Forgot your password?
typodupeerror
Privacy

An interview with Ad-Aware's Nicholas Stark 199

Posted by timothy
from the combatting-annoyance dept.
Andrew Leonard writes: "In the wake of the Ad-Aware/RadLight spyware vs. anti-spyware showdown, Salon has an interview with Ad-Aware's Nicholas Stark, who explains in no uncertain terms Lavasoft's determination to match every move by the spyware developers."
This discussion has been archived. No new comments can be posted.

An interview with Ad-Aware's Nicholas Stark

Comments Filter:
  • Software licenses (Score:2, Interesting)

    by vespazzari (141683)
    I think that it is almost impossible to read much less understand the license agreements that are bound to almost all software. I would be vey interested to see a licensing agreement go to court... The way I understand it both parties of a legally binding contract must understand the contract in order for it to be valid, sooo it would be my guess that most of these agreements/contracts would be invalid due to the fact that most people are not lawers and would not be able to understand the agreement even if they did read it.
    • Re:Software licenses (Score:3, Interesting)

      by cdf12345 (412812)
      In order for a contract to be valid there must be:

      1.) a valid offer
      a. must be serious
      b. must be specific

      2.) A valid acceptence
      3.) exchange of consideration

      As far as I'm concerned, not telling someone that the contract allows them to delete information on your computer, that's not very specific.

      As for taking this to court, a remedy would probably be for damages or recission(null) of the contract.

      all we need now is someone pissed enough to take this damn company to court.
      • Following up to a post with the sig:
        "Alchohol, cause of, and solution to, all of life's problems" -Homer Simpson

        You wrote:
        "all we need now is someone pissed enough to take this damn company to court."

        Which is just wonderful in English! (i.e. English English)

        It's certainly true, it would be very interesting for this to be brought to a black/white crux point.

        FP.
      • IIRC, the click-thru licence does tell you that it's going to delete information on your computer, and it is specific about what it will remove. Just because people blindly click "Next" and don't read isn't the company's fault, although they are taking advantage of it.

        I don't like it any more than you do, but it's worth pointing out.
    • by NoMoreNicksLeft (516230) <john.oylerNO@SPAMcomcast.net> on Sunday April 28, 2002 @05:11AM (#3423948) Journal
      Dude, while I agree in general with you, who says this needs to go to court? Think of it this way...

      Someone writes a "contract" that says if you happen to walk across a particular stretch of sidewalk, not only will they keep that sidewalk clean for you, but you agree to give them 50% of your salary for the next year. Then they post a copy of it well off the sidewalk, where it isn't easily read (not without binoculars). So, curious, you walk across that sidewalk up closer to it, so you can read the "sign"... is there any reasonable person that would contend you agreed to this contract?

      If the dumbass that pulled the stunt took you to court for breach of contract, would the judge even hear it, or would he toss it out, only after chastising the plaintiff's lawyer?

      How is a EULA any different?
  • Radsoft (Score:2, Informative)

    From the article:

    I do not believe that it is legal to bind the usage of their software to the removal of an unrelated product.

    But how is it an unrelated product? Ad-Aware goes out and specifically prevents programs like those put out by Radsoft from working properly. While I agree it isn't right that Ad-Aware is removed from the user's program without due warning, it is far from unrelated.

    • Re:Radsoft (Score:3, Insightful)

      by Disevidence (576586)
      Doesn't Ad-Aware remove the SaveNow bundled with the software? This wouldn't specifically stop Radlight from working, or even intefere with its use. Its affecting the spyware bundled, so removing Ad-Aware without the users express intent is illegal.
    • Re:Radsoft (Score:5, Informative)

      by _Sprocket_ (42527) on Sunday April 28, 2002 @06:30AM (#3424058)


      But how is it an unrelated product? Ad-Aware goes out and specifically prevents programs like those put out by Radsoft from working properly. While I agree it isn't right that Ad-Aware is removed from the user's program without due warning, it is far from unrelated.


      Its pretty simple. Radsoft's package can function perfectly well with Ad-Aware also installed. They have nothing directly to do with each other.


      Granted, the politics and business of the two clash. I could understand that Radsoft feels threatned by Ad-aware. And it wouldn't be suprising if they took measures to protect their revenue. However, I would expect them to take steps to ensure all installed components remain installed for their application to function.


      Of course, Radsoft has done a great job at displaying their attitude towards their users. Not only does their revenue apparently depend on the questionable (and apparently unappreciated by users) practice of spy-ware, but they take the same attitude to underhandedly remove software with which they have a political axe to grind.


      One final point. Ad-Aware is considerably different in intent and attitude than any of the software it targets. First, the Ad-Aware user actively selects what components (including applications, libraries, registry entries, and cookies) to remove. Secondly, it is widely supported as it provides even fairly non-technical users the ability to discover hidden software installed on their systems and remove it despite the great lengths that software goes to hide and resist being removed.


      If Radsoft and their clients, as well as the apparently growing number of like-minded business and applications developers, dislike the power provided by Ad-Aware then they should seriously re-examine their business plan. There is considerable resistance towards their methods. And simply attempting to remove Ad-Aware does little more than reveal their contempt for their user base.

