Who is Brad Greenspan and why is he so mad?

In early 1999, Brad Greenspan founded Entertainment Universe.  Just a few months later, he completed a complex transaction where he raised capital from Lehman Brothers, Eisenberg Partners and others;  acquired CD Universe (an online CD retailer); and went public on the OTC bulletin board by merging with Motorcycle Centers of America (an empty public shell).   This all occurred on the same day, April 14th. 

Within months, he continued his acquisition spree, acquiring MegaDVD.com, an online DVD retailer; entering into an agreement to buy Case’s Ladder; and signing a letter of intent to buy Gamer’s Alliance.

Dizzy yet?  Well, that’s the story of the early days of eUniverse, which later became Intermix, a subject of an entanglement with the New York AG’s office.

Brad left eUniverse in the fall of 2003. The company later became Intermix, got into trouble with the New York AG, came to an agreement with the AG, and then got bought by Rupert Murdoch.

Now, Brad set up a website that is making some pretty damning allegations against certain members of the Intermix management team.  He alleges that Intermix managers Brett Brewer, Adam Goldenberg, and Thomas Flahie profited by selling stock before the AG’s investigation was announced. Further, he alleges that Vantage Point Partners, an investor in Intermix, sold stock as well during roughly the same period.  Vantage Point is the employer of Intermix chairman David Carlick and board member Andrew Sheehan.

(Chart from insiderstocksales.com)

He also claims that Intermix actually increased its online downloads while the AG’s office was investigating.  

And he’s launched a website with slideshows to prove his point.

Is he right? Well, that’s actually hard to tell. Many executives in public companies put themselves on automatic selling programs, which sell their stock regardless of their insider knowledge. Whether or not an insider profited while in possession of material and confidential insider information is a subject of a vast amount of law and really can’t be speculated on without a thorough investigation by the SEC. In other words, don’t jump to conclusions without knowing all the facts.

Alas, I’m not a lawyer and also just don’t have the time to delve into what certainly looks like a fascinating story.  If anyone else wants to get into it, go for it.

Alex Eckelberry
(Thanks Ben)

Trying to make sense out of EULAs

EULAs — End User License Agreements — are those agreements that you usually sign by clicking “I Agree” on a software installation. They are usually complex legal documents (one practically needs a law degree to pore through them).

JavaCool Software has come up with a nifty tool that actually parses EULAs into key areas, like Advertising, Privacy, Search Terms, and assigns “interest levels” (basically, almost like a threat level).  The basic version is free, and is available here.

This screen shot is of a Direct Revenue install that was analyzed:

[Screenshot of the EULA analysis]

Alex Eckelberry
(Thanks to Corrine for the tip)

AskJeeves Response to our whitepaper

Kirk Lawrence at AskJeeves responds to our earlier post on AskJeeves.

The article can be found here but I’ve pasted it below as well:

Response to Sunbelt’s Blog Posting

Ask Jeeves recognizes that industry confusion exists around downloadable software products, which can lead to erroneous flagging of user-friendly products by anti-spyware makers. Ask Jeeves’ products are not adware or spyware and we take this issue very seriously. We recently contacted Sunbelt Software to correct, what Sunbelt itself recognizes, is inaccurate flagging of our products as adware and spyware by their software. This gross misrepresentation of our product was misleading to consumers and, as such, we felt it must be corrected.

We support industry efforts to regulate standards and believe strongly in the value of companies dedicated to clarifying vendor practices for the consumer while taking the necessary steps to ensure that accurate information is provided to the public. Unfortunately, the most recent report released by Sunbelt Software still does not provide accurate information to consumers, further muddling what is already a confusing industry issue. Ask Jeeves takes great pride in the integrity of the Company’s Fun Web Products and family of My Search toolbars and is deeply concerned by the assertions made in Sunbelt’s report. The report includes old and inaccurate data that misrepresents our practices. This erroneous information disseminated to the public only serves to do consumers a disservice by taking the attention off rogue vendors and on to companies who create and distribute legitimate and user-friendly consumer products.

We’re proud of the steps Ask Jeeves has taken to protect consumers and feel it necessary to clarify the misstatements issued in the Sunbelt report:

· Ask Jeeves prohibits both its direct advertising and third-party distribution partners from using drive-by download practices. Ask Jeeves has, and will continue to terminate advertising partners that violate our contracts.
· Ask Jeeves also prohibits the use of any type of click fraud to force installations, such as a “fake close x” to mimic user-initiated click activity. The force-installs through security exploits that are cited in the report were in direct violation of our contracts, and those partners were terminated. In addition to the contractual terms we have in place, we have implemented technical measures to prevent rogue advertisers from engaging in this type of activity.
· Ask Jeeves requires clear, concise and complete disclosure to be provided before our applications are downloaded and installed either directly from our sites or through our third-party distribution partners. All Ask Jeeves downloadable software applications must be distributed with an End User License Agreement (EULA) that is easily accessible prior to installation. All Ask Jeeves applications also require the consent of the user prior to installation.

We don’t stop there. Ask Jeeves is consistently looking for ways to be more proactive in our approach to ensure that partners comply with our policies. Several months ago we created a compliance office to monitor the actions of the third party partners and distributors of our toolbars and bring partners who violate our software guidelines (http://sp.ask.com/docs/jeevesinc/policy_download.html) into compliance or, in some cases, terminate the partners that do not comply with required changes. We will actively investigate allegations made by Sunbelt Software against our partners to determine if they are in breach of our policies, and will take swift action if we uncover any violations. We recognize it is difficult to monitor the entire Internet and encourage our users to report violations of our policies by emailing us at reportviolations@askjeeves.com.

In closing, Ask Jeeves condemns practices that deceive users into downloading or installing software and will continue to work to ensure the only people downloading our products are those that choose to affirmatively engage with them for the great functionality they offer.

We appreciate the user and industry feedback that helps make our products better and we’re proud of the steps we’ve taken to protect consumers. We’ll continue to evolve with changing industry standards while delivering great products that millions of active users enjoy every day.

Kirk Lawrence
Director of Internet Security and Privacy
Ask Jeeves, Inc.

 

 

Vista will come in SEVEN flavors

My head is spinning.  Really. 

According to this article by Paul Thurrott, “Microsoft is creating seven versions of Vista for end users (nine if you count the N Editions that will target European markets). To differentiate these products, the company is carefully matching feature sets to the expected markets that will adopt each product version.
  
Two low-end versions of the product, Vista Starter Edition and Vista Home Basic Edition, won’t feature the much-vaunted Aero UI that will adorn all the other Vista versions. Instead, these versions will use a lower-quality, XP-like UI that’s more appropriate for the low-end hardware that infrequent PC users and emerging markets might use. Vista Starter and Vista Home Basic will also lack the rolodex, tab previews, and task bar preview features that other Vista editions will offer.”

Alex Eckelberry

The debate about PhishFighting.com

A couple of weeks back, I blogged on a new site, called phishfighting.com.

The idea is you enter a URL into the site, and it sends the phishing site fake hits every 20 seconds.

Well it was a hot subject. Lots of comments on the original blog, and I followed up with a new blog entry here. Now, Microsoft MVP Sandi Hardmeier at the SpywareSucks blog had even more damning comments than the prior one:

Here’s the deal. The sentiment is great, but the reality is not. Having “fun” is of no practical use (although it may make you feel good).

Many phishing sites are hosted on compromised computers – computers that have been hacked. The owners have no idea what has happened to their systems, and invariably each phish site only lasts 5 to 9 days (on average) before the phishers move on.

Who are we punishing here? The victim whose computer has been hacked and who has to pay for the phisher bandwidth, and now the bandwidth generated by sites like phishfighting? Are we punishing the phishers? They don’t care. When one site is compromised they simply create a new one.

We’re dealing with professionals who are more than capable of weeding out and discarding fake data. All they need to do is whip up a little programme that will retrieve, and test, information provided with no human interaction or effort. If you think that there is a person, or a series of people, wading through print-outs trying out each log-on by hand, I’m betting you’re wrong in that assumption. Think about it. How many millions of phish emails do you think are sent out every day? The bad guys have the capacity to handle a *lot* of data.

Not only that, the Anti Phishing Working Group advised in their July report that there has been a 100% increase in the number of phishing sites that attempt to infect systems with keyloggers and trojans to capture sensitive information such as usernames and passwords. The implications are far worse, in such circumstances, than the compromise of username and password for one financial institution.

