Forums Lobby MASTER YOUR TOOLS - Hardware & Software Digital postprocessing & workflow (Public) Nikon & Nikonians Imaging Software (Public) topic #1959

Subject: "Annotate Expert - Potential for Harm"
sfbillm Silver Member Nikonian since 15th Jun 2004, Mon 05-Apr-10 07:28 PM
864 posts


Santa Fe, US
          

As someone famously said, "I have a bad feeling about this."

(Please note: My comments are based on the information available here about AE, not from experience on my system. I have not and will not allow this program to dl and install itself on my computer.)

I feel very strongly that this software has been written using some very bad practices, ones which will cause users serious problems and compromise their systems' security.

1. The install procedure compromises security. AE does not allow the almost universal method of dl and install: Dl a file to a location of your choice on your computer, and then run it to install. This is done w/o having to change the security settings on your computer, with the possible exception of disabling automatic virus checking during the install itself. No changes in IE security settings are required.
AE, OTOH, requires permanent changes to IE security that seriously degrade a system's security when it is connected to the Internet.
a. Install method one requires that Nikonians be added to one's trusted sites list. While I don't question that Nikonians can be trusted, that setting should be reserved for sites that are verified secure (https). Nikonians is an http site, not https. By adding an http site to the trusted sites zone, you increase the chance that a spoof (making a malicious site look like a trusted one) could put malware on your system.
I realize that the instruction says to do this only temporarily, during the install. But, if Nikonians has to be in trusted sites for the dl to work, how can the automatic update function if Nikonians is removed?
b. Install method two is even more problematic, as it depends on disabling Authenticode verification.
Here's what Microsoft says about this:
From IE help:
"Authenticode technology checks to see if the program has a valid certificate, that the identity of the software publisher matches the certificate, and that the certificate is still valid. Note that this does not prevent a poorly written program from being downloaded or run on your computer, but it helps reduce the chance of someone misrepresenting a program that is intended to be malicious or intentionally harmful."
From MS Support:
"Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process."
Again, the implication is that this change must be permanent if automatic updates to AE are to work. I believe this to be quite simply an unacceptable risk.

2. The idea of automatic updates over which the user has no control or choice in their install is unacceptable.
Sooner or later, there will be an update that causes problems. Almost every sw vendor that I've had experience with, large and small, has at some time issued an update they shouldn't have.
If the user has the options of when and whether an update is installed, then (as some of us do), we can wait a few days after an update is available to see if it works. Not to allow this runs a great risk that at some point some serious damage will be done to users' systems by a flawed update.

3. AE is installed in a folder that users normally don't have access to.
I believe this is bad practice also. This would seem to indicate that the folder is in some basic way different from a normal Windows folder. (Else why couldn't a reasonably savvy Windows user get access to it?)
If so, this raises questions about whether other Windows operations would have difficulties when they try to access the folder. What of disk defragmentation programs that try to move files? What about backup programs - will they have access? Will such a folder impact the integrity of the Windows file system? What will happen with various disk checking/repair programs?
Finally, there's a philosophical issue for me: If it's on my disk, I want to be able to get to it if for some reason I believe I need to. I'm more than irritated by programmers that think I'm too inexperienced (dumb?) to know what to change and what to leave alone.


SantaFeBill

  

bgs Administrator Charter Member, Tue 06-Apr-10 10:17 AM
5600 posts
#1. "No risk for harm using Annotate"
In response to Reply # 0


DE
          

Bill,

Thanks for your note. First off, the application is not harmful and I am truly sorry to hear that you feel fear.

I can guarantee that Annotate was NOT developed using bad engineering practices. While we honor your feelings, we should make certain here and now that your statements are your very personal ones and are not necessarily reflecting any facts.

Let me now come to the facts:


Regarding your fears with installation:
The install procedure does NOT require you to execute the steps that you described. Few users have their browsers configured at such a high security level that the level needs to be adjusted.

This is absolutely the same problem as that we are using cookies for authentication here at Nikonians and if you turn cookies off due to whatever security scare issue, you will not be able to login to Nikonians. So, it is possible to disable most internet sites and most software by setting your security settings to paranoid high.

A vast majority of users who install Annotate do not have to alter their IE settings at all, because they have these settings already set at a reasonable security level. Several thousand users have installed the application without any security level changes reported.

Even those users who have to adjust their security settings in order to install Annotate have to do so only temporarily.

Regarding installing the application from the Internet:
You will download the setup.exe (or annotate.application) file that is then performing the installation from our server to your application cache (see below for exact location).

>> How can the automatic update function if Nikonians is removed?
Updates can work even after IE security settings are set back to their previous values, because updates use a different principle. While during installation the user interacts with his web browser, during updates the user interacts only with the application.

During installation, the browser tries to protect the user from performing an action that it was configured to deny. No ClickOnce (the technology we use)-deployed application would work on a system with security settings set too high. This is the same situation as with “No java/javascript/ActiveX applications would run in a browser that is configured to deny these”.

Annotate is signed by the publisher (enprovia software engineering) with an Authenticode signature. This protects you, the end user, since Annotate refuses to run if it is infected by a third-party application, malware or similar! Many applications on the net are not signed and do not have this additional security.

Annotate uses ClickOnce technology (http://en.wikipedia.org/wiki/ClickOnce) to install itself and maintain updates.
ClickOnce is widely used by .NET application vendors, because it is safer and simpler to the end user than any other installer technology. It also uses very well tested components developed by Microsoft that ensure its reliability and security.
ClickOnce applications are fully isolated on the target system and do NOT in any way influence any other program installed on the system, or the system itself.

Regarding your fears with updates:
If an update is available, the user is notified and can choose whether he wants to install the update. The application only provides a notification that the update is available. It will NEVER install any update by itself. You can wait as long as you wish before you accept the issued update.

ANY update of Annotate can be rolled back to previous version from the Control Panel.

Regarding your fear with install location:
“AE is installed in a folder that users normally don't have access to.”
This statement is for the normal (beginner) computer users without any knowledge about computers.

In terms of accessibility, the folder is as normal as any other folder. It is only special in its location. There is no reason for any user (even any experienced user) to need to access files located in this folder.

The exact folder location for a specific application is managed by ClickOnce technology. Not even the vendor of the application can determine the exact location where his application is installed. This is a security feature to protect end users.

The folder is called Application Cache and is located at “C:\Users\<your profile name>\AppData\Local\Apps\2.0” (on Windows 7/Vista) or at “C:\Documents and Settings\<your profile name>\Local Settings\Apps\2.0”

All defragmentation, backup, disk checking and repair programs have normal access to the folder.

So, no risk and have fun!

Bo Stahlbrandt. Founder and Administrator located in Bratislava/Slovakia and in the Black Forest/Germany.
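
Added example, not part of the thread and not Nikonians' or enprovia's code: the questions raised in the two posts above (where updates are fetched from, whether an update can be declined, whether the deployment is signed) can be read from a ClickOnce deployment manifest (`.application` file). The manifest, host name and version below are constructed for illustration, and the signature check only tests that the element is present.

```python
# Added example: audit a ClickOnce deployment manifest (.application file).
# SAMPLE_MANIFEST is constructed for illustration; it is not Annotate's manifest.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ASM2 = "{urn:schemas-microsoft-com:asm.v2}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"

SAMPLE_MANIFEST = """\
<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
                xmlns="urn:schemas-microsoft-com:asm.v2" manifestVersion="1.0">
  <assemblyIdentity name="Example.application" version="1.2.0.0"
                    publicKeyToken="0000000000000000" language="neutral"
                    processorArchitecture="msil" />
  <deployment install="true" minimumRequiredVersion="1.2.0.0">
    <subscription><update><beforeApplicationStartup /></update></subscription>
    <deploymentProvider codebase="http://downloads.example.test/Example.application" />
  </deployment>
</asmv1:assembly>"""


def audit_manifest(xml_text):
    """Return (facts, findings) for one ClickOnce deployment manifest."""
    root = ET.fromstring(xml_text)
    deployment = root.find(ASM2 + "deployment")
    if deployment is None:
        raise ValueError("no <deployment> element: not a deployment manifest")
    facts, findings = {}, []

    # Where the installed application looks for updates.
    provider = deployment.find(ASM2 + "deploymentProvider")
    facts["update_url"] = provider.get("codebase") if provider is not None else None
    if facts["update_url"] and urlparse(facts["update_url"]).scheme.lower() != "https":
        findings.append("update location is not served over https")

    # <beforeApplicationStartup/> checks at launch; <expiration/> checks on a timer.
    update = deployment.find(ASM2 + "subscription/" + ASM2 + "update")
    if update is None:
        facts["update_check"] = "none"
    elif update.find(ASM2 + "beforeApplicationStartup") is not None:
        facts["update_check"] = "before startup"
    else:
        facts["update_check"] = "after startup"

    # minimumRequiredVersion makes an update mandatory: no option to skip it.
    facts["mandatory_version"] = deployment.get("minimumRequiredVersion")
    if facts["mandatory_version"]:
        findings.append("versions below %s must update" % facts["mandatory_version"])

    # Presence check only; the ClickOnce runtime does the actual verification.
    facts["signed"] = root.find(DSIG + "Signature") is not None
    if not facts["signed"]:
        findings.append("manifest carries no XML signature")
    return facts, findings


if __name__ == "__main__":
    facts, findings = audit_manifest(SAMPLE_MANIFEST)
    print(facts)
    for finding in findings:
        print("FINDING:", finding)
```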

ericbowles Moderator Nikonian since 25th Nov 2005, Tue 06-Apr-10 11:11 AM
8876 posts
#2. "RE: No risk for harm using Annotate"
In response to Reply # 1


Atlanta, US
          

Bo

Thanks for the clarification. This is a new application for all of us so understanding your approach in development and addressing security was helpful.

Eric Bowles
Nikonians Team
My Gallery
Workshops

Nikonians membership — my most important photographic investment, after the camera

  

p0cketpicker Registered since 24th Feb 2010, Wed 05-May-10 04:39 AM
8 posts
#3. "RE: No risk for harm using Annotate"
In response to Reply # 1


US
          

Bo,

While I do not share Bill's concerns with security of the program, the install, folder setting or location, I do have to express my PERSONAL OPINION regarding the AE program. I am an avid photog for well over 40 years and a very long-time computer user with some coding experience. I have used a wide variety of software starting back in the DOS days and extending through accounting systems, vector drawing, photo rework, spreadsheets, and of course word processing. Currently, in retirement, I do research and writing all day most days on computer. This said only to qualify my point ...

I love the resource this Nikonians site affords in shared experiences, but if it were possible, I would seek a refund of my $49 for Annotate Expert. Only FaceBook manages to exceed the confusing, non-intuitive, seemingly non-functional level of this program. I have used no fewer than 3 net-based free programs that work far better, and have since purchased a full-featured annotation program that provides considerably more for $20 less. I hate it, but the AE program falls far short of many programs available today for less or no money.

Thanks,
Randy

  

sevtcard Silver Member Nikonian since 05th Mar 2009, Wed 05-May-10 04:57 AM
330 posts
#4. "RE: No risk for harm using Annotate"
In response to Reply # 3
Wed 05-May-10 04:59 AM by sevtcard

US
          

>I have used no fewer than 3 net-based free
>programs that work far better, and have since purchased a
>full-featured annotation program that provides considerably
>more for $20 less.

and what might those programs be??


www.broadwallphotography.com

  

p0cketpicker Registered since 24th Feb 2010, Wed 05-May-10 05:30 AM
8 posts
#5. "RE: No risk for harm using Annotate"
In response to Reply # 4


US
          

>>I have used no fewer than 3 net-based free
>>programs that work far better, and have since purchased a
>>full-featured annotation program that provides considerably
>>more for $20 less.
>
>and what might those programs be??
>
>
>www.broadwallphotography.com


I have provided several URLs you may explore. They include a number of free and/or moderately priced programs. Of the free ones I have tried in the past, all worked quite well.

Please let me know if there is any other part of my post I need to validate.

http://www.easysector.com/

http://www.freedownloadscenter.com/Multimedia_and_Graphics/Graphics_Editors/Alamoon_Watermark.html

http://www.sharewareconnection.com/fototagger.htm

http://www.visualwatermark.com/

http://www.aoaophoto.com/

http://www.freewarefiles.com/Photo-Watermark_program_24416.html

http://photo-watermark-software.smartcode.com/

  

bgs Administrator Charter Member, Tue 08-Jun-10 05:35 PM
5600 posts
#6. "Admin note: Do not use the links mentioned"
In response to Reply # 5


DE
          

At least one of the links mentioned in the post above from user p0cketpicker links to a site which only collects addresses for spamming purposes. These should not be accessed - seriously.

Bo Stahlbrandt. Founder and Administrator located in Bratislava/Slovakia and in the Black Forest/Germany.

bgs Administrator Charter Member, Tue 08-Jun-10 05:40 PM
5600 posts
#7. "RE: No risk for harm using Annotate"
In response to Reply # 3


DE
          

Randy,

I hope you have received your refund and that that has been settled by now.

In general: The new release of Annotate Expert allows the user to select the location where to install the program. It further supports tethered shooting and annotations on TIFF and PDF in addition to the previous support of RAW and JPG.

Most annotation programs on the market are nothing but drawing programs, making it possible for you to draw text and symbols on the image (and thus destroying it). Annotate Expert does not destroy the original, but rather writes on top of a layer, like a glass sheet, without affecting the original. Furthermore, the annotations are made into IPTC keywords and are all searchable.

We understand if the concept of annotating images this way may seem new to some, but we truly believe it has some direct advantages.

Thanks to all of you who are supporting the community by using and buying the software and giving us feedback on it - that way we are able to make the software even better!

Bo Stahlbrandt. Founder and Administrator located in Bratislava/Slovakia and in the Black Forest/Germany.

Copyright © Nikonians 2000, 2014
All Rights Reserved
