Hacker News new | comments | show | ask | jobs | submit login
Y Combinator is funding the future of spam in Windows (istartedsomething.com)
1065 points by longzheng on Jan 15, 2013 | hide | past | web | favorite | 455 comments

I can speak quite a bit about this "industry": We (VLC) receive 1 of those offers per day.

They are liars, shady business, IP violators and are downright dangerous.

They have all those great offers for you, but they refuse to give any details as soon as you ask any question. More than half of them are "the biggest in the world" (sic). They lie about download numbers, about download size, about number of software actually installed and about their connexions. They even lie on the actual payback price.

If you refuse, they build special websites, copying yours, with your IP and trademark and register adwords with your name, in every way possible.

They also resell their solutions/websites to other people, using "Affiliate networks", so that once you take one down, 20 appear. And the guy who you took down had no idea who you were or what the software was...

They also have deals with download.com/softopedia/softonic to change/rewrap your installer, without your agreement, often violating your license; or they give back money to those websites, so they are ranked higher than normal other downloads.

And of course, open source software are never respected.

I believe OP is very polite: There are no good reasons to not shame them publicly.

> They also have deals with download.com/softopedia/softonic to change/rewrap your installer, without your agreement, often violating your license; or they give back money to those websites, so they are ranked higher than normal other downloads.

I can confirm this, it's the reason we stopped having a download altogether even though it offered features that were hard to do without a download.

Using software I wrote as a vector to spread malware is really beyond the pale.

Heck, if it was just downloads I could still somehow steer clear of it but I really hate it when companies like Oracle and Adobe bundle this with their security updates and it is checked on by default[1]!!

Even worse to realize that reputable companies such as Google, Ask and McAfee compensate them for doing it. [2][3]

[1] http://i.imgur.com/3zWPK.jpg

[2] http://i.imgur.com/5mAdH.png

[3] http://i.imgur.com/P9CKl.png

That has to be a new low. Incredible, I never knew it had gotten this bad. I saw the whole download.com debacle as a bunch of jerks taking over a formerly reputable domain, but it looks as if this is now considered legitimate income across the board.

I believe Google Earth's Windows download does the same thing: there is a checkbox to download Chrome as well and set it as the default browser, and it's checked by default. On the download page, not in the installer.

A lot of people these days are bashing Apple and Google for creating walled gardens with their app stores, but this is really the primary reason such walled gardens have taken off. They offer a mostly crapware-free experience.

If Linux on the desktop were to get popular, I'd hate to imagine what might happen to the open source Fedora and Debian/Ubuntu repositories.

If Linux on the desktop were to get popular, I'd hate to imagine what might happen to the open source Fedora and Debian/Ubuntu repositories.

Nothing. In case you haven't been paying attention, Debian repositories were "app stores" before there were app stores. The software goes through extensive vetting and rigorous testing; no, I'm not saying every line of code is inspected, but to claim that a Debian maintainer would just blithely let crapware in is ignorant.

As for the walled gardens of Google and Apple, people are objecting to precisely that: the locked in, tinker-hostile way that the platform (not the app store) is managed. It's great that Google and Apple have finally seen the light and started curating software and making it easy to install, like it's been in Debian for nearly two decades. What's not great is telling people what they are and are not allowed to do with their property by anti-competitively denying the right the to install third party apps.

  ...through extensive vetting and rigorous testing...
I wanted to upvote your comment, but then I almost died laughing when I read that. Most Linux distributions are better about it now than they were many years ago, but I still remember being absolutely floored when RedHat had packaged a Perl module with a syntax error some years ago.

Same goes for Debian; some of the more "fringe packages" (those of upstream projects that haven't been updated in a while) tended to rot (compilation option changes to dependencies that silently broke parts of the program), and packages from upstream projects that changed rapidly tended to have dependency issues.

I'd also like to point out that while Debian may have had "app stores" before anyone else so to speak. The implementation left much to be desired compared to today.

Today a user simply selects an application and it gets installed. There's no prompts about whether I want the 37 additional dependencies, no text-based prompts about the configuration of some obscure package, and certainly the presentation was sorely lacking.

So yes, Debian may have had the concept early on, but as usual, Apple made something only a geek could love into something usable by everyone.

Usually there's a few tiers of packages, with the first tier packages being extensively tested and maintained, and the second tier packages mostly just provided as a convenience. I believe Debian calls the first-tier "main" and the second-tier "contrib" (and Ubuntu calls them "main" and "universe").

I've had breakages in Cygwin's emacs (missing GNUTLS dependency), Fedora's node.js (mismatched version of v8), GCC 4.7 (C++11 ABI regression, widely reported), Fedora 17's sssd (broke network login after upgrade), and perhaps most galling, Fedora 16's cron (which completely failed if you upgraded from 15). That's just in the past year. I don't think any of those packages are particularly niche or stale. I used to think maintainers were making miracles...now I think they're doing just OK.

Yep, I'm aware of that. Although not every Linux distribution makes that distinction and the person to whom I replied certainly didn't leave room for that.

But in the past, even the packages in the "first tier" were often pretty busted. But even for that tier, Linux distributions are not performing "extensive vetting and rigorous testing". They don't generally test beyond relying that other components that use it work as expected, and for many components, those are only as well tested as the tests that are included with the component.

Yes, some distributions do run security analysis tools or other things on the components they integrate, but that still doesn't count as "extensive vetting and rigorous testing".

The main repository is for free software, the non-free repository is for non free software, and the contrib repository is for free softwre that you must agree to some non-free license to actualy use (because they depend on non-free software, they are just installers, or for any other reason). Those are not different tiers of software stability.

Debian has the unstable, testing and stable distros, that move on different speeds and are subject to different amounts of testing.

If you know of any commercial operating systems where those "fringe packages" receive greater testing than they do in debian I would love to hear about them.

Maybe I should have clarified, as some people obviously have forgotten that testing does not indicate the absence of bugs, and vetting is for many things.

I had hoped the addition of "not every line of code" would have made clear that I make no claim that every package in Debian is bug free. But I still insist, Debian extensively tests packages, mostly for compatibility and dependencies, not to mention bug squashing parties. They are also very careful about what's allowed in (due to being license sticklers).

Of course, all of this strays from my main point: the Debian maintainers are highly unlikely to let in crapware, as opposed to some stores that have had viruses. And that's just the stuff they (eventually) got rid of; don't start me on all the officially approved software that tracks users.

As for your opinion of the ease of use, well, you're entitled to it but it doesn't make it true. What's so hard about using apt-get or, if you can't use a keyboard, one of the graphical managers? So it asks you if you really want to install dependencies instead of just filling up your hard drive, and that's a bad thing? Does the Apple or Google way of "managing" packages even track dependencies, or are they still forcing every vender to include their own (possibly filled with security holes) copy of a library with their apps? I haven't had to answer a configuration question for years, and I've never had a dependency issue with Debian. I say this as a daily user of, developer on, and administrator of machines running Debian for the past twelve years.

The LindowsOS app store was user friendly and based on apt/dpkg long before Apple got into the game.

You can install whatever 3rd party software you want on a Mac, side by side with software from the App Store. Note that this article is about PCs, not mobile. You seem to be conflating the two.

I don't see a really big difference between a PC and a phone. Don't see why one should be a walled garden and the other not.

Name Google's PC. The article may be about PCs, but the thread definitely devolved to talking about Android and iOS, and it's already been conceded that iOS doesn't allow third party apps. If I didn't know better, I might think you were trying to steer criticism away from Apple . . .

You mean the chromebook?

Linux would probably do better because few people have any reason to stray outside their distribution's repositories. And these repositories are just as rigorous in their way as the Apple or Google walled gardens; Debian packages have to be signed by the GPG key of a debian maintainer who takes personal responsibility for that package, and whose identify has been verified by having their key signed by another debian member (with a chain that presumably goes all the way back to the original founders). I'm not aware of any cases of a debian maintainer being "struck off", but I'm sure there'll be procedures in place.

You would get plenty of shady sites encouraging you to add another line to /etc/apt/sources.list for cool free screensavers, but it would be a lot more practical than it is in windows to tell people to ignore them and never install anything that doesn't come with the system.

True, this seems like the most balanced solution. Install everything from repos but allow third party repos and stores.

That way you are not tied to one gatekeeper but it is in your interest to get your app into at least one good repo that has a reputation to uphold.

I'm not sure that's a legit fear... Linux on the desktop in 2013 is fairly 'popular' and if it were that simple to infiltrate popular repos with spyware it would have been done years ago.

There are a ton of good people who work to keep those repos clean. Lets not trivialize their contribution by acting like anyone and their mother can make changes to the repo for a popular distro. Sure, a black[/grey] hat can make their own repository, but who in their right mind will use it?

>Linux on the desktop in 2013 is fairly 'popular' and if it were that simple to infiltrate popular repos with spyware it would have been done years ago.

What on earth are you talking about? Linux on the desktop is just above line noise. If hackers don't bother targeting Mac's ~10% desktop share, why would they bother targeting Linux' ~1%?

infiltrating a repo is probably not the hard part, the hard part is getting a linux app that people would want to install.

AFAIK, 0 QC or checking is done on the contents of a repo. additionally, there have been enough times in the past where someone has just straight up rooted the servers that the repo lives on ...

AFAIK, 0 QC or checking is done on the contents of a repo. additionally, there have been enough times in the past where someone has just straight up rooted the servers that the repo lives on

Are you talking about debian/fedora repos? Because if so, that is simply false. Both have heavy QC, and the packages are all signed by the developers keys, and the OS checks those keys.

App stores are just are likely to turn to crap. I've had lots of friends complain that they bought an app, and then an "upgrade" shoved advertisements in.

It's not third-party ads, it's first-party ads, which is slightly better.

Like OP, I have a lot of sympathy for software developers trying to sell in a world full of people who don't think they should pay any dollars for software. They are still gonna pay, just in terms of their privacy and computer security.

I've had that happen, but the ads only show up in that one app. They can't install ads across my whole iPhone like most adware does.

May be the case on iOS but with Android I've had apps that stick extra shortcuts on my homescreen and spam notifications every few hours. This makes battery life and usability a lot worse throughout the phone until you can find and kill the offending app.

If that happens again, use one or more of these apps to find the offender:

Ad Network Detector

Addons Detector

AirPush Detector

With Android 4.1+ (4.0? can't remember) if you long-press on the notification it will tell you which application is responsible for it.

This is similar to saying "what stops a bad guy with a gun is a good guy with a gun". Alternatively, you could regulate, i.e., locking down the platform and sandboxing all third-party apps.

A better alternative would be for google not to publish this shit on their store but still allow useful background notifications and allow third party manual installation.

I want to switch to Android, but I fear needing to have constant vigilance over what I install. Like running a Windows install but forced to use Java as well.

However, it's still preferrable to Apple's draconian policies.

I've been running Android since 2.3, I've not installed a malicious app yet (to my knowledge of course).

If you want, you can install security tools which scan apps prior to being installed, like Lookout, which will alert you to various issues.

Yes there's a lot of spammy apps, but if you're even halfway aware of what you're doing, you'll have to be very unlucky to be caught out by one.

> They offer a mostly crapware-free experience.

You must've forgotten Path fiasco, with its quiet uploading of user's full address book to company's servers, which turned out to be - SUR-PRI-SE - a "standard industry practice". Wall garden sanctuary my ass. Same rotten ethics, except far less visible.

As a result, you're now asked if you want the app you installed to be able to access your address book. Do you somehow feel that exe's on windows are more transparent?

If desktop Linux was widely requested by the general public, PC vendors and download sites would heavily promote custom Linux builds complete with pre-installed crapware, dubious defaults and quite possibly broken upgrade paths and most consumers would never know the difference. They'd probably have their own whored-out repositories too.

But Linux will never be in heavy demand as a brand. No great number of people will ever want to have Linux for the hell of it. The only way Linux could experience an upsurge in popularity would be through a mass increase in consumers' awareness of crapware and similar phenomena. And that could thus only be a small upsurge.

> The only way Linux could experience an upsurge in popularity would be through a mass increase in consumers' awareness

This is definitely not true. The following scenario seems to be quite possible: Due to the various problems of Windows 8, developers massively revolt and most applications are either written to older API's, or use cross-platform environments like C#, Python or Java. This essentially changes the Windows API from a moving target to a stationary target; as a result, Wine catches up -- it reaches near-100% app compatibility, perhaps with the aid of a donation from a philanthropist, Google, or some other player. OEM's recognize the cost savings possible from avoiding the Microsoft tax, and with good software compatibility now possible, they start selling discount models with Linux instead. Microsoft stops issuing new licenses for Windows less than 8 to try to pressure developers to port their stuff to Windows 8 by forcing customers to upgrade. But the move is too little, too late: The customers revolt, and since the alternative is already out of the bottle, people jump ship en masse due to lower prices and Windows 8's shortcomings.

Is this a particularly likely scenario? No. But it seems plausible, and it's not due to crapware, or consumer awareness about anything other than price tags.

Some people would say Ubuntu already went down this path with the automatic installation of Amazon advertising in a pretty intrusive way (imho at least)

Do you use desktop linux?


I'm not sure about Fedora but Debian has a very strict policy for the packages in their repos.


As I understand it, Fedora's packaging policy is more or less the same as Debian's. Free software only (stricter than Ubuntu), though there are some practical differences. They don't like packaging emulators that are primarily useful for non-Free ROMs. It is also my understanding, different than Debian, they don't like packaging software that no longer has a maintaining developer. Also no external kernel modules, no prebuilt libraries, etc.


Open source repos should be ok, assuming that their admins don't start allowing this crap in. They haven't done so far, with the one exception of the Ubuntu amazon thing.

A risk might be drive-by malware that adds stuff to /etc/apt/sources.list though, however to do this you would need drive-by malware that can bust into the root account, or to get the user to enter the admin password.

They've 'taken off' because they are the only game in town. A real test would be to provide such a 'curated' store alongside an open economy. Then that claim would mean something.

There's a big difference between the iOS app store and the Android app store. One is mandatory, the other is a convenient default.

You may be right about the industry as a whole, but I'm betting you're wrong about this particular instance based on what I know about PG and YC.

When I was reading the original TC article, I was thinking that there is actually an incredible opportunity here to create a legitimate ad network that would allow desktop developers to monetize similarly to how it's done on the web - to basically become the DoubleClick of the desktop world.

Why should ad supported desktop apps be any different than ad supported mobile or web apps?

Edit: These downvotes are pretty surprising, I didn't realize I was even being controversial. Can someone explain why creating a legitimate, privacy-respecting ad platform which allows desktop developers to monetize their applications in a manner that's almost exactly the same as ad supported web and mobile apps is that awful?

I'm not even saying that's necessarily what they're up to, I can just see where there's a tremendous opportunity to try and clean up the industry, and how, based on the people involved, the author and the commenter above could very easily be jumping to the wrong conclusions.

Desktop apps with built-in ads are okay. I've used a few here and there. I've also seen shareware model software that has ads that can be turned off by registering. That's fine too. In this case the ads are part of the application. They live within it. Uninstall the app, and the ads are gone. Such ads also tend not to invade users' privacy outside the app. They might send stuff about what you do in the app, but if you don't like it you can uninstall the app.

One of the key words here is "toolbar." It's in the same class as "HIV," "ebola," "herpes simplex virus," etc. Saying you're bundling third-party adware such as toolbars and "browser helpers" and similar is like saying you're purposefully giving someone a disease.

IT professionals managing Windows networks spend god-awful amounts of time removing such junk from Windows PCs. Not only do things like this invade privacy, they often slow down and break peoples' computers.

I don't disagree with your overall point but "toolbar" is not in the same class as "HIV". A little perspective please.

The analogy is apt enough. There's something you want whether it be 100 free wallpapers or a blowjob.

Providing you with such a thing required a certain level of "access" which can be used for evil.

