
  SnowyOne Premium join:2003-04-05 Kailua, HI
·RoadRunner Cable
·Clearwire Wireless
1 edit | reply to CalamityJane Re: Sunbelt Adjusts WhenU Detections
said by CalamityJane: OH! I see! Lavasoft should have hired Eric, right? Full disclosure is the key. Maybe a full disclosure sound file would be easier to understand? I'm not for the decisions made, but this represents an 'upfrontness' that has been absent with the latest batch of "downgrades or adjustments" or whatever they're being called today. Given the education I've gotten in the past 2 minutes, I sure wish the title to the thread was "CounterSpy Downgrades WhenU" instead of "CounterSpy Adjusts WhenU". I'm starting to think it's me that's in La-La Land. edit: or however this thread is titled.

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
My comment wasn't about you, snowy...I agree with your topic title edit suggestion. I'm just mad that this whole thing has come down to a software wars thing. It was ok for it to be bad in the thread about Lavasoft...now it's OK because Sunbelt sez so.
No wonder we're all confused here (but Eric is disclaiming he is paid by Sunbelt, so I suspect we have a right to voice our opinions about that!)
Give me a break from the madness!
-- It takes a disaster to make a woman out of a female Gladiator Security Forum Proud Member of ASAP (Alliance of Security Analysis Professionals)

B Premium,MVM join:2000-10-28
Wait a sec, CJ, weren't you the one who said we were all overreacting like crazy and indirectly discouraging malware victims from using a good product (Ad-Aware) to cure themselves?
I'm just not sure which "madness" you're referring to now. Personally I think all commercial antispyware enterprises are doomed, for exactly these reasons. They have to spend too much time finessing the obvious -- spyware companies are evil and must be avoided. They can't just blanket-ban WhenU and Claria without getting sued. That's why we need a lawsuit-proof community based effort or an individualized pseudo-Bayesian approach to spyware blocking. (I said the same in another thread today.)
-- B -- In a realm outside causality and function

CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
The madness is, I think, who makes the most money from their ills?
I will still say that users should use the layered approach, and not depend solely on one product.

ghost16825 Use security metrics Premium join:2003-08-26
reply to B
said by B: That's why we need a lawsuit-proof community based effort or an individualized pseudo-Bayesian approach to spyware blocking. (I said the same in another thread today.) -- B

A Bayesian approach..just won't work for this type of thing. What you're describing is a sandbox-like utility that uses your rejection of previous executables to reject new ones. This would require recognising similar parts of executables - this is almost signature based detection with heuristics, back to square one.
Re: "A lawsuit-proof community based effort" perhaps something along the lines of Microsoft's Spynet or ZA's system of whether to allow or deny traffic based on community votes. Basically an app which relies only on an online community being aware that 1) the spyware app exists and 2) a default action based entirely on votes. (A modification of this idea perhaps: »sourceforge.net/projects/proxicus)
I personally favour a black and white criteria model with no default action, with this criteria being as..what's the word..factual? uncontentious as possible.
For example using: »research.sunbelt-software.com/Li···eria.cfm
Un-contentious:
Installs via ActiveX controls
(virtually uncontentious) installs via a security exploit or vulnerability
displays third-party advertising in pop-ups
reconfigures the user's browser home page, search settings, or other user-selectable browser preferences
modifies or deletes the HOSTS file
cause those PCs to establish phone connections to premium rate phone numbers (over X dollars/min)
(with a comprehensive set of subcategories) collects Personally Identifiable Information
installs no uninstallation program or equivalent mechanism (i.e., an "uninstaller")
lacks an End User License Agreement

Contentious:
..not functionally required to view the content
...installs without first providing sufficient notice and choice to users and without securing their full, meaningful, and informed consent.
...uses false, misleading, confusing, deceptive..
...with a documented track record of consumer complaints
...techniques that most reasonable persons would find objectionable
..substandard, inadequate notice and disclosure
...without first providing sufficient notice and choice to users and without securing their full, meaningful, and informed consent
...the acceptance of terms that most reasonable persons would find objectionable, onerous, or outrageous
Contentious criteria is useless in my opinion. Contentious criteria means legal threats.
-- Admin of the Kerio 2x-like open source project: http://sourceforge.net/projects/kerio/ http://kerio.sourceforge.net/

alexeck join:2004-12-20 Clearwater, FL
1 edit

Hi folks,
Anyone who knows me or reads my blog knows that we are hardline spyware fighters.
We also believe in transparency. So no "oops, we just discovered Sunbelt changed their database". There will be minor adjustments that we will make from time to time that don't warrant a full release like this one, but bigger ones like this you'll know about.
WhenU SAVE is adware, pure and simple. Just to verify the research team findings, I loaded it myself and tested it. It stays with a default action of Remove and a Moderate Threat level. Period. That is the program that has people here most concerned.
However, we're talking about programs like WeatherCast and WhenU Search here. I downloaded both of these programs and tested them personally. They're fairly innocuous. That doesn't mean we delist them, we have just changed their threat treatment and rating.
These are fine-tunings and adjustments to the database. We are absolutely not delisting these guys. We're just changing the default action and the threat level.
Anyone can also contact me directly if they want to discuss further -- alexe(at)sunbelt-software.com
As an aside, I will say that even though some of the members of the community perform research work for us, you can rest assured that they have full independence in their decisions and are not compromised in the least. They are not pressured to make any decisions. They are highly ethical and extremely conscientious and we wouldn't have it any other way.
Alex Eckelberry
President

eburger68 Premium,MVM join:2001-04-28
1 edit | reply to ghost16825 ghost16825:
I'm afraid this kind of software can't be analyzed using the "uncontentious" criteria that you've excerpted from the Sunbelt Listing Criteria. The "uncontentious" criteria you've come up with become plenty contentious once you realize all the software caught in the net of such rigid criteria, which are too focused on pure software functionality. To wit:
"Un-contentious:"
Installs via ActiveX controls - Macromedia Flash (and hundreds of other legitimate browser plugins, including online anti-malware scanners)
(virtually uncontentious) installs via a security exploit or vulnerability - (note: hinges on definition of exploit/vulnerability)
displays third-party advertising in pop-ups - standard web browser
reconfigures the user's browser home page, search settings, or other user-selectable browser preferences - numerous programs do this, including software packages that users install from their ISPs
modifies or deletes the HOSTS file - TDS-3, Hostess
cause those PCs to establish phone connections to premium rate phone numbers (over X dollars/min) - some folks do like premium rate dialers (and dialers are quite common and often used in Europe)
(with a comprehensive set of subcategories) collects Personally Identifiable Information - again, plenty of programs do this
lacks an End User License Agreement - this one nails half of the freeware on the internet, and plenty of legitimate payware as well
You'll surely protest that there's a difference between the "illegitimate" software that you meant to catch with those criteria and the "legitimate"/"innocent" software that, in a literal reading of those criteria, also happen to fit the bill. And I would agree -- there is a difference. The trick lies in putting your finger on it without being completely arbitrary in doing so -- that is to say, without resorting to hidden, assumed criteria that are contentious.
Eric L. Howes

B Premium,MVM join:2000-10-28
reply to ghost16825
said by ghost16825:
said by B: That's why we need a lawsuit-proof community based effort or an individualized pseudo-Bayesian approach to spyware blocking. (I said the same in another thread today.) -- B
A Bayesian approach..just won't work for this type of thing. What you're describing is a sandbox-like utility that uses your rejection of previous executables to reject new ones. This would require recognising similar parts of executables - this is almost signature based detection with heuristics, back to square one.

Not necessarily -- who says it has to have signatures at all? I didn't propose a sandbox either, merely an analyzing filter that learns what YOU consider unwanted spyware. I'm not a talented enough programmer or designer to actually create such a thing.
But let's say it does amount to "signatures", if only user-defined ones. Here's part of my point. Sunbelt and Lavasoft et al. can't afford to simply block all executables that are determined to be from WhenU or Claria... but you as an individual user can. Once you control your own spyware definitions, you are free to completely blacklist at least the known offending parties, simply by having the filter learn what their code looks like and/or what their behavior is. My presumption in this case is that Spyware makers will never produce anything I want to run on my computer. I think that's a fairly safe assumption, at least until MS does go buy Gator.
said by ghost16825: Re: "A lawsuit-proof community based effort" perhaps something along the lines of Microsoft's Spynet or ZA's system of whether to allow or deny traffic based on community votes. Basically an app which relies only on an online community being aware that 1) the spyware app exists and 2) a default action based entirely on votes.

No, not even close. I don't like voting-based systems AT ALL. They're generally a mess. This kind of project needs trusted leaders to make decisions about what programs are spyware; frankly it's not that hard once the lawsuit shackles are removed. I called it a "community based effort" because it would still be collaborative and distributed, perhaps following an open source development model. If, for example, a person known only as "AS" were to begin distributing "OpenAntiSpyware", put it up on Sourceforge, and accepted definitions from the public, he or she could, I hope, be relatively immune from legal action for distributing a product that, for example, prevented anything by Claria from running on individual's machines... (Failing that there's still the more underground Usenet/BitTorrent/P2P/foreign soil distribution methods.)
said by ghost16825: Contentious criteria is useless in my opinion. Contentious criteria means legal threats.

That's the whole problem. There's no such thing as non-contentious criteria when you're choosing to block another person's commercial "work". We simply have to remove, somehow, the specter of hovering legal threats before antispyware can really work. (Of course I'd much rather that the normal AV companies be charged with the responsibility.)
Categorizing spyware back in its proper place, malware, and letting users define what they consider malware still seems to me to be a good approach.
-- B -- In a realm outside causality and function

ghost16825 Use security metrics Premium join:2003-08-26
reply to eburger68
said by eburger68: The trick lies in putting your finger on it without being completely arbitrary in doing so -- that is to say, without resorting to hidden, assumed criteria that are contentious. Eric L. Howes

Ah, but that's it. What you're saying is that the difference is only intent. Wouldn't it be much easier to just detect spyware based arbitrarily on the whim of someone at Sunbelt (like yourself), regardless of the installation behaviour, what registry entries are put where, etc? Sure, it would be a totally unprofessional and a non-transparent process but if dslreports users are any indication, most users might actually be happier with this criteria!!???
Thanks for taking the time to reply to the posts in this thread.
=======Somewhat irrelevant part starts here====
Re: my criteria-based idea - some explanation is needed. In my opinion any detection policy is based mainly on two things. Firstly, decisions by any Anti-Spyware vendor need to have a clear scope. What should be detected, and what is some other software's problem to fix. I have not researched Sunbelt's scope of detection.
I personally would stick with detection of only commercial-offerings or modifications of commercial software. Additionally, this anti-spyware software might contain some limited sandbox functions for common spyware vectors. eg. Software using global hook prompts, BHO install attempt etc. (This would be to cover a very small amount of any non-commercial spyware). Any home grown spyware which didn't use a common technique would not be detected.
The second main influence on a spyware detection policy is assumed knowledge of user. It would seem that most anti-spyware vendors have attempted to make minor setting adjustments based on user knowledge or just assumed no baseline whatsoever. In my opinion this has been a failure. It seems that it is much harder to differentiate between different user levels in the anti-spyware software market. Hence, the reason for my idea of a policy-based detection mechanism and forced user decisions on what the intent of the detected software is. I think this would be more accessible and transparent to everyone, than any industry-created terms for classes of spyware for which every software has a different term for, no matter how clear it may be. I think B may have stated in the past that he/she believed Acrobat Reader and the Google toolbar should be on some 'adware' list in anti-spyware applications. Whatever your opinions on this, it seems likely that we may see cases on the line between 'clear permission' and 'unauthorized or unwanted'. When this occurs I believe a policy-based software based entirely on pure functionality with forced user decisions, regardless of user skill level, will be the only way to deal with this issue.
-- Admin of the Kerio 2x-like open source project: http://sourceforge.net/projects/kerio/ http://kerio.sourceforge.net/
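
An added illustration, not code from any poster or product in this thread: B's filter that learns what one user considers unwanted, combined with ghost16825's functional criteria and "no default action" rule, written as a small naive Bayes classifier. The behaviour names, the training history and the thresholds are all constructed for the example.

```python
import math

# Behaviour names are shorthand chosen here for the functional criteria
# listed in the thread; profiles and thresholds are constructed.
CRITERIA = ("activex_install", "popup_ads", "changes_browser_prefs",
            "modifies_hosts", "collects_pii", "no_uninstaller", "no_eula")

class UserFilter:
    """Bernoulli naive Bayes trained only on one user's own decisions."""

    def __init__(self):
        self.count = {"block": 0, "allow": 0}
        self.seen = {d: dict.fromkeys(CRITERIA, 0) for d in self.count}

    def learn(self, behaviours, decision):
        self.count[decision] += 1
        for b in behaviours:
            self.seen[decision][b] += 1

    def p_block(self, behaviours):
        total = sum(self.count.values())
        log_p = {}
        for d, n in self.count.items():
            lp = math.log((n + 1) / (total + 2))       # smoothed prior
            for c in CRITERIA:
                p = (self.seen[d][c] + 1) / (n + 2)    # Laplace smoothing
                lp += math.log(p if c in behaviours else 1 - p)
            log_p[d] = lp
        top = max(log_p.values())
        norm = sum(math.exp(v - top) for v in log_p.values())
        return math.exp(log_p["block"] - top) / norm

    def verdict(self, behaviours, block_at=0.85, allow_at=0.15):
        p = self.p_block(behaviours)
        if p >= block_at:
            return "block"
        if p <= allow_at:
            return "allow"
        return "ask"   # no default action: the user must decide

def trained_filter():
    f = UserFilter()
    history = [  # constructed decisions by one hypothetical user
        ({"activex_install", "popup_ads", "collects_pii", "no_uninstaller"}, "block"),
        ({"popup_ads", "changes_browser_prefs", "collects_pii"}, "block"),
        ({"activex_install", "popup_ads", "changes_browser_prefs", "no_uninstaller"}, "block"),
        ({"activex_install"}, "allow"),                        # browser plugin
        ({"modifies_hosts", "no_eula"}, "allow"),              # HOSTS manager
        ({"no_eula"}, "allow"),                                # small freeware
        ({"changes_browser_prefs", "collects_pii"}, "allow"),  # ISP setup kit
    ]
    for behaviours, decision in history:
        f.learn(behaviours, decision)
    return f
```

With this history, installing via ActiveX alone is not enough to trigger a block, and a program whose score falls between the two thresholds returns "ask" so the user is forced to decide.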