why would an installer need access to my computer?
 

why would an installer need access to my computer? Why is there an installer at all?

this is just baffling, after blocking wowmatrix curse gives me the very buggy mac curse client 3.0 and you guys want full access to my computer to install something as simple as an updater?



thanks but no thanks

How else do you expect it to install anything?
It's a choice.
See above.

"unrestricted" is a very WRONG definition of what its actually requiring, it need full permissions because it has to read, write, copy and overwrite.

I religiously watch my system for changes, access, upstream infor and downstream so I know whats going on with my computer.

AFAIAC the minion is safe for updating, the only worry i would have is with 3rd party additions to it.

Worst comes to worst, backup your WTF and interface folders before updating and virus, spyware, malware check it each time.

i expect to get a program icon i can put wherever i want there is no reason for something as trivial as an updater to have its own installer

the point is exactly that i don't expect nor want it to install anything where the system rightfully doesn't give it access in the first place

it is a bad unnecessary choice, it make you look unprofessional or worse like you have some hidden wrong intentions (why else ask access to my system)

there are no popular mac applications that work like this as most users will refuse to install them

the warning is not a poor choice of words its exactly what it is, unrestrictive, i give permission to write/read anywhere in the system

MMOUI Minion isn't a native cocoa based application (the one that you can just drag to your applications folder). It's something written in java and because of that it is asking you for permission.

You're complaining about "a poor choice of words" in the wrong place. I'm pretty sure that's a default warning written and provided by Apple themselves, not by Minion.

Also, I think you're being a bit (nah, overly) paranoid about the app. What is it going to do, delete every file and uninstall every other app? Highly unlikely. If it did do things to your computer that it shouldn't do, then other people would have already complained about it and Minion wouldn't be around anymore.

a java application does not need permission of any kind to be copied on my hard drive

there are many far more complex multi platform java apps, that work (install wise) exactly like a cocoa app does i.e. an icon i copy to my preferred location (1 example would be jdownloader)

there is no reason to ask permission, it only needs permission if it wants to do things it shouldn't like:

1. install new libraries (os x has all installed as is)
2. copy files to places where they don't belong
3. its malware and wants to destroy stuff

whatever it wants to do its potentially system destroying

i would suggest to stop responding if all you want to do is blindly defend a very poor design choice for no other reason than to not admit it is a poor choice

i am not complaining about poor choice of words, i am telling the choice of words is spot on, a previous poster found he had to correct apple and minimize the risk

its not paranoia, its a valid concern for the safety of my OS and private data, if every little app behaved like this we would have 0 security left.

I have to agree about the apple philosophy about applications, however, Minion is an application that is meant to be cross compatible. And that goes for installing it as well. You can't say it's a poor design choice. It's just one way to tackle cross compatibility.

I'd say you are pretty safe, considering our fine website here. I can understand the concern when your OS tells you something wants an unfettered access to your computer (p.s. Mac should use that verbiage :P), but installing software onto your computer is your decision. Unless you've *never* used a Windows based environment or what-have-you, you can easily say, "Nah, I don't want to use this because it may harm me, even though it doesn't seem to have harmed anyone else, but I want to have the caution this little box brought upon me by choosing the blue pill or the red pill." Or some variation.

This isn't a snarky remark. Just an observation on what has transpired thus far.

it has nothing to do with cross compatibility, jdownloader is cross compatible and yet installs correctly

many apps with an installer (a philosophy from windows and os 9, but possible on os x) do so without needing access, there is no reason why an app as trivial as an updater should ask for this

so i have a mac with maybe 300 applications, some in cocoa, some in java, some in old carbon, from all kind of developers, some multi platform, some only mac, none of them trigger this warning, yet a small little updater program does

i am not sure if any of you are actually from wowi or just rabid fans posting to defend their favorite site? If any of you are from wowi i would take this problem serious instead of be apologetic for something that has no valid reason to be like this.

It does need this access, I believe. The installer also updates your application, so it needs access to replace files.

Maybe Shirik can give a better answer.

I've been called a dog by some, but never rabid. I have never used the Mac OS extensively, and probably never will; also I never got around to downloading and using the updater, something about downloading directly every time without the convenience of having them all go at once just seems over kill for me. :banana:

Generally spealing, upgrading a cocoa application on OS X is actually really simple. You download a zip file or dmg file, and you drag the .app file in it to your applications folder. No need to mess with installers.

ITT Mac users

It is impossible for me to create a certificate that requests different permission sets for Windows and Mac. Windows requires this permission set.

If you don't trust my application, why would you use it, anyway? Do you really trust your OS so much that you are willing to be insecure and let it act as your bodyguard?

P.S. If you really must know, a JWS application is not authorized to make files anywhere except in your temporary directory without requesting this permission set. Installers don't work too well that way. The application itself will not request this access.

there seems to be a general attitude to just trust anything or you are paranoid
its puzzling to me why a programmer would resort to the if you don't like it don't use it mantra, nothing i said is unreasonable

if you only care for windows don't release a mac version, other java apps seem to be perfectly fine installing whatever they need without needing unrestricted access

the bodyguard comment is just stupid, you seem upset an os caught your app when it wants access to parts it doesn't need

if this is how your app presents itself to the mac user it will not be widely used, but apparently you don't care so i guess everybody wins

How many people have you seen saying" MMOUI just ate my HD"?

I get that same message from DOZENS of well known, highly trusted applications.

Being security conscious is one thing. But lets put a little common sense in there too.

again the trust everything or you are paranoid mantra

also i challenge you to even name 3 applications that pop up this warning

this is a problem for both usability (it confuses the user and asks him to trust some random app over a security warning) and security (you actually advise this behavior making any security warning useless as you train users to just click allow)

You obviously have an issue with this application and don't want to use it (or maybe you DO, but are too anal about every little red flag (true positive or false positive, whatever the case may be) that comes up). We get the point!

Do you have nothing better to do that whine and complain at each response that comes around on this thread, or do you not have enough drama in your life you feel the need to continue this mindless bickering?

Just stop being such a paranoid little attention wh0z0re already and come to the realization that it is highly unlikely that WoWI would allow ANY kind of files bearing even REMOTELY malicious intent to be hosted at this site (let alone giving it as much support/backing as they have)!!

you are just sad

i raise a valid usability and security concern, first couple of responses are don't be paranoid and how else can it be done, then the programmer tells me he can not be bothered with users or usability, then you come to insult me

again the wise thing to do would be too look into how you can fix this instead of shooting the messenger, you come over like some cult that is replying to a non believer

Well, I dont see how you have the right to complain about what replies you get, the choice to post about it on the forum was yours.
That you worry is reasonable, of course, but like someone else already said, if the app was filled with virus or doing something shady to your computer, other users would have noticed.
And about the "Use it or dont use it" mantra is true. People have tried to explain why it needs permission the best they know, but if you dont find those reasons good enough, then it is in the end up to you weither you want to use it or not. Most likely, they wont change the application just because you dont happen to like the installer, so in the end, nothing will change.
Use it or dont, I doubt it's a life-changing decision to make.

They can't correct something that isnt there. Yes, it asks for access, and people have already tried to tell you why, but it doesnt actually DO anything wrong. No one has noticed it doing ANYTHING it shouldn't do, thus there is nothing to correct. It's you vs. an entire community, and no one else seems bothered.

you are right, a program that pops up a warning that it has an invalid certificate and wants unrestricted access is no problem at all

no other application does this, but for the complex and close to impossible task of checking a bunch of files for updates this just has to be done

only paranoid haters would complain




but don't worry my choice is made, it just amazes me that no-one even considers this a problem, i would think many programmers would reside here some that care about this kind of thing....

the only kind of posts i get is the inane justifications of people who don't even know what i mean and a programmer that does not care that his program presents itself as a harmful application

nice thing you have going here :D

And the way you word your original post leads one to believe YOU are the one with malicious intent concerning this issue. You seem to be pretty much spitting in the face(s) of the author(s) of this app with the whole "This is baffling, after blocking <BLAH BLAH BLAH BLAH BLAH> you guys want full access to my computer <YADDA YADDA YADDA>" routine, then you add an exclamation point to it all with the whole "thanks but no thanks" line.

If you think you know so much about it all, why don't you stop BELLYACHING about everything and offer to HELP??

Shirik has already explained that Windows requires a certain permission set, in order for Minion to work as intended. It is not possible to use the same certificate and require a different permission set for mac. Shirik was not upset because "an os caught his application that wants access to parts it doesn't need", Minion has been tested on Mac and I'm willing to bet he was well aware of the warning. The warning (albeit generic) and the "Details" button is there for a reason, which is, to allow the user to make an informed decision. It has already been explained to you why the warning exists and thus I would expect that a reasonable person would ultimately make a choice, to trust the application and install or not install. No one here is forcing you to do either thing. It's really as simple as that.


