What the hell is OpenCandy?

[wraith808]

The difference is that there is no opt out of OC when installing.

-cmpm (March 31, 2011, 11:26 AM)

Opt out of *what*?  OpenCandy is more akin to a service than an application.  It doesn't install anything that's not required to have a clean uninstall, nor does it do anything other than during installation if you don't opt-in.  If you go to a site on the internet and it displays a page before you can access the site that has an ad that you choose not to install and even choose not to allow to show by the use of adblockers, it can *still* get information akin to the stated OC information, i.e. that you came to the page, whether you click through to an ad, and whether you click through to the main site.  Is anyone asking pages that do this to disclose that they're keeping track of who lands on the page?  And this is not a hypothetical situation; I know of a few popular sites that I visit that do this exact same thing.

[cmpm]

I said more then I planned to in that post...so maybe I didn't communicate well.

Opt out of *what*?

Exactly, you can't, OC is included.

No offense to OC or anyone using their service.
They used to have a logo on the installer 'Powered by OC'.

[wraith808]

I said more then I planned to in that post...so maybe I didn't communicate well.

Opt out of *what*?

Exactly, you can't, OC is included.

-cmpm (March 31, 2011, 11:47 AM)

But what do you mean?  Opt out of using the installer extensions?  So perhaps you opt out of using Installshield because you don't like them.  Or wise.  Or INNO or NSIS?  It's an extension that's not installed on your machine.  You can code your own extension that sends the *exact* same information.

So opt out of *what* is my question that still remains unanswered?

[app103]

So opt out of *what* is my question that still remains unanswered?

-wraith808 (March 31, 2011, 12:21 PM)

3rd party tracking.

[wraith808]

So opt out of *what* is my question that still remains unanswered?

-wraith808 (March 31, 2011, 12:21 PM)

3rd party tracking.

-app103 (March 31, 2011, 01:29 PM)

*You* aren't being tracked though.  From what I've seen (and what Renegade has shown from his experiences) it's no more intrusive than a counter on a page.  I've even seen during the worst of their growing pains that severe detractors have said that the level of knowledge of what you've done seems to be absent.

[40hz]

I've even seen during the worst of their growing pains that severe detractors have said that the level of knowledge of what you've done seems to be absent.

-wraith808 (March 31, 2011, 01:54 PM)

You completely lost me on that one. Could you maybe rephrase it?  

[wraith808]

I've even seen during the worst of their growing pains that severe detractors have said that the level of knowledge of what you've done seems to be absent.

-wraith808 (March 31, 2011, 01:54 PM)

You completely lost me on that one. Could you maybe rephrase it? 

-40hz (March 31, 2011, 03:13 PM)

If it was tracking your actions, then subsequent actions would be based on that information.  But several detractors have admitted that it doesn't seem to utilize or even *have* that knowledge, just based on observation.  They might actually have it and not be using it- but that wouldn't seem to make sense either.

[Stoic Joker]

So, The torches and pitchfork wielding villagers are incensed by the frankin-monsters insistence on playing possum?

[wraith808]

So, The torches and pitchfork wielding villagers are incensed by the frankin-monsters insistence on playing possum?

-Stoic Joker (March 31, 2011, 03:47 PM)

 That's one way to put it...

Just a note- I really despise adware, spyware, and those that distribute it.  But like a lot of other pejoratives, I think it's very likely that the effectiveness of labeling something as malware will be diluted if it's applied indiscriminately.

[cmpm]

I'm sure there are quite a few entities interested in what is being installed and uninstalled, the time frames, and more.
Gathering a lot of that info would be useful to more then OC and it's developers and advertisers, I'm sure.

So if I install a program with OC's code in it, that info goes to OC and back to the developer and advertiser.
That's what it says it does on their site. Great for all 3 involved- http://www.opencandy.com/ -sign up.
Who else would be interested in that info? And pay for it.
But I really don't care, honestly.

[f0dder]

To be fair to OC, even if I'm not super fond of it, if all it does is sending your OS locale and version, then it's no worse than a webbrowser - only you're a tinfoil hat wearing kinda guy with special addons, that information is present in the HTTP request headers for every web request made.

[Renegade]

From what I know and have seen, both in OC and here, there seem to be a few misconceptions about what OC is doing.

First, it's not tracking you at all. However, it is doing more than a Flash banner ad on a web site.

