I am one of the developers of a popular Chrome extension and we've been approached by malware companies that have tried to buy us. AMA!
I am one of the developers of Honey, a popular Chrome extension with 700K+ users. Over the past year we've been approached by malware companies that have tried to buy the extension, data collection companies that have tried to buy user data, and adware companies that have tried to partner with us. We turned them all down.
It looks like there's a lot of concern about browser extension privacy and security today so we're here to answer your questions.
gemusan1793 karma
These are shadowy companies that use aliases and shell companies to contact us. Naming them will have no effect. This is what keeps them safe.
gemusan1026 karma
Of course we sell Honey. Why else would we call ourselves Honey?
PM me your address and we'll send you a sampler kit!
Edit: This was a joke but I got a bunch of addresses. We're going to follow through and put some honey packages together. Sorry we can't afford to send them overseas because the shipping will kill us!
pie_now-7 karma
What do you have to show us that you received all these approaches by malware companies or data collection companies? How do you know they were malware companies? Did they say, "Hi, we're a malware company. Can we buy your shit?"
What were the data collection companies' names?
There's got to be some kind of paper trail.
Because all I'm seeing is a lot of BS and someone doing a marketing ploy right now.
Over on the right side, it says proof is required. In this case, in addition to proof of you being you, we need proof that this actually happened.
If you don't give that, then you or the mods need to remove this AMA.
Let's see those emails with the shadowy aliases. Naming them WILL have an effect. For US.
If you don't, again, I'll just chalk you up to another marketing ploy.
gemusan16 karma
I posted this lower down the thread but I'll post it here again:
If I point the finger at a specific company, we could get hit with a defamation lawsuit. Please understand that we're not an anonymous person on the internet and we can't get away with something like that.
The point of this AMA is to bring some transparency to the mechanics of how the whole "malware in extension" system works. It's far more useful than posting the names of a few non-public facing companies.
If the mods want to verify, I am happy to forward a few of the emails to them.
Viviparous-7 karma
> These are shadowy companies that use aliases and shell companies to contact us. Naming them will have no effect. This is what keeps them safe.
Ugh. This AMA already reeks of fedoras
pie_now-6 karma
Ah, good. I am so glad I'm not going it alone, which often happens in these types of situations. :)
"They are so shadowy, that's how they contact us. We look up at the ceiling and there are shadows there. The shadows move around into letters, and that way, we can understand these shadowy companies' communications."
Fucking douchebags.
Viviparous-2 karma
This AMA is not an AMA at all... it's blatantly exploiting the anti-malware sentiment to endorse the Honey app, all while posting circlejerk comments about shady corporations, Gandalf's beard, "not being shady" and "refusing to sell out."
I haven't seen a single insightful comment on the actual app or the business model for monetizing a "cracked" extension. This is a "Rampart" tier AMA and I can't believe people are lapping this up...
gemusan2 karma
How did you miss this?
http://www.reddit.com/r/IAmA/comments/1vjj51/i_am_one_of_the_developers_of_a_popular_chrome/ceswmvw
Why don't you try to ask an insightful question? I promise I'll do my best to answer it.
GuruMeditationError-29 karma
So in other words you're just taking advantage of the situation to push your extension.
gemusan27 karma
This morning's post about malware companies buying extensions raised a lot of awareness and concern. However, the thread was filled with conjecture and misinformation. As a developer who has poured thousands of hours into building a legitimate extension, I don't want to see a few bad apples ruin it for the rest of us.
tdaun1063 karma
How do I know you are not actually a malware company that bought honey, and is using this AMA to trick people into downloading your extension and then infecting them with malware?
edit: fixed grammar
gemusan914 karma
That's pretty meta.
Well the team here at Honey isn't hard to find. You can find out who we are and where we live pretty easily. People running malware companies are not going to use their real identity.
LakersLady734 karma
gemusan1425 karma
Haha I'm actually a little sad. We shouldn't be awesome because we refuse to be shady. That should be expected.
