Slashdot Mirror
RetroCoder Threatens Security Vendors
john83 writes "RetroCoder the company that brings you SpyMon, a commercial keylogger is trying to stop vendors of security software from looking at their software. RetroCoder uses a EULA that prohibits anti-spyware publishers / software houses from downloading, running or examining the software in any way. Essentially, they're trying to hide a key logger behind copyright law." While they are certainly not the first to do so, it is interesting that companies still take this approach.
... from 11th November.
Yet Another Dupe
6 8222&tid=123&tid=172&tid=17
This is why I let my subscription lapse. I was sick of paying for duplicate articles:
http://yro.slashdot.org/article.pl?sid=05/11/11/0
..... just go hardware...
http://www.thinkgeek.com/gadgets/electronic/5a05/
k thx gg
Dupe. Funny how fresh, new and on topic submissions get rejected whilst the same old junk (and sometimes dupes too) get through.
What we need is a law that makes research a defence to copyright infringement. It's important that malware authors can't use the force of the law to hide. Hopefully a judge will do the right thing an establish case law in this area that defends us from this scum.
Simon.
lets dupe the comments as well.. :P
"Ah. the popular "Bend Over" EULA."Friends don't let Friends use Internet Explorer.
They're way off track with this one. It should be the responsibility of the person monitoring their PC to ensure that no Anti-Spyware programs are installed. If they can't do this they obviously don't have the authority to deploy a keylogger.
Anti-Spyware companies are only doing their job.
Nope, sorry but you have failed again. Better luck next time.
Oh woe is me! A dupe. my eyes, my eyes!
I must purge myself of this evil by adding to the multitute of wailing about duplicate postings, and add some extra comments about how much slashdot sucks, the only reason I come to it is to feel superior.
It burn, oh how it burns!
I'd like to congratulate you on your schemes to increase pageviews. The advertising money is just rolling in! Your dupe strategy has been a remarkable success. But I agree with your assessment that it needs to be replaced, the backlash is getting too great and some people are on to the plot.
Your new strategy of having a continuing thread (the Intelligent Design flood), is even better! You just throw up 1 new piece of news and there is a whole new rehash of the same posts. It's the same crap over and over again, without any new ideas or originality but it's a guaranteed 1,000 posts and multiple thousand pageviews.
Keep up the good work whoring out your site!
Slashdot is owned by the OSTG which is a wholly-owned subsidiary of VA Software Corporation (NASDAQ: LNUX)
By the way, the last few stories had a low number of posts. Consider Intelligent Design for your next topic.
By your boss to see what you are typing?
Or commercial as in installed by a dodgy person at work who gains access to the boss' or sysadmin's workstation for a few minutes?
Or commercial as in bundled with shitty software and then sends out what you type to criminals?
First one - legal, if unethical.
Second one - this type of installation should be removed by Spyware removers.
Third one - the writers of the software should be castrated.
RETROCODER WRITES SPYWARE!!
There, come sue me now you silly fucks.
feh. stuff.
"Essentially, they're trying to hide a key logger behind copyright law."
Copyright law doesn't have provisions for EULAs. They are using faulty contract law logic to harass security vendors. I honestly think people only think an unsigned, after-the-fact EULA means anything because they've been conditioned throughout their lives to blindingly accept authority, whether real or perceived.
Bill Clinton: Pimp we can believe in. - The Shirt!!!
It's dupe, dupe, dupe, dupeilicious!
Ignorance is curable, stupid is forever.
If every piece of spyware presented me with an EULA to agree to before installing itself I'd be much happier!
Wasn't this duped from the other day? Even so I didn't get a chance to comment on it... so...
While I do read most EULAs that I get with my software, software like this that has no purpose on my machine is something I want to have removed. What gives them the right to say "While this has been installed on your machine (probably without your consent), you cannot have anything remove it from you system.
I picture a small bald guy sitting in the background rubbing his hands together and cackling madly thinking he will get away with this. If you intend on breaking the security on my system, damn straight I will find a way to remove it. Stop whining about how your EULA supposedly gives you legal rights to keylog people. Blah.