Still no. One thing destroys your life (or significantly alters it), the other installs some crap on your computer. You can always format and reinstall a computer.

I think that difference is a given.

It's humor via hyperbole. Compare to the common hacker usage of "evil".

Maybe it's just me but this needs to be a lot funnier to pull out that sort of metaphor.

As it is it's just slightly bad taste.

"Can someone explain why creating a legitimate, privacy-respecting ad platform which allows desktop developers to monetize their applications in a manner that's almost exactly the same as ad supported web and mobile apps is that awful?"

Tracking IP and even MAC addresses? Hello? Spyware is spyware.

Also: ads are ads. If your product does nothing respectable (as opposed to selling eyeballs to advertisers under false pretenses) that is worth paying for it to anyone, that's bad luck. It doesn't justify deliberately and systematically messing with the rational decision making process of people, and that others are already doing that is no justification either, nor that they have been doing it for so long.

The same level of tracking is done on the web, constantly. And you don't need to give any sort of permission for it. What is different is gaining root/Administrator access on the machine in order to ensure the tracking is done vs a client side browser script asking if it can run. And then using that access to install a rootkit or mess with the registry to ensure tracking software starts on reboot, etc. That is what is annoying.

Because your browser is incredibly carefully sandboxed, and your desktop is not.

Worse yet, even the low level of sandboxing that desktops posses are almost always defeated by installers: "This installer requires administrator privileges to run"

... aka. yes, you will take our spyware-crapware-rubbish, and you'll love it, or you wont use our app. Capish?

You don't get that with websites. That's why it's ok.

(Incidentally, this is the same reason why its not ok on mobile platforms, where your options of permission are to read your contacts and make phone calls and 'services that cost money' or no, you can't play this game of Cat Pong your friends are talking about...)

They advertise that they convert 60-85% of their installs. When that percentage of users installs crapware they're clearly being tricked into it. So it doesn't look like this is a trustworthy company at all.

Goto their site: http://www.installmonetizer.com/AT_advertisers.php and checkout their advertising partners. Babylon and JackpotRewards are hardly the kind of "advertisers" to get excited about. Babylon has several toolbar partnerships (I have worked on these) and I can imagine how their partnership with Install Monetizer will just lead to another toolbar offer being presented to the users during install time.

Here, you are coming off as a sycophant who is blindly supporting PG and YC without checking your facts which could be the reason for your downvotes.

i agree - i wouldn't mind a text ad next to my unarchiving tool (which i don't use all that often so as to not justify payuing for one). But they need to be unobtrusive like google's text ads.

But therein lies the problem: a tool that you don't use often (hence a low number of ad impressions), and an unobtrusive ad that you might not even see, let alone click. That's unlikely to earn enough money to be worth it. The developer either has to drop the advertising revenue model and try another, or crank the ad model to questionable ethics. Sadly, some developers opt to do the latter.

You can downvote people? how?

You need 500+ karma. After that, a downvote arrow appears right under the upvote arrow.

Exactly this. I'm often advising people to install VLC when they are having problems with Windows Media Player, but whenever I tell them to google for it on their own they end up with some toolbar infested crap.

So now I specifically instruct them to go to videolan.org.

Googling for "vlc", "vlc download", or "vlc player", the top 3-4 results are all to videolan.org.

Ads may distort this for some users, though...

Maybe because I spent almost 3 hours per week to clean it.

Wow. That really sucks man. I hope something changes where you don't have to do this forever.

I told my Dad's wife to download VLC and she ended up with the crapware version too. I didn't even realize they existed until then. I was shocked =(

You have my sympathies.

Thanks :)

What do you do, what proportion of your time is advancing yours or flagging them?

Sorry, I cannot answer to that publicly. Mail me.

I understand that some details should be kept secret, but it would be nice to read a blog post about this.

Do you know if the Intel App-Up site is legit or do they also bundle the crapware installers?


It's the first thing I see for "VLC" when I turned off Ad Block.

Completely free, no adware, no spyware and full source is provided. This is rare :)

Probably the ads. For a while, Google helped made this even worse by paying companies like Dell to set the default search on new PCs to specially-customised version of Google with far more prominent ads that were less clearly distinguished from normal search results.

Wow. Source?

Dell has been installing crap since at least 2006/07. Thats when I started wondering why all new PCs at a certain company where all infected just few days after purchase. Then I realized this thing (myway?) was being installed by default.

I really didn't think it was ever a Google product though. Correct me if I'm wrong.

Yes unfortunately unless you have adbock installed the "first" results in a google search for "vlc" are typical for the (adware, spammy) sites.

In a clean, private window of safari, I'm seeing 4 videolan results before cnet and others of varying levels of crapitude.

He mentions "adblock", if I google for "vlc" I get an advert for a adware version of VLC above the videolan.org ones.

videolan.org has a pretty confusing name. I bet if it was vlcplayer.com it would get better downloads.

For the same reasons mozilla.org is not firefoxbrowser.com

perhaps not the best example, since the Mozilla Foundation (mozilla.org) runs the Firefox promotions to getfirefox.com.

On your Google, with your results, with your search history and thus in your specific filter bubble.

Fuck, people, don't you get this already? There is no n-th result on Google. Don't act like there is.

yes, this didn't always used to be the case though.

Hopefully some google algo tweaks are working to help.

True now, but it wasn't true a year ago when I installed Windows 7.

This just happened to my friend yesterday when I told him to install VLC. I think he may have clicked an ad instead of the first search result. I saw three pages for different add-ons and toolbars with several pre-checked checkboxes apiece. After unchecking and clicking through it just exited (hopefully) and launched the VLC install program.

After reading some comments and noticing that you're one of the VLC lead developers (awesome software, by the way!), I am wondering if you have a way to make VLC notify its users at the first launch (after install) and tell them something like

"You have installed VLC, it should have come without any additional software such as tool bars or file compressors. If this was not your case, you probably installed it from a third party that arbitrarily and without our consent added external programs. We recommend you to install VLC from videolan.org, etc."

That way, casual users will at least be aware of the external installs problem.

The type of person who would read that disclaimer is the type of person who wouldn't have downloaded from the wrong site in the first place.

VLC is open source. It would be trivial for a rebundler to remove that warning. If they are violating the license already, there seems to be no impediment to changing the code for personal gain.

VLC for Windows is hard to compile to be honest. But binary patching is doable, indeed.

Yeah, it usually is trivially easy. If I were to do it, first thing I'd do is to look for the string in executable and patch it by hand with a hex editor.

What's the legality of distributing a binary-patched app covered by the GPL? Something makes me think it's questionable.

The really sad part of malware that is tied to freeware or shareware is that the whole thing is a self-inflicted downward spiral. The software authors will tell you they need that malware money because nobody pays for shareware anymore. You know why I stopped downloading and buying shareware years ago? Malware.

And the really unfortunate thing is that a few big bad apples can and did ruin it for everyone else. I don't have time to figure out who is going to install shit on my system vs who isn't, so I just assume everything is bad and avoid it all, with the exception of a handful of known-good products (like VLC) from known-good sources (the author's own websites).

The end result is an ecosystem in which new useful tools (even ones that aren't malware peddlers) now have a near-impossible time creating a critical mass of users, so any money to be made in that market can only come from these terrible spammy practices, which is just sad.

This is why the Mac Gatekeeper is an awesome idea. Unfortunately they fucked up the implementation. Also they are the only CA so they can control who signs apps or not.

And this is not new, I've written an article on the exact same topic a year and a half ago about VLC:


> They also have deals with download.com/softopedia/softonic

The problem here is that those sites still rank very high in search results.

Why is it that they've lasted as long as they have? They offer so little to the end-user.

Please please please create auto-subtitles functionality for VLC on the Mac. I switched from Windows recently and there's nothing compared to Media Player Classic for easy subtitles. Thanks thanks thanks.

What do you mean?

On Media Player Classic you can easily download subtitles for whatever movie you're watching by going to File>Subtitle Database>Download. It will search a DB online somewhere then let you choose and automatically load them into the player. This is something I've not found on any video players available on the Mac. It would be an awesome if it was coded into VLC.


