Thread: The Story Behind the OpenCandy Adware Debacle

  1. #1
    Registered User Hawk-NGO's Avatar
    Join Date
    Apr 2010
    Posts
    63

    The Story Behind the OpenCandy Adware Debacle

    Remember the story of ESET and Microsoft OpenCandy mass false positive alerts we published a few days ago? OpenCandy's CEO has made the following statement: "I’d like to take a moment to update our partners, consumers and other interested parties on a situation that has consumed the vast majority of our small company’s attention lately.

    A few weeks ago, on February 12, the Microsoft Malware Protection Center (MMPC) classified OpenCandy’s software as “Low (threat level) Adware.” This prompted Microsoft security products (such as Microsoft Security Essentials and Windows Defender) to alert consumers downloading any of the hundreds of high-quality, trusted applications that use OpenCandy to make software recommendations in their installers.

    We believe we have identified the cause of this misunderstanding and taken action to resolve it, so it should not affect any new OpenCandy software distribution going forward. However, there still remains an issue that Microsoft is falsely alerting potentially hundreds of millions of consumers (who have downloaded or are downloading, previous versions of OpenCandy software)."
    Read more: http://www.ngohq.com/news/19519-the-...e-debacle.html

  2. #2
    c[_]
    Join Date
    Nov 2002
    Location
    Alberta, Canada
    Posts
    18,728
    Despite the lack of clarity or direction from the MMPC, our team worked day and night to decode the nuances of the policies and procedures we were presented with and in time isolated what we believe to be the source of the issue. Namely, one individual OpenCandy partner (out of hundreds) appears to have been mistakenly missing an End User License Agreement (EULA) in their installer. This means that any consumer installing this specific partner’s software did not agree to OpenCandy’s transmission and collection of anonymous information (used for purposes of making a software recommendation).

    Ok, a mistake. A mistake on the part of our partner and a mistake by us for not having the right process in place to catch that the EULA had been removed after it had passed our compliance process. The partner has since added their EULA.

    So, why would a missing EULA cause such a ruckus? We asked MMPC and ourselves the same, and we believe it may be linked to one of our software features that enables us to place and access an OpenCandy specific “cookie” (unique, non-personally identifiable registry entry) on a consumer’s machine. In reality, we’ve never used this “cookie” feature but the intent behind building it in was to lower the chances that a recommendation previously declined would be shown again. We believe that MMPC was concerned with the possibility of utilizing a cookie that may have been placed without consent during the install of that specific partner’s software that was missing a EULA.

    Note to self: don't install OpenCandy software. Can't be very anonymous or unique if they're sending YOU software recommendations and calling a registry setting a cookie.
    Last edited by STEvil; 03-05-2011 at 05:14 PM.

    All along the watchtower the watchmen watch the eternal return.

  3. #3
    Xtreme Member
    Join Date
    Jun 2005
    Posts
    442
    Microsoft didn't make the mistake. It's OpenCandy who made the mistake by collecting personal information and placing a cookie designed for selling stuff.

    Good job Microsoft. Makes me glad I've got MSE on my computer.
    PII 965BE @ 3.8Ghz /|\ TRUE 120 w/ Scythe Gentle Typhoon 120mm fan /|\ XFX HD 5870 /|\ 4GB G.Skill 1600mhz DDR3 /|\ Gigabyte 790GPT-UD3H /|\ Two lovely 24" monitors (1920x1200) /|\ and a nice leather chair.

  4. #4
    Registered User Hawk-NGO's Avatar
    Join Date
    Apr 2010
    Posts
    63
    Don't forget.. software developers need to eat too. :P

  5. #5
    c[_]
    Join Date
    Nov 2002
    Location
    Alberta, Canada
    Posts
    18,728
    Quote Originally Posted by Hawk-NGO View Post
    Don't forget.. software developers need to eat too. :P
    Then make software people will buy

    All along the watchtower the watchmen watch the eternal return.

  6. #6
    Xtreme Member
    Join Date
    Jun 2005
    Posts
    442
    Quote Originally Posted by Hawk-NGO View Post
    Don't forget.. software developers need to eat too. :P
    Couldn't agree more. Shady tactics = empty plates.
    PII 965BE @ 3.8Ghz /|\ TRUE 120 w/ Scythe Gentle Typhoon 120mm fan /|\ XFX HD 5870 /|\ 4GB G.Skill 1600mhz DDR3 /|\ Gigabyte 790GPT-UD3H /|\ Two lovely 24" monitors (1920x1200) /|\ and a nice leather chair.

  7. #7
    Xtreme Enthusiast
    Join Date
    Sep 2006
    Location
    Nordschleife!
    Posts
    705
    Doesn't this rule apply in this thread?

    4. We do not permit advertising of any kind.
    This includes offering items for sale or trade (other than in the Classifieds). Posting to your homepage, an eBay URL, a URL to another site, or announcements of new sites. This applies equally to commercial and private sites/ads. This is also not to happen within user signatures. Links to deals available online are to be posted only in Online Deals & Sales. The only allowed links in a signature will be links directly related to XtremeSystems, Xtreme D2OL, Xtreme Folding@Home and XtremeSystems affiliated website or organization. If you wish to link to your site, you may do so in your usercp which links in every post you make.
    Murray Walker: "And there are flames coming from the back of Prost's McLaren as he enters the Swimming Pool."

    James Hunt: "Well, that should put them out then."

  8. #8
    XS - Extra Strong
    Join Date
    Aug 2003
    Location
    Toronto, Canada
    Posts
    2,070
    Quote Originally Posted by Caparroz View Post
    Doesn't this rule apply in this thread?
    Considering that the suggestion is not to buy the product, it's kind of hard to draw the conclusion that the OP is trying to advertise something...
    -Phenom2 x6 1055 @stock
    -8gb ddr3
    -Gigabyte UD3
    -Geforce 7900Gt 755/1863 1.562v vgpu
    -OCZ Powersupply 600w

  9. #9
    Xtreme Addict
    Join Date
    Apr 2007
    Posts
    2,128
    Quote Originally Posted by lalPOOO View Post
    Considering that the suggestion is not to buy the product, it's kind of hard to draw the conclusion that the OP is trying to advertise something...
    I think it has more to do with linking to ngohq, which I myself see no problem with, though.

  10. #10
    Xtreme Member
    Join Date
    Jun 2005
    Posts
    442
    Quote Originally Posted by lalPOOO View Post
    Considering that the suggestion is not to buy the product, it's kind of hard to draw the conclusion that the OP is trying to advertise something...
    Look at his name and the site he linked, then read the rule.

    It's a gray area.
    PII 965BE @ 3.8Ghz /|\ TRUE 120 w/ Scythe Gentle Typhoon 120mm fan /|\ XFX HD 5870 /|\ 4GB G.Skill 1600mhz DDR3 /|\ Gigabyte 790GPT-UD3H /|\ Two lovely 24" monitors (1920x1200) /|\ and a nice leather chair.

  11. #11
    Xtreme Addict
    Join Date
    Aug 2005
    Location
    Germany
    Posts
    2,247
    Quote Originally Posted by Mad Pistol View Post
    Look at his name and the site he linked, then read the rule.

    It's a gray area.
    i don't see what's wrong about it. others are doing this all the time as well, no matter if they're posting news, reviews or whatever.

    there has to be a source. if the source is the OP himself - well, fine?!
    1. Asus P5Q-E / Intel Core 2 Quad Q9550 @~3612 MHz (8,5x425) / 2x2GB OCZ Platinum XTC (PC2-8000U, CL5) / EVGA GeForce GTX 570 / Crucial M4 128GB, WD Caviar Blue 640GB, WD Caviar SE16 320GB, WD Caviar SE 160GB / be quiet! Dark Power Pro P7 550W / Thermaltake Tsunami VA3000BWA / LG L227WT / Teufel Concept E Magnum 5.1 // SysProfile


    2. Asus A8N-SLI / AMD Athlon 64 4000+ @~2640 MHz (12x220) / 1024 MB Corsair CMX TwinX 3200C2, 2.5-3-3-6 1T / Club3D GeForce 7800GT @463/1120 MHz / Crucial M4 64GB, Hitachi Deskstar 40GB / be quiet! Blackline P5 470W

  12. #12
    Xtreme Enthusiast
    Join Date
    Sep 2006
    Location
    Nordschleife!
    Posts
    705
    Quote Originally Posted by lalPOOO View Post
    Considering that the suggestion is not to buy the product, it's kind of hard to draw the conclusion that the OP is trying to advertise something...
    Quote Originally Posted by RaZz! View Post
    i don't see what's wrong about it. others are doing this all the time as well, no matter if they're posting news, reviews or whatever.

    there has to be a source. if the source is the OP himself - well, fine?!
    Maybe I was a bit vague but looking at his/her (brief) post history all he/she does is post links to the ngohq website...
    Murray Walker: "And there are flames coming from the back of Prost's McLaren as he enters the Swimming Pool."

    James Hunt: "Well, that should put them out then."

  13. #13
    YouTube Addict
    Join Date
    Aug 2005
    Location
    Klaatu barada nikto
    Posts
    17,574
    Quote Originally Posted by STEvil View Post
    Note to self: don't install OpenCandy software. Can't be very anonymous or unique if they're sending YOU software recommendations and calling a registry setting a cookie.
    Here is a far better idea, don't install software unless you have the source code.
    Fast computers breed slow, lazy programmers
    The price of reliability is the pursuit of the utmost simplicity. It is a price which the very rich find most hard to pay.
    http://www.lighterra.com/papers/modernmicroprocessors/
    Modern Ram, makes an old overclocker miss BH-5 and the fun it was

  14. #14
    Xtreme Member
    Join Date
    May 2005
    Posts
    196
    This seems pretty mild, have you guys seen all the permissions that are granted to Android apps?
    i5 750 @ 4.2ghz
    EVGA P55 FTW
    8gig G.Skill Ripjaw @ 1055mhz
    Gigabyte 6950 modded
    Seasonic X-650
    Antec P180 modded and watercooled
    Thermochill PA160
    Apogee XT
    MCP350
