Mar 24 2009

SourceForge-hosted PDFCreator Trojan/Toolbar Warning

Tag: opensource,opinion,random | pmularien @ 11:46 pm

I decided to post this as a public safety announcement, since I (surprisingly) didn’t see this blogged elsewhere. I have, for many years now, used the free/open source PDFCreator software for simple PDF generation and testing.

I recently updated to the most recent version (0.9.7) of the software (now hosted at pdfforge.org), and have made an interesting discovery.

The software is bundled with a browser toolbar component that has behavior which I would consider malware or trojan-like behavior. The notable difference is that it redirects certain types of browser traffic to www.searchsettings.com, which is a linkbait/parking-type site.

In Firefox, I noticed an extension called “Search Settings 1.2” which, once removed, killed this behavior. After more research, I saw that IE had 2 Add-Ins installed (these were also removed). I did some more digging, and that’s when things got interesting.

There is a SourceForge Bug 2607106 “Remove trojan from download!” filed against this project. There’s the report at SiteAdvisor on pdfforge.org hosting this malware. There’s the post from an angry user on the pdfforge.org message boards.

To clarify, there are other “free” PDF creation projects that are questionable at best. However, I always took PDFCreator (sf.net) as a legitimate open source project.

The PDFCreator Toolbar is apparently implemented using “mybrowserbar”. As per their terms of service, they indicate:

f) modify your Microsoft Internet Explorer and/or Mozilla Firefox browser settings for the default search engine, address bar search, “DNS error” page, “404 error” page, and new tab page to facilitate more informative responses as determined by The Toolbar;

mybrowserbar.com “Company Information” redirects to www.spigot.com, which claims to be “Coming in March 2009”. spigot.com is a proxied domain, so there’s no further information available.

I downloaded and investigated the source tarball for the PDFCreator project, and the source of the browser toolbar installer is nowhere to be found (indeed, the .exe included with the installer isn’t present). There’s a response from Philip, one of the developers, in the pdfforge.org forum which sheds a little light on the browser toolbar. I completely empathize with his desire to make some money from his open source work; however, I’d disagree that this is an appropriate approach, and at the very least, the toolbar install option should be more up-front about it.

It’s unfortunate to see a long-time, responsible open source project act this way, and I do hope it’s an honest mistake. I wanted to give people the heads-up who may not be aware of this.
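One way to check a Firefox profile for the settings changes the toolbar's terms describe, as an added example that is not from the original post or from the PDFCreator project: it scans the text of a profile's prefs.js for string preferences whose URL host is searchsettings.com or a subdomain of it. The post does not say which preferences the toolbar changes, so the sample preference lines and URL values below are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

WATCHED_DOMAINS = {"searchsettings.com"}  # redirect target named in the post

# prefs.js holds one preference per line: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*("(?:[^"\\]|\\.)*")\s*,\s*(.+?)\s*\);\s*$')
URL_RE = re.compile(r'https?://[^\s"\'|,]+', re.IGNORECASE)

def parse_prefs(text):
    """Yield (name, value) for each user_pref line that holds a plain literal."""
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            try:
                yield json.loads(m.group(1)), json.loads(m.group(2))
            except ValueError:
                continue  # not a string/number/boolean literal

def host_is_watched(host, watched=WATCHED_DOMAINS):
    """Match the domain or a subdomain of it, never a look-alike host."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)

def redirected_prefs(text):
    """Return {pref name: URL} for string prefs whose URL host is watched."""
    hits = {}
    for name, value in parse_prefs(text):
        for url in URL_RE.findall(value) if isinstance(value, str) else ():
            try:
                host = urlsplit(url).hostname
            except ValueError:
                continue  # malformed URL
            if host_is_watched(host):
                hits.setdefault(name, url)
    return hits

# Constructed sample prefs.js content; names and values are illustrative only.
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.example.org/");
user_pref("keyword.URL", "http://www.searchsettings.com/search?q=");
user_pref("example.homepage_backup", "http://notsearchsettings.com.example.net/");
user_pref("browser.tabs.warnOnClose", false);
'''

if __name__ == "__main__":
    for pref, url in redirected_prefs(SAMPLE_PREFS).items():
        print(f"{pref} -> {url}")
```

Matching on the parsed host rather than a substring keeps look-alike hosts such as the constructed notsearchsettings.com.example.net out of the results.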


Feb 27 2009

Quote of the Day: for Software Architects

Tag: architecture,highlevel,opinion,random | pmularien @ 8:37 am

Conveying a significant point about software architecture in 300 words is a challenge, particularly if those 300 words need to come from a software architect. ;-)
Barry Hawkins

Seen at TheServerSide. Read more architecture goodness at 97 Things. Which of these precepts do you like? Which have you heard before from architects or teammates?


Sep 19 2008

How Open Source is Spring?: An Analytical Investigation

Tag: java,opensource,opinion,random,spring | pmularien @ 8:29 am

This post is to expand on some of the thoughts I posted on the SpringSource Blog in response to Rod Johnson’s excellent description of the SpringSource business model and its commitment to development of open source software.

Now that SpringSource has shown an ability to crank out new product releases on a seemingly weekly basis, I wanted to reflect on where Spring is positioned in the Java open source community, and how open the Spring Core project is to work done by the public.

The hypothesis of my experiment occurred to me when I happened to be reviewing Spring JIRA assignments one day. I was curious whether, following the bug assignments, the majority of development on the “Spring Core” projects (including Spring MVC and what we would consider “classic Spring”) is performed solely by SpringSource employees.

I decided to go about verifying this and would like to present my findings. Note that this is a purely objective study of a particular widely used open source project, and shouldn’t be construed as an opinion on the findings.

Edit Sept 22, 2008 Please note that although the publishing of this post by freakish timing occurred less than 24 hours after the announcement by SpringSource, I want to be clear that this article was drafted and published before I was aware of this news. As such, please don’t misread this investigation as a “response” to the announcement.

Since SpringSource is obviously a private company, I determined the list of employees by consulting publicly available information sources. Anyone is welcome to refute the claims in this article.

I have no direct working relationship with anyone at SpringSource; however, to verify the facts cited in my study, I did email an advance copy of the article to Juergen Hoeller, Spring Project Lead. Juergen kindly took the time to review it and clarify a couple facts that I wasn’t able to discern through public information. Juergen has always been friendly and considerate in the dealings we’ve had through Spring JIRA or the Spring forums, and I appreciate the help!

Read on for the analysis…


Jun 16 2008

Off-Topic: Adobe’s Software Trial Download Madness…

Tag: adobe,flash,random | pmularien @ 8:05 am

I recently wanted to download Flash and start learning how to use it with Java and/or Ruby, with the intention of purchasing once (or before) my trial period expired. I could not believe my eyes when I read that Adobe, a company in the business of making software, has ceased offering trial downloads of many of its products for a full month due to what is apparently a ridiculously simple bug in date calculation:

During the month of June 2008, certain product trials that are launched for the first time (regardless of when they were installed) will function for only one day instead of 30 days, due to an error in a line of code that counts down the remaining days in a trial. You will not experience this issue if you have launched your trial before June 1, 2008, or do not launch it until July 1 or thereafter.

We understand that trials are an important tool to experience the new features of a product. However, this issue would have resulted in a frustrating situation for a large number of customers — an experience that just does not meet the high standards we have set for all of our products and solutions. We invite you to explore the other resources available on Adobe.com in order to experience the products in action.

So, rather than fix a bug that is likely resulting in thousands of lost trial users (which one would assume translates into $$ in revenue), Adobe has foolishly decided – sorry, no downloads for a month! After much searching on the ‘net, I absolutely could not find a trial download anywhere (all download sites link back to Adobe’s broken download page).

At least people can still download some of the good Adobe products while they’re waiting ;)

Come on, Adobe! If I was a stockholder, I would be furious.

(Also covered here)


Feb 25 2008

Removing Windows Update restart nag

Tag: random,windows | pmularien @ 9:16 pm

Hate this dialog?
Restart now?

Seen here and here. Posting so I don’t forget how to remove this darned thing in the future. Since I rarely shut my machines down, I find the dummy-proof-update feature of Windows incredibly annoying.


Nov 04 2007

Comments now Open

Tag: random | pmularien @ 11:26 pm

Since the spammers found my blog long before anyone else, I had enabled high levels of moderation on first using WordPress. This was mainly due to the fact that the only comments I got were links to various online pharmacy sites (hmm, “ph”ish and “ph”armacy do start with the same letters…).

To be more friendly to actual people, and unfriendly to robots, I’ve installed the reCAPTCHA plugin, which I believe should be a good mix of (1) anti-bot, (2) not too annoying or hard to read, and (3) provides something useful (book digitization). If anyone attempts to comment and runs into a problem, do let me know.

Really, this blog (hate the word) is mostly a set of personal notes for myself. If anyone else finds it interesting, great, but if not, at least I won’t forget something interesting :)


Mar 08 2007

“Slashup”

Tag: random,web | pmularien @ 10:22 am

This is a perfect name for some kind of mashup relating to Slashdot. The only problem is that I can’t think of any data that could be sensibly mashed with Slashdot – can you?


Feb 14 2007

Hi.

Tag: random | pmularien @ 12:30 pm

< insert random hello, world comment here >

< insert boilerplate about how everyone has a blog and now I do too >

Nice to meet you :)