
A close look at how Oracle installs deceptive software with Java updates - Hagelin
http://www.zdnet.com/a-close-look-at-how-oracle-installs-deceptive-software-with-java-updates-7000010038/
======
chrisacky
Just to tell my experiences on this, I was _forced_ to install the crapware
last week. There was no way for me to uncheck or opt out of the checkbox.

I have machines which I connect to that do not have any mouse connected. I
have no problem in navigating systems with a keyboard and can run through
installers probably quicker than most people with a mouse can, but when this
dialog popped up for me, I was stumped for about 10 minutes. I employed every
shortcut in my keyboard-shortcut arsenal and fell short.

I genuinely felt like this was not just some programming mistake (because the
"Next" control was already highlighted waiting for me to hit Enter). It is a
dark pattern that was purposefully introduced to their installer to make it
impossible for users like me to opt-out of their installer.

A consequence of their deception was that they did get a dozen installs from
me, but my dislike for Oracle increased tenfold, and in a quiet-protest, I'll
make damned sure that I suggest any alternative to an Oracle product when I
have reasonable alternatives (Without cutting off my nose to spite my face).

~~~
halviti
_I employed every shortcut in my keyboard-shortcut arsenal and fell short._

One good one to remember is ALT+Left Shift+NumLock

Then you can use your keypad as a mouse. / and - toggle which mouse button 5
is.

~~~
error54
Also, pressing shift 5 times is an easy way to enable sticky keys in Windows.

~~~
smcl
I have accidentally enabled this a million times and I've no idea what it does
other than messing up my keyboard.

~~~
FredFredrickson
It's an accessibility feature. If you don't have the dexterity to hold keys
down yourself, you can enable sticky keys and (if I remember correctly) it
will make certain keys act as toggles so you don't have to do finger-yoga to
hit certain key combinations.

------
neya
Ladies and gentlemen, introducing THE fugliest company of all time - ORACLE.

The company that sued Android unsuccessfully, The company that fucked up JAVA,
The company that fucked up MySQL, The company that fucked up OpenOffice, The
company that doesn't like anything good happening within the tech sector.

I _really_ miss those days when Oracle was highly respected and used to be a
great workplace to be a part of.

~~~
stevoski
Oracle fucked up Java? Not my view. Installing Java on Windows installed
unwanted stuff for years during Sun's days. (Was it the Yahoo toolbar? I
forget).

Oracle, for all its faults, has actually managed to get the new versions of
Java back on track. Sun seemed to be unable to get Java 7 out the door. Oracle
did so, and is making good progress on Java 8.

~~~
pasbesoin
I won't speak to Java itself, but I will say that -- crapware side-effects
aside -- the Java SE installation process has actually improved since Oracle
bought out Sun.

Whether coincidence or causative, I don't know.

It runs more quickly, and it only has a single instance of a single level of
nested installers (for the JRE). A couple of years ago, the installation
process had gotten simply bleep-awful, especially after they tacked JavaFX
onto it, which installation seemed to take even longer than the installation
of the rest of the SE package.

------
NelsonMinar
It's a nice racket Oracle has. Every time they release a security fix, they
make a few hundred thousand bucks on drive-by installs. Security holes as
business model.

~~~
nhebb
They don't even need to release a fix. I have been prompted to update several
times in the past year, where I go through the install process (including
having to uncheck the Ask box), only to get the message at the end that
version x.y.x is already installed.

The updater is just plain buggy. Ed Bott mentioned the problems with limited
user accounts, but I didn't see him mention the issue with jucheck ignoring
the update settings:

[http://superuser.com/questions/130961/how-to-stop-jucheck-fr...](http://superuser.com/questions/130961/how-to-stop-jucheck-from-running-java-wont-remember-check-for-updates-automat)

I also had an XP system where the %appdata% environment variable somehow got
deleted. This completely breaks the installer.

