Slashdot Mirror


Using Spyware to Report Pirates?

An anonymous reader asks: "I have visibility to AUP complaints we receive at work, and we receive messages from a software vendor that make it obvious that their product is phoning home when it discovers it is running a cracked copy of itself." Apparently the software phones home, and then the publisher's legal department sends the administrator an e-mail. "The message goes on to detail the user's IP, a timestamp, the product in question, the user's PC name, username, and MAC address. This falls under -my- definition of 'spyware.' What are your thoughts?" Software has been making surreptitious checks for "piracy" for over a decade, yet these checks are usually limited to the software itself, and not data on the user's machine. Do you feel software publishers should have the right to peer into users' data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?

35 of 1,013 comments

  1. No Problem by Iron Monkey543 · · Score: 4, Insightful

    I have no problem with this, as long as it is in the agreement box, or they make it clear that it will collect the user data and send it to the company if the software checks itself to be a crack.

    You don't like it then don't use it.

  2. Consent by JohnGrahamCumming · · Score: 5, Insightful

    In any application where data is sent from within the company (or home) consent is vital. Perhaps you would argue that stealing the software removes the obligation to ask for consent, but the potential for the software to mistakenly think it is pirated is too high.

    POPFile has an option to check to see if there's a new version available. It's incredibly innocuous: it hits a server and checks its version number, the server junks its logs daily. I keep no record. This was initially on by default but people were upset, it's now off.

    The simplest solution is that a piece of software that thinks it is pirated start warning 30 days before it's going to shut itself off to give the user a chance to do something and finally disable itself. That is effective and friendly.

    And get yourself a copy of ZoneAlarm so that you can see which apps would like to talk to the outside world.

    John.

    1. Re:Consent by Jaycatt · · Score: 3, Insightful
      The simplest solution is that a car that thinks it is pirated start warning 30 days before it's going to shut itself off to give the user a chance to do something and finally disable itself. That is effective and friendly.

      I think that's an excellent idea for a number of reasons:

      * Perhaps the user had the software installed by a friend and didn't know it was pirated. A 30 day warning doesn't assume guilt.

      * A lot of share/trialware does this already, so people are used to these kinds of reminders.

      * If it was a mistake (maybe the other person with the same serial number is actually the pirate) it gives the company/user time to fix the error before simply shutting down.

      * If the software was obtained illegally, there's still time to correct it and 'repent'.

      * And as reidbold said, it's effective and friendly (in a world where most things are CYA and nuts to the other guy).

      --
      "Shared pain is lessened; shared joy is increased. Thus we refute entropy" - Spider Robinson
    2. Re:Consent by JohnGrahamCumming · · Score: 5, Insightful

      When did I say that all software should be free? Never, and I don't believe it. Since I make my living selling non-free (either sense) software I would be biting the hand that feeds me.

      Imagine the scenario where I change the NIC card in my PC because of a hardware fault. Software X used the MAC address of the NIC for licensing purposes which has now changed and hence thinks it's been copied. One choice would be for it to start secretly informing the company that created it that there's a problem, another would be for it to tell me "I think I'm stolen, I'm going to stop working in X days, here's what to do about this". The latter seems friendlier to me and if I did steal it it's going to shut itself off and I won't be able to gain from the crime.

      Nor did I claim that stealing the software wasn't stealing. It is. That software was copyrighted by someone, copyright law is clear and if they license it to me for money then I have to pay. Pretty simple. That's why I was opposed to Napster and other "services" and said so publicly on my web site. They were/are stealing from people.

      Nor do I believe that privacy must be absolute. I just believe in this case that the method used to assist in the enforcement of a license agreement is unreasonable and there are workable alternatives.

      John.

  3. Re:Depends on how you look at it I suppose. by Col. Klink (retired) · · Score: 5, Insightful

    > You use the illegal software

    But doesn't this imply owners of the legal software are also being spied upon?

    --

    -- Don't Tase me, bro!

  4. Re:why not? by WTFmonkey · · Score: 5, Insightful

    But, as someone who is innocent until proven guilty, what right do they have to {spy on, steal from, stalk} me? Seriously, if you're going to back the "stealing is a crime" part of the law, you also have to accept that the alleged thief is innocent until proven otherwise. No one (without subpoena or warrant) has a right to that kind of information without consent.

