How To Hijack Your Own Windows System With Bundled Downloads
How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do. They note that download.com's stated policies certainly look good on-screen; the site says that it comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings. The conclusion:
[N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn't matter which antivirus you have installed -- we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because, as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling, it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware.
Download.com is crap.
Sadly, open source isn't immune to this crap, with SourceForge now doing this stupid shit of bundling malware, adware, toolbar hijacks, etc. Especially when you have yahoos like FileZilla's admin approving (!) of this irresponsibility!?
At least Git hasn't been affected (yet).
That's not what I meant.
Why is it that in 2015, to install software from the internet, I need to let someone run a privileged script that can and will write whatever it wants, where it wants? Why can't I just get some archive bundle that I can drop into a collection of other applications?
I think the OS X style application bundles are the right way to do things.
Non impediti ratione cogitationus.
malware = stuff designed to do nothing more than harm your computer.
adware / junkware = stuff not specifically designed to do that, but a pain in the butt, extremely annoying, probably unwanted but not necessarily "evil" as such.
"No malware" doesn't mean it's "safe" or won't fill your computer with unwanted junk. Hell, even some AAA paid-for game titles will fill your computer with junk given half a chance.
That said, download.com has been dead to me for a number of years. Precisely because, like a text conversation I had with an old friend just now, people eventually have to ask me to clean their machines after touching it. Sure, it's not doing damage, but slowing your machine, popping up junk, intercepting your default search etc. is not "malicious" so much as downright rude and annoying, if you've agreed to it.
It's like the difference between posting some junk mail through my door, and posting some dog excrement. One is clearly intended to harm. The other's just a pain in the butt that I never really wanted (even if I "volunteered" for it at some point, somehow).
Sorry, but I remove (and have more trouble removing) more "adware" / "junkware" in my professional life than I ever do malware. It doesn't mean it's okay, still, but it's not malware. It's not exploiting security holes, stealing your passwords, avoiding your antivirus, etc. Most of it will remove itself if you ask it to. But that doesn't mean that anyone actually WANTS it either.
Sorry, the second you bundle unnecessary junk into your downloads, I stop using you. I've had to abandon several good pieces of freeware because of that (yes, I'm looking at you IZArc and lots of your friends because you just can't resist bundling some unwanted junk with a lovely freeware util that I'd gladly give you £10 for if it didn't have that stuff).
Lots of comments in the HTG story suggesting using Unchecky, and Ninite.com for safe downloading. Download.com and SourceForge have given in to the dark side of making tens of millions a year by installing toolbars and other malware. Whatever happened to the great days of shareware?
Liability? The software that people install is not Microsoft software, nor is it compiled by Microsoft.
With Linux there are also some third party install programs. Most because they are not open source.
So it is not Windows that keeps this antiquated process. It is the people who write the programs, who all have a different idea on how to do things. Just having a discussion about whether a user should or should not have an option as default will give various answers.
https://ninite.com/ will already do a lot to overcome that.
Obviously what Microsoft could easily do is make something similar and ask developers to give the programs to them in a certain format. I am also sure that Microsoft does not want to be a reseller.
Don't fight for your country, if your country does not fight for you.
It would certainly be way more honest.
Isn't that exactly what Microsoft is now doing with the Windows Store and "modern" apps, though?
Why does Windows keep this antiquated process around?
Try the windows 8 app store.
The antiquated process is kept around because everybody rejected their solution. Admittedly the app store only carries 'new ui' apps, and the 'new ui' was, deservedly, the main reason for all the rejection.
But a LOT of the issues with the 'antiquated' installer solution WERE actually resolved with it.
Yes, there are .pkg installers that could bundle god knows what, but they're not the norm for Mac software.
Have you tried using download.com as your source for mac software?
Windows with Chocolatey installed ---> run PowerShell as admin --> choco install stellarium --> go have coffee.
For much of the Mac's history this was also the case. If you wanted an application, you just copied the damn thing from one media to another.
IIRC, it got worse over time on the Mac as apps got bigger (more supporting crap, stuff to copy to the System Folder, maybe a control panel or init, etc).
Once in a while you run into applications, often utilities, that are truly standalone -- you can copy it to a new system and just run it. And then there are the various techniques for making portable apps, some kind of hand-done with a wrapper, others that scan a system before install and after and package all the deltas and use a wrapper after running to redirect all the various accesses.
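The before/after delta technique mentioned above is also the simplest way to see what a "free" installer really leaves behind. What follows is an added example, not code from the thread or from How-To Geek: it snapshots the places bundled offers usually persist (Add/Remove Programs entries, Run keys, startup folders, services, scheduled tasks), runs the installer, snapshots again and prints whatever is new. `$InstallerPath` and `$InstallerArgs` are placeholder parameters; run it inside a throwaway VM, exactly as the article did.

```powershell
# Added example: snapshot persistence-relevant state, run the installer, snapshot
# again, and report what appeared. Placeholder parameters, not from the thread.
# Get-ScheduledTask needs Windows 8 / Server 2012 or later.
param(
    [Parameter(Mandatory)] [string] $InstallerPath,
    [string] $InstallerArgs = ''
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
# Properties Get-ItemProperty adds to every result; not real registry values.
$psMeta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-Snapshot {
    $s = @{}
    # Add/Remove Programs entries: name, publisher and uninstall command.
    $s['Programs'] = @(foreach ($k in $uninstallKeys) {
        if (Test-Path $k) {
            foreach ($sub in Get-ChildItem $k) {
                $p = Get-ItemProperty $sub.PSPath
                if ($p.DisplayName) { "$($p.DisplayName) | $($p.Publisher) | $($p.UninstallString)" }
            }
        }
    })
    # Registry autostarts, one line per value.
    $s['Run'] = @(foreach ($k in $runKeys) {
        if (Test-Path $k) {
            $p = Get-ItemProperty $k
            foreach ($prop in $p.PSObject.Properties) {
                if ($psMeta -notcontains $prop.Name) { "$k\$($prop.Name) = $($prop.Value)" }
            }
        }
    })
    # Startup folders, services and scheduled tasks: the usual homes for
    # "updaters" and helper processes that bundled offers leave behind.
    $s['StartupFolder'] = @(Get-ChildItem $startupDirs -ErrorAction SilentlyContinue | ForEach-Object FullName)
    $s['Services'] = @(Get-CimInstance Win32_Service | ForEach-Object { "$($_.Name) | $($_.PathName)" })
    $s['Tasks'] = @(Get-ScheduledTask | ForEach-Object { "$($_.TaskPath)$($_.TaskName)" })
    return $s
}

# Record which file you actually tested, so the result can be tied to a hash.
$installerHash = (Get-FileHash -Path $InstallerPath -Algorithm SHA256).Hash
Write-Host "Installer SHA256: $installerHash"

$before = Get-Snapshot
$startArgs = @{ FilePath = $InstallerPath; Wait = $true; PassThru = $true }
if ($InstallerArgs) { $startArgs['ArgumentList'] = $InstallerArgs }
$proc = Start-Process @startArgs   # click through the GUI as a naive user would
Write-Host "Installer exited with code $($proc.ExitCode)"
$after = Get-Snapshot

# Report only what is new; a plain -notcontains diff copes with empty lists.
foreach ($cat in $before.Keys) {
    $added = @($after[$cat] | Where-Object { $before[$cat] -notcontains $_ })
    if ($added.Count -eq 0) { continue }
    Write-Host "`n== New $cat entries ($($added.Count)) =="
    $added | ForEach-Object { Write-Host "  $_" }
}
```

Anything in the Programs, Run, Services or Tasks output whose publisher is not the one you meant to install is the bundle. Two caveats: some installers hand off to a second-stage downloader and exit before it finishes, so `-Wait` can return early and a second snapshot after a reboot is worth taking; and browser search and home-page hijacks live in per-browser profile files, which this script does not cover.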
I kind of blame shared libraries myself versus static linking. I've never quite grokked the attraction of shared libraries. I get pilloried on Slashdot for saying this, of course. Usually it's "ZOMG how will I patch my system when $library has a security weakness and 69 apps all use it" or "it takes too much disk space".
#1 is a fair criticism, I guess, but means little on Windows which seems to use less of that kind of a shared library, but I also wonder if there isn't a counter argument by which not every app statically linked to a common library will have the same bug and won't need updating. And it's not like updating a shared library is always risk-free; there's always the chance that an updated dependent library may change in some way that borks some of the apps that depend on it or some of the problems and cruft from several versions of the same library on the same system.
#2 seems like a bullshit criticism in this day and age. I'm curious what a "typical" OS install would be like space-wise if it was all statically linked.
And if you had all-statically linked applications, updating them to new versions would be just a matter of copying in a new version which seems simpler and more manageable to me for some reason.
Of course, none of this means much to apps which legitimately have a shit-ton of included resources which need to be shared system wide. Those have to go in their right places somehow, but if they are app specific they could just be in the same directory as the application. Maybe apps could um, register, their shared capability with the system so it would know to look for a resource in a virtual directory /app/resource/shared instead of a system-wide /resources directory -- the app itself remains self-contained, no installer required, and it could just register its capability at runtime with the system.
This reminds me of when link farms were more of an issue than they are today, and when just doing a search could kill your Windows machine.
Really it is the search engines that keep these people in business, and modifications of the algorithm could minimize the damage just like it did with link farms.
"She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
In Windows, you don't need elevated privileges to install an application to a user-specific location.
Where have you been? Unless you're deploying "Hello world" written in C++, it is certain you're going to have to distribute some library which insists on being installed in the system area along with registry entries. Therefore you will have to have admin privileges. Heck, even just copying to Program Files takes admin privileges starting with Windows 7.
Because, thanks to nonsense like the registry, installing an app into Windows is a non-trivial operation. ... So if you've got files that need to tag along with the .exe (especially DLLs) or want the app installed for more than one user, you're stuck with installer hell.
a) it's crappy developers that force the registry hell on you. There's no reason to use it, nor any requirement to use it.
b) There's no problem building a single EXE with all required DLLs (or there didn't used to be.)
c) there's nothing preventing you from shipping a zip (because windows still doesn't understand a tarball) which has everything packaged up nice and neat (ie, a bundle)
d) multiple users can use an app that you drop into the appropriate places, some will require that when you drop it there, you have to elevate your privs, but that's pretty standard
There's no excuse to have installer hell. Just say no.
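The "just ship a zip" approach from the comment above, as an added example that is not from the thread or from any of the projects named in it: a per-user install that needs no elevation, writes nothing outside %LOCALAPPDATA%, %APPDATA% and HKCU, and pins the archive to a SHA-256 hash so a download mirror cannot quietly substitute a "wrapped" version. `$ZipPath`, `$ExpectedSha256`, `$AppName` and `$ExeName` are placeholders; the hash has to come from somewhere other than the site you downloaded from, or the check proves nothing.

```powershell
# Added example (not from the thread): install a self-contained zip bundle for the
# current user only. No UAC prompt, no machine-wide registry or Program Files writes.
# $ZipPath, $ExpectedSha256, $AppName and $ExeName are placeholders.
param(
    [Parameter(Mandatory)] [string] $ZipPath,
    [Parameter(Mandatory)] [string] $ExpectedSha256,
    [Parameter(Mandatory)] [string] $AppName,
    [Parameter(Mandatory)] [string] $ExeName
)
$ErrorActionPreference = 'Stop'

# 1. Pin the archive to a hash obtained out of band (the project's own release
#    page or signature, not the mirror the zip came from).
$actual = (Get-FileHash -Path $ZipPath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    throw "SHA256 mismatch for ${ZipPath}: expected $ExpectedSha256, got $actual"
}

# 2. Unpack under the per-user Programs directory, refusing any entry that would
#    land outside it ("zip slip" via ..\ segments or absolute entry names).
$target = [IO.Path]::GetFullPath((Join-Path $env:LOCALAPPDATA "Programs\$AppName"))
if (Test-Path $target) { Remove-Item $target -Recurse -Force }
New-Item -ItemType Directory -Path $target | Out-Null
$prefix = $target.TrimEnd('\') + '\'

Add-Type -AssemblyName System.IO.Compression.FileSystem
$zip = [IO.Compression.ZipFile]::OpenRead($ZipPath)
try {
    foreach ($entry in $zip.Entries) {
        # Path.Combine keeps a rooted entry name as-is, so the prefix check catches it.
        $dest = [IO.Path]::GetFullPath([IO.Path]::Combine($target, $entry.FullName))
        if (-not $dest.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) {
            throw "Refusing archive entry outside ${target}: $($entry.FullName)"
        }
        if ($entry.FullName.EndsWith('/') -or $entry.FullName.EndsWith('\')) {
            New-Item -ItemType Directory -Path $dest -Force | Out-Null
            continue
        }
        New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null
        [IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $dest, $true)
    }
} finally {
    $zip.Dispose()
}

# 3. Look at the Authenticode signature. Freeware is often unsigned, so warn
#    rather than refuse; the point is to know what you are trusting.
$exe = Join-Path $target $ExeName
if (-not (Test-Path $exe)) { throw "$ExeName not found in the archive; nothing registered." }
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid') {
    Write-Warning "$ExeName is not validly signed (status: $($sig.Status)); you are trusting the hash alone."
} else {
    Write-Host "Signed by: $($sig.SignerCertificate.Subject)"
}

# 4. Per-user integration only: the user's own PATH (HKCU) and a Start Menu
#    shortcut under %APPDATA%. Neither needs elevation.
$userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
if (($userPath -split ';') -notcontains $target) {
    $newPath = (@($userPath, $target) -join ';').Trim(';')
    [Environment]::SetEnvironmentVariable('Path', $newPath, 'User')
}
$shortcut = Join-Path $env:APPDATA "Microsoft\Windows\Start Menu\Programs\$AppName.lnk"
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($shortcut)
$lnk.TargetPath = $exe
$lnk.WorkingDirectory = $target
$lnk.Save()
Write-Host "Installed $AppName to $target for $env:USERNAME only (no elevation used)."
```

Uninstalling is deleting the folder, the shortcut and the PATH entry, which is the whole appeal of the bundle model: nothing ran as administrator, so nothing could have registered a toolbar, a service or a search hijack behind your back. The trade-off the other commenters raise still stands: an app that needs a shared runtime or a system-wide component does not fit this model.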
The cesspool just got a check and balance.