Author Topic: FARR not a commonly downloaded program? (Read 23586 times)

dantheman · « **on:** October 15, 2011, 06:46 AM »

This is a good one!

After doing a fresh install of my good ol' Windows 7 Home,
i took IE out for a stroll to download one of my top 5 favorite programs (FARR).
After waiting a while for it to finish downloading,
IE tells me that it could be a dangerous program for it is not commonly downloaded?!
I couldn't install it straight from IE but did manager to find the Download folder and install it.
Of course, this happened prior to installing my AV program but still! What a... shinanigan!

Long live Firefox!

Ath · « **Reply #1 on:** October 15, 2011, 09:46 AM »

Long live Firefox!
-dantheman (October 15, 2011, 06:46 AM)

+1, that's a good reason to avoid IE like the plague

mouser · « **Reply #2 on:** October 15, 2011, 10:09 AM »

this means war!

dantheman · « **Reply #3 on:** October 15, 2011, 10:17 AM »

Oh! oh!

IE9 must be getting oversensitive these days.
I should have taken a snapshot but i was still in the process of installation.
Nevertheless, i did see with my own eyes words in a long phrase with "dangerous" and "not commonly downloaded" in it.

Sheeshhh!

dantheman · « **Reply #4 on:** October 15, 2011, 10:41 AM »

Here it is:

http://img265.imageshack.us/img265/3255/farrcouldharm.jpg

FARR not a commonly downloaded program?

Uploaded with ImageShack.us

Word "dangerous" wasn't there (sorry!)

mouser · « **Reply #5 on:** October 15, 2011, 10:50 AM »

And then the dialog practically begs the user to delete the dangerous file.

Here we go again.

This is an absolutely outrageous unacceptable message, just as bad if not worse than the false positive fiasco in the antivirus world.

You cannot go telling people that you think a download could harm their computer without any basis for doing so.

If you want to tell people that "Hey i've never seen this program so i'm not going to vouch for it's safety" that's fine.

But you just cannot tell people downloading a file "this could harm your computer" just because the program hasn't passed some mystery f*cking qualification.

This is how these big guys play this game -- they know they don't have to worry about their software being marked as harmful so they don't give a damn if they scare people away from independent developer stuff.

IE should be avoided like the plague until they fix this. Absolutely outrageous.

Please complain loudly and share this information widely -- these companies cannot be allowed to keep playing this game of scaring the life out of users every time they find a file that hasn't made it to some "approved" software list that the big companies control.

PROTEST LOUDLY -- this is not ok.

Once again Microsoft seems absolutely hell bent on destroying their reputation and running their company into the dirt.

rgdot · « **Reply #6 on:** October 15, 2011, 11:07 AM »

I mentioned @IE on twitter

https://twitter.com/...s/125241144182456320

wraith808 · « **Reply #7 on:** October 15, 2011, 11:58 AM »

Some more information:

This is from SmartScreen Filter. They talk about how to submit a site as safe on that page, but not a download.

For further reference, what follows is my experience downloading FARR.

FARR not a commonly downloaded program?
The initial download...

FARR not a commonly downloaded program?
The alarmist warning...

FARR not a commonly downloaded program?
The dialog if you select other options. Note that the option to ignore is hidden!

FARR not a commonly downloaded program?
Finally, the option to ignore...

Oh, and one last point to add insult to injury... the link (at least on my computer) to what is SmartScreen Filter at the bottom of the dialog is broken!

And as an FYI - how to disable this feature.

40hz · « **Reply #8 on:** October 15, 2011, 02:01 PM »

Once again Microsoft seems absolutely hell bent on destroying their reputation and running their company into the dirt.
-mouser (October 15, 2011, 10:50 AM)

Isn't it more like they're hell bent on destroying your reputation and running your 'company' into the dirt?

Apple, Microsoft, Oracle, Google, Canonical, Novell, Symantec, McAfee...I think I'm beginning to seriously hate any company that employs more than 50 people these days.

tomos · « **Reply #9 on:** October 15, 2011, 02:48 PM »

Wouldn't this be a good one to add to the falsepositivereport forum
(as discussed here on dc - The False Positive and Improperly Rated Site Epidemic)
??

