Slashdot Mirror
The Pure Software Act of 2006
lurker412 writes "The MIT Technology Review features a proposal by Simson Garfinkel to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products. The proposal targets adware, spyware and other unsavory practices. It suggests that by requiring software manufacturers to include clear icons for each nasty behavior--rather than hide the disclosures in seldom read or understood click-through SLAs--end users will be better protected. Garfinkel specifically lists eight types of sneaky behavior, but the list is not meant to be exhaustive."
Anyway, did anyone else read this and think immediately of the Evil Bit? The whole thing has got to be a joke, right?
John
Anyone see the name as "Simon and Garfunkle"?
I'll go back to work now...
First he writes "Bridge Over Troubled Waters" and now this!!
"Would you, could you, with a goat?" Dr Seuss
Because pretty pictures are so meaningful to everyone. Heck, why not just color code? Spyware? Color red. Ads? Color orange. Other unsavory practices? Yellow. It'll obviously be easy to understand.
How do they plan on labeling software solely distributed over the internet? I'd venture to say that 90% of the spyware that's out there comes through download-only software (DivX, peer to peer software, etc...).
Implementation would be far too much trouble. Developers would fight you at every turn. Would my software be spyware if I had it collect general system stats if you choose to register, so that I know the average machine speed of my clients? Would that carry the same label as a program that logged every keystroke and sent that back?
From the guys who divulged KFC's secred recipite. Sorry, I couldn't resist...
Quid festinatio swallonis est aetherfuga inonusti?
Africus aut Europaeus?
to denote buggy code?
I hate this stuff, I'm glad I switched to Linux. I've had to completely wipe out pc's at work because of adware/spyware. Some program called "Hotbar" is the worst.
Spyware is a big problem which isn't Window's fault. Because windows is the biggest, it gets targetted by spyware. You can still right a program which uses 100% CPU Usage and makes everything really slow,etc. for another OS, no matter how secure. Unfortunetly, its targeted at windows. My friend thought that windows XP was horrible because it was running so slow. On a 2ghz, it would take 5 minutes to load IE. I showed him Ad-Aware from lavasoft. It detected 589 spyware objects, quite a few of them different. I found that a big problem with spyware, is not only the spying, yet the fact that it slows your system to a hault. If this works, and makes spyware go away, or atleast well known spyware label itself (such as gator), I will rejoice.
Help Fight SPAM today!
How do you fit all those icons onto MS packaging?
Shouldn't he stick to writing music instead?
To implement it. Software is created internationally, especially some of the riskier/more questionable stuff. Congress can pass laws all the want, but it's going to be difficult to get a programmer in Uzbekistanajanina to follow.
to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products.
By opening or removing the seal to this package you agree to abide by the terms explained in the enclosed EULA. By the way, this product contains software code, which, by installing on your computer, could render you utterly defenseless from intrusion, viruses, worms, trojans, popup advertising, loss of data, loss of privacy, NOT TO MENTION putting you on an endless treadmill of planned obsolescence, making you a pawn in the global theater of consumer rape by corporations. Enjoy!! Oh, yeah, we don't guarantee that the software works, and, no refunds.
Did your ivory tower come equiped with an ivory backscratcher? And if so, where can I buy one?
As that article says, most of the proposals to control spyware get bogged down in trying to define spyware without catching sofware that is clearly legitimate, such as an antivirus program trying to "phone home" automatically to update its virus signatures.
I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.
Read up on how she's bought-and-paid for by a loan from Real Networks - a loan that Ms. Cantwell got to pay for her campaign by using her insider shares she got from Real - and a loan that was supposed to have been called in when Real's stock price tanked.
And that's just Real - anyone wonder how many Senators, Congressmen, and President's Bill Gates has on his payroll?
That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operations, reproduce and the like.
Spammers are going to ignore this, just like an unsubscribe link.
While those with a little more knowledge can block access to their computer or remove harmful software; for Joe User this sounds like a good idea. They'll clearly see what harmful or risky behaviour any particular piece of software can bring with it. Of course many software companies (particularly big ones with an interest in collecting information without necessarily letting people know they're doing that...) would fight it. But if it's legislated then they'd either have to comply, or be a lot more underhanded in how they do it. In either case, it still sounds better than a 50 page EULA (which they can be underhanded with anyway).
This is left as an exercise for the reader.
I really like this idea; users too easily click "Yes" on licenses designed to sell your soul to the developers. Creating clear icons specifying the software's behavior could potentially wake up users to the fact that they're being shammed.
:-) Given that most of the software in question is online only, and given the ambiguous lines of law over the internet, I don't see this working.
However, as some previous posters mentioned, most naughty software is available only online; I can't go to Best Buy and purchase a Windows Clock synchronizer.
Tech, life, family, faith: Give me a visit
I'm interested in an intelligent discussion of ideas in the marketplace, and whether the government should be in the position of enforcing the openness of information. Trolls need not participate; we know how tempting it is for you.
Basic economic principles, such as supply/demand curves, are based on the principle of a marketplace with "open information": all buyers and sellers know the same things.
Yet, even when it comes to the FDA ingredients label, we hear companies bitching and moaning and finding new ways to confuse people. Case in point: Cholesterol-free Mazola Corn Oil! Good for the heart!
So, who exactly (besides the corporations themselves) is against the idea of government forcing the opening of information to buyers? Is it really such a hard line to draw (between what buyers *should* know and what is proprietary information)?
This is fine by me, as long as the "honest labels on software" are written all in hex ;)
Change your name to Homer Junior! Your friends can call you Hoju
Software vendors will have no incentive to put negative labels on their products; even if it's the law, they'll find some loopholes to avoid the labels. Instead, they would have more incentive to use labels that are positive. Instead of making a vendors say, "Yes, I use spyware," it makes more sense to award well-behaved programs a positive seal of approval which means, "This software uses no spyware, is uninstallable, etc."
Does that mean that later down the line some software is gonna advertise haing 20% less adware / spyware than the leading software? Great...
"Well, I am mad, and I'm a crazy fucka when it comes to tea"
Inspiration your sig is:
"Would you, could you, with a goat?"
New Verse
Could you would with a goat in a boat?
Could you would you with a goat in a fridge?
Coud you with a goat even a smidge?
No I don't like doing it with goats!
Not in a boat, Not in a fridge!
I don't like doing with goats,
Not even a smidge!
Hey, doing it with a goat isn't all that bad!
Just remember to face them towards a ledge so they push back harder.
And remember to tuck their hind legs into your boots.
