The Spyware Inferno

An anonymous reader writes "Ever thought there should be a scale for quantifying the evil Spyware does? In an editorial article at news.com.com, a Silicon Valley Venture Capitalist uses the levels of hell in Dante's Inferno to do just that. The article also goes into depth on how vendors, and Claria in particular, make money - of particular interest, 31% of Claria's revenue came through Overture. This may explain why Yahoo took so long to list Claria as Adware in its anti-spyware toolbar."

Where do you draw the line?

[VAXGeek]

What's the difference between advertising supported software which gathers marketing demographics and spyware?

Sweet sweet kickbacks to Yahoo, that's what.

Re:Where do you draw the line?

[NoMercy]

Disclosure is one point, the other is advert supported programs have nice little boxes and parts of the GUI they fill with an advert.

Spyware tends to work out what your doing tells it's servers that and then optionally feeds you with replacement adverts or popups, so youre looking at a shop which sells trading cards and an advert pops up for another store which claims lower prices say.

But then more and more advert supported software is going back to plain old demo/shareware/timebomb arangements (case in point getright).

Re:Where do you draw the line?

[saintp]

When was the last time you read an EULA in full? What about your grandma? Name the last EULA she read in full.

Disclosure really doesn't matter when "NiftyFreeWebApp" buries the fact that it requires the sacrifice of your firstborn on page 972 of a EULA written in obfuscated legalese.

Re:Where do you draw the line?

[saintp]

I'm aware of this. I use Opera (and love it!), used NetZero for the brief time that it was free, and other ad-supported software. Most of those practice true disclosure: You're getting a service in exchange for your eyes. And I'm fine with that.

But if someone is hawking something like EUniverse or Claria, then they're not going to be upfront and forthcoming about it, because their service isn't valuable enough. Opera is (or was; Firefox is gaining ground) a nice enough browser that I'm willing to put up with some ads, so I accept the EULA precisely because they're upfront about being ad-supported.

In contrast, no one would ever install a 404-redirect program if they knew what it would do up front. Instead, somewhere in the EULA is a paragraph explaining in euphemism a mile deep that the app hijacks your browser.

I'm not anti-ad-supported software; I think it allows some outstanding software to get into the world for free. (Obviously I'd prefer they GPL'd Opera, but I'll take what I can get.) I'm saying that forcing disclosure is basically masturbatory.

Re:Where do you draw the line?

[BobTheLawyer]

Do you read other contracts you sign, when you sign up for a credit card or buy a plane ticket? Most people don't. This doesn't prevent those contracts being generally enforceable.

An EULA is no different.

Whether unreasonable stuff in an EULA is enforceable is a different question. Here in the UK, our various national and EU consumer protection laws mean it's probably not. I've no idea what the answer is in the US, but it probably varies State to State.

Re:Where do you draw the line?

[antic]

I generally do read terms, contracts, etc. I read the T&C when buying a Dell laptop and then made them take it back when there was a single dead pixel. The T&C didn't say that 4 or so stuck pixels were required for a display to be considered faulty (as their support were claiming), so I was able to argue that it was not good enough.

Know the Terms/Contracts you've signed and be persistent -- do both of these things and you're one step closer to not being totally screwed by every service you use or product you buy.

Re:Where do you draw the line?

[pslam]

Do you read other contracts you sign, when you sign up for a credit card or buy a plane ticket? Most people don't. This doesn't prevent those contracts being generally enforceable.

An EULA is no different.

Actually, when I "agree" to an EULA, I don't expect to have someone knocking on my door in a few days time to repossess my house. I don't expect that to be followed by woman with very large hands coming through the door saying I married her by clicking on that button.

There's an expectation that people have when they sign a contract. If I'm signing a credit card or mortgage agreement, I expect lots of scary stuff to appear in the fine print. If I'm agreeing to a software license, I do NOT expect that it says "by the way we are going to spy on your every mouse click from now on" somewhere in point 23 of 54. That's underhanded and I would love think that it's somewhat illegal (fraud?), and void because it's not made in good faith. Of course it's not as simple as that otherwise they'd all be in jail by now. I can only dream.

You only have to look at the average amount of spyware installed on a computer (most people have 5+) to realise just how many people don't know what they're signing up for. Caveat empor? No, I think that idea should have died out with the Romans. It's an excuse for otherwise evil acts.

Re:Where do you draw the line?

[AstroDrabb]

An EULA is different. Most software EULA are _only_ readable after you purchase the software. That would be like me selling you a house and getting payment and then showing you the terms that I wasn't _really_ selling it to you, just leasing it and I can take it away at any time. Now, if I did something like that, a judge would throw it out without question. However, would a judge be just as willing to throw out an EULA? I would hope so, but you never know with the US justice system.

I cannot see a judge holding up an EULA that you only got to read _after_ the purchase. I don't think any of those EULA would be enforceable.

Cliche

[dmayle]

It's like the old detective cliche, follow the money. The problem with both spyware/adware, and spam, is that they're profitable. Beating this stuff with technological measures alone is never going to be easy. If we really want something done, we've got to find ways to make sure these people and/or companies can't make money doing it...

Re:Cliche

[ciurana]

Way to go, dmayle.

The URI in your .sig leads us to what at first sight seems to be a iPod pyramid scam. I find myself hard pressed to take your comments on the current topic seriously.

Cheers,

E

Re:Cliche

[gl4ss]

*The problem with both spyware/adware, and spam, is that they're profitable*

well, actually, they don't even need to be profitable. it just needs to APPEAR profitable for some people to try it, which will fuel other people into trying it because 'it must work since someone is doing it'.

true, mega corps like claria are on a bit different level but anyways..

Re:Cliche

[multimed]

This is the point I've been trying to make for awhile. Everyone always thinks it's all about the fact that spam is so cheap that it only takes a few clicks thru or purchases out of millions for them to be profitable. If this were really the case, spam would probably be about gone already because between filters at the ISP and user level and the fact the in my life, I know exactly zero people who have bought something from spam. It's not about response rate--spammers get paid to send the spam and manage to convince greedy people that if only 1% of a million buy it they'll be rich. They also get paid by selling their lists of email addresses. Think about it--if you send out a million spams, you'll get X% back as undeliverable and can update you database. In this manner they can charge a "business" to send out their "targetted marketing message" and throw in a few thousand randomly generated addresses. The undeliverables get pulled, lather rince repeat. Turn around & sell the database. And when times are slow, just send a blank message or gibberish or whatever to keep testing for new addresses. This is why you get spam with no message sometimes.

Re:Cliche

Erm.. what do you think a pyramid scheme is?

Re:Remember Kids...

[sik0fewl]

.. is apparently a good way to make cash.

I think people should be forced to take classes or seminars before using the Internet, teaching them how *not* to be fooled to install adware and spyware. They should also be told not to use Internet Explorer.

Of course, with this seminar, everyone would get a free software CD with Claria included.

It's not just the shady companies

[gbulmash]

Besides spyware, what annoys me is "user agents". Quicktime, RealPlayer, and Winamp all have little TSR's that load at start-up and eat megabytes of memory for "quality assurance" and "ease of use" purposes. I don't know how many times I've tried to disable qttask.exe or realsched.exe in my start up only to have it come back unexpectedly. Winamp's is easy to disable at setup, but Quicktime and Real require you to dig.

I don't say they're delivering ads or sending back personally identifiable info to their manufacturers, but they are using my resources without giving me what I consider to be any perceptible advantage.

If we're going to legislate spyware, these user agents need to be considered and the law needs to require Apple and Real to provide better notice of them and make them easier to shut down permanently.

- Greg

Re:It's not just the shady companies

[throughthewire]

...TSRs only leave a piece of themselves in memory...

