Slashdot Mirror
An interview with Ad-Aware's Nicholas Stark
Andrew Leonard writes: "In the wake of the Ad-Aware/RadLight spyware vs. anti-spyware showdown, Salon has an interview with Ad-Aware's Nicholas Stark, who explains in no uncertain terms Lavasoft's determination to match every move by the spyware developers."
I think that it is almost impossible to read much less understand the license agreements that are bound to almost all software. I would be vey interested to see a licensing agreement go to court... The way I understand it both parties of a legally binding contract must understand the contract in order for it to be valid, sooo it would be my guess that most of these agreements/contracts would be invalid due to the fact that most people are not lawers and would not be able to understand the agreement even if they did read it.
"Alcohol, cause of, and solution to, all of life's problems" -Homer Simpson
I do not believe that it is legal to bind the usage of their software to the removal of an unrelated product.
But how is it an unrelated product? Ad-Aware goes out and specifically prevents programs like those put out by Radsoft from working properly. While I agree it isn't right that Ad-Aware is removed from the user's program without due warning, it is far from unrelated.
"You are not allowed to use any third party program (e.g. Ad-Aware) to uninstall applications bundled with RadLight."
As far as I know a license statement should only apply to when one is using software, I think legally a court would uphold that a license cannot tell someone what hardware or other software they can or cannot use.
The interesting thing with this is that the are forcing users to comply with a license which is probably not even legal.
As for uninstalling software without any other warning, wouldn't this be on the same level as a destructive virus? I sure as hell wouldn't pout my name on a virus.
Also it never states that the software will be removed. It says you cannot use other applications to uninstall their spyware. So you can have anti-spyware installed on your computer without breaking this (probably illegal) license.
I would think the company is liable for criminal damage to property much like a virus writer would be.
Chicago2600.net more than a lifestyle, its a survival trait.
That's what he's been doing to them - so why the big ho-ha when he gets a bit of his own medicine?
Simple, because that is what is his users ASK of him. Most people download spyware don't know that it's there. When was the last time you intentionally installed Cydoor? When was the last time your version of p2p software said in big letters "This software will install spyware now Yes/No"?
Now if he packaged ad-aware inside of kazaalite and didn't tell anyone what he was doing, THEN he'd be getting a taste of his own medicine. This, however, is completely different.
"Your superior intellect is no match for our puny weapons!"
I'm pretty sure we can assume that aborting the installation does not restore Ad-Aware. To me, this seems like even more compelling evidence that RadLight's activities are illegal.
I design user interfaces for a free network management application,
I'm still curious as to how he's going to change Ad-Aware to prevent it being uninstalled by this other program. Does anybody know?
Video Game cheats, hints a
In the article, they ask about removal of spyware removing revenue for the producers of the free software. I didn't think the ad-aware guy answered that very well. I would have pointed out that ultimately, the customer (user of free software) decides what it's worth to use their software. Most will look at ads. Heck, most will tolerate pop-ups. What they tolerate is anti-ad-aware software. I never heard of RadLight until this came up. Free publicity, yes, but you can be sure no one that I know ever uses any of their products. There's a line & they crossed it. Not all free publicity is good, regardless of what they say.
jred
I'm not a mechanic but I play one in my garage...
We do offer an enhanced version of Ad-Aware called Ad-Aware Plus, [which costs $15]. But money is not the primary goal and has never been; it's mainly used to pay the server and bandwidth costs. We all have "regular" jobs or are students, and do this in our spare time (although it uses up a lot).
Perhaps if they included some sort of advertising program with ad-aware, they could make some real money!
I'd LOVE to see some puckish programmer bury a phrase at the very bottom of a click-through license to the effect of: "User agrees to sell nude pictures of themselves on ebay and donate the procedes to RJ Reynolds and/or the Church of Scientology." Might demonstrate the idiocy of click-throughs and highlight their dubious legal status. At worst, it'd provide a few yuks.
As I believe that some of the "spyware" are just regular legal programs I really feel for their authors to see how their program is being uninstalled," RadScorpion wrote. "I WANTED ADAWARE TO SEE IT TOO and to revalue their pose to their 'enemies.'
No, I feel really bad. If it weren't for AdAware, I, too, could have received an extra $500 from (Insert online casino of choice).
*$500 dollar offer only valid after betting $50,000 or more and receipt of firstborn child. Other restrictions may apply
Well, except that's *not* what Ad-Aware and similar products do. They *don't* make a clear connection between uninstalling 'spyware' and decreasing functionality of a program.
I've worked personally on both sides of this fence, with one of the companies named in the interview. I can't tell you how many times I had email exchanges with users that ran like this:
USER: Suddenly my version of [Product] won't work! I get a message it's missing [filename]; what happened?
