MIT Startup Tests Top Million Sites for Spyware

torrentami writes "An MIT startup called SiteAdvisor has downloaded over 100,000 programs from the top million Web sites and tested them for adware and spyware using an automated system they've built. They've got a blog entry where they dissect 5 of the worst adware bundles they found. There is some amazingly invasive stuff in there."
This discussion has been archived. No new comments can be posted.

  • by CyricZ ( 887944 ) on Saturday January 14, 2006 @09:56PM (#14473576)
    The one major lesson we can take from their research is that we should probably not be using Windows.

    When you consider how many alternatives (often far cheaper, too) are available, it's a wonder that so many still choose to use software that leaves their systems wide open to exploitation, be it from worms, viruses, or malicious websites.

    But perhaps a secondary lesson is that we need to keep an ever-strong vigil. It's perhaps even our duty as computer-competent individuals to inform others of these issues. Not to preach to them, by any means, but do let those less-astute computer users know what is going on. Advise them that such problems exist, and tell them how to avoid such malicious software.

    We can easily defeat the problem of spyware. But it will involve people helping each other out. Soon enough the ignorance will fall by the wayside, and we will all be better off.

  • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Saturday January 14, 2006 @09:59PM (#14473589) Homepage Journal
    I disagree.

    Windows is, by far, the most insecure operating system out there. It is also the operating system that users find the easiest to use, and it is also the operating system that (in my opinion) has the most flexibility for programmers and software corporations of all sizes.

    While the *nix varieties are definitely more secure (as they are now), a switch to *nix will not lead us to less spyware-ridden applications online. In fact, if Windows were to fail commercially tomorrow and everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

    *nix does not mean secure. It just isn't popular enough for spyware programmers to target, yet. Give it time, I think as it gains popularity, it will begin to be a target for the software companies that try to enter and dissect your life digitally.
  • by CyricZ ( 887944 ) on Saturday January 14, 2006 @10:02PM (#14473600)
    What are their criteria for deciding if a site is within the "top million" on the WWW? Are they using data from a service such as Alexa, or is it mere speculation on their part as to the traffic of the sites they have tested?

  • by BushCheney08 ( 917605 ) on Saturday January 14, 2006 @10:06PM (#14473624)
    In fact, if Windows were to fail commercially tomorrow and everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

    Agreed. Especially when you consider that all of the programs in TFA were installed after the user clicked the "I Agree" button five, six, seven times. The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there. This is where informing the user comes in. And the user has already shown many times over that they don't care to be informed. This sort of crap is gonna be around for a long long time...
  • I don't agree. (Score:5, Insightful)

    by Zombie Ryushu ( 803103 ) on Saturday January 14, 2006 @10:09PM (#14473632)
    The security paradigm of Windows and the Unix World are Apples and Green peppers. There will still be spyware threats out there if Windows didn't exist. But they would be different threats, and they could even be worse in some cases, but they would be fewer in number and the Internet wouldn't be such a darkened Hell hole it is steadily becoming. The Data miners would get more resistance from the Unix world than they have a Windows world that can't fight back.

  • I disagree (Score:3, Insightful)

    by smittyoneeach ( 243267 ) * on Saturday January 14, 2006 @10:19PM (#14473657) Homepage Journal
    Mr. Softy targets the dumb mean of the user distribution, +/- a couple of standard deviants on either side.
    The *nix philosophy requires a great deal more learning on the part of the user.
    Education can't stop a quality cock-up, but it certainly filters a great deal of blatant boo-boos, like coughing up a root password to www.passwordstorage.com.
  • by GoofyBoy ( 44399 ) on Saturday January 14, 2006 @10:28PM (#14473692) Journal
    >I was recently asked to set up some computer systems at a seniors home.

    That's great. What happens when they go to Wal-Mart and want to buy some software?

    Or when they want to hook up their brand-spanking new digital camera/mp3 player/PDA?

    Lots of people are more bleeding-edge than seniors.

    >You may deny it, but the fact of the matter is that Linux systems won't get infected with spyware at this time. Sure, that may change in the future, but I'm doubtful about that.

