Fair Software Installation

rossjudson writes: "There's a little war going on in your computer; it's a war that you might be aware of if you're an experienced computer user. If you're new to the game, there's very little chance you know about it, but it affects you, and it gets worse, not better. The battleground in this war is your CPU, your disk space, and your system's stability." He's got a particular beef with NEW.NET, but lays out (in the article below) what he thinks is a workable, generalized code of conduct for software installation.

Fair Software Installation These days, we all download and install software from the Internet. And that software is rarely written entirely by one entity; rather, components are combined to create the programs we want. There is an increasing and disturbing trend to ship components that perform-system level tasks and have system-level effects. These effects are magnified because many of these components are installed without adequate notification to the user (either by omission, or deliberately).

The NEW.NET domain resolution component is a good example. This component is installed by a number of freely downloadable Windows programs on the Internet. Some of those programs notify the user that they are going to install the NEW.NET software; others do not.

Installation of NEW.NET alters the basic functionality of your system: It causes your system to behave in a manner that is inconsistent with international standards. That this is done in a stealthy manner is unacceptable. The fact that NEW.NET is unstable besides is another issue that we will deal with separately.

If I am installing a program that calculates speaker enclosure volumes, I shouldn't have to worry about it redefining my network stack and destabilizing my computer.

What does a reasonable software program or component do? It should perform its defined, published task. It should not consume excessive resources. It should have a defined starting point and defined ending point. If it is defined to be a service, it should publish that fact and indicate the starting mechanism it uses.

Let me draw upon the realm of commercial software for an example of a program that is an offender. Creative's PlayCenter 2 application is used to move music to and from Creative Nomad MP3 players. It can also play media. When you run the PlayCenter application, you get the functionality you expect. When you start examining your system files afterwards, though, the picture changes.

PlayCenter installs a service, a disk detection system, and a news collection daemon. It does not attempt to inform the user that these daemon-level processes are being put in place. It does not offer the option to make them manually-startable. Worse, the news collection daemon would actually chew up all your CPU idle time.

I think creators of software have some basic obligations:

1. Inform users when drivers, services, or daemons are being installed.
2. Allow users to omit any of the above that are not strictly necessary for program operation.
3. Ensure that during uninstallation, system-level components are accurately removed, "leaving no trace."
4. System-level and daemon components must be subject to a higher level of quality control. It is possible that some level of legal liability should be present for the corruption of the system.
5. Transmit no information from a component to any party unless specification notification to the user has taken place, and is renewed on a periodic basis.
6. Collect no information on a user without prior agreement, and a renewal of that agreement on a periodic basis.

There's been a longstanding battle between virus writers and anti-virus software. The equivalent to anti-virus software in the component world is Lavasoft's Ad-Aware. If you haven't run it before and you have a Windows box, get it and run it. The first time can be a real shocker -- tremendous amounts of crap can build up in your system without you knowing about it.

The little war I mentioned earlier is going to get nastier soon. Uninvited components like Cydoor and NEW.NET are sure to take steps to defeat Ad-Aware and programs like it. If I wrote a stealth component today, I would have it seek out an Ad-Aware signature file and modify it to ignore me, or add my directory to the ignore lists. Ad-Aware could respond by digitally signing the files, or with other techniques. This cycle will escalate, with each side taking new steps to ensure its dominance. Users will pay the price in decreasing system stability.

I am hard-pressed to see the difference between NEW.NET and the Sub7 trojan horse. Both subvert a computer for the purposes of others; both do it in stealth. The good folks at NEW.NET will surely disagree; they'll say that those applications that install their software inform the user, and as such, it really isn't their responsibility.

I say it is. NEW.NET makes active use of the component on your computer; I think that they cannot duck their responsibility for its behavior. They are a not passive participants; they are not a library component being used by others.

I've been beating up on NEW.NET quite a bit in this article. I suppose it's because the deinstallation of their component trashed the IP stack on my Windows 2000 system and it took me a half day to put it back together again. What the hell were they thinking when they stuffed a buggy service deep into my IP stack without telling me? I think they should have to compensate me in some way. A $250 Small claims court action here in Virginia might be a way to do it.

The bottom line is, where does it end? Software installation programs should install components that the user expects. Full disclosure should be the order of the day. There will always be violators, though. There are a couple of remedies which could help:

1. A legal framework for "allowable" system modifications during installation can be created. By adhering to the requirements of disclosure and stability, manufacturers can avoid liability. The thread of liability may be required (although capped) to enforce conformance and responsibility.
2. A technical framework in the operating system can establish and protect secure boundaries around the system's core. Certain operating systems already do this (Unix), but the most widespread consumer OS does not.
3. A "signed installation" program, run by known entities, asserting that a given program and its installation don't violate the rules.

These remedies are necessary as the entities creating these components can't be counted on to do the right thing. Their business models are often predicated on the stealthy gathering of knowledge, and the altering of what goes into your computer.

Just think -- what if NEW.NET decided to start redirecting www.bestbuy.com to www.circuitcity.com? Is there a law somewhere or a technical remedy for this situation? I think there should be.

Slashdot welcomes reader-submitted features; use the story submission page if you'd like to submit yours.

Good idea

[crumbz]

This is one area where open source software can really pull ahead of Microsoft. Provide excellent documentation of the software and the coding as well. That's all folks. As shoddy as Microsoft's image is regarding security, they won't be able to have it both ways. Not to pick on them, as there are plenty of other targets (AOL being another), but they do have a poor track record in this arena.

The most direct benefit of this initiative is well-written code. Well-written code that undergoes peer review from impartial others is the best thing we can do to further this industry.

Re:Good idea

[TheCarp]

> How, exactly, does New.net's software mess with the IP stack?
> At worst, I understand it to be a simple DNS proxy that filters
> between new.net domains and regular domains.

Yup...your right about this... and the search path thing. The mistake you make is to assume that because the method of doing this that you thought of makes sense and works, that new.net did it that way.

Yes, they tell you thats ONE WAY to make it work. However, even the document that you quoted states, thats how to do it "Without the plugin". A Plugin is NOT a registry entry, its a program. Your assumption that this is how the plugi nworks is quite unfounded.

I can imagine a plugin that modifies the IP stack in some way to achieve this same end. It may even do other things too. It sounds to me like this is what they are doing (perhaps the whole point of the plugin is to add new.net to the search path while hiding the fact that its there, and preventing it from being changed)

If it was really as simple as you describe, then there is no need for this "plugin" to exist at all, all they need is a one shot program that changes a registry entry.

-Steve

he has some valid points...but....

[Em+Emalb]

"The NEW.NET domain resolution component is a good example. This component is installed by a number of freely downloadable Windows programs on the Internet. "

When you install something for FREE from the internet, you can't assume it will work as you want it to. Also, just because it works on your machine does't mean it works on everyone elses. this is pretty redundant IMO.

I am sorry the software screwed up your IP stack, but can you seriously expect to get money from them in small claims court for free software? Nobody forced you to put it on your machine.

Re:he has some valid points...but....

[mansemat]

When you install something for FREE from the internet, you can't assume it will work as you want it to. Also, just because it works on your machine does't mean it works on everyone elses. this is pretty redundant IMO.

NEW.NET is only a component. You could also find NEW.NET in commerical software that you pay for.

In that case you've PAYED for something. Do you still assume is will work as you want it to?

What a day to be without moderation points...

Re:he has some valid points...but....

[DahGhostfacedFiddlah]

If someone gives you a free hot-dog that happens to contain poison, can you take them to court?

Sorry for the stupidity - but it's the first analogy I could think of. The program/component was misrepresented (as something that wouldn't fuck with the IP stack), and that misrepresentation caused damage to his computer and a certain amount of time getting it to work again. I don't agree with punishing free software developers for bugs, and there's little precedent, but just because it's free doesn't mean that the creators can't be held liable.

Re:he has some valid points...but....

[Hiro+Antagonist]

Funny; I grabbed all of my application software, from StarOffice to Opera, for free, off of the Internet, and it seems to work just fine. So do the numerous other, smaller applications, like 'mutt' and 'ssh' -- they haven't trashed my computer, either, and they were free.

I think what the author is trying to get across is that the user needs to be informed; and while this is taken for granted in the free software world, it seems to be largely absent nowadays in the world of commercial software.

When a Debian package is going to make changes to a configuration file, it asks me first (unless I tell it not to); when most Windows-based installers decide that it's time to replace the IP stack with a Jell-O recipe, it just goes ahead without informing the end user of squat. While Microsoft has made this easier, it's not totally their fault (for once); and it's something that applications developers need to keep in mind.

Re:he has some valid points...but....

[tyllwin]

Oh, come now. Let us draw an analogy or two:

You're at the supermarket. At one of the tables set up along the aisle, an employee offers a free piece of candy, which you accept. The center is filled with ipecac, and you vomit for the rest of the day.

You're at a concert. You accept a free nerf ball being given away by a radio station. It turns out to contain a miniature microphone which transmits your conversations back to the station's marketing department.

In any other form of human endeavor, would "it's free, whaddaya expect?" justify this sort of deception?

When the software comes clearly labelled "THIS FREE DOWNLOAD WILL INSTALL 2 PIECES OF SPYWARE, CAUSE ADVERTISING POP-UPS TO APPEAR ON YOUR DESKTOP, AND MAY REPLACE AND/OR DAMAGE INTEGRAL COMPONENTS OF YOUR OPERATING SYSTEM," then I'll agree that the person who installs it gets what he deserves. Until then, I say s/he's being damaged by intentional deceit.

Legal Framework?

[dgb2n]

I was with the author all the way up until the point that he mentioned a legal framework for enforcement.

While all of those objectives are admirable, at the mention of involving governmental organizations in the enforcement of such standards I begin to get nervous. We live in a litigous society in the US as it is. Do we really want to enable a new class of lawsuits based upon violation of software installation standards.

Sure, publish some guidelines and get corporations to sign up agreeing to adhere. I'm just not sure I need or want legal protection to enforce it.

I certainly don't want to have my installation routines prescreened by the legal department before I can ship my code. Sheesh.

Re:Legal Framework?

[hagardtroll]

I think the "Legal Framework" needs to be built into the code as well as the law.

The O/S should be the O/S should be the O/S. No third party application should be able to change the functionality or performance of the O/S.

The Application should be the application should be the application. No OTHER application should be able to change the functioning of the original application.

If the browser is an application that is part of the O/S that can be modified by a differnt application, then you never know what to expect.

If I want to run App A, later install App B. App B shouldn't be able to change App A unless that is what is advertised to do.

App B shouldn't be allowed to mess up App A or the O/S. If it does, that behavior should be detected and stopped.

That way if App B fails to work, it can be removed and the O/S and App A can go on their merry way.

Anyone want to start a software company?

[cperciva]

It seems to me that "scumware" is starting to take on proportions very similar to "wormware"; as the author notes, there seems to be little difference between the subseven trojan and the new.net software (or, I might note, whatever that horrible program was which made yellow links pop up everywhere).

Since anti-virus software doesn't seem to scan for these, perhaps someone should create a product which operates similar to antivirus software but instead scans for a dictionary of scumware?

And WTF is NEW.NET?

[grnbrg]

Anyone? Anyone? Bueller?

A URL or something?

Google just points you to http://new.net/, which doesn't look like anything.....

Re:Creative Playcenter?

[mansemat]

This is just one example. What if somebody else doesn't give you the choice to turn of those components?

His point, I think, is that we need full disclosure about what the software install on your computer that is above and beyond the corse software function.

Sure most people will never read that crap, but it should be available for those of us who want to know what all that extra shit it they've installed on the computer just so you could, for instance, dump songs from your harddrive to you MP3 player.

Re:Keep it simple

[Sorthum]

The problem with this idea is that end users generally don't want to know the nitty gritty details about their machines-- they just want the damned things to run. That's why this standards idea is such a good idea-- it keeps the end users happy because programs such as the old AOL versions won't mess with settings without telling you about it, and it makes those more knowledgable happy because they're not having to rebuild IP stacks (as an example) because some buggy code made it into a final release.

Screw it

[drivers]

I'm switching to free software.

Three words: Package Management System

[JonKatzIsAnIdiot]

A package management system is the user's first and best defense against this type of thing. With it, a user can always determine which files are needed for which applications, and vice-versa. You can check what is going to be installed before you do it. While a malicious/ignorant software vendor could put malware into a package file, at least all of the files that make up that package can be determined later on. No other software management system can provide that information as easily. Not installer programs, and not even the sacred install-from-source routine.

EULAs unenforceable

[coyote-san]

First, EULAs have not been upheld by the courts. Especially when they "shock the sensibilities." That's why UCITA is trying to write enforceability into law.

Second, the EULA you saw focused on the main application being downloaded. It is unlikely that this EULA will discuss embedded applications with any depth, at most you might see a paragraph making vague references to third-party applications.

Third, one of the cornerstones of contracts is that it's an conscious, INFORMED agreement between multiple parties. One or more parties may decide to remain ignorant, but once one party begins to deliberately withhold pertinent information that another party wants it's a whole new ballgame. As the author points out, there is absolutely no reasonable way anyone could ever expect an application that computes the size of a speaker enclosure cause a critical part of the OS's network stack to be changed.

Finally, I think this situation is so outrageous that it's getting close to gross negligence, not just negligence. You can contractually limit your exposure due to negligence (you made an honest mistake), but you can't contractually limit your exposure due to gross negligence (you knew there was a problem, you know your inactions would cause harm to others, but you didn't give a damn).

A better analogy is that you bought a hot dog. Okay, this is a little iffy, but most people understand that some cheap hotdogs have filler and they'll pay more for a "100% beef" hotdog. But now you learn that you're now sterile because the hot dog producer has been dumping dangerous chemicals in the brew, but hey you agreed to this risk when you bought those cheap 'dogs.

Re:Here is an idea...

Ummm Windows doesn't obscure the installation routines, it forces (or allows, however you look at it) the developer to choose their method of installation. Microsoft develops an installer, but they're about the only developer that uses it. Most developers use InstallShield or another program to build their installation front-end, and it's up to the developer to decide how much control over the installation they give the users.

In the end, as long as it has a custom install option that allows me to dictate the location and/or existence of each component, I'm fine. It's a complete pain in the ass when a piece of software is misrepresented or doesn't even tell you it's installing something else, though. Again, though, that's not an OS-dependant thing, as developers could do the same thing on any OS that permits/utilizes binary installers. You can avoid that by using open source software and just compiling everything yourself, but even then are you looking over the code you're compiling first to make sure it's not doing something odd in a background thread?

Disclosure, choice and the future (rant)

[legLess]

That's my summary of what we need: disclosure and choice. The user must know every single non-required system modification, and have the choice to not install any of them.

But this won't work, of course. Our favorite example is Microsoft, who blithely says, "It's all required; it's all part of the OS; either take the package or don't." Making choices confuses people, see, and we want to avoid that.

Without being elitist at all, some of what they say is true. One reason Microsoft has succeeded is that they remove those scary choices from the users. It's the software equivalent of "bread and circuses" - don't bother people with the details, wow them with flash, and they'll mostly ignore what goes on in the background.

This succeeds because it's what people want. My 72-year-old mother doesn't know about patches and updates and service packs, and for fuck's sake she shouldn't have to. For good or ill, most people view computers as slightly cantankerous, very expensive toasters. They have no idea that they have, sitting on their desks, a little machine that can do very nearly anything. They want to do a couple things, and they want those things to be easy.

I can see a couple ways for this to go:

1. Special-purpose machines. Instead of one computer, you'll have a few little ones. A web pad in the kitchen that downloads recipies, a glorified word-processor in the study hooked up to a printer, maybe with accounting software. Most people will go to Office Depot and spend a few $hundred on a black box, kind of like a cell phone now days, then throw it away when a newer model appears. Microsoft is set to own this market.
2. General-purpose machines. Geeks will still want a real, live computer that they can control. This is only going to get harder and harder. Twenty years from now, I bet there'll be fewer general-purpose computers than there were twenty years ago. The after-market parts business will dry up as copy-control gets more and more intrusive. I mean, I can build a box from a bunch of parts, but I can't build a fucking motherboard or hard drive.

Computers have to get easier to use while at the same time getting more complicated and doing more things. The only way to do this is to remove end-user control of the device. Fewer scary options, fewer things to screw up. For the most part this is a good thing. Most people using PCs today are basically helpless aside from a few well-known command sequences.

The hard fight will be to retain control of real computers while consumer boxes get dumbed-down. What will make this possible (IMHO):

1. No DRM. Period. This will kill general-purpose computing forever.
2. More standardization. As the parts market shrinks and specialty boxes become more common, it'll be harder for ASUS (e.g.) to sell mobos into the after-market channel. There will be consolidation, but as long as #1 above is avoided it shouldn't be fatal.
3. Concentration on software quality. The OSS community generally goes a better job of this than closed-source, but it will have to get better. Quality alons isn't enough; as we know, 500% better isn't better enough if you don't have good marketing.

This is a long, winding rant, and has gone a little off-topic. Back to the point: I don't think this situation will get better, or at least not in the way we hope. It's going to be incredibly difficult to hold software manufacturers liable for anything; it'll be even harder to hold them liable and let OSS off the hook.

The best hope, I think, is operating system diversity, which at this point means forced licensing of the Windows source code. If you can use Microsoft Windows that basically bends over for any cute-looking virus or trojan, or (e.g.) IBM Windows that flat-out refuses to install anything that isn't digitally-signed and verified (assume, for the minute, non-DRM verified), what would you pick? What would your mom pick? What would you want your mom to pick?

Some choice quotes

[mblase]

Some choice quotes from http://www.new.net/about_us_guiding.tp:

"New.net will seek to work with ICANN to ensure stability in the Internet, and we will attempt to work in the best interests of all parties to not interfere with anything that ICANN plans to do." (Clearly, the author of this article would argue with the use of the word "stability".)

"New.net is building a more open registry business that also will enable other parties to introduce new domain name extensions to the millions of users that have access to New.net domain names. New.net will determine which extensions to release in the future, applying the standards set forth below." (You call that open?)

"We are building a DNS infrastructure that is at least as reliable as the root servers that serve .com, .net, .org, .co.uk, and other top-level domains." (I don't consider having to install special software just to get to a URL "reliable", but maybe I'm narrow-minded.)

Shoe's on the Wrong Foot

[bumski]

The author makes a lot of good points, but in the end, he's placing the responsibility for preventing unwanted, system-level changes on the wrong party.

Installing or modifying "system-level" components such as drivers, services, and daemons shouldn't be possible for anyone without administrative privileges. If the operating system fails to distinguish between normal users and administrators, then it's the OS that needs to be fixed, rather than the practices of innumerable software suppliers.

And if the user chooses to run always with administrative privileges, well, he deserves what he gets.

Install Software?

Installing software is IMO ridiculous. I really like the model used in most OS X programs, which is you drag over the self contained program to whereever you want and just run it. No registry bullshit and all config files are thrown in your home directory so you can upgrade it and not lose any settings.

