
What the hell is OpenCandy?


wraith808:
Umm, how does OpenCandy work, again?

Do they provide their own entire installation framework, or is it "merely" a plugin DLL available for use with 3rd party installers like NSIS, InnoSetup, InstallShield et cetera?

If it's a plugin, then Wraith isn't entirely correct - the DLL won't be part of the installer.exe import table, and it will be loaded dynamically. Now, it's several years since I've played with installers, so it could very well be that the major installers load all contained 3rd party DLLs as soon as possible... but that sounds a bit stupid.

-f0dder (April 05, 2011, 03:08 PM)
--- End quote ---

I've had to incorporate 3p dlls with NSIS, InstallShield, and WISE, and in each case, the DLL was copied to the computer, which is installed, and then it was dynamically linked (of course), but it had to be loaded at the beginning of the installer.  I sort of mixed my metaphors so to speak with the dynamic links... but it's not load on demand which is what I meant.

JavaJones:
I'm with 40hz: I think the OC logo and text, referring to the EULA, addresses the problem as best you can given current limitations. It also avoids the "problem" of increased attrition from an opt-in. ;)

Edit: I for one don't have a problem with the DLL being put on my computer (e.g. in temp) for it to be loaded in the installer. If upon immediately being loaded it's already *doing* stuff then I do take issue with that, but I would guess it won't *do* anything until actually asked to. In that case I personally am ok with it as long as I am asked if I want OC to *do* anything *before* it does it. Obviously this requires a bit of trust already, but that's fine by me. Ideally both the website/download location *and* installer would specify OC is used, that way if I'm concerned about even the DLL being loaded, I know I shouldn't bother with even downloading it.

- Oshyan

40hz:
the effort that's involved would be pretty substantial for little benefit
-wraith808 (April 05, 2011, 03:11 PM)
--- End quote ---

I think that's only true if you're looking at it from a purely technical perspective.

What makes OC a bellwether is its asking us to accept that a piece of software - provided by a third party and totally unrelated to the main app's function - should be allowed to scan and transmit data back to that third party without announcing itself or getting the user's permission before doing so.

Regardless of whether or not it's been happening in other places, this has not generally been considered acceptable behavior for a legitimate software product. Truth is, stealth and operating without permission has always been considered more in keeping with malware and quasi-malware behaviors.

And with venture capital backing and several prominent software developers signing onto OC, I think we really need to see this as a company attempting to change the definition of what is considered acceptable. If it wasn't trying to do this, it wouldn't be causing some anti-malware products to flag its behaviors as suspicious.

Whether or not it's malicious, by the way it operates, OC shares cultural and technical similarities with software that is potentially dangerous.

And while so-called false positives may damage a product's reputation unfairly, we also need to consider that most anti-malware detection is based on behavioral analysis. And to have a legitimate product display such behaviors by design - and then insist the anti-malware detection methodology needs to be changed to accommodate it - creates an even bigger problem when it comes to continuing to be able to detect truly malicious code that operates in a similar manner except for the payload.

I'll risk a clumsy analogy to illustrate my point:

***

Suppose in a certain city, several of the most notorious and violent street gangs were easily identified by the fact they wore green fedora hats and drove a certain model van. The police were aware of this behavior, so it was relatively easy for them to spot the gangs and intervene whenever they were seen racing around in their vehicles or entering buildings at a run.

Now suppose that the EMTs in this same city decided to also adopt green fedoras and begin driving similar looking vehicles.

Now the police have a much harder time identifying potential trouble and preventing it.

Are those two green fedora wearing guys who just ran into that building going in to put a hit on somebody or rob the place? Or are they just EMTs responding to an emergency call? And is that van that just flew down the road fleeing a crime scene - or is it attempting to get a stroke victim to an Emergency Room in time to save someone's life?

When the EMTs are asked to stop wearing green hats and get different vehicles, they refuse, claiming it's not they who are doing anything wrong.

And when an EMT unit is inevitably pulled over in error, the EMTs all demand that the police stop profiling them as if they were criminals - because again, it's not they who are doing anything wrong despite the fact their appearance and behavior demonstrates strong similarities to those who are.

In the wake of this, the police now have a much harder job zeroing in on potential trouble.

And as a result, they are not as effective as they used to be when dealing with a certain criminal element.

***

So while it may be a large effort for small gain, in the larger cultural and technical arena, having something work like OC introduces issues that could easily be avoided if it was implemented differently.

And that is something they are apparently refusing to do even though it shouldn't present much in the way of a technical challenge for them to change their software.

Just my 2¢
 :)

wraith808:
the effort that's involved would be pretty substantial for little benefit
-wraith808 (April 05, 2011, 03:11 PM)
--- End quote ---

I think that's only true if you're looking at it from a purely technical perspective.

What makes OC a bellwether is its asking us to accept that a piece of software - provided by a third party and totally unrelated to the main app's function - should be allowed to scan and transmit data back to that third party without announcing itself or getting the user's permission before doing so.

Regardless of whether or not it's been happening in other places, this has not generally been considered acceptable behavior for a legitimate software product. Truth is, stealth and operating without permission has always been considered more in keeping with malware and quasi-malware behaviors.

And with venture capital backing and several prominent software developers signing onto OC, I think we really need to see this as a company attempting to change the definition of what is considered acceptable. If it wasn't trying to do this, it wouldn't be causing some anti-malware products to flag its behaviors as suspicious.

Whether or not it's malicious, by the way it operates, OC shares cultural and technical similarities with software that is potentially dangerous.

And while so-called false positives may damage a product's reputation unfairly, we also need to consider that most anti-malware detection is based on behavioral analysis. And to have a legitimate product display such behaviors by design - and then insist the anti-malware detection methodology needs to be changed to accommodate it - creates an even bigger problem when it comes to continuing to be able to detect truly malicious code that operates in a similar manner except for the payload.

I'll risk a clumsy analogy to illustrate my point:

<snip />

So while it may be a large effort for small gain, in the larger cultural and technical arena, having something work like OC introduces issues that could easily be avoided if it was implemented differently.

And that is something they are apparently refusing to do even though it shouldn't present much in the way of a technical challenge for them to change their software.

Just my 2¢
 :)
-40hz (April 05, 2011, 04:09 PM)
--- End quote ---

I snipped out your example- I do get what you mean, so as my reply doesn't really speak to that...

1) As far as acceptable behavior, I think that though it might be through a different avenue, and through a different type of organization, this has been around for a while.  And while people might grumble and complain, there's never been a huge outcry against it. (see Yahoo toolbar, et al).  I think the difference is that they are openly courting developers, while at the same time touting that they are not more of the same.  So people are trying to prove that they are.  I have to consciously every time I install iTunes, or when I used to use Yahoo Messenger, or several other apps remember to uncheck the installs for other items.  And this is considered worse?  And in each case, there was a bit of discussion (or sometimes not) and then it blows over.  There's been no censure of Apple by the masses for their actions, nor of Yahoo, or Google, or any of the others that do the exact same thing.  So to say that this is not acceptable behavior is just not true.

2) The fact that this shouldn't present much of a technical challenge is *also* not true.  Especially when you're courting developers that already have an installer, and creating an installer is a *lot* of work.  I've done it from scratch before, and there's a lot of things you take for granted that InstallShield or Wise give you for free.  When I say a lot of work for little gain, I don't mean in terms of mindshare or other intangibles- those are hard to sell to VCs.  I mean in justifiable ROI.  I'm not defending the position; I'm just seeing things how they are.

So I don't think it's a refusal as much as it is a feasibility thing versus how much of an investment that the changes that you're mentioning would really cost versus their perceived gain.

Renegade:
P.S. Nice splash screen design BTW. Really like that camera graphic. :Thmbsup:
-40hz (April 05, 2011, 02:33 PM)
--- End quote ---

Thanks! I tried to make the software friendly and attractive from the get-go.
