What the hell is OpenCandy?

[kartal]

I know I said I would stop posting in this topic but this is the last one really I think that app103 laid out the case pretty well. Now I hope those who feel uncertain about what to think about OC, please read app103`s reply indepth.

They should not leave stuff behind, that is bad house cleaning. If I see one more OC registry-dll(without my consent) in my system  I will start an anti-OC group, and not kidding.

[wraith808]

Installshield (and several other installers) do the same thing.  How is this any different?

-wraith808 (May 18, 2009, 12:22 AM)

Install shield does what?  Does it install secret advertising network dlls?

-kartal (May 18, 2009, 12:26 AM)

No, but it installs dlls and registry entries that are not needed for the application without telling you.

mouser, I did not think that you were trying to pick on me. But the way wraith808 laid his cases sounded like he wanted to ridicule the idea little bit. I do not have any personally issues with any personality on this board

-kartal (May 18, 2009, 12:36 AM)

Ridicule what idea?  I'm positively stumped that anything that I said could have come across as ridicule... I was just stating a fact- that other things used during install place dlls on your system, and many of them leave them- especially things that have registration requirements.  And many times, these dlls are not needed to run the application- just for registration or during installation, or, in many cases, for similar non-identifying metrics.

[wraith808]

<snip />

This is like placing non-expiring tracking cookies in your registry....the kind that make the old doubleclick look like angels.

-app103 (May 18, 2009, 12:41 AM)

And again I say that many installers leave just as much information on your system, and have the same capability, though it's not used in that way (or at least I'm not cynical enough to believe that it is).  Just because something could be used in that way, doesn't mean that it is, or that this was even the intent.  And judging intent without knowledge is something that's negative in another way, IMO.

[cmpm]

Reminds me a bit of when uninstalling some programs, it will pop up a webpage asking why I'm doing it.

That is a direct link to the net from a program, that was not disclosed upon installing.

At least opencandy is not hiding it's dll under another name. And even has a folder with it's name. Though as mentioned. I would not know the name without kartal's thread here.

In searching, i googled a few phrases-

opencandy
opencandy recommendations
opencandy registry entries
opencandy spyware
opencandy adware

No independent articles labeled it as inherently bad.
Though comments were much like here.

I could not find much posted in 2009, most from around November of 2008. OC needs to be more open as well as those that use their technology in my opinion.

Why is it I had to point out what is installed where?
And not OC's webpage.
It wasn't hard to find, which is good.
But I don't know what that dll does.
Nor do I know how to find out.

What exactly is that dll doing in it's own folder as well as other programs, after the install, nothing? Is it waiting on input? Is it sending anything anywhere?

No, Dr apps I don't see you as a tech, as in computer technician.
Unless you are just not saying. Cause you haven't said anything that leads me to think that you know much more then anyone with google and some scanners.

And most troubling is the lack of willingness to disclose the users of OC. If it's so great then why is it not revealed before installs. There's other questions not answered as well.

The fact is, it is software-one file or 20-bundled with another program. Miro and OC are not the same company. That's two software companies, count 'em.

The potential risk of escalating this practice will devastate the software vendors participating in bundling services (there will be more then OC) that sell or recommend (same thing) other products in the install process. Especially without disclosing the facts upfront.

[drapps]

@kartal

"The thing is that OC installs itself(in the program directory as dll and in the registry) and does not tell the user about it even if the user does not want to install the recommended software, based on my experience."

@PhilB66
"I asked a similar question some 70 posts ago.... http://www.donationcoder....18297.msg164050#msg164050"

The fact that not ALL publishers (developers recommending other software via OpenCandy) were disclosing OpenCandy in their EULA was an oversight. It was an honest mistake and I apologize.

Effective immediately no NEW publishers will be allowed to release an OpenCandy powered installer without disclosing it in their EULA (along with a link to our privacy policy).

In addition, EXISTING publishers utilizing OpenCandy that have not disclosed so in their EULA (with a link to our privacy policy) are being notified NOW that they MUST update their EULAs.

