Slashdot Mirror


Using Spyware to Report Pirates?

An anonymous reader asks: "I have visibility to AUP complaints we receive at work, and we receive messages from a software vendor that make it obvious that their product is phoning home when it discovers it is running a cracked copy of itself." Apparently the software phones home, and then the publisher's legal department sends the administrator an e-mail. "The message goes on to detail the user's IP, a timestamp, the product in question, the user's PC name, username, and MAC address. This falls under -my- definition of 'spyware.' What are your thoughts?" Software has been making surreptitious checks for "piracy" for over a decade, yet these checks are usually limited to the software itself, and not data on the user's machine. Do you feel software publishers should have the right to peer into users' data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?

28 of 1,013 comments

  1. What we want to know... by Jeremiah+Cornelius · · Score: 5, Interesting

    Just WHO is this publisher?

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
    1. Re:What we want to know... by wo1verin3 · · Score: 5, Interesting

      I'd still like to know what publisher does this, and if my company is a customer of this company which decides to spy on our systems without permission then I would a) ensure we move to another software vendor and b) make the company aware of why we choose to move to another vendor.

    2. Re:What we want to know... by Anonymous Coward · · Score: 5, Insightful

      ...or C) the software thinks it's pirated and it isn't. After all, 100% of fully automated piracy detection methods are flawed. The only sure fire way to prove something is pirated is a BSA-style audit. And even those are flawed because of people who don't save original packaging/media.

      You are seriously deluded if you think the fact that a piece of software thinks it's pirated is de facto evidence that it is in fact pirated.

    3. Re:What we want to know... by Tongo · · Score: 5, Interesting

      On my machines I run Sygate Personal Firewall. I have it set to block traffic based on application, not port number (although that MAY be possible also). If an application doesn't have de facto permission to access the internet it will ask me. Then I set it to allow my most used applications through without prompting. Works quite well actually. It is amazing the amount of stuff that is trying to call out all the time.

    4. Re:What we want to know... by dolo666 · · Score: 5, Interesting

      What if it's wrong? What if you really paid for the software and someone *else* cracked it and passed it around?

      Some of the appz/games in stores get cracked and put back on shelves. It happens all the time. And how many of you keep your sales receipt, box or even CD? I have software running that is paid for but I don't have evidence that I bought some of it; I still have a right to run it.

      The problem is that while this monitoring is a good idea in theory, there are too many variables that would trigger reasonable doubt in court. This would tie up a court for quite some time with possibly unreliable evidence garnered as reasonable.

    5. Re:What we want to know... by DaCypher · · Score: 5, Interesting

      What if that application, say, an FTP client, requires access to the internet to do its job? So you allow it access to the internet for this purpose, but could it still sneak its connections in to its home server since the firewall assumes this is legitimate behavior?
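
The gap raised in the comment above is that a per-application allow rule stops distinguishing traffic once the program is permitted out. One defensive check, as an added example that is not part of the original thread: review the firewall's connection log for destinations an allowed application contacts right after start in every session, whatever server the user then chose. The log format, host names, application names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of a per-application firewall connection log.
# Assumed fields: session id, seconds since the application started,
# application name, destination host, destination port.
SAMPLE_LOG = """\
s1 2 ftpclient.exe license.vendor.example 80
s1 40 ftpclient.exe ftp.mirror-a.example 21
s2 1 ftpclient.exe license.vendor.example 80
s2 95 ftpclient.exe ftp.uni-b.example 21
s3 3 ftpclient.exe license.vendor.example 80
s3 20 ftpclient.exe ftp.mirror-a.example 21
s3 300 ftpclient.exe ftp.work-c.example 21
s1 5 browser.exe www.news.example 80
this line is truncated
"""


def parse_log(text):
    """Return (session, seconds, app, host, port) tuples, skipping bad lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # truncated or malformed entry
        session, seconds, app, host, port = fields
        try:
            records.append((session, int(seconds), app, host.lower(), int(port)))
        except ValueError:
            continue  # non-numeric time or port
    return records


def startup_destinations(records, app, startup_window=10, min_sessions=3):
    """List (host, port) pairs that `app` contacted within `startup_window`
    seconds of starting in every one of its logged sessions.

    A destination reached at every launch, independent of what the user did
    afterwards, is a candidate for a per-destination block rule or a question
    to the vendor. Fewer than `min_sessions` sessions is treated as too little
    history to call anything a pattern.
    """
    sessions = set()
    early = defaultdict(set)  # (host, port) -> sessions where it was hit early
    for session, seconds, rec_app, host, port in records:
        if rec_app != app:
            continue
        sessions.add(session)
        if seconds <= startup_window:
            early[(host, port)].add(session)
    if len(sessions) < min_sessions:
        return []
    return sorted(dest for dest, seen in early.items() if seen == sessions)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for host, port in startup_destinations(log, "ftpclient.exe"):
        print(f"ftpclient.exe contacts {host}:{port} at every start")
```

The user-chosen FTP servers differ between sessions and are contacted later, so only the destination common to every start is reported.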

    6. Re:What we want to know... by MrBlue+VT · · Score: 5, Interesting

      I run cracked versions of video games all the time. Why? Because I've stolen it? No, because I don't want to have to stick the damn CD in the drive every time I want to play the game. Nothing is more annoying than the stupid "copy protection" that makes you hunt around for the particular game cd and then put it in your machine (heaven forbid you are using the cdrom at the same time to play music or burn a cd!).

    7. Re:What we want to know... by wo1verin3 · · Score: 5, Funny

      Particular CD? Hah, I guess you're too young to remember having to check page 46, line 3, word 12 in the manual. :)

      More details on that old thing (+1 nostalgia) here:
      http://www-cse.stanford.edu/classes/cs201/projects-99-00/software-piracy/copyright.html

    8. Re:What we want to know... by _xeno_ · · Score: 5, Interesting

      I'm disappointed by the replies so far. I keep on getting these two conflicting vibes from people on Slashdot - some people who seem to really want Linux to succeed on the desktop and therefore have companies write software for it (like, say, games or video codecs...), and people who seem to want to keep the "non-free pollution off their system."

      If Linux is to succeed on the desktop, then third parties must be allowed to write closed-source applications for Linux. (If, for no other reason, than to allow custom business software to continue to run on the systems.) In that case, a vendor very well could include spyware, and being able to block just that application would be very nice.

      Can Linux block net access by individual program? I don't know - I think netfilter may be able to be hacked to do it, but I'm not 100% sure. (It looks like it might be possible to write a netfilter module to do it, but it may require modifying the netfilter system itself, which would involve kernel hacking. When I wrote this, www.netfilter.org was not responding, so I'm guessing based on documentation on other sites and what was available through the Google cache.)

      Does this make Linux on the desktop less secure than Windows? Well, erm, not really. The Windows default firewall only exists in XP (or maybe some SP added it to previous versions, I dunno), and it blocks based on ports. Third-party firewalls like ZoneAlarm and the aforementioned Sygate Personal Firewall can block based on application.

      So Linux is no more secure than Windows on its own. Add in some more software, and it can be. The next question is: if Windows had this feature, and Linux did not, would Linux on the desktop be less secure than Windows? I think the answer is yes, based on the idea that Linux on the desktop must be capable of using closed-source software, and that such software would be prevalent on a successful Linux desktop, and that there would exist users for the software.

      Dismissing Linux as safe because there currently is no real spyware out for the Linux desktop does not really address the question. Assuming there were, it would be nice to be able to block just one application. Blocking a port would not be enough (since it could just use 80, then no web browsing for you...). Blocking an IP is the obvious "right way" but it still might not be the best solution if that cuts you off from the webpage or other important service.

      So being able to block by a given application is probably better than only by packet info (like IP, port, flags, etc.). If the question were simply "OS/A can block net access by application, is it more secure than OS/B that cannot" would people still say "OS/A is more secure because it's open source?" Or is this an emotional response based on the fact that it was Linux vs Windows?

      --
      You are in a maze of twisty little relative jumps, all alike.
    9. Re:What we want to know... by Lshmael · · Score: 5, Interesting

      That's the point. That conflicts with the entire practice of people being innocent until proving guilty. Since it is a former attorney general saying it, the poster was implying that the government does not care about trampling on civil rights in its relentless pursuit for "justice." Meese was saying, "If we think you did something wrong, you did. No questions. Stop talking. 2 + 2 = 5."

      Where does the madness stop? What if the publisher had disabled the computer or reformatted the hard drive? Would that be justified? What if the software was actually *NOT* pirated?

  2. SCO OpenServer by SHEENmaster · · Score: 5, Funny

    So that's why my copies of OpenServer and UNIXWARE keep pingflooding kernel.org...

    --
    You can't judge a book by the way it wears its hair.
    1. Re:SCO OpenServer by GigsVT · · Score: 5, Informative

      You're joking, but SCO OpenServer does actually scout your network for other unlicensed copies of OpenServer and other SCO products. As far as I know, it just causes an output to console every few minutes warning you of the unlicensed software.

      --
      I've had enough abrasive sigs. Kittens are cute and fuzzy.
  3. Another question... by Decaffeinated+Jedi · · Score: 5, Interesting
    Is it spyware if it's mentioned in the User Agreement that you accepted?

    DecafJedi

    --
    DecafJedi
    my weblog: apropos of something
  4. Consent by JohnGrahamCumming · · Score: 5, Insightful

    In any application where data is sent from within the company (or home) consent is vital. Perhaps you would argue that stealing the software removes the obligation to ask for consent, but the potential for the software to mistakenly think it is pirated is too high.

    POPFile has an option to check to see if there's a new version available. It's incredibly innocuous: it hits a server and checks its version number, the server junks its logs daily. I keep no record. This was initially on by default but people were upset, it's now off.

    The simplest solution is that a piece of software that thinks it is pirated start warning 30 days before it's going to shut itself off to give the user a chance to do something and finally disable itself. That is effective and friendly.

    And get yourself a copy of ZoneAlarm so that you can see which apps would like to talk to the outside world.

    John.

    1. Re:Consent by JohnGrahamCumming · · Score: 5, Insightful

      When did I say that all software should be free? Never, and I don't believe it. Since I make my living selling non-free (either sense) software I would be biting the hand that feeds me.

      Imagine the scenario where I change the NIC card in my PC because of a hardware fault. Software X used the MAC address of the NIC for licensing purposes which has now changed and hence thinks it's been copied. One choice would be for it to start secretly informing the company that created it that there's a problem, another would be for it to tell me "I think I'm stolen, I'm going to stop working in X days, here's what to do about this". The latter seems friendlier to me and if I did steal it it's going to shut itself off and I won't be able to gain from the crime.

      Nor did I claim that stealing the software wasn't stealing. It is. That software was copyrighted by someone, copyright law is clear and if they license it to me for money then I have to pay. Pretty simple. That's why I was opposed to Napster and other "services" and said so publicly on my web site. They were/are stealing from people.

      Nor do I believe that privacy must be absolute. I just believe in this case that the method used to assist in the enforcement of a license agreement is unreasonable and there are workable alternatives.

      John.

  5. Re:Depends on how you look at it I suppose. by Col.+Klink+(retired) · · Score: 5, Insightful

    > You use the illegal software

    But doesn't this imply owners of the legal software are also being spied upon?

    --

    -- Don't Tase me, bro!

  6. Re:why not? by WTFmonkey · · Score: 5, Insightful

    But, as someone who is innocent until proven guilty, what right do they have to {spy on, steal from, stalk} me? Seriously, if you're going to back the "stealing is a crime" part of the law, you also have to accept that the alleged thief is innocent until proven otherwise. No one (without subpoena or warrant) has a right to that kind of information without consent.

  7. This isn't spyware by mosch · · Score: 5, Insightful
    It's not sending your credit cards, your clickstream or your data files.

    It's not spyware, it's a fucking anti-theft system. Don't like it? Don't steal it.

    1. Re:This isn't spyware by netruner · · Score: 5, Insightful

      I can understand this viewpoint to an extent. However, this doesn't take into account when the antitheft system "misfires" and causes problems for legit users. In my opinion, spyware that acts so intrusively should be allowed under the condition that there are real consequences for false alarms. In this case, if it's not a legit alarm, I would think the company should be prosecuted like a vendor that exercised a backdoor into one of your systems.

      In other words: you better be damn certain that you're tracking a pirate before you start sucking data off his machine.

      However, if the alarm is legit- you really don't have a leg to stand on. Kind of like stealing a design for a new widget and having your prototype explode halfway through construction.

      When you take a step into the illegal side of things, don't look to the law for help.

      --



      DISCLAIMER: This post was not checked for speling and grammar- if you complain- you're a whiner
  8. Was it VisualRoute? by drdink · · Score: 5, Informative
    I have recently seen this sort of thing from Visualware, the makers of VisualRoute. They send data like this:
    ip address: 192.168.55.3 [dhcp77-1.example.com]
    local ip address: 192.168.55.3
    date/time: Mon May 05 07:22:22 EDT 2003
    ethernet mac: censored
    user name: censored
    computer name: censored
    license key: NONE - CRACKED VERSION
    product: VisualRoute (build 1858)
    zone: en_US-06:00
    And yes, that data is falsified to save the identity of who it was. The amount and type of data it collects and sends home is rather disturbing. Can't the damn thing just uninstall itself?
    --
    Beware, Nugget is watching... See?
    1. Re:Was it VisualRoute? by FirstManOnMoon · · Score: 5, Insightful

      What would happen if a crooked employee at Visualware used or shared this information? He now has a valid username and IP address (even if the IP address was NATed, you could match it with the web server logs to find the outside IP.) He can now fire up his favorite cracking program and have at it. If a vulnerability exists in VisualRoute, he now has a list of computers running it that could be exploited. Food for thought...

  9. Re:why not? by beamdriver · · Score: 5, Insightful
    Copying software isn't stealing, it's violation of copyrights, and it generally isn't a crime, it's a civil tort.

    Installing spy programs on someone else's computer and misappropriating their resources to send information about that computer back to you, OTOH, may certainly be a crime.

  10. Re:why not? by vDave420 · · Score: 5, Interesting
    Troll, but I will bite anyway.

    As someone who makes a living writing peer-to-peer software, I completely disagree that "STEALING IS STEALING" as you say.

    I don't want to get into semantics with you, but here goes:
    Stealing involves the deprivation of someone's property, removing their ability to benefit from it. (paraphrase)

    Information "theft" is not really theft or stealing.

    Thousands of my users probably "steal" my software, but guess what! I DON'T CARE! It is information, which I CANNOT OWN!

    No one, corporation or individual, has a right to profit.

    Everyone has a NATURAL right to consume and reproduce information. How do I know? Look how we are physically built, for crying out loud!

    Let me close with this somewhat fanatical thought: Every month new ground is broken in the attempt to produce objects by piecing them together molecule by molecule.

    Now, it will probably take longer than my lifetime to occur, but EVENTUALLY you all will be able to build a generic THING from its component molecular pieces.

    Consider this "future" world for a moment: No more scarcity, no more hunger, no more epidemics caused by lack of medicines.

    Now consider the same world, with *your* "STEALING IS STEALING end of story" claim: Should the first person/company that creates a new molecular structure have a monopolistic control over said structure? Should you be able to produce (from scratch, not by "physically stealing") a replacement Brake Pad for your car without paying Ford for the privilege? What about creating your very own "claritin-like" substance for your allergies? Should you have to pay Monsanto?

    I stated before, and firmly believe, that information wants to be worthless, in an economic sense. Information has no "owner" that I recognize, and, as such, I do not consider the "copying" of information to be "theft".

    If someone broke into my office and stole the computer I was writing my source code on, then THAT is theft of information, as it has deprived me of it.

    If someone copies (without my permission) my program and uses it without paying me, oh well! I haven't been deprived of anything! I still have my program! The only thing I *may* have lost is potential profits, but NO ONE HAS A NATURAL RIGHT TO PROFIT! NO ONE!
    (That's why "Step 2: ???" is so common! heh)

    In the above "idealistic copying world" example above, no one could profit! There would be no object scarcity, therefore (almost) no intrinsic value to *ANYTHING*, let alone "strictly informational things."

    Time to end this rant, but PLEASE PLEASE consider:
    The end result of personal "possession & ownership" of information, combined with monopolistic control, and the added "Let's consider artificial entities with the stated goal of financial wealth accumulation (corporations) the same as people, with the same 'rights' to own information, etc", is a CORPORATE FEUDAL SYSTEM, not the (what I consider) ideallic, everything-copying society that we COULD have then.

    The road we are starting down today is leading us towards the scarier of the two, I believe.

    -vDave-

    {dave -at- bearshare -dotcom-}

    Help me out, and use BearShare for all of your p2p (INFORMATION COPYING) needs!

    --
    The pig browse. With Google. Sigh is to the chicken. Chicken is fool. Giggle. The DailyWTF giggle.
  11. Re:why not? by pla · · Score: 5, Interesting

    Seriously folks I think lately we've forgotten that stealing is stealing, and if you're stealing a piece of software you should be punished for stealing a piece of software.

    And for those situations where stealing doesn't mean stealing?

    Two trivial examples that I suspect most of us could get "caught" for:

    First, a friend purchased (completely legal, nothing unkosher whatsoever, not even grey-market) a copy of Age of Empires - AoK. It has a rather annoying copy protection scheme, however, which annoys legitimate users (whereas pirates just run a cracked version with no hassles at all). So the solution? He uses a cracked copy of the game. A stupid software test for known program cracks would flag him as "stealing", yet he did no such thing.

    Second, and even more difficult to deal with - I have all of my CD collection on my HDD, since I only ever listen to them while at the computer. Legal format-shifting as allowed even by the DMCA. Yet, can I "prove" to some stupid spyware bot that yes, in fact, I really do own the CD? Nope. And even if I could, I shouldn't NEED to; my computer serves me, I do not serve my computer.


    More important than false positives, though, we should consider the issue of why we buy software in general. If I buy a game, I buy it to play that game. If nowhere in the documentation (or preferably, on the outside of the packaging) does it describe its "RIAA-friendly anti-piracy technology", it damn well better not have any. I don't buy software to spy on me, I buy it to do the task it describes itself as performing. Nothing more, and nothing less.

  12. Re:why not? by SoTuA · · Score: 5, Insightful
    STEALING IS A CRIME...

    True.

    And gathering personal information about a user, without his/her consent without a legal warrant is...

    Seriously, this information is NOT what anybody can get from public records. If I gathered this information about someone, and that someone found me out, I'd be charged with cyberstalking or whatnot.

  13. Re:why not? by shepd · · Score: 5, Insightful

    >Some people, especially young children, seem to have a difficult time grasping that although nothing physical is taken, theft has still occurred.

    No, it hasn't. Most parents (including yourself, I'm sure) tell their children, once they're old enough to read, that they should check the dictionary. I hope you don't mind if I do it for you.

    theft

    \Theft\, n. [OE. thefte, AS. [thorn]i['e]f[eth]e, [thorn][=y]f[eth]e, [thorn]e['o]f[eth]e. See Thief.] 1. (Law) The act of stealing; specifically, the felonious taking and removing of personal property, with an intent to deprive the rightful owner of the same; larceny.

    Note: To constitute theft there must be a taking without the owner's consent, and it must be unlawful or felonious; every part of the property stolen must be removed, however slightly, from its former position; and it must be, at least momentarily, in the complete possession of the thief. See Larceny, and the Note under Robbery.


    I don't know how much clearer it can be than that, sorry.

    >it's not the physical manifestation that holds the majority of the value of the item, it's the intellectual property.

    The only real IP I know of is Internet Protocol. "intellectual property" is a buzzword used by various anti-piracy groups to scare users. IMHO, it rates right up there with "speed kills" and "this baby is crying because its dad was killed by a drunk driver".

    >So, your thinking that even though you took it, the fact that they still have it (wow, magic), lets you off the hook is just plain wrong.

    I'm not saying that. What I am saying is that piracy is not only a lesser crime (IMHO) than stealing, as it only deprives the owner of an imagined profit, and, in fact, does not cause a direct loss like shoplifting, it really bears no relation to stealing. The similarity ends at the word loss. Speaking of which, murder would be a loss of life, and therefore has the same amount in common with stealing as does piracy.

    Again, just my humble opinion.

    That being said, I feel that piracy ISN'T a good thing, that it is illegal, but that it is overzealously punished in today's times where steamboat mickey is still copyrighted property. The only way that people will wake up and stop the insanity (put copyright terms back into the hands of the people) is if people stop making it out to be something it isn't.

    >By the way, you're not even close in interpreting how copyright laws apply to these situations.

    Uhh, seriously, read a law dictionary. Without something being missing from the victim, and without it being in the hands of the perpetrator (preferably at the same time) there can be no theft.

    While the crime of copyright infringement is generally punished in a federal court, and the crime of speeding violations in a municipal or provincial (or, in the US, a state) court, the style of offense is identical. They're both victimless crimes. Sure, you could say I *would* have bought a piece of pirated software rather than pirating it, but at the same time, if I get a stolen (for real) camcorder for $50 that sells for $5,000 do you think there's even a chance in hell I would have bought it if it weren't stolen? The fact is there is normally no specifically identifiable victim from piracy that can prove a loss, which is just like when you receive a speeding ticket -- nobody can prove a loss. It's just illegal, that's all.

    It's always a lot more complicated to convince someone a crime is bad when there is no victim, and *THAT'S* why the BSA (et al.) want you to (wrongly) think copyright is theft. Because then they have their victim -- English teachers.

    In fact, you'll find my previous dictionary definition a little lax. Merriam Webster says:

    theft: 1 a : the act of stealing; specifically: the felonious taking and removing of personal property with intent to deprive the rightful owner of it b : an unlawful taking (as by embezzlement or burglary) of property

    When dictionaries start saying specifically, and highlight it; I think they're trying to curb an improper usage of the term.

    --
    If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  14. Re:Where is the crime in spyware? by boojum.cat · · Score: 5, Insightful
    Your information wants to be free; my information wants to be private. See?

    Oh, come on. That's ridiculous. There's a distinction between public information and private information. Published programs, even if they're copyrighted, are published. They're not private, like the user's MAC address and personal grooming habits.

    I'm not trying to justify running pirated programs, I just think you need to make a better argument.

    If you don't like spyware, don't friggin run it.
    Now, that's a better argument.

    --
    Lost: one sig, witty, 120 chars, sentimental value. Reward offered.
  15. Re:Depends on how you look at it I suppose. by NoMoreNicksLeft · · Score: 5, Insightful

    More like, the vehicle detects that you had it serviced at an independent mechanic, instead of at the dealership, and phones home to cancel the warranty.