CNET Injecting Malware into Downloads (insecure.org)
192 points by skitzzo on Dec 7, 2011 | 74 comments



I remember back in 2006 when the Download.com logo had "Safe, Trusted, and Spyware-Free" under it.

EDIT: Picture. http://www.crunchbase.com/assets/images/original/0000/5821/5...


When it comes to Windows software I only use 2 types: open source software downloaded directly from the project's website, or fully paid-up commercial software.

I never install anything from ad banners.


There are three things here. First, adding a toolbar and screwing with user settings is freaking lame, but everyone does it and it's something that's been an accepted way to monetize software development.

However, injecting that into other people's software is low, especially if the developers aren't aware of it. CNET should be ashamed.

Lastly, the way they present it to users should be plainly criminal. There's a way to offer additional programs, and that's with a checkbox. The screenshot they show is CLEARLY meant to confuse users; even I would have clicked Next had I not seen the circled text. On this point CNET should be sued for deceptive tactics, because they put NMAP (or the name of whatever you downloaded) as the title, and present buttons that are meant to deceive, making it seem like it's NMAP's own EULA.


I strongly disagree with the following part: "but everyone does it and it's something that's been an accepted way to monetize software development".

Here's why:

- bundling such software with any product kills trust in one single fire; why would I allow such a software to make it into my environment? What if there are additional hidden things inside the code which steal data from my system and send it to a third party or to the maker of the app? What if it steals my credit card info or if it uploads confidential data somewhere?

- it's a "no go" for people in corporate environments - if it has anything bundled with it (optional or not), it's not installed on any system inside the company, no further questions asked

- it doesn't matter if you offer a "paid" version without these things in it, how can I know you haven't added some other "extras" which steal data?

- if you choose to bundle software with your apps, you have some kind of issues with your business model

- bundling such software always exposes the user to all kinds of exploits, hacks and trojans

As for "optimizing" the experience of the persons on the receiving end of this crappy wrapper which shoves adware / malware / trojans down people's throats, it's like saying "we screw you over, but we intend to make it look GOOD and actually make you like it."

CNET and download.com should really be blocked at company level, along with all the security policies. They live in 2005-2006, not at the end of 2011. I doubt the guys running CNET are capable of coming up with any business model which doesn't involve making money off the software of other individuals.


Piriform uses this to great effect. Not sure what they're taking in from their enterprise level offerings, but everyone and their brother uses their free products.


"but everyone does it and it's something that's been an accepted way to monetize software development"

No piece of software that I have installed during the past two years has done so, and I sure wouldn't accept it as a way of funding development. I'd rather pay for a product in that case.

Can you give a few examples from your list of "everyone"?


I think the Java runtime installer asks to install a toolbar. There is something else that I can't recall (flash runtime?) that asks to install the Ask.com toolbar all the time as well. Some popular open source projects too (PDFCreator).


Hahaha, Sun/Oracle does it, therefore it's OK.

Ask me why I quit Java long ago.


The Flash download page asks you if you want to install an antivirus; I believe it's McAfee.

It's funny, though, that I encountered a "not so bright" person who simply told me "oh, I didn't know you could opt out, I was always uninstalling it afterwards".

You can also block the ask toolbar from downloading by killing toolbar.ask.com or the entire ask.com domain. It most certainly will not be missed.


The difference is that Sun adds the toolbar installer itself (and earns the revenue from it).


My comment was in response to the fact that everyone is doing it, including software authors such as Sun.


Adobe tries to sneak McAfee onto your system with either Flash or Acrobat Reader, which is worse and should also be criminal.


Adobe does not pretend to give you an open source project like VLC player and bundle malware/adware into the installer as if the VLC team did it. They even make the .exe signature identical to that of the original to fool people. It's wrong, and puts blame on the original makers. It's like if Google wrapped every app submitted with ads that give only Google money. The ads are annoying, and apps get bad reviews, but the app makers had no say in it.


Trillian & Daemon Tools


jDownloader.

Both of the free antiviruses I know about for Windows (AVG and Avast).


They do not inject it, it's just a small downloader that helps to download applications even with a bad connection. And it potentially may use p2p distribution, as for example some game developers upload their game clients (>1 GB). Well-known companies pay per download for their software suites, and they don't really like to pay for interrupted downloads.

I'm not sure about the deceptive tactics; they're just trying to get people's attention, rather than have them unticking checkboxes without reading.


Most trojans & trojan downloaders are also "just a small downloader that helps to download applications".

The only problem is that you will have to reinstall the OS, erase everything and need a new bank account or even a new job.

Also, HELLO, CNET, NICE TRY.


Pff, I just know the kitchen as I worked there for some time :) It's not a trojan or malware for sure. 3/43, http://www.virustotal.com/file-scan/report.html?id=cb2428c76...

Some crappy adware? probably :)


What an antivirus says about some adware / adware downloader / toolbar doesn't matter - if it's adware, I don't want it; if it's shoved down my throat by some installer, I don't want it.

I had to deal with cleaning up a lot of machines in a corporate environment where the previous admin didn't care about security policies and security.

I found a gem, I think I might still have the photo somewhere: it was a PC which had so many toolbars in IE that they took more than half the height of the screen to display them all. Obviously, the "faces for Yahoo Messenger" and "good looking email" (IncrediMail) were among the installed "goodies" on that machine.

Just to make it clear, I see the adware installed by apps as exploits all kinds of assholes use on people who have no clue what security is about. Telling them they might find their bank account empty or that their email account might send emails with porn to their entire list of contacts usually gives them a hint about what they expose themselves to.

P.S.: If you really "worked" there and you stopped doing that, I can hardly see the point in defending them. Perhaps you're the guy they paid to write that adware injector ("the small downloader")? You come off as the guy who defends the company he's working for because he wants to keep his job.

Please stop trying to explain or excuse what CNET is doing. It's not ok.


"They do not inject it, it's just a small downloader"

Oh I am so going to tweet that.


Hello CNET


When my mother forwards me the latest malware scare chain letter she got from her friends, I tell her to picture her computer as a plane flying at Mach 4, high above in the stratosphere, confident almost nothing launched from the ground can harm her.

That's because she doesn't use Windows.


But this is ignorant and not true.


I can tell you that since she moved away from Windows, I never had to clean up her computer. Under Windows, it was a monthly chore.

I am aware there are attack vectors that can be employed against her setup, but the odds of something that could affect her friends also affecting her are vanishingly small, and I have never observed one of those in the wild. Education plays a role too and I took the steps to show her what looks fishy. Her box is also behind a very paranoid router that will page me if anything fishy starts to happen on her side of the network. It was so silent I programmed a weekly "lamp test" so I know it's still watching.


For laymen's purposes it pretty much is, though. When was the last time anyone on Linux/OSX got some adware / popups?

I've also never heard of antivirus for Linux. Which doesn't mean there aren't viruses; it means it's not a concern for the most part.


"For laymen's purposes it pretty much is, though. When was the last time anyone on Linux/OSX got some adware / popups?"

For OS X, one or two months ago. Do a web search, the times are changing for Mac security.

"I've also never heard of antivirus for Linux. Which doesn't mean there aren't viruses; it means it's not a concern for the most part."

No, it just means it's not your concern. When online crime has become a business, it makes sense to try to protect yourself. Major AV companies have a product for Linux.


The vectors are different.

They are also, for the most part, add-on (and readily removable) parts of the system. Usually some network service or web app vulnerability.

There have been a few kernel-level exploits, most of which are DoS vulnerabilities, though a few are privilege escalations (meaning: paths to root or full system ownership).

Still, as a whole, the modular architecture and high system transparency of Linux means that it's far easier to avoid, detect, and recover from attacks than Windows. Mac OS X is slightly less protected, but only somewhat.

Contrast this to the gaping security hole that remains the Windows shell, the tightly integrated default Web browser, the "document as application" model, various unsecured default services, very low system transparency (/proc, /sys, strace/ltrace/dtrace, netstat, etc., are wonderful), and, oh, say, the fucking impossibility of deleting open files, and you've got a massive security migraine.

Still.

And, yes, Virginia, there's antivirus for Linux. We run clamav on our servers to keep all those damned Windows viruses from proliferating by way of our services. But viruses as an attack vector for Linux itself? No.


http://www.clamav.net/ if you were actually wondering. There's also a sweet OS X port: http://www.clamxav.com/


Did you ever catch something with it?


If ever, it usually catches Windows viruses. It prevents them from spraying, and is also very useful on Linux server setups.


It's great as an additional protection in your mail setup. My personal domains are few and email accounts not widely exposed. ClamAV caught 7 viruses in 2010, though I get about 20 spam emails per day. Since I never check the imap folders for spam, it might be that some of them were not caught by ClamAV, but by spam filters instead.

Anyway, for 7 virus emails per year I couldn't justify the 100+ MB memory requirement on my 512 Linode, so ClamAV no more.


Not in the practical "you've got a virus" sense, but if I have a suspicious file I want to scan, it gets good detection there.

I think it's mainly used on mail servers.

For scanning tiny individual files, http://www.virustotal.com/ is the site to use.


Maybe you don't remember the root-kitted Red Hat boxes in Korea which were, for some years, responsible for a surprising volume of spam.

Linux distributions then started shipping with un-needed services turned off, and increased broadband meant home machines were attractive targets for botnet malware.

In the past anti-virus on Linux tended to be used by people with a Linux mail server and MS Windows clients.

But, to bring it back to this particular discussion: it'd be fairly easy to wrap malware around Mac OS X software. The user would need to click and give it permission to install. But how many Mac users run as admin and would just click through the warning anyway?


rkhunter and chkrootkit are two free malware scanners (also in the Ubuntu repos). There's also Avast for Linux. Avira has a free scanner (no GUI though), etc. If you actually look there are plenty of antivirus and antimalware tools.


It's true for very broad values of true.

Techies know that there are OSX/Linux viruses, rootkits, etc. But there just aren't enough of them to have to expect the grief we get from Windows.


It's "relatively true."

The fact is that there is malware including viruses for Linux. The fact is though that they are pretty rare, and the types involved are unlikely ever to become serious threats on the desktop.

It's not perfectly safe, but it's safe enough that basic precautions for the desktop are currently good enough. Of course mobile systems are something different.


Scam emails will likely exploit your email client, your browser or your technical/IT-sec inability, none of which is solved by Windows alone. Education is the definite answer, not switching platforms.


Scam emails are unlikely to affect your platform in their current form for most users. They affect, instead, in most cases, your bank account.

Yes, education is the key, but certain classes of problems are largely solved by switching platforms.

In fact the PCI-DSS standard requires all desktops in the processing environment to be running antivirus software unless they are on a UNIX-like operating system.


Don't forget smug as fuck.


That's a nice one.


Previous post was mentioned on HN (http://news.ycombinator.com/item?id=3317121)


There was also a report in late August, when I think CNET started the practice: http://news.ycombinator.com/item?id=2910554

The list of news reports on seclists.org's page justifies the new story. I guess that this will get mainstream coverage soon.


Yeah, I guess I wasn't paying enough attention but this was the first I'd heard of it.


Sorry, I wasn't meaning to say "This is already on HN", but more "Here's some more reading for people who are interested".

I need to practice my tone and style a bit.


No worries. Can't have thin skin on the interwebz :D


CNET was the top choice for me back 10-12 years ago whenever I wanted to download a utility / piece of freeware/shareware.

Of course when their market share went down... they had to change their business model... This is just the next step after bloating their pages with ads.

I'm guessing that the same people are not in charge as those who were in their glory days :)


I'm surprised software catalogs are still alive :D Especially when you can get literally everything you need from torrents with keygens/cracks.


Press release from CNET a few minutes ago:

A note from Sean Download.com Developer Community,

My last communication to you was shortly after we launched the Download.com Installer in late summer. At that time I asked for patience as we began work to deliver a mutually beneficial model to market.

We are on the verge of fulfilling our vision of coming to market with an installer model that delivers files faster and more efficiently to users, while enabling developers to a) opt-in to the Installer, b) influence the offers tied to their files, c) gain reporting insight into the download funnel, and d) share in the revenue generated by the installer. However, due to some press that surfaced yesterday and the potential for subsequent misinformation, I am reaching out now to address that press and to provide a progress report on the upcoming launch:

First, on the press that surfaced yesterday: a developer expressed anger and frustration about our current model and how his file was being bundled. This was a mistake on our part and we apologize to the developer and user communities for the unrest it caused. As a rule, we do not bundle open source software and in addition to taking this developer's file out of the installer flow, we have gone in and re-checked all open source files in our catalog. We take feedback from our developer & user communities very seriously and take pains to both act on it and respond in a timely manner.

With that, I want to share progress made thus far: This week we will launch the alpha phase of our new installer. This alpha phase is intended to test the tech and do QA, and will roll through the next few weeks to ensure that our installer is bug free. Between this week and the end of January we will be completing the necessary engineering and administrative work to roll out our beta, which will include a small group of developers who've agreed to participate in the beta launch. Our goal is to exit beta by end of February and have the necessary systems in place to enable opt-in, influence over advertising offers (for those offers that impact your product), download funnel reporting and revenue share back to you, the developers. In the weeks/months following the full release, we will continue to iterate on the model, adding more features to the Installer and bringing greater efficiency to our own download funnel (read: increased install conversion). The initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible. More communication will follow as we move into Q1, and until then, thank you for continuing to work with Download.com.

Sincerely,

-- Sean


Dear CNET,

I hope your servers get fried, along with all your backups.

Sincerely,

kermitthehermit


What good alternatives would people suggest? What should be the "goto" site we could suggest to a novice for finding a clean copy of almost any software... any suggestions? (Assuming that an expert user would go straight to the source website.)


Any good "goto" site won't stay that way for long, because it will automatically have strong incentives to try tons of stupid crap like this.

But you can use these sites for software lookup. Then you check the listed developer name, Bing your way onto their website, and look for a download link.


Bing? What happened, did some malware install a Bing toolbar on your computer or something? :)


Not a site for grabbing any software, but for most of the software I (or, for example, my mother in law) would use (outside of dev tools), I go to ninite.com, tick the boxes of what I want and get what is essentially a single installer for everything.

That's my current 'goto' site, at least.


This is one reason app stores will continue to gain traction. It's a single place you can go and know you are getting the developer approved version, all with the addition of easy updates.


The software producer's website is the only safe place.


Regular users have no way to reliably identify the software producer's website. Advising them to "just google it" is likely to end up with them clicking a scammy AdWords link where paying $40 to download some freeware counts as getting off lightly.


If you download something from the programmer's page it is impossible to be sure that it has no spyware/crazy toolbars/whatever. Some time ago, if you downloaded it from download.com you knew that it was safe.


True, but when you want to suggest to a novice "Why don't you use X?", it is unrealistic to expect them to search for X in Google, go to the appropriate link of X's creator, and figure out the right page to download it from.

Instead, "Go to FileHippo, search for X in the big search bar at the top, download the first result" is a much easier workflow. (Trust me on this one; I tech-support about 6 relatives.)


filehippo is excellent, and they have a pretty good update checker (although that is obviously not as comprehensive as, say, sumo.)


It's funny seeing this posted so soon after "Don't be a Free User"...


CNET was a very tested brand in its day.


"This is probably why CNET switched to installing the Babylon Toolbar yesterday. This is a good and welcome move by Microsoft, but the whole process of paying “distribution partners“ to change users' home page to MSN and search engine to Bing is rather sketchy"

I am puzzled by the reaction of some journalists and people here. Have you actually thought why the toolbar is marked as malware? Usually, that's because one guy in one of the AV companies installed the toolbar, didn't like it and so put a flag on. Malware as a definition is something that does harm to your computer. We could argue whether this is actually the case as most of the toolbars, including StartNow just provide search functionality and homepage reset - this is how they make money - there is no reason to do anything sketchy on top of that.

I am not trying to defend toolbar companies here, but the quote above that it's actually a good thing to replace StartNow with Babylon is misinforming the public. These toolbars all do the same thing and they should either all be marked by AV companies or not. Of course it's never gonna happen because there are some AV companies that won't flag toolbars because hey, they distribute toolbars too!


Everything on CNET is being tested manually with VirusTotal. If it gets at least 4 positives/false positives from 43 antivirus engines they don't publish it or work with it, until developers get things settled with the anti-virus/anti-malware companies. They don't get that much profit from paid accounts because of the small percentage of subscribers, and give away tons of traffic + man hours even for free products. That includes manual testing, checking and writing descriptions, reviewing, and that repeats for each update. And lots of companies update their products like 10 times a week, just to get bumped in search, or create like 20 versions of 1 program under different names, especially Chinese developers. So they're just monetizing traffic and stimulating developers to get subscriptions to remove ads for their products. I personally hate all kinds of that toolbar stuff, but hey, there are not so many ways to promote alternative search engines that work for free.


Welcome to HN Georgiy.

Here's the deal: That still doesn't mean it's not crapware.

You mention the difficulty of funding your download site (built almost exclusively on supplying other people's free content). I can't imagine what the bandwidth costs must be on a site like that. I'm sure there are plenty of other visitors on HN that are familiar with this issue and are daily encountering similar ethical decisions about how best to fund their business.

There are many ways of resolving difficult ethical decisions. http://en.wikipedia.org/wiki/Normative_ethics One useful technique is to ask yourself: If everyone behaved in this manner, what kind of world would result?

So let's imagine such a world:

* Want to view a .pdf on the web? ... receive and run an executable downloader from an unrelated party.

* Want to watch a video on YouTube? ... receive and run an executable downloader from an unrelated party.

* Want to install an application? ... receive and run an executable downloader from an unrelated party.

Do you see the problem here?

(Maybe you don't, but most everyone else on HN will and I'm doubtful that you're even reading the responses. But if you are still interested I'm sure we can politely explain it further for you.)


It's just my humble opinion as an internet marketer :) I'm not related to CNET atm, worked there as tech for some time. And I think it's really an ingenious idea with the wrapper, maybe not so good with all those toolbars. Maybe it's crapware and they lose like all geeks, 20% of publishers and 30-40% of users maximum; they still will be like 10x more profitable than before. Don't get me wrong, but Google wasted like hundreds of millions on unprofitable YouTube, and now they're airing these shitty advertisements that are so fucking annoying %) luckily there are all these adblock extensions out there.


But it's not an ingenious idea; malware has been doing that kind of thing forever.

Downloading and installing software is an activity that is fraught with peril. The authenticity of the app you're downloading is critical and almost all the security properties depend on it.

If you think that breaking app authenticity is a great marketing opportunity, well, your brand will do no business with me or those I advise.
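The point made here, and earlier in the thread where a commenter notes that a wrapped installer can carry the same file name as the original, is that the only thing a user can check is whether the bytes received match what the publisher actually shipped. The following is an added example, not code from the thread or from any project mentioned in it: it parses a sha256sum-style manifest published by the vendor and compares the digest of the downloaded file against it. The installer bytes, the wrapper stub and the manifest are all constructed in-line for the demonstration.

```python
"""Verify a downloaded file against the publisher's checksum manifest.

Added example (not from the HN thread). A vendor publishes an installer
plus a "<sha256 hex>  <filename>" manifest; a third-party download site
hands out a re-wrapped installer under the same name. Hashing what was
actually received and comparing it to the manifest catches the swap.
All data below is constructed for the demo.
"""
import hashlib
import hmac
from typing import Dict

# Constructed stand-in for the publisher's original installer bytes.
ORIGINAL_INSTALLER = b"MZ\x90\x00" + b"original-installer-payload" * 64

# Constructed stand-in for a wrapped build: a downloader stub spliced in
# after the header, original payload kept intact, same advertised name.
WRAPPED_INSTALLER = b"MZ\x90\x00" + b"ad-wrapper-stub" + ORIGINAL_INSTALLER[4:]


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the algorithm sha256sum(1) prints)."""
    return hashlib.sha256(data).hexdigest()


# Constructed manifest in the sha256sum(1) output format.
PUBLISHER_MANIFEST = f"{sha256_hex(ORIGINAL_INSTALLER)}  setup.exe\n"

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: lowercase hex digest}.

    Blank lines, '#' comments and malformed lines are skipped. A leading
    '*' on the filename (binary-mode marker some tools emit) is dropped.
    """
    digests: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        if len(digest) != 64 or any(c not in HEX_DIGITS for c in digest):
            continue
        digests[name.lstrip("*")] = digest.lower()
    return digests


def verify_download(data: bytes, filename: str, manifest: Dict[str, str]) -> bool:
    """True only if the file's SHA-256 matches the manifest entry for it.

    A file with no manifest entry is treated as unverified (False): the
    publisher never vouched for it, so nothing can be concluded from the hash.
    """
    expected = manifest.get(filename)
    if expected is None:
        return False
    actual = sha256_hex(data)
    # compare_digest is the habitual constant-time comparison for digests.
    return hmac.compare_digest(actual, expected)


def demo() -> Dict[str, bool]:
    """Run the three cases a practitioner cares about and return the verdicts."""
    manifest = parse_manifest(PUBLISHER_MANIFEST)
    return {
        "original": verify_download(ORIGINAL_INSTALLER, "setup.exe", manifest),
        "wrapped": verify_download(WRAPPED_INSTALLER, "setup.exe", manifest),
        "unlisted": verify_download(ORIGINAL_INSTALLER, "other.exe", manifest),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:9s} {'OK' if ok else 'MISMATCH'}")
```

The check is only as trustworthy as the channel the manifest came from: a digest fetched from the same mirror that served the wrapped binary proves nothing, so the manifest has to come from the publisher's own site or a signed release note.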


The problem with this statement is that what you say is true... but only for the software the developers are actually distributing on CNET.

Whether CNET passes their own wrapped installer through VirusTotal is a good question, and I for one highly doubt that's the case. Who knows, maybe they tried, got a hit for malware and decided that they would ignore it because it would be counter productive...


Which CNET office do you work at: NY, Kentucky, or SF? ;)


I've worked in Moscow ^.^ All tech staff has been outsourced to different countries: Germany, Russia, India, etc.


It's malware because it's installing something that you didn't agree to install.


I am not sure I follow you. By that you mean that the CNET installer is malware because it's installing a toolbar without disclosing it to the user? Surely the StartNow toolbar should not be marked because somebody decides to bundle it. If I take your software and bundle it, does it make it malware? I am arguing that all those toolbars do the same things, and they should be marked as PUP, not as malware, as they are not in the same category as viruses.


You want to download, say, WinZip. CNET gives you something else other than just plain WinZip.


> the quote above that its actually a good thing to replace StartNow with Babylon

He meant it was good for Microsoft to stop paying them to screw people; not good for CNET to keep screwing people in the service of a different client.


OK. So the payment goes to Google instead of Microsoft, what's good about it?




