Fair Software Installation

rossjudson writes: "There's a little war going on in your computer; it's a war that you might be aware of if you're an experienced computer user. If you're new to the game, there's very little chance you know about it, but it affects you, and it gets worse, not better. The battleground in this war is your CPU, your disk space, and your system's stability." He's got a particular beef with NEW.NET, but lays out (in the article below) what he thinks is a workable, generalized code of conduct for software installation.

Fair Software Installation

These days, we all download and install software from the Internet. And that software is rarely written entirely by one entity; rather, components are combined to create the programs we want. There is an increasing and disturbing trend to ship components that perform-system level tasks and have system-level effects. These effects are magnified because many of these components are installed without adequate notification to the user (either by omission, or deliberately).

The NEW.NET domain resolution component is a good example. This component is installed by a number of freely downloadable Windows programs on the Internet. Some of those programs notify the user that they are going to install the NEW.NET software; others do not.

Installation of NEW.NET alters the basic functionality of your system: It causes your system to behave in a manner that is inconsistent with international standards. That this is done in a stealthy manner is unacceptable. The fact that NEW.NET is unstable besides is another issue that we will deal with separately.

If I am installing a program that calculates speaker enclosure volumes, I shouldn't have to worry about it redefining my network stack and destabilizing my computer.

What does a reasonable software program or component do? It should perform its defined, published task. It should not consume excessive resources. It should have a defined starting point and defined ending point. If it is defined to be a service, it should publish that fact and indicate the starting mechanism it uses.

Let me draw upon the realm of commercial software for an example of a program that is an offender. Creative's PlayCenter 2 application is used to move music to and from Creative Nomad MP3 players. It can also play media. When you run the PlayCenter application, you get the functionality you expect. When you start examining your system files afterwards, though, the picture changes.

PlayCenter installs a service, a disk detection system, and a news collection daemon. It does not attempt to inform the user that these daemon-level processes are being put in place. It does not offer the option to make them manually-startable. Worse, the news collection daemon would actually chew up all your CPU idle time.

I think creators of software have some basic obligations:

1. Inform users when drivers, services, or daemons are being installed.
2. Allow users to omit any of the above that are not strictly necessary for program operation.
3. Ensure that during uninstallation, system-level components are accurately removed, "leaving no trace."
4. System-level and daemon components must be subject to a higher level of quality control. It is possible that some level of legal liability should be present for the corruption of the system.
5. Transmit no information from a component to any party unless specification notification to the user has taken place, and is renewed on a periodic basis.
6. Collect no information on a user without prior agreement, and a renewal of that agreement on a periodic basis.

There's been a longstanding battle between virus writers and anti-virus software. The equivalent to anti-virus software in the component world is Lavasoft's Ad-Aware. If you haven't run it before and you have a Windows box, get it and run it. The first time can be a real shocker -- tremendous amounts of crap can build up in your system without you knowing about it.

The little war I mentioned earlier is going to get nastier soon. Uninvited components like Cydoor and NEW.NET are sure to take steps to defeat Ad-Aware and programs like it. If I wrote a stealth component today, I would have it seek out an Ad-Aware signature file and modify it to ignore me, or add my directory to the ignore lists. Ad-Aware could respond by digitally signing the files, or with other techniques. This cycle will escalate, with each side taking new steps to ensure its dominance. Users will pay the price in decreasing system stability.

I am hard-pressed to see the difference between NEW.NET and the Sub7 trojan horse. Both subvert a computer for the purposes of others; both do it in stealth. The good folks at NEW.NET will surely disagree; they'll say that those applications that install their software inform the user, and as such, it really isn't their responsibility.

I say it is. NEW.NET makes active use of the component on your computer; I think that they cannot duck their responsibility for its behavior. They are a not passive participants; they are not a library component being used by others.

I've been beating up on NEW.NET quite a bit in this article. I suppose it's because the deinstallation of their component trashed the IP stack on my Windows 2000 system and it took me a half day to put it back together again. What the hell were they thinking when they stuffed a buggy service deep into my IP stack without telling me? I think they should have to compensate me in some way. A $250 Small claims court action here in Virginia might be a way to do it.

The bottom line is, where does it end? Software installation programs should install components that the user expects. Full disclosure should be the order of the day. There will always be violators, though. There are a couple of remedies which could help:

1. A legal framework for "allowable" system modifications during installation can be created. By adhering to the requirements of disclosure and stability, manufacturers can avoid liability. The thread of liability may be required (although capped) to enforce conformance and responsibility.
2. A technical framework in the operating system can establish and protect secure boundaries around the system's core. Certain operating systems already do this (Unix), but the most widespread consumer OS does not.
3. A "signed installation" program, run by known entities, asserting that a given program and its installation don't violate the rules.

These remedies are necessary as the entities creating these components can't be counted on to do the right thing. Their business models are often predicated on the stealthy gathering of knowledge, and the altering of what goes into your computer.

Just think -- what if NEW.NET decided to start redirecting www.bestbuy.com to www.circuitcity.com? Is there a law somewhere or a technical remedy for this situation? I think there should be.

---

Slashdot welcomes reader-submitted features; use the story submission page if you'd like to submit yours.

What do you mean "your computer".

[lynx_user_abroad]

If you're running someone elses software on it, it's no longer your computer. They own it.

In most cases they're gracious enough to let you keep doing things with it, but make no mistake about it.

It comes down to a question of how much you trust the person/company who wrote the software.

Re:What do you mean "your computer".

[TRACK-YOUR-POSITION]

Assuming that most of us would like users to own their own computers, the name of the game would appear to be "minimize the number of people/companies you have to trust in order to efficiently use your computer." This is because once you've trusted Company A to supply your OS, trusting Company B to supply an application does not relieve vulnerabilities to A at all but adds vulnerabilities to B.

There are two paths we can take here:

A. Pick one company to put all of your trust in, and never install software from anyone else. This ideal company either develops the software almost in house or reads the source code that others have developed. Never install software created by anyone else unless you've read all of it's source code and compiled it yourself.

This means only companies large enough to do this can sell software, assuming a reasonably secure

B. Add the social and technical tools that this article and others suggest. Why the heck shouldn't it be illegal to INTENTIONALLY misrepresent what a piece of software is doing? Forget negligence--at least let's make false advertising illegal, huh? Why the heck should my operating system allow a video game to read my credit card number and modify my system?

Personally, I'd really like the ability to say "only let this program do X and Y and nothing else", where X might be (temporary) control of output devices and Y might be adding files to a particular directory. Yeah, I guess I could create a new user in Linux with just the permissions I want to give it for every program on my computer, then run the program with the appropriate user. But that would be a lot of work, even for me, and it wouldn't save every who uses computers whom I care about who happens to have better things to do in their life.

That's actually an interesting idea

[drew_kime]

Yeah, I guess I could create a new user in Linux with just the permissions I want to give it for every program on my computer, then run the program with the appropriate user.

Or, you could write an installer application that you run to manage all other installations. Have this app create a new user for each program as it's installed, with these users members of the "installer" group. That way nothing you install later could overwrite anything else you installed.

If there's an insoluble technical reason why this wouldn't work, I'm sure someone will tell me. Problems I see:

• Several apps dynamically link to the same library. You try to update one of the apps, and it includes an update to that library. Only the one that initially installed it can do this. (This could actually be a good thing.)
• Massive proliferation of users. Would this require rethinking what a "user" is? Or is it really even a problem?
• Would the installer have to run as root for this to work?

I'm sure there are other problems, but at first glance I like the idea.

Re:That's actually an interesting idea

[TRACK-YOUR-POSITION]

Wow, you actually read through all those typos and places where I forgot to keep typing what I was thinking? You are amazing! ;) This installer program sounds like a very good idea indeed. I have a wacky extension proposal, though. If I understand this idea, this installer will prevent apps from writing over other. But if we give every resource/file a new group(!) we can even prevent them from reading/executing files that they shouldn't--only app-users that need a resource are added to the resource's group. I must admit, in linux as it is today, this extension requires more paranoia than I can muster today. Maybe in the future if spyware became a problem with linux programs... But from my ignorant perspective, your installer sounds like a really great idea. Maybe someone who wants to sell commercial software under Linux would want to implement it--as a free open source program that guarantees the validity of a commercial closed source program.

That's what you get...

[ebyrob]

When you don't compile everything from source yourself. Down with binaries!

Oh wait, does compiling and reading code actually take work?

