Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Software

Using Spyware to Report Pirates? 1013

An anonymous reader asks: "I have visibility to AUP complaints we receive at work, and we receive messages from a software vendor that make it obvious that their product is phoning home when it discovers it is running a cracked copy of itself." Apparently the software phones home, and then the publisher's legal department sends the administrator an e-mail. "The message goes on to detail the users IP, a timestamp, the product in question, the users PC name, username, and MAC address. This falls under -my- definition of 'spyware.' What are your thoughts?" Software has been making surreptitious checks for "piracy" for over a decade, yet these checks are usually limited to the software itself, and not data on the user's machine. Do you feel software publishers should have the right to peer into users data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?
This discussion has been archived. No new comments can be posted.

Using Spyware to Report Pirates?

Comments Filter:
  • by Jeremiah Cornelius ( 137 ) on Thursday August 21, 2003 @06:11PM (#6759991) Homepage Journal
    Just WHO is this publisher?
    • by wo1verin3 ( 473094 ) on Thursday August 21, 2003 @06:35PM (#6760240) Homepage
      I'd still like to know what publisher does this, and if my company is a customer of this company which decides to spy on our systems without permission then I would a) ensure we move to another software vendor and b) make the company aware of why we choose to move to another vendor.
  • by SHEENmaster ( 581283 ) <travis&utk,edu> on Thursday August 21, 2003 @06:12PM (#6760002) Homepage Journal
    So that's why my copies of OpenServer and UNIXWARE keep pingflooding kernel.org...
    • Re:SCO OpenServer (Score:5, Informative)

      by GigsVT ( 208848 ) on Thursday August 21, 2003 @06:17PM (#6760059) Journal
      You're joking, but SCO OpenServer does actually scout your network for other unlicensed copies of OpenServer and other SCO products. As far as I know, it just causes an output to console every few minutes warning you of the unlicensed software.
  • by ShadowBlasko ( 597519 ) <shadowblasko.gmail@com> on Thursday August 21, 2003 @06:12PM (#6760003)
    Its been going on for quite some time now.

    You use the illegal software, I don't see any reason why someone who's life work might involve *writing* said software would not want to catch you pirating/using is Illegally.

    I'n not all that sure how I feel about the users computer information being fired off in an email, but I have always considered that a possibility in the past. Seems like I was right.
    • by Col. Klink (retired) ( 11632 ) on Thursday August 21, 2003 @06:15PM (#6760036)
      > You use the illegal software

      But doesn't this imply owners of the legal software are also being spied upon?
      • Many new vehicles have gps.

        Not an issue for most vehicle owners. But you steal it and you get caught easier.

        Is this spying? While I won't say the analogy is perfect this is still very similar....
      • by WIAKywbfatw ( 307557 ) on Thursday August 21, 2003 @07:51PM (#6760857) Journal
        > You use the illegal software

        But doesn't this imply owners of the legal software are also being spied upon?


        OK, I'll take serious stick for saying this but here goes (and there goes my karma).

        Sometimes, people observe/stake out/spy on others and their suspicions/paranoia prove to unfounded and sometimes they prove to be well-placed. Not everyone who's under police surveilance, has a background check run on them or gets asked for additional ID verification when using a credit card is going to be guilty of wrong-doing, but does that mean the cops, your kids' schools or Amex should never be allowed to verify basic details?

        If the software license made it clear up front that the package could and would periodically check that its use was within the boundaries set by the license (eg, full licensing) then I don't see anything wrong with a publisher checking up on its users in this way. After all, permission had been given, just as it had been given (implicitly or otherwise) in the real world examples I gave above.

        One thing you need to ask yourself before you potentially start bashing this company's spyware (or whatever you want to call it): am I in violation of a software license or any laws? Make damn sure that their aren't any illegal copies of the software floating around your organisation before kicking up a major fuss otherwise this could really backfire for you.
      • Well...yeah. And some legal software (e.g. Gator, Kazaa, etc) spy on you in ways you might not like. But in the end it's all a trade off -- how much do you trust your software manufacturer?

