. Sadly and ironically, that privacy page has WebTrends javascript (!) which my Thunderbird... not equipped with the protections that my Firefox is.. seems to have executed thus producing a brief info/ID passing exchange with that firm's servers

[mun]

The same happened to me yesterday - silently installed Test Pilot spyware when updating from 11 to 12. I no longer trust Mozilla and I'm looking for alternatives - do you know of any? I need a simple email client where I can code my own extensions. Not only is Mozilla spyware, it is also bloatware.

Ironically, uTorrent 3.1.3 update filled my PC yesterday with Conduit adware as well. Now should I be updating or not?

If I don't update I end up with malware like I did about a month ago, when I got Luckisel malware through Thunderbird 3 - how could it be, when there is no scripting etc.? I have an answer for that - Mozilla is a NWO subsidiary after our data.

I guess I downgrade to IE4 & Outlook Express and be safe.

[m00nbl00d]

Thanks for the info. I don't use it myself, but a relative of mine does and may not be aware of it. I'll have to check it out.


Thanks

-edit-

There was no such extension, but Thunderbird did have Google Update, Adobe Reader, Java and Silverlight plugins loaded. Why would an e-mail client need to check and load those plugins?

[Daveski17]

Quote:

Originally Posted by mun

The same happened to me yesterday - silently installed Test Pilot spyware when updating from 11 to 12. I no longer trust Mozilla and I'm looking for alternatives - do you know of any?

I have disabled the Test Pilot spyware for the moment (on Firefox) while I decide whether it is a good thing or not. If it helps Mozilla I reckon it's OK.

I'm pretty sure you wouldn't get this kind of behaviour with Waterfox & SeaMonkey.

If you are running 32 bit, not only is SeaMonkey a viable (Gecko) alternative to Firefox, but with this theme you can even make it look like Firefox. SeaMonkey has an internal mail client not unlike Thunderbird, although I don't use it myself.

[JohnBurns]

I am a little confused, I guess. I can't seem to find this on either Firefox or Thunderbird. I have Firefox 12.0 and Thunderbird 12.0.1. Can anyone tell me what I am missing here? Thanks.

[vasa1]

Quote:

Originally Posted by JohnBurns

... Can anyone tell me what I am missing here? Thanks.

Nothing much ... just the usual everyone is spying on me all the time.

[JohnBurns]

Quote:

Originally Posted by vasa1

Nothing much ... just the usual everyone is spying on me all the time.

Thanks for reply - I won't worry about it. If they are spying on me, they won't find much of interest, I'm afraid.

[Wallaby]

Updated Thunderbird from 12.0 to 12.0.1 through internal updater and no "Test Pilot" here

[Ranget]

I got a bad feeling About This :?

[Daveski17]

Quote:

Originally Posted by JohnBurns

I am a little confused, I guess. I can't seem to find this on either Firefox or Thunderbird. I have Firefox 12.0 and Thunderbird 12.0.1. Can anyone tell me what I am missing here? Thanks.

I have it in Firefox on my Win 7 (64 bit) PC, yet it hasn't manifested on my Vista 32 bit notebook.

[Daveski17]

Quote:

Originally Posted by vasa1

Nothing much ... just the usual everyone is spying on me all the time.

Everyone is spying on everyone all the time.

[ronjor]

In Thunderbird, tools, add ons, extensions, remove

[acr1965]

Is this it? https://addons.mozilla.org/en-US/fir...on/test-pilot/

[Daveski17]

Quote:

Originally Posted by acr1965

Is this it? https://addons.mozilla.org/en-US/fir...on/test-pilot/

I'm pretty sure that's it.

[ABee]

Quote:

Originally Posted by TheWindBringeth

I manually updated one machine to 12.0.1 this morning, via Help->About->Check for updates. After restarting I found a new extension called "Test Pilot" had been silently installed without any notice.

Perhaps you missed the notice, or missed it when previously installing 12.0?
I saw it when installing 12.0, and selected the 'disable' option. After using the internal updater to get 12.0.1, Test Pilot was still disabled. Yet I've now gone ahead and removed it completely anyway.