  5. This isn't spyware by mosch · · Score: 5, Insightful
    It's not sending your credit cards, your clickstream or your data files.

    It's not spyware, it's a fucking anti-theft system. Don't like it? Don't steal it.

    1. Re:This isn't spyware by netruner · · Score: 5, Insightful

      I can understand this viewpoint to an extent. However, this doesn't take into account when the antitheft system "misfires" and causes problems for legit users. In my opinion, spyware that acts so intrusively should be allowed under the condition that there are real consequences for false alarms. In this case, if it's not a legit alarm, I would think the company should be prosecuted like a vendor that exercised a backdoor into one of your systems.

      In other words: you better be damn certain that you're tracking a pirate before you start sucking data off his machine.

      However, if the alarm is legit- you really don't have a leg to stand on. Kind of like stealing a design for a new widget and having your prototype explode halfway through construction.

      When you take a step into the illegal side of things, don't look to the law for help.

      --



      DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
    2. Re:This isn't spyware by Iscariot_ · · Score: 4, Insightful

      "It's not spyware, it's a fucking anti-theft system."

      Not so. If you remember a few years ago, a judge ruled against Blizzard using spyware in their software even though all it was doing was helping them to squash bugs and prevent cheating.

      So the transmission of even benign data without permission by the user is against the law.

  6. Oh come on. Do you HAVE to ask? by Seumas · · Score: 3, Insightful

    Okay, this one seems simple enough.

    Let's say I am a small book publisher. I publish books about historical battles. I find out that there is someone out in the world who, instead of buying a copy of my book, has simply photocopied a friend's purchased copy of the book.

    Now, let's say I track this person down. Then let's say I break into their house. Then let's say I rifle through all of their belongings. Let's say I get their credit card number, bank PIN number, passwords, social security number, medical history, personal communications, personal habits and all of this information for each person in their family, too. Then let's say I take all of this data and give it to the police or the government. Or maybe I even go much further and just burn the house down with everyone in it.

    Was I justified? I mean, I must be right? After all the person had a photographed copy of my book and didn't pay me the $39.95 for a legitimate right to read it...!

  7. The right? No. But does it matter? by sterno · · Score: 4, Insightful

    Ultimately if you get taken to court because of a copyright violation that was discovered because the cracked software phoned home, I doubt the court will grant you much leeway.

    If the software's anti-theft tracking was being put in place by the police, that would be a violation of the fourth amendment. On the other hand, this is being done by a private corporation which has far more rights.

    Think about LoJack, the car anti-theft mechanism, that tracks the car. Isn't that effectively the same thing? That's perfectly legal.

    I don't like the notion of a company installing such spyware because there's little guarantee that they are only reporting pirates. Furthermore, what's to keep them from reporting subtle violations of the license agreement that aren't in fact illegal under copyright law? Once the spyware is there, there's effectively no limit on what it can do.

    --
    This sig has been temporarily disconnected or is no longer in service
  8. Re:why not? by beamdriver · · Score: 5, Insightful
    Copying software isn't stealing; it's a violation of copyrights, and it generally isn't a crime; it's a civil tort.

    Installing spy programs on someone else's computer and misappropriating their resources to send information about that computer back to you, OTOH, may certainly be a crime.

  9. Uh? by loconet · · Score: 4, Insightful

    Ok, so if the program is smart enough to discover that it's a cracked copy of itself, why doesn't it just not start up and prevent the user from using the cracked copy?

    --
    [alk]
    1. Re:Uh? by salmacis2 · · Score: 4, Insightful

      Bingo! The software can't know without any degree of certainty whether it is patched or not. So this data is sent back for *all* installations. The software company then checks product ID numbers against those which were registered. So even legitimate copies of this software are sending their customer's details back. *That* has to be a problem.

  10. What this is really telling you is.. by Dr. Ion · · Score: 4, Insightful

    you need to tighten up your firewall!

    If you don't even know which software or machine is communicating with which outside hosts, don't be surprised when you find out some inside box is relaying spam or leaving out the welcome mat for unwelcomed visitors.

