When your protection tools can’t be trusted: Intego
****** See Updates at bottom******
I bought a bundle of apps sold under the banner of ‘Mac Promo’ that included a number of terrific tools I’ll probably talk about later but I also discovered things I now find very disturbing.
First, “Mac Promo” was a promotion run by Intego. It’s not Mac Update Promo. The, I think, deliberate ambiguity in the branding was mildly troubling but that’s hardly a major issue and, to be fair, the design and appearance of the promotion was clearly different from Mac Update Promo. Intego did, in the small print, say the bundle was being offered by Intego. (That the clock ticking down to the end of the offer period silently reset and extended the time limit is cheesy but not exceptionally weaselly. It’s standard issue marketing weaselly.)
Included in the bundle was a product called Personal Backup by Intego. When I initially looked into the Personal Backup product a few days ago prior to purchasing the bundle, the only documentation for Intego’s Personal Backup on their web site was Mac OS 9-era information including Classic UI elements. Personal Backup was not then, and is not now listed as a current Mac product on Intego’s site. That’s, at best, amateurish. At worst, it’s creepy.
The creepiness just got worse.
- The creepy behavior goes all the way down to the license and getting started documents on the disk image for the application. They appear to be documents and are badged PDF and HTML respectively. In fact, both are applications, executables, programs, things that run code on your Mac. These executables appear to be as benign as wrappers that check what language your Mac is localized to and then open the appropriate documents. This is deliberately misleading the user, badging the document icons PDF and HTML respectively. Users lulled into trusting these things, apps masquerading as docs are, absolutely an infection vector for malware. That Intego’s faux docs aren’t literally malware doesn’t change the fact that to imply they are delivering documents when, in fact, they are delivering applications is bad behavior at best and, at worst, creating the kind of problems they then want to sell you products to avoid.
- Intego’s Personal Backup product required online activation. The need for online activation is not warned of prior to purchase or installation and the installation experience is ambiguous as to what’s really going on. Don’t run LittleSnitch or the like and you’re likely never to even know it does it without looking closely. The serialization documentation on their web site doesn’t tell you that their products online activate and is, in my opinion, written to obfuscate the fact that they do. A developer is obligated to tell the user at least when you do the online activation that you are doing it. If they’re remotely polite, they should warn their customers prior to purchase that their product requires online activation.
- Installing and using the product demands you run an installer as opposed to being a drag-install. This should usually raise a red flag because, if you run your Mac without administrator permissions (as you should), you will need to enter an administration-enabled user name and password to allow the installer permission to run. Think about, for example, BBEdit. When you install BBEdit, you drag the application to your Applications folder (or wherever else you want to). When BBEdit needs additional functionality that demands it place executables outside it’s app package (the command line tools) it asks you first.
- The Intego Personal Backup installer installs, at least: Two Applications to the Applications Folder (NetUpdate and Personal Backup), two Dashboard widgets, a daemon to handle scheduling of automated backups (necessary for automation functionality but they should tell you), a prefpane, a menu bar item and, on launch, a goody pile of plists and app caches. It’s simply excessive. To run a personal backup application with the functionality they include, you need an application that can, with the users’ permission, escalate privileges to access certain files to back them up. You optionally need to allow a daemon (background application) to be run at every startup to allow the app to start itself and run a scheduled backup. If you don’t schedule automated backups, you don’t need the deamon. If you do schedule automated backups, the app should ask to install the deamon. Intego’s documentation for NetUpdate or the Personal Backup application it payloads onto at install doesn’t tell you what, specifically, is installed let alone what is not removed by their uninstaller. A developer is, in my opinion, obligated, when they install anything more than the App and generate a prefs file, to tell the user what they are installing. If not in a ‘read me’ available at installation, at least on your web site in a clearly discoverable place.
- The installer’s “Uninstall” option does not remove all of these things or warn you that to remove that portion of cruft it does uninstall, a restart is necessary.
- Finding all the crud (including still running code after a post-uninstall restart) demands you know how to look for it. OS X spotlight won’t find it all. DEVON Easy Find (Free, yay DEVON Technologies) is one method, there are others. If you sell anti-malware software, installing faceless and fairly deeply buried things that run every time you start your Mac is tres uncool.
Now, why is all this so creepy, so utterly unacceptable, in this case when all sorts of apps behave similarly badly? Intego is in the business of selling tools that are all explicitly about keeping your Mac safe.
- AntiVirus Software
- Software Firewall/Internet Security Software
- Privacy software to clean your Mac of browsing history.
- Backup Software (not that you’d know they sell that product from their product listings and there’s no press release for Personal Backup more recent than July of 2008).
If Intego expects their customers to trust them to help keep them safe from malware, they shouldn’t behave like malware. If they are actually interested in controlling the spread of malware on MacOS, they should behave in a manner beyond reproach. If they want to have users learn basic habits that inherently make them safer from malware, they shouldn’t acculturate users to do exactly the sorts of things that lead to spreading malware. Intego is, without major changes in their behavior, not to be trusted. Period.
The Mac Promo bundle mentioned above also includes “Personal Antispam” from Intego. It too has faux HTML and PDF ‘documents’ and, it too installs a similar suite of cruft. The habits described above seem to apply to at at least two Intego products.
“You must provide a valid e-mail address when serializing the Software, which will then proceed with the activation procedure. At the end of the Period of Use, the Software will no longer be active, and to continue using the Software You will need to purchase a new license or subscription for a new Period of Use.” does appear in their License. The license is included the collection of ‘masquerading as documents’ applications on the installer disk image and here: http://support.intego.com/kb/index.php?x=&mod_id=2&id=70
Why do they want an email address? “6. Communication and Personal Information. By accepting this license, You grant to Intego the right to send You occasional e-mails or postal mailings regarding security alerts, new software, software offers, as well as reminders that Your Period of Use is due to expire. Intego will not sell or lease Your e-mail address or other personal information to third parties.”
In other words: In order to use the product you paid for, it is a condition of the license that they be allowed to email you ‘offers’. You can’t use the product you paid for unless you give them permission to spam you. Conversely, if you ask to be removed from their promotional email lists, you forfeit the license you paid for. How do you like them apples?
Email sent to email@example.com:
Subject: License disclaimer and removal request.