Aaaand as you probably know, TSRs are real-mode DOS giblets that wouldn't run under NT and NT-derived Windows in any case.

Thus the amusement. But we knew what he meant, no need to beat him up, eh?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Sorry for repeating the blindingly obvious, but

[Rosco+P.+Coltrane]

what spywares? what spyware removal software? what worms? what "20 minutes is the average amount of time for your computer to get infected to death"?

I use Linux exclusively and I can relate less and less with what Slashdot talks about these days. Which is ironic if you think about it...

Makes Open Source More Attractive

[TT+Baker]

Of course, this implanting of spyware only works if you give away binary versions of your product. Open source that you compile yourself would not last long in the community if it tried to imbed spyware code. Never trust a free executable. That has been true since I got my first Amiga virus from "cracked" copy protected code, and it is true now.

Re:Makes Open Source More Attractive

[stratjakt]

And these windows users downloaded the source for 7-zip and firefox and compiled them themselves?

If they didn't, what makes these precompiled exe's any more trustworthy than the originals?

Anonymous OSS coders are more trustworthy than WinZip Computing or Microsoft?

Why is firefox.exe any "safer" than iexplore.exe from a "someone might have compiled in some bad shit" point of view?

Frankly, common sense would have me lean the other way. At least if WinZip or MSFT compiled in malware, I'd have someone to hold accountable (by which I mean sue/boycott/call and hangup on).

Re:Makes Open Source More Attractive

[romper]

Fair point, but if an OSS application with a large user base had spyware/malware in it, we'd hear about it on Slasdot and the project would fork.

I guess I should have said I recommend OSS software that I *trust*. So, yes, we're offtopic -- but it's a nice idea. :)

Quicktime is spyware!

How many fucking times are you going to put qttask.exe into my startup after I delete it. Heck, just visiting some sites and you end up with a qttask in your startup without anyone asking for your permission.

Separating Linux users from Windows users

[Thagg]

HTML doesn't have a 'rant' tag, but consider the following as such.

I personally cannot imagine having spyware on my machine, and I similarly cannot imagine any Linux user tolerating it. Most Linux users chose it, in large part, because of the control it gives you over everything that your computer does. Having your computer hijacked by advertisers is antithetical to that concept.

But I watch Windows users tolerate truly mindboggling amounts of adware/spamware/malware. The typical windows users tolerate 100 times what I would consider completely unacceptable.

I know it's elitist to say this, but what happens is that Windows users will make the tradeoff of malware to allow them to steal music and other content. They don't protest, because deep down they know what they're doing is wrong.

Linux users, typically, have no such guilt and therefore don't tolerate that kind of intrusion onto their computer.

Thad

Re:Separating Linux users from Windows users

[Evangelion]

I know it's elitist to say this, but what happens is that Windows users will make the tradeoff of malware to allow them to steal music and other content. They don't protest, because deep down they know what they're doing is wrong.

Not really.

Being both a Linux user and a Windows user, I don't tolerate any kind of adware or spyware either.

The typical windows user:

* Does not understand that AdWare/Spyware/Malware is acutally on thier computer
* Does not understand how AdWare/Spyware/Malware gets on thier computer in the first place.
* When they realize it's on thier computer, they will often belive it's nessecary for software to function. (I tried cleaning up my sister-in-laws Win98 PC, and she immediately blamed me for screwing it up the first time something didn't work the same way -- that's the only real anecdote I have, as I stay the bloody hell away from that kind of job).
* Assuming they realize that it's on thier computer, and they realize they don't have to live with it, then they can get rid of it. Once. But being able to get rid of it by getting a friend to install AdAware and Spybot S&D in no way affects thier ability to detect it on thier computer, or realize that something might be installing it.

