Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
The Internet

First Worm with a EULA? 800

ErikRed1488 writes "There is a new virtual postcard from Friend Greetings, owned by Permissioned Media that prompts you to install their software to view the card. You are then presented with a EULA granting them permission to e-mail all the Contacts in your Outlook Address Book. Those people are presented with an e-mail from you telling them they have a greeting card to pick up. So, this thing spreads like a worm, but includes a EULA that 95% of users won't take the time to read. Symantec isn't detecting this as a virus, but does have information about it on their site. In addition to the worm-like way it spreads, it also installs spyware designed to deliver ads to your computer. You also give them permission to install further software any time they want. In my opinion this is completely nasty, but it's all clearly in the EULA that you must agree to before it installs the software."
This discussion has been archived. No new comments can be posted.

First Worm with a EULA?

Comments Filter:
  • by stephenisu ( 580105 ) on Friday October 25, 2002 @02:04PM (#4531486)
    Need I say more?
    • by sgtpudding ( 603461 ) on Friday October 25, 2002 @02:24PM (#4531732)
      speaking of lawyers... are eula's treated like contracts, legally speaking? if so (and i'm pulling from a business law class from several years ago), illegal or unethical points of a contract are null and unenforcable by default, regardless of what you sign. i.e. - if you sign a contract to mow my lawn, and it states that if you cut down my roses, i get to kill your firstborn in a satanic ritual - well, that's just not enforcable.

      too bad online legislation moves so slowly... i think i'm going to register for every spam list i can with my representatives' email addresses, and see if that gets things moving along... umm.. just kidding, secret service guy reading this over my shoulder.

      a
      • by cduffy ( 652 ) <charles+slashdot@dyfis.net> on Friday October 25, 2002 @03:04PM (#4532128)
        EULAs try to be contracts -- but think back to your business law class, and look at the requirements for that contract:

        - The parties must give the appearance that they're serious about signing a contract (one party can't be obviously joking).

        - The parties must be competant (old enough, sane enough, sober enough).

        - There must be consideration (both parties must gain something or force some new obligation on the other party).

        - The purpose of the contract must be legal.

        The third element doesn't matter if one doesn't get past the second: In your average software purchase, what does the EULA give you that you wouldn't otherwise have, or restrict the other party from doing that they otherwise could?

        Now, if it's a free download, and you're only offered the download if you click through the EULA, that's an entirely different matter: there's clear consideration in that you're being allowed the download at all. On the other hand, if you purchase the software without the EULA being a condition of the purchase, unless the EULA offers some further consideration it may not be binding at all.

        Another question raised: What if you aren't competant to agree to the EULA for a piece of software (due to being drunk, or insane, or a minor, etc)? Well, if the situation is such that you really have no right to use the software without agreeing to the EULA (which is likely the case with a free download conditional on clicking through the EULA, but unlikely to be the case if you purchased the software from a 3rd-party vendor who didn't make you agree to the EULA before the purchase), then you're using it illegally. If, on the other hand, you had the right to use the software even without agreeing to the EULA (say, because you purchased it from a 3rd-party vendor who didn't force you to agree to the EULA beforehand) then the EULA is invalid in any case because of the lack of consideration (unless, of course, the EULA gives you some other rights you didn't have before agreeing to it, or some obligations to the vendor which they didn't have beforehand) and you can still use the software even if you don't agree to the EULA -- and even if the EULA is legally binding (say because it obligates the software manufacturer to provide phone support which they wouldn't otherwise be obligated to provide), if you have the right to use the software without agreeing you can legally skip the EULA (say, by tricking the installer) and go your merry way -- but don't try to pretend you agreed to the EULA when calling for that phone support! That's the theory, anyhow. Before relying on it working that way in practice, talk to a real IP lawyer licensed in your jurisdiction, and hope you get a reeeal friendly judge. :)

        Coming back to this particular case: Is sending email to everyone in your address book illegal? Probably not (though of course this may vary on your jurisdiction). Hence, is this EULA invalid due to the illegal-purpose clause? Once again, probably not.
        • by GigsVT ( 208848 )
          There must be consideration (both parties must gain something or force some new obligation on the other party).

          IANAL - Have taken some business law classes. Not legal advice - Not FDIC Insured - May Lose Value.

          It's for this same reason that EULAs on free-of-charge software cannot be enforced, unless you are giving them some consideration (like agreeing to look at their ads).

          This makes this case even more complicated, since the spam company could argue that "in exchange for the good and valuable consideration of the right to run the program, you agree to let us use your good and valuable consideration of the right to use the contacts in your address book for marketing purposes" A clear exchange of consideration!

          This may even apply to some free-speech software licenses that include restrictions above and beyond simply terms of copyright licensure, i.e. restrictions on non-distribution related use. Most free-speech licenses don't have such clauses, but a couple do.

