Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
The Internet Your Rights Online

Pop-Under Deception and Private Property 103

Posted by CmdrTaco from the sleeping-in-the-bed-you-made dept.
RogerRamjet98 writes "I was browsing the web today and I got hit with a pop-under ad. Annoying but no big deal, right? Wrong. This one managed to change my home page to (CT:Link removed. Why would we send these dicks traffic?) Which pretends to be yahoo, and is convincing enough to fool the average computer user, but is really a platform for launching more pop-under ads. Combine this with the AOL/WinXP news, and it makes me think that the settings on my computer ought to enjoy legal protection as private property: Changing them without my permission (such as adjusting my home page, or whatnot) should constitute assault or trespass." Or turn of JavaScript. Or don't run IE. But good luck on that trespass case. With a history of laws like the DMCA, Uncle Sam can only make it worse.
This discussion has been archived. No new comments can be posted.

Pop-Under Deception and Private Property More

Pop-Under Deception and Private Property

Comments Filter:
  • As the post suggests, there are probably a couple of potential solutions to something as sick as this: legal and/or technological.

    Tech law, cyber law, or whatever one wants to call it is too early in its development to provide much help here. As CmdrTaco pointed out, the few times lawmakers get involved in this field, they really screw things up (eg, DMCA, patenting obivous things with lots of prior art, etc.). There aren't a lot of helpful precedents and/or laws on the books, so we are probably out of luck here.

    There are some novel legal theories one could try from (NON-intellectual) property law concerning trespassing, personality, etc. But, again, things are too unsettled in this area for these types of legally novel theories to have a high probability of success as causes of action.

    My thought is that the best possible solution to all of this is some combination of technological and legal solutions.

    Technologically, there have been a lot of work done on blocking pop-up ads and maybe something like that can be used here.

    Legally, it would be great if people could do something like what RMS has done with GNU GPL and give individuals A LOT of legal protections over their privacy and presence on the Internet and let them contract -- under their own informed free will -- with others on what terms individuals are willing to interact with businesses on the web.

  • you copyrighted your preferences, then put some lame arse encrption on them, defeatable simply by accessing them through javascript, you could get these guys thrown in jail without bail...
  • I can't comment on what browser the original poster is using, but taking the IE theme further, I will say that is one browser that is too integrated with its environment, at least under Windows. There are one or two websites that will install an application, without you even knowing, to change your cursor to something else. Sure this is a harmless installation, if not irritating, but imagine if the that application was a virus?

    If you combine this behaviour with the recent IIS targeted virus, then you could easily have a virus that modifies web pages to include javascript to install itself into the machines of the vistors to the site.

    I definetly ask myself why Javascript is not limited to a sandbox, in the same way Java is? Until then best use some other navigator to surf the web.
  • Something roughly along the same lines happened with UPS shortly after I quit working as an underpaid and overworked tech support for them. Their new software, Worldship (which customer were being told they had to upgrade to) installed IE 5.5, made it the default browser, deleted all the customers bookmarks, and set ups.com as the homepage, all without asking the customer. I was extremely glad I quit before this happened. Last I heard some people had filed a class action lawsuit, although I don't know where it went from there.

  • This should be illegal! (Score:4, Insightful)

    by Pedrito ( 94783 ) on Wednesday August 01, 2001 @07:37PM (#4452)
    Changing them without my permission (such as adjusting my home page, or whatnot) should constitute assault or trespass.

    Actually, this may constitute breaking the law. After all, if you hack into someone's computer and change any data on their computer, then you've broken the law. If you write a virus that goes in and changes data on someone's computer without their knowledge, again, you've broken the law. Seems to me that this qualifies. You don't have to do any damage, per se, but changing the data on their computer is enough.

    IANAL, but I don't see a real distinction between a virus and what these ads are doing. Just MHO.
    • Nope it is acceptable to add your site to peoples bookmarks. You can even download a dreamweaver extension to do such a thing. It takes very litle work to make this the homepage (i now add - like icq and aol do)
    • Yeah...all we have to do is figure out how to sue them under the DMCA.

      Let's see...

