The Great Controversy


DuoDex

If you can't be bothered to read what a file that you are about to download does, you have no business downloading that file, end of story.

Every mod that includes modstatistics clearly states that it includes it, and at the very least contains a link to the modstatistics thread which clearly explains what modstatistics does, and how to disable it. At that point, you have the choice to not use that mod, or to follow the simple instructions to disable it.

Anyone who neglects to perform this basic step of computer 'hygiene' has no business downloading files, much less installing mods.

Anyone calling modstatistics 'spyware' is indulging in pointless histrionics.

Do you read the HTML to every page before you activate it? No, the browser does that for you (yes, there are sites with small print, let alone tracking inside webpages).

Link to comment
Share on other sites

And I'd prefer the KSP community to be able to look at anonymous statistics about me than to have the government do that.

At this point I've poured nearly 2000 hours into KSP. This community is probably about as far as I want that information spread. :D

Link to comment
Share on other sites

Do you read the HTML to every page before you activate it? No, the browser does that for you (yes, there are sites with small print, let alone tracking inside webpages).

This is a pretty common argument (not you, the post you're replying to) from defenders of onerous opt-out practices (note: I am not taking a stance on whether or not ModStatistics is onerous). The AMD drivers with that useless Raptr thing are the best example I can think of. If you guys think ModStatistics is bad, then look at just how much worse it can be, and from a (formerly) trusted company.

Long story short, at some point in the past year or so AMD partnered with Raptr to bundle its software with its driver packages. Raptr is enabled by default, and not called out in the installation unless you choose a custom installation, which is pretty rare for most users. Raptr then proceeds to spy on the computer so it can phone home with game statistics, which Raptr certainly sells (why else does it collect them? The data is useless otherwise, it can't sell you games you already own and play). It falls very firmly into how I classify malware (unwanted software which performs an undesired function), but there are legions of people on the AMD forums defending AMD for intentionally hiding it in effectively mandatory driver updates. The argument seems to be that you deserve to be punished if you dare to use an express installation, because they're less intelligent for trusting AMD to not bundle malware with their drivers. Even if it's not malware, it's clearly not something the users wanted or expected.

Addon authors are not selling your data. They don't want to muscle in to your digital life and make you use their software when you never wanted to. All they want is usage statistics for their mods, information that's extremely helpful in maintenance. Cut them a little slack, they're not out to destroy your privacy. Disagree with how they did it all you want, but understand that they're not acting out of malice. Invoking the specter of EU laws, which are essentially unenforceable here (at best you could use them to annoy sites hosting the content in EU data centers), is just tacky.

That said, my personal view is that any data collection should be prominently displayed and opt-in only. It's a fact that opt-out causes additional installations because of user error, and it's unethical to take advantage of users in that way. Playing fast and loose with consent is not acceptable, even if you're asking for consent to do something you believe to be totally benign, or even helpful. Your users have a right to go to whatever extent they like to protect their privacy, even if you feel it's unnecessary and silly.

Full Disclosure: I am a professional software engineer working on financial software (among other things), and deal with stuff like this regularly.

Edited by LaytheAerospace
Clarification of who I was responding to
Link to comment
Share on other sites

The only flaw in that argument is that a lot of folks just download the new version of their favorite mods, and were a bit surprised when they came with extra stuff. Yes, in a perfect world, people would go to the forum post of each mod they grab every single time there is a new patch, and read all of the fine print. We do not live in that world. Even the opt-out bit, which seems obvious to those of us used to modding, is a challenge to some of our users.

That isn't a 'flaw', that is the whole point. If you can't be bothered to read the description for what you are downloading, you gave up your right to complain about it when what you downloaded does what it says on the tin.

This does not make them bad people (heck, I got surprised in my own save, and I daresay I have some business downloading a mod from what one would assume is a pretty safe place - the Kerbal forums - or Curse, the official mod repo). The reality is that dealing with mod users is an ugly, messy, less than perfect business.

Nobody said anything about 'bad people', just people who have abrogated their personal responsibility.

People constantly break our stuff. They break it, change it, and are surprised when we don't support it. Again, they are not bad people, but placing an assumption of a certain universal level of technical savvy and due diligence on those users - or trying to tell them they should not do things that may hurt them, break stuff, or cause unintended or unexpected (yet well documented) consequences - is a recipe for sadness. This is reality, and why opt-out was, and still remains, the best choice. Squad's decision on this should not be a surprise.

non sequitur

Do you read the HTML to every page before you activate it? No, the browser does that for you (yes, there are sites with small print, let alone tracking inside webpages).

Not relevant? I'm simply talking about people who fail to read the plain description of what the author claims the download does. You get into the realm of malware when you are dealing with software which does not actually do what it claims to do.

Link to comment
Share on other sites

Not relevant? I'm simply talking about people who fail to read the plain description of what the author claims the download does. You get into the realm of malware when you are dealing with software which does not actually do what it claims to do.

Or when it omits certain functionality from its description. Where in the original post does it tell its users it goes to a random web site and downloads executable code? It can be pointed at anything on any website and the DLL will download it and save it anywhere on the drive KSP was installed to (assuming the OS/permissions allow it). Hmm ... rides in on something that seems legitimate, then can be directed to install anything an outside, unauthorized third party wants on the host's computer ... I'm sure there was a word for this...

Link to comment
Share on other sites

Or when it omits certain functionality from its description. Where in the original post does it tell its users it goes to a random web site and downloads executable code? It can be pointed at anything on any website and the DLL will download it and save it anywhere on the drive KSP was installed to (assuming the OS/permissions allow it). Hmm ... rides in on something that seems legitimate, then can be directed to install anything an outside, unauthorized third party wants on the host's computer ... I'm sure there was a word for this...

That is the automatic update mechanism, which IS opt-in.

I'm not sure where you get this 'It can be pointed at anything on any website and the DLL will download and save it anywhere on the drive KSP was installed to' nonsense. It downloads the newer version of the DLL specified on the update server, and places it in a specific location.

Link to comment
Share on other sites

The biggest beef I had with the plug is the lack of info, besides if you want it to auto update.

Not who created and maintained it, link back to the forum post and a statement it's "Mod Statistic" and is bundled with another mod.

That is the issue that got me a bit fed up from the start.

Link to comment
Share on other sites

The biggest beef I had with the plug is the lack of info, besides if you want it to auto update.

Not who created and maintained it, link back to the forum post and a statement it's "Mod Statistic" and is bundled with another mod.

That is the issue that got me a bit fed up from the start.

You admit that you did not practice due diligence. Your complaints are invalid.

Link to comment
Share on other sites

That is the automatic update mechanism, which IS opt-in.

I'm not sure where you get this 'It can be pointed at anything on any website and the DLL will download and save it anywhere on the drive KSP was installed to' nonsense. It downloads the newer version of the DLL specified on the update server, and places it in a specific location.

The point wasn't that it was opt-in, it was that the mod forum post makes no mention of it whatsoever so no amount of careful reading will reveal exactly what the mod does.

As to the second part: I think it's safe to assume you either didn't look at the code or didn't understand it. The plugin sends a download request with its version info. If that version info doesn't match the server's, it sends a string that looks like this:

[
  {
    "url": "http://stats.majiir.net/downloads/ModStatistics-1.0.3.dll",
    "path": "Plugins/ModStatistics-1.0.3.dll"
  }
]

It's sent in plain text with no encryption. No sanity checks are done on the path or web site; ModStatistics will go directly to the url given and download *anything*, and then attempt to put it into the relative path--so ellipsis are legal. Think about the consequences for anyone with 1.0.3 (at this time of writing) or lower installed if Majiir's website security were ever broken.

Link to comment
Share on other sites
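
The missing sanity checks described in the post above, sketched as an added example (not ModStatistics code and not written by anyone in this thread): a validator that refuses an update manifest unless every URL is HTTPS on an expected host and every path stays directly inside Plugins/. The allow-list values, function names and the second manifest are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Policy values are assumptions made for this example, not ModStatistics settings.
ALLOWED_HOSTS = {"stats.majiir.net"}  # host taken from the manifest quoted in the post
ALLOWED_DIR = "Plugins"               # the only directory an update may write into
ALLOWED_SUFFIX = ".dll"


def check_url(url):
    """Return None if the download URL is acceptable, else a short reason."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "malformed URL"
    if parts.scheme != "https":
        return "not https"
    if parts.username is not None or parts.password is not None:
        return "userinfo in URL"  # e.g. trusted-name@other-host confusion
    if parts.hostname not in ALLOWED_HOSTS:
        return "host not allowed"
    if port not in (None, 443):
        return "unexpected port"
    return None


def check_path(path):
    """Return None if the target path stays directly inside ALLOWED_DIR."""
    if not path:
        return "empty path"
    if "\\" in path or "\x00" in path or ":" in path:
        return "backslash, NUL or colon in path"
    segments = path.split("/")
    # An empty first segment means an absolute path; '.' and '..' allow escapes.
    if any(seg in ("", ".", "..") for seg in segments):
        return "absolute path or dot segment"
    if len(segments) != 2 or segments[0] != ALLOWED_DIR:
        return "outside Plugins/"
    if not segments[1].lower().endswith(ALLOWED_SUFFIX):
        return "not a .dll"
    return None


def audit_manifest(text):
    """Return [(path, verdict)] per entry; verdict is 'ok' or the refusal reason."""
    entries = json.loads(text)
    if not isinstance(entries, list):
        raise ValueError("manifest must be a JSON array")
    results = []
    for entry in entries:
        url = entry.get("url") if isinstance(entry, dict) else None
        path = entry.get("path") if isinstance(entry, dict) else None
        if not isinstance(url, str) or not isinstance(path, str):
            results.append((None, "missing url or path"))
            continue
        results.append((path, check_url(url) or check_path(path) or "ok"))
    return results


def manifest_is_safe(text):
    """An updater should act only if the manifest is non-empty and fully clean."""
    results = audit_manifest(text)
    return bool(results) and all(verdict == "ok" for _, verdict in results)


# The manifest quoted in the post, unchanged.
PAGE_MANIFEST = """[{"url": "http://stats.majiir.net/downloads/ModStatistics-1.0.3.dll",
                     "path": "Plugins/ModStatistics-1.0.3.dll"}]"""

# Constructed sample entries (not observed traffic) exercising each check.
CONSTRUCTED_MANIFEST = """[
 {"url": "https://stats.majiir.net/downloads/ModStatistics-1.0.3.dll",
  "path": "Plugins/ModStatistics-1.0.3.dll"},
 {"url": "https://stats.majiir.net/downloads/x.dll", "path": "Plugins/../../x.dll"},
 {"url": "https://files.example.invalid/x.dll", "path": "Plugins/x.dll"},
 {"url": "https://stats.majiir.net@files.example.invalid/x.dll", "path": "Plugins/x.dll"}
]"""

if __name__ == "__main__":
    for name, text in (("page", PAGE_MANIFEST), ("constructed", CONSTRUCTED_MANIFEST)):
        print(name, "safe:", manifest_is_safe(text))
        for path, verdict in audit_manifest(text):
            print("   ", path, "->", verdict)
```

These checks only limit what a manifest can ask for. They do not help if the update server itself serves a tampered file, which needs a signature verified against a key shipped with the plugin.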

You admit that you did not practice due diligence. Your complaints are invalid.

No, his complaint is entirely valid. Or do you think that checking every KSP mod you download for unwanted spyware is a reasonable expectation? It isn't anywhere else in the software industry, except when it comes to potentially malicious software from dubious sources. I don't know about you but I'd prefer to have the assumption be that when I am downloading a mod, I will get exactly that mod and nothing else, without having to look through a long forum post, a readme or have to go digging through subfolders, or anything else. I should be able to press the big download button, put the mod folder in my GameData folder and not have to worry about potentially malicious software being downloaded to my computer without my consent or prior information.

Link to comment
Share on other sites

That isn't a 'flaw', that is the whole point. If you can't be bothered to read the description for what you are downloading, you gave up your right to complain about it when what you downloaded does what it says on the tin.

Nobody said anything about 'bad people', just people who have abrogated their personal responsibility.

non sequitur

Not relevant? I'm simply talking about people who fail to read the plain description of what the author claims the download does. You get into the realm of malware when you are dealing with software which does not actually do what it claims to do.

I think the point you are missing... and I daresay, the point that was missed when this whole thing first came up... is that you have to decide if you want to be right or be effective. Technically, everyone should read the fine print, be personally responsible, and understand how to modify config files. One can most certainly argue these points, as I see happening, till you are blue in the face. And when it comes down to the brass tacks, nobody can dispute that these are valid points.

But at the end of the day, was taking that stand and choosing to die on that hill effective? Let's do a recap. When given a choice of voluntarily pulling the questioned software and de-fusing all of this, the choice was made to be 'right'. The net effect is that Squad came down hard with new rules, the community is damaged, and a good deal of personal capital in the form of community goodwill and trust was burned through. For the sake of being 'right'. What, in this case, would have been the effective choice?

Me, I'd rather be effective any day of the week.

Link to comment
Share on other sites

The point wasn't that it was opt-in, it was that the mod forum post makes no mention of it whatsoever so no amount of careful reading will reveal exactly what the mod does.

Fair enough, though interpreting an automatic update mechanism as a sinister plot is... reaching, at best.

... insert condescending nonsense here...

It's sent in plain text with no encryption. No sanity checks are done on the path or web site; ModStatistics will go directly to the url given and download *anything*, and then attempt to put it into the relative path--so ellipsis are legal. Think about the consequences for anyone with 1.0.3 (at this time of writing) or lower installed if Majiir's website security were ever broken.

Again, this is pretty standard. Most commercial software's auto-update mechanism functions in a similar way. You should probably immediately remove any software which communicates with the internet, including KSP's Launcher and Steam.

No, his complaint is entirely valid. Or do you think that checking every KSP mod you download for unwanted spyware is a reasonable expectation? It isn't anywhere else in the software industry, except when it comes to potentially malicious software from dubious sources. I don't know about you but I'd prefer to have the assumption be that when I am downloading a mod, I will get exactly that mod and nothing else, without having to look through a long forum post, a readme or have to go digging through subfolders, or anything else. I should be able to press the big download button, put the mod folder in my GameData folder and not have to worry about potentially malicious software being downloaded to my computer without my consent or prior information.

Uhh, yea, I think reading a forum post before you download software is perfectly reasonable. If you download a mod which includes modstats, you are getting 'exactly that mod and nothing else' because modstats is *a part of that mod*. Just because you *WANT* to behave like an idiot does not mean that the world must bend to accommodate your whims.

I think the point you are missing... and I daresay, the point that was missed when this whole thing first came up... is that you have to decide if you want to be right or be effective. Technically, everyone should read the fine print, be personally responsible, and understand how to modify config files. One can most certainly argue these points, as I see happening, till you are blue in the face. And when it comes down to the brass tacks, nobody can dispute that these are valid points.

But at the end of the day, was taking that stand and choosing to die on that hill effective? Let's do a recap. When given a choice of voluntarily pulling the questioned software and de-fusing all of this, the choice was made to be 'right'. The net effect is that Squad came down hard with new rules, the community is damaged, and a good deal of personal capital in the form of community goodwill and trust was burned through. For the sake of being 'right'. What, in this case, would have been the effective choice?

Me, I'd rather be effective any day of the week.

No disagreement. I think ModStats was probably a bad call. I just think that the arguments against it are puerile, fallacious, and ridiculous.

Link to comment
Share on other sites

Uhh, yea, I think reading a forum post before you download software is perfectly reasonable. If you download a mod which includes modstats, you are getting 'exactly that mod and nothing else' because modstats is *a part of that mod*. Just because you *WANT* to behave like an idiot does not mean that the world must bend to accommodate your whims.

No disagreement. I think ModStats was probably a bad call. I just think that the arguments against it are puerile, fallacious, and ridiculous.

Were these really necessary? Is calling your potential mod users 'idiots' really productive? Are you being effective or just trying to be right?

Give it some thought.

Link to comment
Share on other sites

Were these really necessary? Is calling your potential mod users 'idiots' really productive? Are you being effective or just trying to be right?

Give it some thought.

Yes, absolutely necessary. Those statements are *true*.

What can be destroyed by the truth, should be.

Let's be clear here, though - I'm not calling *users* idiots, I'm saying that they seem to expect to be able to behave *like idiots*. There is a difference.

Edited by enneract
Link to comment
Share on other sites

-snip-

Fair enough, though interpreting an automatic update mechanism as a sinister plot is... reaching, at best.

Again, this is pretty standard. Most commercial software's auto-update mechanism functions in a similar way. You should probably immediately remove any software which communicates with the internet, including KSP's Launcher and Steam.

You have hit the proverbial nail. Most commercial software's auto-update mechanisms I can trust because Squad and Valve (to use your examples) are businesses. It is probably a safe bet that Steam, the world's single biggest online retailer and gaming platform, has a much more protected system compared to some random internet stranger's personal server. There doesn't have to be a sinister plot, there only has to be vulnerability.

Uhh, yea, I think reading a forum post before you download software is perfectly reasonable. If you download a mod which includes modstats, you are getting 'exactly that mod and nothing else' because modstats is *a part of that mod*. Just because you *WANT* to behave like an idiot does not mean that the world must bend to accommodate your whims.

No disagreement. I think ModStats was probably a bad call. I just think that the arguments against it are puerile, fallacious, and ridiculous.

I think that you should probably read through important contracts, like a bank loan or a job contract or a medical consent form. I don't believe that I should have to apply the same level of intense scrutiny when I want to add another virtual part to my rockets-as-LEGO video game. If I download ModStatistics, I know what I'm getting. If I go to Curse or KerbalStuff or the forum and I download a part mod and I find ModStatistics enabled when I go to play the game I might be a little concerned. Then I have to go through all of my mod folders to find the one(s) with ModStatistics, because I can't just delete the ModStatistics folder, it would just redownload itself if I did that.

To reiterate as clearly as I possibly can:

Why should the onus be on me, the person who just wants to get a mod for his video game, to trawl through thousands of words on a forum I might not even know about, or go looking through 10, 20 or 30 mod folders to see which one has cleverly embedded ModStatistics without my prior, informed consent, just so some stranger on the internet can get information about my playing habits and have the ability to download anything to my computer without me knowing about it? What is the utility? Why are you so adamantly defending what can best be described as malware? I think that's ridiculous, and you're the only one who could be described as puerile.

Edited by KasperVld
Link to comment
Share on other sites

-snip-

You have hit the proverbial nail. Most commercial software's auto-update mechanisms I can trust because Squad and Valve (to use your examples) are businesses. It is probably a safe bet that Steam, the world's single biggest online retailer and gaming platform, has a much more protected system compared to some random internet stranger's personal server. There doesn't have to be a sinister plot, there only has to be vulnerability.

Your point here is predicated on the (false) assumption that a commercial operation can do a better job of data security than an individual. The same tools that are used by Steam and Squad to secure their website are used by even rank amateurs. A zero-day for Apache is a zero-day for Apache, etc.

I think that you should probably read through important contracts, like a bank loan or a job contract or a medical consent form. I don't believe that I should have to apply the same level of intense scrutiny when I want to add another virtual part to my rockets-as-LEGO video game. If I download ModStatistics, I know what I'm getting. If I go to Curse or KerbalStuff or the forum and I download a part mod and I find ModStatistics enabled when I go to play the game I might be a little concerned. Then I have to go through all of my mod folders to find the one(s) with ModStatistics, because I can't just delete the ModStatistics folder, it would just redownload itself if I did that.

Again, you are complaining that you are suffering the consequences of abrogating your personal responsibility.

To reiterate as clearly as I possibly can:

Why should the onus be on me, the person who just wants to get a mod for his video game, to trawl through thousands of words on a forum I might not even know about, or go looking through 10, 20 or 30 mod folders to see which one has cleverly embedded ModStatistics without my prior, informed consent, just so some stranger on the internet can get information about my playing habits and have the ability to download anything to my computer without me knowing about it? What is the utility? Why are you so adamantly defending what can best be described as malware? I think that's ridiculous, and you're the only one who could be described as puerile.

Translation: I want someone else to choose for me what kind of content is allowed in mods, because I'm too lazy to practice basic, common-sense 'computer hygiene'.

Edited by KasperVld
Link to comment
Share on other sites

Fair enough, though interpreting an automatic update mechanism as a sinister plot is... reaching, at best.

I didn't say it was sinister or intended (by the author) for malicious use. I told you that the security in it is so poor (nonexistent) that anybody who could break a website's security could use it to distribute anything they wanted. You said this was 'nonsense' and so I briefly explained how it could be done, making it not "nonsense" at all.

I'm going to leave before this turns into another locked thread

Link to comment
Share on other sites

Translation: I want someone else to choose for me what kind of content is allowed in mods, because I'm too lazy to practice basic, common-sense 'computer hygiene'.

This is the KSP community; I considered this to be a reasonably trustworthy source and felt no need to be too diligent about downloading and running the software it provides.

I hadn't even heard about ModStatistics until I wanted to install Scansat two days ago and noticed that subfolder. Then I googled. Then I became quite angry.

This isn't so much about Modstatistics and what it does... I might actually have played along if one had asked me nicely. But the Scansat developer included it in the download in such a way that, on another day, he might have slipped it past me. I was quite pissed off. I still am. If it is so harmless, why does he try to sneak it past his users? And if it isn't harmless, then what is it? Coming to think of it, what else did I install together with the mods I already have running?

"Coming to think of it" is the key phrase here. I felt no need to think about it before, because: trust. Now that I do think about it, I find myself thinking up quite horrible scenarios. Thanks a bundle.

Link to comment
Share on other sites

He didn't try to slip it past you, he clearly wrote in the OP that it is included. You don't have to scan the folders manually, you just need to read ONE forum post (and you should in any case: what if the new update had some new, complicated install procedure?)

Link to comment
Share on other sites

But the Scansat developer included it in the download in such a way that, on another day, he might have slipped it past me.

It says right in the SCANsat OP:

NOTE: This mod includes ModStatistics, an anonymous mod usage statistics plugin. See the ModStatistics thread for more information and opt-out instructions.

If you can't be bothered to read that, it's your problem. Opt-in/out or not.

Link to comment
Share on other sites

Repeat because you keep missing the point:

Coming to think of it, what else did I install together with the mods I already have running? I felt no need to think about it before, because: trust. Now that I do think about it, I find myself thinking up quite horrible scenarios. Thanks a bundle.

Link to comment
Share on other sites

All of this for just (another) miscommunication (it's the season)! Unbelievable :).

@Ippo: relying on a forum thread is bad, because Curse mods are not tightly tied to the forum, and if I decide to browse Curse and download one mod, nothing, absolutely nothing, forces me to go to the related forum thread and read. If that is so, the mod is really badly packaged and could be considered 'crap'.

I think IMHO the least modders have to do is include a bare-minimum readme to make things work as expected, without being lazy and thinking "if people want to know what I didn't take time to add because I'm too busy being awesome (@Chuck Norris :P), too bad for them".

This should be added to the add-on posting rules: "add an instruction manual which should be good enough to use your content and make it work as designed."

Licenses on the other hand are useless to users but they got a higher priority, too bad :/.

Link to comment
Share on other sites

Your point here is predicated on the (false) assumption that a commercial operation can do a better job of data security than an individual. The same tools that are used by Steam and Squad to secure their website are used by even rank amateurs. A zero-day for Apache is a zero-day for Apache, etc.

Yeah no I'm going to stick my neck out there and suggest that Valve might have more adequate resources to deal with data security than some random internet stranger in his basement. Even if that were not the case, I know Valve's and Squad's motivations. They're businesses. They're not going to put malware on my computer because that would be extremely stupid. Some random person on the internet whose motivations I can never know on the other hand...

Again, you are complaining that you are suffering the consequences of abrogating your personal responsibility.

No, I am arguing that it shouldn't be my personal responsibility to go through each and every mod I download for unrelated malware. It's a video game, not a bank loan.

Translation: I want someone else to choose for me what kind of content is allowed in mods, because I'm too lazy to practice basic, common-sense 'computer hygiene'.

Calm down, and play the ball, not the man.

It says right in the SCANsat OP:

If you can't be bothered to read that, it's your problem. Opt-in/out or not.

He didn't try to slip it past you, he clearly wrote in the OP that it is included. You don't have to scan the folders manually, you just need to read ONE forum post (and you should in any case: what if the new update had some new, complicated install procedure?)

Same thing here. I shouldn't have to look through thousands of words or go through every downloaded mod folder to find out if there's any unrelated software that I never asked for included. Neither the SCANsat OP nor the ModStatistics OP makes any mention whatsoever that it will download the contents of some random person's server to my computer if I try to delete an instance of it.

Why does someone need to know mod usage statistics beyond that which is available in the form of download counts elsewhere? Someone who is not affiliated with Squad, someone who could download possibly malicious or illegal content to my computer without my knowledge or informed prior consent? It should not be allowed to exist, period.

Link to comment
Share on other sites

Why does someone need to know mod usage statistics beyond that which is available in the form of download counts elsewhere?

Statistics are not simple download counts. You want to see relations between mods, or even crashes. In any case, that should be discussed in the ModStatistics thread - if it weren't locked, obviously.

Link to comment
Share on other sites

Statistics are not simple download counts. You want to see relations between mods, or even crashes. In any case, that should be discussed in the ModStatistics thread - if it weren't locked, obviously.

Crashes can already be reported to mod makers on this very forum and you can post surveys or ask users what other mods they're using. Crash reporting and relationships between installed mods do not need to - and should not - come at the price of a piece of software which will download whatever is on some random person's private server at any given time without my prior informed consent.

Link to comment
Share on other sites