It's like wearing a t-shirt with the words " I am the one your mom warned you about". Yeah, right....
Open Source acts as a trust mark. I've never even heard of a spyware program released under the GPL.
Yes, I may need to use a DOS prompt and run cdrao and vcdimager with a bunch of confusing flags to burn a VCD from my TV tuner card, but it still works, it doesn't notify a database that I like CSI, it doesn't intentionally degrade the output, and I don't get any unwanted popup messages.
The world will not get better through technology. We must seek to be better people.
Here you go!
is nothing sacred
Looks like this software contains 36% of my daily value of spam, but it does contain 200% of my daily requirements for internet messaging.
Free Flat Screen
Trolls seem to be helping each other out today. Interesting.
Are the makers of porn dialers, trojans, email relays and viruses going to put a helpful icon on their software? No.
Of course not, but the makers of legitimately well behaved products will. You look at two food cans... one has a label with ingredients and such and the other one doesn't. Which one will you eat?
This to work would require one or more bodies like the ESRB to test products, assign the correct labeling, and go after abusers.
Tom the Sigless
It's merely 6 years since The Gator Corporation chomped a hole in the privacy of the boxen of our friends and families and you people are talking about honest software labeling??? MY GOD, people, GET SOME PRI0- .oh.
. .
Carlories: 0
Serving Size: 3000 per second
The Pure Software Act of 2006
100 years ago, Congress passed a law requiring honest labeling of food and drugs. Now the time has come to do the same for software.
By Simson Garfinkel
The Net Effect
April 7, 2004
Spyware is the scourge of desktop computing. Yes, computer worms and viruses cause billions of dollars in damage every year. But spyware--programs that either record your actions for later retrieval or that automatically report on your actions over the Internet--combines commerce and deception in ways that most of us find morally repugnant.
Worms and viruses are obviously up to no good: these programs are written by miscreants and released into the wild for no purpose other than wreaking havoc. But most spyware is authored by law-abiding companies, which trick people into installing the programs onto their own computers. Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers. Such programs cause computers to betray the trust of their users.
Until now, the computer industry has focused on technical means to control the plague of spyware. Search-and-destroy programs such as Ad-Aware will scan your computer for known spyware, tracking cookies, and other items that might compromise your privacy. Once identified, the offending items can be quarantined or destroyed. Firewall programs like ZoneAlarm takes a different approach: they don't stop the spyware from collecting data, but they prevent the programs from transmitting your personal information out over the Internet.
But there is another way to fight spyware--an approach that would work because the authors are legitimate organizations. Congress could pass legislation requiring that software distributed in the United States come with product labels that would reveal to consumers specific functions built into the programs. Such legislation would likely have the same kind of pro-consumer results as the Pure Food and Drug Act of 1906--the legislation that is responsible for today's labels on food and drugs.
The Art of Deception
Mandatory software labeling is a good idea because the fundamental problem with spyware is not the data collection itself, but the act of deception. Indeed, many of the things that spyware does are done also by non-spyware programs. Google's Toolbar for Internet Explorer, for example, reports back to Google which website you are looking at so that the toolbar can display the site's "page rank." But Google goes out of its way to disclose this feature--when you install the program, Google makes you decide whether you want to have your data sent back or not. "Please read this carefully," says the Toolbar's license agreement, "it's not the usual yada yada."
Spyware, on the other hand, goes out of its way to hide its true purpose. One spyware program claims to automatically set your computer's clock from the atomic clock operated by the U.S. Naval Observatory. Another program displays weather reports customized for your area. Alas, both of these programs also display pop-up advertisements when you go to particular websites. (Some software vendors insist that programs that only display advertisements are not spyware, per se, but rather something called adware, because they display advertisements. Most users don't care about this distinction.)
Some of these programs hide themselves by not displaying icons when they run and even removing themselves from the list of programs that are running on your computer. I've heard of programs that list themselves in the Microsoft Windows Add/Remove control panel--but when you go to remove them, they don't actually remove themselves, they just make themselves invisible. Sneaky.
Yet despite this duplicity, most spyware and adware programs aren't breaking any U.S. law. That's because many of these programs disclose what they do and then get the user's explicit consent. They do this with something that's called a click-wr
They don't just ignore the unsubscribe link, they use it to see if the address is valid. It's done more harm than good.
"Well, it took an hour to write, I thought it would take an hour to read."
As I understood the article, the idea is to make this obligatory and, presumably subject to legal sanction. If you mislablel a drug, the FDA can cause you a world of grief. This would make the creators of scumware subject to the same level of punishment. The risk could become too great for the reward.
Why not use Mr. Yuck! stickers and icons all software that uses unsavory practices?
No need to make it complicated...if it's got any characteristics like spyware it's crap and gets a Mr. Yuck. Simple.
Then they would have been required by law to tell me how bad Daikatana was before I bought it.
A feeling of having made the same mistake before: Deja Foobar
No thanks. I have more trust for "disinterested" third parties that verify and publish on their own. A more helpful law would be one that protects the researchers (even amateur ones) from harassment (legal or otherwise). It's a slippery slope, it will not end with labeling.
I *don't* want that to happen with software! I'd much rather retain the right, as fair use, to legally modify crap-ware, and also have the right to discuss the details of that modification with other people.
Fred
"A fool and his freedom are soon parted"
-RMS
or perhaps there would be a breakdown into Active and Inert and Harmful ingredients?
Help end the use of Sigs. Tomorrow
I see this as a step towards obliging software vendors to offer some sort of guarantee, and that IMHO is something that has been a long time coming. For too long, closed-source software vendors have hidden behind the words "No Warranty" and the confidentiality of their source code to avoid acknowledging bugs.
Open Source software should be perfectly capable of complying with this requirement, since the source code is the guarantee document (you can truthfully state that it will do whatever the source code says it will do, and if it doesn't then it's your equipment that is faulty).
Je fume. Tu fumes. Nous fûmes!
The food and drug industry is heavily regulated, and is substantially easier to control than software because producers need to be licensed with various governmental bodies, depending upon the country. Rightfully so, as lives are at stake.
If this sort of labeling scheme is to achieve widespread adoption, it will need the same sort of tight regulations. I don't believe that the majority of developers would enjoy this at all... imagine having to have upgrade releases and patches approved by the Federal Software Administration, before being allowed to legally distribute it to the public. Throw in the fact that it would take several decades just to get a minority of the world's countries on the same wagon, and consider that most "scumware" (to generalize) comes from outside the U.S.
