Author Topic: What the hell is OpenCandy? (Read 384346 times)

scancode · « **Reply #125 on:** September 13, 2009, 06:45 PM »

-- All this testing was done on a VMWare VM
Testing started on a Clean, WinXP SP3 install. I took a registry and filesystem snapshot, proceeded to install MediaCoder (Audio Edition), typical next-next-next install. It left an OpenCandy folder in the temp dir, with a DLL and a small explanation (OpenCandy_Why_Is_This_Here.txt). After a reboot, for good measure, a third filesystem snapshot showed no changes, and the DLL was still there. However, I had no problems deleting the file. I poked fun at the DLL using OllyDbg (With MediaCoder as my victim) and found that indeed, all information sent is non-personally idenfying. However, it saved stuff (session keys, product keys) in HKLM\Software\MediaCoder with criptic names, even if I didn't install anything.

This are the HTTP requests it made.

Spoiler

[Select]

api.opencandy.com?clientv=12&language=es,en&machine_code=B876377DDB5C44C4B788798B8D54C56E&method=get_offers&os=WIN5.1SP2&product_key=4bc3108774fe0784644fed43647b5d3e&v=1.0&signature=dfb6e2937da9a2557da73950ff5fc381
api.opencandy.com?clientv=12&language=es&machine_code=B876377DDB5C44C4B788798B8D54C56E&method=get_translations&product_key=4bc3108774fe0784644fed43647b5d3e&v=1.0&version=0&signature=a7707a70e4adfe281a43fe57e3c8226b
api.opencandy.com?accepted_ind=0&clientv=12&machine_code=B876377DDB5C44C4B788798B8D54C56E&method=track_offer_result&offer_id=390&product_key=4bc3108774fe0784644fed43647b5d3e&session_key=356b199c89601bd9be384d6fde734ec3&v=1.0&signature=de090feecbad0d2cc50c61119265e919
api.opencandy.com?clientv=12&machine_code=B876377DDB5C44C4B788798B8D54C56E&method=track_product_installed&product_key=4bc3108774fe0784644fed43647b5d3e&session_key=356b199c89601bd9be384d6fde734ec3&v=1.0&signature=6246b02806ebb3eafebdfc4af5c1433c

It's really opt-in as far as the additional installations are concerned, but I'm not sure about the purpose of those reg entries. I could do some more poking at it with Olly, but i'd rather hear the official version.

I tried Miro too, but they now bundle the Ask toolbar (opt-out)

I like the end-user experience, but I'm not sure why the reg keys are saved, (and why aren't they clearly identified as belonging to OpenCandy)

drapps · « **Reply #126 on:** September 13, 2009, 07:42 PM »

Hi scancode (or Scancode) and DC'ers!

Hope all of you are well. I'm in the middle of moving (and re-setting up my lab) right now but I'll be back tomorrow to post more information. I figured I could throw a couple of things out here now.

The FAQs I promised are finally done and are going to be posted tomorrow (what coincidence!). The FAQs include information about the registry entries. Quickly though, even if you don't accept a recommendation, bookkeeping information about the publisher's software you did install (in your case Scancode, MediaCoder) are created within the publisher's registry key inside an OpenCandy key (so in this case it should be HKLM\Software\MediaCoder\OpenCandy\) as well as a non-reversible identifier created via a random number generated which helps us prevent fraud/gaming and also lowers the likelihood that a declined recommendation will be shown again in the future.

Something big I want to announce... We've updated our plug-in (which all publishers are in the process of updating to/re-integrating), to version 1.3, so that OpenCandy provided files are only TEMPORARILY copied to the computer IF a recommendation is accepted and then they are deleted after the recommended software is downloaded and installed. So no more OpenCandy files will be left behind anymore! Which also means (by the very nature of not leaving OCSetupHlp.dll behind) that we have eliminated uninstall tracking for our publishers. It could take up to 4-6 weeks for everyone who participates as a publisher to update their installers with the new plug-in though (based on their release cycles, etc).

Thanks again everyone! Be well.

scancode · « **Reply #127 on:** September 13, 2009, 08:21 PM »

Quickly though, even if you don't accept a recommendation, bookkeeping information about the publisher's software you did install (in your case Scancode, MediaCoder) are created within the publisher's registry key inside an OpenCandy key (so in this case it should be HKLM\Software\MediaCoder\OpenCandy\) as well as a non-reversible identifier created via a random number generated which helps us prevent fraud/gaming and also lowers the likelihood that a declined recommendation will be shown again in the future.
-drapps (September 13, 2009, 07:42 PM)

Oh really?

