Ad Supported Software is NOT Free

March 8, 2008 – 3:52 PM

One of the things you will hear about spyware is that “it keeps free software free”. The spin doctors and apologists go on about how you are able to install software for free because of the advertisements. To hear spyware companies tell it, they sponsor these poor, starving software developers out of the goodness of their hearts.

That is not entirely accurate. It is not, in fact, accurate in any way.

Spyware and adware makers want to install their software by any means they can come by, legally or otherwise. Once installed, they want it to remain installed regardless of the wishes of the computer’s owner and they want it to run the entire time the PC is running. The fact is that installing a free program usually is not worth the hassle of dealing with a third party spyware or adware bundle. It is not a fair trade.

A fair and equitable exchange would be if the adware/spyware ran only when the free program which installed it was running. No spyware does this. Instead, it runs as soon as the PC starts up, often with the use of cleverly hidden start up entries.

This confuses me. If the deal is that the user has to endure the spyware in order to use the free software, then why does the spyware not close down when the user is not using the free software? That is the deal: free software in exchange for dealing with ads. The deal is not supposed to be a never-ending barrage of pop-up ads in exchange for the occasional use of a free program. That is not a fair trade.

Another fair exchange would be that the adware/spyware be removed entirely if the “user” decides to remove whatever free software installed it. However, every time this is suggested, the spyware makers dismiss it out of hand. What I would like to know is: “why?”.

If the free program is no longer installed, why is it still being sponsored? The “user” permitted the adware or spyware to be installed only in exchange for using the free program. That assumes that the “user” was properly informed about the presence of the adware/spyware in the first place. Why should the sponsor software remain if the sponsored software is removed? That makes no sense.

One argument put forth is that removing the spyware when one free program is removed might interfere with another free program which installs exactly the same spyware. That is absurd. Assuming someone did actually install two separate programs which bundled the same spyware and then removed one of them, the remaining program would just reinstall the spyware the very next time it was run.

When the free program is removed, the spyware should be removed right along with it. However, no spyware maker will do that voluntarily. They are not interested in a fair and equitable trade. They just want their spyware installed and running by any means necessary.

Now, on to those software developers who decide to sell their users out to the adware and spyware makers.

You will hear the most heartwrenching stories from these developers, as they try to explain to their users why the newest version of their software has begun to set off virus alarms. They will say that no one paid for the upgrade to the pro version. They will say that no one clicked the “donate” button. They will say that, to keep up with their development and hosting costs, they had no choice but to bundle the spyware.

All of that may be true but it is not the whole truth.

The truth is that spyware and adware companies pay large amounts of money to have their software distributed. Some of them even create their own “free” software just so that they can bundle their own spyware or adware into it. Claria did exactly that with their Gator password manager and Precision Time Manager.

The “free” software developers will say that they bundled spyware into their products because not enough people spent the 30 bucks to upgrade to the pro version. If that is the honest truth, then why isn’t their software designed to remove the bundled spyware, as soon as it has generated thirty dollars worth of advertising revenues?

For that matter, why do these developers even need third party adware at all? Simply embed an advertising banner directly into the program’s main window. As soon as the program has shown the user thirty dollars worth of ad banners, it can remove the advertising module automatically.

If all ad supported software worked this way, I imagine that most software would be ad supported. I also imagine that most users wouldn’t mind the arrangement one bit. The cost of the program would be paid for without the users ever having to pull out their credit cards. It would be a fair and equitable trade, something we do not have now.

The sad thing is that these developers would make a hell of a lot more money if they followed this much more consumer-friendly route. I don’t know what the going rate is for a bundle install of Claria’s ad serving software. Whatever it is, I’ll bet it isn’t thirty dollars per copy. If the developers of Kazaa and other spyware-ridden programs started doing this, the problem of bundled spyware would disappear virtually overnight.

The moral of this ramble is this: ad supported software is not free! “Free” assumes that you receive something of value in return for nothing of value. The spyware makers and distributors are well compensated while all you receive are pop-up ads. Not a fair trade at all.

http://www.spywareinfo.net/jan19,2005#threethings

Webroot Enlists Bots To Fight Spyware

March 8, 2008 – 3:51 PM

Anti-spyware company Webroot Software Inc. Monday announced what it claims is the industry’s first automated spyware research system. Called Phileas, the system relies on bots–computer programs that perform tasks in lieu of a person–that continually crawl the Web, looking for spyware, adware, and the sites that host such software. Webroot plans to use the information gathered by Phileas to develop anti-spyware products that can better address new threats.

Like the antivirus industry, anti-spyware companies have traditionally developed signatures to block spyware. These are created by comparing the files on spyware-infested machines against those on clean machines.

“That’s very labor intensive,” explains Richard Stiennon, VP of threat research at Webroot. “The name of the game in the anti-spyware business is to somehow have as close to 100% of all spyware identified and signatures written for it as we can get. And that’s an unachievable task because the spyware writers are extremely active. They show up for work in the morning and write new versions of their spyware every day. So you have to find it as soon as it’s out in the wild.”

Automation, he contends, is the answer. He estimates that one hour of automated research equals 10 work-days of manual research. When first tested in October of last year, the company identified more than 20,000 sites that made spyware available. By February, Webroot plans to have more than 100 bots active, scouring up to 10 sites a second.

Microsoft also has included a measure of automation in its new anti-spyware product, which appeared in beta form last week. Windows AntiSpyware includes a community reporting function called SpyNet that shares information about newly discovered threats to better immunize other members of the network.

Stiennon observes that automation is a necessity, given the proliferation of spyware.

“The spyware industry is only going to grow because it’s so tremendously profitable for the spyware writers and distributors,” he says. “So we have to try to find it as quickly as we can.”

http://www.securitypipeline.com/57700512

Vulnerability allows scammers to hijack pop-ups

March 8, 2008 – 3:49 PM

Security researchers warned this week of a vulnerability in most Web browsers which could potentially allow scammers to launch phishing attacks from pop-up windows on trusted Web sites.

The vulnerability arises when an Internet user opens browser windows for both a legitimate Web site and a malicious site at the same time. Because of an old functionality that exists in most browsers, the malicious site can potentially display information in a pop-up window from the trusted site, according to Secunia Research.

The vulnerability has yet to be exploited but could present a very effective method for launching online fraud scams, often known as phishing, Secunia Chief Technology Officer Thomas Kristensen said Thursday.

While most users do not intentionally visit malicious Web sites, they often stumble upon them by following links, making it relatively common for Net surfers to have browser windows open for both legitimate and malicious sites at the same time, Kristensen said.

This could be a particularly dangerous situation if exploited to display misleading information in a pop-up window from a legitimate bank Web site, for example, he warned. Even if savvy users check for the yellow “lock” icon on a Web site, signifying encryption, the pop-up could still display content from the malicious site, he said.

“This could be a surprisingly effective way to seduce or trick people into doing something,” Kristensen said.

The vulnerability affects almost all browsers, including Internet Explorer (IE), Mozilla, Firefox, Opera, Konqueror, Safari and Netscape, the researcher said.

Secunia, based in Copenhagen, went public with its warning Wednesday, after saying that it had alerted browser vendors of the vulnerability months ago.

Microsoft said Thursday that it has investigated the report, and customers who use Windows XP SP2 and follow its advice on spoofing attacks are at a reduced risk.

The functionality described in the report allows a Web site to open or re-use a window without displaying the address bar. However, SP2 users will see a status bar in the pop-up window, allowing them to look for the yellow lock icon and confirm that the site is valid, Microsoft said.

Opera has also included measures to mitigate the vulnerability in the latest beta version of its software, Kristensen said.

He acknowledged that by going public with the warning he was also alerting Internet scammers to a new opportunity, but said that he felt the public should be aware of the threat since not all browser vendors had been responsive.

“We thought it would be better to openly talk about this and we are giving advice on how to mitigate it,” Kristensen said.

http://security.itworld.com/4341/041209popupvulnerable/page_1.html

MD5 Flaw Threatens File Integrity

March 8, 2008 – 3:49 PM

According to a report from security researcher Dan Kaminsky, the MD5 cryptographic algorithm may be at risk. This means that files, applications and programs supposedly authenticated and verified by MD5 could potentially be compromised.

In a research paper titled “MD5 To Be Considered Harmful Some Day,” Kaminsky expanded on the theoretical work done by Chinese security researchers Xiaoyun Wang, Dengguo Feng, Xuejia Lai and Hongbo Yu on “Collisions for MD5 Hash Functions.” Kaminsky released a tool called Stripwire to demonstrate some of the attacks he describes.

A hash collision means that two different inputs produce the same output from a hash function. A hash function for which collisions can be found is no longer considered cryptographically secure and can be attacked. In August, French researcher Antoine Joux presented an unpublished paper at the Crypto 2004 conference similar to the original Chinese research that Kaminsky expanded upon.

At the time, the disclosure prompted data storage giant EMC to reassure its customers that the MD5 algorithm it uses is enhanced and buried in the platform and that it was virtually unexploitable.

“Some people have said there’s no applied implications to Joux and Wang’s research,” Kaminsky wrote. “They’re wrong; arbitrary payloads can be successfully integrated into a hash collision.”

MD5 hashes are widely used today on countless file servers and P2P networks as a way to guarantee file integrity. According to Kaminsky, this makes such systems blind to any payload hidden within an MD5 collision, since both versions of the file carry the same hash.

“This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third-party signature,” Kaminsky wrote. “Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely ‘activated’ without the MD5 changing.”

Kaminsky also noted that digital signature systems are potentially vulnerable, as they usually do not sign the data itself but rather a hashed representation of the data. Passwords are also often saved on *nix (UNIX/Linux) systems with MD5, though Kaminsky noted that such passwords really aren’t at all vulnerable to the MD5 attack.

Despite the analysis and proofs proposed by Kaminsky, he does admit that the attacks discovered are obscure.

“The attacks are not wildly practical, and in most cases exposure remains thankfully limited for now,” Kaminsky wrote. “But the risks are real enough that responsible engineers should take note. This is not merely an academic threat; systems designed with MD5 now need to take far more care than they would if they were employing an unbroken hashing algorithm, and the problems are only going to get worse.”
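To make Kaminsky’s point concrete, here is an added example that is not from the article or from Stripwire. It uses the colliding input pair that Wang, Feng, Lai and Yu published (transcribed from the public literature, not from this page) and shows that an integrity check based on MD5 alone accepts both variants of a file, while a SHA-256 check tells them apart. The file suffix and the verifier are constructed for illustration.

```python
import hashlib

# The pair of 128-byte inputs published by Wang, Feng, Lai and Yu in 2004, transcribed
# from the public literature (not reproduced on this page). Six bytes differ, yet both
# hash to MD5 79054025255fb1a26e4bc422aef54eb4.
WANG_M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
WANG_M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)
# Constructed stand-in for the rest of a distributed file; identical in both variants.
COMMON_TAIL = b"\n-- constructed file body shared by both variants --\n"

def differing_offsets(a: bytes, b: bytes) -> list:
    """Byte offsets at which two equal-length inputs differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def digests(data: bytes) -> dict:
    """Hex digests a download page might publish for a file."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def build_variants(suffix: bytes = COMMON_TAIL) -> tuple:
    """MD5 is a Merkle-Damgard construction: equal-length colliding prefixes keep
    colliding under any common suffix, so the collision survives into two complete
    files whose contents a program could branch on (Kaminsky's scenario)."""
    return WANG_M1 + suffix, WANG_M2 + suffix

def verify(data: bytes, published: dict) -> dict:
    """Which of the published digests this data matches."""
    actual = digests(data)
    return {alg: actual[alg] == expected for alg, expected in published.items()}

if __name__ == "__main__":
    good, bad = build_variants()
    published = digests(good)                 # what the legitimate release advertises
    print("bytes that differ:", differing_offsets(good, bad))
    print("good:", verify(good, published))   # {'md5': True, 'sha256': True}
    print("bad: ", verify(bad, published))    # {'md5': True, 'sha256': False}
```

The practical check is the last line: a release that publishes only an MD5 gives a verifier no way to reject the second variant, which is why file servers should publish a SHA-2 digest alongside or instead of MD5.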

In 1991, MD4 was shown to have weaknesses, which its successor MD5 was supposed to have corrected. As early as 1996, though, the first inklings of weakness in MD5 were exposed by Hans Dobbertin, the same researcher who discovered the weakness in MD4.

http://www.internetnews.com/security/article.php/3446071

AOL Is Spyware

March 8, 2008 – 3:48 PM

Many people go on about AOL’s software being spyware. To be sure, I’ve heard hundreds of times that the advertising AOL members see often begins to reflect their style of web surfing. Someone who visits many car racing or hobbyist sites will notice that the AOL advertising tends to be car-related after a while. There is also the matter of some AOL software tampering with Internet Explorer security settings by adding an AOL web server to the “Trusted Zone”. Still, I’ve never agreed that it was spyware – until now.

AOL’s newest software is specifically designed to be used as surveillance spyware. The intention, while misguided, is good. It is listed as a parental control and allows the “Master User” to monitor the internet usage of every other user. The software creates reports of other users’ web surfing, emails and instant messaging activity. I don’t know if it also takes screenshots. If it doesn’t, that is just about the only feature missing that is found in most commercial spyware products.

While this is billed as a “parental control”, anyone could use this feature to spy on you if you use AOL. Anyone with the “Master” account’s password can turn on this feature and spy on anyone else using that computer. This can even be done remotely, so the person doesn’t have to be right there in the house. If you use AOL, you had better check to make sure someone isn’t using it to spy on you.

http://www.spywareinfo.net/dec01,2004#aol