A web site ad does not have the same access to your computer that OC has. OC has several offers available and they don't offer you what you already have, so, the logic is something like this:

Code: C# [Select]

1. OfferList = { ...big list of offers ordered by profitability... };
2.  
3. foreach (item in OfferList)
4. {
5.     if (item.IsNotInstalled)
6.     {
7.         OpenCandy.MakeOfferToUser(item);
8.         OpenCandy.OsLanguageCountry(); // Log OS, language and country as aggregates
9.         return;
10.     }
11. }

There, item.IsNotInstalled checks to see if the item exists on the computer by checking the registry. In a way, that is more power than a normal ad. In another way, it's about equivalent.

Anyways, I don't have absolute knowledge of what is going on, but from what I can tell, that's it or at least pretty darn close.

I have not seen the advertiser SDK, so I don't know exactly what goes on there, but my guess is that there is something in it that informs OC if the offered software has been subsequently run. That is the part that ensures that the offered software is genuinely wanted by the user, which then tells OC to pay the original software author (like me). However, I am not certain. Just guessing there.

We trust software all the time. Some people even trust cracks and warez. (Yikes...) If there were something dirty going on, it would be much easier to simply not use OC and do all the dirty stuff in the software instead. But there isn't. It's pretty simple. It presents an "ad" during installation in the same way that a web site puts ads on its pages. The difference is that you're not being tracked with OC, but when you visit virtually any web page, you ARE being tracked by Double-Click or Google or someone. Google keeps PERSONAL track of you even. They use personally identifying information thanks to you having signed up at Youtube or Gmail or some other Google service. So when you visit www.acme.com, the ads are very specific to that site and YOU.

There are other privacy concerns out there that are much much more serious. But really, people just don't care. They are used to them now. This is just a slightly different way to serve up an ad/offer.

Truthfully, in an installer is PRIME space for it because you have the person's dedicated attention. They aren't distracted by anything else. (Which is the same motivation for why I used a full page back-splash for the Photo Resizer installer --- people aren't distracted then and can pay attention to the installer -- it targets people that are not tech-savvy.)

Anyways, I kind of hope that helps some with tracking and whatnot.

[cmpm]

Thanks Renegade for that info.
I also thank you for your program and think you should profit more from the OC deal. imo.

I knew OC was in your installer before I installed it.
So even knowing it was there didn't stop me from installing.
OC doesn't bother me being there.
I did remove all the OC stuff from older apps after that Nod notice.
As a precaution and bored I guess.

That was the first time Nod blocked OC like I posted.
And I have installed other stuff with OC.
I wonder who changed, OC or Nod.
No big deal....did Eset ever answer you?

If anything starts any suspicious activity one my security programs will pick it up.
No worries....

[Renegade]

@cmpm - Thanks!

did Eset ever answer you?

Do they ever contact anyone? Sigh... No. Not yet. I doubt they will. They really need to work it out with OC and not me. I just submitted to help get their attention as it is bad for me and everyone else that uses OC.

It is kind of frustrating... The security companies really need to shape up some and come up with methods that are reliable.

[40hz]

My objection to OC isn't so much what it does on a technical level. My objection is with it's business model.

What they are doing is attempting to unilaterally redefine what constitutes adware and to justify an installation method that is basically stealthed.

I additionally have a problem with their "dealers choice" options for how it gets used (default in/default out) in an individual developer's application. I don't know if this is to provide OC with what they may feel is 'plausible deniability' when accused of being adware, or what.

Up until now, there has been pretty much universal agreement that anything which gets installed on your PC without giving notice and asking your permission is unacceptable.

OC is attempting to do an end-run around that understanding. First, by muddying up the waters with their insistence on their own definition of what "advertisement" means. Second, by refusing to have OC ask permission prior to doing what it does.

From what I've seen, there seems to be a very deliberate decision not to draw attention to the fact it's on there at all. Otherwise, it would add a mandatory splash banner, and ask if it's ok to proceed.

But it doesn't...

From what I've seen and read of it, it's left up to the app developer just how much to say about the fact OC is piggybacking on his installer.

And I'm sorry folks, but to require that some information be put in the EULA about OC is almost laughable. Not to defend people who don't read the EULAs, but the people who produce OC know (as those of us in the industry do) that very few people ever read license agreements. I'm almost tempted to say "How convenient."



This is a potential "camel with its nose in the tent" issue. OC may be the most innocuous and benign piece of code out there. But what it is asking us to see as acceptable behavior for a software installer is not. Because it asks us to greenlight an action that has, up until now, been considered unacceptable behavior.

