Hacker News new | past | comments | ask | show | jobs | submit login
Java Runtime updater now installs ask.com toolbar on Macs (jamfsoftware.com)
330 points by pje on Mar 9, 2015 | hide | past | web | favorite | 173 comments

You aren't Oracle's customer. The Fortune 1000 are their customers. Oracle doesn't care about nerd outrage, the developer community, or end users.

Former Oracle employee, via acquisition. Horrible place to work.

This post is my own opinion and does not relflect insider or confidential information from Oracle.

I can't imagine that the Java installer asking to install the Ask.com toolbar on a Fortune 1000 CEO's home computer is terribly good marketing, though.

Those guys don't touch their machines or ever install anything. IT pushes out Java from an extracted MSI (yes oracle wont even publish the MSI, you need to rip it out of the exe). Its small company and home users who deal with this crap. No one cares about them, thus toolbars and crapware.

Actually, you don't even need the msi, unless that is the only mode you have for installation. Can use the java package with a /s switch and then use the deployment.properties file with custom configs in the link below to disable many features for java.


Visit /r/sysadmin and ask how well that works. Oracle makes undocumented changes and breaks things all the time. So you can have the proper settings to ignore toolbars, but randomly they'll install. Whoops. Who at Oracle do you complain to?

MSI's are just safer/simpler/easier to test/easier to deploy. The fact that they hide it is pretty unforgivable.

If they are installing, you are using the wrong installer. The one from the developers section on oracle's website does not include these toolbar's. Yes, msi's are easier to work with and many companies do not provide them, not just Oracle, but when you are given lemon's you make lemonade. Especially since complaining to oracle will get you no where.

They've been doing it on Windows and Linux for quite a while.

not when you do `tar xvzf jdk.tar.gz` which most enterpirse worlds will do as they manage their own estates.

CEO's computers are usually looked after by someone from an IT department. I doubt that most of them know or care. Even on the home computer, they just pay some good local tech to keep it running smoothly if they can't figure a way to have an employee do it.

Most Fortune 1000 companies don't allow their end users to install anything so this just causes the IT guy the amount of time it takes to have the config file set to "don't do that", heck they probably only have to do it once, or the version they use may not include the toolbar.

And most IT Admins know that the best place to get the installer isn't from Java.com that has crapware built into the installer but from the link below which doesn't have crapware built in.


I think it's not that nerd outrage isn't a force for change, it's that nerds just find a workaround like this link, and then move on with their life. The rest of people get stuck w/ toolbars, supercookies, etc.

You can also use Ninite, which solves this kind of problem for quite a few popular software packages without having to remember specific workarounds for every one.

That's why he added the 'home computer' bit.

Most Fortune 1000 company's managers also hate Java/Oracle, but it was the safe choice at some point (where the alternative was probably SAP), and now they're locked in.

No Fortune 1000 CEO uses a Mac, so that's not an issue.

Why would you say that? Just as probably >80% of them have iPhones, I suspect a fair number of them have Macs

Humor. Which nobody seems to have on HN.

I think Tim Cook might.

He knows already.

Apple has stopped including Java in OS X and banned Java in the AppStore.

Oh, how the mighty have fallen. This is what developer.apple.com/java read back in 2009 [0]:

Mac OS X is the only major consumer operating system that comes complete with a fully configured and ready-to-use Java runtime and development environment. Professional Java developers are increasingly turning to the feature-rich Mac OS X as the operating system of choice for both Mac-based and cross-platform Java development projects. Mac OS X includes the full version of J2SE 1.5, pre-installed with the Java Development Kit (JDK) and the HotSpot virtual machine (VM), so you don't have to download, install, or configure anything.

Deploying Java applications on Mac OS X takes advantage of many built-in features, including 64-bit support, resolution independence, automatic support of multiprocessor hardware, native support for the Java Accessibility API, and the native Aqua look and feel. As a result, Java applications on Mac OS X look and perform like native applications on Mac OS X.

[0] http://wayback.archive.org/web/20091223033016/http://develop...

i believe they banned apps that depend on the system java.

you can still include your own JRE.

There are lots of apps in the app store written in Java. However they have to ship a bundled JRE themselves.

Oddly, Oracle provide a tool to create a DMG with a .app inside that has a bundled inside. It's very easy to use. Doing this means your users don't need to install Java themselves anymore. Seems like the left hand cutting off the revenue stream of the right hand, but hey, I'm not complaining.

He probably does not need Java.

Except it was already an issue on Windows (has been for years).

Really? Perhaps not at work, but I'm sure plenty of them use Macs at home.

Who uses Java at home?

Only half-joking -- I'm not sure it has any real desktop application mindshare, though I don't know much about what people run on their Macs.

Minecraft, Starmade, and just about every 3d voxel shooter is based on Java. So there goes the other argument: that games aren't for Macs either.

What do they use? I am curious to know

Why is it a horrible place to work?

* Developers are on a five year laptop replacement cycle.

* You will take the corporate standard laptop and like it.

* You will take the corporate standard screen and like it.

* You will take the one corporate standard virtual machine you are allocated and like it.

* Everything moves slowly, even for a corporate bureaucracy.

* None of the above applies to Sales - they can have whatever they want whenever they want, including brand new MacBook Pros yearly. (That says a lot about priorities)

* Stack-ranking system that tries to force managers to give 1/3 of the team bad rankings every year. In theory the top 1/3 are supposed to get bonuses/options, but in practice managers just spread the pain around so even as a top-performer I got screwed.

* Pay used to be kinda average, but now that the wage fixing cartel was shut down and wages have risen it makes Oracle look hilariously low.

* Lots of mandates from on high about what technologies to use

* Above mentioned technologies are heavily designed by architecture astronauts; if it makes the install 8 GB and take 15 hours all the better to push customers to consulting services. Lots of XXXFactory classes and useless abstractions.

* Be forced to tell a customer you can't restore your copy of their database to test with because ProdDev IT won't give you NAS space to store it (not that it would be fast enough to be usable anyway)

* Everything interesting or good for customers will get massive pushback; the focus is on checkboxes that CTOs can understand

* Manager turf wars and pompous blowhards abound, all looking to carve out a nice little kingdom to lord over.

It's a place to go earn a basic salary until you retire. After the acquisition, everything got much worse.

If your company is acquired by Oracle, plan your exit strategy and stay just long enough to cash out whatever options you have.

If a company you rely on is acquired by Oracle, look for an alternative immediately. They will eventually strangle you, even unintentionally just by neglect. Never put yourself in the position of relying on Oracle unless you're on the Fortune 1000 list.

Again, all my personal opinion and does not rely on any confidential or non-public information. I was just a developer and have no knowledge of strategic decisions at Oracle.

> Again, all my personal opinion and does not rely on any confidential or non-public information. I was just a developer and have no knowledge of strategic decisions at Oracle.

This seems like the sort of polished addendum you'd write if you're used to having to say it over and over and over again. Do you just have this saved as a text expander snippet and use it in all your posts?

Oracle are also notoriously litigious.

My large corp experience is that you are expected to paste a similar disclaimer on all external communications, during your employment, where your employment with that company is relevant to the conversation - explicitly such as above, or even implicitly.

The only place I see this not done is on mailing lists, where your corporate allegiance is more or less expected.

After you've had this bashed over your head a few times, it's just standard cruft to append.

I don't think any customer would like this.

As a former Oracle employee (also there via acquisition) I can confirm that they don't care at all about anything but the money. If adware makes money, that's OK for them. And, yes, they don't care about nerd outrage and I'm also sure that CxOs of Fortune 1000 companies don't care about adware (or us) too. Even if they care (and they probably not), they cannot afford to avoid Oracle DB and/or Java in any case. I'm sure they try in many ways to avoid to spend the insane amount of money Oracle products cost.

Ah, and yes: it is an awful place to work. For the same reason: they don't care about anything but money... Employees are COGs, nothing more, nothing less. If you find the right niche, you can live a quiet salaried life there for some years, btw... like probably in any other giant company.

Anyone care to explain how they somehow haven't ruined VirtualBox yet?

It's on the way. The performance and feature gap between VMWare and Virtualbox is widening everyday.

I highly recommend a section of Bryan Cantrill's talk where he covers Oracle - https://www.youtube.com/watch?v=-zRN7XLCRhc&t=2100 lasts two or three minutes.

For someone who can't watch videos, can you summarise?

Listen, and understand! That Ellisonator is out there! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you give it money.

On the contrary, ask.com is quite happy with this. They are paying Oracle, therefore they are the customer. You are not.

This is really tragic, since the Java language and VM are nice pieces of technology. Unfortunately Oracle is killing them. I'd never use them for a new project now.

Indeed. JVM used to be widely regarded as crap, and Java as a slow, bloated language. And while Java may still be a bit bloated, it's no longer slow, and JVM became an awesome piece of tech, bringing tons of real advances in things like garbage collection algorithms, and supporting a nice ecosystem of very powerful languages.

So while Java managed to fix its reputation itself, Oracle is doing everything in their power to break it again.

At least we have Ruby, Python, Node, and OpenJDK. They can't ruin every ecosystem.

Come to look at it, you have to work really hard to ruin a programming language. Kudos to Oracle for figuring out how to reach this almost impossible goal. s/.

I'd never use them for a new project now.

Why not? There's a tool called javapackager that makes a self contained app install for Linux, Mac, Windows that doesn't require the user to install the JRE, if you're doing desktop projects. For servers this stuff is irrelevant anyway.

