Spyware Analysis of P2P Software
rhizome writes "Benjamin Edelman, a PhD candidate in Economics and a Law student at Harvard, has analyzed the hidden (or not) additions to a user's machine when they install some of the major Windows P2P clients. He analyzes the length and readability of their licenses, what is revealed or hidden in the software's installer and includes screenshots for illustration. Clear, concise and eye-opening."
When someone who's both a lawyer and an economist says a license is difficult to interpret, I tend to believe them. Even his assertion that these licenses are obfuscated is, itself, obfuscated.
adam b.
It would be interesting to compare against the popular Open Source ports to see if they're any less invasive by nature.
What about Shareaza?
...that the only P2P client I use didn't even need to be reviewed. :)
(It rhymes with "BitTorrent.")
The coolest voice ever.
I am aware that eMule has no spyware/adware since it's open source. In this case, the issues the author raises do not concern me. Since this discussion is primarily based on Windows, Linux is off-topic, but in that area, we have KMLdonkey and Limewire.
Serves them right for installing that evil bad software that only pirates use..
For the slower moderators out there today, this is referred to as sarcasm.
---- Booth was a patriot ----
all i get is page not found.
And here all this time I was thinking my computer is a piece of shit because it's a pentium II 333MHz PC with 64megs of ram running Windows 98...
but NO...it's the P2P programs!
:::: the insomniac's digest
Just wanted to note that this article is paid for by LimeWire. Obviously because there is no third party apps with limewire and no license whatsoever.
http://www.benedelman.org.nyud.net:8090/spyware/p2p/
So, which client does he recommend people use?
JK. Serves those people right. Keep things legal cheapos!
whats the best p2p program to use? (and is free)
Anyone who is capable of getting themselves made President should on no account be allowed to do the job. - HHGTTG
The relevant parts, for people who can't or don't want to RTFA:
My testing uncovered no bundled software installed without at least some disclosure apparent in a careful and complete reading of all applicable installation license agreements. However, it is possible that programs were installed that I failed to detect, especially if bundled program installations were set to be delayed after installation of the requested P2P software.
Although each P2P installer included at least a vague reference to each program to be installed, certain P2P programs' installation procedures nonetheless present cause for concern. For one, substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.
There is a site called "MuffTorrent."
However, the think that really worries me is the intersection between P2P and black-hat-hacking skills. That's too much power in one place, and we already know that power corrupts. (The only redeeming point is that sometimes the corruption is pretty funny, like the Gannon/Guckert case.)
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
pssh. Spyware? P2P? NEVER!
- User will be required to supply their own vaseline, and will receive neither a kiss nor a call the next morning.
- User agrees to transmit any virus as required by the Program, including, but not limited to, SoBig, MyDoom, Gator, Realplayer, MS Windows, AIDS, and bubonic plague.
- User agrees to call the writer of this program "Big Daddy."
- All your base are belong to us.
- Do not taunt Happy Fun Ball.
- Crow T. Trollbot
LimeWire
Whereas the Kazaa installer showed so many lengthy licenses, LimeWire is notable for not showing or referencing any license agreement at all. See screenshots below, installing LimeWire without any mention of a license.
Since LimeWire contains no apparent bundled software, its on-disk presence might be expected to be smaller than its 61 folders and 864 files (the second-largest and largest additions among the programs I tested, as measured along those metrics; though simultaneously the second-smallest in both registry keys and values). My examination of the specific files and folders created by LimeWire reveals the reason for the many additions: More than half the folders created by LimeWire and more than 65% of files were associated with the Java runtime that LimeWire requires. Users who do not otherwise seek to run Java software may see these files as a burden. However, those who already have Java a runtime may not require any of these files or folders, making LimeWire's on-disk burden for such users among the smallest of tested programs.
My hands-on testing of LimeWire's application yielded only ads promoting the paid version of LimeWire, but no advertising for third-party products.
This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public.
For instance, WinMX doesn't install anything but the p2p program. Where is it on this list?
No such thing as bad PR. If we had such an organization, every little company would want to get on that negative list because it would give them double advertisement. In the end, people will remember the company name - not what they did.
I mod down so you can mod up. You're welcome.
A couple of years back, I serviced a friend's computer which was literally deluged with adware and spyware from KaZaA (KaZaA was at its peak then).
Around 300 files, mostly registry entries, as well as Gator were on his computer; combined it all took up roughly 35% of his RAM to run, and on his 128MB chip it was difficult to even play Civ or Counter-Strike without extreme slowdown...
Is it just me, or did KaZaA seem the scourge of commercialism when it first started? Heck, since then it's become a veritable beacon of it.
...as opposed to the license agreements. 22,606 words, 182 on-screen pages for a license? Might as well rename it Attorney Full-Employment Act of 2005 or something.
He says at the bottom that much of the research was paid for by LimeWire. I was wondering throughout the article why he was giving LimeWire such a clean bill of health, when my experience has not been so good.
The disclosure does say something for his integrity, but I fear his appraisal may be somewhat biased (intentional or not) in favor of LimeWire.
c/the think/the thing/
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
Flame away....
http://jayceecorder.blogspot.com
Robogun,
Preparing these detailed analyses is surprisingly time-consuming -- lots of license text to read, lots of screenshots to make, lots of measurements and other tests (registry, filesystem, etc.). So at least for this initial run, I had to limit myself to a manageable number of P2P programs. In general I tried to focus on the programs believed to have largest market share -- the programs that would infect the most PCs with unwanted software if such programs in fact contain unwanted software.
WinMX would be a good candidate for inclusion in a follow-up piece. And there are plenty more too.
Or perhaps someone else will be so kind as to take over where I've left off!
Ben
Bubonic plague is a bacterial infection, not a viral infection.
ELOI, ELOI, LAMA SABACHTHANI!?
Is that most files on P2P are viruses or have trojans in them.
I tried messaging one person on Kazaalite about the worm in the software he was uploading and he didn't even know where to get antivirus software.
Let's see, is this about the gist of it?
(1) all P2P is bad, cuz it bundles spyware and hides it with evil obscure EULA agreements.
(2) except for LimeWire. they make a happy little P2P client, that only fills your computer up with JRE files. and occasional friendly reminders to buy their full version.
(3) Oh and by the way, thanks to LimeWire for underwriting my academic research.
From TFA:
"One program in my sample is notable not for its inclusion of bundled software but for its omission of such software. Not only did LimeWire not include bundled software, but in my testing it also did not show any advertisements beyond promotions for the paid version of LimeWire."
"This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public."
Something stinks...
Disclosures
This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public.
Here's what I do: Bitty Browser & Andromeda
CC
CKSCIII
http://www.benedelman.org.nyud.net:8090/spyware/p2p/
Installing sketchy software puts more sketchy software on your machine? Preposterous!
And then the spyware/adware companies sue you for libel, slander, and defamation. Who cares if it's not true? You'll still get soaked for the legal bills. Oh, and where is the money for this anti-spyware organization going to come from?
sigh,
Schwab
Editor, A1-AAA AmeriCaptions
Information wants to be FREEEEEE!!!!1111
http://www.benedelman.org.nyud.net:8090/spyware/p2p/
Really sad that so many consumers are so jerked about by lies. Actually, it's more than sad. It's downright tragic. Reality is *always* going to win out in the long term.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
how is it that soulseek stays off EVERYONE'S RADAR? in all my "research" of what the RIAA is busting this week, i have never once even heard soulseek get namedropped. it's almost like they don't even realize it exists. which, of course, makes me very very happy.
but yeah, go soulseek. eff these other p2ps.
"when the sun sets on the ghetto, all the broken stuff gets cold"
The author only tests P2P software known to have spyware in it so the results aren't surprising. eMule runs on the eDonkey network, it's open source, no spyware/malware and it's an amazing program.
If you use any decent software, such as AdAware or Spybot or Microsoft Anti-Spyware, you'll see that LimeWire indeed has absolutely no bundled software. If you use software whose only claim to fame is that it can find spyware where no spyware exists, well... good luck keeping your computer working.
but won't cough up dough to pay for other software and music? It always amuses me how everyone complains that their P2P program gives them spyware while they illegally download. As Dan Rather would say "We used to say if a frog had side pockets, he'd carry a handgun." That has nothing to do with what I wrote, but I think my point is clear.
One thing threatening Open Source today--piracy.
As we have already seen, the GPL is under attack from evil forces known as "pirates." These shadowy folk silently steal source code and violate the GPL, infringing on the rights of GPL authors. They are nothing more than thieves getting a free ride off the work of others, and I for one am disgusted at the idea of it. As you can see in the previous article, clearly Slashdot is also sickened by the idea of copyright infringement and piracy.
Some have even called for a lawsuit against these pirate thieves. Suing individual infringers has always been a position that Slashdot and its readership has supported, so it's only fair that the original GPL authors protect their rights and safeguard their material from being stolen in the future. I think we should all support any lawsuits against these infringers to protect the rights of GPL authors everywhere.
I applaud Slashdot and its readers for always taking a proactive stance against piracy and copyright infringement in general, and I would like to join the cause against this "source code theft." Piracy is a major threat facing OSS today.
Skyshock21,
You'll see that my site contains (what I claim to be) screenshots of the LimeWire install. I also have registry and filesystem change-logs, which I can post if needed (i.e. if they're actually helpful or of interest, which seems a bit unlikely).
Can you say more about the LimeWire installation you tested? Where did you get the installer program? Was this current testing? Are you sure you have the current installer?
I don't mean to suggest that current behavior excuses past bad decisions -- quite the contrary. But things change over time, and if we're to understand the way software actually is getting onto users' PCs, we have to be clear about what specific software is being tested. My article, at least, tried to be quite explicit as to where and when I got the programs at issue (even showing screenshots of the download pages).
Ben
You're absolutely right. Yup. No such thing as bad PR...
Anyway, this is off-topic, but does anyone know where I can buy a copy of "SCO Unix"? I don't remember how I heard about 'em, but I know they've been in the news and stuff, so they must be pretty good...
On Spybot Search & Destroy before: 0. On Spybot Search & Destroy during: approx. 43. After: about 1 or 2!
Funny, you'd think "stealing" would be easier/better on PC's... On this OS X machine we have the following tools:
1) Acquisition. All the search hits with none of the spyware, plus a snazzy interface.
2) Azureus. Everyman's BitTorrent client (only gripe is the high CPU usage)
3) eetee. Interesting p2p app. No spyware.
4) HandBrake. Easiest-to-use DVD ripper in existence, on any platform.
5) Many other p2p clients in various levels of development... all with no spyware
Still snickering at the Windows holdouts...
Been using it since November. Only pain is when it goes down messy it can take an hour to check the 10GB downloads before it restarts downloading them. My only problem is lack of hard drive space. Got a spare terabyte lying around? I kid you not, I'm at half a terabyte now. I do advise you to avoid "hot button" downloads because your I.P. is out there. I've had no problems collecting all the old shows I love that are not on DVD (Get Smart, Hogan's Heroes, etc.)
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
Would be nice if his survey also included effective removal methods for each installed item. Then it would be really useful and informative.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I mean, how much does it take to just guess that some of these programs might be loaded with gunk code that doesn't belong on your machine?
eMule runs fine, finds most anything I bother to look for, and doesn't come with crud. Between that and minor torrent usage, who needs Kazaa of any kind?
W/regard to the RIAA and company, how long until they come up with a P2P sharing program put out through a front company to engage in a sting? Tinfoil hat maybe, but as stupid as they are, sheer statistics alone suggest they will eventually hire someone with more than the two brain cells otherwise required to be at the RIAA/MPAA.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
You serviced a friend's computer! Gross!
Just install Linux...
Perhaps that applies to a Mac to a lesser extent. If you use Unix/Linux, don't get too smug. Might I suggest one thing: use a separate account for anything questionable: all your P2P, "Instant Messaging" and possibly any action that may produce spam. Also consider that IRC is faster than "IM" and talk(1) is 'realtime'. Talk(1) is secure, unlike IRC on a trusted server where SSH is used.
"Where's the beef?"
not the best program to choose to compare limewire to.
.... gpl.
instead of e-donkey, he could have chosen e-mule, which happens to be a gpl replacement.
i believe there is also a replacement of morpheus, but i rather use specialised p2p clients. (I think shareaza is comparable to morpheus. which happens to be
compare with the worst and you look just fine.
There are two types of p2p networks.
1) The likes of bittorrent. You download from an authoritative server a 'control' file that has an MD5 checksum of a file you want. Very difficult or impossible to spoof the saved file.
2) The likes of kazaa. You query other machines on the network for files and pray it's not riddled with spyware, etc. It's probably far too easy to create a virus, giving it an enticing name like 'xpcrack.exe' and plop it in your shared folder and wait for someone to pick it up.
Why would the makers of kazaa bundle spyware/trojans etc directly into their application when it's easier to allow the user to search for something they want and have a hit not on what they really wanted but spyware masquerading as what they wanted?
I've loaded kazaa on a sandbox computer and downloaded executable files pertaining to cracks of various kinds, and virtually all of them were not cracks at all but were trojans/viruses, etc.
Bundling trojans/spyware into an application is slow, restrictive and pointless when there are so many more effective ways to do so, including activex, email worms, seeded trojans in the p2p network, etc.
Kazaa itself and the multitude of files associated with its install for example is reported as spyware, but probably in the most generic term of the fact that whatever files are set up as shared are accessible and thus the program is considered "spyware" for giving that information up. If you go into its options and set up the shared directory, or what you want to share or not, it's not likely to divulge or give up any serious information or data.
But I don't really care, because I don't really trust apps these days that don't have source code with it.
they forgot about exceem too. exceem claims:
2. Bittorrents are spyware free.
3. Bittorrents are adware free.
but that's misleading since Exceem (not bittorrent) contains spyware: cyberGOLD.
HD Trailers
As to the small size of the article's text: I suspect you're using Firefox. My CSS has the problem recently described at codestore. I've hesitated to put absolute font-sizes ("10px") right into my CSS. But font-size x-small is what I need to use in IE to make my page look "right" to the millions of users with IE; Firefox, of course, has its own (arguably more sensible) ideas as to what's medium and what's in fact x-small. So the same code that looks great in IE looks lousy in Firefox.
Anyone want to suggest a fix for this, other than hard-coding size in CSS? If so, I'd certainly appreciate a tip by email.
Buy your software, movies, and games! I must be a genius!
What the fuck are you smoking?
Shareaza does not, has never, and has no plans to include Gator whatsoever.
Fucking troll.
It is laden with spyware. The thing is huge! It puts 78 programs into your startup folder. It takes 49 GIGS of hard drive space and requires at least 4 gig of memory at runtime! Don't install WinMX. Don't download WinMX. Stay away from the WinMX network. Don't tell anyone about WinMX. Forget you ever heard about WinMX.
Seriously, several people have pointed out that the guy was paid by LimeWire to do this research, followed quickly by "But he was completely honest!" I call BS. There are more ways to do a dishonest study than to actually fake the results. One of those ways is to be selective on your input. You'll notice many comments here along the lines of "But, where is my favorite P2P client X? It doesn't have malware either!" Connect the dots. This guy reviewed LimeWire (no malware!) and four other conveniently chosen P2P programs (malware!) for the specific reason of making LimeWire look good.
Give me a break.
giFT and MLDonkey (don't miss the DOT when typing the URL; wwwmldonkey.net is spyware) both have clean-room implementations of FastTracker and are both open-source (and both work under Linux).
For now there's nothing wrong with it, but depending on the vote in the EU about patents, things may get a little problematic.
BTW: FastTracker is also the name of a sound module tracker made by Triton (now Starbreeze).
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Ben, thanks for taking the time to look at all the spyware and EULA bullshit that these programs hit us with.
I think a good way to improve your page would be to state, for each tested program:
* Download URL
* Version downloaded
* MD5sum of the downloaded file
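One way to record what this post asks for (download URL, version, installer hash) together with the filesystem change-log Ben mentions above, as an added example that is not code from the article: it hashes the installer and diffs directory snapshots taken before and after an install. The scratch directory, URL and installer bytes are constructed; registry snapshots are out of scope.

```python
"""Installer footprint record: provenance of the installer plus a before/after
filesystem diff. Added example, not code from Edelman's study; it assumes a
scratch directory stands in for the test machine's disk."""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


def file_digest(path, algorithm="sha256"):
    """Hash a file in chunks so large installers need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Snapshot:
    dirs: set = field(default_factory=set)     # relative directory paths
    files: dict = field(default_factory=dict)  # relative file path -> digest


def snapshot(root):
    """Walk ROOT and record every directory and the digest of every file."""
    snap = Snapshot()
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if rel != ".":
            snap.dirs.add(rel)
        for name in filenames:
            full = os.path.join(dirpath, name)
            snap.files[os.path.relpath(full, root)] = file_digest(full)
    return snap


def diff_snapshots(before, after):
    """What the install added or changed: the folder/file counts the study reports."""
    added_dirs = sorted(after.dirs - before.dirs)
    added_files = sorted(set(after.files) - set(before.files))
    modified = sorted(p for p in before.files
                      if p in after.files and after.files[p] != before.files[p])
    return {"added_dirs": added_dirs, "added_files": added_files,
            "modified_files": modified}


def installer_record(url, version, installer_path):
    """Provenance triple a reader needs to reproduce the test."""
    return {"url": url, "version": version, "sha256": file_digest(installer_path)}


def demo():
    """Constructed scenario: a scratch 'disk', a fake installer, and the files a
    hypothetical install drops, including a bundled component and one overwrite."""
    with tempfile.TemporaryDirectory() as disk:
        def write(rel, data):
            full = os.path.join(disk, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        write("Program Files/Existing/app.exe", b"pre-existing")
        write("Downloads/setup.exe", b"constructed installer bytes")
        before = snapshot(disk)
        # Simulated install: requested client, its runtime, and a bundled extra.
        write("Program Files/P2PClient/client.exe", b"client")
        write("Program Files/P2PClient/jre/bin/java.exe", b"runtime")
        write("Program Files/BundledAdware/ads.dll", b"bundled")
        write("Program Files/Existing/app.exe", b"overwritten")
        after = snapshot(disk)
        record = installer_record("http://example.invalid/setup.exe",  # placeholder URL
                                  "1.0-test", os.path.join(disk, "Downloads/setup.exe"))
        return record, diff_snapshots(before, after)


if __name__ == "__main__":
    rec, delta = demo()
    print(rec)
    print(len(delta["added_dirs"]), "folders and", len(delta["added_files"]), "files added")
```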
Don't forget, there was a story here about an interview with Ben a couple months ago.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Try using 1em instead of 10px. It's similar to saying 100%, but I've had good cross-browser results using this approach.
Have you ever asked yourself, Is It Normal?.
if a virus could infect an mp3, an avi, an mpeg, etc. don't you think someone would have done it by now? if they could carry viruses, the whole fucking internet would be infected.
If you always sound like a negative twit, you'll get ignored a lot.
Excuse me, I just remembered that I have to wash my car, or do some laundry, or maybe my thumbs need twiddling. Whatever it is, it's a much better use of my time.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
From the article: ...the license further provides that DR "may, without any further prior notice ..., remove, disable or render inoperative other adware programs resident on your computer." (Emphasis mine)
I love the way they admit that DR is an adware program!
Don't you have a mcafee virus scan or spybot search to run or something? Yeah, when you get tired of that (and if your time is worth anything- mine is), try the "extreme" 500 buck Mac Mini. If that puts a dent in your budget... just think that you could probably resell it on eBay. Total risk to you: Probably a hundred bucks or so.
::snicker::
Yes, as a person who uses a Windows laptop all day at work and troubleshoots and repairs countless friends' and family members' PC machines, I freely admit that I AM an arrogant Mac user. You would be, too.
Regarding your other responses...
1) It's worth the small fee.
2) I know, and I know.
3) News to me. My bad.
4) Admittedly, no. But I've googled and tried what I could, and from my informal sampling, it really kicked ass IMHO.
5) Mostly I was trying to make the point that Windows far from dominates this little market.
Okay so the licenses are hard to read...why doesn't the guy just come out and tell us which is the best/least crapware and least likely to get caught for downloading pr0n, music, warez etc.?!?
Thanks to the kind Slashdot'er who wrote with CSS suggestions. Those now visiting the site with Firefox will find a much more reasonable font-size, that still looks good in IE. (Solution: Instead of using medium, small, x-small, etc., use 1em, 0.9em, 0.8em, etc. as uf22 suggests.)
c/the think/the thing/
s#^c#s#
Let's say company X advertises on Y-program. Where is the falsehood in advertising the fact that X advertises on Y-program? There is none. You would only get in trouble if you said something like "X advertises on Y-program AND X-founder's wife is an inside trader making money illegally" (presuming you have no information confirming everything after the "AND" -- if everything after the and is confirmably true -- no trouble). Truth, not presented in a misleading fashion, is an absolute defense.
Perhaps you are tempted to say "they'll sue anyway!" Maybe, but if their suit was that baseless, they would end up paying your attorney fees and perhaps face additional sanctions for a frivolous suit.
Last, if I knew of such a list, I'd support it with a monetary donation. I don't even use P2P programs - I just think spyware is bad in general and I'd be happy to help anyone fighting it. A wiki model perhaps? With screenshot evidence posted by submitters. Throw in a nice upstanding company willing to donate a little bandwidth and you're set.
You know, companies will not advertise in a way that costs them money -- that is a result completely the opposite of the advertiser's intent. Make the advertising technique counterproductive and guess what -- we win!
What changed under Obama? Nothing Good
I know people (especially here) disagree with adware, but if that is the way these people pay the bills and can afford to produce the software for free then I don't see a problem with that. You are paying for a service by agreeing to view ads instead of paying $30 for software.
False positives o'plenty. Yeah, I've used it.
...duh.
Non-open-source "free" software has come with lots of ugly strings for many years now in the Windows world.
Nothing to see here, move along.
Tough day? How about a free Mac mini?
it takes a phd to read EULAs? This guy is really smart.
really bored? My blog
Here's a good one. You LIKE it when Windows pauses your cursor while it's busy with something else? On a Mac you will NEVER experience much of a UI delay, not nearly as much as I notice on Windows, in any event. Macs have ALWAYS prioritized the UI experience. Even the first Mac prioritized the pointer back when Windows 3.1's pointer had a flickering sprite that they called a mouse pointer...
Bark is the time taken for the triumph of evil is for good men to do nothing.
Well, this is referred to as sarcasm.
That's hard to believe; they're all such shitty applications, you'd think people would've migrated to the better P2P clients by now...
JoloK
What is my observation? I use almost exclusively the Firefox browser (rarely use Safari), and I haven't seen any issues with pop-ups or page hijacking. Of course, I could just be lucky.
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...