AshKatchumawl655 karma
What are malware companies' motivations? As in, why install malware? What are they getting from buying an extension, and what will the malware do? In general terms, I mean.
gemusan951 karma
I'll give you more specifics. Most are generating $ from advertising or data. Approaches I've seen include:
- replace your default new tab contents with their search
- replace existing links with affiliate links
- add new affiliate text links all over the place that look similar to the double underline ones used by some publishers
- replace ads across the internet
- generate phantom traffic to websites a user never sees (similar to botnet)
- capture ALL browsing data including post data (many uses I could speculate on but won't get into here)
What do they offer an extension developer? Depends on the mix of where the users are but it easily adds up to a few cents per active user per day. Or they just buy the whole thing. Which makes you wonder how much more they are really making....
gemusan1191 karma
Favorite piece of malware?
We were approached by a company that wanted us to replace all Google ads you see with their ads that look just like Google ads. You wouldn't be able to tell the difference. That one's pretty clever.
ANAL_PLUNDERING270 karma
Something weird about me is that I have never clicked an ad on a website. Back when I first used the internet there was real danger that those ads were viruses and I was told by my dad not to even think of clicking them. I'm sure ad companies hate people like me.
AntipersonnelMime487 karma
What were these Malware Companies' method of contact? Email? Cold Calls?
If you actually spoke with one, did they sound 'Obviously Evil', or just 'Business Evil'?
gemusan812 karma
Usually start with an email and progress to a call. I've spoken to a few on the phone and they sound just like normal people proposing a business deal. I'm sure they've justified what they do in their own mind so they don't sound shifty or unsure at all. Mental gymnastics is an amazing thing.
gemusan856 karma
We didn't even entertain the concept of it so we never went far enough to get a price.
But the data collection company did throw a dollar figure our way. It's over 6 figures a month.
gemusan1514 karma
We believe Honey can become the de facto software that every online shopper uses when they buy things online. That's a much larger opportunity and doing anything shady will kill that potential.
Also because we're not shady people. :)
iamredsmurf500 karma
I have a lot of respect for you guys turning down big bucks like that. Not everyone else does apparently. I get it. You see the bigger picture and don't want to make money off of people like that. Wish more people were like that. I never heard of your extension but it sounds great. Will download. How many people are on your team and was it a unanimous decision to turn it down?
gemusan501 karma
There are 6 of us right now. 2 full time and 4 part time. I guess like minds are attracted to each other because the decision was unanimous.
pasaroanth263 karma
I'm not shady either, but I'm also not gonna turn down 6 figures a month. Have them write a shitty contract, then use your coding skills to write a new extension that blocks that.
vaskemaskine189 karma
I'm not gonna lie, if I made a free extension and got a 6-figure monthly offer to sell out, I'm taking it.
gemusan451 karma
It was tempting for sure because the data they wanted isn't personally identifiable and it's mainly for research purposes. But then again we all have skills that will make us a decent living if we wanted so our primary motivation for building Honey isn't money. It was an easy call to make.
Pro-Ambater216 karma
this is surprising.
If you have 700,000 users and the company offered $100,000 they would need to make 15c per user per month on average just to break even, probably a whole lot more to make a profit.
1.2 million (could be a lot more depending on what the offer actually was) a year just to see what 700,000 people do online just sounds crazy to me.
gemusan464 karma
The detailed behavior of 700K people is worth a lot more than $1.2M a year. Think about Nielsen and how many people they collect data from. The data they own makes them a $17B company.
This is the type of data I'm talking about: http://en.wikipedia.org/wiki/Clickstream
From the wikipedia page: "Use of clickstream data can raise privacy concerns, especially since some Internet service providers have resorted to selling users' clickstream data as a way to enhance revenue. There are 10-12 companies that purchase this data, typically for about $0.40/month per user."
foodandart166 karma
Oh, don't you know it.
I've been in the Nielsen's now for 15 years - in their 'Homescan' survey which is now called the National Consumer Panel... these people know exactly what America buys, thinks and eats for breakfast.
Being in the survey for as long as I have, I've become REAL adept at avoiding a lot of the fads that are marketed to the public, though that's only as I see the questions related to the marketing of goods beforehand.
Omega-3's? Saw that 6 months before everyone started using it to pitch products. Gluten? Yup, knew that one was coming as well. Same for 'pro-biotics'.
It's all in the pipeline, all waiting to be launched by marketers.
One thing to note, that as we have, in the last 5 years really made an effort to move away from industrially produced food products and shift to second-hand goods, the survey questions have dropped off noticeably. What that tells me, is that NCP, which does aggregate and sell consumer data to the manufacturers, doesn't have any producers that are marketing towards the local, small markets or the downwardly-mobile.