Comparing Windows to Linux in this regard is just ignorant. There are is basically no Malware/Spyware programs on linux (I know there's some Adware out there, but I can't imagine it being terribly successful). And Linux users as a whole are self-selecting in this regard, and are used to having to live without software that they'd like to use.

That, and there are several pieces of very popular Adware (MSN Messenger for example) that are sufficiently useful to outweigh the cons of it being Adware.

So, really, the windows users who put up with this garbage simply because they don't know any better and trust the companies when they claim this garbage is nessecary, or that they choose to put up with the Adware to use a program that they want to use.

I also find it ironic that you're saying piracy is a tradeoff for running adware, when any person who is going to pirate things won't think anything of cracking adware to get rid of ads...

BTW, if you think Linux users don't pirate media, you're on fucking crack :)

Re:Separating Linux users from Windows users

[Kphrak]

I can't believe something a post as stupid as the parent's gets modded up, even for a few minutes.

Windows users don't allow spamware because they're guilty about piracy. Most of the users I've seen with large amounts of spyware wouldn't even download a free MP3; the only thing they download is their email or the latest forum page refresh, off AOL. They get spyware because of cluelessness about computers, not guilt.

The 15-year-olds who install spyware-filled filesharing programs don't feel guilty either; they use them for the same reason they use Internet Explorer. They don't know any better program, and their friends all use the same thing.

On the other hand, the savvy Linux copyright violator (not thief; copyright violation is not theft according to the law) will just use Mutella to share his MP3s, which has no weird restrictions and runs on the command line if so desired.

Re:Easy trick

[djdavetrouble]

he said
Go start>run>msconfig.exe, then to the startup tab - you can disable anything you want that is set to start up automatically.

EXCEPT most spyware and malware

It is a good reason...

[hsoft]

It is a good reason not to advertise with Overture... Advertising with them is a good way to make yourself a bad name.

PDF document listing the 9 circles of spyware hell

[5amTheButcher]

Here's the link - now, what in that made it necessary to be distributed as a PDF, and not as an HTML/XML document? The proliferation of PDFs for information that can be displayed consistantly in other, more compact and less processor hungry formats, is frankly disturbing.

Need to have a seventh level

For things that are "more evil than evil" like Xupiter. Xupiter was MUCH MUCH worse than anything that Gator has ever done...

Spybot S+D has REALTIME protection

[gelfling]

So use it and it will block nearly everything it is capable of identifying. Keep the sig file up to date and run it off the scheduler every once in a while. Blow your Browser cache away once a week. In fact blow away ALL the cookies on a regular interval.

You will have essentially no spyware.

You must fight evil with another kind of evil*

[idontgno]

Imagine you own a peer-to-peer file-sharing application (for example, Kazaa) that is being used for copyright infringement en masse. People will do almost anything to get it, short of paying for it directly. So you get an adware distributor (say Claria, formerly Gator) to pay per installation of your application if you will bundle its adware.

Given that:

• (MP|RI)AA hates P2P softare;
• Claria is subsidizing the installation of P2P software;
• Claria is profiting from the use of P2P software;
• (MP|RI)AA habitually sues those responsible for the availability or use of P2P software:

Obiously, (MP|RI)AA should be suing Claria. Hard.

*The Chronicles of Riddick

Re:No...

[NighthawkFoo]

As depair.com says,

"If you're not a part of the solution, there's good money to be made by prolonging the problem."

AOL stunned me too

[Lispy]

when I read the button on their homepage:
"You may already have a version of AOL installed on your computer! If you'd like to check us to check for you please click here..."

This is really sad. AOL has penetrated the whole planet with CDs for so many years that they can simply assume that there might already be some version of their adware-dialup-crap on any given machine. They admit with this button that they are well aware that most users are totally clueless of what software they are running on their computers. "Save me, AOL!"

Re:Remember Kids...

[ratamacue]

I think people should be forced to take classes

Sure, we'll hold them at gunpoint and educate the bastards! (What exactly do you think the word "force" means?)

