Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×

MIT Startup Tests Top Million Sites for Spyware 243

torrentami writes "An MIT startup called SiteAdvisor has downloaded over 100,000 programs from the top million Web sites and tested them for adware and spyware using an automated system they've built. They've got a blog entry where they dissect 5 of the worst adware bundles they found. There is some amazingly invasive stuff in there."
This discussion has been archived. No new comments can be posted.

MIT Startup Tests Top Million Sites for Spyware

Comments Filter:
  • What about the rest? (Score:5, Interesting)

    by Anonymous Coward on Saturday January 14, 2006 @08:56PM (#14473573)
    I hope they have a "submit site" function for people to test random sites....
    • by TheSpoom ( 715771 ) * <slashdot@@@uberm00...net> on Saturday January 14, 2006 @10:08PM (#14473801) Homepage Journal
      That is a really good idea. Better yet, have a browser component that tells users, on the fly, what previous attempts at scanning the site have revealed (as they would have to be cached in order to have any sort of performance server-side). If a user notices that a site now offers spyware downloads, they could request that it get reexamined, and popular sites would get automatically reexamined often. This could be done using a cheap subscription model.

      Has someone done this? It seems so obvious now that I've thought about it.
    • While that doesn't seem to be available yet, you can submit a download link for them to analyse. Just search for an existant site and click 'Submit a download'.

      I think they'll probably implement your idea (which is damn good in my opinion) once it leaves 'Preview' stages.
  • by CyricZ ( 887944 ) on Saturday January 14, 2006 @08:56PM (#14473576)
    The one major lesson we can take from their research is that we should probably not be using Windows.

    When you consider how many alternatives (often far cheaper, too) are available, it's a wonder that so many still choose to use software that leaves their systems wide open to exploitation, be it from worms, viruses, or malicious websites.

    But perhaps a secondary lesson is that we need to keep an ever-strong vigil. It's perhaps even our duty as computer-competent individuals to inform others of these issues. Not to preach to them, by any means, but do let those less-astute computer users know what is going on. Advise them that such problems exist, and tell them how to avoid such malicious software.

    We can easily defeat the problem of spyware. But it will involve people helping each other out. Soon enough the ignorance will fall by the wayside, and we will all be better off.

    • by dada21 ( 163177 ) * <adam.dada@gmail.com> on Saturday January 14, 2006 @08:59PM (#14473589) Homepage Journal
      I disagree.

      Windows is, by far, the most insecure operating system out there. It is also the operating system that users find the easiest to use, and it is also the operating system that (in my opinion) has the most flexibility for programmers and software corporations of all sizes.

      While the *nix varieties are definitely more secure (as they are now), a switch to *nix will not lead us to less spyware-ridden applications online. In fact, if Windows were to fail commercially tomorrow and everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

      *nix does not mean secure. It just isn't popular enough for spyware programmers to target, yet. Give it time, I think as it gains popularity, it will begin to be a target for the software companies that try to enter and dissect your life digitally.
      • by BushCheney08 ( 917605 ) on Saturday January 14, 2006 @09:06PM (#14473624)
        In fact, if Windows were to fail commercially tomorrow and everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

        Agreed. Especially when you consider that all of the programs in TFA were installed after the user clicked the "I Agree" button five, six, seven times. The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there. This is where informing the user comes in. And the user has already shown many times over that they don't care to be informed. This sort of crap is gonna be around for a long long time...
        • I disagree (Score:3, Insightful)

          Mr. Softy targets the dumb mean of the user distribution, +/- a couple of standard deviants on either side.
          The *nix philosophy requires a great deal more learning on the part of the user.
          Education can't stop a quality cock-up, but it certainly filters a great deal of blatant boo-boos, like coughing up a root password to www.passwordstorage.com.
          • Similar (Score:5, Informative)

            by Mistlefoot ( 636417 ) on Saturday January 14, 2006 @10:09PM (#14473802)
            Education is certainly the key.

            I've been using the HOST file supplied by <URL :http://www.mvps.org/winhelp2002/hosts.htm > the Microsoft MVPS site for the past few years and have not had ANY spyware or Malware or viruses on any of my machines.

            I still run ad-aware and spybot monthly and never see anything but a few cookies.  Once every few weeks I update my HOSTS file and then set it to read-only again and  the 10,000 or so sites it blocks are just that - blocked.

            Web sites load faster too without some of the tracked ad sites loading.  From time to time I get pages that aren't found.....but I can review these as the HOST file is of course text.

            I really do not know why HOST files are not a more common theme on here when setting one up on your Dad's computer saves you from removing crap from it as a hobby.
            • This is pretty cool and combined with Adblock+ really keeps the noise down.

              ESPN.com, which I stopped visiting when possible before Adblock now sends all links through x.go.com which is filtered out by this HOST file. Had to edit that one out.