      • Re:Radsoft (Score:1, Insightful)

        by Anonymous Coward
        Radsoft's package can function perfectly well with Ad-Aware also installed.

        I completely agree with this. But that is not the issue.

        They [Ad-Aware and Radsoft] have nothing directly to do with each other.

        This is the point I don't understand. How you can you say that? Radsoft actively chose to bundle in a piece of spyware, the kind which Ad-Aware's sole purpose is to destroy. So how are the two unrelated? This has less to do with functionality and more to do with the politics of software distribution.

        Essentially, this all boils down to "The enemy of my enemy is my friend" or more appropriately, "The enemy of my friend is my enemy." I may disagree with the method in which the software us removed, but I can certainly understand the justification.

        • This is the point I don't understand. How you can you say that? Radsoft actively chose to bundle in a piece of spyware, the kind which Ad-Aware's sole purpose is to destroy. So how are the two unrelated? This has less to do with functionality and more to do with the politics of software distribution.

          They're not unrelated per se, but rather they shouldn't directly intefere with each other. Radlight can run without the spyware, Ad-Aware has a perfect legal right running on the computer, regardless of whatever else you install.

          This has less to do with functionality and more to do with the politics of software distribution.

          But one company tells you what they are doing, what exactly the program does, and you install it on your own accord. The other company hides behing a vague EULA, illegal modifies the users computers and uninstalls software, and oringinally didn't even tell of the changes! Everyone likes accountability in politics. Its the exact same here. They are being under-handed and sneaky, and there is no justification, as stated, its illegal. Just because you dislike what another company produces, it doesn't give you the right to break the law to get back at them.
        • Re:Radsoft (Score:3, Interesting)

          by _Sprocket_ (42527)


          Radsoft actively chose to bundle in a piece of spyware, the kind which Ad-Aware's sole purpose is to destroy. So how are the two unrelated? This has less to do with functionality and more to do with the politics of software distribution.


          I suppose the issue is what one considers "related". The quote from the Lavasoft developer referring to whether one package should remove "unrelated" software is likely to be a technical reference. And technically, Ad-Aware and Radsoft's offering ARE unrelated. But you are very correct in the link politically.


          But that's a problem. Just because one has a political dislike for a piece of sotfware, it does not mean one should use one's software as a platform to remove the offending application. We don't have Mozilla removing Internet Explorer (whether that be possible or not)... just to pick an example out of thin air.


          One other comment - sure, Radsoft chose to bundle a piece of spyware with their application. But that bundling and installation is often hidden from the user. Even worse, removal of that software is often difficult. Yet the system still belongs to the user. Ad-Aware gives the user the ability to identify and remove undesired software despite spyware's attempt to resist identification and removal.


          If Radsoft wishes to ensure all software bundled with their package remains installed, then they should take steps to check that said software has not been removed. Even better yet, perhapse they should level with their users and alert them as to what is being installed and why. They certainly shouldn't be removing software that has not been included with their package.

  • license (illegal?) (Score:5, Insightful)

    by cdf12345 (412812) on Sunday April 28, 2002 @04:55AM (#3423915) Homepage Journal
    "You are not allowed to use any third party program (e.g. Ad-Aware) to uninstall applications bundled with RadLight."

    As far as I know a license statement should only apply to when one is using software, I think legally a court would uphold that a license cannot tell someone what hardware or other software they can or cannot use.

    The interesting thing with this is that the are forcing users to comply with a license which is probably not even legal.

    As for uninstalling software without any other warning, wouldn't this be on the same level as a destructive virus? I sure as hell wouldn't pout my name on a virus.

    Also it never states that the software will be removed. It says you cannot use other applications to uninstall their spyware. So you can have anti-spyware installed on your computer without breaking this (probably illegal) license.

    I would think the company is liable for criminal damage to property much like a virus writer would be.
    • Another question to consider is whether the RadLight installation program removes Ad-Aware if you cancel the installation before it is completed. I'm not sure about the specifics, but I don't think a license counts if you never fully install the software onto your computer.

      I'm pretty sure we can assume that aborting the installation does not restore Ad-Aware. To me, this seems like even more compelling evidence that RadLight's activities are illegal.

    • I believe in the latest release, the removal of ad-aware is explained (albeit in legalese) in the EULA. While the legality is extremely questionable, they do actually tell you vaguely.
    • by 56ker (566853)
      "I think legally a court would uphold that a license cannot tell someone what hardware or other software they can or cannot use" - I don't think it would! What law are you basing this on? After all the person has clicked a button saying that they agree to the terms!
      "So you can have anti-spyware installed on your computer without breaking this (probably illegal) license." - yes but it'll uninstall Ad-aware without telling you - that's what this whole story was about!
    • As for uninstalling software without any other warning, wouldn't this be on the same level as a destructive virus?
      I think it should be called a Trojan program and properly included in the signature files of McAffee, V-Shield, Network Associates, Fprotect, etc.
    • I haven't seen the actual license or its presentation, so I don't know if it would come under that category of contracts known as "contracts of adhesion". Contracts of adhesion are those piles of fine print you see on the back of parking ticket stubs, dry-cleaning tickets, etc. They're generally ok so long as they contain no terms that might be unexpected, such as "Agreeing to park in this garage assigns title to your car to the garage owners" or some such thing.

      The click-through is a problem, because contracts of adhesion generally don't have any form of overt acceptance. You park your car, you get the ticket. Still, a click-through with lots of legalese that the typical consumer wouldn't understand should, at the very least, be open to challenge.

      The Ad-Aware person described the right way to handle this: make the RadLight software fail to operate without the other sofware installed.

      At the very least, actions like RadLight takes against Ad-Aware are right at the edge of criminal activity.

  • With clickthrough rates in the absolute toilet, how much money is AdAware and popup blockers really costing those that get so upset by them?

    Not enough.
  • words to live by (Score:3, Interesting)

    by CmdrTaco (editor) (564483) on Sunday April 28, 2002 @05:07AM (#3423941)
    When asked if he had a specific plan to recommend to developers of spyware programs, Nicholas Stark of Lavasoft said
    A specific plan? No. However we do have some pertinent advice. Lavasoft began as nothing more than a dream. With hard work and a specific plan for the future, we have been able to achieve the success we now enjoy. We feel that the ad-sponsored model is nothing more than a quick fix. What we would say is that developers need to find a community willing to support their efforts and help them to grow in their art and to learn from experience.
    Sounds like someone the open source community could really rally behind.
    • Yes but most people who use open-source software are smart enough not to install spyware. If it was truly open-source the source would be available.
    • What we would say is that developers need to find a community willing to support their efforts and help them to grow in their art and to learn from experience.

      But that's what the spyware authors were trying to do! Of course in their case, it was the advertising community. :)

      Economic darwinism -- these guys thought they'd found the quickest way to "mo' money", but now they find that the market won't tolerate it. People on that moral level will try other objectionable stuff until they find something that doesn't make their customers feel like they're being shafted all *that* hard, and then they'll do their best to exploit that weakness. Grim, but that's "the way life is".

    • No. He belongs with the Free Software Movement. Anybody who can use the phrase the success we now enjoy when he is still working his day job should be quite at home with the language manipulation of RMS and friends.

  • I'm still curious as to how he's going to change Ad-Aware to prevent it being uninstalled by this other program. Does anybody know?
    • find a way to let ad-aware run in the background and alert the user if another program attempts to access its files...
    • I'd simply have a daemon sitting there, waiting for a user to attempt to run such a program... when the user doubleclicks hiddenspyware.exe, have my daemon block it, and inform the user that this exe woulc attempt to remove the daemon they intentionally installed.

      The trick of it, is to see it before it can run, it has no power then. If you let it run, I'm pretty sure everything in windows can elevate itself to the equivalent of root without trouble, and kill any process it doesn't like, you have to intercept it before it can do this. After that, it's up to the user and your daemon whether you want to attempt to sandbox the thing or not, and try to salvage some of it.

    • I'm still curious as to how he's going to change Ad-Aware to prevent it being uninstalled by this other program. Does anybody know?

      This calls to mind the old story of Robin Hood and Friar Tuck [csd.uwo.ca]. Essentially instead of having one program that can be killed off/removed, you have two programs each keeping an eye on the other, and starting/reinstalling the other as required.

      As someone commented in the last thread on this topic, this all rather reminds me of Core Wars, played out at large. We just need a better way of keeping score...

      Ewen

    • I'm still curious as to how he's going to change Ad-Aware to prevent it being uninstalled by this other program. Does anybody know?

      There's a program provided with the $15 version which is like a virus monitor, but it monitors for spyware. It stops the spyware from running, or installing itself. Lavasoft just needs to add detection for this new bit of spyware.

    • by Anonymous Coward
      There are quite a few ways - from passive ones making the detection very problematic (remeber self-mutating virii when there were real virus writers and not only silly worm bozos?) to active monitoring for accessing their files in a way the virus scanners do. BTW, anyone noticed the radlight admin's nick "davenger". Guess what? - dark avenger was a bulgarian virus writer who created a quite clever mutation engine.

      The real name of RadScorpion seems to be Igor Janos. Any slovak student here knowing Igor Janos? :-)

      I am posting anonymously as I am a Slovak, probably live in the same town as he does and he can track me based on my user info - I don't quite want to get his attention :-)
  • In the article, they ask about removal of spyware removing revenue for the producers of the free software. I didn't think the ad-aware guy answered that very well. I would have pointed out that ultimately, the customer (user of free software) decides what it's worth to use their software. Most will look at ads. Heck, most will tolerate pop-ups. What they tolerate is anti-ad-aware software. I never heard of RadLight until this came up. Free publicity, yes, but you can be sure no one that I know ever uses any of their products. There's a line & they crossed it. Not all free publicity is good, regardless of what they say.
  • by mgblst (80109) on Sunday April 28, 2002 @05:18AM (#3423960) Homepage
    We do offer an enhanced version of Ad-Aware called Ad-Aware Plus, [which costs $15]. But money is not the primary goal and has never been; it's mainly used to pay the server and bandwidth costs. We all have "regular" jobs or are students, and do this in our spare time (although it uses up a lot).