        Some of them I do trust. If I find out Adobe is spying on me to be sure I bought my boxed copy of Photoshop 7, I'm not that worried, because I did. I see this in the same light as I see cameras in retail stores...sure, it's a little annoying that they might be laughing at my fat ass trying to squeeze into size 34 pants, but I can deal with that because I respect their right to stop shoplifters. When the guy who came to paint my house asked me to leave my garage open, I did so, because I was paying him scads of money and I trusted him not to walk out with my TV as well.

        Really, with proprietary software it's all a matter of trust. It always has been -- it's why my uncle wouldn't let my cousin use his Renegade pirated floppies in his c64, he was afraid of some stupid code going haywire and messing up his $500 machine.

        You worried about this spyware stuff? Go whole hog OSS, it's the only way to be sure. I happen to prefer the user interface and trustworthy behavior of some of my proprietary software and don't mind paying a little extra for it, money or privacy. Still, the day I catch ImageReady sending lists of my porn directories back home to corporate is the day i switch to (shudder, ew) The Gimp.
  • No Problem (Score:4, Insightful)

    by Iron Monkey543 ( 676232 ) on Thursday August 21, 2003 @06:14PM (#6760019)
    I have no problem with this, as long as it is in the agreement box, or they make it clear that it till collect the user data and send it to the company if the software checks itself to be a crack.

    You don't like it then don't use it.
  • Another question... (Score:5, Interesting)

    by Decaffeinated Jedi ( 648571 ) on Thursday August 21, 2003 @06:14PM (#6760021) Homepage Journal
    Is it spyware if it's mentioned in the User Agreement that you accepted?

    DecafJedi

  • Consent (Score:5, Insightful)

    by JohnGrahamCumming ( 684871 ) * <`slashdot' `at' `jgc.org'> on Thursday August 21, 2003 @06:15PM (#6760026) Homepage Journal
    In any application where data is sent from within the company (or home) consent is vital. Perhaps you would argue that stealing the software removes the obligation to ask for consent, but the potential for the software to mistakenly think it is pirated is too high.

    POPFile has an option to check to see if there's a new version available. It's incredibly innocuous: it hits a server and check it's version number, the server junks its logs daily. I keep no record. This was initially on by default but people were upset, it's now off.

    The simplest solution is that a piece of software that thinks it is pirated start warning 30 days before it's going to shut itself off to give the user a chance to do something and finally disable itself. That is effective and friendly.

    And get yourself a copy of ZoneAlarm so that you can see which apps would like to talk to the outside world.

    John.
  • This isn't spyware (Score:5, Insightful)

    by mosch ( 204 ) * on Thursday August 21, 2003 @06:16PM (#6760047) Homepage
    It's not sending your credit cards, your clickstream or your data files.

    It's not spyware, it's a fucking anti-theft system. Don't like it? Don't steal it.

    • by netruner ( 588721 ) on Thursday August 21, 2003 @06:29PM (#6760187)
      I can understand this viewpoint to an extent. However, this doesn't take int account when the antitheft system "misfires" and causes problems for legit users. In my opinion, spyware that acts so intrusively should be allowed under the condition that there are real consequences for false alarms. In this case, if it's not a legit alarm, I would think the company should be prosecuted like a vendor that exercised a backdoor into one of your systems.

      In other words: you better be damn certain that you're tracking a pirate before you start sucking data off his machine.

      However, if the alarm is legit- you really don't have a leg to stand on. Kind of like stealing a design for a new widget and having your prototype explode halfway through construction.

      When you take a step into the illegal side of things, don't look to the law for help.
    • by Iscariot_ ( 166362 ) on Thursday August 21, 2003 @06:29PM (#6760188)
      "It's not spyware, it's a fucking anti-theft system."