@app103
"Let's say I install something containing OC and decline the recommended application. Then the next time because of the stuff they left on a user's system, they know what I previously installed, so they don't offer me that, and they know what I declined and won't offer me that again, either. After awhile, after a sizable portion of the world's developers are using OC in their installers (which is what they are hoping for), it would be possible to gather a pretty large list of what a user has installed on their system and what they are not interested in, in a single shot."

OpenCandy's recommendation engine doesn't function to build a database of what software people have installed on their system. It's function is to make a "good" recommendation. So if 90% of computers install "Bob's Bodacious Biorhythms" software when it's recommended by "Julio's Horoscope Creator" then statistically we (and Julio) are probably making a "good" recommendation. The inverse, if "Joe's Awesome Task Manager" recommending "Frank's Fantastic File Syncing Tool" results in zero installs then it tells us that "Joe's Awesome Task Manager" should look into recommending something else.

@app103
"But if it is harmless and not capable of doing anything, what would be the reason for leaving it and any registry entries related to it on a user's system after the install process is completed, unless it is to activate and/or retrieve other data later, such as the next install of anything containing OC?"

The OC dll is also called during uninstallation.

We provide (aggregate, non-personally identifiable) statistics back to publishers about installation and uninstallation of their software. The idea being that anonymous statistics like (a high percentage of) uninstallations can help a developer recognize if something needs to be fixed, changed, enhanced in their software (though they're going to have to reach out to their users to find out the actual reasons). 

@app103
"Combine that with the data they can collect from your IP address when it contacts their servers, and they can pretty much know where you live, your connection type, what ISP you use, whether you install software at night more than during the day, on weekends rather than during the week, and a ton of other statistical data about you,too. Even without knowing your actual identity and precise street address, they can know a lot about you. This is what is not told to the user, and it's this type of information collecting the user doesn't know about and hasn't consented to."

The key words are "can collect". We don't. As I've stated previously (and as written in our privacy policy), we don't store your IP address (we do use it to determine what COUNTRY you are in), we don't care about your ISP, connection type, or when you install software. The user is told and consents to it when they accept the EULA for the publishers software they are installing.

@cmpm
"Why is it I had to point out what is installed where? And not OC's webpage."

We are currently in the process of re-architecting our entire website. Currently it has ZERO flexibility to work with content. Also, previous to me being hired at OpenCandy there wasn't a single/central person (who had time and was responsible for) getting content/information on the website. So a lot of the information I've provided here will be available on our website as well.

@cmpm
"What exactly is that dll doing in it's own folder as well as other programs, after the install, nothing? Is it waiting on input? Is it sending anything anywhere?"

Answered above in response to @app103. It does not send anything, anywhere except during installation or uninstallation of a publisher's software. The information sent is disclosed in our privacy policy.

@cmpm
"No, Dr apps I don't see you as a tech, as in computer technician.
Unless you are just not saying. Cause you haven't said anything that leads me to think that you know much more then anyone with google and some scanners."

Ouch!

I am. It's what I've been during for years. This thread hasn't afforded me the opportunity to prove my "geek cred". But I'm around (on Twitter, now here, and hopefully I'll launch my new blog soon)... So, there will be plenty of opportunities for me to share my tech knowledge.

@cmpm
"And most troubling is the lack of willingness to disclose the users of OC. If it's so great then why is it not revealed before installs. There's other questions not answered
as well."

Answered above in response to @app103. ALL Publishers MUST disclose OpenCandy via their EULA.  Publishers are free to decide for themselves if they want to talk about OpenCandy on their websites (though we encourage them to blog/inform their community about us!), some of them already do (I linked to some, a bunch of posts back). Also, we have "Powered by OpenCandy" on every recommendation screen and we have a link to our site in the downloader. I also mentioned earlier in this thread that we plan to have an OpenCandy link (and possibly a link to specific information about the recommended program) in the recommendation screen but due to technical issues it hasn't been implemented yet.

BTW, our privacy policy is available here: http://assets.openca....com/privacy-policy/ Also, if anyone wants to check out our SDK and documentation, it's available here: http://www.opencandy.com/participate/ (I didn't link to the direct download of our SDK because when it's updated the file name changes).

Thanks.

Dr. Apps

[mikiem]

OK -- here's the deal...

