In these cases, "investigating" usually includes trying to fix it if something is wrong and probably preparing some PR.
Don't expect that pg will come tomorrow and say "I investigated. Yep, they are morons. Don't use it!" Expect same changes and a blog post from InstallMonetizer saying "We appreciate the feedback of the community and to improve the product we ..."
I don't understand if this post was supposed to be negative or positive. IMO it's positive -- if they got a lot of press/hn/etc. attention over some of their advertisers being less than ideal, and a privacy policy that was overly broad, and they're now fixing it, that's great news.
From looking at this, it looks like maybe some of their advertisers did cross the line, but I don't think desktop app install monetization is inherently evil. It's slightly annoying that Oracle/Sun bundles the Ask Jeeves toolbar with Java, for instance, but it's not any more annoying than having to pay $6 to cross the bridge.
I have never once seen app install monetization not be evil. It is one thing if an installer advertised a piece of software like how you see get firefox buttons. It is another thing to try and wedge some app install agreements between a bunch of other TOS agreements to try and trick people into installing invasive software that slows down your applications and is often very difficult to remove.
I don't really understand why YC would get behind such a business. Money isn't everything. I guess they want to disrupt malware with some new even more horrible malwares.
I've seen it "upstream" of the actual installation and be ok.
e.g. when you try to download/install Confluence, they cross-promote some other Atlassian products. It's not done too hard (and I can't find an example of it now). I've seen other "first party" examples of upsell where you are going for one product and add another product from the same vendor.
I've also seen lots of horrible malware, trash, etc. That's almost always what you see with PPI.
I think PPI is like banner ads were pre-Google. What we need is the "AdSense of PPI" to deliver really contextually relevant/well targeted PPI to users. The problem is I suspect this is really hard -- offering a $1-2 payout to put a crappy toolbar is nearly the optimum for any mass market piece of software. But, if you had more targeted software (say, an awesome reverse engineering tool), there would probably be related tools you could promote at the same time which would be win/win.
The irony is you're more likely to see this as a third-party service, since individual volumes on tools with niche userbases are really low, unless a publisher has a bunch of complementary products in-house. There's nothing specific enough for a Java JRE downloader to win out over a shitty toolbar. There isn't enough volume for a decompiler to pay someone in-house to go out and negotiate a deal with a fuzzer or something, so you either do nothing, or run shitty toolbars, or hope for a company who could provide really targeted PPI for smaller niche publishers.
I'm not saying InstallMonetizer is that now or ever, but if someone did that, I'd be really happy with them. It may or may not be a good business model, though.
Atlassian does this from within their various products. For example within JIRA it will advertise for Bamboo, which is their CI stuff. Except, we already have CI in the form of Jenkins and are more than happy with it.
It's annoying, well at least to me, because I would click on one of the various tabs in JIRA and be presented with an ad instead of the information I was seeking.
We have Jenkins set up to input data into Jira, unfortunately that integration isn't entirely fantastic and doesn't always work as well as one would hope. Mainly because Jira's SOAP API is an absolute mess.
The problem with PPI is that it creates perverse incentives that are taken advantage of by malicious people[1], in the process creating a large underground economy.
I'm surprised that YC would get involved in something as shady as this. Even if the company has good intentions, if it takes off then it's main customers are less likely to in the long run.
> It's slightly annoying that Oracle/Sun bundles the Ask Jeeves toolbar with Java, for instance, but it's not any more annoying than having to pay $6 to cross the bridge.
Yes there is a difference. I teach people to work with computers, some are really clever and do amazing things, and some of them have trouble with relatively basic things such as navigating an "Open file ..." dialog window.
None of these people would have any problems grasping the idea of having the options 1) pay $6 and cross the bridge, or 2) don't pay $6 and find another route.
But neither the 7-year old kid, nor the grandmother will be able to figure out how to uninstall this Ask toolbar.
And maybe one Ask toolbar doesn't mess up your computer, but it is one more thing they did not ask for, and those things do add up to a slow and unusable computer.
That sucks. And here's the reason why it in fact is inherently evil: But even then, they did not ask for it, were never in the position to make an informed choice, and do not know how to revert the choice they did not wilfully make. It is preying on the weak.
I have seen cases like am 8 year old kid, who had just obtained his first PC (looked like it used to be a thin client, must've been real cheap, but not in terms of weeks pocket money!), it was infested with crapware, I swear I turned my back for a few moments and saw another toolbar had appeared. Unfortunately, as you probably know, fixing a computer like that takes a whole afternoon, but that's not the job I'm there for (I can make that kind of time to help out my parents occasionally but that's about it). This kid came from a low-income family, his two parents not exactly the brightest when it comes to computers either, so, what now? Breaks my heart, really. Paying someone to clean a computer is expensive, and they don't always do a good job either (or leave some remote desktop tool in place, etc etc).
How is this not evil?
If you want to make a non-computer analogy, how about being tricked into accepting some ridiculously overpriced service in a foreign country where you don't speak the language? Classic tourist con. Those who do speak the language say "No thanks", and walk away wondering what suckers fall for such an obvious trick.
This will pull down all the bundles they offer. Interestingly, you'll find they only have 42 current advertisers... and not Norton/others listed on the site. So add liars to the list of words to describe this company.)
