Main Area and Open Discussion > General Software Discussion

What the hell is OpenCandy?

<< < (26/99) > >>

scancode:
-- All this testing was done on a VMWare VM
Testing started on a Clean, WinXP SP3 install. I took a registry and filesystem snapshot, proceeded to install MediaCoder (Audio Edition), typical next-next-next install. It left an OpenCandy folder in the temp dir, with a DLL and a small explanation (OpenCandy_Why_Is_This_Here.txt). After a reboot, for good measure, a third filesystem snapshot showed no changes, and the DLL was still there. However, I had no problems deleting the file. I poked fun at the DLL using OllyDbg (With MediaCoder as my victim) and found that indeed, all information sent is non-personally idenfying. However, it saved stuff (session keys, product keys) in HKLM\Software\MediaCoder with criptic names, even if I didn't install anything.

This are the HTTP requests it made.
Spoiler
--- ---api.opencandy.com?clientv=12&language=es,en&machine_code=B876377DDB5C44C4B788798B8D54C56E&method=get_offers&os=WIN5.1SP2&product_key=4bc3108774fe0784644fed43647b5d3e&v=1.0&signature=dfb6e2937da9a2557da73950ff5fc381
api.opencandy.com?clientv=12&language=es&machine_code=B876377DDB5C44C4B788798B8D54C56E&method=get_translations&product_key=4bc3108774fe0784644fed43647b5d3e&v=1.0&version=0&signature=a7707a70e4adfe281a43fe57e3c8226b
api.opencandy.com?accepted_ind=0&clientv=12&machine_code=B876377DDB5C44C4B788798B8D54C56E&method=track_offer_result&offer_id=390&product_key=4bc3108774fe0784644fed43647b5d3e&session_key=356b199c89601bd9be384d6fde734ec3&v=1.0&signature=de090feecbad0d2cc50c61119265e919
api.opencandy.com?clientv=12&machine_code=B876377DDB5C44C4B788798B8D54C56E&method=track_product_installed&product_key=4bc3108774fe0784644fed43647b5d3e&session_key=356b199c89601bd9be384d6fde734ec3&v=1.0&signature=6246b02806ebb3eafebdfc4af5c1433c

It's really opt-in as far as the additional installations are concerned, but I'm not sure about the purpose of those reg entries. I could do some more poking at it with Olly, but i'd rather hear the official version.

I tried Miro too, but they now bundle the Ask toolbar (opt-out)

I like the end-user experience, but I'm not sure why the reg keys are saved, (and why aren't they clearly identified as belonging to OpenCandy)

drapps:
Hi scancode (or Scancode) and DC'ers!

Hope all of you are well. I'm in the middle of moving (and re-setting up my lab) right now but I'll be back tomorrow to post more information. I figured I could throw a couple of things out here now.

The FAQs I promised are finally done and are going to be posted tomorrow (what coincidence!). The FAQs include information about the registry entries. Quickly though, even if you don't accept a recommendation, bookkeeping information about the publisher's software you did install (in your case Scancode, MediaCoder) are created within the publisher's registry key inside an OpenCandy key (so in this case it should be HKLM\Software\MediaCoder\OpenCandy\) as well as a non-reversible identifier created via a random number generated which helps us prevent fraud/gaming and also lowers the likelihood that a declined recommendation will be shown again in the future.

Something big I want to announce... We've updated our plug-in (which all publishers are in the process of updating to/re-integrating), to version 1.3, so that OpenCandy provided files are only TEMPORARILY copied to the computer IF a recommendation is accepted and then they are deleted after the recommended software is downloaded and installed. So no more OpenCandy files will be left behind anymore! Which also means (by the very nature of not leaving OCSetupHlp.dll behind) that we have eliminated uninstall tracking for our publishers. It could take up to 4-6 weeks for everyone who participates as a publisher to update their installers with the new plug-in though (based on their release cycles, etc).

Thanks again everyone! Be well. :)

scancode:
Quickly though, even if you don't accept a recommendation, bookkeeping information about the publisher's software you did install (in your case Scancode, MediaCoder) are created within the publisher's registry key inside an OpenCandy key (so in this case it should be HKLM\Software\MediaCoder\OpenCandy\) as well as a non-reversible identifier created via a random number generated which helps us prevent fraud/gaming and also lowers the likelihood that a declined recommendation will be shown again in the future.
-drapps (September 13, 2009, 07:42 PM)
--- End quote ---

Oh really?
Reg DumpREGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder]

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder\MediaCoderAudioEdition]
"VOCV"=dword:00000000
"OCN"=hex:01,00,00,00,c8,0f,21,12,54,23,34,02,3b,04,36,06,43,08,3f,0a,4a,0c,3d,\
  ff,c7,fd,bf,fb,ce,0f,24,12,25,23,38,02,3b,04,34,06,3f,08,4c,0a,48,0c,3f,ff,\
  cd,fd,bd,fb,bb,0f,57,12,20,23,40,02,40,04,46,06,44,08,4b,0a,0b,0c
"Location"="C:\\Archivos de programa\\MediaCoder Audio Edition\\mediacoder.exe"
"Version"="0.7.1.4496"