Reg Dump

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder]

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder\MediaCoderAudioEdition]
"VOCV"=dword:00000000
"OCN"=hex:01,00,00,00,c8,0f,21,12,54,23,34,02,3b,04,36,06,43,08,3f,0a,4a,0c,3d,\
ff,c7,fd,bf,fb,ce,0f,24,12,25,23,38,02,3b,04,34,06,3f,08,4c,0a,48,0c,3f,ff,\
cd,fd,bd,fb,bb,0f,57,12,20,23,40,02,40,04,46,06,44,08,4b,0a,0b,0c
"Location"="C:\\Archivos de programa\\MediaCoder Audio Edition\\mediacoder.exe"
"Version"="0.7.1.4496"

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder\MediaCoderAudioEdition\Completed]
"VOCV"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\MediaCoder\MediaCoderAudioEdition\Completed\4bc3P-5D167002CA994BC1A6D86224393B241C]
"VOCV"=dword:00000000
"Session"=hex:01,00,00,00,99,0f,26,12,27,23,34,02,65,04,35,06,33,08,6b,0a,6d,\
0c,3e,ff,98,fd,9e,fb,9f,0f,29,12,22,23,65,02,61,04,35,06,64,08,6f,0a,3c,0c,\
6c,ff,ce,fd,99,fb,c2,0f,29,12,76,23,67,02,37,04,37,06,3f,08,3e,0a,0b,0c
"PK"=hex:01,00,00,00,ce,0f,73,12,74,23,32,02,32,04,35,06,3f,08,3e,0a,3c,0c,39,\
ff,98,fd,99,fb,ca,0f,26,12,2f,23,35,02,35,04,31,06,33,08,6f,0a,6e,0c,69,ff,\
ca,fd,cf,fb,cc,0f,25,12,20,23,63,02,36,04,61,06,34,08,6c,0a,0b,0c
"CRC"=hex:01,00,00,00,9f,0f,21,12,2f,23,67,02,66,04,36,06,65,08,3c,0a,6e,0c,35,\
ff,cb,fd,9d,fb,ce,0f,27,12,2e,23,30,02,30,04,34,06,35,08,3b,0a,6e,0c,6f,ff,\
c7,fd,c4,fb,cf,0f,25,12,75,23,37,02,62,04,35,06,65,08,3f,0a,0b,0c
"Installed"=hex:04,00,00,00,32,9c,aa,42

I see no mention of OpenCandy there... and the keys are being created by OCSetupHlp.dll

f0dder · « **Reply #128 on:** September 13, 2009, 08:36 PM »

As kartal said, that is exactly what I was referring to as well. What if a malware is designed to look for OC's dll files and exploit a known or , up until now, unknown vulnerability in said dll?
-Josh (May 30, 2009, 04:22 PM)

That sounds a bit silly - if a piece of malware is able to scan for OC dlls, it's already on your system - what would it gain, then, by exploiting those DLLs?

I don't really like the concept - for me, no value is added, and having to skip yet another blablabla page during install is annoying. And 300kb (or however big the DLL is now) might not be a lot on my 20mbit ADSL connection, but there's plenty of people who aren't even of 256kbit.

Guess I could live with the scheme, though; it's definitely a lot less bullshit than what other applications are up to. And it's good to know that you're no longer leaving OCSetupHlp.dll behind and doing uninstall tracking... the next step is to make it very clear that data is being sent to your servers, and exactly what kind of data and why.

Anyway, I'm in the suspicious camp with Kartal and app103 on this one. You do seem like a nice guy, and the concept isn't all that bad. However, there really isn't any guarantee that the company won't go rogue... heck, if I managed to win the hearts and minds of users and got a large enough install base that I could make some hundred million bucks by snatching a little bit of usage data and sell people out... wouldn't I be tempted? As app says, there's a lot of power in being able to xref the "pretty harmless" data you're sending with other stuff. (I don't like the obfuscated registry keys, by the way).

