Domain: stopbadware.org
Stories and comments across the archive that link to stopbadware.org.
Comments · 74
-
Re:RealPlayer
I totally agree... I love the Rhapsody service, I get to hear tons of new music because of it. The really big boys ain't on there, but I don't care about that shiz anyway... I don't need Metallica or Madonna.
I do have my gripes though... like songs that were once available for stream, later being removed, or limited to 30s clips... (the minority, but it still happens to me a lot.)
As for the official RealPlayer (which rhapsody is not,) I do believe it still sucks...
http://www.stopbadware.org/reports/reportdisplay?reportname=realplayer01282008 [stopbadware.org]
-
Re:RealPlayer
IT no longer has spyware and adware but the reputation quite damned it. Er, not! http://www.stopbadware.org/reports/reportdisplay?reportname=realplayer01282008
-
Forcing badware on users ?
-
Tell StopBadware.org
StopBadware should hear about this. It's exactly the sort of thing that gets a company a big red X on the StopBadware site. Plus some really bad publicity.
StopBadware is sponsored by Harvard Law School, Oxford University, and Consumers' Union. There's heavy legal firepower available if needed.
-
There are already systems like this.
McAfee's SiteAdvisor already looks for malware available from web pages, downloading everything that might be a threat and running it in a virtual Windows machine with Internet Explorer. SiteAdvisor does the work themselves; they're not trying to get people to work for them for free. Google already had something like that, although not as good. Allowing users to add to the machine-generated lists is useful, but not a big deal.
Besides, why work for Google for free? If you're going to report phishing sites, report them to PhishTank, where the list is open and free. Harmful software should be reported to StopBadware, which, again, has public data.
Remember Google's scheme for getting people to photograph businesses and send the pictures to Google? Whatever happened to that?
-
The Reason
I think one likely reason that the RIAA/MPAA are avoiding Harvard is because of the Berkman Center for Internet & Society which is an outgrowth of the Harvard Law school. You may be familiar with Berkman through the Chilling Effects Clearinghouse, OpenNet Initiative (mapping government repression of the Internet worldwide), and the Stop Badware projects.
Berkman is very forward-looking and proactive regarding emerging issues of Law and Technology. The various fellows have been vocal and supportive of copyright reform. With such an interested, knowledgeable band of law professors and law students, it would be a serious black-eye if the RIAA attempted to litigate on the Harvard campus. I have to believe that they would be handed a bruising defeat, that would establish precedent regarding their campaign of extorting* settlement monies from poor college students.
* I mean extortion in the common, non-technical sense. Don't sue me for libel please.
-
Completely inaccurate summary
This story is so inaccurate that it's not funny.
Let's start with the headline, Firefox 3 Antiphishing Sends Your URLs To Google. Anti-phishing is old hat. It's been around since the Firefox 2 launch last year. And by default it doesn't send URLs to Google. It checks them against a blacklist (automatically downloaded from Google around once every thirty minutes). It only sends URLs to Google for real-time checking if you explicitly enable it. When you turn on this option, a brief description of what gets sent to Google is displayed and you're asked to confirm that this is okay. You can also turn off the anti-phishing feature altogether, which prevents the download of the blacklist.
Anyway, that's old. The shiny new thing in Firefox 3 is malware protection (warning against sites that host viruses/spyware or try to exploit vulnerabilities in browsers/plug-ins). This only uses a downloaded blacklist (downloaded from Google, who have been collating this data as part of their StopBadware.org initiative); there is no mode that sends your URLs to Google.
There are some potentially controversial issues about the malware protection feature: there's currently no way to turn it off in the GUI and it's not possible to ignore the warning and visit the dodgy site anyway (you can ignore the phishing warnings). This does basically give Google a way to block access to any site in Firefox, which may be a matter for debate.
However, no URLs are sent to Google as part of the malware protection feature and URLs are only sent to Google for phishing protection if you explicitly enable it.
The article summary is basically codswallop.
-
Doesn't happen in Opera 9.21.8776!
Doesn't happen in Opera 9.21.8776!
I am doing the following:
1.) Using its built-in popup blocker
2.) Combining that with .pac files
3.) Combining THAT even moreso w/ filtering custom css stuff I use
4.) Not allowing JAVA or JavaScript in my webbrowsers on the public internet (some sites I have to make exception to, Opera allows this though, by site in its rightclick on a page "EDIT SITE PREFERENCES" popup menu options)
5.) Disallowing FLASH via registry hacks to the Win32 OS I use (Windows Server 2003 SP #2, FULLY hardened, per this URL -> http://it.slashdot.org/comments.pl?sid=237507&cid=19410153 & its methods for layered security outlined therein...
6.) & lastly, a custom adbanner blocking HOSTS file (referred to in the URL above)!
