An interview with Ad-Aware's Nicholas Stark
Andrew Leonard writes: "In the wake of the Ad-Aware/RadLight spyware vs. anti-spyware showdown, Salon has an interview with Ad-Aware's Nicholas Stark, who explains in no uncertain terms Lavasoft's determination to match every move by the spyware developers."
Software licenses (Score:2, Interesting)
Re:Software licenses (Score:3, Interesting)
1.) a valid offer
a. must be serious
b. must be specific
2.) A valid acceptance
3.) exchange of consideration
As far as I'm concerned, not telling someone that the contract allows them to delete information on your computer, that's not very specific.
As for taking this to court, a remedy would probably be for damages or rescission (nullification) of the contract.
all we need now is someone pissed enough to take this damn company to court.
Re:Software licenses (Score:2, Funny)
"Alcohol, cause of, and solution to, all of life's problems" -Homer Simpson
You wrote:
"all we need now is someone pissed enough to take this damn company to court."
Which is just wonderful in English! (i.e. English English)
It's certainly true, it would be very interesting for this to be brought to a black/white crux point.
FP.
Re:Software licenses (Score:1)
I don't like it any more than you do, but it's worth pointing out.
Re:Software licenses (Score:5, Insightful)
Someone writes a "contract" that says if you happen to walk across a particular stretch of sidewalk, not only will they keep that sidewalk clean for you, but you agree to give them 50% of your salary for the next year. Then they post a copy of it well off the sidewalk, where it isn't easily read (not without binoculars). So, curious, you walk across that sidewalk up closer to it, so you can read the "sign"... is there any reasonable person that would contend you agreed to this contract?
If the dumbass that pulled the stunt took you to court for breach of contract, would the judge even hear it, or would he toss it out, only after chastising the plaintiff's lawyer?
How is a EULA any different?
Re:Software licenses (Score:1)
Re:Software licenses (Score:1, Offtopic)
Re:Software licenses (Score:2)
Re:Software licenses (Score:2)
Re:Software licenses (Score:1)
Radsoft (Score:2, Informative)
I do not believe that it is legal to bind the usage of their software to the removal of an unrelated product.
But how is it an unrelated product? Ad-Aware goes out and specifically prevents programs like those put out by Radsoft from working properly. While I agree it isn't right that Ad-Aware is removed from the user's program without due warning, it is far from unrelated.
Re:Radsoft (Score:3, Insightful)
Re:Radsoft (Score:5, Informative)
It's pretty simple. Radsoft's package can function perfectly well with Ad-Aware also installed. They have nothing directly to do with each other.
Granted, the politics and business of the two clash. I could understand that Radsoft feels threatened by Ad-Aware. And it wouldn't be surprising if they took measures to protect their revenue. However, I would expect them to take steps to ensure all installed components remain installed for their application to function.
Of course, Radsoft has done a great job at displaying their attitude towards their users. Not only does their revenue apparently depend on the questionable (and apparently unappreciated by users) practice of spy-ware, but they take the same attitude to underhandedly remove software with which they have a political axe to grind.
One final point. Ad-Aware is considerably different in intent and attitude than any of the software it targets. First, the Ad-Aware user actively selects what components (including applications, libraries, registry entries, and cookies) to remove. Secondly, it is widely supported as it provides even fairly non-technical users the ability to discover hidden software installed on their systems and remove it despite the great lengths that software goes to hide and resist being removed.
If Radsoft and their clients, as well as the apparently growing number of like-minded business and applications developers, dislike the power provided by Ad-Aware then they should seriously re-examine their business plan. There is considerable resistance towards their methods. And simply attempting to remove Ad-Aware does little more than reveal their contempt for their user base.
Re:Radsoft (Score:1, Insightful)
I completely agree with this. But that is not the issue.
They [Ad-Aware and Radsoft] have nothing directly to do with each other.
This is the point I don't understand. How can you say that? Radsoft actively chose to bundle in a piece of spyware, the kind which Ad-Aware's sole purpose is to destroy. So how are the two unrelated? This has less to do with functionality and more to do with the politics of software distribution.
Essentially, this all boils down to "The enemy of my enemy is my friend" or more appropriately, "The enemy of my friend is my enemy." I may disagree with the method in which the software is removed, but I can certainly understand the justification.
Re:Radsoft (Score:1)
They're not unrelated per se, but rather they shouldn't directly interfere with each other. Radlight can run without the spyware; Ad-Aware has a perfect legal right to run on the computer, regardless of whatever else you install.
This has less to do with functionality and more to do with the politics of software distribution.
But one company tells you what they are doing, what exactly the program does, and you install it of your own accord. The other company hides behind a vague EULA, illegally modifies the user's computer and uninstalls software, and originally didn't even tell of the changes! Everyone likes accountability in politics. It's the exact same here. They are being under-handed and sneaky, and there is no justification; as stated, it's illegal. Just because you dislike what another company produces, it doesn't give you the right to break the law to get back at them.
Re:Radsoft (Score:3, Interesting)
I suppose the issue is what one considers "related". The quote from the Lavasoft developer referring to whether one package should remove "unrelated" software is likely to be a technical reference. And technically, Ad-Aware and Radsoft's offering ARE unrelated. But you are very correct in the link politically.
But that's a problem. Just because one has a political dislike for a piece of software, it does not mean one should use one's software as a platform to remove the offending application. We don't have Mozilla removing Internet Explorer (whether that be possible or not)... just to pick an example out of thin air.
One other comment - sure, Radsoft chose to bundle a piece of spyware with their application. But that bundling and installation is often hidden from the user. Even worse, removal of that software is often difficult. Yet the system still belongs to the user. Ad-Aware gives the user the ability to identify and remove undesired software despite spyware's attempt to resist identification and removal.
If Radsoft wishes to ensure all software bundled with their package remains installed, then they should take steps to check that said software has not been removed. Even better yet, perhaps they should level with their users and alert them as to what is being installed and why. They certainly shouldn't be removing software that has not been included with their package.
Re:Radsoft (Score:2)
D'oh. I suppose I should have caught that. Instead, I was just feeding off of the original post and missed the mistake.
I can understand the flame. I'd hate to be associated with RadLight too. Sorry.
license (illegal?) (Score:5, Insightful)
As far as I know a license statement should only apply to when one is using software, I think legally a court would uphold that a license cannot tell someone what hardware or other software they can or cannot use.
The interesting thing with this is that they are forcing users to comply with a license which is probably not even legal.
As for uninstalling software without any other warning, wouldn't this be on the same level as a destructive virus? I sure as hell wouldn't put my name on a virus.
Also it never states that the software will be removed. It says you cannot use other applications to uninstall their spyware. So you can have anti-spyware installed on your computer without breaking this (probably illegal) license.
I would think the company is liable for criminal damage to property much like a virus writer would be.
What about aborted installations? (Score:2, Interesting)
I'm pretty sure we can assume that aborting the installation does not restore Ad-Aware. To me, this seems like even more compelling evidence that RadLight's activities are illegal.
Re:license (illegal?) (Score:2, Informative)
Re:license (illegal?) (Score:3, Insightful)
"So you can have anti-spyware installed on your computer without breaking this (probably illegal) license." - yes but it'll uninstall Ad-aware without telling you - that's what this whole story was about!
Re:license (illegal?) (Score:2)
Jason
are you posting this to *every* slashdot page? (Score:2)
This isn't merely offtopic, it's spam . .
hawk
Re:license (illegal?) (Score:2)
I think it should be called a Trojan program and properly included in the signature files of McAffee, V-Shield, Network Associates, Fprotect, etc.
Re:license (illegal?) (Score:2)
I haven't seen the actual license or its presentation, so I don't know if it would come under that category of contracts known as "contracts of adhesion". Contracts of adhesion are those piles of fine print you see on the back of parking ticket stubs, dry-cleaning tickets, etc. They're generally ok so long as they contain no terms that might be unexpected, such as "Agreeing to park in this garage assigns title to your car to the garage owners" or some such thing.
The click-through is a problem, because contracts of adhesion generally don't have any form of overt acceptance. You park your car, you get the ticket. Still, a click-through with lots of legalese that the typical consumer wouldn't understand should, at the very least, be open to challenge.
The Ad-Aware person described the right way to handle this: make the RadLight software fail to operate without the other software installed.
At the very least, actions like RadLight takes against Ad-Aware are right at the edge of criminal activity.
Idle Thought... (Score:1)
Not enough.
words to live by (Score:3, Interesting)
Re:words to live by (Score:2)
Re:words to live by (Score:1)
But that's what the spyware authors were trying to do! Of course in their case, it was the advertising community.
Economic darwinism -- these guys thought they'd found the quickest way to "mo' money", but now they find that the market won't tolerate it. People on that moral level will try other objectionable stuff until they find something that doesn't make their customers feel like they're being shafted all *that* hard, and then they'll do their best to exploit that weakness. Grim, but that's "the way life is".
Re:words to live by (Score:2)
No. He belongs with the Free Software Movement. Anybody who can use the phrase the success we now enjoy when he is still working his day job should be quite at home with the language manipulation of RMS and friends.
Re:Except for those of us who like shelter (Score:1)
When developing for "Open Source", you're designing and programming on the assumption that you're part of a community, helping a community, and not getting paid for it. Most spyware-bundled software is from private companies trying to discreetly make money off "free" software. People will do open source because it's something they believe in and can help create. Not have an open source project just so they can spyware it and make money at a later date.
Lesson to Learn (Score:2)
I completely disagree. Jasc Software [jasc.com] is a great example of a company who started small with Paintshop. It was a great software package (often called a "poor man's Photoshop") with a strong following. Photoshop was offered as uncrippled shareware without any spy-ware. And even as its author estimated registration as low as 1 in 5 downloads, it soon grew and took over the author's professional life. And as any Quake player knows, id Software [idsoftware.com] has a similar story. And an even more rabid fan base (Remarkably, Quake is still played today).
To be sure, these success stories are dwarfed by the number of shareware and commercial operations who fail in the software business. But then, that's business. Most fail in any industry. It's a tough game.
If a small software developer hopes to survive it, they must have a community. It might be within an Open Source community. It might be created from fans of their commercial offerings. But there must be a support base somewhere.
Lavasoft and Ad-Aware have proven one lesson to any developers willing to pay attention. End users do not like the current methods used by spy-ware. As education spreads, more and more users will take efforts to disable this software. And that is a dire message to anyone whose business model depends on it.
having read the article.. (Score:2)
Re:having read the article.. (Score:1)
Re:having read the article.. (Score:2)
The trick of it, is to see it before it can run, it has no power then. If you let it run, I'm pretty sure everything in windows can elevate itself to the equivalent of root without trouble, and kill any process it doesn't like, you have to intercept it before it can do this. After that, it's up to the user and your daemon whether you want to attempt to sandbox the thing or not, and try to salvage some of it.
Re:having read the article.. (Score:2, Interesting)
This calls to mind the old story of Robin Hood and Friar Tuck [csd.uwo.ca]. Essentially instead of having one program that can be killed off/removed, you have two programs each keeping an eye on the other, and starting/reinstalling the other as required.
As someone commented in the last thread on this topic, this all rather reminds me of Core Wars, played out at large. We just need a better way of keeping score...
Ewen
Re:having read the article.. (Score:1)
I'm still curious as to how he's going to change Ad-Aware to prevent it being uninstalled by this other program. Does anybody know?
There's a program provided with the $15 version which is like a virus monitor, but it monitors for spyware. It stops the spyware from running, or installing itself. Lavasoft just needs to add detection for this new bit of spyware.
Re:having read the article.. (Score:1, Interesting)
The real name of RadScorpion seems to be Igor Janos. Any slovak student here knowing Igor Janos?
I am posting anonymously as I am a Slovak, probably live in the same town as he does and he can track me based on my user info - I don't quite want to get his attention
spyware as sources of revenue (Score:2, Interesting)
How do you make money? (Score:5, Funny)
Perhaps if they included some sort of advertising program with ad-aware, they could make some real money!
Re:How do you make money? (Score:1)
But then the first time the program was run it would uninstall itself. Where's the benefit in that?
Re:How do you make money? (Score:2)
Calling all programmers ... (Score:2, Funny)
Re:Calling all programmers ... (Score:3, Funny)
With my geek physique, they shouldn't hold their breath waiting for the funds.
I feel bad for the spyware creators... (Score:2, Funny)
As I believe that some of the "spyware" are just regular legal programs I really feel for their authors to see how their program is being uninstalled," RadScorpion wrote. "I WANTED ADAWARE TO SEE IT TOO and to revalue their pose to their 'enemies.'
No, I feel really bad. If it weren't for AdAware, I, too, could have received an extra $500 from (Insert online casino of choice).
*$500 dollar offer only valid after betting $50,000 or more and receipt of firstborn child. Other restrictions may apply
Just Boycott (Score:1)
Oh and screw the EULAs, if I want to remove spyware from something on _my_ hard-drive then what are they going to do about it?
Re:Just Boycott (Score:1)
What ever the legal aspects are, there is a much simpler way to get rid of spyware - don't download the programs.
Until I started reading computer news sites more regularly, I didn't even know that these things were installing "spyware" on my machine. I just clicked-through on those EULAs, like 98% of everyone. The "just don't do that" argument needs to be prefaced with "you're doing that", which is what programs like AdAware help bring to light. I commend Salon for bringing it to the attention of less tech-hardened people. Even if anti-anti-spyware programs become more popular, the mentality behind AdAware has a better chance of reaching more people.
Apologies to Alfred Perlstein... (Score:1, Funny)
"Miss! D-11."
"Hit! C-3."
"Miss! D-12."
"Hit! Dang! You sank my business model!"
Guess they now know how RIAA and MPAA feel about their file sharing software...
The Legality Of Spyware (Score:5, Insightful)
I mean, if a virus had a license agreement, would it be ok to use it then? And what if the virus attached on to another program with a license agreement that you probably wouldn't read? That is really what these scumware programs are doing. It is an outrage!
Re:The Legality Of Spyware (Score:4, Informative)
First, the Latin word "virus" meant slimy liquid or offensive odor or taste. It was an abstract noun that didn't lend itself to pluralization, and in fact Latin had no plural for it. Modern languages have all invented their own plurals when "virus" entered their vocabulary: German, Viren, French and Italian, virus (they use the same word for singular and plural, like we use "deer").
Second, and most important, the OED gives only "viruses" as a proper plural for "virus."
More details on the etymology of "viruses" can be found here [perl.com].
Oh, and before you ask, it's "boxes" and not "boxen."
Thus endeth the lesson.
Re:The Legality Of Spyware (Score:2)
Ah, but you forget the cardinal rule of the English language: "If enough people use it - even though incorrect - it becomes a word by sheer force of numbers."
Take "Arkansas" being pronounced "Ark-an-saw". Enough people in that state hated their state being referred to as related to Kansas (or OUR-KANSAS) and thusly it became a rule (a stupid rule yet a rule nonetheless).
Another example is "Nonetheless" being one word. Is it proper to have a phrase become one word "alike" other words "awhile" we find more examples? Well, that's just too bad. If enough people decide "Virii" is the proper plural for "Viruses" then it becomes proper (though wrong by grammatical standards). Think about that and perhaps you could explain the "Rite = Right" or "Lite = Light" trend.
What exactly is the "Rite-Aid" chain of stores? The location to buy supplies for rituals? Or is it the place where "Right" people find "Aid"?
We can gripe all we wish, but the tyranny of the majority wins in the grammar wars.
Re:The Legality Of Spyware (Score:3, Insightful)
"Light" versus "lite" actually has a pretty interesting back-story. The FDA mandates terms like "low fat," "fat free," and "light." But there's no such regulation of the pseudo-term "lite." So it's "lite" ice cream even though it's 43% butterfat. That's a marketing thing.
Ah, but you forget the cardinal rule of the English language: "If enough people use it - even though incorrect - it becomes a word by sheer force of numbers."
But you forget the cardinal rule of language: linguistic drift happens over centuries, not decades or years. Find me a use of "virii" in English that dates to 1890 or earlier and we'll talk. Until we do, "virii" is still wrong, wrong, wrong.
precision (Score:2)
hawk
Re:The Legality Of Spyware (Score:2)
So precision and accuracy are related ideas, but kind of orthogonal to one another.
In my case, I was trying to say that geeks-- like us-- tend to try to speak both correctly (i.e., accurately) and precisely. So I think my statement was just fine.
Re:The Legality Of Spyware (Score:2)
Nope. First of all, pluralization isn't a matter of applying rules; it's a matter of the declension of nouns. Nouns are declined in patterns, but those patterns aren't rules. Words that are declined differently than the common pattern aren't "exceptions," they're "irregularities."
Many of those irregularities come from words imported from other languages. For example, stimulus becomes stimuli, but genus becomes genera. Ignoramus is a Latin-sounding word, and indeed is of Latin origin. But it wasn't a noun in its original language; it was a first-person plural verb! So ignoramus is pluralized in the typical English fashion: ignoramuses.
And don't fob me off on the OED plz, talking about the actual proper rules of grammer. *shrugs*
It's "grammar."
Re:The Legality Of Spyware (Score:2)
And datum becomes data.
It's "grammar."
Ouch...
Re:The Legality Of Spyware (Score:2)
But octopus isn't even a Latin noun. It's Greek: oktopous, meaning "eight-footed." The correct Greek plural would be octopodes, pronounced "oc-toh-poh-dees." So the plural "octopi," while admittedly not uncommon, is incorrect. The correct English plural is "octopuses."
There are many examples of Latin-derived or "Latin-sounding" irregular nouns: cactus (cacti), fungus (fungi), terminus (termini), nucleus (nuclei); but consider syllabus (syllabuses), hippopotamus (hippopotamuses), omnibus (omnibuses).
And to whomever it was up-thread who said that languages evolve, you're right. But that doesn't change the fact that right now, today, the correct English plural of "virus" is "viruses," not "virii." The possibility that this may change sometime in the next hundred years doesn't make any difference now; incorrect is still incorrect.
Re:The Legality Of Spyware (Score:2)
Spyware -> Trojan horse (Score:3, Informative)
Although I couldn't find a definition for the term trojan horse on CERT's website [cert.org], a link was provided to the comp.virus FAQ [faqs.org]. According to it, a trojan horse is:
What RadWare's software is doing makes it perfectly clear that spyware should be treated as a trojan horse (with legal implications where applicable), because that's what it is.
Not a trojan horse (Score:2)
It's not undocumented! It's in the EULA and it tells you it does it!
This problem can be solved by... (Score:3, Interesting)
1. First, software installation should be passive. On Windows (as well as other OSes), you download some binary executable and run it. This foreign binary essentially has full rein over your system. Instead it should be a compressed package file with instructions embedded in it that describe what and where the package manifest should be installed. This package should be signed by the originator so that the package is tamper resistant and has some privilege to modify packages that originated from the same source. This way the OS and user are in control rather than an untrusted binary running amok on your system.
2. This is a more difficult one to implement. I think applications should have some levels of access on your system and they should be disabled by default. For example, a multimedia player should not be allowed to delete files or initiate outgoing network connections. Even file reads can be made more granular by restricting the file mime types that an application can read. A multimedia player has no business reading any other files than ones that it knows what to do with. This sort of sandbox could make it harder for an application to whack a competitor's application.
Ultimately implicit trust should be abandoned and implementing mandatory security may be the solution. Unfortunately this is not something that can be easily added but rather it must be designed into the underlying system itself.
Disclosure: I'm writing this at 6:00am after staying up all night writing code so I'm sure a lot of loopy ideas are leaking from my brain at the moment. This may be one of them. Then again even a broken clock tells the right time twice a day.
---
jk
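The signed, declarative package from point 1, as an added example that is not the poster's or Lavasoft's code: an installer verifies the Ed25519 signature against the pinned key for the claimed origin and refuses any action on a path that a different origin installed, so a media player's package cannot delete an anti-spyware tool's files. The keys, the origins (antispy.example, player.example) and the paths are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Action is one declarative install step; nothing in the package executes.
type Action struct {
	Op   string `json:"op"` // "write" or "delete"
	Path string `json:"path"`
}

// Manifest is what the publisher signs: who they are and what they want done.
type Manifest struct {
	Origin  string   `json:"origin"`
	Actions []Action `json:"actions"`
}

// SignedPackage keeps the exact signed bytes, so the installer verifies and
// parses the same bytes and needs no canonicalisation step.
type SignedPackage struct{ Manifest, Signature []byte }

// Installer is the trusted (OS) side: pinned publisher keys plus a record of
// which origin installed each path, for the post's "same source" rule.
type Installer struct {
	Keys  map[string]ed25519.PublicKey
	Owner map[string]string // path -> origin that wrote it
}
var ErrBadSignature = errors.New("signature does not verify for claimed origin")
var ErrForeignPath = errors.New("action targets a path installed by another origin")

// SignPackage is the publisher side: marshal the manifest and sign its bytes.
func SignPackage(m Manifest, priv ed25519.PrivateKey) (SignedPackage, error) {
	b, err := json.Marshal(m)
	if err != nil {
		return SignedPackage{}, err
	}
	return SignedPackage{Manifest: b, Signature: ed25519.Sign(priv, b)}, nil
}

// Install verifies the signature, checks every action against the ownership
// policy, and only then applies them: one bad action rejects the whole package.
func (in *Installer) Install(p SignedPackage) error {
	var m Manifest
	if err := json.Unmarshal(p.Manifest, &m); err != nil {
		return err
	}
	pub, ok := in.Keys[m.Origin]
	if !ok {
		return fmt.Errorf("no pinned key for origin %q", m.Origin)
	}
	if !ed25519.Verify(pub, p.Manifest, p.Signature) {
		return ErrBadSignature
	}
	for _, a := range m.Actions {
		if a.Op != "write" && a.Op != "delete" {
			return fmt.Errorf("unknown op %q", a.Op)
		}
		if owner, taken := in.Owner[a.Path]; taken && owner != m.Origin {
			return fmt.Errorf("%w: %s (owner %s)", ErrForeignPath, a.Path, owner)
		}
	}
	for _, a := range m.Actions {
		if a.Op == "write" {
			in.Owner[a.Path] = m.Origin
		} else {
			delete(in.Owner, a.Path)
		}
	}
	return nil
}

// Demo replays the thread's scenario with constructed keys, origins and paths: an
// anti-spyware tool installs its scanner, a media player's package then tries to
// delete it, and finally the player's signature is reused over an altered manifest.
func Demo() (firstErr, playerErr, forgedErr error, ownerAfter string) {
	avPub, avPriv, _ := ed25519.GenerateKey(rand.Reader)
	plPub, plPriv, _ := ed25519.GenerateKey(rand.Reader)
	in := &Installer{Owner: map[string]string{},
		Keys: map[string]ed25519.PublicKey{"antispy.example": avPub, "player.example": plPub}}
	const scanner = "/Program Files/AntiSpy/scan.exe"
	av, _ := SignPackage(Manifest{Origin: "antispy.example", Actions: []Action{{Op: "write", Path: scanner}}}, avPriv)
	firstErr = in.Install(av) // nil: the path is unowned, so the write is allowed
	pl, _ := SignPackage(Manifest{Origin: "player.example", Actions: []Action{
		{Op: "write", Path: "/Program Files/Player/player.exe"},
		{Op: "delete", Path: scanner}}}, plPriv)
	playerErr = in.Install(pl) // ErrForeignPath: scanner belongs to antispy.example
	forged := SignedPackage{Signature: pl.Signature, Manifest: []byte(
		`{"origin":"antispy.example","actions":[{"op":"delete","path":"` + scanner + `"}]}`)}
	forgedErr = in.Install(forged) // ErrBadSignature: antispy.example's key did not sign it
	return firstErr, playerErr, forgedErr, in.Owner[scanner]
}

func main() {
	fmt.Println(Demo())
}
```

Because the policy pass runs before anything is applied, the player's package is rejected as a whole and its own player.exe is not written either.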
Re:This problem can be solved by... (Score:2)
With regards to point two - I suppose you could do this by having the person packaging the app specify what permissions the app needs, and before installation the user has to okay the permissions the app wants. Again this would depend on a package based installer as you say.
Anyway, I'm rambling too..
Re:This problem can be solved by... (Score:2)
Re:This problem can be solved by... (Score:2, Informative)
Exactly. The self-installing executable is a fine example of convenience being the enemy of security: At first, it sounds like a good idea. The program knows how to install the program you want with no interference from you. But if the program installs something you don't want, you're screwed. Why a program should have that level of trust on an OS is another issue you address in your next point:
2. This is a more difficult one to implement. I think applications should have some levels of access on your system and they should be disabled by default. For example, a multimedia player should not be allowed to delete files or initiate outgoing network connections. Even file reads can be made more granular by restricting the file mime types that an application can read. A multimedia player has no business reading any other files than ones that it knows what to do with. This sort of sandbox could make it harder for an application to whack a competitor's application.
That is a tough nut to implement, I'd imagine, but the work has been done: *nix file permissions. A file has only the permissions its creator (or the superuser, root) gives it (so 'image files' can't run as programs), and an executable created by a certain user only has the permissions of that user, so it can't whack anything the user himself couldn't whack. So, on a *nix-y system, you could make AdAware untouchable to normal users and then only install software (other than AA) as a normal user. Problem solved.
Ultimately an implicit trust should be abandoned and implementing mandatory security may be the solution.
I think all multi-user OSes have reached this conclusion.
Unfortunately this is not something that can be easily added but rather it must be designed into the underlying system itself.
True. The file-permission system wasn't bolted on to Unix.
I'm writing this at 6:00am after staying up all night writing code so I'm sure a lot of loopy ideas are leaking from my brain at the moment. This may be one of them.
These loopy ideas are what make *nix boxes so tough to crack.
Re:This problem can be solved by... (Score:2)
How is it more convenient for each program to have its own installer?
* It forces me to learn a new installer interface each time I download a new program.
* It allows software makers to get away with ridiculously worded English-only EULAs, where a single installer could have a set "named expandable-block" format which would look like "We are Netscape and you are about to install Netscape Navigator. We don't guarantee that it will work on your system, but it worked on ours. Not to be used in real-time systems." when collapsed. In addition to hurting users, this hurts software makers, since each software maker must hire expensive lawyers to write a program-specific EULA.
* It makes it easy for an individual installer to screw something up like not taking block size and breathing room into account when checking whether I have enough disk space. (Total file size 200MB, 209MB disk space free, plenty of free space!)
* It lets programs decide whether to be "Program Files\Mozilla" or "Program Files\Mozilla 0.9.9" or "Program Files\mozilla.org\Mozilla", instead of letting the user decide once.
* It makes downloads bigger, since each program feels a need to include its own installer.
* It makes uninstallation unreliable.
Throw in spyware and viruses, and it's much less convenient for users if each program has its own installer.
Re:This problem can be solved by... (Score:1)
Doesn't matter. The first time it runs it can do all its untrusted binary crap that it needs to do to work properly / wants to do to fuck you over.
Look at Java WebStart (Score:2)
elegantly download and install software to multiple platforms (including Linux).
The downloaded application then works with restrictions similar to those of Applets. If the application needs to perform tasks it is not yet allowed to do (write to disc, access network), the runtime will ask you to give the necessary permission.
Re:This problem can be solved by... (Score:2)
Won't work. It's necessary for software installers to have the freedom to execute arbitrary scripts during installation or removal. For instance, if you installed an FTP server, it would be necessary for that server to modify your
All the install package has to do is install a little script or binary, execute it during an exitop, then remove it when it's finished running. The little script or binary has, in the meantime, searched out and deleted AdAware, or whatever.
Re:This problem can be solved by... (Score:2, Informative)
Unfortunately, this won't work in Windows.
Example: you want to install a network print driver. Now, your driver needs to do a couple of things: copy itself (it's a dll) into the system directory to be loaded by the windows printing subsystem and create a bunch of registry keys the printing subsystem expects out of each "port monitor". It also needs to inform the printing subsystem to load your dll, either now (NT/2000) or after a reboot (9x). This is where it gets hairy.
The way this is done differs with every version of windows. To ameliorate the problem, MS has a win32 function that you call that does this semi-automatically (I forget what it's called, search MSDN Platform SDK for "install port monitor"). Your print driver won't work unless you call this function.
So, my basic point is that in order to install this software, you need the ability to call arbitrary functions with particular arguments. This basically means the install program must have a place where it runs an arbitrary bit of code written by the developer. You could also do whatever you like in that bit of code, such as uninstalling adaware.
I don't know about MS's new installation procedures, but I'd imagine they're pretty similar to what InstallShield does. The way InstallShield works is that you get this little GUI where you describe your app's files, registry settings, etc. From this, the InstallShield program generates a .ins file which is distributed with a more-or-less generic "setup.exe" program. The setup program also allows you to put in any code that you would like to run (the GUI has you do this in VB, but I believe you could also have it do it in C if you'd like - moot point, since you can do this stuff from VB as well as C). So, the existing installation procedures are something like what you describe except that the developer also gets to run a script of their choosing. In a way, you get the exact same capabilities as with RPM.
Now, you may say that this example is a bit unfair because this is really a device driver and you could say this "systems level" stuff is quite different from regular "application level" software.
Problem with that argument is that in Windows, there is no clear distinction between systems-level and application-level stuff. I'm a unix guy, and it's amazing how much stuff in Win32 is considered "systems level." I'd say almost any non-trivial win32 application would need to have a run of arbitrary code in the installer, whereas most RPMs don't need post-install or pre-install scripts. Underlying problem is that MS got a lot of abstractions wrong.
Capabilities is the answer? (Score:2)
The last time I asked about this I was told that I was asking about something called "capabilities", and that there was a group working on adding it to Linux. I don't know whether it is scheduled for 2.6 or not, but it obviously didn't make it into 2.4.
I believe that Red Hat has a non-Linux OS that is capabilities based, but that it's aimed at embedded systems. (This is probably quite confused, but it's the best I can do off the top of my head.)
Essentially what capabilities does is strip default access from all users (including root). root gets the default capability to assign capabilities. A capability might be something like the right to access some particular port (no more counting all ports less than 1000? to be special! All ports are assigned or not on a per user basis.) I don't know whether there would be defined capability groups, though it seems like a good idea. So one could set up a default user group that would, e.g., be allowed to access the floppy drive. But that wouldn't come automatically, and it could be revoked.
The difference here is that you seem to be suggesting that capabilities be assigned to programs rather than to users. This sound interesting, but I would suggest that no program be allowed to exercise a capability that was denied to the current user. That way if a virus rewrote, say, the mail program, it would only be allowed access to the e-mail folders. Tricky, but could add a level of safety. So instead of configuring programs with a blanket "exec" flag there would be a much more complex setup.
This sounds like it could be quite safe, but also like it might have an immense amount of overhead. (Perhaps that's why capabilities are still being studied rather than included in the kernel.)
But something like this is going to be needed eventually. And it will need to be machine specific, so things can't be sent out configured to take over everyone's computer. Say a cross between capabilities and package signing, with each user signing packages for his own machine.
boot disk ad-aware needed (Score:3, Interesting)
Re:boot disk ad-aware needed (Score:1)
As far as I can tell there is no software workaround to this problem: as long as you are using applications like RadLight, you will be saddled with these problems.
It is clear that software houses are finding it harder to make income from their products and have to resort to this type of approach. This situation can only get worse as the use of open source software increases. The margins available to vendors are (and will continue) to contract. Even the mighty Microsoft are looking at other methods to make a buck i.e. Software Rental or Pay-per-use strategies. Ultimately even these models are flawed. If we go back 10 or so years (in the UK) televisions and VCRs could be rented from several high street stores, however as the number of people who could afford the systems outright increased, the market for rental dropped and these stores have all but gone.
In the software realm the number of people who can "afford" software has increased because the amount of software that is "affordable" has increased. Therefore the number of people willing to pay for applications will drop. Combine this with the "End of Free" transition that is taking place on the internet, where companies are increasingly charging for content, and there is even less disposable income available for frivolous applications.
In my opinion the only way through this minefield, as a user, is to BUY yourself an open source distro, or donate cash to open source projects, and only use open source software. This way you avoid the ethical, moral and legal minefield that is Intellectual Property.
As an investor I would make a slow but measured transition of my stock-holding from closed-source vendors to open vendors. I would include the likes of IBM or SUN in this, at least they are moving in the right direction.
Re:boot disk ad-aware needed (Score:4, Informative)
This catches any software that tries to attack the anti-virus software and the AdAware software.
Seriously scary (Score:2, Interesting)
If Ad-Aware retaliates it will have to try and protect itself from the uninstaller. How will it do that? Clearly changes at the level of the user agreement are more or less useless (what user is going to know or care that they have two conflicting user agreements in use...). So it'll be at the code level. What kind of a software war could that set off? Couple that with software that regularly uploads patches and updates (to protect against the latest rival software...).
Personally I'd rather refrain from having my desktop turned into a competitive software eco-system!
not that hard.. (Score:1)
Re:Seriously scary (Score:2)
Really pisses me off, and I'll NEVER buy another Intuit product.
virii (Score:1, Interesting)
Adaware, while good, is similar to Radlight (Score:3, Interesting)
Re:Adaware, while good, is similar to Radlight (Score:2, Informative)
If you're really serious about pruning out spyware from your system, you probably shouldn't be running KaZaA (or at least the regular version) in the first place, I think. That's like having a security specialist who insists on running a firewall, but leaves the settings at "low" all the time so that he can run a particular game. You can't claim to be actively concerned when you knowingly compromise your system.
Speaking of spyware, as I work tech support I can't believe how many people manage to 'infect' their systems with programs like Bonzi Buddy, Gator, and GoHip. Part of it is simply apathy; occasionally programs like Gator come as options with other apps, and from experience the casual user is terrified of ACTUALLY HAVING TO MAKE A CHOICE with their computer and accepts the default install options. Then there's the people who don't seem to realize that, when an installer for a program they don't need mysteriously pops up when they visit a site, they shouldn't install it. This is how viruses are spread... "but it was from someone I knew!"
The real kicker is that, at least once, I've actually had people blame these apps on the ISP I work for! Mind you, in the incident I'm thinking of (which only occurred last week) the customer assumed that paying for an ISP meant guaranteed technician visits for ANYTHING wrong with his service (even a five-minute "change your e-mail settings" problem) and had cancelled 3 prior ISPs to that effect, so I think it was more a question of his mental instability than any kind of major trend, but you get the idea of what kind of flak we can get at work...
Re:Adaware, while good, is similar to Radlight (Score:2)
If radlight gave a prompt, and let the user decide whether to uninstall or not, then they would be in better waters.
Travis
One thing we forget (Score:4, Interesting)
In short, it's MY computer, _I_ should be the one who decides what is on it. Not only for my own desires, but also to be polite to other people on the 'net. What if one of these spyware programs were to catch (or come with) a virus? My computer would (without my knowledge) spread this virus to other people....
Of course, I run Linux anyway so this does not *really* apply to me. That is, until some large corporation buys the rights to Linux and starts releasing an adware-enabled version...
Bringing up eth0 [OK]
Downloading new artwork and features [OK]
Installing new ads [OK]
Oh the horror...
Excuse the brain wanderings, I've been up all night coding...
-RickTheSleepyWizKid
Cydoor (Score:2, Interesting)
I was writing a piece of software for which Cydoor was being considered as a revenue stream, so we downloaded the SDK to give it all a go.
1) The network then got hit by the Snowwhite and the seven dwarfs virus (this is primarily an email virus, but when it runs it copies itself into every zip on your computer). I thought it came from the Cydoor SDK zip, as that was the first zip file we noticed it in, and nobody here is dumb enough to run executables attached to email (especially dodgy porn-sounding ones). Of course I never knew, as the virus might have run and copied itself in there before we noticed.
On a later date, after the SDK had been deleted (as you may have guessed, we didn't go with Cydoor), we downloaded the SDK again for some reason. Anyway, the virus was indeed in there. They may have gotten the virus the same way we did, but considering they never even noticed they had a virus (it's not hard to notice, even without antivirus software - it adds another file into all of your zips!) it wouldn't surprise me at all if their staff were so clued up that they routinely run outlook and click on dodgy executables mailed to them by strangers.
2) One of my pet peeves is software that modifies your system unnecessarily; I believe this to be a major reason why Windows has a half life (notice how virgin installs never crash, but after a year or two are crashing many times a day). It also has other ramifications, for instance you can't run the software over a network (because all the bits it installed into the system it was installed on aren't on the computer you want to run the program on).
The Cydoor SDK has its own install and as a Cydoor customer, you aren't to change it - you just run it during the course of your own install. As you have no doubt guessed if you've read this far, the Cydoor install modifies the system.
I wouldn't have been quite so annoyed at this if it wasn't for two things:
Anyway, having just said how poorly I think they do things, I at least owe it to them to mention that their SDK was actually very nice, and (not counting the install) it was a breeze to integrate their stuff nicely into the program. IIRC they also give you many ways of doing so, allowing you to choose the most appropriate.
One question, please (Score:2)
Neither of these are required for radlight to work.
So... *aside* from the evil uninstalling of ad-aware, what is so bad about radlight? Is it even really spyware when they actually *ask* you if you want it to be installed in the first place?
Linux reinstall Philosophy (Score:3, Informative)
The only real way to be sure you are free of viruses and trojans is to wipe the hard disk and reinstall your operating system and personal software.
With linux, it turns out to be simple to arrange things so that even with a lot of complicated, customized software installed on a machine, you can reformat your root partition, reinstall linux, and have your non-standard software installed and configured in under an hour. This makes it feasible to do every few weeks for your home computer.
The main reason is that most of the software configuration consists of ascii text files in
Keep your compiled software directories on a separate partition and write a script to descend into each of them and run a "make install". Then keep copies of all the
When it comes time to reinstall, reformat the root partition, reinstall linux, and then run your 2 scripts and you are back where you started, minus any viruses and trojans and exploits that managed to infest you since the last time you did this.
I wrote up an article with more detail on this on rootprompt at:
http://www.rootprompt.org/article.php3?article=
Even easier solution... (Score:2)
I hate being right :) (Score:2)
Re:well I'm not surprised... (Score:5, Insightful)
Simple, because that is what his users ASK of him. Most people who download spyware don't know that it's there. When was the last time you intentionally installed Cydoor? When was the last time your version of p2p software said in big letters "This software will install spyware now Yes/No"?
Now if he packaged ad-aware inside of kazaalite and didn't tell anyone what he was doing, THEN he'd be getting a taste of his own medicine. This, however, is completely different.
Pot. Kettle. Black. (Score:5, Interesting)
I've worked personally on both sides of this fence, with one of the companies named in the interview. I can't tell you how many times I had email exchanges with users that ran like this:
USER: Suddenly my version of [Product] won't work! I get a message it's missing [filename]; what happened?
RESPONSE: You may have installed a program that "removes spyware" that has removed that program element. Programs like that are designed to remove advertising software from your computer. You're welcome to do that, but if you don't want to see ads, the free version of [Product] is not for you. You should try [Pay Version of Product] or some other product that is not ad sponsored.
USER: But I don't understand! The program said it would get rid of evil viruses and bad programs! It didn't say it would remove parts of the programs I use. Why doesn't it say your programs might not work any more?
RESPONSE: We suggest writing to the support address of the "spyware removal" program with your concern. Maybe they will change their documentation to make that more clear.
I myself was *personally* responsible for making sure that software that included ad components had clear, readable EULAs. The software had to all but slap the user in the face with the information -- it had a first line that said, in all caps, that the program was AD SUPPORTED and would DISPLAY ADS. It urged, in all caps, that users *read* before they agreed. I fought with developers who wanted to make the EULA less visible, to ensure that it couldn't be dragged off the desktop or otherwise avoided.
The bottom line is that it didn't matter. I could explain to a user in simple plain language what was going on, and the user would still *ignore* the whole text.
I've become increasingly frustrated by the topic of late. From what I can tell, there are people who feel justified in robbing others of income by repackaging software to remove advertising components. For almost all advertising supported software I'm aware of, an ad-free version is offered for a cost. If you don't want ads, or don't want "spyware", pay for the software. It's that simple. But to actively take income from people simply because you don't approve of their business model is heinous.
Actually, now that I think about it, this is not the first instance of this sort of activity. I remember a developer with a popular product which was ad-supported that used to check for ad-removal programs and bring up a popup window that said something like:
"[Anti-adware program] has been found on your system. It may remove files that this software needs. Do you want to remove [Anti-adware program]?"
A pretty nice bit of turnaround, I always thought.
Re:Pot. Kettle. Black. (Score:4, Funny)
You're right, I'll write my state representatives this instant, and insist that they repeal fines for drug dealers. Throw them in jail, yes, but taking money because I don't approve of their business model is truly heinous.
Re:Pot. Kettle. Black. (Score:2, Insightful)
You and your product may have been very clear on the ad/spyware issue, but I'm absolutely sure I have never been asked by an installer if it was ok to replace my winsock.dll by something that resolves .cool and .new tlds etc. Or to redirect all my http traffic through some hit counter. Yet this happens when installing some of these "freeware" tools.
The problem is that these companies are not upfront about it. Morpheus has an anti-spyware logo on its site for chrissakes. Only when everybody comes bitching to them do they change their EULAs and say, hey, we told you all along, and you agreed, so what are you complaining about?
"[Anti-adware program] has been found on your system. It may remove files that this software needs. Do you want to remove [Anti-adware program]?"
If it gave a warning like this, fine, I'd cancel and that would be it. If it gives you a choice (like ad-aware does), it's ok, otherwise it's not.
Not quite right (Score:1)
So let me repeat: "if the USER finds the activity unacceptable then we will meet their need". The point being the USER.
Secondly, do you know how Ad-Aware functions? It lets you choose what to remove. IF you click blindly to remove everything then it is your problem, not Ad-Aware's fault. Like I always say: RTFM. If you use a low-level system-component remover then either know what you do or shut up.
Re:Pot. Kettle. Black. (Score:3, Insightful)
The confused user is your problem. Ad-Aware is, in fact, doing exactly what it advertises: removing spyware. Your application does more than it advertises - it installs spyware that the user is apparently unaware of. How do we know this? Because they actively removed components they had no idea were on their system, much less that they were installed by your product.
And please. Who really reads the EULA? You KNOW the end user is not going to read it no matter how plainly you write it and how much verbiage you use to explain "ad supported" software.
So how do you educate your user? Make it an active part of the installation process.
The user downloads the WidgetMeister app to view their favorite widgets. During the install of the app, it notifies the user that WidgetMeister is ad supported software and is sponsored by several software packages. List the packages. Explain their use. Give the user a chance to not install specific components, or abort completely.
Of course - I suspect that this would also effectively cut deeply in to WidgetMeister's user base as many users will decide not to use it. And that's the crux of the problem.
This is not about ad-supported software. It is not about confused users. It is about the subterfuge of the spyware industry and the battle for control between end users and developers for the user's system.
Re:Pot. Kettle. Black. (Score:2)
The user downloads the WidgetMeister app to view their favorite widgets. During the install of the app, it notifies the user that WidgetMeister is ad supported software and is sponsored by several software packages. List the packages. Explain their use. Give the user a chance to not install specific components, or abort completely.
Agreed. Specifically, show all parts that will be installed and allow the user to uncheck any of them. Briefly describe each part if highlighted.
Just like any other program, if the user unchecks a part that is "necessary", warn them about what will/will not work and why. If there's an ad-free version, this is the time to promote it or offer the option to upgrade on the spot.
Re:Pot. Kettle. Black. (Score:1)
Eventually, they screwed up their ad Javascript to the point where IEW kept crashing. At that point, I figured they had lost their 'right' to do things on my machine.
I started with the hosts file fix and then eventually, after the Kazaa debacle I have no guilt about nobbling Cydoor and blocking all ads.
Ad supported software is one thing, but when it starts causing s/w problems then, sorry, I will use the cracked version only.
Kid. Stupid. Money. (Score:2)
I also like how you draw no distinction between adware and spyware. If you don't go out of your way to tell the user what is being installed and what it does (if any additional functionality than what the 'parent' installation is for), then you are installing a trojan horse. Since you don't deign to say which company you work for, I'll take my examples from the majority of malware purveyors: the notification is buried in the EULA, if it's there at all. Line 45? Line 1284? How much of the Microsoft Office EULA did you read when you installed it? How about the OS EULA? "People like you" know full well how often EULAs are read, because you don't read them either. This can be used against the user, requiring them to ask their government representatives for help or to turn to software like Ad-Aware when this fact is abused.
Go ahead and cry for user-hostile business models to be accepted without question, but know that it's not the user's responsibility to provide you with surreptitious income. Consider it civil disobedience against obfuscated EULAs.
Re:Pot. Kettle. Black. (Score:2)
Anti-spyware programs are no more robbing you of income than VCR makers rob advertisers by including fast-forward buttons. You've chosen a business model (a poor one, IMHO) that relies on consumers accepting and responding to advertising. You have that right, but you have no right to control their systems to enforce that model.
You do have a valid point that anti-spyware programs should fully inform the user as to the effects of removing spyware. But attacking users who are trying to assert some control over what runs on their machines is preposterous.
Re:well I'm not surprised... (Score:1)
It's about as far from medicine as I can imagine. Unless it involved leeches.
It's like buying a game that automatically searched for any other game on your computer, and then removed them without asking. Kinda. That may be a bit of an exaggeration, but you get the idea. Stealthily remove all opposition to leave the path clear for your own product.
Bitten by Ad-Aware, start the cold war. (Score:4, Interesting)
As a freeware developer, I now have to invest extra time to get the latest list of targeted filenames by Ad-Aware and similar software.
Ad-Aware is simple-ware with a noble cause - I can't fault it for that. Perhaps it needs to do more fuzzy searches, such as "expected registry keys", "expected support files", "exe file size greater than 2mb (to catch patched exes)" to ensure a positive match, and report the results "98% chance it's a positive match.".
Where is this cold war taking us?
Morph-ware: The ability to change the signature of your software dynamically - filesizes, filenames, icon pixel color variations, title bar text manipulation, and randomizing the internal exe identifiers for windows.
Re:Bitten by Ad-Aware, start the cold war. (Score:2)
How hard would it be to include an md5 hash along with the filename? Maybe that will happen in the next edition. Of course, then the spyware folks might start serving software from machines that embed random codes in the software. That would wreck md5 or any other scheme... unless you hash chunks of the offending file and base the match on matching 90% of the chunks. Bottom line? Just matching filenames is way too simple.
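An added example, written by the editor and not code from Ad-Aware, Lavasoft or either commenter, showing the three matching strategies the two posts above argue about: filename only, whole-file MD5, and per-chunk MD5 with a "90% of the chunks" threshold. The filename `cd_load.exe`, the byte contents and the 64-byte chunk size are constructed for the demonstration; they are not real signatures or real spyware files. The variant sample has a 16-byte "per-download random code" written into the middle of the file, which is exactly the evasion the reply worries about.

```python
"""Filename vs. whole-file MD5 vs. chunked MD5 matching.
Constructed demonstration data; not real Ad-Aware signatures or RadLight/Cydoor files."""
import hashlib

CHUNK_SIZE = 64          # small so the 1 KiB constructed sample yields 16 chunks
MATCH_THRESHOLD = 0.9    # the "matching 90% of the chunks" rule from the comment


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def chunk_hashes(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Fixed-size chunking: hash each chunk_size-byte slice in file order."""
    return [md5_hex(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def build_signature(filename: str, data: bytes) -> dict:
    """A signature entry carrying all three identifiers for one known file."""
    return {"filename": filename, "md5": md5_hex(data), "chunks": chunk_hashes(data)}


def chunk_match_ratio(data: bytes, reference_chunks: list) -> float:
    """Fraction of reference chunks found at the same offset in data.
    Caveat: this is positional. A byte *insertion* (not substitution) shifts every
    later chunk boundary and defeats fixed-size chunking; tools that need to survive
    that use content-defined chunking or a rolling hash instead."""
    if not reference_chunks:
        return 0.0
    sample = chunk_hashes(data)
    matched = sum(
        1 for i, h in enumerate(reference_chunks) if i < len(sample) and sample[i] == h
    )
    return matched / len(reference_chunks)


def classify(filename: str, data: bytes, sig: dict, threshold: float = MATCH_THRESHOLD) -> dict:
    """Report each strategy separately; the verdict never rests on the filename alone,
    because a filename is trivially renamed and trivially collides with benign files."""
    ratio = chunk_match_ratio(data, sig["chunks"])
    md5_match = md5_hex(data) == sig["md5"]
    return {
        "filename_match": filename.lower() == sig["filename"].lower(),
        "md5_match": md5_match,
        "chunk_ratio": ratio,
        "verdict": "match" if md5_match or ratio >= threshold else "no match",
    }


# Constructed samples (hypothetical, not real binaries)
REFERENCE = bytes(range(256)) * 4                 # 1024 bytes -> 16 chunks of 64
VARIANT = bytearray(REFERENCE)
VARIANT[200:216] = b"SERIAL-0042-XYZ!"            # 16-byte per-download code, lands in chunk 3
VARIANT = bytes(VARIANT)
UNRELATED = b"\xff" * len(REFERENCE)              # a different program carrying the same name

if __name__ == "__main__":
    sig = build_signature("cd_load.exe", REFERENCE)
    for name, blob in [("cd_load.exe", REFERENCE),
                       ("viewer_helper.exe", VARIANT),
                       ("cd_load.exe", UNRELATED)]:
        print(name, classify(name, blob, sig))
```

Run it and the renamed, lightly randomised variant fails both the filename and whole-file MD5 checks but still matches 15 of 16 chunks, while an unrelated file that merely reuses the filename matches nothing. The positional comparison is deliberate so the caveat is visible: a single inserted byte, rather than a substituted one, would shift every later chunk and drop the ratio to near zero.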
Re:"Our users are our strength. " (Score:1)
OMG