Slashdot Mirror
Spyware Analysis of P2P Software
rhizome writes "Benjamin Edelman, a PhD candidate in Economics and a Law student at Harvard, has analyzed the hidden (or not) additions to a user's machine when they install some of the major Windows P2P clients. He analyzes the length and readabilty of their licenses, what is revealed or hidden in the software's installer and includes screenshots for illustration. Clear, concise and eye-opening."
When someone who's both a lawyer and an economist says a license is difficult to interpret, I tend to believe them. Even his assertion that these licenses are obfuscated is, itself, obfuscated.
adam b.
It would be interesting to compare against the popular Open Soure ports to see if they're any less invasive by nature.
What about Shareaza?
...that the only P2P client I use didn't even need to be reviewed. :)
(It rhymes with "BitTorrent.")
The coolest voice ever.
I am aware that eMule has no spyware/addware since its opensource. In this case, the issues the author raises do not concern me. Since this discussion is primarily based on Windows, Linux is offtopic, but in that area, we have KMLdonkey and Limewire.
Serves them right for installing that evil bad software that only pirates use..
For the slower moderators out there today, this is referred to as sarcasm.
---- Booth was a patriot ----
And here all this time I was thinking my computer is a piece of shit because it's a pentium II 333MHz PC with 64megs of ram running Windows 98...
but NO...it's the P2P programs!
:::: the insomniac's digest
Just wanted to note that this article is paid for by LimeWire. Obviously because there is no third party apps with limewire and no license whatsoever.
The relevant parts, for people who can't or don't want to RTFA:
My testing uncovered no bundled software installed without at least some disclosure apparent in a careful and complete reading of all applicable installation license agreements. However, it is possible that programs were installed that I failed to detect, especially if bundled program installations were set to be delayed after installation of the requested P2P software.
Although each P2P installer included at least a vague reference to each program to be installed, certain P2P programs' installation procedures nonetheless present cause for concern. For one, substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.
However, the think that really worries me is the intersection between P2P and black-hat-hacking skills. That's too much power in one place, and we already know that power corrupts. (The only redeeming point is that sometimes the corruption is pretty funny, like the Gannon/Guckert case.)
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
pssh. Spyware? P2P? NEVER!
- User will be required to supply their own vaseline, and will receive neither a kiss nor a call the next morning.
- User agrees to transmit any virus as required by the Program, including, but not limited to, SoBig, MyDoom, Gator, Realplayer, MS Windows, AIDS, and bubonic plague.
- User agrees toi call the writer of this program "Big Daddy."
- All your base are belong to us.
- Do not taunt Happy Fun Ball.
- Crow T. TrollbotFor instance, WinMX doesn't install anything but the p2p program. Where is it on this list?
No such thing as bad PR. If we had such an organization, every little company would want to get on that negative list because it would give the double advertisement. In the end, people will rmemeber the company name - not what they did.
I mod down so you can mod up. Your welcome.
A couple of years back, I serviced a friends computer which was literally deluged with adware and spyware from KaZaA (KaZaA was at its peak then).
Around 300 files, mostly registry entries, aswell as Gator were on his computer, combined it all took up roughly 35% of his RAM to run, on his 128mb chip it was difficult to even play civ or counter-strike without extreme slowdown...
Is it just me, or did KaZaA seem the scourge of commercialism when it first started? Heck, since then its become a veritable beacon of it.
He says at the bottom that much of the research was paid for by LimeWire. I was wondering throughout the article why he was givng LimeWire such a clean bill of health, when my experience has not been so good.
The disclosure does say something for his integrity, but I fear his appraisal may be somewhat biased (intentional or not) in favor of LimeWire.
Comment removed based on user account deletion
Robogun,
Preparing these detailed analyses is surprisingly time-consuming -- lots of license text to read, lots of screenshots to make, lots of measurements and other tests (registry, filesystem, etc.). So at least for this initial run, I had to limit myself to a manageable number of P2P programs. In general I tried to focus on the programs believed to have largest market share -- the programs that would infect the most PCs with unwanted software if such programs in fact contain unwanted software.
WinMX would be a good candidate for inclusion in a follow-up piece. And there are plenty more too.
Or perhaps someone else will be so kind as to take over where I've left off!
Ben
Bubonic plague is a bacterial infection, not a viral infection.
ELOI, ELOI, LAMA SABACHTHANI!?
From TFA:
"One program in my sample is notable not for its inclusion of bundled software but for its omission of such software. Not only did LimeWire not include bundled software, but in my testing it also did not show any advertisements beyond promotions for the paid version of LimeWire."