    Perhaps if they included some sort of advertising program with ad-aware, they could make some real money!
    • Perhaps if they included some sort of advertising program with ad-aware, they could make some real money!

      But then the first time the program was run it would uninstall itself. Where's the benefit in that? :)

    • I know you're joking, but it might work. Depends on what kind of advertising. Spyware is right out, but maybe an Opera-style ad window would be acceptable. I can only speak for myself, of course, not for other Ad-Aware users.
  • by Anonymous Coward
    I'd LOVE to see some puckish programmer bury a phrase at the very bottom of a click-through license to the effect of: "User agrees to sell nude pictures of themselves on ebay and donate the procedes to RJ Reynolds and/or the Church of Scientology." Might demonstrate the idiocy of click-throughs and highlight their dubious legal status. At worst, it'd provide a few yuks.
  • As I believe that some of the "spyware" are just regular legal programs I really feel for their authors to see how their program is being uninstalled," RadScorpion wrote. "I WANTED ADAWARE TO SEE IT TOO and to revalue their pose to their 'enemies.'

    No, I feel really bad. If it weren't for AdAware, I, too, could have received an extra $500 from (Insert online casino of choice).

    *$500 dollar offer only valid after betting $50,000 or more and receipt of firstborn child. Other restrictions may apply

  • What ever the legal aspects are, there is a much simpler way to get rid of spyware - don't download the programs. boycott KaZaA and everything else that includes spyware until they stop. People these days are just not taking their right to boycott, its the same with DVDs, CDs, and MS Windows, all these things are trying to do stuff we don't want, but if everyone stops buying them, they will have no choice but to give the customers what they want.

    Oh and screw the EULAs, if I want to remove spyware from something on _my_ hard-drive then what are they going to do about it?
    • What ever the legal aspects are, there is a much simpler way to get rid of spyware - don't download the programs.

      Until I started reading computer news sites more regularly, I didn't even know that these things were installing "spyware" on my machine. I just clicked-through on those EULAs, like 98% of everyone. The "just don't do that" argument needs to be prefaced with "you're doing that", which is what programs like AdAware help bring to light. I commend Salon for bringing it to the attention of less tech-hardened people. Even if anti-anti-spyware programs become more popular, the mentality behind AdAware has a better chance of reaching more people.

  • by Anonymous Coward
    "B-12."

    "Miss! D-11."

    "Hit! C-3."

    "Miss! D-12."

    "Hit! Dang! You sank my business model!"

    Guess they now know how RIAA and MPAA feel about their file sharing software... ;^).
  • by I Want GNU! (556631) on Sunday April 28, 2002 @05:44AM (#3424004) Homepage
    Shouldn't spyware be illegal? Most of it operates as trojan horses, which are similar to viruses, and those are illegal. They mess up the normal functioning of computers and are unauthorized. Maybe they have privacy policies saying that this is ok, but would these policies stand up in court? Often these policies are only made as such so that the consumer won't challenge them, and they are probably questionable legally. You can't take away rights from the consumer that they can't give up.

    I mean, if a virus had a license agreement, would it be ok to use it then? And what if the virus attached on to another program with a license agreement that you probably wouldn't read? That is really what these scumware programs are doing. It is an outrage!
  • by Anonymous Coward on Sunday April 28, 2002 @05:55AM (#3424013)

    Although I couldn't find a definition for the term trojan horse on CERT's website [cert.org], a link was provided to the comp.virus FAQ [faqs.org]. According to it, a trojan horse is:

    A TROJAN HORSE is a program that does something undocumented that the programmer intended, but that some users would not approve of if they knew about it.

    What RadWare's software is doing makes it perfectly clear that spyware should be treated as a trojan horse (with legal implications where applicable), beacause that's what it is.

  • by bluelarva (185170) on Sunday April 28, 2002 @06:08AM (#3424032)
    Regarding the problem of spy ware uninstalling another program, perhaps it is a technical problem which there is a solution. Not an easy one but a system can be made to prevent such a thing.

    1. First, software installation should be passive. On Windows (as well as other OS), you download some binary executable and run them. This foreign binary essentially has full reign over your system. Instead it should be a compressed package file with instruction embedded in it that describes what and where the package manifest should be installed. This package should be signed by the originator so that the package is tamper resistant and has some privilege to modify package that was originated from same source. This way the OS and user is in control rather than untrusted binary running amok on your system.

    2. This is more difficult one to implement. I think application should have some levels of access on your system and they should be disabled by default. For example, multimedia player should not be allowed to delete files or initiate outgoing network connection. Even file read can be made more granular by restricting the file mime type that an application can read. Multimedia player has no business reading any other files than ones that it knows what to do with. This sort of sandbox could make it harder for application from whacking competitor's application.

    Ultimately an implicit trust should be abandoned and implementing mandatory security may be the solution. Unfortunately this is not something that can be easily added easily but rather it must be designed into the underlying system itself.