Re:What do you mean "your computer".

[L-Wave]

You see, its a battle of wills, and I'm the most stubborn individual on the planet and I will NOT be told how to use something in my possession

I see you own a gun, do NOT shoot yourself in the foot. =) hehe

Good idea

[crumbz]

This is one area where open source software can really pull ahead of Microsoft. Provide excellent documentation of the software and the coding as well. That's all folks. As shoddy as Microsoft's image is regarding security, they won't be able to have it both ways. Not to pick on them, as there are plenty of other targets (AOL being another), but they do have a poor track record in this arena.

The most direct benefit of this initiative is well-written code. Well-written code that undergoes peer review from impartial others is the best thing we can do to further this industry.

Re:Good idea

[Anonymous Coward]

No, no, no, New.net is not to do with Microsoft's .NET thing. It's some weirdass domain level company that buggers up your IP stack. There aren't any links in the article, but you can find more here [new.net].

None of the weird domains run on my boxes, so I suppose that's a good thing right now... *g*

What does open source have to do with it?

[JohnDenver]

Before you crap out an idea, maybe you can establish some context as what you're talking about. Try using a first sentence or a snippet from the main article to highlight the points that you are agreeing with, because I can't tell if you're accidentally posting in the wrong thread or if you're opinions are just stupid.

This is one area where open source software can really pull ahead of Microsoft. Provide excellent documentation of the software and the coding as well. That's all folks.

How would this make open source less susceptible to hosting a stealth component, or how would this prevent stealth components from piggy backing during an installation?

It seems that you think this is a security issue that can be solved like MS Outlook holes which allow scripts to propigate email. Unfortunately, all operating systems are susceptible to stealth code sneaking along with trusted software. There's really nothing you can do about it other than legal recourse.

Re:What does open source have to do with it?

[Negadecimal]

How would this make open source less susceptible to hosting a stealth component, or how would this prevent stealth components from piggy backing during an installation?

1) Download source code instead of binaries.
2) Review source code for "stealth code"
3) Compile.

Lather, rinse, repeat. This is naively simplistic, of course; searching large-ish apps for undesirable code is hard to impossible. But on platforms where OSS is the norm, chances are that someone will try anyway (especially when spyware starts leaving footprints on their firewall). It's our culture.

And for some reason, I'm reminded of a line from the second Harry Potter book: "Never trust something that can think for itself if you can't see where it keeps its brain!"

I'm sorry... Let me rephrase

[JohnDenver]

Let me rephrase... I meant to write

How would this make an open source operating system less susceptible to hosting a stealth component, or how would this prevent stealth components from piggy backing during an installation?

I can understand why an open source product may be less susceptible. Heck, Why would anyone even try to add a stealth component to an open source app? Why are you even answering the loosly phrased original question when the answer is obvious?

Re:Good idea

[q-soe]

Sorry but i miss your point. Microsoft have some security issues (although a quick read or CERT will show you that so do many open source products - they dont get publicity on it) but i dont understand the point your trying to make ?

When have Microsoft ever actually included spyware in products ? (and dont talk to me about Media Player - its been in the user agreement for a long time)

This issue has nothing to do with well written or badly written code IMHO - it has to do with companies willingness to take money from anyone who comes along, NEW.NET is spyware just like Gator or Bonzi Buddy.

Holding up open source with its lack of focus, consistency and in some cases stability as a standard is not relevant to this discussion - try getting a lot of common open source software to run with minimal knowledge on a linux system - try getting an out of the box Mandrake to play DIV-X movies as a new linux user. You can't unless you know to downgrade glibc and fix the other numerous dependency issues.

The fact is Microsoft have questionable business practicies and a rapacious attitude to business ethics but the thing is the average user just doesnt care - the stuff works. They dont give a crap if its bloated or needs activation because they can walk into a store, buy a cd, install it and it just works.

The open source model makes so much sense but its no panacea to the ills of the world. The fact that spyware isnt found in open source has nothing to do with the philosophy of the product but more to do with the fact that most of the software is developed privately or not for profit. Its no gurantee of quality or well written code.

As open source grows more mature (if it survives) this problem will grow as well, just like viruses will.

Stop putting everything back on MS and accept that the world is full on unscrupulous people out to make a quick buck, they exist in all areas.

PS if you want to look at it this way im not slamming open source or trolling for microsoft in any way. Im writing this on my Lycoris box (redmond linux) and i use and like linux despite so issues with it at times, i just cant stand the attitiude that everything bad is MS and everything good is open source.

Creative Playcenter?

[alen]

First the software gives you a custom install option. Second it took me all of 5 seconds to turn off disk detector. Third how many average computer users will know what to do when reading a screen that tells them it has to install something. A while back Kodak thought 9 clicks to install it's software was too confusing for the average user. What about this?

And what is this new.net thing?

Re:Creative Playcenter?

[mansemat]

This is just one example. What if somebody else doesn't give you the choice to turn of those components?

His point, I think, is that we need full disclosure about what the software install on your computer that is above and beyond the corse software function.

Sure most people will never read that crap, but it should be available for those of us who want to know what all that extra shit it they've installed on the computer just so you could, for instance, dump songs from your harddrive to you MP3 player.

Re:Creative Playcenter?

[Jinky]

And what is this new.net thing?

new.net is a company that tried to get a shit load more top level domains added, but couldn't. So, they went and made their own database for them all. (ie: .golf, .xxx, .love, .mp3, etc). The software installed by new.net mentioned in the article is basically a redirect when trying to go to those domains.

Say, for example, I had a site called www.stuff.mp3. Under nearly every ISP out there, this obviously would not work. The new.net software modifies the system to be able to recognize it. Outside of this software, the only way to get to this address would be to go to www.stuff.mp3.new.net.

I think that made sense :)

Re:Creative Playcenter?

[matman]

Couldn't you just add a DNS suffix to the system for new.net and achieve the same thing?

Re:Creative Playcenter?

[GigsVT]

I guess you meant search domains. Wow, I'm an asshole. Disregard other message, you are right.

Re:Creative Playcenter?

[ncc74656]

And what is this new.net thing?

It's an alternate DNS that works by installing a DLL that hijacks all name-resolution requests. If some software needs to know the address of foobar.com, the DLL checks first to see what address info new.net has on hand. If new.net can resolve foobar.com, it returns the address. If it can't, it passes the request on to whatever was previously configured for DNS. Removing it is a pain in the ass; the procedure involves fairly involved registry editing (let's just say it's more involved than getting your Windows box to talk to your Samba server).

Theoretically, there's no reason why they couldn't make it so that what looks like a link to Best Buy [circuitcity.com] takes you to Circuit City's website instead. I had to tweak the Best Buy URL so that it became a username fed to Circuit City's server (which presumably ignored it). With new.net, you could do the same by linking your IP address to your competitor's domain name. A 404 handler on your webserver that knows the general layout of your competitor's website would redirect people to the appropriate page on your site, so that just trying to go to one site's homepage [bestbuy.com] takes you to something completely different [circuitcity.com], no matter what you do.

(Dammit...looks like /. filters out anything between "http://" and "@". The first link is supposed to be http://www.bestbuy.com%2fHomeAudioVideo%2fDVDPlaye rs%2findex.asp%3fm=1%26cat=32@www.circuitcity.com/ ewebIMa/frame1.jsp?BV_SessionID=@@@@0243569614.101 6223317@@@@&BV_EngineID=ccedadcejfdehhhcfngcfkmdff hdffg.0&upper=head.jsp&lower=frame2.jsp&left=leftc hildcat.jsp&department=TV+Video+and+Camcorders&cat egory=DVD&right=productsearch.jsp. Must've been too many idiots tacking on goatse.cx to the end of CNET URLs or something.)

Legal Framework?

[dgb2n]

I was with the author all the way up until the point that he mentioned a legal framework for enforcement.

While all of those objectives are admirable, at the mention of involving governmental organizations in the enforcement of such standards I begin to get nervous. We live in a litigous society in the US as it is. Do we really want to enable a new class of lawsuits based upon violation of software installation standards.

Sure, publish some guidelines and get corporations to sign up agreeing to adhere. I'm just not sure I need or want legal protection to enforce it.

I certainly don't want to have my installation routines prescreened by the legal department before I can ship my code. Sheesh.

Re:Legal Framework?

[hagardtroll]

I think the "Legal Framework" needs to be built into the code as well as the law.

The O/S should be the O/S should be the O/S. No third party application should be able to change the functionality or performance of the O/S.

The Application should be the application should be the application. No OTHER application should be able to change the functioning of the original application.

If the browser is an application that is part of the O/S that can be modified by a differnt application, then you never know what to expect.

If I want to run App A, later install App B. App B shouldn't be able to change App A unless that is what is advertised to do.

App B shouldn't be allowed to mess up App A or the O/S. If it does, that behavior should be detected and stopped.

That way if App B fails to work, it can be removed and the O/S and App A can go on their merry way.

Re:Legal Framework?

[zangdesign]

The O/S should be ...

Well, there's goes third party extensions to the OS, such as skinning (can change the functionality), media players (can change the performance), virus scanner (can change both), etc.

The Application should be ...

And there goes third party extensions to programs, such as plugins for Photoshop, plugins for Dreamweaver, plugins for Logic Audio, etc.

You've negated yourself, there.

Re:Legal Framework?

[geekoid]

Nervous is ok, but don't get paranoid, a great many good stadards has come out of the US government.

Without somesort of consumer guigelines that can be enforced, companies won't bother doing it.

Anyone want to start a software company?

[cperciva]

It seems to me that "scumware" is starting to take on proportions very similar to "wormware"; as the author notes, there seems to be little difference between the subseven trojan and the new.net software (or, I might note, whatever that horrible program was which made yellow links pop up everywhere).

Since anti-virus software doesn't seem to scan for these, perhaps someone should create a product which operates similar to antivirus software but instead scans for a dictionary of scumware?

Re:Anyone want to start a software company?

[Reality Master 101]

Ad-Aware [lavasoftusa.com] is what you're describing. This software rocks, by the way. Highly recommended.

Re:Anyone want to start a software company?

[ncc74656]

Since anti-virus software doesn't seem to scan for these, perhaps someone should create a product which operates similar to antivirus software but instead scans for a dictionary of scumware?

...umm, something like this [tomcoyote.com]?

Yeah, Brother!

[jackjumper]

The other day I discovered that I couldn't burn CDs at 10x any more. In fact, I had to slow down to 2x in order for it to work.

This led me on a chase through my computer. Through a combination of Ad-Aware, Startup Cop, and Process Explorer I managed to get rid of a bunch of leftover or not wanted CRAP that was hogging up my system!

Quicken, for example, had two programs that started up every time my system started. There was a Lexmark printer application running, even though I no longer have the printer and had uninstalled the driver!

And don't even get me started on Real One...

What a pain in the ass...

Re:Yeah, Brother!

[Tackhead]

> I used to love Real and Real Player. Now they install so much extra junk and do everything they can to always have something running. Ugh. One of the worst offenders out there and they only install their own software.

On an old 98SE box, I installed Real 5.0.

When it wanted to be upgraded to G2 (because a file I wanted to play needed the new codec, and I didn't want to upgrade the spam-free 5.0 player), I imaged the drive, ran the "over-the-net" upgrade ("Play the video, then let us download and run an executable, just trust us!") on the imaged drive, swapped drives back and compared the results.

I then copied the modified DLLs from the "upgraded" drive into the proper directory on the "old" drive, and voila, RealPlayer 5.0 playing G2 streams.

Did it all over again for Realplayer 7.* and 8.*.

Man, I love my South Park ;-)

The practical upshot of all this was that many of the "new" RealVideo streams don't need the new player - they just need the right DLLs copied into the right directories and the old player will work fine.

And WTF is NEW.NET?

[grnbrg]

Anyone? Anyone? Bueller?

A URL or something?

Google just points you to http://new.net/, which doesn't look like anything.....

Re:And WTF is NEW.NET?

[rossjudson]

NEW.NET supplies a new series of top level domains. They aren't doing this with anybody's authorization; they have simply shipped a trojan with a ton of popular free software packages that alters your IP stack to point to their TLDs. If you go to new.net and click on "enable", a Java applet will install this stack-altering crap on your system, after you foolishly allow it to do so. But, really, they install with a lot of different "free" packages.

There are even instructions for Linux

[clump]

UNIX and Linux instructions:

http://www.new.net/download/instructions_unix.tp

Wild.

Did you read the site?

[mblase]

It tells you everything you need to know. You can even install their software, if you're feeling self-destructive.

Property Questions

[Loundry]

I've long maintained that I do not think that information is property, and I therefore can't agree with things like Intellectual Property laws.

This post raises some interesting thoughts: are my computer's CPU cycles and my system's stability my "property"? Do companies have a right to infringe on those things? Do I have a right to sue if other companies infringe on those things without my explicit permission?

Don't mod me up; I just want to see the discussion that ensues. :)

Re:Property Questions

[BitwizeGHC]

Your computer system and your CPU are your property. They are physical, tangible objects that you paid money for.

Companies using your property for reasons that you didn't authorize, through subterfuge, are clearly in violation of your property rights. And "By clicking here, you agree to yadda yadda" is BS, particularly concerning software components you aren't told about.

Re:Slightly offtopic

[Technician]

I just removed Macromedia software from my system. Most of the content it runs is ads. Unfortunately they defaulted it to autoplay. Play could not be shut off while it was loading content. Many ads would end in some kind of animated GIF that still ran even with play and loop unchecked. It would only stop after unchecking loop, play and rewinding the annimation. Too bad they tried to satsify the content providers (advertisers) instead of the end users. All it would have needed was a configuration that a user could set up to not run flash automaticaly. A simple play button on a annimation would have been nice. It was the lack of configuration options that convinced me to remove Macromedia completely.

Re:Property Questions

[gilroy]

Blockquoth the poster:

"Fraud" is a good word for the password analogy, but only if the password were used to fool someone. What if, instead, it were used to gain access to your system?

Maybe we need to broaden the definition of "someone". Obviously a stolen password is intended to be used to fool your system. As we move toward semi-autonomous software, we going to have to expand our concepts of identity, fraud, lying, etc.

There is a "signed installation" system out there

[Dynedain]

You say one of the solutions is:

A "signed installation" program, run by known entities, asserting that a given program and its installation don't violate the rules

Guess what? That already exists for Windows (which is the platform you are obviously complaining about)...its called WHQL Certification.

Re:There is a "signed installation" system out the

[arkanes]

That's cool, except it's not what WHQL is, and hardly anything gets WHQL certified anyway.

Re:There is a "signed installation" system out the

[IIOIOOIOO]

You have the right idea, but WHQL is for hardware drivers, which is nice in and of itself. Rather, microsoft will sign software for you if you consent to pass a bevy of tests that determine whether or not you play nice with the OS, including not thrashing system files. Unfortunately, this kind of certification is VERY expensive, and not really an option for shareware authors. What would be nice is creation of an independent, cheaper organization that would supply similar certifications.

Re:There is a "signed installation" system out the

[Zathrus]

No. WHQL is only for hardware drivers. It is not their job to sign off on installation programs for random application software you may be interested in.

It's really amazing to see how much cluelessness is going on in this thread. Spyware programs are becoming pervasive on the Windows platform (and they could be written for Linux too if the spyers felt the marketshare was large enough to care about). And it's not just free software doing it. Pseudo-free software like Eudora is a huge culprit of spyware. And there are an increasingly large number of commercial software packages that install spyware to one extent or another (and while Creative may allow you to not install it, other software doesn't). MOST of the spyware doesn't bother asking you if you want to install it, and doesn't make any evidence of itself being installed. Probably because nobody in their right mind would want it installed.

And, sadly, it's a case of "it's not illegal, so it must be legal" reasoning that's going on here. You might be able to make a case for theft of computer services and/or trespassing, but it'd be a stretch.

Re:There is a "signed installation" system out the

[IDIIAMOTS]

Microsoft outlines policies for "well behaved" installations in Windows Logo Policies - Overview for Software [microsoft.com].
This is similar (but not exactly like) to WHQL certification for hardware.

interesting article

[Str8Dog]

RIAA and MPAA have made huge strides to protect thier copyrights. But the same companies would see no problem with this type of deception. We really want the government to say away from regulating the computer industry, but untill they do this BS will continue to get worse. The average AOL user has no idea and are building a army of zombie DOS machines and now an army of zombie marketing harvesters....

If Spyware would only follow these rules...

