First Worm with a EULA?
ErikRed1488 writes "There is a new virtual postcard from Friend Greetings, owned by Permissioned Media that prompts you to install their software to view the card. You are then presented with a EULA granting them permission to e-mail all the Contacts in your Outlook Address Book. Those people are presented with an e-mail from you telling them they have a greeting card to pick up. So, this thing spreads like a worm, but includes a EULA that 95% of users won't take the time to read. Symantec isn't detecting this as a virus, but does have information about it on their site. In addition to the worm-like way it spreads, it also installs spyware designed to deliver ads to your computer. You also give them permission to install further software any time they want. In my opinion this is completely nasty, but it's all clearly in the EULA that you must agree to before it installs the software."
I think this should actually shield the virus-writer from any sort of prosecution, shouldn't it? I suppose you could do all sorts of nasty stuff and be completely protected so long as you could prove the user clicked "ok" to the license.
Maybe this will be the tool which turns the tide on the EULA.
RIP: Senator Paul Wellstone.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
this is hilarious! these guys made my day :)
besides, it's about time someone taught us a lesson about clicking 'accept' on EULAs of everything and anything we use.
Hopefully this will do people some good, the whole story just needs to get decent exposure in the media.
Human history becomes more and more a race between education and catastrophe.
H.G. Wells, "The Outline of History"
Wait ... so you're saying that this ought to be illegal?
IMO, if you click "yes", you deserve exactly what you get.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
So what happens when two different EULA's claim 100% control of your machine?
I've been just waiting for this very thing to happen! My edge-of-the-chair suspense is finally climaxed with a barrage of laughter. Great stuff. :P
I thought of doing this quite a few times myself, but have always lacked the resources. This is pure genius, really. You get people to propagate the virus willingly, all the while having them agree to transmit it without their knowledge - despite the fact that they agreed.
This brings forth some fairly serious implications and issues involving EULAs. I'm not exactly sure what they are, but I'm sure they're there, and have probably already been discussed in this or that post concerning MS's dastardly EULA garbage.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
There's a big difference between an EULA limiting liability for the program's distributor and an EULA which claims to actually take something from the person running the software.
You mean you don't agree with my EULA for my worm that says it has the right to format your hard drive if you agree to this EULA on page 15 paragraph 3? I'm really waiting for someone to try that. "Hey, they agreed to let me wipe out their system! It's not MY fault they're stupid."
What's the difference between this and the Spyware that Kazaa packages? What % of the users do you think read, let alone understand, the EULA that they just agreed to?
Bonzi Buddy and some global time (spyware) thing do almost the same thing. They send your personal info to companies and sell it.
The only difference I can see here is that this is not done by a major company....
Tibbon
tibbon.com
Now what reasonable person would expect this to be called a worm? The sysadmins are of course up in arms about any piece of software that threatens their delicate Windows networks. While I'm aware that most of the Slashdot audience consists of MS-certified admins fresh out of college, their lips adorned with sharp objects, I plead with readers to approach this with some sort of objectivity. Is any program that offers the ability to distribute itself to others now to be deemed a worm? That's hardly fair.
In fact, given that the GPL'd software that's touted so often on this site is propagated through a similar device, villainizing this program borders on hypocrisy. I don't even understand why traditional "worms" are given that name. Someone sends you an unknown executable that happens to distribute itself to your contact list, and you run it without Googling first to find out what it is...who's to blame here? The program's function is well-known, so the informed user won't be surprised when he fires it up and it does exactly what it's supposed to do.
Let's use some common sense here, please.
Karma: Good (despite my invention of the Karma: sig)
i got an email a while ago (during the .com bubble) telling me that i got that email because somebody was romantically interested in me (i don't use dating services of any sort, online or not).
...literally.