-- Josh
"Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
That's what you get when copyright laws are as draconian as they have become. Technically, they have every right to prevent others from examining their software.
Sticking feathers up your butt does not make you a chicken - Tyler Durden
In otherwords, make it policy to call this crap a threat until it can be proven otherwise. This isn't "innocent until proven guilty" time.
It is a well known fact that several p2p programs were attacked by the minions of various **AA, injecting malicious pseudo-clients into the essentially closed networks. Those attacks wouldn't have been possible without extensive technical analysis of the modus operandi of those networks. At least in most of those cases, it is pretty appearant that the attack was accomplished by downloading and examining the official client for that network.
Couldn't those p2p networks utilize the same defense? I.e. establish in their EULA that their code and protocol may not be examined for the purpose of a malicious sabotage in their operation?
I seem to recall that some p2p EULAs actually had such a clause. Was it ignored with no consequnces?
I got an email once (as the right recipient, unfortunately!) that had something along the lines of this disclaimer at the bottom:
"If you are not the intended recipient of this email you are forbidden to read, retain, disseminate, distribute or integrate in any medium it and/or its contents. You must immediately delete it from your system and notify the sender."
I got a compelling desire to forward it to random people, and then say "Well, I started reading at the bottom of it, and once I got to the part that says I couldn't read I had to stop reading, but I forwarded it so that other people could see that I am popular at least".
..someone else downloads the software and lets you use it? The EULA applies to them, not to you, right? Sure, the EULA can say that you can't let someone use the software, but that would have no binding effect on the person who uses it and does research on it.
What am I missing?
You can find more about his company here:
http://www.doubledutchdesigns.co.uk/
http://www.doubledutchdesigns.co.uk/about.htm
output from 'whois spymon.com':
Registrant:
Double Dutch Designs Limited
329 Preston Road
Grimsargh
Preston, Lancashire PR2 5JT
GB
Domain name: SPYMON.COM
Administrative Contact:
Ball, Anthony anthony@doubledutchdesigns.co.uk
329 Preston Road
Grimsargh
Preston, Lancashire PR2 5JT
GB
+44.8701217399
Technical Contact:
Ball, Anthony anthony@doubledutchdesigns.co.uk
329 Preston Road
Grimsargh
Preston, Lancashire PR2 5JT
GB
+44.8701217399
Registration Service Provider:
UK Reg, domains@fasthosts.co.uk
+44 1452 541252
+44 1452 538485 (fax)
http://www.ukreg.com/
It's not copyright but contract law they're relying on.
In Germany, it's normal that any company has some terms & conditions (TNC) to which other businesses have to agree, if they do business with them.
It's time that end users also create a software TNC for their computer. If your software runs on my computer, using my resources, then it will have to comply to the following rules:
- It has to use the resources to my direct(!) benefit.
- It has to give me full control over it's behavior (e.g., uninstall possible)
That's all. Simple, but powerful.
It would be interesting to really put this in a written legal letter and send it to the businesses. Then *I* could sue the spyware companies.
EULAs != copyright law -> true
This kind of thing is not likely to stand up in court. Spyware has been proven to be a malicious type of software that voilates one's privacy, therefore I would be shocked if the courts find in favor of the spyware maker. The spyware maker might have thought it was clever adding that clause in their EULA, but essentially what they've stipulated was people cannot investigate how their software works in order to prevent it's unwanted installation on to one's system. Not likely to stand up in court.
In addition to posting a duplicate, the Slashdot editor "ScuttleMonkey" seems to have some funny ideas about what copyright is. Perhaps it would be good to know something about the subject before posting Slashdot articles.
He who lights his taper at mine, receives light without darkening me.
Anyway, it's a totally worthless approach. The anti-spyware programmers could handle it in at least three ways.
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
No, they edit it. If they would read it, they would be called readers.
The Tao of math: The numbers you can count are not the real numbers.
I think you'll find, if you read the slashdot EULA, you are NOT ALLOWED to check for dupe articles.