Maybe under False Positives / Microsoft

db90h · « **Reply #10 on:** October 15, 2011, 05:54 PM »

There is no mystery. Sign your software. This is not 1999 anymore. What Microsoft has been trying for years to do is strongly encourage software vendors to obtain digital code signing certificates (authenticode). The preference would be for all software to be digitally signed by a cert issued via a trusted CA. I already explained to mouser the benefits of having a cert, there are many.

PROTEST LOUDLY -- this is not ok.

Try if you want, but sooner or later you will be forced to get a digital certificate ;p. One year of a digital cert costs less than one month of your hosting costs... So, what is the hold up? You do have proper documentation on DC, I assume? Registered as a business?

db90h · « **Reply #11 on:** October 15, 2011, 05:59 PM »

Wouldn't this be a good one to add to the falsepositivereport forum
(as discussed here on dc - The False Positive and Improperly Rated Site Epidemic)
??

Maybe under False Positives / Microsoft
-tomos (October 15, 2011, 02:48 PM)

No, sorry ;o. Not this time. This is not a false positive. It is a different sort of problem, and I'm not saying it isn't a problem.

Bottom line is that we are moving (slowly) to an age where all software is digitally signed. This has become the only way to deal with the malware epidemic. That way certs can earn 'trust' based on the software they've signed in the past.

They are NOT that expensive these days, though still not cheap. They used to cost many times more, so at least they have gone down in price. They are also a PITA to get, but not that bad if you have your documentation in order and they can verify it.

db90h · « **Reply #12 on:** October 15, 2011, 06:15 PM »

Also, if mouser were to obtain a cert, he could sign other author's freeware with it ... Just FYI ... In fact, THAT may be one of the best ways in which DC grows, allowing freeware authors a way to have their software signed and authenticated as 'good', without having to buy a cert of their own.

wraith808 · « **Reply #13 on:** October 15, 2011, 07:31 PM »

How much is the cert? Maybe we can hold a special DC fundraiser to cover the cost?

db90h · « **Reply #14 on:** October 15, 2011, 07:32 PM »

How much is the cert? Maybe we can hold a special DC fundraiser to cover the cost?
-wraith808 (October 15, 2011, 07:31 PM)

Like $79-$100 a YEAR (approx).. there is no reason for anyone not to have one. And no reason to need a fund raiser to get one since this is only 1/4 of the supposed monthly operational costs of DC. But, whatever works for you guys.

Yes, you could go find more expensive certs to buy, but I already told mouser last month where to buy cheap certs.

db90h · « **Reply #15 on:** October 15, 2011, 07:55 PM »

And sorry to be so blunt, but I DID tell mouser he needed a cert before this occurred.. and, well, everyone should already know these things happen without certs. Now that you know how cheap they are, surely you see -- there is no excuse not to have one. It is the cost of doing business. The malware guys forced that upon us. Now, I would like to see more competition in the trusted CA list, so prices further go down, BUT they are plenty low enough for DC.

mouser · « **Reply #16 on:** October 15, 2011, 08:00 PM »

I actually already have one. Got it cheap through StartSSL which I reviewed for their great services here.

I tried using it on one of my programs and it was very annoying to do, and it didn't seem to have any real benefit so i stopped using it.

But i could start again i suppose.

db90h · « **Reply #17 on:** October 15, 2011, 08:06 PM »

I actually already have one. Got it cheap through StartSSL which I reviewed for their great services here.

I tried using it on one of my programs and it was very annoying to do, and it didn't seem to have any real benefit so i stopped using it.

But i could start again i suppose.
-mouser (October 15, 2011, 08:00 PM)

Great, use it.. though not sure if they are a trusted CA when it comes to code signing under Windows or not, you will have to check.

Of course, if you bought it in Dec 2010 for 1 yr, then you've only got a month left.

Remember, although abrasive, because I am under a lot of pressure, I am trying to be helpful.

You can automate your signing process, so its done as you build your stuff. Very easy.

db90h · « **Reply #18 on:** October 15, 2011, 08:08 PM »

I also removed some of my more abrasive comments... I'm just under a lot of pressure. DC is a great service, trying to help.

IF you offered free signing to your freeware authors, MAN that would be a great way to drive new freeware authors here...

wraith808 · « **Reply #19 on:** October 15, 2011, 10:04 PM »

How much is the cert? Maybe we can hold a special DC fundraiser to cover the cost?
-wraith808 (October 15, 2011, 07:31 PM)

Like $79-$100 a YEAR (approx).. there is no reason for anyone not to have one. And no reason to need a fund raiser to get one since this is only 1/4 of the supposed monthly operational costs of DC. But, whatever works for you guys.