"This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public."
Something stinks...
how is it that soulseek stays off EVERYONES RADAR? in all my "research" of what the RIAA is busting this week, i have never once even heard soulseek get namedropped. it's almost like they don't even realize it exists. which, of course, makes me very very happy.
but yeah, go soulseek. eff these other p2ps.
"when the sun sets on the ghetto, all the broken stuff gets cold"
The author only tests P2P software known to have spyware in it so the results aren't surprising. eMule runs on the eDonkey network, it's open source, no spyware/malware and it's an amazing program.
Not necessarily the "best", but Shareaza is very good, for a number of reasons:
- Works well (IMHO)
- Open source and Free (beer)
- Connects to Gnutella, Gnutella2 and Emule networks
- Built-in bittorrent support.
Beauty is in the eye of the beerholder.
If you use any decent software, such as AdAware or Spybot or Microsoft Anti-Spyware, you'll see that LimeWire indeed has absolutely no bundled software. If you use software whose only claim to fame is that it can find spyware where no spyware exists, well... good luck keeping your computer working.
Skyshock21,
You'll see that my site contains (what I claim to be) screenshots of the LimeWire install. I also have registry and filesystem change-logs, which I can post if needed (i.e. if they're actually helpful or of interest, which seems a bit unlikely).
Can you say more about the LimeWire installation you tested? Where did you get the installer program? Was this current testing? Are you sure you have the current installer?
I don't mean to suggest that current behavior excuses past bad decisions -- quite the contrary. But things change over time, and if we're to understand the way software actually is getting onto users' PCs, we have to be clear about what specific software is being tested. My article, at least, tried to be quite explicit as to where and when I got the programs at issue (even showing screenshots of the download pages).
Ben
Funny, you'd think "stealing" would be easier/better on PC's... On this OS X machine we have the following tools:
1) Acquisition. All the search hits with none of the spyware, plus a snazzy interface.
2) Azureus. Everyman's BitTorrent client (only gripe is the high CPU usage)
3) eetee. Interesting p2p app. No spyware.
4) HandBrake. Easiest-to-use DVD ripper in existence, on any platform.
5) Many other p2p clients in various levels of development... all with no spyware
Still snickering at the Windows holdouts...
MOST!!! How on earth can you say that with the vast number of files on the P2P Networks?I have downloaded more files than I care to admit and have actually only found one Virus ( Yep I scan them all just to be sure ) and I am quite sure that my experience is not atypical
I mean, how much does it take to just guess that some of these programs might be loaded with gunk code that doesn't belong on your machine?
eMule runs fine, finds most anything I bother to look for, and doesn't come with crud. Between that and minor torrent useage, who needs Kazaa of any kind?
W/regard to the RIAA and company, how long until they come up with a P2P sharing program put out through a front company to engage in a sting? Tinfoil hat maybe, but as stupid as they are, sheer statistics alone suggest they will eventually hire someone with more than the two brain cells otherwise required to be at the RIAA/MPAA.
If my grammar and spelling are off, I am [distracted/tired/careless] (take your pick)
There are two types of p2p networks.
1) The likes of bittorrent. You download from an authoritative server a 'control' file that has an MD5 checksum of a file you want. Very difficult or impossible to spoof the saved file.
2) The likes of kazaa. You query other machines on the network for files and pray it's not riddled with spyware, etc. It's probably far too easy to create a virus, giving it an enticing name like 'xpcrack.exe' and plop it in your shared folder and wait for someone to pick it up.
Why would the makers of kazaa bundle spyware/trojans etc directly into their application when it's easier to allow the user to search for something they want and have a hit not on what they really wanted but spyware masquerading as what they wanted?
I've loaded kazaa on a sandbox computer and downloaded executable files pertaining to cracks of various kinds, and virtually all of them were not cracks at all but were trojans/viruses, etc.
Bundling trojans/spyware into an application is slow, restrictive and pointless when there are so many more effective ways to do so, including activex, email worms, seeded trojans in the p2p network, etc.
Kazaa itself and the multitude of files associated with its install for example is reported as spyware, but probably in the most generic term of the fact that whatever files are set up as shared are accessible and thus the program is considered "spyware" for giving that information up. If you go into its options and set up the shared directory, or what you want to share or not, it's not likely to divulge or give up any serious information or data.
But I don't really care, because I don't really trust apps these days that don't have source code with it.
Don't forget, there was a story here about an interview with Ben a couple months ago.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)