Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spyware Analysis of P2P Software

Posted by CmdrTaco on from the dark-side-to-the-dark-side dept.

rhizome writes "Benjamin Edelman, a PhD candidate in Economics and a Law student at Harvard, has analyzed the hidden (or not) additions to a user's machine when they install some of the major Windows P2P clients. He analyzes the length and readabilty of their licenses, what is revealed or hidden in the software's installer and includes screenshots for illustration. Clear, concise and eye-opening."

32 of 200 comments (clear)

  1. Law AND Economics? by Onimaru · · Score: 5, Interesting

    When someone who's both a lawyer and an economist says a license is difficult to interpret, I tend to believe them. Even his assertion that these licenses are obfuscated is, itself, obfuscated.

    --
    adam b.
    1. Re:Law AND Economics? by Threni · · Score: 5, Funny

      > When someone who's both a lawyer and an economist says a license is difficult to
      > interpret, I tend to believe them

      Personally I'm not convinced until I'm told it by someone who maintains other people's Perl for a living!

  2. None of the Open Source ones checked? by cybrthng · · Score: 4, Interesting

    It would be interesting to compare against the popular Open Soure ports to see if they're any less invasive by nature.

    What about Shareaza?

    1. Re:None of the Open Source ones checked? by mlinksva · · Score: 4, Informative

      LimeWire is open source and is safe. I did a quick check of several other open source P2P apps (BitTorrent, eMule, Phex, and Shareaza). None are bundled with malware and if they have a license agreement it is only the GPL. All of the proprietary apps checked are unsafe, and it is well known that others not checked (e.g., Grokster) are also not safe.

  3. How satisfying to see... by Faust7 · · Score: 5, Funny

    ...that the only P2P client I use didn't even need to be reviewed. :)

    (It rhymes with "BitTorrent.")

    --
    The coolest voice ever.
    1. Re:How satisfying to see... by Anonymous Coward · · Score: 3, Funny

      TitTorrent?

      I am unable to crack your code.

    2. Re:How satisfying to see... by Anita+Coney · · Score: 5, Funny

      God, I'd pay for that!

      --
      If someone says he and his monkey have nothing to hide, they almost certainly do.
  4. I am aware by bogaboga · · Score: 3, Informative

    I am aware that eMule has no spyware/addware since its opensource. In this case, the issues the author raises do not concern me. Since this discussion is primarily based on Windows, Linux is offtopic, but in that area, we have KMLdonkey and Limewire.

  5. Serves them right by nurb432 · · Score: 4, Funny

    Serves them right for installing that evil bad software that only pirates use..

    For the slower moderators out there today, this is referred to as sarcasm.

    --
    ---- Booth was a patriot ----
  6. Whoda thunk it? by J+Barnes · · Score: 5, Funny

    And here all this time I was thinking my computer is a piece of shit because it's a pentium II 333MHz PC with 64megs of ram running Windows 98...

    but NO...it's the P2P programs!

    --
    :::: the insomniac's digest
  7. Relevant section by Anonymous Coward · · Score: 4, Informative

    The relevant parts, for people who can't or don't want to RTFA:

    My testing uncovered no bundled software installed without at least some disclosure apparent in a careful and complete reading of all applicable installation license agreements. However, it is possible that programs were installed that I failed to detect, especially if bundled program installations were set to be delayed after installation of the requested P2P software.

    Although each P2P installer included at least a vague reference to each program to be installed, certain P2P programs' installation procedures nonetheless present cause for concern. For one, substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.

  8. It's not the spyware, it's the black hat hackers.. by shanen · · Score: 3, Insightful
    I'm not so worried about spyware. At least not the commercial type, since you can figure out their motivations. Actually, I think the best response there is not spyware blockers, but a commercial response. There should be an anti-spyware organization that gives negative publicity to the companies that benefit in any way from spyware, and positive publicity to their competitors. If they're doing it for money, then you hit them in the wallet and they'll wake up.

    However, the think that really worries me is the intersection between P2P and black-hat-hacking skills. That's too much power in one place, and we already know that power corrupts. (The only redeeming point is that sometimes the corruption is pretty funny, like the Gannon/Guckert case.)

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  9. What? No way! by tmleafsar · · Score: 3, Funny

    pssh. Spyware? P2P? NEVER!

