09-28-09, 10:40 AM   #21
ShadowProwler420
A Flamescale Wyrmkin
 
Join Date: Feb 2008
Posts: 115
You obviously have an issue with this application and don't want to use it (or maybe you DO, but are too anal about every little red flag (true positive or false positive, whatever the case may be) that comes up). We get the point!

Do you have nothing better to do than whine and complain at each response that comes around on this thread, or do you not have enough drama in your life you feel the need to continue this mindless bickering?

Just stop being such a paranoid little attention wh0z0re already and come to the realization that it is highly unlikely that WoWI would allow ANY kind of files bearing even REMOTELY malicious intent to be hosted at this site (let alone giving it as much support/backing as they have)!!
09-28-09, 10:51 AM   #22
downset
A Deviate Faerie Dragon
Join Date: Dec 2008
Posts: 18
you are just sad

i raise a valid usability and security concern, first couple of responses are don't be paranoid and how else can it be done, then the programmer tells me he can not be bothered with users or usability, then you come to insult me

again the wise thing to do would be to look into how you can fix this instead of shooting the messenger, you come over like some cult that is replying to a non believer
09-28-09, 10:55 AM   #23
Vraan
A Deviate Faerie Dragon
Join Date: Apr 2008
Posts: 19
Originally Posted by downset View Post
again the trust everything or you are paranoid mantra

also i challenge you to even name 3 applications that pop up this warning

this is a problem for both usability (it confuses the user and asks him to trust some random app over a security warning) and security (you actually advise this behavior making any security warning useless as you train users to just click allow)
Well, I don't see how you have the right to complain about what replies you get, the choice to post about it on the forum was yours.
That you worry is reasonable, of course, but like someone else already said, if the app was filled with virus or doing something shady to your computer, other users would have noticed.
And about the "Use it or don't use it" mantra is true. People have tried to explain why it needs permission the best they know, but if you don't find those reasons good enough, then it is in the end up to you whether you want to use it or not. Most likely, they won't change the application just because you don't happen to like the installer, so in the end, nothing will change.
Use it or don't, I doubt it's a life-changing decision to make.

They can't correct something that isn't there. Yes, it asks for access, and people have already tried to tell you why, but it doesn't actually DO anything wrong. No one has noticed it doing ANYTHING it shouldn't do, thus there is nothing to correct. It's you vs. an entire community, and no one else seems bothered.

Last edited by Vraan : 09-28-09 at 11:00 AM.
09-28-09, 11:11 AM   #24
downset
A Deviate Faerie Dragon
Join Date: Dec 2008
Posts: 18
you are right, a program that pops up a warning that it has an invalid certificate and wants unrestricted access is no problem at all

no other application does this, but for the complex and close to impossible task of checking a bunch of files for updates this just has to be done

only paranoid haters would complain




but don't worry my choice is made, it just amazes me that no-one even considers this a problem, i would think many programmers would reside here some that care about this kind of thing....

the only kind of posts i get is the inane justifications of people who don't even know what i mean and a programmer that does not care that his program presents itself as a harmful application

nice thing you have going here
09-28-09, 11:20 AM   #25
ShadowProwler420
A Flamescale Wyrmkin
 
Join Date: Feb 2008
Posts: 115
And the way you word your original post leads one to believe YOU are the one with malicious intent concerning this issue. You seem to be pretty much spitting in the face(s) of the author(s) of this app with the whole "This is baffling, after blocking <BLAH BLAH BLAH BLAH BLAH> you guys want full access to my computer <YADDA YADDA YADDA>" routine, then you add an exclamation point to it all with the whole "thanks but no thanks" line.

If you think you know so much about it all, why don't you stop BELLYACHING about everything and offer to HELP??
09-28-09, 11:39 AM   #26
Tristanian
Andúril
Premium Member
AddOn Author - Click to view addons
Join Date: Nov 2007
Posts: 279
Originally Posted by downset View Post
you are right, a program that pops up a warning that it has an invalid certificate and wants unrestricted access is no problem at all

no other application does this, but for the complex and close to impossible task of checking a bunch of files for updates this just has to be done

only paranoid haters would complain
Shirik has already explained that Windows requires a certain permission set, in order for Minion to work as intended. It is not possible to use the same certificate and require a different permission set for mac. Shirik was not upset because "an os caught his application that wants access to parts it doesn't need", Minion has been tested on Mac and I'm willing to bet he was well aware of the warning. The warning (albeit generic) and the "Details" button is there for a reason, which is, to allow the user to make an informed decision. It has already been explained to you why the warning exists and thus I would expect that a reasonable person would ultimately make a choice, to trust the application and install or not install. No one here is forcing you to do either thing. It's really as simple as that.


but don't worry my choice is made, it just amazes me that no-one even considers this a problem, i would think many programmers would reside here some that care about this kind of thing....

the only kind of posts i get is the inane justifications of people who don't even know what i mean and a programmer that does not care that his program presents itself as a harmful application

nice thing you have going here
No one considers this a problem, probably because satisfactory explanations have been presented. Using your logic, we should probably conclude that each and every time a security feature is being triggered by an action restricted to a specific entity (in any OS), a harmful application is always to blame. While obviously that is something likely to occur, if it was the case for every single application, I'd reckon Windows' UAC at least would have it really bad. On a more serious note, as I mentioned earlier, it ultimately comes down to a simple point: "trusting" an application and allowing it to continue functioning, the way it's designed to function, or not trusting it for whatever reason and disallowing access/deleting it/whatever. There is nothing paranoid about this and in all honesty continuing to argue over such a simple matter, iterating the same points, only weakens your point of view.
09-28-09, 11:52 AM   #27
forty2j
A Cobalt Mageweaver
Join Date: May 2007
Posts: 232
.. I think we could all stand to tone down the rhetoric.

Full Disclosure: I am a Mac user, and a very happy Minion user.

Originally Posted by downset View Post
you are right, a program that pops up a warning that it has an invalid certificate and wants unrestricted access is no problem at all
The reason warnings like this exist is to give you the opportunity to make a choice about what is happening to this system. It lets you know, when you might not have known otherwise, that something is being installed to your computer. Without this warning, your favorite **** site or gold-selling site could drop anything it wants (say, a keylogger to get your WoW credentials / online banking login / etc.) onto your computer without your knowledge.

But it is exactly that: a warning. It may as well say "Did you know you were installing Minion?" Since you did, in fact, know that, and mean to do that, you can say yes. If it said "Did you know you were installing RandomTrojan?" you could say no. If you say "no" to every warning that ever pops up, you could never do much of anything to your computer.

I'm not a user of jupdater, but after looking at it a bit I don't think it's a fair analogy. There are many java programs that you can just drop on the desktop/dock and run.. but Minion has a lot of system-specific configuration work to do. This is why it's not just a drag-n-drop.

Shirik (who happens to be the primary author) has already explained that since this is a cross-platform installer, it has to request the minimum permissions for all its supported platforms. Since one of those platforms is Windows, and the required permissions for that platform is All, that's what is requested.

On the invalid certificate issue.. there are TONS of reasons why a certificate could be invalid, up to and including greed on the part of the certificate issuer. I once had a 3-screen argument with Firefox because it didn't want me to use a certificate registered for www.<trusteddomain>.com being served by www2.<trusteddomain>.com. The best plan is just to look at the certificate and see if you can intuit that it means well. In this particular case, it may be related to the fact it is Beta software - for testing purposes by hardy users only - and therefore a signed certificate hasn't been purchased yet. If that makes you uncomfortable then - while I can assure you there is nothing wrong here - your best plan may be to wait for the official release.

Edit: the shortened form of "****ography" is filtered on this site. Who knew?

Last edited by forty2j : 09-28-09 at 11:56 AM.
09-28-09, 12:31 PM   #28
zero-kill
A Firelord
 
Join Date: Aug 2009
Posts: 497
He sounds like the kind of person to call his ISP and whine about the speed of his internet when he's using a wireless g router, in the basement, which is 3 floors under the router, on a slow computer, with 256K ram, running Mac OS 8.4. (or Windows 98).

Last edited by zero-kill : 09-28-09 at 12:53 PM.
09-28-09, 01:01 PM   #29
MidgetMage55
Grinch!
 
AddOn Author - Click to view addons
Join Date: Feb 2007
Posts: 1,498
Shirik explained his reasons for why the app does what it does.

You either accept this and trust his reasons or you don't.

Install it and move on or don't and move on.

Either way, move on.
__________________

I think Hong Kong Phooey was a ninja AND a pirate. That was just too much awesome. - Yhor
09-28-09, 01:21 PM   #30
Cairenn
Credendo Vides
 
Premium Member
WoWInterface Admin
Join Date: Mar 2004
Posts: 7,134
Okay guys, tone it down. You know the rules. No flaming. No personal attacks. He has his concerns and it's his right to air them if he wishes. Shirik has responded, as the programmer of Minion and as a staff member of WoWI. If there is any more conversation to be had in this thread, it should be between them.

downset - I understand that you have concerns and you are certainly welcome to discuss them. However, you seem concerned that this is a third party application that we have adopted for our use. This isn't the case. It was written in-house by Shirik specifically for our sites. As well, please note that we've been running our network of sites for 7 years now and have only ever had a single instance where there were any malicious files on any of the sites (which was discovered and cleared up extremely quickly). Also note that every one of our sites are official members of the fansite programs for each of the applicable game companies. As well, we have a lot of people using Minion already. If there was any problem with our site(s) and/or Minion, those statements would no longer be true. If we weren't trustworthy, the game companies themselves would be kicking us out of their fansite programs. If there was a problem with Minion, users would have it uninstalled and it would be splashed all over the internet "do not trust it, it is malicious".
__________________
“Do what you feel in your heart to be right — for you’ll be criticized anyway.” ~ Eleanor Roosevelt
~~~~~~~~~~~~~~~~~~~
Co-Founder & Admin: MMOUI
FaceBook Profile, Page, Group
Avatar Image by RaffaeleMarinetti

Last edited by Cairenn : 09-28-09 at 01:32 PM.
09-28-09, 01:43 PM   #31
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author - Click to view addons
Join Date: Mar 2007
Posts: 818
Originally Posted by forty2j View Post
On the invalid certificate issue.. there are TONS of reasons why a certificate could be invalid, up to and including greed on the part of the certificate issuer.... In this particular case, it may be related to the fact it is Beta software - for testing purposes by hardy users only - and therefore a signed certificate hasn't been purchased yet. If that makes you uncomfortable then - while I can assure you there is nothing wrong here - your best plan may be to wait for the official release.
That is in fact why the certificate is invalid. The certificate is "invalid" (in fact, valid for me, but invalid for you) because it is a self-signed certificate that offers no real guarantee of identity. If you really wanted the CA associated with the certificate, I could give it to you so you could install it to trust it, but there's really no reason for that.

Regarding permission sets, Java only offers two built-in:
- Applet permissions (create temp files, no spawning of processes, no accessing URLs outside of where it originated from)
- Full permissions (can do everything that a typical application can do)

Note that "Full permissions" is NOT asking for root on your computer or anything of the sort. It is simply asking for Java's full permission set. It still runs in the context of the current user, and thus I can simply do everything a typical application can do. In fact, one might argue this makes Java more secure in this regard, because I am asking for confirmation before I get anywhere that any other application could have done normally.

Minion actually installs its own intermediary permission set, known as the Minion Security Manager, which falls somewhere in between Applet permissions and Full permissions. This allows modules to run without being initially trusted, and users of Minion have already seen it in action. It offers more fine-grained security levels such as access to individual folders and servers. It is fully capable of blocking access to folders which you have not authorized (and some people have already had problems with Minion due to it being a bit paranoid, itself, and blocking modules when it should not have).
__________________
It's true that one era is coming to an end
I saw it with my own eyes
But that my own turn comes next
is something I didn't want to know
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/

Last edited by Shirik : 09-28-09 at 01:49 PM.
09-28-09, 02:08 PM   #32
zero-kill
A Firelord
 
Join Date: Aug 2009
Posts: 497
Sorry Cairenn

*turns off muh lazer*
09-28-09, 10:39 PM   #33
Bluspacecow
Giver of walls of text :)
 
AddOn Author - Click to view addons
Join Date: Dec 2006
Posts: 770
Not to kick a dead horse here but I'm pretty sure that with OS X's protected memory scheme there's no way that a program can grab another program's security access.

So even in the likelihood that Minion was getting access to system files, an illicit program would not be able to grab that access to write stuff anywhere.

And yes I do read notes from Black Hat conferences where they speak of hacking OS X - there has been no news of programs being able to piggy back other programs that way.
__________________
tuba_man on Apple test labs : "I imagine a brushed-aluminum room with a floor made of keyboards, each one plugged into a different test box somewhere. Someone is tasked with tossing a box full of cats (all wearing turtlenecks) into this room. If none of the systems catch fire within 30 minutes, testing is complete. Someone else must remove the cats. All have iPods." (http://community.livejournal.com/tec...t/2018070.html)
09-28-09, 11:21 PM   #34
Shirik
Blasphemer!
Premium Member
WoWInterface Super Mod
AddOn Author - Click to view addons
Join Date: Mar 2007
Posts: 818
Originally Posted by Bluspacecow View Post
Not to kick a dead horse here but I'm pretty sure that with OS X's protected memory scheme there's no way that a program can grab another program's security access.
The intermediate security manager that I was referring to is for modules, which may need to have additional restrictions. To the OS, the modules and the core are all one big application. Thus, it's Minion's responsibility to act like a mini-OS and allocate permissions accordingly. Fortunately, Java offers a very powerful way to implement this functionality (and leverages it against applets).
__________________
It's true that one era is coming to an end
I saw it with my own eyes
But that my own turn comes next
is something I didn't want to know
It's my turn next.

Shakespeare liked regexes too!
/(bb|[^b]{2})/
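
The per-module permission idea Shirik describes in posts #31 and #34 (grants for individual folders and servers, checked by the application itself rather than by the OS), sketched with the JDK's standard permission classes. This is an added example, not Minion's code and not written by anyone in the thread; the `ModuleGrants` class, the module names, the paths and the host are constructed for illustration.

```java
import java.io.FilePermission;
import java.net.URLPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.HashMap;
import java.util.Map;

/** Added illustration: per-module grants for folders and servers. Not Minion's code. */
public class ModuleGrants {
    // Module name -> the permissions the user has approved for that module.
    private final Map<String, Permissions> grants = new HashMap<>();

    /** Record that the user approved one permission for one module. */
    public void grant(String module, Permission p) {
        grants.computeIfAbsent(module, k -> new Permissions()).add(p);
    }

    /** Default deny: unknown modules and requests outside the grants are refused. */
    public boolean allows(String module, Permission requested) {
        Permissions approved = grants.get(module);
        return approved != null && approved.implies(requested);
    }

    public static void main(String[] args) {
        ModuleGrants mgr = new ModuleGrants();

        // Constructed grants: one add-on folder (recursive, via "/-") and one HTTPS host.
        String addons = "/Applications/Game/Interface/AddOns";
        mgr.grant("updater", new FilePermission(addons + "/-", "read,write"));
        mgr.grant("updater", new URLPermission("https://addons.example.invalid/-", "GET"));

        // Constructed requests: inside the grant, outside it, wrong action, wrong host,
        // and a module that was never granted anything.
        Object[][] requests = {
            {"updater", new FilePermission(addons + "/SomeAddon/core.lua", "write")},
            {"updater", new FilePermission("/Users/alice/Documents/taxes.pdf", "read")},
            {"updater", new FilePermission(addons + "/SomeAddon/core.lua", "execute")},
            {"updater", new URLPermission("https://addons.example.invalid/files/a.zip", "GET")},
            {"updater", new URLPermission("https://addons.example.invalid/upload", "POST")},
            {"updater", new URLPermission("https://other.example.invalid/a.zip", "GET")},
            {"unknown", new FilePermission(addons + "/SomeAddon/core.lua", "read")},
        };
        for (Object[] r : requests) {
            String module = (String) r[0];
            Permission p = (Permission) r[1];
            System.out.printf("%-8s %-5s %s [%s]%n", module,
                    mgr.allows(module, p) ? "ALLOW" : "DENY", p.getName(), p.getActions());
        }
    }
}
```

Only the first and fourth requests fall inside the grants; every other request, including the one from the module with no grants, is denied by default.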
09-29-09, 05:04 PM   #35
downset
A Deviate Faerie Dragon
Join Date: Dec 2008
Posts: 18
too many replies are from people who only ever seen windows, os x has no UAC, warnings mean something and are very rare


i can name 2 very high profile and complex java apps:

1. jdownloader, installs by drag and drop and updates itself without any security warnings

2. vuze (used to be Azureus): installs with an installer and updates itself without any security warnings

both are multi platform, both are permission wise equal, they update automatically, and download files from the internet and put them in a folder
09-29-09, 05:19 PM   #36
Akryn
A Firelord
AddOn Author - Click to view addons
Join Date: Mar 2008
Posts: 479
Originally Posted by downset View Post
too many replies are from people who only ever seen windows, os x has no UAC, warnings mean something and are very rare
Java is not Mac OS.

both are multi platform
...and likely don't use self signed certs? I could be wrong but it looks like that is what the actual cause of the error is (which is obviously coming from the JRE not the OS and, apparently, means that you're only granting user-level permissions). I think it's reasonable for Minion to use a self-signed cert -- at this point in its development, anyway.

Last edited by Akryn : 09-29-09 at 05:29 PM.
09-29-09, 05:24 PM   #37
Tristanian
Andúril
Premium Member
AddOn Author - Click to view addons
Join Date: Nov 2007
Posts: 279
Just a friendly reminder (again) :

Originally Posted by Cairenn View Post
Okay guys, tone it down. You know the rules. No flaming. No personal attacks. He has his concerns and it's his right to air them if he wishes.
Keep it civil, people.
09-29-09, 08:43 PM   #38
Dolby
PPAP
 
WoWInterface Admin
Join Date: Feb 2004
Posts: 2,341
Originally Posted by downset View Post
too many replies are from people who only ever seen windows, os x has no UAC, warnings mean something and are very rare


i can name 2 very high profile and complex java apps:

1. jdownloader, installs by drag and drop and updates itself without any security warnings

2. vuze (used to be Azureus): installs with an installer and updates itself without any security warnings

both are multi platform, both are permission wise equal, they update automatically, and download files from the internet and put them in a folder
OSX does have a type of UAC, whenever you download and copy a new app to the application folder and run it. OSX will inform you that this app is new and was downloaded from the web. Then ask you if you are sure you want to run it. Not 100% the same as UAC but similar in end result.

Those you listed don't install directly from the web page like minion. Those you've listed you download a dmg image and either your browser auto opens it or you double click the dmg. Minion installs directly from the web page so you'll see different security warnings.

Yes both programs you listed above are multi-platform but do NOT have multi-platform installers. Minion uses a multi-platform installer too.

Now if we should ditch our current install process and go with an OS specific installer instead is something to debate.

The last thing we want to do is scare people away from using minion and is why we are in beta so we can discuss these things.

Last edited by Dolby : 09-29-09 at 08:57 PM.
09-30-09, 02:01 AM   #39
Republic
Paladin
 
Join Date: Jun 2007
Posts: 277
Originally Posted by downset View Post
i am not complaining about poor choice of words, i am telling the choice of words is spot on, a previous poster found he had to correct apple and minimize the risk

its not paranoia, its a valid concern for the safety of my OS and private data, if every little app behaved like this we would have 0 security left.
Eh, no offense intended here but you seem like the type that "should" frown on using updaters in the first place. If you're truly that concerned about your system safety, why even use...bah, you understand the point. As I believe updaters cater to the lazy and less "able" among us (yeah yeah, I know smart folks can use them for convenience...so before you start yelling at me...I KNOW!!!), I find great irony that someone as anal about system security is even using one, but that's me.

It's times like this that I wonder why some kids like to make a big fuss about pc security issues, but will chow down immediately on a pizza delivered from god knows where. Think about it
09-30-09, 02:04 AM   #40
Republic
Paladin
 
Join Date: Jun 2007
Posts: 277
Originally Posted by downset View Post
2. vuze (used to be Azureus): installs with an installer and updates itself without any security warnings
eh, not for nothing bud, but that's a much more alarming security situation than a warning from your Java minion

WoWInterface » Site Forums » Minion » Archive » why would an installer need access to my computer?

