Author Topic: What the hell is OpenCandy?  (Read 128814 times)
scancode
« Reply #125 on: September 13, 2009, 06:45:07 PM »

-- All this testing was done on a VMWare VM
Testing started on a Clean, WinXP SP3 install. I took a registry and filesystem snapshot, proceeded to install MediaCoder (Audio Edition), typical next-next-next install. It left an OpenCandy folder in the temp dir, with a DLL and a small explanation (OpenCandy_Why_Is_This_Here.txt). After a reboot, for good measure, a third filesystem snapshot showed no changes, and the DLL was still there. However, I had no problems deleting the file. I poked fun at the DLL using OllyDbg (With MediaCoder as my victim) and found that indeed, all information sent is non-personally identifying. However, it saved stuff (session keys, product keys) in HKLM\Software\MediaCoder with cryptic names, even if I didn't install anything.

These are the HTTP requests it made.

It's really opt-in as far as the additional installations are concerned, but I'm not sure about the purpose of those reg entries. I could do some more poking at it with Olly, but I'd rather hear the official version.

I tried Miro too, but they now bundle the Ask toolbar (opt-out)

I like the end-user experience, but I'm not sure why the reg keys are saved, (and why aren't they clearly identified as belonging to OpenCandy)
« Last Edit: September 13, 2009, 06:48:37 PM by scancode »

drapps
« Reply #126 on: September 13, 2009, 07:42:49 PM »

Hi scancode (or Scancode) and DC'ers!

Hope all of you are well. I'm in the middle of moving (and re-setting up my lab) right now but I'll be back tomorrow to post more information. I figured I could throw a couple of things out here now.

The FAQs I promised are finally done and are going to be posted tomorrow (what coincidence!). The FAQs include information about the registry entries. Quickly though, even if you don't accept a recommendation, bookkeeping information about the publisher's software you did install (in your case Scancode, MediaCoder) are created within the publisher's registry key inside an OpenCandy key (so in this case it should be HKLM\Software\MediaCoder\OpenCandy\) as well as a non-reversible identifier created via a random number generated which helps us prevent fraud/gaming and also lowers the likelihood that a declined recommendation will be shown again in the future.

Something big I want to announce... We've updated our plug-in (which all publishers are in the process of updating to/re-integrating), to version 1.3, so that OpenCandy provided files are only TEMPORARILY copied to the computer IF a recommendation is accepted and then they are deleted after the recommended software is downloaded and installed. So no more OpenCandy files will be left behind anymore! Which also means (by the very nature of not leaving OCSetupHlp.dll behind) that we have eliminated uninstall tracking for our publishers. It could take up to 4-6 weeks for everyone who participates as a publisher to update their installers with the new plug-in though (based on their release cycles, etc).

Thanks again everyone! Be well. smiley




Dr. Apps
Software Community Guru for SweetLabs

http://twitter.com/drapps
scancode
« Reply #127 on: September 13, 2009, 08:21:19 PM »

Quote
Quickly though, even if you don't accept a recommendation, bookkeeping information about the publisher's software you did install (in your case Scancode, MediaCoder) are created within the publisher's registry key inside an OpenCandy key (so in this case it should be HKLM\Software\MediaCoder\OpenCandy\) as well as a non-reversible identifier created via a random number generated which helps us prevent fraud/gaming and also lowers the likelihood that a declined recommendation will be shown again in the future.

Oh really?

I see no mention of OpenCandy there... and the keys are being created by OCSetupHlp.dll

f0dder
« Reply #128 on: September 13, 2009, 08:36:02 PM »

Quote
As kartal said, that is exactly what I was referring to as well. What if a malware is designed to look for OC's dll files and exploit a known or , up until now, unknown vulnerability in said dll?

That sounds a bit silly - if a piece of malware is able to scan for OC dlls, it's already on your system - what would it gain, then, by exploiting those DLLs?

I don't really like the concept - for me, no value is added, and having to skip yet another blablabla page during install is annoying. And 300kb (or however big the DLL is now) might not be a lot on my 20mbit ADSL connection, but there's plenty of people who aren't even of 256kbit.

Guess I could live with the scheme, though; it's definitely a lot less bullshit than what other applications are up to. And it's good to know that you're no longer leaving OCSetupHlp.dll behind and doing uninstall tracking... the next step is to make it very clear that data is being sent to your servers, and exactly what kind of data and why.

Anyway, I'm in the suspicious camp with Kartal and app103 on this one. You do seem like a nice guy, and the concept isn't all that bad. However, there really isn't any guarantee that the company won't go rogue... heck, if I managed to win the hearts and minds of users and got a large enough install base that I could make some hundred million bucks by snatching a little bit of usage data and sell people out... wouldn't I be tempted? As app says, there's a lot of power in being able to xref the "pretty harmless" data you're sending with other stuff. (I don't like the obfuscated registry keys, by the way).

Not saying that OpenCandy is evil or that it's going to end up being evil, but I'm not a big fan of advertisements, referrals, or capitalizing on user/usage information. Nothing wrong with making a buck, but I really don't see OC as a value-adder.

- carpe noctem
tranglos
« Reply #129 on: September 13, 2009, 09:04:37 PM »

Quote
The only extra thing i want to comment on is how bizarre a situation we are in where every web site on the planet tracks every click we make, how long we stay on every given page, etc., and no one raises an eyebrow -- but yet if a "program" does it, most of us go crazy.

I have yet to read through this thread (fascinating discussion!), but I think I have what may be a good reason for making the distinction - or two. One: with websites you don't really have a choice. It's not even as if you could avoid sites that gather such data and reward those that don't, because it's a safe bet they all do. With desktop apps though, you still have a choice. Also, you can't tell if someone's Apache server is hooked to a big honking advertising database, but you can usually tell if your desktop apps try to phone home. So not only do you still have a choice, but you have the technology to help you make it.

Two, probably more important. As long as we trust the browsers we're using (and I am aware of JavaScript exploits et al), the information a browser can leak really pales in comparison to what a local app can potentially disclose. Anything on your system that's not encrypted is game, so I'd say the stakes are higher.

The distinction does blur the more people switch to web apps like Gmail or Google Docs, but you can still use your best judgement about what to use Google Docs for, and when to stick with Word. But when you have spyware on your desktop, then the choice between what's sensitive and what isn't is no longer yours.

So I think there is a difference, and of course I still wish Odin's wrath upon all the data collectors everywhere. Bottom line for websites: if tracking me is making you money, I want a piece of it, because it's my stuff. You would not give that data to me for free, would you?

Bottom line for spyware: die.



Paul Keith
« Reply #130 on: September 14, 2009, 12:06:59 AM »

Quote
One: with websites you don't really have a choice. It's not even as if you could avoid sites that gather such data and reward those that don't, because it's a safe bet they all do. With desktop apps though, you still have a choice. Also, you can't tell if someone's Apache server is hooked to a big honking advertising database, but you can usually tell if your desktop apps try to phone home. So not only do you still have a choice, but you have the technology to help you make it.

Not trying to defend OpenCandy since it's been so long since I read the thread but you do have a choice when it comes to websites by not visiting, signing up or sharing personal information on them. Pretty much the same thing as not downloading programs = choice. (Voting by boycott)

Also, most popular data mining sites are pretty much known from their Terms of Service and from the controversy they receive. (See Facebook articles)

Quote
Two, probably more important. As long as we trust the browsers we're using (and I am aware of JavaScript exploits et al), the information a browser can leak really pales in comparison to what a local app can potentially disclose. Anything on your system that's not encrypted is game, so I'd say the stakes are higher.

Not really. Adware and non-browser exploits are on par just as "rigged" programs are categorized on the same level as Javascript exploits as security/virus issues.

Quote
The distinction does blur the more people switch to web apps like Gmail or Google Docs, but you can still use your best judgement about what to use Google Docs for, and when to stick with Word. But when you have spyware on your desktop, then the choice between what's sensitive and what isn't is no longer yours.

Still is really. Remember until docx, Word has a lot of privacy issues left out in the open. That puts it on par with Google Docs.

Similarly if you have an additional layer to your data, it's still a case of the spyware being able to break/know the encryption/password and not fully on just gaining access. Also most spyware can't really compare to the dormant "swine flus" of internet viruses so most part, the choice is still yours on whether you will reformat your OS or risk permanently removing it via an anti-spyware.

Quote
So I think there is a difference, and of course I still wish Odin's wrath upon all the data collectors everywhere. Bottom line for websites: if tracking me is making you money, I want a piece of it, because it's my stuff. You would not give that data to me for free, would you?

Err... they kind of do. It's the modern day technological implementation of fascism.

Give me your bookmarks, pictures, private photos, personal info for free and we'll make you easier to find your friends online or become an internet pop sensation. (the free equivalent of the modern day internet Aryan: instant fame/instant friends/instant consumerist relevance in exchange for illusionary slavery)

That's kinda your piece while your data is theirs.


<reserve space for the day DC can auto-generate your signature from your personal PopUp Wisdom quotes>
drapps
« Reply #131 on: September 24, 2009, 05:16:41 PM »

Hi Everyone,

I’m back. Things have been hectic. Of course moving took much longer than I thought; I didn’t realize how hard it would be with the baby and doing 95% of the move myself!

Anyway…

Scancode,

Regarding the registry entries:

I misspoke (miswrote?) and should clarify that currently, per our Publisher’s Kit Integration Guide, it is only a requirement that OpenCandy related registry keys be stored within the publisher’s registry key. We don’t specifically require that they be within an OpenCandy subkey, though most publishers (MediaCoder excluded, obviously  smiley ) do put them within an OpenCandy subkey.

OpenCandy files in temp directory:

I/we owe you a big THANKS! You’ve actually discovered a bug with v1.3 of our plug-in that only affects NSIS based installers. Only the dll (OCSetupHlp.dll) should be in a user’s temp directory (when it’s unpacked by the installer) and it should be removed once the publisher’s installation is completed. This doesn’t change what I said above about when a recommendation is accepted. When that happens an OpenCandy folder containing the dll (OCSetupHlp.dll) and the text file (OpenCandy_Why_Is_This_Here.txt) are created within the publisher’s installation directory to facilitate the download and installation of the recommended software and once finished, the folder and files are automatically removed (unless one of those things listed in the OpenCandy_Why_Is_This_Here.txt happens: power goes out, etc... ).

We’re in the process of wrapping up version 1.3.1 which rectifies the issue. It'll take a bit before all our publishers have updated their builds. This bug does not affect OpenCandy publishers with Inno-based installers.

Oh yeah, the FAQs are up (http://opencandy.com/faqs)!

Be well everyone  smiley

Dr. Apps
Software Community Guru for SweetLabs

http://twitter.com/drapps
scancode
« Reply #132 on: September 24, 2009, 08:55:16 PM »

Quote
I’m back. Things have been hectic. Of course moving took much longer than I thought; I didn’t realize how hard it would be with the baby and doing 95% of the move myself!

Thmbsup

Quote
I/we owe you a big THANKS!

You're welcome. Dev<>Users feedback is what makes DC græt!

Quote
Oh yeah, the FAQs are up (http://opencandy.com/faqs)!

Thmbsup

Quote
We don’t specifically require that they be within an OpenCandy subkey

Any chance of changing that? Specially after you give instructions as
Quote from: OpenCandy FAQs (http://www.opencandy.com/faqs/)
Click the arrow to expand the publisher’s registry key, and then right-click on the OpenCandy key and click ‘Delete’.

drapps
« Reply #133 on: September 30, 2009, 12:09:12 PM »

Scancode, et al,

Hey y'all (yeah I said "y'all"), hope you're all having a great Wednesday!

Quote
DC<>Users is what makes DC great!

I agree, no question. smiley

Regarding the FAQ, Whoops. FIXED!  I added instructions for those publishers that currently don't use an OpenCandy subkey. See http://www.opencandy.com/...removing-registry-entries Thanks for pointing it out and I appreciate the time you took to read through the faqs. I'm a big fan of a "second set of eyes" especially when they come from the outside looking in.

I have more great news...

Regarding changing OC registry entry location to an OC subkey as a requirement, it was in the pipeline but I wasn't sure we would be able to get it into the version 1.3.1 update (which is rolling out shortly with the NSIS bugfix). But... we did! As of v1.3.1, all ALL OpenCandy publishers are REQUIRED put OpenCandy related registry entries inside an OpenCandy subkey within the publisher's registry key.

Take good care everyone. smiley

Dr. Apps
Software Community Guru for SweetLabs

http://twitter.com/drapps
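
The snapshot comparison scancode describes and the OpenCandy subkey requirement discussed above, as an added example that is not part of any post and not OpenCandy's or MediaCoder's code: it parses two `reg export` text dumps, lists the values an install added under HKLM\SOFTWARE, and separates those inside an OpenCandy subkey from those written straight into the publisher's key. The sample dumps, the ExampleVendor key and all value names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample dumps in "reg export" text form (already decoded to str).
# All value names and data below are invented for illustration.
HEADER = "Windows Registry Editor Version 5.00\n\n"
BEFORE = HEADER + r'''[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"Existing"="1"
'''
# Layout reported in the thread: values written directly into the publisher key.
AFTER_FLAT = BEFORE + r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder]
"InstallDir"="C:\\Program Files\\MediaCoder"
"x7Qa"="9f2c"
"k02Z"=dword:00000001
'''
# Layout required as of v1.3.1: the same values inside an OpenCandy subkey.
AFTER_SUBKEY = BEFORE + r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder]
"InstallDir"="C:\\Program Files\\MediaCoder"

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder\OpenCandy]
"x7Qa"=hex:9f,\
  2c
"k02Z"=dword:00000001
'''

SOFTWARE_ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\"
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from 'reg export' text."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):              # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            if current.startswith("-"):      # "[-KEY]" marks a deletion; skip it
                current = None
            else:
                keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group("name") if m.group("name") is not None else "(Default)"
            keys[current][name] = m.group("data")
    return keys

def added_values(before, after):
    """(key, value_name) pairs present in 'after' but not in 'before'."""
    return [(key, name) for key, values in after.items()
            for name in values if name not in before.get(key, {})]

def group_by_publisher(added):
    """Split additions per publisher key by whether they sit in an OpenCandy subkey."""
    report = defaultdict(lambda: {"labelled": [], "unlabelled": []})
    for key, name in added:
        if not key.upper().startswith(SOFTWARE_ROOT):
            continue
        parts = key[len(SOFTWARE_ROOT):].split("\\")
        if parts[0].lower() == "wow6432node" and len(parts) > 1:
            parts = parts[1:]                # 32-bit view on 64-bit Windows
        in_oc = any(p.lower() == "opencandy" for p in parts[1:])
        report[parts[0]]["labelled" if in_oc else "unlabelled"].append(name)
    return dict(report)

def audit(before_text, after_text):
    return group_by_publisher(
        added_values(parse_reg_export(before_text), parse_reg_export(after_text)))

if __name__ == "__main__":
    for label, dump in (("flat", AFTER_FLAT), ("subkey", AFTER_SUBKEY)):
        print(label, audit(BEFORE, dump))
```

Values in the "unlabelled" group include the publisher's own entries, so each one still has to be attributed by hand. Real dumps written by `reg export` are UTF-16 and need `encoding="utf-16"` when read.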
scancode
« Reply #134 on: September 30, 2009, 05:03:52 PM »

Quote
I have more great news...

Drumroll please...

Quote
As of v1.3.1, all ALL OpenCandy publishers are REQUIRED put OpenCandy related registry entries inside an OpenCandy subkey within the publisher's registry key.

Thmbsup Thmbsup Thmbsup * Removed OpenCandy from evil list smiley

As a sidenote, while reversing OCSETUPHLP, I found a text reference to /NOCANDY. If I pass that parameter to the installer (MediaCoderAE-0.7.1.4496), OpenCandy does not do any changes at all (no recommendations, no external contact, no reg keys). Is that how it's supposed to work?

Quote
ok here is my bet, I am putting my 100$ if anyone wants to bet on it.
I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.

* scancode puts $25 against Kartal
« Last Edit: September 30, 2009, 05:05:43 PM by scancode »

mouser
« Reply #135 on: September 30, 2009, 05:06:21 PM »

nice to hear it  thumbs up
mouser
« Reply #136 on: September 30, 2009, 05:07:34 PM »

rather than take bets -- it might be more helpful for all to say that in one year you will make a post about OpenCandy -- either praising them if they stayed true to their promise, or against them if they turned rogue.
scancode
« Reply #137 on: September 30, 2009, 05:14:02 PM »

^^ what he said (and $25) (and my cat) (and a tattoo)

f0dder
« Reply #138 on: September 30, 2009, 05:22:20 PM »

Quote
^^ what he said (and $25) (and my cat) (and a tattoo)

Gotta be a tattoo of p3lb0x's face saying "pzwn'd!", then Wink

- carpe noctem
scancode
« Reply #139 on: November 13, 2009, 07:44:02 PM »

I finally spotted OpenCandy on the wild: http://www.opencandy.com.ar/ http://www.sweetsa.com.ar...ndy&rubro=indiferente

cmpm
« Reply #140 on: November 13, 2009, 11:03:05 PM »

asquared malware pro popped up to block an opencandy host ip, twice when clicking on this thread

what does that mean?
seriously...i don't know.....
mouser
« Reply #141 on: November 14, 2009, 04:15:24 AM »

scan was just making a joke, thats a link to an online candy shop that for some reason has something called "opencandy":
wraith808
« Reply #142 on: February 26, 2011, 08:46:16 AM »

An old thread, I know, but this is relevant to the topic and I was very surprised that it's come to this...


mahesh2k
« Reply #143 on: February 26, 2011, 09:06:03 AM »

Looks like kartal wins  cheesy
app103
« Reply #144 on: February 26, 2011, 09:14:44 AM »

We were having an interesting discussion the other day in the DC IRC channel about this spike in traffic on my blog, all related to a single article I wrote about it almost 2 years ago.



And judging from some of the comments I have been getting, it seems as though some people are having trouble figuring out how OpenCandy ended up on their computer.

A lot seems to have happened in the last 2 years, including OpenCandy switching from opt-in to opt-out (and blaming developers for it) and Microsoft describing the privacy risks as very similar to a lot of what I described in this post.

cmpm
« Reply #145 on: February 26, 2011, 09:17:25 AM »

Windows Defender and Nod32 is picking them up too.
I just delete them as they come up.
wraith808
« Reply #146 on: February 26, 2011, 09:58:11 AM »

A shame.  He seemed committed to it not being adware at the time.  But I guess everyone was right to be cynical about the application.

Josh
« Reply #147 on: February 26, 2011, 10:04:24 AM »

Quote
ok here is my bet, I am putting my 100$ if anyone wants to bet on it.
I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.
* scancode puts $25 against Kartal

Looks like scannie owes kartal 25 bucks.

Strength in Knowledge
kartal
« Reply #148 on: February 26, 2011, 10:36:38 AM »

Quote
ok here is my bet, I am putting my 100$ if anyone wants to bet on it.
I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.
* scancode puts $25 against Kartal


Looks like scannie owes kartal 25 bucks.


Hey guys thanks for the follow ups, I did not know that I won. On the other hand I am not surprised about my future predictions. I have been trying to talk about certain privacy and security implications of various services and apps on these forums, I am hoping to broaden people's perspective on these very very important issues

I will happily donate my new income to graceful open source projects and donation coder projects.


cheers

wraith808
« Reply #149 on: February 26, 2011, 10:49:57 AM »

Quote
ok here is my bet, I am putting my 100$ if anyone wants to bet on it.
I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.
* scancode puts $25 against Kartal

Looks like scannie owes kartal 25 bucks.

That's not an accurate assessment.  They do not try to install hidden stuff and spy on your download-installation activity.  What they do is not provide an opt-in model, which is quite disappointing.  But they are middle of the road rather than malignant in terms of installing hidden stuff.