      First, we copyright our web browser configuration. Then, we define our homepage as a copyright protection measure. Then, anyone who changes the ad is circumventing a copyright protection measure for profit! A pirate! Sic the federales on 'em! Yeah!

      Hey, the DMCA could be a lot of FUN if we just abused it the right way. :)
  • You were just trying out a neat new javascript trick on the front page for a few min and THOSE DICKS are really the slashdot crew. ::grins::
  • IE makes no difference, Nutscrape is just as bad.
    As for disabling Javascript, say goodbye to quite a few websites that make extensive use of javascript.

    • "a few websites that make extensive use of javascript" are certainly no great loss. Any site excluding text-based clients (and blind users) don't deserve to be visited.

      • Any site excluding text-based clients (and blind users) don't deserve to be visited.

        cough..troll..cough

      • Hmmm, so I guess a gaming website for a first-person-shooter really needs to be accessed by a blind user? Sorry but I don't buy it, we can't change everything on earth to accomodate every disability, certainly we should try to make our world as accessable as possible for people with disabilities, but how much sense does it make to accomodate a blind person visiting a website for realtime graphics-intensive games? Would you really worry about if a person paralyzed from the waist down could access a section of a gym containing excusively things like bikes and walk machines?
        I don't like the way the web has gone, with graphics all over and absurdly fancy layouts and irritating colors, but that's me hating complexity where it need not exist, I live with it, and just because a website uses javascript, doesn't mean it doesn't deserve to be visited.
  • You could turn off scripting, or use a browser that doesn't permit that kind of manipulation.

    Sorry, but while these covert actions are annoying, and the people behind it definitely ought to be smacked hard, it's not cause for legislation - unless, perhaps, they are taking advantage of security holes to alter your settings in destructive ways.

    • unless, perhaps, they are taking advantage of security holes to alter your settings in destructive ways.

      Exactly. We're talking about the potential for someone inspecting or modifying data stored on your computer without permission, explicit or implicit. Although the browser manufacturers are partially responsible, in my opinion it would be an easy sell to have lawmakers consider this in the same way as cracking. Especially if you embellish it a bit for your congressperson: "Just think -- one of these could pop up and change your homepage to pr0n! Or Ralph Nader's homepage! Think of the children!"

    • It's an unauthorized modification of data.
      It's no different than someone defacing a website, the latter is just more visible.
      • So what qualifies as an unauthorized modification of data? You are the one receiving data and running the code; they are not executing it remotely. It is, to some extent, your responsibility to see that mailicious code isn't executed on your computer. This is why browsers have security settings.
        • If a person intentionaly writes a virus to cause unauthorized modification of data and sends it to you, and convinces you to run it without telling you that it's a virus, that's unauthorized modification of data. The *exact* same thing happened here, except here they're doing it without you even realizing you're RECIEVING something from them, and you don't explicitly RUN this code at all.
          Yes a person should be responsible enough to keep up on security patches and set proper security settings in their browser, but that doesn't mean we shouldn't hold the people writing this malicious code responsible.
          To use a common analogy, do we let a mugger go because the victim shouldn't have been in that part of town at night?
    • Perhaps a solution would be JavaScript policy files, anaogoulos to those used by sysadmins in the systems they admin. A lot of sites use Javascript ethically and for legit purposes, but some sites exploit JavaScript functions that have no real purpose except to annoy people (like pop-under ads, changing homepages, pop ups when leaving a site, etc). By having policy files, one could configure their browser to allow some JavaScript, but not all. This way we dont shutoff JavaScript entirely and lose the benefits it adds to some sites. Maybe someone could integrate this into Mozilla?
  • CLI users are immune to this, right?
  • Changing them without my permission (such as adjusting my home page, or whatnot)
    I guess this guy isn't using IE (which prompts you before allowing the home page to be changed via script). So which browser is this guy using? Allowing a site to change settings without any kind of prompt is ridiculous.

    • Re:Bad Browser! Bad! (Score:2, Informative)

      by alteridem ( 46954 )
      I have a link on my homepage that allows you to set your browser homepage to that page. If you click on it, IE displays a message box confirming the change. Either this guy is not running IE, he clicked Okay, or there is some security setting that I don't know about that turns off warnings. In the second and third case, its his own damn fault for either accepting the change or having his security settings so open.

