Miro installed a software package on my system (OpenCandy) and I did not give permission for this backdoor behaviour. I do not permit packages to submit other software without my knowledge and consent. When I de-installed Miro (and I will leave it de-installed until this issue is resolved), the OpenCandy package appears to still be there:
Top-level folder: c:\OpenCandy
Entries in the Registry.
Please acknowledge that you included this software and let me know how to remove it.
Hi Ripwit,
I'm sorry about this. OpenCandy is a software recommendation engine that we added recently in order to suggest other free and open source software to our users. You can find out about the organization at www.opencandy.com.
I wasn't aware that it permanently left their recommendation engine on the user's machine after running it. We'll look into that right now and fix it as soon as possible.
Thanks for pointing that out,
OK, looks like I've been stung too!
I am surprised and shocked (perhaps I shouldn't be) that Participatory Culture Foundation has bundled this backdoor adware into their Miro installation process. To my mind, it is unconscionable and reprehensible that any reputable company trojan another application onto their users' systems without clear permission and the clear option for users to opt out. And (sorry jessep) it is inexcusable that in replying to this problem, PPF pass responsibility for the problem onto OpenCandy.
Don't PCF test their installation procedures before releasing software updates to a trusting public? I really can't work out which is worse -- knowingly installing unsolicited crap onto their users' systems or unknowingly installing unsolicited crap by insufficiently quality assuring their software before releasing it? Has PCF entered the ranks of disreputable software producers that everyone eventually learns to distrust?
Completely uninstalling Miro has not removed OpenCandy from my system -- it's still there in C:\OpenCandy (ok, I'm able to delete this directory), but registry entries still remain -- what do these do and how can I remove them all -- and who knows what crapware is now running in the background on my PC.
PPF, please provide **explicit** instructions, how the heck do I rid my PC of **all** traces of OpenCandy ????
Hi Guys, here's an explanation from OpenCandy about the issues related to the folder and registry entry. Please see next comment for instructions for removing the registry entry:
"OpenCandy is not an application, as it has absolutely no functionality outside of being used by your installer to present and install offers. OpenCandy software does not execute on your system outside of the installer unless you have accepted a recommended piece of software. If you execute the DLMgr.exe software after it has completed delivering a recommended piece of software, it will do nothing other than exit.
A copy of OpenCandy software is separately installed with each application that uses it. Each application's uninstaller is responsible for removing the installed pieces (OCSetupHlp.dll and DLMgr.exe).
In our next release, we have modified the software to relocate its directory location to the logged in user's AppData directory and a defect has been corrected that created the directory when it was not needed.
After a recommender's software has been uninstalled, if a recommendation was accepted and installed, the directory is left in place because some recommended software's installers require the original install package to uninstall themselves.
(Most notably some Microsoft MSI based installers require the original .MSI file to uninstall. We are unsure why Microsoft chose this approach as it vastly complicates user's file management but given the number of MSI based installers apparently the majority of users do not mind the pitfalls)
If a user wishes to remove the OpenCandy directory, they may simply delete it noting that some installed recommended software may not be removable afterwards (see above). We highly discourage this practice and are working on a policy that would require recommended software to be removable without the presence of the original installer file. This would allow us to automatically remove the original installer file and the directory.
OpenCandy makes use of the system registry to store some data related to the operation and delivery of accepted software to a user's system. This information is anonymous and there is no association between any personal information you may enter into a recommender/recommended installer and the information stored by OpenCandy software.
We chose to use the registry to store this data in order to *prevent* the use of IP address recording, CPU ID#'s, or other unique personally identifiable means to coordinate session interactions. We believe in and strive to maintain a user's anonymity. This is no different than the use of anonymous cookies to keep track of a website session.
Session based interactions include things like:
-Installing a product
-Uninstalling a product
-Installing a recommended product
-Uninstalling a recommended product
The choice of using the registry also provides a heightened level of security for users of the Vista line of OS's. In order to interact with the OpenCandy registry entries, elevated administrator rights are required, which Vista prompts the user for consent prior to allowing access. This access level is required by Installers in general, but no common user software requires this level of access so malware cannot access this information without explicit notification of the user.
If a user wishes to remove the OpenCandy registry entries, they may simply delete the OpenCandy registry tree: HKLM/Software/OpenCandy. Doing so may interfere with some aspects of our recommendation system and provide poorer recommendations to the users that do so, however, there should be no other side effects."
So that's an explanation of what OpenCandy is and does relative to the issues outlined here. We're thinking this through right now, though, and considering our response to these issues.
How to delete the OpenCandy Registry Key:
The following instructions are tested on Windows XP. These instructions were gathered from this article on about.com. For instructions for Windows Vista (very similar) please visit this article
1. Start the registry editor
- Go to Start Menu
- Click 'Run'
- Type 'regedit', click ok
2. Navigate to the OpenCandy folder
- On XP it is located at: HKEY_LOCAL_MACHINE > SOFTWARE > OpenCandy
3. Backup the OpenCandy Registry Key (just to be safe, in case something goes wrong.)
- Right click the OpenCandy registry key (looks like a folder)
- Click 'export'
- Save the file somewhere on your computer
4. Delete the OpenCandy Registry Key
- Select the OpenCandy registry Key (looks like a folder)
- Go to the edit menu and click 'delete'
- Click 'OK' to confirm the deletion
That's it, you're done.
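The same export-then-delete steps as a script, as an added example that is not part of the original post and is not Miro's or OpenCandy's own tooling. The key, folder and file names come from this thread; the backup location, the `WOW6432Node` view (where 64-bit Windows redirects 32-bit installers) and the use of `reg.exe export /y` (Vista or later) are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: back up and remove the OpenCandy registry tree, then report
# any leftover folder or helper files. Run from an elevated PowerShell prompt.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Backup location is an assumption; point it anywhere writable.
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'OpenCandy-backup')
)

# First key is the one named in the thread. The second is the 32-bit registry
# view on 64-bit Windows (assumption: a 32-bit installer would be redirected there).
$regKeys = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\OpenCandy',
    'HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\OpenCandy'
)
# Folder and file names as given in the thread.
$folders   = @('C:\OpenCandy')
$fileNames = @('OCSetupHlp.dll', 'DLMgr.exe')

# Always create the backup folder, even under -WhatIf, so the export can run.
New-Item -ItemType Directory -Path $BackupDir -Force -WhatIf:$false | Out-Null

foreach ($key in $regKeys) {
    $psPath = "Registry::$key"
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Output "Not present: $key"
        continue
    }

    # Step 3 of the instructions: export the key before touching it.
    $backup = Join-Path $BackupDir (($key -replace '[\\:]', '_') + '.reg')
    & reg.exe export $key $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Export failed for $key; leaving it in place."
        continue
    }

    # Step 4: delete the tree only after a successful backup.
    if ($PSCmdlet.ShouldProcess($key, 'Delete registry tree')) {
        Remove-Item -LiteralPath $psPath -Recurse -Force
        Write-Output "Deleted $key (backup: $backup)"
    }
}

# The folder is reported, not deleted: per the OpenCandy statement quoted above,
# some accepted software may need the original installer kept there to uninstall.
foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Output "Not present: $folder"
        continue
    }
    Write-Output "Folder still present: $folder"
    Get-ChildItem -LiteralPath $folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $fileNames -contains $_.Name } |
        ForEach-Object { Write-Output "  found $($_.FullName)" }
}
```

Running it with `-WhatIf` first lists what would be deleted while still writing the `.reg` backups; double-clicking a backup file restores the key.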
I'm a little miffed about why use the registry at all for this type of activity. The registry should be a place to store installed software configurations, not whether a user clicked A or B on Thursday. If you want to store that level of info fine, but store it somewhere in the miro database. The miro database seems to be doing fine understanding which videos and channels I want to download... why aren't you treating the updates the same way? Treat them as a podcast... simple RSS.
On the upside, you guys have an exit button that works... Nothing upsets me more than a program that wants to start at startup, asks me if I'm sure I want to exit (when I choose it from the menu... sometimes when the X is close to other buttons that have meaning I'd appreciate an 'are you sure'..) , and 'closes to some hidden form' when I click that X in the corner. If you want to play with any of these 3, give me the option to turn it on and tell me about it, don't do it for me, and always keep them settings in the options->settings menu.
We're going to remove OpenCandy from our installer next week. Thanks for pushing back on this.
We still think the core idea of open source projects promoting one another is a great one, and we'll continue to support and promote other FOSS projects whenever possible.
I just found entries for OpenCandy while doing normal cleanup. After an internet search I came to these questions. I have to say Miro has committed a very serious violation of trust here for the following reasons:
1) You did it in the first place. --Jesse, I know you have been very pleasant on these forums but this is the equivalent of a thief breaking into my house and WHEN I find my stuff at the pawn shop, the thief offering to "graciously" give it back. Sorry, it doesn't work that way. There are some things you JUST DON'T DO. Remember Intuit's TurboTax a few years back?
2) There was no uninstall. Yes, you have given some instructions on how to MANUALLY edit the registry. Who lets average users do that?!
3) There was NO uninstall! Even with your steps above, the underlying DLL and service are still not uninstalled. I'm willing to bet that those registry entries just magically reappear.
4) You lied. I don't use that lightly. Above, you said that OpenCandy has been removed from Miro. The datestamp says "5 months ago". I just checked another machine. Download and install dates are 4/18/2009. Guess what? OpenCandy is installed.
Miro has now completely violated the user's trust.
This OpenCandy stuff is quite stinky, I cannot believe that a group that calls itself "Participatory Culture Foundation" manages to install a hiddenware-spyware called OpenCandy. I am truly impressed by the skills and foresight that are shown by the developers.
They said it was removed, but it was just removed from the installer, it keeps installing itself in a hidden manner which is even worse.
Not the nightly builds.
Jessep, the thing is that OpenCandy is in the business for collecting user data. If that is not spying on people, then what is ?
Anyways, I loved Miro and tried to support it. But this OpenCandy thing is not something I want to see in an application's installer I use (free or paid). Thus I won't be using Miro from now on.
You also need to declare on Miro's web site that Miro is participating with OpenCandy ring but you do not. This is deceptive. Do not get me wrong I am not looking for cynical motivation here but right way to do the business is to declare such stuff prior to download not during installation.
So what I'm seeing is that the OC files are in the registry below the PCF registry entries. And the OC files are getting installed in the C:\\Program Files\Participatory Cult...\Open Candy directory.
For me, testing nightly builds regularly, it's 1 extra screen to click next on, as the OC option is set to Don't install, by default. After that - it doesn't do anything.
The next day when I install the nightly again, yes, another install, another offer. But I think if OC was really devious and spying on me, it would make a new unique offer, not the one I had declined the day before. Or even a few minutes before depending on the tests I was running.
I think you are over-reacting.
the problem is that it's not disclosed
that another software company is installing on my computer
when i choose a software i don't want more
OC is trying to help sales-fine
i need to know before i download
exactly what i'm getting
over-reacting? i don't think so
it's not dangerous-the file and reg entry
it's done without informing that i'm getting two software companies
not 1 like i choose
i will opt-out of OC until they and the softwares involved disclose this practice
and build an uninstall or opt out of OC
it's exploiting a loophole and most users will not see it
perhaps that's the plan, since it's already in the computer before you can stop it
Guys, OpenCandy is installing itself whether you opt in or not. Instead of playing it down why do not you just look into the problem? We are not talking about the recommended software we are talking about repeated OpenCandy registry entries and installation files regardless of the state of the choice during installation.
Sure everyone has their opinion, I do respect that but the thing is that this issue has nothing to do with an opinion or perspective. I happily downloaded Miro and ended up with something called OPENCANDY. Yes I can delete it but I can delete the things I see. How am I supposed to know what else they put on my computer? I do not trust them a byte, a nibble, not even a bit.
If the developers think that they can make money out of this thing they are wrong. I hope they make but this kind of stuff generally blows back. Did you know that founders of OpenCandy at some point were founders of shameful DIVX?
"At one point, DivXNetworks offered for download an "ad supported" version of their DivX Professional product free of charge to users who were willing to view advertisements. The ads were delivered by the GAIN ad server software. While this attracted much criticism at the time, users had to manually select the "ad supported" download rather than the for-pay professional version or the free version. Additionally, users were informed during installation of the ad-supported version that the Gator software would be installed on their PC and were presented with a license agreement to which they had to consent in order to continue the installation. Regardless, the Gator software would still install parts of itself without the user agreeing to this installation, and was difficult to remove after installation. This raised considerable consternation amongst DivX users, causing many to turn to its free software rival, Xvid. "
Disclosure -> Transparency -> Choice
The Problem? Disclosure!
The Solution? DISCLOSURE!
Some of you know me from other threads, but for those that don’t, I’m Dr. Apps, Software Community Guru for OpenCandy. I joined OpenCandy at the end of February of this year. I discovered OpenCandy when I was updating MediaCoder in November, 2008 (see here: http://twitter.com/drapps/statuses/1018127759). (Sorry, can’t help but intro myself.)
Jesse and I discussed this thread at length over the last two days and I realized I’ve been missing the message on what you said you wanted. Which is disclosure. At OpenCandy we are passionate about doing what we do in a way that is respectful of users. If there is a way to do it better, we are all for it.
We have already begun work on messaging for the Miro download page to inform people that Miro’s installer includes recommendations powered by OpenCandy.
Disclosure is all well and good. But if people don’t know what we actually do, why we do it and most importantly HOW we do it, they aren’t going to be able to make an informed decision about OpenCandy.
What We Do
We provide technology and a network to enable software developers to choose software (or services) they love or believe their users will find valuable and present it to users as a recommendation during installation of their software. Our network is moderated; meaning those that wish to participate must meet certain guidelines to ensure safety, security and transparency to users.
Why We Do It
Yes, the people who started OpenCandy were former DivX founders, executives and engineers. Yes, they made business decisions while at DivX, for DivX that I personally (as a user-advocate and computer fix-it guy) didn’t agree with. This isn’t about DivX though, this is about OpenCandy. After leaving DivX, they realized that some of what they learned about software distribution could be applied to something that revitalized the software community for the mutual benefit of USERS AND DEVELOPERS. They saw how third party bundling was being done in a non-user friendly manner (from the install experience to the privacy issues) and created a vision and framework to do it in way that DOES offer an optimal user experience. OpenCandy was born.
How We Do It
The OpenCandy Installer Plug-in.
If you decide after receiving a recommendation that you don’t want the OCSetupHlp.dll on your computer, feel free to delete it. I guarantee it won’t magically re-appear.
#2) Installer Analytics
The plug-in also enables publishers to learn ANONYMOUS aggregate statistics like how many times their software is installed and uninstalled. This helps developers create better software and drives competition in the software community. The thinking is that if a software publisher knows how many times their software is installed and uninstalled then they’ll be able to notice, for instance, if one month a new version they released results in a statistically higher rate of un-installations. Then they can reach out to their community (via blogs, forums, etc) and say “Hey, the recent release of our software is resulting in 30% more uninstalls. If anyone has any ideas why, please chime in and let us know what you think is causing this.”
To reiterate: The OCSetupHlp.dll has ZERO functionality by itself. It only runs as part of the installer it was integrated with.
Wrapping it up :)
I know it’s hard for people to understand (or accept) what OpenCandy does unless the information is readily available. Our new website will be launching soon and I’m also working on getting our FAQs up here (on GS).
I’m glad to be able to have this conversation out in the open for everyone to be a part of. That way we can be sure we’re doing the right things and that our actions match what we’re saying. :)
We are really proud of what we’re doing, why we’re doing it and most of all, HOW we go about doing it. That’s why we have awesome partners (like Miro) working with us. They’ve had the chance to learn our story because we’ve communicated and shown it to them, but until now we haven’t had the chance to share it to the rest of the world. :)
Dr. Apps / Andrew
No matter how you "sugar coat" it OpenCandy IS adware and spyware. First off aren't the recommend programs a type of ad? Personally I think so. Also anything that sends info back from my registry is considered spying. "Anonymous" or not. Besides how can it be anonymous when you get my IP and other info unique to only my machine?
Dr Apps you made a claim that it sends data back when an OpenCandy app is uninstalled, so if the OC dll can be removed at ANY TIME how does this function still work then say the dll is removed? Also if users are running firewalls and BLOCK OpenCandy/ app installer from accessing the internet how will OpenCandy still function and what use will it have? I think the ONLY REAL thing it will succeed in doing is ruin people's trust in otherwise good software.
Software developers PLEASE don't bundle this with your software. Nobody likes being forced into installing unwanted third party apps especially adware and spyware. This concept DOES NOT work, it's been proven with Gain (Gator Advertising and Information Network), Cydoor as well as numerous IE toolbars.
Oh and one last note Dr Apps if you claim your program is so legit how come you don't release the source code and tell us the REAL facts as opposed to being so vague and writing the same thing, nearly verbatim, on all sites that you post on?
The Internet Unibomber
The presence of opencandy should have been disclosed up front, before any download or install.
To date no disclosure has been done upfront.
This is opencandy's mistake.
As well as those who choose to include it in their product.
Discovered and in the open by end users instead of opencandy or its clients. And how to remove it.
This is not good business practice.
opencandy's file, transfers personal use information over the net.
I didn't say-
"personally identifiable information".
I said personal information.
Recording my personal address is not the issue.
What I download and uninstall, is, that includes opencandy, in your own words.
Other software has pop-ups in their own software, not all, but some, that will trigger a 'why, and how can we help make it better' web site or form. And that is a software I picked to download.
But they don't have a separate software company bundled to report what I install or uninstall. Never asked for it and don't want it either.
There are download counters that keep track of how many downloads of any software. That should be enough info to determine its usefulness. As well as blogs and forums posted by the software themselves or other sources of info.
If you want me to let opencandy monitor or report to another software vendor, what I install or uninstall.
Please ask first.
And I'll decide if I want that software installed and that info monitored.
You change words of others which changes the subject. Avoiding addressing the concern posted.
To Dr Apps
Ok our views as to what can be adware could differ so I'm not even gonna argue that. But when your plug-in is sending back ANY KIND of info off my machine that I do consider a form of spying. For example the apps I have installed on my machine. That is only for me and the other users of my machine to know. NOT for some company of the internet.
When I was referring to being forced into installing third party apps I WAS NOT referring to the recommended app but to the OpenCandy plug-in itself. Isn't it a kind of app considering its code being executed on my machine? Maybe it doesn't have any power without the host installer but nonetheless it's still code I never consented into executing. Personally I don't like it when an app I choose to install comes bundled with stuff I never consented to.
Also you said it yourself that when the installer is blocked from the internet OpenCandy won't work, so then what purpose does it serve? In other words what will be in it for you guys at OpenCandy and the developers say a lot of people blocked it? Next why can't the recommendations be HARD CODED into the installer without the need of the plug-in? Albeit they won't be as personally tailored but could be chosen at random from some internet server with a ONE WAY stream to the others machine. Therefore possibly eliminating the "spying" factor.
I never meant that anything closed source was not legit. In fact I do use several closed source apps myself although I do prefer FOSS alternatives when given the choice. I'm just saying that if OpenCandy released the source to their plug-in it might better convince the skeptics to OpenCandy's legitimacy.
The Internet Unibomber
1) You said that with the latest version the OpenCandy folder and its contents will be deleted after install of the app/apps (assuming the recommended one was chosen). Will the regkeys and cookie also be removed?
2) Say someone did install an app with OpenCandy and did choose the recommended app will the recommended app also include OpenCandy and if so where will it end?
Being a nice person or not is not the issue either, nor the rest of your post.
Your percentage estimate is a guess at best.
I'm talking about facts, you are not.
And advising the use of a firewall?
To block your own program?
List the programs using opencandy.
I dare you to be honest.
Open Candy is still around, unfortunately. I installed IEPro for IE7 and was promptly peddled whether I wanted to download that piece of garbage, IE8 or not. Of course I opted out and installed IEPro for IE7 and still wound up with Open Candy on my machine.
Dr. Apps, get a clue. It seems 98% of the responses you've gotten here are negative. If I want to opt in, then by all means, install Open Candy. If I opt out, I shouldn't have ANY traces of it on my computer, whatsoever.
I’m PISSED & ANGRY @ Open Candy. This thing is spyware and should be STOPPED all its doing is killing F/OSS and making people lose trust in those developers.
see the change log
OpenCandy has changed NOTHING!! I do not even know how many registry errors I have because of them. The only way I found out about this at all was having my computer continuously crash *^%%$^$.
I have RAM and virtual memory errors all over the place...your company declared it would release a clean copy that fixed the bug that www.opencandy.com had in their software.
Thanks for nothing but problems...
Pissed off and hurt that I put my trust in your product and at myself for giving your company the trust...my own stupidity...never again!!!