(In regards to the latter - I have one built up from years of doing this on my own & lately, from http://stopbadware.org/ , & that has over 90,000 sites in it, as of today that could be banners that suck up my bandwidth, OR WORSE, deliver me "Mal-Content" (pun intended, because this has been shown to be the case sometimes, yes, believe-it-or-not, in adbanners having code that is malicious in them the past 2-4 years now, & articles here on /. even stated it in the past)... & STOPBADWARE.ORG gets its data from GOOGLE (as to sites that bear malicious content & GOOGLE's mantra "Don't be EVIL" is good enough for me I suppose, lol!))
Anyhow, sorry webmasters of the planet - I am a HUGE fan of HOSTS files that block banners, because of the above, & the fact it's MY MONEY I spend to go online, & I want ALL OF MY POSSIBLE BANDWIDTH!
APK
-
Report this to "StopBadware.org"
This should be reported to "StopBadware.org". StopBadware.org's definition of badware requires prior consent to send personally identifiable information to a site. This should be enough to put WGA on the Badware list.
Google is now flagging sites that have been identified by StopBadware.
StopBadware is run by law professors from Harvard and Oxford, with assistance from Consumer Reports. StopBadware is effective. They complained about the Jessica Simpson screensaver, which installed spyware in May 2006. The makers of that didn't listen. In October of 2006, a US federal judge shut that outfit down.
-
You should never use Skype
Their protocol is proprietary and their software is closed source. They refuse to release their code under the GPL or document their protocol so that people can develop open source clients. How this crap is permitted in 2006, I do not know, but I would never install their badware on my computer. (Not that I could, since it is not compatible with my operating system.)
-
Re:As long as they don't...
especially in light of all the bloaty software and annoying features aol has taken on: http://www.stopbadware.org/reports/reportdisplay?reportname=aol082706
-
Bad provisions in Microsoft's concept of privacy
There are several bad provisions in that proposal.
- The proposal does not require that, when collecting data, the collecting organization specifically identify itself. EU data privacy laws generally require that. California law requires that web sites give "the actual name and address of the business" before accepting credit cards, and that's a good standard. If you can't identify who collected the data, you can't effectively exert your rights against them. "xyz.com" isn't enough; you need "XYZ, Inc. 1234 Wilshire Blvd, Los Angeles, CA".
- "Web sites: Visiting pages on a Web site implicitly means the customer consents to the site's privacy statement and terms of use." - that's very weak, and not supported by law.
- For some things, even explicit consent is not enough. See the standards at StopBadware.org, which prohibit automatic updating which modifies other programs or changes the functionality of the one being updated without user consent. (Think Tivo, where automatic updates took away commercial-skipping. That's badware.)
- Personal data transfer to third parties and retention policies need not be specified. Not good. In particular, the owner of the data (the user) needs the right to know which third parties have the data. And the collector of the data must remain responsible for what "affiliates" do with it. This has been a serious problem, where the "good company" disclaims responsibility for what their "affiliate" did. Remember the "outsourced medical transcription" scandal.
- The "privacy" document doesn't address the privacy issues associated with digital rights management (DRM). "Who knows what's on your ebook?"
For a more user-side view of privacy from a technical standpoint, the National Association of Theater Owners Digital Cinema Requirements document is valuable. Digital cinema at the movie theater level has DRM, and the theater owners have organized to tell (not ask) the studios exactly how intrusive the DRM can be. Stuff like
- "The System shall not compromise the security of the theatre's in-house network, including the security of digital cinema systems, point-of-sale systems, and other data systems owned and/or operated by the exhibitor." (i.e. no Sony-type rootkits)
- "The system shall be designed to push data to outside business entities per the needs of the exhibitor, and shall not allow outside business entities to pull data from the exhibitor's equipment or from the premises without the express written permission of the exhibitor on a case-by-case basis. All such communications shall be recorded and shall be auditable by the Exhibitor." (i.e. no spyware; the user has to explicitly send the log data, and can look at it first)
- "System components (servers, projectors) shall be capable of being moved from auditorium to auditorium within the same facility in any combination without limitation and without requiring receipt of new decryption keys." (you can swap components around without DRM problems)
- "Systems shall allow the movement and playback of shows among all auditorium systems within a complex." (you can move the movie from one room to another without DRM problems)
- "New Security Keys shall be delivered within 15 minutes of the time of request." (no long downtime because the DRM people screwed up)
- "Systems shall employ the standard interchange method for security log reports .... Systems shall employ tools that allow the exhibitor to filter security log reports logs prior to sharing." (it's all in XML, and you can see what the DRM owner sees.)
-
Re:Report this as "Badware"
This should be reported to StopBadware.org.
Well, knock yourself out.
-
Report this as "Badware"
This should be reported to StopBadware.org. It appears to violate Guideline G ("An application must permit end users to uninstall it (in the customary place the applicable operating system has designated for adding or removing programs, e.g., the Add/Remove Programs control panel in Windows) in a straightforward manner, without undue effort or a high degree of technical skill.") and Guideline E ("Software Which Transmits Data To Unknown Parties").
That should earn it the Badware Logo.
The great thing about StopBadware is that their guidelines define some actions as making software "badware" despite any disclaimers or EULA terms. "Hard to uninstall" software is always "badware", no matter what the EULA says.