If you're familiar with the GOTD site (giveawayoftheday.com), today (5/29) they're offering a copy of StarBurn. StarBurn offers in an very upfront, opt-in/out way to add a toolbar etc -- check out the high % of negative comments & comment ratings, mainly because the add-on's even offered. Take that to mean whatever you want... myself, I think it's an expression of the indignation many users feel when they find developers even approaching anything beyond the normal expectations of their app. Personally I think a full statement & notice should be presented as the 1st step in the install, & NOT in the EULA.

I think any developers, marketers etc reading this should take note -- people do get upset. They should also note the loyalty & respect so many users give to whatever anti-spyware apps they favor, & they do go wild over that sort of software. I'm NOT saying Open Candy is spyware, but rather that people are rather paranoid & distrusting of this sort of thing.

That said, I feel it reasonable that developers include Open Candy if they wish, & I will act accordingly, now that I'm (embarrassingly late) aware of it. If it's an app I can do without, I will. If it's an app I don't wish to abandon, I'll do my best to remove / disable Open Candy, & will make others aware of it as possible &/or reasonably convenient.

Thanks Much, kartal, for bringing OC up!

[mikiem]

wraith808,

You make a very good point about installer software & it's often abusive nature. It's a solid endorsement of uniextract, when it'll work, along with Regshot & maybe even installwatch pro when it won't. In my personal experience easily 90% of the registry entries made by most installation software is not needed, nor are the redundant, hdd stored install files they sometimes provide helpful or wanted. Just like OC, IMHO they should be avoided if at all possible, and usually circumvented when not. In fact, bypassing the install often tackles OC from what little I can tell scanning my drives & registry very quickly.

[mikiem]

In other words -- I really think its misdirected energy to be complaining about the abstract concept of using a DLL in an installer -- there is just nothing to complain about regarding such a trivial everyday thing.  And I don't see why anyone should care if an installer makes an opt-in recommendation to a user about another program that the author wants to recommend.

FWIW there are folders & reg entries created without the user's awareness / permission, even if you ask politely as with the StarBurn example I mentioned. People don't watch because they don't feel that they should have to. I'm not saying that's right or wrong -- just that it is. If it bugs some % of customers & potential customers, it's still the developer's decision -- I think they should approach it with their eyes open. Users are after all more than occasionally fickle, & telling someone that logically they shouldn't be upset is kinda like throwing gasoline on an open flame.

[drapps]

OK -- here's the deal...

If you're familiar with the GOTD site (giveawayoftheday.com), today (5/29) they're offering a copy of StarBurn. StarBurn offers in an very upfront, opt-in/out way to add a toolbar etc -- check out the high % of negative comments & comment ratings, mainly because the add-on's even offered.

-mikiem (May 29, 2009, 03:19 PM)

It's funny that you posted this because this morning I was scrambling to find out what "Skymediapack" was and whether it was a required component of Starburn. I didn't think it was because I've installed Starburn many times before and never noticed it.

I DON'T think Starburn was "very upfront" about Skymediapack at all. There is ZERO explanation in the Starburn installer of what Skymediapack is, what it does (like change your home page), whether it is optional AND to top it off... it's pre-checked to install (aka opt-out). So, many people are probably installing Skymediapack by accident which is why they're mad. I would be too. I (obviously) didn't install it, but some people in the GiveAwayoftheDay comments are saying that Skymediapack doesn't have an uninstall entry.

The way I look at it, this is exactly the reason why OpenCandy exists. OpenCandy recommendations are crystal-clear that they are optional, there's useful information about what a recommended application (or service) does (app highlights), and all OpenCandy recommendations are OPT-IN.

Dr. Apps

EDITED: forgot the word 'application' and added '(or service)' in the sentence "...about what a recommended does (app highlights)..."

[mikiem]

Hi Dr. Apps,

I don't disagree with you or OC at all... really. But going from here I read a few Google hits and read what seems to be the same sort of upset user response. From a purely Marketing & Customer Service / Satisfaction standpoint, where a lot of my work was focused for a couple decades, there's a perception problem, & those won't just go away by presenting logic or even facts.   