... but the notable thing is that i started getting TONS of spam at that address (>20emails/day)
basically, here's the scheme:
a person likes another, but is too shy to ask him/her. this site allows a way to anonymously email that person. the message essentially says "guess who"
i was expected to guess the admirer by giving the site every email i could think of that might be the admirer. if there's a match, each party is informed. for all those non-hits, an email identical to the first was sent out; spam.
i happen to use unique email addresses and handed this address to only four people, two of whom were female, so i knew it was one of them or a friend
this type of ponzi-style scheme with unforeseen problems seems to be getting popular now; EULAs often take complete advantage: people blindly give permission to have third-party software downloaded and installed, to become the source of spamming and/or propagation, or to allow use of spyware.
Use my userscript to add story images to Slashdot. There's no going back.
Kind of reminds me of how Congress will pass a bill along and tack in all kinds of "other" language that the common citizen will not notice. How many of you read the EULA !everytime! ?
-516
Almost all commercial database software has the 'can't publish benchmarks' clause. Oracle, MS SQL, etc. That one has become common practice nowadays, because none of the companies actually WANT to know which one is faster. It's "we don't care if we're not fastest, as long as nobody can prove it."
Another non-functioning site was "uncertainty.microsoft.com."
The purpose of that site was not known.
My post may have not been the most insightful ever, but I think it's a valid point. A high profile incident of Bad Company A sneaking obviously bad things into an EULA is bound to draw attention to e.g. Microsoft's EULAs. In fact, I'd wager that C-Net's eventual coverage of this incident would also mention and draw parallels to the recent changes in the Windows XP license.
In other words:
This can only be good for Open Source.
-
Under US law, storing personally identifiable information about children is [largely] illegal.
-
The EULA, as far as I can tell, makes NO mention about this product not being allowed for under 13s.
-
With its infection (uh, I mean, transmission) mechanism, it makes no attempt to discover the age of the user before beginning to log their personal information.
So, as soon as you discover your child has installed this program, sue them for failing to make any attempt to avoid violating their rights. Their EULA get out clauses don't work either as, being a child, they couldn't legally agree to the EULA anyway. Hopefully it'll spread better than they ever hoped. A class action lawsuit for every child in America would probably make a fairly clear point to anyone else trying this.
Yes, I know about Adaware, but average Sally or Joe computer user does not. They think that the copy of Norton bundled with their Gateway or Dell will protect them from everything bad and that it's okay to click on "Yes" when prompted "Do you want to install and run X by Spyware Inc.?"
This worm is no worse than the sites that have javascript to prompt you to install Cometcursor, Gator, Download accelerator, Bonzi Buddy and other spyware apps. I've already seen quite a few shockwave greeting card sites (with a Gator or other spyware install attempt) that ask you to "Send this card to a friend" and I've been sent links to these by my less computer-savvy friends. What's worse, you end up on more spam lists too...
Sooner or later, EVERYONE online ends up being prompted to install some kind of spyware. The companies that produce antivirus software need to include features to actively scan and disable spyware (with a default setting enabling scanning for spyware/adware, but an option to disable it if for some reason you want to). I've personally become sick of explaining to people that NO, their Norton or McAfee isn't going to catch the program that's been giving them all these popups and that they need some free program they've never heard of before (AdAware) to get rid of them.
While AdAware is great for power users, for the average population of PC users, automatic background protection like virus scanners provide for viruses is what is required. When a worm like this or a web page tries to install some new spyware, the user won't even be prompted - the antivirus software just says NO.
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
..not just in software.
Enter to win a "Free Trip" at the mall, (and have your long distance service switched), for one example.
I know it's hard, but you have to read (and attempt to understand) what they are actually asking you to do. But, I guess the result of that will be ever more obfuscated wording, so that no real human could get the true meaning of what it is doing.
Legalese could expand a common, two line description into many, many pages. NO ONE would read and understand its true meaning.
Store files on my computer? Oh, that must mean the graphics that come with the card.
No, Virginia, they mean they will store whatever they feel like putting there.
