
Java Runtime updater now installs ask.com toolbar on Macs - pje
https://jamfnation.jamfsoftware.com/discussion.html?id=13567
======
xenadu02
You aren't Oracle's customer. The Fortune 1000 are their customers. Oracle
doesn't care about nerd outrage, the developer community, or end users.

Former Oracle employee, via acquisition. Horrible place to work.

This post is my own opinion and does not relflect insider or confidential
information from Oracle.

~~~
organsnyder
I can't imagine that the Java installer asking to install the Ask.com toolbar
on a Fortune 1000 CEO's home computer is terribly good marketing, though.

~~~
zak_mc_kracken
No Fortune 1000 CEO uses a Mac, so that's not an issue.

~~~
benaiah
I think Tim Cook might.

~~~
pornel
He knows already.

Apple has stopped including Java in OS X and banned Java in the AppStore.

~~~
desdiv
Oh, how the mighty have fallen. This is what developer.apple.com/java read
back in 2009 [0]:

 _Mac OS X is the only major consumer operating system that comes complete
with a fully configured and ready-to-use Java runtime and development
environment. Professional Java developers are increasingly turning to the
feature-rich Mac OS X as the operating system of choice for both Mac-based and
cross-platform Java development projects. Mac OS X includes the full version
of J2SE 1.5, pre-installed with the Java Development Kit (JDK) and the HotSpot
virtual machine (VM), so you don 't have to download, install, or configure
anything.

Deploying Java applications on Mac OS X takes advantage of many built-in
features, including 64-bit support, resolution independence, automatic support
of multiprocessor hardware, native support for the Java Accessibility API, and
the native Aqua look and feel. As a result, Java applications on Mac OS X look
and perform like native applications on Mac OS X._

[0]
[http://wayback.archive.org/web/20091223033016/http://develop...](http://wayback.archive.org/web/20091223033016/http://developer.apple.com/java/)

------
TeMPOraL
And people are suddenly surprised there is strong anti-vaccine movement.
_This_ kind of things is _the real_ reason for it.

From the producer who decides to reduce the amount of good in a box, while
keeping the packaging and price tag the same, to the grocery store clerk that
sells you meat that was already twice washed with dishwashing liquid to appear
fresh (a very common practice), to the company that regularly sends you 4W
LEDs when you order 5W hoping you won't notice, and if you challenge them
they'll tell you it was a factory labeling mistake, to the smartphone vendor
that tells you about amazing experience and then sells you equipment loaded
with so much crapware that you cringe every time you turn it on - everyone
around you is out there to get you. So many businesses try to fuck you over,
all the time, and they totally get away with it.

And then everyone is surprised people have trust issues. It's hard enough to
get people to install any kind of updates in the first place - and how we're
expected to have a secure Internet if people have _a very good reason_ not to
install new versions of things?

Seriously - companies like Oracle, like Ask.com, like Lenovo, SuperFish, like
Uber and like so many, many others - start-ups, mom&pop's, medium companies,
big corporations - they all found a very profitable business model: taking the
common value of trust we have in society and burning it to earn money. And I
guess it works well - if you're an executive who's going to get a pay raise
and maybe a promotion for literally shitting on the faces of your customers,
when why wouldn't you do it? Well, except of having _any decency at all_?

Whoever decided to bundle this crapware with Java Runtime, if you're reading
this - you're actively contributing to one of the biggest problems our
civilization is facing. You should feel responsible. The next time someone
dies because he refused to follow established procedures out of lack of trust,
this is - in a small but important part - _on you_.

It may feel like I'm exaggerating here, but just look around and think for a
minute. The collapse of trust we see in contemporary society is raising to the
level of becoming an existential threat for our civilization. And I wish I
knew a way how to reverse it...

~~~
Shank
A bit of a slippery slope to associate the installation of adware with the
anti-vaccine movement.

~~~
api
Not at all. OP is pointing to a common underlying social dysfunction. We live
in a hierarchically exploitative society, which contributes to the global
collapse of trust.

I'm sure if it were somehow possible and legal to bundle some kind of mind-
control adware into a vaccine that forces you to buy the sponsor's brands,
someone would be doing it.

~~~
TeMPOraL
> _We live in a hierarchically exploitative society, which contributes to the
> global collapse of trust._

Indeed. And I think people sometimes don't realize that this trust on society-
level is literally _the one_ thing that separates us from being savages. Not
our technology, not our military, not the scientific advances, not the
democracy, but bonds of trust are what keeps civilization from falling apart.