      Not so. If you remember a few years ago, a judge ruled against Blizzard using spyware in their software even though all it was doing was helping them to squash bugs and prevent cheating.

      So the transmission of even benign data without permission by the user is against the law.
      • Most companies nowadays keep blacklists of known cracked/hacked/stolen serial numbers. If someone else lifts my serial number, or their cracking software manages to coincidentally generate the exact same code I'm using, I could get punished along with the rest. Not cool. Comments like, "it should just disable/uninstall itself," aren't very well thought out.

        Far better for the company and the user to simply send out a message saying, "You may be using pirated software, please contact us."

        This doesn't jus
  • by Seumas ( 6865 ) * on Thursday August 21, 2003 @06:16PM (#6760050)
    Okay, this one seems simple enough.

    Let's say I am a small book publisher. I publish books about historical battles. I find out that there is someone out in the world who, instead of buying a copy of my book, has simply photocopied a friend's purchased copy of the book.

    Now, let's say I track this person down. Then let's say I break into their house. Then let's say I rifle through all of their belongings. Let's say I get their credit card number, bank PIN number, passwords, social security number, medical history, personal communications, personal habits and all of this information for each person in their family, too. Then let's say I take all of this data and give it to the police or the government. Or maybe I even go much further and just burn the house down with everyone in it.

    Was I justified? I mean, I must be right? After all the person had a photographed copy of my book and didn't pay me the $39.95 for a legitimate right to read it...!
    • by X_Bones ( 93097 ) <<moc.oohay> <ta> <31zronad>> on Thursday August 21, 2003 @07:25PM (#6760649) Homepage Journal
      um, what? you might have a point if the software in question searched the user's hard disk for these pieces of information, but it's not. According to the post, the information sent from the program to a remote server is:

      "the users IP, a timestamp, the product in question, the users PC name, username, and MAC address."

      Every single piece of information transferred is accessible through the use of other, perfectly legitimate pieces of software, unlike medical records (which require a plausible reason to access); it should be clear that this program is not 'rifling through anyone's belongings.' And the mentioning of burning down the house is completely absurd; nobody is considering giving this data to law enforcement agencies or blowing up the user's computer if it's running pirated software (to relate your analogy to the situation being discussed). Please take your slippery slope arguments elsewhere.
  • by Satan's Librarian ( 581495 ) * <mike@codevis.com> on Thursday August 21, 2003 @06:17PM (#6760054) Homepage
    It's spyware. I think active copy protections such as that are stupid anyway - what happens if the user is legitimate, but either had a file corrupted or a virus infected it? I'd assume they are just doing an MD5 hash of their software at best for the check for cracks, and a parasitic .exe virus would set it off right away. So would some older methods of file innoculation, random disk/transfer corruption, and a whole lot of other things.

    There's a legend that Microsoft actually encountered this back with Microsoft Word 1.0 - it formatted the hard drive if the CRC of the program changed. Bad karma there, hosing innocent users if they got infected. (BTW - I've seen Vesselin Bontchev reference it here [google.com] and other places, but it could just be he picked up a convenient rumor. Anyone have verification of this story?

    If it's not documented in the EULA for the product, it might even be a potential civil suit against the company. Doesn't Europe have fairly restrictive privacy laws that could come into effect here? Could be criminal there if so, especially if it misfired on an innocent user. Although of course - IANAL.

    BTW - what product?

  • Was it VisualRoute? (Score:5, Informative)

    by drdink ( 77 ) * <smkelly+slashdot@zombie.org> on Thursday August 21, 2003 @06:17PM (#6760063) Homepage
    I have recently seen this sort of thing from Visualware [visualware.com], the makers of VisualRoute [visualware.com]. They send data like this:
    ip address: 192.168.55.3 [dhcp77-1.example.com]