    In any case, what exactly prevents you from naming the offending software? Why speak in generalities and obfuscation?

  11. A great way to discourage such... by Satan's Librarian · · Score: 3, Insightful

    Call the company. Say you found the user and pirated software, and appreciate their notice. Tell them the software has been deleted and the user has been reprimanded. Tell them you have banned said software company wide because your company does not use pirated software - or spyware.

  12. Some possible problems... by SmackCrackandPot · · Score: 3, Insightful

    There's always the danger that a disgruntled employee could plant a cracked version of the software on a company computer.

    And what about shared laptops? Somebody loads on some software while attending a conference and then hands the machine back.

    Some floating software licensing schemes work on using IP addresses, MAC addresses, monitoring the real-time clock to make sure dates don't change. What if one of these circuits fails (stray cosmic rays, power surge), does that automatically make the user a criminal?

    Sure, software companies have the right to protect their software, but I don't think they have the right to allow their applications to automatically generate crime reports. It would be more for the application to request new short-term licenses and deny access than do anything destructive. If an application can detect that it has been cracked then it should just refuse to work.

  13. Re:why not? by Lumpy · · Score: 4, Insightful

    Seriously folks I think lately we've forgotten that stealing is stealing,

    fine then you don't mind us installing a new tracking device on your cars to tell the manufacturer and your loan company and officer where your vehicle is at all times.

    if you aren't doing anything wrong then why are you against it?

    get the idea yet?

    --
    Do not look at laser with remaining good eye.
  14. Re:Was it VisualRoute? by FirstManOnMoon · · Score: 5, Insightful

    What would happen if a crooked employee at Visualware used or shared this information? He now has a valid username and IP address (even if the IP address was NATed, you could match it with the web server logs to find the outside IP.) He can now fire up his favorite cracking program and have at it. If a vulnerability exists in VisualRoute, he now has a list of computers running it that could be exploited. Food for thought...

  15. Re:What we want to know... by Anonymous Coward · · Score: 5, Insightful

    ...or C) the software thinks it's pirated and it isn't. After all, 100% of fully automated piracy detection methods are flawed. The only sure fire way to prove something is pirated is a BSA-style audit. And even those are flawed because of people who don't save original packaging/media.

    You are seriously deluded if you think the fact that a piece of software thinks it's pirated is de facto evidence that it is in fact pirated.

  16. Re:What we want to know... by Goldberg's Pants · · Score: 3, Insightful

    It's still low. Spying on your data and sending info is like shooting people because they might be a criminal. Cracks do have perfectly legitimate uses, despite what the software companies try to tell you. (Just ask anyone who has installed the latest patch for Neverwinter Nights and can't run it due to the retarded Securom protection).

    This is why everyone should run a decent firewall. The amount of programs that phone home is alarming!

  17. Re:What we want to know... by Anonymous Coward · · Score: 3, Insightful

    I couldn't disagree more. That's not obnoxious that's an awesome feature!

    We bought one legal copy of Photoshop. We should have the right to run one copy, regardless of how many computers we own. This enforces that and makes us abide by the licenses we agreed to! It makes it impossible to violate their license!

    So what did we do when we got this error message more and more and more? We decided "hey, we really need two copies". And we got another license. This actually /saved/ us money, so we didn't have to go get 5 copies of Photoshop for 5 computers when two did just fine, thanks.

    Obnoxious? I guess so if your definition of obnoxious includes railings on ledges and lane turtles on roadways. To the rest of us, such things are considered useful.

  18. Re:why not? by SoTuA · · Score: 5, Insightful
    STEALING IS A CRIME...

    True.

    And gathering personal information about a user, without his/her consent without a legal warrant is...

    Seriously, this information is NOT what anybody can get from public records. If I gathered this information about someone, and that someone found me out, I'd be charged with cyberstalking or whatnot.

  19. Re:why not? by armyofone · · Score: 3, Insightful
    Subpoenas and warrants are for the government, not a private company.

