Using Spyware to Report Pirates?
An anonymous reader asks: "I have visibility to AUP complaints we receive at work, and we receive messages from a software vendor that make it obvious that their product is phoning home when it discovers it is running a cracked copy of itself." Apparently the software phones home, and then the publisher's legal department sends the administrator an e-mail. "The message goes on to detail the user's IP, a timestamp, the product in question, the user's PC name, username, and MAC address.
This falls under -my- definition of 'spyware.' What are your thoughts?" Software has been making surreptitious checks for "piracy" for over a decade, yet these checks are usually limited to the software itself, and not data on the user's machine. Do you feel software publishers should have the right to peer into users' data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?
Just WHO is this publisher?
"Flyin' in just a sweet place,
Never been known to fail..."
So that's why my copies of OpenServer and UNIXWARE keep pingflooding kernel.org...
You can't judge a book by the way it wears its hair.
It's been going on for quite some time now.
You use the illegal software, I don't see any reason why someone whose life work might involve *writing* said software would not want to catch you pirating/using it illegally.
I'm not all that sure how I feel about the user's computer information being fired off in an email, but I have always considered that a possibility in the past. Seems like I was right.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order- Ed Howdershelt Via Tass
Seriously folks I think lately we've forgotten that stealing is stealing, and if you're stealing a piece of software you should be punished for stealing a piece of software. It seems as if we look beyond the crime far too often lately and we forget the obvious... STEALING IS A CRIME... end of story.
transmission_err
I have no problem with this, as long as it is in the agreement box, or they make it clear that it will collect the user data and send it to the company if the software checks itself to be a crack.
You don't like it then don't use it.
DecafJedi
my weblog: apropos of something
Or should we brutally rape blue haired old ladies?
What kind of question is that?
Software has every right to phone home. It's what software does, i.e. it executes code that it was told to execute. If you believe (as I believe) that software has the right to be Free (as in Freedom), then you have to be in favor of software publishers reserving the right to verify that you are not using their software in violation of agreement (or lack thereof in the case of warez).
Freedom for software also entails Freedom for developers, though sometimes these are quite at odds. In those cases the developers' Freedom ought to take priority over the software.
In any application where data is sent from within the company (or home) consent is vital. Perhaps you would argue that stealing the software removes the obligation to ask for consent, but the potential for the software to mistakenly think it is pirated is too high.
POPFile has an option to check to see if there's a new version available. It's incredibly innocuous: it hits a server and checks its version number, the server junks its logs daily. I keep no record. This was initially on by default but people were upset, it's now off.
The simplest solution is that a piece of software that thinks it is pirated start warning 30 days before it's going to shut itself off to give the user a chance to do something and finally disable itself. That is effective and friendly.
And get yourself a copy of ZoneAlarm so that you can see which apps would like to talk to the outside world.
John.
I seem to remember that a vendor did this to the DoD like in the early 80's. I also thought the DOD took them to court and won. I can't see how it is legal unless it is in the licensing agreement.
There are clauses in some EULAs that note these features. Shareware/crippleware uses "call home" functionality with a good rate of success since the software is not modified by pirates/crackers who simply supply a serial or keygen and a link to download the crippled version.
It's not spyware, it's a fucking anti-theft system. Don't like it? Don't steal it.
Arrrr Matey, light the cannons and blow them uptight anglo uppity software developers to smithereens!
Okay, this one seems simple enough.
Let's say I am a small book publisher. I publish books about historical battles. I find out that there is someone out in the world who, instead of buying a copy of my book, has simply photocopied a friend's purchased copy of the book.
Now, let's say I track this person down. Then let's say I break into their house. Then let's say I rifle through all of their belongings. Let's say I get their credit card number, bank PIN number, passwords, social security number, medical history, personal communications, personal habits and all of this information for each person in their family, too. Then let's say I take all of this data and give it to the police or the government. Or maybe I even go much further and just burn the house down with everyone in it.
Was I justified? I mean, I must be right? After all the person had a photographed copy of my book and didn't pay me the $39.95 for a legitimate right to read it...!
There's a legend that Microsoft actually encountered this back with Microsoft Word 1.0 - it formatted the hard drive if the CRC of the program changed. Bad karma there, hosing innocent users if they got infected. (BTW - I've seen Vesselin Bontchev reference it here and other places, but it could just be he picked up a convenient rumor. Anyone have verification of this story?)
If it's not documented in the EULA for the product, it might even be a potential civil suit against the company. Doesn't Europe have fairly restrictive privacy laws that could come into effect here? Could be criminal there if so, especially if it misfired on an innocent user. Although of course - IANAL.
BTW - what product?
I write code.
filter the ports at your firewall. Problem solved, right?
Beware, Nugget is watching... See?
Ultimately if you get taken to court because of a copyright violation that was discovered because the cracked software phoned home, I doubt the court will grant you much leeway.
If the software's anti-theft tracking was being put in place by the police, that would be a violation of the fourth amendment. On the other hand, this is being done by a private corporation which has far more rights.
Think about LoJack, the car anti-theft mechanism, that tracks the car. Isn't that effectively the same thing? That's perfectly legal.
I don't like the notion of a company installing such spyware because there's little guarantee that they are only reporting pirates. Furthermore, what's to keep them from reporting subtle violations of the license agreement that aren't in fact illegal under copyright law. Once the spyware is there, there's effectively no limit on what it can do.
This sig has been temporarily disconnected or is no longer in service
How many packets does your machine send out that you have not looked at personally ? Mine does that *all* the time (I don't have the time nor the resources to check them all).
:)
This means that if say MS is checking the contents of my machine and starts harassing me over possibly illegal software that I would have no way of knowing that the info was retrieved using spyware. It's the stupidity of the 'presentation' that gives this one away, if they were a bit more clever about it you'd never have known that it was spyware related.
The best way to avoid this kind of trouble is to go completely open source or make sure your licenses are paid up.
are you on the grapevine yet ?
MP3 Search Engine
Does anyone know where there's a list of spyware that does this? I'd like to see what programs to avoid stealing.. uhr.. I mean buying.
riding round the world on an old motorcycle
With the game Black and White that I own, the CD copy protection gave my computer so many problems and the only solution the publisher gave me was to install a new CD-ROM, so I was forced to install the CD crack to actually play the game. I'd hate to be labeled a pirate and taken to court because I actually wanted to play a game I legally purchased (Hell, I preordered).
Have you ever been to a Turkish prison?
Acceptable Use Policy, standard to most Internet Services Providers (AKA ISPs).
:)
PS - AKA Stands for Also Known As.
PPS - PS stands for... eh, forget it
I can't tell, but I'm assuming that you work at an ISP (AUP complaint?). Why on earth would you care about this information?
"Oh no! One of our users is doing something illegal and it has nothing to do with us! Quick, pull the plug on him!!!"
Seriously...unless you are law enforcement, what could you possibly do with this information? If I wrote your ISP and told them I saw you smoking pot, should I expect them to pull the plug on your connection??? How is this any less ridiculous?!?
"The market alone cannot provide sufficient constraints on corporation's penchant to cause harm." -- Joel Bakan
How exactly would a program go about detecting accurately whether it's cracked? I'd hate to get a virus infection, which changed the executable slightly, and then end up being accused of cracking the software.
Acceptable Use Policy - a document you sign that states regulations, etc. for the system/network you're part of. My school makes me sign one that disallows, for example, installing software on school computers and other stuff like that.
I meta-mod all positive moderation Unfair, because it's abuse of the system.
Ok, so if the program is smart enough to discover that it's a cracked copy of itself, why doesn't it just not start up and prevent the user from using the cracked copy?
[alk]
you need to tighten up your firewall!
If you don't even know which software or machine is communicating with which outside hosts, don't be surprised when you find out some inside box is relaying spam or leaving out the welcome mat for unwelcomed visitors.
In any case, what exactly prevents you from naming the offending software? Why speak in generalities and obfuscation?
Anyway, they absolutely should be free to use such methods. Of course, we are all free to not use their software if we don't like their methods.
That is, if whoever started all this would step up to the plate and tell us who the publisher is...
Given that you undoubtedly agreed to allow the proprietary software to do a full body cavity search on you when you clicked through the EULA, the publisher has the right to do just that. Even if you're using a "legal" copy.
YOU have the right to refuse to use binary-only, spyware infected, jump-through-hoops licenced programs. Use Free Software instead.
"But I depend on the proprietary software to do my job." Then support the Free Software movement so someday you won't need to depend on proprietary software anymore.
Erm...while I grant you that in a civil case the rules of evidence will be much more lenient than in a criminal one, there are statutes related to industrial espionage which you could cover yourself with.
IANAL etc etc, but I am under the impression that, unless you explicitly agree to a function which is not arguably part of the 'core' raison d'etre of the software, things like collecting information without someone's consent on legitimately licensed PCs could be construed as breaking and entering, or the digital equivalent.
If the software only does this for unlicensed copies, I wonder whether you couldn't use a similar strain of argument (license was not active for arcane technical reasons, whatever.)
Admittedly, without starting an argument about it, I don't have strong moral qualms about piracy, and I do believe there are certain limits as to what's allowed in terms of evidence collection/snooping even if you are doing something legally "wrong".
Frankly, I think companies should try to use free/open software anyway if they can, so this never even becomes an issue (ask SCO!)
Cole's Law: Thinly sliced cabbage
Personal Firewall is the best approach to keep software from "phoning home".
You need to use your best judgement - when and why an application connects to the internet. Deny all connections by default.
Call the company. Say you found the user and pirated software, and appreciate their notice. Tell them the software has been deleted and the user has been reprimanded. Tell them you have banned said software company wide because your company does not use pirated software - or spyware.
I write code.
There's always the danger that a disgruntled employee could plant a cracked version of the software on a company computer.
And what about shared laptops. Somebody loads on some software while attending a conference and then hands the machine back.
Some floating software licensing schemes work on using IP addresses, MAC addresses, monitoring the real-time clock to make sure dates don't change. What if one of these circuits fails (stray cosmic rays, power surge), does that automatically make the user a criminal?
Sure, software companies have the right to protect their software, but I don't think they have the right to allow their applications to automatically generate crime reports. It would be more for the application to request new short-term licenses and deny access than do anything destructive. If an application can detect that it has been cracked then it should just refuse to work.
So the (alleged) spyware sends copies of certain information about your computer back to the company that produced the software.
The user still has all the information they started with. No one has been deprived of any information. All that has happened is that an additional copy of this information has been created and distributed.
In order to object to this, you have to admit that some information does have owners, and also that it is wrong to copy information without the consent of the owner.
Then, this being slashdot, you have to do a little song and dance, like this: "when other people create music and software and movies, and I make a copy of their stuff, it's fine. But when someone else makes a copy of information from me without my consent, that's wrong!"
Your information wants to be free; my information wants to be private. See?
My own beliefs are the same as Linus Torvalds: "He who writes the code chooses the license". If you don't like spyware, don't friggin run it. I don't.
Here are two more I have noticed that do the exact same thing:
1. Admuncher http://www.admuncher.com/
2. Evidence Eliminator http://www.evidence-eliminator.com/
I found a quick (& better) replacement for Admuncher in the new Google toolbar (http://toolbar.google.com/) to get rid of popups.
Evidence Eliminator is crap, don't need a replacement.
In either of these cases they take you to a page showing your IP address with what they think is a scary message. If you do use a cracked version make sure your Windows installation does not carry your Original Name / Location and that your IP address is dynamic.
Siggy Say, Siggy Do
Say you're a small shop. You have need of 3 copies of s/w package X.
You go down to BigBox store, and buy 3 copies of X.
Back at the office, you use one CD to load all the machines. Leave the other 2 in the shrinkwrapped boxes, on the shelf. Perfectly normal...happens all the time.
The running s/w sees 2 other copies of the same s/n on the LAN, and phones home. PIRATE! PIRATE!
You're 'legal'. You have paid your fees for the 3 copies. But Company X, due to their incorrect reporting and intrusive networking, thinks you are in violation. They send the BSA after you, with all the attendant fees.
At this point, you're guilty until you can prove your innocence.
Absolute BS, I say.
Um, what? You might have a point if the software in question searched the user's hard disk for these pieces of information, but it's not. According to the post, the information sent from the program to a remote server is:
"the users IP, a timestamp, the product in question, the users PC name, username, and MAC address."
Every single piece of information transferred is accessible through the use of other, perfectly legitimate pieces of software, unlike medical records (which require a plausible reason to access); it should be clear that this program is not 'rifling through anyone's belongings.' And the mentioning of burning down the house is completely absurd; nobody is considering giving this data to law enforcement agencies or blowing up the user's computer if it's running pirated software (to relate your analogy to the situation being discussed). Please take your slippery slope arguments elsewhere.
the coolest club on
At the software company I work for, we have in the past had suggestions to employ similar phone-home schemes. Sometimes it's in the context of catching cheaters; more often it's a way to find what parts of the software do people most use. That kind of data can be priceless; the user often isn't really conscious of what he uses, and only remembers the best and worst parts.
We have always refrained. (But once at another job, a developer surreptitiously added a system call to email to himself a message every time his library was used; QA caught it, and he had his hand spanked.)
It's not the same. When his spyware runs on my computer it's using my resources, my electricity. If it causes problems (and it will) it causes them on my computer. That's not even considering my privacy rights and concerns.
> My own beliefs are the same as Linus Torvalds: "He who writes the code chooses the license". If you don't like spyware, don't friggin run it. I don't.
I don't think Linus was talking about either EULAs or spyware, so it's an irrelevant quote.
You want to coerce me into running spyware? Don't bury it in a user agreement, come right out and make me click a radio button mentioning it directly, watch the popularity of the product drop and then decide if it's worth it.
It's simply dishonest. I don't care if it's buried in some agreement, that's not good enough.
Quack, quack.
Look at the old issues of Wired. It was a reporter for the NY Times that was nailed by the drive reformat. M$ support said it was a cracked copy, reporter got story on the front page. M$ quickly apologized and removed the misfeature.
> Your information wants to be free; my information wants to be private. See?
You're mixing up private and public with commercial and free.
Private means that no one else should have, the rest, free or commercial is public.
Commercial means that you can have it - for a price, and free means just that, for free.
When people say that information should be free, they mean that all public information should be free. If you make a speech at a meeting, or a concert performance, they claim that you should be able to do whatever the hell they want with the information you gave, including but not limited to recordings of it.
That does not mean they have the right to read your personal diary to find out what you mean about the same issues, or record you singing in the shower. What you're looking at here is a program that is illegally* transmitting private information to others. (* they may have a CYA clause in the EULA)
Copyright could be abolished, but there would still be private and public, and laws against invasion of privacy. Whether that would be a wise decision or not though, is another story...
Kjella
Live today, because you never know what tomorrow brings
That's not to say that I necessarily agree with all IP related laws. I think the reason for copyright given in the US constitution (to promote the progress of science and useful arts) is a reasonable one but the protections given should be a minimum to achieve the desired effect of promoting invention.
In the long term I see that there could be great danger in steering an economy to a place where it relies too much on artificial scarcity. It could well turn out to be a house of cards.
Boffoonery - downloadable Comedy Benefit for Bletchley Park
Dude, if you can't abide by the conditions that the authors have set: eg. price and license
THEN DON'T USE THE FREAKING SOFTWARE
I won't go into quality of the software, but I will touch on that fact that YOU CAN DO ALL OF THIS WITHOUT THEIR SOFTWARE.
I read excel spreadsheets, I write lots of documents. I don't use Microsoft software in my life.
I can afford it. I can't stand its LOW LOW quality (been writing milters to block today's virus/worm that our unix and macs won't get but it's clogging up our servers.)
You guys have postgresql, mysql, php, all the BSD and linux you can eat. Laptops that can run what our bigass VAX 780s struggled with. Jesus Freaking Christ. There's better software out there for FREE than was available 5 years ago commercially.
And you're whining about how you think XP costs too much.
Don't use it if you can't buy it. You have options. Take them.
How is the following scenario any different from what this software is doing?
I have a car. The car has a built in cell phone and GPS. If the car is stolen, the cell phone calls me and tells me the location of my car from the GPS. Am I now spying on the thief? Am I violating his right to privacy?
I'm sure everyone here can sympathize with companies and individuals who are hurt by piracy and I feel that they have every right to pursue it in whatever way they legally can. But that's the problem. As soon as a company uses illegal or unethical methods to combat illegal and unethical abuse, they lose me as well as the moral upper-hand. There are plenty of ways to combat piracy without invading a customer's privacy and I think it behooves a company or developer to explore those avenues. Also, they need to accept that there is always going to be a segment of users who will use pirated software. And I'm not so sure that matters. I would assume that most people doing so wouldn't have paid for the software legitimately anyway, no matter what, so it's hard to say that any potential profit has been lost by anyone. Tactics like "phoning home" and convoluted registration methods, dongles and other nuisances only irritate paying customers and likely don't stop any piracy at all.
--Rick "If it isn't broken, take it apart and find out why."
Apple has been doing something like this for years. If you run software on a network and you try to use the same copy of software on two different systems at the same time, something will have to give. In this case, MacOS informs you that person x is using a copy of the software and then it quits the application until you close down the other copy or log off the network. I don't see /. breaking out the hayforks over this though.
I have long been wondering why Microsoft doesn't employ this technique in Windows. (And don't flame me for using those two cuss words here. *grin*) Their licensing issues would stop, 'Windows Product Activation' would disappear, and all the headaches associated with pirated copies of their software would just stop. And they would save a lot of money that way. Any time a Windows box boots, it calls home and identifies itself with its product key. If that product key is already identified as running, both machines then shutdown. Makes more sense to me than Activation.
... And I really don't like the idea of software programs running as spyware. How do I *know* that it's not transmitting out personally identifiable information? I don't. That's an inherent danger of the Internet age. When you plug your computer into a network, you take the risk that something on your computer could be retrieved or sent without your permission. Should it happen? No, of course not. But then again, consumers are getting screwed left and right.
...
Personally, I'm not an advocate of spyware. Almost on a daily basis, I run my spyware checker and delete any unidentified directories under 'C:\Program Files'.
Hey, we could just do away with the Internet, unplug our computers, and go back to DOS in the 1980's
Who's with me?
Seth Anderson BTW, I'm not 23 anymore -- I am TexasCowboy26 now. =)
The first poor thing is that the admin won't be uncomfortable with all of his people being spied on (let alone all of the end users that threaten him with death).
The second is the assumption that the Admin is unaware that a cracked copy of software is being used, seriously all of this stuff costs well into the ridiculous range and there are more than a few companies who just say to hell with it all and let's just pretend like our lone copy is a site lease. Then they have to go through all sorts of trouble like pretending they care and making sure it doesn't happen the next time around.
If a software publisher prices their software "out of the market" then a potential user has two recourses: 1. don't use it; 2. pirate it.
If the software publisher's decision is inappropriate (i.e., the value is $50 but they charge $2,000), then the user can't be blamed for pirating it. I mean, they can be, but let's face it you can't return software you don't like (because "you might pirate it"), so the default behavior is, pirate it to make sure you like it. Then, if you so choose, pay for it.
I think it's super cool though, that publishers are going to more and more draconian levels in order to "protect their profits" because it just makes open source/free software that much more attractive.
See the Ernie Ball story for more details. (I love that I saw the Ernie Ball and the optic-fiber sponge stories on Excite last night, and then saw those two posted here today.)
I feel fantastic, and I'm still alive.
In civil cases, the standard is "a preponderance of evidence." Remember, civil cases involve two private entities coming to the state to settle a dispute. At the outset, the law has no judgement about which private party is correct; final judgement is issued based on who presents the most compelling evidence to support their side of the story.
There's another good reason to trick a product into not requiring a CD: Security.
Once you put a CD drive on a Windows computer, it no longer is red book class C2 certified. The obvious reason is that you can boot from a CD.
Obviously, you don't download a cracked version from Russia or China to improve security, but using virtual CD drives or modifying registry keys to look other places is quite normal.
And this might be enough to trigger a program into thinking it is running a cracked version -- when in reality it's an attempt to work around the flaws of the program, mainly that it requires a CD to be present.
Regards,
--
*Art
Doesn't this fall under Entrapment laws, or does that just apply to law enforcement agencies?
We found him, the guy/gal that actually READS the EULAs...
So, dear sweet Tooth, can you answer a few questions for the /. crowd? How does it feel, just after you read a few thousand lines of Mumbo-Jumbo? Do you understand it all? Do you think you can now remove the IANAL from your posts? Or did you think it is just "the right thing to do"?
Next, on Slashdot : AC, or not AC !!!
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
I dunno, I run the same pirated copy of Norton Antivirus and Norton Internet Security on every Windows PC I've got, and the Live Update works correctly on all of them.
Most OEM versions of AV expire in 90 days, retail in 365, but most computers just come with the 90 days worth. The goal being to get you to pay the $10 to extend your access to their network for another year. Personally, I just set the clock back a year when I run update. I guess you could boot your new computer with a floppy the first time, and set the clock ahead two years before it fires up, so the AV software time stamps that it expires two years and 3 months from now.
Or buy the retail version and set your clock ahead while you install, and put it on all your computers.
Or just uninstall and reinstall the AV every year (if it's retail version and you have the disk)
Yea, there are lots of ways to pirate it. But they still really want you to pay THEM directly to update for another year, since they don't have to share that money with retailers. They pretty much give away that 90 day version anyway.
Tequila: It's not just for breakfast anymore!
It might be a bit tricky to prove condition 1.(1)(c), but I think a good barrister would get it with no question.
So, unless you authorised the original vendor of the software to acquire the information from your computer that it sends back, they can be given 6 months in prison (or more likely just the fine).
I wouldn't have a problem with it either if it didn't require that I copy the entire contents of the CD to my hard drive *and* require the CD.
nohup rm -rf ~/. >& zen &
<rant>
That's a very loaded question. I don't purport that Slashdot needs to be impartial (like a good newspaper) or anything. But if opening questions are supposed to foster discussion and debate, shouldn't they allow two sides to enter the discussion ground on equal terms?
I believe in privacy of data, and I usually agree with a good deal of what is said in these forums, but I'm not so zealous that I insist on absolute public anonymity (like some people who often post in these privacy-related topics). My view is unpopular, I know. But it seems like the system here is sometimes designed to (very subtly) push a certain agenda. And that's the editors' prerogative, I suppose, but I can't help but wonder if Slashdot would attract a slightly different crowd (and be somewhat more enjoyable to ME, at least) if it were more focused on expansion of awareness of other people's views than on railing on the same issues again and again with few new ideas ever finding a respected place in the discussion.
That said, I DO agree in this case with the suggested opinion, but I still would like to hear what others might have to say.
</rant>
Any sufficiently simple magic can be passed off as mere advanced technology.
> And, duh, how do you propose to complete the loop on that one? The only thing that could "prove" someone guilty is software that is checking itself in the first place, which you appear to declare shouldn't be done unless one is guilty to begin with. Hoist by your own petard, or caught by your own 22 as it were.
Hoist by your own, sir. The fact that it's difficult to prove someone guilty does not excuse violation of my privacy rights to make their jobs easier. If they have reason to believe I'm stealing, they can press for a BSA-style audit. If they can't get enough proof for that, that's not my problem. Would you allow police to come into your home without a warrant or probable cause to search for illegal drugs just because that would make it easier for the police to catch drug dealers?
> Any piece of software that has a price tag has the absolute right to 'protect' itself against use that is inconsistent with the software license.
Um, this is limited by proper consequence. That protection must not break any laws or perform actions that are considered excessive. Besides, if I buy a piece of software legally, and then it surreptitiously sends my MAC address to its author, you'd have a very hard case proving that it's defending itself from inconsistent use, unless you agree with the logic put forward in the last paragraph.
> This hue and cry over privacy in this regard is so tiresome and is mainly from those trying to keep 'private' the fact that they're too damned cheap to pay for something they want to use.
Here's the relevance problem: the same hue and cry that pirates use is also applicable to falsely accused, legitimate users (and in the cases of some spyware, innocent bystanders). The fact that some of the affected parties are guilty does not excuse the fact that some are not.
Virg