    local ip address: 192.168.55.3
    date/time: Mon May 05 07:22:22 EDT 2003
    ethernet mac: censored
    user name: censored
    computer name: censored
    license key: NONE - CRACKED VERSION
    product: VisualRoute (build 1858)
    zone: en_US-06:00
    And yes, that data is falsified to save the identity of who it was. The amount and type of data it collects and sends home is rather disturbing. Can't the damn thing just uninstall itself?
    • by FirstManOnMoon ( 613282 ) * on Thursday August 21, 2003 @06:49PM (#6760357)
      What would happen if a crooked employee at Visualware used or shared this information? He now has a valid username and IP address (even if the IP address was NATed, you could match it with the web server logs to find the outside IP.) He can now fire up his favorite cracking program and have at it. If a vulnerability exists in VisualRoute, he now has a list of computers running it that could be exploited. Food for thought...
  • by sterno ( 16320 ) on Thursday August 21, 2003 @06:18PM (#6760074) Homepage
    Ultimately if you get taken to court because of a copyright violation that was discovered because the cracked software phoned home, I doubt the court will grant you much leighway.

    If the software's anti-theft tracking was being put in place by the police, that would be a violation of the fourth amendment. On the other hand, this is being done by a private corporation which has far more rights.

    Think about LoJack, the car anti-theft mechanism, that tracks the car. Isn't that effectively the same thing? That's perfectly legal.

    I don't like the notion of a company installing such spyware because there's little guarantee that they are only reporting pirates. Furthermore, what's to keep them from reporting subtle violations of the license agreement that aren't in fact illegal under copyright law. Once the spyware is there, there's effectively no limit on what it can do.
    • by fuzzybunny ( 112938 ) on Thursday August 21, 2003 @06:25PM (#6760147) Homepage Journal

      Erm...while I grant you that in a civil case the rules of evidence will be much more lenient than in a criminal one, there are statutes related to industrial espionage which you could cover yourself with.

      IANAL etc etc, but I am under the impression that, unless you explicitly agree to a function which is not arguably part of the 'core' raison d'etre of the software, things like collecting information without someone's consent on legitimately licensed PCs could be construed as breaking and entering, or the digital equivalent.

      If the software only does this for unlicensed copies, I wonder whether you couldn't use a similar strain of argument (license was not active for arcane technical reasons, whatever.)

      Admittedly, without starting an argument about it, I don't have strong moral qualms about piracy, and I do believe there are certain limits as to what's allowed in terms of evidence collection/snooping even if you are doing something legally "wrong".

      Frankly, I think companies should try to use free/open software anyway if they can, so this never even becomes an issue (ask SCO! :-)
  • windows ? (Score:4, Interesting)

    by jacquesm ( 154384 ) <jNO@SPAMww.com> on Thursday August 21, 2003 @06:18PM (#6760077) Homepage
    How many packets does your machine send out that you have not looked at personally ? Mine does that *all* the time (I don't have the time nor the resources to check them all).

    This means that if say MS is checking the contents of my machine and starts harassing me over possibly illegal software that I would have no way of knowing that the info was retrieved using spyware. it's the stupidity of the 'presentation' that gives this one away, if they were a bit more clever about it you'd never have known that it was spyware related.

    The best way to avoid this kind of trouble is to go completely open source or make sure your licenses are paid up :)

    are you on the grapevine yet ? [wwgrapevine.com]

  • by chimpo13 ( 471212 ) <slashdot@nokilli.com> on Thursday August 21, 2003 @06:19PM (#6760082) Homepage Journal
    Does anyone know where there's a list of spyware that does this? I'd like to see what programs to avoid stealing.. uhr.. I mean buying.
    • some more (Score:3, Interesting)

      by ramzak2k ( 596734 )
      Here are two more i have noticed that do the exact same thing :
      1. Admuncher http://www.admuncher.com/
      2. Evidence Eliminator http://www.evidence-eliminator.com/

      I found a quick (& better)replacement for Admuncher in the new google toolbar (http://toolbar.google.com/) to get rid of popups.

      Evidence eliminator is crap, dont need a replacement.

