The AskJeeves question. Hopefully, we’ve answered it.

A while back, AskJeeves approached us to have their products delisted from the CounterSpy database.

There are a number of antispyware programs that list AskJeeves toolbars and a number that don’t. You can see the current status of AskJeeves detections here. It’s a mixed bag: Companies that don’t detect any AskJeeves programs are Lavasoft, Microsoft, WebRoot, PC Tools and FBM Software. Companies that do are Sunbelt, McAfee, Computer Associates, Spybot, Tenebril, Trend and Facetime.

The AskJeeves question is not new. See this article in Newsweek in June and Ben Edelman’s discussion in May. Clearly, there’s room for a definitive answer, especially with business customers who buy antispyware programs.

So we proceeded to perform a comprehensive study of the AskJeeves programs in question. That study can be found here.

The AskJeeves programs referred to are all search tools that are added to your browser: MySearch Bar, MyWay Speedbar and MyWeb Search and their variants (AskJeeves re-brands or modifies these toolbars to produce variants that offer free cursors, screen savers, etc.).

What we found in some cases was troubling. Now, don’t get us wrong: The AskJeeves toolbars are NOT adware or spyware. They are arguably relatively innocuous additions to the browser. However, methods of current and past distribution, notice and disclosure are of concern. After reviewing the results, one has to ask oneself the question: If an AskJeeves toolbar is on a user’s system, did they really want it on there in the first place? Did they even know they were getting it?

When AskJeeves’ products are downloaded and installed directly from AskJeeves’ own web sites, notice and disclosure of the products and their functionality is generally good, though there is room for improvement in some cases (e.g., the failure to describe FunWeb Products as browser toolbars). However, several of AskJeeves’ products are plagued with poor installation practices when distributed by third parties or when advertised at third-party web sites. Putting aside concerns about aggressive advertising practices (treated at length in the whitepaper), we found issues with the following:

Poor notice and disclosure with software bundlers. AskJeeves toolbars are bundled with software like Grokster and Kazaa, where poor notice and disclosure are provided. The worst case we observed was a bundle with the Bald Eagle Screensaver which installed MyGlobalSearch Toolbar even after the user cancelled the installation. You can see the video taken August 28th of exactly this occurring here.

Installation through ActiveX controls. While Internet Explorer’s user notification about ActiveX controls has improved measurably since the release of XP Service Pack 2, there is still an issue with these types of downloads. AskJeeves’ products have been installed through automated ActiveX installations that initiate when users land on third-party web pages. These ActiveX popups, which launch without warning in arguably confusing circumstances, can prove bewildering to users. For example, this ActiveX popup was found on Smiley Central:


Examples of ActiveX installations of AskJeeves’ software include IOWrestling.com (Sept. 2004), Letssingit.com (Apr. 2005), and Prowrestling.com (Apr. 2005).

Past installation through Windows Media Player exploit. While not as relevant today, an issue several months ago was the installation of software through Windows Media Player files (the Microsoft Digital Rights Management feature, or DRM, allowed publishers to re-direct viewers of a file to a third-party website — this was being used by unscrupulous vendors to attempt spyware/adware installations).

In testing during January 2005 with one such WMP file (aria_giovanni_full7.wmv), an ActiveX install prompt for Popular Screensavers/MyWebSearch toolbar was encountered amidst a series of other installation prompts for XXXToolbar (IST), “Free Jenna Jameson Screensaver” (ABetterInternet), and “Video Secret & Chat” (ABetterInternet).


Force installs through security exploits. By far the worst documented installation practices for AskJeeves’ products have been the past force-installs of AskJeeves toolbars through security exploits, as reported by Ben Edelman back in May.

Changes to the CounterSpy database.

Products that have been marked by problematic installation practices through third-party advertising and distribution include My Global Search, My Search Bar, Need2Find Toolbar, and My Speedbar; as well as variants of MyWebSearch Toolbar which include CursorMania, FunBuddyIcons, HistorySwatter, MyFunCards, My Mail Signature, My Mail Stationery, PopSwatter, Popular Screensavers and Smiley Central. These will all be listed in the CounterSpy database.