It's a great idea, but the execution is all wrong. More appropriate would be to grant developers the ability to have their software approved as "Popup free" or "Doesn't Phone Home" or the inverse of the many other icons that Simson Garfinkel (sounds like a joke) proposes. This legislation would prove a lot harder to fight from an industry perspective.
This comment is fully compliant with RFC 527.
Are the makers of porn dialers, trojans, email relays and viruses going to put a helpful icon on their software? No.
I don't think this legislation is going after criminals, per se, but software like Gator and the like that are "legitimate" businesses with sleasy tactics. By making such underhanded tactics illegal, it will severely limit how much money etc can be collected by such a scheme. That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operations, reproduce and the like.
Yes, and any corporation that wants to stay in business will comply with this law, reducing the effectiveness of such programs, and discouraging it.
Spammers are going to ignore this, just like an unsubscribe link.
Eh, spammers aren't the worst problem with this kind of software. Gator etc. are, as their software looks genuinely useful to the average user.
Cheers,
Justin
1. Hook: Runs at Boot
Check
2. Dial: Places a Phone Call
Activation procedure, Messenger, etc.
3. Modify: Alters Your Computer's Operating System
Duh. It *is* the OS.
4. Monitor: Keeps Track of What You're Doing
Windows Media player / IE's index.dat come to mind.
5. Displays Pop-Ups
At least before XP SP2 comes out.
6. Remote Control: Lets Other Programs Take Over Your Computer
Just how many exploits *are* there at the moment?
7. Self-Updates: This Program May Change Its Behavior
Windows Update, anybody?
8. Stuck: Cannot be Uninstalled
Unless you count formatting the hard drive as such.
If anyone cries that this would be like a scarlet letter and harm his sales, remind him that proponents of DRM (while wielding effective monopolies in their product areas) were saying to "let the market sort it out." Free markets require good information, which such a law will provide.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
One of the biggest problems my friends and relatives bother me about is buggy $12 software they get in the bargain bins.
It's so hard to explain to them that software built for win95 with ancient versions of quicktime/acroread will probably not work very well on WinXP.
They say, but the box says it works for WinXP.
And I say, "it depends on the definition of 'works'". And don't be cheap, do not buy any software that "works" on Win95 for WinXP.
A gov't enforced standard label would help:
Built Around: Win95
Fully Supported: Win95, Win98, WinME
Emulation Supported: WinXP
Consumer Warning: Some software/hardware
combinations do not work well with emulation
support
Worst. Act name. Ever.
A noble idea, with an ignoble name. Reminds me of a Pure Earth movement of some kind.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
The Pure Food and Drug Act, while seemingly innocuous in its time, paved the way for the current prohibition against certain drugs in the US (and most of the world) and led to all of the excesses and perversions of the government's "War on Drugs". How could this proposal (well-meaning and topical as it seems today) come back and bite us in the future?
Perhaps deeply immersive and psychologically convincing virtual reality of the future will be deemed to be software with the potential to cause harm and no redeeming properties. Then the government would be well within its "rights" to prohibit the software's use and impose draconian penalties for possession or distribution (especially if you have the source code).
People in 1906 let the government have say over what they put in their bodies because of fear of contamination (and outright fraud), are we going to let the government have say over what we put on our computers because of fear of ad- and spy-ware?
while true, food isn't as easily distributed as software. I still think you make a good point. Public awareness can help to insure that foreign software not exhibiting these rules should not be downloaded except with extreme caution.
LOL
/. and the info was on Mandrake's site. tick me off!
Yeah, I was rejected the day Mandrake e-mailed everyone about coming out of Chapter 11, 4 days before it was actually posted on
{{rolls eyes}}
Oh yes! this is just what Linux needs. Legislation to force Unix developers to follow Windows conventions.
I can see it now.
$>tar -xvzf myapp.tar.gzip
$>./configure
$>make install
Warning: this program doesn't come with an uninstaller. It scatters files all over your machine in undocumented locations some of which are dependent on environment variables.
$>make uninstall
Uninstall failed.
$>
Ya, I use Windows XP. Even though I have a firewall and keep my patches up to date, I still get adware/spyware once in a while.
I would get 0 adware/spyware if Microsoft wrote a little bit of security into their operating system in a few ways:
- Record log of installed files (prompt for any files being installed in non-specified directlories.. ie: If realplayer trys to install realisawesome.dll in C:\windows\system32, WINDOWS itself prompts me.)
- Prompt for any programs trying to start up with the computer
- Have only one method for a program starting up with a pretty little 'startup' icon in the control panel
- Disable IE's install on demand by default (probby most common method for spyware)
- Allow users to disable popups without a fucking extra program (fuck developers and their incessant popups - MS gives way too much control to them and none to the end user)
- Have Windows control the uninstall and not some crappy script written by the same company that wrote the crappy software that user wants to uninstall cause' it was crappy
- Allow the user to enable plugins only when desired (disable flash advertisements and stuff)
- Quit allowing programs to install a shortcut in startup, the quicklaunch bar, the desktop, every goddamn folder on the computer, favorites, and quit launching a secondary program just to launch a button that launches the main program!!!
This is how you could fix things in Windows.. Linux is pre-fixed.
So, you Linux nerds, why the hell aren't we trashing Microsoft in this thread? They're fixing 'security', but not the type of shit Mr. Stupid Enduser cares about.
--- We need more Ron Paul!
Further, there are several games that ship with Microsoft DirectX. That modifies your operating system. The program's package can't be labelled without the (wrench icon), unless it comes with installation instructinos about how and where to download the required ActiveX features.
In otherwords, sometimes the labelling will simply get in the way of the whole truth.
Kinetic stupidity has a new brand leader: Allen Zadr.
We'll soon see labels like: "Spyware-free Gator, included free with Kazaa!". Or even better, "Ad-free USB cable, buy it now!". Ever saw in your convenient store the "Margarine with no cholesterol"?
You're talking about viruses, and of course anyone who wants to break the law can do so. Right now though, there is a large class of software created by companies that say what they are doing is perfectly legal. They claim that by having a user click OK on a dialog box they can do pretty much anything they want on that user's PC. And they are doing this brazenly, out in the open, and in the clear view of the governing agencies. LOP.COM is one of the most-despised pieces of spyware around and still the guy from C2/LOP has the ballz to file a comment for the upcoming FTC spyware conference saying LOP is the future of Internet advertising!
Most spyware/adware makers feel the same way, they don't have to hide because they are not breaking any laws. And if you download the software directly from their web sites you will be presented with various screens and buttons you have to click to agree. However, the details of what you are agreeing to is anything but clear. The Claria license is 20 pages for example, and to paraphrase: "Once you click YES we can automatically download and install new software, even new versions of other vendor's software like Media Player or Flash if we need it to display ads. We can even send back an list of all the software installed on your system."