~~~
niggler
Is the Ask.com toolbar installed before or after Java, and if Java fails will
ask.com be rolled back?

~~~
noselasd
When you check for the Ask toolbar and click next in the Java installer, the
toolbar installer is fired off in the background, and installs itself after 10
minutes, regardless of what you do with the Java installer.

~~~
niggler
That's incredibly shady.

------
Aardwolf
This sums up everything I find wrong about the Windows philosophy. Software
whining for updates. Unwanted background programs. Installers that want to
install more than you ask for. Usage of the phrase "We recommend" where
recommend means "we get money if you".

I've never seen any of those terrible anti-user behaviours in a Linux package
manager, or makefile.

I would be fine with an actual security fix being downloaded and installed
silently (without any other payload of course).

~~~
kevingadd
This has nothing to do with Windows specifically and everything to do with
software developers prioritizing profit over all else.

What does the 'Windows Philosophy' have to do with the decisions Oracle makes
about _Java_ anyway? Do you really think Java follows the 'Windows
Philosophy'?

~~~
revscat
> This has nothing to do with Windows specifically and everything to do with
> software developers prioritizing profit over all else.

I don't know about philosophies, but Windows is the only OS I have used which
suffers from these problems. I have never experienced this on OS X or Linux.

I don't particularly care why, just that it happens.

~~~
bunderbunder
I strongly suspect that the fact that this doesn't happen as often on OS X and
Linux has very little to do with anything intrinsic to those two operating
systems. It's just that they're less fertile ground for this sort of thing.

For one, each having fewer users should not be ignored. 90% fewer users means
90% less potential profit. That's a big number even when you aren't relying on
a revenue generation model such as ads.

But not just that - also because the average user on both platforms
(particularly Linux) is more computer-literate, and therefore better-capable
of defending against this sort of thing.

And on the OS X side, remember that for a long time the Java run-time was
distributed by Apple. The agreement to start having it be distributed by
Oracle might well have included a "no crapware" provision.

On the Linux side, well, that's where all their enterprise customers live
nowadays. They really do _not_ want to piss off their enterprise customers
like that.

~~~
ajasmin
OS X and Linux apps don't have to be bundled in a custom installer. In OS X
you simply drag the app into your Application folder and now there's an App
Store that makes the whole experience even simpler and curated.

Linux distros have great package managers and you won't get greedy crap-ware
from the Open Source community.

It's a shame that Windows installers have become so bloated. The other day
I've seen one with a check box labeled "I agree [to install this crap ware]"
just below the license text. Really deceptive.

Hopefully the Windows Store will help improve that experience.

~~~
bunderbunder
Sadly, the Windows store is only for Don't-Call-it-Metro apps that can run on
the tablet version. So it really doesn't offer anything to help desktop users
- for the most part they're still stuck with the same old Windows Installer
quagmire.

------
mpweiher
So are the Feds going to go after Oracle and Larry for "unauthorized access to
a computer" and "wire fraud"? With, like, real jail time?

~~~
lawnchair_larry
Considering I clicked Java Installer.exe and got Ask.com toolbar installing,
it sounds like a clear cut case of identity fraud as well.

Taking up real estate in my toolbar is basically criminal trespassing, so
throw that in. I mean, it's not like in real life you can just say to an
inattentive person, "I'm about to break into your house unless you tell me no"
and have it be okay.

------
edandersen
Looks like YC should make an investment!

~~~
bobsy
It does seem to meet PG's criteria

1\. The user has an opportunity to opt out.

2\. Calling Ask Toolbar "crapware" is only an opinion. Someone may actually
want it. _sniggers_

I think bundling software is fine so long as it is relevant and genuinely
useful. Ask Toolbar fails on both accounts. Bundled software shouldn't be
offered during minor updates or security fixes... or at the very least, during
these minor updates, it should be opt-in instead of opt-out.

------
DoubleMalt
Well when after the last security issue there were articles calling end users
for uninstalling Java completely, I was pretty mad at the missing distinction
between the plugin and the runtime.

But now I really think this is a good thing to recommend under Windows.

I will still continue using OpenJDK for server projects under Linux, but will
press for different solutions whenever installation of Java on a Windows
machine might be required.

------
manaskarekar
Can someone comment on how .NET platform + tools compare?

As someone who is not invested in either camp, between the two, .NET seems
like a much better place to be invested in right now.

Edit: Thanks a lot for the replies, I'm much better informed.

