177 comments

[ 4.8 ms ] story [ 212 ms ] thread
Whoa... Stay classy, Oracle.
Stay classy? They've been doing this to Windows users for ages.
So they've done their users a favor by providing a consistent experience over all supported platforms?

I'd really like to listen in to one of the meetings where decisions to do such kind of blatant platform-abuse is being discussed. Possibly alternatives A/B/C (you always have to have 3 alternatives, right?) are the Ask-Toolbar, a bitcoin-miner or adding the end-user-PC to a botnet for DDOS-extortion, so we can be lucky that they agreed to do "A".

That's pretty much the definition of "to stay", e.g. keep doing what you've been doing.
TL;DR

If the user keeps to the default installer settings and goes next, next, next... AND in Safari deliberately selects "Install" (not pre-selected) in the confirmation window, the ask.com toolbar will be installed.

So similar to Windows and avoidable but still annoying.

I can kind of understand some small software developers out there doing this stuff to make a few extra dollars but Oracle? It just seems so unnecessary. I guess they just can't get their head around giving something away for free.

Some more information...

"When you have a commercial relationship like this, not only are you dealing with your [own] corporate policies on communication, and revenue recognition and all that kind of stuff, but you also have a commercial partnership and agreement that you have to abide by and follow," said Smith during the call.

Smith also defended the practice by saying Oracle had inherited the deal when it acquired Sun Microsystems, the creator of Java, in 2010. "This is not a new business, this is not something that Oracle started," Smith said. "This is a business that Sun initiated a long time ago."

Sun had bundled third-party software with Java since at least 2005, when it offered a Google toolbar. In the following years, Sun made similar arrangements with Microsoft and Yahoo, before switching to Ask.com.

With Java, it's true our installer waits 10 minutes before running the install process, but this to ensure the JRE [Java Runtime Environment] updates properly without additional strain on a user's computer," an Ask.com spokeswoman said in an email reply to questions Monday. "This is not intended to trick users."

http://www.computerworld.com/article/2494794/malware-vulnera...

The defense that "hurr durr Sun did it and we just haven't removed it yet" doesn't apply when you're actively adding it to installers on other platforms.
It still changes your browser homepage with an opt-out checkbox, it's pretty bad.
It appears to tell you you've installed the extension, then ask you if you want to install it. Anyway, it would be fairly simple for someone not paying careful attention to install something completely unrelated to what they're actually trying to install; that's a trojan in my book.
I agree. That's why paying attention is important when installing 3rd party software. Especially when an installer requests admin privileges.
Which is probably what the average user does, if I extrapolate the data from friends and family.

Installing adware with security updates is just so wrong on several points. It is difficult enough to get non-techies to install security updates and now you additionally have to teach them to watch out for crapware that someone sneaks in there.

I'm choosing C# over Java whenever I can, just because of the ask.com toolbar, seriously I find it that annoying.

That's not the point. As someone who is actually a fairly big fan of Java, my concern is the damage this continues to do to Java's image in the minds of non-technical users (especially those in executive positions).
This has already been played out on Windows. It isn't damaging anything reputation wise.
Indeed. Developers will keep chosing JVM for technical reasons, managers will keep choosing Java for business reasons, and the end-user doesn't have any choice. Want the application to run? Install Java.
Na... look for an app that doesn't need it. Haven't had Java on any of my machines for 5 years and i don't miss it one bit.
Many websites/webapps run on Java on the server side.

Also some desktop apps come with Java bundled together. The user just installs the app and runs it.

Steve jobs would build an uninstaller that ran right after to remove the shit.
I hope Apple adds it to XProtect and revokes their code signing certificate.
I installed this yesterday on my father in laws mac and don't remember seeing the ask thing...
How much $ does one make with this kind of crapware-bundling? Like how much would i get for 1000 toolbar installs?
I think the point is not for the user to make money, but the people bundling the toolbar.

I think ask.com pays whoever bundles their toolbar so it's basically advertising money, at least it seems like that for me.

That's what he is asking: How much money Oracle gets per install?
Yes, I'm fairly certain that's what the parent meant. If he was running a company doing the bundling, how much would he get paid if his bundle installed the toolbar 1000 times, now how much would he as an end user get if he installed it 1000 times on his own machines.
Aha! that makes more sense. I read that as if the user would get money for using ask.com toolbar.

But yeah, thanks to both of you.

Now that I think about it, I'm not sure if ask.com is willing to bundle their toolbar with any product. Maybe they select only high-volume products?