What is phishfighting’s “Method One” for retrieving a phishing URL? They say “Simply click on the link and copy the real url from the browser bar”… NO!!! DON’T DO IT!!!!! Don’t click on the link!!!!!

Edit: Let’s expand on this – don’t even *open* a phishing email. If it includes remote graphics, and your email client is set to download such things, simply by opening the email you are confirming that your email is “live”, making it immediately valuable to all kinds of spammers, and saleable.

Also, some phishing emails attempt to infect computers as soon as an email is opened by using certain old security vulnerabilities that *should* be patched, but may not be.

All that we get from services such as phishfighting is a misplaced sense of satisfaction that we are somehow hurting the phishers. We’re not.

There is NOTHING on the phishfighting site that teaches users how to report phish sites to ISPs and get them shut down legitimately.

Phishfighters say that they are not using a DOS (denial of service) tactic because they only send one fake alert every 20 seconds. Is that 20 seconds per report, or 20 seconds per URL? The site doesn’t say.

Don’t use services such as phishfighting. Use spamcop to report spam emails (http://www.spamcop.net/). Learn how to read email headers and report spammers to their ISP (http://www.stopspam.org/email/headers.html) but remember, the spamming computer may be a zombie, the owner may have no idea what has happened, so be nice.

Use allwhois (http://www.allwhois.com/) to trace the host of phish sites and report their existence direct to the host ISP – get the site shut down. Again, remember the host computer may have been hacked, and the owner completely unaware of what has happened. Be nice.

Please, don’t use services such as phishfighting and DON’T click on the link in a spam email … please.

Robin Grimes, the developer of PhishFighting.com, responds with this:

As I understand, from reading [his] post, his main premise is that the Phishers are too smart for us and that clicking a phishing email link can be dangerous. So let’s address his concerns:

1. He is correct that clicking a link in a phisher’s email can be hazardous. This is why I’ve posted alternative ways to determine the phisher’s real link. He’s correct that I should point out that “Option 1” is hazardous, so I’ve updated PhishFighting.com to make note of this.

2. His premise that Phishers are too smart for us, that they all have programs to test and filter false data is a little broad reaching. I’m sure there are some very sophisticated Phishers out there, that won’t be the least bit inconvenienced by receiving false data. But I’m willing to bet that a majority of the Phishers are basically petty thieves and that getting 100’s or 1000’s of fake entries will inconvenience them to some degree. And that’s really the point of PhishFighting.com, to in some small way cause them the inconvenience that they cause us.

3. He says “Don’t use services such as phishfighting. Use spamcop to report spam emails (http://www.spamcop.net/)”. His premise is that using spamcop.net or some other reporting agency will stop Phishing, it hasn’t, or will have more impact than PhishFighting.com. Possibly but I haven’t seen any evidence that Phishing is on the decline. I received 4 new phishing emails this weekend. Phishing seems to be growing, not declining.

4. He also states that I don’t offer any alternative ways to fight phishing on my site. That’s true, namely because I have not found any real method that actually has a major impact on Phishing. There are a lot of sites and agencies purporting to offer some solution or impact, but I have not heard of one that can prove it, myself included. I don’t claim that PhishFighting.com will solve the problem, but then nobody has a solution. There is no other way for an individual to fight back against Phishers. If PhishFighting.com inconveniences the Phishers in any small way then it’s doing what it is designed to do. Plus there is a certain amount of “Feel Good” factor in being able to do something other than just reporting them.

PhishFighting.com is all about giving the individual a method of striking back, even if it is in some very small way.

If you have additional questions, tips, suggestions, or just want to tell me I’m a dipstick, email me at Support@PhishFighting.com

Robin


Robin at PhishFighting.com should be congratulated for at least trying something to fight phishing and it’s sad to see that some people have been piling up on him.

But Sandi at SpywareSucks brings up good points, and one should be careful using such a service. Often, my response to phishing is to report it to eBay, PayPal, or the bank in question; and if a legitimate site is compromised (all too common), I try to alert the site owner. Phishfighting is another tool in your arsenal, but if you use it, do so with caution.

So in the end, I’ll leave it up to your best judgement.

Alex Eckelberry

The AskJeeves question. Hopefully, we’ve answered it.

A while back, AskJeeves approached us to have their products delisted from the CounterSpy database.

There are a number of antispyware programs that list AskJeeves toolbars and a number that don’t. You can see the current status of AskJeeves detections here. It’s a mixed bag: Companies that don’t detect any AskJeeves programs are Lavasoft, Microsoft, WebRoot, PC Tools and FBM Software. Companies that do are Sunbelt, McAfee, Computer Associates, Spybot, Tenebril, Trend and Facetime.

The AskJeeves question is not new. See this article in Newsweek in June and Ben Edelman’s discussion in May. Clearly, there’s room for a definitive answer, especially with business customers who buy antispyware programs.

So we proceeded to perform a comprehensive study of the AskJeeves programs in question. That study can be found here.

The AskJeeves programs referred to are all search tools that are added to your browser: MySearch Bar, MyWay Speedbar and MyWeb Search and their variants (AskJeeves re-brands or makes changes to these toolbars, to come up with types of toolbars that offer free cursors, screen savers, etc.).

What we found in some cases was troubling. Now, don’t get us wrong: The AskJeeves toolbars are NOT adware or spyware. They are arguably relatively innocuous additions to the browser. However, methods of current and past distribution, notice and disclosure are of concern. After reviewing the results, one has to ask oneself the question: If an AskJeeves toolbar is on a user’s system, did they really want it on there in the first place? Did they even know they were getting it?

When AskJeeves’ products are downloaded and installed directly from AskJeeves’ own web sites, notice and disclosure of the products and their functionality is generally good, though there is room for improvement in some cases (e.g., the failure to describe FunWeb Products as browser toolbars). However, several of AskJeeves’ products are plagued with poor installation practices when distributed by third-parties or when advertised at third-party web sites. Putting aside concerns about aggressive advertising practices (treated at length in the whitepaper), we found issues with the following:

Poor notice and disclosure with software bundlers. AskJeeves products are bundled with software bundlers like Grokster and Kazaa, where poor notice and disclosure are provided. The worst case we observed was a bundle with the Bald Eagle Screensaver which installed MyGlobalSearch Toolbar even after the user cancelled the installation. You can see the video taken August 28th of exactly this occurring here.

Installation through ActiveX controls. While Internet Explorer’s user notification about ActiveX controls has improved measurably since the release of XP Service Pack 2, there is still an issue with these types of downloads. AskJeeves’ products have been installed through automated ActiveX installations that initiate when users land on third-party web pages. These ActiveX popups, which launch without warning in arguably confusing circumstances, can prove bewildering to users. For example, this ActiveX popup was found on Smiley Central:

[Screenshot: ActiveX popup on Smiley Central]

Examples of ActiveX installations of AskJeeves’ software include IOWrestling.com (Sept. 2004), Letssingit.com (Apr. 2005), and Prowrestling.com (Apr. 2005).

Past installation through Windows Media Player exploit. While not as relevant today, an issue several months ago was the installation of software through Windows Media Player files (the Microsoft Digital Rights Management feature, or DRM, allowed publishers to re-direct viewers of a file to a 3rd party website — this was being used by unscrupulous vendors to attempt spyware/adware installations).

In testing during January 2005 with one such WMP file (aria_giovanni_full7.wmv), an ActiveX install prompt for Popular Screensavers/MyWebSearch toolbar was encountered amidst a series of other installation prompts for XXXToolbar (IST), “Free Jenna Jameson Screensaver” (ABetterInternet), and “Video Secret & Chat” (ABetterInternet).

Force installs through security exploits. By far the worst documented installation practices for AskJeeves’ products have been the past force-installs of AskJeeves toolbars through security exploits, as reported by Ben Edelman back in May.

Changes to the CounterSpy database.

Products that have been marked by problematic installation practices through third-party advertising and distribution include My Global Search, My Search Bar, Need2Find Toolbar, and My Speedbar; as well as variants of MyWebSearch Toolbar which include CursorMania, FunBuddyIcons, HistorySwatter, MyFunCards, My Mail Signature, My Mail Stationary, PopSwatter, Popular Screensavers and Smiley Central. These will all be listed in the CounterSpy database.