I expect you got a notice about it when installing 12.0 or 12.0.1, you just failed to pay close enough attention.

[TheWindBringeth]

@acr1965: That is surely it. Although I think the version I received might have been newer. I'm not positive; I uninstalled it from both machines right before I went to bed. Speaking of which, here are some links I could have posted earlier:

http://blog.mozilla.org/thunderbird/...rch-27th-2012/

https://wiki.mozilla.org/Thunderbird:UX:Test_Pilot

http://groups.google.com/group/mozil...rch+this+group

@Mun: For right now I'm just going to disable Thunderbird and Firefox checking for updates, add some software firewall rules, and switch to offline updates for both and their addons. This is but the latest in a string of things I've seen which make me question some of the developers and decision makers within Mozilla. I think there are many good apples in Mozilla and I don't know how we as users can drive out the bad ones.

@ABee: Both machines jumped from 11 whatever to 12.0.1. One is a backup for the other and thus uses a copy of the first one's profile, which may account for why both received Test Pilot at the same time essentially. I don't think I missed anything in the way of notice. I was a bit sleepy, granted, but I was watching that much more carefully the second time. Others have reported silent installation too.

[majoMo]

Quote:

Originally Posted by ronjor

In Thunderbird, tools, add ons, extensions, remove

A proactive and assertive information. Suitable, sharp, useful to users. Positive stance to overcome an emotional negativity negligible.

Thanks!

[TheWindBringeth]

Speaking of a being proactive, if you don't have it and don't want it I think adding this preference:

Code:

extensions.installedDistroAddon.tbtestpilot@labs.mozilla.com = true

will prevent it from being added to your install during future updates. Reference: http://mxr.mozilla.org/comm-release/...vider.jsm#2113

Edit: I'd have to study some more code to be sure but I'm going to stick with the above.

[siljaline]

Also on Google Groups. FAQ's Also Mozilla Wiki Test Pilot

[tlu]

Quote:

Originally Posted by TheWindBringeth

For right now I'm just going to disable Thunderbird and Firefox checking for updates, add some software firewall rules, and switch to offline updates for both and their addons.

No offence meant - but that's insane, IMHO. You should really look at the links presented by siljaline in post #19 before making such grievous decisions.

[vasa1]

Quote:

Originally Posted by tlu

No offence meant - but that's insane, IMHO. ...

The sad thing is that there are others who'll follow.

[Daveski17]

Quote:

Originally Posted by vasa1

The sad thing is that there are others who'll follow.

Maybe, but the really sad thing is all of the rhetoric emanating from the Nanny Cyber-State Police.

[Fox Mulder]

Sounds like I'll finally install Evolution for windows.

[tlu]

Quote:

Originally Posted by vasa1

The sad thing is that there are others who'll follow.

Yes, paranoia is all around ...

[TheWindBringeth]

Quote:

Originally Posted by tlu

No offence meant - but that's insane, IMHO. You should really look at the links presented by siljaline in post #19 before making such grievous decisions.

I would draw your attention to my sentence immediately after what you quoted: "This is but the latest in a string of things I've seen which make me question some of the developers and decision makers within Mozilla.". Yes, I read the material pointed to by siljaline, and other material, and contemplated its design. I don't like it. I certainly don't like the fact that a remotely configured data collection component was silently installed and enabled within the email client I use. An ability to review/approve the final step of phoning home certainly doesn't address all of my concerns. This comes just ten days after getting hit with the silent install and enabling of the new Maintenance Service which has security and will have other implications down the road. Which comes not that long after learning of Mozilla's intent to in the future push Firefox metrics reporting on users on an opt-out basis. I could keep going but I think that is sufficient to prove reasonable my opinion and motive.

Apart from that aspect which I expect you have a different opinion on, what do you consider insane and/or grievous about shifting to offline updates? Are you assuming that I will forget or fail to do so on a very regular and very timely basis? That I won't be automating things to the extent possible? I may very well run into technical issues and find it problematic in some way. If that is your point and there is a wall, I'll acknowledge it. If that isn't your point, I don't see how the terms insane and grievous apply.