              I wonder if this is intentional by ESPN.

              As things like these become more prevelant, some sites might just start setting up a proxy for their ad content so that it appears to come from the main content domain. The only option to avoid ads then will be to stop using the
        • everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

          No, as a matter of fact, that's a falsehood based on ignorance of what free software is all about. In Linux, *all* software is free, from the kernel out. You're trying to say the absence of spyware opportunites would overnight make Richard Stallman start dumping tons of malware into the next Emacs release?

          Quite a bit of the garbage in the Windows environment is there because they know Windows users will tolerate it

        • The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there.

          I don't really disagree with you that spyware could be a problem if there's motivation, but in my own experience Linux does have some fundamental architectural and use differences that I think would benefit more than you're suggesting. One that someone else pointed out in another respons

        • Can't agree (Score:5, Insightful)

          by guet ( 525509 ) on Sunday January 15, 2006 @05:19AM (#14475026)
          Agreed. Especially when you consider that all of the programs in TFA were installed after the user clicked the "I Agree" button five, six, seven times. The OS could be totally secure and only allow the installed apps to affect the logged-in user. They'll still be there annoying that one user, though, since the user is the one who said it was okay to put them there. This is where informing the user comes in. And the user has already shown many times over that they don't care to be informed. This sort of crap is gonna be around for a long long time...

          Yes and No. The user has to agree, but on XP the user has been trained to agree -

          A big difference I notice between Windows XP and OS X (one of those nix) is the number of times I have to click 'Next' or 'Previous' in dialogs in Windows, just to get anything done at all. In my opinion the main reason for the growth of spyware on Windows (before ubiquity) is the way the OS trains you to click,click, click to do anything at all. You end up not reading any of the dialogs because you read the first few words and guess the rest. The user is inured to warning dialogs of any sort, and starts to click through the forest of 'Next' buttons to get to where they want to go (or thought they wanted to go :). There's also the problem with users running as admin all the time, meaning the only line of defence is the security policy of the web browser, not the users' permissions.

          In contrast on OS X you very rarely have to say 'ok, do this, then that, next, next, finish', you are asked one simple question (usually) with an 'OK' the first time you open a document type with an application. And you very, very rarely have to enter your admin password, practically only when you are installing big applications like Photoshop which need to install libraries. So if a website pops up an authentication dialog (which they can't anyway BTW), you know something is wrong; you stop and think about it.

          That said user ignorance of what constitutes safe computing is a problem too.
      • by CyricZ ( 887944 ) on Saturday January 14, 2006 @09:08PM (#14473628)
        Have you tried the recent Kubuntu releases? If not, give it a try. It is by far one of the most easiest systems to install these days. Even easier to keep up to date, as well.

        I was recently asked to set up some computer systems at a seniors home. Now, many of these people have never used a PC. So we were able to acquire several used PCs for almost no cost, and I installed Kubuntu on their systems. We got them set up so that they could check their email, browse the WWW, use various instant messengers to chat with relatives, and even play games (bridge and backgammon were big favourites).

        Now, why did I go with Kubuntu? Mainly because it is free, and it is quality software that is quite easy to use. But more importantly, I wanted these systems to always be available to these people. I know that they might visit malicious sites. I wouldn't want that resulting in their systems being compromised just because of that.

        You may deny it, but the fact of the matter is that Linux systems won't get infected with spyware at this time. Sure, that may change in the future, but I'm doubtful about that. The basic (yet significant) differences in code quality and architecture are enough to leave Linux (and other non-Microsoft) systems far more secure and usable, even in the fact of malicious software.

        • >I was recently asked to set up some computer systems at a seniors home.

          Thats great. What happens when they go to Wal-Mart and want to buy some software?

          Or when they want to hook up their brand-spanking new digital camera/mp3 player/PDA?

          Lots of people are more bleed-edge than seniors.

          >You may deny it, but the fact of the matter is that Linux systems won't get infected with spyware at this time. Sure, that may change in the future, but I'm doubtful about that.

          You don't need a better code to prevent spy
          • You don't need a better code to prevent spyware, you need better users. Better system design/code will never beat out a user, unless the design is involves cutting the power to the computer.

            So damn true. As Rich Cook once said:

            Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.

          • by CyricZ ( 887944 ) on Saturday January 14, 2006 @09:37PM (#14473719)
            I advised them not to buy software from WalMart, or even to download it for themselves. I asked them to contact me, and I'd come over and find something that worked for them. I know I could find software that I know I could trust, or at least have access to the source code to inspect and build myself if I felt there could be security problems. Then again, Kubuntu includes all the software they seem to need.

            I haven't heard anything from them regarding cameras and other devices which did not work. I did, however, hear of one grandson bringing over his camera and taking pictures of the seniors so they could email them to their relatives. One of the grandparents who had some PC experience as a secretary told me that she was really surprised how easy it was to get the camera to work. All they did was plug it in, and the storage device on the camera was automatically mounted. They could copy over the files without problem. The kid was reportedly stunned that the seniors could use the system so effectively.