    You don't need a better code to prevent spyware, you need better users. Better system design/code will never beat out a user, unless the design involves cutting the power to the computer.
  • by linguae ( 763922 ) on Saturday January 14, 2006 @10:30PM (#14473698)
    [Windows] is also the operating system that users find the easiest to use, and it is also the operating system that (in my opinion) has the most flexibility for programmers and software corporations of all sizes.

    I disagree. Mac OS X is considered by many much easier to use than Windows (in fact, the classic Mac OS, IMO, is considered by some to be the hallmark of usability; memory management issues aside, in some ways it is more "user-friendly" than OS X is), even though I do agree that Windows is easier to use than Linux is (I'm talking more than just the interface; even though KDE and GNOME have reached Windows as far as usability (IMO), it is the whole package that counts, and some things such as installing certain drivers are tougher in Linux than in Windows. That's why I still have a Windows partition). I also find the Unix-based OSes to be more flexible for programming than Windows is; Unix has tons of command-line based programming tools at your disposal, and programming GUIs in Unix has gotten better with GTK+ and QT (even though Mac OS X leads the pack here with Carbon/Cocoa). Unix has widespread support for nearly all programming languages and programming styles, as well.

    I do agree with you on the rest of your points, however. Spyware isn't necessarily a security issue (even though Microsoft's security issues don't help the issue); it is about users who don't know any better. It doesn't matter if Microsoft creates a version of Windows built on top of BSD or Linux. Nothing in Unix prevents a user from running a script that says "rm -rf ~", which ends up deleting all of their files. After all, part of the Unix philosophy is not holding the hands of users ;). It doesn't matter if that script is a program saying "Download FREE revealing pictures of Pamela Anderson" or "Click this icon and win an iPod" or something else that many people will fall for.

    Even the most secure OpenBSD system will fall victim to *nix spyware if you let the most foolish (l)user mess around with the system.

  • by ian_mackereth ( 889101 ) on Saturday January 14, 2006 @10:44PM (#14473736) Journal
    If the word "Free!" is enough to get users to download the screensaver, game, utility, etc., then this sort of thing will continue.

    Somebody has to pay for the server bandwidth and the time to write the programs, and one viable model is adware. I deplore the installation of software that's a)not in the EULA or installer screens and b)damn hard to get rid of, but the 'legit' adware is what's paying the bills of the guys giving you free stuff.

    There's always a subset of users who can circumvent the installation of the unasked-for bundles, but the average user without updated anti-spyware, firewall or anti-virus software will make enough money for the vendors to keep us in freebies for quite some time to come...

  • by Presence2 ( 240785 ) on Saturday January 14, 2006 @10:54PM (#14473759)
    If I designed a product that allowed me to invade your home without your knowledge, spy on your behavior, and report it back to me - I would be arrested (or hired by NSA/homeland security).

    Yet, all these thousands of products do this with absolutely zero accountability. As far as I am concerned, the programmers and companies who promote this behavior should be just as culpable as any petty crook who selfishly holds no regard for their victims.
  • by CTalkobt ( 81900 ) on Saturday January 14, 2006 @11:21PM (#14473834) Homepage
    This is not a windows issue (as much as I dislike windows).

    It's a user issue. Like any information on the web you need to consider the source of where you're getting your programs from. I wouldn't get cancer information from the tobacco companies websites - just as similarly I wouldn't get software utilities from my company from a page that has a bunch of advertisement links along with some porn.

    Rational users would cure 95% of the virus / trojan issues. The other 5% are usually inadvertent mistakes from legit websites. For those a checker is needed if you want to immediately download files. That or let others be your guinea pigs and only download ones older than 3 months old.

    ( I know - there is no such thing as a rational user but I can dream... )
  • by TimTheFoolMan ( 656432 ) on Saturday January 14, 2006 @11:23PM (#14473841) Homepage Journal
    It's no surprise that we who write software are seen as arrogant when we see the *average* user, the person who makes technically uninformed decisions, and our response is, "the problem isn't with our system, the problem is that you Mr. User are an idiot."

