Slashdot Mirror


Using Spyware to Report Pirates?

An anonymous reader asks: "I have visibility to AUP complaints we receive at work, and we receive messages from a software vendor that make it obvious that their product is phoning home when it discovers it is running a cracked copy of itself." Apparently the software phones home, and then the publisher's legal department sends the administrator an e-mail. "The message goes on to detail the user's IP, a timestamp, the product in question, the user's PC name, username, and MAC address. This falls under -my- definition of 'spyware.' What are your thoughts?" Software has been making surreptitious checks for "piracy" for over a decade, yet these checks are usually limited to the software itself, and not data on the user's machine. Do you feel software publishers should have the right to peer into users' data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?

53 of 1,013 comments

  1. What we want to know... by Jeremiah Cornelius · · Score: 5, Interesting

    Just WHO is this publisher?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:What we want to know... by wo1verin3 · · Score: 5, Interesting

      I'd still like to know what publisher does this, and if my company is a customer of this company which decides to spy on our systems without permission then I would a) ensure we move to another software vendor and b) make the company aware of why we choose to move to another vendor.

    2. Re:What we want to know... by innosent · · Score: 4, Interesting

      That's a great idea, from all perspectives, but taking it one step further, when it checks for updates, the server should check the serial number against a list of known/suspected pirated numbers. If the serial number is bad, then send dummy updates, ones that force the program to say: "this program is not registered, please call 800-URF-CKED".

      If you do it this way, then the real license holder will call to find out why it doesn't work, at which point you can try to find out why their serial number is pirated. Something like this could have prevented the 112-1111111 M$ thing from ever happening, without screwing things up for the end user. Put reasonable limits on how many duplicate licenses you can have, and if you've seen too many, put that number on the list. You won't stop the first few pirated copies, but you'll stop the last 90,000, and you'll find out who leaked the number in the first place. As an extra feature, for corporate keys, you could restrict it to the corporation's IP block.

      Damn, maybe I should patent that... Oh well, consider it prior art.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
    3. Re:What we want to know... by Tongo · · Score: 5, Interesting

      On my machines I run Sygate Personal Firewall. I have it set to block traffic based on application, not port number (although that MAY be possible also). If an application doesn't have de facto permission to access the internet it will ask me. Then I set it to allow my most used applications through without prompting. Works quite well actually. It is amazing the amount of stuff that is trying to call out all the time.

    4. Re:What we want to know... by dolo666 · · Score: 5, Interesting

      What if it's wrong? What if you really paid for the software and someone *else* cracked it and passed it around?

      Some of the appz/games in stores get cracked and put back on shelves. It happens all the time. And how many of you keep your sales receipt, box or even CD? I have software running that is paid for but I don't have evidence that I bought some of it; I still have a right to run it.

      The problem is that while this monitoring is a good idea in theory, there are too many variables that would trigger reasonable doubt in court. This would tie up a court for quite some time with possibly unreliable evidence garnered as reasonable.

    5. Re:What we want to know... by DaCypher · · Score: 5, Interesting

      What if that application, say, an FTP client, requires access to the internet to do its job? So you allow it access to the internet for this purpose, but could it still sneak its connections in to its home server since the firewall assumes this is legitimate behavior?

    6. Re:What we want to know... by MrBlue VT · · Score: 5, Interesting

      I run cracked versions of video games all the time. Why? Because I've stolen it? No, because I don't want to have to stick the damn CD in the drive every time I want to play the game. Nothing is more annoying than the stupid "copy protection" that makes you hunt around for the particular game cd and then put it in your machine (heaven forbid you are using the cdrom at the same time to play music or burn a cd!).

    7. Re:What we want to know... by nolife · · Score: 3, Interesting

      I have used Zonealarm before and I set IE to ask every time for access. I left IE the default browser but never actually used it for my browsing. Spurious requests to start IE would be a red flag that something was trying something funny.

      --
      Bad boys rape our young girls but Violet gives willingly.
    8. Re:What we want to know... by Kleedrac2 · · Score: 2, Interesting

      Some games still have that old friend, check out Uplink, the great hacker game (and yes it's got the native Linux binaries on the disc) from Introversion

      Kleedrac

      --
      Sure we wang, can.
    9. Re:What we want to know... by _xeno_ · · Score: 5, Interesting
      I'm disappointed by the replies so far. I keep on getting these two conflicting vibes from people on Slashdot - some people who seem to really want Linux to succeed on the desktop and therefore have companies write software for it (like, say, games or video codecs...), and people who seem to want to keep the "non-free pollution off their system."

      If Linux is to succeed on the desktop, then third parties must be allowed to write closed-source applications for Linux. (If, for no other reason, than to allow custom business software to continue to run on the systems.) In that case, a vendor very well could include spyware, and being able to block just that application would be very nice.

      Can Linux block net access by individual program? I don't know - I think netfilter may be able to be hacked to do it, but I'm not 100% sure. (It looks like it might be possible to write a netfilter module to do it, but it may require modifying the netfilter system itself, which would involve kernel hacking. When I wrote this, www.netfilter.org was not responding, so I'm guessing based on documentation on other sites and what was available through the Google cache.)

      Does this make Linux on the desktop less secure than Windows? Well, erm, not really. The Windows default firewall only exists in XP (or maybe some SP added it to previous versions, I dunno), and it blocks based on ports. Third-party firewalls like ZoneAlarm and the aforementioned Sygate Personal Firewall can block based on application.

      So Linux is no more secure than Windows on its own. Add in some more software, and it can be. The next question is: if Windows had this feature, and Linux did not, would Linux on the desktop be less secure than Windows? I think the answer is yes, based on the idea that Linux on the desktop must be capable of using closed-source software, and that such software would be prevalent on a successful Linux desktop, and that there would exist users for the software.

      Dismissing Linux as safe because there currently is no real spyware out for the Linux desktop does not really address the question. Assuming there were, it would be nice to be able to block just one application. Blocking a port would not be enough (since it could just use 80, then no web browsing for you...). Blocking an IP is the obvious "right way" but it still might not be the best solution if that cuts you off from the webpage or other important service.

      So being able to block by a given application is probably better than only by packet info (like IP, port, flags, etc.). If the question were simply "OS/A can block net access by application, is it more secure than OS/B that cannot" would people still say "OS/A is more secure because it's open source?" Or is this an emotional response based on the fact that it was Linux vs Windows?

      --
      You are in a maze of twisty little relative jumps, all alike.
    10. Re:What we want to know... by Lshmael · · Score: 5, Interesting

      That's the point. That conflicts with the entire practice of people being innocent until proven guilty. Since it is a former attorney general saying it, the poster was implying that the government does not care about trampling on civil rights in its relentless pursuit for "justice." Meese was saying, "If we think you did something wrong, you did. No questions. Stop talking. 2 + 2 = 5."

      Where does the madness stop? What if the publisher had disabled the computer or reformatted the hard drive? Would that be justified? What if the software was actually *NOT* pirated?

    11. Re:What we want to know... by Rich0 · · Score: 2, Interesting

      Too lazy to look up the docs...

      Will the --cmd-owner option allow a full path to the executable? I would like /usr/bin/mozilla-bin to be able to browse the web. However, /home/user2/fancygame/spytrojan/mozilla-bin probably shouldn't be able to. I can call anything I want mozilla-bin...

      It would be nice if somebody wrote a nice front-end (a la Tiny Personal Firewall) for getting application permissions set up initially. I don't have time to try to guess what applications on my workstation need to connect to where. Sure, there is netstat -tnp, but that doesn't show you the program that you only run once a week and aren't running at the moment...
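
The name-versus-path question raised in the comment above, as an added example that is not part of the original thread: this Python script maps established TCP sockets in Linux `/proc/net/tcp` format to the full path of the owning executable and compares a name-only allowlist with a full-path one. The sample table and inode map are constructed, the function names are hypothetical, and the address decoding assumes a little-endian host.

```python
import os
import posixpath
import socket
import struct

ESTABLISHED = "01"  # TCP state code used in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:C350 0A0200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:C351 630200C0:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 33333 1 0000000000000000 20 4 30 10 -1
"""

# Constructed socket-inode -> executable map; the two paths are the ones
# named in the comment above. On a live host use live_inode_to_exe().
SAMPLE_INODE_TO_EXE = {
    22222: "/usr/bin/mozilla-bin",
    33333: "/home/user2/fancygame/spytrojan/mozilla-bin",
}


def decode_addr(field):
    """Turn '0100007F:0277' into ('127.0.0.1', 631). Assumes little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the IPv4 TCP table; returns one dict per socket."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        conns.append({
            "local": decode_addr(f[1]),
            "remote": decode_addr(f[2]),
            "state": f[3],
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return conns


def live_inode_to_exe(proc="/proc"):
    """Walk /proc/<pid>/fd and map socket inodes to /proc/<pid>/exe targets.
    Processes of other users are skipped unless this runs as root."""
    mapping = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(os.path.join(proc, pid, "exe"))
            fds = os.listdir(os.path.join(proc, pid, "fd"))
        except OSError:
            continue  # process exited or permission denied
        for fd in fds:
            try:
                target = os.readlink(os.path.join(proc, pid, "fd", fd))
            except OSError:
                continue
            if target.startswith("socket:["):
                mapping[int(target[8:-1])] = exe
    return mapping


def outbound_report(tcp_text, inode_to_exe, allowed_paths):
    """For each established connection, record whether the owning binary
    passes a name-only check and whether it passes a full-path check."""
    allowed_names = {posixpath.basename(p) for p in allowed_paths}
    rows = []
    for c in parse_proc_net_tcp(tcp_text):
        if c["state"] != ESTABLISHED:
            continue
        exe = inode_to_exe.get(c["inode"], "<unknown>")
        rows.append({
            "exe": exe,
            "remote": "%s:%d" % c["remote"],
            "name_match": posixpath.basename(exe) in allowed_names,
            "path_match": exe in allowed_paths,
        })
    return rows


if __name__ == "__main__":
    allow = {"/usr/bin/mozilla-bin"}
    for row in outbound_report(SAMPLE_PROC_NET_TCP, SAMPLE_INODE_TO_EXE, allow):
        verdict = "ok" if row["path_match"] else "REVIEW"
        print("%-7s %-48s -> %-18s name_match=%s" % (
            verdict, row["exe"], row["remote"], row["name_match"]))
```

Like `netstat -tnp`, this is a point-in-time snapshot, so a program that connects only occasionally is seen only if the script is run repeatedly and the results are logged.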

    12. Re:What we want to know... by metamatic · · Score: 2, Interesting

      Norton Internet Security lets you block based on content. So you can, for example, block any TCP/IP connection which includes your MAC address.

      Of course, they could always encrypt it, but then you could block encrypted (i.e. not FTP-like) traffic.

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  2. Depends on how you look at it I suppose. by ShadowBlasko · · Score: 4, Interesting

    It's been going on for quite some time now.

    You use the illegal software, I don't see any reason why someone whose life work might involve *writing* said software would not want to catch you pirating/using it illegally.

    I'm not all that sure how I feel about the user's computer information being fired off in an email, but I have always considered that a possibility in the past. Seems like I was right.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order- Ed Howdershelt Via Tass
    1. Re:Depends on how you look at it I suppose. by Mistlefoot · · Score: 2, Interesting

      Many new vehicles have gps.

      Not an issue for most vehicle owners. But you steal it and you get caught easier.

      Is this spying? While I won't say the analogy is perfect this is still very similar....

    2. Re:Depends on how you look at it I suppose. by Anonymous Coward · · Score: 1, Interesting

      Not Necessarily.

      We have six machines in the office. I have gone back to WIN98. We have three Win98 Licenses, one WinME license, Two WIN2000 Licenses and two WINXP Professional licenses. All licenses are backward ok, even Microsoft agrees on that point. I have only opened one of the WIN98 Packages and used the same disk and registration number for all six machines. More Convenient. No matter how you look at it, we are fully licensed. Even the BSA would not argue with that one.

      So I do not need spyware checking for duplicate registration numbers.

      Tom

    3. Re:Depends on how you look at it I suppose. by rizzo420 · · Score: 2, Interesting

      it is similar, but the software does more than just report where it is located (assuming the gps reports back to something, which is highly unlikely, because that gives dealers the ability to spy on legit owners). if the software only reported the user's IP, a timestamp, and the product in question, then there would be much less of a problem. what the software reports that is very questionable is the username of the account that's using the pirated software. this gives the company an easier ability to break into the network since they have a valid username and can use that to guess what the username of other known employees would be. the mac address and the machine name are also questionable because they are also not necessary. really all that is needed to prove wrongdoing is what i stated above. that doesn't break privacy if the IP is public since it's known information. the product in question is necessary for the obvious reasons, and a timestamp always helps anyways.

      i also don't see how this can be legal unless it's listed in the EULA as being there, but that doesn't give them a right to send themselves the information that i said was unnecessary and could be used for wrongdoing by the publisher or any other script kiddie/hacker/cracker that gets ahold of it.

      --
      please me, have no regrets.
    4. Re:Depends on how you look at it I suppose. by Anonymous Coward · · Score: 1, Interesting

      > If the software license made it clear up front that the package could and would periodically check that its use was within the boundaries set by the license (eg, full licensing) then I don't see anything wrong with a publisher checking up on its users in this way.

      This ignores the fact that you don't have to agree to a software license to use it. You have a legal right to alter your copy of a copyrighted work and to use it. You also have the right to alter the work to not report to "home base". The problem is, these two components (especially the latter) are likely to be patched against a distributed copy anyways. The only "good" thing might be that a person attempting to crack the software might get caught during or after releasing the cracked software. Of course, announcing that the above happens is just going to make more crackers set up pseudo-internet networks and sniff outgoing packets to see what the software is doing. I guess it does make the cracker's job harder and will see more charged, but the people really being punished are all the uber-legal folks who don't crack the software, agree to the license, and have their usage tracked.

    5. Re:Depends on how you look at it I suppose. by BiteMeFanboy · · Score: 2, Interesting
      This is almost like a LoJack system - the car is stolen, then the security system reports back to the police exactly where the car is. What if you stole the car and it's parked in your garage with the door closed? Yes, I understand that this example doesn't exactly parallel that of the article, but it is similar. The LoJack system doesn't check around the house to see if there are any other stolen things there...it's just concerned about one thing - the car. Much like the software that is described in this article.

      Except that it's using MY resources to do so. Not only is the software stealing from me, bandwidth, CPU, and memory, it's forcing me to incriminate myself. Guess what... that's unconstitutional.

  3. Another question... by Decaffeinated Jedi · · Score: 5, Interesting
    Is it spyware if it's mentioned in the User Agreement that you accepted?

    DecafJedi

    --
    DecafJedi
    my weblog: apropos of something
  4. I thought DOD fought this years ago by Anonymous Coward · · Score: 2, Interesting

    I seem to remember that a vendor did this to the DOD like in the early 80's. I also thought the DOD took them to court and won. I can't see how it is legal unless it is in the licensing agreement.

  5. Active copy protections... by Satan's Librarian · · Score: 4, Interesting
    It's spyware. I think active copy protections such as that are stupid anyway - what happens if the user is legitimate, but either had a file corrupted or a virus infected it? I'd assume they are just doing an MD5 hash of their software at best for the check for cracks, and a parasitic .exe virus would set it off right away. So would some older methods of file inoculation, random disk/transfer corruption, and a whole lot of other things.

    There's a legend that Microsoft actually encountered this back with Microsoft Word 1.0 - it formatted the hard drive if the CRC of the program changed. Bad karma there, hosing innocent users if they got infected. (BTW - I've seen Vesselin Bontchev reference it here and other places, but it could just be he picked up a convenient rumor. Anyone have verification of this story?)

    If it's not documented in the EULA for the product, it might even be a potential civil suit against the company. Doesn't Europe have fairly restrictive privacy laws that could come into effect here? Could be criminal there if so, especially if it misfired on an innocent user. Although of course - IANAL.

    BTW - what product?

  6. windows ? by jacquesm · · Score: 3, Interesting

    How many packets does your machine send out that you have not looked at personally ? Mine does that *all* the time (I don't have the time nor the resources to check them all).

    This means that if say MS is checking the contents of my machine and starts harassing me over possibly illegal software that I would have no way of knowing that the info was retrieved using spyware. It's the stupidity of the 'presentation' that gives this one away, if they were a bit more clever about it you'd never have known that it was spyware related.

    The best way to avoid this kind of trouble is to go completely open source or make sure your licenses are paid up :)

    are you on the grapevine yet ?

  7. What if it was a legit version? by ad0gg · · Score: 4, Interesting

    With the game Black and White that I own, the cd copy protection gave my computer so many problems and the only solution the publisher gave me was to install a new cdrom, so I was forced to install the cd crack to actually play the game. I'd hate to be labeled a pirate and taken to court because I actually wanted to play a game I legally purchased (Hell, I preordered).

    --

    Have you ever been to a turkish prison?

    1. Re:What if it was a legit version? by theskipper · · Score: 2, Interesting

      Or if the publisher doesn't allow an archival backup to be made.

      Case in point, my GTA Vice City CD was getting scratched up so, knowing that the play disk was copy protected, I decided to read the license agreement to see how this is handled:

      "Software Backup or Archiving. After You install the Software into the permanent memory of a computer, You may keep and use the original disk(s) and/or CD-ROM (the "Storage Media") only for backup or archival purposes."

      No mention of a single backup copy or any other solution.

      Of course the problem is that the CD is required to run the game. So there's lots of eventual wear and tear no matter how careful you are.

      To bring this back on topic, after searching the web for ways to burn a backup I gave up on the idea and found a cracked copy. It works great but it gives me the willies.

      So what happens if there's phone-home code in the executable? By using an obviously cracked exe, the chances are that I'd be assumed to be a pirate even though I am innocently trying to exercise my fair use rights. To take it a step further, what if the publisher is a member of the BSA?

      This is old hat stuff for /. but real life examples are what "brings it home" to the average Joe.

  8. Why are they sending you this information??? by GreenCrackBaby · · Score: 3, Interesting

    I can't tell, but I'm assuming that you work at an ISP (AUP complaint?). Why on earth would you care about this information?

    "Oh no! One of our users is doing something illegal and it has nothing to do with us! Quick, pull the plug on him!!!"

    Seriously...unless you are law enforcement, what could you possibly do with this information? If I wrote your ISP and told them I saw you smoking pot, should I expect them to pull the plug on your connection??? How is this any less ridiculous?!?

    --

    "The market alone cannot provide sufficient constraints on corporation's penchant to cause harm." -- Joel Bakan
  9. Virus effects? by RonnyJ · · Score: 2, Interesting

    How exactly would a program go about detecting accurately whether it's cracked? I'd hate to get a virus infection, which changed the executable slightly, and then end up being accused of cracking the software.

  10. Re:The right? No. But does it matter? by fuzzybunny · · Score: 3, Interesting


    Erm...while I grant you that in a civil case the rules of evidence will be much more lenient than in a criminal one, there are statutes related to industrial espionage which you could cover yourself with.

    IANAL etc etc, but I am under the impression that, unless you explicitly agree to a function which is not arguably part of the 'core' raison d'etre of the software, things like collecting information without someone's consent on legitimately licensed PCs could be construed as breaking and entering, or the digital equivalent.

    If the software only does this for unlicensed copies, I wonder whether you couldn't use a similar strain of argument (license was not active for arcane technical reasons, whatever.)

    Admittedly, without starting an argument about it, I don't have strong moral qualms about piracy, and I do believe there are certain limits as to what's allowed in terms of evidence collection/snooping even if you are doing something legally "wrong".

    Frankly, I think companies should try to use free/open software anyway if they can, so this never even becomes an issue (ask SCO! :-)

    --
    Cole's Law: Thinly sliced cabbage
  11. Re:why not? by vDave420 · · Score: 5, Interesting
    Troll, but I will bite anyway.

    As someone who makes a living writing peer-to-peer software, I completely disagree that "STEALING IS STEALING" as you say.

    I don't want to get into semantics with you, but here goes:
    Stealing involves the deprivation of someone's property, removing their ability to benefit from it. (paraphrase)

    Information "theft" is not really theft or stealing.

    Thousands of my users probably "steal" my software, but guess what! I DON'T CARE! It is information, which I CANNOT OWN!

    No one, corporation or individual, has a right to profit.

    Everyone has a NATURAL right to consume and reproduce information. How do I know? Look how we are physically built, for crying out loud!

    Let me close with this somewhat fanatical thought: Every month new ground is broken in the attempt to produce objects by piecing them together molecule by molecule.

    Now, it will probably take longer than my lifetime to occur, but EVENTUALLY you all will be able build a generic THING from its component molecular pieces.

    Consider this "future" world for a moment: No more scarcity, no more hunger, no more epidemics caused by lack of medicines.

    Now consider the same world, with *your* "STEALING IS STEALING end of story" claim: Should the first person/company that creates a new molecular structure have a monopolistic control over said structure? Should you be able to produce (from scratch, not by "physically stealing") a replacement Brake Pad for your car without paying Ford for the privilege? What about creating your very own "claritin-like" substance for your allergies? Should you have to pay Monsanto?

    I stated before, and firmly believe, that information wants to be worthless, in an economic sense. Information has no "owner" that I recognize, and, as such, I do not consider the "copying" of information to be "theft".

    If someone broke into my office and stole the computer I was writing my source code on, then THAT is theft of information, as it has deprived me of it.

    If someone copies (without my permission) my program and uses it without paying me, oh well! I haven't been deprived of anything! I still have my program! The only thing I *may* have lost is potential profits, but NO ONE HAS A NATURAL RIGHT TO PROFIT! NO ONE!
    (That's why "Step 2: ???" is so common! heh)

    In the above "idealistic copying world" example above, no one could profit! There would be no object scarcity, therefore (almost) no intrinsic value to *ANYTHING*, let alone "strictly informational things."

    Time to end this rant, but PLEASE PLEASE consider:
    The end result of personal "possession & ownership" of information, combined with monopolistic control, and the added "Let's consider artificial entities with the stated goal of financial wealth accumulation (corporations) the same as people, with the same 'rights' to own information, etc.", is a CORPORATE FEUDAL SYSTEM, not the (what I consider) idyllic, everything-copying society that we COULD have then.

    The road we are starting down today is leading us towards the scarier of the two, I believe.

    -vDave-

    {dave -at- bearshare -dotcom-}

    Help me out, and use BearShare for all of your p2p (INFORMATION COPYING) needs!

    --
    The pig browse. With Google. Sigh is to the chicken. Chicken is fool. Giggle. The DailyWTF giggle.
  12. Re:why not? by shepd · · Score: 2, Interesting

    >It is theft.

    No it isn't. If it were, pirating windows would get me a $100 fine and a weekend in jail.

    In fact, as far as the courts go, it SPECIFICALLY isn't theft because the crime of theft has a much more reasonable sentence. If I were to compare it (copyright infringement) to a similarly punished crime, it's like raping dead corpses.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  13. Re:why not? by pla · · Score: 5, Interesting

    Seriously folks I think lately we've forgotten that stealing is stealing, and if you're stealing a piece of software you should be punished for stealing a piece of software.

    And for those situations where stealing doesn't mean stealing?

    Two trivial examples that I suspect most of us could get "caught" for:

    First, a friend purchased (completely legal, nothing unkosher whatsoever, not even grey-market) a copy of Age of Empires - AoK. It has a rather annoying copy protection scheme, however, which annoys legitimate users (whereas pirates just run a cracked version with no hassles at all). So the solution? He uses a cracked copy of the game. A stupid software test for known program cracks would flag him as "stealing", yet he did no such thing.

    Second, and even more difficult to deal with - I have all of my CD collection on my HDD, since I only ever listen to them while at the computer. Legal format-shifting as allowed even by the DMCA. Yet, can I "prove" to some stupid spyware bot that yes, in fact, I really do own the CD? Nope. And even if I could, I shouldn't NEED to; my computer serves me, I do not serve my computer.


    More important than false positives, though, we should consider the issue of why we buy software in general. If I buy a game, I buy it to play that game. If nowhere in the documentation (or preferably, on the outside of the packaging) does it describe its "RIAA-friendly anti-piracy technology", it damn well better not have any. I don't buy software to spy on me, I buy it to do the task it describes itself as performing. Nothing more, and nothing less.

  14. Re:why not? by tomhudson · · Score: 4, Interesting
    Simple solutions:
    1. Unplug the phone jack/ethernet card
    2. Find out where it's sending packets to, and edit your hosts file on your proxy/firewall accordingly
    3. Remove the software (duh!)
    Or, to take the parent poster's idea of a virus (actually, a worm) to the next step, have it scout the net looking for legit copies, and installing the crack on their machines. So even legit customers would end up "phoning home".

    Seriously, just remove the software. If it does something you want/need, you have three choices:

    1. buy a legit copy
    2. develop a competing product
    3. put up with the knowledge that it is phoning home
    Mind you, if I wrote it, I wouldn't have it phone home, - I'd have it phone a (very) expensive 900 number (say, $50.00 a call) that I'd own, and you'd end up paying for your license when you got your next phone bill :-)
  15. Where is the crime in spyware? by mec · · Score: 4, Interesting

    So the (alleged) spyware sends copies of certain information about your computer back to the company that produced the software.

    The user still has all the information they started with. No one has been deprived of any information. All that has happened is that an additional copy of this information has been created and distributed.

    In order to object to this, you have to admit that some information does have owners, and also that it is wrong to copy information without the consent of the owner.

    Then, this being slashdot, you have to do a little song and dance, like this: "when other people create music and software and movies, and I make a copy of their stuff, it's fine. But when someone else makes a copy of information from me without my consent, that's wrong!"

    Your information wants to be free; my information wants to be private. See?

    My own beliefs are the same as Linus Torvalds: "He who writes the code chooses the license". If you don't like spyware, don't friggin run it. I don't.

  16. some more by ramzak2k · · Score: 2, Interesting

    Here are two more i have noticed that do the exact same thing :
    1. Admuncher http://www.admuncher.com/
    2. Evidence Eliminator http://www.evidence-eliminator.com/

    I found a quick (& better) replacement for Admuncher in the new google toolbar (http://toolbar.google.com/) to get rid of popups.

    Evidence eliminator is crap, don't need a replacement.

    In either of these cases they take you to a page showing your IP address with what they think is a scary message. If you do use a cracked version make sure your windows installation does not carry your Original Name / Location and that your IP address is dynamic.

    --

    Siggy Say, Siggy Do
  17. Re:Uh? by FauxReal · · Score: 2, Interesting

    And besides that... they'd probably rather track you down, catch you in the act and then sue your ass to make an example out of you.

  18. Thoughts. by Anonymous Coward · · Score: 1, Interesting

    If I was a home user, I'd be using a firewall. Oops, trying to phone home, are we? (Quake3 Voice) DENIED (/Quake3 Voice).

    If I were in a corporate environment, I'd tell the creators of the software that I'd be more than happy to help them out in their search for pirated software. I'd also let them know that we'd be terminating our contract with them immediately, as, if they're sending out that information, who knows what else they might be sending back to themselves? I'd also inform them to expect a letter from the legal department due to the fact that they may be snatching private corporate information from our boxxen.

  19. Too easy for a false 'pirate' by YrWrstNtmr · · Score: 4, Interesting

    Say you're a small shop. You have need of 3 copies of s/w package X.
    You go down to BigBox store, and buy 3 copies of X.
    Back at the office, you use one CD to load all the machines. Leave the other 2 in the shrinkwrapped boxes, on the shelf. Perfectly normal...happens all the time.

    The running s/w sees 2 other copies of the same s/n on the LAN, and phones home. PIRATE! PIRATE!

    You're 'legal'. You have paid your fees for the 3 copies. But Company X, due to their incorrect reporting and intrusive networking, thinks you are in violation. They send the BSA after you, with all the attendant fees.

    At this point, you're guilty until you can prove your innocence.

    Absolute BS, I say.

  20. Sounds like you need a better cracker! by Anonymous Coward · · Score: 1, Interesting

    Personally, when I crack software to remove limitations, nags, or enable hidden functionality for proper evaluation purposes, I always have faith in my firewall to detect these sorts of 'protections'. If it reports that the software is trying to phone home, then I deny it that ability for the current session. After that, I fire up my port monitor, re-load the software and log what's going on. It's usually a simple matter to prevent the execution of the offending code, and in the end I've produced another quality crack.

    My motto has always been: if a cracker is good enough to unlock the software without a serial number (or otherwise), then they should be good enough to circumvent the code that phones home.

  21. We've wanted to do this, too... by Tex+Bravado · · Score: 2, Interesting

    At the software company I work for, we have in the past had suggestions to employ similar phone-home schemes. Sometimes it's in the context of catching cheaters; more often it's a way to find what parts of the software people most use. That kind of data can be priceless; the user often isn't really conscious of what he uses, and only remembers the best and worst parts.

    We have always refrained. (But once at another job, a developer surreptitiously added a system call to email to himself a message every time his library was used; QA caught it, and he had his hand spanked.)

  22. Re:why not? by Anonvmous+Coward · · Score: 4, Interesting

    "Seriously folks I think lately we've forgotten that stealing is stealing, and if you're stealing a piece of software you should be punished for stealing a piece of software."

    That's fine provided due process is followed. Calling home and saying "I'm cracked" is not evidence of guilt. I have a piece of cracked software on my laptop. Am I guilty of piracy? Have I stolen anything? Absolutely not! I paid for the software. However, I cannot have a dongle sticking out of the back of my laptop. It's not worth risking breaking of the dongle, or worse, the laptop.

    End of story? Methinks not. If somebody installs cracked software they haven't paid for simply to evaluate it, have they stolen it? Ethically speaking, no. The fact of the matter is that you cannot return software. The only people who are truly guilty of committing theft are the people who acquire the software without paying for it, and make use of it.

    I would advise not trying to oversimplify this down to black and white. It is nowhere near as 'end of story' as you're making it out to be.

  23. Its not the same. by msimm · · Score: 2, Interesting

    It's not the same. When his spyware runs on my computer it's using my resources, my electricity. If it causes problems (and it will) it causes them on my computer. That's not even considering my privacy rights and concerns.

    My own beliefs are the same as Linus Torvalds: "He who writes the code chooses the license". If you don't like spyware, don't friggin run it. I don't.

    I don't think Linus was talking about either EULAs or spyware, so it's an irrelevant quote.

    You want to coerce me into running spyware? Don't bury it in a user agreement, come right out and make me click a radio button mentioning it directly, watch the popularity of the product drop and then decide if it's worth it.

    It's simply dishonest. I don't care if it's buried in some agreement, that's not good enough.

    --
    Quack, quack.
  24. Word story is not a legend by Tangurena · · Score: 2, Interesting

    Look at the old issues of Wired. It was a reporter for the NY Times that was nailed by the drive reformat. M$ support said it was a cracked copy, reporter got story on the front page. M$ quickly apologized and removed the misfeature.

  25. Hypocrite: Re:why not? by MrChuck · · Score: 2, Interesting
    The only thing I don't pay for is a second copy of MS software (windows/office)

    Dude, if you can't abide by the conditions that the authors have set: eg. price and license
    THEN DON'T USE THE FREAKING SOFTWARE

    I won't go into quality of the software, but I will touch on the fact that YOU CAN DO ALL OF THIS WITHOUT THEIR SOFTWARE.

    I read excel spreadsheets, I write lots of documents. I don't use Microsoft software in my life.

    I can afford it. I can't stand its LOW LOW quality (been writing milters to block today's virus/worm that our unix and macs won't get but is clogging up our servers.)

    You guys have postgresql, mysql, php, all the BSD and linux you can eat. Laptops that can run what our bigass VAX 780s struggled with. Jesus Freaking Christ. There's better software out there for FREE than was available 5 years ago commercially.
    And you're whining about how you think XP costs too much.

    Don't use it if you can't buy it. You have options. Take them.

  26. How is this different... by TechnoWeenie · · Score: 2, Interesting

    How is the following scenario any different from what this software is doing?

    I have a car. The car has a built in cell phone and GPS. If the car is stolen, the cell phone calls me and tells me the location of my car from the GPS. Am I now spying on the thief? Am I violating his right to privacy?

  27. What happened to respect for customers, privacy? by inkswamp · · Score: 2, Interesting

    I'm sure everyone here can sympathize with companies and individuals who are hurt by piracy and I feel that they have every right to pursue it in whatever way they legally can. But that's the problem. As soon as a company uses illegal or unethical methods to combat illegal and unethical abuse, they lose me as well as the moral upper-hand. There are plenty of ways to combat piracy without invading a customer's privacy and I think it behooves a company or developer to explore those avenues. Also, they need to accept that there is always going to be a segment of users who will use pirated software. And I'm not so sure that matters. I would assume that most people doing so wouldn't have paid for the software legitimately anyway, no matter what, so it's hard to say that any potential profit has been lost by anyone. Tactics like "phoning home" and convoluted registration methods, dongles and other nuisances only irritate paying customers and likely don't stop any piracy at all.

    --
    --Rick "If it isn't broken, take it apart and find out why."
  28. Apple anyone? by stubear · · Score: 2, Interesting

    Apple has been doing something like this for years. If you run software on a network and you try to use the same copy of software on two different systems at the same time, something will have to give. In this case, MacOS informs you that person x is using a copy of the software and then it quits the application until you close down the other copy or log off the network. I don't see /. breaking out the hayforks over this though.

  29. The company is making some poor assumptions... by softspokenrevolution · · Score: 2, Interesting

    The first poor thing is that the admin won't be uncomfortable with all of his people being spied on (let alone all of the end users that threaten him with death).

    The second is the assumption that the Admin is unaware that a cracked copy of software is being used, seriously all of this stuff costs well into the ridiculous range and there are more than a few companies who just say to hell with it all and let's just pretend like our lone copy is a site lease. Then they have to go through all sorts of trouble like pretending they care and making sure it doesn't happen the next time around.

  30. Bypassing CD detection by arth1 · · Score: 2, Interesting

    There's another good reason to trick a product into not requiring a CD: Security.

    Once you put a CD drive on a Windows computer, it no longer is red book class C2 certified. The obvious reason is that you can boot from a CD.

    Obviously, you don't download a cracked version from Russia or China to improve security, but using virtual CD drives or modifying registry keys to look other places is quite normal.
    And this might be enough to trigger a program into thinking it is running a cracked version -- when in reality it's an attempt to work around the flaws of the program, mainly that it requires a CD to be present.

    Regards,
    --
    *Art

  31. Entrapment by Zerbey · · Score: 3, Interesting

    Doesn't this fall under Entrapment laws, or does that just apply to law enforcement agencies?

    1. Re:Entrapment by praksys · · Score: 2, Interesting

      ...or does that just apply to law enforcement agencies?

      Yes, and in any case it wouldn't be a good example of entrapment. In order to qualify as entrapment it has to be the case that the defendant would not have committed the crime in question if not for some sort of enticement or encouragement on the part of a law enforcement officer. There is no encouragement to pirate software here.

  32. Re:Was it VisualRoute? by computer_chacham · · Score: 2, Interesting
    Yeah, I got caught trying to use a serial number that wasn't mine. The software didn't even install, but the next day my school got the following email, and told me that I better stop or I'd be in trouble. Six months later I downloaded a demo (legitimately!!) but they must have kept my MAC address on file, because they sent another email to the school accusing me of piracy, and the school had to escalate it because it was my second offense. Ughh. I carefully explained that I didn't do anything wrong, and they believed me, but I wouldn't be surprised if another school would have done unpleasant things to me under those circumstances.

    >*** COMPLAINT ***
    >Delivered-To: xxxxxx.upenn.edu
    >Date: Wed, 26 Feb 2003 07:01:33 -0500
    >To: dmca@isc.upenn.edu
    >From: piracy@visualware.com (Visualware Anti-Piracy)
    >Subject: Copyright Infringement #26764 (Software Piracy) --
    >165.123.xxx.xxx (xxxxxxxx.xxx.resnet.group.upenn.edu)
    >
    >Someone within your network attempted to activate our software using a
    >product license key they did not legally obtain. Attempting to convert our
    >trial software into fully registered software without paying for the
    >license key is software piracy and is a violation of copyright laws and
    >international copyright treaties, as well as other intellectual property
    >laws and treaties -- a violation of most AUP (Acceptable Use Policy) and
    >TOS (Terms of Service). The full log detail of product activation attempts
    >by this individual:
    >ip address: xxx.xxx.xxx.xxx [xxxxxxxx.hrn.resnet.group.upenn.edu]
    >local ip address: xxx.xxx.xxx.xxx
    >date/time: Wed Feb 26 05:59:42 EST 2003 (26 Feb 2003 10:59:42 GMT)
    >ethernet mac: 0040450xxxxx
    >user name: xxxxxx
    >computer name: xxxxxx
    >license key: VR-V7C1-0gHYa6oNysjvP7SsCXxxxxxxxxxxxxxxxxxxxxxxxx xx
    >product: VisualRoute (build 1913)
    >zone: en_US-05:00
    >This log information will enable you to track down the specific computer
    >used and many times the individual using the computer. For assistance in
    >interpreting this log information, important background / copyright
    >information, and tips on tracking down the individual responsible, please
    >refer to (consider this document included by reference):
    >
    >This document also includes (if applicable) DMCA notification information.
    >For more information about software piracy and copyright law, visit:
    >
    >We do not take anyone attempting to steal software licenses from us
    >lightly and would appreciate it if you would look into this software
    >piracy and take the appropriate corrective actions (have the responsible
    >party purchase a legal license or discipline the responsible party
    >according to your AUP/TOS).
    >Please let me know how this incident is resolved.
    >Jerry Jongerius
    >Chief Technology Officer
    >Visualware, Inc.
    >jerry.jongerius@visualware.com
    >[NOTE: piracy@visualware.com is an unattended mailbox. If you expect a
    >reply, send a plain text email to jerry.jongerius@visualware.com]

  33. Illegal in the UK by julesh · · Score: 2, Interesting
    From the Computer Misuse Act 1990:

    1.--(1) A person is guilty of an offence if--

    (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;

    (b) the access he intends to secure is unauthorised; and

    (c) he knows at the time when he causes the computer to perform the function that that is the case.

    (2) The intent a person has to have to commit an offence under this section need not be directed at--

    (a) any particular program or data;

    (b) a program or data of any particular kind; or

    (c) a program or data held in any particular computer.

    (3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.


    It might be a bit tricky to prove condition 1.(1)(c), but I think a good barrister would get it with no question.

    So, unless you authorised the original vendor of the software to acquire the information from your computer that it sends back, they can be given 6 months in prison (or more likely just the fine).
  34. Impartiality? by shrikel · · Score: 2, Interesting
    Do you feel software publishers should have the right to peer into users data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?

    <rant>

    That's a very loaded question. I don't purport that Slashdot needs to be impartial (like a good newspaper) or anything. But if opening questions are supposed to foster discussion and debate, shouldn't they allow two sides to enter the discussion ground on equal terms?

    I believe in privacy of data, and I usually agree with a good deal of what is said in these forums, but I'm not so zealous that I insist on absolute public anonymity (like some people who often post in these privacy-related topics). My view is unpopular, I know. But it seems like the system here is sometimes designed to (very subtly) push a certain agenda. And that's the editors' prerogative, I suppose, but I can't help but wonder if Slashdot would attract a slightly different crowd (and be somewhat more enjoyable to ME, at least) if it were more focused on expansion of awareness of other people's views than on railing on the same issues again and again with few new ideas ever finding a respected place in the discussion.

    That said, I DO agree in this case with the suggested opinion, but I still would like to hear what others might have to say.

    </rant>

    --
    Any sufficiently simple magic can be passed off as mere advanced technology.