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder\MediaCoderAudioEdition\Completed]
"VOCV"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder\MediaCoderAudioEdition\Completed\4bc3P-5D167002CA994BC1A6D86224393B241C]
"VOCV"=dword:00000000
"Session"=hex:01,00,00,00,99,0f,26,12,27,23,34,02,65,04,35,06,33,08,6b,0a,6d,\
  0c,3e,ff,98,fd,9e,fb,9f,0f,29,12,22,23,65,02,61,04,35,06,64,08,6f,0a,3c,0c,\
  6c,ff,ce,fd,99,fb,c2,0f,29,12,76,23,67,02,37,04,37,06,3f,08,3e,0a,0b,0c
"PK"=hex:01,00,00,00,ce,0f,73,12,74,23,32,02,32,04,35,06,3f,08,3e,0a,3c,0c,39,\
  ff,98,fd,99,fb,ca,0f,26,12,2f,23,35,02,35,04,31,06,33,08,6f,0a,6e,0c,69,ff,\
  ca,fd,cf,fb,cc,0f,25,12,20,23,63,02,36,04,61,06,34,08,6c,0a,0b,0c
"CRC"=hex:01,00,00,00,9f,0f,21,12,2f,23,67,02,66,04,36,06,65,08,3c,0a,6e,0c,35,\
  ff,cb,fd,9d,fb,ce,0f,27,12,2e,23,30,02,30,04,34,06,35,08,3b,0a,6e,0c,6f,ff,\
  c7,fd,c4,fb,cf,0f,25,12,75,23,37,02,62,04,35,06,65,08,3f,0a,0b,0c
"Installed"=hex:04,00,00,00,32,9c,aa,42


I see no mention of OpenCandy there... and the keys are being created by OCSetupHlp.dll

f0dder:
As kartal said, that is exactly what I was referring to as well. What if a malware is designed to look for OC's dll files and exploit a known or , up until now, unknown vulnerability in said dll?
-Josh (May 30, 2009, 04:22 PM)
--- End quote ---
That sounds a bit silly - if a piece of malware is able to scan for OC dlls, it's already on your system - what would it gain, then, by exploiting those DLLs?

I don't really like the concept - for me, no value is added, and having to skip yet another blablabla page during install is annoying. And 300kb (or however big the DLL is now) might not be a lot on my 20mbit ADSL connection, but there's plenty of people who aren't even of 256kbit.

Guess I could live with the scheme, though; it's definitely a lot less bullshit than what other applications are up to. And it's good to know that you're no longer leaving OCSetupHlp.dll behind and doing uninstall tracking... the next step is to make it very clear that data is being sent to your servers, and exactly what kind of data and why.

Anyway, I'm in the suspicious camp with Kartal and app103 on this one. You do seem like a nice guy, and the concept isn't all that bad. However, there really isn't any guarantee that the company won't go rogue... heck, if I managed to win the hearts and minds of users and got a large enough install base that I could make some hundred million bucks by snatching a little bit of usage data and sell people out... wouldn't I be tempted? As app says, there's a lot of power in being able to xref the "pretty harmless" data you're sending with other stuff. (I don't like the obfuscated registry keys, by the way).

Not saying that OpenCandy is evil or that it's going to end up being evil, but I'm not a big fan of advertisements, referrals, or capitalizing on user/usage information. Nothing wrong with making a buck, but I really don't see OC as a value-adder.

tranglos:
The only extra thing i want to comment on is how bizarre a situation we are in where every web site on the planet tracks every click we make, how long we stay on every given page, etc., and no one raises an eyebrow -- but yet if a "program" does it, most of us go crazy.
-mouser (May 13, 2009, 03:25 PM)
--- End quote ---

I have yet to read through this thread (fascinating discussion!), but I think I have what may be a good reason for making the distinction - or two. One: with websites you don't really have a choice. It's not even as if you could avoid sites that gather such data and reward those that don't, because it's a safe bet they all do. With desktop apps though, you still have a choice. Also, you can't tell if someone's Apache server is hooked to a big honking advertising database, but you can usually tell if your desktop apps try to phone home. So not only do you still have a choice, but you have the technology to help you make it.

Two, probably more important. As long as we trust the browsers we're using (and I am aware of JavaScript exploits et al), the information a browser can leak really pales in comparison to what a local app can potentially disclose. Anything on your system that's not encrypted is game, so I'd say the stakes are higher.

The distinction does blur the more people switch to web apps like Gmail or Google Docs, but you can still use your best judgement about what to use Google Docs for, and when to stick with Word. But when you have spyware on your desktop, then the choice between what's sensitive and what isn't is no longer yours.

So I think there is a difference, and of course I still wish Odin's wrath upon all the data collectors everywhere. Bottom line for websites: if tracking me is making you money, I want a piece of it, because it's my stuff. You would not give that data to me for free, would you?

Bottom line for spyware: die.

Navigation

[0] Message Index

[#] Next page

[*] Previous page