Opening Up OpenCandy


Posted by Cynic | Posted in Internet, Logic, OpenCandy, Security, Software, Uncategorized | Posted on 03-04-2011


I’ve been involved in a discussion about OpenCandy over at DonationCoder. It has a fair bit of fight in it, as the topic is hot and the opposing sides are passionate about the issue. What’s the issue? Spyware.

A few people have accused OpenCandy of being spyware. In that discussion I briefly outlined the evidence that shows that OpenCandy is NOT spyware. Here I’m going to show it again, but I’m also going to open it up for non-technical readers with some additional explanation. There are technical details in here, but I explain them all in simple, straightforward English. Later on I won’t explain the same things again, as there’s no sense in repeating myself too much.

First, I’m not going to cite a trillion different definitions of spyware because more often than not they include wishy-washy garbage and contradictions that make them pretty useless as definitions. Instead, here’s a simple definition of spyware that is clear and succinct.

Spyware: Software that sends personal or unique information about a computer or user to a third party over a communications connection such as a network connection, e.g. the Internet or a mobile phone connection.

There’s nothing controversial in there. It could be made better, but it’s good enough.

OpenCandy does not do that. What it does is download a list of possible offers, choose one of them, and present it to the person during a software installation.

Using Wireshark, I pulled this information out of the OpenCandy-powered installer for Photo Resizer, my own software:

clientv=27&cltzone=600&language=en,en&method=get_offers&mstime=0.280
&os=WIN6.1-64&product_key=613b8aaa21ae201a2c054a63f3e87f8d&v=1.0&
signature=5b437627dd2fdb9897e0bbd47c2c3d58

That’s a query string sent to the OpenCandy offer server. I’ll break it down and explain each part. Please note that in some places I am making educated guesses based on a good amount of experience with networking and software.

If you aren’t familiar with what a query string is, it’s just a list of key/value pairs that contain some information for a server on the Internet to process. You can see this in the address bar when you visit different Internet sites. The part to the left of the equals sign (=) is the key, and the part to the right is the value. They are separated by an ampersand (&) in the query string as you can see above.

clientv=27

This key/value pair looks like the version of the OpenCandy client code inside the installer. It’s a necessary value in case OpenCandy upgrades their software: by identifying the version, the server can keep things working. This is exactly the same principle as Microsoft Office naming new file formats differently, which tells Windows and Office what version of the file format they are looking at, e.g. DOC vs. DOCX.

cltzone=600

This key/value pair looks like “client zone”, which would lead me to believe that it is identifying the country. While I’m not certain, it looks about right. That information could also be gotten from the IP address, though, so I could be mistaken (“cltzone” could just as well be the client’s time zone as an offset in minutes, and 600 would fit that reading too). Either way, three characters, “600”, is not enough space to send back any kind of personally identifying information. It’s just too small, so it could not possibly be used to justify an accusation that OpenCandy is spyware.

language=en,en

This is obviously the language, which is obviously not any kind of basis for accusing someone of distributing spyware. Browsers send the same value in the Accept-Language header of every request, and it is fundamental to proper communication. Some web sites use this value properly, although most do not; Google, for example, ignores it and serves content in a language chosen from your IP address instead of the language you asked for.

method=get_offers

This is an instruction for the OpenCandy offer server to send a list of offers. It may take other values for other requests, as we’ll see below. This is not a basis for accusing a piece of software of being spyware. The string “get_offers” is obviously not personally identifying.

mstime=0.280

This looks like a kind of time stamp. My guess is that it is the time since the installer was run, or the startup time for the installer or the OpenCandy DLL. That would be useful for diagnostics, but would not serve any other purpose. The field is too small to contain any sort of personal information.

os=WIN6.1-64

This is obviously the OS version of my computer, Windows 7 x64. Again, this is not a unique value; millions of machines send exactly the same string. All browsers supply this information and more in the User-Agent header, so it’s only repeating information.

product_key=613b8aaa21ae201a2c054a63f3e87f8d

This is the unique product key for Photo Resizer. There’s nothing secret about it. You can decompile the installer or pull this value out during installation with Wireshark. It identifies the program being installed, not the computer or user.

v=1.0

I believe that this is the version of the Photo Resizer installer that has been submitted to OpenCandy for inspection and certification. But no matter; again, three characters isn’t enough to send information about you or your computer.

signature=5b437627dd2fdb9897e0bbd47c2c3d58

The signature value looks like an authentication parameter used to check that the request really comes from Photo Resizer and not from some rogue software. That is, it looks like a security measure to protect the integrity of the OpenCandy network from malicious users or attacks. Even if I’m wrong about that, which I kind of doubt, the value is different on every request (compare it with the signatures in the FL Studio requests below), so by itself it is not a stable identifier for you or your computer.

None of the short fields are long enough to carry identifying information, and the two 32-character values identify the product and the individual request, not the computer or user.

Now, for the XML itself… I’m not going to explain it all, as that would simply take too long. Instead, I’m going to run my FL Studio update, find the OpenCandy information in there, and post it along with the resulting XML.

So, when installing the OpenCandy powered installer for FL Studio 10, this is the OpenCandy GET request:

clientv=27&cltzone=600&language=en,en&method=get_offers
&mstime=0.219&os=WIN6.1-64
&product_key=aa0891b96e4cdc07b5c878e7de2316c0
&v=1.0&signature=df54629db8357026c13c68df288225b8

Again, it looks pretty much the same, with nothing alarming in there.

The FL Studio installer EULA contains this:

Recommendation software
This installer uses the OpenCandy network (or similar) to recommend other software you may find valuable during installation of this software. OpenCandy (or similar) may collect and use *NON personally identifiable* information about THIS installation and the recommendation process. Collection of this information by OpenCandy ONLY occurs during this installation and the recommendation process, in accordance with OpenCandy’s Privacy Policy, available at <www.opencandy.com/privacy-policy>.

OpenCandy downloaded some XML. I’m not going to explain it in depth as it’s simply very long. However, here’s the short explanation…

XML is a container format that lets you easily transfer arbitrary information. The nice thing about XML is that you get to define the tags yourself, unlike HTML, whose tags are already defined.

Now, the XML for OpenCandy contains offer listings. Those include things like some text to display, the name of the program on offer, the download location, the downloader that takes care of it all, a graphic to make things look nice, etc. In short, it’s very similar to what you might see on a web site. There are some additional directives and parameters for the offers, but they are related to the offer, not to the computer or user, and are in no way, shape, or form personally identifying. Remember too that this is information FROM the server, downloaded to the computer, and not information sent from the user or computer.

For the XML, click here. If you examine it, you will see that there is nothing remotely like spyware.

I declined the offer from Uniblue as I don’t need it.

Next, after I declined the offer, this request was sent:

accepted_ind=0&clientv=27&method=track_offer_result&mstime=606.626
&offer_id=790&offer_shown_secs=34157&opt_shown_count=1
&product_key=aa0891b96e4cdc07b5c878e7de2316c0
&session_key=94f78bd10c5abef3bf7f0b928cf5319a
&skipped_offer_ids=&v=1.0&signature=be82fca424013cff56f1e593b67842e0

Breaking that down gives this (a bit more readable):

accepted_ind=0
clientv=27
method=track_offer_result
mstime=606.626
offer_id=790
offer_shown_secs=34157
opt_shown_count=1
product_key=aa0891b96e4cdc07b5c878e7de2316c0
session_key=94f78bd10c5abef3bf7f0b928cf5319a
skipped_offer_ids=
v=1.0
signature=be82fca424013cff56f1e593b67842e0

Most of the fields are the same, but there are some new ones. accepted_ind=0 says the offer was declined, offer_id=790 says which offer it was, and offer_shown_secs and opt_shown_count record how long and how many times it was shown. session_key is a value that ties the tracking calls of this one installation together; it is the same in this request and in the install-completed request below. What happens here is that the OpenCandy DLL simply tells the server that the offer was declined. Again, there is nothing personal or identifying in there.

In fact, if you compare the Photo Resizer and FL Studio requests value by value, the two 32-character fields, product_key and signature, are different in each. If a long value like that were the same in both, there would be some reason to suspect that my computer was being uniquely identified. The fields that are the same (clientv, cltzone, language, os and v) are environment details shared by a huge number of machines, not anything unique to mine.

I also found this in the packet analysis:

clientv=27&method=track_product_installed&mstime=1181.412
&product_key=aa0891b96e4cdc07b5c878e7de2316c0
&session_key=94f78bd10c5abef3bf7f0b928cf5319a
&v=1.0&signature=277e0b3a8b8577d3a79720310e55bb10

This, along with the request immediately above, just finishes the FL Studio installation and alerts the OpenCandy server that the FL Studio installation completed. Again, nothing to worry about.

The long times there are because I was writing this as I was installing my FL Studio upgrade, and farting around with other things as well.
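To put the value-by-value comparison above on a firmer footing, here is a small Python script. It is an example added to this post, not OpenCandy’s own code; the four query strings in it are copied verbatim from the captures quoted above (line breaks removed), and the helper functions, names and the 64-bit “wide enough to be an identifier” threshold are my own choices. It parses each query string, flags the fields wide enough to hold a unique identifier (hex tokens of 64 bits or more), and reports which of those are identical across two requests. Run on the Photo Resizer and FL Studio get_offers requests, no wide field is shared, which is the point made above. Run on the two FL Studio tracking requests, product_key and session_key are shared, which shows that session_key links the calls of one installation. One capture cannot show whether session_key is regenerated for every install; checking that needs a second install of the same product.

```python
"""Pull apart the OpenCandy query strings quoted in this post and check
which fields could carry an identifier.  Added example, not OpenCandy's
code.  The four query strings are copied from the post; the helpers and
the 64-bit threshold are assumptions made for this example."""
from urllib.parse import parse_qsl

PHOTO_RESIZER_GET_OFFERS = (
    "clientv=27&cltzone=600&language=en,en&method=get_offers&mstime=0.280"
    "&os=WIN6.1-64&product_key=613b8aaa21ae201a2c054a63f3e87f8d&v=1.0&"
    "signature=5b437627dd2fdb9897e0bbd47c2c3d58"
)
FL_STUDIO_GET_OFFERS = (
    "clientv=27&cltzone=600&language=en,en&method=get_offers"
    "&mstime=0.219&os=WIN6.1-64"
    "&product_key=aa0891b96e4cdc07b5c878e7de2316c0"
    "&v=1.0&signature=df54629db8357026c13c68df288225b8"
)
FL_STUDIO_TRACK_OFFER_RESULT = (
    "accepted_ind=0&clientv=27&method=track_offer_result&mstime=606.626"
    "&offer_id=790&offer_shown_secs=34157&opt_shown_count=1"
    "&product_key=aa0891b96e4cdc07b5c878e7de2316c0"
    "&session_key=94f78bd10c5abef3bf7f0b928cf5319a"
    "&skipped_offer_ids=&v=1.0&signature=be82fca424013cff56f1e593b67842e0"
)
FL_STUDIO_TRACK_PRODUCT_INSTALLED = (
    "clientv=27&method=track_product_installed&mstime=1181.412"
    "&product_key=aa0891b96e4cdc07b5c878e7de2316c0"
    "&session_key=94f78bd10c5abef3bf7f0b928cf5319a"
    "&v=1.0&signature=277e0b3a8b8577d3a79720310e55bb10"
)

HEX_DIGITS = set("0123456789abcdef")


def parse_query(query_string):
    """Split 'a=1&b=2' into {'a': '1', 'b': '2'}.  Blank values such as
    skipped_offer_ids= are kept so their presence stays visible."""
    return dict(parse_qsl(query_string, keep_blank_values=True))


def looks_hex(value):
    """True for values made only of lowercase hex digits (hash-like tokens)."""
    return bool(value) and all(c in HEX_DIGITS for c in value)


def opaque_fields(fields, min_bits=64):
    """Hex tokens wide enough (4 bits per character, >= min_bits) to hold a
    unique identifier.  Short fields such as cltzone=600 (12 bits) or
    clientv=27 cannot, so only these are worth checking for stability."""
    return sorted(k for k, v in fields.items()
                  if looks_hex(v) and 4 * len(v) >= min_bits)


def compare(a, b):
    """Keys present in both requests, split into those whose values are
    identical and those whose values differ."""
    shared = set(a) & set(b)
    same = sorted(k for k in shared if a[k] == b[k])
    differ = sorted(k for k in shared if a[k] != b[k])
    return same, differ


def correlation_candidates(a, b):
    """Wide fields with identical values in both requests.  Shared across
    two *different* products these would point at a machine or user ID;
    shared within one install they merely link that install's calls."""
    same, _ = compare(a, b)
    wide = set(opaque_fields(a))
    return [k for k in same if k in wide]


if __name__ == "__main__":
    pr = parse_query(PHOTO_RESIZER_GET_OFFERS)
    fl = parse_query(FL_STUDIO_GET_OFFERS)
    print("wide fields in get_offers:", opaque_fields(pr))
    print("same across products:", compare(pr, fl)[0])
    print("wide and same across products:", correlation_candidates(pr, fl))
    t1 = parse_query(FL_STUDIO_TRACK_OFFER_RESULT)
    t2 = parse_query(FL_STUDIO_TRACK_PRODUCT_INSTALLED)
    print("wide and same within one install:", correlation_candidates(t1, t2))
```

To feed your own capture into this, `tshark -r capture.pcap -Y http.request -T fields -e http.request.uri` lists the request URIs; take the part after the `?` and pass it to parse_query. The comparison that matters for the spyware question is across two installs on the same machine (or the same installer on two machines): a wide field that stays identical there is an identifier, and one that changes is not.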

I hope that the above has sufficiently demonstrated that there is nothing at all in OpenCandy to remotely suggest that it is spyware.

Ad supported? Yes. OpenCandy enables software authors like me to support their software by presenting people with offers to install other reputable, vetted titles. So both Photo Resizer and FL Studio are ad supported. That doesn’t make them spyware, though. That’s an entirely false accusation, and I’ve just gone on at length to show that it isn’t true. You can replicate the experiment yourself with Wireshark.

In related news, Eset, the makers of NOD32, have still not gotten back to me about this.

Man… I think those guys at OpenCandy should hire ME as an evangelist~! =D

Cheers,

Ryan

Disappointed in NOD32


Posted by Cynic | Posted in Business, Security, Software, Super Simple | Posted on 29-03-2011


Security is an important issue, but at some point you need to just stop trying to defend against imaginary foes. I’m disappointed in ESET NOD32 as it is giving a false positive for OpenCandy as spyware.

NOD32 False Positive

I’ve looked into OpenCandy extensively. VERY extensively. I’ve examined the SDK. I’ve examined OpenCandy installers. I’ve not only spoken with representatives at OpenCandy, I’ve also spoken with their CEO, Darrius Thompson.

I came to know about this as I submitted my new software, Photo Resizer, to Softpedia. It was rejected because of the alert you see above.

Now, I don’t blame Softpedia. They were kind enough to promptly let me know that my software had been rejected. This is not their fault. They need to keep a “clean” download site, and they can’t have software that triggers alerts like that. The problem is that it’s a false positive.

This is the email I received (minus the Softpedia staff member’s name and email address and all that jazz):

Your product, Photo Resizer, has been recently proposed for submission to our software database.

Unfortunately, the application does not offer users the possibility to accept the OpenCandy service or not, which is considered a spyware behavior. Also our antivirus solution detected this as a potential threat as you can see from the attached screenshot.

Please take the appropriate measures to fix this issue and resubmit the software to us. If our staff does not encounter any problems during its installation or testing, it will be published on Softpedia as soon as possible.

Thank you for your understanding,
The Softpedia Support Team

They were nothing but polite. I was quite happy with their response. They’re in a tough position. But they are at the mercy of the AV and security companies.

I responded and included a screenshot of the installer that showed that users must make an explicit choice to accept or decline the OpenCandy offer (click the image for a larger version):

OpenCandy Optional Offers

So you can see there that there is nothing nefarious going on. You can either say yes or no.

I’ve been vocal in the past about “scareware” and how I really don’t like the predatory nature of scaring people into giving you money, and this only reinforces my negative opinion of the security industry in general. I think the security companies owe it to everyone to stop throwing so many babies out with the bathwater, because that’s just laziness. I know it’s a hard job to do, but that’s not an excuse.

I am firmly committed to quality software. While I fantasize about the many legal black-hat opportunities out there, I just don’t do them. I just can’t bring myself to do that. There are lots of legal sleazy things that I could do, but just because they’re legal doesn’t make them not sleazy.

I would greatly appreciate it if anyone out there would help voice some support for me and other developers out there that are trying to bring good software to your desktop and trying to make a living out of it with options like OpenCandy. Email ESET (the makers of NOD32) through their false positive page here.

You will be doing me and everyone else a favor. Thank you in advance for your support!

UPDATE:

WOW! Those guys at Softpedia are BLISTERING FAST! I just received a response:

Hello Ryan,

Giving users the option to install a component or not is the right way to do it and is not considered spyware, just Ad-Supported. Also, the antivirus alert must be solved too, as NOD32 has many users that might signal it as a threat. We are looking forward to hearing from you after this issue has been resolved.

=D

UPDATE 2:

This is terribly funny. Many download sites use anti-virus scanning to verify downloads. It’s common. But I just received this:

We would like to inform you that your program Photo Resizer 2.0 has successfully passed antivirus and antispyware tests and were so impressed that we decided to give you our 100% CLEAN award! We use for scanning now four of the best antivirus engines available on the market.

Four of the best doesn’t include NOD32. Sigh… I feel sorry for the poor buggers at ESET.