            Insult inexperienced users all you want. Frankly, I think that a well-designed system can easily avoid the problems caused by unwitting users. Indeed, any quality software system would be designed in such a way as to completely minimize the harm that an inexperienced user could do. Linux and much open source software appears to do this quite well, and as such spyware just isn't a problem when dealing with Linux systems.

          • Or when they want to hook up their brand-spanking new digital camera/mp3 player/PDA?

            I'm running Ubuntu (Well, Edubuntu, for my son's edification) and I have no problems connecting and utilizing my digital cameras, mp3 players, and PDAs.... It's time to crawl out from under that rock there, dude.

            You don't need a better code to prevent spyware, you need better users. Better system design/code will never beat out a user, unless the design is involves cutting the power to the computer.

            Actually, much

        • Still its no windows.

          I used to use FreeBSD and I tried Ubuntu (gnome version) and decided not to keep it. Its a hassle to upgrade to Openoffice 2.0 and Java5. Sure I could probably do it if I had time on my hands but its a pain to redo the apt.sources and download unstable software from god knows where. I am afraid it would make my system buggy with the nasty dependancies that are beta or RC level.

          I got the Gentoo cd and I am going to try again with that but still its not for average Joes.

          Windows is nice be
        • I've been an Ubuntu user for about a year, and I've used FreeBSD for many more. I like Ubuntu, but I used KDE on my FreeBSD machines, and ended up installing the KDE packages on the Ubuntu machine.

          So, when my hard drive failed I thought I'd just cut to the chase, and install Kubuntu.

          I certainly didn't expect problems, as it is essentially Ubuntu, right?

          I'm not going to iterate the various problems I had - the main one was getting wireless to work (which I did after manually hacking the config) - but I will
        • I wonder though, as long as the user is allowed to run code from their own home directory, there is always a risk they'll agree to something they shouldn't. Sure, it likely won't dig into the OS but could still send garbage out and even host a server.
      • I don't know if users really find it easiest to use. It's just "what's installed on the computer". I would say that way under 5% of the user community has made any kind of comparison between alternative operating systems and decided, as a personal choice, which one they want to use.

        I know that after trying MacOS, Linux and various flavors of Windows, I find MacOS X much easier to use than Windows - but at lot of this is just that MacOS X doesn't move their preferences around constantly between OS versions
      • by Kickboy12 ( 913888 ) on Saturday January 14, 2006 @09:21PM (#14473664) Homepage
        I disagree.

        People have been saying the same thing for IE vs. Firefox for a couple years now.

        Guess what? I still don't see very many sites getting around Firefox's pop-up blocker, significantly exploiting it's weaknesses, or finding new security holes by the dozen. And yet... I continue to see it with IE. And don't be saying; "Firefox isn't popular, it'll happen eventually". My ass. It's been advertised into the ground.

        Thus, the same concept with *nix vs. Windows. Windows is inherintly insecure, and by the nature of how it works and how it was designed, it makes it easier for advertisers to create software that'll mask itself from everything else. You simply CANT do this on Linux/Unix to the same degree, just as you simply CANT exploit Firefox the same way you can IE. Trust me, I've tried.
      • [Windows] is also the operating system that users find the easiest to use, and it is also the operating system that (in my opinion) has the most flexibility for programmers and software corporations of all sizes.

        I disagree. Mac OS X is considered by many much easier to use than Windows (in fact, the classic Mac OS, IMO, is considered by some to be the hallmark of usability; memory management issues aside, in some ways it is more "user-friendly" than OS X is), even though I do agree that Windows is easie

        • Nothing in Unix prevents a user from running a script that says "rm -rf ~", which ends up deleting all of their files. After all, part of the Unix philosophy is not holding the hands of users ;).

          Actually, there is - it is called permissions. Windows does not really understand the execute permission - it just looks at what file type it is, not what the user (or administrator) desires. That is not to say there are not ways to overcome it, or even ways to exploit programs - there are; but the impact is min
      • While the *nix varieties are definitely more secure (as they are now), a switch to *nix will not lead us to less spyware-ridden applications online. In fact, if Windows were to fail commercially tomorrow and everyone runs *nix, you'll see spyware applications be written for these OSes immediately.