OK, for next major!

I used to work for an Affiliate Network. I can confirm the only thing that was cared about was the bottom line.

Thank you for not caving into their offers.

Also, good luck with your Windows 8 project!

But how do you really feel? ;)

"They are liars, shady business, IP violators and are downright dangerous."

This is completely prejudice! You've never met Install Monetizer, and don't know if they participate in the same activities as the companies that you're referring to.

"I believe OP is very polite: There are no good reasons to not shame them publicly."

This is childish, and I'd expect better from any contributing member of VLC.

Please read: > I can speak quite a bit about this "industry"

I never mentionned IM.

Also, see the comment from patio11 http://news.ycombinator.com/item?id=5060399

I'd give him some lenience...for anyone who distributes desktop software via the web, there is a continuous battle against fake or wrapped distributions.

So when earlier it was mentioned, I assumed "They have to have a different angle on this; they're a YC company." And seeing a strong thread title and no evidence for it other than "The industry they're in is ridiculously seedy", I thought maybe HN was in rush to judgement mode.

So I thought I'd try, you know, installing something.

Make your own call:


I took a look at your image and started a search for Babylon Browser. Autofill added stuff like "hijack" and "took over my browser".

Sounds like very bad news:


I can confirm that it is tenacious.

I don't know how since I always check for crapware, but I ended up with babylon having taken over my firefox browser. I removed it, but - just checking - oh look, there it is again.

Luckily, chrome is my go-to browser, (which explains why I haven't tried more brutal removals), but it is definitely not as simple as uninstalling.

It seems to be worse than I thought. http://support.mozilla.org/en-US/questions/938607

Jeez, I'm surprised that the people who created this filth aren't in prison. It's one TINY step away from botnet territory, which actually lands people in prison.

Botnets don't usually include a low-prominence opt-out link / checkbox / something that might not look quite like a button. Maybe they'd walk free if they did...

That is really interesting. What are the legal implications of using a computer in a botnet if the owner of that computer agrees to a EULA, I wonder?

Edit: I should say, "agrees" to it (unknowingly).

Folding@Home seems to do alright. As does Bitcoin.

Looks like even clicking on "Decline" does still made you prone to tracking from them. The excuse given in the answer is also pretty poor: http://i.imgur.com/FpjFp.png (permalink: http://www.mywot.com/en/scorecard/installmonetizer.com/comme...)

Wow! Defaulting the easy revert option to unchecked is the perfect kicker. It's like a cartoon villain curling his mustache.

The wording on that choice is incredible too.

Comment in elaboration, somewhat delayed because (all evidence to the contrary) I do sleep sometimes:

Some folks mentioned that this could be misleading, so to clarify: my research methodology, to the extent it can be called that, was a) open up the IM website, b) take a look at their advertiser partner wall (they don't have a developer partner wall, so I wasn't able to view the end-user experience directly), c) Google the first name that popped out: [babylon translation software], d) clicked the first link and downloaded, e) clicked past the first screen, which let me override my system default of Japanese such that y'all would be able to read the rest of the installer, where industry experience suggested to me that the action would be.

Sorry if I gave folks the impression that this was the InstallMonetizer application -- the impression I was trying to leave was "This is the core line of business for one of their marquis advertisers."

It is terrifying that it is this easy to get an intelligent and well-versed member of our community to download and execute a relatively-unknown binary, just to "see what it does".

I should probably start doing more of that other kind of hacking.

It makes me a little sad when I remember what pg aways say to startups. Make something users love.

Not this time, though...

The users aren't the people installing the software. The users are the clowns writing the software that is so horrible it needs to pay for installs.

And those users will love this new attack vector backed by some of the most respected folk in Silicon Valley.

It looks like Install Monetizer was previously known (or is also known?) as Optilly.



Maybe they "pivoted" from a clever take on ad campaign management to toolbars as a way to increase revenues?

It's funny that you mention Babylon - I've talked to one of the devs who was in the core of developing their "toolbar" and it is essentially malware which hooks anything and everything possible in Windows and tries its best not to give up when being uninstalled.

Things like it and Conduit (another toolbar/malware company) are probably the biggest "botnets" out there, all "legal".

My favourite part is how, by default, it won't even save your old settings for un-installation. Nice.

"They have to have a different angle on this; they're a YC company."

Why do you think they would have a different angle if they are a YC company?

I don't think there's an implication that a YC company would be more moral, just that they'd be doing something a little more interesting or subtle than the same old crap sleaze balls have been pulling for years now.

It's like finding that someone has got through the YC selection process based on a business model which involves putting "sex, horny, porn" in the title of each page on their website.

That rings kind of hollow after Blecharczyk ("among the nicest of all the people we've funded") was outed as an unrepentant habitual spammer. YC is demonstrably not immune to scumbags, which is not to say that other angels and VCs do better.

(For those who'd have to look it up: this refers to AirBnb.)

From PG's article:

"Microsoft isn't so benevolent now. Now when one thinks of what Microsoft does to users, all the verbs that come to mind begin with F."

This is why it's easy to cast YC's funding of a crapware company as a deliberate choice.

Presumably it's hard to get into YC without a "different angle".

"Its about the team, not the idea".

So this is potentially a little misleading. Is the screen shot of the installer actually a screenshot of InstallMonetizer in action, or is it just an existing / previous installer created by one of their clients (but not using InstallMonetizer).

I'm not a fan regardless, but I just wanted to make sure we're getting the right picture here. I came away from your comment believing this was a screen from their (InstallMonetizer's) actual installer, and I think everyone else did too. However, after reading pg's comment below, I'm no longer so sure that is the case.

Can you please clarify?

The installer screenshot seems to be for the software at http://www.babylon.com/. I think Patrick's point was that InstallMonetizer is promoting some scuzzy companies.

Great file name.

But yeah, these people really chose to do evil, in a shady business. Why? Why not start the next scientology, that would make them more money.

The sad fact is that pretty much every aspect of monetizing and advertising websites is seedy. Unless you're directly selling a product, the road to profitability is full of moral compromises.

There's isn't even a cancel button! Hopefully at least the top right X cancels the installation rather than just respawning the popup and requiring manual killing from task manager.

It pops a modal dialog saying that if you cancel the software won't get to be installed. I don't have a screenshot handy, but I get the feeling it was worded a bit verbosely to prevent people from guessing the correct of the two buttons to actually stop the install. If you pick the right button, your default browser gets force-directed to a page on their site to either a) re-start the download and install process or b) send a message to their CS team so that they can assist you with installing it. (I've got to admit, that is crafty, since you can presumably do the entire thing automatically.)

No, and notice the small "Skip all offers" text just below the checkboxes, it's kind of hidden between everything and difficult to see. It took me a while to figure that one out, average users have no chance!

My parents have fallen for this sort of thing within days of getting a new computer. It's so hard to get rid of and it made them feel like they were downloading viruses when they were really downloading legitimate software. It's a shame you've ended up having to do stuff like this when you are performing what should be, totally secure installs.

Babylon is the worst of the worst malware. I've never battled tooth and nail to get such supervirus crapware off my computer in my life.

Seriously, stay away!

The original Babylon Translator, with the One Click Translation of words in the screen was a very nice and useful product. It's a pity that they pivoted to the toolbar crapware thing.

Probably were no longer making any money when people could translate (safely) all from within Google Chrome!

Y Combinator also funded our solution to crapware.


Basically we automate multiple installers and decline toolbars just like you would.

Users range from the nontechnical to NASA. We even have a huge blind user base because these installers are frequently hell to navigate with a screenreader.

We make money selling a Pro version with extra features to businesses and school IT departments. It works well and aligns us nicely with our users' interests.

I'm very surprised to learn that ninite is YC funded. Thanks for a great product. And I say this on behalf of many less-technical friends, as well.

So YC is like the crack dealer who also runs his own rehab clinic. Pretty smart.

That would be more like selling crapware removal apps, which is already a common scam.

Ninite is more like pasteurization.

Ninite is great and has saved me time in the past. What exactly does this have to do with the article? Are you implying that since Y Combinator funded non-junk applications that it's okay to now fund junk applications?