-
Please fill out a "badware" report. Thanks
If this is "badware", please fill out a Badware Report at StopBadware.org.
That organization has real promise for putting a dent into adware and spyware. With legal support from Harvard University and Oxford University, financial support from Google, Lenovo, and Sun, and assistance from Consumer's Union, they're in a very strong position to fight back. They're not going to cave in because some business complains.
-
StopBadware might get this right.
StopBadware has standards that are tougher than the usual "it's OK if the EULA says it is". That's been the problem with TrustE's Trusted Download Program, which is a whitelist for supposedly "good" badware. Then there was the Microsoft/Claria debacle.
Unfortunately, StopBadware thus far has a very short list of "badware". They need to be listing perhaps a few hundred items. So start sending in those reports. They need technical info on "badware".
What StopBadware has is legal support. They're backed by the law schools of Harvard University and Oxford University, and by Consumer's Union. They're not likely to cave just because some company sends them a threatening letter. In fact, for a company to sue StopBadware when they have a weak case could be disastrous for the company. It would open the company to discovery to determine exactly what their "badware" did, with executives and programmers forced to testify under oath.
-
Re:AOL was good before....?
http://www.stopbadware.org/blog/articles/2006/08/28/stopbadware-releases-report-on-aol-9-0
the answer appears to be yes in fact StopBadware.org appears to think AOL was previously "good"...
StopBadware.org releases report on AOL 9.0
Posted by Christina Mon, 28 Aug 2006 11:22:00 GMT
Our latest report, on the free version of AOL 9.0, is a bit of a departure from some of the applications we have highlighted in the past. Perhaps John Palfrey, the executive director of the Berkman Center and one of StopBadware.org's principles, puts it best: "AOL has a long and storied history of being a leader in the fight against badware. AOL plainly does not belong in the same category as the all-too-prevalent, garden variety badware providers. But the free version of AOL 9.0 that we tested, in our view, does not live up to the company's rich legacy. AOL is a trusted brand in the Internet service space. What we are calling on AOL to do today is to honor that trust by telling users exactly what they're putting on their computers, give users an easy way to opt out of having so many programs installed and running after download, and ensure that users can uninstall all the applications they don't want on their computers."
Palfrey adds, "We've been very impressed with [AOL's] response since we sent them the draft report and we look forward to working with them to address the concerns that we are raising in our preliminary findings."
-
Re:Not uninstalling is a huge pet peeve of mine
If it was just a few preferences left behind then there probably won't be any issue. But have a look at this screenshot. http://stopbadware.org/images/screenshots/AOL/AOL11.html
Two processes are left running and sucking up memory. The programmer who is in charge of the uninstall routine should be tarred and feathered and then forbidden from ever working in the field again. Beyond the obvious issue think about this. Aol 9.0.3343 is updated to 9.0.4000 because of a massive security flaw in AOLServiceHost.exe. You uninstalled AOL before the update came out and yet there sits part of the old version of AOL running as part of your OS just inviting trouble.
-
Jessica Simpson
The AOL software is down right angelic compared to the Jessica Simpson Screensaver!
-
Affiliated Services with Digitally Signed Scripts
Commercial user support services, like Linspire's Click and Run service, and non-freely redistributable code, such as proprietary software and plugins, should not and in most cases cannot be included on Ubuntu's CD/DVD distributions.
However, there is no reason why Ubuntu could not host Digitally Signed Shell Scripts ( DSSS ) on their website, and by default, include a MIME setting so that web-browsers will pass the script along to a plugin that checks that it has been signed by Ubuntu before executing the shell script. The script would then perform the one click download and install of the required software. The advantage of this is that the DSSS could be linked to by any Ubuntu website, FAQ , help, page etc.
Two preconditions:
1) Ubuntu should not preselect any one service over another, but include scripts to install competing services.
2) Any Ubuntu "affiliated service" that wants a Ubuntu DSSS would be required to sign an agreement to not use it to install any badware.
-
Re:What is there to research?
TFA is very light on details, so I went directly to the source and read the StopBadWare.org press release
Here is how the program will work:
To be fair to the beatniks, they have a different focus and the fact that they've got Consumer Reports on their side shows it. IMHO, Their goal is to review software & not to sue bad guys or write laws.
Internet users can visit StopBadware.org to check whether programs they want to download are infected with badware and alert others to programs they have encountered that include malicious software such as spyware, incessant pop-up ads or other obtrusive programs.
StopBadware.org will publish short user friendly reports on downloads they have identified as badware, as well as more detailed academic studies on the problem of badware.
StopBadware.org will publicize the names of companies that make up the most insidious purveyors of badware and shed light on how they make money through unethical marketing practices. For example, advertisements will spotlight the worst purveyors of badware.
StopBadware.org will seek the horror stories from Internet users who have been adversely affected by badware. It will publish these stories to raise awareness of badware's harmful effects.
-
Re:How?
Both of your questions (and more) are answered there.
-
And the URL is...
Good news, but I would have been happier if the article or submitter also mentioned the actual URL of the site...