Congressional Anti-Spyware Bill Introduced

CRCates writes that U.S. "Senator Conrad Burns has introduced new anti-spyware legislation. The bill would make it difficult to for software to download and install itself without the user's knowledge. The bill would also require notification, consent, and procedures for easy removal."

I DON'T LIKE WHITE GUYZ

LOL !!!!???
a galapagos tortoise wearing a scarf just SuCkeD My CoCK OMG!!!
??? PROFIT

ps big ups to gnaa omg

I DON'T LIKE WHITE GUYZ

LOL !!!!???

a galapagos tortoise wearing a scarf just SuCkeD My CoCK OMG!!!

??? PROFIT

ps big ups to gnaa omg

Easy removal

[zcat_NZ]

I have yet to find any spyware that wasn't easily removed

Re:Easy removal

[dickiedoodles]

I have yet to find any spyware that wasn't easily removed

I'm more worried about the stuff I might not of found

Re:Easy removal

[Carnildo]

I have yet to find any spyware that downloads and installs itself.

Re:Easy removal

[00420]

I'm more worried about the stuff I might not of found

Do what I did. Open the task manager and do a Google search for each of the processes.

You may find something that nobody's aware of (I did - and it got submitted to Spybot)

Re:Easy removal

They do exist; I watched as a friend mistyped an address into IE and got sent to a typo-squatter's page which installed Xupiter Toolbar without asking. (He uses Opera now for obvious reasons.)

There's another one I've heard of but never actually seen in the wild called CoolWebSearch. Apparently there's 30-something variants of it, and they use try to use an exploit in the Microsoft VM to install themselves silently on unpatched machines. I hear some of the nastier variants go so far as killing the processes of spyware scanners and rewriting their download links to point to adult sites.

Re:Easy removal

[Kevin143]

It annoys me that it's necessary to run both Ad-Aware and Spybot, even with both newly updated.

If you want to get rid of a virus, it's not necessary to use both AVG and Norton. Perhaps it's because there is much more of a network of the anti-virus developers helping each other.

For me, it isn't much of a hassle running both of the programs, but for the average idiot, running SpyBot and AdAware is much too difficult. The problem won't be stopped with legislation, the problem will be stopped whenever Dell and the other OEMs bundle a combined Antivirus/Anti-spyware program with all of their PCs.

I haven't used Norton AV 2004, which claims to fight spyware, yet. Does it work better than the SpyBot/AdAware combo?

Re:Easy removal

[TykeClone]

I've had a bit of a chance to run it and I'd say no - it doesn't. I was cleaning up a machine and Norton 2004 did catch some stuff, but Adaware caught much, much more.

Re:Easy removal

[dasunt]

I have yet to find any spyware that wasn't easily removed

A lot of spyware has a tendency to destroy TCP/IP networking under windows. In my experience, spyware results in a sizeable percentage of computer repairs. I see less computers obviously damaged by viruses then by spyware.

Re:Easy removal

[jpop32]

Do what I did. Open the task manager and do a Google search for each of the processes.

Which works well if the nasty is listed as a separate process. Which is not always the case. For example, all services go under a couple of master-processes (svchost.exe, services.exe). Furthermore, nasties don't need to be resident, they can be invoked when an activity of interest takes place. So you may miss it, except for a couple of seconds they do their bussiness.

Re:Easy removal

[pnutjam]

Panda detects spyware, adware, and virus hoaxes, not to mention regular viruses, in their Corporate Antivirus Solution and thier Platinum Internet Security version.

I'm currently using thier corporate version and like it alot. It's not quite as good as ad-aware, but the mere fact that they seem to have commited themselves to addressing this issue speaks volumes to me.

I see many more problems caused by adware and spyware then by true viruses.

Re:Easy removal

[TykeClone]

Can't argue with that.

I've fixed a couple of machines that had a combination of just a couple viruses and a bunch of adware that basically rendered them useless.

Re:Easy removal

Good start, but what about impostors? Lots of kits simply install their processes under names you would expect to find and even more troublesome, drop things named kill.exe, etc.

That way, when you can't terminate the problem process using task manager, you'll use the kill.exe tool. (Which if you didn't put it there, it probably is an impostor because it isn't installed with the OS by default. Should get a fresh one anyways.)

