Jump to navigation
Enemies of the Internet, Part 2
R. Alex Whitlock
Spam's rotten partner in Internet annoyance is spyware. Owen Courreges provides a link to an InformationWeek article
on the subject:
Business-technology managers are looking for all the help they can get. "We're starting to see more spyware issues," says Gene Fredriksen, VP for information security at financial-services firm Raymond James & Associates. New and better tools are needed because those available aren't able to "effectively handle the problem for a large company," he says.
Florida Cardiology P.A., which provides heart-disease diagnosis and treatment in six locations around Orlando, has 88 PCs. IT administrator Nick Butler discovered earlier this year that virtually every computer had been infected with some type of spyware. It created a serious drag on productivity, with some systems taking more than 12 minutes to start and others unable to properly connect to the Internet.
Since Florida Cardiology handles personal medical information, the presence of spyware scared Butler. "No one knows for sure what this stuff is doing," he says. "What if one of these things is keystroke logging or captures patient information? That's an unacceptable risk."
Owen surprisingly goes all
big-government on the issue. The truth is that most spyware doesn't just creep on to someone's computer. Very much of the time it's part of that largely unread "terms of usage" disclaimer at the beginning of a software install. A lot of the office infections start when an employee downloads a screen-saver or some sort of freebie program. Free software is rarely free, folks; they have to get their money from somewhere. KaZaA is notorious for installing all kinds of crud you don't want on your computer unless you buy the "Plus" version. For my part, I have a freebie program that tells me the temperature and weather conditions. It has random pop-ups, but no spyware.
There are instances where such tracking is done via something viral. Those ought to be (and are, I'm pretty sure) illegal. There is also an argument to be made for a recent senate bill that legislates that users must be informed of every program being installed. Truthfully, though, I'm not sure how much good that's going to do when most of this stuff gets started after a user neglects to read (or simply consents to) a "terms of usage" contract. There isn't much the law can do about that. On the matter of notices, though, I'd imagine this is something that the private sector can handle.
My father recently cracked down on their spyware with Spybot, which has been pretty successful in that regard. A big part of all of this is just staying on top of it. So if we neglect to do so, should the government be asked to step in?
The issue at hand here is how much privacy a computer user is allowed to give up. Obviously, it's a terrible thing when a private company gets ahold of keystroke-monitoring software. Furthermore, I'm not sure what legitimate use there is for such a product. That said, I'm a believer that anyone ought to be able to sell or barter any privacy if that's there choice. It's often been said that Americans value their privacy, but would sell a splice of their DNA for a free Big Mac. In the past, I've handed over my drivers license to
my friend Phil in return for some knicknacks (on a side note, I forgot to tell Phil that I moved, dangit!). People are also willing to have programs on their computer that watch the websites they go to in return for the ability to download illegal files. Well, they're willing by omission (neglecting to read the Terms) as much as anything, but it's not really the government's job to make people read a contract before they sign it (or click on it). Actually, I willingly allowed the late, great AudioGalaxy to do just that.
So what about the medical records? Well, companies with sensitive documents need to be careful about what they let employees do on their computers. Programs need to be in place to prevent employees from so much as saving an .exe file to their computer. Much of this is already done, but the private sector ought to be able to pick up the slack.
In short, I'm unconvinced that the government needs to get involved here to save the ignorant computer user from himself. A better solution would be for OS developers to come up with a rating system of intrusiveness. OS developers may then be able to prevent programs that don't subject themselves to the rating system from being installed. The ones that do submit (which is most of them, I'd wager) will also benefit because if they have a lower intrusiveness rating (if they just have pop-up ads for example), their rating will be fairly benign and people can make their decisions accordingly. Those programs that monitor keystrokes or whatnot would then have a lot more trouble making headway on most peoples' PC. Those that do so covertly could be subjecting themselves to criminal prosecution for hacking.
Update: I take back what I said about most of them being partners of free software. I apparently had security on highest, so my check came out clean. I should have noticed this, but I figured that the web sites I couldn't access were due to a slow modem's sloppy handling of the net, which has happened (to a lesser degree) in the past. In any case, I turned the security down a couple notches and I was able to start accessing all sites. Then I ran a check and sure enough, as Owen said, two peeping cookies have appeared in the last couple of hours.
buy cheap softwarecheap softwareoem softwarecheap adobe acrobat
Observations
Alex,
Most spyware is NOT in software downloads, but in cookies. In one night of web surfing you can get a few tracking spyware programs installed on your system without knowing it, and it is a problem and a blatant misuse of another person's private property. I consider it to be the same as spamming, and just as harmful.
Moreover, some spyware gets installed in the system registry and can actually do damage. Sure, this is more likely to happen to 'ignorant computer users,' but it can really happen to anybody just casually surfing around. With group computers that have multiple users, the problem becomes even worse.
The government doesn't have to set up some net gestapo, but I'd like for this to at least be driven underground. Currently, spyware makers can operate in the open and some legitimate companies patronize them. A great deal could be done with just a few laws and a modicum of enforcement to back them up. It would save more money than it would cost, and hey -- it's right.