Send emails to my friends? COOL!
No, send anything they want, any time they want. And possibly have their interface hacked by some OTHER fool next month.
"Oh, we reserve the right to change this EULA at any time. The new one will be posted on our website." (Way back 7 levels deep, at the bottom of the page in a font no human can read).
What might a new EULA do? Again, Virginia, anything they want.
From http://www.permissionedmedia.com/license.htm:
3. Updates/New Information. Permissioned Media reserves the right to add additional features or functions to the version of PerMedia you install, or to add new applications to PerMedia, at any time. As more fully disclosed in our Privacy Statement, PerMedia is designed to regularly communicate and provide information regarding your Internet use to Permissioned Media. Accordingly, Permissioned Media has the right and you hereby authorize it to update or automatically install a new version of PerMedia on your computer when a new version is released to the general public and/or when new features are available. Notwithstanding the foregoing, Permissioned Media and its business associates have no obligation to make available to you any subsequent versions of PerMedia. You may not distribute or copy PerMedia (other than for backup purposes).
So you can't distribute their program in any way? Isn't that the whole point of the program? These guys really are a bunch of idiots!
Granted the microsoft one isn't dling the contacts, but you agree to having microsoft search your machine for installed software (automatic update) and then download and in some cases automatically install any code that it deems is a critical update. I would imagine that the makers of this worm felt that if microsoft can get away with it then they could too. The fact remains that Microsoft should have no right to demand access to data on my machine nor the right to install code on my machine. The worm just shows an example of just how ridiculous Microsoft's use of the EULA is.
The only difference between this and a conventional worm is that it doesn't come with a payload package that will cause damage to the system, although spyware isn't much better. From what I can tell, this software serves no legitimate purpose. You have to install it to read the greeting card, which is sent by someone else installing the software. Does anyone ever actually send a legitimate "greeting card?" If not, there would be no reason to install this software. The only functional aspect of this application is to provide the user with advertisements, which even the most clueless user probably wouldn't install intentionally for only that purpose.
:)
Because the user has no legitimate reason to WANT to install this software, he/she has to be coerced into doing so with false pretenses. If this is legal to do, it would be no less legal to install a dangerous payload, so long as the EULA explains it and gives the user an option to cancel.
Perhaps this would be a good time to try to challenge the validity of the EULA. Can't have it both ways. Either it's a binding contract and therefore if you agree to spam your contacts and have your hard drive formatted, you can't hold the author liable. Or EULA's will have to NOT be considered contracts and therefore this will apply to ALL EULA's. Or we can hope.
-Restil
Play with my webcams and lights here
The one that I loathe is the "hotbar" IE/outlook menu customiser (http://www.hotbar.com) which allows someone that has hotbar to send a card to a friend... but what the card does is download the hotbar and install it on the unknowing friend's system...
It also contains some social engineering.. "Upgrade outlook - add COLOR to your Emails" link...
bah..
just had to remove these from about a gazillion corp machines... and the virus scanners don't see it as a virus...
even though it KILLS the system's efficiency....
--
Time is on my side
It's the oldest piece of scumware like that that I'm aware of (perhaps Bonzi buddy is similar age).
... "Give me a woman who loves beer and I will conquer the w
I'd be surprised if anyone has the desire and wherewithal to go challenging questionable EULAs through the legal system. But perhaps that's not necessary -- the onerous terms sneaking in depend largely on the fact that nobody notices them, or that most people installing the software are ignorant of their implications.
So I've registered:
badlicense.org (and badlicence.org)
I'd be happy to let that be used for a site dedicated to explaining the EULAs of software. Perhaps an overview, and details on particular products.
Reasonably carefully worded it wouldn't even matter if the EULA had been interpreted in detail by a lawyer. Just highlighting the apparent detail should be enough to raise eyebrows and invite some clarification (perhaps, even, modification) from those issuing the EULA.
So, anyone interested?
Nope. Neither are "shrink wrap" contracts (you know, the kinds that are kept inside the sealed plastic covering that start "By breaking this seal you agree to...", and continues "...Microsoft does not guarantee the usefulness of this software for any purpose what-so-ever, even including purposes stated by Microsoft or Microsoft employees.")
Yes, that's more-or-less an actual "shrink wrap" "agreement" I once had with Microsoft. Anyway, it's all illegal, if you live in Sweden, or any European country, or come to think of it most any country in the world except the US.
<simpsons>Haha!</simpsons>
I choose to remain celibate, like my father and his father before him.
...okay, so no one will read this at this late point, but for any and all software developers who are hunting for a useful product to build, why not create an EULA-distiller? Let it run in the background, and watch for installations. When it sees an EULA appear, it can display 2 or 3 bullet points that succinctly explain what the hell all the legal text means.
To get really tricky, you could create a Web site that allows users to upload the text of each EULA, and a distilled summary. Perhaps other people could even vote on the most accurate, most understandable summaries. Then your app could be constantly up-to-date. Perhaps by doing this, people who blindly click through these things will be made aware of what the real consequences will be.
My Greasemonkey scripts for Digg &
Hey I don't think these click licences are legal here. Maybe down there in the USA but not here.
They call it blackmail here.
Don't think so?
Example
Buddy of mine got killed at work. Remember that piece of paper you got to sign that says you read the safety book that you usually sign before you get to read the book? My lawyers threw that piece of paper out of court so fast it not only had wings it was rocket propelled.
Ya can't do that here in this country.
It's ILLEGAL
Who actually clicked on the EULA? I never click on mine. I place the cursor over it and get my kid (2 years old) to press the button..
Nice kid.. It is no longer binding on me cause I never actually clicked it and my kid must have and is too young to have read it let alone agree to it.
Virus writers of the world please read this story and please include a EULA in the future please.
It will put an end to this stupidity once and for all.
so if i laugh while clicking 'ok' then i am not contractually bound to the user license? what if i set reverse-dns on my ip to something like 'not-sersious-bout-nuthin.example.com'? that way any place i download from has the capability to see that i am not serious about what i am doing.
thanks for the informative post, by the way.
I had two people in my company hit with this stupid ass program. They received the email from a verified vendor's email address, and being the dumb little lusers they are, clicked on the link at hand.
Wait... the page that opens up, it started some kind of installer... and BEFORE ANY EULA MENTIONED, it was ALREADY mailing fucking spam through Outlook!
Wait a second. These people never agreed to any kind of EULA. The installer automatically started up (fucking ActiveX, I hate you!). And best of all, it was already mailing to everyone in the global address book. If there wasn't a patch in place to mandate user permission for programs outside of outlook, it would've spammed thousands of mailboxes.
How, in the name of anything vaguely holy, is this NOT a worm or a virus? Nary a EULA was agreed to, and it abused my fucking machines!
There must be consideration (both parties must gain something or force some new obligation on the other party).
IANAL - Have taken some business law classes. Not legal advice - Not FDIC Insured - May Lose Value.
It's for this same reason that EULAs on free-of-charge software cannot be enforced, unless you are giving them some consideration (like agreeing to look at their ads).
This makes this case even more complicated, since the spam company could argue that "in exchange for the good and valuable consideration of the right to run the program, you agree to let us use your good and valuable consideration of the right to use the contacts in your address book for marketing purposes" A clear exchange of consideration!
This may even apply to some free-speech software licenses that include restrictions above and beyond simply terms of copyright licensure, i.e. restrictions on non-distribution related use. Most free-speech licenses don't have such clauses, but a couple do.
In any case, this isn't simple, but I hope to god it is illegal somehow, or becomes so in the near future.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Now, if it's a free download, and you're only offered the download if you click through the EULA, that's an entirely different matter: there's clear consideration in that you're being allowed the download at all. On the other hand, if you purchase the software without the EULA being a condition of the purchase, unless the EULA offers some further consideration it may not be binding at all.
I would be surprised if a court would review the EULA in total isolation in a purchase situation (i.e. completely separate from the purchase price) for the purpose of determining whether or not consideration was given. Courts generally try very hard to find consideration in contractual relationships when this becomes an issue. More likely, a court would say that in consideration for giving both a sum of money and agreeing to the EULA, the company is permitting you to use the software.
It is the brazen sickness that brings reference to Microsoft. Of course, the fact that it employs a signed application to access the Microsoft designed email resource is probably because they are ubiquitous and easy to give up all of their information.
We feed this, and similar things, with an address list consisting of every published government email address world-wide, every published politician's email address, and every published email address from companies that support spamming (like MasterCard, Visa, ...).
Unless people or companies go completely overboard in abusing the EULA, nothing will probably be done by lawmakers.
These types of abuses will probably become more common until public outcry demands new laws. In the drafting of these new laws, the public can hope to address other EULA issues that have been plaguing us while the spotlight shines on this issue.
They're using some kind of application-level IP restrictions on it:
Trying 207.250.191.48...
Connected to www.permissionmedia.com.
Escape character is '^]'.
_Host 'a.b.c.d' is not allowed to connect to this MySQL server
Connection closed by foreign host.
I want to delete my account but Slashdot doesn't allow it.
This may be the first worm designed to only harm the unwary... it's a first lots of things, and there are lots of jokes that can be made, but, realistically, information is expensive.
...and read every EULA. But information is expensive. It's very expensive. The people that accept these EULAs should read them, but most people, through no fault of their own, do not know how important the thing is. Nor do they have any reason, like many /. readers do, to suspect how dangerous and insidious they can be. So, because they have 1000+ things to do, and only time for 100, they skip over things which, as far as they know, are benign and mere "legal technicalities."
A number of posts deride those who accept this EULA, but, I believe, that is largely unfair.
How many readers know their senators' names? Their representative? How about at the state level? Who's your governor, your mayor? What's the serial number on your laptop? The VIN number on your car? What's more carcinogenic: aspartame, Sweet n' Low, or potato chips?
These, and many other things, are things we all should, in some sense know, just as we should all follow every debate, write our legislature on every issue...
Ignorance is a necessary result of the human condition. You can protect yourself, but then you would spend time doing nothing else than reading EULAs and case law, and that would certainly be a worse life than getting some spam and ads plopped on your computer. Most of the people reading this would have suspected something might be up, but, I guarantee, it might take more sophistication, but we are all vulnerable to this type of thing.
It's also common knowledge that EULA's aren't read (by gurus and newbies alike).
I agree. I've seen a few posts chastising the slashdot community because most of us don't read them. However, I would counter and say that most people on slashdot don't have to read them. They know enough to not be downloading some stupid greeting card program. On a tangent, frankly I think e-greeting cards are retarded. The point of giving something away is the giving part. You're not really giving anyone anything when you send them an email. Anyway, most seasoned computer users know enough about programs they do decide to install to know if they need to scan the EULA for anything fishy.
I think this virus will catch new and naive users, but eventually it will receive such bad press that most people will become aware of it, most virus scanners will catch it, and most people won't download it.
Not quite off topic, but my girlfriend came over tonight and she was pissed. She loves playing Scrabble online at playsite.com and earlier today she was over at her mom's house trying to play it on her computer. Well, for some reason or another, she kept getting a popup about every 2 minutes. She couldn't figure out how to turn it off and it was so friggin annoying it made the game unplayable. It pissed her off so much that her whole day had turned sour over this little thing. All she wanted to do was play Scrabble.
Anyway, this little story is just an example of how annoying this kind of shit really is. It drives people insane when their computer is not in their control. On a side note, that's also a reason I think Digital Restrictions Management will never work.
Well, that's the view from my end.
No sig for you.