    The world has idiots. Why can't technology people (us) accept this without derision? The world also has many people who don't know technology, and don't care to. They are not necessarily the same people.

    Emerson said "Every man is in some way my superior, and in that I can learn from him." We seem to be so busy casting aspersions that we don't have time to listen. We're so quick to insult, perhaps because we (developers and technology people) don't *care* about users. Are we so superior to Emerson that there's nobody we can learn from?

    Why can't *someone* care enough about the technologically illiterate to protect them against themselves? Why isn't there a company out there that will make it difficult for a regular user to install something that has potentially deep effects to the OS, but makes the OS accessible to that same user?

    Oh wait... there already is one.

    Tim
  • by Billly Gates ( 198444 ) on Saturday January 14, 2006 @11:40PM (#14473888) Journal
    Still it's no Windows.

    I used to use FreeBSD and I tried Ubuntu (gnome version) and decided not to keep it. It's a hassle to upgrade to Openoffice 2.0 and Java5. Sure I could probably do it if I had time on my hands but it's a pain to redo the apt.sources and download unstable software from god knows where. I am afraid it would make my system buggy with the nasty dependencies that are beta or RC level.

    I got the Gentoo cd and I am going to try again with that but still it's not for average Joes.

    Windows is nice because it just works. With school and a shift from pc support to programming at work I don't care about some of the things linux has to offer from a server level. I just want to point and click and work.

    During spring break I will put unix back on my system but for now I am sticking with windows. I am at least knowledgeable enough to know better than to install most software that comes with malware.
  • by westlake ( 615356 ) on Sunday January 15, 2006 @12:03AM (#14473998)
    When you consider how many alternatives (often far cheaper, too) are available, it's a wonder that so many still choose to use software that leaves their systems wide open to exploitation

    It's not such a wonder at all.

    Open Sourceforge.net. Search for projects that are aimed at users without a trace of the Geek in them. The pickings can be mighty slim.

    Turn to a site like Amazon.com for a look at what these users want. It is a very different world.

  • by tokengeekgrrl ( 105602 ) on Sunday January 15, 2006 @12:38AM (#14474155)
    I have a brother who is married and has 2 kids between the ages of 12-15. Those kids killed his last computer, unwittingly installing all sorts of nonsense when they downloaded games and graphics. That was on a Win98 SP2 machine which, as hard as I tried, I simply could not secure or revive from all of the trojans and malware that had infected it.

    My brother supports a family of 4 on his one salary. They live very well considering the cost of living in their small, midwestern town, but computers still cost the same and he hasn't been able to afford to buy a new one. He's quite proficient with computers when it comes to using and configuring them for what he and his family needs it to do. He just doesn't have time to keep up on all the security issues and patches since he's too busy working to support his family and trying to be a good father to his kids.

    After he got laid off from his job not too long ago, I bought him and his family a new PC with WinXP Home, (I know XP Professional is much better when it comes to security but it would have overwhelmed my brother and the best PC package I could find at the price I could afford only offered XP Home). I walked him through how to secure the new PC by setting up an account for the kids with guest access so they can't install anything, configuring automatic updates, installing spybot and automatic scans, tuning the XP firewall, and having him switch to Firefox. I sent him urls for websites that explained how to secure a PC and maintain it.

    I've just emailed him about installing the SiteAdvisor plug-in for Firefox which is absolutely brilliant for users like my brother. Hell, I've installed it just for the novelty of it.

    The point is, my brother is taking care of his machine now and he loves Firefox. He has told everyone he knows in his little town about how great it is and to dump IE. All it took was someone taking the time to inform him.

    So chill and if you have the time and inclination, take 10-15 minutes to explain to a user how to protect their PC. If that's not the kind of thing you feel like doing, fine, then as far as I'm concerned, you don't have a right to complain about it.

    If you're not part of the solution, then you're part of the problem, in my opinion.

