
Little Agreement on Spyware Guidelines

Filed under
Security

Many anti-spyware programs scour computer hard drives for those data-tracking files called cookies that we often get from Web visits. Microsoft Corp.'s tool does not. And there are disputes aplenty about whether certain widely used advertising programs circulating on the Internet are clean of spyware.

No surprise, then, that there's little agreement on what should be considered spyware, and what adware is exactly. Or on whether adware, which delivers ads, is a form of spyware or a breed apart.

Consumers are confounded. Is their computer-cleaning overzealous or not thorough enough? Are they removing useful programs with the dreck?

No less vexed are makers of anti-spyware software. They're beset by legal headaches, constantly challenged for what their products define and target as malware.

"It certainly distracts us from the job at hand," said David Moll, chief executive of Webroot Software Inc.

Help may be on the way. Led by the tech-advocacy group Center for Democracy and Technology, the anti-spyware industry is crafting definitions and plans to eventually set up dispute-resolution procedures. A draft is expected by late summer.

"A definition is the foundation," said Ari Schwartz, the center's associate director. "If a consumer's going to make a decision in the marketplace about what they have and what software they are going to use, it's helpful to have a basis to do that on."

Similar efforts, however, have failed before.

Part of the challenge stems from how the term "spyware" evolved.

"It started out as being called spyware because a lot of it was spying on people and sending personal information," said Dave Methvin, chief technology officer with tech diagnostic site PC Pitstop. "It's a catchy, quick word that is always easy for people to understand and say."

But the term stuck even as some of these programs, in response to consumer complaints, began sending back less data and became less sneaky.

In some people's minds, spyware came to include programs that change Web browser settings without asking or trick users into racking up huge phone bills by making the equivalent of "900" calls to foreign porn sites.

"'Spyware' has sort of become the euphemism for any software I don't want," said Wayne Porter, co-founder of SpywareGuide.com.

The result is chaos.

Microsoft, for instance, chose not to scan cookies because many sites need them to remember passwords and otherwise customize a surfer's experience. Cory Treffiletti of the online ad agency Carat Interactive says cookies help sites identify repeat visitors so the same ads aren't shown over and over.

But other spyware hunters flag cookies on the grounds that they help advertisers track behavior. EarthLink Inc.'s Scott Mecredy says anti-spyware programs have gotten sophisticated enough to distinguish good cookies from bad.
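What "distinguishing good cookies from bad" amounts to in practice is a triage rule over the browser's cookie jar: a cookie set by a site the user actually visited (a login or preference cookie, the kind Microsoft cites) is kept, while a long-lived cookie set by a domain the user never visited directly is the classic advertiser tracking cookie. The following is an added illustration written for this page, not code from Microsoft, EarthLink or any anti-spyware product. It parses the Netscape cookies.txt format that browsers of the period exported, and the cookie jar, the visited-site list, the domain names and the 30-day threshold are all constructed assumptions for the example.

```python
"""Heuristic tracking-cookie triage over a Netscape-format cookies.txt.

Added example for this article; not any vendor's detection logic. The cookie
jar, visited sites, domains and the 30-day threshold are constructed.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass
class Cookie:
    domain: str
    path: str
    secure: bool
    expires: int   # Unix timestamp; 0 means a session cookie
    name: str
    value: str


def parse_cookies_txt(text: str) -> List[Cookie]:
    """Parse Netscape cookies.txt: seven tab-separated fields per line,
    comments start with '#'. Malformed lines are skipped, not guessed at."""
    cookies = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _host_only_flag, path, secure, expires, name, value = fields
        cookies.append(Cookie(domain.lstrip(".").lower(), path,
                              secure == "TRUE", int(expires), name, value))
    return cookies


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). A production tool would consult the
    Public Suffix List so that e.g. 'co.uk' is not treated as a site."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def is_tracking_cookie(cookie: Cookie, visited_sites: Set[str],
                       now: int, long_lived_days: int = 30) -> bool:
    """Flag a cookie when it is third-party (its registrable domain matches no
    site the user visited) AND persists longer than long_lived_days.
    Session cookies and first-party cookies (logins, preferences) are kept."""
    if cookie.expires == 0:
        return False  # session cookie: discarded when the browser closes
    visited = {registrable_domain(s) for s in visited_sites}
    if registrable_domain(cookie.domain) in visited:
        return False  # first-party: the site the user went to set it
    return (cookie.expires - now) > long_lived_days * 86400


def triage(cookies_txt: str, visited_sites: Set[str], now: int) -> List[Cookie]:
    """Return the cookies that the heuristic would present for removal."""
    return [c for c in parse_cookies_txt(cookies_txt)
            if is_tracking_cookie(c, visited_sites, now)]


# Constructed sample data (not real browser history). Timestamps are around
# late 2004; NOW is the scan time.
NOW = 1_100_000_000
VISITED_SITES = {"www.example-news.com", "example-shop.com"}
SAMPLE_COOKIES_TXT = "\n".join([
    "# Netscape HTTP Cookie File (constructed sample)",
    # first-party, persistent preference cookie: keep
    "\t".join([".example-news.com", "TRUE", "/", "FALSE", "1131536000", "pref", "lang=en"]),
    # first-party session cookie: keep
    "\t".join([".example-news.com", "TRUE", "/", "TRUE", "0", "sessionid", "abc123"]),
    # third-party ad network cookie that lives for years: flag
    "\t".join([".ads-example.net", "TRUE", "/", "FALSE", "1200000000", "uid", "7f3a9c"]),
    # third-party but expires tomorrow: below the threshold, not flagged
    "\t".join([".ads-example.net", "TRUE", "/", "FALSE", "1100086400", "tmp", "x"]),
    # first-party "remember me" cookie on a subdomain of a visited site: keep
    "\t".join([".login.example-shop.com", "TRUE", "/", "TRUE", "1110000000", "remember", "tok"]),
])

if __name__ == "__main__":
    for c in triage(SAMPLE_COOKIES_TXT, VISITED_SITES, NOW):
        print(f"tracking candidate: {c.name} from {c.domain}")
```

The rule deliberately errs toward keeping cookies: only the third-party, long-lived combination is flagged, so the login and preference cookies that Microsoft and Treffiletti describe survive, and the one cookie reported is the ad network's persistent user identifier. The weak spot is the visited-site list, which the scanner has to reconstruct from browser history; a site the user visited but whose history entry was cleared would make its cookies look third-party.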

Then there's the question of whether "spyware" includes adware.

Claria Corp., formerly known as Gator Corp., has sued several anti-spyware companies and Web sites for calling its advertising software "spyware." PC Pitstop rewrote some of its materials as part of a settlement.

Even "adware" isn't good enough for some.

Joseph Telafici, director of operations for McAfee Inc.'s security research unit, says the company now gets one or two complaints a week, compared with two or three per quarter last year from companies whose programs it has dubbed spyware or adware.

McAfee is in the process of assigning a full-time lawyer.

Symantec Corp. sought to pre-empt a lawsuit by filing one itself, asking a federal court to declare that it had the right to call Hotbot.com Inc.'s toolbar adware. Hotbot did not respond to requests for comment.

Symantec still faces a lawsuit by Trekeight LLC, whose product Symantec brands adware.

Though it has yet to sue, 180solutions Inc. takes issue with "adware," preferring "searchware" or "sponsorware." "Adware" has become too linked with bad actors, and the industry needs more differentiation, said its chief executive, Keith Smith. Most anti-spyware vendors, however, still put 180solutions in that category.

Aluria Software LLC says one company, WhenU.com Inc., has changed its practices enough that it is now spyware- and adware-safe.

But America Online Inc., though it uses Aluria's technology, prefers a different test: What its users think.

AOL found that users overwhelmingly choose to rid their computers of WhenU's SaveNow application when anti-spyware scans uncover it, so AOL continues to list it as adware.

Adding to the confusion is the fact that many legitimate programs -- including Microsoft Corp.'s Windows operating system and Web browser -- send out data without making the user fully aware, one of the common attributes of spyware.

And many programs that spy do have legitimate functions -- people may run a keystroke recorder to monitor spouses whom they suspect of cheating. Or they may willingly accept adware in exchange for a free game or screensaver.

Anti-spyware software companies say they leave removal decisions to customers, though many users simply follow their recommendations, failing to distinguish the mild from the malicious.

"If an anti-spyware company recommends that the software (gets) blocked, consumers will typically block it," said Keith Smith, chief executive of 180solutions. "It doesn't matter how good an experience they have with it."

Alex St. John, chief executive of WildTangent Inc., says anti-spyware companies have an incentive to overlist programs: It makes their products appear effective. Better definitions, he said, would help clear his company's game-delivery product.

"We want to do anything under our power to be clearly defined as a legitimate, upright consumer company," he said. "We would love to have something to adhere to."

Guidelines could give anti-spyware vendors a better defense.

For consumers, said Tori Case of Computer Associates International Inc., "if we start using the correct terminology, we can demystify it a bit and help people understand what the real risks are."

By ANICK JESDANUN
Associated Press
