Spyware: Defining What's 'Acceptable'

I hardly see why spyware is such a big worry. If you don't download programs you don't know about and if you don't open random e-mail attachments, then you aren't going to get infected!

Unless you use IE or something with active x that likes to install things for your, for you convenience.

Well, unless you just have no idea how to increase your security level in your IE

I keep hearing people say "increase your security level in IE" time and time again, but that isn't the end all solution people think it is.

In business environments, hell, even for general browsing just raising your security level across the board often causes some pages not to load correctly or requires one to go to the trouble of adding the site to a trusted site list in order to make it work. Although we use custom security settings in the environment I work in, things still manage to slip through because of the exceptions that have to be made to allow the various web based applications to work properly. Not to mention to keep the help desk from being flooded with calls about "I can't get pages to load right in my Internet Explorer!!" How many people are going to actually go to the trouble, much less know how, to add sites they commonly visit to the trusted sites list?

Not everyone out there is as savvy as most of the folks reading and posting here are! MS needs to fix the problem by revising IE to not allow these drive by downloads to take place to begin with!

It's a "big worry" precisely because the overwhelming majority of our customers, our friends, and our families aren't willing or capable of being that careful. It's also not clear to them as to how legitimate freeware differs from spyware bundled crapola.

Even Acrobat Reader's forcing Yahoo toolbars down people's throats lately.

In any case, I've said before that I thought the endless search for the perfect definition of spyware is akin to alchemy -- it's never gonna happen. Edelman's "define consent" search idea doesn't seem any better to me. The only workable solution is a learning filter approach by which users (or their trusted partners) define what spyware is TO EACH USER'S CRITERIA. (The "I know it when I see it" ruleset that has been derided here by the great Eric Howes himself.)

-- B

To add to the Yahoo toolbar issue with Adobe.

If i try to use the update feature in Acrobat I'm forced to install the yahoo toolbar. So I've been installing from the web and not using there update feature.

Maybe the more people do as i do adobe will realize there Bill for Bandwidth is going up. Is it worth the 4 cents from yahoo?

More to the point, why update Acrobat at all? It only gets worse with each new version. Even on the PocketPC I've recently discovered that Acrobat 1.0 plays a lot better with others than 2.0 does.

-- B

said by "B":

---

In any case, I've said before that I thought the endless search for the perfect definition of spyware is akin to alchemy -- it's never gonna happen. Edelman's "define consent" search idea doesn't seem any better to me. The only workable solution is a learning filter approach by which users (or their trusted partners) define what spyware is TO EACH USER'S CRITERIA. (The "I know it when I see it" ruleset that has been derided here by the great Eric Howes himself.)

---

Good call, B, I happen to agree with that viewpoint as well. Defining "spyware", as a single fixed point, is bound to fail, because each of us have our own personal preferences and tolerance levels. It should simply be up to the user / owner of the PC, what software is allowed to be installed onto that PC. It's simply a matter of personal property and property rights - period. EULAs that attempt to appropriate personal property to some nearly-faceless company, without equitable compensation and owner consent can just go to digital heck. And take that damn purple dancing monkey too!

Wrong!

Drive by's.

Nuff Said.

WRONG! If you go to trusted sites, and if you don't use IE, then you won't get infected! I haven't been infected for years now (even though I still scan sometimes) since I have started using other browsers other than IE.

Sorry, but that's just a ridiculous assertion. It's equally valid to say "Wrong! If you never turn on your computer you won't get infected!"

What the heck is a 'trusted site'?? If your methodology were in place from day one, there would be perhaps one node on the whole World Wide Web -- Tim Berners-Lee's little server at CERN.

And we're talking about the majority of users who still continue to use (unpatched) IE.

I'm as anti-MS and anti-IE as most, but come on now. This almost comes off as trolling.

-- B

I'm not anti-MS, just anti-unpatched-IE.

A trusted site isn't a porn site. It isn't a "free games" site either. I mean you just shouldn't expect to be able to search the 'net for one of those things, and not expect some consequence.