    Respectfully yours,
    tokengeekgrrl
  • by gcatullus ( 810326 ) on Sunday January 15, 2006 @01:39AM (#14474370)
    I don't think that the problem is people who don't know technology making uninformed decisions, so much as people having a flagrant disregard for the concept that what they do with their own PC affects everyone. For example, if I never learned to program the clock on my VCR and it flashed 12:00 all the time, it only affects me. But if all I want to use it for is watching videos from Blockbuster, then who cares, there is absolutely no harm.

    People apply the same logic to their PCs. As long as they can check their AOL mail and play solitaire, they think everything is fine. The classic car analogy mentioned above doesn't capture what most people think is happening. If their PC is full of spyware and crap, it is only a nuisance to them alone, they believe. Like if their car didn't have a working gas gauge, or if the radio would not work. An annoyance, yes, but not the end of the world and in no way affecting anyone else.

    The average person wouldn't want to drive a car that was leaking gasoline and oil all over the place all the while spewing clouds of polluting black smoke, but they don't understand that this is the state that they let their PCs get to.

    The challenge is not to teach them the technology, nor even design a system that protects people from their own dumb actions, but to teach them that their actions can create havoc for other people.

    It's not, "Don't open any email attachments from anyone ever, or your computer will be screwed.", it should be "Don't open email attachments from anyone ever, or your PC will start infecting other people's computers and be used to host kiddie porn."
  • by Hosiah ( 849792 ) on Sunday January 15, 2006 @01:49AM (#14474407)
    everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

    No, as a matter of fact, that's a falsehood based on ignorance of what free software is all about. In Linux, *all* software is free, from the kernel out. You're trying to say the absence of spyware opportunities would overnight make Richard Stallman start dumping tons of malware into the next Emacs release?

    Quite a bit of the garbage in the Windows environment is there because they know Windows users will tolerate it. This is the same reason you are charged for software, get rootkits installed with your music, get pressured to upgrade every two months, yada, yada.

  • by donkybottom ( 740718 ) on Sunday January 15, 2006 @01:49AM (#14474410)
    I think that would be his solution no matter which OS was used. Letting inexperienced people install whatever they want is a recipe for disaster. The whole reason for this spyware epidemic is due to exactly this reason. It also makes complete sense to have one person being the admin for a shared resource, you can't let people who have no idea what they are doing admin a shared system.
  • by WindBourne ( 631190 ) on Sunday January 15, 2006 @02:01AM (#14474444) Journal
    I always laugh at that argument. Basically, so many Windows encourage all the hackers. So not true. Even back in the 80's when Mac was bigger than DOS, attacks were being designed for DOS. Why? Ease of doing so. Apache has shown this, as well as numerous other examples. The best example out there, is that banks during the 60's and 70's were heavily robbed until the 7-11 stores became the easy marks (and loaded with small money). Finally 7-11 decided to change their attitude and make it near impossible to make any amount of money over 50. So what are robbers hitting these days? Banks. Why? Due to ease of hit combined with the amount of money.
     
    The lesson to learn on that, is that crooks go for the easy mark that makes money. *nix will be the target when either:

    1. insecure systems do not have money.
    2. all other systems are more secure than *nix.

    Neither is likely to happen anytime soon (and many would argue any time far). *nix will be very secure for a long time.
  • Re:Similar (Score:3, Insightful)

    by Pope ( 17780 ) on Sunday January 15, 2006 @02:06AM (#14474462)
    You have to sudo cp it to /etc. Or are you just being deliberately obtuse?
  • by nacturation ( 646836 ) <nacturation AT gmail DOT com> on Sunday January 15, 2006 @02:13AM (#14474482) Journal
    The one major lesson we can take from their research is that we should probably not be using Windows.

    Maybe we can all run OS X. When the built-in OS X Software Update utility needs to install a new security update, the user is prompted for the keychain password. When grandma wants to download a new recipe program, it too prompts for the password. So it must be safe, right? Well, now that the application has root access it can do a hell of a lot of damage to the system. Install all kinds of spy/adware, etc.

    Even without root access, you can still do a lot of stuff on OS X for anyone malicious enough to target the system.
     
  • by geminidomino ( 614729 ) * on Sunday January 15, 2006 @02:40AM (#14474572) Journal
    Does that sound like Linux works?