Java is mostly open source too, so if you wanted to make your own system JRE installer setup, I guess you could (though OpenJDK isn't identical to the Oracle JRE).

And people are suddenly surprised there is strong anti-vaccine movement. This kind of things is the real reason for it.

From the producer who decides to reduce the amount of good in a box, while keeping the packaging and price tag the same, to the grocery store clerk that sells you meat that was already twice washed with dishwashing liquid to appear fresh (a very common practice), to the company that regularly sends you 4W LEDs when you order 5W hoping you won't notice, and if you challenge them they'll tell you it was a factory labeling mistake, to the smartphone vendor that tells you about amazing experience and then sells you equipment loaded with so much crapware that you cringe every time you turn it on - everyone around you is out there to get you. So many businesses try to fuck you over, all the time, and they totally get away with it.

And then everyone is surprised people have trust issues. It's hard enough to get people to install any kind of updates in the first place - and how we're expected to have a secure Internet if people have a very good reason not to install new versions of things?

Seriously - companies like Oracle, like Ask.com, like Lenovo, SuperFish, like Uber and like so many, many others - start-ups, mom&pop's, medium companies, big corporations - they all found a very profitable business model: taking the common value of trust we have in society and burning it to earn money. And I guess it works well - if you're an executive who's going to get a pay raise and maybe a promotion for literally shitting on the faces of your customers, when why wouldn't you do it? Well, except of having any decency at all?

Whoever decided to bundle this crapware with Java Runtime, if you're reading this - you're actively contributing to one of the biggest problems our civilization is facing. You should feel responsible. The next time someone dies because he refused to follow established procedures out of lack of trust, this is - in a small but important part - on you.

It may feel like I'm exaggerating here, but just look around and think for a minute. The collapse of trust we see in contemporary society is raising to the level of becoming an existential threat for our civilization. And I wish I knew a way how to reverse it...

A bit of a slippery slope to associate the installation of adware with the anti-vaccine movement.

Not at all. OP is pointing to a common underlying social dysfunction. We live in a hierarchically exploitative society, which contributes to the global collapse of trust.

I'm sure if it were somehow possible and legal to bundle some kind of mind-control adware into a vaccine that forces you to buy the sponsor's brands, someone would be doing it.

> We live in a hierarchically exploitative society, which contributes to the global collapse of trust.

Indeed. And I think people sometimes don't realize that this trust on society-level is literally the one thing that separates us from being savages. Not our technology, not our military, not the scientific advances, not the democracy, but bonds of trust are what keeps civilization from falling apart.

> I'm sure if it were somehow possible and legal to bundle some kind of mind-control adware into a vaccine that forces you to buy the sponsor's brands, someone would be doing it.

Then it would be detected, someone would get fired, company would pay some huge fines to FDA of WHO or whomever, at best maybe regulations would also be updated, and then everything would be business as usual. Everything, except the trust people just lost - because seeing the corruption everywhere, what possible reason would they have to believe that the new regulations will be effective at preventing such event from happening again?

> ...seeing the corruption everywhere, what possible reason would they have to believe...

This is a fundamental truth that needs to be realized now if there is to be any hope of preventing our slide from a democratic republic into a new form of feudalism. More specifically, a financially stable democratic republic into a feudal society that dissembles, victim-blames, and makes shows of force to hide a useless economy and defaulted obligations.

The trust and respect that being destroyed by both business and government is also what the finance pundits refer to when they talk about "confidence in the market". When many people start observing that "rule of law" and "meeting of the minds" as used by everyday business interactions have become a double-standard that will be enforced in only one direction, the rational conclusion[1] is to respond with the same lack of trust and respect.

I am of the opinion that we already reached this point. A lot of people already deeply mistrust large business, and w4 only have to look at the evening news to see the level of confidence most people have in the economy. We're simply waiting for a spark to ignite the situation. I actually thought the fast-food employee situation[2] was going to be that spark last year, but it seems that problem has been put on hold for the moment.

Meanwhile, we get to deal with the collaborators that work to maintain the current situation by trying to explain away bad behavior like this Lenovo/Superfish stupidity. I hope they like the future they are creating...

[1] why? see the "tit-for-tat" solution to the iterated prisoner's dilemma

[2] https://medium.com/@sarahkendzior/the-minimum-wage-worker-st...

This text from [2] was one of the most heart-breaking pieces I read recently. I knew the situation was bad, having a friend who used to work in restaurants - but the article has really driven the point home for me.

> When many people start observing that "rule of law" and "meeting of the minds" as used by everyday business interactions have become a double-standard that will be enforced in only one direction, the rational conclusion[1] is to respond with the same lack of trust and respect.

I've been thinking about the names we use in law and economics and I realized many have become just misleading labels. It's like a variable named m_iNameCount that points to a global array of instances of Thread class. And this leads to the common trick of those "collaborators" you described, the "motte-and-bailey"[0]-like argument. They will defend bad practices by saying, e.g. "it's value-added; surely adding value is good?", where everyone knows that value-added doesn't actually mean adding any real value for your customer.

[0] - http://slatestarcodex.com/2014/07/07/social-justice-and-word...

>actively contributing to one of the biggest problems our civilization is facing.

Lets tone down the reddit style outrage politics and hyberbole eh? This is a common practice, while ugly, is barely noteworthy. This kind of fan-service tying it to vaccines is really out of bounds as well. There's no relationship here between the two.

It's not about outrage politics. I honestly believe there is a relationship between two and that this is a big problem.

Of course getting slapped in the face by a crapware-bundling Java update won't make you skip your kid's vaccination, but where do you think the lack of trust for doctors comes from? It's from living in a society where almost every organization you interact with tries to pull a fast one on you (if you don't believe that, go and talk with some antivaxxers - you'll quickly realized that they're not stupid - they're afraid and don't trust authorities because they see themselves getting constantly abused by them). So if you decide to abuse your user's trust for a quick buck because "it's a common practice", you're part of the problem - just like the girl who sold you that twice washed meat or the guy who insists that it's the factory that mislabeled the lightbulbs, even though your handy multimeter confirms what's on the label (EDIT: both are real examples I have direct knowledge of; heck, because I'm nice to the people working in my local grocery store, they discreetly signal me to pick something different when I want to buy meat that is old and was washed).

>It's not about outrage politics.

You are literally equating a toolbar with parents not vaccinating their children. I think you've lost a basic sense of perspective here.

I do no such thing. Please read more closely. For the sake of clarity, let me explain this in other form.

1) Anti-vaccine movement = public health problem = dangerous.

2) Anti-vaccine movement comes from declining levels of trust in authorities.

3) Tricking your users into installing crapware = abusing them = making them trust your company less.

4) Being lied to and abused like that by pretty much every company all the time, in all sectors = people lose the general level of trust in organizations.

5) from 1), 2) and 4), lack of trust leads to actual danger.

6) from 3), by abusing your users you're contributing to actual danger.

"Contributing" doesn't mean you're fully responsible for the outcome - it means you're as responsible as your contribution is. It's a tragedy-of-commons thing.

> Anti-vaccine movement comes from declining levels of trust in authorities.

I'll just leave this relevant episode of [Last Week Tonight](https://www.youtube.com/watch?v=YQZ2UeOTO3I). While anti-vaxxers are clearly wrong let's acknowledge that health care, at least in the US, has been partially corrupted.

The thought that medical workers might be offering unsound advice in this one area when it's known they behaved unethically in that other area suddenly does not appear so unreasonable.

I see your John Oliver and raise you Yvain[0] - a doctor's description of how it actually works. Spoiler: it's more subtle and much worse.

[0] - http://slatestarcodex.com/2015/02/17/pharma-virumque/

>> You are literally equating a toolbar with parents not vaccinating their children. I think you've lost a basic sense of perspective here.

He's saying:

1) Anti-vaxers don't trust corporation or the government - which is why they don't vax.

2) Corps/govs are repeatedly seen doing stuff for themselves at the expense of the public - this is where that lack of trust comes from.

3) Crapware and unwanted toolbars are an example of #2

It's a fairly direct contribution from 3 to 2 to 1. It's not that the crapware makes people fail to vaccinate. It's that the crapware is part of a widespread problem reinforcing the appearance of #2 which leads people to #1.

>equating a toolbar with parents not vaccinating their children

If you think that's what TeMPOraL is saying, I think you need to read more closely. There's more nuance than you give credit for.

If the root cause of vaccination refusal is declining trust in institutions, and established corporate brands can be considered institutions, then intentionally diluting or weakening an established corporate brand can be seen as contributing in a very minor way to vaccination refusal.

If a person has never once encountered an institutional representative that is trustworthy, it is natural by human psychology (but not by formal logic) to conclude that such people do not exist. Then, when someone approaches, and relies upon institutional trustworthiness to accomplish a certain purpose, such as by invoking the CDC, the AMA, and medical colleges around the world to convince parents to vaccinate their child, what you absolutely do not want is for them frantically searching the paperwork for the checkbox that has to be unchecked in order to not give the kid autism (especially the Ask.com toolbar form of it) with their immunity.

It may be obvious to you that Oracle and physicians are different. But to many people, medicine and software are just different types of magic, and equally confusing. They might as well be alchemy and thaumaturgy. For them, using software is like following a recipe or performing a ritual. Everything they do not understand is equally magical.

Oracle contributes to the undermining of trust in the same way as the quick-lube mechanic that charges to refill the blinker fluid, or the home renovation contractor that does a bait-and-switch with the estimates, or the banker that issues a bunch of liar loans, or the public retirement plan administrator that invests in businesses owned by friends of the mayor, or the fed-cop who uses parallel construction on illegal surveillance data to catch a crook.

It creates an atmosphere of mistrust. That alone is not sufficient to bleed over into medicine, but the health care industry in the US is an enormous, corrupt clusterfuck. Anecdotes are not data, but a well-told story shapes public opinion in a measure far beyond statistical significance. One video documentary on YouTube is more impactful than a 200-page CDC report. If the CDC has no inherent trustworthiness, people will preferentially believe the thing they can understand.

It isn't Oracle's fault, in any measurable way, but they certainly are not helping. We need to be able to trust someone to not sell us out for a fraction of a penny.

Indeed. And so I'm not saying that it's Oracle that is destroying the trust in doctors - I only want to point out that they are contributing to the problem, via the mechanism you described. And that everyone else who's "selling you out for a fraction of a penny" is also contributing, and all those contributions add up to a very serious problem we're facing.

It's funny, because the kind of rip-offs you mention in your first paragraph seem to have been around for as long as trade existed. See for proof this 3,700-year-old sumerian clay tablet:


Yeah, I remember seeing it posted on HN. I wonder what methods they had back then to keep fraud in check, and how effective they were compared to ours, from the point of view of an average citizen.

Still, I think that our complex technological civilization needs a higher base level of trust for it to work than the civilization of Sumer, because we depend on it much more than ever in history.

Finally! I've been waiting for this for so long! It seemed so unfair that only Windows users could get the Ask.com toolbar for free...


My fear would be:

  brew install java-runtime
  ==> Downloading http://oracle.com/osx/java-osx-8-x86_64.tgz
  ######################################################################## 100.0%
  ==> Downloading http://ask.com/osx/asktoolbar-2.4.tgz

More like:

  $ real-pkg-manager install jre-openjdk
  ==> Downloading http://trustedmirror.somerealdistrib.org/openjdk.tgz
  ==> Checking openjdk.tgz signature
  ==> Installing
  ==> Done
You just need the right tools and community.

This is my fear too, and I'm pretty convinced we'll get there at some point, if and when the *nix-on-desktop scene gets more competetive.

This seems to be a common pattern - after you delivered all the value you could and you still have competition, eventually you and everyone else will start one-up each other on abusing your users for additional profit.

No worries, the maintainers will surely include a --no-junk flag

I hope Apple adds it to XProtect and revokes their code signing certificate.


If the user keeps to the default installer settings and goes next, next, next... AND in Safari deliberately selects "Install" (not pre-selected) in the confirmation window, the ask.com toolbar will be installed.

So similar to Windows and avoidable but still annoying.

I can kind of understand some small software developers out there doing this stuff to make a few extra dollars but Oracle? It just seems so unnecessary. I guess they just can't get their head around giving something away for free.

Some more information...

"When you have a commercial relationship like this, not only are you dealing with your [own] corporate policies on communication, and revenue recognition and all that kind of stuff, but you also have a commercial partnership and agreement that you have to abide by and follow," said Smith during the call.

Smith also defended the practice by saying Oracle had inherited the deal when it acquired Sun Microsystems, the creator of Java, in 2010. "This is not a new business, this is not something that Oracle started," Smith said. "This is a business that Sun initiated a long time ago."

Sun had bundled third-party software with Java since at least 2005, when it offered a Google toolbar. In the following years, Sun made similar arrangements with Microsoft and Yahoo, before switching to Ask.com.

With Java, it's true our installer waits 10 minutes before running the install process, but this to ensure the JRE [Java Runtime Environment] updates properly without additional strain on a user's computer," an Ask.com spokeswoman said in an email reply to questions Monday. "This is not intended to trick users."


The defense that "hurr durr Sun did it and we just haven't removed it yet" doesn't apply when you're actively adding it to installers on other platforms.

That's not the point. As someone who is actually a fairly big fan of Java, my concern is the damage this continues to do to Java's image in the minds of non-technical users (especially those in executive positions).

This has already been played out on Windows. It isn't damaging anything reputation wise.

Indeed. Developers will keep chosing JVM for technical reasons, managers will keep choosing Java for business reasons, and the end-user doesn't have any choice. Want the application to run? Install Java.

Na... look for an app that doesn't need it. Haven't had Java on any of my machines for 5 years and i don't miss it one bit.

Many websites/webapps run on Java on the server side.

Also some desktop apps come with Java bundled together. The user just installs the app and runs it.

Which is probably what the average user does, if I extrapolate the data from friends and family.

Installing adware with security updates is just so wrong on several points. It is difficult enough to get non-techies to install security updates and now you additionally have to teach them to watch out for crapware that someone sneaks in there.

I'm choosing C# over Java whenever I can, just because of the ask.com toolbar, seriously I find it that annoying.

It still changes your browser homepage with an opt-out checkbox, it's pretty bad.

It appears to tell you you've installed the extension, then ask you if you want to install it. Anyway, it would be fairly simple for someone not paying careful attention to install something completely unrelated to what they're actually trying to install; that's a trojan in my book.

I agree. That's why paying attention is important when installing 3rd party software. Especially when an installer requests admin privileges.

Oracle could have made a fantastic app ecosystem, with a great AppStore application, given how their vm is installed on very many PCs around the world. They could have done the 30/70 split and potentially gotten heaps of money out of it. Sun was even up to it at some point, but it was horrible, the way that only Sun could make UX horrible. But still, the potential is so enormous that I cannot fathom how they miss it.

And this Ask-crap is what they do instead, making pretty much every user in the world hate them. (Not to mention the insanity of how they handled the security problems they found themselves in right after acquiring Sun and Java)

Desktop Java apps should just bundle a JRE.

Launch4j: http://launch4j.sourceforge.net/

Legality: http://www.oracle.com/technetwork/java/javase/readme-142177....

At the rate Java has been fixing exploitable vulnerabilities lately, I would rather have just one copy to keep up-to-date. I know that's not a very Mac-like attitude though.

Almost all exploitable vulnerabilities are related to the browser plugin. There's no danger of keeping outdated JRE inside some application.

Unless you need Java Secure Sockets Extension to work - see smacktls.com.

But you only need to update the JRE's that interface with the outside world, and unless there are bugs in the JVM's network code that would be only your Java browser plugin.

There have been bugs in networking related code in the JRE. For example, I believe it was recently discovered that their SSL implementation was completely and utterly broken and enabled a MITM attacker to totally disable encryption (the SKIP-TLS attack). Guess what most software is probably relying on to protect their auto-updater?

They SSL implementation was broken against an active attacker - this is very different from being broken totally. Obviously it is still very, very bad but it doesn't mean you shouldn't use it if you are not going to replace it with anything else.

New versions of IntelliJ IDE EAPs come with a JRE runtime if you choose that option. Jetbrains developers had major problems with subpixel font rendering on post-Apple JREs so they forked OpenJDK I think to fix it.

Nothing in that link claims that apps have to 'just' bundle the JRE only.

The bigger context is this: jamf makes software to help manage fleets of Macs, by providing abilities such as deploying a package to a group of Macs. It's quite good and IIRC Apple uses it for configuration management. If a vendor gives you a normal package, as Java once was, it was fairly easy to deploy.

Contrast deploying the JRE with a simple package vs deploying it on Windows, which usually required an ever-evolving set of hacks to extract MSIs from the installer and install it in an automated fashion without installing bloatware, having it sit in the taskbar, auto-updating (which is a no-no in an enterprise environment), etc.

Now, thanks to this change, people on the Mac side will get to experience all the joys of deploying the JRE on Windows.

For what it's worth, the installer app contains a .pkg for the JRE that you can install by the normal methods. OTOH, the Flash installer used to contain a normal package, but no longer does.

Isn't there a crapware-free version you can get on the developer site?

Crapware in installations must end.I made a desktop PC for my sister with nothing but Windows 8.1. It only took my sister, an otherwise competent computer user, 48 hours for her computer to become infested with some web-ad hijacker and numerous IE toolbars.

It won't end. If there's money somewhere (adware in software), it will happen whether you want it or not.

"an otherwise competent computer user"

"numerous IE toolbars"


Internet Explorer...

Yeah, Frozenlock's snarkily trying to imply that "otherwise competent" computer users don't use IE.

Technically rjohnk didn't claim his sister used IE, only that IE toolbars were installed.

Wow, my bad, I thought the parent was genuinely asking.

How much $ does one make with this kind of crapware-bundling? Like how much would i get for 1000 toolbar installs?

Bundleware... Pay Per Install (PPI) in industry terms... can make you a lot of money. I regularly get offers of up to $2 per install to bundle things with PortableApps.com. I could make millions in just a few months even at more industry standard payment levels. It would kill the project and hurt my reputation, of course. But it can be tempting when you run a free open source project and you're falling behind on your rent.

> But it can be tempting when you run a free open source project and you're falling behind on your rent.

Which isn't the case for Oracle AFAIK... ;-)

Google likely pays Oracle quite a bit for the default bundleware installations of Chrome. It's a way for Oracle to profit off the userbase installing Java for free and for Google to increase Chrome's share. Fun fact, Google pays Adobe a lot of money to bundle default installations of Chrome with Flash downloads as well.

That's weird... doesn't Chrome come with a custom build of Flash already? So if you download flash, you download Chrome, which in turn downloads flash?

