Slashdot Mirror
RetroCoder Threatens Security Vendors
john83 writes "RetroCoder the company that brings you SpyMon, a commercial keylogger is trying to stop vendors of security software from looking at their software. RetroCoder uses a EULA that prohibits anti-spyware publishers / software houses from downloading, running or examining the software in any way. Essentially, they're trying to hide a key logger behind copyright law." While they are certainly not the first to do so, it is interesting that companies still take this approach.
..... just go hardware...
http://www.thinkgeek.com/gadgets/electronic/5a05/
k thx gg
What we need is a law that makes research a defence to copyright infringement. It's important that malware authors can't use the force of the law to hide. Hopefully a judge will do the right thing an establish case law in this area that defends us from this scum.
Simon.
It is a well known fact that several p2p programs were attacked by the minions of various **AA, injecting malicious pseudo-clients into the essentially closed networks. Those attacks wouldn't have been possible without extensive technical analysis of the modus operandi of those networks. At least in most of those cases, it is pretty appearant that the attack was accomplished by downloading and examining the official client for that network.
Couldn't those p2p networks utilize the same defense? I.e. establish in their EULA that their code and protocol may not be examined for the purpose of a malicious sabotage in their operation?
I seem to recall that some p2p EULAs actually had such a clause. Was it ignored with no consequnces?
In Germany, it's normal that any company has some terms & conditions (TNC) to which other businesses have to agree, if they do business with them.
It's time that end users also create a software TNC for their computer. If your software runs on my computer, using my resources, then it will have to comply to the following rules:
- It has to use the resources to my direct(!) benefit.
- It has to give me full control over it's behavior (e.g., uninstall possible)
That's all. Simple, but powerful.
It would be interesting to really put this in a written legal letter and send it to the businesses. Then *I* could sue the spyware companies.
This kind of thing is not likely to stand up in court. Spyware has been proven to be a malicious type of software that voilates one's privacy, therefore I would be shocked if the courts find in favor of the spyware maker. The spyware maker might have thought it was clever adding that clause in their EULA, but essentially what they've stipulated was people cannot investigate how their software works in order to prevent it's unwanted installation on to one's system. Not likely to stand up in court.
You can't take the sky from me...
they're tying to enforce a EULA on 3rd and 4th parties. Who the hell installs keyloggers on their own computer? Obviously, the "user" of the software is installing this discretely on someone else's computer. So the EULA is trying to prevent this 3rd party from scanning and removing the illicitely installed software, and trying to prevent the 4th party (anti-spyware/virus vendors) from facilitating the 3rd party in keeping their machine clean.
And if a piece of software is installed without my permission on my own computer, I'm sure as hell not bound by any EULA's. This is really a moronic attempt to legitimize their malware.
The next trend in internet worms: hidden EULA's to prevent AV software from removing them?
The standard EULA is long, dull, and filled with legalese. The problem, as I see it, is that this gives software vendors the chance to hide malicious intent deep withen the contents of the EULA which customers can not reasonabily be expected to read.
I'd like to see law be written that requires a second part of the EULA, in it's own sepearte 'click yes to continue' box that outlines anything the software or service does that users may find questionable. It should be written in plain, simple words that outlines the potential for more malicious uses, and requires a user to click a 'yes I understand' next to each item.
For example:
EULA PART II:
THIS SOFTWARE MAY/WILL DO THE FOLLOWING.
PUT AN 'X' NEXT TO EACH BULLET STATING YOU UNDERSTAND THE INTENT BEFORE CONTINUING
[ ] o This software will collect personally identifible information and send it to third parties
[ ] o This software will access your email contact lists and send them to third parties
[ ] o This software will log your keystrokes and sufring habits and send them to third parties
[ ] o This software does not have an easy 'uninstall' feature
[ ] o This software will destroy data on your hdd
[ ] o This software will install additional programs on your computer that has nothing to do with this software
PUT AN 'X' IN THE BOX NEXT TO EACH STATEMENT STATING YOU UNDERSTAND AND CLICK YES TO CONTINUE BEFORE SOFTWARE IS INSTALLED.
It won't happen, but it'd be nice.
The Internet is generally stupid
RetroCoder can't stop anyone from examining their code, unless they're going to encrypt it somehow. If it winds up on someone's machine, and that someone happens to work for a software security company, and he/she is an industrious hacker with the time and patience, they'll rip open the pathetic key-logging code, figure out its secrets at home on their PC, then bring the knowledge to work and poof -- key-logger neutralized. What's RetroCoder going to do, hire spys to follow everyone who works for all the software security firms (would like to see that happen - fastest way to put them out of business)?
