Sneaky installer



  • I'm always seeing new ways for installers of free software to trick people into installing crapware, but this is a new one. ImgBurn includes some crapware by default and makes the "Custom Installation" setting appear disabled! Appearances are deceiving. You can click "Custom Installation" and uncheck the crapware if you want, you just have to click on a visually disabled item to do so.

    Another trick I've seen recently is to put a crapware installer on the "You've Finished Installing" step of the wizard. When you click "Finish and Close" without paying attention, it installs WeatherShoppingToolbarSearchMediaPlayer 4.3 because you weren't paying attention and you're also not used to unchecking things on the completed dialog.



  • @mott555 said:

    I'm always seeing new ways for installers of free software to trick people into installing crapware, but this is a new one. ImgBurn includes some crapware by default and makes the "Custom Installation" setting appear disabled!
    That's why if Ninite has it I'll always get it that way.



  • One I came across was disguised as an EULA, should you click 'I agree' you would end up with some browser toolbar or whatnot.

    Sneaky indeed. A lot of small and easy programs fall victim to either greedy management taking more and more pixels for the ads and less real estate for purpose or the 'include everything and the kitchen sink'-school of thought. Once they stop being small and easy people stop using them, management gets desperate, they include even more crap in some misconceived plan to win back the hearts of their beloved customers end in the end nobody uses their program any more.

    Oldversion.com is a nice graveyard of programs that went under due to their own success...



  • I had the same issue when µTorrent downloaded and installed an update the other day. The update wizard had a dialog at the end of the process that I didn't catch because I accidentally made a keystroke when it popped up. Next thing I know it's hijacked chrome and set Yahoo as the default search engine.



  • @pnieuwkamp said:

    One I came across was disguised as an EULA, should you click 'I agree' you would end up with some browser toolbar or whatnot.

    CNET did that to me recently. I think I was downloading a HTML to PDF converter, but it popped up with four extra EULAs, each of which was actually adding a different, extra piece of shit to the download. I think they made me download a special CNET installer, too. Now that I think about it, why the fuck did I do any of that? Normally anytime I have to start jumping through hoops I look for something else. Temporary insanity, I guess.



  • @mikeTheLiar said:

    I think they made me download a special CNET installer, too.
    CNET is not to be trusted.


  • Trolleybus Mechanic

     Recently, I've seen:

    1) Confusing double-negative checkboxes that vary randomly between making you want to check them and making you want to uncheck them, depending on the flavor of law and asshole they were programmed under.  [ ] I do not agree to skipping the terms and conditions to agree to not installed FuckYouToolBar

    2) Showing you an EULA, and at the bottom putting a HUGE "I AGREE" button. Except that it's actually I AGREE (fine print: to install FuckYouToolBar...), and far below that there's a hyperlink-style link in 1pt font that says "I agree & skip installation"

    As much as I blame the ad scum fuckers, I heap equal blame on every browser maker out there. How fucking hard is it to not allow 3rd party programs from altering settings or installing extensions. Why is there not "Lock my fucking browser (default)" setting that automatically rejects outside changes to whateverthefuckyoucall about:config.

    I mean seriously-- when was the last time ANYONE changed their home page? Aside from when you first install the browser (and even then, some people leave the Mozilla branded Google page there). When in the history of the entire Internet has anyone actually willingly changed their homepage?  Lock it down, don't allow it to be changed by anything except the user unlocking it, making the change, and re-lock it afterwards.

    They're already halfway there with extensions (on Firefox, at least). If you try to install, it'll only install from trusted sources, give you a countdown and a confirmation prompt.

    The last piece of shit that accidentally got installed on my system was able to change the home page, change the Firefox PROXY SETTINGS!!!!, fuck around with my DNS, put in a Scheduled Event to update and re-install itself, and played merry fuckery with a ton of about:config settings.  I'm sure it would have done the same with IE and Chrome if they were installed. Fucking hell, what fucking year is it?



  • @flabdablet said:

    @mott555 said:
    I'm always seeing new ways for installers of free software to trick people into installing crapware, but this is a new one. ImgBurn includes some crapware by default and makes the "Custom Installation" setting appear disabled!
    That's why if Ninite has it I'll always get it that way.