  • That's a nasty one, kinda like the old DOS programs that would put up a screen or message that looked like your network log-in prompt, and then record your password before logging you in as normal.

    I don't see how you're ever going to legislate against something like that, though. You immediately raise unanswerable questions about what consistutes an e-trespass, and what constitutes giving permission to change something on your system.

    Fortunately, there is always an easy answer. People forget in this world of scripting and viruses that no-one can ever force you to run something on your own PC -- not even MS, though they wish they could :-). If you don't like it, just run with a browser where you can switch off cookies, Javascript, and all the other rubbish. Such things are freely available; all you have to do is go get them. 'Course, it would be nicer if switching them off was the default, so the people who want them get them, but the people who aren't informed enough to know about them don't get screwed...

  • WTF? (Score:2)

    by zpengo ( 99887 )
    Yeah, I just got hit with that one too. I wasn't aware that JavaScript could wreak so much havoc to my favorites and settings. Shows what I get for using IE, I suppose.

    This doesn't sound *too* bad, but it won't stop there. It won't be long until some script kiddie figures out a way to change all the URLs on people's favorites to theirs. And by the time that people find out, it's too late -- They don't even know where the popup was (or that it even was a popup! I had no idea until just now...)

  • Is internet explorer the only one vulnerable to these malicious javascript?
    • I was thinking there is a site safeweb [safeweb.com] that offers anonymous, encrypted web browsing that can turn off cookies, malicious javascript, and pop-up windows. It works good on internet explorer, but is really buggy on my mozilla release.
    • I thought that changes to your setting via javascript, or java had to be approved by you. I guess I'm mistaken...

    • Re:what about IE? (Score:2, Informative)

      by nutsy ( 33125 )

      Is internet explorer the only one vulnerable to these malicious javascript?

      Probably not. In fact iexplore has considerably finer-grained controls for javascript (or as it says, "scripting of java applets") than netscape (or at least current versions of netscape).

      Options -> Internet Settings -> Security -> The Internet -> Custom -> Scripting

      and set everything to either "Prompt" or "Disable" as whim requires.

  • Something similar has happened to me before, while other sites ask "Would you to set your homepage to ...?" I wonder if the ability for a site to do that without a pop up asking permission could be considered a security hole that MS should make a patch for, as one site modified my Windows registry to make that site the 'default' home page.

  • Technical Details (Score:3, Interesting)

    by Self Bias Resistor ( 136938 ) on Wednesday August 01, 2001 @07:39PM (#25254)

    Are there any people (who have enough knowledge of Internet Explorer or the Windows OS in general) how this could be achieved? I find it very disturbing that such settings (such as your browser's home page) could be altered remotely without your permission, which could constitute a breach of computer security. As far as I know, (depending on your jurisdiction) there isn't any specific legislation that marks your computer's settings as your private property. The only thing you can do is, like Taco said, disable JavaScript or don't run IE. Which makes sense anyway.

    • Are there any people (who have enough knowledge of Internet Explorer or the Windows OS in general) how this could be achieved?

      Most recent browsers provide a function in their scripting that lets you set the home page for the browser. This is what sites use when they provide a button that says "Click to make this site your home page" or some such. If you've got sensible browser security settings in place, you'll get prompted before the browser will actually do it, but many people have security settings too low for that. For those people, all it takes is a web site that hooks up the script to set the home page to run when the page is finished loading, and bang, one reconfigured browser.

    • Re:Technical Details (Score:2, Informative)

      by gr3g ( 119302 )
      I don't know much about javascript but what I have worked with is that there is a command to actually change your homepage. it was originally intended to be like "click here to make this your homepage" kind of thing. unfortunately javascript also allows things to happen automatically like linking automatically, etc. so these people put 2 and 2 together and voila. annoyance without a lot of effort.
      I would look up the commands for you, but I thought it wouldn't be that great to post 'em all over.
      p.s. not tested for accuracy ;)
    • Here is a really quick guess (keep in mind I have no idea what site we're talking about here so I can't verify anything). Ever seen "Comet Cursor?" It's a little ActiveX (I think) program that installs itself without asking when you visit a webpage with its control embedded, and when your IE Security settings are low enough that a prompt isn't forced for running ActiveX stuff. Comet Cursor is a real pain -- you've got it before you know it, and they make it annoying to uninstall ("reboot required", etc). But anyway, I wouldn't be surprised if changing your homepage without asking could be done fairly easily using some sort of ActiveX (though if your IE security settings are low enough maybe there's even a way to do it with javascript). The more insidious thing about automatically installing applications like Comet Cursor, however, is that along with the "useful" app comes spyware galore. Just a few little mumblings...