      In either of these cases they take you to a page showing your IP address with what they think is a scary message. If you do use a cracked version make sure your wind
  • by ad0gg ( 594412 ) on Thursday August 21, 2003 @06:19PM (#6760083)
    With the game Black and White that I own, the cd copy protection gave my computer so much problems and the only solution the publisher gave me was to install a new cdrom, so I was forced to install the cd crack to actually play the game. I'd hate to be labeled a pirate and taken to court because I actually wanted to play a game I legally purchased(Hell I preorded).
  • by GreenCrackBaby ( 203293 ) on Thursday August 21, 2003 @06:20PM (#6760093) Homepage
    I can't tell, but I'm assuming that you work at an ISP (AUP complaint?). Why on earth would you care about this information?

    "Oh no! One of our users is doing something illegal and it has nothing to do with us! Quick, pull the plug on him!!!"

    Seriously...unless you are law enforcement, what could you possibly do with this information? If I wrote your ISP and told them I saw you smoking pot, should I expect them to pull the plug on your connection??? How is this any less rediculous?!?
  • Uh? (Score:5, Insightful)

    by loconet ( 415875 ) on Thursday August 21, 2003 @06:20PM (#6760101) Homepage
    Ok, so if the program is smart enough to discover that it's a cracked copy of itself, why doesnt it just not start up and prevent the user from using the cracked copy.
    • Re:Uh? (Score:4, Insightful)

      by salmacis2 ( 643788 ) on Thursday August 21, 2003 @06:43PM (#6760319)
      Bingo! The software can't know without any degree of certainty whether it is patched or not. So this data is sent back for *all* installations. The software company then checks product ID numbers against those which were registered. So even legitimate copies of this software are sending their customer's details back. *That* has to be a problem.
  • by Dr. Ion ( 169741 ) on Thursday August 21, 2003 @06:21PM (#6760107)
    you need to tighten up your firewall!

    If you don't even know which software or machine is communicating with which outside hosts, don't be surprised when you find out some inside box is relaying spam or leaving out the welcome mat for unwelcomed visitors.

    In any case, what exactly prevents you from naming the offending software? Why speak in generalities and obfuscation?
  • Use Free Software (Score:4, Informative)

    by no_choice ( 558243 ) on Thursday August 21, 2003 @06:22PM (#6760122)

    Given that you undoubtedly agreed to allow the proprietary software to do a full body cavity search on you when you clicked through the EULA, the publisher has the right to do just that. Even if you're using a "legal" copy.

    YOU have the right to refuse to use binary-only, spyware infected, jump-through-hoops licenced programs. Use Free Software instead.

    "But I depend on the proprietary software to do my job." Then support the Free Software movement [fsf.org] so someday you won't need to depend on proprietary software anymore.

  • by sublimespot ( 265560 ) on Thursday August 21, 2003 @06:27PM (#6760173)
    Personal Firewall is the best approach to keep software from "phoning home".

    You need to use your best judgement - when and why an application connects to the internet. Deny all connections by default.

  • by Satan's Librarian ( 581495 ) * <mike@codevis.com> on Thursday August 21, 2003 @06:34PM (#6760224) Homepage
    Call the company. Say you found the user and pirated software, and appreciate their notice. Tell them the software has been deleted and the user has been reprimanded. Tell them you have banned said software company wide because your company does not use pirated software - or spyware.
  • by SmackCrackandPot ( 641205 ) on Thursday August 21, 2003 @06:44PM (#6760321)
    There's always the danger that a disgruntled employee could plant a cracked version of the software on a company computer.

    And what about shared laptops. Somebody loads on some software while attending a conference and then hands the machine back.

    Some floating software licensing schemes work on using IP addresses, MAC addresses, monitoring the real-time clock to make sure dates don't change. What if one of these circuits fails (stray cosmic rays, power surge), does that automatically make the user a criminal?