    In all fairness, I think that's more telling of him than of linux.
  • by jesterzog ( 189797 ) on Sunday January 15, 2006 @03:12AM (#14474640) Journal

    The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there.

    I don't really disagree with you that spyware could be a problem if there's motivation, but in my own experience Linux does have some fundamental architectural and use differences that I think would benefit more than you're suggesting. One that someone else pointed out in another response, which I think was a good point, is that people using Linux tend to go to their distro's repository for software rather than directly to the vendor. The nature of Open Source means that it's more realistic for third parties to offer their own customised versions of any package, which is effectively what happens.

    Furthermore, one of the biggest problems I've had with Windows spyware is that it simply ties itself so tightly into the operating system. Windows is full of proprietary formats and configurations that are hidden away from the user, making it more difficult to get at them. Windows tends to make it complicated to view and edit configurations without special tools, whereas Unix apps tend to put it all in text files, sometimes with a tool for editing but usually still editable by hand. The reason we need anti-spyware tools in Windows (yet another third party application) is because there's no readily standard way to examine and fix all the configuration information without it.

    With an appropriately configured Linux or Unix system, it's much more predictable as to what any spyware can do. Given that most of the configuration exists in open and readily accessible formats, it becomes more realistic to monitor what's going on in a user's configuration files than it is in Windows, and if necessary clean it out.

  • by Lord Kano ( 13027 ) on Sunday January 15, 2006 @03:42AM (#14474695) Homepage Journal
    The one major lesson we can take from their research is that we should probably not be using Windows.

    The OS isn't the biggest problem, it's uneducated users. Computer usage has reached an all time high. We're in an era when most of the people in the world are so busy that they don't have time to learn about things that do not directly affect their ability to earn a living. Most Americans don't understand how presidential elections work. Most Americans don't understand what's in the US Constitution.

    Some of it may be laziness, but a lot of it is because it's a complicated subject. If more people were using Linux or OSX the people who don't know any better would go right ahead and enter their root password for any dialog box that asked for it.

    LK
  • by MOGua ( 750520 ) on Sunday January 15, 2006 @05:09AM (#14474876)
    You're trying to say the absence of spyware opportunities would overnight make Richard Stallman start dumping tons of malware into the next Emacs release?

    no.

    There will be all sorts of NEW software (screensavers, games, weather checkers, and download accelerators) written for *nix for all the previous-windows-user-average-joes to download and get infected.
  • by maxpublic ( 450413 ) on Sunday January 15, 2006 @06:09AM (#14475003) Homepage
    I have no idea why you couldn't revive his computer. At worst you'd have to reformat the disks and reinstall; no virus, trojan, or piece of spyware is going to survive that. No matter how bad the software it isn't going to be able to rewire his hardware.

    Max
  • Can't agree (Score:5, Insightful)

    by guet ( 525509 ) on Sunday January 15, 2006 @06:19AM (#14475026)
    Agreed. Especially when you consider that all of the programs in TFA were installed after the user clicked the "I Agree" button five, six, seven times. The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there. This is where informing the user comes in. And the user has already shown many times over that they don't care to be informed. This sort of crap is gonna be around for a long long time...

    Yes and No. The user has to agree, but on XP the user has been trained to agree -

    A big difference I notice between Windows XP and OS X (one of those nix) is the number of times I have to click 'Next' or 'Previous' in dialogs in Windows, just to get anything done at all. In my opinion the main reason for the growth of spyware on Windows (before ubiquity) is the way the OS trains you to click, click, click to do anything at all. You end up not reading any of the dialogs because you read the first few words and guess the rest. The user is inured to warning dialogs of any sort, and starts to click through the forest of 'Next' buttons to get to where they want to go (or thought they wanted to go :). There's also the problem with users running as admin all the time, meaning the only line of defence is the security policy of the web browser, not the users' permissions.

    In contrast on OS X you very rarely have to say 'ok, do this, then that, next, next, finish', you are asked one simple question (usually) with an 'OK' the first time you open a document type with an application. And you very, very rarely have to enter your admin password, practically only when you are installing big applications like Photoshop which need to install libraries. So if a website pops up an authentication dialog (which they can't anyway BTW), you know something is wrong; you stop and think about it.

