Slashdot Mirror
The Battle Against Junk Mail and Spyware
wildfrontiersman writes "A New York Times editorial by Brent Staples, The Battle Against Junk Mail and Spyware on the Web, laments 'The story of technology is the story of noble aspirations overtaken by a hard-core huckster reality. This process is on vivid display in the debate about electronic junk mail, which makes up more than half of all the e-mail that travels on the Internet.' He criticizes the new spam law, the lack of attention to spyware and how it threatens our beloved internet."
for the tin-foil hat crowd, posted AC to avoid Karma-whoring, here.
A year ago, spyware wasn't nearly as bad as it is now. I was at a friend's house trying to show him some stuff from my gallery on his P4 2.0ghz, and it choked by starting Internet Explorer. 3 toolbars over each other, hard drive spinning like hell because all the ram is eaten up by spyware...
Had to run Spybot, ad-aware, spybot, ad-aware over and over for like 2 hours while rebooting to get rid of everything...
At least the latest Norton Antivirus scans some of it and so does Network Associate's antivirus. I wish Trend Micro's would do it too, it probably will soon...
The new spam law does nothing about the invisible programs that invade our computers as we move from one Web site to the next. These insidious programs -- variously known as adware, spyware and snoopware -- can cause computers to call up aggressive ads or can actually track a user's movements through the Internet for use by marketers later on. The most sinister programs can record everything the user does, whether offline or surfing the Net.
And what the article does not discuss at any length is that we have Microsoft security (or lack thereof) to blame for most of the spyware problems. If Windows had better security, then most of these problems would not be there to the same degree as they currently are.
Visit Jonesblog and say hello.
as this biography (warning, embedded Quicktime!) points out:
Brent Staples is an editorial writer for The New York Times. He holds a PhD in psychology from The University of Chicago. His memoir, Parallel Time: Growing up in Black and White, was the winner of the Anisfield Wolff Book Award, previously won by such writers as James Baldwin, Ralph Ellison and Zora Neale Hurston.
In most other forms of media, it seems that advertising has had its day. Television is no longer able to subject us to ads and is threatened, Radio ads in internet radio are able to be skipped. So we only have to deal with the advertisements that arrive in our inbox.
There are a variety of ways of dealing with this detritus, the easiest one is make it a social stigma to admit to buying anything from spam.
Have any enlargements or pharmaceuticals ever been sold using this method? Has anyone ever received one of these messages and replied and then eagerly waited for their postie to drop by with their delivery of "Hot Teens"?
Turn Spam purchasing into the Venereal Disease of the new century and it will cost these folks more to send the messages than is returned in sales.
Legislation is pointless in an area where geography is no longer a method of control.
Both problems, the spammer and the salesman, can be solved with the use of a good 12-gauge shotgun.
Trespassers will be shot. Survivors will be shot again.
Mea navis aericumbens anguillis abundat
I was visiting my parents when they got their Dell and out of the box it required over 20Mb of security fixes and had a virus scanner (Mcafee) that was set to explode after 90 days if they didn't subscribe and the firewall off by default. Oh and of course their account that they setup with the instructions made them an administrator. We got that patched up and hardened quickly but your average Joe who buys a system and plugs it in is just a sitting duck and he has no clue. It's pathetic that companies like Dell can't harden the things a little before shipping them out.
Even though spyware may be annoying, it's the price that must be paid to allow for a more user-friendly computer.
Care to justify that stance?
When visiting someone who asks me to help them with some computer-related task, as my very first action I download and run AdAware. It usually find at least 30-40 scattered chunks of spyware (I've seen in the thousands more than once), with perhaps half a dozen actual fully-functioning programs (the abundance of spyware has the amusingly ironic side effect that they all tend to break one another over time).
After removing all the spyware found, the computer's owner without fail notices the improved responsiveness and reduced desktop and browser clutter. I have not once had someone then ask me annoyedly where their "favorite" browser hijack vanished to; more often, I get a thankful "Oh, you finally got rid of that damn thing... I agreed to it from some website a few months ago, and no matter what I do couldn't make it go away".
So, what part of any of the above do you believe makes a computer more user-friendly?
From article:
The story of technology is the story of noble aspirations overtaken by a hard-core huckster reality.
I think that's a little too narrow of a generalization to make about all of technology. But it is a symptom of a larger truth about technology. The story of technology is the story of technical progress outpacing social progress. We have not, as a society, come to a consesus on privacy, security, information as property, and who should regulate these matters. Similar, perhaps tougher, problems in biotech. This characteristic of technology driving questions about social morality is something I don't think was ever seen before the 20th century.
I do tech support for ~10,000+ clients. When Windows 98 was common, the biggest problems were stability and trying to keep it that way.
Now that win2k (and winxp) is out, the stability issue has been resolved. Now the most common thing I see is tons of spyware slowing the PC down to a crawl (obligatory slashdot humor: The difference between a PC infested with spyware that crawls, and Windows XP hogging all the resources making the PC crawl, is sometimes hard to discern.)
And of course lovely viruses from that oh-so-wonderful default-installed e.mail program, Outlook Express.
Most (nearly all) the *major* spyware issues stem from PEBKAC, a little knowledge (on the end-users part) would go a long way, but much of the spyware out there cloaks itself in "official" looking popups, all happily Verisigned, which can sometimes even trip up sys admins.
The next version of windows is rumored to fix this (to what extent is unknown) but undoubtedly will introduce a ton of new spyware.
Now isn't it nice that we BeOS and *nix users are immune to all that crap? I know I'm glad I use BeOS.
So rise up, all ye lost ones, as one, we'll claw the clouds.
mayebe I dont remember the law very well, but wasn't there some type of law back like 20 or more years that made it illegal to steal computer time. This applied mainly to mainframes. Couldn't this be applied to spyware,adware, and snoopware, stealing computer time on pc's?
I can think of one, just ONE example where this is the case. The Google Toolbar. It's an incredibly useful thing if you can use it (only works with IE5.5 or better) but it does contain one optional feature what might be classed as "Spyware". Specifically, in return for providing Google with some details of your browsing habits you gain access to some PageRank related features. Google does however provide extensive clickthroughs and documentation that detail just what this entails, which is more than most of the crap out there with a penchant to phone home.
UNIX? They're not even circumcised! Savages!
It doesn't help that spyware databases software databases have gotten so undiscriminating. You run a spyware scanner, and even the best ones raise red flags over stuff that has some of the features of spyware, but simply isn't. These include customer support tools like backweb. Yes, these can be abused, but ultimately anything you install in your system can be abused. It's simply a question of whether you trust whoever provided the software. Gator and Alexa have used up our trust. Backweb and the CS orgs that use it have not.
There's also the cookie issue. Yes, cookies are a grave threat to privacy. But the solution is in your browser: configure it use a good privacy policy, or if you totally hate cookies, not to accept them at all. Scanning the cookie database is a waste of time. Yet all adware scanners insist on doing it.
If you know what you're doing with email, and use a statistical filter such as spamprobe (or SA/other bayesian) from procmail, consider joining the community wpbl experiment. This is essentially an IP blocklist built automatically, in real-time, from many statistical filters (no manual user action ). IPs from mail are automatically extracted, classified as spam or good by your bayesian filter, then reported to the central server 24 hours a day. This is not like spamcop.
The irony is that at the end of the NYT article, if one inspects the source code, there is this little gem of javascript code from:
g .j s
http://www.nytimes.com/js/s_code_remote_samplin
This fetches a few pieces of data and sends it back to 2o7.net in the form of a URL for a 1x1 gif.
Anyone care to reverse engineer this code and see what it's reporting back?
I assume that spam is one of the last places where people believe that an ad driven business model will survive. In most other forms of media, it seems that advertising has had its day.
What world are you living in? In the one that I inhabit, advertising is a multi-billion dollar industry. All of that brain sapping drivel pushed out on network television every night creates a captive audience to push sodas, alcohol, cars, and everything else that makes the (Western) world go round.
The fact that you and your friends use Tivo or listen to internet radio stations is only slightly more important than the fact that you use Linux at home. The rest of the world still uses M$ products and buys things because a commercial told them it will get them more pu$$y.
As for e-mail advertising, this is the latest (not even latest, but relatively recent) intrusion of advertising into communications mediums. Until people are willing to PAY for things (e.g. HBO) instead of being cheap greedy hypocrites, advertising will continue to infiltrate all communication and entertainment mediums.
Even when people are willing to pay for things, the advertisements will become more subtle and embedded, with product placements as perfectly nailed in the movie The Truman Show.
And the reason advertising continues to happen in e-mail is that the costs to advertise are getting less and less to the point that now if 1/10000 people buys Herbal Viagra or whatever crap is being sold, then it becomes worthwhile. So good luck convincing 100% of the people to stop buying stuff. Let's come up with realistic solutions.
Buy a Mac.
.Mac email addy, I haven't had a bit of spam come thru at all.
I'm not trolling, nor am I evangelizing, but the truth of the matter is, out of the box, Macs are FAR less prone to be susceptible to any of these nefarious internet annoyances.