I wonder how long before some concern tries to work out how to go after this segment of the population. Given the absolute shit state the economy is for the 90 million that have dropped out of the workforce, it's no small target for any business that can sell to this demographic.
The one thing I've learned in the 15 years in this survey is businesses are whores who'll do anything for customers, it won't be long before they start to show up and NCP starts sniffing around asking questions on their behalf.
gemusan474 karma
It's pretty easy to find the legitimate companies w/ a little Google-fu. We can also tell by looking at what they want us to do. Malware companies usually want to include their code in our extension and it's impossible to see what their code will do. Legitimate companies are ok with leaving us with the control.
Sometimes it's immediately obvious. Sometimes it takes a few exchanges to figure out what they are proposing. They also don't want to waste their time so they usually get to the point pretty quickly.
KommandantVideo193 karma
Has any company been so to the point as to just straight up say "Hey, can we put some of our malware code into your extension?" or are they usually not so blunt?
gemusan466 karma
haha obviously none of them will refer to themselves as malware. Here's a snippet from an actual email I got:
"Hello, we're interested in potentially buying data from your browser extension userbase. We buy anonymous clickstream and browsing behavior data from browser extensions which we use for market research."
So I emailed back and asked what kind of data they want to buy. The answer was that they need us to install a small snippet of code in our extension that will do all the data collection automatically.
jordongrangruth228 karma
Do you accept donations or anything like that? After reading this I would definitely donate towards you guys.
gemusan861 karma
Thanks for the offer! We do a pretty good job conserving cash so we're doing ok financially. If you are feeling generous, give some money to this awesome charity that is out feeding the homeless: Sean's Outpost
cpuoflove156 karma
What do you think of the extension HoverZoom and the whole situation with its developer including code that collected user data in the extension?
gemusan244 karma
This is incredibly dangerous for the extension ecosystem in general. This kind of activity will force the platforms (Chrome store and Mozilla store) to be more and more restrictive, in turn taking away browser extensions' ability to do anything meaningful. Everybody loses at the end.
DoctorWaluigiTime256 karma
It's kind of a microcosm of the Internet and its evolution: It went from people having a good time, to people trying to monetize it, to people having to wear hazmat suits to get through it safely.
redcoatwright138 karma
You guys are awesome and honey is awesome.
Thanks for not being dickbags!
+/u/dogetipbot 200 doge verify
gemusan508 karma
Such kindness
Much generosity
Wow
EDIT: One day I'm going to look back at this comment the same way I look at my baggy jeans from the '90s.
dgcaste12 karma
Ever thought about doing the same with dogecoin in addition to bitcoin for amazon purchases?
gemusan18 karma
The altcoins are a little tricky because there are no payment processors that handle them. It'll be interesting to automate some type of exchange between the altcoin to btc in real-time and then push the btc through the payment processor. We'll definitely explore that.
TheBawb116 karma
Have any online retailers tried to get you to remove coupons? For example: If they only wanted to offer the coupon to certain customers, or delivered it through a mailing list.
gemusan206 karma
Nope. Online retailers understand that it's much better to keep you on the site instead of having you go off searching for a coupon. Our extension answers the "is there a coupon for my order" question for you so the chance you'll go through with the purchase is higher.
Coupons used to be a way for retailers to attract people to their site. But these days it's also a way for them to close the deal. Sites like Gap will often plaster coupon codes all over their site to motivate you to buy something.
bigboss201439 karma
Oh my god I've been searching for a website for that for months, do you have a Firefox plug-in?
Lmu113 karma
How tempting was it to take big offers from malware companies and have you ever thought about doing it in the future?
gemusan195 karma
Not tempting at all. 1) we hate that as users, 2) we have far bigger plans for things we can build with Honey to make shopping better. So no chance it ever happens in the future.
gemusan110 karma
Yes for now. :(
Supporting stores internationally is a top priority and we want to get it done in 2014.
revmuun74 karma
From your FAQ:
> In the future we may make money through affiliate programs similar to coupon and rebate sites or through other innovative programs that help you save even more time and money.
On some sites there is a limit to the amount of promo codes that can be used at any given time. If Honey got into the rebate affiliate business, would you have the extension use your own rebate codes instead of others even if yours is not the best?
Also, what are you doing with the cookies you collect? And what are you doing to safeguard all the information you're gathering? I'm very tempted to give this extension a try, and I know there's only so much you can do with what I assume to be a limited budget, but I'm kind of wary of willingly or unknowingly giving you the keys to my kingdom (so to speak).
gemusan80 karma
We will always prioritize the deal that saves people the most money even if we don't get paid on it. It might cost us in the short term but it will pay off in the long term.
We don't collect or drop any cookies. We don't require any registration info to start using the extension either.
revmuun57 karma
> We don't collect or drop any cookies.
But from your FAQ...
> We collect automatically generated information such as log data, cookies, device information, data about the success or failure of codes applied to your cart, and some other information collected by Google Analytics.
gemusan70 karma
When we wrote the FAQ we were told to be as broad as possible with what we declare. This is supposed to cover all the bases so that we don't get in trouble if we try something new and it's not covered in the privacy policy. We don't collect or drop any cookies as of today.
Kijafa63 karma
What do you think Google should do to combat the practice of allowing malware companies to infiltrate extensions how they have?
gemusan106 karma
This is a very hard problem even for someone with the resources of Google to solve. A starting point could be an improved feedback system upon extension removal like they just announced for ads.
lorywindrunner60 karma
Does it drive you crazy the amount of computer illiterate people rating you 1 star because they just don't understand?
Tons of people complaining it didn't find them a coupon because more than likely the coupon just flat out doesn't exist at the time.
There's a lady saying your chrome app crashed her computer instantly and she cannot reboot.
Just reading these drives me insane and it's not even my app!
gemusan67 karma
Yea it hurts each time we get one of those. We're fighting an uphill battle because we're looking for coupons on something you are already going to buy instead of trying to get you to buy something you weren't planning on buying. By design it's not going to be 100%.
The auto coupon feature finds people savings ~23% of the time. We want that # to be as close to 100% as possible. But to do so, we have to figure out new and innovative ways to find people savings.
ryangyangyang43 karma
Thank you for making a stand.
Is there a way to report these companies? I mean like can you report them to Chrome? It seems like they don't have a system for this. Is there a reason they don't deal with this kind of thing?
gemusan52 karma
Google doesn't have a robust system to deal with this because (I hope) this isn't a very common problem. If you have reason to believe an extension is behaving like malware, you can submit it to Google at: https://support.google.com/chrome_webstore/answer/1078344?hl=en
gemusan88 karma
The first time we were approached we thought it was legit. Spent some time going back and forth until we got to the specifics of what we need to do on our side. Then we realized it would turn us into a spyware.
absurdlogic37 karma
Have you had any threats from said companies after refusing the offers?
gemusan65 karma
It's not about spreading malware. It's about turning existing non-malware extensions into malware.
Zeichef12 karma
Hypothetical question: if the most evil of such companies offered you sixty billion dollars to buy you out, would you do it?
gemusan55 karma
For sixty billion dollars?! I would take it in a heartbeat. Then I'll take $1 billion, split it 700,000 ways and send each one of our users a $1,500 check along with a letter explaining the situation. Retire with $59B and a clean conscience.
StealthyOwl1 karma
What language is used to code Honey and similar extensions? I've been wanting to learn code other than HTML lately.
gemusan2 karma
Honey's frontend is entirely JavaScript so start with that. You can also learn Node.js if you want to build an extension w/ any kind of backend.
MyCarNeedsOil1 karma
How can we protect ourselves from this kind of thing once they succeed in buying someone else out? Is there an app for that?
gemusan3 karma
I think the platforms will eventually need to step in to do the quality control. Google has taken the first steps to requiring that extensions be hosted in the Chrome store. This gives them the ability to remove a bad extension from everyone's browser if they ever catch it.
emareperiod0 karma
You said they are "shadowy companies that use aliases and shell companies to contact us" as an excuse to not name names. Well, I would like to push you on this as not a valid excuse. The attraction to your AMA is that these companies have approached you, and now you are not mentioning them.
This SOUNDS fishy, so I would like to give you a chance to indeed expose them by name and hopefully by site and email. Let the rest of us connect the dots and see where they lead.
gemusan5 karma
Well, if I point the finger at a specific company, we could get hit with a defamation lawsuit. Please understand that we're not an anonymous person on the internet and we can't get away with something like that.
The point of this AMA is to bring some transparency to the mechanics of how the whole "malware in extension" system works. It's far more useful than posting the names of a few non-public facing companies.
Mr_Anderssen1366 karma
Name and shame em!