Should it be legal to bury that in a 20-page document and then say that clicking YES on a dialog box is legally binding?
I totally agree with this concept.. In the age of the "shrink wrap license", the groups defining the terms and conditions need to take more responsibility to clarify the terms than they currently do. Who has the time, or the legal knowledge, to wade through 10 pages of legalese before installing some random program? I simply cancel the install when confronted with those licenses, but obviously many people don't.
The same concept should apply to many areas:
- DVD, and other future format, movies. The box should clearly state whether it has advertisements, if they play automatically, and if they can be bypassed. I get really pissed when my DVD player forces me to watch ads when I put a movie in. If I had known about it before purchasing, I would not have bought the movie. This should also include the bullshit FBI warning, and other remote control lockout functions.
- Satellite TV providers - DirecTV keeps talking about "downres'ing" HDTV output if not through copy protected interfaces (crippling most current HDTV's). They are also talking about disabling the Tivo 30 second skip function. Who knows what else they'll do -- remote control lockout on commercials? They need to declare these sorts of things at purchase time, so I'm not stuck with a $1,000 HD-Tivo that won't skip commercials, and a one year committment to DirecTV programming.
- ISP's - what monitoring can/will they do? Can they place any limits on inbound connections, etc.
I'm sure there are many others.
Yeah! Example of great modding! The article is about Congress considering a law requiring software vendors to say something on their packaging and somehow bringing up the First Amendment is Offtopic?
Spyware doesn't come with the products you buy in a store. It comes from web pages in the form of activex driveby installers, with crappy software "bundles" in p2p programs, and so forth. The techniques used to install are deceptive, and will work around whatever laws you try to put on them.
The solution is to have intelligent security (e.g. not everyone is the fucking admin user, and your web browser doesn't happily run code from other web sites). It's not rocket science.
I guess this is a good start, but he states that we should avoid "icon creep." The problem is, the sorts of nastiness that spyware can carry out will likely be lumped up with the same icons that most legitimate software will cover.
I.E. think about how many icons Mozilla could be required to have on it... it can be set to start at boot with that quickstart icon thing. It can can be set to send data back home if you've set up the Talkback crash reporting, which will likely send back monitoring information on what else is running on your PC. Mozilla can also certainly display popups (although, granted, at the behest of web sites). I don't think Mozilla does remote control or self updates, but a future release could, in a non-evil way.
If people install Mozilla, then they'll see three or four icons. Think how many other benign pieces of software will have to display those same icons. Now think how many nasty bits of spyware would also display those same icons. If people repeatedly see the same things over again, they aren't going to be on their guard against a program that does the same sort of thing other programs do, but for nefarious purposes.
Personally, I think a good idea would be to have an independent, third-party review board sort of like Underwriter Labs (those UL label folks you find on most eletrical appliances) to label software as having been tested and being up to published standards for respecting privacy and being a good "software citizen." Then we can train the user to look for the "Certified by Software Testing Labs" as being safe.
Such a board would be hard to set up and keep independant of the industry which it serves... but I think it is possible. We could, hopefully, make such a review board practiclke enough that small software firms, and even open/freeware authors could get certification.
Aside from the pop-ups one (which may be difficult to "guage"), all of these features could be good or bad depending on the circumstances. The logic being, IF it has a lot of icons, AND you trust the company, then it's still safe to buy.
OTH, if it has a lot of icons and you DON'T trust the company, it's probably NOT safe to buy. If it has one or no icons and you don't trust the company (or you do), it probably can't hurt.
Example:
Auto-Update, Uninstallable, and Modify system for a service pack from MS is no worse than Modify System + Popups from a "Free Web Accelerator" from some random website.
I can see them sticking those icons right next to the "recommended system requirements". It'd start looking like a Nutrition Facts label. They just need one for "Requires Administratrive Privledge", and maybe they should either add one that says "Directly Controls Hardware" too.
And I think the telephone calls one and pop-up ones are too specific. The telephone call one should be more like "can incur incremental cost automatically" (so it'd apply to MMRPGs or Click n' Run as well) and the pop-up one should simply be "Adware".
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
4. Monitor: Keeps Track of What You're Doing Don't forget:
/windows/applog
which at this point in time is wasting approximately 8 Megabytes of my disk space.
Like a bridge between library and plotter,
I will let you down....
I think the parent poster had it right, and if anything you're arguing for their case, not against it.
In case you haven't noticed, much as Windows is the overwhelmingly dominant OS, IE is the overwhelmingly dominant browser. That's not to say that IE is without its flaws, and it's not to say that other browsers do have flaws (although they do). But you're kidding yourself if you don't think the main reason there's more malware for Windows/IE than anything else is because of their popularity. Ease of writing malware for them is a far distant second if that.
It's difficult to define and enforce this across the swathe of software products, but one way to start is to require it for government purchasing contracts: forcing major vendors (e.g. microsoft _and_ open source vendors!) to start the ball rolling. Once it gets ironed out after a couple of years, then roll it out further.
Good idea though.
Like many people, Garkfinkel is proposing a legislative solution to something that'd be better handled technically.
.Net also makes overtures in this direction. It will be a challenge for OS vendors to allow users to have this amount of control, without overwhelming them with so many choices they'll give up and just give full permissions to everythig (in the pattern of "I always run as administrator, because it's the only way to get stuff done"). But those challenges can be surmounted with skilled interface design.
(Legislative solutions are suboptimal/dangerous for many reasons. They are over-broad, in that they apply even to consenting adults who wish to engage in the behavior without meddlesome government oversight; cf prostitution. And they're too-narrow, in that they can by necessity only apply within the country's legal jurisdiction, whereas software distribution is an international operation)
Turn now to the second page the Pure Software proposal. The list of potential warning-labels it suggests is: Hook, Dial, Modify, Monitor, Popup, Remote Control, Self-Updates, and Stuck.
All of those things are basically technical features which a well-designed operating system could prohibit programs from using, without permission. The root of the problem is that even after 30+ years of software publication, most programs are still just completely arbitrary lists of instructions: once they're executing, they do whatever they do, and nothing can stop them.
The big exception there is that most OSes, at least, restrict programs on a per-user basis. A program cannot read or edit files to which the executing user has no permission. That's an important step, but one that Unix has had firmly in place since the 80s. As time passes, we need to go further: program priviledges should be restricted not just at the per-user level, but also at finer granularity.