Yes, you should! Browsers should be read-only, by definition. I've been saying it for years, but nobody listens...

It's good that currently patched IE (if you're lucky enough to have XP instead of 2000, or WinME, or Win98SE, etc.) is less the wide gaping goatsex hole of doom that it once was, but that doesn't really help much right now.

ActiveX is overdue for history's scrapheap, and from the drive-by exploits I've seen lately, Sun Java had better tighten up too.

-- B

said by "B":

---

ActiveX is overdue for history's scrapheap, and from the drive-by exploits I've seen lately, Sun Java had better tighten up too.

---

Meanwhile, Firefox's XPI-install packaging technology, has just added the ability to craft OS-specific extension, and extensions containing OS-specific .DLL/.so native code. Which would run unsandboxed. So it looks like it's a welcome-home party for ActiveX's twin brother, "XPI native-code extensions". I'm starting to wonder, as Firefox grows and expands in capability to match IE, will we end up with much the same thing and the same issues all over again? We still don't have "Zones" or fully-functional code-signing up and running in FF yet, but I have this sneaking suspicion that we will.

Links please? A couple of minutes of Googling didn't turn up much for me...

-- B

Wasn't there an advertising server hacked or otherwise compromised recently that resulted in hijacks being delivered through ads on reputable sites? Sometimes even "safe hex" can fail.

Why shouldn't we be able to trust free games?

Also, much malicious adware comes hidden in P2P software and security software.

How do we separate the legitimate from the illegitimate when we lack definitions of those terms.

And it isn't equally valid. There are alternatives to IE for browsing the internet, there aren't for using your computer.

You're kidding? There aren't alternatives to using your computer??

-- B

Um... You can't read well or understand what you are saying can you? Is there a way to do stuff on your computer without it being on?!?!? NO! So there aren't alternatives to using a computer that isn't on. Making your argument invalid.

Listen, you twerp, if you don't even realize that you're the dumbest person in the room then I feel sorry for you. It's called an analogy.

I'll try spelling it out so that even you can understand it.

1. You wrote "WRONG! If you go to trusted sites, and if you don't use IE, then you won't get infected!" Meaning if one were to use a different tool (a different browser) to accomplish one's desired tasks (surfing the web) then one would be be safer.

2. I then wrote "Wrong! If you never turn on your computer you won't get infected!" Meaning if one were to use a different tool (a pencil, a telephone, a typewriter, walking into a store, opening a magazine, visiting a library) to accomplish one's desired tasks (writing, communicating, publishing, purchasing, masturbating, learning) then one would be safer.

Neither, of course, is relevant to our real computer-filled and IE-filled world!

-- B

P.S. I highly recommend that "visiting a library" part.

You could get killed going to a libary! Books could fall on your head, maybe your bus/car will crash?



Anyways, my main point still remains. Spyware is for dumb people.

Hmm...I see, so we should all start blaming MS and do not blame those people who are just too stupid to patch their IEs?

finally, someone using a little common sence here!

quote:

---

I hardly see why spyware is such a big worry

---

Ugh, you don't help people with their computers much, do you? Lots of people don't care to read some of the dialogs carefully and "download programs" whether they intend to or not. I don't know anyone who actually wants PrecisionTime but I've seen it on countless machines, for example. Other spyware gets in through vulnerabilities in either Java or IE.

The majority of spyware "infections" I've seen are viral in nature. They don't simply go away when you uninstall them. They aggressively repair themselves if you try and remove them. Aurora (nail.exe) was one of the worst I've seen.

I used to fix peoples problems with their PCs. Then I realized if they are dumb enough to get it, then they don't desserve to have it removed, without a price anyways.

well, you sound like a driver that doesn't care to slow down when the little light turns from green to yellow either...

lol, we're talking about the general public and computer literacy here.

all ya got to do is quit driving over nails & you won't have any more flat tires...

Edelman's exactly right. Defining standards for user consent seems to me to be a fairly straightforward matter. And that, of course, is the problem. Purveyors of crapware want as much wriggle room as possible -- we've seen this with other social parasites, such as telemarketers -- and thus will resist crisp definition of what they can and cannot do.

I'm not sure why the anti-crapware people need to humour them, though. Are they merely trying to over their arses with legal definitions? Is there an unhealthy dependency (no crapware means no need for anti-crapware products)?

Really?? I can't believe you're serious. User consent, as already indicated here, is granted the minute the user allows an executable to run -- Microsoft says so -- they put the EULAs right on the disk case.

-- B

"clarifying what constitutes a user's consent to allow spyware or adware to be installed on a personal computer."

I always thought by clicking I ACCEPT on the EULA gave your acceptance. If people are too lazy to read it, (most people are, I know I don't read every single one I've come across), and it states "We are going to install 'spyware/adware program'" what can you say about it?

Now, if they DON'T disclose what's being installed, that deserves punishment.

I'm wishing that one of these days a start-up company will just go crazy and list ALL spyware and adware on the internet today and decide not to communicate with any spyware vendors. I'll be willing to pay for it too.

when it comes down to removing unwanted or troublesome files from computers, i think that one of the major issues is that people will generalize what it is that's causing problems on their system and this is what's giving so many of these companies grounds to be upset. some people will refer to spyware as adware, or adware as spyware. hell, my father referrs to it as ad-aware. the problem with this is that if the software calls into the wrong classification, the vendors now have a leg to stand on when they complain. if only to say that certain adware companies will produce a program that only displays the occasional pop-up, but doesn't log or transmit user activity, that program should not "technically" fall into the same classification as spyware. to the bulk of people who spend their days removing this junk from computers this is splitting hairs, but companies are very particular about this sort of thing and we just so happen to live in an overwhelmingly litigious world.

for my money, i just refer to the stuff as malware or some other, more profane terms, because it doesn't necessarily classify it as anything other than bad software. in the legal world, it's about as vague as lining up a series of old, broken computers and asking a group of people to pick out the so-called "piece of crap". i think that the most clever way for a lot of the companies who combat malicious files from getting onto systems would be to use a suggested items list for identification & removal rather than trying to pigeonhole the different apps with generic terms. even the information regarding the reasons for removal could remain intact by pointing out obvious problems with the eula or simply identifying obvious problematic program behaviors. essentially, companies would be able to append new malware companies to their removal process, but without getting into any unnecessary name-calling. seeing as this is what so many of the adware/spyware companies are griping about, wouldn't this seem like it would make everyone happier?

How about this for a standard definition of malware? Any program, not an original part of the operating system, which does not include a fully functional uninstaller.My 3 year old can't seem to read a EULA yet, so things get installed. I don't really mind as long as I can take them out. It is amazing how many malware vendors target children's sites.Talk about sleazy.

A pretty good definition. Simple is good.

I'd also require that it not hide it existance or its actions.

why you internet junkies arguing? just use simple analogies to clearly state ur point...like what i am about to do...

for example:
you cant expect the car to be clean when you drive around with it right? aite then, same way you dont expect to use the computer and not get fragmented files and also surf/browse the internet without getting adware/spyware...simply just clean it when there's "dirt" on it.

problem solved for all nerds and noobs.

I for one think that EULA should have a max length by law (# of words). In order to do this and protect the software companies, I think there should be an installation set of terms that only pertain to the actual installation of said product install. Then have a full usage EULA that can be accessed from within the program itself (or help/readme/etc) that explains that actual program usage terms.

I think installation and usage are two entirely different sets of rules, and should be reflected as such by different acceptances by the end user.

Another great requirement that would be a good thing to implement, is require a list of all products installed at the very beginning of a EULA. This would make it obvious to a user right in the visible first window every product that will be installed.

I dont think anyone needs to worry about spyware/adware or virus, just dont download and install cheap software you don't know about like "cracks/p2p stuff" and don't use IE, within one sec thoes spywares can install automatically. Just use firefox and you dont have to worry about anything. You might still get popups but dont click on them, its just spyware software that are disguised as registry cleaners, computer boosters, anti virus....

I think we need to forget EULAs in their current form.

