Priceless stuff found in EULAs

Great article on some of the nutty things you find in EULAs.

-You are not allowed to criticize this product publicly.

-You are not allowed to use this product with a packet sniffer.

-You agree that by agreeing, we can make any changes to the agreement in the future which you automatically agree to.

And more.  Article here via /.

 

Alex Eckelberry

 

 

Blocking Skype

According to an article in Mathaba, at least one country, Saudi Arabia, is using packet sniffing technology from Narus to identify (and possibly block) VoIP traffic on their telephone system. 

In some countries, such as Saudi Arabia, regulations protect a phone company’s revenues, prohibiting customers from saving money by making phone calls using any service other than the national carrier, Saudi Telecom, based in Riyadh. Skype  users there have gleefully flouted those regulations, paying cheap local tariffs to access the Internet and use it for their calls, instead of directly using Saudi Telecom’s expensive long-distance and international calling services.

…a seven-year-old Mountain View, Calif., company, Narus Inc., has devised a way for telephone companies to detect data packets belonging to VoIP applications and block the calls. For example, now when someone in Riyadh clicks on Skype’s “call” button, Narus’s software, installed on the carrier’s network, swoops into action. It analyzes the packets flowing across the network, notices what protocols they adhere to, and flags the call as VoIP. In most cases, it can even identify the specific software being used, such as Skype’s.

In this Narus press release in April, we see that it does look like the Saudis intend to block VoIP calls to convert them to normal telecom revenue:

Narus…announced that it was selected by Saudi Telecom…to provide Voice over Internet Protocol (VoIP) detection services. By employing Narus’ VoIP detection application, Saudi Telecom has recovered revenue that would otherwise be lost through unregulated VoIP traffic.

The Narus IP Platform captures and analyzes all VoIP traffic in the Saudi Telecom network; the VoIP detection application identifies and blocks traffic destined for unregistered international VoIP gateways thus enforcing that traffic must be directed through regulated, tariffed gateways. Narus is the leading choice for managing IP services in the Middle East largely because of its ability to successfully address critical business issues like VoIP detection in real-time. Narus’ Partner, Giza Systems, deployed and configured the Narus IP Platform for VoIP detection at Saudi Telecom.

Mathaba article here.

Alex Eckelberry
(Thanks Jarrett)

Consumers Caught in the Middle – Again?

HD DVD or Blu-ray?

It’s great to have choices, but not so great when you want to adopt a new technology now, but you have to pick between competing, incompatible versions of it – and you know it’s likely that only one of those versions will survive. Do you invest your money and time into one or the other, or does it make more sense to wait around until the technologies battle it out to see who the winner is before you buy?

For those of us old enough to have been around for the VCR wars, it’s a familiar situation. The ability to record TV shows and buy prerecorded movies was a fantastic thing, but if you were going to be the first on the block to buy a shiny new VCR, you had to first agonize over the decision: which format should you support, VHS or Betamax?

To many, the choice seemed like a no-brainer. Betamax, developed by Sony and introduced in 1975, had a number of other electronics vendors behind it: Toshiba, Sanyo, Pioneer, NEC, Aiwa and the venerable Zenith. But more importantly, the video quality was noticeably better than that of JVC’s VHS format, and the cassettes were smaller and more compact.

Unfortunately, those who bet on the higher quality option found themselves on the losing side. Matsushita/Panasonic, Hitachi, Mitsubishi, Sharp and Akai supported VHS, and by the late 1980s, Betamax was little more than a memory. Of course, if you did buy a Betamax machine and held onto it, you may have found yourself with a collector’s item eagerly sought after by members of the small but loyal cult following that grew around the Betamax.

Today, VCRs themselves are becoming obsolete, replaced by DVD players. Until now, we’ve avoided a similar situation with prerecorded digital discs (although not with recordable and rewritable CDs and DVDs, where a confusing plethora of formats still compete). That’s because two technologies called MultiMedia Computer Disc and Super Density Disc, developed by Sony and Toshiba, respectively, were combined to create the current DVD standard before either ever came to market.

As high definition programming starts to finally come into its own, it appears that we’re set for yet another format war over high capacity high def DVD. The first high definition players are expected to hit the market in 2006.

The two competing standards are HD DVD, supported by Microsoft, Intel, Universal Studios and Warner Bros, and Blu-ray, supported by Apple, HP, Dell, Sony, Paramount Pictures, Disney, Twentieth Century Fox and Warner Bros. (who is apparently determined to back the winner one way or another).

The new DVD formats provide for storing much larger files than current DVDs: up to 50 GB per double layered disc (today’s DVDs hold 4.7 GB). That kind of capacity is necessary for high quality, high definition video. Both use blue lasers (hence the name Blu-ray), instead of the red lasers used for current DVD players. The shorter wavelength of the blue laser lets you write the information to the disc more densely.

So what’s the difference? Well, first of all, Blu-ray theoretically has the highest capacity: 50 GB vs. HD DVD’s 30 GB. How much does that matter? Some folks think one big reason VHS won the VCR war was because its recording capacity of up to six hours was greater than the Betamax’s 60 minutes. However, Blu-ray’s higher capacity discs cost more, and many also think VHS won over Betamax because it was less expensive. And to complicate matters more, Toshiba has created a prototype of a triple density HD DVD disc that can hold 45 GB. Finally, HD DVD supports a feature that lets consumers make legal copies of their DVD movies to their computers’ hard disks. Although some of Blu-ray’s supporters, most notably Hewlett-Packard, are pushing to get this feature included, at present Blu-ray doesn’t have it.

Even though they both use the same type of laser, the thickness of the surface layers and the pitch of the tracks on the discs are different, which means you can’t play a Blu-ray disc in an HD DVD player and vice versa.

The two sides had been in talks to try to work out a compromise, as was done with the original DVD standard, but those negotiations broke down last summer and Sony (which proposed the possible merger earlier this year) announced that the formats would not be coming together. How about a player that will play both disc types? Experts say that would be cost-prohibitive. Thus both sides will be trying hard to convince consumers that their product is the DVD format of the future.

HD DVD is expected to be first to market. The HD DVD discs can be made with the same equipment used for current DVDs, but duplication of Blu-ray discs requires a different manufacturing process and equipment would have to be retooled. That means HD DVD may have an advantage, at least at first, in the number of titles available in their format.

The good news is that both types of new DVD players are expected to be backward-compatible with today’s DVDs even if they aren’t compatible with each other; the new machines will include both the blue laser and a red laser for reading the older discs.

What do you think? Should the factions try harder to create a single standard, merged technology or is competition good because it’ll drive prices down? Are you more inclined to wait around to see who emerges the winner or will you run out and buy a new high capacity player as soon as your budget allows? Which do you care about most: slightly higher capacity or more available content? If one technology allows you to copy the movies you buy to your computer and the other doesn’t, would that influence your choice? Or do you not give a darn about high definition video at all, and plan to stick with your regular DVD player as long as possible?

Deb Shinder

Hoosiers nab viruses with open source cocktail

IT staffers at the University of Indiana put together a little cocktail to nab nasties using Snort, Amavisd and nmap (a brew which they dubbed “Shelob”, after the giant spider in Lord of the Rings). 

Shelob integrates with the school’s own version of the open source NetReg application, which is used to register an unknown DHCP client before it’s granted full network access. When Shelob identifies an infected PC, NetReg assigns it a new IP address. Then, OpenVMPS (an open source version of Cisco’s VLAN Membership Policy Server) reassigns the port to which the PC is connected to a virtual LAN that contains only other infected computers.

Shelob then redirects the PC’s DNS lookup requests to a Web server, which then delivers a page that tells the end user about the infection and tells how to clean it. The same Web page can be used to distribute McAfee’s VirusScan, virus definition files and Windows updates or patches.

The PC is quarantined on the VLAN until the virus is killed or the spyware activity on the PC stops.

Good for them.

Link here via Catherine.

Alex Eckelberry
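
The quarantine loop in the Shelob post above (detect, move to an isolated VLAN, answer every DNS query with the remediation server, release when activity stops), modelled as an added example; this is not the university's or Shelob's code. The alert threshold, time windows, addresses, lease table and the `Quarantine` class are assumptions made for illustration, and the NetReg re-addressing and OpenVMPS port move are reduced to a state change keyed on the client's MAC.

```python
import re
from datetime import datetime, timedelta

# Constructed Snort "fast" alert lines; all addresses and rule IDs are made up.
ALERTS = """\
10/24-09:00:01.000000  [**] [1:1000001:1] Constructed worm scan [**] [Priority: 2] {TCP} 10.20.0.15:1042 -> 192.0.2.7:445
10/24-09:00:02.500000  [**] [1:1000001:1] Constructed worm scan [**] [Priority: 2] {TCP} 10.20.0.15:1043 -> 192.0.2.8:445
10/24-09:00:04.000000  [**] [1:1000001:1] Constructed worm scan [**] [Priority: 2] {TCP} 10.20.0.15:1044 -> 192.0.2.9:445
10/24-09:00:05.000000  [**] [1:1000002:1] Constructed single hit [**] [Priority: 3] {TCP} 10.20.0.99:2000 -> 192.0.2.7:80
"""

ALERT_RE = re.compile(
    r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->")

# Assumed values: the page gives no thresholds, timers or addresses.
LEASES = {"10.20.0.15": "00:11:22:33:44:55",   # registered client IP -> MAC
          "10.20.0.99": "00:11:22:33:44:66"}
REMEDIATION_IP = "10.99.0.10"     # web server that explains the infection
THRESHOLD = 3                     # alerts inside WINDOW before quarantine
WINDOW = timedelta(seconds=60)
QUIET = timedelta(minutes=30)     # alert-free time required before release


def parse_alerts(text, year=2005):
    """Yield (timestamp, source_ip, message); fast alerts carry no year."""
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
            yield ts, m.group(3), m.group(2)


class Quarantine:
    def __init__(self, leases):
        self.leases = leases
        self.recent = {}      # MAC -> alert times still inside WINDOW
        self.vlan = {}        # MAC -> "quarantine" or "production"
        self.last_alert = {}  # MAC -> time of the most recent alert

    def observe(self, ts, src_ip):
        """Record one alert; quarantine the client once THRESHOLD is reached."""
        mac = self.leases.get(src_ip)
        if mac is None:       # not a registered client, nothing to move
            return None
        hits = [t for t in self.recent.get(mac, []) if ts - t <= WINDOW] + [ts]
        self.recent[mac] = hits
        self.last_alert[mac] = ts
        if len(hits) >= THRESHOLD:
            self.vlan[mac] = "quarantine"
        return self.vlan.get(mac, "production")

    def resolve(self, mac, name, real_lookup):
        """Quarantined clients get the remediation server for every name."""
        if self.vlan.get(mac) == "quarantine":
            return REMEDIATION_IP
        return real_lookup(name)

    def release_quiet(self, now):
        """Return clients to production after QUIET with no new alerts."""
        released = []
        for mac, state in self.vlan.items():
            if state == "quarantine" and now - self.last_alert[mac] >= QUIET:
                self.vlan[mac] = "production"
                self.recent[mac] = []
                released.append(mac)
        return released


def run_sample():
    q = Quarantine(LEASES)
    for ts, src, _msg in parse_alerts(ALERTS):
        q.observe(ts, src)
    return q
```

Keying the state on the MAC rather than the IP matters here because the client's address changes when it is moved, so IP-keyed state would lose track of it.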

Slashdot readers “Agree” to EULAs

Totally unscientific, but Slashdot is running a survey which highlights the depressing state of EULAs.

They asked the following question:

I read EULAs:

  • with my lawyer
  • with deep suspicion and paranoia
  • with due care and attention
  • with my scroll wheel
  • with CowboyNeal
  • I Agree

Of course, the hip and brilliant intelligentsia that frequent this blog would all answer “with due care and attention” (or more likely “with deep suspicion and paranoia”).

But what did Slashdot readers say?

Survey results:

  • 1% with my lawyer  
  • 5% with deep suspicion and paranoia   
  • 1% with due care and attention   
  • 20% with my scroll wheel   
  • 3% with CowboyNeal   
  • 67% I Agree  

<sob> I tell you, it’s all for naught!! <sob>

Seriously, though, how can we expect anyone to read through War and Peace in under 1 minute, much less a EULA?  And why do we need a special program just to decipher these things?

Slashdot results here.

 

Alex Eckelberry

Government spyware

EPIC, the Electronic Privacy Information Center, has discovered a number of documents through a Freedom of Information Act request that indicate possible intelligence violations against US residents.

From the EPIC website:

Documents (pdf, 3.1 mb) obtained by EPIC under the Freedom of Information Act describe thirteen cases of possible FBI misconduct in intelligence investigations. The documents were released by the Bureau in response to an EPIC open government request (pdf) for information about the FBI’s use of provisions of the PATRIOT Act. EPIC has written a letter (pdf) to the Senate Judiciary Committee highlighting the need for the Attorney General to report to Congress on potentially unlawful intelligence investigations. For more information, see EPIC’s PATRIOT FOIA Litigation page. (Oct. 24 

Washington Post article (which also tells the government’s side of the story) link here via beSpacific.

Alex Eckelberry

Timing is everything

Our VP of Product Management, Greg Kras, took off with his wife and two other Sunbelt employees for a long-planned vacation: A cruise to Cozumel.

They left Thursday. 

Cozumel?  Yup. Where the eye of Wilma was hanging out a few days ago.

They ended up on an “extended cruise to nowhere”.

We got this email from him this morning:

Well, if you hadn’t noticed, I’m not in the office today.   I’m currently somewhere in the Gulf of Mexico floating around in a brightly colored tin can.    Yesterday we hauled ass to make it to the Port of Tampa but when we were about an hour away the Coast Guard shut down the port due to tornado watches that had just gone into effect.

So, it looks like we will get in tomorrow but who knows at this point.  I tried to read my email earlier but it’s frustrating to say the least over this connectivity.   It looks like nothing is on fire so that’s a good thing.  I’ll check in later, make the subject line interesting or I’ll miss it.

Captain Kras 
 

Alex Eckelberry

 

Power to the p2ps

Content Delivery Networks (CDNs) like Akamai are the current way to deliver large amounts of content over the internet.  If you have a lot of bandwidth that’s going to be consumed, you’ll probably look to a CDN to help you.   For example, when BMW launched those cool online films a few years back, they used Akamai to stream the movies.  You’re talking massive bandwidth here — in BMW’s case, they had something like 200 terabytes of data viewed through Akamai.

But it’s the classic client/server model. 

The p2ps can change all that, which is one reason I’m so concerned about things like the Grokster ruling. We need innovation here, not fear, especially where you are looking at an internet with increasingly massive propagation of rich media.

Media analyst Phil Leigh just did an interview with the CEO of Kontiki, which is a legitimate p2p delivery network. From Phil:

As Digital Media becomes increasingly central to the Internet, the economics of content delivery will become ever-more important. Conventional content delivery networks, like those provided by Akamai, have done a good job to date. In point of fact, Akamai is supposed to be mathematically the optimal solution available within the framework of a client/server architecture. However, Peer-to-Peer distribution may actually be a fundamentally superior architecture relative to client/server, especially in terms of the economics of content delivery.

Although Shawn Fanning’s Napster made “P2P” become a controversial term owing to the alleged abuses of copyright infringement, it is often overlooked that one of the reasons that it was successful was because of superior economics. In point of fact, it was so economical that a college student (Fanning) was able to launch a paradigm shifting phenomenon from his college dorm room.

Essentially a P2P network utilizes the existing storage and bandwidth of the community members themselves to both store and transfer the files. Therefore, there is no centralized storage cost and no need for extremely (meaning costly) broadband pipes to a group of central servers.      

You can listen to the interview here.  

Alex Eckelberry 

  

New threat simulator


Note — this is only for highly experienced users.  Don’t play with this thing unless you really know what you are doing.

Although the security community has relied on the “Eicar Antivirus Test File” for years, the complex advances in malware require a more modern and thorough threat simulation.  To this end the “DFK Threat Simulator” was created.  Bundling a declawed collection of dropper, rootkit, virus, trojan, spyware, keylogger, leaktest, and alternate data stream technology, the DFK Threat Simulator is a serious representation of the modern dangers facing computer users today.  A full description of this simulator, including screenshots and file download, can be found here.

Alex Eckelberry

 

Wilma

Sunbelt is very lightly staffed today if you’re trying to get a hold of us.  

While we are not in the direct path (we’re in the Tampa area), we did get some tropical storm conditions.  Last night, we advised all employees not to venture out if there are any doubts as to road safety.  Also, since schools are closed, many parents have to stay home today to take care of their children.

The people who really got hit are down south from us, in Ft. Myers and Naples.  Now we’re seeing the eye venture over areas like West Palm Beach and it’s still a very strong storm (cat 2). 

It’s a pretty incredible storm, much like Charley in its speed but much larger. 

Btw—our weather right now is beautiful.  High winds with temperatures in the 60s.  We’re looking at a relatively “cold” Florida this week as we get down to the 50s.  

 

Alex Eckelberry

Watching Blizzard

I’m a little late on this one, but as a follow-up from my previous post on Blizzard and the Warden Client (which allegedly has spyware-like attributes):

Greg Hoglund (co-author of “Exploiting Software, How to Break Code”) has released a program called “The Governor”, which shows exactly what Warden is doing.

The fact is that the warden client reads information from other processes on the computer. Regardless of the reasons, this technically counts as ‘spying’ on a user. So, reasons aside, the term ‘spyware’ is fitting.

Rather than debate the morality of this behavior, I would like to give the consumers the power to make this decision for themselves. I am releasing a program called ‘The Governor’. The Governor is very simple – it watches the activities of World of Warcraft, and clearly reports which data is being read from other processes. The Governor makes no attempt to subvert or alter the behavior of the warden client, or World of Warcraft. The Governor will not assist you in cheating. The Governor exists for one reason, to tell you the truth.

Link here via EFF Deep Links (also worth reading).


Alex Eckelberry

Free Vmware Player — Great news


I saw something earlier about Vmware coming out with a new free player.  I didn’t pay it much attention — didn’t quite know what it was and didn’t have time to check it out.

Then I read TaoSecurity’s mention of it and realized…this is a Vmware that anyone can use.

If you do ANY spyware research, beta testing, playing with software, you need this.

We run Vmware ourselves but it’s usually too pricey for the average user.  

So now is your chance — get the free Vmware Player.  Link here.

And hats off to Vmware for doing this wonderful service.

Alex Eckelberry

Seen in the wild: 180 Active/X install

I’m starting a new series of blog posts, called “Seen in the Wild”.  These are various odds-and-ends we see during our research.

This was picked up today by Sunbelt spyware researcher Adam Thomas.  It shows a certified ActiveX install of 180 Search Assistant, offering “Free Porn Access By 180 Search Tools”.

What’s interesting is not that 180 was installed through a porn site (I suppose it’s something they have every right to do). Rather, it’s that the ActiveX control is so explicit in saying what the purpose of the install is (“Free Porn Access By 180 Search Tools”).  This is classic CDT stuff (CDT is the distributor 180 bought).

Incidentally, the install came off a crack site, which also sometimes passes you off to a Super Search page which installs various malware through an IFRAME exploit.


Alex Eckelberry

LA Times article on 419 scams

Well worth reading.  Link here.

As patient as fishermen, the young men toil day and night, trawling for replies to the e-mails they shoot to strangers half a world away.

Most recipients hit delete, delete, delete, delete without ever opening the messages that urge them to claim the untold riches of a long-lost deceased second cousin, and the messages that offer millions of dollars to help smuggle loot stolen by a corrupt Nigerian official into a U.S. account.

But the few who actually reply make this a tempting and lucrative business for the boys of Festac, a neighborhood of Lagos at the center of the cyber-scam universe. The targets are called maghas — scammer slang from a Yoruba word meaning fool, and refers to gullible white people.

But what’s disgusting to read is stuff like this:

The e-mail scammers here prefer hitting Americans, whom they see as rich and easy to fool. They rationalize the crime by telling themselves there are no real victims: Maghas are avaricious and complicit.

To them, the scams, called 419 after the Nigerian statute against fraud, are a game.

…”Nobody feels sorry for the victims,” Samuel said.

Scammers, he said, “have the belief that white men are stupid and greedy. They say the American guy has a good life. There’s this belief that for every dollar they lose, the American government will pay them back in some way.”

They have no clue.  No clue about the many lives absolutely destroyed by these scams.  No clue about the hurt and harm they create.

Alex Eckelberry
(Thanks Sam)

Flock is here (sort of)

If you’ve followed the hype lately about Flock, chances are your interest is piqued. BusinessWeek recently wrote about it (link here) and there has been some buzz out there.

But no Flock yet.

Curious, I went to their website and signed up for notifications on the product. Yesterday, I got an email offering a “Developer Preview”, which I promptly downloaded. It’s available now — if you want to download it, go to their page.

Well, it is buggy but all in all, a nice browser. It’s mozilla based, but with a bunch of extras oriented around things like del.icio.us, blogging and flickr. In other words, it’s very much in the current zeitgeist of the internet.

I’ve only given it a quick whirl but it’s nice. 


Flock has that Nordic icy look so popular in modern browsers.


The Shelf feature is nifty — you just grab pics into it and then can drag them into a blog post.


You can write blogs right in Flock, and grab text and graphics from web pages, which are inserted automatically.

Feel free to give it a whirl.

 

Alex Eckelberry

 

Sunbelt/Microsoft seminar on spyware

If you’re in the Miami Dade/Ft. Lauderdale area, feel free to drop by.  Registration info at the bottom of this post.  

 


 

Date and Time:
November 11, 2005
9:00 AM – 12:00 PM

Location:
Microsoft Corporation
6750 North Andrews Ave.
Suite 400
Fort Lauderdale, FL 33309
(954) 489-4800

Driving Directions

 

Click here to register.

Adware community cackles with glee

Law professor Eric Goldman has come out with an attack on the recent work of anti-spyware superstar Ben Edelman, comparing his work to McCarthyism and the Puritan witch hunts.

So here’s what happened:

In a recent writeup, Ben questioned Claria’s practice of buying advertising on networks that ultimately end up as pop-ups in spyware installs.  He gave two primary examples:

1. Claria purchased advertising through Zedo.com, which through a lengthy chain of other third party networks, ultimately ended up as a Claria advertisement popped-up after an install of ContextPlus adware (which, incidentally, was installed without Ben’s consent).

2. An advertisement by Amazon.com placed through Claria’s new BehaviorLink advertising network was shown through a pop-up from adware KVM Media.  (It got to the user through a Savings-Card.Com popup, which got the ad from BehaviorLink.)

Implicit and explicit questions raised by Ben’s article:

a) Should Claria be advertising its products through adware that was installed with no consent, even through a chain of intermediaries?

b) Should Claria’s BehaviorLink network provide advertising that ultimately gets shown to the user through adware that has a history of being installed with poor notice and consent?

Before you answer that question, consider this:  You run a reputable company selling teddy bears.  You get approached by an advertising network that offers to get you lots of advertising on the internet.  They tell you they run ads through adware installs.  Would you still run the ads with them?  Or would you say “thanks, I’d rather just advertise on normal vehicles like CNN.com and yahoo.com”.

So have you answered that question? Most people would say “no”. 

So Ben’s question is valid: If Claria is trumpeting a cleaned-up image, why is it advertising its own (and its clients’ products) on adware that may not have been installed in the most acceptable fashion?

Eric Goldman has a different take:

….That threat isn’t spyware; it is witchhunts where mere association, even if attenuated, equals guilt. We saw similar manias in the Seventeenth century witchhunts of Puritan New England, with the 1940s and 50s Red Scare of McCarthyism, and now with the latest round of zealotry, the anti-spyware crusade. I think each of us has the personal responsibility to vigilantly guard against the temptation of a taint-by-association mania and the resulting significant negative consequences it can produce for the falsely accused

…To be clear, I recognize that Claria, in theory, derives an economic benefit from the ad placed by Venus123.com and delivered via ContextPlus. But once again, SO WHAT? Everyone upstream from Claria derives the same economic benefit–its investors, its landlord, its Internet access providers, etc. Using this rationale, shouldn’t they be on the hook too?

…I would like to know: (a) the full universe of people who could be X (and does it include their vendors? customers? investors? employees?), and (b) is X’s responsibility based on the law (if so, which legal doctrines?), morality (if so, what moral doctrines?), blinding emotional outrage, or some other basis?

Ok, in the interest of fairness, it’s actually quite difficult to always control where your advertising ends up when you do a deal with a third party media network.  You buy advertising “inventory” and they deliver you impressions/clicks/whatever. But even a large online advertiser like AskJeeves actually has a policy not to advertise through adware products. Does Claria?  We don’t know the answer to that question (and anyone from Claria is welcome to post a comment clarifying that question).

So what is wrong with Ben questioning the fact that Claria is mixing it up with sleaze?  Since Eric uses comparisons drawn from McCarthyism and burning witches at the stake, let’s draw another parallel:  If you were trumpeting that you were cleaned-up, would you then advertise your products in a brothel?   I would call that a moral judgment, not a legal issue.  And Ben wasn’t questioning the legality.  He was implicitly questioning Claria’s judgement.

The comment wars on Eric’s site have begun.  

Alex Eckelberry

Update:  I have removed the statement that Eric compared Ben’s work to the Holocaust.  Eric’s original blog quoted Martin Niemoller’s famous (and powerful) words about the Holocaust as a metaphor of how each of us has a personal responsibility to stand up for the falsely accused, because ultimately in such situations there’s a risk that we’ll be the next ones falsely accused.  Eric has since removed that reference from his blog.  

Click here for related SunbeltBlog posts on Eric Goldman

Note: Since I realize that not all the people reading this blog actually follow how online advertising works, read this for a quick primer only if you need it:  In the ad business, “inventory” means available advertising space.  When you place advertisements online, you often buy them through what are called “third party media networks”. These third party networks maintain an inventory of popups and ads on the web.  Examples of third-party advertising networks are Almondnet, 247RealMedia, Tribal Fusion, BurstMedia, Advertising.com, Zedo.com and ValueClick.  If you were a website owner and wanted to make money, you sign up with a third party advertising network which then displays advertising on your site and they pay you for that privilege (you usually have little or no control over what ads are displayed). Claria recently started its own third party network, called BehaviorLink.