There are some crappy OSX apps(like Office X and Maya) that use "installers" but I stay away from that crap.

Re:What do you mean "your computer".

[TRACK-YOUR-POSITION]

Assuming that most of us would like users to own their own computers, the name of the game would appear to be "minimize the number of people/companies you have to trust in order to efficiently use your computer." This is because once you've trusted Company A to supply your OS, trusting Company B to supply an application does not relieve vulnerabilities to A at all but adds vulnerabilities to B.

There are two paths we can take here:

A. Pick one company to put all of your trust in, and never install software from anyone else. This ideal company either develops the software almost in house or reads the source code that others have developed. Never install software created by anyone else unless you've read all of it's source code and compiled it yourself.

This means only companies large enough to do this can sell software, assuming a reasonably secure

B. Add the social and technical tools that this article and others suggest. Why the heck shouldn't it be illegal to INTENTIONALLY misrepresent what a piece of software is doing? Forget negligence--at least let's make false advertising illegal, huh? Why the heck should my operating system allow a video game to read my credit card number and modify my system?

Personally, I'd really like the ability to say "only let this program do X and Y and nothing else", where X might be (temporary) control of output devices and Y might be adding files to a particular directory. Yeah, I guess I could create a new user in Linux with just the permissions I want to give it for every program on my computer, then run the program with the appropriate user. But that would be a lot of work, even for me, and it wouldn't save every who uses computers whom I care about who happens to have better things to do in their life.

Re:If Spyware would only follow these rules...

You could use a system comfiguration utility that comes with windows "MSCONFIG.EXE". I dont think it comes with win 2k/NT though, and the win98 version works with some caveats in 2k. you could remove stuff that starts at startup with this. this doesnt look at services though.

You might also take a look at this page: http://mlin.net/StartupCPL.shtml

Disclaimer: I use msconfig, but havent used startupcpl (yet) ....

Re:Creative Playcenter?

[matman]

Couldn't you just add a DNS suffix to the system for new.net and achieve the same thing?

Re:If Spyware would only follow these rules...

Get kazaa lite instead. All the spyware has been hacked away & the files repackaged. Do a web search for it. ;)

Preaching to the Choir?

[scott1853]

Ok, how many people here choose the standard installation options and how many ALWAYS choose Custom just so they know what's being put in their system?

The programs that I've seen install that New.NET and SaveNow crap have always had them as customizable installation options. You just had to click a button and read the contents of one more screen during the install.

The software that crap comes with is free anyways. So what's the problem? Are you going to write your own software or take a trip to the store to pay for software (assuming it's retail) just so you can save yourself 10 seconds off your install time?

Why don't you go talk to Fritz Hollings and maybe he can work that fine idea into some worthwhile legislation for you. Or better yet go talk to gates about only installing software that the author has spent thousand of dollars having verified by windows quality labs.

You, the consumer, have exactly what you want

[PrismaticBooger]

Microsoft has gone to a lot of effort to ensure that you don't have the level of control you're seem to want in this rant. If you really wanted this level of control, you'd use a product that offered it. Instead, Windows consumers have demonstrated to Microsoft that they don't care. Microsoft users will suffer through countless reboots. They'll even readily grab their ankles for a complete reinstall when some poorly written software hoses their fragile system.

Windows users will not only tolerate, but pay for all of that. And they'll pay for it, as Microsoft well knows, because it's applications that sell Windows. So they'll ensure that application developers can fully commandeer your machine if they want to, because that's what application developers say they need to make the users happy.

Who would ever have imagined that such privileges can be misused and abused?

Now stop whining to the government to protect you from yourself and start making some forward-thinking decisions about the software you use and support.

Re:If Spyware would only follow these rules...

I installed Kazaa the other day at home, knowing it would attempt to install the BDE3 (I think) viewer.

I think that all the badness comes from this action called "install". Most of these applications could be written as a .exe and a few datafiles lying in a directory, with the .exe accessing these datafiles and making system calls and that's all. Why things aren't done that way even for very simple programs is beyond me.

Most people wouldn't understand anyway.

[Eric+Damron]

I agree with the author that you should always be able to remove any program completely leaving no little surprises behind. However, notifying people that it is about to install a driver, service, or daemon might be too much. Most people won't even know what a driver, service, or daemon is, so what would you say to them?

"About to install a daemon in your system... Do you really want to do this? DO YOU!!"

hehe Ok maybe it wouldn't go like that but most people won't be sure how to respond. All they want is for the program to do the job that they paid their money for it to do.

Not telling people about installing spyware should be a crime. The fact that information is being passed out of my PC without my approval is theft. It doesn't matter if it's my credit card number or a list of sites that I visit. It should not be up to corporations to decide what is to be considered private information on my PC. I can handle that job, thank you very much.

Re:Mac OS X Software installs...

[bdowne01]

Well, I think that's a little oversimplified. It actually involves clicking "Next" several times as well ;)

But I believe his point is that you have control over what's installed on the Mac. If you don't want it installed, don't copy it.

A Windows install is a scripted behind-the-scenes shindig. Who knows what's being added to your registry...where & what files are being installed, etc.

-brian

Re:That's actually an interesting idea

[TRACK-YOUR-POSITION]

Wow, you actually read through all those typos and places where I forgot to keep typing what I was thinking? You are amazing! ;) This installer program sounds like a very good idea indeed. I have a wacky extension proposal, though. If I understand this idea, this installer will prevent apps from writing over other. But if we give every resource/file a new group(!) we can even prevent them from reading/executing files that they shouldn't--only app-users that need a resource are added to the resource's group. I must admit, in linux as it is today, this extension requires more paranoia than I can muster today. Maybe in the future if spyware became a problem with linux programs... But from my ignorant perspective, your installer sounds like a really great idea. Maybe someone who wants to sell commercial software under Linux would want to implement it--as a free open source program that guarantees the validity of a commercial closed source program.

So it will install spyware on first run instead

[Smack]

If they want to install crap and spyware, they will. The fact that installation on OS X is just drag-and-drop is quite nice, but it doesn't change the uncaring attitude of these developers.

Windows is hopelessly broken in this respect

[bcronin]

Anyone who's administered Windows machines knows that Windows programs, in their never-ending quest for convenience, routinely install taskbar "daemons". I find that you can gauge the naivete of a user as directly proportional to the number of small icons next to the clock.

The point is that Windows application writers are so used to running a resident process in support of their dinky programs that it seems to me to be too late to change the practice. Of course, some programs are more intrusive than othes (Real Player, anyone?), but it seems like the developers of just about every dinky little app seem to think they won't be taken seriously unless their program loads SOMETHING at bootup.

Of course, I shouldn't complain. I make good money doing PC consulting work; a good percentage of my calls are people whose machine is so clogged with TSRs that it has become unusable.

Re:Property Questions

You getting my passwords and PINs doesn't constitute stealing. You using those numbers to withdraw money from my bank account does.

Re:If Spyware would only follow these rules...

[CtrlPhreak]

Get rid of all that spyware, I use ad aware. It has worked for a lot of things I never heard of and it's simple/small. Check it out www.lavasoft.de. Free as well.

That's what you get...

[ebyrob]

When you don't compile everything from source yourself. Down with binaries!

Oh wait, does compiling and reading code actually take work?

Re:Whta do you mean, "not totally their fault"?

[Hiro+Antagonist]

This has nothing to do with holes in APIs; this has to do with third-party software installing extra crap without notifying the user. A Debian package or an RPM could easily install spyware or make unwanted changes without notifying the user -- the reason that I've never seen a package that does is because free software developers tend to have more respect for their users; it's more of a peer relationship than an adversarial one.