I needed to post this here because we solve the problem in the article.

The problem is deceptive software. That we're funded by YC (or that InstallMonetizer is) is a red herring. But it sure does get some clicks!

On a perfect version of HN the top comments would be about solving the problems in posts, not elaborating on them.

Not to dump on HN though. This is a bug in human nature.

Glad to hear you like Ninite and that we saved you time, thanks for using it!

You're acting like Ninite can be used to install and remove any crapware from any installation under the sun. In reality Ninite only works with a select handful of applications. In other words, Ninite does not solve the problem that companies like InstallMonetizer create.

Except that, for most users, ninite provides (or, their goal is to provide) the installers necessary for the main pieces of software that cause these problems in the first place.

I think he was saying it was kind of a humorous contrast with YC essentially funding companies that compete in a way. The nerdy conclusion of this discussion would lead to a battle of the two platforms, one trying to install spam-ware and the other trying to prevent it...

Heh, maybe someone should apply to YC with a traffic sniffer/intercept/password cracker system so we have someone to battle, too :)

and both making MILLIONS! It's like some shadowy movie villian / arms dealer guy with a conspiracy to sell weapons to both sides!

Or like the Government of United States, which supplies arms to both the Government and the Rebels.

In places like Afghanistan, we actually put our own troops there, pay for PMCs and local national forces, and fund the enemy (Taliban, not AQ) via our supply contracts. That's even worse than just selling guns to everyone; we pay them both and then also sell them guns.

Its almost like there is a different motive than defeating the "enemy"...

"Constructive" =) http://xkcd.com/810/

It's nice move to fund both junk and solution for the junk... Some people say that antivirus software companies are the ones that make viruses, you know...

I'm one of those blind users who absolutely love Ninite. Have you ever considered managing the postinstall, too? I envisioned something which would monitor the %appdata% path where any user-specific data goes, as well as maybe the registry. Any changes get synced back to my shiny new Ninite account to be incorporated into the next install. Clearly this would take a bit of work, but since you're already imposing a selection process on your apps, and a majority of them are already well-behaved in terms of how they manage their data, it doesn't seem impractical. Ninite is generally the first thing that I run on a new Windows install. Pulling in my data feels like a natural part of this, and if you could get some kind of reasonable implementation worked out -- a background service syncing %appdata% regularly, a simple merge model which simply picks a winner instead of trying to reconcile the changes, etc, at first blush it seems quite workable.

Glad to hear you like it. We think about configuration stuff like this from time to time, but I'm pretty sure getting all the details right would take years. So we haven't made the leap yet.

Just wanted to add my thanks for a great product. We are a pro license holder where I work, I believe.

Not sure if this was your point, but I assume that you are using a lot of MSI and Windows API hooks, in which case this is a great example of the flexibility and integration options of Windows being leveraged for the good, as opposed to the crapware blight, which must be as frustrating for Microsoft as it is for us.

Good point. The relative openness of win32 allows junkware but gives us enough slack to fight it too.

It does make for a noisier and more confusing ecosystem though. My mom's still better off using an iPad.

Thanks for using Ninite Pro!

So basically, they're funding the problem AND the solution. Pretty nifty business-wise, if not very ethical :)

Perhaps they wanted to learn more about the problem after funding the solution.

It took me a double-read to understand you meant "...funded our solution (to [crapware] junk like this): ninite.com"

Upon first reading, it sounded like "to junk like ninite"

Great stuff!

Thanks! Edited (hopefully) for clarity.

Does your proggy pull installers off your own site or those of the actual publishers? If it's former, it might've been nice if you put every .exe through a multi-engine virus scanner (like VirusTotal).

Apps are downloaded from the publishers. We validate files with SHA-1 hashes and digital signatures (where available) before using them.

Wow, thanks for the link to the great product!

So even on a platform that's opened up to applications, the threat of crapware can create a business case for a curated third-party app store :-)

Wow, I didn't realize ninite was YC. Awesome.

The things I want:

Let me install an older version of uTorrent.

Let me install Steam in another location, not default.

Current ninite installs all I need except those two.

Thanks for the clarification. My natural reaction after reading the post was to get worried what Ninite does, which I regularly use.

Could you please elaborate how exactly do you automate the installers? Do you modify the applications being installed?

We don't modify the apps. We run the installers in a hidden window and simulate the clicks to install them without toolbars.

Thanks for using Ninite!

Do you guys have an OSX version in the works?

We're investigating. It will take at least a couple days, because we'll need to meet with the founders in person.

FWIW, the install window Patrick overlaid on top of InstallMonetizer's site in that screenshot is not actually InstallMonetizer.

But the Babylon installer is from one of IM's advertizers, so it is possibly indicative of the types of pages that IM inserts in other installers. If nothing else, the poor reputation of Babylon is indicative of the types of software that IM wants to co-install.

In the end, we don't have much information about what IM adds to installers--I suppose they don't want it too well known. We'd need to find an app that uses their installer to get a screenshot of it. Their website does give us some clues: one image shows an offer that is made to look like a license agreement, thus duping people into clicking Agree. Another clue is how they repeat that they "manage all optimization and conversion to ensure highest earnings," which I take to mean their wording and choices are designed to trick people into installing items they didn't ask for.

PS: installmonetizer.com website is down for now

It is back up as of now: http://installmonetizer.com/

This is an important point, something that wasn't completely apparent from patio's screenshot. Babylon is a client of InstallMonetizer. Of course, if they were involved in creating that installer, then I'd say they are partially responsible.

Thanks for at least acknowledging the concerns raised here. That's all we can reasonably expect a responsible investor to say/do at this point.

FWIW, I pulled a shot of Babylon being offered through InstallMonetizer and it's almost identical. Sorry, but Patrick wins this round :)


In the screenshot of Patrick, Norton appears as another of the clients of InstallMonetizer.

Norton is well known to have a preinstalled version in new computers that it's almost impossible to uninstall. I don't have a screenshot, but there is one in these articles: http://www.zdnet.com/blog/bott/can-microsoft-cure-pc-makers-... http://hothardware.com/printarticle.aspx?articleid=1731

(Perhaps the version that they install trough InstallMonetizer is more user friendly, but I'm at least a little afraid to try it.)


I believe he means that he needs to discuss this issue in person and will need a physical meeting, not that he invested without meeting them.

Ah crap, parse error, missed "with".

Either way, strikes me as a dubious and reputationally dangerous model for YCombinator to get involved with.

YC funds enough founders now, with few enough partners, that it's entirely possible for someone to be doing something sneaky and YC wouldn't catch on right away.

Initially, YC just has the business model / product description statement from the founders, a video (do they still do that?), an MVP if one exists, and maybe a meeting with the founders.

The only way this could really negatively reflect on YC's integrity -- if that's up to us to judge anyway -- is if the accusations turn out to be true and YC either chooses not to investigate or chooses not to counsel the founders against doing something like this. (Remember, YC does not have a controlling interest in the teams.)

Since pg has said they're checking in to it, I don't think "YC is turning evil" is a reasonable narrative here.

Indeed - didn't say they were turning evil, just playing with fire!

The crapware situation on Windows is horrible. I'm a Mac/Linux user but from time to time I have to power up my Windows VM.

A few days ago I wanted to install the Partition Magic trial on my Win XP VM. Having left Windows around 2005 I figured that typing "Partition Magic Win XP download" in Google would be helpful.

I got a handful of "reputable" download sources like CNet and the like. I went there and was bombarded by 20 (dramatization) different download buttons. I clicked the one that seemed most promising and somehow ended with a new Zip-Archiver installed ...

So I went back and found the Partition Magic installer. It was an installer with 'added value' that asked me three times to install some toolbar crap. I ended up with one of those toolbars installed because unchecking the box and clicking on 'next' obviously is not enough. You have to click the decline button instead of next.

Now I would consider myself computer literate and yet still I didn't manage to install a simple utility without littering my system with crapware. I can only imagine what hell the internet must be like to inexperienced (read: normal people) Windows users.