These are worth looking at. The majority of these "Offer Screens" don't look anything like offers, and look everything like license agreements - you know, those walls of text that no-one reads and everyone clicks "Accept" on. There's a 2010 video of the install process here, jump to 3:06min on the NSIS video.
http://installmonetizer.com/AT_Help.php
5 of the 42 Offer Screens are duplicates / same company, so I only count 37 advertisers. That's assuming this is the entirety of the offers available.
At least one of the offers "allows you to find retailers... by inserting contextual links on websites you are browsing". Another says "In order to keep software free, you will be served advertising through in-text and pop-up ads in your browser, they are targeted and relevant."
I have a hard time seeing this type of monetization as at all a good thing. Things like Facebook and Google ads can be framed as a good thing for the user and for some users often are useful. I just don't see how this type of monetization is ever in the users interest unless it is bundling mutually useful software to the app being downloaded (which isn't usually the case).
This isn't to say that these installers shouldn't be allowed to exist. Just that in general I hold YC to a higher standard. If they want to go that way, that is fine, just begins to change my opinion on the program.
"Things like Facebook and Google ads can be framed as a good thing for the user and for some users often are useful."
Google ads are useful but almost always if you follow up you will end up paying a lot more vs scrolling down to skip the ads. Ads cost money and all and eventually someone has to pay that.
I am not so sure about that, good organic results generally cost money as well. I have never seen my Google ads as a cost center that is forcing up prices, but positive ROI customer acquisition.
Long story but they are two different things: when you are forced to buy ads because your traffic crashes due to algorithm and UI changes things aren't as peachy as "let's spend $50K acquiring new customers and see how it goes." The small Adwords fish will eventually be eaten by ebay, Macys Amazon and other big spenders.
These days, searching for items and commercial topics, all I see is ads in the first page or two so for traffic ads are it. In fact, many times I click without realizing I clicked on an ad.
Low and behold traffic to other sites from Google is collapsing (1) and while good organic may cost money they should cost a lot less than $x to $xx for each click.
1 (for the second year in the row users are doing less desktop searches on Google and Google's ad clicks have increased by a lot so it's simple math)
I am wondering why the MAC address is md5 hashed. There are only so many possible MAC addresses for most consumer electronics. Couldn't you just find the md5 hash for all of them and basically create a rainbow table?
The space for MAC addreses is 281,474,976,710,656. Based on http://golubev.com/gpuest.htm, the rate for MD5 hashes is approximately 1 billion/second on a GPU.
So, in about three and a half days you could generate the whole space of MAC addresses (assuming that they only protect it with a single MD5 hash). You'd need about 1.7 petabytes to store it.
For something like this, you don't even need to generate the entire MAC address space. As of right now, there are a little more than 17000 assigned OUIs ( http://standards.ieee.org/develop/regauth/oui/oui.txt ), which means there are about 281 billion legitimately allocated MAC addresses. So, with simple filtering, you could fit that hash table into a few terabytes of storage space, and generate it in a handful of minutes.
In the ideal case, you'd only need to hash ~17000 * 2^24 MAC addresses to have a complete table, but the reality is that there are a lot of manufacturers who assign MAC addresses in products using OUIs that they haven't registered. (Registering an OUI costs US$1885, and when you're a factory working on razor thin margins, that's a lot of money.)
As an example, a $17 802.11n travel router I bought from Monoprice a few weeks ago uses 00-B0-C0 as the OUI, which has no corresponding entry in IEEE's OUI database. In the past, I've purchased cheapo no-name PCI Ethernet cards (usually with Realtek chipsets and lots of empty pads and/or through-holes on the PCBs where capacitors are supposed to go) which had similarly unregistered OUIs in their MAC addresses.
Ugh, yeah. I should have taken into consideration penny-pinching companies when doing that math. Especially when their behavior makes it hard on everyone else when the inevitable MAC conflict happens.
You could easily bring the space requirements down by storing hash chains instead of a lookup table, while still only taking minutes to reverse a given hash.
Correct. MD5 doesn't provide much security, as you can brute force the entire 48-bit space of MAC addresses rather quickly. (And as you point out, the relevant space is even less.)
They could combine the MAC with some other identifiers, like perhaps the product key from Windows or disk volume serials and hash that together.
I'm wondering, why companies who use products like this, and pay-per-installation packages don't just have a "uncheck" for add-on toolbar/adware components. This is the case with Alcohol 52% (a CD emulator) that I used on on Windows.
IMO Non-optional installation of adware/toolbars etc. crosses the line towards "evil" malware.
>"I can confirm the mac address is sent in the clear"
Forgive me if I'm missing something about TCP/IP, but why does that matter? Couldn't a man in the middle get your mac address anyway?
If not, I don't see this as such a flaw. I think they must have meant that they store it as a hash in the database. That way your data in their db is not linked to your true self/computer.
First, the idea behind hashing the MAC is so that they don't know your actual address. This doesn't work as MAC addresses have too small a space for hashing to be useful.
Second, MAC address is only exposed on the local network. It is not transmitted over the Internet, it's only at the link layer to identify nodes.
The MAC address is a globally unique identifier of the network card in the computer - hence it's pretty useful to uniquely identify the machine/user. It's also very stable; unlike cookies or data stored in the registry it won't be changed by the user or removed by crapware removal programs.
Malwarebytes isn't letting me go to their website, the "we blocked xxx IP" comes up. The game has changed, if a few major sec companies blacklist you, you are toast.
Yep this is blocked under "Pay-to-Surf" at the company where I work. Not sure what security provider they use, but this isn't looking good for a YC backed startup...
PG: we never got an update after you said you were "investigating". Can you elaborate at all?