          In any case, this isn't simple, but I hope to god it is illegal somehow, or becomes so in the near future.
        • by Keighvin ( 166133 ) on Friday October 25, 2002 @04:50PM (#4533038)
          To invalidate all of those pesky EULA's through points 1 and 2 (be serious and sober) get together with friends and thoroughly wasted before installing the worst offenders. If the software actually makes it onto the computer it's a nice bonus, otherwise it's the typical plus of a keg party.

          Problem solved, you were boisterously drunk at the time of install.
      • by Jhan ( 542783 )
        ...are eula's treated like contracts, legally speaking?

        Nope. Neither are "shrink wrap" contracts (you know, the kinds that are kept inside the sealed plastic covering that start "By breaking this seal you agree to..." , and continues "...Microsoft does not garantue the usefuleness of this software for any purpose what-so-ever, even including purposes stated by Microsoft or Microsoft employees."

        Yes, that's more-or-less an actual "shrink wrap" "agreement" I once had with Microsoft. Anyway, it's all illegal, if you live in Sweden, or any European country, or come to think of it most any country in the world except the US.

        <simpsons>Haha!</simpsons>

  • AOL? (Score:5, Funny)

    by mogorman ( 618512 ) on Friday October 25, 2002 @02:04PM (#4531487)
    How is this any different then AOL?
  • LOL... (Score:2, Insightful)

    by brad-x ( 566807 )

    Can you really count it as a virus if it preys on people's lack of regard for Internet safety precautions? :P

    I'd call it darwinistic, if Apple [apple.com] weren't so letigious.

  • Beautiful (Score:5, Insightful)

    by jmd! ( 111669 ) <jmd@poboCURIEx.com minus physicist> on Friday October 25, 2002 @02:06PM (#4531503) Homepage
    Just beautiful. The more insane EULAs get, the more people will start taking a harder look at all of the ones they currently sign their souls over to.

    This can only be good for Open Source.
    • Re:Beautiful (Score:4, Interesting)

      by mustangsal66 ( 580843 ) on Friday October 25, 2002 @02:24PM (#4531735)
      ok... I'm writing the next one of these. It has no purpose, but here's the functionallity. operates just this last one, but emails everyone in your contact list the follwoing statment, "I'm a security risk, I'm a bigger security risk then most crackers. I don't read, and /or understand EULAs that I agree to. In the EULA that I just agreed to, I accepted the fact that I'm a moron, and give full permission to everyone to abuse me." dumb asses!
  • No surprise (Score:5, Insightful)

    by silhouette ( 160305 ) on Friday October 25, 2002 @02:06PM (#4531509)
    This may be a cynical thing to say, but I think it was only a matter of time before some shady software like this was made.

    I would remark "How could the makers of such a thing sleep at night?" - but I already know the answer: they sleep just fine. People like that don't believe that they're doing anything wrong.
  • by Zebbers ( 134389 ) on Friday October 25, 2002 @02:07PM (#4531512)
    to help force the govt to evaluate the merits of EULAs. While it can be argued..."you shouldve read the license before you agreed"

    I would rather say "There shouldn't exist any such licensing format. And we as the people should not allow it to ever exist."
  • by twoslice ( 457793 ) on Friday October 25, 2002 @02:07PM (#4531515)
    The company is called permissionedmedia! Well, they did ask for permission first...
  • GPL (Score:5, Interesting)

    by Skyshadow ( 508 ) on Friday October 25, 2002 @02:07PM (#4531522) Homepage
    And they said the GPL was like a virus...

    I think this should actually shield the virus-writer from any sort of prosecution, shouldn't it? I suppose you could do all sorts of nasty stuff and be completely protected so long as you could prove the user clicked "ok" to the license.

    Maybe this will be the tool which turns the tide on the EULA.

    RIP: Senator Paul Wellstone.

  • by plover ( 150551 ) on Friday October 25, 2002 @02:08PM (#4531525) Homepage Journal
    This points out the absolute absurdity of click-through EULAs. Hopefully, a case against them could be used as a legal defense against other badly-licensed software.
    • by aardvarkjoe ( 156801 ) on Friday October 25, 2002 @02:10PM (#4531557)
      Wait ... so you're saying that this ought to be illegal?

      IMO, if you click "yes", you deserve exactly what you get.
  • by Haxx ( 314221 ) on Friday October 25, 2002 @02:08PM (#4531528) Homepage

    I am workin on a EULA that gives me power of attorney over for the user.
  • subterfuge (Score:5, Funny)

    by eric6 ( 126341 ) on Friday October 25, 2002 @02:08PM (#4531529) Journal
    for kicks, we (and by "we", I mean somebody else) need to have an EULA that contains and absurd clause (firstborn child upon installation), then try to collect. It'd be like challenging the concept of EULAs, but from the other side. Try real hard to get sued.
  • by abh ( 22332 ) <ahockley@gmail.com> on Friday October 25, 2002 @02:08PM (#4531536) Homepage

    I got in trouble for saying the following to one of our users (after he installed it, agreeing to all of the nasty terms):

    What the fuck were you thinking?

    Apparently that's not a valid response, at least according to my boss.

  • by Dr.Luke ( 611066 ) on Friday October 25, 2002 @02:08PM (#4531539)
    Eulas like these should be regulated by the government. It is pretty common in contract law that unreasonable provisions are not enforceable and illegal. Like for example a credit card agreement cannot mention it deep in the fineprint that if you default they own your house or are allowed to enter your home and steal your pants. This kind of EULAs are a consumer protection issue.
  • by kontos ( 560271 )
    If the AV vendors are going to be able to keep any credibility that they have left, they are going to have to detect and block this type of software.
  • two thumbs up! (Score:2, Interesting)

    by boomka ( 599257 )
    this is hilarious! these guys made my day :)
    besides, it's about time someone taught us a lesson about clicking 'accept' on EULAs of everything and anything we use.
    Hopefully this will do people some good, the whole story just needs to get decent exposure in the media.
  • by kenp2002 ( 545495 ) on Friday October 25, 2002 @02:09PM (#4531547) Homepage Journal
    Literacy is important, no it seems we cannot afford to skip reading the EULAs. I have seen some funny stuff thrown in EULAS including:

    - the right to borrow your car at any time -
    - the right to sleep with your spouse at our discretion -
    - the right to submit and enforce decorating standards in your home -
    - the right to reduce you and your pets to a dissarrayed, sub-atomic goo-

  • So the virus companies ignore this on what grounds ? are they saying that if a virus/worm has a EULA its not hostile/malicious code and therefore immune from detection/removal

    what exactly constitues a virus/worm and why should the virus companies ignore this yet still target [insert worm without eula name here] ?

  • by FortKnox ( 169099 ) on Friday October 25, 2002 @02:10PM (#4531558) Homepage Journal
    but includes a EULA that 95% of users won't take the time to read

    Didn't you know that 48% of all statistics are completely made up? ;-)
  • Legal vs. Ethical (Score:5, Insightful)

    by laetus ( 45131 ) on Friday October 25, 2002 @02:10PM (#4531565)
    This to me is a primary example of the sometimes dichtomous nature between was is legal and what is ethical.

    Is what these business professionals done legal? Probably.

    Is it ethical? Absolutely not. Otherwise, why hide the email's worm nature in the EULA?

    I know there are those that are going to say, "Hey, you had the opportunity to read the EULA, you didn't, and you clicked it anyway."

    But caveat emptor, though a fact of life, does not exempt the screwer from his reponsibility of what he did to the screwee.

    May be legal. But in my mind, definitely not ethical.
  • by masonbrown ( 208074 ) on Friday October 25, 2002 @02:10PM (#4531568) Homepage
    So what happens when two different EULA's claim 100% control of your machine?
  • by abh ( 22332 ) <ahockley@gmail.com> on Friday October 25, 2002 @02:11PM (#4531576) Homepage
    RTFEULA
  • a good legal test (Score:3, Insightful)

    by jcphil ( 243106 ) on Friday October 25, 2002 @02:11PM (#4531577)
    This could make a good legal test, since many people have questioned the legal validity of click-through EULA's. If you could successfully argue that this EULA wasn't valid, then the others would be on very shaky ground.
  • Finally! (Score:4, Interesting)

    by CAIMLAS ( 41445 ) on Friday October 25, 2002 @02:11PM (#4531581) Homepage
    I've been just waiting for this very thing to happen! My edge-of-the-chair suspense is finally climaxed with a barrage of laughter. Great stuff. :P

    I thought of doing this quite a few times myself, but have always lacked the resources. This is pure genius, really. You get people to propigate the virus willingly, all the while having them agree to transmit it without their knowledge - despite the fact that they agreed.

    This brings forth some fairly serious implications and issues involving EULAs. I'm not exactly sure what they are, but I'm sure they're there, and have probably already have been discussed in this or that post concerning MS's dastardly EULA garbage.
  • What's the difference between this and the Spyware that Kazaa packages. What % of the users do you think read, let alone understand the EULA that they just agreed to.

    Bonzi Buddy and some global time (spywayre) thing does almost the same thing. It sends your personal info to companies and sells it.

    The only diffence I can see here is that this is not done by a major company....

  • by Lover's Arrival, The ( 267435 ) on Friday October 25, 2002 @02:13PM (#4531601) Homepage
    But this company is still within the letter of the law, if not within the bounds of morality.

    Some may scream that the law should enforce morality, but then you must wonder "Who's Morality?".

    I read a very interesting book recently, called Human Action, by a lovely looking grey haired man called Ludwig von Mises. It was left by my old boyfriend in the bathroom, and I picked it up and smelled it unhappily one evening, but before long found myself readin Mises' interesting take on the fundamental sovereignty of man.

    Mises [mises.org] would warn us all against enforcing a common morality, for that is a sure way to tyranny, in the end. This company should not be legislated against. We should instead encourage people to read EULAs and to take responsibility over themselves, over their own bodies, over their computers. Anything else is slavery to government.

    I thought I had left slavery to the state behind in my native Scotland. As a Catholic girl, I understand only too well the attractions of worshipping an idol like the state. But we are better to resist laws that seem fair and moral, and instead trust in common deceny and responsibility.

    Thanks,
    Margot. XXX

  • Admit it (Score:5, Insightful)

    by anthony_dipierro ( 543308 ) on Friday October 25, 2002 @02:14PM (#4531612) Journal
    How many of you have read the Slashdot EULA [osdn.com]?
  • by tps12 ( 105590 ) on Friday October 25, 2002 @02:14PM (#4531613) Homepage Journal
    Now what reasonable person would expect this to be called a worm? The sysadmins are of course up in arms about any piece of software that threatens their delicate Windows networks. While I'm aware that most of the Slashdot audience consists of MS-certified admins fresh out of college, their lips adorned with sharp objects, I plead with readers to approach this with some sort of objectivity. Is any program that offers the ability to distribute itself to others now to be deemed a worm? That's hardly fair.

    In fact, given that the GPL'd software that's touted so often on this site is propogated through a similar device, villainizing this program borders on hypocricy. I don't even understand why traditional "worms" are given that name. Someone sends you an unknown executable that happens to distribute itself to your contact list, and you run it without Googling first to find out what it is...who's to blame here? The program's function is well-known, so the informed user won't be surprised when he fires it up and it does exactly what it's supposed to do.

    Let's use some common sense here, please.
    • Idiocy (Score:3, Insightful)

      by unicorn ( 8060 )
      If the greeting card popped up with a dialog that said "I will spam everyone in your contacts, and I will install spy-ware on your machine" when you tried to execute it, then nobody in their right mind would. The problem is, that the vendor buried what the application really does, in a bunch of legalese that they *know* end-users never read. And packaged the whole mess up as an innocuous greeting card.

      I have yet to see ANY GPL software that is distributed this way.
  • by doublem ( 118724 ) on Friday October 25, 2002 @02:14PM (#4531614) Homepage Journal
    I haven't found anything on Symantec's site on this, but I did find McAfee's page Here [mcafee.com]

    And the removal instructions [mcafee.com]

    Google has a newsgroup post on the sucker [google.com]

    And here are some sample infection URLS for those who wish to catch the sucker or download the files for analysis:

    Infect Me 1 [friendgreetings.com]

    Infect Me 2 [friendgreetings.com]

    A similar worm is described by Symantec here [symantec.com]

    It works in IE, but not Phoenix (Mozilla based browser)

    You have to download the installer and the MSI file, which takes a while.

    I went so far as to download the files, but didn't go past the first EULA to see the really bad one that's supposed to come during the second install, so I didn't see the text in a live install myself, just in the McAfee
    writeup.

    So I downloaded the Microsoft Installer SDK and decided to crack open the MSI install file. Accroding to Servant Salamander, the word "Outlook" was in "Friend Greetings.msi."

    Then I decided, "To hell with it, it's in there as clear text anyway" and opened the install File with VIM. Here is the offending text:

    1. Consent to E-Mail Your Contacts. As part of the installation process,
    Permissioned Media will access your MicroSoft Outlook(r) Contacts list and
    send an e-mail to persons on your Contacts list inviting them to download
    FriendGreetings or related products. By downloading, installing,accessing
    or using the FriendGreetings, you authorize Permissioned Media to access
    your MicroSoft(r) Outlook(r) Contacts list and to send a personalized e-mail
    message to persons on your Contact list. IF YOU DO NOT WANT US TO ACCESS
    YOUR CONTACT LIST AND SEND AN E-MAIL MESSAGE TO PERSONS ON THAT LIST, DO
    NOT DOWNLOAD, INSTALL, ACCESS OR USE FRIENDGREETINGS.

    If anyone is interested, I'll e-mail out both EULAs. There's some rude stuff in there. (You agree to receive pop-up and pop-under ads and HTML e-mail for example)

    Below is the original e-mail from Cheryl, for the sake of reference and forwarding:

    --- Forwarded Message Follows-----
    FYI...

    It's not so much a virus as it is a potential worm. And it's an interesting one at that because it's a "permissive" worm. It banks on the fact that people install products without reading their EULAs. If you read the EULA they include, it specifically says that by accepting the EULA, you are giving them permission to send email to everyone in your MS Outlook Contact list!!!!! (I included the pics they sent us, but I'm not sure how many of you will actually see them).

    Pretty fascinating, actually. And smart. Because people don't read EULAs! (Er, for Dad: EULA is "End User License Agreement" - and I'm guessing you and Steve read them because you are lawyers... ;) )

    Ilene

    -----Original Message-----
    From: Kronos Norton AntiVirus
    Sent: Friday, October 25, 2002 10:51 AM
    To: All Kronos Employees
    Subject: Please read about a potential virus....
    Importance: High

    Potential virus as a Greeting Card ~ Please be aware of this
    potential threat via a web link.

    Friendgreetings

    iscovered on: October 24, 2002
    Last Updated on: October 24, 2002 03:20:23 PM PDT
    Symantec Security Response is aware of a widespread E-card which appears to have the characteristics of a worm. Security Response does not classify this as a malicious threat and as such will not detect any files associated with the E-card. The installation of software associated with the E-card requires the user's permission in order to perform it's mass-mailing capabilities. By cancelling the installation of the software, no worm-like activities will be performed. The recipient would recieve an email with the following characteristics:

    Subject: %recipient% you have an E-Card from %sender%.
    Message:
    Greetings!

    %sender% has sent you an E-Card -- a virtual postcard from FriendGreetings.com. You
    can pickup your E-Card at the FriendGreetings.com by clicking on the link below.

    http://www.friendgreetings.com/pickup/pickup.asp x? <extra contentremoved>

    Message:
    %recipient%
    I sent you a greeting card. Please pick it up.
    %sender%

    When the link is followed, the recipient is asked to download some software in order to view the E-card.

    The installer package will require the user to accept 2 End User License Agreements in order to complete the installation. The second EULA (see below) explicitly states that by accepting the agreement the end user is authorizing the software to send an email to all contacts in the Microsoft Outlook Contacts List. The email is formatted as displayed above.

    If this agreement is not accepted, the installation is not complete and the software will not send a link to the www.friendgreetings.com website via email.
  • by Dr. Awktagon ( 233360 ) on Friday October 25, 2002 @02:15PM (#4531631) Homepage

    This just describes what the program does, and by placing it in the license, they hope that you don't read it. Kinda like saying something in 4pt-font fine print: ("note: Happy Fun Toy will explode into sharp shards, killing your child"). Shady practice, but not directly related to the real problems with EULAs ("you may not use this program unless...").

    Just nitpicking.. But it's true, you should always read your EULAs (prounounced EWWWWWWW-lahz).

  • by msheppard ( 150231 ) on Friday October 25, 2002 @02:16PM (#4531638) Homepage Journal
    This thing which automatically sends itself to everyone in your mailbox is saving a lot of people a lot of time. It's only slightly worse than the emails which end, "Send this to everyone you know." Most people believe the crap in them and forward to everyone they know.

    Never: EVER, have I recieved an email which read "Forward to everyone you know" that should actually have been forwarded to anyone.

    NEVER NEVER NEVER NEVER NEVER send to everyone you know! How many times must I say this? There is *NOTHING* that needs to be sent to everyoen you know.

    Execpt this excellent cookie recipie...

    M@
  • by Khopesh ( 112447 ) on Friday October 25, 2002 @02:18PM (#4531659) Homepage Journal
    i got an email a while ago (during the .com bubble) telling me that i got that email because somebody was romantically interested in me (i don't use dating services of any sort, online or not).

    basically, here's the scheme:
    a person likes another, but is too shy to ask him/her. this site allows a way to anonymously email that person. the message essentially says "guess who" ...literally.

    i was expected to guess the admirer by giving the site every email i could think of that might be the admirer. if there's a match, each party is informed. for all those non-hits, an email identical to the first was sent out; spam.

    i happen to use unique email addresses and handed this address to only four people, two of whom were female, so i knew it was one of them or a friend ... but the notable thing is that i started getting TONS of spam at that address (>20emails/day)

    this type of ponzi-style scheme with unforseen problems seems to be getting popular now; EULAs often take complete advantage: people blindly give permission to have third-party software downloaded and installed, to become the source of spamming and/or propogation, or to allow use of spyware.
  • by gila_monster ( 544999 ) <traveler@in@black+sd.gmail@com> on Friday October 25, 2002 @02:20PM (#4531672) Homepage
    ...and a good example of why geeks and lawyers shouldn't mate. :)

  • Yay for evil! (Score:4, Insightful)

    by ChaosDiscord ( 4913 ) on Friday October 25, 2002 @02:29PM (#4531780) Homepage Journal

    It's unfortunate that it has to be this way, but unless people get burned by EULAs they're not going to take EULA's seriously. Discovering that they've agreed to let this software spam their boss, coworkers, and business contacts will hopefully encourage people to seriously read EULAs in the future. I expect that when people start seriously reading EULAs, they'll discover they don't actually agree with many of the terms. (Or at least they'll discover that they can't make heads or tails over the thing.) A little backlash would be help restore balance to EULAs and make the work a more fair place.

  • Anyone have a kid? (Score:5, Interesting)

    by nick_davison ( 217681 ) on Friday October 25, 2002 @02:29PM (#4531785)
    I Am Not A Sentient Being but...
    • Under US law, storing personally identifiable information about children is [largely] illegal.
    • The EULA, as far as I can tell, makes NO mention about this product not being allowed for under 13s.
    • With its infection (uh, I mean, transmission) mechanism, it makes no attempt to discover the age of the user before beginning to log their personal information.
    So, as soon as you discover your child has installed this program, sue them for failing to make any attempt to avoid violating their rights. Their EULA get out clauses don't work either as, being a child, they couldn't legally agree to the EULA anyway.

    Hopefully it'll spread better than they ever hoped. A class action lawsuit for every child in America would probably make a fairly clear point to anyone else trying this.

