When your protection tools can’t be trusted: Intego

January 2nd, 2011 4 comments

****** See Updates at bottom******

I bought a bundle of apps sold under the banner of ‘Mac Promo’ that included a number of terrific tools I’ll probably talk about later but I also discovered things I now find very disturbing.

First, “Mac Promo” was a promotion run by Intego. It’s not Mac Update Promo. The, I think, deliberate ambiguity in the branding was mildly troubling but that’s hardly a major issue and, to be fair, the design and appearance of the promotion was clearly different from Mac Update Promo. Intego did, in the small print, say the bundle was being offered by Intego. (That the clock ticking down to the end of the offer period silently reset and extended the time limit is cheesy but not exceptionally weaselly. It’s standard issue marketing weaselly.)

Included in the bundle was a product called Personal Backup by Intego. When I initially looked into the Personal Backup product a few days ago prior to purchasing the bundle, the only documentation for Intego’s Personal Backup on their web site was Mac OS 9-era information including Classic UI elements. Personal Backup was not then, and is not now listed as a current Mac product on Intego’s site. That’s, at best, amateurish. At worst, it’s creepy.

The creepiness just got worse.

  1. The creepy behavior goes all the way down to the license and getting started documents on the disk image for the application. They appear to be documents and are badged PDF and HTML respectively. In fact, both are applications, executables, programs, things that run code on your Mac. These executables appear to be as benign as wrappers that check what language your Mac is localized to and then open the appropriate documents. This is deliberately misleading the user, badging the document icons PDF and HTML respectively. Users get lulled into trusting these things, and apps masquerading as docs are absolutely an infection vector for malware. That Intego’s faux docs aren’t literally malware doesn’t change the fact that to imply they are delivering documents when, in fact, they are delivering applications is bad behavior at best and, at worst, creating the kind of problems they then want to sell you products to avoid.
  2. Intego’s Personal Backup product required online activation. The need for online activation is not warned of prior to purchase or installation and the installation experience is ambiguous as to what’s really going on. Don’t run LittleSnitch or the like and you’re likely never to even know it does it without looking closely. The serialization documentation on their web site doesn’t tell you that their products online activate and is, in my opinion, written to obfuscate the fact that they do. A developer is obligated to tell the user at least when you do the online activation that you are doing it. If they’re remotely polite, they should warn their customers prior to purchase that their product requires online activation.
  3. Installing and using the product demands you run an installer as opposed to being a drag-install. This should usually raise a red flag because, if you run your Mac without administrator permissions (as you should), you will need to enter an administration-enabled user name and password to allow the installer permission to run. Think about, for example, BBEdit. When you install BBEdit, you drag the application to your Applications folder (or wherever else you want to). When BBEdit needs additional functionality that demands it place executables outside its app package (the command line tools), it asks you first.
  4. The Intego Personal Backup installer installs, at least: Two Applications to the Applications Folder (NetUpdate and Personal Backup), two Dashboard widgets, a daemon to handle scheduling of automated backups (necessary for automation functionality but they should tell you), a prefpane, a menu bar item and, on launch, a goody pile of plists and app caches. It’s simply excessive. To run a personal backup application with the functionality they include, you need an application that can, with the users’ permission, escalate privileges to access certain files to back them up. You optionally need to allow a daemon (background application) to be run at every startup to allow the app to start itself and run a scheduled backup. If you don’t schedule automated backups, you don’t need the daemon. If you do schedule automated backups, the app should ask to install the daemon. Intego’s documentation for NetUpdate or the Personal Backup application it payloads onto at install doesn’t tell you what, specifically, is installed let alone what is not removed by their uninstaller. A developer is, in my opinion, obligated, when they install anything more than the App and generate a prefs file, to tell the user what they are installing. If not in a ‘read me’ available at installation, at least on your web site in a clearly discoverable place.
  5. The installer’s “Uninstall” option does not remove all of these things or warn you that to remove that portion of cruft it does uninstall, a restart is necessary.
  6. Finding all the crud (including still running code after a post-uninstall restart) demands you know how to look for it. OS X spotlight won’t find it all. DEVON Easy Find (Free, yay DEVON Technologies) is one method, there are others. If you sell anti-malware software, installing faceless and fairly deeply buried things that run every time you start your Mac is tres uncool.
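
One way to do the search from item 6 without relying on Spotlight, as an added example that is not from the original post or from Intego: it parses every launchd job in the standard locations, reports those whose file name or program path mentions a vendor string, and lists same-named items in the other usual install folders. The vendor name `ExampleVendor` and every sample path are constructed placeholders.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Relative paths, so the same scan works under "/" and under a home folder.
LAUNCHD_DIRS = ("Library/LaunchDaemons", "Library/LaunchAgents")
NAMED_DIRS = ("Applications", "Library/PreferencePanes", "Library/Widgets",
              "Library/Application Support", "Library/Preferences",
              "Library/Caches")

def strings_in(value):
    """Yield every string nested inside a parsed plist value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for item in value.values():
            yield from strings_in(item)
    elif isinstance(value, list):
        for item in value:
            yield from strings_in(item)

def launchd_jobs(root, vendor):
    """Return launchd jobs whose file name or contents mention the vendor."""
    jobs = []
    for rel in LAUNCHD_DIRS:
        folder = Path(root) / rel
        if not folder.is_dir():
            continue
        for path in sorted(folder.glob("*.plist")):
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
            except (OSError, ValueError, ExpatError):
                job = {}  # unreadable: still reported if its name matches
            job = job if isinstance(job, dict) else {}
            text = " ".join([path.name, *strings_in(job)]).lower()
            if vendor.lower() in text:
                args = job.get("ProgramArguments") or [job.get("Program", "?")]
                jobs.append({"plist": str(path.relative_to(root)),
                             "runs": args[0],
                             "run_at_load": bool(job.get("RunAtLoad"))})
    return jobs

def named_items(root, vendor):
    """Return top-level items in the install folders named after the vendor."""
    found = []
    for rel in NAMED_DIRS:
        folder = Path(root) / rel
        if folder.is_dir():
            found += [str(p.relative_to(root)) for p in sorted(folder.iterdir())
                      if vendor.lower() in p.name.lower()]
    return found

def demo():
    """Scan a constructed post-uninstall tree; every name is hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("Library/LaunchDaemons", "Applications/TextEditor.app",
                    "Library/Widgets/ExampleVendor Status.wdgt",
                    "Library/Caches/com.examplevendor.backup"):
            (root / rel).mkdir(parents=True)
        # The job's file name does not contain the vendor; its program does.
        job = {"Label": "com.backupd.scheduler", "RunAtLoad": True,
               "ProgramArguments": ["/Library/ExampleVendor/backupd", "--schedule"]}
        plist = root / "Library/LaunchDaemons/com.backupd.scheduler.plist"
        with plist.open("wb") as fh:
            plistlib.dump(job, fh)
        return launchd_jobs(root, "ExampleVendor"), named_items(root, "ExampleVendor")

if __name__ == "__main__":
    for group in demo():
        for entry in group:
            print(entry)
```

On a real system, call `launchd_jobs` and `named_items` once with `/` and once with each user's home folder as `root`.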

Now, why is all this so creepy, so utterly unacceptable,  in this case when all sorts of apps behave similarly badly? Intego is in the business of selling tools that are all explicitly about keeping your Mac safe.

They sell:

  • AntiVirus Software
  • Software Firewall/Internet Security Software
  • Privacy software to clean your Mac of browsing history.
  • Backup Software (not that you’d know they sell that product from their product listings and there’s no press release for Personal Backup more recent than July of 2008).

If Intego expects their customers to trust them to help keep them safe from malware, they shouldn’t behave like malware. If they are actually interested in controlling the spread of malware on MacOS, they should behave in a manner beyond reproach. If they want to have users learn basic habits that inherently make them safer from malware, they shouldn’t acculturate users to do exactly the sorts of things that lead to spreading malware. Intego is, without major changes in their behavior, not to be trusted. Period.

**************Update**************

The Mac Promo bundle mentioned above also includes “Personal Antispam” from Intego. It too has faux HTML and PDF ‘documents’ and it too installs a similar suite of cruft. The habits described above seem to apply to at least two Intego products.
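
A check for the faux-document pattern described above, as an added example that is not from the original post or from Intego: it walks a mounted disk image and flags application bundles whose name reads as a document once Finder hides the `.app` extension. It goes slightly beyond the post by also flagging files with a document extension whose content begins with a Mach-O or script header. The word list and all sample names are assumptions made for the example.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

DOC_EXTENSIONS = {".pdf", ".html", ".htm", ".rtf", ".txt"}
# Assumed word list for bundle names that read as documents once Finder
# hides the ".app" extension; extend it to taste.
DOC_WORDS = ("license", "read me", "readme", "getting started", "manual")
# First four bytes, as stored on disk, of Mach-O and universal binaries.
MACHO_MAGICS = {bytes.fromhex(h) for h in
                ("feedface", "feedfacf", "cefaedfe", "cffaedfe", "cafebabe")}

def bundle_executable(app):
    """Return the program a .app bundle launches, or None if it has none."""
    try:
        with (app / "Contents" / "Info.plist").open("rb") as fh:
            info = plistlib.load(fh)
    except (OSError, ValueError, ExpatError):
        return None
    return info.get("CFBundleExecutable") if isinstance(info, dict) else None

def looks_like_document(name):
    """True if a display name reads as a document rather than a program."""
    lowered = name.lower()
    return (Path(lowered).suffix in DOC_EXTENSIONS
            or any(word in lowered for word in DOC_WORDS))

def audit_volume(root):
    """List (relative path, reason) for items that pose as documents."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        rel = path.relative_to(root)
        if any(parent.suffix == ".app" for parent in rel.parents):
            continue  # skip the contents of bundles; the bundle is the unit
        if path.is_dir() and path.suffix == ".app":
            exe = bundle_executable(path)
            if exe and looks_like_document(path.stem):
                findings.append(
                    (str(rel), f"application (runs {exe}) named like a document"))
        elif path.is_file() and path.suffix.lower() in DOC_EXTENSIONS:
            with path.open("rb") as fh:
                head = fh.read(4)
            if head in MACHO_MAGICS or head.startswith(b"#!"):
                findings.append(
                    (str(rel), "document extension on executable content"))
    return findings

def demo():
    """Audit a constructed disk-image layout; every name is hypothetical."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, exe in (("License.app", "launcher"),
                          ("Getting Started.app", "launcher"),
                          ("Backup Installer.app", "installer")):
            contents = root / name / "Contents"
            (contents / "MacOS").mkdir(parents=True)
            with (contents / "Info.plist").open("wb") as fh:
                plistlib.dump({"CFBundlePackageType": "APPL",
                               "CFBundleExecutable": exe}, fh)
        (root / "Manual.pdf").write_bytes(b"%PDF-1.4\n")  # a real document
        (root / "Invoice.pdf").write_bytes(bytes.fromhex("cffaedfe") + b"\0" * 12)
        return audit_volume(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

The honestly named installer and the genuine PDF pass; only the two document-named bundles and the Mach-O file with a `.pdf` extension are reported.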

**************Update again**************

The text:

“You must provide a valid e-mail address when serializing the Software, which will then proceed with the activation procedure. At the end of the Period of Use, the Software will no longer be active, and to continue using the Software You will need to purchase a new license or subscription for a new Period of Use.” does appear in their License. The license is included in the collection of ‘masquerading as documents’ applications on the installer disk image and here: http://support.intego.com/kb/index.php?x=&mod_id=2&id=70

Why do they want an email address? “6. Communication and Personal Information. By accepting this license, You grant to Intego the right to send You occasional e-mails or postal mailings regarding security alerts, new software, software offers, as well as reminders that Your Period of Use is due to expire. Intego will not sell or lease Your e-mail address or other personal information to third parties.”

In other words: In order to use the product you paid for, it is a condition of the license that they be allowed to email you ‘offers’. You can’t use the product you paid for unless you give them permission to spam you. Conversely, if you ask to be removed from their promotional email lists, you forfeit the license you paid for. How do you like them apples?

**************Update again…again**************

Email sent to support@intego.com:

Subject: License disclaimer and removal request.

Please remove my email from all of your distribution lists. As a purchaser of your products, I do not consent to this license term:
“6. Communication and Personal Information. By accepting this license, You grant to Intego the right to send You occasional e-mails or postal mailings regarding security alerts, new software, software offers, as well as reminders that Your Period of Use is due to expire. Intego will not sell or lease Your e-mail address or other personal information to third parties.”
I urge your legal department to review, at least, the following:
– Jon

****Update 1.5.11****

No reply to the above email other than automated response. They’ve had three business days. Now I have no problem being a bit louder about this.

****** Update 1.6.11*****

An anonymous Macintouch reader points out: “One person’s crud = useful components to another.” and yes, I agree in principle but still see the Intego payload as beyond excessive. I freely admit I may be unique in my distaste for Dashboard Widgets for example but I think, as they also say in their comment, that the installer should tell you what goes where.

*******Update 1.7.11*******

Peter from Intego posted a comment I didn’t notice for some unknown period of time and it was held for moderation longer than I’d like. It has now been posted (unedited) and replied to. I want to be clear about something. I believe the Mac community needs anti-malware and security tools. I believe Intego is capable of providing good ones and making a good living doing it. I just don’t believe, as of now, they are acting in a way that embodies good practices. I would hope they would take this feedback to heart, reflect and come out with revisions to their products, policies, UE and documentation that would make them better and, if they do, I’ll buy their products again. I’m not, and never have been, seeking a refund. In fact, I have asked them to cancel my license because I can’t agree to a license term but did so without asking for any kind of refund since the rest of the bundle was a good value for me. So… for the rest, read the comments.

*******Update 4.26.11*******

Telling screenshot and citation of Mac App Store Guidelines. Seems like we have a double lesson here. Mac App Store concerns for both Devs and Users and Intego not seeming to have learned a thing in 4 months.

*******Update 9.23.11************

Oh look, a malware app being delivered as faux .pdf. I’m shocked, shocked I tell you. http://arstechnica.com/apple/news/2011/09/mac-trojan-poses-as-pdf-to-open-botnet-backdoor.ars


You need a Text Editor

December 18th, 2010 No comments

It may not be obvious but you need a text editor once you move beyond the most basic use of your Mac. You have three real choices. Learn a proper UNIX text editor like emacs or vi, buy BBEdit or get TextWrangler for free. There’s another alternative I won’t mention because I’m a huge BBEdit fan and biased. Tough noogies. I’m not mentioning it.

I hate writing code. It’s not what I do. I can, if you force me, find and fix bugs in some languages while enduring enormous pain and suffering but it’s utter misery for me. If I hate writing code, why am I telling you that you need a programmer’s text editor?

You can read the documentation on the above linked pages for all the uses somebody who is a programmer or system administrator will have for these tools and yeah, when I am a sys admin, I use those features. The official uses are myriad but you, like me, will likely find you have use for them in some measure for more uncommon purposes.

It will open essentially any file.

  • It’s a way to extract data from many old or mysterious files you’d imagine were of no use because you had no application that could natively open the file.
  • It’s a great way to find hidden data you might find useful in files you can open natively. Deleted changes from a file that wasn’t sanitized? Metadata about the creator of a file? You’d be surprised what lurks in some places and it can be useful to find out.
  • It will let you look at your own files before distribution so you can have increased confidence you’ve sanitized out any metadata you’d prefer not to share.

(Note: Don’t assume that because you can’t see metadata you might prefer not to have people see that it’s not there. It could be there in a binary format, hashed or even really encrypted. Just because you don’t have a means to decode it doesn’t mean somebody else can’t. The cleaning described above is just good practice but in no way a complete solution. It’s sometimes what we call “good enough”.)

They are also handy for more mundane tasks even less paranoid or curious people may need. These are a few things I can think of having needed to do at some point in the last month.

  • Need to do a multi-document search or search and replace? Say, for example, you have a pile of Word docs for an info packet. Sure, you’ll go back to the original word processor to make the changes to be sure you don’t break formatting but find where these mentions you need to update are, a fast multi-file search is a very handy thing.
  • Need to pull all the links off a page to do a manual link check or just save them all outside your browser’s bookmarking mechanism?
  • You have a backup of your WordPress blog and you want to take a quick look at a post offline.
  • You use some other more WYSIWYG web authoring tool but you need to update a link from a machine you don’t have that tool installed on. (Never use a Word Processor for this. It will surely mangle your HTML.)
  • You want to clean up the delimiter some program used for its export format. Came out as comma separated and you want tabs? Grab a BBEdit.

I’m sure many of you readers can think of other uses. Drop me an email or add a comment. Oh, and if you do drop me an email instead of a comment, tell me why? I get a huge pile of emailed comments and some of them make me make an edit or write a new post but I get very few proper comments here. Yes, I set it up so you need to register to make a comment which is, admittedly, a pain in the neck. It was a compromise to avoid the effort to do a whole bunch of mediation and spam filtering. Is it really that annoying to make an account?

Final note: If, like me, you don’t have either emacs or vi skills and aren’t overcome with an urge to acquire them, there is a nice alternative when you can’t install TextWrangler on a Mac you’re doing administration work on: nano. It’s been mapped to the pico command by default in MacOS and, if you ever used pine for email, it will be familiar. To get it, open Terminal.app and type pico. The rest? You’re on your own but it’s not horrid to figure out and, unlike emacs, you won’t need an extra limb. Of course you can’t do what you can with emacs but then again, if you need emacs, that’s on your Mac too and you didn’t need this article.


Categories: Tools

There be dragons in case studies in the I.T. press.

December 12th, 2010 No comments

I wish I could tell you all the horror stories. They’ve happened with some of the high budget projects I’ve done at every gig I’ve had. I’ll do my best to warn you without being able to actually show you all of the skeletons.

Somebody, usually somebody with more management experience than technical field experience will have a legitimate and very serious problem with how some workflow or business function is done at your company. They’ll meet somebody, read something and an email will arrive asking you to look into a new product or service that promises to solve their problem. The problem will be real and it will be important. Now, as a technology manager, you’re at a crossroads. How do you communicate your assessment of their proposed solution? Sorry, can’t help you. Too many variables. Is your boss ‘science minded’? Is she somebody you can have a real conversation with who will work alongside you to evaluate their idea? Damn, you’re a lucky devil. Is he a puffed up MBA-having-suit-wearing-testosterone-juiced-schmuck who got the job despite all reason? You’re hosed. The reality is, you’re almost surely waist deep in the vast expanse of gray in between. What I can tell you is, do some due diligence and don’t rely on IT industry press ‘case study’ articles and customer testimonials.

I first learned this lesson the hard way at my first real job managing a network and support for a medium sized business. I sold my boss on a service contract for CE Software’s QuickMail. We were already using QuickMail (served with damned near bulletproof reliability from an SE-30). I was pitched a long term contract by CE for a roadmap of upgrades. I was handed all sorts of documentation about how other customers were doing well in these arrangements and given prospective ROI analysis that painted a nice rosy picture for the future. I pitched my then boss with passion. I didn’t do enough homework. CE never shipped what they promised. The roadmap was vapor. My employer got screwed for a few grand. I felt terrible about it. My boss at the time, I think, actually saw it coming and let it happen to give me some on the job training. He wouldn’t, no matter how much I begged him to, let me point the company’s pit-bull lawyers at CE. There were lots of lessons for me in this experience and some of those will be the topic of future posts. But the key lesson is, don’t believe what you read. Test, test, test.

What I can tell you is this. If you read an article in the I.T. press talking about how Enormocorp successfully deployed the proposed solution, it’s a lie. I mean it. If you read an article in “How to succeed in IT” magazine featuring an interview with a CIO who just deployed a multimillion dollar CRM system and the quotes talk all about the amazing ROI, it’s a lie. It can’t be used as meaningful data in making your decision about whether your company needs the product. If the sales guy shows you this article? If he has a stack of five others like it? If his whole presentation is all about how deploying his solution will help make your small company able to be as successful as his Fortune 500 poster child clients? You are in serious trouble.

Now, did the CIO interviewed actually lie? Probably not. The article wasn’t long enough for enough truth. Here’s how it happens. How do I know? I was the guy you shouldn’t have relied on.

I was an avid user and advocate for Retrospect (A LAN backup package then made by a company called Dantz). I made a decent portion of my living for years implementing a series of successful deployments of Retrospect. Honestly, and I mean this, I saved companies I worked for literally millions deploying Retrospect for them. I enjoyed a great relationship with Dantz during this time and some of those people I knew back then at Dantz are, to this day, people I’d call friends. Retrospect was, at the time, a truly spectacular product.

My relationship with Dantz was so good, I got seeded with betas before they even admitted they were working on a new version. Back then, everything wasn’t in perpetual beta. I got surreal levels of support and I ate a lot of good meals on their dime. At the height of their success I was one of a half dozen or so consultants and I.T. managers asked to do a promotional interview for them. I can count on one hand, with a spare finger or two, the number of companies I’ve ever trusted enough to say yes to that kind of request. I did the interview, I had a few laughs. The somewhat colorful out-takes apparently made an internal reel shown to employees. I told the absolute truth. At the time, Retrospect essentially had a monopoly on the automated backup business on MacOS and deserved to. I never had access to sales figures but I personally had well more than a thousand nodes in the field that I’d supported, deployed or spec’d at some very big name clients.

The day that tape was made, if you bought into Retrospect and had a clue, you’d have probably done very well for your users and bottom line. If, a year later, you saw that clip and invested in a large scale Retrospect deployment, you’d have done OK. If, two years later you had? Perhaps, not so much.

This was because the Mac, the only platform Retrospect really supported fully at the time, was in a major transition to OS X. This was not easy for a company like Dantz to cope with. Apple was in a certain amount of chaos. MacOS was being fundamentally changed from the ground up and Dantz was investing in more cross platform support. Ultimately, Dantz was sold to EMC. By then, while still a useful tool, things were far from the “This damned thing just works” truth I’d spoken on the tape. By then? What I’d said on tape became a lie. It wasn’t when I said it but it became one.

Also, because the purpose of the promotional case studies tape was to talk about Retrospect, there was no deeper discussion of backup strategies, archiving and good disaster planning. If you relied on Retrospect as your entire solution you’d have been in deep trouble. I didn’t lie about how great Retrospect was but anyone who deployed Retrospect without a lot of other work and concurrent procedures could well have ended up screwed. Anyone who added up the number of seats they needed, added the most expensive Mac they could buy to the budget for a server and thought that actually represented the real budget to deploy was in deep trouble. If you heard me say “buying Retrospect will solve all your backup, archiving and disaster planning problems” then you heard a lie. The fact that I didn’t say that, and would never have said that, doesn’t help you feel any better about having trusted what you’d heard, however much what you heard was different from what I’d said on that promo tape.

So, that’s a best case where the well intentioned quotes become lies. Here’s another reality behind most of the quotes and short case study articles you read and I’m saying this because I have read them about projects I’ve worked on. The case studies are often written and most publicized before the projects are even finished. They’re written during the deployments and, as is usually the case, right when everyone working on the deployment is in a honeymoon with the vendor and the vendor is psyched to have a poster child client. The foot soldier employees probably aren’t working with the system on a day to day basis yet. The total costs of the training haven’t been accounted for yet. The costs of changes in workflow imposed by the tool haven’t been accounted for yet (and often never are). You’re being pitched the success of the John Hancock Tower in Boston right before the windows have started to pop out in the wind.

One particularly sordid example I need to be circumspect about was a client who spent, literally, millions on big iron to serve a website using what was, for about ten minutes, the high fashion CMS du jour. The CMS maker’s CEO was driving around in his ‘explosive dot com era growth funded’ Ferrari talking about how well the CMS was doing in an emerging marketplace. The hardware vendor was crowing about the partnership. There was press about the client’s choice of and success with the CMS.

The truth, however, was that the website hosted on that CMS never worked properly. The developers who ultimately had to wrestle with it on a day to day basis were in agony. It never produced increased revenue. It had downtime incidents that amounted to days in a year. The CMS vendor folded in a hail of internal acrimony. The language of the CMS fell into a level of deprecation that would make studying Cobol seem a good career move today. The hardware ended up being a hundredfold or more in excess of what was ever necessary with the price tag and server room infrastructure costs to match. None of the experienced technical staff working for the client wanted it to happen. Everybody, including me, counseled against it. Press quotes, books, testimonials and buzzwords overcame seasoned judgement and millions were lost. The press about it? About this deployment? The case study quotes? All one hundred percent positive.

If you’re being pitched an enterprise product to revolutionize your business, don’t believe what you read. Insist on much deeper dialog with existing and current customers. Plan a staged process of test deployment and evaluation. Listen to your internal staff’s concerns. Don’t listen to lies even when they may well have been spoken with all sincerity.