(comment deleted)
Unfortunately, I imagine it'd be a fair bit of money. Many toolbars track every site you visit, how long you're there, what you type on the site (including personally identifying information), and a host of other Orwellian things.

I can't imagine anyone feels good about trying to trick their users into installing this crap. If the money wasn't good, only completely amoral psychopaths would do it. As it stands, the financial incentives bring it to the point where greedy asshats are also willing to get in on the action.

Define "a fair bit of money", please.

It's telling that Facebook, a company that's not known for treating their users as anything other than a commodity to be packaged and sold, would never stoop to something like this.

In an era where a photo sharing site sells for over a billion dollars, Oracle must be raking in hundreds of millions on this deal for it to be worth the damage to their Java brand.

facebook is probably able to get data through other means. Their like button javascript on half of the internet for example.
Do any of these "other means" involve installing shady software on people's computers?

They've had many opportunities to do stuff like that with their iOS and Android apps but have never dared.

My point is they wouldnt need to install shady software on your machine. They're able to track you with their like button.
I find it amazing that people seemingly don't know that Facebook tracks you across the web through those embedded Like buttons, and more amazing that many who do know don't seem to care.
There's a reason I have the equivalent of "127.0.0.1 facebook.com" in my /etc/hosts file.
Facebook doesn't do it because they don't need to do it, at least right now. Wait until they're on the ropes, fighting for their corporate life in one way or another, then see what they do.
Given how much money there is in malware, the low risk of getting caught, and the zero risk of legal repercussions, how would you think the incentives looks like? Lenovo got caught and the legal actions so far been almost non-existent.

If this action enable someone to get a raise or a promotion, the final $ amount doesn't need to be very high. just enough to be deemed a financial successful project.

Bundleware... Pay Per Install (PPI) in industry terms... can make you a lot of money. I regularly get offers of up to $2 per install to bundle things with PortableApps.com. I could make millions in just a few months even at more industry standard payment levels. It would kill the project and hurt my reputation, of course. But it can be tempting when you run a free open source project and you're falling behind on your rent.
> But it can be tempting when you run a free open source project and you're falling behind on your rent.

Which isn't the case for Oracle AFAIK... ;-)

Google likely pays Oracle quite a bit for the default bundleware installations of Chrome. It's a way for Oracle to profit off the userbase installing Java for free and for Google to increase Chrome's share. Fun fact, Google pays Adobe a lot of money to bundle default installations of Chrome with Flash downloads as well.
That's weird... doesn't Chrome come with a custom build of Flash already? So if you download flash, you download Chrome, which in turn downloads flash?
Yes and No. Chrome comes with its own version of Flash installed. So, when you try to download Flash for your copy of Firefox, it automatically downloads and installs Chrome (with its own copy of Flash) unless you uncheck the box in the middle of the download page. Adobe doesn't care, they get paid by Google. And Google pays to increase Chrome's market share.
As far as I know if you install JDK and not JRE there should not be any additional adware. At least for now.
I installed the JRE and JDK (on diff machines) from the downloadable installers (not the updater) and neither installed the adware, nor had the option to.
This makes me wonder if they're doing a partial rollout to some small percentage of users to test the waters.
Same here, installed both JDK and JRE today and no crapware screns.
I guess the target group are less tech savvy users that install it because they don't really know what they are doing, like less law savvy people who agree every terms of use. Kind of shady but accepted practice. JDK users are probably less exploitable.
Nothing in that link claims that apps have to 'just' bundle the JRE only.
At the rate Java has been fixing exploitable vulnerabilities lately, I would rather have just one copy to keep up-to-date. I know that's not a very Mac-like attitude though.
But you only need to update the JRE's that interface with the outside world, and unless there are bugs in the JVM's network code that would be only your Java browser plugin.
There have been bugs in networking related code in the JRE. For example, I believe it was recently discovered that their SSL implementation was completely and utterly broken and enabled a MITM attacker to totally disable encryption (the SKIP-TLS attack). Guess what most software is probably relying on to protect their auto-updater?
They SSL implementation was broken against an active attacker - this is very different from being broken totally. Obviously it is still very, very bad but it doesn't mean you shouldn't use it if you are not going to replace it with anything else.
Almost all exploitable vulnerabilities are related to the browser plugin. There's no danger of keeping outdated JRE inside some application.
Unless you need Java Secure Sockets Extension to work - see smacktls.com.
New versions of IntelliJ IDE EAPs come with a JRE runtime if you choose that option. Jetbrains developers had major problems with subpixel font rendering on post-Apple JREs so they forked OpenJDK I think to fix it.
Business as usual for Java, king of bloat.
You aren't Oracle's customer. The Fortune 1000 are their customers. Oracle doesn't care about nerd outrage, the developer community, or end users.

