Feeds

Not cool, Adobe: Give the Ninite guys a job, not the middle finger

Top toolmaker told to stop installing crapware-free Flash

Combat fraud and increase customer satisfaction

Sysadmin blog Adobe wants the ability to easily roll out Flash updates removed from Ninite, the sysadmin Swiss army knife. I'm going to explain why this is a terrible thing.

First, though, I would like to discuss the real-world practical uses of products such as Ninite. Ninite is used by systems administrators and ordinary folk alike to install common third-party software. Far more importantly, Ninite and its ilk are used to ensure that these applications are kept up-to-date.

Ninite – and other applications like it – are the good guys of the internet. Unlike modern smartphones, Windows PCs do not have a foolproof mechanism by which third-party applications can be kept up to date. (No, the abomination formerly known as Windows 8's Metro and its software store spawn do not count.) When a security flaw is discovered in an app a patch must be issued by the software's vendor to fix it. That patch must either be disseminated through the vendor's update application or manually downloaded by the user.

Adobe's products are a security nightmare. Reader, Flash and Air are - alongside Oracle's Java browser plugin - the screen door through which the raw unfiltered sewage of the internet oozes into the homes of netizens. These products are awful, the security is worse and the management of them over the years beggars belief.

Even trying to find a web page that discusses the problem in a condensed form to link to proves overwhelming. The sheer volume of posts when you search for any of those products and "security" or "vulnerability" stalls the mind.

Ninite offers an installer that downloads the latest version of Flash from Adobe's own website (which is entirely different from unlicensed redistribution) and performs a silent install free of the unwanted additional software that Adobe pushes onto its users in the Flash update - such as the Ask toolbar or a trial version of McAfee Antivirus.

Adobe's solution to the security problem is decidedly half-arsed: the software giant's updater, which kicks into life when it notices the installed version of Flash is out of date, is a bug-ridden example of the unfathomable number of methods by which an application can crash. It fails to apply the upgrades and security fixes required on far too many occasions. This is assuming the PC is running a version of Flash that can update itself.

The alternative – a manual download – is something most users don't even know how to do. Even if they did, the majority can't be bothered. For those who do know enough to download the updates for Flash manually, Adobe attempts to foist upon them a trial version of McAfee Antivirus! This merely makes the whole Ninite situation more galling.

It is demeaning that Adobe should resort to attempting to bamboozle users with trial installer nagware in the pursuit of a few more coppers. It is downright vindictive to demand that third parties cease providing unified tools that augment the security of the internet by cleaning up the mess they made in the first place by shipping software as insecure as Flash.

Let me preempt the argument that Ninite is somehow "insecure because it's not directly from Adobe". First off, as I stressed above, Ninite's installer downloads the files directly from Adobe. Secondly, the man behind Ninite – Sascha Kuzins – is a good guy. At this point, given that the net result of Adobe's actions regarding Ninite is a less secure internet, I find Kuzins far more trustworthy than Adobe.

I've met the man; Kuzins is someone Adobe should be hiring for a bag of cash the size of a car and putting in charge of making its product delivery and maintenance mechanisms not suck.

What Adobe should explicitly not be doing is preventing Kuzins – and others like him – from making the internet we all share more secure. I can't find a way to justify this. Whatever the rationalization used by the Adobe department of idiocy enforcement, they should have checked with PR first.

It certainly is possible Adobe had a solid, logical reason for its request. From the view of a coalface admin just trying to keep things up to date this reeks of the exact same sort of hubris Sony displayed during the rootkit fiasco; an unrepentant willingness to make the internet less secure in order to pursue ultimately meaningless internal goals. So shame on you, Adobe; we all deserve better than this. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Microsoft lobs pre-release Windows Phone 8.1 at devs who dare
App makers can load it before anyone else, but if they do they're stuck with it
Half of Twitter's 'active users' are SILENT STALKERS
Nearly 50% have NEVER tweeted a word
Oh no, Joe: WinPhone users already griping over 8.1 mega-update
Hang on. Which bit of Developer Preview don't you understand?
Internet-of-stuff startup dumps NoSQL for ... SQL?
NoSQL taste great at first but lacks proper nutrients, says startup cloud whiz
Windows 8.1, which you probably haven't upgraded to yet, ALREADY OBSOLETE
Pre-Update versions of new Windows version will no longer support patches
Microsoft TIER SMEAR changes app prices whether devs ask or not
Some go up, some go down, Redmond goes silent
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.