The idea of patenting and protecting software from infringement is absurd. Open source is a natural extension of programming. You make a bit of useful code, you share that code with others so a lot of reinventing-the-wheel doesn't take place. You find out that a piece of software does something malicious and you tell everyone else. Let's face it: there are enough programmers out there with time on their hands and mad hacking skills to make the idea of "protected software" a fantasy.
GetOuttaMySpace - The Anti-Social Network
I just got some feedback from Spymom.
r eshold=1&commentsort=5&tid=123&mode=thread&cid=140 09674
We are not suing SunBelt - SlashDot got it wrong!
From Sunbelt themselves:
http://yro.slashdot.org/comments.pl?sid=167981&th
The original article:
http://news.zdnet.com/2100-1009_22-5944208.html
If you read the text on SlashDot linked to above you will see that we are not unreasonable, we just don't want our app that people have bought to be deleted without the owners permission or knowledge - as has happened with numerous "big" companies.
When contacting these "big" companies - including Symantec about the problem they simply refuse to reply - we initially tried to contact them all about 9 months ago in order to bring about some kind of cooperative agreement, with information about detecting out program as a commercial keylogger and about uninstalling our program safely (if the user decided to do so).
Our point is that commercial programs are different that trojans written by criminals. It is fair that they are pointed out by the anti-virus/trojan program, but not fair that they are automatically deleted. The user should be told that they are a commercial keylogger or similar and the default action should be to not delete. AVG by comparison deleted them without informing the user.
We are open about what ports are being used and we do not try to bypass firewalls or shutdown anti-virus programs. All are easily possible as you probably well know and we feel that comparing it to programs written by criminals is unfair.
We, as a company, are very easy to contact - if we had been contacted/replied to by the anti-virus companies (initially - before we had to put the download notice up) we would have told them how to safely uninstall the client program, and we would have also told them of a special flag - that if present would stop the client from installing again in the future. They would also have been given information that would have told the user WHO was attempting to spy on them! The condition would have been as above - that the user be informed that it was a commercial program and the default action would have been not to uninstall.
Sunbelt will soon be given this information in the hope that other companies will follow in the way they list the program (if detected).
Best regards,
Anthony
That farking malware needs to have no protection based on its EULA. Just re-did a XP install because the user had forgotten to turn on the firewall on their sp1. Result: slowdowns, popups,autorun programs; re-formatting and firewall fixed it. And those ##$*@ are just waiting on the internet ready to pounce on new installs w/o firewall enabled. And that's just the stuff you didn't want. These days, ANY program installed could set off some security risk (see SONY) so the spyware and virus protection folks need to take into account ANY possible security risk. Say this keylogger's stored file is accessable via some process. Then, keylogger=security risk: instead of some internal security measure, it turns into a virtual radio of what you type. This seems to be a way to CYA over a poorly written program that introduces a security risk. Malware being primarily designed to introduce external data, is also a risk. Danger>EULA. Guess someone will have to take this to court to settle down the differences between code-ripping and code-detection data. Affording protection to all software due to EULA is just asinine. All I have to do is include in the rarely-read EULA 'And it is a violation of the Agreement to attempt to detect, remove, or otherwise modify the Software.' Oh wait, that's what they write now.
Infinity is overrated, Infinity+1, now that's cool!
In other words, I think that RetroCoder is going to have to prove that the people on who'se computers this stuff is running have seen the EULA. Then, of course there's the fact that RetroCoder is engaged in contributory violation of people's privacy, which means that they're coming to court with 'Unclean Hands".
Of course Retro Coder could avoid this condrom if they always make sure that, whenever the progam starts up, it displays the EULA, notifying a 'user' that the software is running, how they can identify it (so that they can avoid 'infringement'), and automatically (and safely) removing itself from the computer it the end-user does not accept the EULA....
Under any other conditions, I'd say that it's Retro that would be toast in court.
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Copyright and other IP law is an attempt to extend the principle of contract over the more basic principle of property.
It's nothing but coercion masquerading as "agreement". That's why it's frequently hidden in EULAs and other "contracts" that nobody is likely to read and which depend on "opt-out" rather than "opt-in" such as actually having to sign a real contract and exchange value.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
... to be an anti-spyware software publisher.
Now, will they be in violation of their own EULA when their junk ends up on any PC that I use through no fault of my own? I certainly won't ask for their software to be installed of my own free will, but that is not how their model works, now is it?
So, if we all sign on as developers of a FOSS anti-spyware project, are we all effectively protected from these people, as it is against their EULA for their software to be pushed to us? And who gets in trouble, us, or the operators of the sites that are responsible for feeding us this garbage?
Green's Law of Debate: Anything is possible if you don't know what you're talking about.