~~~
davesims
I had about a decade in both, and really they're two very different worlds.
From a code standpoint I'd much rather be in C#. It's one thing that MS has
done really, really well over the last 10 years. They've taken a pretty
aggressive stance towards adopting new features and although it's become
fairly complex as of 4.0 and on, it really has some great features, some
functional-inspired things like closures and collections api stuff that
reminds me of Ruby in a lot of ways, and a great web framework in MVC that is
honestly almost as fun to code for as any of the open source web frameworks
out there. If you had to choose between one of the big J2EE stacks and MVC, no
question, MVC is far, far better. The infrastructure is still a big 'ol MS GUI
world, and I'd rather do <badPainfulThing> than spend a lot of time
configuring and deploying IIS apps, but then Tomcat and WAR files et al.
ain't exactly fun either.

Java's JVM/bytecode infrastructure on the other hand has undergone a
renaissance as a VM platform for a lot of very cool languages: Scala and
Clojure being the two big examples there. But that's _Really_ not the same
thing as Java, obviously. And there's Android -- a completely different
ecosystem, and somewhat truncated as a Java dialect, but still basically the
Java language and able to employ most of the libs you're used to having:
Guava, Guice and so on. No dynamic code gen, which stinks, but I know why they
did it. So if you have Java under your belt and want to get into mobile stuff,
that's a huge plus.

So, as a general-purpose language skill, Java is still really, really
important to know and will have legs for a long time to come. ASP MVC is a
great framework, and if you can't work in something like Django or Rails or
the like, it comes in nice 3rd or 4th place in terms of making for general
coder happiness. C# is a far more progressive and interesting language than
Java, but that's a philosophical difference between the gatekeepers of the two
languages: Java intentionally moves slow for the sake of stability and
continuity, C#'s minders have apparently embraced a little of the 'move fast
break things' attitude of some parts of the open source world. I prefer the
latter, but understand the rationale of the former.

Me, I'm a Rails coder these days but also get to hop back into Java for
Android dev and the rare foray into ASP work and they all have strengths and
tradeoffs and they'll all be around a long time. The only thing I think I
would avoid on principle, for my own sanity, is any enterprisey J2EE
framework. That truly does feel like a massive leap backwards.

~~~
untog
Agreed with this. I used to code C# for a living but have moved on- however,
I'm now playing around with MonoTouch in my spare time and I'm loving using C#
again.

MonoDevelop is a poor man's Visual Studio, but it's a lot less demanding and
runs on OSX. Backend frameworks like Nancy.fx are really great for being even
simpler versions of MVC, too.

~~~
davesims
I was shocked how well MonoDevelop worked out when I used it briefly a couple
of years ago. But my expectations were pretty low -- I was expecting a
compatibility quotient something close to Wine circa 2001, and got instead a
basically functioning C# environment on my Mac, which was pretty dang cool.

------
brown9-2
You would think that a company Oracle's size wouldn't need to resort to
install commissions from something like this.

You would think that after several years of conning people into using their
search engine, the employees at Ask would feel dirty to have to engage in such
tactics.

~~~
spyder
Even Google is supporting these shady practices by powering some of the search
toolbars and probably paying the toolbar owners for ad clicks. See MyWebSearch
(<http://home.mywebsearch.com/>) mentioned in the article.

------
jakub_g
One additional note regarding the installer: to opt out of the toolbar
installation, you have to click _the checkbox itself_. You can't click the
text label associated to it. I call it a bug, but certainly it's a feature in
this context.

~~~
talmand
Actually, that's very common. It's one of my pet peeves for web design but I
see it often in installers and the applications themselves.

