Spyware . . . (cont.)
Spyware is considered (technically) to be a privacy issue, since neither data nor software is destroyed. However, it demonstrably degrades computer function, and, for dial-up users, can easily overload their bandwidth until ordinary activities (like getting mail or loading web pages) become almost impossibly slow or (for older platforms) the system crashes. Also, in many ways privacy and security are intertwined: the differences between a trojan horse program and a spyware program are mostly in the nebulous realm of "intent." Both are installed without the user's knowledge or permission, both are designed to achieve their own ends; and, almost always, users object strenuously to the presence of either when they become aware of it.
The issue is one of control; and, it is going to get much worse as users are hustled into "cloud computing," where most user files and software applications are online and not local to their own machines: users will have no control over access to data that is not stored on their own hard drive and no effective control at all over apps that are not installed on their own machine. Moreover, someone is paying for maintaining these nominally free online database and software servers: and that someone is you. (1, 2)
Most popular websites already generate their cash flow by displaying advertisements; and, since you are unlikely to read or respond to an ad unless the advertised product or service interests you, to maximize their income most internet advertisers collect information about people that allows them to 'target' their ads. With fewer services on your own machine and more relegated to the Cloud, all forms of user-profiling are going to increase. (1 ff.)
But the problem is much broader than merely personal privacy, because there are also issues of both the security and the integrity of data entrusted to commercial servers. Recently one online storage service announced that user data on a Microsoft server had been lost: any messages or cell-phone pictures that were not backed up on users' own machines were irretrievably lost. And, worse, both online software servers and large online customer databases will provide tempting targets for blackhat hackers.
Before submitting to the blandishments of businesses that stand to make enormous profits, users should keep two salient points in mind —
(1) You don't own your data when it's in the Cloud
In 1998, Congress updated Federal copyright law to cover changes posed by digital reproduction and transmission of intellectual properties. The resulting legislation — the Digital Millennium Copyright Act — was essentially a "wish list" for the entertainment, publishing, and software industries.
Using provisions of the DMCA, Amazon servers recently deleted Orwell's 1984 and Animal Farm on user readers; and, Microsoft has reserved the right to access your computer and exercise control over your multimedia software:
“You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer. … In terms of "Security Updates," users grant Microsoft the right to [automatically] download updates to Microsoft's DRM (Digital Rights Management) technology to protect the intellectual property rights of "Secured Content" providers. … Currently, DRM technology is associated just with music or video content, but there's no legal reason it can't be used with software applications as well. Microsoft officials say that the language in the PUR agreement…is also in the Windows XP EULA (End User License Agreement)
If the user elects not to update the security component, he or she will be unable to play content protected by our DRM from that point forward, although content previously obtained would still be usable.” [From “Check the fine print,” by Ed Foster (February 2002); as cited in the sh Passport Risks database]
(2) And you don't own your apps, either
The problem of user control becomes even more acute with Cloud-based software.† Low-level distributed computing protocols such as DCOM (which allows programs to interact over a network) and SOAP (which is designed to bypass firewalls) have already caused concern among security experts (1, 2) because, as one tech remarked, when you double-click on an application, you are turning control of your machine over to the programmer who wrote the code. But, locally-installed software can be configured and its network accesses controlled [e.g. Red Sheriff, below]; and, users who have privacy concerns about their data or personal information can use encryption software[†] or proxy-filters to control online website accesses — none of which will be possible when both your software and data are stored online.
Sadly, users today have few legal rights — even with licensed software legitimately purchased and installed on their own personal computers. For example, NAI (McAfee) has included the following in its PGP 8.1 EULA;
For a more detailed examination of the issues, you can ask Emerald Technologies for a copy of the sh reference file Lost in The Cloud.
Unfortunately, not all spyware is installed with programs: some types can infect your computer (especially if you are running Windows XP) merely by visiting web pages with inadequate/incorrect security settings ("driveby install"). For example, the Doctor has discovered that users who visit the BBC News website with default security settings will find their computer infected with Red Sheriff.
This spyware is a Java applet: you are vulnerable if your computer has Java loaded or enabled. (NB: Java is cross-platform; so, for once, Macintosh users need not feel neglected.) You can find more information on Red Sheriff from cexx.org or (after securing your system!) from its vendor, Red Sheriff Ltd. (imrworldwide.com).
Note: Since Red Sheriff is a Java applet, it can bypass personal firewalls (such as ZoneAlarm). However, although you cannot use most firewalls to block the installation of the applet, you can stop it from connecting to its server by blocking the imrworldwide.com IP addresses:
220.127.116.11 [imrworldwide.com]
TIP: you can use your firewall to block connections to any questionable/annoying websites [see (1)]. To find the IP address, you can go to Sam Spade.org, whois.crsnic.net or any other DNS/IP address lookup service. [Note: if you can use the command line, Windows has a built-in NSLOOKUP utility that you can access from a command shell window (START > RUN > CMD), and the '/?' option will (usually) give you the command/option list.]
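The lookup-then-block procedure in the TIP above, as an added example that is not part of the original page: it pulls the answer addresses out of saved NSLOOKUP output and writes one outbound block rule per address. The sample output is constructed with placeholder documentation addresses, and the netsh advfirewall rule syntax assumes the built-in firewall of Windows Vista or later rather than the third-party firewalls the page mentions.

```python
import ipaddress
import re

# Constructed sample of Windows nslookup output. The addresses are RFC 5737 /
# RFC 3849 documentation placeholders, not real lookup results.
SAMPLE_NSLOOKUP = """\
Server:  resolver.example.net
Address:  192.0.2.53

Non-authoritative answer:
Name:    imrworldwide.com
Addresses:  2001:db8::7
          198.51.100.7
          198.51.100.8
Aliases:  www.imrworldwide.com
"""

def answer_addresses(nslookup_output):
    """Return the addresses reported for the queried name, in output order."""
    addrs, in_answer = [], False
    for line in nslookup_output.splitlines():
        text = line.strip()
        if text.startswith("Name:"):
            in_answer = True
            continue
        if not in_answer:
            continue  # header: this Address is the DNS server, never block it
        text = re.sub(r"^Address(es)?:\s*", "", text)
        try:
            ip = str(ipaddress.ip_address(text))
        except ValueError:
            continue  # Aliases:, blank lines, error text
        if ip not in addrs:
            addrs.append(ip)
    return addrs

def block_rules(hostname, addrs):
    """Build one outbound block command per address (netsh advfirewall syntax)."""
    # Reject anything that is not a plain hostname before it goes into a command.
    if not re.fullmatch(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?", hostname):
        raise ValueError("unexpected characters in hostname")
    return [
        f'netsh advfirewall firewall add rule name="Block {hostname} {ip}" '
        f"dir=out action=block remoteip={ip}"
        for ip in addrs
    ]

if __name__ == "__main__":
    for rule in block_rules("imrworldwide.com", answer_addresses(SAMPLE_NSLOOKUP)):
        print(rule)
```

The first Address line in NSLOOKUP output belongs to the DNS server that answered; blocking it would break all name lookups, which is why the parser skips everything before the Name line. A failed lookup therefore yields no rules, and because a site's addresses can change, the lookup needs repeating from time to time.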
For Windows users, there are several options to prevent this (and other) Java-based security and privacy threats:
For Windows XP:
First, check to see if you are vulnerable:
For all Windows platforms:
If, like the Doctor, you are using Proxomitron to filter your web pages, download and merge the Red Sheriff filter (written by Bill Webb at cexx.org).
**You can download a zip archive with additional information on spyware, step-through help on using Ad-aware and Spybot S&D, and a collection of links to online information on spyware and other privacy issues. For more advanced users, the Doctor has provided archives with network and firewall security references and, from his esteemed colleague "sh", a technical analysis of security and privacy issues affecting Windows users.