> _I 'm sure if it were somehow possible and legal to bundle some kind of
> mind-control adware into a vaccine that forces you to buy the sponsor's
> brands, someone would be doing it._

Then it would be detected, someone would get fired, company would pay some
huge fines to FDA of WHO or whomever, at best maybe regulations would also be
updated, and then everything would be business as usual. Everything, except
the trust people just lost - because seeing the corruption everywhere, what
possible reason would they have to believe that the new regulations will be
effective at preventing such event from happening again?

~~~
pdkl95
> ...seeing the corruption everywhere, what possible reason would they have to
> believe...

This is a fundamental truth that needs to be realized _now_ if there is to be
any hope of preventing our slide from a democratic republic into a new form of
feudalism. More specifically, a _financially stable_ democratic republic into
a feudal society that dissembles, victim-blames, and makes shows of force to
hide a useless economy and defaulted obligations.

The trust and respect that being destroyed by _both_ business _and_ government
is also what the finance pundits refer to when they talk about "confidence in
the market". When many people start observing that "rule of law" and "meeting
of the minds" as used by everyday business interactions have become a double-
standard that will be enforced in only one direction, the _rational
conclusion_ [1] is to respond with the same lack of trust and respect.

I am of the opinion that we already reached this point. A lot of people
already deeply mistrust large business, and w4 only have to look at the
evening news to see the level of confidence most people have in the economy.
We're simply waiting for a spark to ignite the situation. I actually thought
the fast-food employee situation[2] was going to be that spark last year, but
it seems that problem has been put on hold for the moment.

Meanwhile, we get to deal with the _collaborators_ that work to maintain the
current situation by trying to explain away bad behavior like this
Lenovo/Superfish stupidity. I hope they like the future they are creating...

[1] why? see the "tit-for-tat" solution to the iterated prisoner's dilemma

[2] [https://medium.com/@sarahkendzior/the-minimum-wage-worker-
st...](https://medium.com/@sarahkendzior/the-minimum-wage-worker-strikes-back-
fa4c36eb306b)

~~~
TeMPOraL
This text from [2] was one of the most heart-breaking pieces I read recently.
I knew the situation was bad, having a friend who used to work in restaurants
- but the article has really driven the point home for me.

> _When many people start observing that "rule of law" and "meeting of the
> minds" as used by everyday business interactions have become a double-
> standard that will be enforced in only one direction, the rational
> conclusion[1] is to respond with the same lack of trust and respect._

I've been thinking about the names we use in law and economics and I realized
many have become just misleading labels. It's like a variable named
m_iNameCount that points to a global array of instances of Thread class. And
this leads to the common trick of those "collaborators" you described, the
"motte-and-bailey"[0]-like argument. They will defend bad practices by saying,
e.g. "it's value-added; surely adding value is good?", where everyone knows
that value-added doesn't actually _mean_ adding any real value for your
customer.

[0] - [http://slatestarcodex.com/2014/07/07/social-justice-and-
word...](http://slatestarcodex.com/2014/07/07/social-justice-and-words-words-
words/)

------
morphyn
Finally! I've been waiting for this for so long! It seemed so unfair that only
Windows users could get the Ask.com toolbar for free...

~~~
bigdubs
/s?

------
bluedino
My fear would be:

    
    
      brew install java-runtime
      ==> Downloading http://oracle.com/osx/java-osx-8-x86_64.tgz
      ######################################################################## 100.0%
      ==> Downloading http://ask.com/osx/asktoolbar-2.4.tgz

~~~
Zopieux
More like:

    
    
      $ real-pkg-manager install jre-openjdk
      ==> Downloading http://trustedmirror.somerealdistrib.org/openjdk.tgz
      ==> Checking openjdk.tgz signature
      ==> Installing
      ==> Done
    

You just need the right tools and community.

------
0x0
I hope Apple adds it to XProtect and revokes their code signing certificate.

------
moondowner
TL;DR

If the user keeps to the default installer settings and goes next, next,
next... AND in Safari deliberately selects "Install" (not pre-selected) in the
confirmation window, the ask.com toolbar will be installed.

~~~
smhenderson
So similar to Windows and avoidable but still annoying.

I can kind of understand some small software developers out there doing this
stuff to make a few extra dollars but Oracle? It just seems so unnecessary. I
guess they just can't get their head around giving something away for free.

~~~
powertower
Some more information...