  10. Little-Known Spyware EULA Provisions by Cr0w+T.+Trollbot · · Score: 5, Funny
    • User will be required to supply their own vaseline, and will receive neither a kiss nor a call the next morning.
    • User agrees to transmit any virus as required by the Program, including, but not limited to, SoBig, MyDoom, Gator, Realplayer, MS Windows, AIDS, and bubonic plague.
    • User agrees toi call the writer of this program "Big Daddy."
    • All your base are belong to us.
    • Do not taunt Happy Fun Ball.
    - Crow T. Trollbot
  11. List is far from complete. by robogun · · Score: 5, Interesting

    For instance, WinMX doesn't install anything but the p2p program. Where is it on this list?

    1. Re:List is far from complete. by tmleafsar · · Score: 4, Funny

      WinMX magically installed the complete Rush discography on my hard drive. ....that's my story and I'm sticking to it!

  12. Re:It's not the spyware, it's the black hat hacker by AviLazar · · Score: 3, Insightful

    No such thing as bad PR. If we had such an organization, every little company would want to get on that negative list because it would give the double advertisement. In the end, people will rmemeber the company name - not what they did.

    --

    I mod down so you can mod up. Your welcome.
  13. Very true... by Robotron23 · · Score: 5, Interesting

    A couple of years back, I serviced a friends computer which was literally deluged with adware and spyware from KaZaA (KaZaA was at its peak then).

    Around 300 files, mostly registry entries, aswell as Gator were on his computer, combined it all took up roughly 35% of his RAM to run, on his 128mb chip it was difficult to even play civ or counter-strike without extreme slowdown...

    Is it just me, or did KaZaA seem the scourge of commercialism when it first started? Heck, since then its become a veritable beacon of it.

  14. Lawyer, economist, and paid shill? by halivar · · Score: 4, Interesting

    He says at the bottom that much of the research was paid for by LimeWire. I was wondering throughout the article why he was givng LimeWire such a clean bill of health, when my experience has not been so good.

    The disclosure does say something for his integrity, but I fear his appraisal may be somewhat biased (intentional or not) in favor of LimeWire.

    1. Re:Lawyer, economist, and paid shill? by digitalchinky · · Score: 4, Informative

      What exactly was your experience? LimeWire, to me, appears to do exactly as he said. Nothing more, nothing less. I don't think he sold out there.

      Shareaza is missing from the list, but is very similar to LimeWire - might be a good alternative (note: shareaza, not sharaza!)

      http://www.shareaza.com/

    2. Re:Lawyer, economist, and paid shill? by Vengie · · Score: 4, Informative

      I spent about an hour talking to Ben at the Yahoo! party last week. I can assure you that he is by no means shilling for anyone. His feelings on the matter are pretty strong, and he sells himself on the integrity you mention.

      --
      When in doubt, parenthesize. At the very least it will let some poor schmuck bounce on the % key in vi. (Larry Wall)
    3. Re:Lawyer, economist, and paid shill? by sameb · · Score: 3, Informative

      You're probably the only one. At least if you downloaded LimeWire any time after last August. LimeWire hasn't had bundled software for close to a year.

    4. Re:Lawyer, economist, and paid shill? by Audacious · · Score: 4, Interesting

      I have to say that I think there should be an Open Source set up for independent reviews of things. Sort of like Consumer Reports (versus Consumer Review which was started by the major corporations to try to thwart Consumer Reports' highly accurate ratings). If done correctly, and an unbiased basis can be maintained, it might take off just like many of the software projects have done. Further, it could be used to show the actual state of where Open Source products are versus Closed Source products. In fact, Consumer Reports would be the place to do this since they are fairly independent and back up all of their statements with lots of test data.

      So if anyone from any of the major OSS companies is listening - you might want to help fund the testing of the various OSs via Consumer Reports as well as some of the Open Source Software (OSS) itself versus the Closed Source Software (CSS) versions. Like Open Office versus MS-Office and the like.

      Just a thought.

      --
      Someone put a black hole in my pocket and now I'm broke. :-)
    5. Re:Lawyer, economist, and paid shill? by starfishsystems · · Score: 4, Interesting
      I have a lot of respect for Consumer Reports. We used to have a subscription to it when I was growing up, and I always found it objective, scientific, and informative.

      Where CR doesn't distinguish itself is in technical evaluations, software in particular. I could wish for more rigor when it takes on projects like these.

      Historically, the rolloff makes a fair amount of sense, as CR writes for a general rather than technical audience. And, as I often argue, you can't understand computing infrastructure as if it were a kind of appliance. Appliances are finite. Infrastructure exists for its potential.