    Disclosure: I'm writing this at 6:00am after staying up all night writing code so I'm sure lot of loopy ideas are leaking from my brain at the moment. This may be one of them. Then again even a broken clock tells right time twice a day. ;)
    ---
    jk
    • In regards to point one, isn't that how things like MSI (The new Microsoft Installer) work? That is, you download an MSI package and the installer is a Windows component. However I would think that for flexibility MSI still lets you run your own code. So basically it'd be a locked down version of MSI - however it still would need to be flexible for some "complicated" apps.

      With regards to point two - I suppose you could do this by having the person packaging the app specifiying what permissions the app needs and before installation the user has to okay the permissions the app wants. Again this would depend on a package based installer as you say :)

      Anyway, I'm rambling too..
    • 2. This is more difficult one to implement. I think application should have some levels of access on your system and they should be disabled by default
      It sounds like you're describing some of the fundamental features of a "capability-oriented" operating system, such as EROS [eros-os.org].
    • 1. First, software installation should be passive. On Windows (as well as other OS), you download some binary executable and run them. This foreign binary essentially has full reign over your system. Instead it should be a compressed package file with instruction embedded in it that describes what and where the package manifest should be installed. This package should be signed by the originator so that the package is tamper resistant and has some privilege to modify package that was originated from same source. This way the OS and user is in control rather than untrusted binary running amok on your system.

      Exactly. The self-installing executable is a fine example of convenience being the enemy of security: At first, it sounds like a good idea. The program knows how to install the program you want with no interference from you. But if the program installs something you don't want, you're screwed. Why a program should have that level of trust on an OS is another issue you address in your next point:

      2. This is more difficult one to implement. I think application should have some levels of access on your system and they should be disabled by default. For example, multimedia player should not be allowed to delete files or initiate outgoing network connection. Even file read can be made more granular by restricting the file mime type that an application can read. Multimedia player has no business reading any other files than ones that it knows what to do with. This sort of sandbox could make it harder for application from whacking competitor's application.

      That is a tough nut to implement, I'd imagine, but the work has been done: *nix file permissions. A file has only the permissions its creator (or the superuser, root) gives it (so 'image files' can't run as programs), and an executable created by a certain user only has the permissions of that user, so it can't whack anything the user himself couldn't whack. So, on a *nix-y system, you could make AdAware untouchable to normal users and then only install software (other than AA) as a normal user. Problem solved.

      Ultimately an implicit trust should be abandoned and implementing mandatory security may be the solution.

      I think all multi-user OSes have reached this conclusion.

      Unfortunately this is not something that can be easily added easily but rather it must be designed into the underlying system itself.

      True. The file-permission system wasn't bolted on to Unix.

      I'm writing this at 6:00am after staying up all night writing code so I'm sure lot of loopy ideas are leaking from my brain at the moment. This may be one of them.

      These loopy ideas are what make *nix boxes so tough to crack.
      • Exactly. The self-installing executable is a fine example of convenience being the enemy of security: At first, it sounds like a good idea. The program knows how to install the program you want with no interference from you. But if the program installs something you don't want, you're screwed.

        How is it more convinient for each program to have its own installer?

        * It forces me to learn a new installer interface each time I download a new program.

        * It allows software makers to get away with ridiculously worded English-only EULAs, where a single installer could have a set "named expandable-block" format which would look like "We are Netscape and you are about to install Netscape Navigator. We don't guarantee that it will work on your system, but it worked on ours. Not to be used in real-time systems." when collapsed. In addition to hurting users, this hurts software makers, since each software maker must hire expensive lawyers to write a program-specific EULA.

        * It makes it easy for an individual installer to screw something up like not taking block size and breathing room into account when checking whether I have enough disk space. (Total file size 200MB, 209MB disk space free, plenty of free space!)

        * It lets programs decide whether to be "Program Files\Mozilla" or "Program Files\Mozilla 0.9.9" or "Program Files\mozilla.org\Mozilla", instead of letting the user decide once.

        * It makes downloads bigger, since each program feels a need to include its own installer.

        * It makes uninstallation unreliable.

        Throw in spyware and viruses, and it's much less convinient for users if each program has its own installer.
    • First, software installation should be passive.

      Doesn't matter. The first time it runs it can do all it's untrusted binary crap that it needs to do to work properly / wants to do to fuck you over.
    • Have a look at how Java WebStart works. It lets you
      elegantly download and install software to multiple
      platforms (including Linux).

      The downloaded application then works with restric-
      tions similar to those of Applets. If the application
      needs to perform tasks it is not yet allowed to do
      (write to disc, acces network), the runtime will ask
      you to give the necessary permission.

    • First, software installation should be passive.

      Won't work. It's necessary for software installers to have the freedom to execute arbitrary scripts during installation or removal. For instance, if you installed an FTP server, it would be necessary for that server to modify your /etc/inetd.conf file. (Don't shoot holes in my example. It's the best one I could think of off the top of my head.)

      All the install package has to do is install a little script or binary, execute it during an exitop, then remove it when it's finished running. The little script or binary has, in the meantime, searched out and deleted AdAware, or whatever.
    • First, software installation should be passive.

      Unfortunately, this won't work in Windows.

      Example: you want to install a network print driver. Now, your driver needs to do a couple of things: copy itself (it's a dll) into the system directory to be loaded by the windows printing subsystem and create a bunch of registry keys the printing subsystem expects out of each "port monitor". It also needs to inform the printing subsystem to load your dll, either now (NT/2000) or after a reboot (9x). This is where it gets hairy.

      The way this is done differs with every version of windows. To ameliorate the problem, MS has a win32 function that you call that does this semi-automatically (I forget what it's called, search MSDN Platform SDK for "install port monitor"). Your print driver won't work unless you call this function.

      So, my basic point is that in order to install this software, you need the ability to call arbitrary functions with particular arguments. This basically means the install program must have a place where it runs an arbitrary bit of code written by the developer. You could also do whatever you like in that bit of code, such as uninstalling adaware.

      I don't know about MS's new installation procedures, but I'd imagine they're pretty similar to what InstallShield does. The way InstallShield works is that you get this little GUI where you describe your app's files, registry settings, etc. From this, the InstallShield program generates a .ins file which is distributed with a more-or-less generic "setup.exe" program. The setup program also allows you to put in any code that you would like to run (the GUI has you do this in VB, but I believe you could also have it do it in C if you'd like - moot point, since you can do this stuff from VB as well as C). So, the existing installation procedures are something like what you describe except that the developer also gets to run a script of their choosing. In a way, you get the exact same capabilities as with RPM.

      Now, you may say that this example is a bit unfair because this is really a device driver and you could say this "systems level" stuff is quite different from regular "application level" software.

      Problem with that argument is that in Windows, there is no clear distinction between systems-level and application-level stuff. I'm a unix guy, and it's amazing how much stuff in Win32 is considered "systems level." I'd say almost any non-trivial win32 application would need to have a run of arbitrary code in the installer, whereas most RPMs don't need post-install or pre-install scripts. Underlying problem is that MS got a lot of abstractions wrong.

    • Adressing point 2.
      The last time I asked about this I was told that I was asking about something called "capabilities", and that there was a group working on adding it to Linux. I don't know whether it is scheduled for 2.6 or not, but it obviously didn't make it into 2.4.

      I believe that Red Hat has a non-Linux OS that is capabilities based, but that it's aimed at embedded systems. (This is probably quite confused, but it's the best I can do off the top of my head.)

      Essentially what capabilities does is strip default access from all users (including root). root gets the default capability to assign capabilities. A capability might be something like the right to access some particular port (no more counting all ports less than 1000? to be special! All ports are assigned or not on a per user basis.) I don't know whether there would be defined capability groups, though it seems like a good idea. So one could set up a default user group that would, e.g., be allowed to access the floppy drive. But that wouldn't come automatically, and it could be revoked.

      The difference here is that you seem to be suggesting that capabilities be assigned to programs rather than to users. This sound interesting, but I would suggest that no program be allowed to exercise a capability that was denied to the current user. That way if a virus rewrote, say, the mail program, it would only be allowed access to the e-mail folders. Tricky, but could add a level of safety. So instead of configuring programs with a blanket "exec" flag there would be a much more complex setup.

      This sounds like it could be quite safe, but also like it might have an immense amount of overhead. (Perhaps that's why capabilities are still being studied rather than included in the kernel.)

      But something like this is going to be needed eventually. And it will need to be machine specific, so things can't be sent out configured to take over everyone's computer. Say a cross betweem capabilities and package signing, with each user signing packages for his own machine.
  • by Barbarian (9467) on Sunday April 28, 2002 @06:16AM (#3424043)
    I think that as more spyware programs take tactics like that bundled with Radlight, a boot-disk image version of Ad-Aware is going to be needed for it to run properly, just like Virus scanners allow you to create a rescue disk. Eventually spyware programs are going to kill the ad-aware process as it starts. A boot disk version would allow you to run Ad-Aware (or similar) without interference from the spyware.
    • Boy are we onto dodgy territory here! If we have a boot disk ad-aware package we could end up with software from the other companies which require you to insert a floppy to give the software a key which it needs to run. The floppy could contain the ad-software which is part of the "key". Basically, you would have to launch the ad-software from floppy in order to launch the application you have downloaded.

      As far as I can tell there is no software workaround to this problem as long as you are using applications like RadLight, you will be saddled with these problems.

      It is clear that software houses are finding it harder to make income from their products and have to resort to this type of approach. This situation can only get worse as the use of open source software increases. The margins available to vendors are (and will continue) to contract. Even the mighty Microsoft are looking at other methods to make a buck i.e. Software Rental or Pay-per-use strategies. Ultimately even these models are flawed. If we go back 10 or so years (in the UK) televisions and VCRs could be rented from several high street stores, however as the number of people who could afford the systems outright increased, the market for rental dropped and these stores have all but gone.

      In the software realm the number of people who can "afford" software has increased because the amount of software that is "affordable" has increased. Therefore the number of people willing to pay for applications will drop. Combine this with the "End of Free" transition that is taking place on the internet, where companies are increasingly charging for content, there is even less disposable income available for frivalous applications.

      In my opinion the only way through this minefield, as a user, is to BUY yourself an open source distro, or donate cash to open source projects, and only use open source software. This way you avoid the ethical, moral and legal minefield that is Intellectual Property.