Yeah, I share the same experience: I'm mostly a linux user who had to setup a windows machine not long ago.

Even when installing legit software from what appeared to be legit sources I had to be very careful at every step in order to avoid all the spyware/toolbars/dubious extensions bundled with the installers.

The worst offender was some crapware installer that wanted you to check the components you didn't wan't installed. I almost got tricked. Next thing I'm sure they'll ask you "Are you not sure you don't want those components not installed?" [Yes] [Ok].

I may be wrong but I believe even the official Oracle Java updater asks to install some toolbar (Ask or yahoo I think? Or maybe just set the homepage? I forgot). Good thing I don't think very highly of Oracle or I might have been disappointed.

Edit: I remembered correctly: https://forums.oracle.com/forums/thread.jspa?messageID=10723...

I recall that the java yahoo toolbar has been there since Sun.

When I was mainly just a Java developer I always found that kind of embarrassing.

Agreed, a lot of the reasons that non technical users dislike Windows seem to be the result of these. It really takes control out of the users hands.

We can see the origins of this becoming a problem on Ubuntu with Canonical adding stuff like the Amazon search and seemingly having no issue with bundleware as a means of monetisation.

On the other hand I'm surprised this isn't more of an issue on the Mac, since Mac (especially older versions) will allow installation of software from random sources which could include bundleware.

Is there something about OS X that makes bundleware more difficult to develop or is it just easier to monetise an OS X app without bundleware?

I can see the future of apt-get on Ubuntu now...

    $ sudo apt-get install emacs
    After this operation, 86.3 MB of additional disk
    space will be used and AVG Toolbar Pro! GOLD EDITION
    will be installed to Chromium
    Do you want to continue [Y/n]?

If that happens, all someone needs to do is repackage Debian's version of aptitude for Ubuntu.

Or an older version from Ubuntu.

Really, this is a non-issue on Linux, because either 1) someone will just "fix" it an release their alternative, or 2) everyone will just stop using the offender.

You could've said the same thing about e.g. download.com. Turns out there's such a thing as momentum.

Depends on what type of software you are talking about. For copyright protected proprietary software (which Canonical want people to develop for their OS) there may be legal protections which prevent it from being rebundled outside of torrent sites (which have their own risks).

#2 assumes a savvy enough userbase.

Legal protections against rebundling aptitude? Something released under the GPL? Which means everyone has all of the ability to easily change the sucker.

If you're packaging something as a deb, you can potentially bundle other things, but at the same time, because a deb is a glorified tar.gz, someone can just provide information on how to get rid of the offending thing.

Or, if you're using Arch, the AUR maintainer just adjusts the PKGBUILD to do it for you.

It's not particularly hard.

And sure, having people install a different package manager requires a savvy enough userbase, to an extent. If they can copy and paste a couple commands into the terminal, they can change it (wget [somefile] && dpkg -i [somefile]). How hard.

I don't mean aptitude itself.

I mean , if you are bundling your own software for Ubuntu you get to distribute it however you like. If somebody else decides to redistribute it minus the crapware then you can potentially sue them.

So you can say "the only legal way to get my software is to download this file which is bundled with InstallMonetizerForUbuntu".

Whether it is bundled as a .tar.gz or a .deb and whether it comes from a random website or the Ubuntu software store is largely irrelevant to this point.

Sure, people will create programs and instructions on how to get the crapware off your system but this is basically the same state as now exists for Windows with various "cleaner" programs, some of which install even more shit.

I've said nothing about distribution. Only packaging. And specifically giving people instructions on how to do it themselves. Which isn't illegal. Nor is it particularly endorsing something illegal.

> So you can say "the only legal way to get my software is to download this file which is bundled with InstallMonetizerForUbuntu".

But, once I have that downloaded, I don't have to go straight to installation. I can remove files and change the install script. Sure, you can give me a binary file, but the only binary files I've ever received are after I've paid for something, and I've never found paid software bundled with crapware, even on Windows.

I can still write a script that would get rid of the bundled things provided you already have the packaged file, and distribute that script to anyone who wants it.

And while yes, people will create decrapifyers, I'm talking about preventative measures (modifying the installer).

Well sure, expert users can certainly reverse engineer installer scripts and some intermediate users might be diligent enough to go doing research before they install each program.

Not a solution that scales very well though, if it did we wouldn't have the problem we do on Windows at the moment.

Oh Zeus, no! One of the reasons I love Linux is the fact that I get to control what gets installed and how. Don't give people such ideas. Given how Ubuntu now is going to be full of ads and the like.

> Do you want to continue [Y/n]

"Yes" & "No, I do not not want to install this"?

IMO, some of it is due to http://en.wikipedia.org/wiki/Broken_windows_theory. One developer starts with an advert, somebody else has two, a third developer gets paid to sneak in some toolbar, the first notices "hey, I can make money that way, too", and the ball gets rolling.

Now, the question is why this has not happened for Mac Software, at least not on that scale. Gruber (2004) claims it is due to zero tolerance (http://daringfireball.net/2004/06/broken_windows).

I think that is partly true, and it sort-of started with the original PC. Installing a DOS program such as Lotus123 was a nightmare, where people had to answer such question as "number of lines on a page" and "how does your printer do bold" to configure a printer. Installing hardware, similarly, was a nightmare (what IRQ should we use? Do you have extended or expanded memory? etc).

Interesting analogy, it's certainly true that there is some sense of "community" for both Linux and Mac users in that people will generally choose these platforms because they have certain beliefs about how things should work and won't tolerate things that fall outside of this.

Windows on the other hand has no community and is kind of an multi-cultural wasteland where everything goes thus will tolerate more BS.

Not sure I agree with Gruber's conclusion though, if Mac had a large uptake in market share then that community would become diluted.

As it stands the random Grandma that uses a Mac without understanding computers gets a sort of herd immunity because there is a larger percentage of more nerdy and vocal users who won't tolerate BS.

If grandmas become the overwhelming majority of Mac users they lose some of that because the crapware vendors know that grandma is very unlikely to read the blogposts condemning their software.

It's low market penetration which explains the difference between OSX and Linux on the one hand and Windows on the other.

The iOS and Android app stores are full of crapware. Yes, that crapware does not have all the features of it's counterpart in the Windows ecosystem. Yet, much of it provides little value or functionality and even functional applications collect vast amounts of data not necessary for that functionality.

There is now a modest obstacle -- Apple's walled-garden app store approach. The default settings of the very latest OS won't allow a novice user to run a crapware installer, and Apple's app store won't feature them (unless the harried reviewer glances away from his monitor to drink some water or something).

HOWEVER, Mac OS X has never had this problem, and before the app store there was nothing inherently harder about writing crapware that bundles whatever creepy garbage could be monetized.

So actually I really wonder why OS X and Linux never had this problem (to any major extent). Is it merely the awesomeness of single-digit market share? In that case, Ubuntu's safe but Apple better start worrying about it.

Personally I suspect it's more complicated than that, but my ideas are half-baked.

A lot of OS X apps are installed by dragging the app to /Applications, no installer involved, it may be one of the reasons.

Not familiar with the OSX installation procedure, but I assume that dragging the app into the folder runs some installer script? Are there perhaps restrictions on what can be done via these scripts that would require 2 distinct actions to install say a browser toolbar and application?

Most OS X applications are usually a folder that behaves like an executable (has a custom icon, will run the app when you double click on it). So no, it's not running an installer script, it's just copying a folder, and the app runs with just what's in the folder, no install process needed.

For things that require changing system components, other apps etc. there is a normal install wizard.

The cool thing about Mac applications is they are self contained. Very rarely do you see an actual installer. Uninstallation is usually just deleting the application from the Applications folder.

I wish other operating systems did it that way. It's very convenient.

The problem is it leads apps to include their own copies of libraries - which then get out of date and have bugs. I remember when a vulnerability was found in zlib and just to update all of apple's first-party programs with the fix required something like 2.6gb of updates. I wouldn't be at all surprised if there were still some more obscure third party mac programs shipping the old, vulnerable version.

Well the alternative (dynamic loaded libraries) have their issues as well. After "DLL hell" and various issues on Linux in the past, I'm not convinced one side is fundamentally better than the other. 3 gig is nothing these days.

It isn't. Since every library the application needs is inside the bundle, you load multiple versions of the same lib on memory. Also counting the installer, the bundle and Brew or MacPorts you have a tons of way to install an app.

Not every. The ones that are distributed with the OS X base install usually are dynamically linked against.

My current project I'm working on links against the standard Cocoa frameworks, zlib, Core Audio, Audio Unit framework and the Accelerate framework. Yet the Frameworks directory in the app bundle is empty.

Well, if I'm not mistaken, Windows linking usually involves re-calculating offsets in the library code, so several versions of libraries are kept in Windows too. The only thing that is theoretically saved is disk space.

How often do you really have multiple third-party apps using multiple copies of the same third-party framework? How many third-party frameworks maintain binary compatibility between versions so that apps linked against different versions could still share a single installation of it?

MS-DOS did it, but on those days things were a lot simpler.

No, no setup scripts are run, you are just copying a folder inside /Applications. All setup an application needs (typically creating configuration folders and associating mimetypes) should be done the first time the application is launched.

Dragging an app into /Applications does just that: it copies a directory (hidden with an .app extension) that contains resources and executable. No script.

Some apps however come with an installer, but that's for apps that do more (e.g. need to install drivers, etc.). However, it's Apple's own installer which I think is provided by Xcode. So, no way to mess with it and install crappy things.

You can run arbitrary scripts in the installer, so you can install anything you want.

You can even (if you are iTunes 2.0, or a hater) delete the user's entire home directory!

Nope, no installer script. If a program needs installer script (to install drivers etc.), you get a package installer (like on Windows), however, they are rather rare and I've never seen any crapware in those so far.

No, it's just copying the bundle.

> Is there something about OS X that makes bundleware more difficult to develop or is it just easier to monetise an OS X app without bundleware?

MacOS apps very rarely have an installer, so there's little opportunity to install this sort of thing.

Installers are (rightfully) rare on OS X, but that doesn't preclude installing any random crapware you want. Your app can do it on first launch (or hey, tenth launch to make it less visible). Lots of apps have a first-launch screen where they confirm some options and maybe even ask for an admin password for housekeeping.

Hmm, Monetizer.framework?

Users are trained to just accept whatever in installers, however, while popups on first launch demanding admin passwords will often be treated with a little more suspicion.

Yes, I changed my UAC settings under Windows to require the admin password before sudoing (or whatever MS calls it).

It was just too easy to me even as a relatively experienced user to knee-jerk click the "Allow" button.

OS X applications are usually distributed as disk images (.dmg) containing the app itself, a symlink to /Applications for easily copying the app there, and maybe supporting files. Installers are unusual, except for huge software packages like Office or odd things like preference panes, which are not as easy to get to the right place.

I presume that people using Macs tend to be 1) wary of downloading any programs from random websites and 2) wary of having to run something like an installer. The Mac App Store means that people will only do these things less going forward.

>I presume that people using Macs tend to be 1) wary of downloading any programs from random websites and 2) wary of having to run something like an installer.

If only. Last time I did a "check up" on my sister's macbook she had managed to install a toolbar and some other evil shitware that would hijack her google searches to collect her info and redirect her to bing.

Yes, I've run afoul of the "download button" adverts before. I'm not surprised to see them on torrent sites etc, but it amazes me that some supposedly reputable download sites would allow such things.

Seriously. Take a look at the official site for the excellent open-source Windows graphics editor Paint.NET, for instance:


Now tell me where you are supposed to click to download the actual application. It confuses me, and I'm an experienced user who knows to look out for these sorts of things. I have no idea how normal people ever find the damn thing.

My question is: whose fault is this? Is it Paint.NET's, for allowing the ads onto their site? Or is it the ad network's (Google, in this case), for accepting the ads into their network?

The blame belongs to both.

Google should not allow ANY ads that contain a Download button, when the page has a link containing the text "Download." These ads can have no other purpose but to confuse users who are looking to download software. The problem is that Google makes money from these ads, and these ads have fantastic clickthrough rates. If they banned these types of ads, they'd make less money.

The author of Paint.NET is making good money every time a user mistakenly clicks on such an ad. This money also reduces his incentive to get rid of the confusing ad.

I get around this problem by running an ad-blocker, so I only see the one legitimate download link. But most users do not.

The problem is that Google makes money from these ads, and these ads have fantastic clickthrough rates. If they banned these types of ads, they'd make less money.

This is how industries get regulated -- when they refuse to regulate themselves. I hope Google realizes that and takes action on their own initiative...

Pardon me, but Paint.NET is not open-source.

"You may not modify, adapt, rent, lease, loan, sell, or create derivative works based upon the Software or any part thereof."

I did find this, but I've never used it: http://code.google.com/p/openpdn/

CNet/Download.com is not reputable. It's malware distributor.

The best rule of thumb is: if it looks shady, don't go there ever again. Another: every good program has an author, and this author has a valid, non-malware-installing link on his/her website.

If this is true then I imagine there is space for a trustworthy curated library which can replace CNET.

On OS X, there is MacUpdate. Not curated, but user-unfettered. There used to be another very similar one, called VersionTracker, which was much more popular... and then it was acquired by CNET. And everybody gradually stopped using it. There's probably some kind of lesson hiding in there somewhere...

Filehippo.com and Oldapps.com give the real, original installers, not the crap-wrapped. Sadly, both sites usually are not in top 5 in Google, so you need to know of their existence. Actually I rarely use them, addiction to Google is too big (though I usually go to the author's page from the results list). But when I can't find a 'normal' installer it's awesome to have them.

I learned this the hard way just the other day - installed an app from them and ended up with half a dozen adware installs as a side effect of their installer. I used to think that cnet was above board, but apparently they're not anymore.

This is why I have no moral qualms about using AdBlock on most of the internet. I made the mistake of disabling it on one such download site once, and it took me a while to find the actual download link in the mess of DOWNLOAD! ads. Then I went back to having plenty of whitespace on that page...

For me blocking advertisements online is no longer about blacklisting bad sites, but whitelisting the few good ones I want to support.

Good rule of thumb is to look for the smallest "Download" link on the page.

Won't be long before this rule of thumb goes out of the window.

They'll probably make a one by one pixel link that links to the clean download file.

Maybe we could write a chrome/firefox plugin that highlights downloads that are from the same domain? Or perhaps hides non-domain ones? Would that clean up most of these issues?

You'd probably have to have a button to toggle this on and off.

Most of these freeware download sites tend to use mirror sites for the actual downloads.

The download link for the actual product will often really be a redirect to a page with a "your download will start in 5 seconds" and then some JS triggers the actual download.

Even the legit download will usually offer you toolbars and crap anyway.

We could add the most common mirror sites as exceptions, you could add your own, and of course you can always toggle it on and off?

I think that may make it useful enough...

You could certainly create such a plugin, however those who would have the most use for it may not be those savvy enough to find and install it.

@jiggy2011 - oh, the irony...

Adblock covers the use case.

So true, the real one is almost always an ordinary looking link rather than a button.

My experience recently was similar. A simple open source installer landed me a like of toolbars, preformance tools, and other assorted crapware. Incredibly obnoxious, and instantly removed any respect I had for the developer.

Are you sure it was the original developer that inserted the crapware?

It would seem so. At least, it wasn't one of those repackaged installers that some download sites offer.

Do you have Adblock Plus installed? It frequently removes the illegitimate download links since it (rightly) classifies many of them as ads.

I'll take this chance to recommend the following linux distributions to those non-sysadmins who are wondering which one they can try out:

- Fedora 17 with Gnome. Out of the box it offers all kinds of installation options, like the one I always wanted and only found in Fedora (in my words): "Use all this but only this free space, and also encrypt it". The only downside is that out of the box it lacks some things every desktop user will want, like media codecs, but can be installed very easily. There are also tons of addons for Gnome that you will want to improve the UI (eg: get back the minimize button -.-), you can get them at extensions.gnome.org.