Former Oracle employee, via acquisition. Horrible place to work.

This post is my own opinion and does not relflect insider or confidential information from Oracle.

I don't think any customer would like this.
As a former Oracle employee (also there via acquisition) I can confirm that they don't care at all about anything but the money. If adware makes money, that's OK for them. And, yes, they don't care about nerd outrage and I'm also sure that CxOs of Fortune 1000 companies don't care about adware (or us) too. Even if they care (and they probably not), they cannot afford to avoid Oracle DB and/or Java in any case. I'm sure they try in many ways to avoid to spend the insane amount of money Oracle products cost.

Ah, and yes: it is an awful place to work. For the same reason: they don't care about anything but money... Employees are COGs, nothing more, nothing less. If you find the right niche, you can live a quiet salaried life there for some years, btw... like probably in any other giant company.

Anyone care to explain how they somehow haven't ruined VirtualBox yet?
It's on the way. The performance and feature gap between VMWare and Virtualbox is widening everyday.
I highly recommend a section of Bryan Cantrill's talk where he covers Oracle - https://www.youtube.com/watch?v=-zRN7XLCRhc&t=2100 lasts two or three minutes.
For someone who can't watch videos, can you summarise?
Listen, and understand! That Ellisonator is out there! It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop, ever, until you give it money.
On the contrary, ask.com is quite happy with this. They are paying Oracle, therefore they are the customer. You are not.

This is really tragic, since the Java language and VM are nice pieces of technology. Unfortunately Oracle is killing them. I'd never use them for a new project now.

Indeed. JVM used to be widely regarded as crap, and Java as a slow, bloated language. And while Java may still be a bit bloated, it's no longer slow, and JVM became an awesome piece of tech, bringing tons of real advances in things like garbage collection algorithms, and supporting a nice ecosystem of very powerful languages.

So while Java managed to fix its reputation itself, Oracle is doing everything in their power to break it again.

At least we have Ruby, Python, Node, and OpenJDK. They can't ruin every ecosystem.
Come to look at it, you have to work really hard to ruin a programming language. Kudos to Oracle for figuring out how to reach this almost impossible goal. s/.
I'd never use them for a new project now.

Why not? There's a tool called javapackager that makes a self contained app install for Linux, Mac, Windows that doesn't require the user to install the JRE, if you're doing desktop projects. For servers this stuff is irrelevant anyway.

Java is mostly open source too, so if you wanted to make your own system JRE installer setup, I guess you could (though OpenJDK isn't identical to the Oracle JRE).

Why is it a horrible place to work?
Larry, that you?
* Developers are on a five year laptop replacement cycle.

* You will take the corporate standard laptop and like it.

* You will take the corporate standard screen and like it.

* You will take the one corporate standard virtual machine you are allocated and like it.

* Everything moves slowly, even for a corporate bureaucracy.

* None of the above applies to Sales - they can have whatever they want whenever they want, including brand new MacBook Pros yearly. (That says a lot about priorities)

* Stack-ranking system that tries to force managers to give 1/3 of the team bad rankings every year. In theory the top 1/3 are supposed to get bonuses/options, but in practice managers just spread the pain around so even as a top-performer I got screwed.

* Pay used to be kinda average, but now that the wage fixing cartel was shut down and wages have risen it makes Oracle look hilariously low.

* Lots of mandates from on high about what technologies to use

* Above mentioned technologies are heavily designed by architecture astronauts; if it makes the install 8 GB and take 15 hours all the better to push customers to consulting services. Lots of XXXFactory classes and useless abstractions.

* Be forced to tell a customer you can't restore your copy of their database to test with because ProdDev IT won't give you NAS space to store it (not that it would be fast enough to be usable anyway)

* Everything interesting or good for customers will get massive pushback; the focus is on checkboxes that CTOs can understand

* Manager turf wars and pompous blowhards abound, all looking to carve out a nice little kingdom to lord over.

It's a place to go earn a basic salary until you retire. After the acquisition, everything got much worse.

If your company is acquired by Oracle, plan your exit strategy and stay just long enough to cash out whatever options you have.

