Slashdot Mirror


User: The_Bagman

The_Bagman's activity in the archive.

Stories: 0
Comments: 11

Comments · 11

  1. Re:seems somewhat incomplete... on Study Notes Decline in Internet Spyware · · Score: 1
    The study also examined bundled installers (they called them "spyware piggybacked on executables"); here's a link to the full study:

    http://www.cs.washington.edu/homes/gribble/papers/spycrawler.pdf

  2. Re:Loading it with viral code? on Blogs Latest Source of PC Infection · · Score: 1

    The article is poorly written, but I believe it is referring to drive-by-download code. This is typically malicious JavaScript and/or ActiveX code that exploits a flaw in IE's security model to install and run executable code on your computer as a side-effect of your visiting the Web page, and often without your knowledge or consent.

    The blog angle is a bit of a red herring. Drive-by download attacks can happen on any web page, not just blog web pages. There are two phenomena going on with respect to blogs these days: attackers are uploading attack code to legitimate blogs as comments, and attackers are setting up bogus blogs of their own to deliver attack code.

  3. Re:Should I be worried? on Pentagon to Significantly Cut CS Research · · Score: 1

    Computer science has had unbelievable advances in the past decades, and not just in AI:

    - parallel computing and supercomputing
    - the Web
    - scalable clusters and Internet services
    - mobile computing
    - breakthroughs in graphics
    - breakthroughs in vision
    - stunning advancements in computer architecture
    - fundamental advances in theory, algorithms, etc.

    It's true that the 50s, 60s, and 70s were wonderful in that many concepts were first discovered, but computer science had its greatest impact over the past two decades. Think of it this way: in the 70s, nearly nobody had touched a computer, let alone us having our national infrastructure depend on computing and internetworking!

  4. Re:Watch out VMWare and Microsoft my ass. on Red Hat, Novell To Package Xen · · Score: 2, Informative

    Xen is *very* different than plex86. Xen is a virtual machine monitor - it directly executes most instructions, and achieves performance that is within a few percent of non-virtualized operating systems.

    Plex86 is an emulator - it interprets most instructions, and it is dog-slow.

    It's true that Xen requires the guest OS to be ported to the Xen virtual architecture, but this has been done for Linux.

  5. UW report - read it carefully on Every 5th Call At Dell Is Spyware-Related · · Score: 5, Informative
    It actually says 5.1% of computers were infected with one of Gator, SaveNow, Cydoor, and eZula - just 4 out of the hundreds of spyware programs out there.

    It didn't answer how many of the computers were infected with any spyware program, just those four.

  6. very squishy on Copyright Office Suggests Changes To Induce Act · · Score: 5, Insightful
    Here's the really interesting exclusion (i.e., something that does not count as an overt act that is liable):

    • (A) distributing any dissemination technology capable of substantial noninfringing uses knowing that it can be used for infringing purposes, so long as that technology is not designed to be used for infringing purposes;
    P2P networks are capable of substantial noninfringing uses (whether or not they experience substantial noninfringing uses).

    So the question comes down to whether or not a P2P network is designed to be used for infringing purposes -- it seems there is some measure or intent that is required for this to be true, and that seems awfully hard to decide or prove one way or another. But, this is sufficiently ambiguous that it would need to be decided in a very messy court battle. Plus, this clause doesn't place any limitations on the extent of infringing purposes for which the technology must be designed - one could argue that if it allows even a single infringing use, it was designed that way, and therefore it was designed to be used for infringing purposes.

    Of course, one could make the same claim about email.

  7. the appeals court clearly "got it" on Grokster Wins Big in Ninth Circuit · · Score: 5, Informative
    As Felten and others noted on their blogs, the money quote is:
    As to the question at hand, the district court's grant of partial summary judgment to the Software Distributors is clearly dictated by applicable precedent. The Copyright Owners urge a re-examination of the law in the light of what they believe to be proper public policy, expanding exponentially the reach of the doctrines of contributory and vicarious copyright infringement. Not only would such a renovation conflict with binding precedent, it would be unwise. Doubtless, taking that step would satisfy the Copyright Owners' immediate economic aims. However, it would also alter general copyright law in profound ways with unknown ultimate consequences outside the present context.