    In the words of Frank Zappa, "There's the crux of the biscuit" :-)

    This is why we have a huge problem with corporations running amok. They have somehow gotten the idea that they are not accountable for their actions. In reality, corporations have no more right to your personal information than the justice system. Even less so since the justice system does indeed need to get a warrant to search your personal space - unless you willingly give them permission, that is. A private company also needs your permission to collect your personal information. They may try to get around this with one of those over-restrictive EULAs, but I would venture to say that most EULAs may not be legally binding. We'll see how they hold up in court in future.

    In the meantime, if I decide to install any 'cracked' software, (not that I would), I'll be sure to make sure that machine has no chance of talking to the internet.
    --
    "A revolution without dancing is... a revolution not worth having"
  20. "Oh come on," indeed... by X_Bones · · Score: 3, Insightful

    um, what? you might have a point if the software in question searched the user's hard disk for these pieces of information, but it's not. According to the post, the information sent from the program to a remote server is:

    "the user's IP, a timestamp, the product in question, the user's PC name, username, and MAC address."

    Every single piece of information transferred is accessible through the use of other, perfectly legitimate pieces of software, unlike medical records (which require a plausible reason to access); it should be clear that this program is not 'rifling through anyone's belongings.' And the mentioning of burning down the house is completely absurd; nobody is considering giving this data to law enforcement agencies or blowing up the user's computer if it's running pirated software (to relate your analogy to the situation being discussed). Please take your slippery slope arguments elsewhere.

  21. Re:why not? by shepd · · Score: 5, Insightful

    >Some people, especially young children, seem to have a difficult time grasping that although nothing physical is taken, theft has still occurred.

    No, it hasn't. Most parents (including yourself, I'm sure) tell their children, once they're old enough to read, that they should check the dictionary. I hope you don't mind if I do it for you.

    theft

    \Theft\, n. [OE. thefte, AS. þiéfðe, þȳfðe, þeófðe. See Thief.] 1. (Law) The act of stealing; specifically, the felonious taking and removing of personal property, with an intent to deprive the rightful owner of the same; larceny.

    Note: To constitute theft there must be a taking without the owner's consent, and it must be unlawful or felonious; every part of the property stolen must be removed, however slightly, from its former position; and it must be, at least momentarily, in the complete possession of the thief. See Larceny, and the Note under Robbery.


    I don't know how much clearer it can be than that, sorry.

    >it's not the physical manifestation that holds the majority of the value of the item, it's the intellectual property.

    The only real IP I know of is Internet Protocol. "intellectual property" is a buzzword used by various anti-piracy groups to scare users. IMHO, it rates right up there with "speed kills" and "this baby is crying because its dad was killed by a drunk driver".

    >So, your thinking that even though you took it, the fact that they still have it (wow, magic), lets you off the hook is just plain wrong.

    I'm not saying that. What I am saying is that piracy is not only a lesser crime (IMHO) than stealing, as it only deprives the owner of an imagined profit, and, in fact, does not cause a direct loss like shoplifting, it really bears no relation to stealing. The similarity ends at the word loss. Speaking of which, murder would be a loss of life, and therefore has the same amount in common with stealing as does piracy.

    Again, just my humble opinion.

    That being said, I feel that piracy ISN'T a good thing, that it is illegal, but that it is overzealously punished in today's times where steamboat mickey is still copyrighted property. The only way that people will wake up and stop the insanity (put copyright terms back into the hands of the people) is if people stop making it out to be something it isn't.

    >By the way, you're not even close in interpreting how copyright laws apply to these situations.

    Uhh, seriously, read a law dictionary. Without something being missing from the victim, and without it being in the hands of the perpetrator (preferably at the same time) there can be no theft.

    While the crime of copyright infringement is generally punished in a federal court, and the crime of speeding violations in a municipal or provincial (or, in the US, a state) court, the style of offense is identical. They're both victimless crimes. Sure, you could say I *would* have bought a piece of pirated software rather than pirating it, but at the same time, if I get a stolen (for real) camcorder for $50 that sells for $5,000 do you think there's even a chance in hell I would have bought it if it weren't stolen? The fact is there is normally no specifically identifiable victim from piracy that can prove a loss, which is just like when you receive a speeding ticket -- nobody can prove a loss. It's just illegal, that's all.

    It's always a lot more complicated to convince someone a crime is bad when there is no victim, and *THAT'S* why the BSA (et al.) want you to (wrongly) think copyright is theft. Because then they have their victim -- English teachers.