------
regularfry
This problem has been known and complained about for _ages_. What's the
community response? We have OpenJDK, why does anyone put up with an abusive
installer from Oracle?

~~~
jarito
Because Windows is not a supported platform? You have to find an unofficial
build or build it yourself.

~~~
mathnode
Is anyone distributing 64bit OpenJDK builds for windows?

EDIT: I found: <https://github.com/alexkasko/openjdk-unofficial-builds>

~~~
untog
Just the word 'unofficial' is enough to stop most large companies using them.
It is (was?) the same with Firefox- they never offered an MSI installer for
use on corporate networks. There were unofficial versions, but you could never
be sure that someone hadn't bundled something extra in there.

~~~
mamcx
"but you could never be sure that someone hadn't bundled something extra in
there".

Irony,

With Oracle, you are SURE.

------
nnq
Java could have been such a good thing, even in the browser (ok, as platform,
ignoring the language's shortcomings, but still...). Why did both Sun and
Oracle strive so hard to fuck it up? _It's as if these guys have a "how to
fuck things up for the end user" brainstorming meeting every week!_

~~~
brazzy
I think the last few years have shown conclusively that it is not a good
thing in the Browser because the sandbox security model is too complex to be
implemented correctly.

~~~
nnq
> the sandbox security model is too complex to be implemented correctly

...is there any other simpler security model than this? Java even seems a
simpler and more "well behaved" language than JavaScript, and JVM bytecode is
said to be even simpler (though I'm not an expert on this...), and browsers
had their own share of JavaScript related exploits but people rolled updates
quickly, acted responsibly and _didn't do anything particularly stupid_ (as
opposed to the described crapware incident perpetuated by Oracle).

EDIT+: one can buy browser exploits cheaper on "the x market" and they are
more useful than JVM exploits so "security" is not Java's Achilles' heel, and
it's Swiss cheese all the way down if you look at most web-facing software
unfortunately...

------
gus_massa
I really hate the crapware, and I hate more the "opt-out" crapware. But the
"summary" of the article is a little unfair:

 _Oracle's Java plugin for browsers is a notoriously insecure product. Over
the past 18 months, the company has released 11 updates, six of them
containing critical security fixes. [...]_

The updates and security fixes include not only the plugin, but all the Java
runtime that is much bigger and complex. (For example, one of the updates was:
[http://www.oracle.com/technetwork/topics/security/javacpuoct...](http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html#AppendixJAVA)
). This is like accusing Chrome or Dropbox of being insecure, because they do a
lot of updates (that are automatic, invisible and don't offer crapware).

------
fencepost
Crapware-free downloads ARE available.

If you go to Oracle's Technology Network area to download (or Google for the
specific version e.g. "java 6u38" or "java 7u11 oracle" because of all the
press) you can agree to their binary license and download crap-free offline
installers.

The link for 6u38 is
[http://www.oracle.com/technetwork/java/javase/downloads/jre6...](http://www.oracle.com/technetwork/java/javase/downloads/jre6u38-downloads-1877409.html)
and the link for 7u11 is
[http://www.oracle.com/technetwork/java/javase/downloads/jre7...](http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html)

------
peapicker
Interesting how many comments about desktop Java being dead, when the highest
selling video game still available and being developed is Minecraft, written
in Java, which runs on the desktop... (over 9 million registered users, and
still increasing... enough to make it the #9 all-time selling video game)

I will admit tho, for traditional desktop apps, it is very dead.

------
edgesrazor
I'm glad this was said in a much larger avenue than my paltry Twitter account.
To bundle a toolbar installation in with a major security fix is not only
dishonest, it's unethical and who's to say that toolbar isn't the next piece
to contain a security hole?

------
nodata
A sleeping add-on installer that waits ten minutes? Sounds kind of rootkit-y,
opt-in or not.

------
bhauer
I can't sympathize with this article and most users in this thread because I
don't understand why anyone uses Java within web browsers. Today, Java is for
server-side code. Full stop. Okay, I know some people still have to use
Applets, but none of us here, right?

