The Pure Software Act of 2006
lurker412 writes "The MIT Technology Review features a proposal by Simson Garfinkel to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products. The proposal targets adware, spyware and other unsavory practices. It suggests that by requiring software manufacturers to include clear icons for each nasty behavior--rather than hide the disclosures in seldom read or understood click-through SLAs--end users will be better protected. Garfinkel specifically lists eight types of sneaky behavior, but the list is not meant to be exhaustive."
Anyway, did anyone else read this and think immediately of the Evil Bit? The whole thing has got to be a joke, right?
John
Anyone see the name as "Simon and Garfunkle"?
I'll go back to work now...
How do they plan on labeling software solely distributed over the internet? I'd venture to say that 90% of the spyware that's out there comes through download-only software (DivX, peer to peer software, etc...).
Implementation would be far too much trouble. Developers would fight you at every turn. Would my software be spyware if I had it collect general system stats if you choose to register, so that I know the average machine speed of my clients? Would that carry the same label as a program that logged every keystroke and sent that back?
to denote buggy code?
Spyware is a big problem which isn't Windows' fault. Because Windows is the biggest, it gets targeted by spyware. You can still write a program which uses 100% CPU usage and makes everything really slow, etc. for another OS, no matter how secure. Unfortunately, it's targeted at Windows. My friend thought that Windows XP was horrible because it was running so slow. On a 2GHz, it would take 5 minutes to load IE. I showed him Ad-Aware from Lavasoft. It detected 589 spyware objects, quite a few of them different. I found that a big problem with spyware is not only the spying, but the fact that it slows your system to a halt. If this works, and makes spyware go away, or at least makes well-known spyware label itself (such as Gator), I will rejoice.
Help Fight SPAM today!
to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products.
By opening or removing the seal to this package you agree to abide by the terms explained in the enclosed EULA. By the way, this product contains software code, which, by installing on your computer, could render you utterly defenseless from intrusion, viruses, worms, trojans, popup advertising, loss of data, loss of privacy, NOT TO MENTION putting you on an endless treadmill of planned obsolescence, making you a pawn in the global theater of consumer rape by corporations. Enjoy!! Oh, yeah, we don't guarantee that the software works, and, no refunds.
As that article says, most of the proposals to control spyware get bogged down in trying to define spyware without catching software that is clearly legitimate, such as an antivirus program trying to "phone home" automatically to update its virus signatures.
I would much rather see regulation that required all software to clearly declare its intentions, and to get explicit and verified permission to install.
That is contrary to the nature of the software, which is to hide, report on your actions, enable remote operations, reproduce and the like.
Spammers are going to ignore this, just like an unsubscribe link.
Software vendors will have no incentive to put negative labels on their products; even if it's the law, they'll find some loopholes to avoid the labels. Instead, they would have more incentive to use labels that are positive. Instead of making a vendor say, "Yes, I use spyware," it makes more sense to award well-behaved programs a positive seal of approval which means, "This software uses no spyware, is uninstallable, etc."
Looks like this software contains 36% of my daily value of spam, but it does contain 200% of my daily requirements for internet messaging.
Free Flat Screen
The people who get spyware are the stupid and the elderly. Switching to linux would make things even worse for them.
I believe you just made the case for Mac OS X.
The Pure Software Act of 2006
100 years ago, Congress passed a law requiring honest labeling of food and drugs. Now the time has come to do the same for software.
By Simson Garfinkel
The Net Effect
April 7, 2004
Spyware is the scourge of desktop computing. Yes, computer worms and viruses cause billions of dollars in damage every year. But spyware--programs that either record your actions for later retrieval or that automatically report on your actions over the Internet--combines commerce and deception in ways that most of us find morally repugnant.
Worms and viruses are obviously up to no good: these programs are written by miscreants and released into the wild for no purpose other than wreaking havoc. But most spyware is authored by law-abiding companies, which trick people into installing the programs onto their own computers. Some spyware is also sold for the explicit purpose of helping spouses to spy on their partners, parents to spy on their children, and employers to spy on their workers. Such programs cause computers to betray the trust of their users.
Until now, the computer industry has focused on technical means to control the plague of spyware. Search-and-destroy programs such as Ad-Aware will scan your computer for known spyware, tracking cookies, and other items that might compromise your privacy. Once identified, the offending items can be quarantined or destroyed. Firewall programs like ZoneAlarm take a different approach: they don't stop the spyware from collecting data, but they prevent the programs from transmitting your personal information out over the Internet.
But there is another way to fight spyware--an approach that would work because the authors are legitimate organizations. Congress could pass legislation requiring that software distributed in the United States come with product labels that would reveal to consumers specific functions built into the programs. Such legislation would likely have the same kind of pro-consumer results as the Pure Food and Drug Act of 1906--the legislation that is responsible for today's labels on food and drugs.
The Art of Deception
Mandatory software labeling is a good idea because the fundamental problem with spyware is not the data collection itself, but the act of deception. Indeed, many of the things that spyware does are done also by non-spyware programs. Google's Toolbar for Internet Explorer, for example, reports back to Google which website you are looking at so that the toolbar can display the site's "page rank." But Google goes out of its way to disclose this feature--when you install the program, Google makes you decide whether you want to have your data sent back or not. "Please read this carefully," says the Toolbar's license agreement, "it's not the usual yada yada."
Spyware, on the other hand, goes out of its way to hide its true purpose. One spyware program claims to automatically set your computer's clock from the atomic clock operated by the U.S. Naval Observatory. Another program displays weather reports customized for your area. Alas, both of these programs also display pop-up advertisements when you go to particular websites. (Some software vendors insist that programs that only display advertisements are not spyware, per se, but rather something called adware, because they display advertisements. Most users don't care about this distinction.)
Some of these programs hide themselves by not displaying icons when they run and even removing themselves from the list of programs that are running on your computer. I've heard of programs that list themselves in the Microsoft Windows Add/Remove control panel--but when you go to remove them, they don't actually remove themselves, they just make themselves invisible. Sneaky.
Yet despite this duplicity, most spyware and adware programs aren't breaking any U.S. law. That's because many of these programs disclose what they do and then get the user's explicit consent. They do this with something that's called a click-wr
No thanks. I have more trust for "disinterested" third parties that verify and publish on their own. A more helpful law would be one that protects the researchers (even amateur ones) from harassment (legal or otherwise). It's a slippery slope, it will not end with labeling.
I *don't* want that to happen with software! I'd much rather retain the right, as fair use, to legally modify crap-ware, and also have the right to discuss the details of that modification with other people.
Fred
"A fool and his freedom are soon parted"
-RMS
If anyone cries that this would be like a scarlet letter and harm his sales, remind him that proponents of DRM (while wielding effective monopolies in their product areas) were saying to "let the market sort it out." Free markets require good information, which such a law will provide.
Call (206) 338-5780 COLLECT for information about a genuine BA, BS, MA, MS, MBA, or Ph.D.
Ya, I use Windows XP. Even though I have a firewall and keep my patches up to date, I still get adware/spyware once in a while.
I would get 0 adware/spyware if Microsoft wrote a little bit of security into their operating system in a few ways:
- Record log of installed files (prompt for any files being installed in non-specified directories.. ie: If RealPlayer tries to install realisawesome.dll in C:\windows\system32, WINDOWS itself prompts me.)
- Prompt for any programs trying to start up with the computer
- Have only one method for a program starting up with a pretty little 'startup' icon in the control panel
- Disable IE's install on demand by default (probably most common method for spyware)
- Allow users to disable popups without a fucking extra program (fuck developers and their incessant popups - MS gives way too much control to them and none to the end user)
- Have Windows control the uninstall and not some crappy script written by the same company that wrote the crappy software that the user wants to uninstall 'cause it was crappy
- Allow the user to enable plugins only when desired (disable flash advertisements and stuff)
- Quit allowing programs to install a shortcut in startup, the quicklaunch bar, the desktop, every goddamn folder on the computer, favorites, and quit launching a secondary program just to launch a button that launches the main program!!!
This is how you could fix things in Windows.. Linux is pre-fixed.
So, you Linux nerds, why the hell aren't we trashing Microsoft in this thread? They're fixing 'security', but not the type of shit Mr. Stupid Enduser cares about.
--- We need more Ron Paul!
Further, there are several games that ship with Microsoft DirectX. That modifies your operating system. The program's package can't be labelled without the (wrench icon), unless it comes with installation instructions about how and where to download the required ActiveX features.
In other words, sometimes the labelling will simply get in the way of the whole truth.
Kinetic stupidity has a new brand leader: Allen Zadr.
You're talking about viruses, and of course anyone who wants to break the law can do so. Right now though, there is a large class of software created by companies that say what they are doing is perfectly legal. They claim that by having a user click OK on a dialog box they can do pretty much anything they want on that user's PC. And they are doing this brazenly, out in the open, and in the clear view of the governing agencies. LOP.COM is one of the most-despised pieces of spyware around and still the guy from C2/LOP has the ballz to file a comment for the upcoming FTC spyware conference saying LOP is the future of Internet advertising!
Most spyware/adware makers feel the same way; they don't have to hide because they are not breaking any laws. And if you download the software directly from their web sites you will be presented with various screens and buttons you have to click to agree. However, the details of what you are agreeing to are anything but clear. The Claria license is 20 pages, for example, and to paraphrase: "Once you click YES we can automatically download and install new software, even new versions of other vendors' software like Media Player or Flash if we need it to display ads. We can even send back a list of all the software installed on your system."
Should it be legal to bury that in a 20-page document and then say that clicking YES on a dialog box is legally binding?
Aside from the pop-ups one (which may be difficult to "gauge"), all of these features could be good or bad depending on the circumstances. The logic being, IF it has a lot of icons, AND you trust the company, then it's still safe to buy.
OTH, if it has a lot of icons and you DON'T trust the company, it's probably NOT safe to buy. If it has one or no icons and you don't trust the company (or you do), it probably can't hurt.
Example:
Auto-Update, Uninstallable, and Modify system for a service pack from MS is no worse than Modify System + Popups from a "Free Web Accelerator" from some random website.
I can see them sticking those icons right next to the "recommended system requirements". It'd start looking like a Nutrition Facts label. They just need one for "Requires Administrative Privilege", and maybe they should add one that says "Directly Controls Hardware" too.
And I think the telephone calls one and pop-up ones are too specific. The telephone call one should be more like "can incur incremental cost automatically" (so it'd apply to MMORPGs or Click n' Run as well) and the pop-up one should simply be "Adware".
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
Like many people, Garfinkel is proposing a legislative solution to something that'd be better handled technically.
.Net also makes overtures in this direction. It will be a challenge for OS vendors to allow users to have this amount of control, without overwhelming them with so many choices they'll give up and just give full permissions to everything (in the pattern of "I always run as administrator, because it's the only way to get stuff done"). But those challenges can be surmounted with skilled interface design.
(Legislative solutions are suboptimal/dangerous for many reasons. They are over-broad, in that they apply even to consenting adults who wish to engage in the behavior without meddlesome government oversight; cf prostitution. And they're too-narrow, in that they can by necessity only apply within the country's legal jurisdiction, whereas software distribution is an international operation)
Turn now to the second page of the Pure Software proposal. The list of potential warning-labels it suggests is: Hook, Dial, Modify, Monitor, Popup, Remote Control, Self-Updates, and Stuck.
All of those things are basically technical features which a well-designed operating system could prohibit programs from using, without permission. The root of the problem is that even after 30+ years of software publication, most programs are still just completely arbitrary lists of instructions: once they're executing, they do whatever they do, and nothing can stop them.
The big exception there is that most OSes, at least, restrict programs on a per-user basis. A program cannot read or edit files to which the executing user has no permission. That's an important step, but one that Unix has had firmly in place since the 80s. As time passes, we need to go further: program privileges should be restricted not just at the per-user level, but also at finer granularity.
When I download and install a program, I don't want just the option of "run it or don't". I should be able to run it, but without it being able to read any files except those it came with. Or being allowed to read files, but only if I pick them from a system-supplied dialog box. Or read any files, but not write to them, except in a directory I've chosen (and that it can't override). Or write files, but only in specific approved formats (such as those which can't possibly contain executable code). Similar kinds of restrictions suggest themselves for GUI and network areas (including the important points of "phone home" and "data tainting")
To a small extent, Java frameworks (like "Web Start") have attempted to do this, with a list of features the user can individually permit a program to execute. Microsoft
The best way to prevent software from doing something is to use software that prevents it from doing it. (As Lawrence Lessig said, the best and most effective laws for code are more code)
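The per-program file restrictions sketched in the comment above (read only the files it shipped with, write only in a user-chosen directory it cannot override, write only approved formats) and the earlier wish list item about logging installed files and flagging writes outside the specified directories can both be expressed as one policy check. The following is an added example, written for this page and not code from the commenters or from any OS vendor; the `FilePolicy` class, the `audit_install` helper and the `/opt/app` and `/opt/app-output` paths are all constructed for illustration. It shows the two checks a practitioner gets wrong most often when enforcing a directory restriction: collapsing `..` and symlinks before comparing, and using a path-component comparison rather than a string prefix (so `/opt/application` is not "under" `/opt/app`).

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class FilePolicy:
    """Per-program filesystem policy (illustrative, not a real OS API).

    read_roots:     directories the program may read, e.g. the files it came with
    write_roots:    directories the user chose for the program's output
    write_suffixes: output formats permitted (None means any format)
    log:            every decision, for a "record log of installed files" audit
    """
    read_roots: List[str]
    write_roots: List[str]
    write_suffixes: Optional[Set[str]] = None
    log: List[Tuple[str, str, bool]] = field(default_factory=list)

    @staticmethod
    def _canon(path: str) -> str:
        # realpath collapses "." and ".." and resolves symlinks that exist on disk,
        # so "/opt/app-output/../../etc/passwd" is compared as "/etc/passwd".
        return os.path.realpath(os.path.abspath(path))

    @classmethod
    def _under(cls, path: str, root: str) -> bool:
        root = cls._canon(root)
        try:
            # commonpath compares whole components; a naive startswith() would
            # wrongly accept "/opt/application/x" as inside "/opt/app".
            return os.path.commonpath([root, path]) == root
        except ValueError:
            return False  # e.g. different drive letters on Windows

    def allows(self, op: str, path: str) -> bool:
        """Decide whether `op` ("read" or "write") on `path` is permitted."""
        p = self._canon(path)
        if op == "read":
            # Output directories are readable too, so the program can reopen its own results.
            ok = any(self._under(p, r) for r in self.read_roots + self.write_roots)
        elif op == "write":
            ok = any(self._under(p, r) for r in self.write_roots)
            if ok and self.write_suffixes is not None:
                # "write files, but only in specific approved formats"
                ok = os.path.splitext(p)[1].lower() in self.write_suffixes
        else:
            ok = False  # anything not explicitly modelled is denied
        self.log.append((op, p, ok))
        return ok


def audit_install(policy: FilePolicy, planned_writes: List[str]) -> List[str]:
    """Return the planned install paths that fall outside the policy.

    This is the "prompt for any files being installed in non-specified
    directories" idea from the wish list: the caller would prompt the user
    for each path returned here instead of silently allowing it.
    """
    return [path for path in planned_writes if not policy.allows("write", path)]


if __name__ == "__main__":
    # Constructed sample: a program shipped under /opt/app, allowed to write
    # text and CSV reports into /opt/app-output and nowhere else.
    policy = FilePolicy(read_roots=["/opt/app"],
                        write_roots=["/opt/app-output"],
                        write_suffixes={".txt", ".csv"})
    # Constructed "installer manifest" of files a package wants to drop.
    manifest = [
        "/opt/app-output/report.csv",
        "/opt/app-output/../hook.dll",      # escapes the output directory via ".."
        "/usr/lib/helper.txt",              # outside every allowed root
        "/opt/app-output/updater.exe",      # right place, disallowed format
    ]
    for flagged in audit_install(policy, manifest):
        print("would prompt user for:", flagged)
    for op, path, ok in policy.log:
        print(f"{op:5} {path:40} {'allowed' if ok else 'DENIED'}")
```

Two caveats a practitioner should keep in mind. `os.path.realpath` only resolves symlinks that already exist, so this check must be re-run at the moment a file is actually opened, or the program could create a symlink inside its output directory after the check and write through it (a classic check-then-use race). That is also why the comment is right that the real enforcement point is the operating system's sandboxing layer rather than a library the program itself links against.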
But you're kidding yourself if you don't think the main reason there's more malware for Windows/IE than anything else is because of their popularity.
To agree with you, I'd have to accept that popularity, and not design, is what creates security flaws. No, sorry, I'm not buying it. Netscape, with its 6 major vulnerabilities that have long since been patched, I can sit here and surf all day without picking up any malware. Windows is the problem, and IE is the enabler, if you will. I'm going to be switching our network workstations over to Netscape, and EULA-be-damned, I'm going to find a way to cripple IE.
Fred
"A fool and his freedom are soon parted"
-RMS
"If you don't know what you're buying...don't buy it."
So, you believe you shouldn't buy something if you don't know what it does, but are against a requirement that forces the maker to explain what it does?
Only on
Let's say Netscape was THE browser to have. Do you think anyone would be bothering to write IE exploits?
Your argument is based on the premise that IE and Netscape are the same in terms of design. Netscape/Mozilla can't be "hijacked" in the same manner because it doesn't use Windows' registry classes to determine what to do with a downloaded file, and it isn't integrated with the Explorer shell. A Netscape browser window instance can't be silently started (without a "head"), and a new filetype can't be opened without the user knowing, or taking action. Likewise, Sun Java and Javascript are limited to things done inside the browser; they don't have access to the rest of the operating system.
But disabling IE is not the answer. I predict within a few weeks of you doing this you are undoing it for some higher ranking manager. Then his buddy will find out, and so on. Soon you are supporting not 1 browser but 2. HAVE FUN with your crippling!
Obviously, I can't completely remove it, that would break Windows. I want to use it as a tool for running Windows Update, but I will have to make exceptions for certain trusted sites. It won't be my undoing because my superiors are well aware of the problems that malware causes, and would be happier without pop-ups and system instability. I'm not doing this in secret. I've explained to them the reasons, the effects, and the exceptions where some may have to use IE.
Make the people who are making your job miserable RESPONSIBLE for their actions.
I can't go Stalin on my network users. Where there are standard configurations, we use DeepFreeze to restore the computers to the original configuration. Unfortunately, we can't use this everywhere, because it is too inflexible for the users with non-standard configurations.
Fred
"A fool and his freedom are soon parted"
-RMS