We found no issues with AskJeeves Bar, Excite Speedbar, and iWon Co-Pilot and hence they will not be included unless and until hard evidence emerges that these products are being distributed or advertised in ways that trip Sunbelt’s Listing Criteria, as AskJeeves’ other products do.

My Global Search or Need2Find toolbars are not currently detected and will be added, and a number of housekeeping changes will be made to the database to put all the offending programs into the correct taxonomy and labeling standards we have established.

Our whitepaper goes into great and exhaustive detail on all of these points, and I would recommend reading it here.

eWeek writes about it here. Internet Week here.

Alex Eckelberry

Addendum: AskJeeves says that with the FasterXP install documented in the whitepaper, the toolbar “implodes” after installation. That’s true. After it is installed, the toolbar’s buttons are disabled and it only has an “uninstall” button.

MS employee blogs about keylogging

Good stuff here.

“And that’s the key issue – you have to trust the endpoints in a given Web transaction, not just the security “on the wire”. Security on the wire is important – SSL is how you ensure that none of the myriad networks your little packet might traverse between you and the bank has an easy opportunity to steal your account details without even needing to be present – but it’s only part of the end-to-end security story, and with on-the-wire security generally accepted to be “good enough” to stop the casual hacker, my gut tells me the local endpoint – and that’s typically the client – is the most frequent point of compromise.”

Yup.

Alex Eckelberry 

Adbumb takes a stand

Pesach Lattin, CEO of AdBUMb (a big newsletter for the online advertising community), has taken a stand on spyware.

His blog entry here.

“…there can be no doubt anymore that much of the adware industry is not legit. And there is no doubt that much of this industry is plainly illegal. Even the largest companies have, at the least, benefited from illegal actions—and, at the most, they have actively participated in methods of infiltrating/hacking into computers in order to install their adware. Consumers have said over and over again that they do not want this software on their computers, never asked for it and are not going to take it. Run a search on any adware company, and you get millions of hits of consumers complaining about it being installed on their computers without permission.”

Alex Eckelberry


Why couldn’t they have conveniently “lost” that information?

According to this article, Yahoo gave information on a Chinese journalist to the Chinese government.  The journalist went to prison for 10 years for divulging “state secrets”.

“The state secret was a message to Shi’s newspaper warning journalists of the dangers associated with dissidents returning to mark the 15th anniversary of the Tiananmen Square massacre, according to the group. Shi admitted sending the e-mail but disputed whether it was a secret document.”

I’m sick.  I really am.  To lock away a guy for ten years for something so patently idiotic. 

There’s a moral dilemma for companies operating in China. Do you cooperate with the Borg to keep it happy and to forward your commercial interests — and possibly risk your own integrity? Perhaps one can just become “forgetful” or “lose the data”?

There’s a lot of good people at Yahoo, and I’m sure they were horrified to learn about this.  If this story is true, it’s likely Yahoo got a request from the Chinese government and released the information to them, not realizing this poor guy was going to go to jail.  It’s hard to blame them… their own employees would have probably gone to jail themselves for not honoring the request.  Or Yahoo might have lost vital access they need to get their Chinese markets going.  But that is a tough decision. 

Alex Eckelberry 


180 Solutions will try to clean up its distribution channels

180 Solutions has announced plans to clean up their distribution channels.

Basically:

  • The new technology, dubbed S3, is designed to help “prevent the suppression or manipulation of the user consent experience prior to installation”
  • All new affiliates are required to use this new technology. Current (and sometimes naughty) distributors have until the end of the year to transition to it.
  • From what we can tell it looks like a re-coded version of the CBC Force Prompt. The CBC Force Prompt is a prompt that is supposed to come up no matter how 180 Solutions software is installed, to make sure the user is getting the software on their system. It hasn’t always been doing that, ostensibly because of “rogue distributors” bypassing it. I got one today. It looks very similar to this prompt that Ben Edelman talks about here.