When I download and install a program, I don't want just the option of "run it or don't". I should be able to run it, but without it being able to read any files except those it came with. Or being allowed to read files, but only if I pick them from a system-supplied dialog box. Or read any files, but not write to them, except in a directory I've chosen (and that it can't override). Or write files, but only in specific approved formats (such as those which can't possibly contain executable code). Similar kinds of restrictions suggest themselves for GUI and network areas (including the important points of "phone home" and "data tainting")
To a small extent, Java frameworks (like "Web Start") have attempted to do this, with a list of features the user can individually permit a program to execute. Microsoft
The best way to prevent software from doing something is to use software that prevents it from doing it. (As Lawrence Lessig said, the best and most effective laws for code are more code)
Well, in that case it'll be much less useful for the consumers, since they'll have to think hard about what evils were left unmentioned.
I would say that the labels described in an article are not really negative, they just state the fact. There's nothing wrong with free version of Opera running ads in the corner of its window, of with some personal firewall monitoring my actions. However, I as a consumer, would like to be sure that, say, there're no backdoors and that the software can be uninstalled cleanly.
The whole deal is about helping consumers make informed decisions. Helping companies that have no respect for their clients' privacy to sell a questionable product is not something we should lose our sleep over.
...why not do a similar thing for everyday software?
In commercial avionics there is a standard that describes the testing (and other) obligations for a software manufacturer. If you see a product certified to DO-178B level A, you know it can be used for a life-critical purpose. If you see DO-178B level E, you know they only slapped the label on something they developed without any formal development (and testing) process.
If software manufacturer are to be obliged to disclose the amount of spyware they distribute, then they should by the same account disclose how many bugs we expect them to distribute. Just make an-easy-to-go-through certification in order to disclose how well you've tested your software to meet the requirements, and you're in business.
C.
the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products.
What's to stop someone from saying "This product may contain one or more of the following; ad-ware, spy-ware, automatic updates, and a chance to win $1,000,000"
That last item would be enough to entice most people to buy it anyway.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
WARNING: The contents of this software contains adware, spyware, and several useless annoyances. It has been proven that prolonged exposure to such contents has been known to provoke hysteria, fits of rage, nailbiting, and in many occurrences, system failures
Should you experience any of these symptoms, there is no need to contact a doctor. Simply apply any blunt household bludgeoning instrument forcefully to your computer. You may also contact your local Technical Support hotline for further assistance.
"Would you rather be right, or happy?"
Mod parent up, please.
With all of these icons, will there even be ROOM for the logo on the Windows box?
Would spam software carry the spam label...ummmm...spam
"Look Lois, the two symbols of the Republican Party: an elephant, and a fat white guy who is threatened by change."
This should go for electronics too (especially items such as DVD players etc that have embedded software)
But where is DRM? Thats the most important label of all, and the description of the label must _not_ include the words "Digital Rights Management" which is simply PR crap for "restricting what you can do"
This comment does not represent the views or opinions of the user.
What ever happened to caveat emptor?
If you don't know what you're buying...don't buy it.
I have discovered a truly marvelous
but I read that as in Simon & Garfunkel (the musical duo)
This is my sig, this is my gun. This one's for flaming, this one's for fun.
Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers.
So this guy really feels that employers who monitor company computers are spying on their employees? Should closed circuit cameras be taken down to prevent spying on employees? It's a company computer... they can load whetever software they like on it!
.:diatonic:.
I like the idea in principle, but see plenty of problems in it's practical impelementation.
.deb or .rpm package in your Linux system had a spurious GUI component, just to comply with a well-intentioned but poorly-considered law!
As described, the proposed law would hard-code the concept of using icons to disclose this information. What about fundamentally non-graphical programs (drivers, daemons)? What about overall non-graphical environments (servers, embedded)?
I fear this scheme would further what is already an increasing problem: that everybody wants to attach a GUI to every program, even if it's totally inappropriate (e.g. printer drivers). The proliferation of spurious GUI interfaces leads to the proliferation of inappropriate design choices in exception reporting (pop-ups instead of log files), configuration methods, etc.
I'm not anti-GUI, by the way. I'm anti-inappropriate-GUI, and I fear hard-coding icon requirements into every piece of software makes this trend even worse. Immagine if every
On the other hand, I would definitely like to see these icons displayed on the labels of software packages and disks, or on the web pages that software is downloaded from.
Oh, and something the article didn't mention, but I'd propose this ammendment to the act: Make it hard to add any additional icons (i.e. to make the program behavior worse) in upgrades. If any icons are added, the vendor must either (1) continue to support the old version for future bug fixes, security patches, etc., or (2) refund the purchase price to buyers who choose not to continue using the product. (Obviously, there'd have to be a time limit, but long enough to prevent the use of "incrimental-spyware" as a bait-and-switch technique.)
Use and enjoy!
The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
Hmmm...I don't know that I want to work that hard. When I install a new program, I usually don't know very much about it, so it would be rather hard to tell what behaviors are needed. I am a geek, so I could probably get it right most of the time if I took the trouble. Same would be true of reading the EULAs. But most software users are not geeks and letting them pick and choose the options that you suggest seems entirely unworkable regardless of the UI. It might work for you, but it would be a disaster for most.
I think Simson & Garfinkel was a cover band back a few years ago.
And on that note, how does that affect people that use hacks which remove the license or just puts the software in place without using the main installer (so no license)? Are they NOT held responsible to the terms and conditions?
Perhaps we sould create a positive label "programmed in the USA" to go on software as well.
In much the same was that this boosts clothing sales, I wonder if it might boost program sales...
Less look fast, more go fast.
That the human trash who write malware always obey the law. Just like spammers coughCANSPAMcough do. I mean, honestly, since when does someone who feels that it is acceptable to steal your personal information without your permission obey stupid little things like the law?
I doubt that they initially wanted them, but the truth is that the mandated warnings on cigarette packages proved very beneficial to the cigarette companies when they were originally sued for causing cancer, etc. One of their best initial defenses was, "What do you mean you didn't know that cigarettes can cause cancer (heart desease, etc.)? There is a bold face warning on each and very package!"
The same thing could prove true for manufacturers of alleged malware. How can you complain if instead of the existence of the program being disclosed in the fine print of an EULA, its existence is disclosed on the outside of the box by a nice, large, colorful icon? "What do you mean you didn't know what you were getting? Its disclosed on the outside of the box!" "What, you want to interfere with the right of people to freely and consensually contract when both sides have been fully informed about what each of them is getting?"
Only Women Bleed (Sex, Sharia remix)
What if I say that my software is made out of 100% recycled bits? Would that be a good selling point for it?
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
...because Microsoft would have to bloat up to maybe a couple more gigabytes to house all the new icons.
Oh, wait, that's Longhorn.
Of course, they could just put one BIG icon as their boot page. An image of Bill's face, maybe.
After all, as soon as you see his face, you know you're gonna get ripped off. The students at Harvard knew that when he was running poker games.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
As a parent and a software developer, I can say that many, many, MANY children's games absolutely suck. I'm in favor of full disclosure on the labels. I propose a "suck factor" or something. A big sticker on the front. "Suck Factor: 7"... on a scale of 1 to 10, with a suck factor of 0 being the best.
:)
RP
By the way, FTLOG means "For the Love of God"... trying to start a new acronym here
It is a great idea in theory. Ideas like this have been discussed by spyware haters, activists, and makers of security software in a number of fora. Each time, they are ultimately rejected on the basis of creating legal liability/difficulties/saber-rattling for whoever is giving software the classifications. Some scenarios:
1) Researcher gives a piece of software from "Vendor A" e.g. a frowny-face icon because it does something semi-questionable, like transmit a GUID or auto-update without notice. Same researcher gives the same classification to another product from "Vendor B", but this product transmits the entire contents of the user's hard drive, harvests their email, and molests children. Vendor A's lawyers object to the classification on the basis that it associates their product with that of Vendor B, "creates confusion", etc.
2) Researcher evaluates a product on Tuesday, finds it spying, and gives it a SPYWARE label. Product's developer updates the program on Wednesday to remove the spyware features. Product's developer (or counsel, etc.) contacts the developer on Friday, demanding removal of the label because (on Friday) it is "false and damaging misinformation" causing damage to their business. Should the researcher label the product based on the sum of every version, only the latest version, the last n versions, or...? How would it play out in court, if the researcher and vendor disagree on which is appropriate? [Expensively, no matter who wins.])
3) Researcher labels a product $blahware, where $blahware is a relatively new term (e.g. Adware, Spyware, Malware, etc.) that does not appear in any official lexical record (OED, or whatever) and thus is not definitively defined. Product's author demands removal of this label on the basis that they can find definitions of $blahware (by other sites, their own affiliates(!), or whatever) that their product does not fit under. Whose definition shall be used? Which is correct? What if the researcher in question is in the minority? (This even can apply to terms the researcher has in fact invented on the spot. Think a hot-headed vendor will stand by while its product is labelled 'Crapware' a month before their big IPO?)
These are just a few scenarios. Unfortunately, most of this research is done by hobbyists and other everyday folks who don't want to, or can't afford to, be drawn into a lengthy battle, even if a judge would most likely find in their favor.
Caveat Emptor is not a business model.
1. Loopholes, loopholes, loopholes.
:P)
:P
As soon as a specific 'naughty' behavior is labeled and given a cutesy little icon, the [spy|ad]ware manufacturers will simply do something similar but that doesn't fall under that exact categorization. For example, a piece of adware might not pop up an ad but might instead intercept your web browser navigator and post an 'in between' ad of its choice within the browser window for 5 seconds or something (this kind of thing is coming.) And then after that gets labeled a few months later, they'll do something else, and something else, etc. It is unlikely that whatever committee is in charge will have either the resources, technical ability, or incentive to keep up with the 'state of the art'.
2. Who will pay to examine all the software?
I seriously doubt that the gov't or whatever agency (FCC/whomever) has the resources to pay a team of talented software engineers to label every piece of software that could be conceivably downloaded. (hell, just look at our patent office's ability to competently evaluate software patents) Sure, like patents or code signing certs, you could have everyone pay a fee, but that fee might be too large for a fledgling software company to cover. And maybe you might get the 'reputable' software companies to foot the bill to some extent, but that creates a conflict of interest in itself (is Gator/Claria a 'reputable' company? Real? Apple?
3. Enforcement?
How will this be enforced? The punishments will need to be more than a slap on the wrist -- otherwise any fines will simply be an operating cost and will not deter anyone (witness the joke that the antitrust ruling was with Microsoft.)
I don't think icons that refer to specific behaviors of a program are going to be helpful; since 'nice' programs like Winamp and antivirus programs would themselves get the same self-update, hook (startup), and wrench (OS update) warning labels, so the average user is going to become conditioned to click "OK" on every install, just like they're conditioned to click through clickwrap agreements/EULAS. Distinctions based on technical behaviors are simply too confusing for the average computer user -- assuming the average user can make the nuanced technical judgment to tell 'nice' software from adware based on behavior is like assuming you or I could find loopholes in a 30 page legal contract.
The annoying thing about spyware is that it's unwanted advertisement from third parties. Regardless of what technical means they use to do so, the key distinction is that spyware providers get paid by third parties to advertise and non-spyware usually does not. Therefore, a simple icon and string of text that states "This software provides advertising from third parties" gets a little more at the heart of the issue, and the law doesn't have to change every 3 months with the advent of new techniques. The same principle could be applied to "phoning home", "spying" behaviors, or collecting usage data outside the context of the program as well as how such data is collected, aggregated, and/or sold.
Again, with such a simple clause spyware companies will inevitably find loopholes (e.g. play games with what constitutes "advertising"
or a "third party") but at least it's better than classifying by a bunch of arbitrary technical behaviors which are employed equally by 'nice' software as well -- and it hits closer to the revenue stream. A spyware provider will have a harder time lying about its advertising behaviors if it is clearly receiving revenue from advertisers, or selling statistics/personal information.
Longest Post Ever.
-fren
"Where are we going, and why am I in this handbasket?"
I have reason to suspect former Caldera exec, Ransom Love, is a member of the Strange Name Mafia. I bet judge Learned Hand also belonged.
"Give a man a fish and he will ask for tartar sauce and French fries!"
When I install a new program, I usually don't know very much about it, so it would be rather hard to tell what behaviors are needed.
True. That's why it should be possible to quickly adjust those permissions after installation, such as when a running program tries to do something unallowed. One obvious thing is that some programs which can use the internet don't always need to do so. The OS can check with you the first time the program tries to connect outside, and allow the connection just that once, or for 30 minutes, or forever. (Some desktop firewall products already do that exact behavior)
It might work for you, but it would be a disaster for most.
It's already a disaster for most. So every little bit of help will be an improvement. And I don't think it'll really be unmanagable. Yes, there are an enormous number of capabilities that could be toggled for each individual program. But in 95% of cases, a new program will fall cleanly into a well defined category like "file viewer", "network client", "video game".
For example, lets look closely at the videogame category. Today if I want to download a free puzzle game, but don't want it uploading my email addressbook to its programmer, my choices are limited. The most elegant approach is to have a separate username on my PC just meant for running games. But that's awkward (at minimum, it prevents me from running the game on the same desktop as my normal apps). If there was some way I could install the program attached to my normal username, but with only a subset of my full permissions, that'd be much better.
How about this: When you start to install the program, it identifies itself (to the OS) as in the "game category", which implies that it doesn't need the ability to read/write arbitrary files (only files inside its directory tree, like savegames and texture maps), but it does need freeform network access (for multiplayer). The OS can just pop up a quick dialog box "Is this really a game?", which encapsulates all the recommended settings for the category.
Only rarely should someone have to exercise more finely-grained control.
A nice idea, but I think your interpreting the icon idea a bit more extreme than I. I think the implication was that the icons would be needed ONLY for the default settings. If a program that runs in the background can be set to start automatically at startup, but you had to manually turn that feature on, it would still not require the warning icon.
(That's what I think is being proposed, legislation could go the other way though.)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
I'm still new to Linux, but isn't that what the "sticky bit" is for? You can set the file permissions such that any user can run an application, but that it always runs with the permission of it's owner.
(I realize your proposing a step further, but I'm just pointing out a current possibility.)
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
If people started programming with real languages running in secure VMs, then we would be able to know *and* restrict exactly what it can and cannot do at a low level.
Homer: Almost forgot, while I was at the courthouse, I had them change your name.
Marge: To what?!
Homer: Chesty Larue.
Marge: Chesty Larue?!
Homer: Just try it for two weeks. If you're not completely satisfied, you can be Busty St. Claire.
Marge: I don't want to be Chesty Larue or Busty St. Claire.
Homer: Fine, Hootie McBoob it is.
Marge: Good night, Homer.
Homer: Sleep tight, Hootie.
Marge: Let go of those!
Homer: He he!
Why did you even bother to post this drivel?
... of hordes of angry (yet stealthy, with Ninja-like stealth) hackers descending, at a fixed time and day, on software outlets worldwide such as OfficeMax and Best Buy and Circuit City and Future Shop, armed with rolls of silver stickers, bearing the words in the parent, which they affix to all copies of Microsoft Windows(tm)(R) in the store.
It becomes impossible to go into any retail establishment selling Windows without this sticker on it. Sales begin to plummet....
Now, hold on to your chairs, because this is where it gets very surreal, almost running against the laws of possibility as we know them.
Next to these tainted copies of Windows is a box with a reassuringly happy smiling penguin/daemon/whatever on it - yes, it's a user-friendly completely "plug and play" free OS. That opens Office documents. And saves them back. It runs Windows programs, but has such an intuitively set up selection of beautifully designed free software that people really don't need to stoop to that level. And heck, since this is a fantasy, it also runs games designed for Windows, but twice as fast. It also installs with 1 click from a CD.
A guy can dream, can't he?
I bought a tax package written in Java this year. It's a slow and poorly designed piece of shit that pauses for seconds at a time doing nothing. The fact that it was written in Java was not on the box - had I known I would have forked out an extra $10 for Intuit's software.
Consumers should be informed that there are some programs for which there is no going back.
So far, I've been able to uninstall every single piece of spyware I've ever gotten on my comptuer (very few, but Spybot and Ad-aware got them right away).
However, the one program utterly uninstallable on my computer is Windows Media Player 9! This program was installed knowingly and willingly, unlike every other conventional "spyware" program. (I kick myself daily for letting it on, as well.)
I wholeheartedly agree with giving it the proposed "Stuck" label (and I realize that an uninstall does work--reinstall Windows, which I do intend to do in the near future!).
I wouldn't mind a little sticker detailing how many local workers (whever the country) lost thier jobs to produce the product. Not becuase I give a shit about the jobs, just because I've found cheap, offshore work to be fairly shoddy and want to stay away.
For downloaded programs, how about putting the warning label on the installer's EULA screen, above the fold? (The "fold", in human interface design, is the first line of text not visible in the initial state of a scrolling text box.)
Any license that would prevent you from reviewing the software is highly illegal. Reviews are explicitly covered under the Fair Use clause of copyright law.
Not necessarily. A covenant not to publish reviews of a program that have not been approved by the program's copyright owner wouldn't be an agreement governed by a copyright license (like the GPL) but rather a contractual agreement. Non Disclosure Agreements are commonplace in the industry. A lawyer might argue that since October 1998, clickwrap EULAs are binding in the United States because the installer is an effective access control mechanism around the encrypted archive containing the copyrighted computer program, and installing the software without having clicked through the EULA requires circumventing the mechanism in violation of 17 USC 1201. A contract needs an offer, an acceptance, and a consideration; here, the offer is presented in the EULA, a click on the "I Agree" button indicates acceptance, and consideration includes decrypting the program in exchange for everything short of the user's firstborn.
In other words, do you claim that Microsoft Windows XP and later aren't buggy? The Windows XP logo lacks a border; the white space in the image is space rather than white lines, as can be seen from the shadows in this image. I'd rely on a patched installation of Microsoft Windows 2000, whose logo does include such a border, more than a patched Windows XP installation.
My joke was that I pretended to take yours seriously. Good situation comedy writers know how to give a punchline even to a straight character.
-- tepples
You look at two food cans... one has a label with ingredients and such and the other one doesn't. Which one will you eat?
If the one with the label says anything about green peas, I'm going with the mystery meal. Canned green peas are just that bad.
Rod Taylor
You're close, that's the set UID bit. The sticky bit does something else (but I can't remember exactly what right now).
I'm sorry. The idea of a 'software police' with the kind of enforcement powers that the FDA have just frightens me.
resigned
There are three bits in the *IX permission system relating to setting id.
/tmp.
The first is the suid bit, and states that a file shall be executed euid the owner of that file. This is often used for making small programs run with root privileges (like passwd).
The second is the sgid bit. It does the same thing the suid bit does, but for the owning group of the file.
