MIT Startup Tests Top Million Sites for Spyware

torrentami writes "An MIT startup called SiteAdvisor has downloaded over 100,000 programs from the top million Web sites and tested them for adware and spyware using an automated system they've built. They've got a blog entry where they dissect 5 of the worst adware bundles they found. There is some amazingly invasive stuff in there."

The major lesson of all this.

[CyricZ]

The one major lesson we can take from their research is that we should probably not be using Windows.

When you consider how many alternatives (often far cheaper, too) are available, it's a wonder that so many still choose to use software that leaves their systems wide open to exploitation, be it from worms, viruses, or malicious websites.

But perhaps a secondary lesson is that we need to keep an ever-strong vigil. It's perhaps even our duty as computer-competent individuals to inform others of these issues. Not to preach to them, by any means, but do let those less-astute computer users know what is going on. Advise them that such problems exist, and tell them how to avoid such malicious software.

We can easily defeat the problem of spyware. But it will involve people helping each other out. Soon enough the ignorance will fall by the wayside, and we will all be better off.

Re:The major lesson of all this.

[dada21]

I disagree.

Windows is, by far, the most insecure operating system out there. It is also the operating system that users find the easiest to use, and it is also the operating system that (in my opinion) has the most flexibility for programmers and software corporations of all sizes.

While the *nix varieties are definitely more secure (as they are now), a switch to *nix will not lead us to less spyware-ridden applications online. In fact, if Windows were to fail commercially tomorrow and everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

*nix does not mean secure. It just isn't popular enough for spyware programmers to target, yet. Give it time, I think as it gains popularity, it will begin to be a target for the software companies that try to enter and dissect your life digitally.

Re:The major lesson of all this.

[BushCheney08]

In fact, if Windows were to fail commercially tomorrow and everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

Agreed. Especially when you consider that all of the programs in TFA were installed after the user clicked the "I Agree" button five, six, seven times. The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there. This is where informing the user comes in. And the user has already shown many times over that they don't care to be informed. This sort of crap is gonna be around for a long long time...

Re:The major lesson of all this.

[CTalkobt]

This is not a windows issue (as much as I dislike windows).

It's a user issue. Like any information on the web you need to consider the source of where you're getting your programs from. I wouldn't get cancer information from the tobacco companies websites - just as similairly I wouldn't get software utilities from my company from a page that has a bunch of advertisement links along with some porn.

Rational users would cure 95% of the virus / trojan issues. The other 5% are usually inadvertant mistakes from legit websites. For those a checker is needed if you want to immediatly download files. That or let others be your guinea pigs and only download ones older than 3 months old.

( I know - there is no such thing as a rational user but I can dream... )

Re:The major lesson of all this.

[TimTheFoolMan]

It's no surprise that we who write software are seen as arrogant when we see the *average* user, the person who makes technically uninformed decisions, and our response is, "the problem isn't with our system, the problem is that you Mr. User are an idiot."

The world has idiots. Why can't technology people (us) accept this without derision? The world also has many people who don't know technology, and don't care too. They are not necessarily the same people.

Emerson said "Every man is in some way my superior, and in that i can learn from him." We seem to be so busy casting aspersions that we don't have time to listen. We're so quick to insult, perhaps because we (developers and technology people) don't *care* about users. Are we so superior to Emerson that there's nobody we can learn from?

Why can't *someone* care enough about the technologically illiterate to protect them against themselves? Why isn't there a company out there that will make it difficult for a regular user to install something that has potentially deep affects to the OS, but makes the OS accessible to that same user?

Oh wait... there already is one.

Tim

Re:The major lesson of all this.

[gcatullus]

I don't think that the problem is people who don't know technology, making uninformed decicions. So much as people having a flagrant disregard for the concept that what they do with their own PC effects everyone. For example, if I never learned to program the clock on my VCR and it flashed 12:00 all teh time, it only effects me. But if all I want to use it for is watching videos from Blockbuster, then who cares, there is absolutly no harm.

People apply the same logic to their PCs. As long as they can check their AOL mail and play solitaire, they think everything is fine. The classic car analogy mentioned above doesn't capture what most people think is happening. If their PC is full of spyware and crap, it is only a nuisance to them alone they believe. Like if their car didn't have a working gas gauge, or if the radio would not work. An anoyance, yes, but not the end of the world and in no way effecting anyone else.

The avergae person wouldn't want to drive a car that was leaking gasoline and oil all over the place all the while spewing clouds of polluting black smoke, but they don't understand that this is the state that they let their PCs get to.

The challange is not to teach them the technology, nor even design a system that protects people from their own dum actions, but to teach them that their actions can create havoc for other people.

It's not, "Don't open any email attachments from anyone ever, or your computer will be screwwed.", it should be "Don't open email attachments from anyone ever, or your PC will start infecting other peoples computers and be used to host kiddie porn."

Re:The major lesson of all this.

[WindBourne]

I always laugh at that argument. Basically, so many windows encourage all the hackers. So not true. Even back in the 80's when Mac was bigger than Dos, attacks were being designed for DOS. Why? ease of doing so. Apache has shown this,as well as numerous other examples. The best example out there, is that banks during the 60's and 70's were heavily robbed until the 7-11 stores became the easy marks (and loaded with small money). Finally 7-11 decided to change their attitude and make it near impossible to make any amount of money over 50. So what are robbers hitting these days? banks. Why? do to ease of hit combined with the amount of money.
 