 _" When you have a commercial relationship like this, not only are you
dealing with your [own] corporate policies on communication, and revenue
recognition and all that kind of stuff, but you also have a commercial
partnership and agreement that you have to abide by and follow," said Smith
during the call._

 _Smith also defended the practice by saying Oracle had inherited the deal
when it acquired Sun Microsystems, the creator of Java, in 2010. "This is not
a new business, this is not something that Oracle started," Smith said. "This
is a business that Sun initiated a long time ago."

Sun had bundled third-party software with Java since at least 2005, when it
offered a Google toolbar. In the following years, Sun made similar
arrangements with Microsoft and Yahoo, before switching to Ask.com._

 _With Java, it 's true our installer waits 10 minutes before running the
install process, but this to ensure the JRE [Java Runtime Environment] updates
properly without additional strain on a user's computer," an Ask.com
spokeswoman said in an email reply to questions Monday. "This is not intended
to trick users."_

[http://www.computerworld.com/article/2494794/malware-
vulnera...](http://www.computerworld.com/article/2494794/malware-
vulnerabilities/oracle-will-continue-to-bundle--crapware--with-java.html)

~~~
yellowapple
The defense that "hurr durr Sun did it and we just haven't removed it yet"
doesn't apply when you're actively adding it to installers on other platforms.

------
stolsvik
Oracle could have made a fantastic app ecosystem, with a great AppStore
application, given how their vm is installed on very many PCs around the
world. They could have done the 30/70 split and potentially gotten heaps of
money out of it. Sun was even up to it at some point, but it was horrible, the
way that only Sun could make UX horrible. But still, the potential is so
enormous that I cannot fathom how they miss it.

And this Ask-crap is what they do instead, making pretty much every user in
the world hate them. (Not to mention the insanity of how they handled the
security problems they found themselves in right after acquiring Sun and Java)

------
logn
Desktop Java apps should just bundle a JRE.

Launch4j: [http://launch4j.sourceforge.net/](http://launch4j.sourceforge.net/)

Legality:
[http://www.oracle.com/technetwork/java/javase/readme-142177....](http://www.oracle.com/technetwork/java/javase/readme-142177.html#redistribution)

~~~
sp332
At the rate Java has been fixing exploitable vulnerabilities lately, I would
rather have just one copy to keep up-to-date. I know that's not a very Mac-
like attitude though.

~~~
vbezhenar
Almost all exploitable vulnerabilities are related to the browser plugin.
There's no danger of keeping outdated JRE inside some application.

~~~
JoachimSchipper
Unless you need Java Secure Sockets Extension to work - see smacktls.com.

------
muraiki
The bigger context is this: jamf makes software to help manage fleets of Macs,
by providing abilities such as deploying a package to a group of Macs. It's
quite good and IIRC Apple uses it for configuration management. If a vendor
gives you a normal package, as Java once was, it was fairly easy to deploy.

Contrast deploying the JRE with a simple package vs deploying it on Windows,
which usually required an ever-evolving set of hacks to extract MSIs from the
installer and install it in an automated fashion without installing bloatware,
having it sit in the taskbar, auto-updating (which is a no-no in an enterprise
environment), etc.

Now, thanks to this change, people on the Mac side will get to experience all
the joys of deploying the JRE on Windows.

~~~
dubya
For what it's worth, the installer app contains a .pkg for the JRE that you
can install by the normal methods. OTOH, the Flash installer used to contain a
normal package, but no longer does.

------
rjohnk
Crapware in installations must end.I made a desktop PC for my sister with
nothing but Windows 8.1. It only took my sister, an otherwise competent
computer user, 48 hours for her computer to become infested with some web-ad
hijacker and numerous IE toolbars.

~~~
Frozenlock
"an otherwise competent computer user"

"numerous IE toolbars"

IE?

~~~
smhenderson
Internet Explorer...

~~~
drewbug
Yeah, Frozenlock's snarkily trying to imply that "otherwise competent"
computer users don't use IE.

~~~
RaleyField
Technically rjohnk didn't claim his sister used IE, only that IE toolbars were
installed.

------
sauere
How much $ does one make with this kind of crapware-bundling? Like how much
would i get for 1000 toolbar installs?

~~~
saganus
I think the point is not for the user to make money, but the people bundling
the toolbar.

I think ask.com pays whoever bundles their toolbar so it's basically
advertising money, at least it seems like that for me.

~~~
dtparr
Yes, I'm fairly certain that's what the parent meant. If he was running a
company doing the bundling, how much would he get paid if his bundle installed
the toolbar 1000 times, now how much would he as an end user get if he
installed it 1000 times on his own machines.

