Slashdot Mirror


An interview with Ad-Aware's Nicholas Stark

Andrew Leonard writes: "In the wake of the Ad-Aware/RadLight spyware vs. anti-spyware showdown, Salon has an interview with Ad-Aware's Nicholas Stark, who explains in no uncertain terms Lavasoft's determination to match every move by the spyware developers."

17 of 198 comments

  1. Software licenses by vespazzari · · Score: 2, Interesting

    I think that it is almost impossible to read, much less understand, the license agreements that are bound to almost all software. I would be very interested to see a licensing agreement go to court... The way I understand it both parties of a legally binding contract must understand the contract in order for it to be valid, sooo it would be my guess that most of these agreements/contracts would be invalid due to the fact that most people are not lawyers and would not be able to understand the agreement even if they did read it.

    --
    "Alcohol, cause of, and solution to, all of life's problems" -Homer Simpson
    1. Re:Software licenses by cdf12345 · · Score: 3, Interesting

      In order for a contract to be valid there must be:

      1.) a valid offer
      a. must be serious
      b. must be specific

      2.) A valid acceptance
      3.) exchange of consideration

      As far as I'm concerned, not telling someone that the contract allows them to delete information on your computer, that's not very specific.

      As for taking this to court, a remedy would probably be for damages or rescission (null) of the contract.

      All we need now is someone pissed enough to take this damn company to court.

      --
      Chicago2600.net more than a lifestyle, its a survival trait.
  2. What about aborted installations? by robolemon · · Score: 2, Interesting
    Another question to consider is whether the RadLight installation program removes Ad-Aware if you cancel the installation before it is completed. I'm not sure about the specifics, but I don't think a license counts if you never fully install the software onto your computer.

    I'm pretty sure we can assume that aborting the installation does not restore Ad-Aware. To me, this seems like even more compelling evidence that RadLight's activities are illegal.

    --

    I design user interfaces for a free network management application,

  3. words to live by by CmdrTaco+(editor) · · Score: 3, Interesting
    When asked if he had a specific plan to recommend to developers of spyware programs, Nicholas Stark of Lavasoft said:
    "A specific plan? No. However we do have some pertinent advice. Lavasoft began as nothing more than a dream. With hard work and a specific plan for the future, we have been able to achieve the success we now enjoy. We feel that the ad-sponsored model is nothing more than a quick fix. What we would say is that developers need to find a community willing to support their efforts and help them to grow in their art and to learn from experience."
    Sounds like someone the open source community could really rally behind.
  4. spyware as sources of revenue by jred · · Score: 2, Interesting

    In the article, they ask about removal of spyware removing revenue for the producers of the free software. I didn't think the ad-aware guy answered that very well. I would have pointed out that ultimately, the customer (user of free software) decides what it's worth to use their software. Most will look at ads. Heck, most will tolerate pop-ups. What they tolerate is anti-ad-aware software. I never heard of RadLight until this came up. Free publicity, yes, but you can be sure no one that I know ever uses any of their products. There's a line & they crossed it. Not all free publicity is good, regardless of what they say.

    --

    jred
    I'm not a mechanic but I play one in my garage...
  5. Pot. Kettle. Black. by TrinSF · · Score: 5, Interesting

    Well, except that's *not* what Ad-Aware and similar products do. They *don't* make a clear connection between uninstalling 'spyware' and decreasing functionality of a program.

    I've worked personally on both sides of this fence, with one of the companies named in the interview. I can't tell you how many times I had email exchanges with users that ran like this:

    USER: Suddenly my version of [Product] won't work! I get a message it's missing [filename]; what happened?

    RESPONSE: You may have installed a program that "removes spyware" that has removed that program element. Programs like that are designed to remove advertising software from your computer. You're welcome to do that, but if you don't want to see ads, the free version of [Product] is not for you. You should try [Pay Version of Product] or some other product that is not ad sponsored.

    USER: But I don't understand! The program said it would get rid of evil viruses and bad programs! It didn't say it would remove parts of the programs I use. Why doesn't it say your programs might not work any more?

    RESPONSE: We suggest writing to the support address of the "spyware removal" program with your concern. Maybe they will change their documentation to make that more clear.

    I myself was *personally* responsible for making sure that software that included ad components had clear, readable EULAs. The software had to all but slap the user in the face with the information -- it had a first line that said, in all caps, that the program was AD SUPPORTED and would DISPLAY ADS. It urged, in all caps, that users *read* before they agreed. I fought with developers who wanted to make the EULA less visible, to ensure that it couldn't be dragged off the desktop or otherwise avoided.

    The bottom line is that it didn't matter. I could explain to a user in simple plain language what was going on, and the user would still *ignore* the whole text.

    I've become increasingly frustrated by the topic of late. From what I can tell, there are people who feel justified in robbing others of income by repackaging software to remove advertising components. For almost all advertising supported software I'm aware of, an ad-free version is offered for a cost. If you don't want ads, or don't want "spyware", pay for the software. It's that simple. But to actively take income from people simply because you don't approve of their business model is heinous.

    Actually, now that I think about it, this is not the first instance of this sort of activity. I remember a developer with a popular product which was ad-supported that used to check for ad-removal programs and bring up a popup window that said something like:

    "[Anti-adware program] has been found on your system. It may remove files that this software needs. Do you want to remove [Anti-adware program]?"

    A pretty nice bit of turnaround, I always thought.

  6. Re:having read the article.. by ewen · · Score: 2, Interesting
    I'm still curious as to how he's going to change Ad-Aware to prevent it being uninstalled by this other program. Does anybody know?

    This calls to mind the old story of Robin Hood and Friar Tuck. Essentially instead of having one program that can be killed off/removed, you have two programs each keeping an eye on the other, and starting/reinstalling the other as required.

    As someone commented in the last thread on this topic, this all rather reminds me of Core Wars, played out at large. We just need a better way of keeping score...

    Ewen

  7. This problem can be solved by... by bluelarva · · Score: 3, Interesting

    Regarding the problem of spyware uninstalling another program, perhaps it is a technical problem for which there is a solution. Not an easy one, but a system can be made to prevent such a thing.

    1. First, software installation should be passive. On Windows (as well as other OSes), you download some binary executable and run it. This foreign binary essentially has free rein over your system. Instead it should be a compressed package file with instructions embedded in it that describe what and where the package manifest should be installed. This package should be signed by the originator so that the package is tamper resistant and has some privilege to modify packages that originated from the same source. This way the OS and user are in control rather than an untrusted binary running amok on your system.

    2. This is more difficult one to implement. I think application should have some levels of access on your system and they should be disabled by default. For example, multimedia player should not be allowed to delete files or initiate outgoing network connection. Even file read can be made more granular by restricting the file mime type that an application can read. Multimedia player has no business reading any other files than ones that it knows what to do with. This sort of sandbox could make it harder for application from whacking competitor's application.

    Ultimately, implicit trust should be abandoned, and implementing mandatory security may be the solution. Unfortunately this is not something that can be easily added; rather, it must be designed into the underlying system itself.

    Disclosure: I'm writing this at 6:00am after staying up all night writing code so I'm sure a lot of loopy ideas are leaking from my brain at the moment. This may be one of them. Then again even a broken clock tells right time twice a day. ;)
    ---
    jk
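The passive, signed-package install proposed in the comment above, sketched as an added example (not code from the thread or from any real installer). The publisher names, keys, paths and ownership table are constructed, and HMAC stands in for a real publisher signature.

```python
import hashlib
import hmac
import json
import posixpath

# Constructed demo keys. HMAC is a stand-in: a real installer would verify an
# asymmetric signature against a trusted publisher certificate.
PUBLISHER_KEYS = {"playerco": b"demo-key-player", "scannerco": b"demo-key-scanner"}
INSTALL_ROOT = "/apps"

class Rejected(Exception):
    """The installer refuses the package; no operation is applied."""

def sign(manifest, key):
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def plan_install(package, owners):
    # owners maps installed paths to the publisher that installed them.
    manifest = package["manifest"]
    publisher = manifest["publisher"]
    key = PUBLISHER_KEYS.get(publisher)
    if key is None or not hmac.compare_digest(sign(manifest, key), package["signature"]):
        raise Rejected("bad or unknown signature")
    plan = []
    for op in manifest["ops"]:
        if op["op"] not in ("write", "delete"):
            raise Rejected(f"unsupported operation {op['op']!r}")
        path = posixpath.normpath(posixpath.join(INSTALL_ROOT, op["path"]))
        if not path.startswith(INSTALL_ROOT + "/"):
            raise Rejected(f"{op['path']} escapes the install root")
        owner = owners.get(path)
        if owner is not None and owner != publisher:
            raise Rejected(f"{path} belongs to {owner}, not {publisher}")
        if op["op"] == "delete" and owner is None:
            raise Rejected(f"{path} is not an installed file")
        plan.append((op["op"], path))
    return plan

def allowed(package, owners):
    try:
        plan_install(package, owners)
        return True
    except Rejected:
        return False

def make_package(publisher, ops):
    manifest = {"publisher": publisher, "ops": ops}
    return {"manifest": manifest, "signature": sign(manifest, PUBLISHER_KEYS[publisher])}

# Constructed state: a scanner from another publisher is already installed.
OWNERS = {"/apps/scanner/scan.exe": "scannerco", "/apps/player/old.dll": "playerco"}
GOOD = make_package("playerco", [{"op": "write", "path": "player/player.exe"},
                                 {"op": "delete", "path": "player/old.dll"}])
HOSTILE = make_package("playerco", [{"op": "write", "path": "player/player.exe"},
                                    {"op": "delete", "path": "scanner/scan.exe"}])

if __name__ == "__main__":
    print(plan_install(GOOD, OWNERS), allowed(HOSTILE, OWNERS))
```

Because the package is data interpreted by the OS installer rather than a program, the request to delete another publisher's file is refused before anything is written.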

  8. boot disk ad-aware needed by Barbarian · · Score: 3, Interesting

    I think that as more spyware programs take tactics like that bundled with Radlight, a boot-disk image version of Ad-Aware is going to be needed for it to run properly, just like Virus scanners allow you to create a rescue disk. Eventually spyware programs are going to kill the ad-aware process as it starts. A boot disk version would allow you to run Ad-Aware (or similar) without interference from the spyware.

  9. Seriously scary by nyjx · · Score: 2, Interesting
    This issue raises the very scary possibility of people regularly writing software which deliberately changes your system configuration when they are installed - and under guise of their user agreement. Basically this is viral behaviour.

    If Ad-Aware retaliates it will have to try and protect itself from the uninstaller - how will it do that - clearly changes at the level of the user agreement are more or less useless (what user is going to know or care that they have two conflicting user agreements in use...). So it'll be at the code level - what kind of a software war could that set off? Couple that with software that regularly uploads patches and updates (to protect against the latest rival software...).

    Personally I'd rather refrain from having my desktop turned into a competitive software eco-system!

    --
    .sig
  10. virii by Mr+Coward · · Score: 1, Interesting

    so if i put a license agreement on a virus, it's legal :?

  11. Adaware, while good, is similar to Radlight by dirk · · Score: 3, Interesting

    I see lots of people talking about how Radlight doesn't inform the user (except in the EULA) that it will remove Adaware. The common argument is that no one reads the EULA and it's not clear what is going on, because the EULA is confusing. Is this much different than what Adaware does? It just gives me a list of files it thinks are "offending" and asks if I want to remove them. It doesn't tell me what they are (outside of a name of the "spyware"), what they do, or any consequences of removing them. If I run Adaware and remove Cydoor, it doesn't give me any indication that it will stop Kazaa from working, and the average person has no idea that would be a consequence. Putting the notice in the EULA is not a good tactic as it somewhat obfuscates what is going on, but is Adaware not telling you the consequences of uninstalling the "spyware" (most of which isn't spyware, it's just software that shows ads) that much better?

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
  12. Re:having read the article.. by Anonymous Coward · · Score: 1, Interesting

    There are quite a few ways - from passive ones making the detection very problematic (remember self-mutating virii when there were real virus writers and not only silly worm bozos?) to active monitoring for accessing their files in a way the virus scanners do. BTW, anyone noticed the radlight admin's nick "davenger". Guess what? - Dark Avenger was a Bulgarian virus writer who created a quite clever mutation engine.

    The real name of RadScorpion seems to be Igor Janos. Any Slovak student here knowing Igor Janos? :-)

    I am posting anonymously as I am a Slovak, probably live in the same town as he does and he can track me based on my user info - I don't quite want to get his attention :-)

  13. One thing we forget by rickthewizkid · · Score: 4, Interesting

    The problem I see is that you are not TOLD about the advertising software upon installation of certain software. I'm sure there are a few people who are willing to put up with some ads, or donate a few CPU cycles, in exchange for something free, but, I am not. However, I was not told about that fact and allowed to make my decision based on the fact that program XXX would also covertly install advertising and distributed computing apps as well.

    In short, it's MY computer, _I_ should be the one who decides what is on it. Not only for my own desires, but also to be polite to other people on the 'net. What if one of these spyware programs were to catch (or come with) a virus? My computer would (without my knowledge) spread this virus to other people....

    Of course, I run Linux anyway so this does not *really* apply to me. That is, until some large corporation buys the rights to Linux and starts releasing an adware-enabled version...

    Bringing up eth0 [OK]
    Downloading new artwork and features [OK]
    Installing new ads [OK]

    Oh the horror... :)

    Excuse the brain wanderings, I've been up all night coding... :)

    -RickTheSleepyWizKid

  14. Cydoor by Anonymous Coward · · Score: 2, Interesting
    Many of these bundled "ad systems" are poorly written.
    YES

    I was writing a piece of software for which Cydoor was being considered as a revenue stream, so we downloaded the SDK to give it all a go.

    1) The network then got hit by the Snowwhite and the seven dwarfs virus (this is primarily an email virus, but when it runs it copies itself into every zip on your computer), I thought it came from the Cydoor SDK zip as that was the first zip file that we noticed it in and nobody here is dumb enough to run executables attached to email (especially dodgy porn sounding ones). Of course I never knew as the virus might have run and copied itself in there before we noticed.

    On a later date, after the SDK had been deleted (as you may have guessed, we didn't go with Cydoor), we downloaded the SDK again for some reason. Anyway, the virus was indeed in there. They may have gotten the virus the same way we did, but considering they never even noticed they had a virus (it's not hard to notice, even without antivirus software - it adds another file into all of your zips!) it wouldn't surprise me at all if their staff were so clued up that they routinely run outlook and click on dodgy executables mailed to them by strangers.

    2) One of my pet peeves is software that modifies your system unnecessarily, I believe this to be a major reason why windows has a half life (notice how virgin installs never crash, but after a year or two are crashing many times a day). It also has other ramifications, for instance you can't run the software over a network (because all the bits it installed into the system it was installed on aren't on the computer you want to run the program on).

    The Cydoor SDK has its own install and as a Cydoor customer, you aren't to change it - you just run it during the course of your own install. As you have no doubt guessed if you've read this far, the Cydoor install modifies the system.

    I wouldn't have been quite so annoyed at this if it wasn't for two things:
    Given what Cydoor does, there is no need to modify the system upon program install, in fact it appears that the Cydoor files as they are currently written can be bundled with your application in your application's program directory and still figure everything out and function fine. I did not test this thoroughly tho as you have to use their install anyway - however even if there are problems doing that, none will be hard for Cydoor to fix (just to head off any replies, the benefits of an application playing nicely with your system are going to far outweigh saving 200K on a 40gig drive, and a few more K in the swap file).

    It turns my program (sure I'm just somebody's code monkey and it's not really my program, but I do have some professional dignity) from something clean into a program that shits all over your system and then breaks when run over a network. Sentimental and pedantic maybe, but it is completely unnecessary for Cydoor to require me to do that.


    Anyway, having just said how poorly I think they do things, I at least owe it to them to mention that their SDK was actually very nice, and (not counting the install) it was a breeze to integrate their stuff nicely into the program. IIRC they also give you many ways of doing so, allowing you to choose the most appropriate.
  15. Re:Radsoft by _Sprocket_ · · Score: 3, Interesting


    Radsoft actively chose to bundle in a piece of spyware, the kind which Ad-Aware's sole purpose is to destroy. So how are the two unrelated? This has less to do with functionality and more to do with the politics of software distribution.


    I suppose the issue is what one considers "related". The quote from the Lavasoft developer referring to whether one package should remove "unrelated" software is likely to be a technical reference. And technically, Ad-Aware and Radsoft's offering ARE unrelated. But you are very correct in the link politically.


    But that's a problem. Just because one has a political dislike for a piece of software, it does not mean one should use one's software as a platform to remove the offending application. We don't have Mozilla removing Internet Explorer (whether that be possible or not)... just to pick an example out of thin air.


    One other comment - sure, Radsoft chose to bundle a piece of spyware with their application. But that bundling and installation is often hidden from the user. Even worse, removal of that software is often difficult. Yet the system still belongs to the user. Ad-Aware gives the user the ability to identify and remove undesired software despite spyware's attempt to resist identification and removal.


    If Radsoft wishes to ensure all software bundled with their package remains installed, then they should take steps to check that said software has not been removed. Even better yet, perhaps they should level with their users and alert them as to what is being installed and why. They certainly shouldn't be removing software that has not been included with their package.

  16. Bitten by Ad-Aware, start the cold war. by krcroft · · Score: 4, Interesting
    My software, Radiate, generated a false-positive in Ad-Aware because my executable filename ( Radiate.exe ) matched that of a scumware company Aureate Media's.

    As a freeware developer, I now have to invest extra time to get the latest list of targeted filenames by Ad-Aware and similar software.

    Ad-Aware is simple-ware with a noble cause - I can't fault it for that. Perhaps it needs to do more fuzzy searches, such as "expected registry keys", "expected support files", "exe file size greater than 2mb (to catch patched exes)" to ensure a positive match, and report the results "98% chance it's a positive match.".

    Where is this cold war taking us?

    Morph-ware: The ability to change the signature of your software dynamically - filesizes, filenames, icon pixel color variations, title bar text manipulation, and randomizing the internal exe identifiers for windows.
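The multi-indicator matching suggested in the comment above (expected registry keys, expected support files, executable size, a reported percentage), as an added example that is not Ad-Aware's code. The weights, thresholds, signature name, registry keys and file names are all constructed; only the Radiate.exe filename and the 2 MB size idea come from the comment.

```python
from dataclasses import dataclass

# Hypothetical weights in percent; a filename match alone is weak evidence.
WEIGHTS = {"exe_name": 20, "registry": 35, "support": 35, "size": 10}

@dataclass(frozen=True)
class Signature:
    name: str
    exe_name: str
    registry_keys: frozenset
    support_files: frozenset
    min_exe_bytes: int  # size indicator, e.g. the 2 MB threshold from the comment

@dataclass(frozen=True)
class Observed:
    exe_name: str
    exe_bytes: int
    registry_keys: frozenset
    files: frozenset

def _share(expected, found, weight):
    # Weight scaled by the fraction of expected indicators present (case-insensitive).
    expected = {e.lower() for e in expected}
    found = {f.lower() for f in found}
    return weight * len(expected & found) // len(expected) if expected else 0

def confidence(sig, obs):
    # 0-100 score; 0 when the executable name does not match at all.
    if obs.exe_name.lower() != sig.exe_name.lower():
        return 0
    total = WEIGHTS["exe_name"]
    total += _share(sig.registry_keys, obs.registry_keys, WEIGHTS["registry"])
    total += _share(sig.support_files, obs.files, WEIGHTS["support"])
    if obs.exe_bytes >= sig.min_exe_bytes:
        total += WEIGHTS["size"]
    return total

def verdict(sig, obs):
    pct = confidence(sig, obs)
    if pct == 0:
        return "no match"
    if pct >= 80:
        return f"{pct}% chance of {sig.name}: offer removal"
    if pct >= 40:
        return f"{pct}% chance of {sig.name}: ask the user to review"
    return f"{pct}%: filename collision only, leave installed"

# Constructed sample data: the signature's keys and files are invented.
SIG = Signature("ExampleAdware", "Radiate.exe",
                frozenset({r"HKLM\Software\ExampleAdware", r"HKCU\Software\ExampleAdware"}),
                frozenset({"exadvert.dll", "exads.dat"}), 2 * 1024 * 1024)
FREEWARE = Observed("radiate.exe", 300_000, frozenset(), frozenset({"readme.txt"}))
BUNDLED = Observed("RADIATE.EXE", 3_000_000,
                   frozenset({r"hklm\software\exampleadware", r"HKCU\Software\ExampleAdware"}),
                   frozenset({"EXADVERT.DLL", "exads.dat"}))

if __name__ == "__main__":
    for obs in (FREEWARE, BUNDLED):
        print(verdict(SIG, obs))
```

The freeware executable that shares only the filename scores 20 and is left installed, while the host with the corroborating keys and files scores 100.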