And we'll make the taxpayers fund it all, whether they like it or not! ("Force" implies government, and we all know how government gets its revenue.)

But hell, if you're in power, what do you have to lose?

Don't touch that Gator! - Claria's going *public*

[AndroidCat]

Adware anxiety gives Claria cold feet The decision by adware leader Claria to postpone its initial public offering comes as the fast-growing business of advertising-supported software is increasingly coming under pressure.

For years, millions of people have acquired adware as the price of using free applications such as file-trading software from the likes of Kazaa. The adware, designed to track Web-surfing behavior and deliver targeted ads such as pop-ups, has become profitable enough to draw investors' interest. (snip)

Poor babies. I hope their public offering is a burnt one.

Rise of Black Marketing

[einhverfr]

One of the trends I pointed out to the article (yes, I rtfa'd a while ago) is that spyware and adware models are endgangered by another trend-- the rise of what I call "black marketing" or marketing products via international cybercryme syndicates. We already have viruses which help to relay spam, and some of these (particularly online gambling and pornography) may have ties to organized crime. Remember that there *is* a connection between human trafficking and pornography but not all pornography is bad in this way. I do however suspect a connection in the rise of porn spam and organized crime.

We are also seeing a rise in the connection of spyware and adware to these gray markets. Some sites clearly cross the line and install horrible adware on one's system by exploiting security holes in Internet Explorer.

If I was releasing shareware, I would be going as fast as I could away from these techniques which are being adopted in far more visible ways by these syndicates. So it is no wonder that spyware and adware is starting to collapse as a legitimate market. But passing laws will probably further drive the market towards illegal activies.

Copyright => Spyware

[Philip+Dorrell]

The copyright system says that the only way you can expect to receive substantial revenue from your efforts to create useful content is to prevent free access to your content. If you provide your content in the most useful form, to the largest number of people who might find it useful, your income is guaranteed to be arbitrarily close to $0.

Spyware/adware is a natural response to this problem. Closed source is less useful than open source to users of software, but the intellectual property regime says it is a better business model, precisely because customers don't know what is in the software. Spyware just takes this principle to its logical conclusion: if it is good for the customer not to know what is in their software, let's exploit this ignorance to the maximum extent possible.

This will gradually kill the market for individual developers of mass-market software. Previously you had to convince your customers that it is worth the effort to download and try out your software, and then you had to convince them to pay you for it if they liked it, even though it is dead easy for them to not pay you and to keep on using the software anyway. Now you also have the hopeless task of convincing your customers that someone they have never heard of is not a spyware author.

Re:Remember Kids...

[0racle]

And while their at it they can sue Clarica, because obviously everything that starts 'Clari' must belong to Apple since they have a piece of software called claris. In fact, why don't we just give Apple ownership of the letters c,l,a,r,i, and s so they can sue everyone who uses them.

How in gods name was the parent modded interesting when its perfectly obvious why Apple doesn't sue, there's nothing to sue over.

Are you all insane?

[Slur]

I can't believe how nearly everyone in this topic seems to accept spyware and adware as a fact of life, and that you accept the necessity of buying programs to detect and remove this stuff.

Have you all been completely brainwashed by Microsoft? The existence of spyware is Microsoft's fault, and all the time you waste over this crap is owed to you by Microsoft.

First of all, it should not be possible for software to get surreptitiously installed on your computer without your being aware of it. To the degree that this is possible it is the fault of the OS developer.

I just don't get it. If adware and spyware started showing up on Mac OS X you can bet Apple would institute sweeping changes to prevent it from happening.

Frankly I don't know why there isn't a huge class-action suit against Microsoft for encouraging spyware and adware development. And how much crossover is there between spyware and adware developers and the developers of detection/removal software.

Seriously, someone explain why you put up with it?

Trust

[MightyYar]

What kind of world do we live in where we can't even trust a giant faceless corporation?