Lawers will be contacting YOU!
Jolyon
Please read my Canon EOS tech blog at http://www.everyothershot.com
I mean there is no way one can use that legally?
... and if you using it illegally why would you pay for it anyway, to have
If you are employer and monitoring your employees, you are violating law about privacy in workplace.
If you are monitoring your wife/hiusband then you are quilty of
secret listening.
If you are law enforcement you can install a keyboard bug based on "pakkokeinolaki".
you r credit card linked with illict activity, if you can copy it illegally and not link your credit card.
fsck em & feed em fishheads, their product is easily used for malicious purposes such as stealing creditcard numbers & identity theft, and i would imagine anyone clever enough could take their product and make it even worse in any number of ways & methods...
Politics is Treachery, Religion is Brainwashing
I see copyrighting a keylogger as similar to patenting "breaking and entering."
It is too damn early to have a beer...
With EULAs like thisthat give the rest of us who still support copyright (at least in principle) a bad name.
I hope Sunbelt have the courage and money to stand up to this in court. EULAs that attempt to impose restrictions such as this on end users are morally wrong and need to be declared unenforcable. I have no problem with the usual "no warranty, no guarantee, you're not allowed to copy this and give it to your friends, etc" sort of stuff, but this is bullshit.
It's official. Most of you are morons.
You can't take the sky from me...
Copyright law doesn't have provisions for EULAs.
Of course it does. The right to copy something (ie: copyright) can be Licensed to another party (say, an End User), who would have to accept the Agreement in order to receive the copyright license.
I honestly think people only think an unsigned, after-the-fact EULA means anything because they've been conditioned throughout their lives to blindingly accept authority, whether real or perceived.
Due to the faulty (IMO) notion that running a program is "copying" it in such a manner as to involve copyright law, merely running a program requires a license to use a copyrighted work. That's the foundation of the GPL (for example), as well as all your standard EULAs. Your license depends on you agreeing to the EULA. If you don't agree (or break the agreement) your license is revoked.
If the EULA means nothing, then every copyrighted program you are running that isn't licensed to you via other means is, legally, a copyright violation.
It's just another troll. We all know slashhash's love for duping - that's half of what makes it fun. :D
The 'company' behind RetroCoder Ltd. appears to be Double Dutch Designs Limited.
http://www.doubledutchdesigns.co.uk/
whois spymon.com:
Registrant:
Double Dutch Designs Limited
329 Preston Road
Grimsargh
Preston, Lancashire PR2 5JT
GB
Domain name: SPYMON.COM
Administrative Contact:
Ball, Anthony anthony@doubledutchdesigns.co.uk
329 Preston Road
Grimsargh
Preston, Lancashire PR2 5JT
GB
+44.8701217399
Technical Contact:
Ball, Anthony anthony@doubledutchdesigns.co.uk
329 Preston Road
Grimsargh
Preston, Lancashire PR2 5JT
GB
+44.8701217399
they're tying to enforce a EULA on 3rd and 4th parties. Who the hell installs keyloggers on their own computer? Obviously, the "user" of the software is installing this discretely on someone else's computer. So the EULA is trying to prevent this 3rd party from scanning and removing the illicitely installed software, and trying to prevent the 4th party (anti-spyware/virus vendors) from facilitating the 3rd party in keeping their machine clean.
And if a piece of software is installed without my permission on my own computer, I'm sure as hell not bound by any EULA's. This is really a moronic attempt to legitimize their malware.
The next trend in internet worms: hidden EULA's to prevent AV software from removing them?
The standard EULA is long, dull, and filled with legalese. The problem, as I see it, is that this gives software vendors the chance to hide malicious intent deep withen the contents of the EULA which customers can not reasonabily be expected to read.
I'd like to see law be written that requires a second part of the EULA, in it's own sepearte 'click yes to continue' box that outlines anything the software or service does that users may find questionable. It should be written in plain, simple words that outlines the potential for more malicious uses, and requires a user to click a 'yes I understand' next to each item.
