I’ve been involved in a discussion about OpenCandy over at DonationCoder. It’s kind of got a fair bit of fight in it as the topic is hot and the opposing sides are passionate about the issue. What’s the issue? Spyware.
A few people have accused OpenCandy of being spyware. In the above post I briefly outline the smoking guns that show that OpenCandy is NOT spyware. Here I’m going to show that again, but I’m also going to open it up for non-technical people with some additional explanation. There are technical details in here, but I explain them all in simple, straightforward English. Later on I won’t explain the same things again as there’s no sense in repeating myself too much.
First, I’m not going to cite a trillion different definitions of spyware because more often than not they include wishy-washy garbage and contradictions that make them pretty useless as definitions. Instead, here’s a simple definition of spyware that is clear and succinct.
Spyware: Software that sends personal or unique information about a computer or user to a third party over a communications connection such as a network connection, e.g. the Internet or a mobile phone connection.
There’s nothing controversial in there. It could be made better, but it’s good enough.
OpenCandy does not do that. What it does is to download a list of possible offers, then choose one of the offers and present it to a person during a software installation.
Using WireShark, I pulled this information out from the OpenCandy powered installer for Photo Resizer, my own software:
That’s a query string sent to the OpenCandy offer server. I’ll break it down and explain each part. Please note that in some places I am making educated guesses based on a good amount of experience with networking and software.
If you aren’t familiar with what a query string is, it’s just a list of key/value pairs that contain some information for a server on the Internet to process. You can see this in the address bar when you visit different Internet sites. The part to the left of the equals sign (=) is the key, and the part to the right is the value. They are separated by an ampersand (&) in the query string as you can see above.
This key/value pair looks like an identifier for the OpenCandy version to use. It’s a necessary value in case OpenCandy decides to upgrade their software. By identifying the version, they can keep things working. This is exactly the same principle you use every day in Microsoft Office, where new file types are named differently so that Windows and Office know what version of the file format they are looking at, e.g. DOC vs. DOCX.
This key/value pair looks like “client zone”, which would lead me to believe that it is identifying the country. While I’m not certain, it looks about right. That information could also be gotten from the IP address though, so I could be mistaken. However, 3 characters, “600”, is not enough space to send back any kind of personally identifying information. It’s just too small, so this could not possibly be used to justify an accusation of OpenCandy being spyware.
This is obviously the language, which is obviously not any kind of a basis to accuse someone of distributing spyware. This value is present in all browser communications and is fundamental for proper communications. Some web sites use this value properly, although most do not. e.g. Google does not use this value properly, and instead of serving you the proper content in the language that you request, they send you information in the language based on your IP address.
This is an instruction for the OpenCandy offer server to send a list of offers. It may have other values. This is not a basis to accuse a piece of software of being spyware. The string “get_offers” is obviously not personally identifying.
This looks like a kind of time stamp. My guess is that it is the time since the installer was run or the startup time for the installer or the OpenCandy DLL. That would be useful for diagnostics, but would not serve any other purpose. The field is too small to contain any sort of personal information.
This is obviously the OS version of my computer, Windows 7 x64. Again, this is not a unique value. All browsers supply this information and more, so it’s only repeating information.
This is the unique product key for Photo Resizer. There’s nothing secret about it. You can decompile the installer or get this value during installation through WireShark. It identifies the program being installed, and not the computer or user.
I believe that this is the version of the Photo Resizer installer that has been submitted to OpenCandy for inspection and certification. But no matter, again 3 characters isn’t enough to send information about you or your computer.
The signature value looks like an authentication parameter to check to see that it is indeed Photo Resizer and not some rogue software. That is, it looks like a security measure to protect the integrity of the OpenCandy network from malicious users or attacks. Now, if I’m wrong, which I kind of doubt, the length of that value is still too small to contain any kind of personal information.
None of the fields are long enough to contain any personally identifying information.
Now, for the XML itself… I’m not going to explain it all as that would simply take too long. Instead, I’m going to run my FL Studio update and find the OC information in there, post it, and the resultant XML from that.
So, when installing the OpenCandy powered installer for FL Studio 10, this is the OpenCandy GET request:
Again, it looks pretty much the same, with nothing alarming in there.
The FL Studio installer EULA contains this:
OpenCandy downloaded some XML. I’m not going to explain it in depth as it’s simply very long. However, here’s the short explanation…
XML is a container format that lets you easily transfer arbitrary information. The nice thing about XML is that you get to define everything yourself, unlike HTML which is already predefined.
Now, the XML for OpenCandy contains offer listings. Those include things like some text to display, the name of the program for an offer, the download location, the downloader that takes care of it all, a graphic to make things look nice, etc. etc. In short, it’s very similar to what you might see on a web site. There are some additional directives and parameters for the offers, but they aren’t related to the computer or user; they are related to the offer. Again, it’s got nothing to do with the user or computer and isn’t in any way, shape, or form personally identifying. It’s been downloaded from the server. It’s information FROM the server, and not from the user or computer.
For the XML, click here. If you examine it, you will see that there is nothing remotely like spyware.
I declined the offer from Uniblue as I don’t need it.
Next, after I declined the offer, this request was sent:
Breaking that down gives this (a bit more readable):
Most are the same, but there are some new ones. What happens there is that the OpenCandy DLL simply tells the server that the offer was declined. Again, there is nothing personal or identifying in there.
In fact, if you look at the 2 from Photo Resizer and from FL Studio and compare values, you’ll see that they are different. If they were the same, then there might be some reason to suspect that my computer was uniquely identified. But there are no similarities. They are clearly not related.
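The method used above (split the query string into key/value pairs, judge each value by how much information it can carry, and compare two captures from different installers to see which fields stay constant) can be written down as a small script. The following is an added example, not code from OpenCandy or from this post; the two query strings in it are constructed stand-ins for two WireShark captures taken on the same machine, and every key name in them is made up for illustration. It generalizes the post’s 3-character argument into an information-content threshold: a value that cannot carry roughly 32 bits cannot single out one machine among the Internet’s population, and a value that changes from one product’s installer to the next identifies the product, not the computer.

```python
"""Triage of installer telemetry query strings (added example).

Not OpenCandy's code and not the post author's captures. CAPTURE_A and
CAPTURE_B are constructed samples standing in for two packet captures from
two different installers run on the same machine; the key names are made up.
"""
import math
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed captures: same machine, two different products.
CAPTURE_A = ("http://offers.example.invalid/?v=2&zone=600&lang=en&cmd=get_offers"
             "&t=1820&os=Windows7_x64&pk=PHRS-44A1&ver=003&sig=9f2a7c")
CAPTURE_B = ("http://offers.example.invalid/?v=2&zone=600&lang=en&cmd=get_offers"
             "&t=95310&os=Windows7_x64&pk=FLST-10B7&ver=017&sig=c31e08")

# ~32 bits distinguishes ~4 billion values; below that a field cannot
# plausibly be a per-machine or per-user identifier.
MIN_IDENTIFIER_BITS = 32.0


def parse_query(url):
    """Return the query string of a URL as an ordered list of (key, value) pairs."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def shannon_entropy_bits(value):
    """Information content of a string in bits: per-character entropy times length.

    This bounds how many distinct things the field could encode; it says
    nothing about how many machines actually share the value.
    """
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def classify_fields(pairs_a, pairs_b, min_bits=MIN_IDENTIFIER_BITS):
    """Sort every key seen in either capture into one of three buckets.

    product_specific: value differs between the two installers (or is present
                      in only one), so it identifies the product, not the machine.
    too_small:        constant across products but carries fewer than min_bits,
                      so it cannot be a unique identifier.
    review:           constant across products and large enough to be an
                      identifier; needs a human to decide whether it is a
                      common value (OS string, language) or something unique.
    """
    a, b = dict(pairs_a), dict(pairs_b)
    result = {"product_specific": [], "too_small": [], "review": []}
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b or a[key] != b[key]:
            result["product_specific"].append(key)
        elif shannon_entropy_bits(a[key]) < min_bits:
            result["too_small"].append(key)
        else:
            result["review"].append(key)
    return result


def triage(url_a, url_b):
    """Parse two captured request URLs and classify their query fields."""
    return classify_fields(parse_query(url_a), parse_query(url_b))


if __name__ == "__main__":
    report = triage(CAPTURE_A, CAPTURE_B)
    for bucket, keys in report.items():
        print(f"{bucket:17s} {', '.join(keys) or '-'}")
    for key, value in parse_query(CAPTURE_A):
        print(f"  {key:5s} len={len(value):2d} bits={shannon_entropy_bits(value):5.1f}")
```

On the constructed captures the script puts the product key, version, signature and timestamp in `product_specific`, the version, zone, language and command in `too_small`, and leaves only the OS string for `review`. That last result is the edge case worth understanding: entropy measures the string, not the population, so a value shared by millions of Windows 7 x64 machines scores high and still has to be cleared by the analyst, exactly as the post does by noting that every browser sends the same information.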
I also found this in the packet analysis:
Which along with the 1 immediately above just finishes the FL Studio installation and alerts the OpenCandy server that the FL Studio installation completed. Again, nothing to worry about.
The long times there are because I was writing this as I was installing my FL Studio upgrade, and farting around with other things as well.
I hope that the above has sufficiently demonstrated that there is nothing at all in OpenCandy to remotely suggest that it is spyware.
Ad supported? Yes. OpenCandy enables software authors like me to support software by presenting people with offers to install other reputable, vetted software titles. So both Photo Resizer and FL Studio are supported by ads. That doesn’t make them spyware though. That’s an entirely false accusation that I’ve just gone on at length to prove isn’t true. You can replicate the experiment yourself with WireShark.
In related news, Eset, the makers of NOD32, have still not gotten back to me about this.
Man… I think those guys at OpenCandy should hire ME as an evangelist~! =D
5 thoughts on “Opening Up OpenCandy”
So, now please explain to me why it’s totally ok that an installer like the mediacoderhq transfers this data without my acceptance of any license or eula or opt-in/opt-out whatsoever. If I see a connection string containing Windows7…Product_Key at first sight, I’d first guess “there goes my windows license key!”. Anyhow, thanks for explaining the circumstances. But I think that it’s this behaviour that disqualifies the software (or better call it a service?). Even though they describe what is changed and transferred on their website, I do not have an option to “not” choose to install/activate it (in case of the mediacoder soft). If they are so into explaining to me what’s changed and where, why don’t they provide me an uninstaller?
I guess my only question about this is why it needs to leave behind files and registry entries if it’s strictly an installer thing. I just switched to MSSE from another program and it picked up OpenCandy’s DLL and such. It was installed in the program’s directory and not leftover temp files or anything too. If it only did what you described, I’d not really mind too much. But I’m puzzled as to why it’d need to install a DLL and registry entries and such along with the program if that’s all it did.
That sounds like an older version of OpenCandy as a previous version couldn’t delete itself – IIRC. I don’t think the newer versions do that. I would have to double check though. You might be able to get an answer from OC though. (Sorry – I can’t check ATM as I’ve got a lot on my plate.)
Above, I really only looked at network traffic.
For a Cynic, you don’t seem very cynical in your analysis.
It wouldn’t be very difficult to tie the product key, session key, or signature fields to a particular download of a product. The simplest, though least accurate, means would be a simple download->install timestamp check. More nefarious would be customized exes containing these fields for each downloader, also quite possible.
The problem there is that it doesn’t do that. Sure, we can conjecture all sorts of possibilities, but when you look at the actual HTTP traffic and evidence, what I have above is what you’re left with.