No one considers this a problem, probably because satisfactory explanations have been presented. Using your logic, we should probably conclude that each and every time a security feature is being triggered by an action restricted to a specific entity (in any OS), a harmful application is always to blame. While obviously that is something likely to occur, if it was the case for every single application, I'd reckon Window's UAC at least would have it really bad ;) On a more serious note, as I mentioned earlier, it ultimately comes down to a simple point : "trusting" an application and allowing it to continue functioning, the way its designed to function, or not trusting it for whatever reason and disallowing access/deleting it/whatever. There is nothing paranoid about this and in all honesty continuing to argue over such a simple matter, iterating the same points, only weakens your point of view.

.. I think we could all stand to tone down the rhetoric.

Full Disclosure: I am a Mac user, and a very happy Minion user.

The reason warnings like this exist is to give you the opportunity to make a choice about what is happening to this system. It lets you know, when you might not have known otherwise, that something is being installed to your computer. Without this warning, your favorite **** site or gold-selling site could drop anything it wants (say, a keylogger to get your WoW credentials / online banking login / etc.) onto your computer without your knowledge.

But it is exactly that: a warning. It may as well say "Did you know you were installing Minion?" Since you did, in fact, know that, and mean to do that, you can say yes. If it said "Did you know you were installing RandomTrojan?" you could say no. If you say "no" to every warning that ever pops up, you could never do much of anything to your computer.

I'm not a user of jupdater, but after looking at it bit I don't think it's a fair analogy. There are many java programs that you can just drop on the desktop/dock and run.. but Minion has a lot of system-specific configuration work to do. This is why it's not just a drag-n-drop.

Shirik (who happens to be the primary author) has already explained that since this is a cross-platform installer, it has to request the minimum permissions for all its supported platforms. Since one of those platforms is Windows, and the required permissions for that platform is All, that's what is requested.

On the invalid certificate issue.. there are TONS of reasons why a certificate could be invalid, up to and including greed on the part of the certificate issuer. I once had a 3-screen argument with Firefox because it didn't want me to use a certificate registered for www.<trusteddomain>.com being served by www2.<trusteddomain>.com. The best plan is just to look at the certificate and see if you can intuit that it means well. In this particular case, it may be related to the fact it is Beta software - for testing purposes by hardy users only - and therefore a signed certificate hasn't been purchased yet. If that makes you uncomfortable then - while I can assure you there is nothing wrong here - your best plan may to be to wait for the official release.

Edit: the shortened form of "****ography" is filtered on this site. Who knew?

He sounds like the kind of person to call his ISP and whine about the speed of his internet when he's using a wireless g router, in the basement, which is 3 floors under the router, on a slow computer, with 256K ram, running Mac OS 8.4. (or Windows 98).
:mad::p:mad:;)

Shirik explained his reasons for why the app does what it does.

You either accept this and trust his reasons or you don't.

Install it and move on or don't and move on.

Either way, move on.

Okay guys, tone it down. You know the rules. No flaming. No personal attacks. He has his concerns and it's his right to air them if he wishes. Shirik has responded, as the programmer of Minion and as a staff member of WoWI. If there is any more conversation to be had in this thread, it should be between them.

downset - I understand that you have concerns and you are certainly welcome to discuss them. However, you seem concerned that this is a third party application that we have adopted for our use. This isn't the case. It was written in-house by Shirik specifically for our sites. As well, please note that we've been running our network of sites for 7 years now and have only ever had a single instance where there were any malicious files on any of the sites (which was discovered and cleared up extremely quickly). Also note that every one of our sites are official members of the fansite programs for each of the applicable game companies. As well, we have a lot of people using Minion already. If there was any problem with our site(s) and/or Minion, those statements would no longer be true. If we weren't trustworthy, the game companies themselves would be kicking us out of their fansite programs. If there was a problem with Minion, users would have it uninstalled and it would be splashed all over the internet "do not to trust it, it is malicious".

That is in fact why the certificate is invalid. The certificate is "invalid" (in fact, valid for me, but invalid for you) because it is a self-signed certificate that offers no real guarantee of identity. If you really wanted the CA associated with the certificate, I could give it to you so you could install it to trust it, but there's really no reason for that.

