MIT Startup Tests Top Million Sites for Spyware
torrentami writes "An MIT startup called SiteAdvisor has downloaded over 100,000 programs from the top million Web sites and tested them for adware and spyware using an automated system they've built. They've got a blog entry where they dissect 5 of the worst adware bundles they found. There is some amazingly invasive stuff in there."
I hope they have a "submit site" function for people to test random sites....
The one major lesson we can take from their research is that we should probably not be using Windows.
When you consider how many alternatives (often far cheaper, too) are available, it's a wonder that so many still choose to use software that leaves their systems wide open to exploitation, be it from worms, viruses, or malicious websites.
But perhaps a secondary lesson is that we need to keep an ever-strong vigil. It's perhaps even our duty as computer-competent individuals to inform others of these issues. Not to preach to them, by any means, but do let those less-astute computer users know what is going on. Advise them that such problems exist, and tell them how to avoid such malicious software.
We can easily defeat the problem of spyware. But it will involve people helping each other out. Soon enough the ignorance will fall by the wayside, and we will all be better off.
Cyric Zndovzny at your service.
I can tell you from the experience of working on a network where the end users have very unwisely been made local admins on their workstation that the *only* thing required for a full spyware infection is a nice little surf around the 'net. This is compounded by the problem that they all seem to have some touch of OCD that compels them to click "OK" on anything that wants to install itself despite all of our efforts to educate them.
I will say that it is nice to see someone put quantifiable numbers to the things I have long known from practical experience, but this isn't exactly news.
2 cents,
Queen B
HDGary secures my bank
Here's a mirror: http://www.mirrordot.org/stories/01c106c874a3852302ab3ebb3303acc6/index.html
"We've also made our data available under Creative Commons License 2.5". Data is ineligible for copyright cover in the United States, so no license is needed or can apply.
:)
They wouldn't bundle an unnecessary license with useful data just after writing about bundling unnecessary software with desired applications, would they?
It is useful outside the US, though, so this is actually a bit tongue in cheek.
They should add a feature on the SiteAdvisor toolbar: "this site is often down".
lucm, indeed.
In my quick look through the blog, they quoted Alexa ranking figures. I'd say they're using those to determine how popular sites are.
Have you tried the recent Kubuntu releases? If not, give it a try. It is by far one of the easiest systems to install these days. Even easier to keep up to date, as well.
I was recently asked to set up some computer systems at a seniors home. Now, many of these people have never used a PC. So we were able to acquire several used PCs for almost no cost, and I installed Kubuntu on their systems. We got them set up so that they could check their email, browse the WWW, use various instant messengers to chat with relatives, and even play games (bridge and backgammon were big favourites).
Now, why did I go with Kubuntu? Mainly because it is free, and it is quality software that is quite easy to use. But more importantly, I wanted these systems to always be available to these people. I know that they might visit malicious sites. I wouldn't want that resulting in their systems being compromised just because of that.
You may deny it, but the fact of the matter is that Linux systems won't get infected with spyware at this time. Sure, that may change in the future, but I'm doubtful about that. The basic (yet significant) differences in code quality and architecture are enough to leave Linux (and other non-Microsoft) systems far more secure and usable, even in the face of malicious software.
Cyric Zndovzny at your service.
The security paradigm of Windows and the Unix World are Apples and Green peppers. There will still be spyware threats out there if Windows didn't exist. But they would be different threats, and they could even be worse in some cases, but they would be fewer in number and the Internet wouldn't be such a darkened Hell hole it is steadily becoming. The Data miners would get more resistance from the Unix world than they have a Windows world that can't fight back.
How can they be testing the top 1000000 web sites, if they're only downloading 100000 programs? That would leave a lot of sites untouched. It seems that in order to test 1000000 web sites, they would have to download at *least* 1000000 programs. Unless, of course, they grabbed programs from *some* of the top 1000000 web sites, in which case they would have programs from, say, site #1, #10, #20, etc.
Their may be a grammatical error, misspeling, or evn a typo in this post.
I would enjoy seeing some of the nastier data put forth in a simple list so that I can add them to my banned domain listing on my firewall.
Currently, I knock down ads (from the ~1800 most active servers), with the wonderful help of the following gentleman.
For the Lazy...
Now, about that warez/malware/stupid screensaver and other utilities list....
Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
no complaints about the article linking to a blog? what's the world coming to? ;)
Mr. Softy targets the dumb mean of the user distribution, +/- a couple of standard deviants on either side.
The *nix philosophy requires a great deal more learning on the part of the user.
Education can't stop a quality cock-up, but it certainly filters a great deal of blatant boo-boos, like coughing up a root password to www.passwordstorage.com.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
They claim to have tested the top million Web sites, but goatse and tubgirl aren't in there, so they can't have.
The technical guys in the company are from MIT's exokernel project.
They worked on delivering high throughput for video with their superior OS technology. It interoperated with Windows, allowing them to make money.
This project looks surprisingly un-technical and uncomplicated in comparison, given how competent and accomplished they are.
Here's an exokernel link:
http://pdos.csail.mit.edu/exo.html
http://www.thebricktestament.com/the_law/when_to_
http://www.siteadvisor.com/sites/slashdot.org/
I plan on contesting the results, they plainly haven't investigated hard enough.
BOO
You know I could flame you to hell and back but I won't. I'd rather just point out something you're obviously missing.
It has been my experience that most Windows systems that end up with this crap installed end up having to be reloaded, wasting hours of time backing up data, reloading, reconfiguring the system. Now in the unlikely event that one of my systems got hold of one of these imaginary UNIX spyware apps, it would leave me having to run a total of 2 commands.
# userdel -r kernelpanicked
# useradd -m kernelpanicked
I'm really not seeing your point here.
Ubuntu: If at first you don't succeed, blindly slap a sudo in front of it
Somebody has to pay for the server bandwidth and the time to write the programs, and one viable model is adware. I deplore the installation of software that's a) not in the EULA or installer screens and b) damn hard to get rid of, but the 'legit' adware is what's paying the bills of the guys giving you free stuff.
There's always a subset of users who can circumvent the installation of the unasked-for bundles, but the average user without updated anti-spyware, firewall or anti-virus software will make enough money for the vendors to keep us in freebies for quite some time to come...
If I designed a product that allowed me to invade your home without your knowledge, spy on your behavior, and report it back to me - I would be arrested (or hired by NSA/homeland security).
Yet, all these thousands of products do this with absolutely zero accountability. As far as I am concerned, the programmers and companies who promote this behavior should be just as culpable as any petty crook who selfishly holds no regard for their victims.
Forget spyware... I'd be afraid of people linking to the goatse.cx guy.
I'll never make that mistake again, reading the experts' opinions. - Feynman
Education is certainly the key.
I've been using the HOST file supplied by <URL:http://www.mvps.org/winhelp2002/hosts.htm> the Microsoft MVPS site for the past few years and have not had ANY spyware or Malware or viruses on any of my machines.
I still run ad-aware and spybot monthly and never see anything but a few cookies. Once every few weeks I update my HOSTS file and then set it to read-only again and the 10,000 or so sites it blocks are just that - blocked.
Web sites load faster too without some of the tracked ad sites loading. From time to time I get pages that aren't found.....but I can review these as the HOST file is of course text.
I really do not know why HOST files are not a more common theme on here when setting one up on your Dad's computer saves you from removing crap from it as a hobby.
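Added example, not part of the comment above and not code from the MVPS site: a small Python audit of a HOSTS block list of the kind that comment describes. It lists which names are sinkholed, finds the line that blocks a page that "isn't found", flags entries that point a name at some other address, and checks the read-only state. The sample text, hostnames and function names are constructed for illustration.

```python
import ipaddress
import os
import stat

# Addresses a block list uses to make a hostname unreachable.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Names that legitimately map to loopback and are not block entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed sample input (not taken from any real block list).
SAMPLE = """\
# constructed sample hosts file
127.0.0.1  localhost
0.0.0.0  ads.tracker.example   # blocked ad server
127.0.0.1  popups.example  www.popups.example
203.0.113.7  bank.example
not-an-ip  junk.example
"""


def parse_hosts(text):
    """Yield (line_no, address, hostname) for each mapping in hosts text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                           # malformed line, ignore
        for name in fields[1:]:                # one line may list several names
            yield line_no, addr, name.lower().rstrip(".")


def audit(text):
    """Return (blocked, redirects): sinkholed names and all other mappings."""
    blocked, redirects = {}, []
    for line_no, addr, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if addr in SINKHOLES:
            blocked.setdefault(name, line_no)
        else:
            # A block list should not send a name to a routable address.
            redirects.append((line_no, name, addr))
    return blocked, redirects


def why_blocked(text, hostname):
    """Line number of the entry that sinkholes hostname, or None."""
    return audit(text)[0].get(hostname.lower().rstrip("."))


def is_read_only(path):
    """True when no write permission bit is set on the file."""
    mode = os.stat(path).st_mode
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)


if __name__ == "__main__":
    blocked, redirects = audit(SAMPLE)
    print(len(blocked), "blocked names;", "review:", redirects)
```
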
Odds are good that some Slashdot readers are involved in producing and propagating spyware. (Lots of us, lots of it. You do the math.)
How about you fake your IP, make a new account, post as Anonymous Coward -- whatever you need to do -- and give us an insight into your world, and the attitudes of the people you work for?
It just so happens I work for a large spyware/malware company, and I'd like to blow the whistle. My report on our industry is available here. (To access my tell-all, you should all click "yes" on whatever dialogues come up.)
xkcd.com - a webcomic of mathematics, love, and language.
Or when they want to hook up their brand-spanking new digital camera/mp3 player/PDA?
I'm running Ubuntu (Well, Edubuntu, for my son's edification) and I have no problems connecting and utilizing my digital cameras, mp3 players, and PDAs.... It's time to crawl out from under that rock there, dude.
You don't need a better code to prevent spyware, you need better users. Better system design/code will never beat out a user, unless the design involves cutting the power to the computer.
Actually, much of the security of linux comes with the fact that a) filesystem permission structure is more robust than any Windows FS, and b) that you don't generally log in as root (administrator to you Windows folks) to do the day-to-day operating of the system... as a matter of fact, I've never logged in as root on this system... At most, I'll use sudo for things like installing or configuring firewalls, and then resume my regular privileges.
Be who you are and say what you feel, because those who mind don't matter and those who matter don't mind. - Dr. Seuss
An open letter to slashdot:
Please stop it with the name-dropping. It's irritating and insulting. The article has plenty of merit on its own, and is indeed a fine bit of information to put on slashdot.
However, the fact that it was started by two MIT alum is completely irrelevant. If this was the direct result of research being done by a group of MIT students or professors, it might be appropriate to place a reference to MIT in the blurb (but probably not the title). We're not an MIT related publication, as hard as that may be to believe (Wired is also a terrible offender of this).
It reminds me of my psychology textbook, which would always drop the name of the institution responsible for a certain piece of research: "Harvard Professor Shelly Cline worked with Yale Psychologist Howard Walken to refine Pavlov's theory....." and so on, provided that the institution was in the Ivy League. Flipping through the pages, I found a few references to only Ivy League Universities and overseas institutions (specifically Cambridge and Harvard).
Now, I'm not going to deny that a great deal of mighty fine research comes out of MIT and the Ivy League, but I'm also going to remind everyone here that other institutions also churn out a great amount of significant research, and they are hardly ever credited for it. My tiny public liberal arts school even churns out a fair bit of good research.
So, slashdot. Please stop shamelessly plugging these name-brand schools. They've done nothing wrong, but by publicizing them in such a way, you're dragging down the other 99% of the educational system that the rest of us have to utilize.
(To be fair, I did RTFA, and SiteAdvisor seems genuinely cool)
-- If you try to fail and succeed, which have you done? - Uli's moose
This is a good project and it has the potential of eventually becoming the "Google of spyware". It's a pity their methods are not explained in greater detail in their FAQ, but then it prevents spyware companies from finding a quick workaround to fool their system.
They even have a Firefox extension already: http://www.siteadvisor.com/ffinstall.html
I'm looking forward to them adding cookie support to their database. Maybe I could finally stop blocking all cookies by default.
I've been an Ubuntu user for about a year, and I've used FreeBSD for many more. I like Ubuntu, but I used KDE on my FreeBSD machines, and ended up installing the KDE packages on the Ubuntu machine.
So, when my hard drive failed I thought I'd just cut to the chase, and install Kubuntu.
I certainly didn't expect problems, as it is essentially Ubuntu, right?
I'm not going to iterate the various problems I had - the main one was getting wireless to work (which I did after manually hacking the config) - but I will say that Kubuntu ain't no Ubuntu. They really need to work on polishing the system integration/config aspects of the tools. Ubuntu has just done a better job of it.
I wasn't happy until I blew away Kubuntu, and installed Ubuntu and the KDE packages. Everything is working just fine, and life is good.
(I'm not trying to start a Kubuntu/Ubuntu flamewar. You asked, and I'm just sayin')
> (To access my tell-all, you should all click "yes" on whatever dialogues come up.)
Oh no, it doesn't seem to work on my computer. Could you maybe help me install it? My IP is 127.0.0.1...
I have a brother who is married and has 2 kids between the ages of 12-15. Those kids killed his last computer, unwittingly installing all sorts of nonsense when they downloaded games and graphics. That was on a Win98 SP2 machine which, as hard as I tried, I simply could not secure or revive from all of the trojans and malware that had infected it.
My brother supports a family of 4 on his one salary. They live very well considering the cost of living in their small, midwestern town, but computers still cost the same and he hasn't been able to afford to buy a new one. He's quite proficient with computers when it comes to using and configuring them for what he and his family needs it to do. He just doesn't have time to keep up on all the security issues and patches since he's too busy working to support his family and trying to be a good father to his kids.
After he got laid off from his job not too long ago, I bought him and his family a new PC with WinXP Home, (I know XP Professional is much better when it comes to security but it would have overwhelmed my brother and the best PC package I could find at the price I could afford only offered XP Home). I walked him through how to secure the new PC by setting up an account for the kids with guest access so they can't install anything, configuring automatic updates, installing spybot and automatic scans, tuning the XP firewall, and having him switch to Firefox. I sent him urls for websites that explained how to secure a PC and maintain it.
I've just emailed him about installing the SiteAdvisor plug-in for Firefox which is absolutely brilliant for users like my brother. Hell, I've installed it just for the novelty of it.
The point is, my brother is taking care of his machine now and he loves Firefox. He has told everyone he knows in his little town about how great it is and to dump IE. All it took was someone taking the time to inform him.
So chill and if you have the time and inclination, take 10-15 minutes to explain to a user how to protect their PC. If that's not the kind of thing you feel like doing, fine, then as far as I'm concerned, you don't have a right to complain about it.
If you're not part of the solution, then you're part of the problem, in my opinion.
Respectfully yours,
tokengeekgrrl
http://www.siteadvisor.com/preview
<pickanick> testing
<toqer|7boo> ya that thing is pretty friggen cool
<toqer|7boo> its like knowin which ho has ghonorhea before you bang her
<toqer|7boo> very sexy
<pickanick> cool analogy
<Drumstix> hah
I'm surprised garbage sites aren't being blocked by WebSense. If Maddox's site is blocked (as tasteless humor), why aren't known adware/spyware sites being blocked?
Firefox needs an MSI installer and some Group Policy mods to take off in a corp. environment.
*unbelieving*!!
i can't tell you how many times i've expressed the dangers to people. if you don't have anti-spyware, anti-virus, firewalls, and etc these are the risks. and they don't believe. if you look at the large campaigns (at least in certain areas of the U.S.) to get people to wash their hands on a regular basis, it appears that people are disbelieving of germs also.
how do you fix this?
there is amazing evidence that the use of seat belts in autos reduces your probability of dying in a collision. but we still have to make laws to make people wear seat belts.
so far there has been no real cost to a computer user for being stupid. with the exception of lost data, nothing bad is going to happen. if laws get passed that state you are responsible for your computer's actions in dos attacks or if your computer is hijacked and made into a child porn depot, things might change.
eric
Bombadier,
I'm on SiteAdvisor's advisory board, and I've tested their products at length. I've never seen anything like SiteAdvisor installing the Yahoo Toolbar, and I'm confident that there's some other explanation for what happened to your computer. Can you send me an email so we can troubleshoot what happened? I want to get to the bottom of this and clear SiteAdvisor's good name.
Ben Edelman
As you note, creativity can still prevent a compilation from being in the public domain, if there's some significant original creativity involved. One of the interesting bits of Assessment Technologies v. WIREdata was the requirement to hand over even the bits which might be copyrightable - the database structure - so that the data would be available.
There's more discussion of the general principle at Feist Publications v. Rural Telephone Service, which contains a fair overview of this aspect of US copyright law.
Agreed. Especially when you consider that all of the programs in TFA were installed after the user clicked the "I Agree" button five, six, seven times. The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there. This is where informing the user comes in. And the user has already shown many times over that they don't care to be informed. This sort of crap is gonna be around for a long long time...
:). There's also the problem with users running as admin all the time, meaning the only line of defence is the security policy of the web browser, not the users' permissions.
Yes and No. The user has to agree, but on XP the user has been trained to agree -
A big difference I notice between Windows XP and OS X (one of those nix) is the number of times I have to click 'Next' or 'Previous' in dialogs in Windows, just to get anything done at all. In my opinion the main reason for the growth of spyware on Windows (before ubiquity) is the way the OS trains you to click, click, click to do anything at all. You end up not reading any of the dialogs because you read the first few words and guess the rest. The user is inured to warning dialogs of any sort, and starts to click through the forest of 'Next' buttons to get to where they want to go (or thought they wanted to go
In contrast on OS X you very rarely have to say 'ok, do this, then that, next, next, finish', you are asked one simple question (usually) with an 'OK' the first time you open a document type with an application. And you very, very rarely have to enter your admin password, practically only when you are installing big applications like Photoshop which need to install libraries. So if a website pops up an authentication dialog (which they can't anyway BTW), you know something is wrong; you stop and think about it.
That said user ignorance of what constitutes safe computing is a problem too.
If you are in charge of network security in any capacity, you understand that it is "your job" to stop this kind of traffic at the perimeter, if your systems are so complex that you can't configure what you have to do it, get a Barracuda Spyware Firewall, I have said it before in numerous posts about Spyware and Adware and Malware ad nauseam, why is this concept so hard for Sys admins, engineers etc to embrace? Treat the internet like a singles bar, would you screw anybody you met there without a condom??? I didn't think so, so treat your computer/network like a dick. Use a third party protection device if necessary.
Do your best to educate home users, but talking about computer security is like discussing Politics, Religion or Sports at the dinner table, everyone has their own beliefs.
Sig Hansen?
This is taken a little out of context, but something that actually happened in an IRC chat channel.
user: how can I fix my PC to be able to play these songs?
me: listen, you need to clean your PC from that virus first
user: how do I do that?
me: go there and bla, then blabla and bla you're done
user: what? I just want to listen to my music
- user has quit