
Paul, I'm one of the two people you're indirectly addressing with this HN post. (The second is Long Zheng.)

I wrote here: http://www.withinwindows.com/2013/01/16/installmonetizer-qui...

Long Zheng wrote here: http://www.istartedsomething.com/20130115/y-combinator-is-fu...

I'll respond to each of your items individually.

1. OK.

2. Maybe. Or more likely users are mistakenly installing these applications because the offer screen is made to look exactly like the EULA acceptance dialog seen in every other installer.

But we don't expect this to be fixed. Anti-malware vendors have stepped in and are improving their definitions to catch this garbage but it's very much a cat/mouse game. (IM has been detected a few times, btw.) IM is very aware of this "threat" and designed their system around random domain names to mitigate detection issues as they arise. (Think about it -- Does IM, a legitimate company, really need to use fcgoatcalear.us and fcvalcsoi.us domain names? Come on.)

3. No idea where you got this information, given InstallMonetizer bundled software shows no actual EULA. The only EULAs shown during install are ones provided by the package author and the offer advertisers. Can you clarify this point, please?

4. Wrong. Existing IM bundles out there still send PII in the clear. This isn't something they can just flip a switch on and fix. (I saw IM edited their privacy policy to note the new hashing procedures but sadly that doesn't cover the bundles on the Internet today. So it's wrong.)

5. Yeah, I saw the company slip in the "Open-source software is a community product and you may not use our co-bundles with it" line. What a slap in the face of those who use commercially-permissive OSS libraries in their software...




4. Wrong. Existing IM bundles out there still send PII in the clear. This isn't something they can just flip a switch on and fix. (I saw IM edited their privacy policy to note the new hashing procedures but sadly that doesn't cover the bundles on the Internet today. So it's wrong.)

Note that Paul's response said that they "are going to start" uploading hashes.

-----


Few problems:

1. They already edited their privacy policy, so as far as I'm concerned it's "live". But...

2. It's not. And it will never be, because it's hard-coded into the software bundled out on the Internet today. They may provide new bundles with hash code in place, but it's too late...

-----


3. It's included in the EULA of the app itself. They modify the installer.

4. I don't think there is any claim that this can be fixed instantly.

5. This is not for OSS-using libraries -- that's totally cool. Everyone uses open source. What they've banned is people wrapping VLC to make money off software they haven't written. That's not cool.

-----


3. Have you used IM? :)

4. It's in the privacy policy, so it's supposedly live. Or are you saying the policy is wrong?

5. That may be the intent, but did you read the policy? It's a one liner banning all OSS.

-----


Also, transmitting MAC addresses and IP addresses in the clear really isn't anything to write home about -- that's how all TCP/IP packets are transmitted over ethernet, after all. The real question is what they do with that data on the server side. If they so desire, they could change that behavior far more easily, and retroactively apply that transform to all the data they've retained.

-----


Not exactly, the MAC address (which is a far stronger unique identifier than an IP address) will usually only survive the first hop in an IP transmission.

-----


Not even 'usually': it doesn't exit your LAN at all. Once it hits your router, it is stripped and your data is packed with a different MAC address on the WAN (or any other layer 2 identifier depending on your connection), same for each hop after that.

-----


If you use EUI-64 as your interface ID in IPv6, your MAC address is part of your IPv6 address. That said, no modern OS does that anymore, times 1% of IPv6-enabled users, so the closer term is "almost never".

-----
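The EUI-64 case raised in the last comment can be checked directly. The following is an added example, not part of the thread: it audits a list of IPv6 addresses for interface IDs that embed a MAC address in modified EUI-64 form (RFC 4291). The function names and the sample addresses (built on the 2001:db8::/32 documentation prefix) are constructed for illustration.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the MAC embedded in a modified EUI-64 interface ID, or None.

    Heuristic: a randomly generated interface ID can contain ff:fe in the
    same position by chance (about 1 in 65536), so treat a hit as "likely".
    """
    # Drop any prefix length or zone ID before parsing.
    host = addr.split("/")[0].split("%")[0]
    iid = ipaddress.IPv6Address(host).packed[8:]  # low 64 bits
    # EUI-64 inserts ff:fe between the OUI and the device-specific half.
    if iid[3:5] != b"\xff\xfe":
        return None
    # The universal/local bit (0x02 of the first octet) is inverted
    # when the interface ID is formed, so flip it back.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address that exposes a MAC to the recovered MAC."""
    findings = {}
    for a in addresses:
        mac = mac_from_eui64(a)
        if mac is not None:
            findings[a] = mac
    return findings

# Constructed sample input: one EUI-64 global address, one EUI-64
# link-local address with a zone ID, and one randomized interface ID.
SAMPLE = [
    "2001:db8::211:22ff:fe33:4455",
    "fe80::211:22ff:fe33:4455%eth0",
    "2001:db8::a4c1:9be2:77d0:3e15",
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE).items():
        print(f"{addr} exposes MAC {mac}")
```

Link-local addresses never leave the segment, so only a hit on a global address means the MAC travels past the first hop.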