Regarding permission sets, Java only offers two built-in:
- Applet permissions (create temp files, no spawning of processes, no accessing URLs outside of where it originated from)
- Full permissions (can do everything that a typical application can do)

Note that "Full permissions" is NOT asking for root on your computer or anything of the sort. It is simply asking for Java's full permission set. It still runs in the context of the current user, and thus I can simply do everything a typical application can do. In fact, one might argue this makes Java more secure in this regard, because I am asking for confirmation before I get anywhere that any other application could have done normally.

Minion actually installs its own intermediary permission set, known as the Minion Security Manager, which falls somewhere in between Applet permissions and Full permissions. This allows modules to run without being initially trusted, and users of Minion have already seen it in action. It offers more fine-grained security levels such as access to individual folders and servers. It is fully capable of blocking access to folders which you have not authorized (and some people have already had problems with Minion due to it being a bit paranoid, itself, and blocking modules when it should not have).

Sorry Cairenn :(

*turns off muh lazer*

Not to kick a dead horse here but I'm pretty sure that with OS X's protected memory scheme there's no way that a program can grab another program's security access.

So even in the likelyhood that Minion was getting access to system files , an illicit program would not be able to grab that access to write stuff anywhere.

And yes I do read notes from Black Hat conferences where they speak of hacking OS X - there has been no news of programs being able to piggy back other programs that way.

The intermediate security manager that I was referring to is for modules, which may need to have additional restrictions. To the OS, the modules and the core are all one big application. Thus, it's Minion's responsibility to act like a mini-OS and allocate permissions accordingly. Fortunately, Java offers a very powerful way to implement this functionality (and leverages it against applets).

too many replies are form people who only ever seen windows, os x has no UAC, warnings mean something and are very rare


i can name 2 very high profile and complex java apps:

1. jdownloader, installs by drag and drop and updates itself without any security warnings

2. vuze (used to be azereus): installs with an installer and updates itself without any security warnings

both are multi platform, both are permission wise equal, they update automatically, and download files form the internet and put them in a folder

Java is not Mac OS.

...and likely don't use self signed certs? I could be wrong but it looks like that is what the actual cause of the error is (which is obviously coming from the JRE not the OS and, apparently, means that you're only granting user-level permissions). I think it's reasonable for Minion to use a self-signed cert -- at this point in its development, anyway.

Just a friendly reminder (again) :

Keep it civil, people.

OSX does have a type of UAC, when ever you download and copy a new app to the application folder and run it. OSX will inform you that this app is new and was downloaded from the web. Then ask you if you are sure you want to run it. Not 100% the same as UAC but similar in end result.

Those you listed don't install directly from the web page like minion. Those you've listed you download a dmg image and either your browser auto opens it or you double click the dmg. Minion installs directly from the web page so you'll see different security warnings.

Yes both programs you listed above are multi-platform but do NOT have multi-platform installers. Minion uses a multi-platform installer too.

Now if we should ditch our current install process and go with an OS specific installer instead is something to debate.

The last thing we want to do is scare people away from using minion and is why we are in beta so we can discuss these things.

Eh, no offense intended here but you seem like the type that "should" frown on using updaters in the first place. If you're truly that concerned about your system saftey, why even use...bah, you understand the point. As I believe updaters cater to the lazy and less "able" among us (yeah yeah, I know smart folks can use them for convenience...so before you start yelling at me...I KNOW!!!), I find great irony that someone as anal about system security is even using one, but that's me.

It's times like this that I wonder why some kids like to make a big fuss about pc security issues, but will chow down immediately on a pizza delivered from god knows where. Think about it ;)

eh, not for nothing bud, but that's a much more alarming security situation than a warning from your Java minion ;)

Speaking as someone who's done Internet high speed tech support for Comcast, I can tell you that Comcast would just tell him to A) Get on a wired computer thats directly hooked up to the modem (Unless its a comcast supplied router), B) Upgrade their OS C) Call back when you do those tings OR Your SOL.

Also...

Offtopic, but had to respond:

* 640K ought to be enough for anybody.
o Often attributed to Gates in 1981. Gates considered the IBM PC's 640kB program memory a significant breakthrough over 8-bit systems that were typically limited to 64kB, but he has denied making this remark.

"I've said some stupid things and some wrong things, but not that. No one involved in computers would ever say that a certain amount of memory is enough for all time … I keep bumping into that silly quotation attributed to me that says 640K of memory is enough. There's never a citation; the quotation just floats like a rumor, repeated again and again."
Gates (19 January 1996), "Career Opportunities in Computing—and More". Bloomberg Business News

"Do you realize the pain the industry went through while the IBM PC was limited to 640K? The machine was going to be 512K at one point, and we kept pushing it up. I never said that statement — I said the opposite of that."
"Gates talks" (20 August 2001) U.S. News & World Report

This thread is still going? I wanna post too! :banana:

Why use something to install it? What are we all Dumb that we can do it ourselfs? Just install it yourself. END of subject.

To the OP, just so you know, Mac OS X is not the only OS that will throw that message. Linux (Ubuntu 9.04) does as well. It's nothing to be afraid of. As others have stated, Minion is a bit different from other Java based applications as it uses a multi-platform Java Web Start installer (thus the .jnlp extension). Vuze and JDownloader both use Mac specific installers.

Java Web Start is a multi-platform installer for Java based applications that uses a very small file to download load the application's files. It's not that common at the moment, however I would not be surprised to see it used more in the future for Java based programs that install from the Internet. I have run across it twice so far, for Minion and for an older WoW UI updater called NetherPanel (now dead). NetherPanel was also multi-platform. A similar type of installer is Microsoft's ClickOnce installer for .NET based applications for Windows.

I am very security minded myself when it comes to my PC, thus I am very careful to what I install (even on my current machine which is a Linux box). However Minion CAN BE trusted.

to the OP
 

I think the app can be trusted. I, personally, don't like it for many of my own reasons. Others love it. That's great. So choose to use it or not. If this is a "request" then reword your original post as that instead of simply bashing it.

I'm speaking as someone that is currently running tech support for a major cable provider, we still tell them to bypass their router-even if they got it from us, simply to show them where the problem is, if they don't want it, that's what HN support is for :p

I could totally tare into a lot of people and what they are saying here BUT i wont. I will simply say that the minion is perfectly safe, and to think that because a pop up warning for the installer poped up that its not, is ludicrous. Its as stupid as MS office install warning me on a Windows platform.

Don't hold back.. tell us how you really feel!

;) /hugs

*ahem*

Don't make me link to the Site rules....

Something just occurred to me while fixing dinner, one of my geek brain flashes:

If Minion was planning anything malicious on an OS X/Linux/other 'nix based system, it would pop up a sudo window (Mac's authentication pane is a version of the 'nix sudo command), asking for your user password allowing for superuser/root access. Without superuser/root access, malware cannot make any changes to a 'nix based system. That is one of the inherent strengths of a 'nix based system (such as OS X).

You're referring to the Unix backbone?

Yah, however many OS X commands are 'nix commands that have a pretty graphical front end (aka the Quartz "GUI engine") and new, user friendly names (most people would be like what is sudo?). However for power users, the 'nix commands are just a Terminal window away...

Yup. That's why OS-X will sometimes ask you for admin access. Usually it's because it requires access to files that are considered "sensitive" by the OS. Note that any application install that asks for this, is essentially asking for more access than Minion is notifying you about at install. At least Minion warns you about it. :)

That window you see on OSX doesn't really have that much to do with the Unix backbone.

That's called as part of the Security system built into OS X itself. I don't remember the name of the frame work but I think it's the Secure Services framework.

IIRC You don't even need to invoke it in code. You just access an area your user doesn't have permission to enter and it comes up.

Quartz was written by Apple. They didn't base it on X for the windowing system at all (other then a gee that's a good idea *writes their own version*). I refer to post I found by Mike Paquette that says they do (he's the guy that helped write Quartz :

http://developers.slashdot.org/comme...57&cid=6734612

That authentication box comes up automatically when a user attempts to access ares on the HD they don't have permission to enter (eg when the owner & group for a folder is system:wheel) . It's run out of /System/Library/CoreServices I believe.

I never said that Quartz was based on X Windows. I said Quartz was being used as a pretty front end for some of the 'nix commands. I know that Quartz is the main GUI engine used for Mac OS X. Apple did a damn good job of hiding the 'nix underpinnings of OS X in a very good GUI. It makes sense for Apple to use Quartz (and its widgets) for interacting with 'nix commands as using any X based windowing GUI would detract from the overall user experience that Apple is pushing for.

My apologies. I thought you were categorically stating that Quartz uses all unix commands which if you look up Apple developer documents it's not :)