The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/jan19,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
Digital Rights Management (DRM), which its critics prefer to expand as Digital Restrictions Management, is software designed to limit what you can do with digital products such as software programs, digital music and movies. Most commonly DRM attempts to prevent copying, such as ripping music from a CD into MP3 files. DRM also attempts to enforce limits such as allowing you to play a sample music or movie file a certain number of times for free.
I say "attempt" because software pirates always find ways to circumvent the restrictions. Only the average, law-abiding consumer is inconvenienced by such technologies.
Windows Media Player (WiMP) has DRM features that allow music and video files to be restricted. The restriction may be that you can only listen to the file a certain number of times or for a certain period of time. To enforce this, when a protected file is loaded into WiMP, the player looks for a license on the local machine. If none is found, it fetches the license acquisition URL that is embedded in the file's own header and, if no license comes back, shows that URL's page in a dialog box that is supposed to explain how to purchase the track or give further details before a playback license is issued. The point to keep in mind is that the URL is chosen by whoever created the file, and the page it names is rendered inside that dialog by Internet Explorer's engine.
An antipiracy company named Overpeer has been exploiting this behavior to infect unsuspecting computer users with spyware and adware. They have been flooding file sharing networks with fake music files carrying DRM headers whose license URL points wherever Overpeer chooses. When played in WiMP, these files cause a pop-up with a link to more information. Anyone clicking that link is brought to a page which tries to install spyware by exploiting browser security flaws.
Microsoft denies that this is a flaw in their DRM technology. And they are right, at least in the narrow sense: the infections are the result of unscrupulous companies exploiting flaws in Internet Explorer, with the DRM license dialog serving only as the delivery vehicle. As I understand it, Microsoft is examining whether or not this behavior is a violation of their DRM licensing agreements. I hope they find that it is and sue these companies.
As some people have pointed out, the victims of this mainly are people trying to download copyrighted music for free. They suggest that these people are "getting what they deserve". That is childish and absurd for two reasons. First, since these companies are working directly on behalf of the RIAA (and possibly the MPAA), they are permitted legally to distribute these copyrighted files, so technically the victim has done nothing wrong. Second, vigilantism is illegal. If someone violates a contract, you don't vandalize their car for revenge.
I would suggest that the safest course of action is simply to not use Windows Media Player and to not attempt to play .wma audio files. My own preference is Winamp 5, which plays virtually all known video and audio formats (except QuickTime and Real). If you do use WiMP, you should disable the setting in Media Player to automatically acquire licenses for protected content. That is found in the Windows Media Player Options panel. In WiMP versions 9 and 10, it is the "Acquire licenses automatically for protected content" box under the Privacy tab. I forget where versions 7 and 8 put it but the option is there somewhere. With it off, the player will not quietly go fetch whatever page a downloaded file tells it to; it will ask you first, which is the moment to stop and think about where the file came from.
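What the player actually does with such a file is worth seeing concretely. The License URL lives in a Content Encryption Object inside the file's ASF header, and nothing stops the file's author from pointing it at any site they like. The following is an added example, not code from this newsletter, from Microsoft or from Overpeer: a small Python parser that reads that object out of a .wma/.asf header and checks the URL against a list of license hosts you actually trust. The object identifiers are the ones published in the ASF specification; the sample file, the host names and the allowlist are constructed for the demonstration and are not real.

```python
import struct
import uuid
from urllib.parse import urlparse

# Object identifiers from the ASF specification. On disk a GUID is stored in
# the Windows mixed-endian layout, which Python's uuid exposes as bytes_le.
ASF_HEADER_OBJECT = uuid.UUID("75B22630-668E-11CF-A6D9-00AA0062CE6C")
ASF_CONTENT_ENCRYPTION_OBJECT = uuid.UUID("2211B3FB-BD23-11D2-B4B7-00A0C955FC6E")


def _field(data: bytes) -> bytes:
    """ASF length-prefixed field: DWORD byte count followed by the bytes."""
    return struct.pack("<I", len(data)) + data


def build_sample_asf(license_url=None) -> bytes:
    """Constructed sample: the smallest ASF header that carries a Content
    Encryption Object (or none, when license_url is None). It is not a playable
    WMA file; it exists only so the parser below has offline input."""
    objs = b""
    if license_url is not None:
        body = (
            _field(b"\x00" * 4)                              # Secret Data
            + _field(b"DRM\x00")                             # Protection Type
            + _field(b"sample-key-id\x00")                   # Key ID
            + _field(license_url.encode("ascii") + b"\x00")  # License URL
        )
        objs = ASF_CONTENT_ENCRYPTION_OBJECT.bytes_le + struct.pack("<Q", 24 + len(body)) + body
    count = 1 if license_url is not None else 0
    # Header Object: GUID, QWORD size, DWORD object count, reserved bytes 1 and 2.
    return (ASF_HEADER_OBJECT.bytes_le + struct.pack("<Q", 30 + len(objs))
            + struct.pack("<IBB", count, 1, 2) + objs)


def _parse_content_encryption(payload: bytes) -> str:
    """Pull the License URL (fourth length-prefixed field) out of the object."""
    pos, fields = 0, []
    for _ in range(4):   # Secret Data, Protection Type, Key ID, License URL
        if pos + 4 > len(payload):
            raise ValueError("truncated Content Encryption Object")
        (n,) = struct.unpack_from("<I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("field length exceeds object")
        fields.append(payload[pos:pos + n])
        pos += n
    return fields[3].rstrip(b"\x00").decode("ascii", "replace")


def find_license_url(data: bytes):
    """Walk the top-level header objects. Return the License URL if the file is
    DRM-protected, None if it is not. Malformed input raises ValueError, which
    for a file pulled off a P2P network is itself a reason not to play it."""
    if len(data) < 30 or uuid.UUID(bytes_le=data[:16]) != ASF_HEADER_OBJECT:
        raise ValueError("not an ASF header")
    header_size, count = struct.unpack_from("<QI", data, 16)
    pos, end = 30, min(header_size, len(data))
    for _ in range(count):
        if pos + 24 > end:
            raise ValueError("truncated header object")
        guid = uuid.UUID(bytes_le=data[pos:pos + 16])
        (size,) = struct.unpack_from("<Q", data, pos + 16)
        if size < 24 or pos + size > end:
            raise ValueError("corrupt object size")
        if guid == ASF_CONTENT_ENCRYPTION_OBJECT:
            return _parse_content_encryption(data[pos + 24:pos + size])
        pos += size
    return None


def license_url_is_trusted(url: str, allowed_hosts) -> bool:
    """Policy check. allowed_hosts is whatever store or label hosts you really
    buy licenses from (your own list; there is no built-in one). Anything else
    is a page the player would open in its embedded browser on a stranger's say-so."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.hostname in allowed_hosts


def inspect_file(path: str, allowed_hosts) -> tuple:
    """Read the header (first 1 MiB is plenty) and report (license_url, ok)."""
    with open(path, "rb") as f:
        url = find_license_url(f.read(1 << 20))
    return url, (url is None or license_url_is_trusted(url, allowed_hosts))


if __name__ == "__main__":
    # Constructed sample: a "song" whose DRM header sends you to an arbitrary host.
    sample = build_sample_asf("http://drm-lookup.example.net/license.asp?id=4711")
    url = find_license_url(sample)
    print("license URL:", url)
    print("trusted:", license_url_is_trusted(url, {"licenses.example.com"}))
```

Run inspect_file on a download before double-clicking it. A file with no Content Encryption Object cannot trigger the license dialog at all; one that names a host you have never bought from is exactly the Overpeer pattern, whatever the file is called.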
We've set up one hell of a deal for this week, and we thank Webroot for this generous offer to the Spywareinfo readers. I don't think there ever has been a deal like this from them. We looked online and could not find anything to compare. If you buy a copy of Window Washer between now and January 26, you'll receive a free copy of Spy Sweeper with a one-year update subscription. Spy Sweeper is an antispyware program from Webroot. It has received some very favorable reviews and awards. Spy Sweeper was named PC Magazine's Editors' Choice in March 2004.
Window Washer is a very cool, very useful program. You could spend an hour rummaging through your computer deleting your browser cache, cookies, temp files, address bar history, and even those nearly impossible to delete index.dat files. With Window Washer, you don't have to waste all that time and energy. Window Washer makes doing these tasks quick and easy.
When I tested a new version of Window Washer last year, it cleared out an amazing 700MB worth of garbage files, most of it temporary files left over from programs that hadn't cleaned up after themselves. It deleted all of these files very quickly. Since then, it has deleted over 7GB of trash files through regular cleanings.
Window Washer also deleted the index.dat file in my browser cache, a file that Windows normally refuses to let you alter. It reduced it from 1.8MB all the way down to 32KB. There is an optional setting to clean out the browser cache, address bar history, cookies, and other internet usage traces every time the browser is closed.
There is an option to overwrite "slack space". Strictly speaking, slack space is the unused tail of the last disk cluster allocated to a file; the option also covers free space, which the system shows as empty but which may still hold the contents of files deleted earlier. Another option adds "bleach to the washing". That is Window Washer's way of saying that it overwrites data with gibberish several times before deleting it, to prevent data recovery programs from putting deleted files back together. The number of passes can be set to the presets it labels NSA (7 passes), DoD (3 passes) and Gutmann (35 passes), or to whatever number you want. One caveat applies to every wiper of this kind: overwriting in place only destroys data where the drive really does rewrite the same sectors. A journaling file system, or a drive that has silently remapped a sector, can leave an older copy that the wiper never touched.
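As an added example, and not Webroot's code or any claim about how Window Washer is implemented, here is the overwrite-then-delete part done by hand on a single file in Python, with a self-check on a constructed temporary file. It scrubs only the file's own blocks and flushes each pass to the device before starting the next. The free-space and slack-space passes the product describes, journaling file systems and drives that remap sectors are outside what this routine can promise, which is the caveat above in code form.

```python
import os
import tempfile


def overwrite_in_place(path: str, passes: int = 3, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of `path` `passes` times without changing its length.
    Pass 1 writes 0x00, pass 2 writes 0xFF, any later pass writes random data.
    Each pass is flushed and fsync'd so it reaches the device before the next
    one starts. Returns the number of bytes the file held."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            fill = {0: b"\x00", 1: b"\xff"}.get(p)      # None => random pass
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(fill * n if fill else os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path: str, passes: int = 3) -> int:
    """Overwrite, then truncate to zero so the old length is not left in the
    directory entry either, then unlink. Returns the number of bytes scrubbed."""
    size = overwrite_in_place(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        os.fsync(f.fileno())
    os.unlink(path)
    return size


def demo() -> bool:
    """Constructed sample: a temp file holding a repeated 'secret' string is
    scrubbed in place, checked, then deleted. True if the secret is gone from
    the file's bytes, the length was preserved, and the file no longer exists."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"index.dat-style secret " * 2000)
    overwrite_in_place(path, passes=3)
    with open(path, "rb") as f:
        leftover = f.read()
    secret_gone = b"secret" not in leftover and len(leftover) == 23 * 2000
    secure_delete(path)
    return secret_gone and not os.path.exists(path)


if __name__ == "__main__":
    print("scrubbed:", demo())
```

Three passes is what the DoD preset amounts to; the pass count is a parameter because the number you pick says more about your threat model than about the drive. Whatever the count, run it on a copy of the file elsewhere on the disk and the original is still there, which is why the product's free-space pass exists.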
If you have any problems with the ordering page, please email Catherine: http://www.spywareinfo.com/email2.php.
The Consortium Of Anti-Spyware Technology vendors (COAST) has a new member. That new member is 180solutions, creator of the infamous nCase software. nCase is one of the worst parasites I have ever seen.
I am at a loss for a comment to this. Honestly, I don't think anything I could say would do it justice.
180solutions has claimed to have cleaned up their act recently. They even sued a distributor after that company used an undocumented security flaw in Windows to distribute 180solutions software. Beyond that, I haven't seen very many changes in the company or their software compared to their old ways. Their software still is detected and removed by most, if not all, antispyware programs.
Membership in COAST requires, basically, that members not behave the way 180solutions has in the past. No spyware. No ActiveX drive-bys. Any software must be disclosed, approved by the user, and must uninstall at the user's request. If 180solutions now meets COAST's requirements, it is certainly a surprise to me. I am looking into this and I will report what I find in a future newsletter.
One of the things you will hear about spyware is that "it keeps free software free". The spin doctors and apologists go on about how you are able to install software for free because of the advertisements. To hear spyware companies tell it, they sponsor these poor, starving software developers out of the goodness of their hearts.
That is not entirely accurate. It is not, in fact, accurate in any way.
Spyware and adware makers want to install their software by any means they can come by, legally or otherwise. Once installed, they want it to remain installed regardless of the wishes of the computer's owner and they want it to run the entire time the PC is running. The fact is that installing a free program usually is not worth the hassle of dealing with a third party spyware or adware bundle. It is not a fair trade.
A fair and equitable exchange would be if the adware/spyware ran only when the free program which installed it was running. No spyware does this. Instead, it runs as soon as the PC starts up, often with the use of cleverly hidden start up entries.
This confuses me. If the deal is that the user has to endure the spyware in order to use the free software, then why does the spyware not close down when the user is not using the free software? That is the deal: free software in exchange for dealing with ads. The deal is not supposed to be a never-ending barrage of pop-up ads in exchange for the occasional use of a free program. That is not a fair trade.
Another fair exchange would be that the adware/spyware be removed entirely if the "user" decides to remove whatever free software installed it. However, every time this is suggested, the spyware makers dismiss it out of hand. What I would like to know is: "why?".
If the free program is no longer installed, why is it still being sponsored? The "user" permitted the adware or spyware to be installed only in exchange for using the free program. That assumes that the "user" was properly informed about the presence of the adware/spyware in the first place. Why should the sponsor software remain if the sponsored software is removed? That makes no sense.
One argument put forth is that removing the spyware when one free program is removed might interfere with another free program which installs exactly the same spyware. That is absurd. Assuming someone did actually install two separate programs which bundled the same spyware and then removed one of them, the remaining program would just reinstall the spyware the very next time it was run.
When the free program is removed, the spyware should be removed right along with it. However, no spyware maker will do that voluntarily. They are not interested in a fair and equitable trade. They just want their spyware installed and running by any means necessary.
Now, on to those software developers who decide to sell their users out to the adware and spyware makers.
You will hear the most heartwrenching stories from these developers, as they try to explain to their users why the newest version of their software has begun to set off virus alarms. They will say that no one paid for the upgrade to the pro version. They will say that no one clicked the "donate" button. They will say that, to keep up with their development and hosting costs, they had no choice but to bundle the spyware.
All of that may be true but it is not the whole truth.
The truth is that spyware and adware companies pay large amounts of money to have their software distributed. Some of them even create their own "free" software just so that they can bundle their own spyware or adware into it. Claria did exactly that with its Gator eWallet password manager, Precision Time and Date Manager.
The "free" software developers will say that they bundled spyware into their products because not enough people spent the 30 bucks to upgrade to the pro version. If that is the honest truth, then why isn't their software designed to remove the bundled spyware, as soon as it has generated thirty dollars worth of advertising revenues?
For that matter, why do these developers even need third party adware at all? Simply embed an advertising banner directly into the program's main window. As soon as the program has shown the user thirty dollars worth of ad banners, it can remove the advertising module automatically.
If all ad supported software worked this way, I imagine that most software would be ad supported. I also imagine that most users wouldn't mind the arrangement one bit. The cost of the program would be paid for without the users ever having to pull out their credit cards. It would be a fair and equitable trade, something we do not have now.
The sad thing is that these developers would make a hell of a lot more money if they followed this much more consumer-friendly route. I don't know what the going rate is for a bundle install of Claria's ad serving software. Whatever it is, I'll bet it isn't thirty dollars per copy. If the developers of Kazaa and other spyware-ridden programs started doing this, the problem of bundled spyware would disappear virtually overnight.
The moral of this ramble is this: ad supported software is not free! "Free" assumes that you receive something of value in return for nothing of value. The spyware makers and distributors are well compensated while all you receive are pop-up ads. Not a fair trade at all.
I was going to write something entirely different about RFID (Radio Frequency Identification) technology. Then I started snooping around the Spychips web site and found this interesting study. It seems that the Auto-ID Centre, the group pushing RFID technology, has done an international study of consumer reaction to the technology.
This study quite nicely summarizes the objections people have to RFID tracking technology. Not surprisingly, privacy is the most common concern. Universally, people want the tracking chips to be disabled or removed when the tagged product is purchased. Surprisingly, the conclusion of the study suggests that this should be done.
That always has been my opinion of RFID. I don't care how a product is tracked before I put my hands on it. Once I buy it, however, it ceases to be merchandise and becomes my private property. At that point, all tracking of the item should cease unconditionally.
If the companies using these chips agree to having them disabled at purchase, that would be great. However, I still would prefer that the option to do otherwise be removed by legislation. I would like to see a federal law that mandates that all RFID tracking chips be removed at the point where the merchandise is handed over to the consumer. If live RFID tags are permitted to remain on consumer goods after they have been purchased, it is only a matter of time before someone abuses the technology.
There have been computer bugs ever since the beginning of the computer age. The most famous early one was found inside the Harvard Mark II in 1947. The bug turned out to be a moth that had become trapped inside the machine and had shorted out a relay. When it was removed, the operators taped it into the log book and noted the first actual case of a bug being found; the machine, they reported, had been "debugged". (Engineers had already been calling faults "bugs" for decades; the moth merely supplied a literal one.)
Today, there is an entire subculture of bug hunters. Many online communities exist exclusively to expose and discuss flaws in today's computer software and hardware. Recently, there have been heated discussions about the most responsible way to announce the existence of a software bug which has security implications. While everyone argues about the proper way to handle information about a security flaw, many of them forget that helpless users of the buggy software are at risk.
There are three schools of thought on the subject of how to go about announcing a newly discovered bug. One group would like to hide all information about a security flaw. Their idea is that if no one knows about the flaw, it cannot be exploited.
The second group, advocates of a practice known as "full disclosure", rejects the idea of hiding information regarding security flaws. They call that "security through obscurity".
The full disclosure crowd believes that the best way to make software safe is to announce immediately all known details of the flaw. Sometimes that includes "proof of concept" programming code that shows how to take advantage of the flaw. All of the details of how the flaw works and how to exploit it are conveniently emailed to every script kiddie in the world all at once.
The third group advocates "responsible disclosure". Recognizing that security through obscurity does not work, this group prefers first to contact the maker of the software or hardware that contains the flaw. They give the maker an appropriate amount of time to fix the problem and release an update before making any of the details public. In the spirit of "full disclosure", I will state that I believe in this third approach.
Security through obscurity does not work. If there is a flaw that allows a piece of software to be attacked, it will be discovered, no matter how well hidden it is. On the other hand, releasing full details of the flaw publicly, without giving the creator time to fix the problem, is far worse than keeping the flaw a secret. Releasing the details of a flaw that is not fixed, especially when "proof of concept" exploit code is included, tends to lead directly to attacks by hackers and script kiddies.
To give you one example that I am sure you will recognize, there was the MSBlaster worm. MSBlaster was a direct result of posts made to security mailing lists which included "proof of concept" exploit code. First, the flaw was announced. It was the infamous RPC DCOM flaw in Windows NT 4.0, 2000, XP and Server 2003, for which Microsoft had already shipped a patch (bulletin MS03-026) on July 16, 2003. Next, a person in China created code which automatically would exploit the flaw and then posted it on one of the bug hunting mailing lists.
An American playing with the exploit code realized that it was limited in what it could do, so he rewrote it to make it far more dangerous. He then released the new and improved exploit code publicly. About two weeks later, on August 11, 2003, MSBlaster was released into the wild. The worm was based directly on the exploit code that was posted to the bug hunter mailing lists, and it spread as far as it did because, nearly a month after the fix was available, most machines still had not installed it.
To give you another example that affects you directly, SpywareInfo's MySQL database was once hacked into by a European teenager. At the time, I was using message board software called YabbSE. Someone discovered a security flaw in YabbSE that would allow direct access to the database by an unauthorized person. Rather than inform the developers of YabbSE about the flaw, this person posted the information, complete with instructions on how to exploit it, to a bug hunter mailing list. He did this in the middle of a Friday night.
Less than three hours later, I received an email from a hacker explaining that he had hacked into my server. To prove it, he included the first five entries of the message board's database. It included my user name and password. He explained that he was looking for neo-Nazi hate sites to deface. Since that doesn't describe my site, he simply warned me of the security flaw so that I wouldn't get hacked by anyone else.
That same database also included every email address subscribed to this newsletter at the time. Thankfully, I don't think he got into anything other than the message board database.
There are countless other examples of how irresponsible disclosure of security flaws have led directly to attacks on the flawed software. I believe, however, that I have made my point.
It is unfortunate that most of the advocates of full and immediate disclosure don't understand its dangers. What is truly sad is that many of them do understand but simply do not care. If you try to make this point at any of the bug hunting communities, you are confronted with an angry mob of geeks all chanting "security through obscurity doesn't work!".
What disturbs me is the fact that this irresponsible behavior is being taught in information technology courses at some universities in the USA. Professor D.J. Bernstein teaches Math, Statistics and Computer Science at the University of Illinois in Chicago. Several weeks ago, he had his students examine open source software to look for bugs. They found 44 security flaws.
The professor then released every one of these flaws on a public mailing list. While he did contact the developers of the software in question, he did so on the same day he released the information about the security flaws. There was no time at all for these developers to reexamine their code to figure out how to fix the problems before all of the details were made public.
Several follow-up posts on the Bugtraq mailing list scolded the professor for failing to give the vendors any time to produce fixed updates. His responses showed nothing but contempt for the idea of giving the developers advance warning about the problems. As far as Bernstein is concerned, the developers shouldn't have written buggy software in the first place and deserved no time to fix the problems before the information was released.
Jonathan Rockway, posting from the same university, defended Professor Bernstein. I'll reproduce the statement below:
Now in regards to full disclosure, I think you should all be happy that we bothered to tell you all about these exploits. We could have selfishly used them to compromise machines, but instead we wrote them up and mailed them off to the users and the authors! That is very nice of us.
If you would like notification sooner than the "public", find the exploit yourself. If I can find them, then surely anyone can.
Regards,
-- Jonathan Rockway
As someone else later pointed out, bragging that you could have broken into computers illegally if you had wanted to is not the best way to demonstrate your ethics. This is the attitude and behavior being taught to computer science students at the University of Illinois. Lord help us all when those students graduate.
I wrote to Professor Bernstein several weeks ago inviting him to explain his point of view. He did not respond.
You may be wondering why the details of a security flaw should be disclosed at all. Considering the damage that can and often does result from these disclosures, why not simply keep it all a secret?
In an ideal world, the details of a security flaw would not need to be disclosed to the public. The person who discovers the flaw would simply contact the vendor privately so that the problem could be fixed. Unfortunately, this is not an ideal world. In the past, the majority of software makers would simply allow the flaw to exist and hope no one ever found out about it. This left users of that software open to attack by any malicious hacker who did discover the flaw.
Out of frustration with software developers who ignored security flaws, people began posting the details of the flaws to the public. While it did put the users of the software in danger, it also forced the vendors to deal with the security problems. Unfortunately, those who remember those bad old days have the attitude that all vendors are this way and must be forced virtually at gun point to fix their security bugs.
Sadly, this is where full disclosure fails in its stated function. Public disclosure is meant to be a veiled threat to the developer. Either they fix their buggy software or all the details of the bugs will be released. The full disclosure crowd would release all of the information right away, whether or not the developer is trying to fix a security problem. A threat loses its meaning if it is carried out regardless of the response. Why should a developer pay any attention to someone threatening full disclosure if that person is going to do it regardless? Often it means the vendor is forced to rush out an untested patch that might cause more problems than the flaw it is supposed to fix.
Secrecy is irresponsible because then the developer has no reason to fix the security problems in their software. Full Disclosure is irresponsible because it gives the developer no time to fix the problem before every malicious hacker learns of it. There is a balance that can and should be maintained between secrecy and full disclosure. It is called "Responsible Disclosure".
If I had the power to impose a standard procedure for reporting security bugs, this is how it would work. Someone discovers a bug that would allow a malicious hacker to take over a piece of software. This person would write to the developer of the software to explain the problem. The developer acknowledges the message and starts looking at the code. The developer then should immediately begin working on a way to fix the flaw. The person who discovered the flaw should remain quiet about it while the developer works on the problem.
After the developer discovers what causes the flaw and creates a fix, it should be tested to make sure there are no adverse effects. Once the problem is fixed, an update should be made available for all users of the software. Ideally, the person who discovered the flaw would never say anything at all about it. If he feels the need to go public with the flaw, he should wait until at least 30 days after the updated version is made available. This gives people adequate time to install the update. Going public with the details of a flaw the same day a fix is made available is just as irresponsible as not contacting the vendor at all. Doing that gives users absolutely no time at all to update to the more secure software.
If the developer does not start working to fix the problem after being contacted or does not even answer the person, then the details of the problem would be posted publicly. The person should give the developer at least a week to answer his message before deciding to go public. This is where public disclosure becomes useful. Developers are not given the option of simply ignoring the security flaw. If they do, they risk the wrath of their angry users who demand to know why the developer is not fixing a security flaw that puts their equipment at risk of attack.
This is, in my opinion and in the opinion of many security researchers, the proper balance that must be struck in bug reporting. Public disclosure should be the threat that forces a software developer to fix security flaws as quickly as possible. It should not be a way for obscure programmers to make a name for themselves or their security business. It should not be a game of "ha ha Gotcha!" played at the expense of software users.
The full disclosure crowd apparently has no consideration for the helpless users who are put at risk by their behavior. Something they should consider is their own legal liability.
Right now, a young Frenchman is facing prison time and hundreds of thousands of dollars in fines and court damages for revealing details of software flaws in a French antivirus program. Technically, he committed copyright infringement by republishing some of the antivirus program's code without permission. Everything I can find on the case is written in French (a language I cannot read), so I don't know whether or not he contacted the company before going public about the flaws. If he didn't, then I have no sympathy for him.
The American DMCA also makes public disclosure a potentially dangerous thing to do. Conceivably, a person can be prosecuted under the DMCA if they reveal information about a security flaw. HP actually threatened a research group, SnoSoft, with exactly that in 2002 over a flaw in HP's Tru64 Unix. HP backed down in the face of massive public outrage.
Will the online security community follow the practice of "responsible disclosure"? For all of our sakes, I hope so. I don't know about you but I am sick and tired of the massive virus and spyware epidemics that tend to break out after someone makes a full disclosure.
I want to thank Stompsoft Inc for helping me with my dead hard drive. After I wrote that I had lost a hard drive and all sorts of important data, Stompsoft mailed off a copy of their RecoverX data recovery program.
The program worked nicely and did find the lost files on the hard drive. Unfortunately, I believe the drive is damaged physically. I ran the program three times and each time it slowed down dramatically at the same point. At the rate it was going, it would take several days to recover the entire drive. I don't believe this is the program's fault. I think the disk is just so damaged at certain spots that it causes the recovery process to slow down. Maybe the read/write head is damaged or something.
I can't have the computer tied up for several days, so I will wait until I go get my old test computer. I left it behind when I moved last year. Once I have that, I'll install the hard drive there and let the program take however long it wants to take.
I did manage to recover some files however. I saved the database of people who had volunteered to talk to the press and I managed to save the submissions people had sent in for T-shirts. I had hoped to have those t-shirts ready by Christmas but the hard drive screwed that up. I hope to have those ready to go the first week of February.
As for my current method of backing up files, I have a much better system now. I went out and bought an external Seagate USB hard drive. Mine is 120GB, not the 160GB featured on that web page. All of my backups and most of my documents go to that hard drive now. I can use that thing to back up my laptop, which I couldn't do previously. It even works perfectly with Linux, so I am very happy with it.
Republishing my two browser hijacker articles in last week's newsletter seems to have gone over very well, judging by the email it produced. While I did warn that the articles were slightly dated, I tried to spruce them up before I sent them out last week. Unfortunately, I missed at least one mistake.
An alert reader noticed that I suggested that the setting "Launching programs and files in an IFRAME" be set to "Prompt". Last November, I warned readers to change that same setting to "Disable" because of a flaw in the way Internet Explorer handles IFrames in certain situations. I forgot to update that particular part of the article before sending it out last week.
If you changed your own security settings last week to match those in the newsletter, make sure you go back and change that particular setting to "Disable". It lives under Tools, Internet Options, Security tab, Custom Level, in the Miscellaneous group, and the change applies per zone, so check both the Internet zone and the Restricted sites zone. Microsoft did patch that particular flaw in December 2004 (security bulletin MS04-040). Still, better to be safe than sorry: "Prompt" hands the decision to the user at the exact moment a hostile page is trying to trick them, and "Disable" does not.
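To check the setting without clicking through every zone by hand, here is an added example (not from the newsletter or from Microsoft) in Python that audits a .reg export of the Internet Settings\Zones key and emits the fragment that sets the value correctly. It relies on two facts from Microsoft's documentation of the security zones: each per-zone action is a DWORD under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n> (3 = Internet, 4 = Restricted sites), and the action ID for "Launching programs and files in an IFRAME" is 1804, with 0 = Enable, 1 = Prompt and 3 = Disable. The sample export below is constructed, not taken from a real machine; the HKEY_LOCAL_MACHINE copy of the key and any group-policy override are not examined.

```python
import re

ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
SETTING = {0: "Enable", 1: "Prompt", 3: "Disable"}
IFRAME_LAUNCH = "1804"   # URL action "Launching programs and files in an IFRAME"

ZONE_KEY = re.compile(r"^\[HK[A-Z_]+\\.*\\Internet Settings\\Zones\\([0-4])\]$", re.I)
DWORD_VAL = re.compile(r'^"(\d{4})"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample of what `reg export` of the Zones key produces. Real
# exports are UTF-16 text files: open them with encoding="utf-16".
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1803"=dword:00000000
"1804"=dword:00000001

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\4]
"DisplayName"="Restricted sites"
"1804"=dword:00000003
"""


def parse_zone_actions(reg_text: str) -> dict:
    """Return {zone_id: {action_id: value}} for every Zones\\<n> key in the export."""
    zones, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = ZONE_KEY.match(line)
        if m:
            current = m.group(1)
            zones.setdefault(current, {})
            continue
        if line.startswith("["):
            current = None           # some other key; ignore until the next zone key
            continue
        m = DWORD_VAL.match(line)
        if m and current is not None:
            zones[current][m.group(1)] = int(m.group(2), 16)
    return zones


def audit_iframe_launch(reg_text: str, zones=("3", "4")) -> list:
    """List (zone name, current setting) for each zone whose 1804 action is not
    Disable. A missing value means the zone's template default applies, which
    you should not assume is Disable, so it is reported as well."""
    actions = parse_zone_actions(reg_text)
    findings = []
    for z in zones:
        val = actions.get(z, {}).get(IFRAME_LAUNCH)
        if val != 3:
            findings.append((ZONES[z], SETTING.get(val, "not set (zone default applies)")))
    return findings


def disable_iframe_launch_reg(zones=("3", "4")) -> str:
    """The .reg fragment that sets 1804 to Disable for the given zones: the
    same change the Security tab makes, in a form you can import on many PCs."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for z in zones:
        out.append("[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
                   "\\Internet Settings\\Zones\\%s]" % z)
        out.append('"%s"=dword:00000003' % IFRAME_LAUNCH)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    for zone, setting in audit_iframe_launch(SAMPLE_EXPORT):
        print("%s zone: IFRAME launch is %s, should be Disable" % (zone, setting))
    print(disable_iframe_launch_reg())
```

Export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones" zones.reg`, feed the file to audit_iframe_launch, and re-run the audit after importing the generated fragment; the audit of its own output comes back empty, which is the check that the fix took.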
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.
Use of this site and its services are subject to our terms of use.