  • by Jade E. 2 ( 313290 ) <<slashdot> <at> <perlstorm.net>> on Friday October 25, 2002 @02:30PM (#4531801) Homepage
    The worm has been completely stopped (at least for the moment) because their server is slashdotted to hell.

    Who knew reading /. could be a public service?

  • by nick_davison ( 217681 ) on Friday October 25, 2002 @02:37PM (#4531875)
    Now worms are "legal", maybe it's time to go begging to Microsoft?

    "Hi, could you add the following term to your EULA?..."

    Third parties: You agree not to reverse engineer or exploit Microsoft Outlook in such a way as to create "worms" [define to your lawyers hearts' content] on penalty of $1trillion US, to be paid to [add deserving fund].

    Now they can make their worms as legal as they like and, by expecting others to live to their EULA, they have to abide by Microsoft's and file for bankruptcy.

    Never thought I'd like Microsoft having EULAs.

  • by Powercntrl ( 458442 ) on Friday October 25, 2002 @02:40PM (#4531902)
    Yes, I know about Adaware, but average Sally or Joe computer user does not. They think that the copy of Norton bundled with their Gateway or Dell will protect them from everything bad and that it's okay to click on "Yes" when prompted "Do you want to install and run X by Spyware Inc.?"

    This worm is no worse than the sites that have javascript to prompt you to install Cometcursor, Gator, Download accelerator, Bonzi Buddy and other spyware apps. I've already seen quite a few shockwave greeting card sites (with a Gator or other spyware install attempt) that ask you to "Send this card to a friend" and I've been sent links to these by my less computer-savvy friends. What's worse, you end up on more spam lists too...

    Sooner or later, EVERYONE online ends up being prompted to install some kind of spyware. The companies that produce antivirus software need to include features to actively scan and disable spyware (with a default setting enabling scanning for spyware/adware, but an option to disable it if for some reason you want to). I've personally become sick of explaining to people that NO, their Norton or McAfee isn't going to catch the program that's been giving them all these popups and that they need some free program they've never heard of before (AdAware) to get rid of them.

    While AdAware is great for power users, for the average population of PC users, automatic background protection like virus scanners provide for viruses is what is required. When a worm like this or a web page tries to install some new spyware, the user won't even be prompted - the antivirus software just says NO.
  • Many sneaky 'EULA's' (Score:3, Interesting)

    by YrWrstNtmr ( 564987 ) on Friday October 25, 2002 @02:41PM (#4531910)
    ..not just in software.

    Enter to win a "Free Trip" at the mall, (and have your long distance service switched), for one example.

    I know it's hard, but you have to read (and attempt to understand) what they are actually asking you to do. But, I guess the result of that will be ever more obfuscated wording, so that no real human could get the true meaning of what it is doing.
    Legalese could expand a common, two line description into many, many pages. NO ONE would read and understand its true meaning.

    Store files on my computer? Oh, that must mean the graphics that come with the card.
    No, Virginia, they mean they will store whatever they feel like putting there.

    Send emails to my friends? COOL!
    No, send anything they want, any time they want. And possibly have their interface hacked by some OTHER fool next month.

    "Oh, we reserve the right to change this EULA at any time. The new one will be posted on our website." (Way back 7 levels deep, at the bottom of the page in a font no human can read).
    What might a new EULA do? Again, Virginia, anything they want.
  • 95%? Incredible! (Score:3, Insightful)

    by waldoj ( 8229 ) <waldo@@@jaquith...org> on Friday October 25, 2002 @02:43PM (#4531924) Homepage Journal
    Anybody that thinks that 5% of people read a EULA obviously gives a lot more credit to humanity than I do.

    -Waldo Jaquith
  • by rehabdoll ( 221029 ) on Friday October 25, 2002 @02:44PM (#4531929) Homepage
    This is the EULA that pops up when you start a DAMN-keygen. Quite entertaining :)

    DAMN
    Electronic End-User Software License Agreement

    THIS PROGRAM IS PROTECTED BY COPYRIGHT LAW AND INTERNATIONAL TREATIES. BREAKING THE FOLLOWING AGREEMENT WILL RESULT IN SEVERE CIVIL AND CRIMINAL PENALTIES AND WILL BE PROSECUTED TO THE MAXIMUM EXTENT POSSIBLE UNDER LAW.

    THIS AGREEMENT IS A LEGAL DOCUMENT. READ IT CAREFULLY BEFORE USING THE SOFTWARE. IT PROVIDES A LICENSE TO USE THE SOFTWARE. BY CLICKING ON THE "YES" BUTTON AND USING THE SOFTWARE, YOU ARE CONFIRMING ACCEPTANCE OF THE SOFTWARE AND AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT. IF YOU DO NOT WISH TO DO SO, DO NOT RUN THE SOFTWARE AND PRESS "NO" BUTTON.

