Slashdot Mirror

← Back to Stories (view on slashdot.org)

Using Spyware to Report Pirates?

Posted by Cliff on from the do-the-ends-justify-the-means dept.

An anonymous reader asks: "I have visibility to AUP complaints we receive at work, and we receive messages from a software vendor that make it obvious that their product is phoning home when it discovers it is running a cracked copy of itself." Apparently the software phones home, and then the publisher's legal department sends the administrator an e-mail. "The message goes on to detail the users IP, a timestamp, the product in question, the users PC name, username, and MAC address. This falls under -my- definition of 'spyware.' What are your thoughts?" Software has been making surreptitious checks for "piracy" for over a decade, yet these checks are usually limited to the software itself, and not data on the user's machine. Do you feel software publishers should have the right to peer into users data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?

19 of 1,013 comments (clear)

  1. What we want to know... by Jeremiah+Cornelius · · Score: 5, Interesting

    Just WHO is this publisher?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:What we want to know... by wo1verin3 · · Score: 5, Interesting

      I'd still like to know what publisher does this, and if my company is a customer of this company which decides to spy on our systems without permission then I would a) ensure we move to another software vendor and b) make the company aware of why we choose to move to another vendor.

    2. Re:What we want to know... by innosent · · Score: 4, Interesting

      That's a great idea, from all perspectives, but taking it one step further, when it checks for updates, the server should check the serial number against a list of known/suspected pirated numbers. If the serial number is bad, then send dummy updates, ones that force the program to say: "this program is not registered, please call 800-URF-CKED".

      If you do it this way, then the real license holder will call to find out why it doesn't work, at which point you can try to find out why their serial number is pirated. Something like this could have prevented the 112-1111111 M$ thing from ever happening, without screwing things up for the end user. Put reasonable limits on how many duplicate licenses you can have, and if you've seen too many, put that number on the list. You won't stop the first few pirated copies, but you'll stop the last 90,000, and you'll find out who leaked the number in the first place. As an extra feature, for corporate keys, you could restrict it to the corporation's IP block.

      Damn, maybe I should patent that... Oh well, consider it prior art.

      --
      --That's the point of being root, you can do anything you want, even if it's stupid.
    3. Re:What we want to know... by Tongo · · Score: 5, Interesting

      On my machines I run Sygate Personal Firewall. I have it set to block traffic based on application, not port number (although that MAY be possible also). If an application doesn't have defacto permission to access the internet it will ask me. The I set it to allow my most used applications through without prompting. Works quite well actually. It is amazing the amount of stuff that is trying to call out all the time.

    4. Re:What we want to know... by dolo666 · · Score: 5, Interesting

      What if it's wrong? What if you really paid for the software and someone *else* cracked it and passed it around?

      Some of the appz/games in stores get cracked and put back on shelves. It happens all the time. And how many of you keep your sales receipt, box or even CD? I have software running that is paid for but I don't have evidence that I bought some of it; I still have a right to run it.

      The problem is that while this monitoring is a good idea in theory, there are too many variables that would trigger reasonable doubt in court. This would tie up a court for quite some time with possibly unreliable evidence garnered as reasonable.

    5. Re:What we want to know... by DaCypher · · Score: 5, Interesting

      What if that application, say, an FTP client, requires access to the internet to do its job? So you allow it access to the internet for this purpose, but could it still sneak its connections in to its home server since the firewall assumes this is legitimate behavior?

    6. Re:What we want to know... by MrBlue+VT · · Score: 5, Interesting

      I run cracked versions of video games all the time. Why? Because I've stolen it? No, because I don't want to have to stick the damn CD in the drive everytime I want to play the game. Nothing is more annoying than the stupid "copy protection" that makes you hunt around for the particular game cd and then put it in your machine (heaven forbid you are using the cdrom at the same time to play music or burn a cd!).

    7. Re:What we want to know... by _xeno_ · · Score: 5, Interesting
      I'm disappointed by the replys so far. I keep on getting these two conflicting vibes from people on Slashdot - some people who seem to really want Linux to succeed on the desktop and therefore have companies write software for it (like, say, games or video codecs...), and people who seem to want to keep the "non-free polution off their system."

      If Linux is to succeed on the desktop, then third parties must be allowed to write closed-source applications for Linux. (If, for no other reason, than to allow custom buisness software to continue to run on the systems.) In that case, a vendor very well could include spyware, and being able to block just that application would be very nice.

      Can Linux block net access by individual program? I don't know - I think netfilter may be able to be hacked to do it, but I'm not 100% sure. (It looks like it might be possible to write a netfilter module to do it, but it may require modifying the netfilter system itself, which would involve kernel hacking. When I wrote this, www.netfilter.org was not responding, so I'm guessing based on documentation on other sites and what was available through the Google cache.)

      Does this make Linux on the desktop less secure than Windows? Well, erm, not really. The Windows default firewall only exists in XP (or maybe some SP added it to previous versions, I dunno), and it blocks based on ports. Third-party firewalls like ZoneAlarm and the aforementioned Sygate Personal Firewall can block based on application.

      So Linux is no more secure than Windows on its own. Add in some more software, and it can be. The next question is: if Windows had this feature, and Linux did not, would Linux on the desktop be less secure than Windows? I think the answer is yes, based on the idea that Linux on the desktop must be capable of using closed-source software, and that such software would be prevelant on a successful Linux desktop, and that there would exist users for the software.

      Dismissing Linux as safe because there currently is no real spyware out for the Linux desktop does not really address the question. Assuming there were, it would be nice to be able to block just one application. Blocking a port would not be enough (since it could just use 80, then no web browsing for you...). Blocking an IP is the obvious "right way" but it still might not be the best solution if that cuts your off from the webpage or other important service.

      So being able to block by a given application is probably better than only by packet info (like IP, port, flags, etc.). If the question were simply "OS/A can block net access by application, is it more secure than OS/B that cannot" would people still say "OS/A is more secure because it's open source?" Or is this an emotional response based on the fact that it was Linux vs Windows?

      --
      You are in a maze of twisty little relative jumps, all alike.
    8. Re:What we want to know... by Lshmael · · Score: 5, Interesting

      That's the point. That conflicts with the entire practice of people being innocent until proving guilty. Since it is a former attorney general saying it, the poster was implying that the government does not care about trampling on civil rights in its relentless pursuit for "justice." Meese was saying, "If we think you did something wrong, you did. No questions. Stop talking. 2 + 2 = 5."

      Where does the madness stop? What is the publisher had disabled the computer or reformatted the hard drive? Would that be justified? What is the software was actually *NOT* pirated?

  2. Depends on how you look at it I suppose. by ShadowBlasko · · Score: 4, Interesting

    Its been going on for quite some time now.

    You use the illegal software, I don't see any reason why someone who's life work might involve *writing* said software would not want to catch you pirating/using is Illegally.

    I'n not all that sure how I feel about the users computer information being fired off in an email, but I have always considered that a possibility in the past. Seems like I was right.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order- Ed Howdershelt Via Tass
  3. Another question... by Decaffeinated+Jedi · · Score: 5, Interesting
    Is it spyware if it's mentioned in the User Agreement that you accepted?

    DecafJedi

    --
    DecafJedi
    my weblog: apropos of something
  4. Active copy protections... by Satan's+Librarian · · Score: 4, Interesting
    It's spyware. I think active copy protections such as that are stupid anyway - what happens if the user is legitimate, but either had a file corrupted or a virus infected it? I'd assume they are just doing an MD5 hash of their software at best for the check for cracks, and a parasitic .exe virus would set it off right away. So would some older methods of file innoculation, random disk/transfer corruption, and a whole lot of other things.

    There's a legend that Microsoft actually encountered this back with Microsoft Word 1.0 - it formatted the hard drive if the CRC of the program changed. Bad karma there, hosing innocent users if they got infected. (BTW - I've seen Vesselin Bontchev reference it here and other places, but it could just be he picked up a convenient rumor. Anyone have verification of this story?

    If it's not documented in the EULA for the product, it might even be a potential civil suit against the company. Doesn't Europe have fairly restrictive privacy laws that could come into effect here? Could be criminal there if so, especially if it misfired on an innocent user. Although of course - IANAL.

    BTW - what product?

    --
    I write code.
  5. What if it was a legit version? by ad0gg · · Score: 4, Interesting

    With the game Black and White that I own, the cd copy protection gave my computer so much problems and the only solution the publisher gave me was to install a new cdrom, so I was forced to install the cd crack to actually play the game. I'd hate to be labeled a pirate and taken to court because I actually wanted to play a game I legally purchased(Hell I preorded).

    --

    Have you ever been to a turkish prison?

  6. Re:why not? by vDave420 · · Score: 5, Interesting
    Troll, but I will bite anyway.

    As someone who makes a living writing peer-to-peer software, I completely disagree that "STEALING IS STEALING" as you say.

    I don't want to get into semantics with you, but here goes:
    Stealing involves the deprivation of someone's property, removing thier ability to benefit from it. (paraphrase)

    Information "theft" is not really theft or stealing.

    Thousands of my users probably "steal" my software, but guess what! I DON'T CARE! It is information, which I CANNOT OWN!

    Noone, corporation or individual, has a right to profit.

    Everyone has a NATURAL right to consume and reproduce information. How do I know? Look how we are physically built, for crying out loud!

    Let me close with this somewhat fanatical thought: Every month new ground is broken in the attempt to produce objects by piecing them together molecule by molecule.

    Now, it will probably take longer than my lifetime to occur, but EVENTUALLY you all will be able build a generic THING from its component molecular pieces.

    Consider this "future" world for a moment: No more scarcity, no more hunger, no more epidemics caused by lack of medicines.

    Now consider the same world, with *your* "STEALING IS STEALING end of story" claim: Should the first person/company that creates a new molecular structure have a monopolistic control over said structure? Should you be able to produce (from scratch, not by "physically stealing") a replacement Brake Pad for your car without paying Ford for the privelidge? What about creating your very own "claritin-like" substance for your allergies? Should you have to pay Mosanto?

    I stated before, and firmly believe, that information wants to be worthless, in an economic sense. Information has no "owner" that I recognize, and, as such, I do not consider the "copying" of information to be "theft".

    If someone broke into my office and stole the computer I was writing my source code on, then THAT is theft of information, as it has deprived me of it.

    If someone copies (without my permission) my program and uses it without paying me, oh well! I haven't been deprived of anything! I still have my program! The only thing I *may* have lost is potential profits, but NOONE HAS A NATURAL RIGHT TO PROFIT! NOONE!
    (Thats why "Step 2: ???" is so common! heh)

    In the above "idealistic copying world" example above, noone could profit! There would be no object scarcity, therefore (almost) no intrinsic value to *ANYTHING*, let alone "strictly informational things."

    Time to end this rant, but PLEASE PLEASE consider:
    The end result of personal "posession & ownership" of information, combined with monopolistic control, and the added "Lets consider artificial entities with the stated goal of financial wealth accumulation (corporations) the same as people, with the same 'rights' to own information, etc, is a CORPORATE FEUDAL SYSTEM, not the (what I consider) ideallic, everything-copying society that we COULD have then.

    The road we are starting down today is leading us towards the scarier of the two, I believe.

    -vDave-

    {dave -at- bearshare -dotcom-}

    Help me out, and use BearShare for all of your p2p (INFORMATION COPYING) needs!

    --
    The pig browse. With Google. Sigh is to the chicken. Chicken is fool. Giggle. The DailyWTF giggle.
  7. Re:why not? by pla · · Score: 5, Interesting

    Seriously folks I think lately we've forgotten that stealing is stealing, and if you're stealing a piece of software you should be punnished for stealing a piece of software.

    And for those situations where stealing doesn't mean stealing?

    Two trivial examples that I suspect most us us could get "caught" for:

    First, a friend purchased (completely legal, nothing unkosher whatsoever, not even grey-market) a copy of Age of Empires - AoK. It has a rather annoying copy protection scheme, however, which annoys legitimate users (whereas pirates just run a cracked version with no hassles at all). So the solution? He uses a cracked copy of the game. A stupid software test for known program cracks would flag him as "stealing", yet he did no such thing.

    Second, and even more difficult to deal with - I have all of my CD collection on my HDD, since I only ever listen to them while at the computer. Legal format-shifting as allowed even by the DMCA. Yet, can I "prove" to some stupid spyware bot that yes, in fact, I really do own the CD? Nope. And even if I could, I shouldn't NEED to; my computer serves me, I do not serve my computer.


    More important than false positives, though, we should consider the issue of why we buy software in general. If I buy a game, I buy it to play that game. If nowhere in the documentation (or preferably, on the outside of the packaging) does it describe its "RIAA-friendly anti-piracy technology", it damn well better not have any. I don't buy software to spy on me, I buy it to do the task it describes itself as performing. Nothing more, and nothing less.

  8. Re:why not? by tomhudson · · Score: 4, Interesting
    Simple solutions:
    1. Unplug the phone jack/ethernet card
    2. Find out where its' sending packets to, and edit your hosts file on your proxy/firewall accordingly
    3. Remove the software (duh!)
    Or, to take the parent posters' idea of a virus (actually, a worm) to the next step, have it scout the net looking for legit copies, and installing the crack on their machines. So even legit customers would end up "phoning home".

    Seriously, just remove the software. If it does something you want/need, you have three choices:

    1. buy a legit copy
    2. develop a competing product
    3. put up with the knowledge that it is phoning home
    Mind you, if I wrote it, I wouldn't have it phone home, - I'd have it phone a (very) expensive 900 number (say, $50.00 a call) that I'd own, and you'd end up paying for your license when you got your next phone bill :-)
  9. Where is the crime in spyware? by mec · · Score: 4, Interesting

    So the (alleged) spyware sends copies of certain information about your computer back to the company that produced the software.

    The user still has all the information they started with. No one has been deprived of any information. All that has happened is that an additional copy of this information has been created and distributed.

    In order to object to this, you have to admit that some information does have owners, and also that it is wrong to copy information without the consent of the owner.

    Then, this being slashdot, you have to do a little song and dance, like this: "when other people create music and software and movies, and I make a copy of their stuff, it's fine. But when someone else makes a copy of information from me without my consent, that's wrong!"

    Your information wants to be free; my information wants to be private. See?

    My own beliefs are the same as Linus Torvalds: "He who writes the code chooses the license". If you don't like spyware, don't friggin run it. I don't.

  10. Too easy for a false 'pirate' by YrWrstNtmr · · Score: 4, Interesting

    Say you're a small shop. You have need of 3 copies of s/w package X.
    You go down to BigBox store, and buy 3 copies of X.
    Back at the office, you use one CD to load all the machines. Leave the other 2 in the shrinkwrapped boxes, on the shelf. Perfectly normal...happens all the time.

    The running s/w sees 2 other copies of the same s/n on the LAN, and phones home. PIRATE! PIRATE!

    You're 'legal'. You have paid your fees for the 3 copies. But Company X, due to their incorrect reporting and intrusive networking, thinks you are in violation. They send the BSA after you, with all the attendant fees.

    At this point, you're guilty until you can prove your innocence.

    Absolute BS, I say.

  11. Re:why not? by Anonvmous+Coward · · Score: 4, Interesting

    "Seriously folks I think lately we've forgotten that stealing is stealing, and if you're stealing a piece of software you should be punnished for stealing a piece of software."

    That's fine provided due process is followed. Calling home and saying "I'm cracked" is not evidence of guilt. I have a piece of cracked software on my laptop. Am I guilty of piracy? Have I stolen anything? Absolutely not! I paid for the software. However, I cannot have a dongle sticking out of the back of my laptop. It's not worth risking breaking of the dongle, or worse, the laptop.

    End of story? Me thinks not. If somebody installs cracked software they haven't paid for simply to evaluate it, have they stolen it? Ethically speaking, no. The fact of the matter is that you cannot return software. The only people who are truely guilty of commiting theft are the people who acquire the software without paying for it, and make use of it.

    I would advise not trying to oversimplify this down to black and white. It is nowhere near as 'end of story' as you're making it out to be.