~~~
saganus
Aha! that makes more sense. I read that as if the user would get money for
using ask.com toolbar.

But yeah, thanks to both of you.

Now that I think about it, I'm not sure if ask.com is willing to bundle their
toolbar with any product. Maybe they select only high-volume products?

------
javajosh
This certainly poisons the Java well a little bit more in general, and desktop
Java in particular. Android and a sea of line-of-business webapps will keep
the Java platform healthy for a very long time, but this kind of thing makes
me shake my head in sadness.

More positively, this is a an _excellent_ data point for both free software
advocates ("look at the abuse closed source enables") and Apple ("do you
really want to foist crapware on your users? just use our awesome native tools
to write apps!")

I imagine that this move infuriates much of the Google Android team (because
it weakens the developer story slightly) and makes them very glad that they
have "Android plan B" with Go.

~~~
mike_hearn
Developers don't install the consumer JRE anyway. They install the JDK which
doesn't do this. I doubt it'd make any difference to Android.

Meanwhile, for apps like Minecraft that want to distribute consumer Java apps,
just bundle the JRE. It's quite easy these days.

~~~
javajosh
You really don't think stuff like this moves the dial _at all_ in a developers
mind when deciding whether to focus on Android or iOS?

------
fecak
There was a similar story relating to Java updates and Ask toolbars in 2013.
There is some history to this.

[http://www.zdnet.com/article/a-close-look-at-how-oracle-
inst...](http://www.zdnet.com/article/a-close-look-at-how-oracle-installs-
deceptive-software-with-java-updates/)

------
krisgenre
Even though I love Java and the ecosystem, this is one time I feel really
embarrassed asking a non tech person to install Java.

Is Oracle really getting substantial money out of this deal?

------
ttflee
FYI, Oracle installs Baidu (Nasdaq BIDU) bloat wares in Java Updater here in
China.

~~~
nmc
On Mac?

~~~
nmc
Why the downvote? I was just checking.

------
josteink
So everyone who said "Windows just has all these problems. Just get a Mac
instead! Nobody creates viruses or crapware for mac"... Guess what you just
did?

Yup. You gave Mac enough market-share for it to be profitable to bundle
crapware there as well. This is probably just the start and more will follow.

Whatever you do, please _don 't_ tell people to install Linux. I like it the
way it is and I don't want any of this shit coming here.

------
foreign-inc
Ironic?

[https://www.techdirt.com/articles/20130115/17343321692/why-a...](https://www.techdirt.com/articles/20130115/17343321692/why-
are-y-combinator-andreessen-horowitz-backing-drive-by-toolbaradware-
installer.shtml)

------
Animats
Search companies now have to pay third parties to get their product out.
Google pays Apple to be on the iPhone. Yahoo pays Mozilla to be on Firefox.
Bing is on Microsoft products because they're the same company. Now Ask is
paying Oracle to push their search.

This is strange. Google, Bing, Ask, Yandex, and Baidu provide very useful
services and put vast resources behind organizing the world's information. Two
decades ago people would have paid serious money for any of those services.
Yet now, search companies resort to expensive or, in this case rather
pathetic, measures to get people to use their product.

Even the social companies (Facebook, Instagram, etc.) don't need to do that.

------
vinceyuan
Will it happen on Mac?
[http://static.spiceworks.com/images/how_to_steps/0000/3886/t...](http://static.spiceworks.com/images/how_to_steps/0000/3886/too_many_toolbars.jpg)

------
Gonzih
As far as I know if you install JDK and not JRE there should not be any
additional adware. At least for now.

~~~
Tunecrew
I installed the JRE and JDK (on diff machines) from the downloadable
installers (not the updater) and neither installed the adware, nor had the
option to.

~~~
pohl
This makes me wonder if they're doing a partial rollout to some small
percentage of users to test the waters.

------
na85
Business as usual for Java, king of bloat.

------
pesnk
This is really f _&_ ed up. They are clearly against the common user that only
wants to use their software. They advocate so much about security but embed a
undesired software with their runtime. I really can't understand.

------
nmc
As some commenters pointed out, the installer is now an APP instead of a PKG.
The original PKG is inside the APP at Contents/Resources/JavaAppletPlugin.pkg
(right click on APP -> Show package contents).

------
roma1n
Whoa... Stay classy, Oracle.

~~~
ianlevesque
Stay classy? They've been doing this to Windows users for ages.

~~~
cnvogel
So they've done their users a favor by providing a consistent experience over
all supported platforms?

