What Happens When You Install the Top Download.com Apps (howtogeek.com)
740 points by ds on Jan 13, 2015 | 384 comments

And this is why Apple created Gatekeeper and made the Mac OS X App Store so ridiculously onerous for developers[1]. The software world is, for all intents and purposes, a thin sheen of gold flecks and diamonds atop a veritable cesspool of shit.

You can just imagine the conversation at 1 Infinite Loop:

    Marketer: The Panic guys are considering pulling
    out of the App Store. Maybe we should reconsider
    our App Store strategy to make it more inclusive.

    Product Manager: Have you seen the top 10 downloads
    from Download.com? They literally destroy your
    operating system.

    Marketer: ...

All that said, I'm disappointed with many of the restrictions that Apple places on iOS and OS X developers, but, after reading an article like this, I'm reminded why these restrictions exist, and that it's our own fault.

[1] and sandboxed iOS apps, and made the iOS App Store the only way to install iOS apps without jailbreaking your phone.

Ironic, considering that Apple did exactly the same, when you installed QuickTime on Windows. They tried to trick you into installing iTunes and Safari and set them as default apps.

Also, it stinks that Apple has nailed iOS that shut that even as a knowledgeable user you are not able to bypass it. They did not yet dare to do the same on Mac OS, but who knows when that comes.

Apple tricked quite a few Windows users into installing Safari and setting it as the default. Then Apple discontinued Safari for Windows without making an announcement or notifying users (same as they do with older OS X versions... they just stop updating them). So there are quite a few people out there using Safari on Windows with no clue about the fact that they're using a completely insecure browser.

If someone went to the trouble of installing Safari they know

And by the way, I never managed to make it work in Windows...

One of the main points of this thread is that Apple specifically targeted people who _weren't_ trying to install it.

Ah I understand now.

True, if you installed iTunes or QT and it installed it as extra, yeah, you probably have an older browser installed (but I think there's not that many people that still use it)

I think you are still missing the complete context of the original comment. Once a browser is set as default, for a significant portion of people that won't change unless they are somehow prompted or forced to change it again at a later date. To many people, the browser is just another part of the OS that allows viewing webpages, and they just call it "The internet".

It seems if they were that clueless, they would have had many more opportunities to change default browsers without realizing it.

What other browsers auto-install from other software and automatically change your default?


From what? It automatically sets itself as default?

Yup. Chrome is offered as opt-out bundleware with quite a few Windows apps and Google pays the publishers for this. This is how quite a few regular users switched to Chrome. Even just updating Java in Windows it'll try and sneak a copy of Chrome in with the update.

Let's be honest. Flash or Java plus the Ask toolbar have been installed by now, and managed to install Chrome.

chrome has a way of installing itself.

No, they really didn't. I've fixed quite a few friends' computers and asked 'why do you have Safari and Quicktime installed?' and the answer is always 'I have no idea, maybe iTunes did it'.

Apple are quite happy to trash another company's OS. The Windows iTunes experience was terrible: it ate resources, was opaque in operation, didn't always sync properly and could occasionally wipe your devices. It used to be required for OS updates.

The "nailing shut" is an increasing problem for anyone that believes in a free market in software. Which isn't helped by all these sites shipping value-negative software.

I'm not going to lie, that does sound similar to my experience with iTunes on OS X (though I do remember it somehow being even worse on Windows).

If you have an SSD and more than one Apple device, each device you synch eats up about 10 GB of space or more. If you have a spouse with an iPhone in addition to yours, a kid or two with iTouches, then that can easily eat up 50+ GB of an SSD drive. This can be a very significant percentage of your drive!! And there's no way to change it to anything but the C drive on Windows.

There is a complex method of changing the backup drive by setting up symlinks.

It is user-hostile of Apple to force use of C:\

If you have a Mac with more than one hard drive, one of which is an SSD, you probably know how to set up symlinks.

I nearly choked when Steve Jobs described iTunes for Windows as "a glass of water for someone in hell". More like "a bucket of lava for someone somewhere reasonable".

As an anecdote to counter another anecdote, I've never had these problems with Windows iTunes. I've used it since getting the HP branded iPod back in '02 (I think), and my music library has grown into the upper tens of thousands of songs since then.

It's caused me to believe that all these people trashing on iTunes have broken computers, because the software plainly doesn't do half the crap it's accused of doing.

To continue the mostly-irrelevant story time, I've installed it a few times and generally it works OK now but it is still quite slow for what it is. My main computer is no dog either (i7, 16GB RAM, SSD, yadda yadda) and compared to other media player/managers it really is a poor performer.

I can almost understand this on the newer versions since they've made it a sort of one-stop-shop for playing media, managing iOS devices, shopping for media and software, and sorting your content databases.

But the older versions I used back when I had a "classic" iPod were just terrible and all I did with that was load music onto the iPod. I seem to remember installing some custom firmware on the iPod specifically so I could just treat it like an external drive and manage the media on it via Winamp or Mediamonkey or some other program that had no business doing a better job at handling an iPod than something straight from Apple.

Even now I just use it maybe once or twice a year to back up and update my old iPad 2. I haven't found a way to disable all of the various iTunes helper processes that want to run in the background (short of turning them off in services.msc) so it only gets updated and run when absolutely necessary.

Maybe I'm just doing something wrong and it will run better if I open it more often and let it do its thing but there's just a point where it doesn't do anything (other than iOS backups) that I can't do more easily with other software.

...but I also admit that like many things, my previous bad experiences may be causing confirmation bias and leading me to take note of iTunes issues more than I would with other software.

iTunes for Windows seems fine to me. It syncs my iPhone OK, and doesn't otherwise annoy me.

It's nice that I don't have to buy into their cloud or OS to use their phone.

> Also, it stinks that Apple has nailed iOS that shut that even as a knowledgeable user you are not able to bypass it.

I agree with that feeling wrong but consider it from the perspective of anyone who cares about security. We live in a world where millions of people have fallen for attacks which required them to type in their admin password and okay a software install, open the web console and paste JavaScript in to compromise their own account (see e.g. https://www.facebook.com/help/246962205475854), install custom Android apps which then exfiltrate data or attempt local exploits, etc.

Apple chose not to allow that for iOS to ban that class of attacks outright. I've reconsidered my previous cynical conclusion that this was just to boost the app store profits based on the number of people I've heard mention using an iPad because they don't have to worry about installing programs; now I think the real profit comes from the trust in the platform – you need an awful lot of $.30 app profits to balance out a single device purchase.

I'm not enthusiastic about heading into the no-user-serviceable-parts world but it's not like the traditional PC model has worked out well when the majority of non-technical users has some level of dread/acceptance that they'll make a mistake and be compromised.

iTunes for Windows is a monster that drains the life out of the PC.

Microsoft Office for Mac OSX was coded with the same evil spirit.

This behavior is unethical but pervasive, and should be outlawed somehow, it hurts everyone. Especially when it comes from the two biggest players in the market.

When I used a Mac as my primary device, I relied on Office for Mac and it always ran well. I never had problems with it. The only issue was the lack of Visio, which I replaced with Omnigraffle.

Disclosure: I work for Microsoft, though this experience was at a previous employer.

This has been my experience too -- everything works reasonably well, I'm pleased with it. It's not always pretty (and I'm frustrated that some keyboard shortcuts don't work like they ought to) but it's always run properly.

Microsoft Outlook for Mac (the newer "blue" one, v15.3) is actually my favorite mail client on the mac. It's basically exactly what I wanted -- I wish there was a Windows version of the Mac Outlook :)

I've been pretty happy with MS Office for Mac over the past few years.

I've seen bugs in Word and Excel

Sometimes Word starts typing multiple lines and Excel freezes when copy-pasting filtered cells. I've learned to work around these bugs (having been there for over a year). Maybe Office for Mac is not coded by the devil, but it lacks features and is unsatisfactory in ways that make me consider turning on the PC.

I always think about the tough state of existence for the "iTunes for Windows" and "Office for Mac" dev teams.

I'm sure they get no support from corporate IT, their company's marketing constantly makes fun of their chosen field of expertise, and they probably even have their own table in the cafeteria. :(

Less ironic when you consider that all of those Apps are from the same reputable company and not malware, nor do they have any hidden purpose beyond trying to assimilate the WinClones to the Appleborg (although it seems to have given Apple such a bad rep among some Win users that it backfired).

It stinks for the user. It's way better for developers who aren't into having their software pirated though. Which in the end is better for the users.

Piracy is rampant on jailbroken iOS devices.

Indeed. I only learned recently just how rampant – not even half of the copies of an "App Store best of the year" game were bought. (https://twitter.com/ustwogames/status/552136427904184320) I wouldn't even have imagined so many people would even jailbreak their phones anymore.

Those numbers are somewhat sketchy if I recall right. Apple doesn't allow app authors to have access to an unchanging ID of a device, so if they're doing something like

(number of changeable UIDs that touched our server) - (app store sales) = copies we should have been paid for

..then there's a huge problem with their methodology. It would fail on the basic use case of one user with one app store account installing the app on more than one device (especially with kid friendly games like this), or reinstalls after a device wipe, or reinstalls after a user with a busted phone gets a new one, and so on.

As usual, bad statistics being used in defense of the piracy bogeyman. The number of people who jailbreak their phones is a tiny minority of iOS users, and the number of people who do so to pirate is an even tinier minority of that.

Even as someone that has no moral issues with downloading apps for free, I can tell you that it's not worth it on iOS. The contrast between the "it just works"-ness of the app store, and the hoops you need to jump through to get free apps is jarring.

Methodology on Android is also problematic, for the same reasons:


Five percent are paid downloads, so the ratio is 9.5 to 1, but a portion of those are people who have both a phone and a tablet, people who have more than one Android device with them. So a small portion of that 95 percent is going to be taken up by those installs.

> So a small portion of that 95 percent is going to be taken up by those installs.

More! I have burned through four Android phones and three tablets with one google account. Everyone who upgrades their device makes "one pirated copy" by the logic of this study.

And a huge portion of the current (licensed, not the Chinese ones without a valid Google license) Android phones are likely to be upgrades for older or broken devices.

Isn't this partially a result of selling iPhones in countries where majority of population doesn't have access to any means of payment that would work with App Store?

I boggle at people going to that much effort to pirate such cheap games. Is there a region restriction issue?

It's not a matter of price, or restrictions, but more about how people interact with the platforms.

They believe they already paid for the phone; they know they still need to pay their carrier for something they use but paying for software?

    c'mon, that's digital. copyable.
    wait! I need to tie my credit card to my phone? no way. I certainly can afford apps, but it's better to use them for free.
    why do they need to pay if Facebook, Gmail, WhatsApp... are free..
    do you read the news? app developers earn billions!
    I know you need to pay for Windows, but I've been using it for free for the last 10 years you know..

Just read the free games' reviews.. they complain and demand, without even thinking of giving a dime to authors.

I know quite a few people who are too cheap to pay the < 1$ for most apps...

And I know quite a few people who are too broke to pay $1 for most apps. You are implying that people pirate $1 games "because they're too cheap to pay" which most of the time is just completely untrue - for a lot of people, it's a matter of not having the money.

Some people here need to take a reality check break once in a while and look at people who don't make as much as they do.

If they somehow came up with the money to buy an iPhone -- $500+ unlocked, or $100+/month on a multi-year contract -- they don't "not [have] the money" to occasionally spend $1 on an app. They've just chosen to spend a lot on the phone itself, which might not leave much left over.

Lest you think I'm speaking from a position of not understanding poverty: my salary in 2013 was $21k pre-tax, with a wife and a kid. I had a $10 flip phone and spent about $8 a month on minutes.

Stolen iPhones, back in the days when there was no option for remote wipe/disable, or used iPhones (some friend got a 1st gen iphone for ~20€) can be dead cheap.

And honestly, I'd choose a working-order 1st gen iphone over any brickphone.

> If they somehow came up with the money to buy an iPhone -- $500+ unlocked, or $100+/month on a multi-year contract

Looks like you need the reality check I was talking about. I can find you $40 smartphones in countries that aren't the one you're in. And by the way, $40 can still be a huge investment for such people (just like $500 is to a lot of people in the US).

Edit: Those downvotes-without-explanation are really unnecessary, seriously. If you think I'm wrong, you very well may need a reality check yourself.

> "Looks like you need the reality check"

Please stop being rude.

EDIT: saying things like "If you think I'm wrong, you very well may need a reality check yourself" makes it seem like you're not open to dialogue. It comes off as rude, arrogant, and accusatory. That probably contributes to the downvotes.

> "I can find you $40 smartphones"

I can find plenty of $40 smartphones at Wal-Mart and Kroger. But this thread isn't about $40 smartphones, it's about iPhones -- and, in particular, the parent to your prior comment mentioned knowing people "too cheap" to pay for apps despite owning (implied: relatively new) flagship phones.

I know some people who are legitimately too broke to pay for apps, but they don't have new iPhones. Last year I didn't have a $40 smartphone, and definitely not a $500+ iPhone, precisely because it would have been a bigger investment than I could justify for a phone. I get that there are people for whom a $40 phone and $1 per app is too much money, but they don't have an iPhone6 or even an iPhone5, and they're not pirating the sort of apps that only run on those phones. The people pirating those apps aren't too poor, they're too cheap.

> makes it seem like you're not open to dialogue.

Complaining about downvotes without replies makes it seem like I'm not open to dialogue? I think it makes some people in here seem like they live in a bubble, to each their own huh?

> But this thread isn't about $40 smartphones

Actually, it is; GGP said he "knows people too cheap to pay $1 for apps" and that is completely valid for Android as well. The rest of your post's premise is wrong on that basis. I'm not claiming iphones are popular amongst that sector of the population. But even if I did, as someone else said below, actual pirated/resold iphones do cost around 30-40 USD making them just as accessible.

Edit: And I don't mean to be rude, it just disgusts me how some people here are so full of money it doesn't even register that for some, $1 is a big deal.

> "Complaining about downvotes without replies makes it seem like I'm not open to dialogue?"

No. Treating disagreement as a sign that people need a "reality check" and that they're "in a bubble" makes it seem like you're not open to dialogue. Like you don't even acknowledge the possibility that someone disagreeing with you could have a valid perspective.

> "it is ... completely valid for Android"

Yes, but the broader context of the thread was about iPhone piracy. Also note that he claimed he knew people "too cheap" to pay $1 -- not people "too poor" to pay $1 -- for apps.

I get that $1 is a big deal to some people. I live in one of the poorest zip codes in my state. I've taken in three poor families in the last two years (a divorced mom, teen parents, and a single woman working through community college). My church runs a fairly substantial food bank and clothing bank. I'm connected to a ministry that rescues young women from polygamy (FLDS, AUB, and related groups) and they often have 3-5 children, no money, and a 6th grade education at age 20. I taught in a school where 95% of students qualified for federal free/reduced lunch. Some of my family members do charity work out at Navajo Mountain in southern Utah, which is one of the poorest places in the US.

The people I know in deep poverty are not major app pirates. Most of them don't have smartphones, and the ones that do have $40 or less grocery store phones running Android 2.2 on a pay-as-you-go plan, with either free games or no games.

Conversely, everyone I know who pirates $1 apps is either a college student whose parents pay for everything and they just can't be bothered to ask mom for iTunes credits, or they're a middle-class adult who thinks "I can get it for free if I jailbreak my phone, so it's not stealing." They have adequate dollars to pay for apps to go with their $500+ phone and $100+/month plan, but choose not to. Hence, "too cheap".

It's like complaining that prisons are full of criminals. While playing around with a jailbroken iOS device is fun I would never do it with a device I use myself for something real.

Yep. This ruined Apple for me for about half a decade. I refused to use any of their products because my only interaction with them was with their shitty Windows software, so I assumed all their software was shit. It wasn't until I worked with a Mac fan who let me use his 2005 MBP that I realized that they can actually make decent software.

Microsoft seemed to do the exact opposite in this time period. Their Office software was very Mac-like and worked very well on OS X.

Unpopular opinion time:

I've had a Mac Mini for 3 years, and I still haven't found any Apple-made desktop software I would call "decent". I've had only iPhones since the 3G came out, too, so I'm not just an anti-fanboy.

That's not an unpopular opinion -- I know a fair number of Mac users and I don't think I know any of them who are devoted fans of Apple's application (rather than system) software. I've been using Macs more or less full time since 1999; over those 15 years some of their applications have been pretty good, subjectively speaking, but in general Apple is pretty frustrating in this regard. They'll come up with a neat application, let it languish way too long, then go into a fit and rewrite large swaths of it in strange and occasionally compatibility-breaking ways. Every time I look at iPhoto (admittedly not often) it seems to be an entirely different program. The current version of Pages can now almost do everything that the previous version of Pages could, but not quite. Aperture started life as a pretty brilliant program then sat around drooling on its shoes while Lightroom raced past it. And as we head into 2015, iTunes still has blocking dialogue boxes, which makes things a wee bit inconvenient if you're trying to use it as a media server. (Which you really shouldn't. I'm a masochist, I guess.)

> I don't think I know any of them who are devoted fans of Apple's application (rather than system) software.

I fail to see the difference between OSX and Windows then. Legacy Win32 APIs probably are still there, somewhere, but they've built a fairly solid system on top of that. PowerShell is one major argument in favour of Windows platform: it really makes resource management and scripting (and remote administration) quite nice. Meanwhile, for practically anything other than core system services (and sometimes for those too...) you need to install 3rd party applications.

It's exactly the same on Mac OS: I had to install Spectacle just to make the system support the most obvious shortcuts for positioning and resizing windows. Homebrew/mac ports are nice and I know of no Windows equivalent, but I think they target very specific kind of users and are rather limited in usefulness.

In any case: I'm a Linux user, have been using FreeBSD on the desktop before that for years, worked on Windows earlier, and now I'm being forced to use a Mac for iOS development. I see no real difference between OSX and Windows7/8 in terms of OS capabilities: out of the box they're both rather weak (for my purposes, anyway). With some tinkering and 3rd party applications both can be made into workable systems - but the tinkering is both harder and more limited than what's possible on Linux.

Other than mentioned homebrew and some degree of POSIX-compliance which makes compiling many *nix programs natively under Mac OS possible, what makes it nowadays better than Windows (I mean core OS functionality)?

That's really subjective, but for me I suppose it's two things.

First, I'm probably not alone on HN in reading that last sentence of yours that begins "Other than..." as being roughly equivalent to "Other than that, Mrs. Lincoln, how was the show?" OS X doesn't just have "some degree of POSIX-compliance"; it's Unix, full stop. If you are that "specific kind of user," this isn't optional.

Second, as squishy as this sounds, I simply like the OS X user experience more than Windows or any Linux/FreeBSD desktop environment that I've tried. The Mac gets the GUI right in subtle ways that are hard to describe but that I always notice when I'm using other systems. And this isn't due to lack of personal exposure; I'm, well, old by today's computing standards, and I've used the original MacOS for years, FreeBSD for several years (including professionally) and many versions of Linux, from the SLS days up through Ubuntu 12. (Actually, I'm running Ubuntu 14.10 and Arch Linux on two different servers, but they're GUI-free.) And I wouldn't trade OS X for any of them.

I know for some people, being able to tile terminal windows into a 3x3 grid without ever touching a mouse is their UX nirvana, but I am not one of those people, and I don't think I'm less productive for it. The fastest way to get a window the size and place I want it is often with a mouse. The fastest way to copy and move files is often with drag and drop. I know (some) people insist that I must be slowed down by constantly using mouse-driven software and switching between a tabbed terminal, a GUI text editor and a visual diff tool -- all with (gasp) overlapping windows! -- but I'm not. Really. And there are a fair number of Mac-only programs that I prefer to their Linux or Windows counterparts, if I can even find such counterparts. (Keynote, OmniOutliner, Soulver, ReadKit and xScope all come to mind.)

And, last but not least, it's nice -- at least for me -- to have a full Unix system that also has a lot of commercial software support. I don't run much Microsoft or Adobe software, but I'm glad I have the option. The applications I mentioned in parentheses there are all commercial, and as cliché as it may be to claim that commercial software generally has a better UX than free software -- and even more obnoxious, that Mac software tends to have a better UX than Windows -- it often matches my experience.

Surely you must tolerate OSX, or why would you still use the Mac Mini?

I usually use the Mac Mini solely for iOS development, and (since it's there anyway) iTunes management of my iDevices.

I have a main machine I run Linux on, and use a KVM to switch between them.

I admit that using a Windows keyboard on it is definitely a barrier, though.

It's entirely possible to run Linux/Windows on Mac hardware.

One thing we're seeing here is a clash of business cultures. Most developers and businesspeople that would hang around Hacker News are the sort of people who think business is about delivering the most value you can and getting paid for it. But globally that's really a minority point of view. Most global business focuses exclusively on the getting paid part, and tries to deliver the least possible value required to get money as quickly as possible. If you can get paid by delivering no value or even negative value, that's a big win. The ideal product is a vapid "pet rock" fad or an addictive drug like heroin or cigarettes.

The sort of software you see profiled in this article is the result of those kinds of quick-buck hustlers trying to game the software market. That's the majority of global business culture, which is why outside walled gardens with quality control it's the majority of software.

Ultimately I think this is the case because human beings are wired for scarcity and conflict. Get while the getting's good, because the next famine or raiding army is always coming. No point in building any real value in that world. It'll just get stolen or destroyed. HN is full of people who subscribe to the futurist/enlightenment notion of progress and the idea that we might be almost post-scarcity enough to entertain the decadent luxury of benevolence.

Also, it seems like no-one is ever pursued to justice for creating such software, and this is the opposite of the greater public's expectations.

> and that it's our own fault

Whose fault exactly is it?

Has anybody in HN worked with a company which does this crapware bundling, let alone creating? Or does anybody know anyone who's "in the business"? Because I, quite honestly, can't understand how or why people would be doing this. Is it really that "Well, I know this shit is going to infect thousands of machines with software which nobody would like to have, but hey, it gives me my salary, fuck yeah!"?

It's just sad that there are people scamming others like this, and people who jump into it because hey, paycheck!

> Has anybody in HN worked with a company which does this crapware bundling, let alone creating?

If anyone here has worked for Adobe (Flash included crapware for a long time), Oracle (Java updates used to or still do include crapware), Google (browser toolbar was crapware), or Apple (Quicktime for Windows attempted to install iTunes and Safari), then yes.

Every sane piece of Mac software: download a big disk image (dmg), mount it, copy the application folder to /Applications. To uninstall, drag it to the trash.

Adobe software: download a tiny disk image, launch the hideous Adobe installer program, give it root, have it download and install God-knows-what to God-knows-where. To uninstall, open a terminal and go medieval on everything with a name containing "Adobe", "Macromedia", "Flash", etc.

Adobe creates the most user-hostile software that is not pure malware.

> Adobe creates the most user-hostile software that is not pure malware.

I have always had a problem with adobe, and I used to say it was because 'they specialize in non-standards', but I think you have a much better point. It just feels like you're getting screwed every time you see that A.

> 'they specialize in non-standards'

I think you have the nub of it here. I first learned to loathe Adobe almost 20 years ago, with Acrobat for X11. Every other X11 program would spawn a new process and a new window when you typed "program ... &" in your xterm, but "acroread ... &" would talk to the One True Acroread Ur-process instead. This, of course, caused all sorts of unpleasant and non-standard behavior when opening and closing PDF files. Not to mention that the interface was a bloated nightmare compared to xdvi and ghostview.

Then they bought Macromedia and Flash, with its ability to create non-standard horrors on the web. It was like watching the formation of a black hole of abusive software, and I still wait for AOL and RealPlayer to be sucked in by Adobe's evil gravitational pull.

They have, sadly, been doing this on MacOS for years. It was like that in the Classic days as well, they were always one of the few companies who actually used an installer, and cleaning up after one was an annoying process of combing extension and preference folders for lingering cruft. Fortunately there were apps to help find useless leftovers, but it was still a pain compared to how otherwise pleasant the MacOS software experience generally is.

Whenever you install Chrome (not sure if other Google product that does the same),

you got GoogleUpdate as ..

  - startup trigger
  - firefox addon (!!)
  - scheduled task

And it's not Google alone, big players are the worst malware distributors as part of their _own_ products

Stallman was ALWAYS right.

Ah, GoogleUpdate... Trying out Chrome gave me the unfortunate opportunity to learn about launchctl(1), Apple's version of cron(8). I haven't used Apple software on Windows in awhile, or vice versa, but I bet both are similarly awful. I didn't know about the Firefox addon, but that's a clever little extra bit of evil.

So, while I may be a baby-killing enabler (I work for the DoD), at least I've never bundled crapware with my software.

The truth is, if you look far enough, you can always find something to be guilty about. I'm not going to blame programmers working for any of those companies, but I will squarely place the blame on companies with hypocritical culture.

Apple upper management: Hey, let's bundle all this crap with something that people actually want!

Years later

Apple upper management: Wow! People are bundling crap with things that people actually want! We should put a stop to that by fucking over our customers' right to choose in a free market!

Ooh, that's right. Stupid Ask toolbar in the Java updates.

Pretty much, yes - if there's a buck to be made and the law isn't being broken (in a way that will be meaningfully prosecuted), someone will do it.

To answer your first question, someone from HN should surely about this given: http://www.istartedsomething.com/20130115/y-combinator-is-fu...

Extensive commentary at https://news.ycombinator.com/item?id=5059806

Yeah, pg even defended a YC-backed company that had built a business model around exactly this kind of bundling, saying that it wasn't a big deal because their installers always asked for permission before installing the bundled crap. (Which they did in exactly the same way as these download.com installers - by making the prompts look like EULA acceptance screens.)

pg "investigated" that crapware company a couple of years ago [1], but they still apparently exist, and continue to collect MAC addresses.

[1] https://news.ycombinator.com/item?id=5062133

What was the result of that investigation? Can't find any info in the original thread.

I don't know, but I'm guessing that the comment solved the PR problem, so there was no need to do any investigation, or to act on the results of one.

EDIT: pg's response was basically "suck it": https://news.ycombinator.com/item?id=5092711

Our fault, collectively, just as it is our fault that the environment is being destroyed, or that third world clothing manufacturers pay peanuts to their employees.

If 'we' wanted to, we would at least work on getting rid of this kind of behaviour. In an alternative world, the equivalent of GreenPeace would parade the C|NET offices, newspapers would write angry editorials about them, harmed users would write them millions of complaint letters, and class action lawsuits would be filed.

Problem is that 'normal' users have been slowly subdued into "it's my fault" mode.

Nobody has time for all that. Humans just don't have the attention bandwidth to solve problems like this. Not in conjunction with everything else going on in the world.

> Whose fault exactly is it?

People who think that software should be free, as in beer.

Developers have to be paid. When people paid for software with dollars, this exchange was much more straightforward. But now people think that software should be free as in beer, which means it comes with ad software or "sponsored software" that in turn sells ads, or spies on everything you do, or something to pay the bills.

Well, I disagree. There's a ton of software that is being developed and distributed for free because the authors actually care about solving a problem. Not all software needs to be sold, not all developers do it for money. For many people money is the problem (you need to put time to get it which could be better used to build useful stuff), not the goal.

Some developers choose to sell their software, and they have their perfect right to do so. Hard work needs to be compensated, and if someone wants that compensation to be money, then so be it. Just label it in clear terms. Ad-software is not a legitimate earning method, it's robbery. What it tells is that you don't give a damn about either the problem you're pretending to try to solve (otherwise you wouldn't let your app be polluted with worthless crap) or your users, who will have to live with malware (which, on global scale, is a huge negative utility in terms of lost productivity and health lost to stress/anger).

(I skipped here over the big, expensive software - things like Photoshop, Matlab, etc. That they are the result of hard work of people who need to get paid is obvious, and everybody knows that they should buy that software if they need it, and they will receive something valuable in exchange.)

> Not all software needs to be sold,...

I'd go a bit farther: not all software can be sold. Making some extremely niche software fills that niche, but there may be a very small audience for, say, combinatory logic interpreters, or theorem provers. If we as a society demand that every piece of software be sold, and maybe the bulk of the members of the society have a weird idea that the price of something has to reflect the cost of that good plus profit, then a lot of software will never get written, and a lot of ideas won't get tried out, and a lot of niches will go unfilled.

I think you two might agree, but are talking past each other.

Of course TemMPOraL is right: There's nothing wrong with someone who truly wants to give away software for free. Saying that's wrong is saying that any act of generosity, kindness or charity is wrong.

But Daniel is not saying that free software is the problem, but that "People who think that software should be free" is the problem. When people expect software and web services to be free, producers who can't afford to give it away free are forced[1] to resort to other means. And when he says that for people paying "for software with dollars, this exchange was much more straightforward", he is echoing Maciej Cegłowski[2] of pinboard in his call: Don't Be a Free User[3].

The real problem is not free software, but software that dishonestly claims to be free. Ad supported software is not free[4]. Software that is monetized by pushing other software is not free. Software that sells your data is not free. Software that hooks people first and then pushes in-app purchases[5] is not free.

I'm actively working on how to get us out of this mess. If you're interested give me a holler.


[1] I'm being generous. I think anyone who is ethical and honest with themselves wouldn't allow themselves to be forced into doing anything dishonest. "You can't get permission for the wrong thing and don't need it for the right thing" (https://news.ycombinator.com/item?id=8877192)

[2] https://news.ycombinator.com/user?id=idlewords

[3] https://blog.pinboard.in/2011/12/don_t_be_a_free_user/

[4] https://news.ycombinator.com/item?id=8585237

[5] I call this the drug dealer business model. Microsoft perfected this in the way they got everyone hooked on DOS, then Windows and then Office, and then took it to a new level by giving away IE for "free".

I don't think your argument is valid. If you market your software as free, then it should be. You can't just fill the computer of the person with trash without asking just because "but I have to be paid!!!!". Now, some of these softwares did ask for permissions, I am just responding to your comment.

If it's going to spy on you, it should tell you right up, not in small print in the EULA.

Also, the assumption that developers have to be paid is wrong, some people might do it for charity or for other non-profit reasons.

> Developers have to be paid. When people paid for software with dollars, this exchange was much more straightforward.

There are plenty of services I pay for that sell data about me and/or show me advertizements.

So this is an appealing story, but it only works until someone decides "I could get paid, AND sell the user to advertizers/data harvesters." It's always easy to make now-impossible scenarios into appealing hypotheticals, and I'm sure that market forces COULD mean that none of the software or services currently supported through advertizement and data harvesting invasive and advertizement wouldn't do so, but nobody can say for sure.


Hey look:  -> "App store... (3 new)"

Pretty sure I bought this laptop. ($2000) But there sits an advertisement, right in my GUI. Yes, this one is pretty harmless, but it is still there.

You're right, but ultimately this is a band-aid over the fact that OSes have terrible permission separation and application isolation. If OSes were better architected from a security point of view, it would be substantially less of a problem.

You seem to know a lot more about operating systems design than Microsoft. Why don't you submit a paper?

Microsoft knows far more about operating system design than Microsoft. I'm sure MS research is chock full of people who could design something far, far better than Windows. The problem is twofold:

(1) Convincing anyone in management that developing such a thing would be worthwhile when people are still buying the old thing in droves and when such an endeavor would have a long bootstrap/incubation period before it'd be commercially viable.

(2) Making all the legacy software work via compatibility layers.

Not sure which of these would be harder.

Present OSes have security models rooted in the multi-user needs of workstations and servers in the 1970s and 80s, back when the Internet was kind of a walled garden and security risks consisted mostly of students and kids playing around.

>Present OSes have security models rooted in the multi-user needs of workstations and servers in the 1970s and 80s, back when the Internet was kind of a walled garden and security risks consisted mostly of students and kids playing around.

Okay, what security model do you propose then? I'm curious because I don't see a security problem here. No OS security was bypassed, there was no OS bug that was exploited. This is what happened - The user downloaded a file and installed an application.

In your previous post you mentioned terrible permission separation and application isolation - I don't see how it's connected to the problem.

It seems like you want it to be so that malware applications can be installed by any user without the system suffering any consequences. You can't achieve that goal without also crippling regular applications that legitimately might want to do everything that a malware application does.

I don't have a fully baked design in mind, but I could probably come up with one if I had a long time to focus on it. I do have a general framework in mind for how one might approach the question.

First and foremost, security should be a primary OS design objective and it should go into the design deep. It should be something you think about before secondary concerns like a process model, binary format, driver framework, or memory management.

Every single executing piece of code should be signed (with self-signing by the user an option of course). In that respect the app store model has it right, but I'd like to see something that ultimately puts the keys in the hands of the user. That means that a keyring is something you put down with the task manager, memory manager, etc. It's a core OS function. The ability to administrate the keyring and control permissions is also a core OS function.

Every function call outside a context should do a permission check against the certificate of the executing code. The right way to design this would be to make it work first, then figure out how to make it fast without compromising security. I think fundamental innovation would be needed here. I'm not sure exactly how this should work.

We should get away from distributing compiled code that runs straight on bare metal for most things. It might still be available as a permission, but one that would come with a warning to the effect that this could allow something to pwn your machine. Honestly I'm not sure if it's necessary. I'd look into the idea of shipping binaries as LLVM byte code and AOT compiling everything, and possibly including a secure implementation of OpenCL for really high performance computing needs.

A concept of users should be baked in from the get-go too, and should be part of the permission set of an executing context. Each user should have a key and be able to authorize other keys by signing them, etc.

So yeah, I think that's sort of a starting point. Crypto and permissions should be baked in from the get-go.

It'd also be important to think about usability from the get-go, since if it doesn't "just work" nobody will use it. UI/UX would be a challenging part of the project.

Storage is another challenge -- how to allow execution contexts to hand-off and/or share data without compromising security and without being too inefficient. The fact that storage is getting so cheap means things like copy-on-write with versioning might be baked in from the get-go to permit almost any operation to be rewound for a good period of time. So if a piece of bad code borks your work, just undo. I wonder if the whole OS could be built around a command model where things just fall off the end when they're too old? Log-structured everything? Again, not fully baked but I think it's the right general direction.

I highly doubt I am unique in thinking these things. I'm not the sharpest tack in the world and these kinds of ideas strike me as obvious results of reasoning from first principles about current OS challenges and failures.

The app store and mobile sandboxing models are steps in the right general direction but they are very, very ham-fisted compared to what I'm imagining here. They're the right ideas applied as a band-aid to fundamentally obsolete systems. They also cut the user out of the picture. I think that's because their models are ultimately too shallow and coarse-grained (and also because the vendors want control). Develop something good enough and the user can be put in the driver's seat without the machine turning into a malware cesspit. If the user authorizes a piece of bad code, just de-authorize it and it dies.

Thanks for taking the time to reply.


I don't understand how only allowing signed execution would help avoid this problem. Like you said, anyone could pay to get their company listed as a 'trusted' entity. The problem is you can't push this task to the user, because the non-technical layman user is not in a position to determine this.

If we only allow signed binaries to be loaded in memory, then we won't need IPC to pay the security tax for every function call. - given that there are probably going to be tens of thousands of them per second.

>We should get away from distributing compiled code that runs straight on bare metal for most things. [..] Honestly I'm not sure if it's necessary.

Poof, no more program debuggers, profilers, no more device drivers, no more third party file systems, no more .. you get the idea. Maybe that's not "most" things, but ask yourself how functional is an OS without the ability to load kernel mode stuff.

> Each user should have a key and be able to authorize other keys by signing them, etc.

How does that help my mom? She's just going to call me when the computer asks her "weird questions about keys and permissions". The entire point is that the average user is not the best judge of what is and isn't malware. Technically savvy users already have no issue with malware for the most part.

>Develop something good enough and the user can be put in the driver's seat without it turning into a malware safari.

Again, why would the user WANT to be in the driver's seat? They have no clue how to drive the car!

> If the user authorizes a piece of bad code, just de-authorize it and it dies.

That only tackles the problem of cleanup, which is a separate problem. By that time, the malware is already on the system and it's sent your credit card and documents to the bad guys.

"I don't understand how only allowing signed execution would help avoid this problem. Like you said, anyone could pay to get their company listed as a 'trusted' entity."

The purpose of signing isn't to guarantee that an entity is anything, but to allow the user to absolutely and decisively rule what code is allowed to execute. If the Russian Mob sneaks some code from "G0ogle, Ink." onto my machine by tricking me into authorizing that cert, I can just de-authorize it and then it all DIAF.

When I say signing, I don't necessarily mean the app store feudal model. I mean an inverted version of that -- where the user decides what runs by approving certs by signing them with some kind of master key.

"Poof, no more program debuggers, profilers, no more device drivers, no more third party file systems, no more"

You can debug Java pretty effectively. There are great toolchains for that. I agree that direct ASM may be required for a few things like drivers, but those are going to be the exceptions not the rule.

"How does that help my mom? She's just going to call me when the computer asks her "weird questions about keys and permissions"."

"Again, why would the user WANT to be in the driver's seat? They have no clue how to drive the car!"

Freedom and control are things you should have, but should not be forced to exercise. It should be possible to leave them alone and just trust one or more vendors. This is a UI/UX issue.

With things like iOS I don't have the option.

"That only tackles the problem of cleanup, which is a separate problem. By that time, the malware is already on the system and it's sent your credit card and documents to the bad guys."

Absolute security perfection isn't possible, but I think huge improvements can be made. Don't let the perfect be the enemy of the good.

Data leakage and social engineering are particularly thorny because they're really only half technical problems. The meat sack using the machine is always going to be a weak point in any security model. But if the machine were secure, it would help.

We're going around in circles I think.

The entire problem is that the users have no idea prior to installing the software, whether it's legit or malware. I don't see anything in what you've proposed that solves the root problem. Yes, we can look at peripheral problems like cleanup and revoking certificates but those only affect users AFTER they've already made the choice of installing a particular piece of software.

> We're going around in circles I think.

Just you, my friend. If you recall, here is the point you were challenging:

> this is a band-aid over the fact that OSes have terrible permission separation and application isolation. If OSes were better architected from a security point of view, it would be substantially less of a problem.

Would you now concede this point?

> If you recall, here is the point you were challenging:

Yes, and I didn't receive any information that would lead me to believe that applying his/her suggestions would substantially tackle the root problem. All process isolation does is push the problem out further into the application side of things. Now the user has to micromanage the data flow in between applications. The root problem has very little to do with OS architecture, and I'm happy to be convinced otherwise.

>Would you now concede this point?

Okay. If you insist. I have no desire to "win" the argument. It's merely idle chit chat for me. My code's compiling ;)

The idea isn't to solve that problem, but to limit the damage significantly.

I should be able to give a Russian mob hacker on crack access to my machine without worrying too much about them doing anything I don't give them permission to do.
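The user-owned keyring debated in this sub-thread, modelled as an added example that is not part of any comment or of any real OS. The publisher name is the one used in the thread; keys, permission labels and class names are constructed, and HMAC-SHA256 stands in for a public-key signature so the block runs on the Python standard library alone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class Denied(Exception):
    """The keyring refused to verify the code or allow the call."""


@dataclass(frozen=True)
class SignedCode:
    publisher: str    # cert name the binary claims
    body: bytes       # the code itself
    signature: bytes  # publisher's signature over body


def _mac(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for a real public-key signature.
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign(publisher: str, key: bytes, body: bytes) -> SignedCode:
    return SignedCode(publisher, body, _mac(key, body))


@dataclass
class Grant:
    verify_key: bytes
    permissions: frozenset
    endorsement: bytes  # user's master-key MAC over (publisher, verify_key)


class Keyring:
    """Hypothetical OS keyring: the user, not a store, decides what runs."""

    def __init__(self):
        self._master = secrets.token_bytes(32)  # user's master key
        self._grants = {}
        self.audit = []  # (publisher, permission, decision)

    def _endorse(self, publisher, verify_key):
        return _mac(self._master, publisher.encode() + b"\0" + verify_key)

    def authorize(self, publisher, verify_key, permissions):
        self._grants[publisher] = Grant(
            verify_key, frozenset(permissions),
            self._endorse(publisher, verify_key))

    def revoke(self, publisher):
        self._grants.pop(publisher, None)

    def check(self, code, permission):
        """Run on every call that leaves the code's own context."""
        decision = self._decide(code, permission)
        self.audit.append((code.publisher, permission, decision))
        if decision != "allow":
            raise Denied(decision)

    def _decide(self, code, permission):
        grant = self._grants.get(code.publisher)
        if grant is None:
            return "deny: cert not authorized"
        expected = self._endorse(code.publisher, grant.verify_key)
        if not hmac.compare_digest(grant.endorsement, expected):
            return "deny: grant not endorsed by user key"
        if not hmac.compare_digest(_mac(grant.verify_key, code.body),
                                   code.signature):
            return "deny: bad signature"
        if permission not in grant.permissions:
            return "deny: permission not granted"
        return "allow"


def attempt(ring, code, permission):
    try:
        ring.check(code, permission)
        return "allow"
    except Denied as exc:
        return str(exc)


def demo():
    ring = Keyring()
    key = secrets.token_bytes(32)  # constructed publisher key
    app = sign("G0ogle, Ink.", key, b"installer-v1")
    ring.authorize("G0ogle, Ink.", key, {"network"})
    out = {}
    out["granted"] = attempt(ring, app, "network")
    out["ungranted"] = attempt(ring, app, "read_documents")
    patched = SignedCode(app.publisher, b"installer-v2", app.signature)
    out["tampered"] = attempt(ring, patched, "network")
    ring.revoke("G0ogle, Ink.")
    out["after_revoke"] = attempt(ring, app, "network")
    return out


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:13} {decision}")
```

The `granted` case is the window the objection in the thread points at: a permission the user did hand over works until the cert is revoked, while everything outside the grant is refused from the start.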

There is tons of old research that just hasn't been put in practice. There are 3 major desktop OSes, and they all adopt 80's view on security i.e. security is mainly about separating users and not necessarily about separating applications.

a) I'd like all applications to be run in sandboxes. That way you don't have to care if your application has malware or its processes got hacked. You have that in iOS I believe (but iOS has other problems), but to various degrees it's been done in solaris and freebsd, probably can be hacked in linux but no major distro has it as a precooked solution.

b) Have OS written in memory safe language. Microsoft got Singularity, I have no idea why that never saw the light of day. That thing could kill Linux on a large portion of the server market. Hopefully we will get something written in Rust now.

What does download.com have to do with this? Anyone in their right mind will figure out that it's terrible. I don't think the App Store really competes with download.com. It competes with independent websites that use PayPal downloads and license keys. Download.com, macUpdate, softpedia, download.cnet.com, and the like don't give anyone an excuse to lock down their platform this tight. The cure is worse than the disease. If there are fifty green download buttons on a site, which button are you going to click? Hopefully the red X in the top corner.

> independent websites that use PayPal downloads and license keys

As of 1 Jan this is now economically infeasible in the EU (see "VATMOSS").

Using the number given in the Pinegrow thread today: It is economically infeasible to pay your payment processor 5 percent instead of 3? It's annoying, sure, but infeasible?

Specifically you can't use paypal. As they say on the BBC, other payment processors are available and you have to get one that will handle the VAT for you.

You can still offer Paypal via another payment processor.

How about using a provider like Fastspring? Or are their fees too high?

They certainly claim to handle it; I can't really speak as to whether their fees are too high, but it's higher than paypal.

I think the reason this really is a surprise* is because they claim these are the top downloaded apps.

*edit: Wish it were a surprise.

Windows has an app store too and because there is a vibrant market for paid third party applications [particularly B2B] it is not so onerous on developers. It's not the primary channel to reach users.

Apple has a gatekeeper model because many years ago it shifted to the view that money users spent on third party software was coming out of their bottom line.

There might be some room for something somewhere in between download.com and Apple's app store.

The Android app store?

More like android f-droid store.

It's mostly a Windows problem. I haven't seen malware from .debian.org or more recently .freebsd.org.

That's due to the much smaller install base. As soon as you get any commercial software on linux, you break outside the package manager and start getting closer to crapware (see graphics drivers installation process which is normally 'download this shell file and execute it as root').

At that level (you're using linux, know what 'root' is, how to access root and how to execute a shell file as root) you're being lazy if something like that bites you in the ass.

Also it's possible to screw up a system that way, but it's easier / lazier to just install the wrapper package that takes care of everything including dependencies.

So on freebsd, pkg install nvidia-driver, or on legacy linux apt-get install nvidia-driver and you're all done.

Someone looking for trouble could do it the hard and dangerous way, but why?

Also commercial software other than possibly games, is dead man walking and is dead on FOSS platforms. Sure, go ahead, pretend it's the 80s and try to charge me money for an editor, or a compiler, or pretend it's the 90s and try to charge me for a web browser or a database, it's just not happening.

> ... and try to charge me money for an editor ...

OK, make an editor as great as Sublime Text, put a msgbox that I really should pay $60 for multi-PC license, and be done with it.

freebsd or "legacy linux" "commercial software ... is dead man walking"


Which leads us back to the real reason why you don't get malware on Linux - because non-tech-savvy people don't use it. If ever, say, Ubuntu reaches popularity levels comparable to Windows among general population, you'll be seeing tons of toolbars there as well.

well actually Ubuntu bundled spyware


    Ubuntu uses the information about searches
    to show the user ads to buy various things
    from Amazon. Amazon commits many wrongs
    (see http://stallman.org/amazon.html); by
    promoting Amazon, Canonical contributes to
    them. However, the ads are not the core of
    the problem. The main issue is the spying.
    Canonical says it does not tell Amazon who
    searched for what. However, it is just as
    bad for Canonical to collect your personal
    information as it would have been for Amazon
    to collect it.

More info, plus a script to fix:


> you're being lazy if something like that bites you in the ass.

I mean maybe—it's not like you have the option to analyze or debug what you're running. You can't predict everything that can go wrong, even if you know the rest of your system top to bottom.

I agree with you partially. But Apple has taken its own interests into consideration. Apple is not doing this out of the kindness of their hearts - They take a fat cut out of each sale.

Have you seen the Debian repositories or the Ubuntu Software center? They have a great selection of software, are easy to use, while at the same time not taking away your freedom or resorting to Orwellian tyranny.

> They have a great selection of software

The Debian repositories are great, but don't kid yourself: unless you're a developer, it's very likely that there are at least a handful of mission-critical apps missing from the Linux ecosystem.

You missed my point. I wasn't comparing the Linux ecosystem to Apple ecosystem. The Debian repo and Ubuntu software center is a fairly good source for 90% of the popular great apps available within the linux ecosystem. It is as or almost as secure, easily accessible and user-friendly as the Apple App Store, while at the same time giving the user full freedom to do what he wants. The Apple system takes away the user's freedom to achieve the same (the 'Orwellian tyranny' part)

Can I get an example? I am considering moving some family to Linux and I couldn't find anything they would be missing upon a cursory glance.

I used to re-install windows to my family like once a year, but then I refused to do it anymore but I offered to install ubuntu on their machines. It's been like 4 years so far and they hardly need any maintenance from me.

IMOE the main issue are software-suites

Cad and 3D: my dad is really used to windows, and learning the linux environment was an easy step for him. He could never do the switch to open source cad alternatives. We tried using wine, but for performance we ended up keeping windows as a 2nd bootable for him to draw.

Photoshop, and Corel: I installed ubuntu to a friend who works as graphical designer. She is currently using gimp, and inkscape but she had a hard time making the switch.

Games: my son really was the most resilient to the change. He played every blizzard game, and since there aren't (wasn't ?) linux support it was a big non-stop for him. Then he moved to minecraft, and that made him reconsider the switch. He's been using linux for about 2 years already -- no windows partition at all

In my experience Blizzard games have worked fine with wine. Did you try running the games with wine?

we did, but the performance wasn't good enough for playing. even modern games played better than older ones.

Get an off the shelf GPS watch from Garmin or TomTom. The bundled software doesn't do Linux and apt has nothing much..

Yes, I can't be mad at the Apple Store for sandboxing. Their pricing model, totally, but sandboxing I want more than any other store feature out there—if I could use it for steam I would in a heartbeat.

If apple would limit themselves to keeping malware off their users systems I'm pretty sure that very few people would have an issue with the app store.

Oh cool, so you go ahead and trust a corporation to tell you what you can and can't install on your operating systems, I'm sure that will go well. They have your best interests at heart.

At least Macs allow you to not use the AppStore (for now).

Download.com is just the beginning of this crap. At least a lot of people now realise that download.com is shady. Google is just as bad as download.com, but people still think of Google as a reputable site. Even in this discussion people are recommending just googling the product name to find a download. Please don't tell people to do that. It's dangerous.

If you type terms like 'firefox' into google search much of the time the top result (which is actually an ad) takes you to a site offering a version of firefox bundled with toolbars and god knows what other malware. The story is similar for other popular windows downloads. I've even seen these ads crop up for things like Chrome in the past.

For example, here is a search I did just now for the term 'download firefox'. The top result is an ad leading to malware: http://i.imgur.com/Ote9c2k.png

Imagine having to explain to an inexperienced computer user how to find firefox or other common software, without clicking on any of these landmines google carefully disguises right at the top of the results.

I've been bringing this up on HN for a while now and nothing has changed. Many of the sites are the same as they were a year ago. Google does manual review of adwords sites. The domains of these sites have been the same for at least a year. Google knows exactly what is going on, making them just as bad as download.com in my view.

Google search ads are probably one of the biggest vectors for malware these days, alongside the kinds of big download button ads you see on software sites (many of which are also google ads).





This is the exact reason why the first thing I do for a friend's computer is installing adblock on chrome.

As an aside, I wonder how prevalent the adware would be when searching for "download chrome"?

This. For all that people handwring about "Won't somebody please think of our ad revenue!", I consider installing some kind of adblocker more or less a standard safety measure for the web. A huge volume of browser-vectored malware comes from bad ad clicks, and even I've made a mistake or two in the past clicking on bogus download buttons and the like.

µBlock is especially good for this as some of the lists have additional rules specifically targeting malware sources, and it can block things like actual script tags and such instead of just hosts.

And it's not like people with ad blockers would lead to ROI, anyway.

people defending ad blockers tend to say this, but that's not true. As much effort in advertisement is about validating your product as it is about selling it. No one buys a BMW from an online ad, but yet here it is! http://i.imgur.com/QCDc2gl.png

Well it's not there to sell cars so much as it is to say to the public "BMW are valid cars"

So just having the advertisement get seen is what's important to them. At least that's my understanding. Evaluate the argument for yourself: http://www.reddit.com/r/explainlikeimfive/comments/14y695/el...

It's also another reason I filter ads. I'm afraid they will manipulate the way I think.

At least the actual, genuine result is visible without scrolling. A few years ago Google were paying computer manufacturers to set a special version of Google with more prominent ads as their default search engine. The net result was that if you got a new computer and searched for Firefox using their default, Google-supplied search the genuine result was actually below the fold in some cases.

Can you back that up with a citation?

Not trivially, unfortunately - I didn't save the information at the time and don't seem to be able to find details because it's buried under articles about Google's newer changes to increase the number of ads and the (equally ad-heavy) redirection page for URL typos they were paying OEMs to bundle at one point.[1] Basically, there's too much discussion of other bad practices for me to Bing or Google this one. Sorry.

[1] See http://blog.opendns.com/2007/05/22/google-turns-the-page/

Interesting. Do you have any more information about that scheme?

I had to install the DirectX user runtime recently and was pretty shocked to see Microsoft has loaded it up with lots of crapware. First when you click download from its page at http://www.microsoft.com/en-us/download/details.aspx?id=35 you're prompted to set MSN as your homepage, download the malicious software removal tool, and download IE11 (if you're on Windows). Then after you skip that you get the download and when you run it it will try to get you to install the Bing bar in the installer. Overall just a really shady and crap experience, especially coming from Microsoft.

Also agreeing to set MSN as your homepage with the install bloats the download size from a svelte 286kb for the DX web installer to 2.4mb (just to set a homepage!?). Way to completely defeat the purpose of providing a small installer by bundling in crap.

> and download IE11 (if you're on Windows)

This has my support :)

Yeah, I'll allow that one to be honest. Also, the Malicious Software Removal tool is probably a good thing too, as it's real and from Microsoft, and will definitely help some non-technical users.

Although a better way to deal with this perhaps is for the "Your download is complete, thanks etc" page you see after clicking download to include recommendations from MS with their seal of approval. I would consider that a welcome gesture from MS, bundle-ware not so much.

The reason why you bundle installers like this is to catch the 'press yes to everything' group of users. In this case it's done for the greater good (mostly), most users don't care about security updates or upgrading outdated software - a bit like hiding medicine in your food, they won't eat it if they know it's there.

If you had it at the end you'll get very low participation rates. If you're installing DirectX it's because you are trying to play a game, so an additional screen to the effect of 'would you like to play your game now or in 5 minutes' will result in everyone picking the 'play game now' option and nothing being installed.

I still think it's bad. In the way that it teaches people that bundling software in installers is something legitimate companies do and therefore makes the general public less skeptical about stuff like this.

Well to be fair, the difference is subtle and depends where you put the emphasis.

From Microsoft it is a malicious software removal tool.

From just about anyone else it is a malicious software removal tool.

I stopped trusting Microsoft installers when Windows Update listed the Bing Desktop as a Critical Update.

The accusation has been around for a while and is not true.[1] Amazing how the story has morphed from "Optional Update" to "Critical" in 1 year's time. And it just sounds untrue. Why would you believe that?

[1] http://www.dasmirnov.net/blog/bing-desktop-won-t-be

On the off chance you ever come back to read this, this is my bad.

I never saw any articles about it at the time. I just remember it always being in my Windows Update list and I was sick of it. Windows Update in my mind should generally be for OS and software updates, and not for software that Microsoft is looking to push.

Which is funny, because I'm a Windows guy who works in the Microsoft stack.

I really would like to know when that happened.

It never did. It's always been an optional update.

The homepage change is a pretty low move, but the other items make sense. DirectX is most likely used by gamers, who are often fairly young, have risky internet habits, and are not very security conscious. Using an old version of IE isn't good from a security pov and the malicious software remover tool is a great way to lower the number of botnet hosts.

I really wish MS would give up on pushing MSN and Bing. They're just terrible products. Shame their good products get mixed in with them.

Mobile computer tech, here. War story follows.

I handle high single-figures of these adware and/or potentially unwanted programs (PUPs) infestations every week.

Mostly it's Windows 7 and 90% adware/PUPs-centric, occasionally ransomware. In the huge majority of cases, the following will get a computer back up and sorted in a sensible amount of (billable) time:

First, bring known-good copies of AdwCleaner, Junkware Removal Tool, RKill and ComboFix on a thumb drive. Same-day downloads are preferred as some detect out-of-date versions and don't play nice. Shut down computer. Restart in safe mode with command prompt. Run explorer.exe from command prompt. USB typically works as usual, even in safe mode. Run each of the applications above as administrator in the order they are listed. Some will require a reboot to complete their work. The reboot should be in normal mode, subsequent restart(s) to run other cleaner(s) should be in safe mode with command prompt. Diminishing returns will take place after the third or fourth cleaner, and allow 15 minutes for a typical infection.

The longest it's taken me to completely clean a computer was 7 hours, comprising around 18GB of tat. If it's a severe infection, I will recommend a rebuild from known-good factory media after a Windows Easy Transfer export, assuming there's not too much in the way of user content.

As an up-sell, I also offer a better-than-factory reset where there's a clean Windows 7 installed and no vendor-specific junk on there. Computer vendors aren't as bad as free-to-use software vendors, but there's a reason why an adequate Lenovo laptop can be bought in the UK for 230GBP (including sales tax at 20%). Install, updates, and Windows Easy Transfer will typically be around 2 to 3 hours. It's a hard sell with a cheap laptop, especially since some clients are already preparing to buy a new laptop rather than fix the old one.

The problem with using cleaning tools like the ones you mention is that I'm always left wondering, "What did I miss?" when they've finished. Since it's a long process that's always potentially incomplete, I abandoned that approach years ago. The first thing I ask a client is "What data do you want to keep?" Then I scan the drive offline (mostly for my own curiosity, but also to get an idea of what I'm dealing with), save the data, reinstall the OS from scratch, then restore the data (sometimes with additional scans). This is the only way I feel comfortable handing the computer back to the client.

I agree there's an element of wondering with the tools. Part of the reason I use a bunch is to remove as much as possible. Even on the fifth scan, there are still things found. That's the cutoff where, in my experience, subsequent scans by other tools just don't find things.

I second the `what do you want to keep` sentiment, too. The downside to this is having them effectively sign off on what they want, and then they forget something until 6 months down the line. I have provision for keeping a drive image of their drives for 28 days, with prior permission, and I check in with them after 7, 14 and 21 days to make sure all is well. The comfort of a familiar desktop is a powerful thing, and the Windows Easy Transfer process makes it easy and straightforward.

Agree. The moment you're infected - you never know which closet the garbage hides the copy of itself in.

Burn everything and build afresh.

Hopefully lesson learned.

I would, and do, take the further step and repartition & reformat in DOS to eliminate rootkits. Have seen them carry over through new installs before, even after reformatting; TDSS I believe it was, but not 100%.

Addendum: I save a ninite.com installer to their desktops, renaming it to `Run this every Wednesday`. If they see any `You need to update Flash Player` dialogues, I advise them to close them and only run the desktop icon - this in and of itself saves most people from reinfection.

Edit: typo and formatting.

I cannot say enough about ninite. They are brilliant. I moved to the Mac a year ago, and I miss it dearly. I wish they had a Mac version. It's so convenient. And safe. And easy. I paid them for something just because I wanted them to be successful. Single best product I used on Windows!

That's so nice to hear. Thank you!

I'd love to make a Mac version someday, but the problems are so much worse on Windows so we're focusing there.

Wow, the co-founder of ninite :D

I can't thank you enough! That program is _always_ the absolute first I download on every Windows machine, period.

I think I've told all my friends about ninite by now, and everyone is super impressed.

Would you care to elaborate on how it works? Do you download from each software homepage, or do you constantly have to download the latest versions and then serve from your own server?

Any way you could make a free or cheap one-time pay, for a version that can use a private server to host, and then deliver programs to it this way?

Wouldn't homebrew-cask be helpful with this? It's basically homebrew for apps. Haven't tried it yet, but I always wanted to start using it with my next clean install/mac purchase.


Hmm, interesting. I'll check it out, thanks.

Have you tried GetMacApps? http://www.getmacapps.com/ I have a coworker who uses it, and it seems to be exactly like a Ninite for Mac.

I hadn't seen that. Thanks. What I was talking about above is the updater, which doesn't have an analog, AFAIK.

Adobe forced ninite to remove the Flash installer, so that won't help. You can set Flash to auto-update in Control Panel > Flash Player > Advanced > Automatic Updates. (I've heard it's more complex in Win8 though.)

Late edit: The only place you can reliably get unbundled Flash installers (without the toolbar crap) is here: https://www.adobe.com/products/flashplayer/distribution3.htm...

This is a brilliant idea.

You have the worst job on the planet. Thanks for doing it.

Is there any particular reason you don't just backup all of the user's personal files/configurations, note what programs they have installed and then reformat/reinstall?

Doing this you would be 100% adware free and the client might even notice/appreciate the speed boost of a fresh install.

> Is there any particular reason you don't just backup all of the user's personal files/configurations, note what programs they have installed and then reformat/reinstall?

Mostly down to client feedback. Personally, I'd much prefer to have the nuke and rebuild approach. I offer this as a preference (safer, faster, etc), but the familiarity of these pokey vendor-supplied apps for photos and the like is a very strong draw for folks.

The burden of technical knowledge doesn't run deep. They want a low-price laptop, and all their stuff safe and sound. The value they place in their data is, in my experience/anecdotally, proportional to their purchasing habits.

Most don't have hard drive backups, despite my continued insistence. Years of photos just get stockpiled without any recourse to a backup. There's some interesting psychology at stake, too; knowing that photos are there and actually referring to them are two entirely different things.

I disagree with this procedure.

1) Rebooting the computer can spread the infection. You should try to clean it with 0 reboots. Ignore safemode. Kill adwcleaner with taskmanager.

2) ComboFix is unnecessary. Malwarebytes/ESET work most of the time, and if not there are about 3 other scans to use.

Anyone who wants to buy a new laptop for speed purposes should be talked into trying an SSD first. A cheap laptop comes with a mechanical hard drive and doesn't alleviate disk io bottlenecks.

>Kill adwcleaner with taskmanager.

AdwCleaner requires a restart to finish up, as I understand it. If you know differently, I'm genuinely interested.

>ComboFix is unnecessary.

Respectfully, I disagree. It's caught things that the others have missed. Anecdotal evidence, sure, but in my experience it's proven useful.

Most of the time new laptops are not for speed purposes - there is a misconception that a new laptop is a fresh start, not necessarily a much faster computer.

The thought process invariably is: this laptop is slow and full of ads, I need a new laptop to start over without the ads and _new is best_. My clients are mostly non-technical, that's why they call me; technical clients (say, 1 in 10) are more willing to explore SSD and appropriate RAM.

TV-advertised laptops for 200-250GBP are very appealing for my client demographic. It irks me, sure, but then sometimes people have to learn by doing. The tide is very slowly turning.

> It's caught things that the others have missed.

What other things? Did you run FSecure, Panda, ESET, Emsisoft, Avira, Avast, Herdprotect? It might be useful, but it is dangerous. It should be an absolute last ditch effort, not standard procedure.

>AdwCleaner requires a restart to finish up, as I understand it.

Try running it twice in a row without a restart. Try running it before and after a malwarebytes scan, without a restart. Does it find things?

>technical clients (say, 1 in 10) are more willing to explore SSD and appropriate RAM.

That's why you word it "would you like me to make your computer much faster for $100 dollars. I can replace the moving parts with electrical ones."

> What other things? Did you run FSecure, Panda, ESET, Emsisoft, Avira, Avast, Herdprotect? It might be useful, but it is dangerous. It should be an absolute last ditch effort, not standard procedure.

I should clarify. I am predominantly dealing with annoyances, adware and unwanted applications – not viruses or malware, in the main. It's junk, not malicious or infecting - at least in the vast majority of cases.

Removing the non-viral noise makes the process of cleaning up anything else far easier. Number of rootkits encountered in 3+ years of domestic and small business technical support: zero. Number of file infecting viruses encountered in the same period: 2. Number of ransomware (Trojan horse, worm at a push) infestations: dozens. Number of adware and miscellaneous browser infestations dealt with: hundreds.

>Try running it twice in a row without a restart. Try running it before and after a malwarebytes scan, without a restart. Does it find things?

That's a really interesting question, and not one I can answer right now. I do intend to try this in a VM a la the OP link. I will endeavour to find out and report back.

Don't forget TDSSKiller and Norton Power Eraser. Super useful tools for checking MBRs.

I've found Malwarebytes rootkit detection to be roughly as effective as TDSSKiller. It's not enabled by default, or you can download it as a separate product. McAfee has one too. Rootkit Buster has never detected a thing in my experience. I still run it first just to see if it ever will.


I'm not familiar with Malwarebytes Antirootkit, but TDSSKiller from Kaspersky searches for 1 single rootkit, TDSS, and performs a removal. I haven't done this type of work in a while but 3-4 years ago it was the de facto tool of choice for dealing with MBR infections.

TDSSKiller removes the following.

List of malicious programs: Rootkit.Win32.TDSS, Rootkit.Win32.Stoned.d, Rootkit.Boot.Cidox.a, Rootkit.Boot.SST.a, Rootkit.Boot.Pihar.a,b,c, Rootkit.Boot.CPD.a, Rootkit.Boot.Bootkor.a, Rootkit.Boot.MyBios.b, Rootkit.Win32.TDSS.mbr, Rootkit.Boot.Wistler.a, Rootkit.Win32.ZAccess.aml,c,e,f,g,h,i,j,k, Rootkit.Boot.SST.b, Rootkit.Boot.Fisp.a, Rootkit.Boot.Nimnul.a, Rootkit.Boot.Batan.a, Rootkit.Boot.Lapka.a, Rootkit.Boot.Goodkit.a, Rootkit.Boot.Clones.a, Rootkit.Boot.Xpaj.a, Rootkit.Boot.Yurn.a, Rootkit.Boot.Prothean.a, Rootkit.Boot.Plite.a, Rootkit.Boot.Geth.a, Rootkit.Boot.CPD.b, Backdoor.Win32.Trup.a,b, Backdoor.Win32.Sinowal.knf,kmy, Backdoor.Win32.Phanta.a,b, Virus.Win32.TDSS.a,b,c,d,e, Virus.Win32.Rloader.a, Virus.Win32.Cmoser.a, Virus.Win32.Zhaba.a,b,c, Trojan-Clicker.Win32.Wistler.a,b,c, Trojan-Dropper.Boot.Niwa.a, Trojan-Ransom.Boot.Mbro.d, e, Trojan-Ransom.Boot.Siob.a, Trojan-Ransom.Boot.Mbro.f.

I would assume it has grown in the last few years, I also would wager a guess that most of these are related/derivatives of each other.

I was under the impression it sort of grew into a multipurpose rootkit tool

"TV-advertised laptops for 200-250GBP are very appealing for my client demographic. It irks me, sure, but then sometimes people have to learn by doing. The tide is very slowly turning."

At least 'formerly-known-as netbooks' aren't selling for twice that, anymore. Although, they are still excruciatingly painful to work on if you're used to anything faster...like an x86 Celeron.

In 2012, YC invested in a company InstallMonetizer[0] which, from my understanding, helps align software products with bundling other installers for additional revenue.

[0] http://www.crunchbase.com/organization/installmonetizer

That's by far the worst company they ever invested in.

See here for PG's take on this:


Which basically boiled down to him trying to argue that people must want malware because they clicked through a deviously worded dialog box.

From building spam filters to funding a spam company. Building things people want? Ha!

I guess it's worth noting other YC partners in that thread also defending malware, for example Garry Tan: https://news.ycombinator.com/item?id=5093746

It seems like the culture of spam and malware is deeply embedded in YC these days.

It's just disrupting something or other.

I dunno, there's a few contenders. Scribd was pretty bad. RapGenius was pretty bad in terms of the people.

Edit: Oh, and Quora, even if that wasn't much more than YC lending its name.

Impossible to have so many investments and not have a few bad apples. Still surprised PG did not distance himself further from installmonetizer, otoh props for standing by his investment and doing damage control for them at the expense of the YC cachet.

PG defended scribd (much as InstallMonetizer), including automated scribd links on HN, even as it was hijacking people's content and widely loathed.

And Airbnb was spamming Craigslist posters (https://growthhackers.com/companies/airbnb/ - but of course selling cereals is the anecdote preferred by storytellers), and I have freelancer friends who got totally screwed by YC companies ("We can't pay for your work right now but we'll hire you and give you tons of equity right after demo day!" ... only to never respond to their emails ever again. Yes, the few of my friends to whom this happened could have been less naive, but still shitty).

The vast majority (but not all) of startups do dubious things. That's to be expected in an environment that glorifies "breaking things" and worrying later if what they're doing is legal or not. Being YC affiliated does not change that in the slightest bit.

What was wrong with RapGenius? I actually like them. Simple idea executed well. I still use Genius regularly.

People disliked them because the founders acted like obnoxious fratbros, but the specific claims of wrongdoing were over blackhat SEO ( https://news.ycombinator.com/item?id=6956658 ) which ended up getting them penalised by Google.

The other commenter covered the blackhat SEO / Google smackdown. As far as the people:


There's a wide variety of these "Pay-Per-Install" (PPI) type services, all of which profit by installing some form of malware on your machine. Sketchier services pay more, but also install stealthily rather than asking. Any kind is a pretty disturbing way to profit from your users. They're the kind of things you see script kiddies deploy to a small botnet. Not something you expect from a legitimate company.

> Because when the product is free the real product is YOU.

I disagree with this conclusion. Also, I have a related issue with some of the opinions I hear e.g. on HN that confuse me.

Many a person says in defense of ads - "but surely authors have to support themselves, otherwise there'd be no site/software", "TANSTAAFL", etc. But this seems to me to be in disagreement with observable reality.

What I see is a strong and direct correlation between amount of ads and crappiness/dishonesty. For websites, it is usually "the more ads there are, the more likely content is wrong/crap/nonexisting and the author is there to take your money". For applications, similarly - more ads means crappier downloads, and - if it's the author's site that's full of banners - the program is most likely shit.

What I observe is that there are two reliable types of sources/downloads: 1) linked on author's site, free and free of ads - they signal that the author actually cares about the content they're providing (see "the toilet-paper companies"[0]) and 2) linked on author's site, that ask you to pay up front - here it signals that the author is honest.

So do the authors really have to "support themselves"? Or is it that the honest ones either do it for free (because they care, and they get money needed to support it elsewhere) or sell in clear terms? And the ad-dependent money makers have no business being on the Internet in the first place?

That's why I also feel no guilt for browsing with AdBlock on - neither the ads nor the ad-serving pages are a good deal for anyone in any way.

As for the Downloads.com, CNET, et al. - I hope that the introduction of Windows Store/package manager will shut them down for good. They're evil, they deserve to be down.

[0] - https://news.ycombinator.com/item?id=8319102

I've always considered the assertion that quality content is only created if there is financial reward to be a flagrant lie.

Expectations of ads fully supporting websites are relatively new even to the world wide web, let alone the internet. 10 years ago, you might at best hope that your ads would offset a bit of the website's hosting costs.

The really good content is put up by people who are in it because they care about the content, not the money. The same is true of software.

My experience is that if you are offering quality, you either give it away for free, or insist on up front payment.

Pay by ad, pay by data and in app purchase are all business models of people who want money and don't care about the content, but know their product isn't good enough to sell.

There is certainly a lot of great content created by people doing it for the love, but love only gets a person so far. To do real in-depth reporting takes quite a bit of time, way more than anyone but the independently wealthy have at their disposal unless they are working (and being paid) as professional reporters.

Consider the work on the Snowden files. Snowden handed his huge collection to professional reporters, who then spent weeks and months carefully reading it, confirming what they could independently, working with experts to understand what was most important, working with lawyers to understand what they could and not publish, and finally, writing and editing the articles.

Or consider investigative journalism pieces like the work that revealed the problems at the U.S. Veteran's Administration, or the Washington Post's series on civil asset forfeiture:


The Post and other news operations need to make money somehow, so that their reporters can afford to spend the time to keep doing this work. So far, ads are the only revenue source that seems reliable, although a lot of news ops are experimenting with online subscriptions as well.

Ok, but on the other hand consider the remaining 95% of content created by news sites, which is lies, clickbait, and total & utter crap. I very much appreciate investigative journalism for both the entertainment value and the function it provides to society - but that's a very, very small part of what gets published in papers, and the rest of what gets to the front pages of news sites is what makes them an example, not an exception, of my rule.

I applaud the work of professional journalists who care about stories they do and providing value to the public. So I want to support them, but not the other 95% published under the same banner. Because seriously, I get much better value from HN and Reddit comments, which not surprisingly, are both free and written by people who care.

I think there are probably far more people who will create crap content for financial reward than there are people who will create quality content for donations.

and in that case the higher the barriers that are placed between them and the user, the better. vive le ad blockers.

> That's why I also feel no guilt for browsing with AdBlock on

I understand the reasoning, but you seem to be taking it to a logical extreme. There are some reputable and useful sites that use ad income, I don't routinely use AdBlock or similar for that reason. If a site annoys me with its ads it gets DNS blacklisted (pointed towards my "you don't want to go there" page via local DNS config).

> neither the ads nor the ad-serving pages are a good deal for anyone in any way.

Hence the DNS blacklist, though this isn't overly helpful (mainly because new sites spring up constantly) and not useful to non-techies (most people don't run a local DNS cache that they can drop a new block into with a simple script call).

I am considering a browser extension that takes it from this point of view rather than the AdBlock point of view though, i.e. "I don't want to go to such sites" rather than "I'll go to such sites, but they aren't serving me ads and other crap". One of the many personal projects that will probably never see the light of day because I'm too busy with other things... (so if someone else wants to copy the idea, go ahead and I'll be an alpha/beta tester!). Something that either intercepts page transitions and warns "you've previously marked this site as having irritating pop-ups, are you sure you want to proceed?" and/or scans pages for links and visually marks those pointing towards marked domains. The next step would then be some sort of distributed store for collating what people mark so it can warn about sites I've not previously visited, though of course if such a thing became popular enough to be useful there would be the constant game of trying to stop people abusing this to block competitors' sites or de-list their own.

> As for the Downloads.com, CNET, et al. ... they deserve to be down.

I can't say I disagree there!
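The link-marking idea from the comment above, sketched as an added example (not code from the thread or from any existing extension). The marked domains, reasons and sample links are constructed, and all function names are hypothetical; the point it shows is matching on whole DNS labels of the parsed hostname, so look-alike names and marked names buried elsewhere in a URL are not flagged.

```javascript
// Added example. Domains, reasons and links are constructed sample data;
// all function names are hypothetical.
const MARKED = new Map([
  ["popups.example", "irritating pop-ups"],
  ["downloads.example", "bundled installers"],
]);

const SAMPLE_LINKS = [
  "https://cdn.popups.example/banner.js",      // subdomain of a marked domain
  "HTTPS://Downloads.Example./get?id=1",       // case and trailing dot vary
  "/local/article",                            // relative, stays on the base site
  "https://notpopups.example/",                // shares a suffix, different domain
  "https://popups.example.other.test/",        // marked name used as a prefix
  "https://popups.example@safe.example/",      // marked name in the userinfo part
  "https://safe.example/?next=popups.example", // marked name in the query only
  "mailto:someone@popups.example",             // not a page navigation
  "http://[broken",                            // does not parse
];

// Lowercase and drop a single trailing dot so "Example.COM." equals "example.com".
function normaliseHost(host) {
  return host.toLowerCase().replace(/\.$/, "");
}

// Return the marked domain covering `host`, or null. Comparison is done on
// whole labels (host itself, then each parent domain), never on substrings.
function findMarkedDomain(host, marked) {
  const labels = normaliseHost(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (marked.has(candidate)) return candidate;
  }
  return null;
}

// Classify one href as it appears in a page located at `baseUrl`.
function checkLink(href, baseUrl, marked) {
  let url;
  try {
    url = new URL(href, baseUrl); // resolves relative links, splits off userinfo
  } catch (err) {
    return { href, verdict: "unparseable", domain: null, reason: null };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { href, verdict: "ignored", domain: null, reason: null };
  }
  const domain = findMarkedDomain(url.hostname, marked);
  if (domain === null) {
    return { href, verdict: "clean", domain: null, reason: null };
  }
  return { href, verdict: "marked", domain, reason: marked.get(domain) };
}

// Return only the links that point at marked domains. In a browser the hrefs
// would come from document.querySelectorAll("a[href]"); here they are a list.
function scanLinks(hrefs, baseUrl, marked) {
  return hrefs
    .map((href) => checkLink(href, baseUrl, marked))
    .filter((result) => result.verdict === "marked");
}

// Text for the interstitial or tooltip shown next to a marked link.
function warningFor(result) {
  return `You've previously marked ${result.domain} as having ` +
         `${result.reason}, are you sure you want to proceed?`;
}

for (const hit of scanLinks(SAMPLE_LINKS, "https://news.example/story", MARKED)) {
  console.log(hit.href, "->", warningFor(hit));
}
```
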

> There are some reputable and useful sites that use ad income, I don't routinely use AdBlock or similar for that reason. If a site annoys me with its ads it gets DNS blacklisted (pointed towards my "you don't want to go there" page via local DNS config).

This is something that sometimes actually crosses my mind. I acknowledge the existence of good people who rely on ad income (assuming they get something from ad views; I pretty much don't click on ads at all) and I'm willing to modify my behaviour to accommodate them. I sometimes unblock pages when they ask nicely (e.g. episodecalendar asks you if you could unblock ads when you have a free account, and since I actually get a real value out of this site (having my favourite shows pop up in Google Calendar, so I don't need to manually track new episodes), it was only fair that I unblock them).

From the division of Interesting Ideas That I Have No Time To Make, here's mine: an ad-block that instead of blocking ads, replaces them with crowd-sourced images of your choice - like "best of DeviantArt", Banksy pictures, ads for effective charities, etc. It was inspired by this picture I found once: http://editorial.designtaxi.com/news-banksycoke2405/big.jpg.

There was once an AdBlock extension that replaced ads with lolcats instead of removing them. I think it was an April Fool thing, but the code is probably still out there to be used as a starting point.

Another good option for replacing the ads would be to put appeals in place, things like the recent push for funding for the ebola hit areas in Africa, the appeals that followed tsunamis, famines, and other natural/humanitarian disasters, and so on.

Thanks, I think I'll look for it after work.

Yes, that's also an excellent idea. The point is to allow people, per the quote I linked, to adapt the ad space to their own taste. Humanitarian appeals could be a good default. This could also solve the problem that some people complain about, that some pages have layouts built with ads in mind and become "uglier" when ads are blocked (not that I ever saw this actually happening).

I also run a local DNS blacklist that benefits everyone on my network, but I rarely update it since I started using the RequestPolicy Firefox extension. It supports the point of view of "Don't fetch resources from third party domains unless I need them." If a page is broken, I can temporarily or permanently add the missing resource for that domain or globally with a simple click. Denial by default is a much better strategy as it provides some real protection against serious threats like XSS, in addition to thwarting tracking and ads.

Quite often type 1 goes to ad-supported later

Instead of downloading from Sourceforge (loaded with ads and its own devious 'installer'), CNET, Download, etc, there are no-crapware alternatives that offer more management tools as well (remembering your list of apps across machines, automated updates, discoverability):

Ninite: nice, simple, installer: just select apps and let the installer do it all for you.

AllMyApps: all the apps, no crapware (at least for now).

chocolatey: a command-line package manager for Windows




Ninite is clean and great for managing deployment on multiple machines, although it offers a limited number of curated apps (but they tend to be very common).

AllMyApps has tons of apps and is the most user-friendly. I could give that to my mum. Only had some minor issues sometimes when it fails to recognise versions to update. It will even recognise and update apps that were not installed through its manager.

Chocolatey has lots of packages and you can create your setup to make it easy to deploy across machines. It's getting more secure and the authors are putting a review process in place to guarantee quality.

I've used all three and they all offer something useful. All allow you to manage your own deployment across machines.

We have much the same functionality at http://PortableApps.com/ You get an app store, an automatic app updater, an app manager, and hundreds of freeware and open source apps. All free of malware and bundleware.

As a bonus, all the apps run from a single directory each, making it easy as pie to uninstall and remove all the apps settings at the same time (as opposed to bits left behind in AppData, Local AppData, the Registry, your Profile directory, etc). And they're portable, so you can run them from a cloud drive (DropBox, Google Drive, etc) that's backed up and synced between machines or from a USB drive.

I love the functionality of portableapps.com! The web design does need some work though... :/

It's really way too visually cluttered. Somehow my brain has been trained to think "be careful" when I see clutter like this on a web page.

It's cluttered and dated, sadly. We have a new design about ready as part of our Drupal 8 upgrade but had some issues upgrading to it. I'll be making another attempt soon.

This is great, especially considering the main download for an app like FileZilla from Sourceforge contains extras in the installer.

Wow, what a great site. Thanks for this link!

PortableApps is great!

A nice list. How long have they all been around?

I still can't shake the feeling that it's only a matter of time before Moloch gets to them and they'll start serving crapware like any others. I'd love to be wrong on that.

Ninite Co-Founder here.

Our pro-version SAAS business model works great.

Plus we started Ninite because junkware enraged us so much. It's just punching down at non-technical users. I'd kill the company before doing that.

Anyway, we'll be around and junkware free until the world moves to platforms where everything's signed and sandboxed.

Thank you for your reply. I'll definitely check out your product then.

You do a great job, thanks.

Ninite is a really great tool. I've used it countless times while having a student job at our university's user support from 2010-2013.

I really hope their business model (selling an update tool to private users and a site-wide deploy tool to businesses) works out until there is a usable windows store / package manager around.

Each time I have to help someone setup a new windows laptop I get reminded why I'm using Linux as my main OS ;)

I know ninite has been around for at least a few years. I've used it and it was an excellent UX. One installer, go through the wizard, then sit and watch it install a dozen useful things for you without having to hunt down all their installers and carefully click through, unchecking, canceling, backing through, and skipping around the horrible installers most of them have.

Ninite is quite good; I've been using it for years. At one of my old jobs (a local PC repair shop), we were even in the process of switching our custom install script to a Ninite package.

Chocolatey used to mostly be OSS stuff, but it looks like they've expanded with some nerd-favorite proprietary stuff now too. The list is also moderated, so that's a good sign.

I can't speak for the other two, but I believe Chocolatey is being integrated (or vice versa) with OneGet, the built-in package manager for Windows 10.


Ninite is at least 4 years old if not older and it has always stayed the same AFAIK.

There's also MSYS2, we are on SourceForge, but we'll never bundle or allow bundling crapware with our installer (and we release .tar.xz files for people who don't like installers).


Add http://scoop.sh/ to that list.

As a scoop user it should be noted that scoop is much more oriented towards developers. Scoop runs in the PowerShell environment and tends to mostly offer POSIX tools or SDKs as available packages, although git repositories can be added to scoop to provide more packages (there aren't that many of these right now).

Scoop looks really awesome. Will definitely keep an eye on it.

I'll add filehippo.com to that list.

I regularly get called by people complaining that their computer no longer works. Pretty much every time it turns out that their machine is loaded with crapware. It amazes me how people just put up with random browser windows popping up and having to search via some random search engine that has been imposed on them.

At the minute I just have to put up with spending a few hours removing the worst offenders and then running several different adware removers. It generally keeps them running well for a few months.

I would love to set up a VM so whenever things start going wrong they could just delete the VM and start fresh. Currently VMs are a bit too heavyweight; a lot of people struggle with the concept of working in multiple windows, let alone knowing which machine they are actually working in. I am looking forward to Microsoft implementing containers à la Docker. It will be interesting to see what possibilities will be available for making it seamless and quick enough for a computerphobe to browse within a container.

I feel your pain. Whenever family ask me to look at their computer I spend an hour deleting spyware and such. The worst bit is they do have antivirus and Windows Defender, but they do nothing to stop it :/

The common advice to stop it before was "don't use IE". Everyone uses Chrome now, and so that's now where everything installs itself (check the extensions and there is usually something dubious). Google even have a tool to remove this stuff: https://www.google.co.uk/chrome/srt/

I had to disinfect an adware-infested computer of a colleague recently. In my opinion, most adware is very eager to include some proper way of uninstalling, just to not be classified as a trojan/virus/... Even if this is completely leaning to persuade the customer NOT TO INSTALL it:

"You will lose precious functionality, your computer will get slower, the locusts will invade your country: Are you SURE to deinstall CrapToolbarAdMakeComputerFaster2000? [NO!] [NOT AT ALL!] (yes) [CONTINUE USING ADWARE]"

I guess it's done that way so that Microsoft would look like it was impairing an earnest software business's operation, should they choose to include it in their "evil monopolistic" antivirus software.

It is that 5% that refuse to go away and then reinstall themselves when you finally work out how to get rid of them that takes up 95% of the time.

> I feel your pain. Whenever family ask me to look at their computer I spend an hour deleting spyware and such. The worst bit is they do have antivirus and Windows Defender, but they do nothing to stop it :/

Once I installed Linux for my folks, all these problems magically disappeared.

I can't find my InDesign icon... where have you put it?

InDesign is the industry standard.

There may be loads of OS alternatives, but unfortunately for people who can only just use a mouse and have invested years into learning that one package they just aren't going to be willing to invest a lot of time into exploring the alternatives.

I think the point was, most people like the OP's parents just use their computers for web browsing. And all of today's best web browsers run on Linux.

I helped my parents switch to Linux Mint, and it's been fairly successful.


"if you aren't using your computer for work"

Even that's not much of a challenge. Many years ago when my wife started working at home on her Mac (1st gen Mac mini so this must be about a decade ago?) corporate IT had a few puzzles to solve, but even a decade ago everything was moving to either web or rdesktop or vnc. If you can get the corporate Windows guys to implement a workaround or whatever to allow Macs to be used, then it's usually a very small jump indeed to Linux or FreeBSD or whatever.

I'm struggling to think of a stereotypical desk job that can't be done with a browser and perhaps rdesktop on the side. The exceptions I can think of like 3-D cad would be a problem, but that's not stereotypical desk job work.

Also in my experience, school kids, volunteer workers, and grandma are google docs users not office 2010 users. Google is taking over that space quite effectively. The school system has a contract with google such that if you want to edit your essay in office on your computer at home, well, fine, but you'll be exporting into google drive to actually submit the homework, so save yourself some time and annoyance and do the whole thing online.

> I'm struggling to think of a stereotypical desk job that can't be done with a browser and perhaps rdesktop on the side. The exceptions I can think of like 3-D cad would be a problem, but that's not stereotypical desk job work.

Totally agree. The situation has improved so much in that regard - even if you don't have native apps for your platform, there is a good chance there's a bunch of online services that can help you do the very same thing.

So your parents use InDesign, which needs hours of training, and they can't avoid installing crapware? Yeah, sure.

Domain-specific knowledge. My co-worker designs complex machinery in SolidWorks like the best of us, but he keeps capslock on and navigates to google.com before doing a search. There are many people like him, who learn the things they need to learn and don't make any headway on the rest.

My wife.. she despises computers and only learns stuff that she absolutely has to, even then it is very reluctantly and is intensely stressful for everyone in her vicinity.

> It amazes me how people just put up with random browser windows popping up and having to search via some random search engine that has been imposed on them.

I believe they just feel helpless, they don't know what to do - but they are annoyed, because from my experience they'll ask the first computer-savvy person they see for help, even if they don't know them well.

Funnily, this situation is actually a perfect dating opportunity for introvert geeks like me. I get a ton of requests for help from pretty much every student of a non-CS field I talk to for longer than 5 minutes. Removing their crapware can be a good start of a closer relationship ;).

It's always wise to begin all relationships with an open and honest conversation about any viruses each person may have.

For some getting to the point of actual conversation might be a difficult thing; fixing someone's computer serves as a good social object.

Non-technological people are very bad at distinguishing bad sources from legitimate ones. I see it all the time - "well, the address bar said freemp3converter.com - it looked legit to me..."

Now imagine a site or software that tries to look just remotely serious. Normal people often just don't see the difference. Plus, it's pretty normal in Windows world to have all kinds of crap installed - Dell, nVidia & Co. install and autostart their little, unnecessary helpers left and right. I think for many people it's hard to tell if that checkbox from the XYZ App is worse than Dell's.

It's true, but how can you blame them? Even "reputable" sources like the official Java updater and many others attempt to install crapware.

I consider myself reasonably savvy and even I get tricked into installing crap on Windows if I'm not 100% attentive when installing software.

The other day I was setting up a brand new Windows machine. I wanted to download Chrome so I boot up Internet Explorer, end up at the Bing home page and search for "chrome".

I've just tried again just now, here's what I end up with: https://i.imgur.com/1fTyQXI.png

You'll notice the first ad has a green URL pointing to google.com, seems legit enough right? Wrong, if you click it you end up on some other URL.

I didn't pay attention to that and actually ended up downloading the installer on that webpage, thankfully I realized something was wrong when the actual setup wizard looked weird. I still ran it though, and with administrator privileges, so I'm basically already dead.

This is me, all tech savvy and yet I fucked up with the first thing I attempted to install on a fresh Windows.

After that I wanted a PDF reader. Adobe being completely crap I googled for alternatives and found many recommendations for "foxit". I download and install it: it tries to install a bunch of third party "cloud" services and prompts you to subscribe to third party services basically everywhere on the UI. I just wanted a bloody PDF reader... That's the state of "free" software on Windows in 2015.

At that point you just can't blame the user, Microsoft should have done something about that issue at least a decade ago.

> I googled for alternatives and found many recommendations for "foxit"

Unless you have some specific need then the only good alternatives are Chrome and Firefox. They both can open PDFs without any extensions and after you tell Windows to always open PDF files with one of them you basically get the same experience minus adware and shoddy coding.

> You'll notice the first ad has a green URL pointing to google.com, seems legit enough right?

Is Microsoft really as stupid as to put some other domain/url than the one advertised inside href of that link or am I missing something?

SumatraPDF is an open-source, minimal PDF and epub reader.

And yet, when they introduce a sandboxed store like Apple does, people throw a pitch fit :P (at least from what I remember, so pardon me if my memory is a bit fuzzy)

Firefox has a very useful setting to block installation of add-ons, which I've taken to setting after installing some of the fundamental, safe add-ons.

In about:config, create a boolean value xpinstall.enabled and set false.

This does protect against those browser toolbars that people somehow manage to install.

However there is apparently a UI feature that prompts to re-enable installation (though I've never seen this):



That is REALLY useful, thank you!

Back in the day I was an intern at an elementary school, and the computers there had a piece of software installed that basically disallowed any change (unless entering a password by an administrator like myself), and if a change did happen it was undone at a reboot. I'm not sure how it worked or even what it's called, but that's another option. I'm sure it didn't keep browser history either though, although I'm sure there are workarounds for that too.

Just don't give people administrator accounts in Windows, that way they can't / shouldn't be able to install anything, and definitely not something that can permanently change stuff in a computer.

Are you possibly talking about DeepFreeze[1]? My school had it too, IIRC.

[1]: http://www.faronics.com/en-uk/products/deep-freeze/enterpris...

Deep Freeze was a huge help at my school as well.

The problem is that is an all or nothing solution. Sometimes they legitimately need to install something.

> It amazes me how people just put up with [...] having to search via some random search engine that has been imposed on them

Yes, exactly. It's as though your yellow pages phone book had its pages replaced with green paper, the entries were all written in comic sans and all of the entries just gave the same phone number for Dominos Pizza. And yet, you continue to use it to try and look things up, stopping occasionally to phone a friend of yours who works in the dictionary industry to complain, and he tells you to sell your house and move to a different street, so that you will get a new copy of the yellow pages delivered.

Of course that would never happen, so why do we put up with it here?

I expect it's down to a 'computers do inexplicable things all the time that I will never understand, so I better just put up with it or something worse might happen' mentality, which we (as IT professionals) can do something about. Computers should be as obvious, understandable and predictable as physical objects.

Can't you do something similar with Windows Restore points?

I seem to recall getting burnt by them a long time ago, so I've never trusted them. Are they stable now?

They're only useful for simple problems – e.g. a user-level compromise or an innocent mistake by non-malware. If anything malicious ever gets admin privileges, you still need to reinstall from scratch.

Since you need a real backup solution either way I've always disabled restore points since they're at best redundant.

They seem to be. I successfully used them a few times to get rid of that annoying kind of malware that tries very hard to not let you uninstall it (including even automatically killing any open cmd.exe and regedit.exe window).

What I find bizarre is how people put up with multiple useless browser toolbars that sometimes take up so much space that you can hardly even see the browser content area.

I find Conduit on so many computers I get called to touch.. and the person can't even recall their actions to how such things got there.

You can install Windows to a partition inside a VHD file without using virtualization.

You can use the "Refresh your PC" option in Windows 8+.
