The Battle Against Junk Mail and Spyware 312
wildfrontiersman writes "A New York Times editorial by Brent Staples, The Battle Against Junk Mail and Spyware on the Web, laments 'The story of technology is the story of noble aspirations overtaken by a hard-core huckster reality. This process is on vivid display in the debate about electronic junk mail, which makes up more than half of all the e-mail that travels on the Internet.' He criticizes the new spam law, the lack of attention to spyware and how it threatens our beloved internet."
Spyware is getting really bad (Score:5, Interesting)
Had to run Spybot, ad-aware, spybot, ad-aware over and over for like 2 hours while rebooting to get rid of everything...
At least the latest Norton Antivirus scans some of it and so does Network Associate's antivirus. I wish Trend Micro's would do it too, it probably will soon...
Spyware a necessary evil for some (Score:2, Interesting)
One way to solve it - stop buying (Score:5, Interesting)
In most other forms of media, it seems that advertising has had its day. Television is no longer able to subject us to ads and is threatened, Radio ads in internet radio are able to be skipped. So we only have to deal with the advertisements that arrive in our inbox.
There are a variety of ways of dealing with this detritus, the easiest one is make it a social stigma to admit to buying anything from spam.
Have any enlargements or pharmaceuticals ever been sold using this method? Has anyone ever received one of these messages and replied and then eagerly waited for their postie to drop by with their delivery of "Hot Teens"?
Turn Spam purchasing into the Venereal Disease of the new century and it will cost these folks more to send the messages than is returned in sales.
Legislation is pointless in an area where geography is no longer a method of control.
Re:Spyware is getting really bad (Score:5, Interesting)
Needless to say: I did like you... Spent hours cleaning the damned thing. Then I did what any sensible person does: download Mozilla, set the skin to IE (so that the idiot users won't notice), enable pop-up blocking, and set it as default browser.
Never heard any complains of that person again, and he can play The Sims now. Sometimes, people need to be forced to use the right software.
Can't we just let the economics sort this out? (Score:4, Interesting)
As for spyware, maybe it's just me, but how about say, not letting files download onto your local disk and set up with executable permissions? You'd think that maybe a modern OS would have some kind of setting to disable this kind of thing? Maybe even just lock out c:\program files\ from being able to create new directories? Yeah I didn't think so. I'm sure the new "security focused" development has better things to secure than the filesystem from malicious executables, because we all know this is a new and infrequent problem right?
One of these days I'll run into someone who gives you these "free offers to improve your life" and talks about how beneficial they are. Then I'll give them some nice theraputic blows to the face to increase the supply of oxygen giving blood to the skin. Look, it works! I can see it turning purple with extra blood now. You should thank me for preemptivly solving a case of skin irritation from lack of bloodflow. How about I remove some of those teeth so you're protected from dangerous cavities too?
See it all the time- (Score:5, Interesting)
Now that win2k (and winxp) is out, the stability issue has been resolved. Now the most common thing I see is tons of spyware slowing the PC down to a crawl (obligatory slashdot humor: The difference between a PC infested with spyware that crawls, and Windows XP hogging all the resources making the PC crawl, is sometimes hard to discern.)
And of course lovely viruses from that oh-so-wonderful default-installed e.mail program, Outlook Express.
Most (nearly all) the *major* spyware issues stem from PEBKAC, a little knowledge (on the end-users part) would go a long way, but much of the spyware out there cloaks itself in "official" looking popups, all happily Verisigned, which can sometimes even trip up sys admins.
The next version of windows is rumored to fix this (to what extent is unknown) but undoubtedly will introduce a ton of new spyware.
Now isn't it nice that we BeOS and *nix users are immune to all that crap? I know I'm glad I use BeOS.
Re:I pity no one (Score:2, Interesting)
Have you scanned for spyware? I can tell you that all it takes to get spyware is to follow one of the links on http://news.google.com using IE with ActiveX enabled. Needless to say, I don't do ever do this.
Congress's misunderstanding (Score:4, Interesting)
Spam works by entirely different rules. It is not enough to deter MOST spammers. It takes only a sufficiently capable handful to bring the mail systems of the entire country to their knees. The economies don't work in the same way: a typical murderer affects the lives of anywhere between one and a hundred people; a spammer affects between one and a hundred MILLION every week.
So relying on a citizen to be rational -- to realize that it's not in his best interest to spam, given the consequences -- will not work. There are more irrational actors than it takes for spamming to remain alive and well. There must be some sort of technological barrier in place -- with the support of the law, I believe -- to ensure that even these irrational actors are incapable of spamming.