        Dada,

        While I generally enjoy your rather radical libertarian posts over here (by the way, what happened to your karma, why this is only Score:1, Informative? is Score:0 default for you now that you were outed as TH
      • *nix does not mean secure. It just isn't popular enough for spyware programmers to target, yet. Give it time, I think as it gains popularity, it will begin to be a target for the software companies that try to enter and dissect your life digitally. I strongly disagree with the sentiment. One of the most useful tools available to a really annoying piece of spyware is the Windows Registry. *nix systems (Mac OSX included) do not include this "feature." The registry adds an extremely unecessary layer which
      • by WindBourne ( 631190 ) on Sunday January 15, 2006 @01:01AM (#14474444) Journal
        I always laugh at that argument. Basically, so many windows encourage all the hackers. So not true. Even back in the 80's when Mac was bigger than Dos, attacks were being designed for DOS. Why? ease of doing so. Apache has shown this,as well as numerous other examples. The best example out there, is that banks during the 60's and 70's were heavily robbed until the 7-11 stores became the easy marks (and loaded with small money). Finally 7-11 decided to change their attitude and make it near impossible to make any amount of money over 50. So what are robbers hitting these days? banks. Why? do to ease of hit combined with the amount of money.
         
        The lesson to learn on that, is that crooks go for the easy mark that makes money. *nix will be the target when either:

        1. insecure systems do not have money.
        2. all other systems are more secure than *nix.

        Neither is likely to happen anytime soon (and many would argue any time far). *nix will be very secure for a long time.
    • Spyware and Adware are not caused by microsoft, well not most of it. Thats like saying though that rotten meat causes flies. You can inform your friends and your family, give them the information they need "in a way that they can understand and use it" and you will be fixing their computers less often.

      As ignorant users move to other operating systems you will get spyware and adware on linux and mac also. Rootkits have a long history with unix don't they?
    • You usually have to be root to install software in linux. If you are root and installing software, that software could include nasties that hose your linux system just as easily as your windows system.
      • yeah but for most people using the popular distros, installing software means using some sort of software management tool. this usually means that the software you're trying to install has gone through some sort of checking process, be it formal or informal, and much safer than just downloading some .exe off the web and running it. It's no silver bullet and problems can still arise, but IMHO, it's a lot safer.
      • What is your definition of "usually"? Of the last 30ish things I have downloaded for linux, about 5 didnt have to be installed at all, and the other 25 installed to ~/.local/ just fine
    • Bullshit. We need smarter users.
      • by TimTheFoolMan ( 656432 ) on Saturday January 14, 2006 @10:23PM (#14473841) Homepage Journal
        It's no surprise that we who write software are seen as arrogant when we see the *average* user, the person who makes technically uninformed decisions, and our response is, "the problem isn't with our system, the problem is that you Mr. User are an idiot."

        The world has idiots. Why can't technology people (us) accept this without derision? The world also has many people who don't know technology, and don't care too. They are not necessarily the same people.

        Emerson said "Every man is in some way my superior, and in that i can learn from him." We seem to be so busy casting aspersions that we don't have time to listen. We're so quick to insult, perhaps because we (developers and technology people) don't *care* about users. Are we so superior to Emerson that there's nobody we can learn from?

        Why can't *someone* care enough about the technologically illiterate to protect them against themselves? Why isn't there a company out there that will make it difficult for a regular user to install something that has potentially deep affects to the OS, but makes the OS accessible to that same user?

        Oh wait... there already is one.

        Tim
        • It's no surprise that we who write software are seen as arrogant when we see the *average* user, the person who makes technically uninformed decisions, and our response is, "the problem isn't with our system, the problem is that you Mr. User are an idiot."

          Well, what are techs supposed to think when they tell the user 6 times never ever click OK or yes to install something from the web and the user DOES click OK 7 times, then wonders why things went wrong?

          If people drove cars the way they use computer

          • I think those same techs who are frustrated with users who make the same mistakes over and over would make similar (but different) mistakes if they were suddenly immersed in the Accounts Receivable Department, but only had to work there for a few minutes, and then left that world to return to their own.

            We regularly forget that most people do not think the same way the computer works, and therefore make "silly" mistakes. They make them over and over again, and as a result, otherwise intelligent people look (
        • by gcatullus ( 810326 ) on Sunday January 15, 2006 @12:39AM (#14474370)
          I don't think that the problem is people who don't know technology, making uninformed decicions. So much as people having a flagrant disregard for the concept that what they do with their own PC effects everyone. For example, if I never learned to program the clock on my VCR and it flashed 12:00 all teh time, it only effects me. But if all I want to use it for is watching videos from Blockbuster, then who cares, there is absolutly no harm.

          People apply the same logic to their PCs. As long as they can check their AOL mail and play solitaire, they think everything is fine. The classic car analogy mentioned above doesn't capture what most people think is happening. If their PC is full of spyware and crap, it is only a nuisance to them alone they believe. Like if their car didn't have a working gas gauge, or if the radio would not work. An anoyance, yes, but not the end of the world and in no way effecting anyone else.

          The avergae person wouldn't want to drive a car that was leaking gasoline and oil all over the place all the while spewing clouds of polluting black smoke, but they don't understand that this is the state that they let their PCs get to.