- Ubuntu 12.04 server edition. I chose server edition because it has an option for disk encryption, but it will use the entire disk, which sucks unless you have two disks like I do. Then you install 'ubuntu-desktop' and you are done. There is also a problem with both server and desktop edition when installing into some HDD's, they fail to align correctly for different block sizes. Other than that, this is the perfect distro for me. It is LTS so it will be supported for 5 years, and I hope that by that time they have rolled back the crap that they added to 12.10.

- Fedora 18. It should be released today, let's see what they got.

> Ubuntu 12.04 server edition. I chose server edition because it has an option for disk encryption,

Ubuntu 12.10 has options for disk and home folder encryption in the regular, GUI, desktop installer.

I know thanks, but I'm avoiding Ubuntu > 12.04 until they remove the crapware they added.

Been using Fedora 17 for a while at work. Used to hate RPM-based distros, but I took another look about a year ago. It's actually pretty nice.

I also don't hate Gnome 3. It's a bit immature, but it's pretty and fairly easy to use and stable.

I personally found Fedora 17 with KDE really awesome. It was both easy to install and configure, and is a pleasure to use. I would definitely recommend it as an alternative to Gnome.

If you can get used to Unity in a week or two, I recommend Ubuntu. Fedora has always worked fine for me, but Ubuntu tends to have fewer rough edges.

I use Ubuntu and I can't stand unity. It's far too easy to do `sudo apt-get install gnome-shell` and do `sudo add-apt-repository ppa:gwendal-lebihan-dev/cinnamon-stable; sudo apt-get update; sudo apt-get install cinammon` and still enjoy the Ubuntu base (community, font patches, etc). I've bounced around between many DEs lately. Elementary is really great, especially when I was just coming from OS X, but I've been shocked at how nice Cinnamon is.

xfce improved my experience of ubuntu considerably as well and the install was trivial too (sudo apt-get install xubuntu-desktop). alt-tab works there!

I use Xubuntu, it's probably the best way to get the good parts of Ubuntu (the good package selection, proprietary software support, and OOTB hardware support) while also having a good UI.

I don't know why people hate it, I love it. It gives me so much more visual space.

For example, with Unity I was able to start using Virtualbox VM's maximized instead of full screen, which is so much more comfortable. The host has the sidebar hidden (shows on hover), and the guest has it always visible (as hover wouldn't work for a guest). It really makes a great use of the visual space.

The alt-tab behaviour is borderline unworkable for anyone who's used Windows or Linux windows managers before 2011 and is trying to work with a case like several terminal windows and a browser window.

My GNOME 2/XFCE/MATE setup has one bar on top of the screen and that's it, I'm finding it is pretty good for screen space even on widescreen laptops.

The alt-tab thing I think they copied directly from Apple (not necessarily a good thing).

The thing that really hurts about the new alt-tab is that it breaks my mental stack. On Windows, in KDE etc I can switch back and forth between two browser windows easily. On Mac and Unity you either have to decide of your last app change was an app change or a instance change.

I love the altered behavior.

I want to switch to a different app -> Alt+Tab

I want my other Chrome window -> Alt+`

When I'm on my desktop, I switch between far too many windows to have a mental stack in my head of MRU applications, let alone windows.

Not arguing one is better than the other, but I thought I'd offer my perspective as a user.

And if you want to switch from a different app into the other Chrome window?

"I want to switch apps" = "Alt+Tab" ?

Even better with the previews because I can hit "Alt+Tab", see that Chrome is selected, keep Alt held down and then "Alt+`" to the right window.

CNet hasn't been a reputable download source for some time.

"A few days ago I wanted to install the Partition Magic trial on my Win XP VM"

Windows XP is more than a decade old. The latest release, nearly five.

To generalize about the current state of Windows based upon recent experience with Windows XP is either ignorant, disingenuous, or blindly biased.

The results of a google search are somewhat independent of OS. I've found exactly the same problem myself, when searching for Windows downloads in Mac OS X, and get similar spammy results in Windows XP, Windows 7 and Windows 8.

The quality of search results provided by Google are valid as basis for judging Google. A paranoid individual might even see an alignment between Google's web services business model and search results which facilitate the installation crapware upon the most popular desktop operating system particularly when that crapware generally provides tracking information useful for targeted advertising.

Of course, another stripe of deluded individual might blame Microsoft for the abundance of crapware on the internet.

I doubt the installer/websites would have behaved much different if I have had used Windows 7 or 8.

Your doubt is unfounded.


Your research, poor.


And your characterization of the Windows ecosystem based upon your experience either ignorant, disingenuous, or blindly biased.


I suspect Partition Magic is intended merely as an example of the crapware-and-misleading-download-buttons trend. You can spot similar scamminess on (for example) http://getpaint.net/ and http://tortoisesvn.net/.

The commenter purports to have a degree of technical expertise - they're running a VM and have some need for Partition Magic. Those features place the scenario many standard deviations from typical Windows user activities.

More importantly, any person looking for Partition Magic in 2013 is likely to be an ideal candidate for crapware. They are performing system administrative tasks. They don't perform such tasks on Windows systems frequently. And they are ignorant of Partition Magic's demise as a product. To boot, they probably have an outdated skill set in regard to Windows.

Download aggregators started installing crapware five years ago. Any person concerned with crapware and who has recent experience avoids them if at all possible. In short, a person looking for Partition Magic in 2013 is likely to suffer from Dunning-Kruger syndrome.

The original claims depend upon a degree of sophistication which its author lacks.

> In short, a person looking for Partition Magic in 2013 is likely to suffer from Dunning-Kruger syndrome.

I'm asking myself where I could have insulted you to provoke such a reaction.

It's an assessment of your Windows expertise based upon the specifics the experience you relayed, not ad hominem. By your own admission your familiarity with the Windows landscape is based largely on experience gained more than seven years ago and with an obsolescent version of the OS.

Dunning-Kruger effects are the result of one believing that they have more expertise than the do. With regards to the Windows ecosystem, this seems to be the case.

One of the salient features of my experience with the Dunning-Kruger effect is that I don't recognize situations in which I am exemplifying it - and logic would dictate that I exemplify it more often than I am aware.

As a crapware vector, partition magic is akin to Nigerian spam. Those who seek it are the ideal targets just as those who respond to the Nigerian banker's uncle are ideal candidates. Both pursue something too good to be true.

I am not claiming that your experience isn't real. I am saying that its conclusion is not that of a Windows expert.


> Dunning-Kruger effects are the result of one believing that they have more expertise than the do.

I never said I'm a Windows expert.

Maybe I just hit the worst case scenario or maybe you need street smarts when surfing the web from a Windows system. Maybe being an OS X user made me soft and easy prey. But still - alone that a reputable download source (one of those that pop up on the first google page) tricks me into downloading a custom archiver utility and wraps installers with crapware doesn't really speak for the Windows eco system.

Now it could be an isolated case but then again if crapware spreading wouldn't be successful people wouldn't be doing it. And I doubt that all crapware infections come from Partition Magic downloads on Windows XP.

> I am saying that its conclusion is not that of a Windows expert.

But the thing is that Windows experts are the minority of all Windows users.

I'm not convinced the conclusion is incorrect. The crapware situation on Windows IS horrible, whether you download any of it or not. Even if you manage to reliably avoid it, that still takes a non-zero amount of effort.

Life requires a non-zero amount of effort. Avoiding crapware just requires sound practice and by definition less effort than dealing with crapware.

As a point of comparison, the iTunes store contains loads of crap. This is not a reasonable basis for condemning iOS.

>And they are ignorant of Partition Magic's demise as a product. To boot, they probably have an outdated skill set in regard to Windows.

the great irony being that the solution would be to use a gparted live disc.

Than I present my own research (sometimes referred to as usage): it's the same thing in Windows 7.

Sure, that wikipedia article doesn't include installers that aren't the official one. But finding the official one can sometimes be a ridiculously daunting task.

And sure, Windows 8 has an app store now. So what? I can still install applications outside of it.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact