Slashdot Mirror


RetroCoder Threatens Security Vendors

john83 writes "RetroCoder, the company that brings you SpyMon, a commercial keylogger, is trying to stop vendors of security software from looking at their software. RetroCoder uses a EULA that prohibits anti-spyware publishers / software houses from downloading, running or examining the software in any way. Essentially, they're trying to hide a key logger behind copyright law." While they are certainly not the first to do so, it is interesting that companies still take this approach.

33 of 157 comments

  1. Dupe... by zenmojodaddy · · Score: 3, Informative

    ... from 11th November.

  2. YAD by Hieronymus+Howard · · Score: 2, Informative

    Yet Another Dupe

    This is why I let my subscription lapse. I was sick of paying for duplicate articles:
    http://yro.slashdot.org/article.pl?sid=05/11/11/068222&tid=123&tid=172&tid=17

  3. Forget the software... by Anonymous Coward · · Score: 3, Interesting

    ..... just go hardware...

    http://www.thinkgeek.com/gadgets/electronic/5a05/

    k thx gg

  4. Again? Only happened 4 days ago... by Haydn+Fenton · · Score: 2, Informative

    Dupe. Funny how fresh, new and on topic submissions get rejected whilst the same old junk (and sometimes dupes too) get through.

    1. Re:Again? Only happened 4 days ago... by ObsessiveMathsFreak · · Score: 2, Funny

      Funny how fresh, new and on topic submissions get rejected whilst the same old junk (and sometimes dupes too) get through.

      Nonsense. The Slashdot Random Story Submission Selection System is completely fair and without bias.

      It just needs a shuffle feature so that tracks^H^Hstories aren't repeated so often.

      --
      May the Maths Be with you!
    2. Re:Again? Only happened 4 days ago... by Homology · · Score: 2, Insightful
      How do these fscking moderators choose one comment that says that the post is Dupe as Informative +5 out of the 100 posts that say that the story is dupe? [Me too]This story is a Dupe[/Me Too]

      Meta-moderate that as "unfair", like I do.

  5. What we need.. by Ckwop · · Score: 2, Interesting

    What we need is a law that makes research a defence to copyright infringement. It's important that malware authors can't use the force of the law to hide. Hopefully a judge will do the right thing and establish case law in this area that defends us from this scum.

    Simon.

  6. Since this is a dupe... by TheShadowHawk · · Score: 3, Funny

    let's dupe the comments as well.. :P

    "Ah. the popular "Bend Over" EULA."
    --
    Friends don't let Friends use Internet Explorer.
  7. So let them by Jaseoldboss · · Score: 3, Funny

    They're way off track with this one. It should be the responsibility of the person monitoring their PC to ensure that no Anti-Spyware programs are installed. If they can't do this they obviously don't have the authority to deploy a keylogger.

    Anti-Spyware companies are only doing their job.

  8. Dear god Why? Why? Why? by martinmcc · · Score: 3, Funny

    Oh woe is me! A dupe. my eyes, my eyes!

    I must purge myself of this evil by adding to the multitude of wailing about duplicate postings, and add some extra comments about how much slashdot sucks, the only reason I come to it is to feel superior.

    It burn, oh how it burns!

  9. As a VA Software Corp stockholder... by Anonymous Coward · · Score: 2, Insightful

    I'd like to congratulate you on your schemes to increase pageviews. The advertising money is just rolling in! Your dupe strategy has been a remarkable success. But I agree with your assessment that it needs to be replaced, the backlash is getting too great and some people are on to the plot.
    Your new strategy of having a continuing thread (the Intelligent Design flood), is even better! You just throw up 1 new piece of news and there is a whole new rehash of the same posts. It's the same crap over and over again, without any new ideas or originality but it's a guaranteed 1,000 posts and multiple thousand pageviews.

    Keep up the good work whoring out your site!

    Slashdot is owned by the OSTG which is a wholly-owned subsidiary of VA Software Corporation (NASDAQ: LNUX)

    By the way, the last few stories had a low number of posts. Consider Intelligent Design for your next topic.

  10. Commercial as in installed on your work computer? by hattig · · Score: 2, Insightful

    By your boss to see what you are typing?

    Or commercial as in installed by a dodgy person at work who gains access to the boss' or sysadmin's workstation for a few minutes?

    Or commercial as in bundled with shitty software and then sends out what you type to criminals?