Back in May, Daniel Todd of 180 Solutions and I had a chat about using technology to clean up their distribution channels. I wrote about it here. It’s ironic, since this is exactly the kind of thing I suggested to him then.

Every few months 180 announces a new “reform” that will supposedly make its installation practices kosher. This has been going on for over a year, and at the end of all previous efforts we still have examples of unethical installs. So we welcome their continued publicly announced efforts at reform, but admit to viewing yet another promised reform with some caution.

In its press release 180 says that this new technology “helps prevent the suppression or manipulation of the user consent experience prior to installation.” All fine and well, but if the “user consent experience” itself consists of these kinds of notice screens used in recent installations, then is that really enough? See the screenshots here and Ben Edelman’s analysis here.

Anyway, it’s good they are not going to pay affiliates for prior versions after December of this year. The primary problem in spyware is the economic model — it is just too profitable for some distributors to get honest. But we have several months to go before we can see if this plan really works — we’ll be checking 180 installs on January 1…

In the end, as we’ve seen with Katrina, PR means nothing without action. The definition of PR is “good works well publicized”. Get the good works done first, then publicize.

Alex Eckelberry
(Tip of the hat to Eric Howes for his contribution to this blog).

9/7/2005 4:39:22 PM Update: Seattle PI story here.

Phishfighting developer responds

Last week, I blogged on a new site, Phishfighting.com. There was some concerned reaction from readers, as can be seen here.

Some of the comments:

“Uhm… no, sorry. This is a terrible service. This site does no checking whatsoever on the supposed “phishing source”. One could easily turn this into a denial of service against legitimate sites. A terrible idea, if you ask me.”

“That is the coolest thing I have seen all day. Brilliant idea! Some phishers are getting it right now.”

“Now if he had more servers/IPs to do this from it would keep them from banning his IP address. Right now I know of several sites that are up, but don’t come up on his site. They must be banning his IP/domain.”

“It is a great idea, but I do see the ramifications that could come out of it, like a DOS attack against legit. BTW, he does do some checking, type in the real eBay sign-in address.”

Robin, the developer of the site, responds:

“1. “DOS attack”: A DOS attack is by definition a denial of service attack. By adding a 20 second interval between entries, the site is specifically designed NOT to create a DOS attack, which is illegal. Three entries a minute (180/hr) is nowhere near enough entries to take down a website.

2. “Phishers blocking my IP”: The entries are actually coming from the browser, so the Phishers would need to block the user’s IP, not the server’s. And if blocking IPs creates more work for the Phishers, then cool.

3. “Attacking Legitimate sites”: As Eddie pointed out, I am blocking on the most common legitimate sites. Paypal, Ebay etc. I’m logging and watching the entries. As I find submissions against real sites, I’m adding them to the blocked list.

I have no illusions that this will solve the Phishing problem. But it sure does feel good to fight back and, as one user put it, add to the Phishers’ needles in a haystack.

Please contact me at Support@PhishFighting.com if you have questions, tips, suggestions, or just to tell me I’m an idiot. :^)”

Installing the Windows XP Support Tools

From one of our newsletters, WXPnews:

Did you know that there is a “toolbox” full of XP utilities that aren’t installed on your computer by default, but are available on the installation CD? These include tools to provide information about the encrypting file system, directory disk usage, network connectivity and more. The Windows Installer Cleanup Utility removes old installation configuration information that can interfere with reinstalling a software product. The Memory Profiling Tool takes a snapshot of the system and records details of the memory resources being used by the system in a log file. For more information about the support tools and how to install them from the installation CD, click here.

Alex Eckelberry


Civilian flotillas needed in New Orleans

Off topic, but as a boater here on the Gulf, this caught my attention: Civilian flotillas are needed to rescue people trapped in homes — a week after Katrina.

The feds and the local rescue teams can’t keep up with the scale of people needing to be rescued. The actor Sean Penn has been driving around in a boat rescuing people and said he saw three civilian boats yesterday, and invited boaters to come in and join the rescue effort. CNN story here (go down to the links on civilian rescues and also the story about Penn).