    Further, as we have observed, we live in a quicksilver technological environment with courts ill-suited to fix the flow of internet innovation. AT&T Corp. v. City of Portland, 216 F.3d 871, 876 (9th Cir. 1999). The introduction of new technology is always disruptive to old markets, and particularly to those copyright owners whose works are sold through well-established distribution mechanisms. Yet, history has shown that time and market forces often provide equilibrium in balancing interests, whether the new technology be a player piano, a copier, a tape recorder, a video recorder, a personal computer, a karaoke machine, or an MP3 player. Thus, it is prudent for courts to exercise caution before restructuring liability theories for the purpose of addressing specific market abuses, despite their apparent present magnitude.

    Indeed, the Supreme Court has admonished us to leave such matters to Congress. In Sony-Betamax, the Court spoke quite clearly about the role of Congress in applying copyright law to new technologies. As the Supreme Court stated in that case, "The direction of Art. I is that Congress shall have the power to promote the progress of science and the useful arts. When, as here, the Constitution is permissive, the sign of how far Congress has chosen to go can come only from Congress." 464 U.S. at 456 (quoting Deepsouth Packing Co. v. Laitram Corp., 406 U.S. 518, 530 (1972)).

  8. definitely helpful but no silver bullet on Red Hat Introduces NX Software Support For Linux · · Score: 3, Informative

    This is basically an "execute / no-execute" bit in the page-table entries. It means the OS can mark portions of an application's virtual address space as non-executable - such as pages in the heap or the stack. It'll help against buffer-overflow attacks that put new assembly code in the stack and return into it. It won't help against buffer-overflow attacks that return into existing code (e.g., to do a system call). It won't help against worms that take advantage of meta-character expansion vulnerabilities. It won't help against scripting flaws (such as JavaScript, ActiveX, or Visual Basic/Outlook vulnerabilities). It won't help against weaknesses in the OS itself.

    Think of this as raising the bar. Of course, the "clever" attackers will still find flaws, and still write code for the script kiddies to use to exploit them.

  9. spyware vs. adware vs. software on Yahoo Anti-Spy Favors Yahoo's Adware Partners? · · Score: 5, Insightful

    The main problem with all of this is "where do you draw the line between spyware, adware, and software?"

    Unlike viruses or worms, it's not at all clear where the line is between "good" and "bad." It may be that Claria has a valid business model, in which case they have a strong case that their software shouldn't be lumped in with the likes of clientman, or other truly nasty spyware. Certainly, their business model is not illegal today. (Of course, I personally don't like it, and would never use their software.)

    Should Yahoo include "windows update" or "redhat update network" in their list of spyware?

  10. probably won't work, but still good news on L.L. Bean Suing Competitors For Spyware-Linked Ads · · Score: 5, Insightful

    Just like with peer-to-peer file-sharing software, there's an interesting debate here about whether companies like Gator should be free to manufacture and distribute software that ostensibly causes damage to certain population segments. For P2P software, the damage is supposedly to the recording industry. For spyware, the damage is supposedly to the consumer and to companies whose brands are targeted by adware.

    I'd hate to see the right to produce software get eroded, but on the other hand, something's gotta be done about spyware. This is an interesting approach: go after those that use the spyware (the companies that deliver ads through it) rather than those that vend the spyware. This has similarities to the recording industry going after those that use P2P to violate copyrights instead of those that vend P2P software.

    But, my hunch is that displaying brand-targeting ads is a harder sell as illegal activity than distributing media you don't have rights to...

  11. Re:Key technologies? on Interview with John Scully · · Score: 5, Informative

    Both HyperCard and the Newton were innovative, influential, and as is often the case, poorly timed relative to technology trends.

    HyperCard: here was a programming and publishing framework designed to be approachable and usable by everyday people, with the added bonus of "immediate gratification" - the act of writing code immediately produced a tangible artifact, much like writing HTML today immediately produces a web page that anybody can visit. But, HyperCard predated widespread Internet usage and the Web, and nobody could figure out what it was good for (except fancy slide shows and choose-your-own-adventure style storyboards).

    Newton: to be sure, the Newton borrowed heavily from previous projects and products (including stuff from Xerox PARC and Mark Weiser's ubiquitous computing vision). But, once again, Apple innovated. The device was (almost) powerful enough to run useful software while disconnected, the UI was pen-driven, and the device was energy conscious enough to be usable throughout the day without docking it for recharging. Here was a physical appliance targeted towards being a useful digital assistant, and here was a computing model radically different than desktop PCs that everybody was used to. Unfortunately, mobile processors weren't fast or energy-miserly enough yet, handwriting recognition was poor and graffiti-like techniques weren't there, the device was the wrong form factor, and a bunch of stuff was thrown in there that wasn't useful (like the "soup" programming paradigm).

    Tons of innovation, tons of influence, but before their time and hence market failures.