Slashdot Mirror


First Worm with a EULA?

ErikRed1488 writes "There is a new virtual postcard from Friend Greetings, owned by Permissioned Media that prompts you to install their software to view the card. You are then presented with a EULA granting them permission to e-mail all the Contacts in your Outlook Address Book. Those people are presented with an e-mail from you telling them they have a greeting card to pick up. So, this thing spreads like a worm, but includes a EULA that 95% of users won't take the time to read. Symantec isn't detecting this as a virus, but does have information about it on their site. In addition to the worm-like way it spreads, it also installs spyware designed to deliver ads to your computer. You also give them permission to install further software any time they want. In my opinion this is completely nasty, but it's all clearly in the EULA that you must agree to before it installs the software."

22 of 716 comments

  1. GPL by Skyshadow · · Score: 5, Interesting
    And they said the GPL was like a virus...

    I think this should actually shield the virus-writer from any sort of prosecution, shouldn't it? I suppose you could do all sorts of nasty stuff and be completely protected so long as you could prove the user clicked "ok" to the license.

    Maybe this will be the tool which turns the tide on the EULA.

    RIP: Senator Paul Wellstone.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
  2. Re:Good could come from this by aardvarkjoe · · Score: 4, Interesting

    Wait ... so you're saying that this ought to be illegal?

    IMO, if you click "yes", you deserve exactly what you get.

    --

    How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
  3. Who controls your machine? by masonbrown · · Score: 5, Interesting

    So what happens when two different EULA's claim 100% control of your machine?

  4. Finally! by CAIMLAS · · Score: 4, Interesting

    I've been just waiting for this very thing to happen! My edge-of-the-chair suspense is finally climaxed with a barrage of laughter. Great stuff. :P

    I thought of doing this quite a few times myself, but have always lacked the resources. This is pure genius, really. You get people to propagate the virus willingly, all the while having them agree to transmit it without their knowledge - despite the fact that they agreed.

    This brings forth some fairly serious implications and issues involving EULAs. I'm not exactly sure what they are, but I'm sure they're there, and have probably already been discussed in this or that post concerning MS's dastardly EULA garbage.

    --
    ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  5. Re:subterfuge by anthony_dipierro · · Score: 3, Interesting

    There's a big difference between an EULA limiting liability for the program's distributor and an EULA which claims to actually take something from the person running the software.

  6. Reminds me of Bonzi Buddy... and other spyware. by TibbonZero · · Score: 3, Interesting

    What's the difference between this and the Spyware that Kazaa packages? What % of the users do you think read, let alone understand, the EULA that they just agreed to?

    Bonzi Buddy and some global time (spyware) thing do almost the same thing. It sends your personal info to companies and sells it.

    The only difference I can see here is that this is not done by a major company....

    --
    Tibbon
    tibbon.com
  7. of course it's not a worm by tps12 · · Score: 3, Interesting

    Now what reasonable person would expect this to be called a worm? The sysadmins are of course up in arms about any piece of software that threatens their delicate Windows networks. While I'm aware that most of the Slashdot audience consists of MS-certified admins fresh out of college, their lips adorned with sharp objects, I plead with readers to approach this with some sort of objectivity. Is any program that offers the ability to distribute itself to others now to be deemed a worm? That's hardly fair.

    In fact, given that the GPL'd software that's touted so often on this site is propagated through a similar device, villainizing this program borders on hypocrisy. I don't even understand why traditional "worms" are given that name. Someone sends you an unknown executable that happens to distribute itself to your contact list, and you run it without Googling first to find out what it is...who's to blame here? The program's function is well-known, so the informed user won't be surprised when he fires it up and it does exactly what it's supposed to do.

    Let's use some common sense here, please.

    --

    Karma: Good (despite my invention of the Karma: sig)
  8. reminds me of a spam i got a while back by Khopesh · · Score: 5, Interesting

    i got an email a while ago (during the .com bubble) telling me that i got that email because somebody was romantically interested in me (i don't use dating services of any sort, online or not).

    basically, here's the scheme:
    a person likes another, but is too shy to ask him/her. this site allows a way to anonymously email that person. the message essentially says "guess who" ...literally.

    i was expected to guess the admirer by giving the site every email i could think of that might be the admirer. if there's a match, each party is informed. for all those non-hits, an email identical to the first was sent out; spam.

    i happen to use unique email addresses and handed this address to only four people, two of whom were female, so i knew it was one of them or a friend ... but the notable thing is that i started getting TONS of spam at that address (>20emails/day)

    this type of ponzi-style scheme with unforeseen problems seems to be getting popular now; EULAs often take complete advantage: people blindly give permission to have third-party software downloaded and installed, to become the source of spamming and/or propagation, or to allow use of spyware.

    --
    Use my userscript to add story images to Slashdot. There's no going back.
  9. EULAs, and karma by jmd! · · Score: 3, Interesting

    My post may have not been the most insightful ever, but I think it's a valid point. A high profile incident of Bad Company A sneaking obviously bad things into an EULA is bound to draw attention to e.g. Microsoft's EULAs. In fact, I'd wager that C-Net's eventual coverage of this incident would also mention and draw parallels to the recent changes in the Windows XP license.

    In other words:

    This can only be good for Open Source.

  10. Anyone have a kid? by nick_davison · · Score: 5, Interesting
    I Am Not A Sentient Being but...
    • Under US law, storing personally identifiable information about children is [largely] illegal.
    • The EULA, as far as I can tell, makes NO mention about this product not being allowed for under 13s.
    • With its infection (uh, I mean, transmission) mechanism, it makes no attempt to discover the age of the user before beginning to log their personal information.
    So, as soon as you discover your child has installed this program, sue them for failing to make any attempt to avoid violating their rights. Their EULA get out clauses don't work either as, being a child, they couldn't legally agree to the EULA anyway.

    Hopefully it'll spread better than they ever hoped. A class action lawsuit for every child in America would probably make a fairly clear point to anyone else trying this.

  11. Virus scanning companies have dropped the ball by Powercntrl · · Score: 4, Interesting

    Yes, I know about Adaware, but average Sally or Joe computer user does not. They think that the copy of Norton bundled with their Gateway or Dell will protect them from everything bad and that it's okay to click on "Yes" when prompted "Do you want to install and run X by Spyware Inc.?"

    This worm is no worse than the sites that have javascript to prompt you to install Cometcursor, Gator, Download accelerator, Bonzi Buddy and other spyware apps. I've already seen quite a few shockwave greeting card sites (with a Gator or other spyware install attempt) that ask you to "Send this card to a friend" and I've been sent links to these by my less computer-savvy friends. What's worse, you end up on more spam lists too...

    Sooner or later, EVERYONE online ends up being prompted to install some kind of spyware. The companies that produce antivirus software need to include features to actively scan and disable spyware (with a default setting enabling scanning for spyware/adware, but an option to disable it if for some reason you want to). I've personally become sick of explaining to people that NO, their Norton or McAfee isn't going to catch the program that's been giving them all these popups and that they need some free program they've never heard of before (AdAware) to get rid of them.

    While AdAware is great for power users, for the average population of PC users, automatic background protection like virus scanners provide for viruses is what is required. When a worm like this or a web page tries to install some new spyware, the user won't even be prompted - the antivirus software just says NO.

    --

    ---
    DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.
  12. Many sneaky 'EULA's' by YrWrstNtmr · · Score: 3, Interesting

    ..not just in software.

    Enter to win a "Free Trip" at the mall, (and have your long distance service switched), for one example.

    I know it's hard, but you have to read (and attempt to understand) what they are actually asking you to do. But, I guess the result of that will be ever more obfuscated wording, so that no real human could get the true meaning of what it is doing.
    Legalese could expand a common, two line description into many, many pages. NO ONE would read and understand its true meaning.

    Store files on my computer? Oh, that must mean the graphics that come with the card.
    No, Virginia, they mean they will store whatever they feel like putting there.

    Send emails to my friends? COOL!
    No, send anything they want, any time they want. And possibly have their interface hacked by some OTHER fool next month.

    "Oh, we reserve the right to change this EULA at any time. The new one will be posted on our website." (Way back 7 levels deep, at the bottom of the page in a font no human can read).
    What might a new EULA do? Again, Virginia, anything they want.

  13. Funny points of their EULA by SoCalChris · · Score: 3, Interesting

    From http://www.permissionedmedia.com/license.htm:

    3. Updates/New Information. Permissioned Media reserves the right to add additional features or functions to the version of PerMedia you install, or to add new applications to PerMedia, at any time. As more fully disclosed in our Privacy Statement, PerMedia is designed to regularly communicate and provide information regarding your Internet use to Permissioned Media. Accordingly, Permissioned Media has the right and you hereby authorize it to update or automatically install a new version of PerMedia on your computer when a new version is released to the general public and/or when new features are available. Notwithstanding the foregoing, Permissioned Media and its business associates have no obligation to make available to you any subsequent versions of PerMedia. You may not distribute or copy PerMedia(r) (other than for backup purposes).

    So you can't distribute their program in any way? Isn't that the whole point of the program? These guys really are a bunch of idiots!

  14. I've said it before. by Restil · · Score: 3, Interesting

    The only difference between this and a conventional worm is that it doesn't come with a payload package that will cause damage to the system, although spyware isn't much better. From what I can tell, this software serves no legitimate purpose. You have to install it to read the greeting card, which is sent by someone else installing the software. Does anyone ever actually send a legitimate "greeting card?" If not, there would be no reason to install this software. The only functional aspect of this application is to provide the user with advertisements, which even the most clueless user probably wouldn't install intentionally for only that purpose.

    Because the user has no legitimate reason to WANT to install this software, he/she has to be coerced into doing so with false pretenses. If this is legal to do, it would be no less legal to install a dangerous payload, so long as the EULA explains it and gives the user an option to cancel.

    Perhaps this would be a good time to try to challenge the validity of the EULA. Can't have it both ways. Either it's a binding contract and therefore if you agree to spam your contacts and have your harddrive formatted, you can't hold the author liable. Or EULA's will have to NOT be considered contracts and therefore this will apply to ALL EULA's. Or we can hope. :)

    -Restil

    --
    Play with my webcams and lights here
  15. They are not the only ones... by TeddyR · · Score: 5, Interesting

    The one that I loathe is the "hotbar" IE/outlook menu customiser (http://www.hotbar.com) which allows someone that has hotbar to send a card to a friend... but what the card does is download the hotbar and install it on the unknowing friend's system...

    It also contains some social engineering.. "Upgrade outlook - add COLOR to your Emails" link...

    bah..

    just had to remove these from about a gazillion corp machines... and the virus scanners don't see it as a virus...

    even though it KILLS the system's efficiency....

    --

    --
    Time is on my side
  16. Don't forget GoHip! by CaptainPhong · · Score: 4, Interesting
    Gohip, I think is actually the first worm with an EULA (though I don't know if it still works that way.) Someone infected with it would have a signature attached to the end of all their e-mails saying something like "Get a free movie" with a link that installed (after, I believe, a click-through license) the GoHip scumware. It then attached itself to your outgoing e-mail, forced your homepage to gohip, and did other mangling to your browser.

    It's the oldest piece of scumware like that that I'm aware of (perhaps Bonzi buddy is similar age).

    --
    ... "Give me a woman who loves beer and I will conquer the w
  17. Well, perhaps we ought to do something by 1984 · · Score: 3, Interesting

    I'd be surprised if anyone has the desire and wherewithal to go challenging questionable EULAs through the legal system. But perhaps that's not necessary -- the onerous terms sneaking in depend largely on the fact that nobody notices them, or that most people installing the software are ignorant of their implications.

    So I've registered:

    badlicense.org (and badlicence.org)

    I'd be happy to let that be used for a site dedicated to explaining the EULAs of software. Perhaps an overview, and details on particular products.

    Reasonably carefully worded it wouldn't even matter if the EULA had been interpreted in detail by a lawyer. Just highlighting the apparent detail should be enough to raise eyebrows and invite some clarification (perhaps, even, modification) from those issuing the EULA.

    So, anyone interested?

  18. Re:For perspective... by Jhan · · Score: 3, Interesting
    ...are eula's treated like contracts, legally speaking?

    Nope. Neither are "shrink wrap" contracts (you know, the kinds that are kept inside the sealed plastic covering that start "By breaking this seal you agree to...", and continue "...Microsoft does not guarantee the usefulness of this software for any purpose what-so-ever, even including purposes stated by Microsoft or Microsoft employees.")

    Yes, that's more-or-less an actual "shrink wrap" "agreement" I once had with Microsoft. Anyway, it's all illegal, if you live in Sweden, or any European country, or come to think of it most any country in the world except the US.

    <simpsons>Haha!</simpsons>

    --

    I choose to remain celibate, like my father and his father before him.

  19. Too late to the party, but... by Anthony+Boyd · · Score: 5, Interesting

    ...okay, so no one will read this at this late point, but for any and all software developers who are hunting for a useful product to build, why not create an EULA-distiller? Let it run in the background, and watch for installations. When it sees an EULA appear, it can display 2 or 3 bullet points that succinctly explain what the hell all the legal text means.

    To get really tricky, you could create a Web site that allows users to upload the text of each EULA, and a distilled summary. Perhaps other people could even vote on the most accurate, most understandable summaries. Then your app could be constantly up-to-date. Perhaps by doing this, people who blindly click through these things will be made aware of what the real consequences will be.
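
A minimal sketch of the clause-flagging core of the EULA distiller proposed in comment 19, added here as an example; it is not part of the original thread or of any real product. The rule names and patterns are assumptions; the first four sample sentences come from the license clause quoted in comment 13, and the last one is constructed from the story summary.

```python
import re

# Hypothetical rule set: (bullet shown to the user, trigger pattern).
# The patterns are illustrative assumptions, not a vetted legal taxonomy.
RULES = [
    ("Can install or update software on your machine later",
     r"\b(automatically install|authorize it to update|add new applications)\b"),
    ("Reports your activity back to the vendor",
     r"\b(regularly communicate|information regarding your internet use)\b"),
    ("Sends e-mail to your contacts",
     r"\be-?mail\b.*\b(address book|contacts)\b|"
     r"\b(address book|contacts)\b.*\be-?mail\b"),
    ("Vendor can change features or terms unilaterally",
     r"\breserves? the right to\b"),
    ("Vendor disclaims obligations to you",
     r"\b(have|has) no obligation\b"),
]
RULES = [(bullet, re.compile(pat, re.I)) for bullet, pat in RULES]

def split_sentences(text):
    """Naive splitter on '.' or ';' followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.;])\s+", text) if s.strip()]

def distill(eula_text, max_evidence=1):
    """Return {bullet: [evidence sentences]} for every rule that fires."""
    findings = {}
    for sentence in split_sentences(eula_text):
        for bullet, pattern in RULES:
            if pattern.search(sentence):
                hits = findings.setdefault(bullet, [])
                if len(hits) < max_evidence:
                    hits.append(sentence)
    return findings

def render(findings):
    """Format findings as a short bullet list with the triggering clause."""
    lines = []
    for bullet, evidence in findings.items():
        lines.append("* " + bullet)
        lines.extend('    "%s..."' % e[:90] for e in evidence)
    return "\n".join(lines) or "* No flagged clauses"

# Sentences 1-4: from the license clause quoted in comment 13.
# Sentence 5: constructed from the story summary, not real license text.
SAMPLE = (
    "Permissioned Media reserves the right to add additional features or functions to the "
    "version of PerMedia you install, or to add new applications to PerMedia, at any time. "
    "As more fully disclosed in our Privacy Statement, PerMedia is designed to regularly "
    "communicate and provide information regarding your Internet use to Permissioned Media. "
    "Accordingly, Permissioned Media has the right and you hereby authorize it to update or "
    "automatically install a new version of PerMedia on your computer when a new version is "
    "released to the general public and/or when new features are available. "
    "Notwithstanding the foregoing, Permissioned Media and its business associates have no "
    "obligation to make available to you any subsequent versions of PerMedia. "
    "You grant permission to send e-mail to the contacts in your Outlook address book."
)

if __name__ == "__main__":
    print(render(distill(SAMPLE)))
```

Keeping the triggering sentence next to each bullet lets the reader check the summary against the license text instead of trusting the rule.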

  20. Re:For perspective... by GigsVT · · Score: 3, Interesting

    There must be consideration (both parties must gain something or force some new obligation on the other party).

    IANAL - Have taken some business law classes. Not legal advice - Not FDIC Insured - May Lose Value.

    It's for this same reason that EULAs on free-of-charge software cannot be enforced, unless you are giving them some consideration (like agreeing to look at their ads).

    This makes this case even more complicated, since the spam company could argue that "in exchange for the good and valuable consideration of the right to run the program, you agree to let us use your good and valuable consideration of the right to use the contacts in your address book for marketing purposes" A clear exchange of consideration!

    This may even apply to some free-speech software licenses that include restrictions above and beyond simply terms of copyright licensure, i.e. restrictions on non-distribution related use. Most free-speech licenses don't have such clauses, but a couple do.

    In any case, this isn't simple, but I hope to god it is illegal somehow, or becomes so in the near future.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  21. You're missing the point by burgburgburg · · Score: 3, Interesting
    Like this worm, Microsoft hides its attempts to assert ridiculous rights over your boxes in "plain site" by making them a component of the EULA. It obfuscates its plan and requires consent before it bends people over and uses them.

    It is the brazen sickness that brings reference to Microsoft. Of course, the fact that it employs a signed application to access the Microsoft designed email resource is probably because they are ubiquitous and easy to give up all of their information.

  22. Re:mysql port open on www.permissionedmedia.com by Gothmolly · · Score: 3, Interesting

    They're using some kind of application-level IP restrictions on it:

    Trying 207.250.191.48...
    Connected to www.permissionmedia.com.
    Escape character is '^]'.
    _Host 'a.b.c.d' is not allowed to connect to this MySQL serverConnection closed by foreign host.

    --
    I want to delete my account but Slashdot doesn't allow it.