          The challange is not to teach them the technology, nor even design a system that protects people from their own dum actions, but to teach them that their actions can create havoc for other people.

          It's not, "Don't open any email attachments from anyone ever, or your computer will be screwwed.", it should be "Don't open email attachments from anyone ever, or your PC will start infecting other peoples computers and be used to host kiddie porn."
          • by ecalkin ( 468811 ) on Sunday January 15, 2006 @12:52AM (#14474418)
            *unbelieving*!!

                i can't tell you how many times i've expressed the dangers to people. if you don't have anti-spyware, anti-virus, firewalls, and etc these are the risks. and they don't beleive. if you look at the large campaigns (at least in certain areas of the U.S.) to get people to wash their hands on a regular basis, it appears that people are disbelieving of germs also.

                how do you fix this?

                there is amazing evidence that the use of seat belts in autos reduces your probability of dying in a colision. but we still have to make laws to make people wear seat belts.

                so far there has been no real cost to a computer user for being stupid. with the exception of lost data, nothing bad is going to happen. if laws get passed that state your are responsible for your computers actions in dos attacks or if your computer is hijacked and made into a child porn depot, things might change.

            eric

      • by tokengeekgrrl ( 105602 ) on Saturday January 14, 2006 @11:38PM (#14474155)
        I have a brother who is marred and has 2 kids between the ages of 12-15. Those kids killed his last computer, unwittingly installing all sorts of nonsense when they downloaded games and graphics. That was on a Win98 SP2 machine which, as hard as I tried, I simply could not secure or revive from all of the trojans and malware that had infected it.

        My brother supports a family of 4 on his one salary. They live very well considering the cost of living in their small, midwestern town, but computers still cost the same and he hasn't been able to afford to buy a new one. He's quite proficient with computers when it comes to using and configuring them for what he and his family needs it to do. He just doesn't have time to keep up on all the security issues and patches since he's too busy working to support his family and trying to be a good father to his kids.

        After he got laid off from his job not too long ago, I bought him and his family a new PC with WinXP Home, (I know XP Professional is much better when it comes to security but it would have overwhelmed my brother and the best PC package I could find at the price I could afford only offered XP Home). I walked him through how to secure the new PC by setting up an account for the kids with guest access so they can't install anything, configuring automatic updates, installing spybot and automatic scans, tuning the XP firewall, and having him switch to Firefox. I sent him urls for websites that explained how to secure a PC and maintain it.

        I've just emailed him about installing the SiteAdvisor plug-in for Firefox which is absolutely brilliant for users like my brother. Hell, I've installed it just for the novelty of it.

        The point is, my brother is taking care of his machine now and he loves Firefox. He has told everyone he knows in his little town about how great it is and to dump IE. All it took was someone taking the time to inform him.

        So chill and if you have the time and inclination, take 10-15 minutes to explain to a user how to protect their PC. If that's not the kind of thing you feel like doing, fine, then as far as I'm concerned, you don't have a right to complain about it.

        If you're not part of the solution, then you're part of the problem, in my opinion.

        Respectfully yours,
        tokengeekgrrl
    • by CTalkobt ( 81900 ) on Saturday January 14, 2006 @10:21PM (#14473834) Homepage
      This is not a windows issue (as much as I dislike windows).

      It's a user issue. Like any information on the web you need to consider the source of where you're getting your programs from. I wouldn't get cancer information from the tobacco companies websites - just as similairly I wouldn't get software utilities from my company from a page that has a bunch of advertisement links along with some porn.

      Rational users would cure 95% of the virus / trojan issues. The other 5% are usually inadvertant mistakes from legit websites. For those a checker is needed if you want to immediatly download files. That or let others be your guinea pigs and only download ones older than 3 months old.

      ( I know - there is no such thing as a rational user but I can dream... )
    • What does this have to do with Windows? Are you telling me that if you ran malware that targeted Linux you wouldn't have a problem? Sure you're likely going to run it as a user instead of root, but the nuisance factor could be just as high.
    • No, what we have learned is that most people need two computers:
      an internet facing box with a browser and email and one box
      for all their real work (balancing their books with GNUcash or
      Money, office work, playing games etc.). Importantly, the box
      for work must be physically disconnected from the net, not even
      via sneakernet.
      This is at home.
      At work, the same is needed, except the work boxes may be wired into
      a network which is still in no way connected to the net. It may
      even be a good idea to make net facing bo
    • When you consider how many alternatives (often far cheaper, too) are available, it's a wonder that so many still choose to use software that leaves their systems wide open to exploitation

      It's not such a wonder at all.

      Open Sourceforge.net. Search for projects that are aimed at users without a trace of the Geek in them. The pickings can be mighty slim.

      Turn to a site like Amazon.com for a look at what these users want. It is a very different world.