      As an investor I would make a slow but measured transition of my stock-holding from closed-source vendors to open vendors. I would include the likes of IBM or SUN in this, at least they are moving in the right direction.

    • by Technician (215283) on Sunday April 28, 2002 @08:23AM (#3424192)
      Actually I run AdAware over my LAN. I attach the drives of all my machines and scan them from the admin console periodicaly. None of the workstation machines have privilages of any kind on the admin machine which does the scanning over the LAN. The admin machine is not sharing any drives. The scan is done at the same time the LAN is swept for viruses in additon to the local machines anti-virus software.

      This catches any software that tries to attack the anti-virus software and the AdAware software.
  • Seriously scary (Score:2, Interesting)

    by nyjx (523123)
    This issue raises the very scary possibility of people regularly writing software which deliberately changes your system configuration when they are installed - and under guise of their user agreement. Bascally this is viral behaviour.

    If Ad-Aware retaliates it will have to try and protect itself from the unistaller - how will it do that - clearly changes at the level of the user agreement are more or less useless (what user is going know or care that they have two confliciting user agreements in use...). So it'll be at the code level - what kind of a software war could that set off? Couple that with software that regularly uploads patches and updates (to protect against the latest rival software...).

    Personally I'd rather refrain from having my destop turned into a competitive software eco-system!

    • just add a password protection to the uninstaller
    • Some commercial software already does this. I've previously ranted on /. about what Intuit's TurboTax did, but it bears repeating: TTax forcibly installed IE5.5, with NO prior clue that it would do so. This FUBAR'd several functions on my system, and now it looks like I'm going to have to reinstall Windows because even tho I've removed IE5.5, it must have changed something critical (funny how my CDRW never once came NEAR a buffer underrun before this, and now BurnProof fends off up to 130 underruns per CD).

      Really pisses me off, and I'll NEVER buy another Intuit product.

  • virii (Score:1, Interesting)

    by Mr Coward (576592)
    so if i put a license agreement on a virus, it's legal :?
  • by dirk (87083) <dirk@one.net> on Sunday April 28, 2002 @07:58AM (#3424151) Homepage
    I see lots of people talking about how Radlight doesn't inform the user (except in the EULA) that it will remove Adaware. They common arguement is that no one reads the EULA and it's not clear what is goin on, because the EULA is confusing. Is this much different than what Adaware does? IT just gives me a list of files it thinks are "offending" and asks if I want to remove them. It doesn't tell me what they are (outside of a name of the "spyware"), what they do, or any consequences of removing them. If I run Adaware and remove Cydoor, it doesn't give me any indication that it will stop Kazaa from working, and the average person has no idea that would be a consequence. Putting the notice in the EULA is not a good tactic as it somewhat obfuscates what is going on, but is Adaware not telling you the consequences of uninstalling the "spyware" (most of which isn't spyware, it's just software that shows ads) that mucg better?
    • I'm not sure if you could argue that Ad-Aware is necessarily guilty of the same hidden-in-the-EULA offenses that something like Radlight would be. Simply by downloading and installing Ad-Aware, you know full well that you're getting a program that can deep-scan your system and remove files from it. Also, don't forget that Ad-Aware always lists the location of the content you're about to remove - and that may point out that it's part of KaZaA, revealing to the user that they've been duped.

      If you're really serious about pruning out spyware from your system, you probably shouldn't be running KaZaA (or at least the regular version) in the first place, I think. That's like having a security specialist who insists on running a firewall, but leaves the settings at "low" all the time so that he can run a particular game. You can't claim to be actively concerned when you knowingly compromise your system.

      Speaking of spyware, as I work tech support I can't believe how many people manage to 'infect' their systems with programs like Bonzi Buddy, Gator, and GoHip. Part of it is simply apathy; occasionally programs like Gator come as options with other apps, and from experience the casual user is terrified of ACTUALLY HAVING TO MAKE A CHOICE with their computer and accepts the default install options. Then there's the people who don't seem to realize that, when an installer for a program they don't need mysteriously pops up when they visit a site, they shouldn't install it. This is how viruses are spread... "but it was from someone I knew!"

      The real kicker is that, at least once, I've actually had people blame these apps on the ISP I work for! Mind you, in the incident I'm thinking of (which only occurred last week) the customer assumed that paying for an ISP meant guaranteed technician visits for ANYTHING wrong with his service (even a five-minute "change your e-mail settings" problem) and had cancelled 3 prior ISPs to that effect, so I think it was more a question of his mental instability than any kind of major trend, but you get the idea of what kind of flak we can get at work...
    • The difference is that Ad-Aware gives you a list of things that it can remove. RadLight simply removes ad-aware without any prompts or warnings.

      If radlight gave a prompt, and let the user decide whether to uninstall or not, then they would be in better waters.

      Travis
  • One thing we forget (Score:4, Interesting)

    by rickthewizkid (536429) on Sunday April 28, 2002 @08:33AM (#3424211)
    The problem I see is that you are not TOLD about the advertising software upon installation of certain software. I'm sure there are a few people who are willing to put up with some ads, or donate a few CPU cycles, in exchange for something free, but, I am not. However, I was not told about that fact and allowed to make my decesion based on the fact that program XXX would also covertly install advertising and distributed computing apps as well.

