eburger68
Premium,MVM
join:2001-04-28


Re: FTC Spyware Workshop: 1st Impressions

Hi All:

Before I review the discussion on Panel 5 of the FTC's Spyware Workshop, I want to return briefly to a point that I made in my review of Panel 4 ( »FTC Spyware Workshop: 1st Impressions ), where I remarked that large online corporations like AOL and Microsoft could not be completely trusted to protect the interests of consumers because of their own continuing interest in putting advertising before their customers. These kinds of large online entities often see themselves as gateways between advertisers and the millions of customers who populate their networks and services. When such companies stand to benefit from putting advertising in front of their customers, then there are good reasons to be skeptical of their commitment to protecting consumers from unwanted commercial messages, esp. as the free, open internet becomes an increasingly privatized oligopoly of large proprietary networks owned by a few media firms.

If you doubt the potential dangers of this scenario or arrangement, then you ought to read the following report from Reuters about Microsoft's plans to sell space on a "whitelist" of "legitimate marketers" whose unsolicited commercial messages will be allowed past Microsoft's spam filters on Hotmail and MSN:

»money.excite.com/jsp/nw/nwdt_rt.···20040505

Replace "spam" with "spyware" or even "advertising software" and convert the "spam"/"legitimate marketing" dichotomy into "spyware"/"adware" and you'll begin to get a sense for why I am wary of the efforts of large ISPs to assume the role of protecting their customers from "spyware."

Panel Five: Technological Responses to Spyware

Panelists:

U - Steven Bellovin, AT&T Fellow with AT&T Labs-Research
U - Jeffrey Friedberg, Director of Windows Privacy, Microsoft
P - David Moll, President, WebRoot (maker of SpySweeper)
P - Wayne Porter, Co-Founder and Primary Editor, SpywareGuide.com (distributor of X-Cleaner)
U - Daniel Weitzner, Technology & Society Domain Leader, World Wide Web Consortium; Researcher at MIT

Key:

X - industry/corporate friendly
U - unknown/undetermined
P - privacy friendly

Note: be sure to take a look at the photos of Panel 5 as well as the other panels at Bill Pytlovany's blog page and Declan McCullagh's site:

Declan McCullagh - FTC Spyware Workshop Photos
»www.mccullagh.org/theme/ftc-spyw···r04.html

Bill Pytlovany's Blog from the Workshop
»www.mysteryware.com/blog.html

A Familiar Discussion

Of all the panels at the FTC's Spyware Workshop of April 19, this is the panel that covered topics that would be most familiar to the readers of DSLR/BBR and other online security forums. The discussion of this panel was dominated by the topic of ActiveX controls -- a special class of browser plug-ins that are the primary components in the automated online installations of "spyware" by unscrupulous web sites and services, installations often dubbed "drive-by-downloads." The panelists discussed the problems with "drive-by-downloads" of ActiveX controls as well as a few potential solutions. While there was nothing overtly problematic or objectionable about the points made by the panelists (unlike Panels 1 and 4), Panel 5's discussion of technological solutions was lacking in some regard.

Microsoft & ActiveX Controls

The most important component of Panel 5 was the presentation by Jeffrey Friedberg of Microsoft, who offered a useful overview of the problems with automated installations of ActiveX controls as well as the changes that Microsoft is making to that download and installation process in Service Pack 2 for Windows XP, due to be released in the very near future. (See »www.ftc.gov/bcp/workshops/spywar···berg.pdf for a PDF version of Friedberg's PowerPoint presentation.)

Friedberg first demonstrated what he called the "normal download experience," which is user-initiated. Those familiar with "drive-by-downloads" of "spyware" will know that so many of the unscrupulous web sites that foist unwanted advertising software on users employ web pages that themselves initiate the download and installation of software, instead of users -- a large part of the reason that users find this software so disorienting and confusing.

Even with this user-initiated "normal download experience," however, there are still significant problems, because the ActiveX Security Warning box provides almost no useful information about the software to be installed or the potential security problems -- a point that I made in my "Anatomy of a Drive-by-Download" ( »www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm ), which was one of the documents that I submitted to the FTC. Friedberg said almost nothing about this lack of useful information, though the gentleman sitting next to me at the workshop (identity unknown) provided a running commentary on Friedberg's presentation, muttering under his breath at such omissions.

Friedberg next presented what he dubbed "some common tricks" that software vendors use when foisting unwanted advertising software on unwitting users of Microsoft's Internet Explorer web browser (Microsoft's browser is currently one of the primary vehicles through which unwanted software is delivered to consumers' desktops).

Trick # 1 was "Program Name More Than Just a Name." MS designed the ActiveX Security Warning box to allow software vendors to insert the names for their programs into the box and provide a link which users can click on to get more information about the program, perhaps even the End User License Agreement. Some vendors, however, have gone well beyond supplying just a name for their software, inserting entire sentences of descriptions and information about their software, which I noted myself in my "Anatomy of a Drive-by-Download" ( »www.staff.uiuc.edu/~ehowes/dbd-anatomy.htm ). I understand why some vendors are doing this -- to supply consumers with more information about their programs right up front, though Friedberg is surely right to note that the ActiveX Security Warning box was simply not designed for this purpose, nor is it the ideal means or method for vendors to supply notice and disclosure about the functionality of their software. Still further, the practice of linking to the EULA through the Security Warning box is problematic because users might not know to click the link and thus may not ever see a license agreement, even though they effectively agree to its terms by clicking through the Security Warning box to consent to the software installation.

Trick # 2 was a "Pop-Under Exploit" in which web pages use a pop-under window (which appears behind the current browser window) that contains Object tags to initiate a "drive-by-download." What is so confusing about this "exploit" for consumers is that the software installation appears as if out of nowhere, with no warning whatsoever. Many consumers mistakenly assume that the software mentioned in the Security Warning box originates from the site they are visiting and mistake it for a plug-in of some sort necessary to view the content of the site. Indeed, so common is it for web sites to require the installation of special programs -- often in the form of ActiveX controls -- that it is completely understandable that many consumers would have gotten into the habit of simply clicking "Yes" whenever such a box appears. Nonetheless, this kind of installation arrangement is a dubious, even deceptive way for vendors to push their software on internet users.

Tricks # 3 and # 4 ("Cancel Means Yes" and "Faux Security Alert") were but two examples of the myriad ways that unscrupulous software vendors and web sites use deceptive GUI elements to trick users into "consenting" to the installation of otherwise unwanted advertising software. These kinds of abusive installation practices are really bottom of the barrel, but they are quite common among the advertising software industry, unfortunately.

Before turning to the changes made in Windows XP Service Pack 2 (SP2), Friedberg noted that IE users can unwittingly roll out the welcome mat for unwanted software by lowering the Security settings for the Internet zone from the default "Medium" setting, which at least ensures that users see the ActiveX Security Warning box. When users lower the Security settings for the Internet zone, they won't even see the Security Warning box -- unwanted software will simply install on their systems whenever they land on web pages that initiate the download and installation of ActiveX controls.

Friedberg's point was a good one; however, Friedberg didn't fully address the full range of problems with automated installations of ActiveX controls. Even at the Medium setting, users are being tricked into consenting to the installation of software they don't want or need. Still further, there is plenty of software that exploits security holes in Microsoft's software to bypass the Security Warning box altogether.

A better approach to Internet Explorer security is to lock down the Internet zone altogether -- making it at least as secure as the Restricted sites zone -- and add trustworthy sites that require the use of active content (ActiveX controls, Java applets, scripting) to the Trusted sites zone (see »www.staff.uiuc.edu/~ehowes/btw/i···opts.htm for instructions and »www.staff.uiuc.edu/~ehowes/resource6.htm for a small program to automate the configuration process). If users are loath to tighten the Security settings for the Internet zone (which can lead to a raft of burdensome, inconvenient warnings and notices), then they should look into a Restricted sites "blacklist," which adds web sites and domains associated with advertisers and advertising software vendors to the Restricted sites zone (see »www.staff.uiuc.edu/~ehowes/resource.htm for one such list). Once added to the Restricted sites zone, these sites and domains will be unable to perform automated installations of ActiveX controls (among other things).

And, of course, users of alternative browsers such as Mozilla ( »www.mozilla.org/releases/ ), Firefox ( »www.mozilla.org/products/firefox/ ), and Opera ( »www.opera.com/ ) will not hesitate to point out that not only have all of these non-MS browsers offered pop-up blocking for several years now, but they are simply not vulnerable to the ActiveX exploits used by advertising software vendors to foist their software on Internet Explorer users.

Friedberg next turned to the "enhancements" Microsoft has made to Windows XP SP2. First, Microsoft has added a pop-up blocker to Internet Explorer, though it is turned off by default. When turned on, most pop-ups are suppressed and a discrete notice about the blocked pop-up is provided in an information bar just under the URL Address bar. As with Mozilla's built-in pop-up blocker, users have the ability to configure pop-up blocking site-by-site. Given that so many "drive-by-downloads" are initiated by pop-ups, this feature alone will improve the security of Internet Explorer users.

Second, SP2's Internet Explorer will suppress all automated installations of software not initiated by the user. Instead of popping up the well-known Security Warning box, SP2's Internet Explorer will display yet another discrete notice in the information bar near the top of the main browser window, which users can click on for more information and options.

Even when users do decide to initiate the download of ActiveX controls themselves, they will see a new and improved Security Warning box. Of interest is the ability for users to specify that software from certain vendors (identified by the digital certificates used to sign ActiveX controls) always be installed or never be installed. (Internet Explorer currently does provide something resembling this feature through the "Publishers" box on the Internet Options "Content" tab; however, users only have the option to trust software vendors/publishers, not distrust them.)

This feature has enormous potential for anti-spyware activists and vendors, who could build lists of digital certificates from known spyware vendors and add them to the Registry to automatically block the installation of unwanted software, much as the SpywareGuide block list ( »www.spywareguide.com/blockfile.php ) and JavaCool's SpywareBlaster ( »www.wilderssecurity.net/spywareblaster.html ) do already by setting the "kill-bit" for the CLSIDs of known spyware.

SP2's Internet Explorer also comes with a new "Add-on Manager," which gives users a convenient and powerful way to view and control the ActiveX controls that are installed on their systems. (Although current versions of Internet Explorer do provide something like this already through the Downloaded Program Files folder, that functionality is difficult to find for most users and occasionally unreliable.)

All in all, these new enhancements should significantly improve the security of Internet Explorer users who download and install SP2. There are, of course, several important caveats to this picture, which I will return to shortly. Those interested in getting more information about SP2 for Windows XP should consult the following documents and web pages at Microsoft's web site:

Windows XP Service Pack 2 - Security Information for Developers
»msdn.microsoft.com/security/prod···ult.aspx

Windows XP Service Pack 2 - Technical Preview Program
»www.microsoft.com/technet/prodte···iew.mspx

Changes to Functionality in Microsoft Windows XP Service Pack 2
»www.microsoft.com/downloads/deta···yLang=en
or »www.microsoft.com/technet/prodte···sp2.mspx

Windows XP Service Pack 2: A Developer's View
»msdn.microsoft.com/security/prod···psp2.asp

Other Notes About ActiveX Controls

Although Friedberg's presentation was the highlight of Panel 5 and overshadowed almost everything else that was discussed, several of the other panelists did address ActiveX controls.

First, Wayne Porter of SpywareGuide ( »www.spywareguide.com/ ) explained the purpose and functionality of the ActiveX block list distributed by SpywareGuide. JavaCool, it should be noted, makes a similar block list available through his excellent SpywareBlaster program ( »www.wilderssecurity.net/spywareblaster.html ). Both of these block lists "inoculate" Internet Explorer against the installation of unwanted spyware by setting the "kill-bit" on the CLSIDs of known spyware programs distributed as ActiveX controls. Combined with strengthened Security settings in Internet Explorer (see »www.staff.uiuc.edu/~ehowes/btw/i···opts.htm ) or a Restricted sites block list (see »www.staff.uiuc.edu/~ehowes/resource.htm ), such a block list can provide strong protection against the automated installation of unwanted software on the internet, though these block lists must be updated regularly to keep pace with the new varieties of spyware that appear on the Net almost daily.

Second, David Moll of Webroot, maker of the anti-spyware program Spy Sweeper ( »www.webroot.com/wb/products/spys···ndex.php ) as well as the Spy Audit program used by Earthlink ( »www.earthlink.net/spyaudit/ ), discussed one of Webroot's new products. After dissing the "hobbyists" who had dominated the anti-spyware scene/market before the entry of Webroot with its Spy Sweeper product, Moll went on to describe a portable security scanner that Webroot has developed. It's an ActiveX control that users can download and run while on potentially insecure machines (a PC in an Internet cafe, for example). This portable security application scans the entire box for malicious code (keyloggers, system monitors, trojans, etc). Moll billed it as a way for users to ensure that boxes they don't control are secure.

The irony of this "security application" was not lost on Steven Bellovin, Fellow with AT&T Labs-Research, also on the panel. Noting that mobile code is one of the biggest security problems in Windows, he quipped that Webroot's portable security scanner was one of the "scariest things" he had yet heard about at the workshop.

And Bellovin was right, of course, because what Moll had unwittingly pointed out is that ActiveX controls can be used to import and run completely foreign code of unknown provenance at the user's discretion on boxes that the user ostensibly shouldn't control.

Indeed, Moll was too focused on promoting his own products, unfortunately. Another of his gaffes was his off-hand remark to the audience that the topic of spyware was one that "none of us here had even heard about two years ago" (or something very close to that effect). DSLR/BBR regulars will know that "spyware" was a topic of discussion here almost four years ago. Where was Moll?

Wayne Porter also discussed Xblock's own X-Cleaner ( see »www.ftc.gov/bcp/workshops/spyware/porter.pdf ), yet another anti-spyware application ( »www.xblock.com/ ) distributed by SpywareGuide.

Misc. Topics

There were a few other topics that were discussed on this "technological solutions" panel. Steve Bellovin addressed the role of firewalls in network security. A few of the other panelists exchanged remarks on improving notice and disclosure during software installations, including P3P-like measures that could be used to provide more information about software functionality to users during installations. To his credit, Daniel Weitzner of the World Wide Web Consortium (W3C), one of the prime forces behind the P3P specification (see »www.w3.org/P3P/ ), expressed his skepticism of such an adaptation of P3P, though he said he wouldn't completely dismiss the idea.

DSLR/BBR readers will know that I have nothing but contempt for P3P as a solution to online privacy problems, esp. its partial implementation in Internet Explorer 6.0's Privacy controls (and I am not alone in this regard). See:

"IE6 & P3P Are Not Panaceas"
»www.staff.uiuc.edu/~ehowes/priv-···#ie6-p3p

"Internet Privacy w/ IE6 & P3P: A Summary of Findings"
»www.staff.uiuc.edu/~ehowes/ie6-p3p.htm

Internet Explorer 6.0 Resources
»www.staff.uiuc.edu/~ehowes/resource5.htm

P3P & Internet Explorer 6.0 Privacy Info
»www.staff.uiuc.edu/~ehowes/info2.htm

To my thinking, regarding P3P as a solution to consumer privacy problems is a bit like thinking the solution to shady car dealerships and crooked mechanics is to give all consumers an 800 page Chilton's Auto Repair manual, with the idea that they could learn about cars and "negotiate" their "choices" with businesses from a strong position.

Problems Not Addressed

As useful and informative as the discussion of technological solutions on Panel 5 was, it failed to address several key issues.

First, all of the discussion of automated ActiveX control installations overshadowed the fact that another major route for the installation of spyware is through software bundling, where unwanted advertising software piggybacks on other "free" software that consumers want. I have yet to see a good proposal for improving notice, disclosure, and choice during the installation of bundled software.

Second, as welcome as Microsoft's Windows XP SP2 will be, its immediate effect will be limited. Many consumers with Windows XP will not know to download and install it. Still further, many consumers are still running older versions of Windows, and MS will apparently not be incorporating the enhancements to IE detailed above into older versions of Internet Explorer for other versions of Windows, leaving millions of consumers vulnerable. Even after OEMs begin pre-installing Windows XP SP2, the percentage of consumers who benefit from these new IE features will be comparatively small, so I don't anticipate that advertising software vendors will dispense with "drive-by-downloads" in the foreseeable future.

Third, none of the panelists discussed the problems with current anti-spyware software, which many consumers find too complex and confusing, and which must be updated constantly in order to be effective against the heavy barrage of new spyware on the Net. As I noted in my comments to the FTC (see Myths #5 and #6 in »www.staff.uiuc.edu/~ehowes/ftc-c···tm#myths ), even computer savvy users who diligently keep up with spyware developments struggle to keep this class of unwanted software off their systems. And anti-spyware vendors themselves often struggle to provide protection against the deluge of new advertising software on the Net.

All of these problems should have been addressed more forthrightly on Panel 5 in order to give the audience and the FTC a realistic picture of the potential uses of anti-spyware technology in the fight to keep users' desktops free of unwanted advertising software.

Concluding Remarks on Panel 5

Panel 5 offered some small amount of hope for users of Windows XP SP2; however, there was nothing from Panel 5 to suggest that radical improvements in anti-spyware technology may be in the offing, which is what is needed if such technology is to play a decisive role in solving the problems with spyware. Anti-spyware technology currently resembles that used by the anti-virus industry for its software. Indeed, I often tell beginning users that anti-spyware applications like Ad-aware ( »www.lavasoft.de/ ) and Spybot Search & Destroy ( »spybot.safer-networking.de/ ) work much like an anti-virus program, only they scan for spyware, not traditional malware (viruses, trojans, and worms).

As such, anti-spyware technology has all the same vulnerabilities and shortcomings as anti-virus software, which has been around much longer, achieved much higher levels of market penetration and consumer adoption, and which is much more mature in some respects. Anti-spyware programs can provide strong protection against unwanted advertising software for a certain class of technically proficient users, but it is hardly a panacea -- at least not in its current forms. Those tempted to place too much faith in anti-spyware technology as a non-regulatory solution to the spyware problem would do well to remember the problems with anti-virus technology the next time a worm or virus swamps the internet and infests the computers of their friends, family, and co-workers, all of whom will probably have an anti-virus program.

On an unrelated note, I should report that my earlier comments on the Center for Democracy and Technology (see »FTC Spyware Workshop: 1st Impressions ) have prompted the CDT to get in touch with me. Not surprisingly, the CDT was less than thrilled with my assessment of their contributions to the fight against spyware. I am currently considering posting a more detailed explanation of my skepticism of the CDT's several actions and positions on the topic of spyware. If I do decide to post, it will be in this thread.

Also, I discovered that my name appears on one of WhenU's web pages:

»www.whenu-advertising-info.com/other.html

On that site -- which is primarily devoted to presenting WhenU's software as "consumer friendly" -- WhenU reprints an article from The New York Times (without attribution, by the way) for which I was interviewed almost two years ago. Presumably WhenU reprinted that article on its site to hold up its own software as an alternative, "consumer-friendly" form of "adware" that is radically different from the "spyware" discussed in that article. That's certainly not a distinction that I would make, though.

In fact, in my comments to the FTC (see »www.staff.uiuc.edu/~ehowes/ftc-c···#typical ) I told the story of having to clean yet another of my students' computers of unwanted software ("spyware," "adware," whatever you choose to call it). One of the more obnoxious programs on that student's box was WhenU's advertising software, though she had no idea how or when it was installed. That's not too surprising, given the results of PC Pitstop's survey of WhenU users, most of whom were unaware of the software on their PCs (see »www.ftc.gov/os/comments/spyware/···stop.pdf ).

There is but one panel left for me to discuss: Panel 6 (Government Responses to Spyware). This was an important panel, given the current amount of legislative activity on the issue of spyware. See the news links on my FTC Spyware Workshop page for more information on the several bills currently winding their way through Congress as well as several state legislatures:

The FTC's Spyware Workshop
»www.staff.uiuc.edu/~ehowes/ftc-spyware.htm

I anticipate that I will be posting my comments on that panel in the next few days.

All the best,

Eric L. Howes
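The two inoculation techniques the post describes (setting the ActiveX "kill-bit" on a CLSID, as the SpywareGuide and SpywareBlaster block lists do, and adding domains to the Restricted sites zone) both come down to registry writes. The script below is an added example, not code from Eric's post or from any of the products he mentions; it assumes an elevated PowerShell prompt on a later version of Windows, and the CLSID and domain values in it are constructed placeholders.

```powershell
# Added example (not from the original post): how a kill-bit block list and a
# Restricted sites blacklist are applied to Internet Explorer via the registry.
# Run from an elevated PowerShell prompt. The CLSID and domain used at the
# bottom are CONSTRUCTED placeholders, not identifiers of any real control or site.

$ClsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$KillBit      = 0x400   # bit IE checks in "Compatibility Flags" before loading a control

# (1) Kill-bit: with bit 0x400 set under ActiveX Compatibility\{CLSID}, IE refuses to
#     instantiate that control, whether it is already installed or offered later.
#     On 64-bit Windows the 32-bit browser reads the same path under
#     HKLM:\SOFTWARE\Wow6432Node, so a block list should be written to both.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    if ($Clsid -notmatch $ClsidPattern) {
        throw "Not a CLSID in {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} form: $Clsid"
    }
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Keep any flags already present and OR in the kill bit (a missing value reads as 0).
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = [int]($existing -bor $KillBit)
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

# The check a practitioner wants after applying a block list: is the bit really set?
function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (($flags -band $KillBit) -ne 0)
}

# (2) Restricted sites zone: a value named "*" set to 4 under ZoneMap\Domains\<domain>
#     maps every scheme for that domain and its subdomains to zone 4 (Restricted sites),
#     where the zone's settings stop automated ActiveX installs, scripting, etc.
function Add-RestrictedSite {
    param([Parameter(Mandatory)][string]$Domain)
    if ($Domain -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
        throw "Expected a bare domain name (no scheme, path or wildcard): $Domain"
    }
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name '*' -Value 4 -Type DWord
}

# Constructed sample block list, for illustration only.
$killBits       = @('{00000000-0000-0000-0000-000000000001}')
$blockedDomains = @('adware-example.invalid')

foreach ($c in $killBits) {
    Set-ActiveXKillBit -Clsid $c
    "kill-bit set for $c : $(Test-ActiveXKillBit -Clsid $c)"
}
foreach ($d in $blockedDomains) { Add-RestrictedSite -Domain $d }
```

As the post notes, a block list applied this way is only as good as its last update; the registry entries block the listed CLSIDs and domains and nothing else.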