What are some examples? Require by law that all ISPs -- be they mom and pop shops, tremendous corporations, or colleges and universities -- provide information in an email sufficient to identify the sender. Then prosecute the ISP harshly if it allows a user to spam; hopefully, ISPs can be deterred more consistently than individuals. Overseas ISPs are obviously beyond this jurisdiction, but the FCC might take it upon itself to publish a list of overseas ISPs that comply, and recommend blocking all that don't.
Alternatively, institute a microcharge on email -- be it monetary or computational -- to disrupt the economies of scale. When a user receives an email from an address not on his whitelist, his computer (or the ISP's) responds with an NP-hard computation problem that the sender's computer must solve before the email is delivered. Solving one -- or one hundred -- such problems would be no problem for a user's computer, but solving one to one hundred million would be much harder. Spamming would require computation like Japan's Earth Simulator to pull off, and the amount of computation might scale each year according to Moore's Law.
stealing computer time (Score:4, Interesting)
Re:From the article.... (Score:5, Interesting)
Of course, such code would not have the luxury of tailoring itself to outlook/IE. It would have to learn to work with mail/Safari, neither of which are as instrusive as the MS counterparts.
I leave it as an excersise to the reader as to whether Safari is as much annoyware as IE, or if the OSS base of Safari gives it an edge.
Re:From the article.... (Score:2, Interesting)
Safeguards (Score:5, Interesting)
It doesn't help that spyware databases software databases have gotten so undiscriminating. You run a spyware scanner, and even the best ones raise red flags over stuff that has some of the features of spyware, but simply isn't. These include customer support tools like backweb. Yes, these can be abused, but ultimately anything you install in your system can be abused. It's simply a question of whether you trust whoever provided the software. Gator and Alexa have used up our trust. Backweb and the CS orgs that use it have not.
There's also the cookie issue. Yes, cookies are a grave threat to privacy. But the solution is in your browser: configure it use a good privacy policy, or if you totally hate cookies, not to accept them at all. Scanning the cookie database is a waste of time. Yet all adware scanners insist on doing it.
Junk mail isn't a new problem. (Score:3, Interesting)
Before that messengers on horses of coaches had to be used. This had the effects that letter where relatively expensive and traveled very slow (4 months from east to west coast). And it was insecure due to hostile natives.
However all this changed with railway post transport. And so the amount of advertisment letter increased greatly. It even delayed the transport of legit letters, so that the post office had to use special (more expensive) rates for advertisment transport to keep to flood under control. Note that hiding advertisment letters as normal ones didn't work: the post offices clerk were allowed to open every letter and check which they really did regulary.
A Creative Solution to Spyware (Score:3, Interesting)
If there is spyware sending out packets, one could presumably see what IP address they are going to and maybe even reverse engineer their data format. Then someone could write a program which sends their servers spy packets containing meaningless or misleading information, thereby screwing up whatever market research they are trying to do. Maybe we can create some fake correlations between unrelated items, after all, unlikely correlations come up often enough in real life, like diapers and beer [google.com], that they may not catch on until long after their databases are completely cluttered with meaningless crap.
Irony (Score:4, Interesting)
http://www.nytimes.com/js/s_code_remote_samplin
This fetches a few pieces of data and sends it back to 2o7.net in the form of a URL for a 1x1 gif.
Anyone care to reverse engineer this code and see what it's reporting back?
Unix not immune.. Just not a target (Score:3, Interesting)
Sure, it wont effect other users directly, but it will still slow down the machine and waste bandwidth...
Sure, *nix users arent targeted yet so we are safe for now. But we cant *just* sit back and laugh...
Circumvent the whole issue .... (Score:5, Interesting)
I'm not trolling, nor am I evangelizing, but the truth of the matter is, out of the box, Macs are FAR less prone to be susceptible to any of these nefarious internet annoyances.
Spyware: practically non-existant for Macs, and any application needs to be manually copied or installed w/a password verification, so nothing gets by without you knowing it (assuming you trust every user of your computer).
Spam: Mac OS X's built in Mail client has an excellent and easy to use spam filter built in, and in the 2.5 years I've had my
PopUps - Not only can you block pop ups in the default browser Safari, most of the pop up ads are themed to look like Windows dialog boxes, so they're easy to spot as advertisements and whisk away with a single click.
Just my 2
Re:Good perspective... (Score:3, Interesting)
Well, my inbox consolidates my own account that has existed from 1995, and several support accounts, and I get around 1500-2000 spams per day in that inbox. Fortunately 99% of that is filtered by spamassassin, but it's getting worse and worse.
Is there a correlation between spam and spyware? (Score:4, Interesting)
Does any spyware collect email addresses from adress books?
Does any spyware submit the user's address with it's data?
Do people who's machines are or have been infected with spyware get more spam?
Just wondering.
It seems that spyware that tracks a users web viewing habits would be a no brainer as a data feed for a targeted spam operation.