    In sort, it's MY computer, _I_ should be the one who decides what is on it. Not only for my own desires, but also to be polite to other people on the 'net. What if one of these spyware programs were to catch (or come with) a virus? My computer would (without my knowledge) spread this virus to other people....

    Of course, I run Linux anyway so this does not *really* apply to me. That is, until some large corporation buys the rights to Linux and starts releasing an adware-enabled version...

    Bringing up eth0 [OK]
    Downloading new artwork and features [OK]
    Installing new ads [OK]

    Oh the horror... :)

    Excuse the brain wanderings, I've been up all night coding... :)

    -RickTheSleepyWizKid
  • Cydoor (Score:2, Interesting)

    by Anonymous Coward
    Many of these bundled "ad systems" are poorly written.
    YES

    I was writing a piece of software for which Cydoor was being considered as a revenue stream, so we downloaded the SDK to give it all a go.

    1) The network then got hit by the Snowwhite and the seven dwarfs virus (this is primarily an email virus, but when it runs it copies itself into every zip on your computer), I thought it came from the Cydoor SDK zip as that was the first zip file that we noticed it in and nobody here is dumb enough to run executables attached to email (especially dodgy porn sounding ones). Of course I never knew as the virus might have run and copied itself in there before we noticed.

    On a later date, after the SDK had been deleted (as you may have guessed, we didn't go with Cydoor), we downloaded the SDK again for some reason. Anyway, the virus was indeed in there. They may have gotten the virus the same way we did, but considering they never even noticed they had a virus (it's not hard to notice, even without antivirus software - it adds another file into all of your zips!) it wouldn't surprise me at all if their staff were so clued up that they routinely run outlook and click on dodgy executables mailed to them by strangers.

    2) One of my pet peeves is software that modifies your system unnecessarily, I believe this to be a major reason why windows has a half life (notice how virgin installs never crash, but after a year or two are crashing many times a day). It also has other rammifications, for instance you can't run the software over a network (because all the bits it installed into the system it was installed on aren't on the computer you want to run the program on).

    The Cydoor SDK has it's own install and as a cydoor customer, you aren't to change it - you just run it during the course of your own install. As you have no doubt guessed if you've read this far, the Cydoor install modifies the system.

    I wouldn't have been quite so annoyed at this if it wasn't for two things:
    Given what cydoor does, there is no need to modify the system upon program install, infact it appears that the Cydoor files
    as they are currently written can be bundled with your application in your applications program directory and still figure everything out and function fine. I did not test this thorougly tho as you have to use their install anyway - however even if there are problems doing that, none will be hard for Cydoor to fix (just to head off any replies, the benifits of an application playing nicely with your system is going to far outweight saving 200K on a 40gig drive, and a few more K in the swap file).

    It turns my program (sure I'm just somebody's code monkey and it's not really my program, but I do have some professional dignity) from something clean into a program that shits all over your system and then breaks when run over a network. Sentimental and pedantic maybe, but it is completely unnecessary for Cydoor to require me to do that.


    Anyway, having just said how poorly I think they do things, I at least owe it to them to mention that their SDK was actually very nice, and (not counting the install) it was a breeze to integrate their stuff nicely into the program. IIRC they also give you many ways of doing so, allowing you to choose the most appropriate.
  • I know that when I installed radlight, every copy I've ever installed has 2 very distinct, clear checkboxes that allow me to not install Savenow and new.net.

    Neither of these are required for radlight to work.

    So... *aside* from the evil uninstalling of ad-aware, what is so bad about radlight? Is it even really spyware when they actually *ask* you if you want it to be installed in the first place?
  • by hopeless case (49791) <christopherlmarshall&gmail,com> on Sunday April 28, 2002 @11:57AM (#3424761)
    This issue is one of the reasons I started studying linux. Control of my machine.

    The only real way to be sure you are free of viruses and trojans is to wipe the hard disk and reinstall your operating system and personal software.

    With linux, it turns out to be simple to arrange things so that even with a lot of complicated, customized software installed on a machine, you can reformat your root partition, reinstall linux, and have your non-standard software installed and configured in under an hour. This makes it feasible to do every few weeks for your home computer.

    The main reason is that most of the software configuration consists of ascii text files in /etc and a few other locations which in any event are well known, or easy to figure out.

    Keep your compiled software directories on a separate partition and write a script to descend into each of them and run a "make install". Then keep copies of all the /etc files you modify in your post install config in another directory (again, off of the root partition), and have a script that copies each file to its proper place on the root partition.

    When it comes time to reinstall, reformat the root partition, reinstall linux, and then run your 2 scripts and you are back where you started, minus any viruses and trojans and exploits that managed to infest you since the last time you did this.

    I wrote up an article with more detail on this on rootprompt at:

    http://www.rootprompt.org/article.php3?article=3 91 2
  • We discussed this in Fair Software Installation [slashdot.org]. I didn't think it would come true so fast. What this really points to is the necessity to have good defenses in an operating system against malicious installations.

For every bloke who makes his mark, there's half a dozen waiting to rub it out. -- Andy Capp

Working...