RESPONSE: You may have installed a program that "removes spyware" that has removed that program element. Programs like that are designed to remove advertising software from your computer. You're welcome to do that, but if you don't want to see ads, the free version of [Product] is not for you. You should try [Pay Version of Product] or some other product that is not ad sponsored.
USER: But I don't understand! The program said it would get rid of evil viruses and bad programs! It didn't say it would remove parts of the programs I use. Why doesn't it say your programs might not work any more?
RESPONSE: We suggest writing to the support address of the "spyware removal" program with your concern. Maybe they will change their documentation to make that more clear.
I myself was *personally* responsible for making sure that software that included ad components had clear, readable EULAs. The software had to all but slap the user in the face with the information -- it had a first line that said, in all caps, that the program was AD SUPPORTED and would DISPLAY ADS. It urged, in all caps, that users *read* before they agreed. I fought with developers who wanted to make the EULA less visible, to ensure that it couldn't be dragged off the desktop or otherwise avoided.
The bottom line is that it didn't matter. I could explain to a user in simple plain language what was going on, and the user would still *ignore* the whole text.
I've become increasingly frustrated by the topic of late. From what I can tell, there are people who feel justified in robbing others of income by repackaging software to remove advertising components. For almost all advertising supported software I'm aware of, an ad-free version is offered for a cost. If you don't want ads, or don't want "spyware", pay for the software. It's that simple. But to actively take income from people simply because you don't approve of their business model is heinous.
Actually, now that I think about it, this is not the first instance of this sort of activity. I remember a developer with a popular product which was ad-supported that used to check for ad-removal programs and bring up a popup window that said something like:
"[Anti-adware program] has been found on your system. It may remove files that this software needs. Do you want to remove [Anti-adware program]?"
A pretty nice bit of turnaround, I always thought.
Shouldn't spyware be illegal? Most of it operates as trojan horses, which are similar to viruses, and those are illegal. They mess up the normal functioning of computers and are unauthorized. Maybe they have privacy policies saying that this is ok, but would these policies stand up in court? Often these policies are only made as such so that the consumer won't challenge them, and they are probably questionable legally. You can't take away rights from the consumer that they can't give up.
I mean, if a virus had a license agreement, would it be ok to use it then? And what if the virus attached on to another program with a license agreement that you probably wouldn't read? That is really what these scumware programs are doing. It is an outrage!
Although I couldn't find a definition for the term trojan horse on CERT's website, a link was provided to the comp.virus FAQ. According to it, a trojan horse is:
What RadWare's software is doing makes it perfectly clear that spyware should be treated as a trojan horse (with legal implications where applicable), beacause that's what it is.
Regarding the problem of spy ware uninstalling another program, perhaps it is a technical problem which there is a solution. Not an easy one but a system can be made to prevent such a thing.
;)
1. First, software installation should be passive. On Windows (as well as other OS), you download some binary executable and run them. This foreign binary essentially has full reign over your system. Instead it should be a compressed package file with instruction embedded in it that describes what and where the package manifest should be installed. This package should be signed by the originator so that the package is tamper resistant and has some privilege to modify package that was originated from same source. This way the OS and user is in control rather than untrusted binary running amok on your system.
2. This is more difficult one to implement. I think application should have some levels of access on your system and they should be disabled by default. For example, multimedia player should not be allowed to delete files or initiate outgoing network connection. Even file read can be made more granular by restricting the file mime type that an application can read. Multimedia player has no business reading any other files than ones that it knows what to do with. This sort of sandbox could make it harder for application from whacking competitor's application.
Ultimately an implicit trust should be abandoned and implementing mandatory security may be the solution. Unfortunately this is not something that can be easily added easily but rather it must be designed into the underlying system itself.
Disclosure: I'm writing this at 6:00am after staying up all night writing code so I'm sure lot of loopy ideas are leaking from my brain at the moment. This may be one of them. Then again even a broken clock tells right time twice a day.
---
jk
I think that as more spyware programs take tactics like that bundled with Radlight, a boot-disk image version of Ad-Aware is going to be needed for it to run properly, just like Virus scanners allow you to create a rescue disk. Eventually spyware programs are going to kill the ad-aware process as it starts. A boot disk version would allow you to run Ad-Aware (or similar) without interference from the spyware.
If Ad-Aware retaliates it will have to try and protect itself from the unistaller - how will it do that - clearly changes at the level of the user agreement are more or less useless (what user is going know or care that they have two confliciting user agreements in use...). So it'll be at the code level - what kind of a software war could that set off? Couple that with software that regularly uploads patches and updates (to protect against the latest rival software...).
Personally I'd rather refrain from having my destop turned into a competitive software eco-system!
.sig
I completely disagree. Jasc Software is a great example of a company who started small with Paintshop. It was a great software package (often called a "poor man's Photoshop") with a strong following. Photoshop was offered as uncrippled shareware without any spy-ware. And even as its author estimated registration as low as 1 in 5 downloads, it soon grew and took over the author's professional life. And as any Quake player knows, id Software has a simular story. And an even more rabid fan base (Remarkably, Quake is still played today).
To be sure, these success stories are dwarfed by the number of shareware and commercial operations who fail in the software business. But then, that's business. Most fail in any industry. Its a tough game.
If a small software developer hopes to survive it, they must have a community. It might be within an Open Source community. It might be created from fans of their commercial offerings. But there must be a support base somewhere.
Lavasoft and Ad-Aware have proven one lesson to any developers willing to pay attention. End users do not like the current methods used by spy-ware. As education spreads, more and more users will take efforts to disable this software. And that is a dire message to anyone who's business model depends on it.
I see lots of people talking about how Radlight doesn't inform the user (except in the EULA) that it will remove Adaware. They common arguement is that no one reads the EULA and it's not clear what is goin on, because the EULA is confusing. Is this much different than what Adaware does? IT just gives me a list of files it thinks are "offending" and asks if I want to remove them. It doesn't tell me what they are (outside of a name of the "spyware"), what they do, or any consequences of removing them. If I run Adaware and remove Cydoor, it doesn't give me any indication that it will stop Kazaa from working, and the average person has no idea that would be a consequence. Putting the notice in the EULA is not a good tactic as it somewhat obfuscates what is going on, but is Adaware not telling you the consequences of uninstalling the "spyware" (most of which isn't spyware, it's just software that shows ads) that mucg better?
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
The problem I see is that you are not TOLD about the advertising software upon installation of certain software. I'm sure there are a few people who are willing to put up with some ads, or donate a few CPU cycles, in exchange for something free, but, I am not. However, I was not told about that fact and allowed to make my decesion based on the fact that program XXX would also covertly install advertising and distributed computing apps as well.
:)
:)
In sort, it's MY computer, _I_ should be the one who decides what is on it. Not only for my own desires, but also to be polite to other people on the 'net. What if one of these spyware programs were to catch (or come with) a virus? My computer would (without my knowledge) spread this virus to other people....
Of course, I run Linux anyway so this does not *really* apply to me. That is, until some large corporation buys the rights to Linux and starts releasing an adware-enabled version...
Bringing up eth0 [OK]
Downloading new artwork and features [OK]
Installing new ads [OK]
Oh the horror...
Excuse the brain wanderings, I've been up all night coding...
-RickTheSleepyWizKid
I was writing a piece of software for which Cydoor was being considered as a revenue stream, so we downloaded the SDK to give it all a go.
1) The network then got hit by the Snowwhite and the seven dwarfs virus (this is primarily an email virus, but when it runs it copies itself into every zip on your computer), I thought it came from the Cydoor SDK zip as that was the first zip file that we noticed it in and nobody here is dumb enough to run executables attached to email (especially dodgy porn sounding ones). Of course I never knew as the virus might have run and copied itself in there before we noticed.
On a later date, after the SDK had been deleted (as you may have guessed, we didn't go with Cydoor), we downloaded the SDK again for some reason. Anyway, the virus was indeed in there. They may have gotten the virus the same way we did, but considering they never even noticed they had a virus (it's not hard to notice, even without antivirus software - it adds another file into all of your zips!) it wouldn't surprise me at all if their staff were so clued up that they routinely run outlook and click on dodgy executables mailed to them by strangers.
2) One of my pet peeves is software that modifies your system unnecessarily, I believe this to be a major reason why windows has a half life (notice how virgin installs never crash, but after a year or two are crashing many times a day). It also has other rammifications, for instance you can't run the software over a network (because all the bits it installed into the system it was installed on aren't on the computer you want to run the program on).
The Cydoor SDK has it's own install and as a cydoor customer, you aren't to change it - you just run it during the course of your own install. As you have no doubt guessed if you've read this far, the Cydoor install modifies the system.
I wouldn't have been quite so annoyed at this if it wasn't for two things:
Anyway, having just said how poorly I think they do things, I at least owe it to them to mention that their SDK was actually very nice, and (not counting the install) it was a breeze to integrate their stuff nicely into the program. IIRC they also give you many ways of doing so, allowing you to choose the most appropriate.
does something undocumented
It's not undocumented! It's in the EULA and it tells you it does it!
My Journal
Have a look at how Java WebStart works. It lets you
elegantly download and install software to multiple
platforms (including Linux).
The downloaded application then works with restric-
tions similar to those of Applets. If the application
needs to perform tasks it is not yet allowed to do
(write to disc, acces network), the runtime will ask
you to give the necessary permission.
I know that when I installed radlight, every copy I've ever installed has 2 very distinct, clear checkboxes that allow me to not install Savenow and new.net.
Neither of these are required for radlight to work.
So... *aside* from the evil uninstalling of ad-aware, what is so bad about radlight? Is it even really spyware when they actually *ask* you if you want it to be installed in the first place?
This issue is one of the reasons I started studying linux. Control of my machine.
/etc and a few other locations which in any event are well known, or easy to figure out.
/etc files you modify in your post install config in another directory (again, off of the root partition), and have a script that copies each file to its proper place on the root partition.
3 91 2
The only real way to be sure you are free of viruses and trojans is to wipe the hard disk and reinstall your operating system and personal software.
With linux, it turns out to be simple to arrange things so that even with a lot of complicated, customized software installed on a machine, you can reformat your root partition, reinstall linux, and have your non-standard software installed and configured in under an hour. This makes it feasible to do every few weeks for your home computer.
The main reason is that most of the software configuration consists of ascii text files in
Keep your compiled software directories on a separate partition and write a script to descend into each of them and run a "make install". Then keep copies of all the
When it comes time to reinstall, reformat the root partition, reinstall linux, and then run your 2 scripts and you are back where you started, minus any viruses and trojans and exploits that managed to infest you since the last time you did this.
I wrote up an article with more detail on this on rootprompt at:
http://www.rootprompt.org/article.php3?article=
As a freeware developer, I now have to invest extra time to get the latest list of targeted filenames by Ad-Aware and similar software.
Ad-Aware is simple-ware with a noble cause - I can't fault it for that. Perhaps it needs to do more fuzzy searches, such as "expected registry keys", "expected support files", "exe file size greater than 2mb (to catch patched exes)" to ensure a positive match, and report the results "98% chance it's a positive match.".
Where is this cold war taking us?
Morph-ware: The ability to change the signiature of your software dynamically - filesizes, filenames, icon pixel color variations, title bar text manipulation, and randomizing the internal exe identifiers for windows.
This isn't merely offtopic, it's spam . .
hawk
hawk
Adressing point 2.
The last time I asked about this I was told that I was asking about something called "capabilities", and that there was a group working on adding it to Linux. I don't know whether it is scheduled for 2.6 or not, but it obviously didn't make it into 2.4.
I believe that Red Hat has a non-Linux OS that is capabilities based, but that it's aimed at embedded systems. (This is probably quite confused, but it's the best I can do off the top of my head.)
Essentially what capabilities does is strip default access from all users (including root). root gets the default capability to assign capabilities. A capability might be something like the right to access some particular port (no more counting all ports less than 1000? to be special! All ports are assigned or not on a per user basis.) I don't know whether there would be defined capability groups, though it seems like a good idea. So one could set up a default user group that would, e.g., be allowed to access the floppy drive. But that wouldn't come automatically, and it could be revoked.
The difference here is that you seem to be suggesting that capabilities be assigned to programs rather than to users. This sound interesting, but I would suggest that no program be allowed to exercise a capability that was denied to the current user. That way if a virus rewrote, say, the mail program, it would only be allowed access to the e-mail folders. Tricky, but could add a level of safety. So instead of configuring programs with a blanket "exec" flag there would be a much more complex setup.
This sounds like it could be quite safe, but also like it might have an immense amount of overhead. (Perhaps that's why capabilities are still being studied rather than included in the kernel.)
But something like this is going to be needed eventually. And it will need to be machine specific, so things can't be sent out configured to take over everyone's computer. Say a cross betweem capabilities and package signing, with each user signing packages for his own machine.
I think we've pushed this "anyone can grow up to be president" thing too far.
Heh, I'm sure that conversation is from a verbatim transcript!
I also like how you draw no distinction between adware and spyware. If you don't go out of your way to tell the user what is being installed and what it does (if any additional functionality than what the 'parent' installation is for), then you are installing a trojan horse. Since you don't deign to say which company you work for, I'll take my examples from the majority of malware purveyors: the notification is buried in the EULA, if it's there at all. Line 45? Line 1284? How much of the Microsoft Office EULA did you read when you installed it? How about the OS EULA? "People like you" know full and well how often EULAs are read, because you don't read them either. This can be used against the user, requiring them to ask their government representatives for help or to turn to software like Ad-Aware when this fact is abused.
Go ahead and cry for user-hostile business models to be accepted without question, but know that it's not the user's responsibility to provide you with surreptitious income. Consider it civil disobedience against obfuscated EULAs.
When I was a kid, we only had one Darth.
Build the system like you want and then Ghost it. Even faster.
We discussed this in Fair Software Installation. I didn't think it would come true so fast. What this really points to is the necessity to have good defenses in an operating system against malicious installations.