If a company you rely on is acquired by Oracle, look for an alternative immediately. They will eventually strangle you, even unintentionally just by neglect. Never put yourself in the position of relying on Oracle unless you're on the Fortune 1000 list.

Again, all my personal opinion and does not rely on any confidential or non-public information. I was just a developer and have no knowledge of strategic decisions at Oracle.

> Again, all my personal opinion and does not rely on any confidential or non-public information. I was just a developer and have no knowledge of strategic decisions at Oracle.

This seems like the sort of polished addendum you'd write if you're used to having to say it over and over and over again. Do you just have this saved as a text expander snippet and use it in all your posts?

Oracle are also notoriously litigious.

My large corp experience is that you are expected to paste a similar disclaimer on all external communications, during your employment, where your employment with that company is relevant to the conversation - explicitly such as above, or even implicitly.

The only place I see this not done is on mailing lists, where your corporate allegiance is more or less expected.

After you've had this bashed over your head a few times, it's just standard cruft to append.

I can't imagine that the Java installer asking to install the Ask.com toolbar on a Fortune 1000 CEO's home computer is terribly good marketing, though.
No Fortune 1000 CEO uses a Mac, so that's not an issue.
I think Tim Cook might.
He knows already.

Apple has stopped including Java in OS X and banned Java in the AppStore.

Oh, how the mighty have fallen. This is what developer.apple.com/java read back in 2009 [0]:

Mac OS X is the only major consumer operating system that comes complete with a fully configured and ready-to-use Java runtime and development environment. Professional Java developers are increasingly turning to the feature-rich Mac OS X as the operating system of choice for both Mac-based and cross-platform Java development projects. Mac OS X includes the full version of J2SE 1.5, pre-installed with the Java Development Kit (JDK) and the HotSpot virtual machine (VM), so you don't have to download, install, or configure anything.

Deploying Java applications on Mac OS X takes advantage of many built-in features, including 64-bit support, resolution independence, automatic support of multiprocessor hardware, native support for the Java Accessibility API, and the native Aqua look and feel. As a result, Java applications on Mac OS X look and perform like native applications on Mac OS X.

[0] http://wayback.archive.org/web/20091223033016/http://develop...

i believe they banned apps that depend on the system java.

you can still include your own JRE.

There are lots of apps in the app store written in Java. However they have to ship a bundled JRE themselves.

Oddly, Oracle provide a tool to create a DMG with a .app inside that has a bundled inside. It's very easy to use. Doing this means your users don't need to install Java themselves anymore. Seems like the left hand cutting off the revenue stream of the right hand, but hey, I'm not complaining.

Really? Perhaps not at work, but I'm sure plenty of them use Macs at home.
Who uses Java at home?

Only half-joking -- I'm not sure it has any real desktop application mindshare, though I don't know much about what people run on their Macs.

Minecraft, Starmade, and just about every 3d voxel shooter is based on Java. So there goes the other argument: that games aren't for Macs either.
Why would you say that? Just as probably >80% of them have iPhones, I suspect a fair number of them have Macs
Except it was already an issue on Windows (has been for years).
What do they use? I am curious to know
They've been doing it on Windows and Linux for quite a while.
not when you do `tar xvzf jdk.tar.gz` which most enterpirse worlds will do as they manage their own estates.
Most Fortune 1000 companies don't allow their end users to install anything so this just causes the IT guy the amount of time it takes to have the config file set to "don't do that", heck they probably only have to do it once, or the version they use may not include the toolbar.
And most IT Admins know that the best place to get the installer isn't from Java.com that has crapware built into the installer but from the link below which doesn't have crapware built in.

http://www.oracle.com/technetwork/java/javase/downloads/inde...

I think it's not that nerd outrage isn't a force for change, it's that nerds just find a workaround like this link, and then move on with their life. The rest of people get stuck w/ toolbars, supercookies, etc.
You can also use Ninite, which solves this kind of problem for quite a few popular software packages without having to remember specific workarounds for every one.
That's why he added the 'home computer' bit.
Most Fortune 1000 company's managers also hate Java/Oracle, but it was the safe choice at some point (where the alternative was probably SAP), and now they're locked in.
'tis but a simple registry edit rolled out via Group Policy.
Those guys don't touch their machines or ever install anything. IT pushes out Java from an extracted MSI (yes oracle wont even publish the MSI, you need to rip it out of the exe). Its small company and home users who deal with this crap. No one cares about them, thus toolbars and crapware.
Actually, you don't even need the msi, unless that is the only mode you have for installation. Can use the java package with a /s switch and then use the deployment.properties file with custom configs in the link below to disable many features for java.

http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/j...