For example:
EULA PART II:
THIS SOFTWARE MAY/WILL DO THE FOLLOWING.
PUT AN 'X' NEXT TO EACH BULLET STATING YOU UNDERSTAND THE INTENT BEFORE CONTINUING
[ ] o This software will collect personally identifible information and send it to third parties
[ ] o This software will access your email contact lists and send them to third parties
[ ] o This software will log your keystrokes and sufring habits and send them to third parties
[ ] o This software does not have an easy 'uninstall' feature
[ ] o This software will destroy data on your hdd
[ ] o This software will install additional programs on your computer that has nothing to do with this software
PUT AN 'X' IN THE BOX NEXT TO EACH STATEMENT STATING YOU UNDERSTAND AND CLICK YES TO CONTINUE BEFORE SOFTWARE IS INSTALLED.
It won't happen, but it'd be nice.
The Internet is generally stupid
So their EULA prevents you from investigating it. Big fucking deal.
Get Joe Random User to install it and agree to EULA.
Get Joe Random User to agree to let *you* inspect his PC.
You did not install the software or read the EULA, so you do whatever you feel like, and proceed to tell the world.
Tada! Obnoxious EULA bypassed.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
I have a lot of music and movies I'd like to research.
RetroCoder can't stop anyone from examining their code, unless they're going to encrypt it somehow. If it winds up on someone's machine, and that someone happens to work for a software security company, and he/she is an industrious hacker with the time and patience, they'll rip open the pathetic key-logging code, figure out its secrets at home on their PC, then bring the knowledge to work and poof -- key-logger neutralized. What's RetroCoder going to do, hire spys to follow everyone who works for all the software security firms (would like to see that happen - fastest way to put them out of business)?
The idea of patenting and protecting software from infringement is absurd. Open source is a natural extension of programming. You make a bit of useful code, you share that code with others so a lot of reinventing-the-wheel doesn't take place. You find out that a piece of software does something malicious and you tell everyone else. Let's face it: there are enough programmers out there with time on their hands and mad hacking skills to make the idea of "protected software" a fantasy.
GetOuttaMySpace - The Anti-Social Network
I just got some feedback from Spymom.
r eshold=1&commentsort=5&tid=123&mode=thread&cid=140 09674
We are not suing SunBelt - SlashDot got it wrong!
From Sunbelt themselves:
http://yro.slashdot.org/comments.pl?sid=167981&th
The original article:
http://news.zdnet.com/2100-1009_22-5944208.html
If you read the text on SlashDot linked to above you will see that we are not unreasonable, we just don't want our app that people have bought to be deleted without the owners permission or knowledge - as has happened with numerous "big" companies.
When contacting these "big" companies - including Symantec about the problem they simply refuse to reply - we initially tried to contact them all about 9 months ago in order to bring about some kind of cooperative agreement, with information about detecting out program as a commercial keylogger and about uninstalling our program safely (if the user decided to do so).
Our point is that commercial programs are different that trojans written by criminals. It is fair that they are pointed out by the anti-virus/trojan program, but not fair that they are automatically deleted. The user should be told that they are a commercial keylogger or similar and the default action should be to not delete. AVG by comparison deleted them without informing the user.
We are open about what ports are being used and we do not try to bypass firewalls or shutdown anti-virus programs. All are easily possible as you probably well know and we feel that comparing it to programs written by criminals is unfair.
We, as a company, are very easy to contact - if we had been contacted/replied to by the anti-virus companies (initially - before we had to put the download notice up) we would have told them how to safely uninstall the client program, and we would have also told them of a special flag - that if present would stop the client from installing again in the future. They would also have been given information that would have told the user WHO was attempting to spy on them! The condition would have been as above - that the user be informed that it was a commercial program and the default action would have been not to uninstall.
Sunbelt will soon be given this information in the hope that other companies will follow in the way they list the program (if detected).
Best regards,
Anthony
I'm really sick of this hiding behind licenses. Spyware makers claiming that by downloading, looking at, thinking of, pissing on, or whatnot you can't create a signature or identify it in any way. There are a ton of stories like this, but it's rediculous.