The lesson to learn on that, is that crooks go for the easy mark that makes money. *nix will be the target when either:

1. insecure systems do not have money.
   
2. all other systems are more secure than *nix.
   

Neither is likely to happen anytime soon (and many would argue any time far). *nix will be very secure for a long time.

I don't agree.

[Zombie+Ryushu]

THe security paradigm of Windows and the Unix World are Apples and Green peppers. There will still be spyware threats out there if Windows didn't exist. But they would be different threats, and they could eeven be worse in some cases, but they would be fewer in number and the Internet wouldn't be such a darkened Hell hole it is steadily becoming. The Data miners would get more resistance from the Unix world than they have a Windows world that can't fight back.

You get what you pay for...

[ian_mackereth]

If the word "Free!" is enough to get users to download the screensaver, game, utility, etc., then this sort of thing will continue.

Somebody has to pay for the server bandwidth and the time to write the programs, and one viable model is adware. I deplore the installation of software that's a)not in the EULA or installer screens and b)damn hard to get rid of, but the 'legit' adware is what's paying the bills of the guys giving you free stuff.

There's always a subset of users who can circumvent the installation of the unasked-for bundles, but the average user without updated anti-spyware, firewall or anti-virus software will make enough money for the vendors to keep us in freebies for quite some time to come...

Where is the accountability?

[Presence2]

If I designed a product that allowed me to invade your home without your knowledge, spy on your behavior, and report it back to me - I would be arrested (or hired by NSA/homeland security).

Yet, all these thousands of products do this with absolutely zero accountability. As far as I am concerned, the programmers and companies who promote this behavior should be just as culpable as any petty crook who selfishly holds no regard for their victims.

No, CyricZ is right, we need to educate users.

[tokengeekgrrl]

I have a brother who is marred and has 2 kids between the ages of 12-15. Those kids killed his last computer, unwittingly installing all sorts of nonsense when they downloaded games and graphics. That was on a Win98 SP2 machine which, as hard as I tried, I simply could not secure or revive from all of the trojans and malware that had infected it.

My brother supports a family of 4 on his one salary. They live very well considering the cost of living in their small, midwestern town, but computers still cost the same and he hasn't been able to afford to buy a new one. He's quite proficient with computers when it comes to using and configuring them for what he and his family needs it to do. He just doesn't have time to keep up on all the security issues and patches since he's too busy working to support his family and trying to be a good father to his kids.

After he got laid off from his job not too long ago, I bought him and his family a new PC with WinXP Home, (I know XP Professional is much better when it comes to security but it would have overwhelmed my brother and the best PC package I could find at the price I could afford only offered XP Home). I walked him through how to secure the new PC by setting up an account for the kids with guest access so they can't install anything, configuring automatic updates, installing spybot and automatic scans, tuning the XP firewall, and having him switch to Firefox. I sent him urls for websites that explained how to secure a PC and maintain it.

I've just emailed him about installing the SiteAdvisor plug-in for Firefox which is absolutely brilliant for users like my brother. Hell, I've installed it just for the novelty of it.

The point is, my brother is taking care of his machine now and he loves Firefox. He has told everyone he knows in his little town about how great it is and to dump IE. All it took was someone taking the time to inform him.

So chill and if you have the time and inclination, take 10-15 minutes to explain to a user how to protect their PC. If that's not the kind of thing you feel like doing, fine, then as far as I'm concerned, you don't have a right to complain about it.

If you're not part of the solution, then you're part of the problem, in my opinion.

Respectfully yours,
tokengeekgrrl

Re:No, CyricZ is right, we need to educate users.

[maxpublic]

I have no idea why you couldn't revive his computer. At worst you'd have to reformat the disks and reinstall; no virus, trojan, or piece of spyware is going to survive that. No matter how bad the software it isn't going to be able to rewire his hardware.

Max

Can't agree

[guet]

Agreed. Especially when you consider that all of the programs in TFA were installed after the user clicked the "I Agree" button five, six, seven times. The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there. This is where informing the user comes in. And the user has already shown many times over that they don't care to be informed. This sort of crap is gonna be around for a long long time...

Yes and No. The user has to agree, but on XP the user has been trained to agree -

A big difference I notice between Windows XP and OS X (one of those nix) is the number of times I have to click 'Next' or 'Previous' in dialogs in Windows, just to get anything done at all. In my opinion the main reason for the growth of spyware on Windows (before ubiquity) is the way the OS trains you to click,click, click to do anything at all. You end up not reading any of the dialogs because you read the first few words and guess the rest. The user is inured to warning dialogs of any sort, and starts to click through the forest of 'Next' buttons to get to where they want to go (or thought they wanted to go :). There's also the problem with users running as admin all the time, meaning the only line of defence is the security policy of the web browser, not the users' permissions.

In contrast on OS X you very rarely have to say 'ok, do this, then that, next, next, finish', you are asked one simple question (usually) with an 'OK' the first time you open a document type with an application. And you very, very rarely have to enter your admin password, practically only when you are installing big applications like Photoshop which need to install libraries. So if a website pops up an authentication dialog (which they can't anyway BTW), you know something is wrong; you stop and think about it.

That said user ignorance of what constitutes safe computing is a problem too.