Yes, you could go find more expensive certs to buy, but I already told mouser last month where to buy cheap certs.
-db90h (October 15, 2011, 07:32 PM)

It *is* still an expense on something that makes minimal, if any money, so there is a reason for people not to have one IMO. If people would donate even a bit that might be a valid argument, but with the way the economy is and everyone watching money, to put this kind of burden on people giving away things for free is not just an "oh well, that's the way it has to be."

40hz · « **Reply #20 on:** October 16, 2011, 01:01 AM »

Great, use it.. though not sure if they are a trusted CA when it comes to code signing under Windows or not, you will have to check.
-db90h (October 15, 2011, 08:06 PM)

FYI:
Start Commercial (StartCom) Ltd. is listed as a CA on Microsoft's Root Certificate member page:

http://social.techne...s/articles/2592.aspx

So they're a trusted CA.

But you may need to do additional steps or sign a supplemental agreement of some sort before a code signing EKU gets applied to your root certificate. I'm not too up on the mechanics of obtaining certificates, but I recall a client of mine ran into something similar with Microsoft once and had to do something extra before the "code signing" part got ok'd. And IIRC, it cost considerably more than a standard SSL/TLS/MIME certificate. Something like $400-500 annually?

db90h · « **Reply #21 on:** October 16, 2011, 02:03 AM »

I would like to further elaborate that AS trust becomes a commodity on the internet, the ability for small freeware authors to 'just author' without going through h*ll is lessened, and thus DonationCoder, by offering signing of donationware for donationware authors, could represent a substantially more compelling business model than it does today. You have the inherent trust, earned certificate trust, plus community exposure, as enticements. It would be a great platform from which new donationware could be launched.

wraith808 · « **Reply #22 on:** October 16, 2011, 08:03 AM »

I would like to further elaborate that AS trust becomes a commodity on the internet, the ability for small freeware authors to 'just author' without going through h*ll is lessened, and thus DonationCoder, by offering signing of donationware for donationware authors, could represent a substantially more compelling business model than it does today. You have the inherent trust, earned certificate trust, plus community exposure, as enticements. It would be a great platform from which new donationware could be launched.
-db90h (October 16, 2011, 02:03 AM)

Wouldn't that also put an onus on DC to vet these software programs? I don't think there is an official policy regarding that in place now, but it would seem that this would have to change.

UPDATE: I downloaded software from my site (and I'm sure that I don't get as much traffic as even FARR, let alone the other software from DC), and I didn't get that message. It could be as simple as the fact that my programs don't have installers (just executables in zip files), but I wouldn't think that they'd not scan zips, would they?

rxantos · « **Reply #23 on:** October 16, 2011, 12:15 PM »

== Begin Rant ==

Thus the solution is to bend over and allow Microsoft to make false accusations on software from authors that did not pay them homage.

I guess we live in a world that people have gotten use to that.

I thought there was something called libel and slander. After all, what proof do they have that the software could harm your computer?

I guess we live in a world where justice and pride is something reserve for the rich (since is far cheaper to bend over than to get justice).

== End Rant ==

JavaJones · « **Reply #24 on:** October 16, 2011, 12:32 PM »

I wonder if certificate signing really is the solution, do we have any definitive knowledge that it is? If so, I understand the intention, but really don't agree with the methodology. As the recent rash of compromised CAs has shown, this is hardly an effective security measure. What good is "trust" when the trusted parties don't care enough to implement proper security on their trust-granting systems?!

The idea of offering certification assistance to freeware authors who host their stuff here is interesting and worth further consideration I think.

Btw wraith, I do think they flag exes specifically with this, so your downloads probably weren't triggered precisely because they're zips. This is not an antivirus scan being run by IE, it's pattern matching, with exe as a likely component that increases risk assessment. Scanning inside ZIPs probably isn't done. That job is really up to your antivirus.

Edit: Ran some tests, interesting results. A download of one of Skwire's programs from here in ZIP format did not show the same message. A download of Terragen in MSI (installable) form from planetside.co.uk also did *not* trigger the message. To the best of my knowledge the Terragen installer is not signed, but it's also not an EXE. It may also be more popular than FARR, though that's debatable.

- Oshyan