  • And which dicks would those be? (Score:5, Interesting)

    by devphil ( 51341 ) on Wednesday August 01, 2001 @07:35PM (#25741) Homepage


    Granted, I agree that we shouldn't send "those dicks" any traffic. And I agree that companies who do this sort of thing are indeed dicks. And I also agree that it would be most amusing to see an entire /. comment page referring to an unnamed corporation only as "those dicks" because we don't have a name or a domain.

    But it would also get old quickly. So, Taco, what's the name of the organization whose link-to you removed? Not a domain or anything, just a noun that we can use instead of "those dicks."

  • Some states have laws against unauthorized access to a computer's resources. Surely a "pop under" advertisement has not been granted permission to your resources, and changing your settings is definitely a form of "access". Why not go after them with that angle.

  • Where's the script? (Score:1, Interesting)

    by Anonymous Coward
    Could someone post the script that changed the home page (suitably neutralized, of course)? I know of no way to change someone's home page without permission; if such a way exists, it would be a bug.

    I suspect the poster was tricked into approving it, but is too proud to admit it... its seems the usual reaction to being duped is to cryout, "there outta be a law..."
  • I wish there were a better solution. Unfortunately, some of the sites I like to hit use javascript. Javascript is occasionally useful (more often than not, in fact). It seems that forsaking a technology simply because some people choose to abuse it isn't the way to go about doing things (*cough*napster*cough*).

    So besides disabling Javascript, what else can we do? Is legislation a viable option? Complaining to the webmaster of the site with the evil js?

    What have you tried that has worked for you?

    FP

    • Re:I wish there were a better solution (Score:1, Funny)

      by Anonymous Coward
      Switch browser..?
    • Well, doesn't the Mozilla project already have code in place for "selective" javascript, ie: choosing which sites can or cannot use javascript, much the same way that Mozilla allows one to define the use of cookies and images? As soon as Mozilla includes a GUI for the backend code they've already written to do this kind of filtering, we'll have our solution:

      Run Mozilla/Galeon/K-Meleon, and encourage others to do the same, explaining to them *why* they should consider changing over!

    • If you have an OS that utilizes file permissions, such as one in the Unix extended family, simply remove write permission for everyone from your configuration files. Even chown them to root to be extra safe.

      You'll have to go through a few more steps if your want to change your settings afterwards, but I don't see how javascript will be able to change anything behind your back.

    • Unfortunately, some of the sites I like to hit use javascript. Javascript is occasionally useful

      This has probably been mentioned before, but... One workaround in Internet Explorer is to go to the security tab and disable (or force prompting for) cookies and javascript for "Internet", and then to "opt-in" the sites that you trust by placing them on your "Trusted Sites" list (and allow cookies/javascript for trusted sites). Ideally, you should have finer-grained control than to put all sites into just two categories, but if you're stuck using IE and you don't want to go with a web filter like Proxomitron [spywaresucks.org], it's better than nothing.

  • I dont suppose anyone reading this has any pull with the various w3c commitees?

    There should have been an overhaul of javascript a long time ago. PARTICULARLY since stylesheets require javascript [Who the hell got bought out to get that one in the spec??]

    There should be a subset of javascript that is only related to validating forms, playing around with formatting on the same page, etc. but has all of the secret nasty stuff like changing preferences and cookies TAKEN OUT. That that version, and only that version, could be the required scripting component for CSS, etc.

    javascript could be turned into an actual force for good, instead of the deep pit of evil it is currently.

