
Controversial Advertising Program Now Being Embedded in More Software

OpenCandy (OC) is a relatively new advertising product that more and more software developers are bundling with their programs. It can now be found in the installers of dozens of popular programs including IZArc, mIRC, PrimoPDF, Trillian Astra and more.

OpenCandy employs some controversial techniques in its operation and this has created some heated discussions in internet forums and blogs. Some say it is adware or spyware while others say it is just another legitimate form of advertising. Either way, you need to be aware of this product and its potential pitfalls.

How OpenCandy Works

OC makes software recommendations to users during the program installation process. That is, while you are installing one product you get an invitation to install others. Users can accept or reject these download recommendations from OC; it is their call. Here's an example of how it works when you install the excellent free archiving program IZArc.

At the start of the IZArc installation process you are presented with the licensing agreement which clearly flags OpenCandy as a separate agreement.

And here's what the agreement says:

If you agree to this you get offered other products to install before installing IZArc. The products offered depend on what you already have installed on your PC - OpenCandy scans your PC to find that out. Here's what I was offered:

Notice that neither option is preselected; you have to make a choice one way or another. Not all implementations of OC work like that. Sometimes the "install" option is preselected. That means that users who just mindlessly click through the installation of the product they want to install will also end up downloading and installing additional products. How OC is configured depends on the software vendor; the developer of IZArc in this case.

Harmless Advertising or a New Form of Spyware

Now to some readers all this may sound harmless enough but there is more to it:

  • The recommendations made by OC are partly based on the products you already have installed on your PC. OpenCandy determines this by secretly scanning your PC without ever asking your permission.
  • While you can elect not to download any of the programs suggested by OC you cannot opt out from installing OC itself; it is fully embedded in the installation process. The situation is made worse by the fact that some software vendors don’t even mention in their End User Licensing Agreement (EULA) that OC is included as part of the installation process for their product.
  • If you accept any of the software recommendations made by OC then not only will that software be downloaded and installed but OC will also permanently install itself on your PC as well.
  • Regardless of whether you accept or reject OC’s software recommendations OC will transmit information about your PC back to the OpenCandy Corporation.
  • Some anti-malware programs including Microsoft Security Essentials flag some products containing OpenCandy as adware.

The makers of OpenCandy have published some credible counter-arguments. They claim:

  • Many installers from reputable companies scan your PC during the installation process to check for old versions, the existence of essential components and more.
  • They also claim that OC installs nothing permanently on your computer should you choose not to accept any OC download recommendations.
  • They state that any data about your PC sent back to OC is the kind of general information collected when you visit a website and contains no personally identifiable information.

They also put forward an argument that OC is not adware as it does not conform with the Wikipedia definition of adware as programs that display ads during program operation or usage. Using definitions to deflect the argument is ridiculous. OpenCandy is without doubt adware. Yes, it displays ads during product installation rather than product operation but the effect is the same. To claim otherwise is fatuous.

But there is nothing particularly wrong with adware. Many reputable products like the free version of Avira AntiVir and AVG Antivirus are adware. The product ads are the price that many users are prepared to accept in order to get the product for free.

Is OC spyware? There is little evidence to suggest this; rather, it seems to be just another form of adware. However, it does worry us that the distribution model OC uses could potentially be used to turn the product into spyware.

In fact that’s the aspect of OpenCandy we find most disturbing. With the product now installed on a huge number of computers the current or future owners of the product could be tempted at some time in the future to more aggressively utilize the huge installed base. Can the OpenCandy Corporation or its successor be trusted not to exploit this opportunity? Will a hacker break into their system and create a huge botnet? Who knows; nobody can know but the possibility itself is disquieting.

The Gizmo’s Freeware Policy on OpenCandy

We thought seriously about banning any product containing OpenCandy from our website but have decided against that on two grounds:

First, we have no evidence that OpenCandy is a malicious product or spyware. It is simply an adware program. Yes, it is a product that makes us feel uncomfortable in the way it pushes privacy limits, and even more uncomfortable with the potential for the model to be exploited, but these are ultimately soft objections.

Second, to ban products containing OC would deprive our users of the right to make their own choices as to the products they wish to use. Some of the programs that contain OC are of outstanding quality. If users wish to use these products knowing that they contain OC then we need to respect that choice.

We have however decided to attach some strong conditions to products that contain OpenCandy:

  • Gizmo’s Freeware will not list any program that contains OpenCandy in its installer and does not clearly state this fact in its End User Licensing Agreement (EULA).
  • Gizmo’s Freeware will not list any program that contains OpenCandy that does not provide users with the ability to opt out of all recommended downloads.
  • The presence of OpenCandy will be treated by our editors as a negative when preparing our lists of recommended programs. It will be left to individual editors whether a program’s features and other strengths are sufficient to offset the inclusion of OpenCandy.
  • Where we do list programs which we know contain OpenCandy we will clearly alert our readers to this fact.

This policy is now in place but it will take some time** for us to check every product and decide whether we will continue to recommend it. If you are aware of any product we recommend that contains OpenCandy then please leave a comment at the bottom of the program review.

Now I know some people will consider these initiatives to be an over-reaction while others feel we have not gone far enough. What we have tried to do is balance the right of our readers to make their own informed choices about the products they use against the concerns we have about the OpenCandy marketing model.

What I can say is that we will keep the situation under ongoing review. Should the OpenCandy company show any indications they are moving their product in a direction that is not in the interest of our users then we will immediately ban all products containing OpenCandy from this site.

** To the best of our knowledge, all products listed here which contain OpenCandy have now been identified and an appropriate advisory added to the text. The situation is fluid though as some authors will no doubt remove it and others will begin bundling it with new software. If you discover an incidence of OpenCandy within a product listed here which is not marked as such, please inform us by leaving a comment on the appropriate page, or by contacting one of the mod team directly.


Gizmo


Comments

by Anonymousgh (not verified) on 7. April 2011 - 13:48  (69655)

The OpenCandy website is blocked by a HOSTS list provider, either MVPS or hpHosts.

by discs on 7. April 2011 - 13:54  (69657)

Yes, an article on the use of JauntPE, Universal Extractor etc. would be great. A question: does using a portable application mean it usually has to be run with administrator rights, rather than LUA/UAC controls; if so, are there increased risks?

by AltNrg4U (not verified) on 7. April 2011 - 13:55  (69658)

I agree with Graham. This is the first time I have heard anything about "portable versions". I would greatly appreciate a more in-depth article with explanations and some specific how-to steps. Regardless, thank you for the information AllenM.

by jason on 7. April 2011 - 14:02  (69659)

Some more info about OpenCandy:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?...

At least MSSE detects OC as Adware.

Apparently the OC components talk to servers at OpenCandy.com - so a hosts entry for 127.0.0.1 for that domain is probably a good idea (just in case).

by MidnightCowboy on 7. April 2011 - 14:03  (69660)

Usually, Googling the product name followed by "bundled install" will reveal possible causes for concern in the first few search results. I don't think this is too much to expect of users unless these issues don't concern them.

by stoobee on 7. April 2011 - 14:39  (69661)

Perhaps an easy way to remove having OC remain on a computer after too late realizing it is there is to install an uninstaller beforehand. The purpose of the uninstaller is to take a snapshot before and after an application is installed so that all entries are completely removed when the uninstaller is used.

by movrshakr on 7. April 2011 - 14:48  (69662)

I said to self, "self no problem...I just won't ever install anything that has this." Then I did the search for OCSetupHlp.dll, and there it was in a MediaCoder folder!

And apparently they have figured out how to get it on your machine so it is next to impossible to remove it.

If that can be done, someone please post--or write an uninstaller app.

by jimvandamme (not verified) on 7. April 2011 - 14:56  (69663)

The more of this kind of stuff I see, the more I like Linux.

by MidnightCowboy on 7. April 2011 - 15:01  (69666)

Good point. Wonder what it tries to do with Linux when you install an "affected" (LOL) program using Wine?

by Snert (not verified) on 7. April 2011 - 15:07  (69668)

Open Candy meets my specs of malware, absofushenlutly.
A legit app will inform you that it's gonna phone home for updates or whatever, and give you the option of 'Go Ahead' or "Remind me".
My firewall asks me to Allow/Disallow access and there's a check box - "Remember This Setting" - so I don't get pestered by legits phoning home for new stuff.

If my opinion counts, Open Candy is malware.
Call it anything you want, put lipstick on it and dress it in silk but a rat is still a rat.

by Jake MAverick (not verified) on 7. April 2011 - 15:08  (69669)

Many thanks for the heads up on this...but I really do think you should take a stronger line and ban any product that contains this in its entirety....it's not actually 'freeware' when the price you pay is far more damaging than a lil bit of 'money'....now is it?

by Anonymousgh (not verified) on 7. April 2011 - 15:18  (69670)

Another option is HostsMan. It has lists (MVPS, hpHosts) you can download to block sites like OpenCandy. The Microsoft entry on OpenCandy says that it uses various servers at OpenCandy.com.

I download the main black lists (MVPS, hpHosts) into my HOSTS file. They add two OpenCandy sites to my HOSTS black list (www.OpenCandy.com, OpenCandy.com), so any attempts to get to those sites would be sent to my local server (going nowhere) rather than to OC.
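The HOSTS-file blocking that jason and Anonymousgh describe in the comments above, as an added example that is not part of any comment or of the original article: a small checker that reports which names a HOSTS file really sinkholes. A HOSTS file matches exact names only and has no wildcard syntax, so the two entries mentioned in the thread do not cover other hosts under the same domain. The sample file, the `sub-placeholder` name and all function names are constructed for illustration.

```python
import os

# Addresses commonly used in block lists to send a name nowhere.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the style of a downloaded block list.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1   localhost
127.0.0.1   www.opencandy.com    # block list entry
127.0.0.1   OpenCandy.com
"""

# Names to test. The third is a constructed placeholder standing in for
# "some other server at the same domain"; it is not a real hostname.
CHECK_NAMES = [
    "opencandy.com",
    "www.opencandy.com",
    "sub-placeholder.opencandy.com",
]


def normalise(name):
    """Hostnames are case-insensitive; drop a trailing root dot as well."""
    return name.lower().rstrip(".")


def parse_hosts(text):
    """Return {hostname: address} for every mapping in HOSTS-file text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        fields = line.split()
        if len(fields) < 2:                    # blank or malformed line
            continue
        address, names = fields[0], fields[1:]
        for name in names:                     # one line may list aliases
            # Keep the first mapping seen for a name.
            mapping.setdefault(normalise(name), address)
    return mapping


def coverage(hosts_text, names):
    """Report, per name, whether the HOSTS text sinkholes it."""
    mapping = parse_hosts(hosts_text)
    report = {}
    for name in names:
        address = mapping.get(normalise(name))  # exact match only
        if address is None:
            report[name] = "not listed"
        elif address in SINK_ADDRESSES:
            report[name] = "sinkholed"
        else:
            report[name] = "mapped to " + address
    return report


def system_hosts_path():
    """Usual HOSTS location on Windows, /etc/hosts elsewhere."""
    if os.name == "nt":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    for name, status in coverage(SAMPLE_HOSTS, CHECK_NAMES).items():
        print(f"{name:35} {status}")
```

To check a real machine, pass the text read from `system_hosts_path()` to `coverage()` instead of the sample.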

by Bob on 7. April 2011 - 15:22  (69671)

Thanks for the heads up on MediaCoder - will be making sure not to update my 'old' installation... And a good reason to think doubly carefully before updating any utility (except for security reasons, of course).

by barry hennessey (not verified) on 7. April 2011 - 15:26  (69672)

I think there is enough advertising on TV. The internet should not be filled up with more crap that is not wanted.
Signed, very frustrated!!

by Anonymouse (not verified) on 7. April 2011 - 15:35  (69675)

...yes, and who's Candy going to be made open to?? (Yuk!)

by garth on 7. April 2011 - 15:39  (69676)

I'm not in favour of OpenCandy but there is no evidence to suggest it is damaging to either the system or to the individual.

by Ricardo (not verified) on 7. April 2011 - 16:06  (69679)

I don't know about this program but if its goal is to get personal information I think it must be for no good reasons.

by FelineAdvocate (not verified) on 7. April 2011 - 16:10  (69680)

If for no other or more substantive reason, OpenCandy is beyond question malware because, in whatever incarnation, it is surreptitious in its intent and functioning. Even in its concealed scan of one's computer, it is spyware pure and simple; its intent is concealed and disguised. Gizmo et al, you should have taken a much, much tougher stand on this burgeoning issue, which is much larger and more important than may seem at first glance. Even partially abetting the distribution of "freeware" infected with this vile, malicious contaminant violates our fundamental right to privacy as Americans. OpenCandy is a toxin; and its prevalence should be exposed and opposed by any means at our disposal. I urge you to revisit and reconsider your willingness to include OpenCandy-infected "freeware", admitted or not, in your site offerings. What we are seeing is only the beginning of a plague, which, unless totally resisted, will only get far worse.

by repeters57 on 7. April 2011 - 16:29  (69681)

These add-ons are a curse, mostly resource hogs, and potentially harmful. Whenever I run across software with these add-ons, like OpenCandy, I opt out of these adders. I try to use portable apps where possible. If I later find add-ons within the install I try to delete them. If I cannot find and delete the add-on offender I delete the whole of the thing. I come from a background of Commodore Vic20 & 64 with limited resources and continue with the minimalist mind set. Another way to defeat OpenCandy may be to include the DNS/URL in the HOSTS file.

by Jorpho (not verified) on 7. April 2011 - 16:27  (69682)

Am I the only one who thinks this is paranoia? To put this in the same category as the likes of the Aureate of days gone by is excessive.

I've never found a good alternative to IZArc; it seems to be the last decent freeware archiver out there. (I declare that 7Zip's interface is cr4p.) I'm not going to stop using it just because some piece of "no personally identifiable information" will get sent out when I install it.

If you don't like it, I say you can go spend twenty euros on [a commercial product].

[edit] Commercial reference removed.

by Joe K. (not verified) on 7. April 2011 - 16:37  (69683)

I raise my hand for a complete ban of this and any software that does this. And I could really care less what wikipedia has to say about anything. I couldn't find this hiding in my system anywhere and I don't recall being offered any suggested software. Thanks for the heads up. I'm surprised this has been out since 2008 and this is the first time I've heard anything about it! Why?

by Harris (not verified) on 7. April 2011 - 16:43  (69684)

Thanks for the great heads up... After reading this I did a registry search and found the following:

HKLM\Software\webcode.biz\opencandy\

Can I just delete this? Thanks... harris

by John at the Falls (not verified) on 7. April 2011 - 16:54  (69685)

There is no free lunch.

Open Candy and other such programs are a bad solution to the problem of compensating software writers. I rarely find anything here that is truly free. Or if it is, it is not the best quality. My time is valuable and I do not mind paying for quality software that saves me time. My first choice is open source software, then I look for legitimate older versions at bargain prices (Purplus) and then I subscribe to [a commercial discount site].

Software writers code, mostly with the intention of reaping some return. Unfortunately creativity and good business sense are rarely ever in the same person. An excellent creative coder is probably an inept business person.

I would be more enthused about a web site that featured and supported quality cr4p free software from independent writers for 5, 10 or 15 dollars.

Too many people want something for nothing. How many people here have actually donated to any of the software writers asking for contributions? How many people have spent weeks or months of their free time writing code to give away to unthankful strangers?

I would like to see an Open Source writers appreciation week or month where the whole Tech community is constantly encouraged to contribute to the writers of truly free software that they use. I think this site should at least encourage donations to writers that offer quality, clean and complete software for free.

A lot of times, you get what you pay for. It looks like free is just becoming a hook to catch a fool who will eventually pay a higher price.

[edit] Commercial site reference removed

by garth on 7. April 2011 - 17:09  (69686)

What we are doing is removing any software that does not explicitly state in the End User License Agreement that OpenCandy is included, if indeed it is included. Beyond that, it's entirely up to the individual (of whatever nationality) to make the choice. It only violates your privacy if you choose to install it. If an installer contains OC and it is properly listed in the EULA, it will include a link to a site that describes exactly how OC works. If you have read the EULA properly and furnished yourself with the information available, and then you choose to accept it and install the software regardless, your rights have not been violated and I think it's a little unfair, not to mention wrong, to suggest that we here at Gizmo's are somehow complicit, in any way, in violating your rights. It is because we care about what people are installing on their computers that this article has been published, and we are taking steps to highlight any software (listed on this site) that contains OpenCandy, and to remove any software that installs OC through stealth.

by Bill G (not verified) on 7. April 2011 - 17:37  (69687)

I will not be using ANY program that contains OC. Just like Sony - with their rootkit DRM software - we must send a message to software creators and vendors that there is a limit to what we consumers will accept.

Unfortunately, most people will not care enough about this, so no "message" will be sent, and it will be just one more indignity that will become a common, acceptable practice. It would not shock me if software will soon have purchase price tiers that include advertising in all but the top-tier price.

by rhiannon on 7. April 2011 - 19:24  (69694)

@John at the Falls

"Too many people want something for nothing. How many people here have actually donated to any of the software writers asking for contributions?"

I do. I donate money every month to freeware authors.
I donate to the authors of the freeware I love and use, and I donate to software authors whose products I don't use but that I want to support.
Granted the amount I donate isn't nearly what I would like to send, but it's what I can afford.
I always send my thanks and appreciation as well.

Many of us who donate time, skill and talent don't do it for the money - we do it because we have something to offer that we believe will help others.
Sending a note of thanks and appreciation for any program you use is very welcome to most people, whether you donate anything or not.

by MidnightCowboy on 7. April 2011 - 20:28  (69696)

There is a free lunch too, at least for the guy who does our garden every other week. He lost everything in the recent disaster here (Teresopolis) and now his only cooked food comes via client generosity. Presumably anyone who can afford time online could donate to society in this way, or another of their choosing. Giving support is not about A, B or how much, it's about just doing something.

by mr6n8 on 7. April 2011 - 20:53  (69698)

According to OpenCandy, removing the registry key(s) will not cause any issues other than to their recommendation system:

"If a user wishes to remove the OpenCandy registry entries, they may simply delete the OpenCandy registry tree: HKLM/Software/OpenCandy. Doing so may interfere with some aspects of our recommendation system and provide poorer recommendations to the users that do so, however, there should be no other side effects."
http://getsatisfaction.com/participatoryculturefoundation/topics/opencandy
Note: I can not link to OpenCandy as it has a yellow WOT rating, but the linked thread at the Miro fora quotes from OC's site on this.

I would still suggest making a copy to store outside the registry-just in case.

Removing other parts of OpenCandy may cause issues in uninstalling the product which came with OC.

by AllanM (not verified) on 7. April 2011 - 20:58  (69700)

No increased risks discs, nothing should be any different whether you install the normal way or portabl-ize it, and no, nothing *has* to be run with admin rights unless it would normally need them. The apps that don't work well as portable are those that use device drivers, or become services that start at boot time. Some apps like WireShark have to play funky games to become portable, generally requiring admin rights to be able to temporarily install drivers, then uninstall the drivers again and clean up after themselves when the user exits.

I can run a portable app with or without administrator rights, it all depends what I need and how I launch it. I usually run without admin rights, but sometimes I want admin rights, for example like backing up files under Windows 7 where there are all kinds of different ACLs and funky stuff that I'm not really used to yet. I'm a Unix / Linux bigot, I use Windows because I have to for work and many of the apps I want to use are Windows based, and I write some other little Windows apps for my own use. I also run with admin rights when running system performance tools, because that usually gives more access to kernel level, process, file handle, sockets etc. information.

Since somebody had never considered, or maybe heard of this before - PC rebuilds for me are now trivial. My backup consists of a few batch files using Robocopy that copy files and directories I care about to a little 160Gb external USB drive. I care nothing for Program Files, I have a directory of all my install files and another directory named Stuff that contains hundreds of portable apps. As long as I have those, and my data directories, I can reinstall an OS quickly, run four or five installers and copy my \Stuff and \Data directories back. I don't even use My Documents, My Music etc. - I have Amazon downloader, iTunes and Walmart downloader all set to put files under \mp3s which is also backed up to my external disk. Actually, I don't even have many files in my data directory, there are a couple of TrueCrypt containers that I access using (portable) TrueCrypt just as if they were additional disk drives with no noticeable performance hit.

Mmmm, an article could be nice. :-) Maybe one day. I used to contribute here quite a while ago until work pressures got the better of me and took more and more after hours work. I told Gizmo I was not doing justice to the software categories that interested me, and it would be better to give them up and let somebody else take them on and give them appropriate care and attention.

by AllanM (not verified) on 7. April 2011 - 21:12  (69701)

You're right MidnightCowboy, and rhiannon too - but unfortunately the vast majority of people want everything for free, and then complain when something is not free, or has some bugs or new features not yet in the software that are being worked on in the developer's spare time, yet would never donate their time and effort, be it writing programs, category editing, or even just short article contributing.

On the whole, we humans are a greedy, selfish, self centered species. Far reaching generalization, I know, and I know there are many, many people here who do spend a lot of time maintaining and contributing to this site. I was one for as long as I could. Maybe one day again, and I like free too, but I also give away what I write for free, and I have registered shareware and donated to many different software projects over the years. I would be willing to bet we are in the minority.

Most of us would not be willing to work for free, we want our free time to be available to us, to use on our interests, with free software and services, but we want other people to work for free either during the day, or in the spare time to give us free software.

Somebody I was talking to one day had been approached by somebody else to help him fix a computer. He asked if he could take his car to the shop the next day to get some free tires fitted, or at least, have some tires at cost price and not pay any labor. The incredulous response was no, I sell tires for a living and my labor is time and money. The other person's response was I can come fix your computer for $x per hour, I work in IT for a living and my labor is time and money. The request for help was not taken any further.