Visit /r/sysadmin and ask how well that works. Oracle makes undocumented changes and breaks things all the time. So you can have the proper settings to ignore toolbars, but randomly they'll install. Whoops. Who at Oracle do you complain to?

MSI's are just safer/simpler/easier to test/easier to deploy. The fact that they hide it is pretty unforgivable.

If they are installing, you are using the wrong installer. The one from the developers section on oracle's website does not include these toolbar's. Yes, msi's are easier to work with and many companies do not provide them, not just Oracle, but when you are given lemon's you make lemonade. Especially since complaining to oracle will get you no where.
CEO's computers are usually looked after by someone from an IT department. I doubt that most of them know or care. Even on the home computer, they just pay some good local tech to keep it running smoothly if they can't figure a way to have an employee do it.
Could someone please confirm that original JRE installer downloaded from www.oracle.com contains this? (I dont have a mac). On Windows you often get modified installers, if you download from 3td party website.
The official Java updater on Windows includes offers. It usually tries to install Chrome and will do so unless you unselect it during the upgrade process.
FYI, Oracle installs Baidu (Nasdaq BIDU) bloat wares in Java Updater here in China.
On Mac?
Why the downvote? I was just checking.
Finally! I've been waiting for this for so long! It seemed so unfair that only Windows users could get the Ask.com toolbar for free...
As some commenters pointed out, the installer is now an APP instead of a PKG. The original PKG is inside the APP at Contents/Resources/JavaAppletPlugin.pkg (right click on APP -> Show package contents).
I think everyone using the Java runtime should install and use the ask.com toolbar. Why not?
This certainly poisons the Java well a little bit more in general, and desktop Java in particular. Android and a sea of line-of-business webapps will keep the Java platform healthy for a very long time, but this kind of thing makes me shake my head in sadness.

More positively, this is a an excellent data point for both free software advocates ("look at the abuse closed source enables") and Apple ("do you really want to foist crapware on your users? just use our awesome native tools to write apps!")

I imagine that this move infuriates much of the Google Android team (because it weakens the developer story slightly) and makes them very glad that they have "Android plan B" with Go.

Developers don't install the consumer JRE anyway. They install the JDK which doesn't do this. I doubt it'd make any difference to Android.

Meanwhile, for apps like Minecraft that want to distribute consumer Java apps, just bundle the JRE. It's quite easy these days.

You really don't think stuff like this moves the dial at all in a developers mind when deciding whether to focus on Android or iOS?
Crapware in installations must end.I made a desktop PC for my sister with nothing but Windows 8.1. It only took my sister, an otherwise competent computer user, 48 hours for her computer to become infested with some web-ad hijacker and numerous IE toolbars.
"an otherwise competent computer user"

"numerous IE toolbars"

IE?

Internet Explorer...
Yeah, Frozenlock's snarkily trying to imply that "otherwise competent" computer users don't use IE.
Technically rjohnk didn't claim his sister used IE, only that IE toolbars were installed.
Wow, my bad, I thought the parent was genuinely asking.
It won't end. If there's money somewhere (adware in software), it will happen whether you want it or not.
I knew I clicked "remind me later" for a reason.. what the hell. Did Oracle run out of money in its lawsuit with Google?
The bigger context is this: jamf makes software to help manage fleets of Macs, by providing abilities such as deploying a package to a group of Macs. It's quite good and IIRC Apple uses it for configuration management. If a vendor gives you a normal package, as Java once was, it was fairly easy to deploy.

Contrast deploying the JRE with a simple package vs deploying it on Windows, which usually required an ever-evolving set of hacks to extract MSIs from the installer and install it in an automated fashion without installing bloatware, having it sit in the taskbar, auto-updating (which is a no-no in an enterprise environment), etc.

Now, thanks to this change, people on the Mac side will get to experience all the joys of deploying the JRE on Windows.

Isn't there a crapware-free version you can get on the developer site?
For what it's worth, the installer app contains a .pkg for the JRE that you can install by the normal methods. OTOH, the Flash installer used to contain a normal package, but no longer does.
I suppose this system could be crashed by automatically installing hundreds of millions of instances of the Ask toolbar to the point that it is economically infeasible for them to pay Oracle.
This is really f&ed up. They are clearly against the common user that only wants to use their software. They advocate so much about security but embed a undesired software with their runtime. I really can't understand.