[jjhall]

I installed Kazaa the other day at home, knowing it would attempt to install the BDE3 (I think) viewer. Since my hard drive is NTFS, I created the BDE directory under my second account, and used NTFS permissions to be only readable/writable by the "Administrator" account. I thought that would stop it from installing. I was wrong, however. The program simply installed inside of a different directory.

It doesn't run because I did the same thing to that directory, but it still installed when I took fairly advanced measures to prevent it. The fact that programmers are writing applications that users have no control over is a step in the wrong direction. I don't want the "3D Advertising Projector" on my system, yet it installed anyway. That to me sounds like something Norton should be protecting from...

I do write simple programs for personal use for myself. I have given a few to friends, but I never install a "Jeremy in 3D" viewer or anything like that. Note to programmers: If it is ABSOLUTELY ESSENTIAL to the operation of the program, go ahead and force installation, but tell the user what it is and why you need it. If it is not essential, simply put a check box to not install it. Or at least instructions on how to safely remove it.

I understand that Kazaa is trying to make some money by forcing ads, but when people won't even install their software because of the ads, they are shooting themselves in the foot. If they used simple HTML banners, I probably wouldn't go to the trouble to block them.

Another thing that annoys me greatly is the Real Player (whatever they are calling this version) notification program. It pops up ads and new version notifications near the systray. There is not an option ANYWHERE I can find to disable that function. They used to have the real icon in the tray that you could close. And they had an option to keep it from loading. How much of my system resources is it taking to check in the background for new updates/ads? There are a few things I need real for (unfortunately) or I would uninstall it and be done with it. If I try to play a stream that won't play with the version I have, I will upgrade on my own. I don't need a resource hog app telling me when to upgrade.

RealPlayer

[BranMan]

I think that just disabling the "startcenter" will get rid of most of your annoyances - if it isn't running all the time in the background, it can't pop up crap in your face all the time.

Your PC will also run faster.

Open up the preferences. I think it is a button on the "General" tab labeled startcenter. That opens up another dialog that allows you to disable it (top checkbox - uncheck it). It will pop up a message with a dire warning - just click Yes I really Want To Do This. That should be it.

All the startcenter is good for is preloading Real (so it starts up 3 seconds faster - big whoop) and poping up annoying messages.

Re:If Spyware would only follow these rules...

[CtrlPhreak]

Get rid of all that spyware, I use ad aware. It has worked for a lot of things I never heard of and it's simple/small. Check it out www.lavasoft.de. Free as well.

Re:If Spyware would only follow these rules...

[arkanes]

BDE is ALSO some stupid video viewer that kazaa installs. It doesn't need it, it's a spyware app. it has nothing to do with the Borland engine.

Two more examples

[rogerl]

Real Player: Real Player assumes that you want their "service" running at times. It assumes that you want it to be your default media player. You try and turn some of these off via there options screen. Sometimes it works, Sometimes it does not.

Weather Bug: This is another one. It just starts running and does not give an option to turn it off. I had to hack the registry to get rid of it.

Oh well... I am slowly converting to completly Linux...

What New.Net is:

[PunchMonkey]

new.net is a company who decided that instead of waiting for the new top level domains to be approved, they'd just start up their own root domain servers and sell the new top level domains themselves.

So if you want to buy sweat.shop, you can go to new.net and do just that.

The software in question is a "plugin" that "fixes" windows to use their dns servers when requesting a domain that ends in ".shop" or whatever.

For more info, don't be so lazy and click on the "About Us" button at the bottom of the new.net homepage

http://www.new.net/about_us_mission.tp [new.net]

I submitted a story about this on slashdot long ago and, surprise! it was rejected. I'm sure I wasn't the only one who thought this site and company is worth discussing.

-- Punch the Monkey!

Re:What New.Net is:

[rbeattie]

I've often wondered what would've happened if Microsoft had thought of this several years ago - or decided to do something similar tomorrow.

Imagine if every WindowsXP that was sold had browsers that resolved Microsoft Name Service ( MSNS or simply ".NET") addresses? Imagine if Microsoft had thought about this in 1997 and every Microsoft browser (forget any other internet app - since that's obviously what New.net is doing) since then checked Microsoft.com's MSNS service for it's own custom domain names BEFORE your local DNS?

If they marketed it enough, my Mom wouldn't know the difference between .com and .shopping (a Microsoft-only domain).

It's an interesting thought... they could've controlled A LOT more of the internet than they do already. Maybe Microsoft isn't as smart and vicious as we all think...

But you know, all the ICANN haters always point out that the DNS system we use today is strictly voluntary and they have a point.

-Russ

Screw it

[drivers]

I'm switching to free software.

daemons?

[room101]

daemons? what are those. I don't think they exist on windows. (;-)

On windows, they are "services". They give you exciting service. Way better than those unix daemons. They only talk to you in your head and tell you to burn things. Or at least, that's what they do to me. Maybe I'll post an "Ask Slashdot" to get further insight. Oh, maybe not, the voice in my head says that it will get rejected.

Re:daemons?

[pyramid termite]

daemons? what are those. I don't think they exist on windows. (;-) On windows, they are "services". They give you exciting service.

They service you. Repeatedly and often, painfully.

Windows Users

[jyak]

Take control back of YOUR computer with all the proper utilities. Go to onlythebestfreeware.com [onlythebestfreeware.com] tto get the best free utilities to rid your computer oof unwanted items.

Three words: Package Management System

[JonKatzIsAnIdiot]

A package management system is the user's first and best defense against this type of thing. With it, a user can always determine which files are needed for which applications, and vice-versa. You can check what is going to be installed before you do it. While a malicious/ignorant software vendor could put malware into a package file, at least all of the files that make up that package can be determined later on. No other software management system can provide that information as easily. Not installer programs, and not even the sacred install-from-source routine.

Re:Three words: Package Management System

[Junta]

Of course, current package managers don't protect things sufficiently either, as they provide their own list of modified/new files. What the package *actually* installs/modifies does not necessarily coincide with what the package claims. A sort of enhancement I would like to see is a packgame managemant system in which packages are chrooted to a safe playground for all operations, and when it wishes to make changes/add new files to the real filesystem (presumably out of that playground), it would be *required* to do so only through a special commit facility provided by the package management utility. This commit facility could be configured for various levels of trust per app, from prompting on each operation to rejecting to allowing operations. Also, every operation is logged at a minimum of saying when and by what a file has been modified (keep a running history), to storing diffs between package modifications (good for, say, /etc files where changes are typically small and compress well).

Of course, as with anything, it couldn't protect against bypassing the mechanism (well, maybe with extensive kernel modifications, but probably not worth it), but for people currently relying on package management to keep their system consistent, this sort of infrastructure may be a good next step in the face of bad behaving packages.

i concur

[SubtleNuance]

If I wrote a stealth component today, I would have it seek out an Ad-Aware signature file and modify it to ignore me, or add my directory to the ignore lists. Ad-Aware could respond by digitally signing the files, or with other techniques.

If this begins (too late?) than I fully expect our friends @ NAI or Symantec to add this trash to their virus software. Anything that tries to protect itself from being removed is a virus. %insert_your_own_windows_joke_here%.

Ive been very happy with Ad-Aware, and as the author suggests, the first run on my own machine was a real eye-opener. I have some frineds in a local PC clone shop, and they run AdAware on almost all their repair/re-stage jobs -- they have been amazed at the numbers of Malware apps they have found running on people's PCs.

Disclosure, choice and the future (rant)

[legLess]

That's my summary of what we need: disclosure and choice. The user must know every single non-required system modification, and have the choice to not install any of them.

But this won't work, of course. Our favorite example is Microsoft, who blithely says, "It's all required; it's all part of the OS; either take the package or don't." Making choices confuses people, see, and we want to avoid that.

Without being elitist at all, some of what they say is true. One reason Microsoft has succeeded is that they remove those scary choices from the users. It's the software equivalent of "bread and circuses" - don't bother people with the details, wow them with flash, and they'll mostly ignore what goes on in the background.

This succeeds because it's what people want. My 72-year-old mother doesn't know about patches and updates and service packs, and for fuck's sake she shouldn't have to. For good or ill, most people view computers as slightly cantankerous, very expensive toasters. They have no idea that they have, sitting on their desks, a little machine that can do very nearly anything. They want to do a couple things, and they want those things to be easy.

I can see a couple ways for this to go:

1. Special-purpose machines. Instead of one computer, you'll have a few little ones. A web pad in the kitchen that downloads recipies, a glorified word-processor in the study hooked up to a printer, maybe with accounting software. Most people will go to Office Depot and spend a few $hundred on a black box, kind of like a cell phone now days, then throw it away when a newer model appears. Microsoft is set to own this market.
2. General-purpose machines. Geeks will still want a real, live computer that they can control. This is only going to get harder and harder. Twenty years from now, I bet there'll be fewer general-purpose computers than there were twenty years ago. The after-market parts business will dry up as copy-control gets more and more intrusive. I mean, I can build a box from a bunch of parts, but I can't build a fucking motherboard or hard drive.

Computers have to get easier to use while at the same time getting more complicated and doing more things. The only way to do this is to remove end-user control of the device. Fewer scary options, fewer things to screw up. For the most part this is a good thing. Most people using PCs today are basically helpless aside from a few well-known command sequences.

The hard fight will be to retain control of real computers while consumer boxes get dumbed-down. What will make this possible (IMHO):

1. No DRM. Period. This will kill general-purpose computing forever.
2. More standardization. As the parts market shrinks and specialty boxes become more common, it'll be harder for ASUS (e.g.) to sell mobos into the after-market channel. There will be consolidation, but as long as #1 above is avoided it shouldn't be fatal.
3. Concentration on software quality. The OSS community generally goes a better job of this than closed-source, but it will have to get better. Quality alons isn't enough; as we know, 500% better isn't better enough if you don't have good marketing.

This is a long, winding rant, and has gone a little off-topic. Back to the point: I don't think this situation will get better, or at least not in the way we hope. It's going to be incredibly difficult to hold software manufacturers liable for anything; it'll be even harder to hold them liable and let OSS off the hook.

The best hope, I think, is operating system diversity, which at this point means forced licensing of the Windows source code. If you can use Microsoft Windows that basically bends over for any cute-looking virus or trojan, or (e.g.) IBM Windows that flat-out refuses to install anything that isn't digitally-signed and verified (assume, for the minute, non-DRM verified), what would you pick? What would your mom pick? What would you want your mom to pick?

Re:Disclosure, choice and the future (rant)

[imadork]

Computers have to get easier to use while at the same time getting more complicated and doing more things. The only way to do this is to remove end-user control of the device. Fewer scary options, fewer things to screw up. For the most part this is a good thing. Most people using PCs today are basically helpless aside from a few well-known command sequences.

You're forgetting one big point here. Even if the end-user doesn't make the decisions, someone has to. How can we be sure that the decisions are made in the best interests of the consumer?

The answer, of course, is that they won't be. That special-purpose machine will still have to be maintained, but this time it will be maintained my Microsoft (or A0L), remotely, who could care less about your mom's access to recipies on a smart-pad in the kitchen, if they can't bill her each and every one. Or make her access to recipies "bundled" with all sorts of stuff she doesn't need.

If you can use Microsoft Windows that basically bends over for any cute-looking virus or trojan, or (e.g.) IBM Windows that flat-out refuses to install anything that isn't digitally-signed and verified (assume, for the minute, non-DRM verified), what would you pick? What would your mom pick? What would you want your mom to pick?

OK, so maybe your Mom can't make decisions about her computer for herself. But can she really trust MS, or AOL, or IBM?

Re:Disclosure, choice and the future (rant)

[markmoss]

I agree with you, except for one thing: "Special-purpose machines... Microsoft is set to own this market." Microsoft is _trying_ to grab as much of this market as they can, but they do not and will not own it. The most prominent example of special purpose machines today is PDA's -- and the Palm OS is doing quite well in competition with Windows CE.

But you want to build a special purpose word processing machine. So, do you go spend $$$ on Windows CE and the Word component of MS Office, or do you download Linux, KDE or Gnome, and Star Office? Either way, you put lots of work into figuring out how to configure the software to work on your particular hardware. But with Linux, once it works, you can clone that setup indefinitely, for free. With Windows, you pay by the copy, after paying initially to get the development system. With Linux, you'll have to work harder to make it luser-friendly and hide all the system complexity. With Windows, MS has hidden much of the system complexity even from experts -- if it happens to all work right, that's great, but if it doesn't work, you'll have a hard time getting the info to fix it. And you cannot modify the code, or look at it to figure out why things are going wrong -- not that you want to do this in Linux either, but if things really go wrong it might salvage the project.

And finally, with Windows, there is always the risk that Bill Gates will decide he wants to buy Brazil or something, so next year your license costs jump from $50 to $200. It might make it pretty hard to compete with those $300 Linux boxes, but if you've built your whole business around Windows CE, you might not have a choice. Maybe you'd better co-develop an OSS implementation, just in case.

OTOH, when you market the system, you can piggyback onto lots and lots of MS advertising claiming that Windows is the biggest innovation since the wheel. Unless you try to sell it somewhere that lying advertisements are prosecuted as fraud, or to people that are clueful.

Windows will be a big player in this market, but it cannot dominate it. The basic problem is that MS's tactic of changing data file formats to force upgrades is beginning to wear thin even in conventional PC's; if they start telling people that they have to throw out perfectly good hardware because it doesn't support Word 2005, many will shift to something else instead. And if they stick to existing standards, they are going to wind up competing with _free_ without any really superior features. MS marketing is actually good enough to win this -- part of the time.

Re:Disclosure, choice and the future (rant)

[legLess]

You make an excellent point, and I allude to it briefly and obscurely in my rant, but you say it better. The data format argument is a good one.

This is part of what I meant by "software quality." So far MS is lousy at it, and OSS is better. Some companies pick this up and use embedded Linux, but we should mostly count that as a miracle - OSS has to be so much better than MS even to make a dent because MS has such a huge warchest to throw at marketing.

I don't know how to solve this. Some big companies (e.g. IBM) are betting parts of their business on OSS, and their marketing may be enough to combat Microsoft's.

Microsoft is fast, fast, fast, though. Many companies have discovered this to their detriment. Microsoft, once it decides on something, can go after it with more ferocity and better organization than nearly any other entity on the planet. Most of this is thanks to their immense bank account from monopoly profits.

One thing at which they're lousy is grass-roots, and this is where OSS shines. Bottom line: power to the people, baby!

Some choice quotes

[mblase]

Some choice quotes from http://www.new.net/about_us_guiding.tp [new.net]:

"New.net will seek to work with ICANN to ensure stability in the Internet, and we will attempt to work in the best interests of all parties to not interfere with anything that ICANN plans to do." (Clearly, the author of this article would argue with the use of the word "stability".)

"New.net is building a more open registry business that also will enable other parties to introduce new domain name extensions to the millions of users that have access to New.net domain names. New.net will determine which extensions to release in the future, applying the standards set forth below." (You call that open?)

"We are building a DNS infrastructure that is at least as reliable as the root servers that serve .com, .net, .org, .co.uk, and other top-level domains." (I don't consider having to install special software just to get to a URL "reliable", but maybe I'm narrow-minded.)

Shoe's on the Wrong Foot

[bumski]

The author makes a lot of good points, but in the end, he's placing the responsibility for preventing unwanted, system-level changes on the wrong party.

Installing or modifying "system-level" components such as drivers, services, and daemons shouldn't be possible for anyone without administrative privileges. If the operating system fails to distinguish between normal users and administrators, then it's the OS that needs to be fixed, rather than the practices of innumerable software suppliers.

And if the user chooses to run always with administrative privileges, well, he deserves what he gets.

Mac OS X Software installs...

[MidKnight]

One of the thing that is impressive about applications that are written natively for OS X is the installation procedure: it usually involves a complex procedure called "copying". All hyperbole aside, it is that easy.

For instance, I installed MS Office on my laptop a while ago (still waiting on Sun & Apple to resolve their differences & build StarOffice for the Mac). The entire procedure was:

1. Insert Office CD
2. Drag-And-Drop a folder onto my hard drive
3. Start using it.

Installing applications from the Internet is even easier. I'm a happy registered user of OmniGraffle [omnigroup.com], a diagramming and graphical tool that makes other programs like it feel worthless. The installation process for that is:

1. Download the file, which unpacks as a disk image & it automatically mounted.
2. Drag & Drop the application.
3. Start using it.

Another nifty feature is that, to the high-level graphical interface, an application appears as a Bundle [apple.com], and therefore it looks like a single executable file. To the regular user, this is a far more intuitive presentation of what an "Application" is. However, if you whip up a terminal & go poking around a bundle, you'll see that it's really a collection of every file the application needs to work.

Mark my words, the Winblows platform will be emulating this behavior within their usual UI 5 year lag.

--Mid

Re:Mac OS X Software installs...

[markmoss]

Sorry, even Win98 had this beat. If you left it set up at defaults, it is:

1. Insert the CD. An install window opens automatically.
2. Click Yes.

Most of the time it works. What MS hates to discuss it that when it doesn't work, you are likely to be really f*d up. And it leaves too many openings for malicious or just badly written software to install things you didn't want. I assume the Mac has similar vulnerabilities, but since Apple maintains much tighter control over software for the Mac, the chances of an installation going bad is lower.

Re:Mac OS X Software installs...

[bdowne01]

Well, I think that's a little oversimplified. It actually involves clicking "Next" several times as well ;)

But I believe his point is that you have control over what's installed on the Mac. If you don't want it installed, don't copy it.

A Windows install is a scripted behind-the-scenes shindig. Who knows what's being added to your registry...where & what files are being installed, etc.

-brian

Earthlink and my neighbor's PC

[dpilot]

A while back, my neighbors switched from Earthlink to Adelphia cable. Trying to be a good netizen, I spoke with them about getting a firewall, and set up a time to install Zone Alarm on their machine.

When I went over, they made a side mention about all the stupid popup ads they were getting on Adelphia, how they hadn't gotten them on Earthlink, and Earthlink had promoted, 'No ads with us.' I responded that we didn't get any more than normal popups, on either Linux or Windows.

So we installed Zone Alarm, and started up the cable link, again. First thing we see is a program out of an Earthlink directory attempting to contact the nameserver. Press the 'No', and the popups were gone. Apparently some piece of Earthlink software got in a tiff because the nameserver belonged to another ISP, and decided we needed to be punished.

How, I ask you,

[jwinter1]

How, I ask you, how are corporations supposed to cater to your every whim without efficient and effective spyware? Do you just expect movies about Britney Spears and snowboarding to just appear out of nowhere? They can't waste time and money with "original" ideas; they need proven material.

And that's why I gladly install as much spyware as I can. That way I know that my opinions on everything, from linux to pornography all the way to pornography and linux, are recorded by internet tracking software.

Thank you, spyware, thank you. And thank you too, Britney.

Preaching to the Choir?

[scott1853]

Ok, how many people here choose the standard installation options and how many ALWAYS choose Custom just so they know what's being put in their system?

The programs that I've seen install that New.NET and SaveNow crap have always had them as customizable installation options. You just had to click a button and read the contents of one more screen during the install.

The software that crap comes with is free anyways. So what's the problem? Are you going to write your own software or take a trip to the store to pay for software (assuming it's retail) just so you can save yourself 10 seconds off your install time?

Why don't you go talk to Fritz Hollings and maybe he can work that fine idea into some worthwhile legislation for you. Or better yet go talk to gates about only installing software that the author has spent thousand of dollars having verified by windows quality labs.

Famous words

[ftobin]

Because the program is licensed free of charge, there is no warranty for the program, to the extent permitted by applicable law. Except when otherwise stated in writing the copyright holders and/or other parties provide the program "as is" without warranty of any kind, either expressed or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. The entire risk as to the quality and performance of the program is with you. Should the program prove defective, you assume the cost of all necessary servicing, repair or correction.

Now, not only does GPL'd software contain this clause, but practically any software. You accept a great deal of risk when you install software.

Did you participate in a eula from new.net?

[stienman]

If the EULA you read for the software that installed NEW.NET didn't force you to waive liability from new.net, and new.net didn't give you a EULA that waived their liability, then you could claim they are liable for the destruction of data and software on your PC, since you never waived such liability.

Seriously. Check with a lawyer.

-Adam

You, the consumer, have exactly what you want

[PrismaticBooger]

Microsoft has gone to a lot of effort to ensure that you don't have the level of control you're seem to want in this rant. If you really wanted this level of control, you'd use a product that offered it. Instead, Windows consumers have demonstrated to Microsoft that they don't care. Microsoft users will suffer through countless reboots. They'll even readily grab their ankles for a complete reinstall when some poorly written software hoses their fragile system.

Windows users will not only tolerate, but pay for all of that. And they'll pay for it, as Microsoft well knows, because it's applications that sell Windows. So they'll ensure that application developers can fully commandeer your machine if they want to, because that's what application developers say they need to make the users happy.

Who would ever have imagined that such privileges can be misused and abused?

Now stop whining to the government to protect you from yourself and start making some forward-thinking decisions about the software you use and support.

Most people wouldn't understand anyway.

[Eric Damron]

I agree with the author that you should always be able to remove any program completely leaving no little surprises behind. However, notifying people that it is about to install a driver, service, or daemon might be too much. Most people won't even know what a driver, service, or daemon is, so what would you say to them?

"About to install a daemon in your system... Do you really want to do this? DO YOU!!"

hehe Ok maybe it wouldn't go like that but most people won't be sure how to respond. All they want is for the program to do the job that they paid their money for it to do.

Not telling people about installing spyware should be a crime. The fact that information is being passed out of my PC without my approval is theft. It doesn't matter if it's my credit card number or a list of sites that I visit. It should not be up to corporations to decide what is to be considered private information on my PC. I can handle that job, thank you very much.

The problem

[jafac]

The problem with this is that Microsoft is the standard, and in order to be MS Certified software, you MUST use Microsoft's MSI installer (which is absolute SHIT!!!). And MSI isn't going to play nice in any of the ways you outlined, because MS doesn't want it to, and doesn't care.

The invisible hand job at work again. Wheeee!

Alarm program for installers?

[esnible]

What's needed is a program that monitors installation programs and reports if they are attempting to do something shoddy.

Sort of a 'ZoneAlarm' for setup.exe files, which monitors nasty registry changes, DLL overwrites, etc.

It's not impossible for a Win32 'debugger' to control and watch an install program. I know there are trace programs, and Bounds Checker, but none seem designed for the person who just wants a button to kill and undo an installation that touches, for example, the winsock DLL.

Installation Specialist

[rossz]

I'm an installation speciliast. That is, I write installers for many different platforms. One of my biggest complaints about software is installers written by amatures. Typically, the manager tosses a copy of InstallShield at the junior programmer and says, "why don't you deal with this when you have a moment". This is usually said a few days before the release date. The result is a mediocre installer that runs ok most of the time, but often the installer will have a basic flaw, such as replacing important system files with an old version.

On Linux/Unix platforms, it's even worse. The installer is almost always a horrid shell script that has been hacked on by a dozen different people over several years. No one really knows what that script is actually doing. The script works great, so long as you are running RH 7.1, because that's the distro the programmer uses.

As for standards, they do exist on Windoze platforms and people familiar with writing installers deal with them. In the Linux/Unix world, it's a free for all. There are some general standards, but all too often they are ignored.

When it comes to "stealth" installing, I wouldn't do it. If the component isn't necessary to run, then it is an option with a checkbox. If it's pretty good idea to install it, it will be checked by default. If it's just eye candy, it will be unchecked. If the primary software won't run without it, it will not be an optional component.

In summary, hire the right person for the right job. Stick to standards where they exist, fight for reasonable standards where they don't. Never forceably install unecessary components. Most important, don't ever change basic system functionality.

Cybercrime?

[gotan]

What's the difference between a big corporation putting software on my computer without my knowledge to sniff me out or add unwanted functionality, and a cracker doing the same thing? I don't see it. I really wonder if you couldn't apply some of the recently tightened cybercrime laws to the case, essentially fighting one evil with the other.

I installed RealPlayer recently...

[Remus Shepherd]

Yes, despite every warning I've heard, there was a .ram format video that I really wanted to watch, and so I thought it would be okay to install RealPlayer just briefly. And now, I am living a nightmare.

My Windows 98 box, which was none too stable to begin with, is having serious problems with blue screen crashes and registry errors. RealPlayer auto-loads things on startup, most notably a scheduler that goes out and checks for updates once a week with no way to turn it off. It's taken over dozens of file types, even ones that it apparently doesn't handle. And -- most annoying of all -- it has no Uninstall option, which I would expect of any professional software. I think I've pulled all the auto-loading parts of this demonic software out of my startup scripts, but to really be rid of this evil thing I'm looking at a full reformatting of my hard drive.

No software package should ever put a system in that kind of state.

Required Tools of the Trade

[thomis]

If you are going to use Windows software from untrusted (i.e. most everyone, especially M$) sources you must take steps to protect yourself. First, trust your gut. Does the developer "smell funny"? Is the software from a startup company with no visible means of revenue? I tend to trust programs created by individuals or small teams that demonstrate some passion for what they do (EAC [exactaudiocopy.de], or LAME [mp3dev.org] for example)

Then, get Technological on their ass. Start with a personal firewall that monitors all outgoing traffic. Zone Alarm [zonelabs.com] is the one I trust - gut feelings, and I've read some negative things about Black ICE [networkice.com]. Amaze and astound your friends as you block requests from RealPlayer, Windows Update, and other "legitimate" programs that like to access the net without asking permission.

Then get Ad Aware [lavasoftusa.com] and get that sinking feeling as you see the total number of unauthorized programs, components, and services on your system.

Finally, install Proxomitron [thewebfairy.com] to make make your browser behave a bit more politely by re-writing the html it sees before it sees it (and find yet another reason to love Shonen Knife. They're way kawaii!)

Forewarned and fore-armed (hairy ones, even), you stand a much better chance of maintaining control of your system.

From the Darkest Days of MS DOS Onward

[nickynicky9doors]

Remember the trials and tribulations that was Win 3.x and 286 before it? These complaints have been around since the inception of the PC, except that in the darkest days users were demanding and not getting something as simple as UnInstall.

Packaging Systems

[clump]

One of the things I really like about Linux is packaging formats like RPM and DPKG. The approach is that your system is to be built from modular pieces that can be tracked, updated, queried, and removed.

Now the problem, and source of frustration for some users of RPM, is that these management systems do not respond well to circumvention. IE, compiling an application outside of /usr/local or using an installer that doesn't let the package management system know it exists. Case and point: Perform a server-class Redhat installation. Install XFree86 from XFree86-distributed binaries then try to use something like an official xterm RPM and your system will say you need to install X11.

An interesting approach to this is that of Debian's in that you will have an official package available for just about anything you could want. Browse debian.org's unstable software archive to see. Conversely apt will handle dependencies of packages for you as a result DPKG/Apt is *more* tempermental about being circumvented.

Though I wish people would respect the original ideas of RPM and DPKG, I think the concept is great, and avoids the tomfoolery of mucking with nasty-3rd party installers if done correctly. When you can't or don't want to use a package, go with /usr/local. Things like new.net installers don't cut it over here.

Computer War .. Ha ...

[TheViffer]

This is prob redunant and mark it as such ...

But go install Quicktime, Real Audio and Microsofts Media player and then see the war that breaks out on your box.

Windows is hopelessly broken in this respect

[bcronin]

Anyone who's administered Windows machines knows that Windows programs, in their never-ending quest for convenience, routinely install taskbar "daemons". I find that you can gauge the naivete of a user as directly proportional to the number of small icons next to the clock.

The point is that Windows application writers are so used to running a resident process in support of their dinky programs that it seems to me to be too late to change the practice. Of course, some programs are more intrusive than othes (Real Player, anyone?), but it seems like the developers of just about every dinky little app seem to think they won't be taken seriously unless their program loads SOMETHING at bootup.

Of course, I shouldn't complain. I make good money doing PC consulting work; a good percentage of my calls are people whose machine is so clogged with TSRs that it has become unusable.

New.net Software

[lamabile]

First off let me provide some background information regarding our software.

Below is the list of all of our present and past distribution partners (download partners have always been clearly listed on the New.net website):

Present Partners:

BearShare
KaZaA
iMesh

Past Partners:

Go!Zilla
Babylon
Cydoor
GDivx
WebShots

Each one of our current and previous distribution partners is required to provide disclosure during installation that our software is bundled. We in no way install in a "stealthy manner", since it is the responsibility of the user to read the install screens that are provided during an installation.

In light of these recent comments regarding disclosure, we are working with each of our distribution partners to improve awareness of the New.net bundle in the install process.

New.net's software provides a service to its customers as well as its users that want to gain access to domain extensions that our sold on our site. In order to provide resolution, our software adds itself to the TCP/IP stack. There are other methods to resolving our domain extensions such as adding "new.net" to the domain suffix search order or adding our DNS servers in the DNS server search order in the network configurations. You may also append ".new.net" to the domain extension in the address bar of the browser for resolution. Our software is our "user friendly" way of providing such access. Manually changing network configurations requires a reboot whereas our software can install in seconds and provide resolution immediately.

Our software is not "unstable" in anyway unless a user tampers with the configuration to a point where it makes Windows unstable. This is consistent with any other software that adds itself to the TCP/IP stack. If someone were to just randomly start deleting files on their system that are referenced in the TCP/IP stack, without first checking to see if there is an uninstall in Add/Remove Programs, then of course you would expect nothing less than an unstable or corrupt system with network issues.

"The little war I mentioned earlier is going to get nastier soon. Uninvited components like Cydoor and NEW.NET are sure to take steps to defeat Ad-Aware and programs like it. If I wrote a stealth component today, I would have it seek out an Ad-Aware signature file and modify it to ignore me, or add my directory to the ignore lists. Ad-Aware could respond by digitally signing the files, or with other techniques. This cycle will escalate, with each side taking new steps to ensure its dominance. Users will pay the price in decreasing system stability."

Let's be clear on this point: New.net does not create or distribute any kind of stealth software in order to avoid signature files for Ad-Aware. In fact, Lavasoft had determined that our software is not "spyware" and discontinued removing our software since August 2001. I welcome anyone to contact Lavasoft directly for further information. There are still mirror sites out there that list New.net as a component that is removed by Ad-Aware; but I assure you that these sites reflect information prior to August 2001.

"I've been beating up on NEW.NET quite a bit in this article. I suppose it's because the deinstallation of their component trashed the IP stack on my Windows 2000 system and it took me a half day to put it back together again. What the hell were they thinking when they stuffed a buggy service deep into my IP stack without telling me? I think they should have to compensate me in some way. A $250 Small claims court action here in Virginia might be a way to do it."

The New.net client is clearly listed in Add/Remove Programs like the majority of all other software and when the correct procedure is used then the software is properly uninstalled. If someone decides to remove software "their way" as opposed to the correct way then you can assuredly expect problems. Please explain your procedures of "deinstallation" that lead to a "trashed IP stack," this may be useful to the New.net QA team.

Leonard Amabile
Director of Customer Support
New.net, Inc.

Re:he has some valid points...but....

[mansemat]

When you install something for FREE from the internet, you can't assume it will work as you want it to. Also, just because it works on your machine does't mean it works on everyone elses. this is pretty redundant IMO.

NEW.NET is only a component. You could also find NEW.NET in commerical software that you pay for.

In that case you've PAYED for something. Do you still assume is will work as you want it to?

What a day to be without moderation points...

Re:he has some valid points...but....

[DahGhostfacedFiddlah]

If someone gives you a free hot-dog that happens to contain poison, can you take them to court?

Sorry for the stupidity - but it's the first analogy I could think of. The program/component was misrepresented (as something that wouldn't fuck with the IP stack), and that misrepresentation caused damage to his computer and a certain amount of time getting it to work again. I don't agree with punishing free software developers for bugs, and there's little precedent, but just because it's free doesn't mean that the creators can't be held liable.

Re:he has some valid points...but....

[Hiro Antagonist]

Funny; I grabbed all of my application software, from StarOffice to Opera, for free, off of the Internet, and it seems to work just fine. So do the numerous other, smaller applications, like 'mutt' and 'ssh' -- they haven't trashed my computer, either, and they were free.

I think what the author is trying to get across is that the user needs to be informed; and while this is taken for granted in the free software world, it seems to be largely absent nowadays in the world of commercial software.

When a Debian package is going to make changes to a configuration file, it asks me first (unless I tell it not to); when most Windows-based installers decide that it's time to replace the IP stack with a Jell-O recipe, it just goes ahead without informing the end user of squat. While Microsoft has made this easier, it's not totally their fault (for once); and it's something that applications developers need to keep in mind.

Re:he has some valid points...but....

[Shadarr]

Download.com has introduced a nice little disclaimer that they attach to programs which, while a lot more wordy and circumspect, basically says "this program contains spyware". It makes it way quicker to decide which program to try than scrolling through all the user feedback to see if anyone has posted a warning.

Re:Whta do you mean, "not totally their fault"?

[Hiro Antagonist]

This has nothing to do with holes in APIs; this has to do with third-party software installing extra crap without notifying the user. A Debian package or an RPM could easily install spyware or make unwanted changes without notifying the user -- the reason that I've never seen a package that does is because free software developers tend to have more respect for their users; it's more of a peer relationship than an adversarial one.

Re:he has some valid points...but....

[UsonianAutomatic]

Right... especially when the EULA of whatever software you install indemnifies the creator of any damage the software might cause your system.

It's like suing tobacco companies after getting cancer/emphysema after years of smoking cigarettes that have a GREAT BIG SURGEON GENERAL WARNING on them.

EULAs unenforceable

[coyote-san]

First, EULAs have not been upheld by the courts. Especially when they "shock the sensibilities." That's why UCITA is trying to write enforceability into law.

Second, the EULA you saw focused on the main application being downloaded. It is unlikely that this EULA will discuss embedded applications with any depth, at most you might see a paragraph making vague references to third-party applications.

Third, one of the cornerstones of contracts is that it's an conscious, INFORMED agreement between multiple parties. One or more parties may decide to remain ignorant, but once one party begins to deliberately withhold pertinent information that another party wants it's a whole new ballgame. As the author points out, there is absolutely no reasonable way anyone could ever expect an application that computes the size of a speaker enclosure cause a critical part of the OS's network stack to be changed.

Finally, I think this situation is so outrageous that it's getting close to gross negligence, not just negligence. You can contractually limit your exposure due to negligence (you made an honest mistake), but you can't contractually limit your exposure due to gross negligence (you knew there was a problem, you know your inactions would cause harm to others, but you didn't give a damn).

A better analogy is that you bought a hot dog. Okay, this is a little iffy, but most people understand that some cheap hotdogs have filler and they'll pay more for a "100% beef" hotdog. But now you learn that you're now sterile because the hot dog producer has been dumping dangerous chemicals in the brew, but hey you agreed to this risk when you bought those cheap 'dogs.

Re:he has some valid points...but....

[tyllwin]

Oh, come now. Let us draw an analogy or two:

You're at the supermarket. At one of the tables set up along the aisle, an employee offers a free piece of candy, which you accept. The center is filled with ipecac, and you vomit for the rest of the day.

You're at a concert. You accept a free nerf ball being given away by a radio station. It turns out to contain a miniature microphone which transmits your conversations back to the station's marketing department.

In any other form of human endeavor, would "it's free, whaddaya expect?" justify this sort of deception?

When the software comes clearly labelled "THIS FREE DOWNLOAD WILL INSTALL 2 PIECES OF SPYWARE, CAUSE ADVERTISING POP-UPS TO APPEAR ON YOUR DESKTOP, AND MAY REPLACE AND/OR DAMAGE INTEGRAL COMPONENTS OF YOUR OPERATING SYSTEM," then I'll agree that the person who installs it gets what he deserves. Until then, I say s/he's being damaged by intentional deceit.

Re:he has some valid points...but....

[ArnoldYabenson]

Nobody forced you to put it on your machine.

New.net is "bundled" with other software, most notably "imesh" (file-sharing).

I work at an ISP, and we see a fair share of problems from this Trojan Horse.

You're correct -- no one forces anyone to put new.net on their machines. But the most frequent scenario I encounter is the patriarch of the family calling about the "family system." When Add/Remove programs reveals the presence of IMesh and New.net, invariably the statement is, "I guess one of the kids..."

This is legally very precarious ground. Kids are not old enough to make contract agreements, so unless there is some sort of age-check performed, these Trojans are coming in a backdoor with no legal agreement involved.

This is especially dangerous where no "opt-out" is offered. DivX Nteworks [divx.com] is currently offering an "ad-sponsored" version of their new codec, DivX 5.0 (otherwise a nice piece of software) -- we are already getting calls about "where are all these pop-ups coming from?"

I installed the DivX package and guess what?

1. There is no choice in installing it, if you want this package, you must install the advertising software.

2. It doesn't just deliver ads. It provides detailed information about your net activities to a server that then decides what ads to deliver to your system.

3. Uninstalling DivX does not remove the service that it adds to an XP machine. DivX Networks claims in its forums that it uninstalls with their software, but no user has yet agreed with them on this point.

So, when "Junior" installs DivX on the family PC, the entire family gets spied upon, with no one of legal age having consented.

This is a lawsuit waiting to happen. DivX Networks in particular stand to lose a great deal in terms of community resect/user trust, if not in cash.

Re:he has some valid points...but....

[geekoid]

so? people and companies still need to be liable for this type of behaviour.

I don't have to get my mail, but if I get anthrax does it make it my fault?

Re:GIGO

[rossjudson]

Well how about when you have a Creative Nomad Jukebox on your system and you need to move files over to it? it isn't a normal drive. I'm not trying to give advice to super smart guys like you, who obviously don't need anybody's advice on any topic.
I do agree with you; Creative software is crap. No argument there. Wish I didn't have to use it.
So how are people supposed to know what is "spyware infected" and what isn't?

Re:Keep it simple

[Sorthum]

The problem with this idea is that end users generally don't want to know the nitty gritty details about their machines-- they just want the damned things to run. That's why this standards idea is such a good idea-- it keeps the end users happy because programs such as the old AOL versions won't mess with settings without telling you about it, and it makes those more knowledgable happy because they're not having to rebuild IP stacks (as an example) because some buggy code made it into a final release.

Re:Here is an idea...

[alen]

I think Real Player is the king of unwanted components. And when you turn them off from running in the system tray, they turn back on. Unbelievable.

Re:Huh?

[glitch!]

What the @##$% is new.net?

They are the new version of Alternic. Remember them? They set up their own root nameservers in order to sell their own top level domain names. In order to make it work, they had to persuade ISPs to use their root nameservers instead of the official ones.

New.net has apparently learned from the Alternic episode. No, they didn't learn the part about respecting the official DNS structure. They learned that getting all the ISPs to agree and cooperate is not very practical.

So instead of changing the DNS system from the top down (Alternic), they are trying to change it from the bottom up, starting with your Windows computer. In my opinion, this is just as sleazy, no! even more sleazy than the tricks USR pulled to get dialup customers to force the ISPs to buy overpriced X2 access servers.

Re:One more example of why...

[Kymermosst]

RPMs are not nearly as bad. You can always do rpm -qp -l name.arch.rpm to find out what exactly it plans on installing, substitute the following for -l to do other stuff:

--info to see information
--scripts list config scripts that may run
--triggers list trigger scripts that may run

You have the option to extract scripts and check them yourself. You can also see the services and deps that the package provide, etc. All without installing it.

I know, you never install binaries, and of course, a binary may have something in there that shouldn't be there.

But then again, I imagine you rarely, if ever, read 100% of the source code you just compiled and installed, read the makefile, or keep track of where exactly it put things. You probably just trust it because you have the source, not because you READ the source.

Then again, I might be wrong, and you do.

Personally, I install binary RPMs from trusted sites. (Red Hat, SuSE, KDE, a couple others), and from source tarballs when I think there might be a trust issue.

A good, reputable, signed RPM is a good way to determine trust.

Re:One more example of why...

[Junta]

And this helps you know what happens how? RPM doesn't provide perfect tracking either (packages can lie about what they do and be believed by the database), but it at least makes an effort to track what files were created on behalf of what package. Blindly compiling and installing packages to the default location does not offer enhanced security or better tracking by itself. Maybe if you take the time to manually review all the Makefiles and source, then yes, you are in better shape (and of course record all these changes somewhere). You can even use a program to timestamp everything and figure out what files changed in the intervals, but this isn't perfect either.

as soon as you type ./configure, you give the package permission to execute whatever it wants. Though currently you can reasonably expect good things to happen, in a world with more malicious linux software, this could be very dangerous.

Re:! Kiddies - MAKE MONEY FAST !

[SuiteSisterMary]

does ANYONE know what the MS Office quickloader and file finder try to do to make office run faster? I sure as hell can't tell the difference when I turn them off. In fairness Lotus SmartSuite has 'em, too.

The quickloader pre-loads office DLLs into memory. Less to load when you actually want to run one of the office apps. The file finder creates indexes of the various office docs on your harddrive, so that doing ad-hoc searches isn't actually doing a hard-drive scan; the scan is done during off-hours.

Not .NET, NEW.NET

[Da VinMan]

This confused me too.

I don't think he's talking about Microsoft's .NET, but is instead talking about the alternative domain name root at http://www.new.net/