This whole issue could have been avoided if OC just did what every other ad-type software does - pop up a notice and ask to be installed before anything actually is.

But OC has chosen not to do that.

And I think the reason for that is very simple: most people wouldn't install OC if they knew about it.

And in order for OC to sell their services to their advertising partners, they have to offer some unique sales proposition that gives them the advantage over more traditional piggyback product installers.

And that unique sales proposition is a low key approach to installation that borders on stealth, even if it doesn't quite cross the line, combined with a policy of substituting the term "recommendation" for "advertisement."

Not that it matters. Actions always speak louder than words.

To quote Douglas Adams remix of the classic 'duck test': If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family anatidae on our hands.

In my little corner of the universe, if you ask me - out of the blue - to consider buying something,  then it's an 'advert' AFAIC.

And calling it something else - and insisting it's not - only makes it quack louder.

 

[Renegade]

Up until now, there has been pretty much universal agreement that anything which gets installed on your PC without giving notice and asking your permission is unacceptable.

...

And I think the reason for that is very simple: most people wouldn't install OC if they knew about it.

-40hz (March 31, 2011, 06:25 PM)

But that's the thing -- It doesn't get installed! It runs, but it isn't installed.


When most people go to install software, they aren't agreeing to a lot of things, but things are genuinely changed on their system that they have NOT asked for. This is the normal way of doing things and nobody would call it malicious. For example, an installer adds registry keys and puts a DLL in the system32 folder, creates a ProgramData entry, another local/roaming directory structure, checks if certain other software is installed, if not installs it or upgrades it, etc. etc. That's normal. But OpenCandy isn't doing all that stuff. It runs then it's done.

[app103]

This is the problem, and will continue to be the problem:

When I install your software there has to be a certain amount of trust in you for me to be able to do that. And now I have to have trust in OC as well.

While I may trust you, I don't trust OC at all and I never will, regardless of how much you trust them.

• The same guys responsible for the spyware in DivX start a company to pack offers into the installers of other people's software.
• They assigned each computer a unique tracking ID, even if they declined the offer, building profiles of people and what they installed, what they declined, and all kinds of other information tied to that unique ID...till they got caught.
• They used registry entries like permanent tracking cookies, even if you declined the offer...until they got caught.
• When they get caught doing something, they say it was a bug, the developer's fault, etc. never taking the blame for their shenanigans.
• They said they don't believe in opt-out and would never change from opt-in to opt-out...until they did, and they blamed developer greed for them adding that option.

What are they going to do next? What will they get caught doing that they will have to change? What will they blame next on the developers that put OC in their installers?

When you ask me to trust them while installing your software, you are asking too much and I won't do it.

They are also peddling their stuff to open source developers, to include a closed source .dll on machines that install the open source software. When I install open source software, I expect to be able to have access to the source, all of it, for everything it installs on my machine. If the source for the OC dll is not included, it has no business being put on my machine during the install of a piece of open source software.

[40hz]

But that's the thing -- It doesn't get installed! It runs, but it isn't installed.

-Renegade (March 31, 2011, 06:36 PM)

Sorry. I'm a bit color blind in that end of the spectrum. 

Regardless of whether it copies itself onto the hard drive, or loads itself into RAM before it runs, it's still installed on your system. The mechanism employed for the IPL* (initial program load) is a technical detail, not a functional difference.

------------
* At least that's what they called it when I was taking my CompSci courses in college. 

[wraith808]

Up until now, there has been pretty much universal agreement that anything which gets installed on your PC without giving notice and asking your permission is unacceptable.

...

And I think the reason for that is very simple: most people wouldn't install OC if they knew about it.

-40hz (March 31, 2011, 06:25 PM)

But that's the thing -- It doesn't get installed! It runs, but it isn't installed.


When most people go to install software, they aren't agreeing to a lot of things, but things are genuinely changed on their system that they have NOT asked for. This is the normal way of doing things and nobody would call it malicious. For example, an installer adds registry keys and puts a DLL in the system32 folder, creates a ProgramData entry, another local/roaming directory structure, checks if certain other software is installed, if not installs it or upgrades it, etc. etc. That's normal. But OpenCandy isn't doing all that stuff. It runs then it's done.

-Renegade (March 31, 2011, 06:36 PM)

This! If it were installing anything, I'd totally agree.  But it's not!

They are also peddling their stuff to open source developers, to include a closed source .dll on machines that install the open source software. When I install open source software, I expect to be able to have access to the source, all of it, for everything it installs on my machine. If the source for the OC dll is not included, it has no business being put on my machine during the install of a piece of open source software.

-app103 (March 31, 2011, 07:39 PM)

But it doesn't *install* the dll... when you get an installer for OSS software, is it required to give you the source to the installer?  I don't think so, though I could be wrong?  And if it's not, there's no reason to have to give the source to the OC dll.

But that's the thing -- It doesn't get installed! It runs, but it isn't installed.

-Renegade (March 31, 2011, 06:36 PM)

Sorry. I'm a bit color blind in that end of the spectrum. 

Regardless of whether it copies itself onto the hard drive, or loads itself into RAM before it runs, it's still installed on your system. The mechanism employed for the IPL* (initial program load) is a technical detail, not a functional difference.

-40hz (March 31, 2011, 08:50 PM)

Yes, indeed it is a functional difference.  Several things run on your machine without being installed - classic asp and javascript are two good examples- they run on the client in the browser.  Does that mean that every bit of JS or VBscript has to be vetted?

[app103]

But it doesn't *install* the dll.

-wraith808 (March 31, 2011, 08:55 PM)

What is the purpose of an installer? I thought the purpose was to install software. And software consists of many types of files, not just .exe executables.

If one of my applications comes with xml and wav files, I am not going to argue that they are not "installed" with my application...they are.

The big issue with the OC .dll being installed along with open source software is that it is compiled code in which the source is not available.

when you get an installer for OSS software, is it required to give you the source to the installer?

No, I wouldn't expect the source for the installer maker, but I would expect to be supplied with the information of what was used and with the scripts used to make the installer if they were not included and I asked for them.

I should be able to compile an exact copy and when you toss in the OC dll, that isn't possible. I should also be able to change any of it any way I see fit and redistribute those changes, and if I am not allowed to change and redistribute the OC dll, then it has no business being placed on my system, without that right, along with an open source application.

[Eóin]

I should be able to compile an exact copy and when you toss in the OC dll, that isn't possible. I should also be able to change any of it any way I see fit and redistribute those changes, and if I am not allowed to change and redistribute the OC dll, then it has no business being placed on my system, without that right, along with an open source application.

-app103 (March 31, 2011, 09:20 PM)

No, not in the slightest do you have that automatic right. Only if the developers wants to let you do that then you should be allowed to and not all OS licenses do grant that right. GPL developers tend to want to allow to that, but even the GPL is very clear that the license doesn't extend to other software bundled with the GPL'd application.

[mouser]

App I have to disagree with you on the point about the installer needing to be open source for an open source project.

It would of course make sense that someone philosophically drawn to the open source movement would want an open source installer, but i don't see any reason anyone distributing their open source software should have to avoid using a closed source installer or shouldn't be able to show advertisements during their installer setup, etc. if that's what they want to do.

[wraith808]

But it doesn't *install* the dll.

-wraith808 (March 31, 2011, 08:55 PM)

What is the purpose of an installer? I thought the purpose was to install software. And software consists of many types of files, not just .exe executables.

If one of my applications comes with xml and wav files, I am not going to argue that they are not "installed" with my application...they are.

The big issue with the OC .dll being installed along with open source software is that it is compiled code in which the source is not available.

-app103 (March 31, 2011, 09:20 PM)

But the dll isn't *left* on your machine.  It is to facilitate the installation.  That's the same as saying that NSIS is installed on your machine just because certain supporting dlls have to be extracted to be loaded into memory.  That is *not* installation.  It assists in installation of the requested software.

[mouser]

Whether the dll is left as part of the installer/uninstaller or not, i don't see the problem.

Now if using the installer permanently put some background process that was running even after you installed your program of choice, that would be a completely different matter and i would be up in arms, but otherwise this seems much ado about nothing to me.

[Eóin]

As much as I tend to defend OC (for some reason) I do think the term 'installation' is confusing both apps and 40hz's real points.

The issue is that even if you run the installer and say no to everything, at some stage the OC DLL gets loaded and executed. So if you are of the opinion that you don't trust OC, then there is just no way you can install the original application.

This is the no opt-out issue, you can't opt out of OC getting to run on your PC and doing whatever it does, benign though that may be.

To me it's a non issue, I don't know the authors of most of the software on my PC, and for none of the opensource programs did I go and compile the code myself, or even glance over it, so I'm already placing a great deal of trust in complete strangers.

Personally, if anything OC have earned my trust from what I've read in this thread, so if a DLL wants to run I don't really care.