The Average PC is Infested with Spyware
WoodenRobot writes "This article claims that Earthlink have discovered that the average user's PC has 28 spyware programs on it. More details can be found on Earthlink's spyware auditing page." Compare to a university study. The FTC is hosting a Spyware Workshop.
While most spyware is adware-related and relatively benign, it's disturbing that over 300,000 of the more serious system monitors and Trojans were uncovered
I don't think most adware is benign since it eats into available RAM. Some adware also affects application performance, or, worse yet, prevents applications from running. Anyway, I am, again, preaching to the choir.....
Happy Trails!
Erick
http://www.busyweather.com/
The average computer or 1 in 20?
Does this include cookies? When I run Ad-aware, it usually finds several "tracking" cookies. Maybe this is artificially inflating the number.
Ask anybody who services PCs...there's not a machine around that isn't riddled with the stuff, but making a headline out of it is like shrieking about the existence of viruses.
No matter how hard you lock a PC down, a sufficiently determined and stupid user will figure out a way to install that really cool "desktop enhancer" he heard about from a friend.
Ditch IE for Firefox. I just did 2 clients' computers today (running slow, yadayada) and guess what? One had 18 spyware trojans installed, the other had 64 (as well as a couple of viruses). Firefox (any Gecko-based browser) is not vulnerable to the crap that IE is. I always tell my clients to not use IE anymore. When they listen, they always have a better overall experience.
bash: rtfm: command not found
I'm not sure if you're serious, but you are claiming that Earthlink's spyware removal tool includes spyware? I find this quite hard to believe, if only because that's not their business model, and for a major ISP, customer trust is worth more than spyware revenues. Care to provide links to back up this accusation?
Note that of those 30 pieces of spyware per PC, 24 of them are labeled as "cookies."
That's not "slightly" misleading, that is *extremely* misleading. The BBC article makes no mention of "cookie". They do say "average of 28 spyware programs", but isn't a Cookie generally more benign than a "program"? A program is usually active; a cookie sits there.
By the way, the BBC sets a Cookie on your system. Perhaps we should sue?
"Can of worms? The can is open... the worms are everywhere."
Almost right, but better phrasing would be 'the average computer user is ignorant'. They're not stupid, they just don't know how it works.
This is, in my mind, actually worse - you can't help being dumb but you can help not knowing what the hell you're doing. If I bought a car I would make a point of knowing roughly how it worked, how I should maintain it and how to fix basic faults when it goes wrong. I am not a mechanic but it seems to me common sense to understand how something I use often works. I would think that non-techies would have this attitude about computers (which they don't necessarily care about but need every day) just as I have the attitude about cars (which I don't really care about but would use daily).
Yeah, that's one of the most annoying things. Your friend calls you up to help with their slow computer. Turns out they've got a million and one things running in the system tray, and a million more processes they don't need. So you clean it up. It works like it should afterwards.
A few days later, something goes wrong, and all they say is "well, it didn't do this before you touched it!" To which I usually reply: "Okay, I almost never have problems with my computers, and your computer worked well after I touched it, did it not? And who used the computer after I touched it? Oh, you did? Okay then."
Fortunately, that scenario doesn't really happen anymore, if ever. And from the get go, one of my friends realised he's the one screwing everything up. Now he buys me beer to fix up his computer, so I'm happy.
WWJD.... for a Klondike bar?
But don't programs like SpyBot S&D install "fake" cookies and such, and then lock them down to prevent the real cookies from being installed?
If that's the case, how many of these cookies (or actual programs) are variations on that theme? Would Earthlink's audit utility see a Spybot S&D cookie and count it as spyware, when it's really not?
If that's the case, then if you've Immunized your computer with S&D, you have every known spyware cookie on your computer according to the audit. This would inflate those numbers dramatically.
Isn't this illegal on several levels? How are these companies not being sued left and right? I can't believe this has become an acceptable standard.
Why isn't there a list of the ones found most often to least often? Isn't that the kind of info that could bring these things to light? Simply mentioning that X number of people died doesn't tell anyone how to avoid death...
Technically, Linux is not less susceptible, but culturally it is. The Windows culture that it established for itself is one of "Don't look under the hood, we'll take care of the details". While the Linux culture is to always look under the hood at the details, or at least make sure that someone else is taking care of that.
In addition, with Linux, you can have distributions aimed at neophytes which prevent this sort of thing, and then other distributions for experienced users who just want to be uber-productive.
Engineering and the Ultimate
Better still to say "the average Slashdot editor is an idiot". If you had seen the Arstechnica coverage this would be apparent - what we're looking at here is a tabloid-style headline as a cheesy attention-getter. I see the same mind-numbing stupidity whenever I check hotmail!
The "Spyware" reported consists of cookies. Not trojans, backdoors, browser redirectors etc - cookies. Cookies can track you but they don't exercise code, and the ones that this software reports are not even fully researched. They're "potential" spyware - which is the same as finding a kid with three marijuana seedlings and charging him with possession of "potential" street value of $3 million.
Why would Earthlink do that? The Arstechnica article suggests it is because Earthlink advertise their Spyware-blocking service right next to the page that shows you the incredible amounts of spyware found on your system! Hmmm....
I don't know why I bother with slashdot. It must be a reflex built into my fingers or something but it certainly has turned to shit.
Now mod me down, editors. Show us how you censor those who disagree.
Most people don't think they have the time to become less ignorant, this stuff looks (and is) very complicated, and they don't know how they'd even go about it. It's really easy to overlook just how much more you know than the average person does, and it's easy to forget how much time it took you to accumulate this knowledge.
if you want "No More Hiroshimas" then I say "You First. No More Pearl Harbors."
Another similar program is StartupCPL. Small (it's only an 80k binary), simple, works with pretty much every version of Windows out there (95, NT, 98, 98SE, 2000, ME, XP), free-as-in-beer (though go ahead and send the author a couple bucks).
It doesn't handle services, but it covers most everything else, except maybe autoexec.bat. And it's a lot faster than digging through the registry.
Thank god my parents have a Mac. I'm reading these horror stories and I am cringing thinking if I had to support a PC for the P's... I do support one for a friend, and my god what a clusterf**k. They're going to Mozilla for good.
I would mod you down if I had the points, not because you disagree, but because you are a dick about it. If the information is wrong, you should be pointing the finger at BBC news, which the headline here is entirely consistent with. Yes, the Arstechnica article has a good point that the article is perhaps wrong, but that is hardly the fault of the slashdot editor. A nice "well, arstechnica has evidence that casts doubt on the validity of this article" would have served the purpose just as well, and you would not have looked like an ass doing it. And posting a link would have been nice too like Link would have been nice too.
Based on the repair costs I've seen people pay for both computers and cars, I'd guess a lot of consumers don't have that basic understanding. I hate to argue this for Microsoft, but I think that if they can improve their "firewall" to the feature set of ZoneAlarm, you could reduce the amount of spyware on people's computers. They would have a reason to do this too. The type of consumer that doesn't regularly run firewall/antispyware tools won't know what is causing the massive bottlenecks on their PCs. This only gives the Windows OS a bad name. I'd be all for some kind of default toolset that would provide a basic firewall and spyware removal tool for the "ignorant." I know for me, it would greatly reduce the hours I sit at friends' and family's computers removing the crap.
Tech News, Reviews and Tutorials
And the same thing would probably be true if people took the same attitude toward keeping their computer running that they do toward keeping their car running. People accept that cars are complicated and require routine service. They understand that if they're not competent to do the service themselves that it makes sense to pay a professional to do it for them. They're willing to plunk down some serious coin to get the thing fixed if/when it breaks.
The problem is that many, if not most, people don't take the same attitude toward computers. They're encouraged to believe that computers are so easy to use that anyone can use and maintain one with little or no training. When problems do come up, they tend to try to solve them by asking a friend who is supposed to know this stuff what to do rather than spending money on a professional. Combine that attitude with deliberate attacks against computers by things like worms and spyware, and it should be no surprise that the average car is much better maintained than the average computer.
There's no point in questioning authority if you aren't going to listen to the answers.
> Now mod me down, editors. Show us how you censor those who disagree.
Nice; preemptively insulting anyone who disagrees with you. Good move for a politician, interested in "winning" at the expense of sense.
The only reason I know how to care for my car is because it cost $15,000. The car I drove in college was a 15 year old POS I got for a couple hundred bucks so I could get groceries once a week, and I never changed the oil once. I drove on bald, half flat tires for a long time (I never went on the freeway, or over 45, so I didn't really care), and I let the radiator fluid (tap water) get really low on several occasions because of a slow leak.
I didn't care. That car did what I needed it to do for as long as I needed to do it before I could afford a better one. In other words, it was exactly like a computer to most people.
It's nothing but crumpled porno and Ayn Rand.
I think you misinterpreted him. He said Earthlink's software includes spyware. I think that he is referring to the Earthlink software that a user would install to connect to the Internet, not the Earthlink software that is supposed to remove spyware.
His comments do not surprise me one bit. Everything seems to come with spyware now, even divx.
I know how to drive my car, but I don't have a clue how to maintain it. We have people called mechanics who do that. A car can still be run safely as long as you bring it to someone every few months to be checked.
There are two things about computers, however, that really make this metaphor break down.
If I had to understand how a car worked, I'm sure I could. A car is orders of magnitude simpler than a computer. In fact, I'll bet Internet Explorer alone has more complexity than the average car, and there are thousands of subsystems within Windows, many of comparable complexity, and most hidden and completely unknown by most users or even programmers.
I don't think it's possible at this point for anyone to have a complete idea of how Windows works as a whole. You don't know the whole API; you know the API calls you need. Even as a programmer, it's quite unlikely that you have the big picture of how everything fits together.
But really, you shouldn't have to. I have no clue how my electric drill works; I just switch it on and it does its job. I think most people feel computers should work in the same way - and quite honestly I think they're right.
D
> Now mod me down, editors. Show us how you censor those who disagree.
/. editors, or mods (not usu. the same thing, btw)?
He has a point about the cookies. WTF does that have to do with
That's why we can discuss the articles - because every issue is more complicated than it seems in the headline. Ever notice those "RTFA" comments? That's because the comments are often more informative (and interesting) than the story itself.
Great, chip in and share when you can. But don't expect the editors to only post stories that are perfectly balanced and fact-checked... there'd be nothing to talk about.
Besides, mod-baiting is a cheap and transparent trick. "Oh, he dared me to mod him down... now I have to mod him UP or I'm a tool!". Ugh. If I had mod points today I'd mod you troll.
I'm certain that Linux isn't 100% safe, but I reckon it's a lot safer than Windows for the following reasons.
There are other reasons that will only hold true until Linux becomes more popular. So these are good reasons for now, but won't hold true forever.
Yes, they do. They know that if smoke starts coming out from somewhere else than the exhaust pipe, they'd better stop and get out of the car, fast. They know that if lights start flashing in the dashboard with no apparent reason the car needs to be serviced. They know that they must not pour water into the gasoline tank, and that if the tires are flat they need to be reinflated, and so on. They also know that it's a good idea to lock the doors when you leave the car.
On the other hand, people don't know that you shouldn't open strange e-mail attachments, that you should run a firewall, and that you should install updates at least weekly (which is not difficult - both Linux and Windows come with automatic tools that search, download and install the necessary updates at your command).
So basically, people do know what to expect from a car, and can recognize when something is wrong with it. On the other hand, people do not know what to expect from a computer, and when something is wrong with it (and thus can't have it fixed).
Computers are not like other tools, nor will they ever be. People expect to use them without understanding any of the concepts and theory behind them, and then get angry and frustrated when they can't make the computer understand what they want. It is absurd.
Personally, I think every computer should ship with a 200-page book explaining the basic concepts and theory behind the computers. And I mean basic theory, not "install a new printer this way". All support should be denied before this book has been both read and understood.
Anyone who is incapable of understanding how computers work shouldn't be using them without supervision, for his sake and everyone else's. Harsh, but the only solution short of running a truly sentient AI in every computer.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
IE has vulnerabilities which can cause software to be downloaded WITHOUT a user clicking Yes or OK.
So far I haven't seen anything like that associated with Firefox...
Combine open source (more eyeballs), active development where they "release early, release often" (how long has it been since IE was updated?) and some security by obscurity (I think everyone can agree it helps but shouldn't be used exclusively) and then you have a browser that is MUCH more secure than IE.
So perhaps when Firefox becomes used by a significant number of people then it might become a problem.. for a week until they release a patch.
Plus I thought that XPInstall files were used to only modify the behaviour of mozilla based apps?
groklaw, wired and slashdot. The holy trinity of work based time wasting.
This is one reason why many new cars (and lawn mowers, etc.) come with VHS tapes, but even those are ignored.
The trick is to make everything so simple that performing tasks is easy enough for the uninformed person to figure out quickly. To do that, you have to do lots of role analysis, use cases, and user testing.
Yeah, right.
I use S&D, and it don't tell nobody what I found.. so how come earthlink knows?
the proof is in the subject, THEY KNOW HOW MANY THEY FOUND....
every day http://en.wikipedia.org/wiki/Special:Random
Spyware removal software typically counts the number of files + the number of cookies + the number of registry keys related to spyware it finds. So it's not uncommon to get a report with over 150 items when the user has only installed Gator.
A badly-spyware-ridden machine could have thousands of those items.
Now, if only one computer out of 10 has Gator, you'll still find that on average, each computer has 15 items. Most typically - specially in corporate environments - you'll find a few machines with thousands of spyware items and a lot of computers with no spyware - since employees aren't _all_ fucking around with company time.
So, um, another ignorant Slashdot story. Grr.
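The counting effect described in the comment above, as an added example that is not part of the original thread: it compares a scanner-style item total with the number of installed programs and with the median across machines. The machine names, the artefact kinds and the split of Gator's 150 items into files, registry keys and cookies are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample: (machine, family, artefact_kind). One machine out of
# ten has Gator installed, reported as 150 separate items, as in the comment.
MACHINES = [f"pc{n:02d}" for n in range(1, 11)]
FINDINGS = (
    [("pc01", "Gator", "file")] * 90
    + [("pc01", "Gator", "registry_key")] * 55
    + [("pc01", "Gator", "cookie")] * 5
)


def per_machine(findings, machines):
    """Return {machine: {"items", "cookies", "programs"}}.

    "items" is what a scanner report totals; "programs" counts distinct
    families that left at least one artefact other than a cookie.
    """
    items = defaultdict(int)
    cookies = defaultdict(int)
    installed = defaultdict(set)
    for machine, family, kind in findings:
        items[machine] += 1
        if kind == "cookie":
            cookies[machine] += 1
        else:
            installed[machine].add(family)
    return {
        m: {"items": items[m], "cookies": cookies[m], "programs": len(installed[m])}
        for m in machines
    }


def fleet_stats(summary):
    """Aggregate the per-machine summary the way a headline figure would,
    next to the figures that describe the distribution."""
    item_counts = [s["items"] for s in summary.values()]
    program_counts = [s["programs"] for s in summary.values()]
    return {
        "mean_items": mean(item_counts),
        "median_items": median(item_counts),
        "mean_programs": mean(program_counts),
        "machines_with_programs": sum(1 for p in program_counts if p > 0),
    }


if __name__ == "__main__":
    stats = fleet_stats(per_machine(FINDINGS, MACHINES))
    for name, value in stats.items():
        print(f"{name}: {value}")
```

A machine whose only findings are cookies contributes to `items` but reports `programs` as 0, which is the distinction several comments in the thread draw.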
This is exactly why I can't stand Windows. Every little program has spyware and leaves crap all over your system. It's either that or god-awful adware that makes a desktop look like a carnival. A Linux desktop is quite refreshing to look at.
Time makes more converts than reason
It's a telling Freudian slip that people automatically assume that PC == Windows. When my clueless friends & relatives complain that their "damn computer is broken.. again" what they mean is their "damn Windows OS is broken.. again" OK zealots mod me into the ground now.
Medicine is complicated, but most people know enough that if they have a headache, aspirin will make it go away. They don't need to know exactly what aspirin does at the molecular-biology level.
Almost every complex thing breaks down into simpler parts, or concepts.
This can be applied to cars - you've got a seat, an engine, wheels. The engine is connected to the wheels by something (we could call it the drivetrain if we so wished). The front wheels are connected to the steering wheel, and can turn left and right.
Using just this basic information you can start to diagnose problems - if the engine is going, but the car's not moving, the problem must be either a lack of wheels or something's wrong with the drivetrain. That kind of thing.
Same thing works for computers - except because it's mostly software (where the problems lie) it's a bit harder to grasp. People just need to be told the basic steps computers go through (after all, that's all they do, just step through instructions).
If my mother was to ask me how Internet Explorer works, I wouldn't start by telling her the names of API calls (not that I know them). I would tell her you type in a URL (which includes the name of a server), it asks another computer where that server lives and then goes to that server and asks for a document.
My point is that just because something's complicated isn't an excuse, or an invitation, to be ignorant. Almost everything can be abstracted to high enough a level for anyone to understand, at a basic level.
So I take a look. In my experience, most people have about 3 programs they use most of the time. For most people using Windows, that would be Explorer, Outlook, and then something else, like Word or something. But, and this NEVER EVER fails, they ALWAYS have about 175 programs installed that take up tons of space, many of which have all kinds of daemons that run in the background, causing the hard drive to grind around all the time, causing all kinds of weird and questionable messages and popups to appear, and best of all, make the whole thing run so damn slow that it's a wonder they can get any work done.
Unfortunately, no matter how hard you try to explain it, 99% of the users DON'T understand: Use this computer for its intended purpose, and DON'T download or install all kinds of shit! Don't go to all kinds of web sites that you aren't familiar with! Don't run or open something when you don't know 100% for sure what it is!
But do they listen? NO!!! Of course not!
The solution is to develop a finely grained security model where not only is the user and his files protected, but so are processes, pipes, and just about any other "object", as it were. And these damn things should ship, by default, to do what most users need to do, but under extremely limiting circumstances, so that their computer will refuse even to download some attachment to an email unless some really complicated process is first carried out. Something requiring commands to be entered into a terminal window. Because even if you ask, "Are you ABSOLUTELY POSITIVELY SURE you want to open this attachment, which will MOST LIKELY **D**E**L**E**T**E your files, beginning with those that are most important to you??? Push any key to answer "no" or type, "I, [your name here], do hereby solemnly swear, under penalty of deletion of all of my files, that I am absolutely positively sure that I WANT TO OPEN THIS ATTACHMENT, which will most likely delete my files, beginning with those that are most important to me," you can rest assured that MOST users will simply punch all of that in to answer "yes" and then wonder why in the hell their computer doesn't work properly.
But the best part is when they don't understand that the malfunction is all in software, which should, at that point, be blown off and reinstalled, and instead think that replacing the entire computer will solve their problem. And then they download all of the same **S**H**I**T** into it and end up in the same situation.
I use IE on Windows, more due to apathy than anything else. I have also not had to remove ANY spyware AT ALL from my PC (other than cookies) in the last four years.
The secret to my success is to lock down ActiveX and restrict scripting. Most of these spyware apps do drive-by installations through ActiveX applets, so if ActiveX is disabled then spyware cannot be installed.
I have included many websites in the Restricted zone, where scripting and ActiveX are both disabled. The default setting for new websites is to prompt for ActiveX, and I always say No unless I know in advance what the ActiveX control is.
I have to say No several times a day, but this is no more onerous than closing a popup, and if it annoys me I could always disable ActiveX.
I also scan with Adaware and Spybot Search and Destroy periodically, and I use a popup blocker and Zonealarm. Not much gets through all of that.
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke