Three times as bad as malware: Google shines light on pay-per-install As some point you have probably downloaded a "free" piece of software only to find it has come with a whole host of other unwanted friends that go on to redirect your browser search bar or inject ads where there weren't any before. This is the world of pay-per-install (PPI) and Google, along with New York University and the …
I generally have the opposite problem on Linux. Why can't the package manager read my mind and install the extra bits that are necessary?
For example (this is a bit esoteric): apt-get install snmp .... ... why the fuck would you not want MIBs after installing snmp? *sigh* *Google* apt-get install snmp-mibs-downloader.
Bizarrely, with Gentoo I feel a bit spoilt in comparison with binary distros because USE flags indicate what you get and what you don't get with a package. It just takes a little longer to turn up. Now, with Arch you get close to the best of both worlds - they seem to give you the full package eg net-snmp does have MIBs in it and it's pre-compiled.
I've just read the Gentoo ebuild for net-snmp, there is no USE for mibs - they just get installed because snmp without them is just so much .1.3.6.1.4.1 (yes, that was from memory.) Ubuntu is weird (but I use it a lot and to be fair Debian, as upstream, may be to blame)!
Because they are non-free
2.2.3 The non-free archive area
The non-free archive area contains supplemental packages intended to work with the Debian distribution that do not comply with the DFSG or have other problems that make their distribution problematic. They may not comply with all of the policy requirements in this manual due to restrictions on modifications or other limitations.
Packages must be placed in non-free if they are not compliant with the DFSG or are encumbered by patents or other legal issues that make their distribution problematic.
In addition, the packages in non-free
must not be so buggy that we refuse to support them, and
must meet all policy requirements presented in this manual that it is possible for them to meet. [5]
why ... would you not want MIBs after installing snmp?
Because if you're managing the machine over the network (as in that thing the second letting in SNMP stands for), you don't need the MIBs on the machine you're monitoring, but rather you need them on the one you're monitoring from. They don't serve any purpose on the machine you just installed the SNMP daemon on unless you're doing everything locally (which you might be, but it's not the usual scenario).
I can't remember which distribution this happened on (might have been CentOS), but I tried to install the vim editor, and the package manager wanted to install x.org, gnome, gtk3, and a whole page full of other cruft as dependencies... serious wtf moment.
...that Google are investigating what amounts to 'bundled' software. OK, I'll admit that the article is referring to software for which there is most likely no option to not install it, unlike purchased software where hopefully there either is no bundle, or it's at least possible to select not to install it.
* ironic, in that Google bundle a fair bit of stuff which I'd certainly not really want into the code of things like Android and Chrome, though it's not actually separate software.
"Adobe Reader download page has had Google Chrome preselected (opt-out) for years now if you venture to the page with Internet Exploder."
It's not so much the browser though, it's hard coded into the installer I think. Because I'm using Opera which is now build on Chromium, and even I get that same crappy download stuff.
"It's not so much the browser though,"
I think it is. I'm primarily using Firefox and Adobe is offering the McAfee/Intel crap combo for it. I also tried Vivaldi and it is also getting the McAfee/Intel treatment. But if I use IE/Edge then only Chrome is offered. I tried this with each browsers' private browsing feature just in case.
So Why Opera is also getting Chrome along with IE? No idea.
> stuff which I'd certainly not really want into the code of things like Android and Chrome
Prompted by the article and not entirely unrelated to 'unexpected features of surfing', I wondered if Lop.com was still a problem and apparently (15 years later?) it is! Though with default mobile-device browsers it just sends everything you type in the URL bar to the 'preferred search provider' rather than forcibly redirecting you to their home page.
It's all forced upon us, the level of objection is dependent on the manner of the forcing...
"Nothing is really "FREE"".
I find your lack of faith disturbing ;)
FreeBSD is a derivative from Berkeley Unix but, as its name implies, the freely available variant of it. Of course the current FreeBSD is nothing like its ancestor and due to licensing issues also can't be considered an official Unix any more but it's quite clear that this OS has its roots within Unix. All funded by the FreeBSD foundation, a non-profit organization with one primary goal: to support FreeBSD. And the best part: the foundation is basically ran thanks to the support of dozens of people all around the world.
Now, please note: the only reason I started with FreeBSD is that this OS happens to be my personal favourite. But that doesn't make them unique nor do I allow myself to base myself solely on bias here.
Because there's also the awesome GNU Operating System, which most people would simply refer to as "Linux". Yeah, but there's more to that project than that. This whole endeavour is sponsored by the Free Software Foundation which also has a specific mission statement, one even broader than the FreeBSD foundation. The FSF stands for promoting computer user freedom. Where one of its tasks sits within GNU/Linux.
Or what about the Apache software foundation? Home of the highly acclaimed (and most dominating) Apache webserver, or the freely usable Java EE backend Tomcat.All freely available, right for the picking (download).
So yeah, you might want to be careful with statements such as yours.
Have you heard the phrase "free as in speech, not as in beer"? Your cynicism suggests that you've been exposed too much to the latter rather than the former. Yes, we boring FOSS enthusiasts actually *do* enjoy something that is really "FREE", as you put it. The people who face endless disappointment in life are those who chase the free beer, only to discover that it is someone else's piss.
But i guess it was google that missed it... what is the effectiveness of these bundled ads.
For example, the one that does affect OSX is having your start page changed. I use chrome and leave it to default to google search. When i find it has changed to Yahoo, the first thing i do is change it back and go into a panicked lock down on "what did i just install that did that".
Marketing people are not the brightest so these PPI installs must be selling the goods.
It is worth noting that the cost for Vietnam being so low is probably because it is known here (in Vietnam) that people will happily look and click on ads, but no one buys anything.
I guess the USA is known for people being receptive to ads and stumping up a credit card number.
Easy enough to check...
* visits Adobe's download page for Flash *
I had to enable javascript to check, but now you get "added value" - you get the opportunity to opt out of downloading two items now, rather than just one: Not only the McAffee Security Scan Plus scareware, but also True Key by Intel Security (some kind of password manager).
Thanks, now I finally understand the new business model of M$: they want to be the 1st PPI in the world with W$-10 unwanted-software-auto-install-can't-disable-it.
It must be a coincidence that Google revealed that just now, and says "operating system" in the list of what can possibly be a vector of infection without saying which "O.S.". but we have guessed of course!
And that would be why whenever I buy a new machine, I buy a fresh hard disk (since the OEM is going to over-charge you for it anyway) and a fresh boxed copy of Windows. I'll pop the old HDD from the machine, pop the new one in along with the Windows install disk. I keep the old disk around in case I need to send the machine back to manufacturer for repairs or if there are drivers I need to siphon off the original image.
"Not necessarily, but the law gives you a *lot* more protection, including the ability to sue the author, if you should wish."
Have you noticed the price of litigation in the UK and the US these days? Trying to sue anybody with a lot more money than you can be very hazardous.
Personally, I have no problem with bundled software if it's obvious, and anything it does (such as send your details off to Google, Facebook or whoever) is *clearly* stated in the install screen. I'd even go so far as to ask that programmers include a page on the install dialog of their package (assuming it has an install dialog) stating that their package uses such and such, which will be sending their details to whoever (including what details). I also prefer to see them at least offer a payment option that removes any bundled software/spyware.
I like free software, but I do not expect developers to provide it for free if they don't want to. They have a right to earn money, the same as you or I. I do ask that they are clear when they do install spyware though.
That said, it is annoying when you buy a new laptop and they've bundled gigabytes of crap with it (including Norton Antivirus).
Why can't people just do what you should do, when you install something NEVER select the standard install options, always select the custom option to see what crapware they are trying to install as well.
Long gone are the days where you were given the option to install the Google toolbar as an added option, if you don't do the install properly then you get all the crap for free.
And that isn't just for free/shareware, some paid for software has been known to side install 3rd party junk as well.
Some software builds in a 20-day delay before waking up so users don't immediately associate it with the free download they just installed.[..]
Despite efforts to block the installations from occurring, the PPI networks have a wide variety of ways to bypass their efforts. The paper's authors found that affiliates jump between domain names every seven hours in order to constantly stay ahead of blocking efforts. They incorporate technology to get past filters and virus scans.
Surely these are enough to qualify them as malware on their own? Especially trying sneaky tactics to hide their origin.
In a related blog post, Google noted that it was constantly improving and updating its "safe browsing" notices in order to flag up sites that includes this sort of software,
Google.. Would that be the company that keeps trying to shove their [cough]"browser" on your machine by having it bundled with lots of other stuff, lots of adds for it in search results and who try to stuff their, well, stuff down your throat every chance they can get? Is their any chance their site-flagging software lists their own sites?
Absolutely correct. Delaying installation is clear evidence of malicious intent. Any AV package that doesn't detect this is *manifestly* broken beyond repair and you should ditch them in favour of either something that isn't utter shit or nothing. (Either would be better than something that just sits there telling you how great it is whilst letting obvious malware through.)
What's that you say? NONE of the commercial AV packages detect this? Gosh! Colour me surprised...
Google did research on this? If so, it did it only to figure out how it could install its own spyware. The Google Toolbar is known to be one of the most common pieces of spyware and foistware in existence, and Android and the Chrome browser both have spying built in (as does Mozilla, due to the close relationship Mozilla had with Google).
Why is this reported? If users want free software, someone has to pay. Software doesn't write itself, some person has invest the time to create the software and, as the saying has it, time is money. The argument seems to be that software developers should not seek to earn anything from their efforts because so potential users don't like the inconvenience. Then put your hand in your pocket but stop whining.
As others have pointed out the irony is that Google is publishing the research on which this article is based. Google which earns so much of its money flogging adverts. But that's fair IMO. Google has invested in providing a service we all use at no charge and they recover their investment by selling product.
Finally, there seems to an allusion that software downloaded with free software is equivalent to malware. So the implication is that legitimate downloaded software like Skype is the same as software which has the one aim of hacking PC. Really? I get that you don't like Microsoft but, really, get over it.
On Linux, systemd qualifies as unwanted, even if nobody seems to be getting paid. What a horrible piece of bloatware with jarring, contrary, counter-productive behaviors, shoved down my throat. Apologists are always prompt to say "but you can jump through this hoop and that one" to get the correct, useful and expected behavior, except when you can't, and otherwise systemd wastes your time to correct and reconfigure it so it's not so annoying and in your way. Ugh.
"In short, if you are trying to download something for free that you know you should really be buying, chances are it will come with some unwanted extras that your system will not notice."
What about Oracle Java and it's bundling? Or any of the other free "tools" that some twit somewhere decides you need in order to view their webpage?
And it's starting to crop up in things you pay for too. If I buy X, I bought X, not X plus what ever bundled up crapware your "partners" paid you to load onto MY kit. I've seen commercial software in the past, typically a game, where in order to run the game you have to have the vendor's ad network installed. The moment I see that sort of thing is the moment I refuse to have it on my kit.
Considering that Google have been paying to have Chrome shovelled into everyones PC with java and flash updates, I think it is a bit of a cheek.
Chrome rose to dominance via foisting itself on you, same as the crappy Norton and Mcafee scanners, which are also distributed via legitimate Java and flash installers.
Point the finger at the mirror Google. You helped to legitimise this behaviour.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
