Slashdot Mirror
Market Research Company Secretly Installs Spyware
An anonymous reader writes "Forbes reports that two security experts are raising new questions about comScore, claiming that company's tracking software is being installed without consent on an unknown number of computers. The widely-used online research company takes screenshots of every Web page viewed by its 1 million participants, even transactions completed in secure sessions, like shopping or online checking. ComScore then aggregates the information into market analysis for its clients, which include such large companies as Ford Motor, Microsoft and The New York Times Co." From the article: "'[The] software is sneaking onto users' computers without the user agreeing to receive it,' says Harvard University researcher Ben Edelman, who documented at least ten unauthorized comScore downloads. Eric Howes, director of malware research at antivirus company Sunbelt Software, and his researchers separately observed hundreds of unauthorized comScore downloads in a three-month period this fall."
Is anyone going to do something about this?
Some justice,revenge,butt chewing,anything?
Do we write our congressman,DOS them or what?
all problems and no solutions.
It must be illegal on some level.
do we file a massive suit and each collect $5 or what?
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
I'm sorry but monocultures and all that. I've given up warning people. It's their own responsibility to look after their computers? What they can't? Dearie me, that'll be hmmm, $$$ then.
Deleted
the previous story mentioned social justice in the headline... social justice here would be to have CD copies of their malicious software being rammed up their backsides "without their consent" so to speak...
Why is the DOJ worried more about aunt Eunice downloading MP3s than they are about people who are maliciously causing harm?
sigh, I'll write but I wonder if my representatives will actually notice...
Support NYCountryLawyer RIAA vs People
First, we have the NSA, DHS, et al target their illegal wiretapping programs at spammers and spyware makers. They've got the infrastructure to track these people down, and this is a justification for the programs everybody can get behind.
Second, when a spammer is caught, we ship them down to Gitmo. It doesn't matter, in this case, whether torture is an effective means of getting information. We don't need information from them, we just want them out of circulation. We can hope that it would be a deterrent, but really they'll be getting it for the simple reason that they deserve it. Republican/Christians get to torture and sodomize to their shrivelled little hearts' content, and we don't have to worry about damaging our reputation in the world community. Everybody's happy!
Gentlemen, there is no way that we can lose on this one!
Keep in mind when reading that by "unauthorized download" they don't mean copyright infringement, they mean that a third party installed ComScore software without *your* authorization.
I want to proactively block any chance of getting caught by this. I just added this to my (Windows/XP HOME SP2) HOSTS file (C:\windows\system32\devices\etc\HOSTS):
I recognize this is but a start. I expect this has been investigated by others already. Rather than re-invent the wheel, I'm looking for some input on what else I can do to protect myself from them. (I already use ONLY firefox, and also have AVG, AdAware, Spybot, and WinPatrol)
Questions:
FYI: Wikipedia's ComScore Entry
The thing that really gets me is that their monitoring software installs a root certificate in the user's browser so that they can do a "man in the middle" attack to https:/// connections at their proxy servers. In many cases, comScore gets permission from end users to do this, but I don't think many users really realize how much information they're exposing by doing this. Most obvious is bank passwords, etc, but comScore says they don't monitor those. comScore DOES however say that they verify their user's name, address, income, etc., which I'd imagine most users wouldn't actually agree to if they were fully informed.
why the hell don't the cops show up at the company's door, break it down, and arrest everyone responsible and make sure CNN news crews are there to record it and make a story out of it. Then maybe these stupid, evil marketing people will stop thinking they can get away with it! It's called illegal for a reason. If they can arrest a guy for putting a distributed processing screensaver on school computers, they can arrest marketing execs!
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
This isn't what the actual article says. It says "virtual photos". Most likely is that it's just collecting URLs.. and maybe the contents of the page.. There would be no reason to do screenshots... It would make things much more difficult to analyze.
-- these are only opinions and they might not be mine.
So what good is the Computer Fraud and Abuse Title Act 18 Section 1030 if the FBI will not enforce it?
They have to install it on the computers of people who don't agree to it, because if they only monitored people who agreed to it, it would skew their results, because they'd be using self-selected samples! Think of the marketers!
I suffer from attention surplus disorder.
Download their software onto a 'tame' computer, and use it to browse 'interesting' sites.
Who would have thought that people who regularly view Ford's web site also like Goats ?
Indeed. That's why I use Minix as my operating system, vi as my word processor, and links as my web browser. Come and get me, you bastards!!!
OK, now you're just being silly.
Sure, abstinence is the only 100% effective way of preventing STD's, but teaching that and nothing else, is an extraordinarly dumb thing to do, because it goes against our natural instincts. We are born with the need for sex, and when it awakens it tends to go a little nuts. Abstinence only education can lead directly to teen pregnancies and the transmission of std's, because kids are not given an alternative method of protection, and in fact statistics show that it simply doesn't work in any way shape or form. Ignorance is not protection.
Your gun lesson analogy is a bad one. Firing guns is not a natural urge written into our genes.
ALL teens have sexual urges, but only a handful of nutcases have the urge to shoot their classmates.
Thus, your argument is a red herring.
That being said, it wouldn't hurt to have an alternative method of protection against guns, such as trigger-locks, and not rely solely on the "don't do it because I said so" method (which incidentally is the same one used in abstinence only education).
A more proper analogy would be:
You have a swimming pool in your back yard. You can tell your kids not to go in it all you want, but one day, when you're not looking, they will, and when that time comes, wouldn't it be safer if they've been taught how to swim?
-- This sig for rent.
I hope that some group or someone special takes the lead on this and not only goes after civil penalties but criminal penalties as well. I was to see someone in control of these decision sent to prison for their decisions to make this happen. I ALSO want to see the programmers and implementers of the methods used here sent to prison for their misdeeds.
I think there is a point that needs to be driven home into our culture that it's NOT okay to do anything for money. Because I believe that at some level we all somehow forgive these people for their tresspasses because their motivation was for profit... and we all understand the need for profit right? No, there are limits to what is acceptable behavior with a profit motive and like HP's spying (which arguably wasn't directly a profit motive but performed by a profit seeking competitive organization) we should not simply dismiss this as yet another "white collar crime" and move on. If people felt like they were risking more than a few hundred thousand of their millions of dollars, they just might think twice before ordering these things be done.
Maybe you're 12 and your time's worthless. Mine isn't and I now charge $$$ to fix computers. You don't want to pay? YeeHaw! Go away, fix it yourself then, or find some rather dim student who has nothing better to do. People have the right to privacy and surf the net unmolested, no matter the OS they use. Awww, how sweet. Welcome to the real world, not the idealised socialist one you have in your head.
Deleted
Is it necessarily a winblows problem or a browser plug-in/extention problem?
*Repent!Quit Your Job!Slack Off!The World Ends Tomorrow and You May Die!
- AOL
- Best Buy
- Borders
- CareerBuilder.com
- Clear Channel Communications
- Columbia House
- Digitas
- Discover Financial Services
- Eli Lilly and Company
- Expedia
- ESPN
- Ford Motor Company
- General Mills
- Google
- HP Home & Home Office Store
- Hyatt Corporation
- Interpublic Group
- iVillage
- Johnson and Johnson
- Knight Ridder Digital
- Mattel
- Medscape (Web MD)
- Mercado Libre
- Microsoft
- Monster Worldwide
- NASDAQ
- NAVTEQ
- Nestlé USA
- The Newspaper Association of America
- New York Times Digital
- Office Depot
- OMD Digital
- Orbitz
- Pepsi
- Procter and Gamble
- Starcom IP
- Terra Networks
- Ticketmaster, LLC
- T-Mobile
- Tribune Interactive
- Verizon
- Viacom International
- Washington Mutual
- Yahoo!
Retrieved from http://www.comscore.com/about/clients.aspI find it sort of funny that whenever I want to find a place to download the garbage mentioned in stories, I can't.. I can only remember Gator letting you go on their website to directly download what it is you wanted.
(For those wondering, sometimes I feel like downloading things just so I can play with it if I wanted to, in a VM for example, where a snapshot can make everything go away)
There is another kind of evil which we must fear most, and that is the indifference of good men. -- Boondock Saints
They commission third parties to do it. That's plausible deniability.
Enticing a third party to commit a crime should carry heavier penalties than doing the crime yourself. Especially when as in this case multiple third parties are enticed.
And comShare is receiving stolen property - property stolen only because they offered to buy it. But do we need new law in this area to properly jail these fuckers?
"with their freedom lost all virtue lose" - Milton
from the article:
"Two years ago, university IT managers busted comScore for tricking students into installing tracking software packaged with a free Web-accelerator program."
Why are university students downloading a "Web-accelerator program"? Because they're too stupid to know that these programs are worthless bullshit. Once again, we see that the biggest problem is not viruses or "spyware" -- it's user stupidity.
You have a swimming pool in your back yard. You can tell your kids not to go in it all you want, but one day, when you're not looking, they will, and when that time comes, wouldn't it be safer if they've been taught how to swim?
That's a nice analogy, but it doesn't fit. Almost every friend I've set up with Firefox, firewalls, anti-virus programs, etc. has, within days, DISABLED those programs and gone back to surfing bareback.
Why? I ask.
Every bogus reason in the book:
"It was too *slow*" (It wasn't)
"I didn't *like* it!" (Won't say why)
"It *messed up my computer*" (How, they can't say).
"The Icons look wrong" (no joke)
Now I just walk away. Why waste my time with bozos when actual work is available for which I'll not only get paid, but get a "thank you" along with the check?
If comScore isn't being devious or underhanded, why don't they have a clear install/operation routine that warns you every time you fire up a web-browser session?
All it would take is a box, perhaps giving you an opt-out for that session or simply just recording URLs. This would still provide accurate and interesting data. Especially in the latter.
Then the marketing droids would see which kinds of information people didn't want them to track.
I'm guessing they chose the spyware/malware route (which I see this software as) because they realized the obvious: who, in their right minds, would allow all their web surfing habits to go to someone else?
Additionally, how long do you think it is going to take for someone to alter the URL/IP in the software to send that data to another proxy? How long would it take any non-very-technical user to figure out this had been done?
Yet another reason to own a Mac.
:-)
Snob.. Own a Mac.
Sensible about security.. Own a non-Windows computer.
Smile
The truth shall set you free!
Don't be alarmed ! It affects only Windows.
We Linux users are safe.
It's not really a Windows technical problem (what comScore did could probably be done on Linux), but more of a Windows culture problem. I don't know about you, but I get nervous when I download source code for a program and run it without looking over the code. I get doubly nervous if I download a binary and run it. Back when I ran Windows (many years ago), I had no problems downloading and running programs from the Internet. If I happen to use Windows today, I still do that (though I'm pretty selective of the sources of the binaries).
Of course, the question is if people migrated en mass to Linux, would they bring their bad Windows habits with them? Probably. Most people don't understand computers and don't really know why running binaries from the Internet is a bad thing. They do it all the time, and really they have no choice since most MS computers have no compilers on them.
Technically, it's possibly to have spyware on Linux. Culturally and socially, it's much less likely.
"Save the whales, feed the hungry, free the mallocs" -- author unknown