    I've begun toying with Chocolatey. More command-liney (without having to pay). Has packages ninite doesn't have (although I think there are some that chocolatey doesn't have). Might be worth a gander.



  • @Lorne Kates said:

    How fucking hard is it to not allow 3rd party programs from altering settings or installing extensions. Why is there not "Lock my fucking browser (default)" setting that automatically rejects outside changes to whateverthefuckyoucall about:config.

    I just started using Windows 8.1 and I think there is a setting to lock search and homepage... I'd have to look again though.



  • @Lorne Kates said:

     Recently, I've seen:

    1) Confusing double-negative checkboxes that vary randomly between making you want to check them and making you want to uncheck them, depending on the flavor of law and asshole they were programmed under.  [ ] I do not agree to skipping the terms and conditions to agree to not installed FuckYouToolBar

    2) Showing you an EULA, and at the bottom putting a HUGE "I AGREE" button. Except that it's actually I AGREE (fine print: to install FuckYouToolBar...), and far below that there's a hyperlink-style link in 1pt font that says "I agree & skip installation"

    As much as I blame the ad scum fuckers, I heap equal blame on every browser maker out there. How fucking hard is it to not allow 3rd party programs from altering settings or installing extensions. Why is there not "Lock my fucking browser (default)" setting that automatically rejects outside changes to whateverthefuckyoucall about:config.

    I mean seriously-- when was the last time ANYONE changed their home page? Aside from when you first install the browser (and even then, some people leave the Mozilla branded Google page there). When in the history of the entire Internet has anyone actually willingly changed their homepage?  Lock it down, don't allow it to be changed by anything except the user unlocking it, making the change, and re-lock it afterwards.

    They're already halfway there with extensions (on Firefox, at least). If you try to install, it'll only install from trusted sources, give you a countdown and a confirmation prompt.

    The last piece of shit that accidentally got installed on my system was able to change the home page, change the Firefox PROXY SETTINGS!!!!, fuck around with my DNS, put in a Scheduled Event to update and re-install itself, and played merry fuckery with a ton of about:config settings.  I'm sure it would have done the same with IE and Chrome if they were installed. Fucking hell, what fucking year is it?


    Blakeyrat's back! Oh, I how I missed you.



  • @DoctaJonez said:

    The update wizard had a dialog at the end of the process that I didn't catch because I accidentally made a keystroke when it popped up. Next thing I know it's hijacked chrome and set Yahoo as the default search engine.

    The single greatest UI mistake of windowing systems is to allow windows to grab the focus. If the user is in the middle of a heavy typing session, say, developing code, it may be several tens of keystrokes before the user notices that the focus has been moved and stops typing. I have accidentally deleted files due to this.



  • @Lorne Kates said:

    As much as I blame the ad scum fuckers, I heap equal blame on every browser maker out there. How fucking hard is it to not allow 3rd party programs from altering settings or installing extensions. Why is there not "Lock my fucking browser (default)" setting that automatically rejects outside changes to whateverthefuckyoucall about:config.


    IE does exactly that. It only lets third-party software "request" to add a toolbar or change the website, which means there's a small pop-up bar asking you to accept the changes next time you run it, which you can just ignore.

    Still, it's impossible to protect anything when you're giving software full control over your system. Which you're doing every time you install something. So if you do that it's only a matter of time until installers just skip whichever mechanism you have for changing your home page and edit your config files directly, "for an easier end-user experience".



  • @Lorne Kates said:

    1) Confusing double-negative checkboxes that vary randomly between making you want to check them and making you want to uncheck them, depending on the flavor of law and asshole they were programmed under.  [ ] I do not agree to skipping the terms and conditions to agree to not installed FuckYouToolBar
    ☑ Don't not refrain from not installing the Ask toolbar in none of my browsers.



  • @anonymous234 said:

    @Lorne Kates said:

    As much as I blame the ad scum fuckers, I heap equal blame on every browser maker out there. How fucking hard is it to not allow 3rd party programs from altering settings or installing extensions. Why is there not "Lock my fucking browser (default)" setting that automatically rejects outside changes to whateverthefuckyoucall about:config.


