Slashdot Mirror


Spyware Analysis of P2P Software

rhizome writes "Benjamin Edelman, a PhD candidate in Economics and a Law student at Harvard, has analyzed the hidden (or not) additions to a user's machine when they install some of the major Windows P2P clients. He analyzes the length and readabilty of their licenses, what is revealed or hidden in the software's installer and includes screenshots for illustration. Clear, concise and eye-opening."

24 of 200 comments

  1. I am aware by bogaboga · · Score: 3, Informative

    I am aware that eMule has no spyware/adware since it's open source. In this case, the issues the author raises do not concern me. Since this discussion is primarily based on Windows, Linux is off-topic, but in that area, we have KMLdonkey and Limewire.

  2. Paid for by MindStalker · · Score: 2, Informative

    Just wanted to note that this article is paid for by LimeWire. Obviously because there are no third-party apps with LimeWire and no license whatsoever.

  3. Relevant section by Anonymous Coward · · Score: 4, Informative

    The relevant parts, for people who can't or don't want to RTFA:

    My testing uncovered no bundled software installed without at least some disclosure apparent in a careful and complete reading of all applicable installation license agreements. However, it is possible that programs were installed that I failed to detect, especially if bundled program installations were set to be delayed after installation of the requested P2P software.

    Although each P2P installer included at least a vague reference to each program to be installed, certain P2P programs' installation procedures nonetheless present cause for concern. For one, substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.

  5. Re:None of the Open Source ones checked? by tehshen · · Score: 2, Informative

    Shareaza isn't invasive: I used it for months with no ill effects. It didn't kill my network, just slowed it down quite a lot, so it is not likely to be something sinister; if anything, it is a general problem, as Gtk-Gnutella on Linux causes connection timeout errors for me on any other apps while it's running.

    --
    Guy asked me for a quarter for a cup of coffee. So I bit him.

  6. Re:Lawyer, economist, and paid shill? by KtHM · · Score: 2, Informative

    Indeed. Am I the only one who got the LimeStore (or whatever it's called) installed?

  7. What programs were included by bedelman · · Score: 5, Informative

    Robogun,

    Preparing these detailed analyses is surprisingly time-consuming -- lots of license text to read, lots of screenshots to make, lots of measurements and other tests (registry, filesystem, etc.). So at least for this initial run, I had to limit myself to a manageable number of P2P programs. In general I tried to focus on the programs believed to have the largest market share -- the programs that would infect the most PCs with unwanted software if such programs in fact contain unwanted software.

    WinMX would be a good candidate for inclusion in a follow-up piece. And there are plenty more too.

    Or perhaps someone else will be so kind as to take over where I've left off!

    Ben

  8. FYI: (was:Little-Known Spyware EULA Provisions) by Lead+Butthead · · Score: 5, Informative

    Bubonic plague is a bacterial infection, not a viral infection.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?

  9. Re:Lawyer, economist, and paid shill? by digitalchinky · · Score: 4, Informative

    What exactly was your experience? LimeWire, to me, appears to do exactly as he said. Nothing more, nothing less. I don't think he sold out there.

    Shareaza is missing from the list, but is very similar to LimeWire - might be a good alternative (note: shareaza, not sharaza!)

    http://www.shareaza.com/

  10. Re:Lawyer, economist, and paid shill? by Vengie · · Score: 4, Informative

    I spent about an hour talking to Ben at the Yahoo! party last week. I can assure you that he is by no means shilling for anyone. His feelings on the matter are pretty strong, and he sells himself on the integrity you mention.

    --
    When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)

  11. Re:None of the Open Source ones checked? by mlinksva · · Score: 4, Informative

    LimeWire is open source and is safe. I did a quick check of several other open source P2P apps (BitTorrent, eMule, Phex, and Shareaza). None are bundled with malware and if they have a license agreement it is only the GPL. All of the proprietary apps checked are unsafe, and it is well known that others not checked (e.g., Grokster) are also not safe.

  12. soulseek? by ruxxell · · Score: 2, Informative

    How is it that soulseek stays off EVERYONE'S RADAR? In all my "research" of what the RIAA is busting this week, I have never once even heard soulseek get namedropped. It's almost like they don't even realize it exists. Which, of course, makes me very very happy.

    But yeah, go soulseek. Eff these other p2ps.

    --
    "when the sun sets on the ghetto, all the broken stuff gets cold"

  13. Re:Lawyer, economist, and paid shill? by sameb · · Score: 3, Informative

    You're probably the only one. At least if you downloaded LimeWire any time after last August. LimeWire hasn't had bundled software for close to a year.

  14. Use eMule - Open Source - No Spyware by idealego · · Score: 2, Informative

    The author only tests P2P software known to have spyware in it so the results aren't surprising. eMule runs on the eDonkey network, it's open source, no spyware/malware and it's an amazing program.

  15. Re:None of the Open Source ones checked? by WWWWolf · · Score: 2, Informative

    LimeWire is open source, the pre-compiled binaries have banner ads, as noted in the article.

    But usually, open source P2P clients have typically been fairly free of spyware. However, there have been a lot of cases where some people have taken the binaries, added spyware, then made it available for download. (At least Azureus got hit by that.) Nothing to do with coders, there are just people who want to mess up the distribution somehow...

  16. Re:just a question by MarkGriz · · Score: 4, Informative

    Not necessarily the "best", but Shareaza is very good, for a number of reasons:

    - Works well (IMHO)
    - Open source and Free (beer)
    - Connects to Gnutella, Gnutella2 and eMule networks
    - Built-in bittorrent support.

    --
    Beauty is in the eye of the beerholder.

  17. Re:Use Webroot's SpySweeper by sameb · · Score: 2, Informative

    If you use any decent software, such as AdAware or Spybot or Microsoft Anti-Spyware, you'll see that LimeWire indeed has absolutely no bundled software. If you use software whose only claim to fame is that it can find spyware where no spyware exists, well... good luck keeping your computer working.

  18. Re:How satisfying to see... by Anita+Coney · · Score: 2, Informative

    Somehow a "Gnutella of tits" just doesn't seem as satisfying as a "Torrent of tits."

    --
    If someone says he and his monkey have nothing to hide, they almost certainly do.

  19. Allegation of LimeWire Installing Bundled Software by bedelman · · Score: 3, Informative

    Skyshock21,

    You'll see that my site contains (what I claim to be) screenshots of the LimeWire install. I also have registry and filesystem change-logs, which I can post if needed (i.e. if they're actually helpful or of interest, which seems a bit unlikely).

    Can you say more about the LimeWire installation you tested? Where did you get the installer program? Was this current testing? Are you sure you have the current installer?

    I don't mean to suggest that current behavior excuses past bad decisions -- quite the contrary. But things change over time, and if we're to understand the way software actually is getting onto users' PCs, we have to be clear about what specific software is being tested. My article, at least, tried to be quite explicit as to where and when I got the programs at issue (even showing screenshots of the download pages).

    Ben

  20. P2P is better on Macs? by 5n3ak3rp1mp · · Score: 3, Informative

    Funny, you'd think "stealing" would be easier/better on PCs... On this OS X machine we have the following tools:

    1) Acquisition. All the search hits with none of the spyware, plus a snazzy interface.
    2) Azureus. Everyman's BitTorrent client (only gripe is the high CPU usage)
    3) eetee. Interesting p2p app. No spyware.
    4) HandBrake. Easiest-to-use DVD ripper in existence, on any platform.
    5) Many other p2p clients in various levels of development... all with no spyware

    Still snickering at the Windows holdouts...

  21. Re:Another close topic by Anonymous Coward · · Score: 2, Informative

    MOST!!! How on earth can you say that with the vast number of files on the P2P Networks? I have downloaded more files than I care to admit and have actually only found one Virus (Yep, I scan them all just to be sure) and I am quite sure that my experience is not atypical.

  22. Was this even necessary? by pg110404 · · Score: 3, Informative

    There are two types of p2p networks.

    1) The likes of BitTorrent. You download from an authoritative server a 'control' file that has an MD5 checksum of a file you want. Very difficult or impossible to spoof the saved file.

    2) The likes of Kazaa. You query other machines on the network for files and pray it's not riddled with spyware, etc. It's probably far too easy to create a virus, giving it an enticing name like 'xpcrack.exe' and plop it in your shared folder and wait for someone to pick it up.

    Why would the makers of Kazaa bundle spyware/trojans etc. directly into their application when it's easier to allow the user to search for something they want and have a hit not on what they really wanted but spyware masquerading as what they wanted?

    I've loaded Kazaa on a sandbox computer and downloaded executable files pertaining to cracks of various kinds, and virtually all of them were not cracks at all but were trojans/viruses, etc.

    Bundling trojans/spyware into an application is slow, restrictive and pointless when there are so many more effective ways to do so, including ActiveX, email worms, seeded trojans in the p2p network, etc.

    Kazaa itself and the multitude of files associated with its install for example is reported as spyware, but probably in the most generic term of the fact that whatever files are set up as shared are accessible and thus the program is considered "spyware" for giving that information up. If you go into its options and set up the shared directory, or what you want to share or not, it's not likely to divulge or give up any serious information or data.

    But I don't really care, because I don't really trust apps these days that don't have source code with it.
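
The first network type in the comment above works because the 'control' file, fetched from a trusted source, carries hashes of the content, so whatever peers send can be checked before it is trusted. As an added example (not from the page or from any P2P project), here is a minimal bencode decoder plus the per-piece check that BitTorrent's .torrent metadata actually supports (a SHA-1 per piece, not a single MD5); the tracker URL, file name and 40-byte payload are constructed for the demonstration.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value starting at offset i; return (value, next offset)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict: l...e / d...e
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)                     # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def bencode(obj):
    """Encoder for ints, bytes and dicts; only used to build the constructed sample."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"

def make_torrent(name, payload, piece_len):
    """Single-file metadata: the SHA-1 of every piece, concatenated into 'pieces'."""
    pieces = b"".join(hashlib.sha1(payload[i:i + piece_len]).digest()
                      for i in range(0, len(payload), piece_len))
    info = {b"name": name, b"length": len(payload),
            b"piece length": piece_len, b"pieces": pieces}
    return bencode({b"announce": b"http://tracker.example/announce", b"info": info})

def bad_pieces(torrent, payload):
    """Indices of pieces whose SHA-1 does not match the metadata (empty list = all good)."""
    info = bdecode(torrent)[0][b"info"]
    plen, hashes = info[b"piece length"], info[b"pieces"]
    return [idx for idx in range(len(hashes) // 20)
            if hashlib.sha1(payload[idx * plen:(idx + 1) * plen]).digest()
            != hashes[idx * 20:(idx + 1) * 20]]

def verify_download(torrent, payload):
    """Length check catches trailing junk that would not land in any hashed piece."""
    info = bdecode(torrent)[0][b"info"]
    return len(payload) == info[b"length"] and not bad_pieces(torrent, payload)

# Constructed sample: a 40-byte "file" split into 16-byte pieces (16, 16 and 8 bytes).
PAYLOAD = bytes(range(40))
TORRENT = make_torrent(b"sample.bin", PAYLOAD, 16)
```

A real .torrent has more keys, but the integrity check is exactly this: the decoded `pieces` string is the only thing a client needs to reject a corrupted or substituted piece from any peer.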

  23. Re:How satisfying to see... by bcmm · · Score: 2, Informative

    "God, I'd pay for that!"

    You already do. It's just that the software doesn't tell you you are.

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.

  24. Slashdot Story on Ben by bill_mcgonigle · · Score: 2, Informative

    Don't forget, there was a story here about an interview with Ben a couple months ago.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)