We found no issues with AskJeeves Bar, Excite Speedbar, and iWon Co-Pilot and hence they will not be included unless and until hard evidence emerges that these products are being distributed or advertised in ways that trip Sunbelt’s Listing Criteria, as AskJeeves’ other products do.

The My Global Search and Need2Find toolbars are not currently detected and will be added, and a number of housekeeping changes will be made to the database to put all the offending programs into the correct taxonomy and labeling standards we have established.

Our whitepaper goes into great and exhaustive detail on all of these points, and I would recommend reading it here.

eWeek writes about it here. Internet Week here.

Alex Eckelberry

Addendum: AskJeeves says that with the FasterXP install documented in the whitepaper, the toolbar “implodes” after installation. That’s true. After it is installed, the toolbar’s buttons are disabled and it only has an “uninstall” button.

MS employee blogs about keylogging

Good stuff here.

“And that’s the key issue – you have to trust the endpoints in a given Web transaction, not just the security “on the wire”. Security on the wire is important – SSL is how you ensure that none of the myriad networks your little packet might traverse between you and the bank has an easy opportunity to steal your account details without even needing to be present – but it’s only part of the end-to-end security story, and with on-the-wire security generally accepted to be “good enough” to stop the casual hacker, my gut tells me the local endpoint – and that’s typically the client – is the most frequent point of compromise.”

Yup.

Alex Eckelberry 

Adbumb takes a stand

Pesach Lattin, CEO of AdBUMb (a big newsletter for the online advertising community), has taken a stand on spyware.

His blog entry here.

“…there can be no doubt anymore that much of the adware industry is not legit. And there is no doubt that much of this industry is plainly illegal. Even the largest companies have, at the least, benefited from illegal actions—and, at the most, they have actively participated in methods of infiltrating/hacking into computers in order to install their adware. Consumers have said over and over again that they do not want this software on their computers, never asked for it and are not going to take it. Run a search on any adware company, and you get millions of hits of consumers complaining about it being installed on their computers without permission.”

Alex Eckelberry

 

Why couldn’t they have conveniently “lost” that information?

According to this article, Yahoo gave information on a Chinese journalist to the Chinese government.  The journalist went to prison for 10 years for divulging “state secrets”.

“The state secret was a message to Shi’s newspaper warning journalists of the dangers associated with dissidents returning to mark the 15th anniversary of the Tiananmen Square massacre, according to the group. Shi admitted sending the e-mail but disputed whether it was a secret document.”

I’m sick.  I really am.  To lock away a guy for ten years for something so patently idiotic. 

There’s a moral dilemma for companies operating in China. Do you cooperate with the Borg to keep it happy and to forward your commercial interests — and possibly risk your own integrity? Perhaps one can just become “forgetful” or “lose the data”?

There’s a lot of good people at Yahoo, and I’m sure they were horrified to learn about this.  If this story is true, it’s likely Yahoo got a request from the Chinese government and released the information to them, not realizing this poor guy was going to go to jail.  It’s hard to blame them… their own employees would have probably gone to jail themselves for not honoring the request.  Or Yahoo might have lost vital access they need to get their Chinese markets going.  But that is a tough decision. 

Alex Eckelberry 

 

180 Solutions will try to clean up its distribution channels

180 Solutions has announced plans to clean up their distribution channels.

Basically:

  • The new technology, dubbed S3, is designed to help “prevent the suppression or manipulation of the user consent experience prior to installation”
  • All new affiliates are required to use this new technology. Current (and sometimes naughty) distributors have until the end of the year to transition to it.
  • From what we can tell it looks like a re-coded version of the CBC Force Prompt. The CBC Force Prompt is a prompt that is supposed to come up no matter how 180 Solutions software is installed, to make sure the user is getting the software on their system. It hasn’t always been doing that, ostensibly because of “rogue distributors” bypassing it. I got one today. It looks very similar to this prompt that Ben Edelman talks about here.

Back in May, Daniel Todd of 180 Solutions and I had a chat about using technology to clean up their distribution channels. I wrote about it here.

Well, it’s ironic, since this is exactly the kind of thing I suggested to Daniel Todd back in May.

Every few months 180 announces a new “reform” that will supposedly make its installation practices kosher. This has been going on for over a year, and at the end of all previous efforts we still have examples of unethical installs. So we welcome their continued publicly announced efforts at reform but admit to viewing another promised reform with a somewhat cautious view.

In its press release 180 says that this new technology “helps prevent the suppression or manipulation of the user consent experience prior to installation.” All fine and well, but if the “user consent experience” itself consists of these kinds of notice screens used in recent installations, then is that really enough? See the screenshots here and Ben Edelman’s analysis here.

Anyway, it’s good they are not going to pay affiliates for prior versions after December of this year. The primary problem in spyware is the economic model — it is just too profitable for some distributors to get honest. But we have several months to go before we can see if this plan really works — we’ll be checking 180 installs on January 1…

In the end, as we’ve seen with Katrina, PR means nothing without action. The definition of PR is “good works well publicized”. Get the good works done first, then publicize.

Alex Eckelberry
(Tip of the hat to Eric Howes for his contribution to this blog).

9/7/2005 4:39:22 PM Update: Seattle PI story here.

Phishfighting developer responds

Last week, I blogged on a new site, Phishfighting.com. There was some concerned reaction from readers, as can be seen here.

Some of the comments:

“Uhm… no, sorry. This is a terrible service. This site does no checking whatsoever on the supposed “phishing source”. One could easily turn this into a denial of service against legitimate sites. A terrible idea, if you ask me.”

“That is the coolest thing I have seen all day. Brilliant idea! Some phishers are getting it right now.”

“Now if he had more servers/IP’s to do this from it would keep them from banning his IP address. Right now I know of several sites that are up, but don’t come up on his site. They must be banning his IP/domain”

“It is a great idea, but I do see the ramifications that could come out of it, Like a DOS attack against legit. BTW, he does do some checking, type in the real eBay sign-in address.”

Robin, the developer of the site, responds:

“1. “Dos attack”: A DOS attack is by definition a denial of service attack. By adding a 20 second interval between entries, the site is specifically designed NOT to create a DOS attack, which is illegal. Three entries a minute (180/hr) is nowhere near enough entries to take down a website.

2. “Phishers blocking my IP”: The entries are actually coming from the browser, so the Phishers would need to block the user’s IP, not the server’s. And if blocking IP’s creates more work for the Phishers then Cool.

3. “Attacking Legitimate sites”: As Eddie pointed out, I am blocking on the most common legitimate sites. Paypal, Ebay etc. I’m logging and watching the entries. As I find submissions against real sites, I’m adding them to the blocked list.

I have no illusions that this will solve the Phishing problem. But it sure does feel good to fight back and, as one user put it, add the Phishers needles to a haystack.

Please contact me at Support@PhishFighting.com if you have questions, tips, suggestions, or just to tell me I’m an idiot. :^)”

Installing the Windows XP Support Tools

From one of our newsletters, WXPnews:

Did you know that there is a “toolbox” full of XP utilities that aren’t installed on your computer by default, but are available on the installation CD? These include tools to provide information about the encrypting file system, directory disk usage, network connectivity and more. The Windows Installer Cleanup Utility removes old installation configuration information that can interfere with reinstalling a software product. The Memory Profiling Tool takes a snapshot of the system and records details of the memory resources being used by the system in a log file. For more information about the support tools and how to install them from the installation CD, click here.

Alex Eckelberry

 

Civilian flotillas needed in New Orleans

Off topic, but as a boater here on the Gulf, this caught my attention: Civilian flotillas are needed to rescue people trapped in homes — a week after Katrina.

The feds and the local rescue teams can’t keep up with the scale of people needing to be rescued. The actor Sean Penn has been driving around in a boat rescuing people and said he saw three civilian boats yesterday, and invited boaters to come in and join the rescue effort. CNN story here (go down to the links on civilian rescues and also the story about Penn).

If you live within a reasonable driving distance (perhaps Houston, Galveston, Tallahassee, Panama City, or even further) and have a boat with a low draft, feel free to drop in on the disaster and start picking people up. Launching is not that difficult, as every dry street has become a boat ramp.

On another note, a fellow I know is up there right now to help and emailed in to say the scale of the disaster is unimaginable, and that the pictures “don’t do it justice”.

Alex