If you live within a reasonable driving distance (perhaps Houston, Galveston, Tallahassee, Panama City, or even further) and have a boat with a low draft, feel free to drop in on the disaster and start picking people up. Launching is not that difficult, as every dry street has become a boat ramp.

On another note, a fellow I know is up there right now to help and emailed in to say the scale of the disaster is unimaginable, and that the pictures “don’t do it justice”.

Alex

Impact of Direct Revenue ruling

Eric Goldman, a Marquette Law professor, has blogged about the Direct Revenue court ruling.

It seems he thinks it’s a big deal.

He thinks it may set a precedent that downloading Direct Revenue software could be considered a Trespass to Chattels (“a somewhat obscure tort action arising out of unauthorized dispossession, use, or interference with the tangible property of another.”). Wiki explaining the concept here.

Eric’s words:

“I trust we all can appreciate the floodgates of litigation that may open if undisclosed downloading of software (not just adware) onto a user’s computer can support a trespass to chattels claim (if you’re having trouble visualizing, just think two words: Flash and Java). We’ll have to see if the court puts any better parameters on its thinking at the summary judgment stage.”

Alex Eckelberry 
(Tip o’ the hat to Suzi)

180 solutions responds to the spyware/kiddie porn/spam zombie story

Got this last night as a follow-up to my post on the spyware/kiddie porn/spam zombie connection.   Direct Revenue has also been in contact with us about this.

Alex,

I’m Ken McGraw, Chief Compliance Officer for 180solutions. Thank you for letting us know about the instance you discovered where 180search Assistant had been distributed in conjunction with child pornography. With your help, we have been able to confirm this to be true and will be taking the following actions:

* Based on pressure from us, Simpel Internet has ceased all distribution operations until they can get better control of their affiliates.
* We will cooperate with law enforcement in any way we can to ensure that justice is brought in this case.
* In the next couple of days, once we have the name and contact information of the alleged child pornographer, we will file a civil lawsuit. All proceeds from this suit will be donated to a charity or organization whose mission is to protect children from online pornography or predation.

It goes without saying that child pornography is illegal and morally reprehensible. Fortunately, this is the first time in our six years of existence, to my knowledge, that we have been distributed with this type of illegal content. We deplore it. Distributing our products with such illegal content is specifically against our code of conduct and as such, we will continue to do everything we can to prevent our products from being distributed with it.

Sincerely,

Ken McGraw
Chief Compliance Officer
180solutions, Inc.


Sunbelt’s new pipe

Ok, this is severely nerdy/techie, but today Time Warner started installing the final few hundred feet of the conduit for our new OC-3 connection. (An OC-3 is a fairly large internet connection — about 155 megabits per second, roughly 100 times the speed of a T-1)

We’ve been running off of a T-3, with redundancy at an off-site facility. It’s taken months to lay the optics (including a delay to get by our nearby railroad tracks), but we’re almost there. Time Warner will probably end up installing an OC-12 for the building, of which we’ll get an OC-3 connection.

The connection is going into our second location here, the Clearwater Tower, which houses our technical staff.

The OC-3 is necessary for the kind of bandwidth we’ll be consuming not only with current growth, but also with SPECTRE, the web crawler we’re working on to find new spyware installs on the web.

We sometimes forget that internet connectivity relies on things like cutting apart pavements. So just for kicks I’ve posted pics and some videos below (thanks Dan):


Videos (not optimized for low-bandwidth!): Video 1 Video 2 Video 3 Video 4 Video 5 Video 6

Alex Eckelberry

Beware of trojan malware masquerading as “Katrina” emails

From the Register:

The site exploits well-known IE vulnerabilities to install a variety of Trojans including Cgab-A, Borobot-P, Borobot-Q, Borodldr-H and Inor-R. Security firm Sophos reports that subject lines used in the malicious emails include, but are not limited to, the following:

Re: g8 Tropical storm flooded New Orleans.

Re: g7 80 percent of our city underwater.