  • I don't know if DOS retaliation is the right tact to take, but it sure is a shame we can't have a real life doberman that will sick whoever makes a pop-under ad... Wonder where X-10 HQ is?

    If you don't think too good, don't think too much
    www.jdhodges.com [jdhodges.com]

  • The disintegration of the commercial wing of the web has led to this sort of desperate "we have to show a profit NOW" sort of behavior - only companies that show a very-short-term profit have any hope of added investor funding, and the few web-content survivors like Yahoo and Salon are thrashing around for *any* opportunity to differentiate themselves and make a quick ad buck.

    When web advertising was less invasive, this was not such a big deal to readers. In fact, it was the business-model-of-last-resort: "ads will pay for an essentially free internet." (Let's play find-the-fallacy.) Web publishers ("content providers") promised the moon to advertising customers - that they could instantly generate sales and site visits, measure the results with click-throughs, and do this all without alienating their own base. It didn't work that way.

    If the expectations of web advertising had been more moderate to begin with - in line with those of print ads - this sort of thing wouldn't be happening now. But I don't expect it to get better. I don't believe in rational markets with good information finding optima, I believe that irrational expectations create bad situations, vicious cycles develop, and things fall apart. The nice bit about it is that we are, ultimately, getting the internet back from the suits that are failing to selling it to us.

  • la la la la la la la la la la (Score:5, Insightful)

    by legLess ( 127550 ) on Wednesday August 01, 2001 @07:52PM (#43394) Journal
    Or turn of JavaScript. Or don't run IE.
    Or bury your head in the sand. "Hey, it's not my problem ... yet." Don't miss the core issues here: (1) shoddy software design, and (2) asshole marketers.

    There are any number of really good reasons to run both JavaScript and IE. As a web developer I love JavaScript. If I validate a form with JavaScript I save the user time since they don't have to wait for the server to validate and respond (the server its own validation, of course, so I don't save any CPU cycles). This is a win for both of us: the user gets a faster response and I get a happier user.

    For people running Windows (nearly everyone, last I checked), IE is the fastest, most stable, and most feature-rich browser available. Yes, it's chock-full of security holes. That's by design. Microsoft is pretty explicit in trading usability for security, and it shows. [Some of] Their products are very user-friendly.

    To avoid getting modded down as a troll, I'll say that Microsoft sucks and only lusers use IE. Lusers like my mom, of course, who has trouble enough on the web without me updating Mozilla to milestone "slightly faster than a melting glacier" every other week on her P200. I use Mozilla, and it kicks IE's ass for my use, and on my computer.

    My point? The problems here are (a) lack of security focus by Microsoft. There should be no setting, anywhere, that allows changes to local software without explicit user consent. They have fucked this up royally, time and time again, and I don't think it's ever going to change. Plus, if they have their way, the concept of "local software" will go away entirely.

    The other problem ((b), if you're keeping track) is human capacity for evil. Some PHB had a brilliant idea: "Ok, we need to change every directory name on the computer to 'Porn-R-Us.com'. You can do that, right?". Some low-life programmer said, "Sure, there's an ACtiveX control for it."

    It all comes down to human decisions. Somewhere along the line a human being decided to fuck another human being to make a buck. The only way to stop this is to remove the buck. This is often done with a lawsuit, or other legal action. So I say yes, sue these bastards 'til they can't walk straight.

  • CT:Link removed. Why would we send these dicks traffic?

    How 'bout this: We attempt to have the server slashdotted and possibly go offline. Everyone turn off JavaScript in your browsers and we'll allow Taco to post the link. Everyone cuth with that? Even if that doesn't work, just reprogram Code Red to set it's sights on that server as opposed to the whitehouse

  • Here are some interesting examples of embedded scripting:

    My page [geocities.com]
    KernelPanic.com [kernelpanic.com]

    And this demo only works on 95/98 machines:
    My 95/98 demo [geocities.com]

  • Guide to changing user prefs in JS... (Score:3, Informative)

    by gmezero ( 4448 ) on Wednesday August 01, 2001 @07:48PM (#43462) Homepage

    Hit his URL:
    http://developer.netscape.com/support/faqs/champio ns/javascript.html#7 [netscape.com] for Netscape's guide to how to use JS to change user prefs...