Well, the only thing I've done to invite in spyware is download my weather program, and after a quick scan, the only spyware I've gotten is from such. On top of that, working in IT (both professionally and for family and friends) every spyware program I've run across was due to downloading a free program, screen savor, or net toy.
On a side note, I'd actually consider spyware to be more serious than spamming, for what it's worth. At worst, the former is an annoyance, but the latter is a gross invasion of privacy.
Alex,
I haven't downloaded ANYTHING in at least a week, and I did my last spyware check a few days ago.
However, I just did a scan using Ad Aware 6.0, and had EIGHT tracking cookies on my computer. Clearly, I didn't invite these. They were installed simply because I browsed a certain website, not because I voluntarily downloaded something.
Fascinating. Can AdAware tell you where they're coming from? Is it eight different sites or just one?
I just looked over my settings and realized that somehow security is at the highest level. I was wondering why I couldn't access certain sites, but figured that it was just being on dial-up.
[this message has been edited]
AdAware doesn't tell you source URLs, no. I have no idea where these are coming from; I just delete them regularly to keep them from slowing down my computer.
Sure, I can try to avoid spyware and get rid of it once it's installed, but why should I have to go to this amount of trouble for such a blatantly illegitimate business practice? This is why I propose government step in. When there are clearly externalities, and they aren't easily avoidable, then that's a clear-cut case for government intervention aimed at *protecting* property and privacy.
I'm still not convinced that (unlike spam) this is an issue that the private sector is incapable of taking care of, but I agree that the case for government involvement is stronger to me now than it was when I wrote the post. I'll have to ponder on it further.
Alex,
I can tell you right now - it's about 50% "hidden in the EULA", and 50% out and out viral tactics.
There are a number of sites that exploit holes in IE in particular, which slip a downloader program onto your machine called a "trickler." The spyware companies like Gator will swear up and down that their tricklers are designed to "update or repair damaged installations."
They're lying out their lying asses by the way.
The truth is, tricklers are the real reason that so much spyware is so damn hard to get rid of. They hide themselves in unlikely places - some right in root, but the more sophisticated find some backwards out-of-the-way corner of the Windows directory and proceed to rename themselves to something like, oh, rundll32.exe so as to avoid detection if someone consults task manager to try to kill them. As often as not, they'll also register themselves as system services, to prevent being removed from memory by scanners or disabled when someone logs on who has less-than-administrator access.
Thus the dilemma; on the one hand, the companies (like Gator) will swear up and down that their software is only installed with user permission, and is easy to remove.
And on the other, they're designing them in such a way that they install themselves without telling the user, and reinstall themselves even after the user hits that "uninstall" button the first time.
In regards to Gator specifically, that came bundled with AudioGalaxy and I had little trouble removing it then. Maybe that's changed in the last couple of years?
Is a reason that I've had better luck with spyware (other than the security level, but even before that...) that I almost never use IE and when I do it's to go to particular sites that I know aren't infected?
IE has a cookie-management system built in. Does anyone know for sure that it's insufficient?
-----
For those who didn't know about IE cookie-management, here's how it works:
Go to Tools; Internet Options; General (tab). Click on "Delete Cookies". Click "OK" when it asks if you're sure.
Then, go to the Privacy tab. Click on "Advanced". Check the "override automatic cookie handling" box. Select "Prompt" for both first-party and third-party cookies. Don't check the "Always allow session cookies" box.
Visit sites you normally visit. Note which ones attempt to install cookies. Decide if you trust those cookies.
If you don't trust them:
(1) Don't go to those sites, OR
(2) Go, but don't install the cookies. (Note: Some sites will not function without cookies -- Hotmail being a good example, as it requires cookies for the login.)
If you do trust them:
(1) Choose to accept the cookies.
If you get tired of prompt boxes, have no fear, there are solutions for that, too:
(1) When you get a prompt, decide whether to accept or block the cookies from that site. Whichever you choose, before you click the button, check the "apply my decision to all cookies from this Web site" box. You'll never see the prompts for that site again;
-OR-
(2) Go to Tools; Internet Options; Privacy (tab) again. This time, click on the "Edit" button. Manually type in the websites you will always accept cookies from and hit "allow". Then, manually type in the websites that you have no intention of ever accepting cookies from and hit "block". (Notice that you can always change these commands by managing the list of "allow" and "block" sites that you create.)
One Last Note: When you get a prompt box for a cookie, you can click on "More Info" to find out how long the cookie is programmed to remain on your computer. Useful info in making decisions as to which cookies to accept.
-----
Here endeth the public service announcement. :)
Add an Observation
Comment spam is an ongoing problems that we're trying to address. Previously we required people to create accounts and log in. I am thankful to say that is no longer the case. We're giving Captcha another try and are playing around with a text-based Q&A variant of Captcha. So bear with us as we try to figure out how to best get a handle ont he problem. Please note that any comment on a post more than 30 days old will go into the moderation queue, where I will get to it when I can which could be once a week.