Not saying that OpenCandy is evil or that it's going to end up being evil, but I'm not a big fan of advertisements, referrals, or capitalizing on user/usage information. Nothing wrong with making a buck, but I really don't see OC as a value-adder.

tranglos · « **Reply #129 on:** September 13, 2009, 09:04 PM »

The only extra thing i want to comment on is how bizarre a situation we are in where every web site on the planet tracks every click we make, how long we stay on every given page, etc., and no one raises an eyebrow -- but yet if a "program" does it, most of us go crazy.
-mouser (May 13, 2009, 03:25 PM)

I have yet to read through this thread (fascinating discussion!), but I think I have what may be a good reason for making the distinction - or two. One: with websites you don't really have a choice. It's not even as if you could avoid sites that gather such data and reward those that don't, because it's a safe bet they all do. With desktop apps though, you still have a choice. Also, you can't tell if someone's Apache server is hooked to a big honking advertising database, but you can usually tell if your desktop apps try to phone home. So not only do you still have a choice, but you have the technology to help you make it.

Two, probably more important. As long as we trust the browsers we're using (and I am aware of JavaScript exploits et al), the information a browser can leak really pales in comparison to what a local app can potentially disclose. Anything on your system that's not encrypted is game, so I'd say the stakes are higher.

The distinction does blur the more people switch to web apps like Gmail or Google Docs, but you can still use your best judgement about what to use Google Docs for, and when to stick with Word. But when you have spyware on your desktop, then the choice between what's sensitive and what isn't is no longer yours.

So I think there is a difference, and of course I still wish Odin's wrath upon all the data collectors everywhere. Bottom line for websites: if tracking me is making you money, I want a piece of it, because it's my stuff. You would not give that data to me for free, would you?

Bottom line for spyware: die.

Paul Keith · « **Reply #130 on:** September 14, 2009, 12:06 AM »

One: with websites you don't really have a choice. It's not even as if you could avoid sites that gather such data and reward those that don't, because it's a safe bet they all do. With desktop apps though, you still have a choice. Also, you can't tell if someone's Apache server is hooked to a big honking advertising database, but you can usually tell if your desktop apps try to phone home. So not only do you still have a choice, but you have the technology to help you make it.

Not trying to defend OpenCandy since it's been so long since I read the thread but you do have a choice when it comes to websites by not visiting, signing up or sharing personal information on them. Pretty much the same thing as not downloading programs = choice. (Voting by boycott)

Also, most popular data mining sites are pretty much known from their Terms of Service and from the controversy they receive. (See Facebook articles)

Two, probably more important. As long as we trust the browsers we're using (and I am aware of JavaScript exploits et al), the information a browser can leak really pales in comparison to what a local app can potentially disclose. Anything on your system that's not encrypted is game, so I'd say the stakes are higher.

Not really. Adware and non-browser exploits are on par just as "rigged" programs are categorized on the same level as Javascript exploits as security/virus issues.

The distinction does blur the more people switch to web apps like Gmail or Google Docs, but you can still use your best judgement about what to use Google Docs for, and when to stick with Word. But when you have spyware on your desktop, then the choice between what's sensitive and what isn't is no longer yours.

Still is really. Remember until docx, Word has alot of privacy issues left out in the open. That puts it on par with Google Docs.

Similarly if you have an additional layer to your data, it's still a case of the spyware being able to break/know the encryption/password and not fully on just gaining access. Also most spyware can't really compare to the dormant "swine flus" of internet viruses so most part, the choice is still yours on whether you will reformat your OS or risk permanently removing it via an anti-spyware.

So I think there is a difference, and of course I still wish Odin's wrath upon all the data collectors everywhere. Bottom line for websites: if tracking me is making you money, I want a piece of it, because it's my stuff. You would not give that data to me for free, would you?

Err... they kind of do. It's the modern day technological implementation of fascism.

Give me your bookmarks, pictures, private photoes, personal info for free and we'll make you easier to find your friends online or become an internet pop sensation. (the free equivalent of the modern day internet Aryan: instant fame/instant friends/instant consumerist relevance in exchange for illusionary slavery)

That's kinda your piece while your data is theirs.

drapps · « **Reply #131 on:** September 24, 2009, 05:16 PM »

Hi Everyone,

I’m back. Things have been hectic. Of course moving took much longer than I thought; I didn’t realize how hard it would be with the baby and doing 95% of the move myself!

Anyway…

Scancode,

Regarding the registry entries:

I misspoke (miswrote?) and should clarify that currently, per our Publisher’s Kit Integration Guide, it is only a requirement that OpenCandy related registry keys be stored within the publisher’s registry key. We don’t specifically require that they be within an OpenCandy subkey, though most publishers (MediaCoder excluded, obviously

) do put them within an OpenCandy subkey.

OpenCandy files in temp directory:

I/we owe you a big THANKS! You’ve actually discovered a bug with v1.3 of our plug-in that only affects NSIS based installers. Only the dll (OCSetupHlp.dll) should be in a user’s temp directory (when it’s unpacked by the installer) and it should be removed once the publisher’s installation is completed. This doesn’t change what I said above about when a recommendation is accepted. When that happens an OpenCandy folder containing the dll (OCSetupHlp.dll) and the text file (OpenCandy_Why_Is_This_Here.txt) are created within the publisher’s installation directory to facilitate the download and installation of the recommended software and once finished, the folder and files are automatically removed (unless one of those things listed in the OpenCandy_Why_Is_This_Here.txt happens: power goes out, etc... ).

We’re in the process of wrapping up version 1.3.1 which rectifies the issue. It'll take a bit before all our publishers have updated their builds. This bug does not affect OpenCandy publishers with Inno-based installers.

Oh yeah, the FAQs are up (http://opencandy.com/faqs)!

Be well everyone

scancode · « **Reply #132 on:** September 24, 2009, 08:55 PM »

I’m back. Things have been hectic. Of course moving took much longer than I thought; I didn’t realize how hard it would be with the baby and doing 95% of the move myself!
-drapps (September 24, 2009, 05:16 PM)

I/we owe you a big THANKS!
-drapps (September 24, 2009, 05:16 PM)

You're welcome. Dev<>Users feedback is what makes DC græt!

Oh yeah, the FAQs are up (http://opencandy.com/faqs)!
-drapps (September 24, 2009, 05:16 PM)

We don’t specifically require that they be within an OpenCandy subkey
-drapps (September 24, 2009, 05:16 PM)

Any chance of changing that? Specially after you give instructions as

Click the arrow to expand the publisher’s registry key, and then right-click on the OpenCandy key and click ‘Delete’.
-OpenCandy FAQs (http://www.opencandy.com/faqs/)

drapps · « **Reply #133 on:** September 30, 2009, 12:09 PM »

Scancode, et al,

Hey y'all (yeah I said "y'all"), hope you're all having a great Wednesday!

DC<>Users is what makes DC great!

I agree, no question.

Regarding the FAQ, Whoops. FIXED! I added instructions for those publishers that currently don't use an OpenCandy subkey. See http://www.opencandy...ing-registry-entries Thanks for pointing it out and I appreciate the time you took to read through the faqs. I'm a big fan of a "second set of eyes" especially when they come from the outside looking in.

I have more great news...

Regarding changing OC registry entry location to an OC subkey as a requirement, it was in the pipeline but I wasn't sure we would be able to get it into the version 1.3.1 update (which is rolling out shortly with the NSIS bugfix). But... we did! As of v1.3.1, all ALL OpenCandy publishers are REQUIRED put OpenCandy related registry entries inside an OpenCandy subkey within the publisher's registry key.

Take good care everyone.

scancode · « **Reply #134 on:** September 30, 2009, 05:03 PM »

I have more great news...
-drapps (September 30, 2009, 12:09 PM)

Drumroll please...

As of v1.3.1, all ALL OpenCandy publishers are REQUIRED put OpenCandy related registry entries inside an OpenCandy subkey within the publisher's registry key.
-drapps (September 30, 2009, 12:09 PM)

* Removed OpenCandy from evil list

As a sidenote, while reversing OCSETUPHLP, I found a text reference to /NOCANDY. If I pass that parameter to the installer (MediaCoderAE-0.7.1.4496), OpenCandy does not do any changes at all (no reccomendations, no external contact, no reg keys). Is that how it's supposed to work?

ok here is my bet, I am putting my 100$ if anyone wants to bet on it.
I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.
-kartal (May 17, 2009, 01:05 AM)

* scancode puts $25 against Kartal

mouser · « **Reply #135 on:** September 30, 2009, 05:06 PM »

nice to hear it

mouser · « **Reply #136 on:** September 30, 2009, 05:07 PM »

rather than take bets -- it might be more helpful for all to say that in one year you will make a post about OpenCandy -- either praising them if they stayed true to their promise, or against them if they turned rogue.