    1. Definitions
    "Software" means the programs supplied by DAMN herewith.

    2. License Restrictions
    You MAY NOT use this Software AT ALL. Using the Software will be prosecuted to the maximum extent possible under law. You also may not make or distribute copies of the Software, or electronically transfer the Software from one computer to another or over a network. You may not decompile, reverse engineer, disassemble, or otherwise reduce the Software to a human-perceivable form. You may not rent, lease or sublicense the Software. You may not modify the Software or create derivative works based upon the Software.

    3. Ownership
    This license gives you NO rights to use the Software. Although you own the media on which the Software is recorded, you do not become the owner of, and DAMN retains title to the Software. All rights including Federal and International Copyrights, are reserved by DAMN.

    4. Limitations of Damages
    DAMN SHALL NOT BE LIABLE FOR ANY INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF DAMN HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES AND EVEN IF A REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.
  • by SoCalChris ( 573049 ) on Friday October 25, 2002 @02:46PM (#4531949) Journal
    From http://www.permissionedmedia.com/license.htm [permissionedmedia.com]:

    3. Updates/New Information. Permissioned Media reserves the right to add additional features or functions to the version of PerMedia you install, or to add new applications to PerMedia, at any time. As more fully disclosed in our Privacy Statement, PerMedia is designed to regularly communicate and provide information regarding your Internet use to Permissioned Media. Accordingly, Permissioned Media has the right and you hereby authorize it to update or automatically install a new version of PerMedia on your computer when a new version is released to the general public and/or when new features are available. Notwithstanding the foregoing, Permissioned Media and its business associates have no obligation to make available to you any subsequent versions of PerMedia. You may not distribute or copy PerMedia (r)other than for backup purposes).

    So you can't distribute their program in any way? Isn't that the whole point of the program? These guys really are a bunch of idiots!
  • by kbielefe ( 606566 ) <karl,bielefeldt+slashdot&gmail,com> on Friday October 25, 2002 @02:49PM (#4531971)
    This gives me an idea.

    I can create a virus and then sue anti-virus companies for distributing my virus "signature" in their software, which is obviously a derivative work.

    Another idea is to apply for a patent and then sue for patent infringement. Does anyone know if the buffer overflow technique has been patented yet?

  • by YrWrstNtmr ( 564987 ) on Friday October 25, 2002 @02:53PM (#4532002)
    permissionedmedia.com is still up? Jeez, guys...let's get on the ball here. If any company's server needed to die, this is it.
  • by unicorn ( 8060 ) on Friday October 25, 2002 @02:54PM (#4532010)
    As of yesterday afternoon, Trend was classifying this as a virus, and will catch it.

    I knew there was a reason I migrated us from Symantec to Trend at the office here.
  • I've said it before. (Score:3, Interesting)

    by Restil ( 31903 ) on Friday October 25, 2002 @02:55PM (#4532029) Homepage
    The only difference between this and a conventional worm is that it doesn't come with a payload package that will cause damage to the system, although spyware isn't much better. From what I can tell, this software serves no legitimate purpose. You have to install it to read the greeting card, which is sent by someone else installing the software. Does anyone ever actually send a legitimate "greeting card?" If not, there would be no reason to install this software. The only functional aspect of this application is to provide the user with advertisements, which even the most clueless user probably wouldn't install intentionally for only that purpose.

    Because the user has no legitimate reason to WANT to install this software, he/she has to be coerced into doing so with false pretenses. If this is legal to do, it would be no less legal to install a dangerous payload, so long as the EULA explains it and gives the user an option to cancel.

    Perhaps this would be a good time to try to challenge the validity of the EULA. Can't have it both ways. Either it's a binding contract and therefore if you agree to spam your contacts and have your harddrive formmated, you can't hold the author liable. Or EULA's will have to NOT be considered contracts and therefore this will apply to ALL EULA's. Or we can hope. :)

    -Restil
  • EULAs (Score:3, Insightful)

    by pizza_milkshake ( 580452 ) on Friday October 25, 2002 @02:57PM (#4532061)
    yes, I think there's a valid argument for EULAs, however, I think there should be some kind of regulation. for instance...

    • important items in the EULA are often hidden or hard to find. EULAs should be ordered in chronological order of what will happen when the software is installed. also, items should be ordered in order of probability of happening, i.e. any actions the program is written to do (like spam your mailbox's email addies) would have to come before the 15 pages of lawyer-speak about how we can't sue the developer in the case that the software malfunctions (which, hopefully, it wasn't programmed to do) and your house burns down.
    • 90% of EULA content is the same. when software is released under the GPL or Apache or Artistic licenses, the user (assuming they've reviewed the license once before) has a reasonable idea of what they can or cannot do. common EULA sections, such as "you can't sue us, even if our program blows your machine up" (and the pages of related wording afterwards) can be summarized, or pointed to hyperlink-style. i.e. "this software is covered under the 'You Cannot Sue Us' clause, which could be a link to a standardized, common document that explains all the ugly details. the actual EULA could contain this statement, as well as any modifications the developers have made... that way, there's hopefully less to look at ("ah, they support the 'We Won't Ever Touch Any Non-Directly-Related Files on Your Computer', but they do take a snapshot of my entire filesystem and send it back to the mothership every night. *clicks 'NO'*
    i think there are alot of very reasonable ways to standardize and govern EULAs. of course, I'm just a programmer, so what do i know.
  • Want to complain? (Score:3, Informative)

    by AyeRoxor! ( 471669 ) on Friday October 25, 2002 @02:58PM (#4532070) Journal
    Registrant:
    Permissioned Media Inc.
    Sun Towers, 1st Floor, Office #39
    Ave. Ricardo J. Alfaro
    Panama City, El Dorado Zona 6
    PA