    First one - legal, if unethical.
    Second one - this type of installation should be removed by Spyware removers.
    Third one - the writers of the software should be castrated.

  11. Well, I must say by kmmatthews · · Score: 3, Funny

    RETROCODER WRITES SPYWARE!!

    There, come sue me now you silly fucks.

    --
    feh. stuff.
  12. Summary is a wee bit off.... by Rude+Turnip · · Score: 5, Insightful

    "Essentially, they're trying to hide a key logger behind copyright law."

    Copyright law doesn't have provisions for EULAs. They are using faulty contract law logic to harass security vendors. I honestly think people only think an unsigned, after-the-fact EULA means anything because they've been conditioned throughout their lives to blindly accept authority, whether real or perceived.

    1. Re:Summary is a wee bit off.... by ajs318 · · Score: 3, Informative
      In order to install the software you have to make a copy of it (either copy from the cd to hard drive, or copy from internet page to hard drive) but before you can copy you need a copyright license. What gives you that license if not the EULA?
      Copyright law gives you that licence. Making a copy in the memory of your computer is a necessary step in making use of software, therefore it's protected fair use.
      --
      Je fume. Tu fumes. Nous fûmes!
    2. Re:Summary is a wee bit off.... by jrumney · · Score: 3, Insightful
      In order to install the software you have to make a copy of it (either copy from the cd to hard drive, or copy from internet page to hard drive) but before you can copy you need a copyright license. What gives you that license if not the EULA?

      The doctrine of fair use. If, in order to use a product which you've purchased you need to make a temporary or permanent copy of it, then that use must by definition be fair.

    3. Re:Summary is a wee bit off.... by Anonymous Coward · · Score: 2, Informative

      Copyright law is even explicit in that regard:
      http://www.copyright.gov/title17/92chap1.html#117

  13. Fine by Peregr1n · · Score: 3, Funny

    If every piece of spyware presented me with an EULA to agree to before installing itself I'd be much happier!

  14. Simple Solution by gone.fishing · · Score: 2
    Use their EULA against them; list any "application" that prohibits anti-spy/anti-virus/anti-threat software from "testing, accessing, or evaluating the software" as a threat. Publish a policy that simply tells these vendors that if they want to be removed from the list they have two choices. They can either have the restricting statement(s) removed from the EULA or, they can provide the vendor with written permission granting them an exception, allowing them to access, test, and evaluate - making an independent decision on the status of the software.


    In other words, make it policy to call this crap a threat until it can be proven otherwise. This isn't "innocent until proven guilty" time.

  15. Couldn't emule & gang use the same defense? by Qa1 · · Score: 5, Interesting

    It is a well known fact that several p2p programs were attacked by the minions of various **AA, injecting malicious pseudo-clients into the essentially closed networks. Those attacks wouldn't have been possible without extensive technical analysis of the modus operandi of those networks. At least in most of those cases, it is pretty apparent that the attack was accomplished by downloading and examining the official client for that network.

    Couldn't those p2p networks utilize the same defense? I.e. establish in their EULA that their code and protocol may not be examined for the purpose of a malicious sabotage in their operation?

    I seem to recall that some p2p EULAs actually had such a clause. Was it ignored with no consequences?

  16. My computer has a software TNC!! by knopf · · Score: 2, Interesting

    In Germany, it's normal that any company has some terms & conditions (TNC) to which other businesses have to agree, if they do business with them.

    It's time that end users also create a software TNC for their computer. If your software runs on my computer, using my resources, then it will have to comply to the following rules:

    - It has to use the resources to my direct(!) benefit.
    - It has to give me full control over its behavior (e.g., uninstall possible)

    That's all. Simple, but powerful.

    It would be interesting to really put this in a written legal letter and send it to the businesses. Then *I* could sue the spyware companies.

  17. Sorry! by jolyonr · · Score: 4, Funny

    I think you'll find, if you read the slashdot EULA, you are NOT ALLOWED to check for dupe articles.

    Lawyers will be contacting YOU!

    Jolyon

    --


    Please read my Canon EOS tech blog at http://www.everyothershot.com
  18. ECLA? by Scrameustache · · Score: 2, Interesting
    How about we make our own End Computer License Agreement:
    By installing your software on this computer you, the software maker, agree that no spyware, adware, or any other malware is contained within, included, or linked to by your software, under penalty of catapult. RANDOM BIT ALL IN CAPS ABOUT WAIVING LIABILITIES FAR BEYOND WHAT THE LAW ALLOWS.
    --

    You can't take the sky from me...