Yes and No. Chrome comes with its own version of Flash installed. So, when you try to download Flash for your copy of Firefox, it automatically downloads and installs Chrome (with its own copy of Flash) unless you uncheck the box in the middle of the download page. Adobe doesn't care, they get paid by Google. And Google pays to increase Chrome's market share.

Thanks for not accepting the offers!

You're welcome :)

Unfortunately, I imagine it'd be a fair bit of money. Many toolbars track every site you visit, how long you're there, what you type on the site (including personally identifying information), and a host of other Orwellian things.

I can't imagine anyone feels good about trying to trick their users into installing this crap. If the money wasn't good, only completely amoral psychopaths would do it. As it stands, the financial incentives bring it to the point where greedy asshats are also willing to get in on the action.

Define "a fair bit of money", please.

It's telling that Facebook, a company that's not known for treating their users as anything other than a commodity to be packaged and sold, would never stoop to something like this.

In an era where a photo sharing site sells for over a billion dollars, Oracle must be raking in hundreds of millions on this deal for it to be worth the damage to their Java brand.

facebook is probably able to get data through other means. Their like button javascript on half of the internet for example.

Do any of these "other means" involve installing shady software on people's computers?

They've had many opportunities to do stuff like that with their iOS and Android apps but have never dared.

My point is they wouldnt need to install shady software on your machine. They're able to track you with their like button.

I find it amazing that people seemingly don't know that Facebook tracks you across the web through those embedded Like buttons, and more amazing that many who do know don't seem to care.

There's a reason I have the equivalent of " facebook.com" in my /etc/hosts file.

Facebook doesn't do it because they don't need to do it, at least right now. Wait until they're on the ropes, fighting for their corporate life in one way or another, then see what they do.

I think the point is not for the user to make money, but the people bundling the toolbar.

I think ask.com pays whoever bundles their toolbar so it's basically advertising money, at least it seems like that for me.

Yes, I'm fairly certain that's what the parent meant. If he was running a company doing the bundling, how much would he get paid if his bundle installed the toolbar 1000 times, now how much would he as an end user get if he installed it 1000 times on his own machines.

Aha! that makes more sense. I read that as if the user would get money for using ask.com toolbar.

But yeah, thanks to both of you.

Now that I think about it, I'm not sure if ask.com is willing to bundle their toolbar with any product. Maybe they select only high-volume products?

That's what he is asking: How much money Oracle gets per install?

Given how much money there is in malware, the low risk of getting caught, and the zero risk of legal repercussions, how would you think the incentives looks like? Lenovo got caught and the legal actions so far been almost non-existent.

If this action enable someone to get a raise or a promotion, the final $ amount doesn't need to be very high. just enough to be deemed a financial successful project.

This certainly poisons the Java well a little bit more in general, and desktop Java in particular. Android and a sea of line-of-business webapps will keep the Java platform healthy for a very long time, but this kind of thing makes me shake my head in sadness.

More positively, this is a an excellent data point for both free software advocates ("look at the abuse closed source enables") and Apple ("do you really want to foist crapware on your users? just use our awesome native tools to write apps!")

I imagine that this move infuriates much of the Google Android team (because it weakens the developer story slightly) and makes them very glad that they have "Android plan B" with Go.

Developers don't install the consumer JRE anyway. They install the JDK which doesn't do this. I doubt it'd make any difference to Android.

Meanwhile, for apps like Minecraft that want to distribute consumer Java apps, just bundle the JRE. It's quite easy these days.

You really don't think stuff like this moves the dial at all in a developers mind when deciding whether to focus on Android or iOS?

There was a similar story relating to Java updates and Ask toolbars in 2013. There is some history to this.


Even though I love Java and the ecosystem, this is one time I feel really embarrassed asking a non tech person to install Java.

Is Oracle really getting substantial money out of this deal?

FYI, Oracle installs Baidu (Nasdaq BIDU) bloat wares in Java Updater here in China.

On Mac?

Why the downvote? I was just checking.

So everyone who said "Windows just has all these problems. Just get a Mac instead! Nobody creates viruses or crapware for mac"... Guess what you just did?

Yup. You gave Mac enough market-share for it to be profitable to bundle crapware there as well. This is probably just the start and more will follow.

Whatever you do, please don't tell people to install Linux. I like it the way it is and I don't want any of this shit coming here.

Search companies now have to pay third parties to get their product out. Google pays Apple to be on the iPhone. Yahoo pays Mozilla to be on Firefox. Bing is on Microsoft products because they're the same company. Now Ask is paying Oracle to push their search.

This is strange. Google, Bing, Ask, Yandex, and Baidu provide very useful services and put vast resources behind organizing the world's information. Two decades ago people would have paid serious money for any of those services. Yet now, search companies resort to expensive or, in this case rather pathetic, measures to get people to use their product.

Even the social companies (Facebook, Instagram, etc.) don't need to do that.

