Exploiting Android Users (codeword.xyz)
192 points by Rudism on Aug 10, 2015 | hide | past | favorite | 63 comments



Living in China, it doesn't seem they were crossing a line. Things have gone mad here.

If you want to type Chinese, you'll need an IME. Most Chinese people rely on them. It was indeed an exploitable point, in that you can slip a lot of stuff into it:

- News pop-ups, of course;
- System information gatherer? Sure;
- Search engine, convenient;
- Anti-Malware software, certainly;
- Anti-Virus software, you'll have it;
- Homepage? Come on, let's make a bolder move: Browser!
- A PC Manager. It's a combination of AV/AM and a software catalog, and the sweetest feature is to tell you how many seconds it took to boot up to your desktop, and show a % of the population you've beaten across the nation; people can be bitchy over this.

Not just one major software vendor did this; everyone capable did, and is still doing it. There are also large internet companies, used by people on a daily basis, that use 0day exploits to push their desktop software. It's like if you browse the Chinese part of the internet for one day, you'll end up with a bunch of cute little Anti-Virus/cleanup/tweaking goodies resting in your notification area; sometimes they fight each other and cause BSoDs.


Is there a reason not to use the default IME provided by the operating system?

Mac OSX includes a decent IME for Japanese, for example.


This sounds horrible. I always hear how Chinese internet access is under too heavy regulation, isn't there any penalty for such behavior?


I think the word you are looking for is "censorship" instead of regulation. Though I suppose "heavy regulation" could be a clever/funny euphemism for "censorship".


The Chinese euphemism for censoring something is "harmonize", from the slogan: https://en.wikipedia.org/wiki/Harmonious_Society


Along the same vein, I highly recommend this read from Aral Balkan[0] on how advertising and analytics data is now really just a fancy word for what we considered spyware back in the older (freer) days of the Internet.

[0]: https://aralbalkan.com/notes/spyware-2.0/


I can't speak for anyone else, but there's only so far I would be able to go in a job. I once turned down a job because a major client of the company was the RIAA. It reminds me of what LinkedIn did with their iPhone app and email. I can't believe that either Android or iOS would allow any of their apps after they did that.

I don't have either FB or FB messenger installed, since the split... mostly because they ate my battery life, and breaking apart existing/working functionality sucks. Not to mention they've been gimping their mobile website ever since, I've been avoiding them much more lately. But FB is nowhere near this level of sleaze.


I once turned down a gig from someone who wanted a tool to spam fake Yelp reviews. He had an elaborate vision for it: a control panel he could use to choose a target and whether to make the reviews good or bad, which controlled a fleet of instances on EC2, Rackspace, etc, so that when one was detected he could just use others.

It's easier to turn down unethical work when it's only a few thousand dollars, vs. your full-time job. Still, I felt pressure because I was actually talking with him on behalf of a guy I was subcontracting for, who had invited me to partner in his own agency, so I did worry about injuring that relationship. It did make me wonder, though, if those were the leads he was turning up, whether a partnership was such a good idea...


I don't use Facebook at all, but I've heard good things about their new Lite app. It still asks for permission to spy on your whole device, though.


The really disappointing thing is that if you root Android you can use "App Ops" to selectively disable permissions, per app. It works great. But Google won't enable it by default.


I think Google is redoing the whole permission system in Android M. Reportedly, instead of the approve everything once at install time model, they're moving to the iOS way of default minimum permissions and asking the user at use-time to approve additional things.


They do, although in real life terms this will mean practically nothing for John Doe, because he'll have to:

- buy a new device with M
- hope his existing phone gets M before one year to date, or ever.


Yeah... Google should stop and close up shop. Working towards fixing things tomorrow? HOW DARE THEY! Shakes fist at them menacingly


That's not what I'm implying. But suggesting that the user should suck it up because something is coming in 6-12 months if he's lucky is not a valid excuse, because he can take his money NOW elsewhere.

As an ex-Android user of 5 years, I just got tired of this "coming soon" attitude.


Then no amount of (other) good things can make that app installable.


[Tinfoil for Facebook][0] is good, and only wants network, location, and storage permissions (and you can turn off location). It doesn't provide background notifications, though.

[0]: https://github.com/velazcod/Tinfoil-Facebook


Also, "Tinfoil for Facebook" has explicit Orbot support (Tor for Android). Works very nicely. There is a "Tinfoil for Twitter" too which works much the same way.


I turned off notifications for FB a long time ago, so that's not a problem. Thanks for the link!


What did LinkedIn do?



Thanks!


There was a single mention of Paint.NET in the article with no other comment. Is that the company involved in this? It was not clear to me nor do I recognize the name of the author.

There are two technical holes in how this was achieved, disregarding the initial drive-by update install:

* Unprotected browser cookie storage

* Android web-based App Install requires no user interaction past a request to a web endpoint

Are these holes still open?


I'll put this comment here as a response to sibling and child comments about Paint.NET and to defend the author (Rick Brewster) regarding misleading installers.

Rick has had numerous problems over time with scammers wrapping Paint.NET with scumbag installers and with "backspaceware" distributions. He's documented these issues in his blog:

http://blog.getpaint.net/2009/11/06/a-new-license-for-paintn...

http://blog.getpaint.net/2007/12/04/freeware-authors-beware-...

http://blog.getpaint.net/2011/10/03/paint-net-v3-5-9-and-dow...

http://blog.getpaint.net/2010/12/22/photoshop-filters-and-mo...

For as long as I've used Paint.NET (since v1) his home page and download page have never obfuscated or tried to lure users into downloading and installing crapware.

EDIT: Just turned off my adblocker and see I'm sadly very wrong about the crapware download ads. My other points still stand though.


You're probably using adblock then.

Homepage: right below his link (paint.net 4.0...) is a "GET IT HERE" picture ad which installs crapware.

Download page: big green banner "START DOWNLOAD" above his text link for the download.


Oh, I see your point about the ads (just turned off uBlock); makes me sad to see that :( It used to be much cleaner than that. I'd be interested to know how much control he has over those.


He has total control. It's his website; he has made the choice to work with scummy advertisers for a larger cut. Make no mistake: he could choose to run adverts that are not immoral and are not pushing malware, and in return he would earn slightly less money.

I have no sympathy whatsoever for him - he's directly benefiting from the same scummy industry he's complaining about.


Wow. I really admired that product, back when I used Windows. That's pretty sad. Paint.NET was doubtlessly a lot of hard work to create, and its name is now besmirched with this bad decision.


I've also been using Paint.NET since v1. It's always had the crapware links.


It would not be Paint.NET itself; lots of Windows freeware apps are approached by advertising companies. The advertising company pays the freeware company a lot of money to add a checkbox during install. It's this kind of checkbox that the author is talking about. They probably gave Paint.NET (and Java, WinZip, WinRAR, etc.) a ton of money to put that there.


Paint.net has ads on their pages, right next to the download page... Their own download link is non-obvious, and the advertisers create full-size ads with a big green button saying "download"... what the user gets isn't the installer from paint.net proper. I think the fact that the paint.net guys are resorting to allowing ad networks on their main page instead of an inline donate option (like Ubuntu) is pretty bad.

Another example: as recently as 3 months ago, a search on Google for "chrome" would result in a few ads that were for malware like this.

The ones that are in the actual installers upset me a lot... more so in open source, and one of the reasons people are starting to avoid SourceForge like the plague.


I thought SF rescinded their new policies? Regardless, I still won't be using them unless I must.

I guess this might be one benefit of the Windows Store, as long as that hasn't been taken over. I haven't checked it in awhile nor know their guidelines.


They're trying to sell SF right now (and slashdot), so who knows what's going to happen next.


I don't know if either have the funding, but GitHub or Atlassian would be better stewards of SourceForge, at least in terms of migrating the whole thing into the fold of GitHub or Bitbucket.

As it stands, I get a little sad when I see a project still on or using SF.


Based on the text of the article:

> Over time, those notification and opt-in screens were “optimized” away as much as possible. They already “agreed” to our 23 page EULA when they were trying to install Paint.NET but accidentally clicked the wrong download button anyway, right?

I'd say that what he's talking about is those sites that offer software for download, and the download button is displayed under an advertisement which also shows an image of a download button. If you click on the ad (showing an image of a download button), you get the malware, instead of the Paint.NET installer that you were trying to download.


There's also a lot of sites that package adware without the developer's consent. See for example the semi-recent Sourceforge controversy: SF approached devs asking if they'd be interested in using their new download manager that would automatically install third-party 'offers' (unless the user declined the EULA the first 2 times and accepted on the third try). The GIMP team not only declined, but abandoned SF altogether - so now SF's version of GIMP includes adware, and the devs don't see a single dime from it.


Okay, thank you. I must have skimmed the intro the first time. Still he only mentions once that he works at the advertising agency and not Paint.NET, in his second sentence. I was thoroughly confused about what type of company Paint.NET had become.


> There was a single mention of Paint.NET in the article with no other comment.

I suspect this was an example of one of the bait apps that shonky download sites (download.com and now sourceforge.com, etc.) repackage with toolbar installers.


The replies are correct. I mentioned Paint.NET mainly because that was/is a highly effective site to get people to click the misleading "Download" button ads.

As for browser cookie storage, there's not much the browsers can do. Even if they were encrypted or obfuscated somehow, the browsers themselves would still need access so people would always be able to reverse-engineer the process.

The only way I could see them preventing the web-based install exploit would be to always require a password first (and not just rely on session cookies to identify the user). I'm not sure if Google is doing that now or not.


Yes, they're still open.


Site’s struggling for me. Google cache: https://webcache.googleusercontent.com/search?q=cache:http%3...


It's funny the author mentions all the Google Play stuff about installing apps to users' phones without them ever even knowing. I actually found a company exploiting this in the wild using browser extensions; I wrote about it on this blog:

http://extensiondefender.com/blog/

I'm not sure if the news I released had any effect, but they rapidly pivoted from a "desktop to mobile" ad network: https://web.archive.org/web/20141209085229/http://vulcun.com...

To some kind of e-Sports betting site: https://vulcun.com/

Oddly enough, I submitted a bug report to Google telling them they should set a Content-Security-Policy on play.google.com, and was basically told "wont-fix", so the vulnerability in the Play Store still exists.


Thanks. Btw, you forgot to put any link from your blog to the main site.


This raises an interesting point I've thought a lot on, which is "Developer Moral Responsibility" (best way I can sum it up). I've started 2-3 blog posts on this subject only to shelve them indefinitely, as the "gray" things I've been involved in were minor on the grand scale and the places I worked at when those things occurred were 99% "good", and I wouldn't want to smear their names over things that were minor at best (the "everyone else is doing it" argument/excuse). I would love it if a "Developer Morality Manifesto" or similar were created and accepted at both a developer and company level to cover some of these "dark" practices.


Way back when I was young and webvan.com was hot, I also worked on similar stuff. I didn't know then who I was, or even slightly what I wanted in life. Typical early-20s kind of thing. Anyways, I understand exactly what this guy feels like, as I feel the same way about the things I did back then. And these days I have turned down a couple of jobs that I felt were being too aggressive about advertising. One company's product was to give you a kind of GMail search, at the cost of collecting all kinds of information about you and aggregating it on remote servers to use for advertising. The founders were real cool guys, but this was just not something I am willing to contribute to.


But why?

Money? You said "thousands" of "users". Even if you sell those owned computers/phones at, let's say, $1, you don't make that much as a company.

Fame/street cred? Look how I got those lusers?

Or you don't even care? You could optimise the deadliness of an atomic weapon and you would feel the same: code done! Awesome!


You can make way more than $1/user if the users are in good geos and each user can install lots of apps.

In general, it's best to assume the market knows something you don't, rather than the other way around.


The point was never to sell access to compromised computers or anything quite as nefarious as that.

The point with all of these schemes is to get users to install applications on their computer (or phone) that we were getting paid for on a per-install basis. A user who ran through our installer and installed all of the offers might net you $3. Multiply that by thousands a day, hundreds of thousands a month.

On the mobile side, as I mentioned in the article, finding desktop users who we could actually make money off of on mobile offers was much harder, which is why I suspect the practice hasn't caught on and become much more widespread in the industry.


You know, I think that optimizing the deadliness of atomic weapons is a lot more defensible than this. The nukes have arguably prevented large-scale industrial war since WWII. I'm having a tough time coming up with a defense for building malware, though.


There really is no defense. It's just a money grab. When I was working there I dealt with it through compartmentalization and rationalization ("if I wasn't doing this someone else would, so I might as well earn that paycheck anyway"). Others there probably just didn't care.

The culture was very money-centric... everyone's compensation included a bonus component that was directly tied to how much revenue your products generated, and there would be big celebrations whenever new milestones were met.


For those wondering how to protect against a "malware-steals-cookie" attack, see:

http://www.browserauth.net/channel-bound-cookies

I believe Google does this now for their auth cookies.
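A sketch of the server-side check behind channel-bound cookies, added here as an illustration; it is not code from the linked page, from the commenter, or from any browser or Google service. The cookie is an HMAC over the session id and the channel ID of the TLS connection it was issued on. Assumed: the TLS layer hands the server an authenticated channel ID derived from the client's channel public key, which the client proved possession of during the handshake, so a copy of the cookie presented over any other connection fails the check. `SERVER_KEY` and the key bytes are constructed placeholders.

```python
"""Channel-bound cookie verification sketch (added example, not from the page).

Assumption: the TLS stack gives the server an authenticated channel ID for
each connection, computed from the client's channel public key after the
client proved it holds the matching private key. The server never trusts a
channel ID a client merely claims.
"""
import hashlib
import hmac
from typing import Optional

# Constructed placeholder; a real deployment uses a random, rotated secret.
SERVER_KEY = b"constructed-server-secret-do-not-use"


def channel_id_from_public_key(pub_key: bytes) -> str:
    """Channel ID = hash of the client's channel public key (assumed model)."""
    return hashlib.sha256(pub_key).hexdigest()


def _mac(session_id: str, channel_id: str) -> str:
    msg = f"{session_id}|{channel_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_cookie(session_id: str, channel_id: str) -> str:
    """Bind the session to the channel it was established on."""
    return f"{session_id}.{_mac(session_id, channel_id)}"


def verify_cookie(cookie: str, channel_id: str) -> Optional[str]:
    """Return the session id if the cookie is valid for THIS channel, else None."""
    try:
        session_id, mac = cookie.split(".", 1)
    except ValueError:
        return None
    if hmac.compare_digest(mac, _mac(session_id, channel_id)):
        return session_id
    return None


def demo() -> dict:
    """Legitimate use vs. a copied cookie presented over a different channel."""
    browser_key = b"constructed-browser-channel-public-key"
    other_key = b"constructed-other-channel-public-key"
    browser_channel = channel_id_from_public_key(browser_key)
    other_channel = channel_id_from_public_key(other_key)

    cookie = issue_cookie("sess-1234", browser_channel)
    tampered = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "legit": verify_cookie(cookie, browser_channel),            # "sess-1234"
        "replayed_on_other_channel": verify_cookie(cookie, other_channel),  # None
        "tampered": verify_cookie(tampered, browser_channel),       # None
    }


if __name__ == "__main__":
    print(demo())
```

The point for the "malware-steals-cookie" case: a cookie file copied off the device is only accepted on a connection whose channel ID matches the one it was bound to, and that channel ID is established by the TLS handshake rather than by anything the cookie itself carries.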


How can this fix prevent this class of attacks?

The malicious app has local access to the user's machine, which means it has the ability to read and overwrite all files that the browser manages.

In the worst case, we could create malware that just reads the browser's client public key and creates our own session with the same one.


Thanks for the honesty!


[flagged]


Wow, why? HN isn't 4chan.

Things like that will lead to nothing more than a worse environment for everyone.


This is not cool to be posting on HN; they have chosen to remain anonymous for obvious reasons, and regardless, the practice of doxing someone is pretty obnoxious.


Actually, at the end of the OP you can find the author's name, email address, and photograph. Doxxing is obnoxious, but in this case it's not a matter of exposing the identity of someone who was trying to remain anonymous.


I missed the original comment before it was deleted, but you are correct in that I wasn't trying to write this anonymously.


Yes, I know it's not cool... but it irks me the most when I find things like this... the big reason I stopped using Google products also...


This. This is what pisses me off at Android and its ecosystem. I'm an avid Android user, and more and more I'm witnessing how it's turning into exactly what Windows was (is) and how crappy they are at protecting their users.

You can submit an app to the Play Store and get it approved within a day. I mean, come on, phone data are some of the valuable possessions one has in this century and they care less about it being abused. I wish there could be a tightly knit app store similar to iOS with stringent reviews & regulation, but I know it's never going to happen.


OP claims they were getting routinely banned and Google was plugging the holes they were using. I use a ton of apps, usually install them from my browser, and never had any issues.


If it takes 2 weeks for Apple to approve your app, it doesn't mean they are looking into it for 14 consecutive days.


Of course it doesn't mean they are looking into it continuously, but it's way better than not looking at all.

All I'm saying is at least a pair of eyes is looking into the app before it's reaching their users.


Google started manually looking at and approving all Android apps submitted to the Play Store a while ago, if I recall correctly. They just don't take 14 days to do it.


Neither does Apple. It's currently 6 days.

http://appreviewtimes.com

