When your protection tools can’t be trusted: Intego

****** See Updates at bottom******

I bought a bundle of apps sold under the banner of ‘Mac Promo’ that included a number of terrific tools I’ll probably talk about later but I also discovered things I now find very disturbing.

First, “Mac Promo” was a promotion run by Intego. It’s not Mac Update Promo. The, I think, deliberate ambiguity in the branding was mildly troubling but that’s hardly a major issue and, to be fair, the design and appearance of the promotion was clearly different from Mac Update Promo. Intego did, in the small print, say the bundle was being offered by Intego. (That the clock ticking down to the end of the offer period silently reset and extended the time limit is cheesy but not exceptionally weaselly. It’s standard issue marketing weaselly.)

Included in the bundle was a product called Personal Backup by Intego. When I initially looked into the Personal Backup product a few days ago prior to purchasing the bundle, the only documentation for Intego’s Personal Backup on their web site was Mac OS 9-era information including Classic UI elements. Personal Backup was not then, and is not now listed as a current Mac product on Intego’s site. That’s, at best, amateurish. At worst, it’s creepy.

The creepiness just got worse.

  1. The creepy behavior goes all the way down to the license and getting started documents on the disk image for the application. They appear to be documents and are badged PDF and HTML respectively. In fact, both are applications, executables, programs, things that run code on your Mac. These executables appear to be as benign as wrappers that check what language your Mac is localized to and then open the appropriate documents. This is deliberately misleading the user, badging the document icons PDF and HTML respectively. Users lulled into trusting these things, apps masquerading as docs are, absolutely an infection vector for malware. That Intego’s faux docs aren’t literally malware doesn’t change the fact that to imply they are delivering documents when, in fact, they are delivering applications is bad behavior at best and, at worst, creating the kind of problems they then want to sell you products to avoid.
  2. Intego’s Personal Backup product required online activation. The need for online activation is not warned of prior to purchase or installation and the installation experience is ambiguous as to what’s really going on. Don’t run LittleSnitch or the like and you’re likely never to even know it does it without looking closely. The serialization documentation on their web site doesn’t tell you that their products online activate and is, in my opinion, written to obfuscate the fact that they do. A developer is obligated to tell the user at least when you do the online activation that you are doing it. If they’re remotely polite, they should warn their customers prior to purchase that their product requires online activation.
  3. Installing and using the product demands you run an installer as opposed to being a drag-install. This should usually raise a red flag because, if you run your Mac without administrator permissions (as you should), you will need to enter an administration-enabled user name and password to allow the installer permission to run. Think about, for example, BBEdit. When you install BBEdit, you drag the application to your Applications folder (or wherever else you want to). When BBEdit needs additional functionality that demands it place executables outside its app package (the command line tools) it asks you first.
  4. The Intego Personal Backup installer installs, at least: Two Applications to the Applications Folder (NetUpdate and Personal Backup), two Dashboard widgets, a daemon to handle scheduling of automated backups (necessary for automation functionality but they should tell you), a prefpane, a menu bar item and, on launch, a goody pile of plists and app caches. It’s simply excessive. To run a personal backup application with the functionality they include, you need an application that can, with the users’ permission, escalate privileges to access certain files to back them up. You optionally need to allow a daemon (background application) to be run at every startup to allow the app to start itself and run a scheduled backup. If you don’t schedule automated backups, you don’t need the daemon. If you do schedule automated backups, the app should ask to install the daemon. Intego’s documentation for NetUpdate or the Personal Backup application it payloads onto at install doesn’t tell you what, specifically, is installed let alone what is not removed by their uninstaller. A developer is, in my opinion, obligated, when they install anything more than the App and generate a prefs file, to tell the user what they are installing. If not in a ‘read me’ available at installation, at least on your web site in a clearly discoverable place.
  5. The installer’s “Uninstall” option does not remove all of these things or warn you that to remove that portion of cruft it does uninstall, a restart is necessary.
  6. Finding all the crud (including still running code after a post-uninstall restart) demands you know how to look for it. OS X spotlight won’t find it all. DEVON Easy Find (Free, yay DEVON Technologies) is one method, there are others. If you sell anti-malware software, installing faceless and fairly deeply buried things that run every time you start your Mac is tres uncool.
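
One way to look for what an installer leaves behind, as described in items 4 to 6 above (an added example, not part of the original post and not any vendor's tooling): it checks the standard macOS install locations for entries matching a vendor keyword and parses launchd job plists, so a startup job is found even when its file name gives no hint. The vendor name `examplevendor` and the sample file tree are constructed for illustration.

```python
import os
import plistlib
import tempfile

# Standard macOS locations where installers place components outside the app
# bundle, relative to a volume root or to a user's home directory.
SCAN_DIRS = [
    "Applications", "Library/LaunchDaemons", "Library/LaunchAgents",
    "Library/StartupItems", "Library/PreferencePanes", "Library/Widgets",
    "Library/Application Support", "Library/Preferences", "Library/Caches",
]
LAUNCHD_DIRS = {"Library/LaunchDaemons", "Library/LaunchAgents"}


def launchd_strings(path):
    """Return the Label, Program and ProgramArguments strings of a launchd job."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
    except Exception:  # not a file, unreadable, or not a valid plist
        return []
    if not isinstance(job, dict):
        return []
    args = job.get("ProgramArguments", [])
    values = [job.get("Label"), job.get("Program")]
    values += args if isinstance(args, list) else []
    return [v for v in values if isinstance(v, str)]


def find_leftovers(bases, keyword):
    """Return sorted (path, reason) pairs for entries tied to `keyword`.

    `bases` lists the volume root and any user home directories to check.
    """
    needle = keyword.lower()
    findings = []
    for base in bases:
        for rel in SCAN_DIRS:
            folder = os.path.join(base, rel)
            if not os.path.isdir(folder):
                continue
            for name in os.listdir(folder):
                path = os.path.join(folder, name)
                in_job = rel in LAUNCHD_DIRS and any(
                    needle in s.lower() for s in launchd_strings(path))
                if in_job:
                    findings.append((path, "launchd job, loaded at boot or login"))
                elif needle in name.lower():
                    findings.append((path, "name matches"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed post-uninstall file tree; return (root, home)."""
    root = tempfile.mkdtemp(prefix="sample_root_")
    home = os.path.join(root, "Users", "sample")
    for rel in ("Applications/ExampleVendor Backup.app",
                "Library/LaunchDaemons",
                "Library/PreferencePanes/ExampleVendor.prefPane",
                "Library/Widgets/ExampleVendor Status.wdgt",
                "Users/sample/Library/Preferences",
                "Users/sample/Library/Caches/com.examplevendor.backup"):
        os.makedirs(os.path.join(root, rel))
    files = {
        "Library/LaunchDaemons/com.examplevendor.scheduler.plist":
            {"Label": "com.examplevendor.scheduler", "RunAtLoad": True,
             "ProgramArguments": ["/Library/ExampleVendor/scheduler"]},
        # File name gives no hint; only the program path names the vendor.
        "Library/LaunchDaemons/com.helper.task.plist":
            {"Label": "com.helper.task",
             "ProgramArguments": ["/Library/ExampleVendor/taskd", "--quiet"]},
        "Library/LaunchDaemons/com.other.tool.plist":
            {"Label": "com.other.tool", "Program": "/usr/local/bin/othertool"},
        "Users/sample/Library/Preferences/com.examplevendor.backup.plist":
            {"LastRun": 0},
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            plistlib.dump(data, fh)
    return root, home


if __name__ == "__main__":
    sample_root, sample_home = build_sample_tree()
    for found_path, reason in find_leftovers([sample_root, sample_home], "examplevendor"):
        print(f"{reason:40} {os.path.relpath(found_path, sample_root)}")
```

On a real machine, pass `"/"` and the home directories of each user as `bases`; reading some system locations may need an administrator account.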

Now, why is all this so creepy, so utterly unacceptable,  in this case when all sorts of apps behave similarly badly? Intego is in the business of selling tools that are all explicitly about keeping your Mac safe.

They sell:

  • AntiVirus Software
  • Software Firewall/Internet Security Software
  • Privacy software to clean your Mac of browsing history.
  • Backup Software (not that you’d know they sell that product from their product listings and there’s no press release for Personal Backup more recent than July of 2008).

If Intego expects their customers to trust them to help keep them safe from malware, they shouldn’t behave like malware. If they are actually interested in controlling the spread of malware on MacOS, they should behave in a manner beyond reproach. If they want to have users learn basic habits that inherently make them safer from malware, they shouldn’t acculturate users to do exactly the sorts of things that lead to spreading malware. Intego is, without major changes in their behavior, not to be trusted. Period.

**************Update**************

The Mac Promo bundle mentioned above also includes “Personal Antispam” from Intego. It too has faux HTML and PDF ‘documents’ and, it too installs a similar suite of cruft. The habits described above seem to apply to at least two Intego products.
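
A check for the application-badged-as-document pattern described above, added here as an example and not part of the original post: it walks a mounted volume, finds bundles whose Info.plist declares an application with a real executable, and flags those whose name or icon file name presents them as a document. The keyword lists are heuristic assumptions, and the sample volume and its bundle names are constructed.

```python
import os
import plistlib
import tempfile

# Heuristic hints (assumptions) that a bundle is presented as a document.
DOC_EXTENSIONS = (".pdf", ".html", ".htm", ".rtf", ".txt")
DOC_WORDS = ("read me", "readme", "license", "getting started")
ICON_HINTS = ("pdf", "html")


def read_info_plist(bundle):
    """Load Contents/Info.plist from a bundle directory, or return None."""
    try:
        with open(os.path.join(bundle, "Contents", "Info.plist"), "rb") as fh:
            info = plistlib.load(fh)
    except Exception:  # missing, unreadable or malformed plist
        return None
    return info if isinstance(info, dict) else None


def document_hints(bundle, info):
    """List the reasons this bundle looks like a document to the user."""
    shown = os.path.basename(bundle)
    if shown.lower().endswith(".app"):
        shown = shown[:-4]  # Finder hides the .app extension by default
    lowered = shown.lower()
    hints = []
    if lowered.endswith(DOC_EXTENSIONS):
        hints.append("name ends in a document extension")
    if any(word in lowered for word in DOC_WORDS):
        hints.append("name reads like documentation")
    icon = str(info.get("CFBundleIconFile", "")).lower()
    if any(hint in icon for hint in ICON_HINTS):
        hints.append("icon file name suggests a document: " + icon)
    return hints


def find_masquerading_apps(volume):
    """Return sorted (bundle path, hints) for apps that look like documents."""
    findings = []
    for dirpath, dirnames, _files in os.walk(volume):
        for name in list(dirnames):
            bundle = os.path.join(dirpath, name)
            info = read_info_plist(bundle)
            if info is None or info.get("CFBundlePackageType") != "APPL":
                continue
            dirnames.remove(name)  # do not descend into an app bundle
            exe = os.path.join(bundle, "Contents", "MacOS",
                               str(info.get("CFBundleExecutable", "")))
            hints = document_hints(bundle, info)
            if os.path.isfile(exe) and hints:
                findings.append((bundle, hints))
    return sorted(findings)


def build_sample_volume():
    """Create a constructed disk-image layout for the demonstration."""
    volume = tempfile.mkdtemp(prefix="sample_volume_")
    samples = [  # (bundle, executable, icon file): all constructed names
        ("License.app", "opener", "pdf.icns"),
        ("Read Me.app", "opener", "html.icns"),
        ("Sample Backup.app", "SampleBackup", "app.icns"),
    ]
    for bundle, exe, icon in samples:
        contents = os.path.join(volume, bundle, "Contents")
        os.makedirs(os.path.join(contents, "MacOS"))
        with open(os.path.join(contents, "MacOS", exe), "wb") as fh:
            fh.write(b"#!/bin/sh\n")
        info = {"CFBundlePackageType": "APPL", "CFBundleExecutable": exe,
                "CFBundleIconFile": icon}
        with open(os.path.join(contents, "Info.plist"), "wb") as fh:
            plistlib.dump(info, fh)
    with open(os.path.join(volume, "Manual.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n")  # a real document: a file, never flagged
    return volume


if __name__ == "__main__":
    for path, hints in find_masquerading_apps(build_sample_volume()):
        print(path)
        for hint in hints:
            print("   -", hint)
```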

**************Update again**************

The text:

“You must provide a valid e-mail address when serializing the Software, which will then proceed with the activation procedure. At the end of the Period of Use, the Software will no longer be active, and to continue using the Software You will need to purchase a new license or subscription for a new Period of Use.” does appear in their License. The license is included in the collection of ‘masquerading as documents’ applications on the installer disk image and here: http://support.intego.com/kb/index.php?x=&mod_id=2&id=70

Why do they want an email address? “6. Communication and Personal Information. By accepting this license, You grant to Intego the right to send You occasional e-mails or postal mailings regarding security alerts, new software, software offers, as well as reminders that Your Period of Use is due to expire. Intego will not sell or lease Your e-mail address or other personal information to third parties.”

In other words: In order to use the product you paid for, it is a condition of the license that they be allowed to email you ‘offers’. You can’t use the product you paid for unless you give them permission to spam you. Conversely, if you ask to be removed from their promotional email lists, you forfeit the license you paid for. How do you like them apples?

**************Update again…again**************

Email sent to support@intego.com:

Subject: License disclaimer and removal request.

Please remove my email from all of your distribution lists. As a purchaser of your products, I do not consent to this license term:
“6. Communication and Personal Information. By accepting this license, You grant to Intego the right to send You occasional e-mails or postal mailings regarding security alerts, new software, software offers, as well as reminders that Your Period of Use is due to expire. Intego will not sell or lease Your e-mail address or other personal information to third parties.”
I urge your legal department to review, at least, the following:
– Jon

****Update 1.5.11****

No reply to the above email other than automated response. They’ve had three business days. Now I have no problem being a bit louder about this.

****** Update 1.6.11*****

An anonymous Macintouch reader points out: “One person’s crud = useful components to another.” and yes, I agree in principle but still see the Intego payload as beyond excessive. I freely admit I may be unique in my distaste for Dashboard Widgets for example but I think, as they also say in their comment, that the installer should tell you what goes where.

*******Update 1.7.11*******

Peter from Intego posted a comment I didn’t notice for some unknown period of time and it was held for moderation longer than I’d like. It has now been posted (unedited) and replied to. I want to be clear about something. I believe the Mac community needs anti-malware and security tools. I believe Intego is capable of providing good ones and making a good living doing it. I just don’t believe, as of now, they are acting in a way that embodies good practices. I would hope they would take this feedback to heart, reflect and come out with revisions to their products, policies, UE and documentation that would make them better and, if they do, I’ll buy their products again. I’m not, and never have been, seeking a refund. In fact, I have asked them to cancel my license because I can’t agree to a license term but did so without asking for any kind of refund since the rest of the bundle was a good value for me. So… for the rest, read the comments.

*******Update 4.26.11*******

Telling screenshot and citation of Mac App Store Guidelines. Seems like we have a double lesson here. Mac App Store concerns for both Devs and Users and Intego not seeming to have learned a thing in 4 months.

*******Update 9.23.11************

Oh look, a malware app being delivered as faux .pdf. I’m shocked, shocked I tell you. http://arstechnica.com/apple/news/2011/09/mac-trojan-poses-as-pdf-to-open-botnet-backdoor.ars

  1. January 6th, 2011 at 03:41 | #1

    This is UNBELIEVABLE! I can hardly believe what I am reading. And they are a “highly” rated anti-virus solution, according to some reviews – Sorry, I’m not sure if it was MacWorld or Mac | Life. But I noticed it recently as Macs are becoming more and more susceptible (in theory) to viruses and malware.

    Is there any chance this is some sort of slackware masquerading as Intego?

  2. January 6th, 2011 at 11:26 | #2

    @techprodave

    Nope, it was the genuine article. You can see many of the things mentioned above if you download as a demo. For example: If you right-click and look in the menu, you can see the ‘HTML’ files are packages and, double clicking one should also make your Mac give you a first run application warning when launching. The license clause, you can see on their site. The collection of stuff ancillary to the product, you’ll see if you install. I’d love to hear if anyone else finds different behavior but I did a fair bit of digging to be pretty confident of what’s noted above. I don’t like to be unfairly or inaccurately critical.

  3. Peter James
    January 7th, 2011 at 11:35 | #3

    It is surprising to see an article that is not only this hostile, but also this full of mistakes. I am posting this to correct a number of errors in your article.

    First of all, you should realize that it is very serious to say that a company is “not to be trusted” without any serious evidence. You might want to keep this in mind if you publish more criticism on your web site.

    But let’s begin at the beginning.

    Mac Promo is clearly different from Mac Update Promo. The first has a domain macpromo.com, the second macupdate.com. I think anyone can see the difference.

    Regarding Personal Backup: this product is only sold as part of Intego Internet Security Barrier, which is a suite of programs. Normally, the program is not sold on its own, but for this promotion, both Personal Backup and Personal Antispam were offered outside of the suite. Google would have helped you find info about the product here (http://www.intego.com/internet-security-barrier/), and a thorough manual here (http://www.intego.com/manuals/en/pb/personal-backup-106-user-manual.html).

    Next, you criticize the use of “faux docs.” Do you have a Mac OS X Installation disc? This is exactly what Apple does with the same type of application that bears a PDF icon. This is very practical in a world where most people don’t speak English. You say they “aren’t literally malware,” which means you think that they are sort of malware…? In such a case, you might want to brush up on the meaning of the word “malware.”

    Personal Backup does require online activation – so what? Many programs do. You have a valid serial number, so what’s the problem?

    Third, Intego uses installers for its software because the programs are not standalone programs; they install daemons (for Personal Backup, this is related to scheduling), and NetUpdate, which is used for updates. You say that running an installer should “raise a red flag?” Why is this? Many programs use installers, notably all those that install files in the system space. (Would you consider the fact that installing, say, iTunes via an installer is a problem?)

    As for the files installed, I’d like you to point me to one program – other than BBEdit, which is an exception – that provides you with a list of files it installs. Intego uses standard Apple installation packages. During the installation procedure, you can check the list of files that are going to be installed by choosing File > Show Files.

    Intego’s uninstaller does remove everything a program installs, with the exception of preference files. If for some reason this is not the case, I would invite you to contact Intego’s support team (http://support.intego.com).

    • January 7th, 2011 at 19:19 | #4

      Peter,

      I’d be happy to discuss this with you offline as well but here’s my rebuttal. I apologize for not posting your comment through sooner. I simply didn’t see it queued.

      First of all, you should realize that it is very serious to say that a company is “not to be trusted” without any serious evidence. You might want to keep this in mind if you publish more criticism on your web site.

      I realize it. Would you like contact info for my attorneys? If so, contact me offline. If not, don’t bluster. It makes you look like a bully.

      Mac Promo is clearly different from Mac Update Promo. The first has a domain macpromo.com, the second macupdate.com. I think anyone can see the difference.

      Actually the URL for Mac Update’s promotional bundles is: http://www.mupromo.com/. How clear the difference with the corrected URL, I’ll leave as an exercise for the reader. I do think it’s clear enough. I also think it’s deliberately similar. I saw the difference before I bought my Intego Mac Promo bundle. I bought it anyway. I am happy with many of the products I bought and the bundle was a good bargain. The post you’re commenting on also says the difference was visible in several ways. Rather than call me wrong, please re-read what I actually wrote: “to be fair, the design and appearance of the promotion was clearly different from Mac Update Promo. Intego did, in the small print, say the bundle was being offered by Intego.” So, if you want to claim innocence on the part of Intego Marketing when choosing the name “Mac Promo” with only a small print mention of Intego as the offering entity, I’ll take your claim on faith. That said, in future, I recommend you choose “Wicked Cool Deal From Intego” or some such name in future lest you fall below the extremely high bar for conduct that comes with being in the business of providing security and privacy solutions.

      Next, you criticize the use of “faux docs.” Do you have a Mac OS X Installation disc? This is exactly what Apple does with the same type of application that bears a PDF icon. This is very practical in a world where most people don’t speak English. You say they “aren’t literally malware,” which means you think that they are sort of malware…? In such a case, you might want to brush up on the meaning of the word “malware.”

      Good Catch! I just checked my retail Snow Leopard disk and you’re correct, Apple did it too. I never noticed Apple doing it too and I will be poking them about it. It’s wrong, period. In fact, the OS vendor doing it is almost exactly as wrong as the security tools vendor doing it. Again, good catch! Why is it wrong? Again, from the article: “Users lulled into trusting these things, apps masquerading as docs are, absolutely an infection vector for malware.”

      Now, as to the presumption that I am somehow naive as to the numbers of people who speak which languages as your mechanism for attempting to discredit my article: From the original article: “These executables appear to be as benign as wrappers that check what language your Mac is localized to and then open the appropriate documents.” clearly I know one tiny thing or two about localization and UE. The truism that not everyone speaks English is not a useful contribution to the discussion. Correctly pointing out that I didn’t realize Apple behaved similarly badly is useful.

      The issue I raised isn’t using an application to improve the user experience of localization but that, in doing so, you deliberately (as you point out Apple also does) obfuscated the nature of the ‘document’ with your icon design was the issue at hand. As stated in the original article: “That Intego’s faux docs aren’t literally malware doesn’t change the fact that to imply they are delivering documents when, in fact, they are delivering applications is bad behavior at best and, at worst, creating the kind of problems they then want to sell you products to avoid.”

      You say they “aren’t literally malware,” which means you think that they are sort of malware…?

      Which means I think they (applications badged as documents) acculturate users to doing things that make them more susceptible to certain kinds of malware attack. Again, from the original article: “Users lulled into trusting these things, apps masquerading as docs are, absolutely an infection vector for malware.”

      Since, apparently, this wasn’t sufficiently clear let me spell it out in more detail:

      – If customers aren’t taught to inherently distrust anything they download that wants to run code on their Macs, they will continue to be susceptible to Trojan Horse malware. Microsoft’s failure to anticipate misuses of macro functionality in their implementation of VBA in Office combined with the tendency for users to trust ‘documents’ was the transmission mechanism for the most widespread malware infestation on MacOS since before OS 8 wasn’t Copland. In fact, ever. So far.

      Customers should have reliable ways to know what can execute code and can’t. Failing that, firms who sell security software (and as you pointed out, Operating Systems) should be teaching them at best and not perpetuating the problem at least.-

      Regarding Personal Backup: this product is only sold as part of Intego Internet Security Barrier, which is a suite of programs. Normally, the program is not sold on its own, but for this promotion, both Personal Backup and Personal Antispam were offered outside of the suite. Google would have helped you find info about the product here (http://www.intego.com/internet-security-barrier/), and a thorough manual here (http://www.intego.com/manuals/en/pb/personal-backup-106-user-manual.html).

      I did google. Googling led me to the OS 9 era documentation on your site that I read prior to bundle purchase and the current documentation you link to that I read when I actually installed the product.

      It appeared, though I could be mistaken, that you updated the documentation between when I first considered buying the bundle and when I went to research the above article after I bought it but it’s possible both are still on your site and I found one instance the first time and the second instance when I went back. I don’t feel like checking. I’ll take your word for it. The current docs were always there. Somewhere though, as recently as two weeks ago, were OS 9 era docs available on your site.

      That you normally bundle a tool and unbundled it for a promotion is a perfectly fine decision. It does mean you’re now providing support, to the extent that you do provide support, to a customer base who paid a lot less to get an unbundled product, but that’s your call.

      That you choose to make an offering of a product normally only available as part of a bundle and not call it out on your website as distinct component discoverable via navigation rather than search is also Intego’s choice. Valid reasons not to call attention to it include: not planning to sell the product unbundled again or research to make a decision about whether to unbundle in future. Both are valid though I’d tend to recommend other approaches if I were working with your marketing team. I think the link to your license in the original documentation is prima facie evidence I know how to use “The Googles” on the internets your tone seems to suggest I bought last week at Best Buy.

      Personal Backup does require online activation – so what? Many programs do. You have a valid serial number, so what’s the problem?

      I am extremely rabid about paying for the software I use and have been specifically contracted by clients to help bring them into license compliance. License compliance is an important aspect of I.T. management. In addition, I find piracy personally distasteful. That said, Online Activation is user-hostile. For more on my feelings on this issue, feel free to read this: http://blog.jonalper.com/2010/online-activation/

      As for the files installed, I’d like you to point me to one program – other than BBEdit, which is an exception – that provides you with a list of files it installs.

      BBEdit, and BareBones Software in general are truly exceptional. That’s why I have been using, paying for, and having clients pay for volume licenses of their products for nigh on two decades. We agree, they are worthy of praise. They don’t however, that I know of, call out a list of the files they install. That’s not what I said. What I said was: “When BBEdit needs additional functionality that demands it place executables outside its app package (the command line tools) it asks you first.”

      I can’t burn the effort to give you anything like an exhaustive list of better behaved applications than Personal Backup but here are a few examples of ‘better behaved applications’ from an installation perspective:

      Carbon Copy Cloner: http://www.bombich.com/ installs nothing outside its package but caches and a prefs file and both of those are discoverable in the typical locations. It does check for updates online by default but offers the option to disable this check.

      SuperDuper, a commercial tool with great support, similar functionality to Carbon Copy Cloner and much more. (Including a handy way to catch and manage configuration management including testing and reverting from poorly behaved installers and uninstallers: http://s3.amazonaws.com/com.shirtpocket/SuperDuper/Testing.pdf ) places links to executables in its own package. They go in the usual places in MacOS for support files. The files are prefs, settings(scripts) and a link to the daemon that manages the scheduling feature. The daemon’s executable is contained in the App package. While it doesn’t explicitly warn like BBEdit, because of the way they did it: drag the app to the trash, the links dead-end and with it, the executable after a restart. (I am actually less confident about this architecture than I’d like to be but it appears to work this way and I do trust Shirt Pocket)

      Ditto, Firefox and OnyX and EasyFind and many other ‘drag installable’ applications. DragThing installs a startup item link to itself by default but disabling it is a click in the prefs for the app. Yes, it should ask first but aside that, it’s a drag install for the executable and only the usual prefs and settings documents. Hardly all such drag installable apps are that pure of course but many, many, are.

      As to who documents when they poke an executable outside themselves like BBEdit does? These guys: http://www.taoeffect.com/espionage/support/ do a great job of being extremely transparent about what their product does, what it doesn’t do and how it’s built in ways that make their customers informed and more secure.

      A favorite counter example for Intego Personal Backup’s behavior though is this one: http://www.qdea.com/synchronize_pro_x_intro.html

      They do try to install a scheduler executable at launch but no Admin permission, no install.

      They document their scheduler (daemon) here: http://www.qdea.com/synchronize_pro_x_questions.html#autosync_reinstall

      and their online activation behavior here:
      http://www.qdea.com/synchronize_pro_x_license.html

      and I didn’t need “The Google” to find either on their site.

      Intego uses standard Apple installation packages. During the installation procedure, you can check the list of files that are going to be installed by choosing File > Show Files.

      … is incomplete (by necessity of brevity perhaps) but examining a package’s contents in the file system is in no way 100% reliable, by far, in determining what’s installed and where. Your engineering staff can confirm this for you.

      Third, Intego uses installers for its software because the programs are not standalone programs; they install daemons (for Personal Backup, this is related to scheduling), and NetUpdate, which is used for updates. You say that running an installer should “raise a red flag?” Why is this? Many programs use installers, notably all those that install files in the system space. (Would you consider the fact that installing, say, iTunes via an installer is a problem?)

      The litany of ancillary items from menu bar items to dashboard widgets installed by your installer is discussed in the original article. The “needs a daemon” for scheduling was also mentioned in the original article.

      Your engineering staff should be able to tell you why the need to run an installer, need privilege escalation (and in some cases a restart) should raise red flags for users concerned with security in more detail. In short, many MacOS applications can be simply dragged to any location the user chooses and launched. Many do not demand privilege escalation when downloaded and launch with a user account that doesn’t have administrator access. One hopes Apple continues to do an improving job of mitigating the damage that such non-privileged applications can do to a user’s data but once an application has been granted privileges there’s not much even Apple could do to make things safe.

      An application that requires an installer is (usually) explicitly seeking access to parts of your file system outside that user’s scope. It’s, (usually) installing components in places the user doesn’t readily see. That’s potentially problematic. Hardly is it inherently problematic but it has greater potential to be an issue. Assuming that “raising red flags” equates to ‘don’t install’ is foolhardy. Simply clicking install and not doing some research about what you’re about to install and where is more foolhardy. Being a company in the business of selling security, data protection and privacy tools comes with, as I have said repeatedly, a responsibility to behave beyond suspicion, to follow and educate users about best and safest practices and to lead by example.

      As to the iTunes straw man? I use it, I buy content with it, I manage my iPhones and iPods with it and I enjoy it. That said: It’s bloated to excess, and does too many disparate jobs and I’m looking forward to a Ground-Up rewrite/rethink from Apple but I’m not holding my breath. That said, since iTunes is often barred from user machines in corporate environments for that and other reasons, it’s a lousy counter example.

      Intego’s uninstaller does remove everything a program installs, with the exception of preference files. If for some reason this is not the case, I would invite you to contact Intego’s support team (http://support.intego.com).

      It didn’t. My contact to support has still not been answered by anything other than Intego’s “we got it, here’s your ticket number” bot and, since I have managed to expunge everything Intego on my machine myself, I don’t need the support. If you would like me to invest my time in troubleshooting for either a bug or some user error on my part clicking Uninstall, I’d be happy to book a time with an engineer to walk through it so they can regress the issue. In the meantime, I’m sticking to my claim that the Uninstaller did not perform as you say it does.

      You didn’t comment on one aspect of my post, admittedly an update you may not have seen when you commented, namely Section 6 of your license. That alone is, in my opinion, ample justification for distrust.

      All the best,
      – Jon