So, basically they can have you clean up after them and hide the evidence, or what not. None the less, you can only assume you've fixed it. Best to just rebuild and patch.

There's no safe computing besides abstinence.

No spyware?

[Gothic_Walrus]

There goes all of AOL's profits from Instant Messenger...

Consent

The bill would also require notification, consent, and procedures for easy removal.

You mean the way they notify you and gain your consent by burying it a dozen pages into the EULA that nobody reads? The way you can uninstall the spyware by reformatting?

Thin line...

[ERJ]

Although I hate spyware as much as the next person, I am not so sure that the government should control it. The problem I see with the above is that it defines spyware more by the distribution method then the purpose.

I can definetely see a purpose for software to download updates, patches, etc automatically. Privacy concerns is what spyware is really about.

Re:Thin line...

[the+real+chahn]

But, the software should still ask for your permission to download those patches. I have no problem with my computer telling me that there are new patches, device drivers, etc. available. I do have a problem when it downloads and installs them without telling me, because it could mess up my computer. I've had devices that were working perfectly fine all of a sudden crash because of a new driver, and I want to be the one that decides whether or not I need to update.

Re:Thin line...

[cicho]

That much is true, but even if the program asks you before installing, you often don't have sufficient data to make an informed decision. Windows Update asks me every time, but how do I know if I want a particular patch or not? The only solution is to keep declining for a week or so, then check Google to see if anyone's reporting problems. I.e., a disappointingly low-tech, unreliable solution.

Which is to say - asking for permission is nice and should IMO be required, but it's not nearly enough. the manufacturer should provide reliable, conspicuous and clear information about what it is installing, what it does, how it was tested, what known issues exist and how it can be uninstalled. Otherwise they'll just keep you guessing as they do now. And using the phrase "enhances your Internet experience" in any such document should carry an exceedingly harsh penalty, too.

Where are those two comments?

[ObviousGuy]

Off-topic, I admit, but there seem to be 2 more comments than are displayed here in this story. Where'd they go?

Spyware is a scourge, but how likely is it that this kind of weak-willed legislation will make spyware any better? Not likely, IMO. Not to mention that the law puts a muzzle on the 'free speech' of spyware authors, this law will probably go down in flames like all other anti-spam measures.

Re:Where are those two comments?

[Carnildo]

Off-topic, I admit, but there seem to be 2 more comments than are displayed here in this story. Where'd they go?

Good question. Viewing at -1 lists 18 articles, but I only see 16 of them. Might this be related to the bug that's messing up people's user pages?

Re:Where are those two comments?

[SpaceLifeForm]

This happens too frequently (years now).

Personally, I suspect a RDBM bug.

This is almost completely meaningless

[lightspawn]

Most spyware actually informs users somewhere in the very long license agreement, and would not be affected by this.

Completely criminal spyware - installed completely without the user's knowledge (such as that found on some discs claiming to be music CDs) is already illegal.

This is just a 'feel-good' measure which will not actually change anything; at least the intent, unlike CAN-SPAM, wasn't evil here.

Re:This is almost completely meaningless

[zcat_NZ]

Interesting point;

Although it's not spyware (afaik) many of those 'copy protected' CD's do install software without warning, for the sole purpose of interfering with the normal operation of the computer.

How the hell is this _NOT_ illegal already?!!

And why is nobody being prosecuted for it? There's no shortage of hard evidence.

Re:This is almost completely meaningless

[spooky_nerd]

Of course that wouldn't happen if it wasn't for the fact that Windows has autoplay turned on by default. And it will happily run executables without user intervention. All this to save people from the horrible inconvenience of clicking "OK" on a dialog box.

Am I crazy?

[HotNeedleOfInquiry]

Or was this just covered last night?

Re:Am I crazy?

[Carnildo]

was this just covered last night?

Last night's article was about the Iowa legislature. This one is about the US Congress.

Re:Am I crazy?

[ndevice]

it seems that it was? Iowa Senate Proposes Making Spyware A Crime

not really affecting the /. crowd

[cyborch]

things are not going to change for the average /. user, but things are going to change for the better for the average user. Now, gator can't legally annoy the hell out of the average joe using his computer. I'd say that is a change for the better.

No law enforcement exceptions

[Randym]

SEC. 2. UNAUTHORIZED INSTALLATION OF COMPUTER SOFTWARE.

(a) NOTICE, CHOICE, AND UNINSTALL PROCEDURES- It is unlawful for any person who is not the user of a protected computer to install computer software on that computer, or to authorize, permit, or cause the installation of computer software on that computer, unless--

(1) the user of the computer has received notice that satisfies the requirements of section 3;

(2) the user of the computer has granted consent that satisfies the requirements of section 3; and

(3) the computer software's uninstall procedures satisfy the requirements of section 3.

Did anyone else notice that there is no exception in here for law enforcement agencies? In other words, bye-bye big brother spyware!

Re:No law enforcement exceptions

[exi1ed0ne]

Try no enforcement period. What the law makers have to realize is that the Internet consists of the whole world. If I don't like the laws and restrictions in the US, I'll move my operations to Sealand or some other place. Just look at the shipping industry and whare all those tankers, cargo, and cruise ships register. Sure the US could put pressure on some countries, but I don't see them blocking Korea or China any time soon.

Spyware

[skreet]

Hey, I use windows xp. I know that this particular O/S isn't that popular on this site. Downloaded several programs that were designed to stop spyware and lo and behold it did eradicate the spyware on the pc and place their on spyware in place of the deleted program. Browsers would not refresh as fast. I use several and a host of other strange maladies occured. Looks like everyone is going to have to write their own software next.

Re:Spyware

Don't know about popular. I use WinXP and I think it is quite ok for an OS, but the security holes it has when installed out-of-the-box concerns me. But what comes to other software, with the exception of WinAmp, I try to use open/free software.

I really do believe open/free software applications solve the spyware problem. At least no spyware on my PC!

Now don't get me wrong, I have many times installed Debian and FreeBSD to my desktop, only to find out what should I do with it and what software to use. Not that many open source products are for both Windows and *nix platforms..

And I like the GUI stuff, because I don't want to do my stuff on the console if I have done it in a GUI until now. CDex, Miranda, etc should also be ported to *nix platforms.

But come to think of it, I can do my usual stuff in other OS:ses also, but try to get a commercial embedded C compiler to other platforms than windows.. Like that's ever going to happen.

hmm...

Is it me or does the government only care about normal internet gripes and complaints when one of their own has a problem with their computer. Spam a government official, they don't like spam they decide to pass a law and throw you in jail. Buy a domain point it to where you want it to go, they don't like where you pointed it they pass a law and throw you in jail. Now they had software installed on one of their systems and they want to pass a law and throw someone in jail. Next thing you know they are going to pass a law saying if you talk bad about a government official on a web page they are going to demit illegal then send the FBI to take the web servers it was on find out who all viewed the web site and throw them in jail.

You missed any drivers, etc

[BoomerSooner]

You can also load spyware via drivers. Those are more difficult to root out.

Re:You missed any drivers, etc

[00420]

Wow, I did not know that.

I never used anything except the drivers that came with Windows and the ones that came with my video card, so I would assume I was safe there.

Don't have Windows anymore, but I'll make sure to let my friends know to be careful about things like that (they're pretty careful already, so I'm sure they're cool)

Wait a sec...

[Fubar420]

Do the ActiveX controls that ask Y/N in IE count?

I use mozilla so that hardly bothers me, but a lot of people just assume that if a link (see AIM virii/trojans/"games" and the like) is sent to them, that the warning is part of the game?

Most activeX controls say 'I'd like to install something now...' and people just assume yes as the correct answer... They _do_ give consent, even if its kinda foolish to do so.

Re:Unfortunate consequence

One unfortunate consequence of this talk of "user granting consent" takes us closer to the position that the act of clicking OK on a EULA can somehow be binding on the person.

As far as I'm concerned I should always be able to click anything on my own computer without thereby entering into a contract with some company such as Microsoft. Ugh.

Thou shalt not develop illegal spyware.

[max+born]

Now the lawyers will be debating the definition of spyware all the way to the Supreme Court over the next 10 years, tied in tangles of litigious obfuscation, destined to hedious ruin.

What a stupid waste of society's resources.

Open the source -- problem solved.

Only "Difficult"?

[DynaSoar]

"The bill would make it difficult to for software to download and install itself without the user's knowledge."

I could have sworn it was already illegal. Making it "difficult" would be a step down.

what a joke

[TEB_78]

This will have absolutely no effect. The US political system is too corrupt for these kind of laws to end up functional. Gator and their fellow trash just need to donate enough money for the coming election and the new law will be watered out to have no effect.

Anti Competitive

They are stifling American companies from competing with Eastern European credit card stealing business. We'll just end up with shadier spyware.

The real trouble with spyware

[Whatchamacallit]

As I see it, and I have removed over a million pieces of spyware from my customer's computers...

The trouble with spyware is:

1. It's damn sneaky. No indication other then a license agreement that no one reads because it's all legalease and effectively gibberish to the average person.

2. Some spyware is loading onto computers via popup advertisements that are using obvious MSIE flaws to allow it to install. Most of the spyware changes your homepage to their search page which also happens to re-install their software. This means they are using virus/trojan techniques to invade your system.

3. Most spyware will re-install or auto update itself if you try to remove it and miss a portion. Some spyware appears to team up with other spyware packages that reload each other.

4. Several spyware companies actually advertise anti-spyware software that just loads more spyware onto a system.

5. The security in Windows is horrible. Looks like we might have to resort to a signing method for all approved software and allow only company approved signatures to install. I don't think Windows fully allows this for everything. I know they do it for drivers but it should be available for all software.

Spyware is begining to be a real problem in enterprise environments, we locked down our WinXP computers pretty tight and yet the spyware still manages to get installed. It takes hours to remove spyware from a user's machine. In some cases, when Ad-Aware and SpyBot both failed to remove a package, we ended up having to rebuild the OS and restore the user's data.

Windows is so very broken that I don't think it can ever be fixed. No law will make a difference, companies will just move off shore and then still deliver the spyware goods.

The only sure fire way I see Windows getting repaired is if Microsoft bites the bullet and stops development on Longhorn and then literally starts over. They should make a FreeBSD base and build the Windows API into the system. This will ensure multiple user abilities and more importantly, security. Of course this will break all old software that requires drive letters and other things that will have changed but it's becoming necessary. The holy grail for MS is backwards compatibility and it's also a curse they will never give up.

I know, Apple did the same thing with OS X. It's a custom Mach kernel with a FreeBSD foundation. They build a backwards compatible Classic environment as well as a porting environment called Carbon in addition to the NeXTStep Cocoa NS API. The security is there and you are prompted to install software whenever an application tries to install. If it installs in your user home directory structure, you may not be prompted, but at least you will be able to rebuild the user account and migrate your data.

Microsoft needs to follow suit. Of course they should do it their own way but they really need to focus on security as well as separating the OS from the Applications and System wide software from individual user software as well as user settings from system settings. The trouble is Windows has always had a hard time isolating things because of the backwards compatibility issues. WinXP moved the user profiles to Documents and Settings but it needs to be better isolated across everything everywhere. All the security issues come down to a serious flaw in design which directly stems from the Win3.x and the strong desire to keep old software running on new systems. Windows systems are wide open out of the box. Most good Unix distributions are closed out of the box. i.e. in Unix you need to turn things on. In Windows you need to turn things off. This makes a heck of a lot harder to lock down.

removal of spyware

[andrewp111]

I have had spyware that was damm hard to remove. It was one of those "browser hijackers" that would direct to one of those sites that sell domain names. A spyware removal program found it but couldn't remove it. This was because it became part of the windows 98 operating system and any attempt to delete the file from the directory or the windows registry would give a "file in use" error. I ended up having to boot the computer in DOS mode and delete the file then reboot in windows.

How about Anti-Darwinian?

[bob_calder]

If one posits the users' systems are insecure because the OS can't protect itself. The legislation is *good* because it will prepetuate insecure systems by keeping them alive.

Personally, I'm against anti-virus software.
Of course, I never attach to the net either. This message was tied to a brick.

You could, of course, use two bricks. Oh, you do use two bricks!

No Spyware here...

[AngstAndGuitar]

I've never had any problems with spyware...
I guess the target environment is not linux :)