Fair Software Installation
These days, we all download and install software from the Internet. And that software is rarely written entirely by one entity; rather, components are combined to create the programs we want. There is an increasing and disturbing trend to ship components that perform system-level tasks and have system-level effects. These effects are magnified because many of these components are installed without adequate notification to the user (either by omission, or deliberately). The NEW.NET domain resolution component is a good example. This component is installed by a number of freely downloadable Windows programs on the Internet. Some of those programs notify the user that they are going to install the NEW.NET software; others do not.
Installation of NEW.NET alters the basic functionality of your system: It causes your system to behave in a manner that is inconsistent with international standards. That this is done in a stealthy manner is unacceptable. The fact that NEW.NET is also unstable is another issue that we will deal with separately.
If I am installing a program that calculates speaker enclosure volumes, I shouldn't have to worry about it redefining my network stack and destabilizing my computer.
What does a reasonable software program or component do? It should perform its defined, published task. It should not consume excessive resources. It should have a defined starting point and defined ending point. If it is defined to be a service, it should publish that fact and indicate the starting mechanism it uses.
Let me draw upon the realm of commercial software for an example of a program that is an offender. Creative's PlayCenter 2 application is used to move music to and from Creative Nomad MP3 players. It can also play media. When you run the PlayCenter application, you get the functionality you expect. When you start examining your system files afterwards, though, the picture changes.
PlayCenter installs a service, a disk detection system, and a news collection daemon. It does not attempt to inform the user that these daemon-level processes are being put in place. It does not offer the option to make them manually-startable. Worse, the news collection daemon would actually chew up all your CPU idle time.
I think creators of software have some basic obligations:
- Inform users when drivers, services, or daemons are being installed.
- Allow users to omit any of the above that are not strictly necessary for program operation.
- Ensure that during uninstallation, system-level components are accurately removed, "leaving no trace."
- System-level and daemon components must be subject to a higher level of quality control. It is possible that some level of legal liability should be present for the corruption of the system.
- Transmit no information from a component to any party unless specific notification to the user has taken place, and is renewed on a periodic basis.
- Collect no information on a user without prior agreement, and a renewal of that agreement on a periodic basis.
The little war I mentioned earlier is going to get nastier soon. Uninvited components like Cydoor and NEW.NET are sure to take steps to defeat Ad-Aware and programs like it. If I wrote a stealth component today, I would have it seek out an Ad-Aware signature file and modify it to ignore me, or add my directory to the ignore lists. Ad-Aware could respond by digitally signing the files, or with other techniques. This cycle will escalate, with each side taking new steps to ensure its dominance. Users will pay the price in decreasing system stability.
I am hard-pressed to see the difference between NEW.NET and the Sub7 trojan horse. Both subvert a computer for the purposes of others; both do it in stealth. The good folks at NEW.NET will surely disagree; they'll say that those applications that install their software inform the user, and as such, it really isn't their responsibility.
I say it is. NEW.NET makes active use of the component on your computer; I think that they cannot duck their responsibility for its behavior. They are not passive participants; they are not a library component being used by others.
I've been beating up on NEW.NET quite a bit in this article. I suppose it's because the deinstallation of their component trashed the IP stack on my Windows 2000 system and it took me a half day to put it back together again. What the hell were they thinking when they stuffed a buggy service deep into my IP stack without telling me? I think they should have to compensate me in some way. A $250 Small claims court action here in Virginia might be a way to do it.
The bottom line is, where does it end? Software installation programs should install components that the user expects. Full disclosure should be the order of the day. There will always be violators, though. There are a couple of remedies which could help:
- A legal framework for "allowable" system modifications during installation can be created. By adhering to the requirements of disclosure and stability, manufacturers can avoid liability. The threat of liability may be required (although capped) to enforce conformance and responsibility.
- A technical framework in the operating system can establish and protect secure boundaries around the system's core. Certain operating systems already do this (Unix), but the most widespread consumer OS does not.
- A "signed installation" program, run by known entities, asserting that a given program and its installation don't violate the rules.
Just think -- what if NEW.NET decided to start redirecting www.bestbuy.com to www.circuitcity.com? Is there a law somewhere or a technical remedy for this situation? I think there should be.
Creative Playcenter? (Score:4, Informative)
And what is this new.net thing?
Yeah, Brother! (Score:3, Informative)
This led me on a chase through my computer. Through a combination of Ad-Aware, Startup Cop, and Process Explorer I managed to get rid of a bunch of leftover or not wanted CRAP that was hogging up my system!
Quicken, for example, had two programs that started up every time my system started. There was a Lexmark printer application running, even though I no longer have the printer and had uninstalled the driver!
And don't even get me started on Real One...
What a pain in the ass...
There is a "signed installation" system out there (Score:4, Informative)
Two more examples (Score:2, Informative)
Weather Bug: This is another one. It just starts running and does not give an option to turn it off. I had to hack the registry to get rid of it.
Oh well... I am slowly converting to completely Linux...
Re:And WTF is NEW.NET? (Score:3, Informative)
What New.Net is: (Score:5, Informative)
So if you want to buy sweat.shop, you can go to new.net and do just that.
The software in question is a "plugin" that "fixes" windows to use their dns servers when requesting a domain that ends in ".shop" or whatever.
For more info, don't be so lazy and click on the "About Us" button at the bottom of the new.net homepage
http://www.new.net/about_us_mission.tp [new.net]
I submitted a story about this on slashdot long ago and, surprise! it was rejected. I'm sure I wasn't the only one who thought this site and company is worth discussing.
-- Punch the Monkey!
Re:Creative Playcenter? (Score:5, Informative)
new.net is a company that tried to get a shit load more top level domains added, but couldn't. So, they went and made their own database for them all. (ie: .golf, .xxx, .love, .mp3, etc). The software installed by new.net mentioned in the article is basically a redirect when trying to go to those domains.
Say, for example, I had a site called www.stuff.mp3. Under nearly every ISP out there, this obviously would not work. The new.net software modifies the system to be able to recognize it. Outside of this software, the only way to get to this address would be to go to www.stuff.mp3.new.net.
I think that made sense :)
Windows Users (Score:2, Informative)
Re:Good idea (Score:3, Informative)
None of the weird domains run on my boxes, so I suppose that's a good thing right now... *g*
Mac OS X Software installs... (Score:5, Informative)
For instance, I installed MS Office on my laptop a while ago (still waiting on Sun & Apple to resolve their differences & build StarOffice for the Mac). The entire procedure was:
1. Insert Office CD
2. Drag-And-Drop a folder onto my hard drive
3. Start using it.
Installing applications from the Internet is even easier. I'm a happy registered user of OmniGraffle [omnigroup.com], a diagramming and graphical tool that makes other programs like it feel worthless. The installation process for that is:
1. Download the file, which unpacks as a disk image & is automatically mounted.
2. Drag & Drop the application.
3. Start using it.
Another nifty feature is that, to the high-level graphical interface, an application appears as a Bundle [apple.com], and therefore it looks like a single executable file. To the regular user, this is a far more intuitive presentation of what an "Application" is. However, if you whip up a terminal & go poking around a bundle, you'll see that it's really a collection of every file the application needs to work.
Mark my words, the Winblows platform will be emulating this behavior within their usual UI 5 year lag.
--Mid
Re:Huh? (Score:5, Informative)
They are the new version of Alternic. Remember them? They set up their own root nameservers in order to sell their own top level domain names. In order to make it work, they had to persuade ISPs to use their root nameservers instead of the official ones.
New.net has apparently learned from the Alternic episode. No, they didn't learn the part about respecting the official DNS structure. They learned that getting all the ISPs to agree and cooperate is not very practical.
So instead of changing the DNS system from the top down (Alternic), they are trying to change it from the bottom up, starting with your Windows computer. In my opinion, this is just as sleazy, no! even more sleazy than the tricks USR pulled to get dialup customers to force the ISPs to buy overpriced X2 access servers.
RealPlayer (Score:3, Informative)
Your PC will also run faster.
Open up the preferences. I think it is a button on the "General" tab labeled startcenter. That opens up another dialog that allows you to disable it (top checkbox - uncheck it). It will pop up a message with a dire warning - just click Yes I really Want To Do This. That should be it.
All the startcenter is good for is preloading Real (so it starts up 3 seconds faster - big whoop) and popping up annoying messages.
Re:One more example of why... (Score:3, Informative)
--info to see information
--scripts list config scripts that may run
--triggers list trigger scripts that may run
You have the option to extract scripts and check them yourself. You can also see the services and deps that the package provide, etc. All without installing it.
I know, you never install binaries, and of course, a binary may have something in there that shouldn't be there.
But then again, I imagine you rarely, if ever, read 100% of the source code you just compiled and installed, read the makefile, or keep track of where exactly it put things. You probably just trust it because you have the source, not because you READ the source.
Then again, I might be wrong, and you do.
Personally, I install binary RPMs from trusted sites. (Red Hat, SuSE, KDE, a couple others), and from source tarballs when I think there might be a trust issue.
A good, reputable, signed RPM is a good way to determine trust.
Re:he has some valid points...but.... (Score:3, Informative)
New.net is "bundled" with other software, most notably "imesh" (file-sharing).
I work at an ISP, and we see a fair share of problems from this Trojan Horse.
You're correct -- no one forces anyone to put new.net on their machines. But the most frequent scenario I encounter is the patriarch of the family calling about the "family system." When Add/Remove programs reveals the presence of IMesh and New.net, invariably the statement is, "I guess one of the kids..."
This is legally very precarious ground. Kids are not old enough to make contract agreements, so unless there is some sort of age-check performed, these Trojans are coming in a backdoor with no legal agreement involved.
This is especially dangerous where no "opt-out" is offered. DivX Networks [divx.com] is currently offering an "ad-sponsored" version of their new codec, DivX 5.0 (otherwise a nice piece of software) -- we are already getting calls about "where are all these pop-ups coming from?"
I installed the DivX package and guess what?
1. There is no choice in installing it, if you want this package, you must install the advertising software.
2. It doesn't just deliver ads. It provides detailed information about your net activities to a server that then decides what ads to deliver to your system.
3. Uninstalling DivX does not remove the service that it adds to an XP machine. DivX Networks claims in its forums that it uninstalls with their software, but no user has yet agreed with them on this point.
So, when "Junior" installs DivX on the family PC, the entire family gets spied upon, with no one of legal age having consented.
This is a lawsuit waiting to happen. DivX Networks in particular stand to lose a great deal in terms of community respect/user trust, if not in cash.
Installation Specialist (Score:3, Informative)
On Linux/Unix platforms, it's even worse. The installer is almost always a horrid shell script that has been hacked on by a dozen different people over several years. No one really knows what that script is actually doing. The script works great, so long as you are running RH 7.1, because that's the distro the programmer uses.
As for standards, they do exist on Windoze platforms and people familiar with writing installers deal with them. In the Linux/Unix world, it's a free for all. There are some general standards, but all too often they are ignored.
When it comes to "stealth" installing, I wouldn't do it. If the component isn't necessary to run, then it is an option with a checkbox. If it's pretty good idea to install it, it will be checked by default. If it's just eye candy, it will be unchecked. If the primary software won't run without it, it will not be an optional component.
In summary, hire the right person for the right job. Stick to standards where they exist, fight for reasonable standards where they don't. Never forcibly install unnecessary components. Most important, don't ever change basic system functionality.
Re:There is a "signed installation" system out the (Score:4, Informative)
This is similar (but not exactly like) to WHQL certification for hardware.
Re:he has some valid points...but.... (Score:3, Informative)
Required Tools of the Trade (Score:3, Informative)
If you are going to use Windows software from untrusted (i.e. most everyone, especially M$) sources you must take steps to protect yourself. First, trust your gut. Does the developer "smell funny"? Is the software from a startup company with no visible means of revenue? I tend to trust programs created by individuals or small teams that demonstrate some passion for what they do (EAC [exactaudiocopy.de], or LAME [mp3dev.org] for example)
Then, get Technological on their ass. Start with a personal firewall that monitors all outgoing traffic. Zone Alarm [zonelabs.com] is the one I trust - gut feelings, and I've read some negative things about Black ICE [networkice.com]. Amaze and astound your friends as you block requests from RealPlayer, Windows Update, and other "legitimate" programs that like to access the net without asking permission.
Then get Ad Aware [lavasoftusa.com] and get that sinking feeling as you see the total number of unauthorized programs, components, and services on your system.
Finally, install Proxomitron [thewebfairy.com] to make your browser behave a bit more politely by re-writing the html it sees before it sees it (and find yet another reason to love Shonen Knife. They're way kawaii!)
Forewarned and fore-armed (hairy ones, even), you stand a much better chance of maintaining control of your system.
Re:Yeah, Brother! (Score:3, Informative)
On an old 98SE box, I installed Real 5.0.
When it wanted to be upgraded to G2 (because a file I wanted to play needed the new codec, and I didn't want to upgrade the spam-free 5.0 player), I imaged the drive, ran the "over-the-net" upgrade ("Play the video, then let us download and run an executable, just trust us!") on the imaged drive, swapped drives back and compared the results.
I then copied the modified DLLs from the "upgraded" drive into the proper directory on the "old" drive, and voila, RealPlayer 5.0 playing G2 streams.
Did it all over again for Realplayer 7.* and 8.*.
Man, I love my South Park ;-)
The practical upshot of all this was that many of the "new" RealVideo streams don't need the new player - they just need the right DLLs copied into the right directories and the old player will work fine.
New.net Software (Score:4, Informative)
Below is the list of all of our present and past distribution partners (download partners have always been clearly listed on the New.net website):
Present Partners:
BearShare
KaZaA
iMesh
Past Partners:
Go!Zilla
Babylon
Cydoor
GDivx
WebShots
Each one of our current and previous distribution partners is required to provide disclosure during installation that our software is bundled. We in no way install in a "stealthy manner", since it is the responsibility of the user to read the install screens that are provided during an installation.
In light of these recent comments regarding disclosure, we are working with each of our distribution partners to improve awareness of the New.net bundle in the install process.
New.net's software provides a service to its customers as well as its users that want to gain access to domain extensions that are sold on our site. In order to provide resolution, our software adds itself to the TCP/IP stack. There are other methods to resolving our domain extensions such as adding "new.net" to the domain suffix search order or adding our DNS servers in the DNS server search order in the network configurations. You may also append ".new.net" to the domain extension in the address bar of the browser for resolution. Our software is our "user friendly" way of providing such access. Manually changing network configurations requires a reboot whereas our software can install in seconds and provide resolution immediately.
Our software is not "unstable" in any way unless a user tampers with the configuration to a point where it makes Windows unstable. This is consistent with any other software that adds itself to the TCP/IP stack. If someone were to just randomly start deleting files on their system that are referenced in the TCP/IP stack, without first checking to see if there is an uninstall in Add/Remove Programs, then of course you would expect nothing less than an unstable or corrupt system with network issues.
"The little war I mentioned earlier is going to get nastier soon. Uninvited components like Cydoor and NEW.NET are sure to take steps to defeat Ad-Aware and programs like it. If I wrote a stealth component today, I would have it seek out an Ad-Aware signature file and modify it to ignore me, or add my directory to the ignore lists. Ad-Aware could respond by digitally signing the files, or with other techniques. This cycle will escalate, with each side taking new steps to ensure its dominance. Users will pay the price in decreasing system stability."
Let's be clear on this point: New.net does not create or distribute any kind of stealth software in order to avoid signature files for Ad-Aware. In fact, Lavasoft had determined that our software is not "spyware" and discontinued removing our software since August 2001. I welcome anyone to contact Lavasoft directly for further information. There are still mirror sites out there that list New.net as a component that is removed by Ad-Aware; but I assure you that these sites reflect information prior to August 2001.
"I've been beating up on NEW.NET quite a bit in this article. I suppose it's because the deinstallation of their component trashed the IP stack on my Windows 2000 system and it took me a half day to put it back together again. What the hell were they thinking when they stuffed a buggy service deep into my IP stack without telling me? I think they should have to compensate me in some way. A $250 Small claims court action here in Virginia might be a way to do it."
The New.net client is clearly listed in Add/Remove Programs like the majority of all other software and when the correct procedure is used then the software is properly uninstalled. If someone decides to remove software "their way" as opposed to the correct way then you can assuredly expect problems. Please explain your procedures of "deinstallation" that lead to a "trashed IP stack"; this may be useful to the New.net QA team.
Leonard Amabile
Director of Customer Support
New.net, Inc.
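The two mechanisms described in this thread (the earlier comment's observation that www.stuff.mp3 only resolves as www.stuff.mp3.new.net, and New.net's own description of adding "new.net" to the domain suffix search order) are both instances of DNS search-list resolution. The following added example models that behaviour with a stub resolver; it is not New.net's code nor the thread's, and the zone data, the small TLD subset and the addresses are constructed for illustration. It also shows the check a defender would want: whether a name can only ever resolve through a private suffix, because its last label is not a TLD in the public root.

```python
"""Model of search-suffix DNS resolution (added example, not the page's or New.net's code)."""

from typing import Dict, List, Optional, Sequence, Tuple

# Constructed: a small subset of the public root's TLDs, standing in for the real list.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "mil", "int", "us", "uk", "de"}

# Constructed stub zone data: fully qualified name (trailing dot) -> IPv4 address.
ZONE: Dict[str, str] = {
    "www.example.com.": "192.0.2.10",
    "www.stuff.mp3.new.net.": "192.0.2.20",
}


def candidates(name: str, search_list: Sequence[str], ndots: int = 1) -> List[str]:
    """Return the query names a stub resolver tries, in order.

    A name with at least `ndots` dots is tried as-is against the public root first;
    each configured search suffix is then appended. Names with fewer dots try the
    suffixes first and the bare name last, matching classic resolver behaviour.
    """
    bare = name.rstrip(".")
    qualified = bare + "."
    with_suffix = [f"{bare}.{s.strip('.')}." for s in search_list]
    if bare.count(".") >= ndots:
        return [qualified] + with_suffix
    return with_suffix + [qualified]


def resolve(name: str, search_list: Sequence[str] = (),
            zone: Dict[str, str] = ZONE) -> Optional[Tuple[str, str]]:
    """Resolve `name` through the stub zone; returns (name that matched, address) or None."""
    for qname in candidates(name, search_list):
        if qname in zone:
            return qname, zone[qname]
    return None


def depends_on_private_root(name: str, public_tlds=PUBLIC_TLDS) -> bool:
    """True when the name's last label is not a public TLD.

    Such a name is not resolvable by a standards-conformant resolver at all;
    it only works while a search suffix (or an altered stack) is in place.
    """
    tld = name.rstrip(".").rsplit(".", 1)[-1].lower()
    return tld not in public_tlds


if __name__ == "__main__":
    # Without the suffix the ".mp3" name does not resolve; with it, the query
    # actually sent is www.stuff.mp3.new.net., exactly as the earlier comment describes.
    print(resolve("www.stuff.mp3"))
    print(resolve("www.stuff.mp3", ["new.net"]))
    # A public name still resolves against the root first, suffix or not.
    print(resolve("www.example.com", ["new.net"]))
    for host in ("www.stuff.mp3", "www.example.com"):
        print(host, "depends on private root:", depends_on_private_root(host))
```

Run as a script it prints the resolution path for each name. The ordering in `candidates` is the security-relevant detail: a search suffix extends the namespace silently, so an operator reviewing a host's resolver configuration should treat any suffix that is not the organisation's own domain as a change to what names mean, not as a convenience setting.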
How To Tame Real One (Score:1, Informative)
Re:New.net Software (Score:2, Informative)
"I would say the primary reason that Ad-Aware isn't touching new.net is they're terrified (rightly) of damaging a user's IP stack during the uninstall. Too bad you weren't worried about the same thing when you wrote earlier versions of your software. I understand that recent versions of new.net are improved in this area, and I applaud your decision to test it."
Any of your comments regarding Ad-Aware are false and I would like for you to provide evidence otherwise. I have been in contact with Lavasoft many times and the result, from Lavasoft, was that we are not "spyware" and that they had no reason to remove us.
Your comments suggesting that we are a trojan are most offensive and should be corrected as soon as possible. It's comments like yours that spread the wrong information and cause fear and concern to users that would otherwise not have a problem. We do not transmit any personally identifiable information and our software is a service to our users and customers.
Leonard Amabile
Director of Customer Support
New.net, Inc.
*fix* Re:I installed RealPlayer recently... (Score:1, Informative)
In Win98:
Run msconfig at Start/Run... select startup tab, deselect realtray and anything else you don't trust. If you don't recognize something, do a google search for it FIRST to make sure what it is.
Or find the exe, right click on it, choose properties, and see if there's any company info in the version information.
This is also a nice way to disable the annoying "Critical Update Notification!!!" from popping up in the middle of a Counterstrike / Tribes2 tournament. Uncheck "mstask", and visit windowsupdate.com whenever you feel the urge. Note: it will reset itself to on after an update, so repeat the procedure.
Note that msconfig doesn't work on XP / 2000.