Spyware: practically non-existant for Macs, and any application needs to be manually copied or installed w/a password verification, so nothing gets by without you knowing it (assuming you trust every user of your computer).
Spam: Mac OS X's built in Mail client has an excellent and easy to use spam filter built in, and in the 2.5 years I've had my
PopUps - Not only can you block pop ups in the default browser Safari, most of the pop up ads are themed to look like Windows dialog boxes, so they're easy to spot as advertisements and whisk away with a single click.
Just my 2
The boycott you propose has already been around for a long time. It's called the "Boulder Pledge". Unfortunately, it doesn't work.
The people who advertise through spam are fly-by-night operations. They typically hope to make a quick buck by shoving a message at a million people and getting a 0.0001% conversion rate. (Do the math.) Often they aren't even the ones with products to sell; rather, they're "basement operations" with little in the way of resources or business sense hawking merchandise on behalf of the less-reputable amongst affiliate programs.
The people who make the real money off spam don't make the money selling stuff through spam. Instead, they get paid by aforementioned fly-by-nights to send the spam. They are the few fat sleazeballs sitting at the top of the pyramid being supported by everybody else. Just ask Alan Ralsky (if you can get a letter through to him under the massive number of catalogues he receives).
This convoluted chain of middlemen is the reason why normal market forces haven't stamped out spam, even though spam is net unprofitable. Losers pour money into the spam system and are dealt out of the game with a high turnover rate; but there are always enough new losers coming in to keep the system afloat. Meanwhile, professional scam artists know every trick in the book to squeeze money out of an activity that truthfully causes a net loss for everybody else involved.
From the fly-by-nighters lured in by the promise of easy riches and duped into paying hard cash for spam advertising to the victimized ISPs and end users who have server, bandwidth, and support costs shifted to them, everybody else comes out in the red anyway. So how, exactly, is a boycott supposed to work?
Microsoft Windows is, fittingly, the official Desktop OS of Olig
But the Solution to Spyware is fairly simple. Make the sender pay, like normail post. That is why I don't get hundreds of posts in my physical mailbox. (and the fact I don't participate in competitions every chance I get) Simply put, for somebody to send me email they have to perform a task. Say calculate the first five primes that end in five. For one persons computer this will be trivial. But for somebody mailing out millions of posts it becomes impossible. In fact I can increase the computation difficulty depending on what I want to filter out.
Your post advocates a
(x) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
(x) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
Spammers need images to get past word filters and to make an ad "stand out." Images can't be sent with the e-mail so src tags are used. href tags are also used for links they expect people to click on. "http://" is a unique identifier that absolutly cannot be obfuscated or it will not work. You can add a lot of junk before an @ symbol but eventually the real link must be there. Simply block that link and poof, no more spam from spammers advertising using that domain. You can block countless spammers by blocking a single 100% unique URL that no legitimate e-mail will ever contain.
The full write up of my take on what I see as horribly flawed ways to combat spam and source code for the custom programs I use to strip links out of e-mails.
I have an example of spam posted there where everything is just a mess in the e-mail. The headers are forged, the text is all obfuscated. But there, clear as day is an "HTTP://"
Poof, killed the spam domain. And there's no way to circumvent my method except by not having links of any form in the e-mail. If you put a link in a spam, I will find it and I will block it.
Ben
Work Safe Porn
$5 / month hosted VPS on linux = awesome!
I can personally attest to this. I've been doing on-site PC service for a local company for the last couple months, and our #1 call by far is for problems that end up being spyware/ad-ware related.
In my experience, SpyBot works extremely well, but it has a few quirks in its interface that lead people to not get everything cleaned up that it can clean up.
Most importantly, when it finds spyware it tells you requires a reboot to remove, you'll notice that it rescans everything during the system restart. The thing is, though, it isn't *removing* everything during this stage. It's only setting itself up so it *can* remove what it finds successfully, if you click to "fix problems" on its console window after everything finishes and the Windows desktop comes back up!
Also, I'm seeing more and more virii/trojan horse type infections that are smart enough to kill processes of any known virus scanner. These wouldn't have the chance to infect a PC in the first place if people kept their virus scanner running and updated, but many people don't. Then when someone like myself comes in and tries putting an updated one on the PC, the install won't even complete successfully. (This also manifests itself as a scanner that shows itself as "disabled" in the system tray, but which won't ever stay enabled when you try to toggle it back on.)
I'm at a loss as to why Symantec, McAfee, AVG, and the other popular scanners don't allow doing a "reboot and scan/remove virii before system startup", so the virus code can't get a jump on the scanner??