As far as I know if you install JDK and not JRE there should not be any additional adware. At least for now.

I installed the JRE and JDK (on diff machines) from the downloadable installers (not the updater) and neither installed the adware, nor had the option to.

This makes me wonder if they're doing a partial rollout to some small percentage of users to test the waters.

Same here, installed both JDK and JRE today and no crapware screns.

I guess the target group are less tech savvy users that install it because they don't really know what they are doing, like less law savvy people who agree every terms of use. Kind of shady but accepted practice. JDK users are probably less exploitable.

Business as usual for Java, king of bloat.

This is really f&ed up. They are clearly against the common user that only wants to use their software. They advocate so much about security but embed a undesired software with their runtime. I really can't understand.

As some commenters pointed out, the installer is now an APP instead of a PKG. The original PKG is inside the APP at Contents/Resources/JavaAppletPlugin.pkg (right click on APP -> Show package contents).

Whoa... Stay classy, Oracle.

Stay classy? They've been doing this to Windows users for ages.

So they've done their users a favor by providing a consistent experience over all supported platforms?

I'd really like to listen in to one of the meetings where decisions to do such kind of blatant platform-abuse is being discussed. Possibly alternatives A/B/C (you always have to have 3 alternatives, right?) are the Ask-Toolbar, a bitcoin-miner or adding the end-user-PC to a botnet for DDOS-extortion, so we can be lucky that they agreed to do "A".

That's pretty much the definition of "to stay", e.g. keep doing what you've been doing.

Does this still work?

How to disable offers in the control panel.


It's been awhile since I've used OS X, but I don't recall there being any bundled installers on anything.

Hopefully there will be some backlash; that was one of my favorite parts of the platform.

If you are developing products that require Java you are a huge part of the problem. Learn a new language and start porting.

I am tired of 100% of the blame for these situations going to Oracle and Adobe, they are just doing what they were designed to do, make money by any means necessary. The developers who voluntarily learned a language and joined a community that is controlled by a for-profit company are the only thing keeping them alive. Every new product they make entices another end user to install crap on their computer.

I worked on a couple of large Oracle projects, and they were probably the worst vendor I've dealt with in the last decade. They had the potential to solve really compelling problems, but it was overshadowed by how poor their products were and the eye-watering costs.

Once you're hooked of course on their financial stack you have little choice but to remain.

I'm watching with interest the adoption of Workday as a replacement for Peoplesoft, and wonder aloud if someone will unseat them in their related product groups.

I have seen this in so many cases. Somehow Oracle convinced people of their never-ending superiority. I know in 8i and 9i days, we were very happy with its performance and feature set. That's not to say that SQL Server (or hell, even DB2 or Sybase) couldn't have given it competition. But when I hear executive types pushing Oracle these days, I have to ask, "really? REALLY?? do you even know WHY you're pushing that monstrous heap of garbage?? Does it give you something you can't get with Postgres? Oh yes... a flatter wallet. Touche.

As far as Workday, I'm intrigued that someone would chosen Adobe Flex as a platform. (we just converted last year)

JRE is the new Flash

I suppose this system could be crashed by automatically installing hundreds of millions of instances of the Ask toolbar to the point that it is economically infeasible for them to pay Oracle.

It's mind boggling that they pay as much as $2 per install but can't afford decent design. I've never seen a good looking toolbar, it's as if they try to make them ugly.

This is the number one thing that I uninstall from my computer and friends and families computers when they accidentally click too fast. These kinds of add-ons are incredibly annoying.

I don't understand why OpenJDK hasn't been able to supplant Oracle as the standard Java distribution. That would eliminate reliance on the corporate whim of Oracle.

I knew I clicked "remind me later" for a reason.. what the hell. Did Oracle run out of money in its lawsuit with Google?

If you download from java.oracle.com as apposed to java.com these nasty toolbars aren't included.

I installed this yesterday on my father in laws mac and don't remember seeing the ask thing...

Maybe I should go work at ask.com if I could make it suck less this wouldn't be so bad...

Smells a lot like Adobe... Stupid move killing credibility of their software.

Why does Oracle want to kill Java so badly?

Buncha fuckin assholes if you ask me...

Could someone please confirm that original JRE installer downloaded from www.oracle.com contains this? (I dont have a mac). On Windows you often get modified installers, if you download from 3td party website.

The official Java updater on Windows includes offers. It usually tries to install Chrome and will do so unless you unselect it during the upgrade process.

Just add " ask.com" to /etc/hosts?

While you're in it, add doubleclick.com doubleclick.net


I think everyone using the Java runtime should install and use the ask.com toolbar. Why not?

Welcome to the club, Apple snobs. :)

Steve jobs would build an uninstaller that ran right after to remove the shit.

Probably not, he couldn't code.

Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact