Morpheus Hijacks Browsers For Affiliate Links
An anonymous reader submits: "According to this news.com article, Morpheus (aka StreamCast) has begun silently installing a browser plugin on its users' machines that basically hijacks the web browser even when not running Morpheus. An afflicted browser will sense if a user is going to visit a shopping site like Yahoo! or Amazon, and secretly send them to a different site instead and then redirect them from this site to the user's intended destination. The user will not be aware that this is happening... however the site doing the redirecting will benefit because they are set up as an affiliate partner and will get a commission on the backs of the user. On a horrible scale of 1 - 10 for sleazy business practices, I rate this a 9.
Comments?"
Now that Morpheus is just a hacked-up (or down ;-) version of Gnucleus, there's really no point in using it anyway. I don't see what it provides that Gnucleus doesn't, other than annoyance.
Don't blame me, I get all my opinions from my Ouija board.
The truth of it is this could be seen as a virus. It is just a profitable one. They will get smacked on this one as soon as it comes out in the light of day.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
Man-in-the-middle attack is the only phrase that flashes across my mind... I have no way to check the identity of the "referer".
You can call me paranoid. Each time I need to buy stuff online using a credit card, I will reboot to a cleaner "environment" -- a clean copy of OpenBSD or something similar. God knows what the hell the various Windows plugins are doing.
An afflicted browser will sense if a user is going to visit a shopping site like Yahoo! or Amazon, and secretly send them to a different site instead and then redirect them from this site to the user's intended destination.
The final destination is more or less the same. The difference is the intermediary. Morpheus isn't stopping me from going to Amazon by instead redirecting me to Borders.com...They're just stealing referral dollars.
Honestly, though...I wonder how long it'll be before these online vendors lock out Morpheus' referral IDs, or even worse, deny the connections altogether (since the most recent source IP will be Morpheus' proxy, not your own).
And I assume that if there's a pre-existing Referral ID, Morpheus will strip it out and replace it with its own. Doesn't this constitute actual monetary theft?
"Mod, mod, mod...and another troll bites the dust."
These folks really must think that they own the user once the user buys their product, because even a "respectable" company like Intuit doesn't seem to have any problem with monkeying around with the private parts of the user's computer for their own purposes. Certainly those icons are paid placements.
Bruce
Bruce Perens.
This isn't that bad really for the user, Yahoo and Amazon will give a commission to somebody anyways.
WRONG!!!!! - What's happening here is when a user types in amazon.com, Morpheus redirects the request through their Amazon referrer page. Hence, Amazon is now paying out referrals that it otherwise would not have. Direct navigation does not incur referral fees, only referred navigation.
I'm out of my mind right now, but feel free to leave a message.....
If software which does this sort of sleazy tactic put as a clear, easily obvious disclaimer "You are indirectly paying for this by allowing us free rein over your PC", then I'd wager that about 5 people on the planet Earth would actually install it. Instead, however, companies that do this sort of tactic either sneak it in entirely unintended, or they hide the details 40,000 words deep into a EULA which they know that no one reads, all the while promoting their "free" software. Why stop at redirecting the browser though? I mean surely there's some worthwhile nuggets of information on that hard drive somewhere that could be sold to the highest bidder. All's fair in the land of free software, right? (Why say just free though? Using this "anything goes" justification, anyone who believes that they are providing a more valuable service than they are charging can go nuts)
This sort of activity is atrocious, and I don't see how these people aren't facing the same punishment as the Kevin Mitnicks and Melissa virus writers are. Without any doubt there is a serious need for either a technical solution (one could say that it exists by way of Java: sandbox every application to ensure it has no rights outside of its little world. The .NET Framework supposedly offers this but I wouldn't trust it until it's evaluated and proven) or a legal solution. It's obvious that a "Dirtier-than-thou" cat fight is taking place with every sleazy vendor out slimeballing the next.
I should get some mod points for that subject :-)
Seriously though, the article says it can only affect IE. This makes sense, given that it's easier to do sneaky things in the registry and elsewhere which, while invisible to the user, will cause drastically different behavior in parts of the operating system, like IE.
Aren't you glad you use Netscape? Don't you wish everyone else did?
(apologies to the old Dial ads)
There is no sig, there is only Zuul.
First, they took an open source app, Gnucleus, and repackaged it as their own, adding nothing while actually degrading the software by adding popup ads.
Second, they started banning from their chat room anyone who mentioned this fact and posted the URL to Gnucleus.
Now, they're installing scumware in order to control your browser for their own profit even while you're not using Morpheus.
Anyone left who still wants to argue with me about whether or not Music City is a company of degenerate sleazebags? Anyone who still disagrees with me that the proper course of action is to delete Morpheus and install Gnucleus immediately? (at least until something better comes along).
The article said that StreamCast will:
1. Redirect users to another site to collect usage statistics before sending them to the site they wanted to go to. This might be seen as invading people's privacy, but no personal data will be collected, merely usage statistics.
2. Put up a shopping section in Morpheus. That sounds perfectly legitimate to me.
3. Put referrals to online stores inside the browser window in some unspecified manner.
Please note that 1) and 3) are two separate points. They won't redirect you to another site when you're trying to go to Amazon.com, and then claim the referral bonus. The redirection is only for collecting usage statistics.
And the referrals inside the browser window have nothing to do with the redirection.
There's nothing in the article saying that StreamCast will hijack other people's referrals.
There's nothing in the article saying that StreamCast will pretend to refer people to sites (like Amazon.com) when they go there themselves.
Ah, but the point is that the Morpheus user isn't the customer. The Morpheus user is the product that is sold to these advertisers, the real customers. The Morpheus software is bait.
...that comes up all the time, particularly with regard to virii and warez. If you can't trust the software - don't install it. When you run any .exe in Windows, you accept that you do not know what it is going to do - at all! It may format your hard-drives, and mail all your porn to your mother.
So, if you don't want all the crap, don't use software you can't trust. How do you know if you can trust it? Well, you could audit the source code and compile it yourself. You could write the software yourself. Or you could get the software maker to sign into a legally binding contract which says that their software will not do anything but its primary intended use (for Morpheus, this would be stealing music), and that they must disclose everything that it's going to do to your computer. Fat chance of that.
What do I do? I run Linux. I only log in as an unprivileged user (I have access to my home directory, that's all.) All the software I install I only install into my home directory (again, as the unprivileged user.) I'm the sole user of my machine - I don't need to be putting it in /usr/local for others, so I never need to log in as anything but that unprivileged user.
The security then isn't perfect, but strangely enough, most open source projects don't include spyware/scumware of any sort. So I don't worry about it.
Running any privileged executable is the ultimate shrinkwrap EULA, saying, "I give you permission to do whatever you want to my computer." We'd all be a little better off if people were more paranoid about their computer - but if they don't mind untrusted software messing around, who am I to stop them? Maybe we'll get lucky, and the next version of Morpheus or Kazaa will automagically lock out any user that downloads it. That would provide a nice lesson. Would it be a virus? Well, you chose to download it and run it yourself. So, I say no.
What do you think?
Jake
Dating: while( 1 ){ call_girl(); get_rejected(); drink_40(); } return 0;
Well, maybe that's because they effectively do own the user? Operating systems are still designed around the idea that any application has all privileges the user running it has. This is a good idea if you have small tools -- e.g., cat may read all the files that I have read permission on. When you have larger applications, like a complete office suite, this solution is somewhat less good. Once the user installs software from the internet, this design is a fundamentally flawed one.
Users expect that e.g. on a UNIX system, cat will only read files, and therefore it is a perfect idea to let cat read all files that the user has read permission on. The user's perception will be "I may read this file," when technically it is actually "software I run may read this file."
As soon as the user installs software that does things they don't expect, because the software doesn't advertise all of its functionality, this model breaks. Most users won't even find out, and if they did, they'd probably ask "why is Morpheus allowed to do this?" The user will no longer have the perception that he is doing things, and will have to realize that actually it is the software doing things. The operating system however is still designed around the idea that everything the software does was intended by the user. (No, I don't have an idea for a better design.)