The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines. This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/oct27,2005.
Wherever the term "adware" is used, it is referring to a category of software, not to any particular company or product.
The contents of this newsletter are commentary. They should not be mistaken for unbiased, objective journalism.
Microsoft seems determined to outdo Google at every turn.
Google is the gold standard for search engines. So Microsoft improves their own MSN search engine in an effort to compete.
Google provides web site advertisements based on the content of the site being visited. Microsoft soon will provide a similar service, called Adcenter.
Google stirs up privacy advocates by scanning email to provide contextual ads. Not to be outdone, Microsoft rewrites their instant messenger program so that it will display advertisements based on the text of the conversation people are having.
Take that Google! Who do you think you're kidding? Microsoft is the acknowledged master when it comes to sending privacy advocates into shock.
I don't know about you, but I would be freaked out if I started seeing advertisements based on a conversation I was having with someone. That is just.... CREEPY. Fortunately, I don't use Microsoft's instant messenger program. This is something which I will never see.
I talk to people on AIM, ICQ, MSN and Yahoo. These companies refuse to let their chat programs access other instant messaging networks. I am not about to install four different instant messenger programs, so I use Trillian instead. Trillian can access all of those networks simultaneously. Even better, there is no advertising window. Another good instant messaging program, which works with all of the chat networks, is GAIM. GAIM has versions for both Windows and Linux.
There doesn't seem to be any information anywhere about these contextual ads. I don't know if the program itself, locally, is deciding which ads are relevant to the conversation or if MSN is monitoring the conversations on their servers. For all I know, they could be tracking the surfing behavior of msn.com visitors and tying that into the Messenger ads. That is a level of "convergence" of which I would rather not be a part.
Remember when people learned that Gmail was scanning email in order to serve ads? Multiply that reaction by ten and you will have a pretty good indication of what will happen when the general public learns about MSN Messenger's chat scanning. Microsoft needs to say something, and fast, about this new "feature".
Read my review of Privacy Guardian for more information about that program.
I gave Spyware Doctor a test drive on my computer a couple of months ago. After playing with it for awhile, I consider Spyware Doctor to be a very good program. On a scale from 1 to 10, I would give this program a 9 1/2.
Spyware Doctor is a very nice and very polished antispyware protection program. The interface is uncluttered and easy to navigate. A system scan is initiated with the click of a single button. The same goes for updating the program. You could give a copy of this program to your grandmother for her first computer and she would have no trouble running it with the default settings.
You may remember my marathon spyware killing experiment from a while back. I still have a copy of that infected virtual machine. On my "infected" test system, Spyware Doctor found a staggering 2,400+ infection items, kicked several processes out of memory and blocked 19 malicious start up entries. Every item found was organized by the name of the malware and included a short description, as well as a detailed listing of every file and registry entry it believed to be associated with it. Every item is labeled with a "threat level", showing how serious PC Tools considers that particular piece of malware to be.
OnGuard, the real-time protection module, protects against several methods used by browser hijackers and other malware. All of these components optionally will pop up an alert if something is detected. If a piece of malware exploits a browser flaw and tries to install itself, you will know about it immediately.
This is an excellent program. I consider it to be my favorite spyware scanner. Spyware Doctor has my recommendation - it is that good.
The discounts should be applied automatically when using the links above. You will see the discount applied when you click the green purchase button. If you have any problems with the ordering page, please email Catherine (http://www.spywareinfo.com/email2.php).
Anyone buying as a corporate customer and needing many copies of this program, please contact Catherine.
Correction:
The mailing list mentioned in this story is "Focus Virus", not Bugtraq. Please excuse the error.
Warning: Long ramble ahead.
A lengthy discussion has popped up on Security Focus' "Focus Virus" mailing list. It began with an observation from a user that Microsoft Antispyware missed software from Claria and a whole raft of cookies. It is not surprising that it did not detect the Claria software, since Microsoft has decided that adware will not be detected by default.
The discussion has turned into a series of suggestions for reducing the number of malware infections. New posts are arriving as I write this.
It is an interesting question; and it made me start thinking. As long as it is legal and as long as there is money to be made in doing it, people will continue to create unwanted software parasites. How do we stop those parasites from infecting the average computer?
Everyone seems to agree that computer users need to be educated about the risks. I believe that the people most at risk of becoming infected by spyware are those who have connected to the internet for the first time.
The incident that turned me into a crusader against spyware was an ActiveX driveby installation of Comet Cursor. I had been online for just a couple of days and decided that the default browser security settings were too tight - so I loosened them.
Basically, what I did was to leave the keys of a very nice car sitting in the ignition after parking it in a seedy neighborhood. It happened because I was ignorant of the risk. No one told me that the neighborhood was dangerous, so I dropped my guard. If I had known that spyware could appear on my computer just from surfing a web site, I would have been more likely to tighten the security settings, not loosen them.
Education is not the whole answer. Despite all the warnings, people still become infected. I still receive emails with the "I Love You" virus attached; and that virus is six years old!
Laws will help to a certain point. Unfortunately, the people creating the worst of the malware already realize that what they are doing is wrong. Most of them will not care about laws.
The ultimate solution will have to be technological. The software which claims to protect against spyware will have to start living up to that claim. I can think of three things that antispyware software can start doing which will prevent the majority of spyware infections.
Number One:
At the moment, the second most popular method used to install unwanted software is to exploit browser flaws. Microsoft releases patches for most of these flaws but many people do not install them. Going to the wrong web page with an unpatched browser is like leaving home with the front door wide open.
This should be the first thing examined by antispyware software. If a patch, which fixes a flaw used in the installation of malware, is available and it is not installed, the software should point that out and tell the user to install it. It should make such a pest of itself about the patch that the user installs it just to make the program shut up.
You couldn't do that with the corporate version, because the IT department may have vetoed a patch for causing more problems than it fixes. In the home version, the antispy program should make it difficult to ignore a patch that fixes a hole used by malware.
Number Two:
The most popular way to install spyware continues to be the third-party bundle. For years, most file sharing programs have been installing spyware. The antispy programs should keep a list of those P2P programs known to bundle third-party software and pop up a strong warning if the user is trying to install any of them.
Even better, why not scan any installer package as soon as it loads into memory? Most installers are just scripts which extract archived files to predetermined locations. With most installers, and with the right software, you can see what files are located inside, as if it were a regular Zip file. If the files for Gator or SaveNow are located within an installer, force the installer out of memory and pop up a warning.
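The installer scan suggested above can be sketched as follows. This is an added example, not code from the newsletter or from any antispyware product, and it handles ZIP-format packages only. The name fragments, the hash set and the sample installer are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Name fragments for the two bundles the newsletter names (illustrative list only).
BLOCKED_NAME_PARTS = ("gator", "savenow")
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # skip members that declare an oversized length
MAX_DEPTH = 3                         # how many levels of nested archives to open

def scan_archive(data, blocked_hashes=frozenset(), prefix="", depth=0):
    """Return [(member path, reason)] for blocklisted files inside ZIP-format data."""
    hits = []
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return hits
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.file_size > MAX_MEMBER_BYTES:
                hits.append((path, "too large to inspect"))
                continue
            body = zf.read(info)
            base = info.filename.rsplit("/", 1)[-1].lower()
            if any(part in base for part in BLOCKED_NAME_PARTS):
                hits.append((path, "blocked name"))
            elif hashlib.sha256(body).hexdigest() in blocked_hashes:
                hits.append((path, "blocked hash"))   # catches renamed files
            # A member may itself be an archive of bundled extras; look inside it.
            hits += scan_archive(body, blocked_hashes, path + "!", depth + 1)
    return hits

# --- constructed sample: an installer carrying a nested archive of bundled extras ---
RENAMED_PAYLOAD = b"constructed stand-in for a bundled adware DLL"
SAMPLE_HASHES = {hashlib.sha256(RENAMED_PAYLOAD).hexdigest()}

def build_sample_installer():
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("SaveNow.exe", b"constructed placeholder")
        zf.writestr("helper.dll", RENAMED_PAYLOAD)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("setup.ini", b"[install]\n")
        zf.writestr("p2pclient.exe", b"constructed placeholder")
        zf.writestr("extras.zip", inner.getvalue())
    return outer.getvalue()

if __name__ == "__main__":
    for path, reason in scan_archive(build_sample_installer(), SAMPLE_HASHES):
        print(f"WARN {reason}: {path}")
```

Matching on content hashes as well as names means a bundled file is still reported after it has been renamed.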
Number Three:
After browser flaws and third-party bundles, the next most common source of malware infestation probably is the ActiveX installer. There is a common misconception about ActiveX. People believe that, if ActiveX has a signed digital certificate, it can be trusted. It is the unsigned ActiveX that is the problem, or so people are told.
The fact that an ActiveX program is signed means exactly NOTHING. Every single piece of ActiveX malware that I have seen has been signed. Every single one of them. Even the porn dialers are signed.
In theory, the certificate issuer will revoke a signature if the software is used for malicious purposes. X-Block once tried to convince Verisign to do just that. Verisign would not do it, despite clear evidence that the program was malicious. The digital signature system is nothing but a scam, since the issuers will do nothing about the malicious use of the signed files.
However, since those programs ARE signed, that makes things a little easier. The Antispy program should install a Browser Helper Object that reads each ActiveX certificate as Internet Explorer downloads it. If the ActiveX is signed by a company associated with malware, block it and pop up a warning.
This presents the malware creator with a cruel choice. They can leave their malicious creation unsigned and risk having the browser block it. Or they can choose to sign the files, making it easier to identify them. They can randomize the file names all they want and it will not matter. Not even the wealthiest of adware companies can afford to buy multiple digital signatures in order to avoid this sort of detection.
I know most of the antispyware developers are reading this. I am suggesting very strongly that they look into seeing if these things are possible. If the antispy programs start doing this, I believe it will put up a roadblock to the three main avenues of spyware infection. With those roads blocked and guarded by armed sentries, the neighborhood will become a little safer for everyone.
I promised myself a while back not to go on another anti-Microsoft rant, that I would write calmly about any goofs they make. It has been a hard promise to keep at times. And now, I must break that promise. If I don't rant about this, I will burst at the seams.
The function of a software firewall is simple. It allows the user to control the computer's access to other computers. To do that, it blocks attempts to send unauthorized data out over a network, as well as the attempts of other computers to send data to the protected computer. A proper firewall allows data into or out of the computer, only when the user gives the firewall permission to do so. I think most people will agree that this is an accurate description of the proper function of a software firewall.
So I am left to wonder if the Microsoft programmers who designed the Windows Firewall have lost their freakin minds. While the Windows Firewall will block network access like any other firewall, the settings which determine whether or not an attempt to access the network is permitted are stored in the registry. Any piece of software is allowed to edit that part of the registry and give itself permission to send or receive data over the network.
There are several viruses, worms and spyware programs that edit the registry settings for the Windows Firewall. Even if the user discovers a virus infection and cleans it successfully, that computer can be reinfected at any time, if the virus edited the firewall settings. Many network worms can infect a computer if they discover certain unsecured network ports. It happened to me once, when I turned off my firewall and forgot to turn it back on.
Changes to a firewall's settings should be possible only through the firewall program's interface. Those changes should be saved into an encrypted file, which cannot be altered by any other program. Those settings should not EVER be written to the registry, where they can be altered by any other program running on the PC. It takes only the smallest shred of common sense to realize this.
Where was the common sense when they were creating the Windows Firewall? This is like hiring security guards to keep gate crashers away from a party but allowing the guests to write their own invitations.
But wait, there's more!
Someone discovered recently that the Windows Firewall interface won't even tell the user about an opened port, if the registry entry granting it permission has a malformed name. Not only can a malicious programmer give his evil creation permission to bypass the firewall, he can hide the fact that he's done it!
It is boneheaded mistakes like this which make it difficult to use Windows safely. God help us all when Microsoft begins to make its own antivirus software. The only reason Microsoft's antispyware program works well probably is because Microsoft didn't write it.
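Because the exception list lives in the registry, it can be audited from a registry export instead of the firewall's own interface, so an entry shows up whether or not the interface displays it. The following is an added example, not part of the newsletter or of any Microsoft tool. The key path and the `path:scope:state:label` entry layout are assumptions based on the Windows XP SP2 firewall, and the export text and approved list are constructed.

```python
import re

# Assumed key (XP SP2 layout, not given in the newsletter) holding per-program exceptions.
LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(text):
    # .reg files escape backslashes and double quotes with a leading backslash.
    return re.sub(r"\\(.)", r"\1", text)

def parse_exceptions(reg_text):
    """Return {value name: value data} for LIST_KEY in a regedit export."""
    entries, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line[1:-1].lower() == LIST_KEY.lower()
            continue
        match = VALUE_RE.match(line) if in_key else None
        if match:
            entries[unescape(match.group(1))] = unescape(match.group(2))
    return entries

def audit(entries, approved_paths):
    """Flag entries that cannot be parsed and enabled exceptions outside the baseline."""
    approved = {p.lower() for p in approved_paths}
    findings = []
    for name, data in sorted(entries.items()):
        parts = data.rsplit(":", 3)      # path:scope:state:label (path may contain ':')
        if len(parts) != 4:
            findings.append((name, "unparseable entry"))
            continue
        path, _scope, state, _label = parts
        if state.lower() == "enabled" and path.lower() not in approved:
            findings.append((name, "not in approved baseline"))
    return findings

# --- constructed export: two expected programs, one unexpected, one disabled ---
SAMPLE_REG = "Windows Registry Editor Version 5.00\n\n[" + LIST_KEY + "]\n" + r'''
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:Remote Assistance"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\WINDOWS\\Temp\\updater.exe"="C:\\WINDOWS\\Temp\\updater.exe:*:Enabled:Updater"
"C:\\Games\\old.exe"="C:\\Games\\old.exe:*:Disabled:Old game"
'''
APPROVED = [r"%windir%\system32\sessmgr.exe", r"C:\Program Files\Trillian\trillian.exe"]

if __name__ == "__main__":
    for name, reason in audit(parse_exceptions(SAMPLE_REG), APPROVED):
        print(f"REVIEW {reason}: {name}")
```

A real regedit export is UTF-16 text, so decode it before passing it to `parse_exceptions`.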
This is the point where I should recommend a proper firewall. Unfortunately, the company that created the firewall that I used to recommend, Kerio, plans to exit the firewall market.
I use an older version of Kerio firewall, version 2.15. I never liked any of the more recent versions. If you plan to try it, I suggest you download it quickly. The download page might disappear soon.
Chinese dissident Liu Xiaobo has written an open letter to Yahoo regarding their collaboration with the government of China.
Several months ago, Yahoo revealed the identity of a Chinese journalist who used his Yahoo email account to pass along a memorandum, written by some government official, regarding the anniversary of the Tiananmen Square massacre. The Chinese government found this journalist, put on a show trial and then sent him to prison with a ten-year sentence.
The letter condemns Yahoo's active participation in the suppression of Human Rights in China in very powerful language. In a society where the gravest insult is couched in very polite terms, Xiaobo's letter is the written equivalent of a molotov bomb thrown through Yahoo's window. Just to give you a small sample:
Here, I want to express my heartfelt thanks to the investigation of Reporters Without Borders, which offers insight to the whole world, especially the free countries of the West, into two types of ugliness: the ugliness of the CCP, which trades China's business profits for the cooperation of foreign enterprises in China in order to maintain its Internet control and to intimidate political dissidents, and the ugliness of Western enterprises, which bow before the communist dictatorship and trade human rights and business ethics for China's business opportunities.
It is a long letter, so brew up a cup of coffee before you start reading it.
Have you ever heard of Godwin's Law? It is a generally accepted observation that, when a participant in an online debate makes an irrelevant comparison to Hitler, the Nazis or the Holocaust, the discussion is over. Whatever point was being debated will become lost in the outrage by one side of being labeled Nazis by the other.
Over the weekend, Catherine pointed me to a posting on Sunbelt’s blog that knocked me flat. Evidently, while writing a hatchet job on a recent article by Ben Edelman, Law professor Eric Goldman compared the entire antispyware movement to Nazi genocide.
He didn't come right out and say it, of course. While calling the antispyware movement a McCarthy-style witchhunt, he quoted a very famous and chilling poem written by Martin Niemoller, a priest who spent over eight years in a Nazi concentration camp.
First they came for the Jews
and I did not speak out--because I was not a Jew.
Then they came for the communists
and I did not speak out--because I was not a communist.
Then they came for the trade unionists
and I did not speak out--because I was not a trade unionist.
Then they came for me--
and there was no one left to speak out for me.
I want this newsletter to make it past the content filters, so I won't repeat what I said of Professor Goldman after I saw that.
Several people called him out for using that reference, so eventually he deleted it from his blog/article. He apologized for "the confusion" caused by the reference, but he did not apologize for using it in the first place. He even attempted to justify making the comparison while answering a comment.
It is too bad, really. The point Goldman was trying to make in his article was a good one. Whether his Nazi reference was a publicity stunt or just plain stupidity, all it accomplished was to invoke Godwin's Law and draw attention away from his conclusions.
SpywareInfo has a new(ish) feature, listing news headlines relevant to spyware, privacy and safely using the computer. There is a saying that "all politics are local". It seems that this also applies to the internet. It is a close community in that problems can spread from anywhere. If you see a local story that you think deserves attention, please let us know. Use this mail form, tell us some details and we will follow the story.
This Spywareinfo News Section is updated every day - and several times during the day. It is a section of Spywareinfo that we hope will keep you informed on a daily basis - and keep your internet time a bit safer. Go have a look.
All materials on this web site are copyrighted © 2001 - 2008 by Mike Healan or their respective owners. All rights reserved.
Use of this site and its services are subject to our terms of use.