    That said user ignorance of what constitutes safe computing is a problem too.
  • by Anonymous Coward on Sunday January 15, 2006 @08:30AM (#14475225)
    I wish they better analyze their website.
    FreeBSD.ORG = Marked as yellow - "Use caution." ( http://www.siteadvisor.com/sites/freebsd.org [siteadvisor.com] )
    In the same time all fraud websites in Google search for "Green card" are green ( http://www.siteadvisor.com/sites/us-green-card-lottery.org [siteadvisor.com] )
  • perfect example (Score:2, Insightful)

    by deadlocked ( 864900 ) on Sunday January 15, 2006 @10:58PM (#14479081)
    This is taken a little out of context, but something that actually happened in an IRC chat channel.

    user: how can I fix my PC to be able to play these songs?
    me: listen, you need to clean your PC from that virus first
    user: how do I do that?
    me: go there and bla, then blabla and bla you're done
    user: what? I just want to listen to my music
    - user has quit
  • by Hosiah ( 849792 ) on Monday January 16, 2006 @04:34AM (#14480270)
    Targeting not You Linux users, but them Linux users that were windows users.

    LOL. OK, I'll award each of us a half-point. You're right in what you say. But this leads to yet another of my favorite hobby-horses: probably one of the least popular opinions in all of computing that I'm about to utter, here, but true nevertheless: "People aren't nearly as stupid as we make them out to be."

    Only six years ago, I was still one of "them Windows users". I was banging my skull in frustration at the built-in lameness of the platform. Then I got my hands on Linux. I dual-booted the family PC for awhile until the rest of the family caught up with me, and used Linux exclusively on my own box. And happy ending: we've all been running Windows-free for years, now.

    Like any other ex-Windows user, I was a slow convert...we all were. We had to discover how to do things the Linux way. We had to adjust to the security constraints, which we first circumvented running as root, then grudgingly got user accounts, and now fully accept the sysadmin/group/user way as the sanest way to compute.

    The number one thing I like most about Linux is: it lets me be as smart as I am! I was *always* computer-savvy, even when I was running a 286/DOS 6.22/Win_3.1 box and spending most of my time on it writing little gopher programs in QBasic (compiled to 'executables' with QB 4.5, of course!) from the DOS prompt. Linux was the first system that trusted me to have the brain I'd always had. The difference is, I can USE it now! Likewise, my family is discovering skills they didn't know they had as well. My spouse now is learning quite a bit of web design; she's discovered that there's more to it than a click 'n' build ISP-linked "home page". My kids are beginning to explore Python from the command line; we have to watch they don't use it to cheat on their math homework!

    True, the AIM/AOL/MySpace crowd is almost entirely a loss. But to hypothesize what they'd do if they were to suddenly swoop on Linux would be the same as to ask what they would do if they suddenly got awarded physics degrees. But even if we discover (to our flabbergasted shock) that "Joe Sixpack" has a few tricks in him (hey, he learned Windows 15 years ago; even he was able to grok a copy of "Windows for Dummies" in order to do so.) and discovers Linux, even he's going to observe "I have xscreensaver and more plugins for it than I can possibly use that are risk-free, or I can download this spam-o-matic gizmo that takes over my machine..." Edge-cases, yes, some people will still use adware, no matter what. But adware will not thrive in the Linux world the same way it does in the Windows world, where there is no free xscreensaver option to start with.

  • Re:Similar (Score:2, Insightful)

    by Redwin ( 805980 ) on Monday January 16, 2006 @08:45AM (#14480952)
    I really do not know why HOST files are not a more common theme

    Maybe because "From time to time I get pages that aren't found.....but I can review these as the HOST file is of course text."

    For you, me and the technically inclined this is no biggy, can you see your Gran doing this? As far as they know the site they want to view doesn't work but it was fine before you set up this funny named file.

    Maybe it could be possible to design a two tier security model that flagged up if a site was being blocked, and you could allow it to run under limited privileges, just so you could view the page and no more.