    In fact, you'll find my previous dictionary definition a little lax. Merriam Webster says:

    theft: 1 a : the act of stealing; specifically: the felonious taking and removing of personal property with intent to deprive the rightful owner of it b : an unlawful taking (as by embezzlement or burglary) of property

    When dictionaries start saying specifically, and highlight it; I think they're trying to curb an improper usage of the term.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  22. Re:Where is the crime in spyware? by boojum.cat · · Score: 5, Insightful
    Your information wants to be free; my information wants to be private. See?

    Oh, come on. That's ridiculous. There's a distinction between public information and private information. Published programs, even if they're copyrighted, are published. They're not private, like the user's MAC address and personal grooming habits.

    I'm not trying to justify running pirated programs, I just think you need to make a better argument.

    If you don't like spyware, don't friggin run it.
    Now, that's a better argument.

    --
    Lost: one sig, witty, 120 chars, sentimental value. Reward offered.
  23. Re:Depends on how you look at it I suppose. by WIAKywbfatw · · Score: 4, Insightful

    > You use the illegal software

    But doesn't this imply owners of the legal software are also being spied upon?


    OK, I'll take serious stick for saying this but here goes (and there goes my karma).

    Sometimes, people observe/stake out/spy on others and their suspicions/paranoia prove to be unfounded and sometimes they prove to be well-placed. Not everyone who's under police surveillance, has a background check run on them or gets asked for additional ID verification when using a credit card is going to be guilty of wrong-doing, but does that mean the cops, your kids' schools or Amex should never be allowed to verify basic details?

    If the software license made it clear up front that the package could and would periodically check that its use was within the boundaries set by the license (eg, full licensing) then I don't see anything wrong with a publisher checking up on its users in this way. After all, permission had been given, just as it had been given (implicitly or otherwise) in the real world examples I gave above.

    One thing you need to ask yourself before you potentially start bashing this company's spyware (or whatever you want to call it): am I in violation of a software license or any laws? Make damn sure that there aren't any illegal copies of the software floating around your organisation before kicking up a major fuss otherwise this could really backfire for you.

    --

    "Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
  24. Re:Depends on how you look at it I suppose. by NoMoreNicksLeft · · Score: 5, Insightful

    More like, the vehicle detects that you had it serviced at an independent mechanic, instead of at the dealership, and phones home to cancel the warranty.

  25. Re:why not? by deke_2503 · · Score: 3, Insightful
    Information "theft" is not really theft or stealing. Thousands of my users probably "steal" my software, but guess what! I DON'T CARE! It is information, which I CANNOT OWN!

    This is ridiculous. Allow me to make random analogies to support myself, because this is Slashdot, after all.

    Consider a carpenter. If he builds a chair, it is a physical entity which one person (himself) owns. It cannot be reproduced effortlessly. Therefore, he can sell it and make money to compensate himself for his labor.

    Consider, again if you will, a programmer. If he writes a program, it is a theoretically non-physical (yeah, it exists on disk/memory somewhere, but that's irrelevant) creation which he owns. However, it can be copied, meaning someone can reproduce it freely and infinitely with no cost to said person and no compensation for the programmer.

    Where do you get the idea that a program is information from? That's like saying the chair you're sitting on to read slashdot from is information. And obviously there's the kneejerk reaction to this claim of "that's absurd! I didn't say that," but look again. You did.

    People do not create information. Information exists. Therefore, if one creates anything, be it a chair, a program, or a cowboyneal voodoo doll, it cannot be information.

    You make the false assumption that because it is not a physical thing, your programs are information. This only barely makes a semblance of sense because in essence, they are information for how the computer should run. But that's because they don't physically exist. Just because they cannot be canned and shoved on a store shelf doesn't mean they are information.

    Finally, to reiterate and conclude the beating of the dead horse, allow me to give examples of information:

    • George W. Bush is President of the United States.
    • The sky is generally blue
    • Moscow is the capital of Russia
    • The current year is 2003
    • Wine is made from grapes

    The difference between those and a computer program is obvious.

    -dave

  26. Re:What we want to know... by alonsoac · · Score: 4, Insightful

    If a person is innocent of a crime, then he is not a suspect.

    So all suspects are guilty? That doesn't make any sense to me.

  27. Re:What we want to know... by LittleLebowskiUrbanA · · Score: 3, Insightful

    "Can Linux do this?"

    Yes. Look into Firestarter. Look into iptables/ipchains.

    "If not, Windows is more secure than Linux for a desktop user."

    That's flawed and uninformed reasoning. Among many reasons why Linux is more secure for a desktop user is that a normal desktop user running Linux has almost zero chance of double clicking on an attachment and hosing their system w/a virus.

  28. Re:Depends on how you look at it I suppose. by dasmegabyte · · Score: 4, Insightful

    Well...yeah. And some legal software (e.g. Gator, Kazaa, etc) spy on you in ways you might not like. But in the end it's all a trade off -- how much do you trust your software manufacturer?

    Some of them I do trust. If I find out Adobe is spying on me to be sure I bought my boxed copy of Photoshop 7, I'm not that worried, because I did. I see this in the same light as I see cameras in retail stores...sure, it's a little annoying that they might be laughing at my fat ass trying to squeeze into size 34 pants, but I can deal with that because I respect their right to stop shoplifters. When the guy who came to paint my house asked me to leave my garage open, I did so, because I was paying him scads of money and I trusted him not to walk out with my TV as well.

    Really, with proprietary software it's all a matter of trust. It always has been -- it's why my uncle wouldn't let my cousin use his Renegade pirated floppies in his c64, he was afraid of some stupid code going haywire and messing up his $500 machine.

    You worried about this spyware stuff? Go whole hog OSS, it's the only way to be sure. I happen to prefer the user interface and trustworthy behavior of some of my proprietary software and don't mind paying a little extra for it, money or privacy. Still, the day I catch ImageReady sending lists of my porn directories back home to corporate is the day I switch to (shudder, ew) The Gimp.

    --
    Hey freaks: now you're ju
  29. How about, not publish software? by Thing 1 · · Score: 3, Insightful
    Do you feel software publishers should have the right to peer into users' data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?

    If a software publisher prices their software "out of the market" then a potential user has two recourses: 1. don't use it; 2. pirate it.

    If the software publisher's decision is inappropriate (i.e., the value is $50 but they charge $2,000), then the user can't be blamed for pirating it. I mean, they can be, but let's face it you can't return software you don't like (because "you might pirate it"), so the default behavior is, pirate it to make sure you like it. Then, if you so choose, pay for it.

    I think it's super cool though, that publishers are going to more and more draconian levels in order to "protect their profits" because it just makes open source/free software that much more attractive.

    See the Ernie Ball story for more details. (I love that I saw the Ernie Ball and the optic-fiber sponge stories on Excite last night, and then saw those two posted here today.)

    --
    I feel fantastic, and I'm still alive.
  30. Re:Depends on how you look at it I suppose. by HardCase · · Score: 3, Insightful
    My computer should never do anything I don't want it to do. Plain and simple. If I don't want you to scan my network for illicit copies, then don't do it. I don't really care about any legal "right" software companies have to do it. I don't want them to do it; I'm their customer; they shouldn't do it unless they feel like pissing me off and losing me as a customer.


    I agree that I certainly wouldn't want the software to scan around my network looking for illicit copies of stuff. But that's not what we're talking about here. We're talking about a cracked program that, when started, determines that it is cracked, then reports that fact back to the publisher, along with information that will identify where the stolen property is.


    This is almost like a LoJack system - the car is stolen, then the security system reports back to the police exactly where the car is. What if you stole the car and it's parked in your garage with the door closed? Yes, I understand that this example doesn't exactly parallel that of the article, but it is similar. The LoJack system doesn't check around the house to see if there are any other stolen things there...it's just concerned about one thing - the car. Much like the software that is described in this article.


    Incidentally, neither I nor the article said anything about snooping around the network looking for stuff. And in the case of the software in question, it appears, at least from the limited information available to us in the article, that if this software is reporting information back to the "home office", it would be very hard to suggest that the user is anything remotely resembling a "customer". Unless you consider the guy who steals money from the bank to be a customer.


    -h-