Slashdot Mirror
MIT Startup Tests Top Million Sites for Spyware
torrentami writes "An MIT startup called SiteAdvisor has downloaded over 100,000 programs from the top million Web sites and tested them for adware and spyware using an automated system they've built. They've got a blog entry where they dissect 5 of the worst adware bundles they found. There is some amazingly invasive stuff in there."
The one major lesson we can take from their research is that we should probably not be using Windows.
When you consider how many alternatives (often far cheaper, too) are available, it's a wonder that so many still choose to use software that leaves their systems wide open to exploitation, be it from worms, viruses, or malicious websites.
But perhaps a secondary lesson is that we need to keep an ever-strong vigil. It's perhaps even our duty as computer-competent individuals to inform others of these issues. Not to preach to them, by any means, but do let those less-astute computer users know what is going on. Advise them that such problems exist, and tell them how to avoid such malicious software.
We can easily defeat the problem of spyware. But it will involve people helping each other out. Soon enough the ignorance will fall by the wayside, and we will all be better off.
Cyric Zndovzny at your service.
What is their criteria for deciding if a site is within the "top million" on the WWW? Are they using data from a service such as Alexa, or is it mere speculation on their part as to the traffic of the sites they have tested?
Cyric Zndovzny at your service.
THe security paradigm of Windows and the Unix World are Apples and Green peppers. There will still be spyware threats out there if Windows didn't exist. But they would be different threats, and they could eeven be worse in some cases, but they would be fewer in number and the Internet wouldn't be such a darkened Hell hole it is steadily becoming. The Data miners would get more resistance from the Unix world than they have a Windows world that can't fight back.
Mr. Softy targets the dumb mean of the user distribution, +/- a couple of standard deviants on either side.
The *nix philosophy requires a great deal more learning on the part of the user.
Education can't stop a quality cock-up, but it certainly filters a great deal of blatant boo-boos, like coughing up a root password to www.passwordstorage.com.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
>I was recently asked to set up some computer systems at a seniors home.
Thats great. What happens when they go to Wal-Mart and want to buy some software?
Or when they want to hook up their brand-spanking new digital camera/mp3 player/PDA?
Lots of people are more bleed-edge than seniors.
>You may deny it, but the fact of the matter is that Linux systems won't get infected with spyware at this time. Sure, that may change in the future, but I'm doubtful about that.
You don't need a better code to prevent spyware, you need better users. Better system design/code will never beat out a user, unless the design is involves cutting the power to the computer.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
Somebody has to pay for the server bandwidth and the time to write the programs, and one viable model is adware. I deplore the installation of software that's a)not in the EULA or installer screens and b)damn hard to get rid of, but the 'legit' adware is what's paying the bills of the guys giving you free stuff.
There's always a subset of users who can circumvent the installation of the unasked-for bundles, but the average user without updated anti-spyware, firewall or anti-virus software will make enough money for the vendors to keep us in freebies for quite some time to come...
If I designed a product that allowed me to invade your home without your knowledge, spy on your behavior, and report it back to me - I would be arrested (or hired by NSA/homeland security).
Yet, all these thousands of products do this with absolutely zero accountability. As far as I am concerned, the programmers and companies who promote this behavior should be just as culpable as any petty crook who selfishly holds no regard for their victims.
Still its no windows.
I used to use FreeBSD and I tried Ubuntu (gnome version) and decided not to keep it. Its a hassle to upgrade to Openoffice 2.0 and Java5. Sure I could probably do it if I had time on my hands but its a pain to redo the apt.sources and download unstable software from god knows where. I am afraid it would make my system buggy with the nasty dependancies that are beta or RC level.
I got the Gentoo cd and I am going to try again with that but still its not for average Joes.
Windows is nice because it just works. With school and a shift from pc support to programming at work I dont care about some of the things linux has to offer from a server level. I just want to point and click and work.
During spring break I will put unix back on my system but for now I am sticking with windows. I am at least knoweldge to know better than to install most software that comes with malware.
http://saveie6.com/
I have a brother who is marred and has 2 kids between the ages of 12-15. Those kids killed his last computer, unwittingly installing all sorts of nonsense when they downloaded games and graphics. That was on a Win98 SP2 machine which, as hard as I tried, I simply could not secure or revive from all of the trojans and malware that had infected it.
My brother supports a family of 4 on his one salary. They live very well considering the cost of living in their small, midwestern town, but computers still cost the same and he hasn't been able to afford to buy a new one. He's quite proficient with computers when it comes to using and configuring them for what he and his family needs it to do. He just doesn't have time to keep up on all the security issues and patches since he's too busy working to support his family and trying to be a good father to his kids.
After he got laid off from his job not too long ago, I bought him and his family a new PC with WinXP Home, (I know XP Professional is much better when it comes to security but it would have overwhelmed my brother and the best PC package I could find at the price I could afford only offered XP Home). I walked him through how to secure the new PC by setting up an account for the kids with guest access so they can't install anything, configuring automatic updates, installing spybot and automatic scans, tuning the XP firewall, and having him switch to Firefox. I sent him urls for websites that explained how to secure a PC and maintain it.
I've just emailed him about installing the SiteAdvisor plug-in for Firefox which is absolutely brilliant for users like my brother. Hell, I've installed it just for the novelty of it.
The point is, my brother is taking care of his machine now and he loves Firefox. He has told everyone he knows in his little town about how great it is and to dump IE. All it took was someone taking the time to inform him.
So chill and if you have the time and inclination, take 10-15 minutes to explain to a user how to protect their PC. If that's not the kind of thing you feel like doing, fine, then as far as I'm concerned, you don't have a right to complain about it.
If you're not part of the solution, then you're part of the problem, in my opinion.
Respectfully yours,
tokengeekgrrl
I think that would be his solution no matter which OS was used. Letting inexperienced people install whatever they want is a reciepe for disaster. The whole reason for these spyware epidemic is due to exactly this reason. It also makes complete sense to have one person being the admin for a shared resource, you can't let people who have no idea what they are doing admin a shared system.
You have to sudo cp it to /etc. Or are you just being deliberately obtuse?
It doesn't mean much now, it's built for the future.
Does that sound like Linux works?
In all fairness, I think that's more telling of him than of linux.
Agreed. Especially when you consider that all of the programs in TFA were installed after the user clicked the "I Agree" button five, six, seven times. The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there. This is where informing the user comes in. And the user has already shown many times over that they don't care to be informed. This sort of crap is gonna be around for a long long time...
:). There's also the problem with users running as admin all the time, meaning the only line of defence is the security policy of the web browser, not the users' permissions.
Yes and No. The user has to agree, but on XP the user has been trained to agree -
A big difference I notice between Windows XP and OS X (one of those nix) is the number of times I have to click 'Next' or 'Previous' in dialogs in Windows, just to get anything done at all. In my opinion the main reason for the growth of spyware on Windows (before ubiquity) is the way the OS trains you to click,click, click to do anything at all. You end up not reading any of the dialogs because you read the first few words and guess the rest. The user is inured to warning dialogs of any sort, and starts to click through the forest of 'Next' buttons to get to where they want to go (or thought they wanted to go
In contrast on OS X you very rarely have to say 'ok, do this, then that, next, next, finish', you are asked one simple question (usually) with an 'OK' the first time you open a document type with an application. And you very, very rarely have to enter your admin password, practically only when you are installing big applications like Photoshop which need to install libraries. So if a website pops up an authentication dialog (which they can't anyway BTW), you know something is wrong; you stop and think about it.
That said user ignorance of what constitutes safe computing is a problem too.
I wish they better analyze their website.t tery.org )
FreeBSD.ORG = Marked as yellow - "Use caution." ( http://www.siteadvisor.com/sites/freebsd.org )
In the same time all fraud websites in Google search for "Green card" are green ( http://www.siteadvisor.com/sites/us-green-card-lo
This is taken a little out of context, but something that actually happened in an IRC chat channel.
user: how can I fix my PC to be able to play these songs?
me: listen, you need to clean your PC from that virus first
user: how do I do that?
me: go there and bla, then blabla and bla you're done
user: what? I just want to listen to my music
- user has quit
I really do not know why HOST files are not a more common theme
Maybe because "From time to time I get pages that aren't found.....but I can review these as the HOST file is of course text."
For you, me and the technically inclined this is no biggy, can you see your Gran doing this? As far as they know the site they want to view doesn't work but it was fine before you set up this funny named file.
Maybe it could be possible to design a two tier security model that flagged up if a site was being blocked, and you could allow it to run under limited privilages, just so you could view the page and no more.
Warning, comments may not have been passed by the sanity department of my brain.