    • Yep, I really hope that Vista doesn't have these same problems. I'm posting from OS X, though like many millions of computer users I use Windows at work, and am looking forward to the really cool Vista GUI. Here are some other specific issues that I hope Vista and future service packs will address:
      1. Some kind of warning, similar to what GMail does with phishing sites, anytime that a program is being downloaded. "Some applications may compromise personal information. Only install this application if you tru
    • The one major lesson we can take from their research is that we should probably not be using Windows.

      Maybe we can all run OS X. When the built-in OS X Software Update utility needs to install a new security update, the user is prompted for the keychain password. When grandma wants to download a new recipe program, it too prompts for the password. So it must be safe, right? Well, now that the application has root access it can do a hell of a lot of damage to the system. Install all kinds of spy/adware,
    • The one major lesson we can take from their research is that we should probably not be using Windows.

      The OS isn't the biggest problem, it's uneducated users. Computer usage has reached an all time high. We're in an era when most of the people in the world are so busy that they don't have time to learn about things that do not directly affect their ability to earn a living. Most Americans don't understand how presidential elections work. Most Americans don't understand what's in the US Constitution.

      Some of i
  • End Users Beware (Score:5, Informative)

    by queenb**ch ( 446380 ) on Saturday January 14, 2006 @09:02PM (#14473603) Homepage Journal
    I can tell you from the experience of working on a network where the end users have very unwisely been made local admins on their workstation that the *only* thing required for a full spyware infection is a nice little surf around the 'net. This is compounded by the problem that they all seem to have some touch of OCD that compels them to click "OK" on anything thing that wants to install itself despite all of our efforts to educate them.

    I will say that it is nice to see someone put quantifable numbers to the things I have long known from practical experience, but this isn't exactly news.

    2 cents,

    Queen B
    • This can be reduced somewhat by making the internet zone very restricted and simply making a whitelist of sites and put them in the trusted sites list.
      It doesn't solve everything like the recent WMF exploit but it does stop what I lovingly refer to as "dumbfuck user" syndrome, which exhibits such symptoms as the inability to read, lack of intelligence and an inherent lack of cognitive reasoning.

      Unforunately the company I work at are currently locked into some bespoke software that REQUIRES lock admin rig
      • ...what I lovingly refer to as "dumbfuck user" syndrome, which exhibits such symptoms as the inability to read, lack of intelligence and an inherent lack of cognitive reasoning.

        It's a shame that DUS isn't only limited to computers...
    • At what point do you move from educating the users to disciplining ones that need their system re-imaged more than once? Your company wouldn't put up with the staff showing up late, why do they tolerate end users installing crap?

      I'm suprized garbage sites aren't being blocked by WebSense. If Maddox's site is blocked (as tasteless humor), why aren't known adware/spyware sites being blocked?

      Firefox needs an MSI installer and some Group Policy mods to take off in a corp. enviroment.

  • by Jamesday ( 794888 ) on Saturday January 14, 2006 @09:05PM (#14473616)
    "We've also made our data available under Creative Commons License 2.5". Data is ineligible for copyright cover in the United States, so no license is needed or can apply.

    They wouldn't bundle an unnecessary license with useful data just after writing about bundling unnecessary software with desired applications, would they? :)

    It is useful outside the US, though, so this is actually a but tongue in cheek. :)
    • Odds are good that some Slashdot readers are involved in producing and propagating spyware. (Lots of us, lots of it. You do the math.)

      How about you fake your IP, make a new account, post as Anonymous Coward -- whatever you need to do -- and give us an insight into your world, and the attitudes of the people you work for?
      • by Council ( 514577 ) <rmunroe AT gmail DOT com> on Saturday January 14, 2006 @10:32PM (#14473865) Homepage
        Odds are good that some Slashdot readers are involved in producing and propagating spyware. (Lots of us, lots of it. You do the math.)

        How about you fake your IP, make a new account, post as Anonymous Coward -- whatever you need to do -- and give us an insight into your world, and the attitudes of the people you work for?


        It just so happens I work for a large spyware/malware company, and I'd like to blow the whistle. My report on our industry is available here [entertainm...lpaper.com]. (To access my tell-all, you should all click "yes" on whatever dialogues come up.)
        • < (To access my tell-all, you should all click "yes" on whatever dialogues come up.)

          Oh no, it doesn't seem to work on my computer. Could you maybe help me install it? My IP is 127.0.0.1...

    • The word "data" is confusing. It is true that the actual information described in those files can't be "copyrighted" (scare quotes as the concept does not actually apply). However, the database itself would be protected under a compilation copyright. That is unless you can demonstrate to the court that the compilation contains no creative effort whatsoever, something that the courts have historically interpreted as an extremely high standard that this collection would almost certainly not meet, leaving its
      • You may well already know this, but it might be of interest to others: I recommend reading the full Assessment Technologies v. WIREdata [uscourts.gov] (slow to load) decision because it's a very well written summary of this area of law. In this case the use of proprietary components to prevent the use of underlying public domain data was found to be invalid.

