Slashdot Mirror
Morpheus Hijacks Browsers For Affiliate Links
An anonymous reader submits: "According to this news.com article, morpheus (aka streamcast) has begun silently installing a browser plugin on its users' machines that basically hijacks the web browser even when not running Morpheus. An afflicted browser will sense if a user is going to visit a shopping site like Yahoo! or Amazon, and secretly send them to a different site instead and then redirect them from this site to the user's intended destination. The user will not be aware that this is happening... however the site doing the redirecting will benefit because they are set up as an affiliate partner and will get a commission on the backs of the user. On a horrible scale of 1 - 10 for sleazy business practices, I rate this a 9.
Comments?"
So this is based on zero knowledge, but I would guess that that violates the terms of referership (is that a word), considering that fact that that "partner" did not actually refer you to the site.
/.
I think a list should be compiled and reported, I would guess that places like yahoo and amazon could file criminal, if not at least civil, suits against such cheaters. It wouldn't surprise me if they did too, just to make a point, and to try not to jade users to the system....
any thoughts? that's a dumb question this is
http://monkeyserver.com --- weeeeee
It's free software after all, how else are the developers supposed to make money? Not that I approve...
Of course, and I highly suspect it, I may be talking out of my ass. -oqti
Now that Morpheus is just a hacked-up (or down ;-) version of Gnucleus, there's really no point in using it anyway. I don't see what it provides that Gnucleus doesn't, other than annoyance.
Don't blame me, I get all my opinions from my Ouija board.
So Kazaa, the premeir FastTrack client, begun to bundle spyware.
Great, I can deal. I switch to Grokster.
Grokster begins to bundle spyware.
Fuck. Switch to Morpheus.
Morpheus bails from FastTrack, and switches to Gnutella.
Fuck again. Switch back to Grokster, use AdAware.
See that Morpheus, who explicitly claimed that it contained "No Spyware of Any Kind" engage in this type of practice?
I can only laugh at the pitiful wreck that the company/corporation-based P2P programs have become.
The truth of it is this could be seen as a virus. It is just a profitable one. They will get smacked on this one as soon as it comes out in the light of day.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Man-in-the-middle attack is the only phrase that flash across my mind... I have no way to check the identity of the "referer".
You can call me a paranoid. Each time when I need to buy stuff online using credit card. I will reboot to a cleaner "environment" -- a clean copy of OpenBSD or something similar. God knows who the hell the various windows plugins are doing..
An afflicted browser will sense if a user is going to visit a shopping site like Yahoo! or Amazon, and secretly send them to a different site instead and then redirect them from this site to the user's intended destination.
The final destination is more or less the same. The difference is the intermediary. Morpheus isn't stopping me from going to Amazon by instead redirecting me to Borders.com...They're just stealing referral dollars.
Honestly, though...I wonder how long it'll be before these online vendors lock out Morpheus' referral IDs, or even worse, deny the connections altogether (since the most recent source IP will be Morpheus' proxy, not your own).
And I assume that if there's a pre-existing Referral ID, Morpheus will strip it out and replace it with its own. Doesn't this constitute actual monetary theft?
"Mod, mod, mod...and another troll bites the dust."
This isn't that bad really for the user, Yahoo and Amazon will give a commision to somebody anyways. What really annoys me is that this hurts all the other websites in the world. If I give a legitimate referal from my site to Amazon, then I should get the commision, not Morpheus. If this becomes common practice, then it will effectively kill the way that business is done on the web, and in the process take out a ton of small websites that are struggling to stay alive out there.
These folks really must think that they own the user once the user buys their product, becuase even a "respectable" company like Intuit doesn't seem to have any problem with monkeying around with the private parts of the user's computer for their own purposes. Certainly those icons are paid placements.
Bruce
Bruce Perens.
If I were Amazon, I'd be going after both the affiliates and Morpheus - this sort of thing is called fraud...
-- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
That's not all. Try searching for "system.dat". That's the Windows System Registry. There, you can get names, passwords, Install codes, all kinds of neat stuff. Hit Gnutella or Morpheus. Do a regex to get the keys, etc.
That's scary.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
If I were a user of Morpheus I'd be looking at filing charges for cracking my computer and using it for unauthorized activities. Companies conducting business like this need to be naild HARD. Teach them a lesson and make an example of them.
And what about the programmers who wrote this 'feature'? Who are they? I wouldn't be opposed to blacklisting them, or at least smearing their names across the headlines. This is sleazy and unethical and shouldn't be tolerated by the rest of us 'respectible' programmers.
Brian
Remember Lexington Green!
Reminds me of a report about KaZaA around the middle of last year. The TopText 'spyware'added yellow links to some words in Internet Explorer. I never dealt with it first-hand, but it sounded very annoying.
Is Morpheus' latest effort at all related? It seems to be based around thr same idea, however the idea of being redirected sounds worse. For exanple, does it work that if you type say, http://www.google.com, you arrive at AltaVista?
What is it with crappy (ex)FastTrack networks and I-can-believe-it's-not-trojan software?
I think the point is that the intent of the promo copy was not distribution. You can say its in the spirit all you want, but it wasn't meant for distribution. Period.
I don't think its fair the way artists get ripped off by the "value chain" involved in getting music to consumers. However I do think it is their artistic content and they should have the right to determine who can hear it and who can't. That's why they sign contracts. Sure they get ripped off, but that's the way the system is set up.
You want to change it? Me too.
I don't think "screwing the man" helps change anything. All you get is "the man" trying to screw you back. Everyone enjoying all those encrypted CDs that don't play on computers? Leave that crappy system alone. Show your support of artists that use alternate distribution channels, download and share free music all you want. Make the distributor feel the pinch by helping their competition. P2P is not their competition, its their enemy. There's a difference.
So check out the artists that provide their music for free. Some artist release their music for use on these P2P networks, and they should be supported. But in the end, it is their choice.
Dave Matthews (for example) released the first single of an album on Napster, essentially saying "Here is a song, enjoy. If you like it, check out the rest of the album." He didn't say "Here is a song, steal the rest if you like it."
It should be up to the artist to determine what happens to their creation. Support the artists that choose the other way and you might start to see changes.
Stealing won't do much other than break the law. And warp your morals to that of a lowly slug. But that's a story for another day!
If software which does this sort of sleezy tactic put as a clear, easily obvious disclaimer "You are indirectly paying for this by allowing us free reign over your PC", then I'd wager that about 5 people on the planet Earth would actually install it. Instead, however, companies that do this sort of tactic either sneak it in entirely unintended, or they hide the details 40,000 words deep into a EULA which they know that no one reads, all the while promoting their "free" software. Why stop at redirecting the browser though? I mean surely there's some worthwhile nuggets of information on that harddrive somewhere that could be sold to the highest bidder. All's fair in the land of free software, right? (Why say just free though? Using this "anything goes" justification, anyone who believes that they are providing a more valuable service than they are charging can go nuts)
.NET Framework supposedly offers this but I wouldn't trust it until its evaluated and proven) or a legal solution. It's obvious that a "Dirtier-than-thou" cat fight is taking place with every sleezy vendor out slimeballing the next.
This sort of activity is atrocious, and I don't see how these people aren't facing the same punishment as the Kevin Mitnicks and Melissa virus writers are. Without any doubt there is a serious need for either a technical solution (one could say that it exists by way of Java : Sandbox every application to ensure it has no rights outside of its little world. The
What's worse is that it had somehow also managed to make it impossible to change his homepage from within IE (the fields were grayed out.) After a quick registry hack he was porn free
Anyway, as long as there's a way for people to make money off the swiss cheese that passes for software security, they're going to do it. The sad thing is most people don't know how to stop these things. The sadder thing is that most people don't remember a time when the internet wasn't about making money (when people were boycotting web sites with banner ads) and don't think there's much wrong with these tactics.
I should get some mod points for that subject :-)
Seriously though, the article says it can only affect IE. This makes sense, given that it's easier to do sneaky things in the registy and elsewhere which, while invisible to the user, will cause drastically different behavior in parts of the operating system, like IE.
Aren't you glad you use Netscape? Don't you wish everyone else did?
(apologies to the old Dial ads)
There is no sig, there is only Zuul.
First, they took an open source app, Gnucleus, and repackaged it as their own, adding nothing while actually degrading the software by adding popup ads.
Second, they started banning from their chat room anyone who mentioned this fact and posted the url to Gnucleus.
Now, they're installing scumware in order to control your browser for their own profit even while you're not using Morpheus.
Anyone left who still wants to argue with me about whether or not Music City is a company of degenerate sleazebags? Anyone who still disagrees with me that the proper course of action is to delete Morpheus and install Gnucleus immediately? (at least until something better comes along).
This is like spammers embedding banner images in their spam and getting paid every time someone opens the email just because the banner was loaded. It's just running the meter and the entity being screwed is the website that is paying them a referral fee.
The article, in one part, reads: "Griffin said the technology is simply taking the old affiliate referral program to a new level. Most of the referrals will happen inside the Morpheus application itself after the new version is launched with a commerce section, he said."
Yeah, right. Most of the referrals will clearly be a result of their sneaky browser add-ons, not because anyone really pays attention to the commerce section of a P2P client. Heck, P2P users generally get as much as they can for FREE--not exactly the target market of much of anyone.
Limewire is good. But don't download its Windows installer- that has spyware in it! Instead: install a JVM on your computer, then go to Limewire's page for alternate OS downloads, select "other" as your operating system, and run it using the JVM, without all the crap they bundle in. Most spyware is Windows-specific.
Yeah, it's a shame that P2P only became popular recently, in the age of the MP3. If it had been invented 10-20 years earlier, with RFCs, and had the stature of, say, FTP, people would be thinking of it as a fundamental part of the Internet. Instead we have this horrible situation, where anyone who uses a P2P client is presumed to be a freeloader or a criminal. P2P deserves better than a bunch of spyware-loaded clients that block each other's users from their own networks.
This like you asking a guy for directions to the "Stop and Rob", but he gives you directions to his brothers store, "Grab and Run". His brother lets him live in the basement of his house, because he sends lots of business to the "Grab and Run".
You wanted to get some YooHoo but the "Grab and Run" doesn't have any, and you were going to shoplift it anyhow.
Doubly pissed, you report the "Grab and Run" to the authorities (you saw a rack of VCRs in the back room, making copies of Asian snuff films.) The cops come and arrest the owner and throw his ass in jail.
After looking up the address of the "Stop and Rob", you head over there. The brother of the now jailed owner sees you, beats you to the ground, and takes your wallet. In your wallet is an I.O.U. from your boss to an employee that works in the same row of cubes as you. Your wallet is gone, and so is your mugger, so you get up and run over to the "Stop and Rob".
You ask to use the phone, and while the clerk is hitting on some drunk chick with a feather boa, you steal your bottle of YooHoo.
And you have installed Morphous on your net-unaware computer? :)
Wow, I should not post when knackered.
The article said that StreamCast will:
1. Redirect users to another site to collect usage statistics before sending them to the site they wanted to go to. This might be seen as invading people's privacy, but no personal data will be collected, merely usage statistics.
2. Put up a shopping section in Morpheus. That sounds perfectly legitimate to me.
3. Put referrals to online stores inside the browser window in some unspecified manner.
Please note that 1) and 3) are two separate points. They won't redirect you to another site when you're trying to go to Amazon.com, and then claim the referral bonus. The redirection is only for collecting usage statistics.
And the referrals inside the browser window have nothing to do with the redirection.
There's nothing in the article saying that StreamCast will hijack other people's referrals.
There's nothing in the article saying that StreamCast will pretend to refer people to sites (like Amazon.com) when they go there themselves.
"Shopping sites in general, as well as many other public sites that depend on referral revenue to operate will lose money as a result of this,"
What utter nonsense. A business is supposed to make money by selling a legitimate product or service. If a significant portion of your revenue comes from "referrals" and not from the sale of a legitimate product or service, then you deserve to go out of business.
kchhrr.
Ah, but the point is that the Morpheus user isn't the customer. The Morpheus user is the product that is sold to these advertisers, the real customers. The Morpheus software is bait.
...that comes up all the time, particularly with reguard to virii and warez. If you can't trust the software - don't install it. When you run any .exe in Windows, you accept that you do not know that it is going to do - at all! It may format your hard-drives, and mail all your porn to your mother.
/usr/local for others, so I never need to log in as anything but that unpriviledged user.
So, if you don't want all the crap, don't use software you can't trust. How do you know if you can trust it? Well, you could audit the source code and compile it yourself. You could write the software yourself. Or you could get the software maker to sign into a legally binding contract which says that their software will not do anything but its primary intended use (for Morpheus, this would be stealing music), and that they must disclose everything that it's going to do to your computer. Fat chance of that.
What do I do? I run Linux. I only login as a unpriviledged user (I have access to my home directory, that's all.) All the software I install I only install into my home directory (again, as the unpriviledge user.) I'm the sole user of my machine - I don't need to be putting it in
The security then isn't perfect, but strangely enough, most open source projects don't include spyware/scumware of any sort. So I don't worry about it.
Running any priviledged executable is the ultimate shrinkwrap EULA, saying, "I give you permission to do what ever you want to my computer." We'd all be a little better off if people were more paranoid about their computer - but if they don't mind untrusted software messing around, who am I to stop them? Maybe we'll get lucky, and the next version of Morpheus or Kazaa will automagically lock out any user that downloads it. That would provide a nice lesson. Would it be a virus? Well, you chose to download it and run it yourself. So, I say no.
What do you think?
Jake
Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
I have played with a couple of them.
Limewire has spyware/adware hardwired into the program, at least in the Windows version. Re-apearing Reqistry keys shows this.
Seems to be possible to run BearShare without all the snooping. But 3rd party crap is included and you must be careful not to get it installed..
A bit offtopic but still on the subject of spy/adware.
Now even my Logitech comes with a lot of crap that when you try to install their drivers, you have to read carefully right to the end what the diaglog boxes says and even after avoiding all their "helpful" programs there seems to be one or two programs running in the background that you can remove without it having any impact on the functions of the mouse like the webwheel etc. witch by the way will have a date with my packet sniffer one day, I'd be surpriced if they didn't do some monitoring.
That Logitech was really too much, they REALLY tried to shove a lot of junk down your throat. Which made med loose the last ounce of respect for the company. I am a user who knows what to look out for, but I'll bet that 99% of the mouse buyers just answers yes to it all.
PS. EMI report today that due to falling profits, they're laying off 1800 people. That's eighteen hundred people who have lost their jobs, because of shit like Morpheus allowing easy piracy..
Right. Either that, or the fact that the economy is in the toilet and people aren't buying CDs. We're not really sure which. Let's allow the media empires to make some broad-reaching laws that limit consumer control just in case that's what the cause is.
First, using anyone's work without compensating them in the manner they dictate is immoral and illegal. Software, music, art, etc. PAY FOR THE MUSIC YOU LISTEN TO. Hopefully, pay the artist directly. If necessary, pay thier broker or distributor. But pay, or don't use the work.
Second, listening to music doesn't cost anyone anything. It just doesn't provide the revenue expected. If I just didn't listen to music, would that be costing those people jobs? I can't be held accountable for the effects of NOT buying something, can I?
If EMI cared about those 1800 people, they would take a 10% salary reduction across the executive level. I doubt they did. In reality, I assume the market is slower, technology is better and LESS PEOPLE ARE REQUIRED to do the same job than last year. If you don't need personnel, you let them go.
A web browser or an ftp client allow you to steal music and porn. Blank paper and a pen allows you to steal sheet music, books etc.
There is nothing illegal or wrong about p2p software, it's just another way of transferring information.
graspee
There's a difference, though.
In Intuit's case, they're trying to be helpful with targetted ads ("If you need a tax program, maybe you need a bank -- try this one") and they're obviously being open about it. Shortcuts on the desktop do not bug me. Highlight - click - drag - delete. (And ideally, this should be lowering the price of the software... fine by me.)
What does bug me is when a program silently installs something named 'cdload.exe' or some other important driver-sounding thing in the background which randomly pops up IE windows every 30 minutes or so, and really confuses the heck out of me (especially when I didn't have IE running in the first place!).
To me, "monkeying around with the computer" really means surreptitiously installing boot-time-start daemons which consume resources and spy/spam/etc actively, not just throw a few links around....
That's the difference between scumware and just selling "sponsored links".
Well, maybe that's because they effectively do own the user? Operating systems are still designed around the idea that any application has all priviledges the user running it has. This is a good idea if you have small tools -- e.g., cat may read all the files that I have read permission on. When you have larger applications, like a complete office suite, this solution is somewhat less good. Once the user installs software from the internet, this design is a fundamentally flawed one.
Users expect that e.g. on a UNIX system, cat will only read files, and therefore it is a perfect idea to let cat read all files that the user has read permission on. The user's perception will be "I may read this file," when technically it is actually "software I run may read this file."
As soon as the user installs software that does things they don't expect, because the software doesn't advertise all of its functionality, this model breaks. Most users won't even find out, and if they did, they'd probably ask "why is Morpheus allowed to do this?" The user will no longer have the perception that he is doing things, and will have to realize that actually it is the software doing things. The operating system however is still designed around the idea that everything the sofware does was intended by the user. (No, I don't have an idea for a better design.)
Sig (appended to the end of comments I post, 54 chars)
If it looks like c|net is taking a stand in this article, perhaps it's because c|net's reporters will lose their jobs if c|net can't generate income through affiliate links. Note that many of the banner and button ads you see on c|net and other web sites (probably including Slashdot) are actually affiliate links -- the site is not getting paid unless sales are generated and tracked to the content site.
When Morpheus or any other app checks the URLs and replaces other affiliate codes with its own, Morpheus is trying to take revenue from someone else, without providing any benefit to the consumer or anyone else.
The good news is that most affiliate managers refuse to pay commissions to any "affiliate" who uses "predatory methods" like this. The affiliate managers realize that smart affiliate sites won't do business with any merchant who pays the "hijackers" in this situation.
The bad news is that if the hijacker replaces the affiliate link, even if the hijacker does not get paid, there is no way for the sale to be credited to the "real" affiliate. The hijacker is also likely to mis-manage the multiple redirects that often happen when a link passes through two or more ad servers (common with affiliate links that look just like paid banner or button advertising).
In the end, if these predatory software tools become more pervasive, content providers will lose all incentive to provide "free" content on the internet.
This issue is not unique to "predatory browser add-ins." Other content providers are threatened with loss of "the benefit of their bargain" in other ways. For example, that the TV networks have battled hard to discourage marketing of TiVo and ReplayTV as "commercial skippers" because if too many people find ways to skip TV commercials, then the advertisers won't pay the rates, and the networks eventually won't be able to spend $10 million on the next episode of "E.R."
Maybe, in the end, we just won't have advertising-supported content like we do now. Certainly, the current revenue model isn't working to pay the salaries of content producers: even with intrusive pop-up and pop-under advertising, and rows of banners and buttons, big content sites often earn net rates of a few pennies per thousand visitors, and some earn only a few mils (tenths of a cent) per thousand visitors. Those earnings might be enough to cover the server and bandwidth costs, but not to pay a single part-time reporter's salary.
So maybe in the end, the only free content will be sponsored directly by big corporations, who have good reason to pay to control the content and viewpoints of the news we read.
Or maybe some of us will break down and start paying for web content, if only someone would come up with some workable mechanism to allow micropayments (payments of a few mils or a penny to view a web site for a day, or to read an article).
-- http://www.MarkWelch.com/ Pleasanton California
10: fucking over billions of people (living and yet to be born) by sacrificing their only habitat for short term financial gain
...
9: torturing people and supporting psychotic murdering tyrants
much, much lower: some scum suckers leaching a few dollars with a Trojan horse