    Registrar: Dotster (http://www.dotster.com)
    Domain Name: PERMISSIONEDMEDIA.COM
    Created on: 18-JUL-02
    Expires on: 18-JUL-07
    Last Updated on: 18-JUL-02

    Administrative Contact:
    Alfaro, Jay alfaro@hushmail.com
    Permissioned Media Inc.
    Sun Towers, 1st Floor, Office #39
    Ave. Ricardo J. Alfaro
    Panama City, El Dorado Zona 6
    PA
    571-628-5535
    571-628-5535

    Technical Contact:
    Alfaro, Jay alfaro@hushmail.com
    Permissioned Media Inc.
    Sun Towers, 1st Floor, Office #39
    Ave. Ricardo J. Alfaro
    Panama City, El Dorado Zona 6
    PA
    571-628-5535
    571-628-5535
  • by TeddyR ( 4176 ) on Friday October 25, 2002 @03:04PM (#4532131) Homepage Journal
    The one that I loathe is the "hotbar" IE/outlook menu customiser (http://www.hotbar.com) which allows someone that has hotbar to send a card to a friend... but what the card does is download the hotbar and install it on the unknowning friends system...

    It also contains some social engineering.. "Upgrade outlook - add COLOR to your Emails" link...

    bah..

    just had to remove these from about a gazillion corp machines... and the virus scanners dont see it as a virus...

    even though it KILLS the systems efficency....

  • Don't forget GoHip! (Score:4, Interesting)

    by CaptainPhong ( 83963 ) on Friday October 25, 2002 @03:06PM (#4532161) Homepage
    Gohip, I think is actually the first worm with an EULA (though I don't know if it still works that way.) Someone infected with it would have a signature attached to the end of all their e-mails saying something like "Get a free movie" with a link that installed (after, I believe, a click-through license) the GoHip scumware. It then attached itself to your outgoing e-mail, forced your homepage to gohip, and did other mangling to your browser.

    It's the oldest piece of scumware like that that I'm aware of (perhaps Bonzi buddy is similar age).

  • by 1984 ( 56406 ) on Friday October 25, 2002 @03:06PM (#4532162)
    I'd be suprised if anyone has the desire and wherwithall to go challenging questionable EULAs throught he legal system. But perhaps that's not necessary -- the onerous terms sneaking in depend largely on the fact that nobody notices them, or that most people installing the software are ignorant of their implications.

    So I've registered:

    badlicense.org (and badlicence.org)

    I'd be happy to let that be used for a site dedicated to explaining the EULAs of software. Perhaps an overview, and details on particular products.

    Reasonably carefully worded it wouldn't even matter if the EULA had been interepreted in detail by a lawyer. Just highlighting the apparent detail should be enough to raise eyebrows and invite some clarification (perhaps, even, modification) from those issuing the EULA.

    So, anyone interested?
  • by Anthony Boyd ( 242971 ) on Friday October 25, 2002 @03:10PM (#4532213) Homepage

    ...okay, so no one will read this at this late point, but for any and all software developers who are hunting for a useful product to build, why not create an EULA-distiller? Let it run in the background, and watch for installations. When it sees an EULA appear, it can display 2 or 3 bullet points that succinctly explain what the hell all the legal text means.

    To get really tricky, you could create a Web site that allows users to upload the text of each EULA, and a distilled summary. Perhaps other people could even vote on the most accurate, most understandable summaries. Then your app could be constantly up-to-date. Perhaps by doing this, people who blindly click through these things will be made aware of what the real consequences will be.

  • by jasonditz ( 597385 ) on Friday October 25, 2002 @04:02PM (#4532594) Homepage
    It seems like a lot of you guys are really down on Symantec and McAfee for not filtering this with their AntiVirus software, but consider this.

    By clicking "I agree" on the EULA you are telling your computer "I want to do X". If you tell your computer you want to do X and Symantec's software tells your computer "he can't" how is that any different from all the DRM crap like Paladium?

    I know the intention in this case would be to protect the user, but then again isn't that the tack that Microsoft is taking as well?
  • by TheViffer ( 128272 ) on Friday October 25, 2002 @04:02PM (#4532600)
    3306/tcp open mysql

    Guess we know where all those email addresses are being fed into.

    Might make a great project for someone to pull the login/passwd from the executable, and start force feeding that thing.

    But dont let me give you any ideas.

"But what we need to know is, do people want nasally-insertable computers?"

Working...