        As you note, creativity can still prevent a compilation from being in the public domain, if there's some significant original creativity involved. One of the intere

    • The key phrase is "in the United States." There are countries that frown at public domain works (*cough*Frenchies*cough*) so the license might actually help.
    • >> "... is actually a but tongue in cheek. :)"

      A butt toungue in cheek? Gah. *shudders*

      Please don't use that type of imagery - it scares me. :-)
  • by lucm ( 889690 ) on Saturday January 14, 2006 @09:05PM (#14473619)
    They should add a feature on the SiteAdvisor toolbar: "this site is often down".
  • I don't agree. (Score:5, Insightful)

    by Zombie Ryushu ( 803103 ) on Saturday January 14, 2006 @09:09PM (#14473632)
    THe security paradigm of Windows and the Unix World are Apples and Green peppers. There will still be spyware threats out there if Windows didn't exist. But they would be different threats, and they could eeven be worse in some cases, but they would be fewer in number and the Internet wouldn't be such a darkened Hell hole it is steadily becoming. The Data miners would get more resistance from the Unix world than they have a Windows world that can't fight back.

    • The only software installation difference between the Windows world of today and the UNIX/MacOSX world of today: to install software in the latter case the user must provide a password. That provides a little extra security to guard against background processes, but all the cases mentioned in the article required the user to click a button to proceed. Malware authors could simply say "To install this cool Aaliyah screen saver, enter your password!" and most UNIX/MacOSX users would happily comply.

      To get so
  • Oddity... (Score:3, Interesting)

    by Ambiguous Coward ( 205751 ) * on Saturday January 14, 2006 @09:10PM (#14473635) Homepage
    How can they be testing the top 1000000 web sites, if they're only downloading 100000 programs? That would leave a lot of sites untouched. It seems that in order to test 1000000 web sites, they would have to download at *least* 1000000 programs. Unless, of course, they grabbed programs from *some* of the top 1000000 web sites, in which case they would have programs from, say, site #1, #10, #20, etc.
    • Re:Oddity... (Score:2, Informative)

      by CyricZ ( 887944 )
      That is still one site of every ten which offers software for download. Remember, there are many more sites offering just information or other services than there are offering software for download. If anything, I'd think that 10% of the top million sites is an awfully high percentage to be offering downloadable software.

    • Umm news flash...

      Not every site has downloads! Hard to believe, but true!
    • Did they test Slashdot? I hope they release a full report as I've been having a hard time finding the downloads section.
       
  • Very interesting... (Score:5, Informative)

    by skogs ( 628589 ) on Saturday January 14, 2006 @09:14PM (#14473644) Journal
    This is a very neat process that I would enjoy having the ability to root around in. Very nice tool, and looks like it has created some excellent data.

    I would enjoy seeing some of the nastier data put forth in a simple list so that I can add them to my banned domain listing on my firewall.

    Currently, I knock down ads(from the ~1800 most active servers), with the wonderful help of the following gentleman.

    # last updated: 2005-12-18 15:17:02

    # The latest version of this list and other ways of viewing it are at:

    # //pgl.yoyo.org/adservers/

    # - Peter Lowe // pgl@yoyo.org

    #

    For the Lazy... [yoyo.org]

    Now, about that warez/malware/stupid screensaver and other utilities list....

  • wow (Score:2, Funny)

    no complaints about the article linking to a blog? what's the world coming to? ;)
  • by Anonymous Coward
    They claim to have tested the top million Web sites, but goatse and tubgirl aren't in there, so they can't have.
  • Exokernel Guys (Score:5, Interesting)

    by putko ( 753330 ) on Saturday January 14, 2006 @09:26PM (#14473684) Homepage Journal
    The technical guys in the company are from MIT's exokernel project.

    They worked on delivering high throughput for video with their superior OS technology. It interoperated with Windows, allowing them to make money.

    This project looks surprisingly un-technical and uncomplicated in comparison, given how competent and accomplished they are.

    Here's an exokernel link:
    http://pdos.csail.mit.edu/exo.html [mit.edu]
  • by znx ( 847738 ) <znxster AT gmail DOT com> on Saturday January 14, 2006 @09:28PM (#14473695) Homepage
    http://www.siteadvisor.com/sites/slashdot.org/ [siteadvisor.com]

    I plan on contesting the results, they plainly haven't investigated hard enough.
  • by ian_mackereth ( 889101 ) on Saturday January 14, 2006 @09:44PM (#14473736) Journal
    If the word "Free!" is enough to get users to download the screensaver, game, utility, etc., then this sort of thing will continue.

    Somebody has to pay for the server bandwidth and the time to write the programs, and one viable model is adware. I deplore the installation of software that's a)not in the EULA or installer screens and b)damn hard to get rid of, but the 'legit' adware is what's paying the bills of the guys giving you free stuff.

    There's always a subset of users who can circumvent the installation of the unasked-for bundles, but the average user without updated anti-spyware, firewall or anti-virus software will make enough money for the vendors to keep us in freebies for quite some time to come...

  • There are already numerous companies that are looking for malware (including spyware) on the web, developing signatures, and making that information available over the web. They even provide handy little desktop applications that will scan and evaluate software not just by site-of-origin but by actual content. An example of this is "Spybot" (www.safer-networking.org).

    It seems like what this company is trying to add into the mix is automated testing, but it's doubtful that identifying spyware is the limiti
  • by Presence2 ( 240785 ) on Saturday January 14, 2006 @09:54PM (#14473759)
    If I designed a product that allowed me to invade your home without your knowledge, spy on your behavior, and report it back to me - I would be arrested (or hired by NSA/homeland security).

    Yet, all these thousands of products do this with absolutely zero accountability. As far as I am concerned, the programmers and companies who promote this behavior should be just as culpable as any petty crook who selfishly holds no regard for their victims.
    • If I designed a product that allowed me to invade your home without your knowledge, spy on your behavior, and report it back to me - I would be arrested (or hired by NSA/homeland security).
      Possibly. Forget the hacking skills - how good are you at judging Arabian horses?

      You do have a point, computer crime has gone mainstream and is now only considered a dubious business practice.

  • While the extension itself may be useful, it's ugly as a sin, the icons are criminal and the one in the status bar is horribly distorded under a 1280*1024 resolution, making it butt-ugly and hard to read.

    Seriously, I'm afraid that I can't keep something THAT ugly in my browser, it's just too much.

  • by moosesocks ( 264553 ) on Saturday January 14, 2006 @10:53PM (#14473947) Homepage
    An open letter to slashdot:

    Please stop it with the name-dropping. It's irritating and insulting. The article has plenty of merit on its own, and is indeed a fine bit of information to put on slashdot.

    However, the fact that it was started by two MIT alum is completely irrelevant. If this was the direct result of research being done by a group of MIT students or professors, it might be appropriate to place a reference to MIT in the blurb (but probably not the title). We're not an MIT related publication, as hard as that may be to believe (Wired is also a terrible offender of this).

    It reminds me of my psychology textbook, which would always drop the name of the institution responsible for a certain piece of research: "Harvard Professor Shelly cline worked with Yale Psychologist Howard Walken to refine Pavlov's theory....." and so on, provided that the institution was in the Ivy League. Flipping through the pages, I found a few references to only Ivy Leavue Universities and overseas institutions (specifically Cambridge and Harvard).

    Now, I'm not going to deny that a great deal of mighty fine research comes out of MIT and the Ivy League, but I'm also going to remind everyone here that other institutions also churn out a great amount of significant research, and they are hardly ever credited for it. My tiny public liberal arts school even churns out a fair bit of good research.

    So, slashdot. Please stop shamelessly plugging these name-brand schools. They've done nothing wrong, but by publicizing them in such a way, you're dragging down the other 99% of the educational system that the rest of us have to utilize.

    (To be fair, I did RTFA, and sideadvisor seems genuinely cool)
  • Neat (Score:2, Informative)

    by rune.w ( 720113 )
    This is a good project and it has the potential of eventually becoming the "Google of spyware". It's a pitty their methods are not explained at a greater detail in their FAQ, but then it prevents spyware companies from finding a quick workaround to fool their system.

    They even have a Firefox extension already: http://www.siteadvisor.com/ffinstall.html [siteadvisor.com]

    I'm looking forward to them adding cookie support to their database. Maybe I could finally stop blocking all cookies by default.
  • I'd like to turn them into a hosts.txt file, resolve ALL of them to 127.0.0.1 and then put that file on my dad's computer.

    Then he won't call me so often to fix it when it's bogged down with all that junk.
    • I'd like to turn them into a hosts.txt file, resolve ALL of them to 127.0.0.1 and then put that file on my dad's computer.

      I don't have a list of the top million sites, but I do know a few in the top 10. You can start by banning yahoo.com, google.com, and msn.com. Soon, your dad will be surfing only the bottom of the barrel on the internet.
       
  • by t0qer ( 230538 ) on Saturday January 14, 2006 @11:39PM (#14474159) Homepage Journal
    <toqer|7boo> http://www.siteadvisor.com/preview
    <pickanick> testing
    <toqer|7boo> ya that thing is pretty friggen cool
    <toqer|7boo> its like knowin which ho has ghonorhea before you bang her
    <toqer|7boo> very sexy
    <pickanick> cool analogy
    <Drumstix> hah

"Hello again, Peabody here..." -- Mister Peabody

Working...