    Sure, software companies have the right to protect their software, but I don't think they have the right to allow their applications to automatically generate crime reports. W It would be more for the application to request new short-term licenses and deny access than do anything destructive. If an application can detect that it has been cracked then it should just refuse to work.
  • by YrWrstNtmr ( 564987 ) on Thursday August 21, 2003 @07:15PM (#6760575)
    Say you're a small shop. You have need of 3 copies of s/w package X.
    You go down to BigBox store, and buy 3 copies of X.
    Back at the office, you use one CD to load all the machines. Leave the other 2 in the shrinkwrapped boxes, on the shelf. Perfectly normal...happens all the time.

    The running s/w sees 2 other copies of the same s/n on the LAN, and phones home. PIRATE! PIRATE!

    You're 'legal'. You have paid your fees for the 3 copies. But Company X, due to their incorrect reporting and intrusive networking, thinks you are in violation. They send the BSA after you, with all the attendant fees.

    At this point, you're guilty until you can prove your innocence.

    Absolute BS, I say.
  • by inkswamp ( 233692 ) on Thursday August 21, 2003 @09:41PM (#6761564)
    I'm sure everyone here can sympathize with companies and individuals who are hurt by piracy and I feel that they have every right to pursue it in whatever way they legally can. But that's the problem. As soon as a company uses illegal or unethical methods to combat illegal and unethical abuse, they lose me as well as the moral upper-hand. There are plenty of ways to combat piracy without invading a customer's privacy and I think it behooves a company or developer to explore those avenues. Also, they need to accept that there is always going to be a segment of users who will use pirated software. And I'm not so sure that matters. I would assume that most people doing so wouldn't have paid for the software legitimately anyway, no matter what, so it's hard to say that any potential profit has been lost by anyone. Tactics like "phoning home" and convoluted registration methods, dongles and other nuissaances only irritate paying customers and likely don't stop any piracy at all.
  • Apple anyone? (Score:3, Interesting)

    by stubear ( 130454 ) on Thursday August 21, 2003 @10:00PM (#6761656)
    Apple has been doing something like this for years. If you run software on a network and you try to use the same copy of software on two different systems at the same time, something will have to give. In this case, MacOS informs you that person x is using a copy of the software and then it quits the application until you close down the other copy or log off the network. I don't see /. breaking out the hayforks over this though.
  • by Thing 1 ( 178996 ) on Thursday August 21, 2003 @10:22PM (#6761772) Journal
    Do you feel software publishers should have the right to peer into users data, if their software suspects foul play on the machine, or should it do the easy and intelligent thing and just stop working?

    If a software publisher prices their software "out of the market" then a potential user has two recourses: 1. don't use it; 2. pirate it.

    If the software publisher's decision is inappropriate (i.e., the value is $50 but they charge $2,000), then the user can't be blamed for pirating it. I mean, they can be, but let's face it you can't return software you don't like (because "you might pirate it"), so the default behavior is, pirate it to make sure you like it. Then, if you so choose, pay for it.

    I think it's super cool though, that publishers are going to more and more draconian levels in order to "protect their profits" because it just makes open source/free software that much more attractive.

    See the Ernie Ball story for more details. (I love that I saw the Ernie Ball and the optic-fiber sponge stories on Excite last night, and then saw those two posted here today.)

  • Entrapment (Score:4, Interesting)

    by Zerbey ( 15536 ) * on Friday August 22, 2003 @12:51AM (#6762471) Homepage Journal
    Doesn't this fall under Entrapment laws, or does that just apply to law enforcement agencies?
    • Re:Entrapment (Score:3, Interesting)

      by praksys ( 246544 )
      ...or does that just apply to law enforcement agencies?

      Yes, and in any case it wouldn't be a good example of entrapment. In order to qualify as entrapment it has to be the case that the defendant would not have committed the crime in question if not for some sort of enticement or encouragement on the part of a law enforcement officer. There is no encouragement to pirate software here.

As you will see, I told them, in no uncertain terms, to see Figure one. -- Dave "First Strike" Pare

Working...