peppeddu

Paint.NET Setup Front-End is trying to access the Internet


The installer pings the website so Rick can keep track of the number of installations, on which OS and in which language.

This information allows him to decide which OSes are worth continuing to support (like when XP's market share dropped low enough to nix it), and which languages to include in the program.

No personal information is sent or collected.



OK, but why doesn't it say that in the EULA, so that I can decide whether to agree or disagree with the software installation?

The setup program tried to grab (according to what you're saying) my OS version number without asking me first.

And since what you say in the EULA is not true, how do we know that you're not also sending something else?


Oh right, he forgot to mention pyro has a little string he hacked into the installer to tell him if you wear socks, so he knows how he should treat you...

Seriously though, you're being a little ridiculous -.- I've run multiple virus scans with several antivirus programs and PDN is clearly not malware. Even if it were, I'd still trust Rick enough that I don't mind if he shares what brand of socks I wear with pyro.



EULA is End-User License Agreement, not Full Disclosure Of Everything An Application Might Ever Possibly Do (which is generally referred to as source code). There's no such thing as "grabbing your OS version number" because that isn't secret or personal data, and there aren't any weird tricks involved in getting the information (it's a simple Windows API call). Would you like a prompt every time any application queries the OS version number, accesses a file, reads or writes the registry, tries to create a new window, uses more than 1 processor core, etc.? No, of course not. You'd spend all day being spammed with Yes/No dialogs. If you want to block an application's access to a resource, then you can create a special user account just for that program and then deny it access to files or registry keys that you don't want it to have access to. Most firewalls can also block a specific application's network access.

It's 2011. Applications use the Internet. It's not trying to hack or steal information. If it were sending over anything that could be PII (Personally Identifiable Information), then I'd have a responsibility to list something in the EULA in order to satisfy privacy concerns (and possibly laws). But it's completely anonymous. If you really want to verify it, then set up a sniffer or something and inspect the packets.

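The "set up a sniffer and inspect the packets" advice above is the right check, and this is what to look at once you have a capture (a Wireshark/tshark capture filtered on `http.request`, or the installer run through a local proxy). The script below is an added example for this thread, not Paint.NET code: it parses a raw HTTP/1.x request and lists everything that would turn a bare ping into a data-carrying request (a non-GET method, a query string, Cookie/Authorization headers, a body). Both captured requests are constructed for illustration; the host name `stats.example.invalid`, the `/ping/` and `/collect` paths, the version numbers and the header values are placeholders, not what Paint.NET Setup actually sends.

```python
"""Audit a captured HTTP request from an installer "phone home".

Added example for this thread; it is not Paint.NET code. Both captured
requests are constructed: host names, paths and header values are placeholders.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed capture of a bare "ping": a GET with no query string, no
# cookies and no body. Only the path carries data (<version>_<exit code>).
PING_REQUEST = (
    b"GET /ping/1.0.0.1_0 HTTP/1.1\r\n"
    b"Host: stats.example.invalid\r\n"
    b"User-Agent: ExampleSetup/1.0\r\n"
    b"Connection: Close\r\n"
    b"\r\n"
)

# Constructed capture of something that would deserve a EULA call-out: a POST
# with a query-string identifier, a cookie and a JSON body.
CHATTY_REQUEST = (
    b"POST /collect?uid=7f3a HTTP/1.1\r\n"
    b"Host: stats.example.invalid\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 24\r\n"
    b"\r\n"
    b'{"machine":"DESKTOP-01"}'
)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, host, path, query, headers, body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "host": headers.get("host", ""),
        "path": parts.path,
        "query": parse_qs(parts.query),
        "headers": headers,
        "body": body,
    }


def audit_request(req: dict) -> list:
    """Return the reasons a request cannot be called a bare, anonymous ping.

    An empty list means: GET, no query string, no cookie/auth header, no body,
    so the only information on the wire is the path itself.
    """
    findings = []
    if req["method"] != "GET":
        findings.append("method %s can carry a payload" % req["method"])
    if req["query"]:
        findings.append("query string parameters: %s" % sorted(req["query"]))
    for name in ("cookie", "authorization"):
        if name in req["headers"]:
            findings.append("%s header present" % name)
    if req["body"] or int(req["headers"].get("content-length", "0")) > 0:
        findings.append("request body of %d bytes" % len(req["body"]))
    return findings


if __name__ == "__main__":
    for label, raw in (("ping", PING_REQUEST), ("chatty", CHATTY_REQUEST)):
        req = parse_request(raw)
        print(label, req["method"], req["host"], req["path"],
              audit_request(req) or "clean")
```

The point of the check is that a plain-HTTP GET with nothing but a path is fully readable by anyone with a sniffer, which is exactly what makes the "it's anonymous" claim verifiable rather than something you have to take on trust; the same script run on a capture with an encoded body would flag it immediately.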


Every respectable piece of software that has no natural business connecting to the Internet (unlike, say, a web browser) asks the user first before doing so, or makes it clear in the EULA.

As far as I know, Paint.NET (a paint program) doesn't fall into the above category.

I know, it's 2011 and legitimate applications do connect to the Internet, but guess what? It's 2011 and lots of malware does connect to the Internet.

What's the difference between the two? One thing's for sure: they ask us first.

--"Is it OK to send anonymous usage statistics?" Yes/No--

Even those free screensaver programs mention in the EULA that they connect to the Internet and collect non-PII.

I hope Paint.NET can do better than that.

Also, do you assume that everyone on the planet is on broadband just like you?

I wouldn't want Paint.NET to start a dial-up connection when I am in my hotel room overseas just because you need a ping back to the server.

Yeah I know, I can set firewalls, sniffers, sandboxes, etc, etc.

But if I have to do that I wouldn't want that software in the first place. Would you?

Ask us first, you may be surprised to see how people are willing to cooperate to make Paint.NET even better.


It sends an HTTP GET request for a file that doesn't even exist. I check the stats by looking at the 404s. There's no real payload being sent or received. It only does the ping if you're already connected to the Internet. It does the check on a background thread. I understand the concern about malware, and it's perfectly reasonable for you to raise the question. But in this specific case it's a trivial good-faith, best-effort ping which can be easily verified by those who know how to do so. It's so benign that I honestly don't think it needs a callout in the EULA or a confirmation dialog/checkbox. You'd be surprised how many people opt out of any kind of "statistics tracking".

Also, the installer ping only nets me information about the version of Paint.NET, and whether installation succeeded or failed. If you want, I can tell you where the code is in SetupFrontEnd.exe and how to inspect it with Reflector. (Maybe there's an extra check that should be added for some corner case or something, akin to the dial-up scenario you mentioned). The updater nets me stats on OS version, CPU architecture (x86/x64), and language.



There's no need to inspect the code, I just would like to know beforehand if it needs to phone home, and it would be even better to give us an option to opt out.

I am actually one of those guys that do read the EULAs and any other documents that come with it, before installing a piece of software.

I have a machine dedicated to all the crapware that has access only to the Internet, not the internal network.

Paint.NET is installed in my internal network, and my first reaction after seeing the alarm pop up was, WTF?

In 2011 "free software" usually means two things:

#1 The developers are trying to get a wide enough user base to justify outside investors

#2 The application just wants to get hold of and sell your data for the privilege of using their software

IMO Paint.NET falls into the first category. You're even signing the executable!

You want to ping or collect usage statistics without prompting? Fine, just let us know so that we can decide accordingly and we don't get surprised when an access alarm pops up.

Even Microsoft in their Event Log Online Help prompts the user before sending the OS version number and other data.

Personally that's the kind of software I would want to run on my machine. I may not be the only one.


Well, I guess we just disagree on the severity of what's going on here. I completely understand your position, and in general I agree, or at least I agree that it's a reasonable position to take. When I think of an application "phoning home", I imagine two-way communication with a payload and a response. If those payloads were encoded somehow, then the end-user (if they knew how) wouldn't be able to verify that nothing sketchy is going on. In this case, nothing sketchy is going on (I hope we can agree on that), and it's also possible to verify that (someone does not have to take my word for it, they can do their own inspection if they desire). In fact, the file name that it requests from the server is something like, http://www.getpaint.....58.1234.5678_0, where the last 0 means success and other integers are the Windows-defined error codes (many of us have become familiar with the rather unhelpful "1603" error code).

I liken the ping at the end of the Paint.NET installer to some gentleman standing at a mall entrance (or wherever) with one of those clicky counters and he pushes the button anytime someone enters the mall. His only mission is to quantify the amount of traffic. He's not taking pictures, he's not trying to memorize anyone's face, he's not trying to figure out if there are rich or poor people coming in at certain times of the day. He's not tracking which stores they go to, how much they spend, or even if they are smiling or grouchy. He doesn't have to ask any patron's permission to count that they walked through the door, because it's anonymous and what I would consider to be "fair use". The mall has a legitimate reason to know how many people are coming into the mall, as they need this information for planning and reporting. (Or, maybe they don't have a gentleman with a clicky counter, instead they have a turnstile.) Many people won't even notice he's there, or if they do stop and ask him what he's doing then he just says "I'm counting" and they move along because it's just not very interesting.

Likewise, I have a legitimate reason to know how many times Paint.NET has been installed, and whether it was successful (I think we can all agree on that). I've put a ton of time into this application, yet I give it away for free (two simple facts). I honestly believe it's fair for me to know how many times it's been installed, and that I don't have to ask permission to get that information, so long as I'm doing it in an ethical and unobtrusive manner (which I do believe is the case). It's done in a way which can't net me any extra information, and in a way which shouldn't get in the way of certain configurations where Internet access is unavailable (dial-up) or restricted (firewalls), and it's done in a verifiable manner. Similarly, the mall guy doesn't stand in front of the door and ask each person's permission if they'd like to be counted. Calling attention to the counting can, in some cases, actually make it seem more sketchy. "Why do they need to ask permission just to count traffic? What else might they be doing, or planning to sneak in later?"

Like I said before, it's 2011. I should be able to do a simple, truly anonymous, verifiable ping without needing to announce it ahead of time, without asking permission, and without being associated with criminal activity even after thoroughly explaining what's going on.


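Two of the posts above describe the server side of this scheme: the stats are read off the web server's 404 lines, and the requested file name ends in `<version>_<exit code>`, where `0` is success and anything else is the Windows installer error code (such as 1603). The script below is an added example of that aggregation, not Paint.NET's own tooling. The access-log lines are constructed in Apache common log format with documentation-range IPs; the `/ping/` prefix and the version numbers are placeholders (the real URL is elided on the page and is not reproduced here). 1602 is included alongside the 1603 mentioned in the thread because it is the standard Win32 "user cancelled" installer code (ERROR_INSTALL_USEREXIT).

```python
"""Turn web-server 404 lines from an install ping into install statistics.

Added example for this thread, not Paint.NET's own tooling. Log lines are
constructed; the "/ping/" prefix and version numbers are placeholders.
"""
import re
from collections import Counter, defaultdict

# Constructed sample access log (Apache common log format, documentation IPs).
# It includes a non-ping 404 and a 200 for a ping path, both of which must
# be ignored: only 404s for the ping shape count.
ACCESS_LOG = """\
192.0.2.10 - - [04/May/2011:10:02:11 +0000] "GET /ping/1.0.0.1_0 HTTP/1.1" 404 209
192.0.2.11 - - [04/May/2011:10:05:43 +0000] "GET /ping/1.0.0.1_1603 HTTP/1.1" 404 209
198.51.100.7 - - [04/May/2011:10:07:02 +0000] "GET /ping/1.0.0.2_0 HTTP/1.1" 404 209
198.51.100.7 - - [04/May/2011:10:07:09 +0000] "GET /ping/1.0.0.2_0 HTTP/1.1" 404 209
203.0.113.5 - - [04/May/2011:10:09:55 +0000] "GET /ping/1.0.0.2_1602 HTTP/1.1" 404 209
203.0.113.9 - - [04/May/2011:10:11:20 +0000] "GET /favicon.ico HTTP/1.1" 404 209
203.0.113.9 - - [04/May/2011:10:11:21 +0000] "GET /ping/1.0.0.2_0 HTTP/1.0" 200 512
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Path shape from the thread: <dotted version>_<exit code>. Prefix is a placeholder.
PING_PATH = re.compile(r'^/ping/(?P<version>\d+(?:\.\d+)+)_(?P<code>\d+)$')

# Win32 installer result codes: 0 success, 1602 user cancelled
# (ERROR_INSTALL_USEREXIT), 1603 fatal error (ERROR_INSTALL_FAILURE).
KNOWN_CODES = {0: "success", 1602: "cancelled", 1603: "fatal error"}


def parse_pings(log_text: str):
    """Yield (version, exit_code) for each 404 whose path matches the ping shape.

    The client IP is matched and then deliberately discarded: it is the only
    field in these lines that could identify anyone, and the counts don't need it.
    """
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("status") != "404":
            continue
        p = PING_PATH.match(m.group("path"))
        if not p:
            continue
        yield p.group("version"), int(p.group("code"))


def summarize(log_text: str) -> dict:
    """Count installs per version, split into successes and failures by code."""
    per_version = defaultdict(Counter)
    for version, code in parse_pings(log_text):
        per_version[version][code] += 1
    report = {}
    for version, codes in per_version.items():
        total = sum(codes.values())
        ok = codes.get(0, 0)
        report[version] = {
            "installs": total,
            "succeeded": ok,
            "failed": total - ok,
            "failures": {KNOWN_CODES.get(c, "code %d" % c): n
                         for c, n in codes.items() if c != 0},
        }
    return report


if __name__ == "__main__":
    for version, stats in sorted(summarize(ACCESS_LOG).items()):
        print(version, stats)
```

One practical caveat the thread's mall-counter picture leaves out: the request itself carries nothing identifying, but a default web server access log does record the client address next to every 404, so the aggregation above reads that field only to skip it, and the raw log's retention is where any privacy question about this scheme would actually live.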