  19. The funny thing is, by jasen666 · · Score: 4, Interesting

    they're trying to enforce a EULA on 3rd and 4th parties. Who the hell installs keyloggers on their own computer? Obviously, the "user" of the software is installing this discreetly on someone else's computer. So the EULA is trying to prevent this 3rd party from scanning and removing the illicitly installed software, and trying to prevent the 4th party (anti-spyware/virus vendors) from facilitating the 3rd party in keeping their machine clean.
    And if a piece of software is installed without my permission on my own computer, I'm sure as hell not bound by any EULAs. This is really a moronic attempt to legitimize their malware.

    The next trend in internet worms: hidden EULAs to prevent AV software from removing them?

    1. Re:The funny thing is, by J053 · · Score: 2, Informative
      Much as I think keyloggers, etc. are despicable, the parent is incorrect. This type of software is usually marketed to companies or organizations which then install it on their computers. The intended use is to monitor the computer usage of employees. In this case, the employees are not the owners of the computer, and it is in the interest of both the keylogger maker and the company installing it that it not be automatically removed by anti-virus or anti-spyware software.

      If the keylogger were installed on a computer without the owner's knowledge, in that case the EULA would not apply and the owner of the computer could do whatever s/he wished.

  20. Mandating the second EULA screen by interstellar_donkey · · Score: 4, Interesting

    The standard EULA is long, dull, and filled with legalese. The problem, as I see it, is that this gives software vendors the chance to hide malicious intent deep within the contents of the EULA which customers cannot reasonably be expected to read.

    I'd like to see a law be written that requires a second part of the EULA, in its own separate 'click yes to continue' box that outlines anything the software or service does that users may find questionable. It should be written in plain, simple words that outlines the potential for more malicious uses, and requires a user to click a 'yes I understand' next to each item.

    For example:

    EULA PART II:
    THIS SOFTWARE MAY/WILL DO THE FOLLOWING.
    PUT AN 'X' NEXT TO EACH BULLET STATING YOU UNDERSTAND THE INTENT BEFORE CONTINUING

    [ ] o This software will collect personally identifiable information and send it to third parties
    [ ] o This software will access your email contact lists and send them to third parties
    [ ] o This software will log your keystrokes and surfing habits and send them to third parties
    [ ] o This software does not have an easy 'uninstall' feature
    [ ] o This software will destroy data on your hdd
    [ ] o This software will install additional programs on your computer that have nothing to do with this software

    PUT AN 'X' IN THE BOX NEXT TO EACH STATEMENT STATING YOU UNDERSTAND AND CLICK YES TO CONTINUE BEFORE SOFTWARE IS INSTALLED.

    It won't happen, but it'd be nice.

    --
    The Internet is generally stupid
  21. Feedback by xor.pt · · Score: 4, Interesting

    I just got some feedback from SpyMon.

    We are not suing SunBelt - SlashDot got it wrong!

    From Sunbelt themselves:
    http://yro.slashdot.org/comments.pl?sid=167981&threshold=1&commentsort=5&tid=123&mode=thread&cid=14009674

    The original article:
    http://news.zdnet.com/2100-1009_22-5944208.html

    If you read the text on SlashDot linked to above you will see that we are not unreasonable, we just don't want our app that people have bought to be deleted without the owner's permission or knowledge - as has happened with numerous "big" companies.

    When contacting these "big" companies - including Symantec about the problem they simply refuse to reply - we initially tried to contact them all about 9 months ago in order to bring about some kind of cooperative agreement, with information about detecting our program as a commercial keylogger and about uninstalling our program safely (if the user decided to do so).

    Our point is that commercial programs are different than trojans written by criminals. It is fair that they are pointed out by the anti-virus/trojan program, but not fair that they are automatically deleted. The user should be told that they are a commercial keylogger or similar and the default action should be to not delete. AVG by comparison deleted them without informing the user.

    We are open about what ports are being used and we do not try to bypass firewalls or shutdown anti-virus programs. All are easily possible as you probably well know and we feel that comparing it to programs written by criminals is unfair.

    We, as a company, are very easy to contact - if we had been contacted/replied to by the anti-virus companies (initially - before we had to put the download notice up) we would have told them how to safely uninstall the client program, and we would have also told them of a special flag - that if present would stop the client from installing again in the future. They would also have been given information that would have told the user WHO was attempting to spy on them! The condition would have been as above - that the user be informed that it was a commercial program and the default action would have been not to uninstall.

