InstallMonetizer quietly starts editing website, privacy policy - edandersen
http://www.withinwindows.com/2013/01/16/installmonetizer-quietly-starts-editing-privacy-policy/

======
edandersen
InstallMonetizer have display:none'd the Microsoft advisor from their About
page. What have they got to hide eh?

PG: we never got an update after you said you were "investigating". Can you
elaborate at all?

~~~
gus_massa
In these cases, "investigating" usually includes trying to fix it if something
is wrong and probably preparing some PR.

Don't expect that pg will come tomorrow and say "I investigated. Yep, they are
morons. Don't use it!" Expect some changes and a blog post from
InstallMonetizer saying "We appreciate the feedback of the community and to
improve the product we ..."

------
rdl
I don't understand if this post was supposed to be negative or positive. IMO
it's positive -- if they got a lot of press/hn/etc. attention over some of
their advertisers being less than ideal, and a privacy policy that was overly
broad, and they're now fixing it, that's great news.

From looking at this, it looks like maybe some of their advertisers did cross
the line, but I don't think desktop app install monetization is inherently
evil. It's slightly annoying that Oracle/Sun bundles the Ask Jeeves toolbar
with Java, for instance, but it's not any more annoying than having to pay $6
to cross the bridge.

~~~
pfisch
I have never once seen app install monetization not be evil. It is one thing
if an installer advertised a piece of software like how you see get firefox
buttons. It is another thing to try and wedge some app install agreements
between a bunch of other TOS agreements to try and trick people into
installing invasive software that slows down your applications and is often
very difficult to remove.

I don't really understand why YC would get behind such a business. Money isn't
everything. I guess they want to disrupt malware with some new even more
horrible malwares.

~~~
rdl
I've seen it "upstream" of the actual installation and be ok.

e.g. when you try to download/install Confluence, they cross-promote some
other Atlassian products. It's not done too hard (and I can't find an example
of it now). I've seen other "first party" examples of upsell where you are
going for one product and add another product from the same vendor.

I've also seen lots of horrible malware, trash, etc. That's almost always what
you see with PPI.

I think PPI is like banner ads were pre-Google. What we need is the "AdSense
of PPI" to deliver really contextually relevant/well targeted PPI to users.
The problem is I suspect this is really hard -- offering a $1-2 payout to put
a crappy toolbar is nearly the optimum for any mass market piece of software.
But, if you had more targeted software (say, an awesome reverse engineering
tool), there would probably be related tools you could promote at the same
time which would be win/win.

The irony is you're more likely to see this as a third-party service, since
individual volumes on tools with niche userbases are really low, unless a
publisher has a bunch of complementary products in-house. There's nothing
specific enough for a Java JRE downloader to win out over a shitty toolbar.
There isn't enough volume for a decompiler to pay someone in-house to go out
and negotiate a deal with a fuzzer or something, so you either do nothing, or
run shitty toolbars, or hope for a company who could provide really targeted
PPI for smaller niche publishers.

I'm not saying InstallMonetizer is that now or ever, but if someone did that,
I'd be really happy with them. It may or may not be a good business model,
though.

~~~
X-Istence
Atlassian does this from within their various products. For example within
JIRA it will advertise for Bamboo, which is their CI stuff. Except, we already
have CI in the form of Jenkins and are more than happy with it.

~~~
rdl
I could see that being annoying or helpful, depending on how it's implemented.
(I've only ever used Confluence).

~~~
X-Istence
It's annoying, well at least to me, because I would click on one of the
various tabs in JIRA and be presented with an ad instead of the information I
was seeking.

We have Jenkins set up to input data into Jira, unfortunately that integration
isn't entirely fantastic and doesn't always work as well as one would hope.
Mainly because Jira's SOAP API is an absolute mess.

------
shitlord
I am wondering why the MAC address is md5 hashed. There are only so many
possible MAC addresses for most consumer electronics. Couldn't you just find
the md5 hash for all of them and basically create a rainbow table?

~~~
mmastrac
The space for MAC addresses is 281,474,976,710,656. Based on
<http://golubev.com/gpuest.htm>, the rate for MD5 hashes is approximately 1
billion/second on a GPU.

So, in about three and a half days you could generate the whole space of MAC
addresses (assuming that they only protect it with a single MD5 hash). You'd
need about 1.7 petabytes to store it.

~~~
Sanddancer
For something like this, you don't even need to generate the entire MAC
address space. As of right now, there are a little more than 17000 assigned
OUIs ( <http://standards.ieee.org/develop/regauth/oui/oui.txt> ), which means
there are about 281 billion legitimately allocated MAC addresses. So, with
simple filtering, you could fit that hash table into a few terabytes of
storage space, and generate it in a handful of minutes.

~~~
rwg
In the ideal case, you'd only need to hash ~17000 * 2^24 MAC addresses to have
a complete table, but the reality is that there are a _lot_ of manufacturers
who assign MAC addresses in products using OUIs that they haven't registered.
(Registering an OUI costs US$1885, and when you're a factory working on razor
thin margins, that's a _lot_ of money.)

As an example, a $17 802.11n travel router I bought from Monoprice a few weeks
ago uses 00-B0-C0 as the OUI, which has no corresponding entry in IEEE's OUI
database. In the past, I've purchased cheapo no-name PCI Ethernet cards
(usually with Realtek chipsets and lots of empty pads and/or through-holes on
the PCBs where capacitors are supposed to go) which had similarly unregistered
OUIs in their MAC addresses.

~~~
Sanddancer
Ugh, yeah. I should have taken into consideration penny-pinching companies
when doing that math. Especially when their behavior makes it hard on everyone
else when the inevitable MAC conflict happens.

------
withinrafael
Just verified that a few InstallMonetizer bundles send MAC address information
in the clear, updated my post accordingly.

------
neurotech1
I'm wondering why companies who use products like this, and pay-per-installation
packages, don't just have an "uncheck" for add-on toolbar/adware components.
This is the case with Alcohol 52% (a CD emulator) that I used on Windows.

IMO Non-optional installation of adware/toolbars etc. crosses the line towards
"evil" malware.

~~~
codesuela
I'm pretty sure it is also illegal to distribute software in such a fashion in
the EU

------
atesti
The site does not load for me, here is a google cache link:
[http://webcache.googleusercontent.com/search?q=cache:d8XynYp...](http://webcache.googleusercontent.com/search?q=cache:d8XynYpnQcEJ:www.withinwindows.com/2013/01/16/installmonetizer-quietly-starts-editing-privacy-policy/+http://www.withinwindows.com/2013/01/16/installmonetizer-quietly-starts-editing-privacy-policy/&hl=de&tbo=d&gl=de&strip=1)

------
readme
>"I can confirm the mac address is sent in the clear"

Forgive me if I'm missing something about TCP/IP, but why does that matter?
Couldn't a man in the middle get your mac address anyway?

If not, I don't see this as such a flaw. I think they must have meant that
they store it as a hash in the database. That way your data in their db is not
linked to your true self/computer.

~~~
MichaelGG
First, the idea behind hashing the MAC is so that they don't know your actual
address. This doesn't work as MAC addresses have too small a space for hashing
to be useful.

Second, the MAC address is only exposed on the local network. It is not
transmitted over the Internet; it's only used at the link layer to identify
nodes.
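The search-space arithmetic from mmastrac's and Sanddancer's comments (2^48
MACs, ~17000 registered OUIs x 2^24) and the lookup that makes a bare MD5 of a
MAC reversible, as MichaelGG describes, in an added Python example that is not
from the thread or from InstallMonetizer. The OUI 00-B0-C0 is the one rwg
mentions; the small demo suffix range, the secret key and the keyed-hash
variant are my assumptions, not anything the thread attributes to the product.

```python
import hashlib
import hmac
from typing import Callable, Iterable, Optional

MAC_SPACE = 1 << 48             # every possible 48-bit MAC address
ASSIGNED_OUIS = 17_000          # registered-OUI count cited in the thread
HASHES_PER_SEC = 1_000_000_000  # ~1 billion MD5/s on one GPU, as cited


def table_estimate(entries: int, bytes_per_entry: int = 6,
                   rate: int = HASHES_PER_SEC) -> dict:
    """Time and storage needed to precompute a hash table for `entries` MACs."""
    return {"entries": entries,
            "seconds": entries / rate,
            "bytes": entries * bytes_per_entry}


def mac_str(oui: int, suffix: int) -> str:
    """Render a 24-bit OUI and 24-bit device suffix as AA:BB:CC:DD:EE:FF."""
    value = (oui << 24) | suffix
    return ":".join(f"{(value >> (8 * i)) & 0xFF:02X}" for i in reversed(range(6)))


def md5_mac(mac: str) -> str:
    """The unkeyed hash the thread assumes the bundles apply to the MAC."""
    return hashlib.md5(mac.encode()).hexdigest()


def keyed_mac(mac: str, key: bytes) -> str:
    """Keyed alternative (HMAC-SHA256 with a server-side secret). Not something
    the thread describes; added to show what stops the lookup below."""
    return hmac.new(key, mac.encode(), hashlib.sha256).hexdigest()


def recover_mac(digest: str, ouis: Iterable[int],
                suffixes: range = range(1 << 24),
                hash_fn: Callable[[str], str] = md5_mac) -> Optional[str]:
    """Walk every suffix under each candidate OUI until hash_fn matches.
    The real search is 2^24 hashes per OUI; the demo passes a smaller range.
    Without the key, the keyed variant cannot be enumerated this way."""
    for oui in ouis:
        for suffix in suffixes:
            candidate = mac_str(oui, suffix)
            if hash_fn(candidate) == digest:
                return candidate
    return None
```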

------
jzd131
Sounds like spam software to me...

------
OGinparadise
Malwarebytes isn't letting me go to their website, the "we blocked xxx IP"
comes up. The game has changed, if a few major sec companies blacklist you,
you are toast.

~~~
longzheng
A friend of mine at MS said the same thing, the IT department blocked the IP.