  • you know most people program for the windows world.. sometimes its a good thing!

    Now that I have a super fast computer I am beginning to like mozilla and some of its features of turning off things, like images from certain servers. Maybe someone will implement turning off JS from hostile sites (like mozilla's cookie rejecting) or prompting you for this.

    NOTE I am NOT talking about turing off ALL javascript, just allowing users more control over it.

    This user may want to try proximitron (sp) it is a proxy that allows you to set up some filters. Thus turing off pop ups and pop back....

  • Arghh... make up your mind... (Score:3, Interesting)

    by killbill ( 10058 ) on Wednesday August 01, 2001 @07:46PM (#43524) Homepage
    So when somebody portscans my system, I can't prosecute them because they "did nothing illegal". Even if they root my box, I can't prosecute because they "were just exposing how flawed my security system is"...

    When somebody distributes a copy of an MP3 ripped from a licensed piece of music, it's OK because you would not have bought the album anyway ;) and information wants to be free.

    But somebody changes your homepage, and suddenly it's a job for the federal government.

    BTW, the DCMA, as stupid and flawed as it is, probably gives you some legitimate avenues to address this sort of offensive behavior.

    I know the DCMA is the only reason you won't be seeing those dreaded "smart links" in the next version of Internet Explorer.
  • ...the settings on my computer ought to enjoy legal protection as private property: Changing them without my permission (such as adjusting my home page, or whatnot) should constitute assault or trespass"

    It's your fault for letting the web sites change your home page and popping up windows. Since the default installation of IE set by Microsoft apparently lets this happen, you have to set your settings higher if you don't want these things from happening.

  • Sure...if you set your Security to "Rape Me" (Score:4, Informative)

    by JoeShmoe ( 90109 ) <askjoeshmoe@hotmail.com> on Wednesday August 01, 2001 @07:45PM (#43537)
    I've been to several pages with code that tries to alter my homepage and every time this little IE window pops up with a home icon and says "Such-And-Such is trying to make this your homepage, do you want to proceed? [OK][Cancel]"

    This is on IE's Medium security level. On High I'm sure it is even more protective. So can we please be clear about this? Is this new trick able to bypass these kinds of protections? Is this a problem only on Netscape or IE or any JavaScript enable browser?

    Keeping in mind that MS wants everyone's homepage to be MSN.com (the first thing IE goes to after installing is a page with code to make MSN your homepage) I can't believe they would allow any website to so easily snatch this setting without user interaction of some kind.

    - JoeShmoe
    • Actually...come to think of it...it is very surprising that trying to change your homepage from msn.com doesn't result in some kind of Microsoft FUD-ish message like:

      "Warning! If your homepage is changed from MSN.Com you will not receive valuable updates and integrated web functionality! Are you sure you want to proceed with this reckless course of action?"

      :)

      - JoeShmoe
    • After just reinstalling, I would just like to point out that yes, IE does take you to a page to set MSN to your home page. BUT, even if you don't choose to make it your home page, it still wisks you off there until you set a new homepage. So many, many people hit msn.com just out of shear laziness. And people wonder why msn.com is like 2nd most popular site on the internet.

  • Whoa there, Taco (Score:3, Insightful)

    by szcx ( 81006 ) on Wednesday August 01, 2001 @07:45PM (#43561)
    Or don't run IE
    Unless you edited it from the submission, the poster didn't say what browser he was using. And you know what they say about assumptions, right?

    • Re:Whoa there, Taco (Score:1, Funny)

      by Anonymous Coward
      you know what they say about assumptions, right?

      Yeah, they make an ASS of U and .... HEY!!!

  • A number of people are suggesting disabling javascript as a solution. The problem of course is that many sites use javascript for the forces of good rather than evil.

    One solution is for browsers to have an option to disable javascript's ability to open new windows. I use OmniWeb [omnigroup.com] on Mac OS X and it has exactly this option. In fact your choices are to allow javascript to open windows always, only in response to a link being clicked, or never. A very useful feature and one reason I will ultimately hand money over for this software.

Slashdot Top Deals

The one day you'd sell your soul for something, souls are a glut.

Close