I'd really like to listen in to one of the meetings where decisions to do such
kind of blatant platform-abuse is being discussed. Possibly alternatives A/B/C
(you always have to have 3 alternatives, right?) are the Ask-Toolbar, a
bitcoin-miner or adding the end-user-PC to a botnet for DDOS-extortion, so we
can be lucky that they agreed to do "A".

------
Sarkie
Does this still work?

How to disable offers in the control panel.

[https://www.java.com/en/download/faq/disable_offers.xml](https://www.java.com/en/download/faq/disable_offers.xml)

------
MiddleEndian
It's been awhile since I've used OS X, but I don't recall there being any
bundled installers on anything.

Hopefully there will be some backlash; that was one of my favorite parts of
the platform.

------
unabridged
If you are developing products that require Java you are a huge part of the
problem. Learn a new language and start porting.

I am tired of 100% of the blame for these situations going to Oracle and
Adobe, they are just doing what they were designed to do, make money by any
means necessary. The developers who voluntarily learned a language and joined
a community that is controlled by a for-profit company are the only thing
keeping them alive. Every new product they make entices another end user to
install crap on their computer.

------
Friedduck
I worked on a couple of large Oracle projects, and they were probably the
worst vendor I've dealt with in the last decade. They had the potential to
solve really compelling problems, but it was overshadowed by how poor their
products were and the eye-watering costs.

Once you're hooked of course on their financial stack you have little choice
but to remain.

I'm watching with interest the adoption of Workday as a replacement for
Peoplesoft, and wonder aloud if someone will unseat them in their related
product groups.

~~~
nobleach
I have seen this in so many cases. Somehow Oracle convinced people of their
never-ending superiority. I know in 8i and 9i days, we were very happy with
its performance and feature set. That's not to say that SQL Server (or hell,
even DB2 or Sybase) couldn't have given it competition. But when I hear
executive types pushing Oracle these days, I have to ask, "really? REALLY?? do
you even know WHY you're pushing that monstrous heap of garbage?? Does it give
you something you can't get with Postgres? Oh yes... a flatter wallet. Touche.

As far as Workday, I'm intrigued that someone would chosen Adobe Flex as a
platform. (we just converted last year)

------
jstoiko
JRE is the new Flash

------
reberhardt
Obligatory [http://bad.solutions](http://bad.solutions)

------
kevin_thibedeau
I suppose this system could be crashed by automatically installing hundreds of
millions of instances of the Ask toolbar to the point that it is economically
infeasible for them to pay Oracle.

------
cagriaksay
It's mind boggling that they pay as much as $2 per install but can't afford
decent design. I've never seen a good looking toolbar, it's as if they try to
make them ugly.

------
bmoresbest55
This is the number one thing that I uninstall from my computer and friends and
families computers when they accidentally click too fast. These kinds of add-
ons are incredibly annoying.

------
pc2g4d
I don't understand why OpenJDK hasn't been able to supplant Oracle as the
standard Java distribution. That would eliminate reliance on the corporate
whim of Oracle.

------
hellbanner
I knew I clicked "remind me later" for a reason.. what the hell. Did Oracle
run out of money in its lawsuit with Google?

------
alanl
If you download from java.oracle.com as apposed to java.com these nasty
toolbars aren't included.

------
jdalgetty
I installed this yesterday on my father in laws mac and don't remember seeing
the ask thing...

------
craigasketch
Maybe I should go work at ask.com if I could make it suck less this wouldn't
be so bad...

------
t0mas88
Smells a lot like Adobe... Stupid move killing credibility of their software.

------
irascible
Why does Oracle want to kill Java so badly?

Buncha fuckin assholes if you ask me...

------
jkot
Could someone please confirm that original JRE installer downloaded from
www.oracle.com contains this? (I dont have a mac). On Windows you often get
modified installers, if you download from 3td party website.

~~~
JohnTHaller
The official Java updater on Windows includes offers. It usually tries to
install Chrome and will do so unless you unselect it during the upgrade
process.

------
tkinom
Just add "127.0.0.1 ask.com" to /etc/hosts?

While you're in it, add

127.0.0.1 doubleclick.com 127.0.0.1 doubleclick.net

also.

------
kasajian
I think everyone using the Java runtime should install and use the ask.com
toolbar. Why not?

------
ocdtrekkie
Welcome to the club, Apple snobs. :)

------
shylor
Steve jobs would build an uninstaller that ran right after to remove the shit.

~~~
lawnchair_larry
Probably not, he couldn't code.