    Sunbelt will soon be given this information in the hope that other companies will follow in the way they list the program (if detected).

    Best regards,
      Anthony

  22. Security Vendors by PhYrE2k2 · · Score: 2, Insightful

    I'm really sick of this hiding behind licenses. Spyware makers claiming that by downloading, looking at, thinking of, pissing on, or whatnot you can't create a signature or identify it in any way. There are a ton of stories like this, but it's ridiculous.

    It's up to the consumer to decide what goes on their computer, and if an anti-spyware maker wants to warn users of the threats, they have every right to. Otherwise, they're not doing the service THEY are promising the customer, by identifying those things that spy on them. It really does perplex me how much people try and push with flawed licenses and poor IP laws. If there's any sign it needs to be revamped, this is it.

    -M

    --

    when you see the word 'Linux', drink!
  23. Excessive Use Leads2 Anarchy by yakkowakkodot · · Score: 2, Interesting

    That farking malware needs to have no protection based on its EULA. Just re-did a XP install because the user had forgotten to turn on the firewall on their sp1. Result: slowdowns, popups, autorun programs; re-formatting and firewall fixed it. And those ##$*@ are just waiting on the internet ready to pounce on new installs w/o firewall enabled. And that's just the stuff you didn't want. These days, ANY program installed could set off some security risk (see SONY) so the spyware and virus protection folks need to take into account ANY possible security risk. Say this keylogger's stored file is accessible via some process. Then, keylogger=security risk: instead of some internal security measure, it turns into a virtual radio of what you type. This seems to be a way to CYA over a poorly written program that introduces a security risk. Malware being primarily designed to introduce external data, is also a risk. Danger>EULA. Guess someone will have to take this to court to settle down the differences between code-ripping and code-detection data. Affording protection to all software due to EULA is just asinine. All I have to do is include in the rarely-read EULA 'And it is a violation of the Agreement to attempt to detect, remove, or otherwise modify the Software.' Oh wait, that's what they write now.

    --
    Infinity is overrated, Infinity+1, now that's cool!
  24. Victims Rarely Sign the EULA by darkonc · · Score: 4, Interesting
    If someone else installed the keylogger on my computer I haven't signed or read the EULA. When I find this 'unwanted gift', I'm free to forward it on to an anti-virus company after (or as part of the process of) removing it from my computer.

    In other words, I think that RetroCoder is going to have to prove that the people on whose computers this stuff is running have seen the EULA. Then, of course there's the fact that RetroCoder is engaged in contributory violation of people's privacy, which means that they're coming to court with 'Unclean Hands'.

    Of course Retro Coder could avoid this conundrum if they always make sure that, whenever the program starts up, it displays the EULA, notifying a 'user' that the software is running, how they can identify it (so that they can avoid 'infringement'), and automatically (and safely) removing itself from the computer if the end-user does not accept the EULA....

    Under any other conditions, I'd say that it's Retro that would be toast in court.

    --
    Sometimes boldness is in fashion. Sometimes only the brave will be bold.
  25. Why? by WindBourne · · Score: 2, Insightful

    Far better to back out the laws that allow this; DMCA being just one.

    Otherwise, we would be building law on a number of bad laws.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  26. Like I've Always Said by Master+of+Transhuman · · Score: 2, Interesting

    Copyright and other IP law is an attempt to extend the principle of contract over the more basic principle of property.

    It's nothing but coercion masquerading as "agreement". That's why it's frequently hidden in EULAs and other "contracts" that nobody is likely to read and which depend on "opt-out" rather than "opt-in" such as actually having to sign a real contract and exchange value.

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  27. Okay, I declare myself... by meisenst · · Score: 2, Interesting

    ... to be an anti-spyware software publisher.

    Now, will they be in violation of their own EULA when their junk ends up on any PC that I use through no fault of my own? I certainly won't ask for their software to be installed of my own free will, but that is not how their model works, now is it?

    So, if we all sign on as developers of a FOSS anti-spyware project, are we all effectively protected from these people, as it is against their EULA for their software to be pushed to us? And who gets in trouble, us, or the operators of the sites that are responsible for feeding us this garbage?

    --
    Green's Law of Debate: Anything is possible if you don't know what you're talking about.