    IE does exactly that. It only lets third-party software "request" to add a toolbar or change the website, which means there's a small pop-up bar asking you to accept the changes next time you run it, which you can just ignore.

    Still, it's impossible to protect anything when you're giving software full control over your system. Which you're doing every time you install something. So if you do that it's only a matter of time until installers just skip whichever mechanism you have for changing your home page and edit your config files directly, "for an easier end-user experience".

    I recall my dad asking me why Chrome was asking him if he wanted to allow a "foreigner program" to install an addon.


  • If you look carefully, you'll notice that the radio button isn't actually disabled, and the title text isn't either - it's just coloured grey. If the radio button were disabled it'd be greyed as well, and disabled title text has a white backdrop to increase readability.

    All in all, that's rather open and honest - the title (Improve your Internet Protection), description (ImgBurn recommends the AVG toolbar...), and the Standard Installation text all describe exactly what it wants to do. I've seen installers that bundle it in "Standard Installation" but make it look like you're just installing the software you meant to install. Like this...

    ImgBurn 2.5.8.0                                     

    Please select an installation option:                                                                            

    Install ImgBurn 2.5.8.0 with the recommended settings*                                                                                                                                                   

    Custom Installation  

    *Includes AVG Toolbar and AVG Secure Search for homepage, newly opened tabs, and default search provider.



  • One I've seen not too long ago (can't remember the app) was a standard installation/custom installation thing. I did custom installation, removed all the toolbar stuff, and then clicked next.
    Then a dialog turned up with a LONG message and yes- and no-buttons. I nearly clicked yes, as it looked like a standard "blah blah you've decided not to install our great toolbar" message, but I just read the last sentence. I can't remember the wording, but it basically said: "Click yes to install the toolbar anyway!"
    Great trick. It's not as though I could've done it on accident. And the message was far too long for people to read anyway. I might have fallen for it, had it not been the very last sentence that indicated this.



  • @DoctaJonez said:

    I had the same issue when µTorrent downloaded and installed an update the other day. The update wizard had a dialog at the end of the process that I didn't catch because I accidentally made a keystroke when it popped up. Next thing I know it's hijacked chrome and set Yahoo! Search Powered by Bing™ as the default search engine.

    FTFY



  • @WernerCD said:

    I've begun toying with Chocolatey. More command-liney (without having to pay). Has packages ninite doesn't have (although I think there are some that chocolatey doesn't have). Might be worth a gander.

    Chocolatey looks very promising. Nice find!

    Since about 2005 I've been maintaining the standard operating environment at the school I netadmin using my own updater scripts, and this is the first alternative I've seen that has me seriously thinking about migrating. I will have a good play with it and see what it can do.

    It will be interesting to see whether the Chocolatey package repository ever gets comprehensive enough to call for the same kind of stable/testing/unstable split that the Debian project uses to manage its own repos, and whether it attracts a similarly dedicated community of maintainers.


  • Discourse touched me in a no-no place

    @Lorne Kates said:

    I mean seriously-- when was the last time ANYONE changed their home page?
    What's a home page? Every time I start my browser, it opens with all the tabs I had open when it last crashed.



  • @PJH said:

    What's a home page?

    The home page is the technology that allows MSN.COM to get hits. According to a scientific poll, the address "MSN.COM" (or any of its regional variants) has been typed 11 times in a browser address bar over the last 6 months; out of those 11 times, 8 were a typo from people trying to access the Madison Square Garden website (msg.com) and 2 were a typo from people who wanted to see if it's true that msnbc.com is offline. Yet.


  • Discourse touched me in a no-no place

    @PJH said:

    What's a home page?
    What's an installer?



  • @dkf said:

    @PJH said:
    What's a home page?
    What's an installer?

    I write all my programs in Go, so it's just one file. What the hell would I need an installer for with one file?



  • @Ben L. said:

    I write all my programs in Go



  • On the topic of confusing/malicious options, this was linked on Hacker News today: http://toys.usvsth3m.com/realistic-facebook-privacy-simulator/



  • @Arnavion said:

    On the topic of confusing/malicious options, this was linked on Hacker News today: http://toys.usvsth3m.com/realistic-facebook-privacy-simulator/


Log in to reply