scancode · « **Reply #137 on:** September 30, 2009, 05:14 PM »

^^ what he said (and $25) (and my cat) (and a tattoo)

f0dder · « **Reply #138 on:** September 30, 2009, 05:22 PM »

^^ what he said (and $25) (and my cat) (and a tattoo)
-scancode (September 30, 2009, 05:14 PM)

Gotta be a tattoo of p3lb0x's face saying "pzwn'd!", then

scancode · « **Reply #139 on:** November 13, 2009, 07:44 PM »

I finally spotted OpenCandy on the wild: http://www.opencandy.com.ar/ http://www.sweetsa.c...mp;rubro=indiferente

cmpm · « **Reply #140 on:** November 13, 2009, 11:03 PM »

asquared malware pro popped up to block an opencandy host ip, twice when clicking on this thread

what does that mean?
seriously...i don't know.....

mouser · « **Reply #141 on:** November 14, 2009, 04:15 AM »

scan was just making a joke, thats a link to an online candy shop that for some reason has something called "opencandy":

What the hell is OpenCandy?

wraith808 · « **Reply #142 on:** February 26, 2011, 08:46 AM »

An old thread, I know, but this is relevant to the topic and I was very surprised that it's come to this...

mahesh2k · « **Reply #143 on:** February 26, 2011, 09:06 AM »

Looks like kartal wins

app103 · « **Reply #144 on:** February 26, 2011, 09:14 AM »

We were having an interesting discussion the other day in the DC IRC channel about this spike in traffic on my blog, all related to a single article I wrote about it almost 2 years ago.

What the hell is OpenCandy?

And judging from some of the comments I have been getting, it seems as though some people are having trouble figuring out how OpenCandy ended up on their computer.

A lot seems to have happened in the last 2 years, including OpenCandy switching from opt-in to opt-out (and blaming developers for it) and Microsoft describing the privacy risks as very similar to a lot of what I described in this post.

cmpm · « **Reply #145 on:** February 26, 2011, 09:17 AM »

Windows Defender and Nod32 is picking them up too.
I just delete them as they come up.

wraith808 · « **Reply #146 on:** February 26, 2011, 09:58 AM »

A shame. He seemed committed to it not being adware at the time. But I guess everyone was right to be cynical about the application.

Josh · « **Reply #147 on:** February 26, 2011, 10:04 AM »

ok here is my bet, I am putting my 100$ if anyone wants to bet on it.
I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.
-kartal (May 17, 2009, 01:05 AM)
* scancode puts $25 against Kartal
-scancode (September 30, 2009, 05:03 PM)

Looks like scannie owes kartal 25 bucks.

kartal · « **Reply #148 on:** February 26, 2011, 10:36 AM »

ok here is my bet, I am putting my 100$ if anyone wants to bet on it.
I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.
-kartal (May 17, 2009, 01:05 AM)
* scancode puts $25 against Kartal

-scancode (September 30, 2009, 05:03 PM)

Looks like scannie owes kartal 25 bucks.
-Josh (February 26, 2011, 10:04 AM)

Hey guys thanks for the follow ups , I did not know that I won. On the otherhand I am not surprised about my future predictions. I have been trying to talk about certain privacy and security implications of various services and apps on these forums, I am hoping to broaden people`s perspective on these very very important issues

I will happilly donate my new income to graceful open source projects and donation coder projects.

cheers

wraith808 · « **Reply #149 on:** February 26, 2011, 10:49 AM »

ok here is my bet, I am putting my 100$ if anyone wants to bet on it.
I am %100$ sure that in 2 years OC will become an application that will try to install hidden stuff and spy on your download-installation activity. If anyone wants to bet I am accepting bets. Since we do not want to gamble lets keep the amount not more than 100$.
-kartal (May 17, 2009, 01:05 AM)
* scancode puts $25 against Kartal
-scancode (September 30, 2009, 05:03 PM)

Looks like scannie owes kartal 25 bucks.
-Josh (February 26, 2011, 10:04 AM)

That's not an accurate assessment. They do not try to install hidden stuff and spy on your download-installation activity. What they do is not provide an opt-in model, which is quite disappointing. But they are middle of the road rather than malignant in terms of installing hidden stuff.