eburger68 | Re: WMP Adware: A Case Study in Deception
Ed:
You wrote:
said by edbott: As I've said since Day One, I believe that this is a security flaw and that Microsoft needs to issue a patch to Windows Media Player 9 and release it as a Critical Update. That's a far cry from an "attempt to minimize and pooh-pooh the risk or to subtly suggest that users are the problem for not upgrading to XP SP2 and for clicking through installation prompts."
I'm glad that you agree that MS needs to patch this behavior, but your comments have not always been as clear and unambiguous as you have suggested. First, you tried to throw cold water on the story:
»www.edbott.com/weblog/archives/000334.html
Then when you had the sample file in hand, you spent most of your next blog entry explaining why this wasn't such a serious problem:
»www.edbott.com/weblog/archives/000340.html
A comment like this...
said by Ed Bott: The programs in question are digitally signed and are from known companies. The terms of service make it clear what you're getting. It takes one click and 10 seconds of reading to realize that the correct answer is no.
...is so misguided one hardly knows where to begin. And it was only after Ben, Suzi, and Andrew protested that you began clarifying your remarks.
Even after explaining in your next blog entry that you weren't trying to blame the user ( »www.edbott.com/weblog/archives/000341.html ), you ended your denial with these odd quips:
said by Ed Bott: But really, isn't that the real problem here? People running old operating systems, with only a dim awareness of the need to do updates and a willingness to install anything? ... But how likely is it that the type of user Suzi is describing will download and install that patch?
As for contacting Microsoft Security, to the best of my knowledge they are already aware of this problem.
Regards,
Eric L. Howes

edbott | Re: WMP Adware: A Case Study in Deception
I have a detailed response here:
»www.edbott.com/weblog/archives/000351.html
Quick summary:
My initial response was skeptical, and accurately so. The PC World article said, "PC World has learned that some Windows Media files on peer-to-peer networks such as Kazaa contain code that can spawn a string of pop-up ads and install adware." [emphasis added]. The clear implication was that simply playing a music or video file will install a program on your machine. That turned out not to be true, as you and I have both shown.
My remarks about digital signatures were not intended to justify the purveyors of this garbage or to imply that signed programs are somehow safe. My remarks were aimed at the readers of this forum and my Web site, who are already well informed about spyware and viruses and would be deeply suspicious of these dialog boxes. I was shocked at how honest the license agreements were in describing the crappy things these programs would do. I don't expect a sophisticated, suspicious user to be fooled by this stuff. I also don't expect a naive user to read license agreements ever.
As for "blaming the user," I stand by the remark I made. You are demanding that Microsoft patch this vulnerability. I agree that that should be done. But the reason that viruses and spyware spread is because no matter how hard we try to educate the masses, many people simply don't install patches after they're released. I get virus-infected e-mail messages every day, and my mail server blocks many more. In most cases those viruses can be prevented by patches that were released three or four years ago. If someone hasn't installed a Critical Update from 2001, why would they install a new one to fix this vulnerability when it's available?
eburger68 | Re: WMP Adware: A Case Study in Deception
Ed:
I'm happy to let readers peruse your several comments on this issue and make up their own minds as to whether they were appropriate or not.
There are, however, two minor points that you make that I want to respond to:
said by edbott: The clear implication was that simply playing a music or video file will install a program on your machine. That turned out not to be true, as you and I have both shown.
That's one way to read that particular sentence from PC World. Another way is to read it as literally as possible. Is the code contained in the WMP files *capable* of installing adware? Answer: yes. Now, assuming the user's IE is fully patched, the user's click-through is required, but that's a minor detail. PC World certainly could have qualified that statement just a bit, but strictly speaking what PC World wrote was correct.
said by edbott: I was shocked at how honest the license agreements were in describing the crappy things these programs would do.
But, Ed, they were *not* honest -- far from it. That's the whole point. I have seen spyware/adware EULAs that were scrupulously honest in the detail they provided about the software to be installed, but these two particular EULAs were not anywhere near that detailed, esp. the Ultra Web Host LLC EULA which said next to nothing. Failing to disclose the installation of 31 separate spyware/adware programs is the very definition of "unfair" and "deceptive" business practices.
Regards,
Eric L. Howes

edbott | Re: WMP Adware: A Case Study in Deception
I should have put "honest" in quotes. How many more ways do I have to say these people are sleazy scumbags?
The one license agreement says it will pop up porn ads on my computer. The other says it will do a whole paragraph's worth of awful things, including installing more spyware. I'm not sure which program is doing the installation of the 31 extras, because I didn't actually allow my test machine to be taken over.
And the fact that it was in the license agreement doesn't make it right or acceptable or "honest." My point is that someone who is suspicious will find plenty of reasons not to click Install; someone who is naive may well be fooled by the social engineering techniques.
eburger68 | Re: WMP Adware: A Case Study in Deception
Ed:
You wrote:
said by edbott: The one license agreement says it will pop up porn ads on my computer. The other says it will do a whole paragraph's worth of awful things, including installing more spyware. I'm not sure which program is doing the installation of the 31 extras, because I didn't actually allow my test machine to be taken over.
It was the first one that installed most of the software in my testing, and that matches what Ben found as well.
The second one did install a few things, but not much beyond what was already there. I'm guessing that much of what it could have and would have installed independently was already installed by the time I clicked through the iDownload.com installation prompt.
Eric L. Howes

edbott
I'm not the only one who interpreted the PC World story as meaning that the Windows Media files in question actually contained spyware code.
Techdirt wrote:
Overpeer, a subsidiary of Loudeye, has been caught hiding adware and spyware within Windows Media files. [emphasis in original]
Boing Boing, which picked up the story from Techdirt, read it that way too:
According to PCWorld and TechDirt, Windows DRM contains a flaw that allows for attakcers [sic] to create music files that contain trojans that attack your computer when you play them. [emphasis added]
My original post was skeptical about both of these reports, which were posted on very high traffic Web sites (Boing Boing is insanely popular, with more than 200,000 unique visitors a day and countless RSS subscribers). It turns out my skepticism was justified.
These "poisoned" files don't contain spyware. Rather, they use a DRM mechanism to open a dialog box that hosts a Web page that can try to fool a user into installing hostile software. That's not good, and the techniques used to push the crapware contained on those Web pages are sleazy. But the files themselves do not contain any hostile code, and the user has to be tricked into cooperating before anything gets installed. That's a far cry from what was in the three original and sensationalist stories.
There are no corrections at any of those three sites, by the way. So what the average user thinks is "the Internet is riddled with WMA files that contain viruses and trojan horses and spyware." Even though that simply isn't true.
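The mechanism the post above describes (the file carries no code, only a DRM header whose license-acquisition URL the player opens in a browser-hosted dialog) is something a defender can check for before playing a file. The following is an added example, not code from either poster: a small Python scanner that reads an ASF/WMA header and reports the License URL from the Content Encryption Object, so a file from a P2P network can be triaged without opening it in the player. The field layout follows my reading of the ASF specification (Header Object, then Content Encryption Object with four length-prefixed fields); the sample file and its URL are constructed in memory.

```python
"""Report the DRM license-acquisition URL carried in an ASF/WMA header (added example)."""
import struct
import uuid

# ASF object GUIDs (stored on disk in Windows little-endian GUID layout)
ASF_HEADER = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
CONTENT_ENCRYPTION = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")


def _lp(blob: bytes) -> bytes:
    """DWORD length prefix followed by data, as the Content Encryption Object stores fields."""
    return struct.pack("<I", len(blob)) + blob


def build_drm_wma(license_url: str) -> bytes:
    """Constructed minimal ASF header holding one Content Encryption Object (test input only)."""
    body = (_lp(b"\x00" * 16)                  # Secret Data (opaque to us)
            + _lp(b"DRM\x00")                  # Protection Type
            + _lp(b"KEYID-PLACEHOLDER\x00")    # Key ID (placeholder value)
            + _lp(license_url.encode("ascii") + b"\x00"))  # License URL
    obj = CONTENT_ENCRYPTION.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    # Header Object: GUID, total size, object count, Reserved1 (0x01), Reserved2 (0x02)
    return ASF_HEADER.bytes_le + struct.pack("<QIBB", 30 + len(obj), 1, 1, 2) + obj


def license_url(data: bytes):
    """Return the License URL if the header has a Content Encryption Object, else None."""
    if len(data) < 30 or data[:16] != ASF_HEADER.bytes_le:
        return None                            # not an ASF container at all
    hdr_size, count = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(hdr_size, len(data))
    for _ in range(count):
        if pos + 24 > end:
            break
        guid, (size,) = data[pos:pos + 16], struct.unpack_from("<Q", data, pos + 16)
        if size < 24:
            break                              # corrupt object size: stop, do not loop
        if guid == CONTENT_ENCRYPTION.bytes_le:
            p, fields = pos + 24, []
            for _ in range(4):                 # secret data, protection type, key id, URL
                if p + 4 > end:
                    return None                # truncated object
                (n,) = struct.unpack_from("<I", data, p)
                fields.append(data[p + 4:p + 4 + n])
                p += 4 + n
            return fields[3].rstrip(b"\x00").decode("ascii", "replace")
        pos += size
    return None


if __name__ == "__main__":
    print("constructed DRM file ->", license_url(build_drm_wma("http://license.example.invalid/acquire")))
    print("non-ASF bytes       ->", license_url(b"RIFF....WAVE"))
```

A non-empty result means the player will contact that URL and render whatever page it returns before playback; a file whose URL points somewhere other than the expected rights holder deserves suspicion.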
eburger68 | Re: WMP Adware: A Case Study in Deception
Ed:
You wrote:
said by edbott: My original post was skeptical about both of these reports, which were posted on very high traffic Web sites (Boing Boing is insanely popular, with more than 200,000 unique visitors a day and countless RSS subscribers). It turns out my skepticism was justified.
Fair enough. The Techdirt and Boing-Boing stories were not the best. Indeed, that's the kind of careless/clueless reportage that would have gone on no matter what PC World had written. The real story here is rather involved and difficult to understand, and Techdirt and Boing-Boing predictably made a hash of it. I see that all the time with spyware/adware issues, which are inherently confusing.
The PC World story, on the other hand, was well done for the most part. I just re-read it, and for the complexity of the issues covered, it does a respectable job of conveying the essentials. Here and there I might prefer a slightly different choice of words, but it's pretty close to what we understand now. Certainly nothing in there is outright false.
Just for the record, PC World was the first out with the word on this story. I wrote about it here at DSLR in the other discussion thread on this topic. DSLR/BBR news then picked it up, pointing both to the PC World story and the Security forum discussion thread. Techdirt got it from BBR/DSLR news, and Boing-Boing from Techdirt. In retrospect, it all looks like a high-tech game of "telephone."
Eric L. Howes

edbott | Re: WMP Adware: A Case Study in Deception
>> In retrospect, it all looks like a high-tech game of "telephone."
Exactly, and that was my point in my original post. I certainly wasn't trying to "throw cold water" on the story, and please note that as soon as I heard that a sample file existed I contacted you to get a copy so I could do my own tests.
I do wish the larger sites would pick up on the real story, which is important and which people like you and Ben and Andrew and Suzi and me have dug out the hard way. But I guess that isn't sexy enough.