It's up to the consumer to decide what goes on their computer, and if an anti-spyware maker wants to warn users of the threats, they have every right to. Otherwise, they're not doing the service THEY are promissing the customer, by identifying those things that spy on them. It really does perplex me how much people try and push with flawed licenses and poor IP laws. If there's any sign it needs to be revamped, this is it.
-M
when you see the word 'Linux', drink!
DRM at its best? I'm not sure that a EULA forbidding anyone from reverse engineering/detecting/removing their crapware would hold up in court. I imagine that the Sony/BMG rootkit deal will end up in court somewhere and that will tell us all just how far gone our rights are in this regard.
Sunbelt should include in their EULA:
CounterSpy cannot be used by creators of spyware, virus, worms, or other forms of malware to determine if their malware is detected by CounterSpy.
Can't we just go the ultra-silly route and have the spyware companys make EULA's that claim that spyware manufacturer's are not allow to use, download, discuss or benchmark their spyware program without first getting written permission from the anti-spyware maker? This way, RetroCoder would be violating the EULA of the spyware detection developer by installing and discovering that the spyware detection program "finds" their spyware.
Then we can build caged arena's where two men enter...one man leaves. Seem's an easier way to resolve these issues.
Why do overlook and oversee mean opposite things?
Commercial as in it costs money...
What the fuck? Are you stupid?
You can't force something on someone unbeknownst to them and then outlaw any possibility they may have to find out about it. Someone banning spyware would be harming ALL the OTHER software on the machine. They can't legally do that. They're not the government.
That farking malware needs to have no protection based on its EULA. Just re-did a XP install because the user had forgotten to turn on the firewall on their sp1. Result: slowdowns, popups,autorun programs; re-formatting and firewall fixed it. And those ##$*@ are just waiting on the internet ready to pounce on new installs w/o firewall enabled. And that's just the stuff you didn't want. These days, ANY program installed could set off some security risk (see SONY) so the spyware and virus protection folks need to take into account ANY possible security risk. Say this keylogger's stored file is accessable via some process. Then, keylogger=security risk: instead of some internal security measure, it turns into a virtual radio of what you type. This seems to be a way to CYA over a poorly written program that introduces a security risk. Malware being primarily designed to introduce external data, is also a risk. Danger>EULA. Guess someone will have to take this to court to settle down the differences between code-ripping and code-detection data. Affording protection to all software due to EULA is just asinine. All I have to do is include in the rarely-read EULA 'And it is a violation of the Agreement to attempt to detect, remove, or otherwise modify the Software.' Oh wait, that's what they write now.
Infinity is overrated, Infinity+1, now that's cool!
In other words, I think that RetroCoder is going to have to prove that the people on who'se computers this stuff is running have seen the EULA. Then, of course there's the fact that RetroCoder is engaged in contributory violation of people's privacy, which means that they're coming to court with 'Unclean Hands".
Of course Retro Coder could avoid this condrom if they always make sure that, whenever the progam starts up, it displays the EULA, notifying a 'user' that the software is running, how they can identify it (so that they can avoid 'infringement'), and automatically (and safely) removing itself from the computer it the end-user does not accept the EULA....
Under any other conditions, I'd say that it's Retro that would be toast in court.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Far better to back out the laws that allow this; DMCA being just one.
Otherwise, we would be building law on a number of bad laws.
I prefer the "u" in honour as it seems to be missing these days.
Copyright and other IP law is an attempt to extend the principle of contract over the more basic principle of property.
It's nothing but coercion masquerading as "agreement". That's why it's frequently hidden in EULAs and other "contracts" that nobody is likely to read and which depend on "opt-out" rather than "opt-in" such as actually having to sign a real contract and exchange value.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
My point, tardwit, is regarding where that money is coming from - the boss, the industrial spy, or the scum.
Don't allow the "if any part is not applicable, this shall not affect the other clauses herein". Make it that if a contract of adhesion is presented with an item that cannot be applied, then the signer of the contract can ignore any part of the agreement they wish. What cannot be done is to change from accepting in one case to denying the same clause in another.
As soon as this happens, EULAs will have only what they must have and only what they know is applicable.
The FSF takes a very clear stance that no license whatsoever is needed to *use* software, just as we do not need a license to read copyrighted material (for example, a newspaper left on the train). Copyright law covers copying and distribution, not use. Software EULAs pretend to be contracts, but they do not meet legal standards for contracts (AFAIK, IANAL) because the user has no opportunity to review the EULA until after the purchase, and also may not even be able to meaningfully assess the product until after the EULA.
Can you imagine an author putting an EULA on the front of a book, saying "You may not read this book unless you agree not to engage in any activities that are counter to the business interests of the publisher", and expect a court to uphold such a provision? Copyright law does *not* give authors control over how their works are used, and EULAs are a bogus attempt to circumvent that.
... to be an anti-spyware software publisher.
Now, will they be in violation of their own EULA when their junk ends up on any PC that I use through no fault of my own? I certainly won't ask for their software to be installed of my own free will, but that is not how their model works, now is it?
So, if we all sign on as developers of a FOSS anti-spyware project, are we all effectively protected from these people, as it is against their EULA for their software to be pushed to us? And who gets in trouble, us, or the operators of the sites that are responsible for feeding us this garbage?
Green's Law of Debate: Anything is possible if you don't know what you're talking about.
> Our point is that commercial programs are different that trojans written by criminals.
No they're not! Unless they make it explicit that they're running (e.g. the difference between something like BO and VNC), they ARE functionally equivalent, and security programs should treat them exactly the same (e.g. remove them--and if they're going to use the uninstall feature, fine, just so long as it actually *works* like it's supposed to...)
Just because it was written by $BigCorp does NOT mean that they won't be used by black hats!
"If you do produce a program that will affect this softwares ability to perform its function then you may have to prove in criminal court that you have not infringed this warning. Infringement of a copyright licence is a criminal offence," RetroCoder's End User Licensing Agreement (EULA) states.
IANAEB (I am not an English Barrister), and I admit I have no idea how things work in that part of the world. In the U.S. civilians can't bring criminal actions, only a prosecuting attorney (e.g., District Attorney, Attorney General) can. It would surprise me if this was so in England. Note the clever wording "may have to prove" -- at best this is just a civil action.
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Isn't this the same thing as putting a EULA on the front of a warez site that says law enforcement, x company etc cant look at this website? When will a virus writer try this?
This comment does not represent the views or opinions of the user.
put in yourEULA that if you are employed by a company that writes anti-spyware software you are not allowed to install, use or examine this product.
The Kruger Dunning explains most post on
http://www.spymon.com/downloads/install.exe
Throw that into wget, and you never have to read the agreement.
--Lord Nimula
the term is no longer really relevant. Contracts can be broken as easily as they are made these days. I could give anyone a piece of paper saying "I own everything you have" and if they signed it then by contract law their stuff is mine. Of course, the person I have duped into signing this contract could then go to court and say, "This contract was obviously unfair" and the judge would more than likely say that yes it was, and rip the contract up.
Same goes for EULAs that are obviously designed to pull one over on the user. Something as malicious as a keylogger (whilst used in a commercial sense or not) could never hide behind a EULA. Let the dicks that code these things take anti-spyware companies to court. All the anti-spyware people have to say is "this software could be used to steal personal data in a direct disregard for Data Protection Acts worldwide" and voila - Judge goes all mental over Retrocoder's sorry ass.
just my twopenneth there.
You could put in your EULA that the customer has to give you his daughter's hand in marriage too. EULAs are not valid if they break the law. And requiring someone to harm themselves is breaking the law.
My feeling is that this could only have happened in God's own country. Further, I think it could only have been perpetrated by God (it would be considered offensive if done by anyone else). Do these chaps have their own church ? I hope that you fellows don't put too much in the collection plate. Sometimes shooting a member of the human race is a good idea.
How many beans make five, anyhow ?