Original URL: https://www.theregister.co.uk/2013/05/01/adobe_says_no/
Not cool, Adobe: Give the Ninite guys a job, not the middle finger
Top toolmaker told to stop installing crapware-free Flash
Sysadmin blog Adobe wants the ability to easily roll out Flash updates removed from Ninite, the sysadmin Swiss army knife. I'm going to explain why this is a terrible thing.
First, though, I would like to discuss the real-world practical uses of products such as Ninite. Ninite is used by systems administrators and ordinary folk alike to install common third-party software. Far more importantly, Ninite and its ilk are used to ensure that these applications are kept up-to-date.
Ninite – and other applications like it – are the good guys of the internet. Unlike modern smartphones, Windows PCs do not have a foolproof mechanism by which third-party applications can be kept up to date. (No, the abomination formerly known as Windows 8's Metro and its software store spawn do not count.) When a security flaw is discovered in an app a patch must be issued by the software's vendor to fix it. That patch must either be disseminated through the vendor's update application or manually downloaded by the user.
Adobe's products are a security nightmare. Reader, Flash and Air are - alongside Oracle's Java browser plugin - the screen door through which the raw unfiltered sewage of the internet oozes into the homes of netizens. These products are awful, the security is worse and the management of them over the years beggars belief.
Even trying to find a web page that discusses the problem in a condensed form to link to proves overwhelming. The sheer volume of posts when you search for any of those products and "security" or "vulnerability" stalls the mind.
Ninite offers an installer that downloads the latest version of Flash from Adobe's own website (which is entirely different from unlicensed redistribution) and performs a silent install free of the unwanted additional software that Adobe pushes onto its users in the Flash update - such as the Ask toolbar or a trial version of McAfee Antivirus.
Adobe's solution to the security problem is decidedly half-arsed: the software giant's updater, which kicks into life when it notices the installed version of Flash is out of date, is a bug-ridden example of the unfathomable number of methods by which an application can crash. It fails to apply the upgrades and security fixes required on far too many occasions. This is assuming the PC is running a version of Flash that can update itself.
The alternative – a manual download – is something most users don't even know how to do. Even if they did, the majority can't be bothered. For those who do know enough to download the updates for Flash manually, Adobe attempts to foist upon them a trial version of McAfee Antivirus! This merely makes the whole Ninite situation more galling.
It is demeaning that Adobe should resort to attempting to bamboozle users with trial installer nagware in the pursuit of a few more coppers. It is downright vindictive to demand that third parties cease providing unified tools that augment the security of the internet by cleaning up the mess they made in the first place by shipping software as insecure as Flash.
Let me preempt the argument that Ninite is somehow "insecure because it's not directly from Adobe". First off, as I stressed above, Ninite's installer downloads the files directly from Adobe. Secondly, the man behind Ninite – Sascha Kuzins – is a good guy. At this point, given that the net result of Adobe's actions regarding Ninite is a less secure internet, I find Kuzins far more trustworthy than Adobe.
I've met the man; Kuzins is someone Adobe should be hiring for a bag of cash the size of a car and putting in charge of making its product delivery and maintenance mechanisms not suck.
What Adobe should explicitly not be doing is preventing Kuzins – and others like him – from making the internet we all share more secure. I can't find a way to justify this. Whatever the rationalization used by the Adobe department of idiocy enforcement, they should have checked with PR first.
It certainly is possible Adobe had a solid, logical reason for its request. From the view of a coalface admin just trying to keep things up to date this reeks of the exact same sort of hubris Sony displayed during the rootkit fiasco; an unrepentant willingness to make the internet less secure in order to pursue ultimately meaningless internal goals. So shame on you, Adobe; we all deserve better than this. ®