The third is the sticky bit. It once hinted to VMs to cache the file in memory for future executions on an executable file. It is now ignored in this role, but when set on a directory, it changes the way the permission system works for files in that directory. Normally, if a user has write access to a directory, they may remove or rename files/empty directories in that directory. The sticky bit means that the kernel also checks to see whether the user owns either the sticky directory or the file/directory in that directory being named or removed before allowing a remove/rename. The only directory that I know of that this is normally set on in a *IX system is
May we never see th
I want anyone who writes ad-ware that disables anti-virus protection -- the programmer, not just their company -- personally prosecuted as a terrorist. People who use cheesy web games to bait kids to click on 16-page EULAs that grant full access to their parents' computers know damn well that they aren't dealing with adults of legal contract-signing age. Don't tell me it's the parent's fault for not staring over their kid's shoulders every minute they're on the computer. The people to blame for the world being so fucked up are the people who constantly fuck it up, not the ones who just want to mind their own business. This isn't the Middle Ages, and we shouldn't all have to maintain castles and moats around ourselves anymore.
Why use legislation when you can just start a company that hands out badges like "spyware free" and "no pop ups" etc. and verifies that anyone trying to use the logo actually is spyware free and free of pop ups? Anyone who uses the logo without permission would be in violation of copyright laws, false advertising laws, etc. Good companies would all sign up for the logo, 'coz "Hey, what's to lose? It just proves that we're good." Then over time bad companies would feel the pinch as people stop using software without the logo in the installer. It's a pure market solution, with the independent verification company standing to make a bit of cash from licenses, if it can first gain a toehold in the market. Maybe they should give away the logo to GNU software, in order to grow the brand at first and grow OSS in general at the same time. Meanwhile, commercial software could get use of the logo for say a fixed fee of $3k or something small, since not much staff would be needed for the company besides some lawyers to sue people misusing the logo and some marketers to shake hands with vendors to get the logo added to new software before it gets popular.
Wouldn't I be looking for a _technical_ fix for this problem? Or are you going to rename the school MIL?
Or to put it another way, "New! From the people who brought you software patents...."
How about make it mandatory that the box with the text be resizable, and require a reasonable font size. Anyone seen a program (or a web page offering a service) that uses 8 point font for it's license agreement? Small fonts are entirely unnecessary when real paper is not being used.
Then there is the matter of a captive audience; when downloading a utility or a game, the downloader presumably wants to try out or use this, and will not be deterred by dire warnings. After all, a lot of the worms going around are from people opening E-mail attachments not knowing what these are, how can we expect people to refrain from downloading and installing stuff they actually have found out about and which they want?
This whole debacle underlines a more fundamental flaw: that there is no sharp distinction between operating system software and application software on MS-Windows. The fact that arbitrary non-OS programs are able to modify the operating system they run on, and basically do a number of the activities that Simson Garfinkel made up icons for, indicates that the way it is constructed is wrong. This seems to be further supported by the folklore of Windows needing periodic updates and the common observation that any Windows installation that has been running for a while has become sluggish.
Having said this, let's have a look at where the big problems are and what constitutes the biggest headache? Some of these behaviors are legitimate, but the design of Windows makes it hard to figure out what is or has happened, even in these cases where the OS cannot be blamed.
Hook - The automatic start-up of a program is a legitimate function of an OS. The main problem with Windows is not that this is possible but that the actual mechanism is so obscure -- is it the Startup folder, some autorun script somewhere, some key in the Registry, and if so, where inside there is it?
Dial - This kind of behavior of automatic dialling to arbitrary numbers is never reasonable and could be generally prohibited by the design of the OS itself. Automatic and unattended dialling is reasonable only for dedicated alarm-transmitting hardware. Which by the nature of its application is fairly secure by design anyway, including a pre-set number. This same limitation could be used to advantage on other computers -- have a list of approved numbers which is guarded and relatively difficult to modify, and let the OS be the guardian of this.
Modify the OS -- This is the big no-no. No application (user-land) program should have the rights to modifying the operating system. This boundary should be hard. In fact, this behavior alone opens the gate for all the other vulnerabilities that all in some way or another depend on the rules of the OS being bent to accomodate nasty behavior.
Monitoring Activities -- The big problem here is that this happens with the user unaware. There is nothing the OS itself can do to stop this, other than making it possible to detect this kind of behavior and close the outbound channels. The hard part here is that there is a lot of legitimate outbound traffic, and how can the OS tell the difference?
Pop-up -- Unsolicited messages are generally a bad thing. Again, the OS is helpless to stop running processes doing such annoying things since it cannot tell the difference between a good or bad process already running.
Remote Control -- The problem here is as with monitoring. How can the OS or anyone else determine whether the controlling entity is a friend or a foe? Information about such activity happening when it happens might help, but it may also get in the way of legitimate remote-controlling.
Self-Update -- Related to the remote-control and OS-modification issu
SIGBUS @ NO-07.308
Also, let's not forget "Protein" which has an RDA, which conveniently it isn't mandatory to list (your "Hungry Man XXL Beefocalypse Now" dinner isn't required to say "Protein - 850%").
On a related note, you've gotta figure the beef and other meat industries are falling over themselves to support the popularity of "Atkins"-like diet plans. Sigh.
ObOnTopic: the same industry-friendly shenanigans would surely take place if big software manufacturers "voluntarily" adopted anything like this proposal.
Shop as usual. And avoid panic buying.
This link was commented out of the article. It may be interesting to /. readers. It's about the FDA of 1906.
I now understand why USA citizens are so fat.
would be good enough for me...preferably before installing the program...That way I can decide how much I want risk my system, or at least uninstall everything manually, if the uninstaller poops out.
"Program was unable to remove all files. Please remove manually." WHICH files, dammit?
What?
In addition to the "wrench" icon for "Modifies the operating system", maybe a less severe ('screwdriver' ?) icon for "updates the operating system" (i.e. installs unmodified components supplied by originally by the OS vendor) - that would allow programs to continue installing directx, etc, when necessary.
We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
Oh, the irony....
While I was reading this article I noticed Norton Internet Security was flashing a little icon. Guess what? A site called techreview.127.2o7.net (216.52.17.116) screenshot here was sending packages that appeared to be a Perl script overflow. Although I'm pretty sure this was a false hit (a few minutes later I got the same warning of an attack from 127.0.0.1), it's still ironic that this would happen when I was looking at an article about computer security.
Long live the Speaker Bracelet
Rolo D. Monkey
There are OS (mostly academic/research) that do exactly this. EROS is one, though it looks like the project has stagnated. While it was active, some work was being done to create a *NIX compatability layer (including X) that would allow traditional GNU utilities to run on top of the capability system. (Obviously, you'd need to (re)written programs to get the most security/etc. from this system.)
It's a pretty hefty paradigm shift, but eventually, I think any system that needs to guarantee security will need to be a capaiblity based system like this one. As you indicated, user-based security just doesn't offer enough control.