Topic: What the hell is OpenCandy?  (Read 361637 times)

wraith808

Re: What the hell is OpenCandy?
« Reply #275 on: March 31, 2011, 11:39 AM »
The difference is that there is no opt out of OC when installing.

Opt out of *what*?  OpenCandy is more akin to a service than an application.  It doesn't install anything that's not required to have a clean uninstall, nor does it do anything other than during installation if you don't opt-in.  If you go to a site on the internet and it displays a page before you can access the site that has an ad that you choose not to install and even choose not to allow to show by the use of adblockers, it can *still* get information akin to the stated OC information, i.e. that you came to the page, whether you click through to an ad, and whether you click through to the main site.  Is anyone asking pages that do this to disclose that they're keeping track of who lands on the page?  And this is not a hypothetical situation; I know of a few popular sites that I visit that do this exact same thing.

cmpm

Re: What the hell is OpenCandy?
« Reply #276 on: March 31, 2011, 11:47 AM »
I said more than I planned to in that post...so maybe I didn't communicate well.

Opt out of *what*?

Exactly, you can't, OC is included.

No offense to OC or anyone using their service.
They used to have a logo on the installer 'Powered by OC'.

wraith808

Re: What the hell is OpenCandy?
« Reply #277 on: March 31, 2011, 12:21 PM »
I said more than I planned to in that post...so maybe I didn't communicate well.

Opt out of *what*?

Exactly, you can't, OC is included.

But what do you mean?  Opt out of using the installer extensions?  So perhaps you opt out of using Installshield because you don't like them.  Or wise.  Or INNO or NSIS?  It's an extension that's not installed on your machine.  You can code your own extension that sends the *exact* same information.

So opt out of *what* is my question that still remains unanswered?

app103

Re: What the hell is OpenCandy?
« Reply #278 on: March 31, 2011, 01:29 PM »
So opt out of *what* is my question that still remains unanswered?

3rd party tracking.

wraith808

Re: What the hell is OpenCandy?
« Reply #279 on: March 31, 2011, 01:54 PM »
So opt out of *what* is my question that still remains unanswered?

3rd party tracking.

*You* aren't being tracked though.  From what I've seen (and what Renegade has shown from his experiences) it's no more intrusive than a counter on a page.  I've even seen during the worst of their growing pains that severe detractors have said that the level of knowledge of what you've done seems to be absent.

40hz

Re: What the hell is OpenCandy?
« Reply #280 on: March 31, 2011, 03:13 PM »
I've even seen during the worst of their growing pains that severe detractors have said that the level of knowledge of what you've done seems to be absent.

You completely lost me on that one. :huh: Could you maybe rephrase it?  :)


wraith808

Re: What the hell is OpenCandy?
« Reply #281 on: March 31, 2011, 03:29 PM »
I've even seen during the worst of their growing pains that severe detractors have said that the level of knowledge of what you've done seems to be absent.

You completely lost me on that one. :huh: Could you maybe rephrase it?  :)



If it was tracking your actions, then subsequent actions would be based on that information.  But several detractors have admitted that it doesn't seem to utilize or even *have* that knowledge, just based on observation.  They might actually have it and not be using it- but that wouldn't seem to make sense either.

Stoic Joker

Re: What the hell is OpenCandy?
« Reply #282 on: March 31, 2011, 03:47 PM »
So, the torches and pitchfork wielding villagers are incensed by the Franken-monster's insistence on playing possum?

wraith808

Re: What the hell is OpenCandy?
« Reply #283 on: March 31, 2011, 03:53 PM »
So, the torches and pitchfork wielding villagers are incensed by the Franken-monster's insistence on playing possum?

;D  That's one way to put it...

Just a note- I really despise adware, spyware, and those that distribute it.  But like a lot of other pejoratives, I think it's very likely that the effectiveness of labeling something as malware will be diluted if it's applied indiscriminately.

cmpm

Re: What the hell is OpenCandy?
« Reply #284 on: March 31, 2011, 04:16 PM »
I'm sure there are quite a few entities interested in what is being installed and uninstalled, the time frames, and more.
Gathering a lot of that info would be useful to more than OC and its developers and advertisers, I'm sure.

So if I install a program with OC's code in it, that info goes to OC and back to the developer and advertiser.
That's what it says it does on their site. Great for all 3 involved- http://www.opencandy.com/ -sign up.
Who else would be interested in that info? And pay for it.
But I really don't care, honestly.

f0dder

Re: What the hell is OpenCandy?
« Reply #285 on: March 31, 2011, 05:32 PM »
To be fair to OC, even if I'm not super fond of it, if all it does is send your OS locale and version, then it's no worse than a web browser - only you're a tinfoil hat wearing kinda guy with special addons, that information is present in the HTTP request headers for every web request made.
- carpe noctem

Renegade

Re: What the hell is OpenCandy?
« Reply #286 on: March 31, 2011, 05:41 PM »
From what I know and have seen, both in OC and here, there seem to be a few misconceptions about what OC is doing.

First, it's not tracking you at all. However, it is doing more than a Flash banner ad on a web site.

A web site ad does not have the same access to your computer that OC has. OC has several offers available and they don't offer you what you already have, so, the logic is something like this:

```csharp
// Pseudocode sketch of the offer-selection logic (not actual OpenCandy source)
OfferList = { ...big list of offers ordered by profitability... };

foreach (var item in OfferList)
{
    if (item.IsNotInstalled)
    {
        OpenCandy.MakeOfferToUser(item);
        OpenCandy.OsLanguageCountry(); // Log OS, language and country as aggregates
        return;
    }
}
```

There, item.IsNotInstalled checks to see if the item exists on the computer by checking the registry. In a way, that is more power than a normal ad. In another way, it's about equivalent.

Anyways, I don't have absolute knowledge of what is going on, but from what I can tell, that's it or at least pretty darn close.

I have not seen the advertiser SDK, so I don't know exactly what goes on there, but my guess is that there is something in it that informs OC if the offered software has been subsequently run. That is the part that ensures that the offered software is genuinely wanted by the user, which then tells OC to pay the original software author (like me). However, I am not certain. Just guessing there.

We trust software all the time. Some people even trust cracks and warez. (Yikes...) If there were something dirty going on, it would be much easier to simply not use OC and do all the dirty stuff in the software instead. But there isn't. It's pretty simple. It presents an "ad" during installation in the same way that a web site puts ads on its pages. The difference is that you're not being tracked with OC, but when you visit virtually any web page, you ARE being tracked by DoubleClick or Google or someone. Google keeps PERSONAL track of you even. They use personally identifying information thanks to you having signed up at YouTube or Gmail or some other Google service. So when you visit www.acme.com, the ads are very specific to that site and YOU.

There are other privacy concerns out there that are much much more serious. But really, people just don't care. They are used to them now. This is just a slightly different way to serve up an ad/offer.

Truthfully, in an installer is PRIME space for it because you have the person's dedicated attention. They aren't distracted by anything else. (Which is the same motivation for why I used a full page back-splash for the Photo Resizer installer --- people aren't distracted then and can pay attention to the installer -- it targets people that are not tech-savvy.)

Anyways, I kind of hope that helps some with tracking and whatnot.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

cmpm

Re: What the hell is OpenCandy?
« Reply #287 on: March 31, 2011, 06:07 PM »
Thanks Renegade for that info.
I also thank you for your program and think you should profit more from the OC deal. imo.

I knew OC was in your installer before I installed it.
So even knowing it was there didn't stop me from installing.
OC doesn't bother me being there.
I did remove all the OC stuff from older apps after that Nod notice.
As a precaution and bored I guess. :)

That was the first time Nod blocked OC like I posted.
And I have installed other stuff with OC.
I wonder who changed, OC or Nod.
No big deal....did Eset ever answer you?

If anything starts any suspicious activity one of my security programs will pick it up.
No worries....

Renegade

Re: What the hell is OpenCandy?
« Reply #288 on: March 31, 2011, 06:25 PM »
@cmpm - Thanks! :)

did Eset ever answer you?

Do they ever contact anyone? Sigh... No. Not yet. I doubt they will. They really need to work it out with OC and not me. I just submitted to help get their attention as it is bad for me and everyone else that uses OC.

It is kind of frustrating... The security companies really need to shape up some and come up with methods that are reliable.

40hz

Re: What the hell is OpenCandy?
« Reply #289 on: March 31, 2011, 06:25 PM »
My objection to OC isn't so much what it does on a technical level. My objection is with its business model.

What they are doing is attempting to unilaterally redefine what constitutes adware and to justify an installation method that is basically stealthed.

I additionally have a problem with their "dealer's choice" options for how it gets used (default in/default out) in an individual developer's application. I don't know if this is to provide OC with what they may feel is 'plausible deniability' when accused of being adware, or what.

Up until now, there has been pretty much universal agreement that anything which gets installed on your PC without giving notice and asking your permission is unacceptable.

OC is attempting to do an end-run around that understanding. First, by muddying up the waters with their insistence on their own definition of what "advertisement" means. Second, by refusing to have OC ask permission prior to doing what it does.

From what I've seen, there seems to be a very deliberate decision not to draw attention to the fact it's on there at all. Otherwise, it would add a mandatory splash banner, and ask if it's ok to proceed.

But it doesn't...

From what I've seen and read of it, it's left up to the app developer just how much to say about the fact OC is piggybacking on his installer.

And I'm sorry folks, but to require that some information be put in the EULA about OC is almost laughable. Not to defend people who don't read the EULAs, but the people who produce OC know (as those of us in the industry do) that very few people ever read license agreements. I'm almost tempted to say "How convenient."

This is a potential "camel with its nose in the tent" issue. OC may be the most innocuous and benign piece of code out there. But what it is asking us to see as acceptable behavior for a software installer is not. Because it asks us to greenlight an action that has, up until now, been considered unacceptable behavior.

This whole issue could have been avoided if OC just did what every other ad-type software does - pop up a notice and ask to be installed before anything actually is.

But OC has chosen not to do that.

And I think the reason for that is very simple: most people wouldn't install OC if they knew about it.

And in order for OC to sell their services to their advertising partners, they have to offer some unique sales proposition that gives them the advantage over more traditional piggyback product installers.

And that unique sales proposition is a low key approach to installation that borders on stealth, even if it doesn't quite cross the line, combined with a policy of substituting the term "recommendation" for "advertisement."

Not that it matters. Actions always speak louder than words.

To quote Douglas Adams' remix of the classic 'duck test': If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family Anatidae on our hands.

In my little corner of the universe, if you ask me - out of the blue - to consider buying something,  then it's an 'advert' AFAIC.

And calling it something else - and insisting it's not - only makes it quack louder.

 :)
« Last Edit: March 31, 2011, 06:31 PM by 40hz »

Renegade

Re: What the hell is OpenCandy?
« Reply #290 on: March 31, 2011, 06:36 PM »
Up until now, there has been pretty much universal agreement that anything which gets installed on your PC without giving notice and asking your permission is unacceptable.

...

And I think the reason for that is very simple: most people wouldn't install OC if they knew about it.

But that's the thing -- It doesn't get installed! It runs, but it isn't installed.


When most people go to install software, they aren't agreeing to a lot of things, but things are genuinely changed on their system that they have NOT asked for. This is the normal way of doing things and nobody would call it malicious. For example, an installer adds registry keys and puts a DLL in the system32 folder, creates a ProgramData entry, another local/roaming directory structure, checks if certain other software is installed, if not installs it or upgrades it, etc. etc. That's normal. But OpenCandy isn't doing all that stuff. It runs then it's done.

app103

Re: What the hell is OpenCandy?
« Reply #291 on: March 31, 2011, 07:39 PM »
This is the problem, and will continue to be the problem:

When I install your software there has to be a certain amount of trust in you for me to be able to do that. And now I have to have trust in OC as well.

While I may trust you, I don't trust OC at all and I never will, regardless of how much you trust them.

  • The same guys responsible for the spyware in DivX start a company to pack offers into the installers of other people's software.
  • They assigned each computer a unique tracking ID, even if they declined the offer, building profiles of people and what they installed, what they declined, and all kinds of other information tied to that unique ID...till they got caught.
  • They used registry entries like permanent tracking cookies, even if you declined the offer...until they got caught.
  • When they get caught doing something, they say it was a bug, the developer's fault, etc. never taking the blame for their shenanigans.
  • They said they don't believe in opt-out and would never change from opt-in to opt-out...until they did, and they blamed developer greed for them adding that option.

What are they going to do next? What will they get caught doing that they will have to change? What will they blame next on the developers that put OC in their installers?

When you ask me to trust them while installing your software, you are asking too much and I won't do it.

They are also peddling their stuff to open source developers, to include a closed source .dll on machines that install the open source software. When I install open source software, I expect to be able to have access to the source, all of it, for everything it installs on my machine. If the source for the OC dll is not included, it has no business being put on my machine during the install of a piece of open source software.

40hz

Re: What the hell is OpenCandy?
« Reply #292 on: March 31, 2011, 08:50 PM »
But that's the thing -- It doesn't get installed! It runs, but it isn't installed.

Sorry. I'm a bit color blind in that end of the spectrum.  :)

Regardless of whether it copies itself onto the hard drive, or loads itself into RAM before it runs, it's still installed on your system. The mechanism employed for the IPL* (initial program load) is a technical detail, not a functional difference.

------------
* At least that's what they called it when I was taking my CompSci courses in college.  ;D

wraith808

Re: What the hell is OpenCandy?
« Reply #293 on: March 31, 2011, 08:55 PM »
Up until now, there has been pretty much universal agreement that anything which gets installed on your PC without giving notice and asking your permission is unacceptable.

...

And I think the reason for that is very simple: most people wouldn't install OC if they knew about it.

But that's the thing -- It doesn't get installed! It runs, but it isn't installed.


When most people go to install software, they aren't agreeing to a lot of things, but things are genuinely changed on their system that they have NOT asked for. This is the normal way of doing things and nobody would call it malicious. For example, an installer adds registry keys and puts a DLL in the system32 folder, creates a ProgramData entry, another local/roaming directory structure, checks if certain other software is installed, if not installs it or upgrades it, etc. etc. That's normal. But OpenCandy isn't doing all that stuff. It runs then it's done.


This! If it were installing anything, I'd totally agree.  But it's not!

They are also peddling their stuff to open source developers, to include a closed source .dll on machines that install the open source software. When I install open source software, I expect to be able to have access to the source, all of it, for everything it installs on my machine. If the source for the OC dll is not included, it has no business being put on my machine during the install of a piece of open source software.

But it doesn't *install* the dll... when you get an installer for OSS software, is it required to give you the source to the installer?  I don't think so, though I could be wrong?  And if it's not, there's no reason to have to give the source to the OC dll.

But that's the thing -- It doesn't get installed! It runs, but it isn't installed.

Sorry. I'm a bit color blind in that end of the spectrum.  :)

Regardless of whether it copies itself onto the hard drive, or loads itself into RAM before it runs, it's still installed on your system. The mechanism employed for the IPL* (initial program load) is a technical detail, not a functional difference.

Yes, indeed it is a functional difference.  Several things run on your machine without being installed - classic asp and javascript are two good examples- they run on the client in the browser.  Does that mean that every bit of JS or VBscript has to be vetted?

app103

Re: What the hell is OpenCandy?
« Reply #294 on: March 31, 2011, 09:20 PM »
But it doesn't *install* the dll.

What is the purpose of an installer? I thought the purpose was to install software. And software consists of many types of files, not just .exe executables.

If one of my applications comes with xml and wav files, I am not going to argue that they are not "installed" with my application...they are.

The big issue with the OC .dll being installed along with open source software is that it is compiled code in which the source is not available.

when you get an installer for OSS software, is it required to give you the source to the installer?

No, I wouldn't expect the source for the installer maker, but I would expect to be supplied with the information of what was used and with the scripts used to make the installer if they were not included and I asked for them.

I should be able to compile an exact copy and when you toss in the OC dll, that isn't possible. I should also be able to change any of it any way I see fit and redistribute those changes, and if I am not allowed to change and redistribute the OC dll, then it has no business being placed on my system, without that right, along with an open source application.

Eóin

Re: What the hell is OpenCandy?
« Reply #295 on: March 31, 2011, 10:04 PM »
I should be able to compile an exact copy and when you toss in the OC dll, that isn't possible. I should also be able to change any of it any way I see fit and redistribute those changes, and if I am not allowed to change and redistribute the OC dll, then it has no business being placed on my system, without that right, along with an open source application.

No, not in the slightest do you have that automatic right. Only if the developers want to let you do that then you should be allowed to and not all OS licenses do grant that right. GPL developers tend to want to allow that, but even the GPL is very clear that the license doesn't extend to other software bundled with the GPL'd application.

mouser

Re: What the hell is OpenCandy?
« Reply #296 on: March 31, 2011, 10:14 PM »
App I have to disagree with you on the point about the installer needing to be open source for an open source project.

It would of course make sense that someone philosophically drawn to the open source movement would want an open source installer, but i don't see any reason anyone distributing their open source software should have to avoid using a closed source installer or shouldn't be able to show advertisements during their installer setup, etc. if that's what they want to do.

wraith808

Re: What the hell is OpenCandy?
« Reply #297 on: March 31, 2011, 10:17 PM »
But it doesn't *install* the dll.

What is the purpose of an installer? I thought the purpose was to install software. And software consists of many types of files, not just .exe executables.

If one of my applications comes with xml and wav files, I am not going to argue that they are not "installed" with my application...they are.

The big issue with the OC .dll being installed along with open source software is that it is compiled code in which the source is not available.

But the dll isn't *left* on your machine.  It is to facilitate the installation.  That's the same as saying that NSIS is installed on your machine just because certain supporting dlls have to be extracted to be loaded into memory.  That is *not* installation.  It assists in installation of the requested software.
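
A way to check the "it runs, but it isn't installed" claim argued in the replies above, as an added example that is not part of the thread and is not OpenCandy's or any poster's code: snapshot files and registry keys before, during and after an installer run, then separate what existed only while setup was running from what stayed. Every path, key name and the `adhelper.dll` file name in `demo()` is a constructed placeholder.

```python
"""Added example: what did an installer run leave behind on disk or in the registry?"""
import hashlib
import os

try:
    import winreg  # standard library, Windows only
except ImportError:
    winreg = None


def snapshot_files(root):
    """Map every file path under root to the SHA-256 of its contents."""
    snap = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    snap[path] = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                snap[path] = "<unreadable>"  # locked or access denied
    return snap


def snapshot_registry(hive, subkey):
    """Recursively map registry keys and values under hive\\subkey to their data."""
    if winreg is None:
        raise RuntimeError("registry snapshots require Windows")
    snap = {}
    try:
        key = winreg.OpenKey(hive, subkey)
    except OSError:
        return snap  # key absent or not readable
    with key:
        n_keys, n_values, _mtime = winreg.QueryInfoKey(key)
        snap[subkey] = "<key>"
        for i in range(n_values):
            name, data, _kind = winreg.EnumValue(key, i)
            snap[f"{subkey} :: {name or '(Default)'}"] = repr(data)
        children = [winreg.EnumKey(key, i) for i in range(n_keys)]
    for child in children:
        snap.update(snapshot_registry(hive, f"{subkey}\\{child}"))
    return snap


def diff_snapshots(before, after):
    """Return the items added, removed and changed between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "changed": sorted(k for k in after if k in before and before[k] != after[k]),
    }


def classify(before, during, after):
    """Split new items into transient (gone after setup) and persistent (left behind)."""
    new_during = set(diff_snapshots(before, during)["added"])
    new_after = set(diff_snapshots(before, after)["added"])
    return {
        "transient": sorted(new_during - new_after),
        "persistent": sorted(new_after),
    }


def demo():
    """Constructed snapshots; every path and key below is a placeholder."""
    before = {r"C:\Windows\System32\kernel32.dll": "aa"}
    during = dict(before)
    during[r"C:\Temp\setup-plugins\adhelper.dll"] = "bb"  # extracted helper DLL
    during[r"C:\Program Files\ExampleApp\app.exe"] = "cc"
    after = dict(before)
    after[r"C:\Program Files\ExampleApp\app.exe"] = "cc"  # the requested program
    after[r"HKCU\Software\ExampleVendor :: InstallId"] = "'1234'"  # leftover value
    return classify(before, during, after)
```

The diff shows only what persists on disk and in the registry; it says nothing about what a helper DLL did or sent while it was loaded, which is the separate trust objection raised in this thread.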

mouser

Re: What the hell is OpenCandy?
« Reply #298 on: March 31, 2011, 10:20 PM »
Whether the dll is left as part of the installer/uninstaller or not, i don't see the problem.

Now if using the installer permanently put some background process that was running even after you installed your program of choice, that would be a completely different matter and i would be up in arms, but otherwise this seems much ado about nothing to me.

Eóin

Re: What the hell is OpenCandy?
« Reply #299 on: March 31, 2011, 10:27 PM »
As much as I tend to defend OC (for some reason) I do think the term 'installation' is confusing both app's and 40hz's real points.

The issue is that even if you run the installer and say no to everything, at some stage the OC DLL gets loaded and executed. So if you are of the opinion that you don't trust OC, then there is just no way you can install the original application.

This is the no opt-out issue, you can't opt out of OC getting to run on your PC and doing whatever it does, benign though that may be.

To me it's a non issue, I don't know the authors of most of the software on my PC, and for none of the opensource programs did I go and compile the code myself, or even glance over it, so I'm already placing a great deal of trust in complete strangers.

Personally, if anything OC have earned my trust from what I've read in this thread, so if a DLL wants to run I don't really care.