Re:From the article.... (Score:1, Interesting)
Hell, I wouldn't be surprised if a lot of computer manufacturers disable automatic updates because it could cause more support calls (ie, if they break something or change a feature slightly). Their bottom line supercedes EVERYTHING else, of course, including being a good 'net citizen and allowing their customers to have a good experience with their new computer.
*cough* Dell-selling-computers-and-requiring-RealONE-to-b
Few buy from spam anyway, but that's irrelevant. (Score:4, Interesting)
The boycott you propose has already been around for a long time. It's called the "Boulder Pledge". Unfortunately, it doesn't work.
The people who advertise through spam are fly-by-night operations. They typically hope to make a quick buck by shoving a message at a million people and getting a 0.0001% conversion rate. (Do the math.) Often they aren't even the ones with products to sell; rather, they're "basement operations" with little in the way of resources or business sense hawking merchandise on behalf of the less-reputable amongst affiliate programs.
The people who make the real money off spam don't make the money selling stuff through spam. Instead, they get paid by aforementioned fly-by-nights to send the spam. They are the few fat sleazeballs sitting at the top of the pyramid being supported by everybody else. Just ask Alan Ralsky (if you can get a letter through to him under the massive number of catalogues he receives).
This convoluted chain of middlemen is the reason why normal market forces haven't stamped out spam, even though spam is net unprofitable. Losers pour money into the spam system and are dealt out of the game with a high turnover rate; but there are always enough new losers coming in to keep the system afloat. Meanwhile, professional scam artists know every trick in the book to squeeze money out of an activity that truthfully causes a net loss for everybody else involved.
From the fly-by-nighters lured in by the promise of easy riches and duped into paying hard cash for spam advertising to the victimized ISPs and end users who have server, bandwidth, and support costs shifted to them, everybody else comes out in the red anyway. So how, exactly, is a boycott supposed to work?
Re:But the Solution to Spyware is ... (Score:5, Interesting)
Your post advocates a
(x) technical ( ) legislative (x) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
(x) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
(x) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(x) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(x) Requires immediate total cooperation from everybody at once
(x) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
(x) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
(x) Public reluctance to accept weird new forms of money
(x) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(x) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
(x) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
(x) Outlook
and the following philosophical objections may also apply:
(x) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
(x) Countermeasures must work if phased in gradually
(x) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
(x) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!
'Conspiracy' of social factors (Score:3, Interesting)
Really, many things together contribute to this problem. In no particular order:
A rabid consumerist/capitalist economy. Everyone wants you to buy something. Everyone NEEDS you to buy something or the whole thing unravels.
As a result, advertising in general has become a tragedy of the commons. It's so pervasive that it's becoming ineffective. Nearly everywhere you turn, there's an ad for something. Most advertising doesn't even improve sales, it just keeps them from slipping. The culture of advertising has gotten so embedded in business that few have realized that superbowl ads are usually a net loss. Perhaps the crassness of spam would turn off the 1/10th of a percent who buy if all other advertising wasn't so crass.
A general acceptance of legalese. If products carrying a EULA over three paragraphs (normal paragraphs) long or using words that have not otherwise been in use for 3 centuries was simply rejected, there would be none. With EULAS cut short, there'd be no fine print on page 123 to hide the spyware disclosure in.
Another way to accomplish that would be for the legal system to admit that it's just not practical (or even financially possible) to hire a lawyer everytime someone shoves a document at you. Further, it should recognize that a contract must be understandable to an average person with an average amount available to devote to such things. Anything not meeting that criterion is null and void. Fine print on page 123 does NOT constitute disclosure.
Loosened community ties have opened the door to scam artists like never before. In a worldwide community where the number of people you actually know is vanishingly small, social shame is not very effective.
Society is well behind the growth of technology. When it becomes more socially acceptable to proclaim that you sell drugs to 8 year olds than to admit you're a spammer, much of it will stop (OK, they may not be that bad, but it's close).
We need for it to be socially and legally acceptable to spit on a spammer's shoes in disgust. It's good that we as a society are (slowly) learning to accept diversity, but at the same time, some things are NOT reletive. An obnoxious ass who deliberatly annoys millions of people a week does NOT deserve understanding, he deserves contempt. Nevermind jail, ostracise them.
Law enforcement. If you or I produced the very same spyware that's out there with the very same barely existant (or non-existant) disclosures, we'd be up on charges. Just because it's incorperated doesn't make it OK!
</soapbox>
I blame anti-virus vendors (Score:3, Interesting)
Any one know of any free checksum-checkers-on-execute, preferably with some sort of centralized checksum database, for windows?
Good news! (Score:3, Interesting)
Now, Windows is well-entrenched because it's what the current user base is used to. We can't get them to budge because we can't persuade them that the change is worth the effort. But if millions of college students are getting a thorough education in how totally insecure Windows is....