Kidding aside, I've installed the Oracle JDK on dozens of Windows machines and
not once have I been prompted to install a toolbar or bloatware.

1\. Navigate to java.oracle.com

2\. Select Java SE.

3\. Select to download JDK SE 7u11

4\. Accept license agreement

5\. Download Windows x64

6\. Open installer

7\. Select to install "Development Tools" and "Source Code" (disable "Public
JRE")

8\. Wait and then close installer

9\. Run c:\java\bin\java.exe

10\. Review Windows' "Programs" and note only JDK has been installed; no
toolbars

11\. Celebrate

I suspect many people are installing the JRE, which is something I've never
done. Since the JDK can run Java code, why install the JRE at all?

~~~
bskap
Because many people are still stuck using applets in the browser. The JDK
won't run those.

------
thesis
Last update I received I clicked the next button a little too fast. I realized
after I went through the dialogs too quick and I figured no big deal I'd just
cancel it when the McAfee dialog came up. It never did... all of the
installation was in the background.

Shady!

------
facorreia
I think the Java plugin should start to be flagged as malware given the
persistent presence of holes that allow remote execution of arbitrary code,
the clever bundling of questionable software and the update wizard behavior.

------
alayne
Sun was installing toolbars before Oracle bought them. I remember them
bundling the Yahoo toolbar with Java.

------
chadscira
What really upsets me about this is that it's Java that they are stuffing this
adware into... Java a previously legitimate requirement that many applications
have chosen to build on top of as a language/platform. For the average user it
looks like all of these other programs are promoting this... I'm surprised
that they can get away with it.

------
kjackson2012
Fuck Oracle. And unfortunately, I guess that means Fuck Java too. This is the
exact kind of stupid behavior that kills great technologies like Java, by
stupid, greedy people that care more about money than technology. If this is
how they expect to treat their users, I'll switch permanently to Python, PHP,
and anything else besides Java.

------
king_magic
I happily uninstalled Java from all of my machines/OSes last week. Glad to be
rid of it.

~~~
neumann_alfred
I decided to try the same. It's been ages since I last played Minecraft, and I
have frankly no idea what other apps I'm using might be using Java; the only
way to find out is to uninstall it. It's not like I can't install it again if
I need it.. but the days of just having it installed "just in case" are over
for me. I might even uninstall Flash just for kicks.

------
jiggy2011
I think this is in a large part due to the way programs install on Windows
perhaps.

These programs seem to rely on getting the user to make a choice during
installation time. Windows is the only major OS that seems to rely on
"installers" being programs in their own right.

For example on debian, .deb packages provide a standard installation process.
Whilst it would still certainly be possible to inject all types of crapware
into a .deb the actual install process is not really conducive to this,
because there is no way (AFAIK) to pop a custom screen during the install.

------
pasbesoin
One reason I always download the full installer (even to upgrade), rather than
using the Java update notification service (it runs, but when it prompts with
an update -- if it does so before I manually upgrade -- I use that
notification as a cue to go download the full installation; I _don't_ let the
service upgrade me).

------
emmelaich
My experience is that the one from java.sun.com does not have the crapware.
Especially if you install jdk?

The one from java.com does.

I'm not 100% certain though.

BTW, there is a process to install java without the installer and without
admin rights on Windows. The process is described on say StackOverflow but I
have it scripted.

I should put it up on github sometime!

------
d4vlx
Too bad Google missed out on buying Sun.

------
DHowett
I was just about to decry ZDNet for calling the kettle black here, but it
seems they removed the scummy invisible pop-up ad click target they used to
put in the negative space next to the column.

------
andmarios
I do not have any such issue. Are you sure this sidebar comes with the
official java installer from www.java.com?

From what I've heard, I guess it comes with Java installers from 3rd party
sites.

------
suyash
Do not take this article seriously. This is a garbage post and the problem is with
ASK and not Oracle here.

------
aydoubleyou
And this is why Apple creates their own install packages for Java.

~~~
otterley
Not anymore, they don't. (Source: <http://bit.ly/947yQJ>)

------
adamkochanowicz
This seriously changes my opinion of Oracle.

------
doctorpangloss
Isn't it a little ironic that we're reading an article about foistware where
the author searches for his own book on multiple search engines?

------
kahawe
I used to work with Sun for quite some time; I can say without failure every
single Sun tech I came across was pretty damn cool, knew what they were doing
and was hooked up in the Sun-universe enough so they could provide excellent
pointers and ultimately that translated into happy customers. On top of that a
lot of their enterprise-y software wasn't half bad to begin with, it was just
always terrible getting good documentation and information as an "outsider" oh
and there were a couple of years when you could just forget the sorry excuse
they passed off as "support". But there was always the possibility of going
"black-ops", just de-compiling and providing your own fix and although this is
far from great, things just worked and everyone was happy. Sun's suits didn't
really matter from our point of view anyway, they did no harm, stood in
nobody's way, shook hands and invited folks to dinner when appropriate. Fair
enough, you cannot really ask for more, anymore and it would literally be
paradise, so I was happy with that. Even though I never got that project
manager I was basically paying for...

Enter big red. Talking to brain-washed zombies cannot feel very different from
talking to Oracle's sales drones and customer relation dummies. You were
talking about "A", they would start trying to sell you pricey-addon for the
database when you weren't even talking databases in the first place. Whoever
was a useful tech contact inside Sun before now turned into a walled-off
zombie as well and I guess I was lucky they didn't just slap a price tag on
picking-up the phone or simply answering an email. And to top it off I had to
suffer one of their pre-sales dummies loudly telling an oh-so-ridiculous story
how, can you imagine, bigcorpA was running tomcat(!) in their production
environment! And not the abomination from hell that Oracle gets away with
charging huge amounts of money for!! Well can you imagine that!!!

Another case of too-big-to-fail and nobody ever got fired for buying Oracle,
hm?

~~~
VonGuard
Bit Torrent makes all its money through Ask's tool bar. Ask props up a whole
economy, it seems. But hey, at least Oracle figured out how to make money on
Java! Sun never did that.

~~~
bunderbunder
Which raises an interesting question - how _do_ you make money on a platform
like this?

I've been wondering because I think that my preferred managed environment
(.NET) is doomed if Microsoft continues keeping it tied to Windows. On the
Microsoft side, I suspect that Microsoft's market share in the server and
enterprise space is going to continue dwindling for the foreseeable future,
which means that their current plan for making profit is far from certain. But
neither Sun nor Oracle seem to have figured out a way to distribute Java for
free to the world at large and make a profit off of it, and it's hard to
imagine that Microsoft is any more capable of pulling that rabbit out of its
hat.

Perhaps the trick is that you don't try to make money on it, at least not
directly. And there's a great project out there that's trying to do it that
way. But, well. . . . ugh. I love Mono; it seems like it has everything going
for it. From a technical standpoint it's been rapidly closing the gap with
Microsoft's implementation, which I suspect means it's probably already ahead
of the Java platform in many respects. The flagship language is certainly way
ahead. And it has the singular distinction of being the only Free platform in
this sector, which would make you think that folks would be extremely
interested in seeing it win. Why that doesn't seem to be the case continues to
mystify me. I know it's still got a few Big Business cooties on it, but it's
got way, way, way less of them than Java does.

~~~
dredmorbius
> Which raises an interesting question - how do you make money on a platform
> like this?

Professional services. Hardware sales. Turnkey solutions (you want to support
industry X using Java? ...). Development tools (to the extent not provided by
third-parties). Certification/compliance. Associated products (nice Java app
you've got there, need a database to go with it?).

Here's a thing: making money off of software _by itself_ is _hard_. One of the
lost messages in the recent trash-talking of Microsoft is that the fall of the
House of Redmond also means the fall of software as a standalone, unit-sold,
high-value product. Nobody but nobody else operates this way, certainly none
of the current tech leaders: Google, Apple, Facebook, Amazon. Two sell ads,
two sell things. None sells software.