We need to have proper plain language definitions for "friendly adware", "malicious adware", "spyware", etc.

The EULA can then reference those definitions and people will know what they are talking about.

From the article:

quote:

---

-impair the use of system resources, including what programs are installed on their computers; or

---

That pretty much describes what anti-virus, anti-trojan and anti-spyware programs do.

We really need to work harder to come up with good definitions.

The basic things to me are whether the program hides its activity, and whether it comes with a working uninstall utility.

From the article here:
»hosted.ap.org/dynamic/st ··· =DEFAULT

quote:

---

-impair the use of system resources, including what programs are installed on their computers; or

---

That pretty much describes what anti-virus, anti-trojan and anti-spyware programs do.

When we try to get to detailed we mess ourselves up.

The basic things to me are whether the program:
1. Hides or disguises its activity.
2. Whether it comes with a working uninstall utility.

If the program is behaving in an obvious manner, and if the computer user can easily uninstall it by standard means, I think we can conclude that the program has the users concent to be doing what it is doing.

Dear Friends,

Obviously, hackers write law as well as lawyers program.

Any programme which changes any physical component in any way without clear statement of its purpose and function and without a simple and absolute means for removal, which is capable of being installed without positive action on the part of the operator of the computer, and a fail-safe second action to ascertain the intent of the positive action is unlawful to produce or disseminate. The penalty for the production of such a programme to be not less than twenty years in prison nor more than the natural life of the producer. The penalty for dissemination of such a piece of software to be life with no possibility of parole.


Harsh?

BBR does it well - the cookie exists solely so I do not have to login. I have to tick the box for it.
Adware should be clear -


Do you wish to allow a tracking cookie whose purpose is to log the sites you visit to maintain statistics for our sales force to show advertisers how many people and with what similar interests vist our site?

If so, please initial.



This is not so complicated as it sounds. I have a cookie policy that asks every time, except for a few sites, like this one.

Popups are not allowed, unless I am running a stock ticker programme.

The onus has to be made to fall upon the purveyor of the malware, not the end user. It has to be made clear to the eu what he is giving up for his convenience.

In order to effectuate this, we need a far higher tax on the upper income folks in our land. There is no reason why the advertising model has to be the only one that works here.

I look at my bookmarks and see how few of the original law and classics sites remain. Bandwidth costs cash. Since educational opportunity in the US in 2005 needs to be equalised, I say tax the wealthy few to enable every child to have equal access to the web and public telvision. When the producers of Survivor have to drive last year's Mercedes so poorer kids canaccess real source material on the web, we may have a chance at becoming a civilised country.

Of course, it is easier to accept a web based upon ads, where google millionaires sell their old Lotus Esprits on E-bay than to require the Gates of the world to contribute to the common weal. What do we care for the future of our land as long as we can have our SUVs, run windows without having to think of the kids who cannot access the classics, the scientific papers, foreign language news, &c because they are too poor?

A consitutional republic with a government of limited authority begins to decay when the unfettered appetites of the few combined with the unshakable apathy of the many congeal into sauce of the elements of her demise.

Because it is too much trouble to install a viewer, we need active-x which allows those with power to control those who are too lazy to care, until those who do care are silenced.
Sorry, at some point we forget that capitalism and socialism are mere economic systems, each at the supposed service of civilisation, neither part of the law of the land which still asserts the rights of the individual to live in peace with his own property, life and liberty.

Indeed,the very basis of external control of one's property is so abhorrent to the fourth, fifth, sixth, and eighth amendments, that I am surprised, not to say appalled, that there are not sixties' style riots in Redmond.

Funny how one good business plan can do what the emperor of Japan could not - usurp the very basic ability of Americans to think freely, act with dsicipline and decision, and ultimately alllow our sense of freedom to rot from within. My advice to Bush - withdraw from Afghanistan and Iraq - the real terrorist can be found leading the next Microsoft shareholder's meeting.

Send in the Seals and the Rangers. Just make sure their lappies are running linux or BSD.

All good wishes,

Yazdzik