Re: q1 Katrina killed as many as 80 people.

Alex

Sparring with Phishers

Update: See latest entry here.

Fun! Go to Phishfighting.com and fight slimeball phishers.

According to Debra Cliff at Online Crime Bytes,

“…there’s a way to get back at phishers … by inputting the phisher’s URL to a template at Phishfighting.com, which will send fake responses to the phish site every 20 seconds.

Phishfighters is the brainchild of Robin Grimes, a Web developer by day, who got sick of submitting junk mail data on the 5-10 phishes he receives each day and set out to do something about it.

“The point is to send so many fake responses to the phishers that they have to sort through too much data to determine what’s real and what’s fake,” he told me in a telephone interview this morning.”

Alex Eckelberry

Direct Revenue misery

On the heels of reports that Direct Revenue (makers of wunderspy programs like Aurora) has had a fairly large layoff,  they get another nasty: A court ruling not entirely in their favor.  The ruling can be downloaded here.

The ruling was part of a class action lawsuit by The Collins Law Firm.

David Fish, the lawyer leading the charge against Direct Revenue, emailed this comment to me today:

I believe this is a giant first step forward for those who are overwhelmed by the intrusion on their computers of unwanted files and advertisements. We intend to continue our vigorous prosecution of this case. Here are some interesting comments from the judge’s 29-page ruling:

In permitting claims to go forward for trespass to personal property, consumer fraud, negligence, and computer tampering, the Court noted that “many companies and computer users consider pop-up advertisements and Spyware an Internet scourge” (p. 17) and that the allegations in the lawsuit “reflect the frustration of many computer users” (p. 18).

The advertising defendants argued that they had no knowledge of a trespass taking place or “knowledge of DirectRevenue’s unlawful activities”. However, the Court relied on legal precedent that “it is not necessary that the actor [i.e. the advertiser] should know or have reason to know that such intermeddling [i.e., the pop-up advertisement] is a violation of the possessory rights of another” (p. 19-20).


In response to an argument that individual advertisements can be easily closed, so they cannot cause a legal injury, the Court ruled that this:


“ignores the reality of computer and Internet use, and plaintiff’s allegation that part of the injury is the cumulative harm caused by the volume and frequency of the advertisements.  The fact that a computer user has the ability to close each pop-up advertisement as it appears does not necessarily mitigate the damages alleged by plaintiff, which include wasted time, computer security breaches, lost productivity, and additional burdens on the computer’s memory and display capabilities”  (p. 21). 


The next step in this case is that the Plaintiff will ask the Court to permit the claims of hundreds of thousands of computer users to be heard in a single lawsuit (i.e. a “class action”). 


Suzi at ZDNet blogs more on the issue here.   Quoting Suzi:


“..Direct Revenue argued that the court ought to dismiss the case because Plaintiffs (i.e., the users) must have seen the End User License Agreement (EULA) and clicked through to agree to it, thus effectively telling a court of law that its software is always installed with the user’s full knowledge and consent, despite numerous statements indicating otherwise by users seeking help to remove it… The judge, in fact, evidently did not agree.” 


Alex Eckelberry


The minute by minute nightmare of New Orleans

Misc links:

Directnic is a domain name registrar in New Orleans that has employees there trying to keep the servers up.

One of their employees is running a blog here. Pictures, and graphical moment-by-moment descriptions of the chaos that has gripped the city, are on the blog.

Moment by moment news here. GREAT list of blogs here.

Hans Eisenman mentions two good links: A collection of photos of Katrina devastation and the latest on Katrina charity scams. Be careful. See FEMA’s official list of donor sites.

Other links: The Katrina Help wiki and an incredible amount of stuff going on at Craigslist/New Orleans; as well as this one on before and after sat pics. Tech community helping.

More sat pics of Katrina.

Help: Quick and easy is the Red Cross, with donations as low as $5. There’s also eBay GivingWorks, where you can buy products that directly benefit charities. More recognized charities are on this official list of donor sites.

Alex Eckelberry