Slashdot Mirror


How To Hijack Your Own Windows System With Bundled Downloads

How-To Geek has tested and described something that you probably shouldn't do on your own computer -- unless, as they did, you do it on a virtual machine just for this purpose. Namely, they downloaded 10 of the most popular software titles from download.com, clicking through as a naive user might, accepting the defaults or the most obvious Next buttons, as most users surely do.

They note that download.com's stated policies certainly look good on-screen; it says that the site comprehensively screens for, and disallows, malware of all kinds. But malware of various kinds, even if much of it is in a grey zone rather than actually malicious, is a fair description of what the authors encountered as they clicked through. Bundled software, some pieces of it at odds with others, was attached to each of the downloads, and from download to installation the process by design foisted more and more junk on their system, even if some of the bundled junk could have been avoided by a user jaded by previous hijackings.

The conclusion: "[N]o matter how technical you might be, most of the installers are so confusing that there's no way a non-geek could figure out how to avoid the awful. So if you recommend a piece of software to somebody, you are basically asking them to infect their computer. And it doesn’t matter which antivirus you have installed — we've actually done this experiment a number of times with different antivirus vendors, and most of them completely ignored all of the bundled crapware. Avast did a pretty good job this time compared to some of the other vendors, but it didn't block all of it for sure. There are also no safe freeware download sites because as you can clearly see in the screenshots in this article, it isn't just CNET Downloads that is doing the bundling, it's EVERYBODY. The freeware authors are bundling crapware, and then lousy download sources are bundling even more on top of it. It's a cavalcade of crapware."

8 of 324 comments

  1. You don't say !! by amalcolm · · Score: 5, Insightful

    Download.com installs crapware news at 11

    --
    Time for bed, said Zebedee - boing
  2. Re:Application installers suck. by gunner_von_diamond · · Score: 5, Funny

    Why does Windows keep this antiquated process around?

    That's a great question. The only thing I can think of is someone making money off of having the crapware bundled together to offset the cost of offering their product as a free download.

  3. Oracle on down ... by gstoddart · · Score: 5, Insightful

    When Oracle bundles the ask.com shitware with Java, and you have to conscientiously know it's there and un-check it, is it any surprise pretty much everyone else does this stuff?

    Some ass is always trying to monetize your clicks, and 'free' comes with strings.

    I've noticed over the years CNET is doing this, so much so that I don't typically trust them as a source.

    The marketing assholes have pretty much wrecked the internet, and they pretty much use the same tactics as the malware people -- putting stuff on you don't want.

    --
    Lost at C:>. Found at C.
  4. Re:Application installers suck. by houghi · · Score: 5, Interesting

    Why does Windows keep this antiquated process around?

    Liability? The software that people install is not Microsoft software, nor is it compiled by Microsoft.

    With Linux there are also some third party install programs. Mostly because they are not open source.

    So it is not Windows that keeps this antiquated process. It is the people who write the programs who all have a different idea on how to do things. Just having a discussion if a user should or should not have an option as default will give various answers.

    https://ninite.com/ will already do a lot to overcome that.

    Obviously what Microsoft could easily do is make something similar and ask developers to give the programs to them in a certain format. I am also sure that Microsoft does not want to be a reseller.

    --
    Don't fight for your country, if your country does not fight for you.
  5. Re:Application installers suck. by Richard_at_work · · Score: 5, Informative

    Why does Windows keep this antiquated process around?

    Chocolatey.

    https://chocolatey.org/

  6. Re:Application installers suck. by The MAZZTer · · Score: 5, Informative

    Microsoft tried the easy install, walled garden approach with Windows 8. It didn't go over well.

  7. Re:Find the source by Galaga88 · · Score: 5, Funny

    The process goes something like this:

    "Help. My computer is slow."
    "You need to clean up the malware."
    "Okay, I did a Google for malware cleaner. That only made it worse."
    "Oh, you have to install Malwarebytes. That software's a fake."
    "Okay, I don't know how I was supposed to know it was fake, but now I've installed Malwarebytes. Things got worse."
    "That's because the first search result in Google is actually an ad for somebody else distributing Malwarebytes with its own malware. You have to go to this page instead."
    "Okay, I don't know how I was supposed to know that too, but now I've installed it. Why is it still not working?"
    "Because the malware on your computer redirects attempts to remove the malware on your computer."
    "Fuck this. I'm buying a tablet."

    (one month later)

    "How do I delete all this crap on my tablet?"
    "You can't unless you root it. Here's a guide that a five year old child could follow, with only a 10% chance of bricking your unit."
    "Then fetch me a fucking five year old child because I'm paralyzed by learned helplessness by this point."

    I think we forget how overwhelming and stacked against the user the entire process is.

  8. I don't think that's quite right. by digsbo · · Score: 5, Informative

    I'm pretty sure you're mistaken there. I've done installers with both RPMs and MSIs. Not my specialty, but I have some experience.

    In Windows, you don't need elevated privileges to install an application to a user-specific location. You only need it to install system-wide. The registry keys to track Windows Installer components can be referenced from either location in the registry (the administrative access part, or the user-only part).

    It's not all that different from RPM, though really it's a little easier to do user-only installs with Windows Installer. You need administrative privileges to install system wide w/ RPM. You can also do a bunch of RPM hacking to install to a user-only RPM database and installation folder without root, so long as you specify that you're running RPM against a non-default RPM database location, and someone went to a lot of trouble to permit user only installs in your RPM spec file. There's a bit of work to enable this in regular MSIs, too, but it's actually better supported than under RPM.
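
The per-user versus system-wide split described in the comment above can be audited after the fact. This is an added example, not part of the original thread: a PowerShell inventory that separates software registered machine-wide from software registered per-user. It assumes the standard Add/Remove Programs `Uninstall` registration keys as the data source, and the `$scopes` and `$inventory` names are this example's own.

```powershell
# Added example: inventory installed software by registration scope.
# HKLM entries are machine-wide (writing there requires elevation);
# HKCU entries belong to the current user and can be written without it.
$scopes = @(
    @{ Scope = 'Machine'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' },
    @{ Scope = 'Machine (32-bit view)'
       Path  = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' },
    @{ Scope = 'User'
       Path  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' }
)

$inventory = foreach ($s in $scopes) {
    # A missing key (e.g. WOW6432Node on 32-bit Windows) is skipped quietly.
    Get-ItemProperty -Path $s.Path -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Scope       = $s.Scope
                Name        = $_.DisplayName
                Publisher   = $_.Publisher
                InstallDate = $_.InstallDate   # usually yyyyMMdd, often absent
                # DWORD 1 marks an entry registered by Windows Installer (MSI).
                IsMsi       = ($_.WindowsInstaller -eq 1)
                KeyName     = $_.PSChildName
            }
        }
}

# Per-user registrations: candidates for software that arrived without
# ever needing administrative rights. Newest first for review.
$inventory |
    Where-Object { $_.Scope -eq 'User' } |
    Sort-Object InstallDate -Descending |
    Format-Table Name, Publisher, InstallDate, IsMsi -AutoSize

# Count of entries per scope, for a quick baseline to compare over time.
$inventory | Group-Object Scope | Select-Object Name, Count
```

The HKCU hive shown is that of the account running the script, so each user profile on a shared machine has to be checked separately.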