      But as our daily lives become increasingly involved with technology, I often wish that CR could use its leadership and methodology to inform the technology marketplace as well.

      --
      Parity: What to do when the weekend comes.
  15. Comment removed by account_deleted · · Score: 4, Informative

    Comment removed based on user account deletion

  16. What programs were included by bedelman · · Score: 5, Informative

    Robogun,

    Preparing these detailed analyses is surprisingly time-consuming -- lots of license text to read, lots of screenshots to make, lots of measurements and other tests (registry, filesystem, etc.). So at least for this initial run, I had to limit myself to a manageable number of P2P programs. In general I tried to focus on the programs believed to have largest market share -- the programs that would infect the most PCs with unwanted software if such programs in fact contain unwanted software.

    WinMX would be a good candidate for inclusion in a follow-up piece. And there are plenty more too.

    Or perhaps someone else will be so kind as to take over where I've left off!

    Ben

  17. FYI: (was:Little-Known Spyware EULA Provisions) by Lead+Butthead · · Score: 5, Informative

    Bubonic plague is a bacterial infection, not a viral infection.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  18. Re:just a question by MarkGriz · · Score: 4, Informative

    Not necessarily the "best", but Shareaza is very good, for a number of reasons:

    - Works well (IMHO)
    - Open source and Free (beer)
    - Connects to Gnutella, Gnutella2 and Emule networks
    - Built-in bittorrent support.

    --
    Beauty is in the eye of the beerholder.
  19. Allegation of LimeWire Installing Bundled Software by bedelman · · Score: 3, Informative

    Skyshock21,

    You'll see that my site contains (what I claim to be) screenshots of the LimeWire install. I also have registry and filesystem change-logs, which I can post if needed (i.e. if they're actually helpful or of interest, which seems a bit unlikely).

    Can you say more about the LimeWire installation you tested? Where did you get the installer program? Was this current testing? Are you sure you have the current installer?

    I don't mean to suggest that current behavior excuses past bad decisions -- quite the contrary. But things change over time, and if we're to understand the way software actually is getting onto users' PCs, we have to be clear about what specific software is being tested. My article, at least, tried to be quite explicit as to where and when I got the programs at issue (even showing screenshots of the download pages).

    Ben

  20. P2P is better on Macs? by 5n3ak3rp1mp · · Score: 3, Informative

    Funny, you'd think "stealing" would be easier/better on PC's... On this OS X machine we have the following tools:

    1) Acquisition. All the search hits with none of the spyware, plus a snazzy interface.
    2) Azureus. Everyman's BitTorrent client (only gripe is the high CPU usage)
    3) eetee. Interesting p2p app. No spyware.
    4) HandBrake. Easiest-to-use DVD ripper in existence, on any platform.
    5) Many other p2p clients in various levels of development... all with no spyware

    Still snickering at the Windows holdouts...

  21. Was this even necessary? by pg110404 · · Score: 3, Informative

    There are two types of p2p networks.

    1) The likes of bittorrent. You download from an authoritative server a 'control' file that has an MD5 checksum of a file you want. Very difficult or impossible to spoof the saved file.

    2) The likes of kazaa. You query other machines on the network for files and pray it's not riddled with spyware, etc. It's probably far too easy to create a virus, giving it an enticing name like 'xpcrack.exe' and plop it in your shared folder and wait for someone to pick it up.

    Why would the makers of kazaa bundle spyware/trojans etc directly into their application when it's easier to allow the user to search for something they want and have a hit not on what they really wanted but spyware masquerading as what they wanted?

    I've loaded kazaa on a sandbox computer and downloaded executable files pertaining to cracks of various kinds, and virtually all of them were not cracks at all but were trojans/viruses, etc.

    Bundling trojans/spyware into an application is slow, restrictive and pointless when there are so many more effective ways to do so, including activex, email worms, seeded trojans in the p2p network, etc.

    Kazaa itself and the multitude of files associated with its install for example is reported as spyware, but probably in the most generic term of the fact that whatever files are set up as shared are accessible and thus the program is considered "spyware" for giving that information up. If you go into its options and set up the shared directory, or what you want to share or not, it's not likely to divulge or give up any serious information or data.

    But I don't really care, because I don't really trust apps these days that don't have source code with it.

  22. Re:Paid for by bill_mcgonigle · · Score: 3, Funny

    Crap, I never got paid for research papers when I was in school. This guy is a good economist.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)