Saying another product does worse, or has more dangerous potential [mouser / wraith808 etc], only heightens an already suspicious customer's suspicions, & goes over less well if there's any sense of competition -- it's then seen as a "grasping at straws" sort of desperate defense when you can't or won't fix the customer's problem. [It does however work apparently with potential customers when a clear A/B choice is presented (for example MS Shopper ads).]

That all said, myself I'm rather neutral... my sole attempt at being useful was to post another point of view -- that of some % of any coder's clientele or customers. While not Obsessive - Compulsive like Monk (at least I hope not), personally I like to keep additions to my hdds to a minimum, & be aware of every addition made. Media Coder, which was already on my "Questionable" list is gone -- it only offered an in-case alternative to other apps, the author stopped providing a zipped, no-install d/l, & now it results in a few extra folders & entries to get rid of, which tipped the scale. Media Info I use daily, & it stays, though I'll still remove any extra folders / reg entries, & take another look at uniextract-ing it. The same criteria applies & will apply to programs I pay / paid for... a simple cost benefit analysis that includes the unwanted stuff I have to either ignore or remove. I would like to say I'm average, but I think I'm to the moderate side of center -- I've seen several GOTD visitors make negative comments because the developer included an innocuous ad for their pay-for upgrade in the GUI!

[cmpm]

Nothing about OC in the license or any place for xulrunner, mediacoder or miro.

This is targeting open source projects. And could be the end of some, with google hits mounting as to the nature of OC and the job of removing it. As it is a software that was received without notice.

When I download a software program or application, I expect that is what I'm suppposed to get.

http://getsatisfacti...ion/topics/opencandy

http://forum.mediaco...c.php?f=3&t=5741

Besides having to find and delete the file-

1. Start the registry editor
- Go to Start Menu
- Click 'Run'
- Type 'regedit', click ok
2. Navigate to the open Candy folder
- On XP it is located at: HKEY_LOCAL_MACHINE > SOFTWARE > OpenCandy
3. Backup the OpenCandy Registry Key (just to be safe, in case something goes wrong.)
- Right click the OpenCandy registry key (looks like a folder)
- Click 'export'
- Save the file somewhere on your computer
4. Delete the OpenCandy Registry Key
- Select the OpenCandy registry Key (looks like a folder)
- Go to the edit menu and click 'delete'
- Click 'OK' to confirm the deletion

How long will people have to deal with this?
When word spreads further, and it will, there will be no OC.
And how many open source projects will it affect?
All of them?

Since there is no notice or informing of an OC install.
(And good for "Bitdefender" to catch that operation.)
This is bad practice for a seemingly good source of info on other products. Why are the software's involved not 'open' about this tactic before the download even starts?

[mouser]

This thread is going in circles..  To get mad about a single key in the registry, or a DLL file that is part of the installer and does nothing but suggest another program you can opt-in to install, is really misplaced concern in my view.  All this hand wringing is best saved for *real* adware, spyware, hidden installs, etc. Stuff that really *does* install programs behind the scenes that users don't want.

As someone pointed out to me in a personal message -- this thread is starting to feel like the one single company trying to do this in a reasonable fashion is being made the scapegoat for the worst behaviors of the worst offenders in the spyware world.  There are real bad culprits out there, but this isn't one of them, and i think we are getting to the point where this thread is making things more confusing to readers rather than educating them.

Regardless.. maybe it's time we wound down the repeated posts on this thread that are merely restating the same points.  Maybe i'm guilty of that too, so i'll not be repeating myself again.

[Josh]

Mouser, I can point you to several infections I have had in the past, Pre-SP1 XP, that were only a single DLL that manipulated itself into various exe files once loaded at startup. A registry entry alone, yes, could be harmless unless it is exploiting some feature that is undocumented (as windows has thousands of) and the enabling of such opens up other holes. The dll, while part of the installer, is left behind. If someone discovers an exploit in said dll, or a way to load it with other malware and use it to exploit other holes, then the dll (for installer purposes only) serves another more vicious purpose. I am not saying OC does this, but I do believe NOTHING should be left behind that isnt absolutely necessary.

[Eóin]

Josh that's incorrect, a DLL sitting there not in use is completely benign. It's only if it is loaded into a process can it cause harm, and even then no more harm than that process itself could do. It getting loaded into some processes address space cannot happen spontaneously, something must load it and that something is then the malicious application, not the DLL.

Sorry to be blunt but you're concerns here are unfounded.

[cmpm]

Fine, mouser, I'll quit.

I am referring to reply 104 that has not been done.
There is no eula for open source posted with an install of these programs.

[Paul Keith]

This is one of those times where maybe the company should take advantage of the bad press and advertise themselves as ad-ware lite on their webpage with a special section on top answering/comparing and posting the answers here and on many other forums on what they do different from normal ad-ware. 

[kartal]

think

-mouser (May 30, 2009, 08:57 AM)

To get mad about a single key in the registry, or a DLL file that is part of the installer and does nothing but suggest another program you can opt-in to install, is really misplaced concern in my view.  All this hand wringing is best saved for *real* adware, spyware, hidden installs, etc. Stuff that really *does* install programs behind the scenes that users don't want.

-mouser (May 30, 2009, 08:57 AM)

Josh that's incorrect, a DLL sitting there not in use is completely benign. It's only if it is loaded into a process can it cause harm, and even then no more harm than that process itself could do. It getting loaded into some processes address space cannot happen spontaneously, something must load it and that something is then the malicious application, not the DLL.

Sorry to be blunt but you're concerns here are unfounded.

-Eóin (May 30, 2009, 09:26 AM)

What if someone else exploits it? I think some of you are very smart but naive  people.

On the otherhand all I have seen so far either OC had a bug in the installer or it was an honest mistake on the developer`s side or it was some other problems that was causing OC`s unattended invisible installations. Just more excuses for more malign behaviours. You know if noone ever raised anything about these issues, you bet they would not be called bugs or honest mistakes.


Mouser, I am already trying to reach the developers who embedded this OC stuff in their apps. So It is not like I am coming and just bithcing about the same issues over and over again. I hope that more users talk to developers. As someone pointed out the Miro forum, you can see that Miro users are very unsatisfied with Miro`s desicion and I myself bitched about it in ther beta forums as well. They seemed  like they had no idea what OC was up to.

[Eóin]

What if someone else exploits it? I think some of you are very smart but naive people.

-kartal (May 30, 2009, 01:10 PM)

No, it can't be exploited. This is not naivety, a DLL just sitting there inactive is completely benign. It cannot activate itself and if something else activates it then that is the malware.

[kartal]

What if someone else exploits it? I think some of you are very smart but naive people.

-kartal (May 30, 2009, 01:10 PM)

It cannot activate itself and if something else activates it then that is the malware.

-Eóin (May 30, 2009, 01:35 PM)

Is not that what I said? I used the word exploitation, I did not say it would activate itself.

[Josh]

As kartal said, that is exactly what I was referring to as well. What if a malware is designed to look for OC's dll files and exploit a known or , up until now, unknown vulnerability in said dll?

[drapps]

Fine, mouser, I'll quit.

I am referring to reply 104 that has not been done.
There is no eula for open source posted with an install of these programs.

-cmpm (May 30, 2009, 09:47 AM)

As stated in post #104... ALL publishers that were NOT ALREADY disclosing OpenCandy in their EULA have been notified that they need to do so. I expect it may take another couple of weeks or so for them to update their builds. We're on it!

In addition, no NEW publishers have been allowed to launch "powered by OpenCandy" installers without disclosing so in their EULA.

Thanks

Dr. Apps

[cmpm]

Your turn to show the proof.
I'm tired of doing your job.

[Eóin]

[cmpm]

No, I did not spend much time looking in to this crapware. It was easy, once pointed out.

What's tiring is responses like that.
Knock yourself out, I don't care.
Give me static for something that has been deliberately concealed to the end users.

It's been going on for more then 6 months now and they have done nothing about the complaints.
I seriously doubt they will.

Like nchsoftware, they are getting away with it.
It will get worse, a new loophole.

I'll report it as crapware/adware to anyone I can, at my leisure.

Thanks for the the tip Kartal.

[kartal]

Like nchsoftware, they are getting away with it.

-cmpm (May 31, 2009, 04:47 PM)

Hmm, what is up with nchsoftware?