Dr. DB's Help Page

Spyware . . . (cont.)

Spyware is considered (technically) to be a privacy issue, since neither data nor software are destroyed. However, it demonstrably degrades computer function, and, for dial-up users, can easily overload their bandwidth until ordinary activities (like getting mail or loading web pages) become almost impossibly slow or (for older platforms) the system crashes. Also, in many ways privacy and security are intertwined: the differences between a trojan horse program and a spyware program are mostly in the nebulous realm of "intent." Both are installed without the user's knowledge or permission, both are designed to achieve their own ends; and, almost always, users object strenuously to the presence of either when they become aware of it.

The issue is one of control; and, it is going to get much worse as users are hustled into "cloud computing," where most user files and software applications are online and not  local to their own machines: users will have no control over access to data that is not stored on their own hard drive and no effective control at all over apps that are not installed on their own machine.  Moreover, someone is paying for maintaining these nominally free online database and software servers: and that someone is you.1, (2)
Most popular websites already generate their cash flow by displaying advertisements; and, since you are unlikely to read or respond to an ad unless the advertised product or service interests you, to maximize their income most internet advertisers collect information about people that allows them to 'target' their ads. With fewer services on your own machine and more relegated to the Cloud, all  forms of user-profiling are going to increase.(1 ff.)
But the problem is much broader than merely personal privacy, because there are also issues of both the security and the integrity of data entrusted to commercial servers. Recently one online storage service announced that user data on a Microsoft server had been lost: any messages or cell-phone pictures that were not backed up on user's own machines were irretrievably lost. And, worse, both online software servers and large online customer databases will provide tempting targets for blackhat hackers.
 
Microsoft's Hotmail service is an existing example of "cloud computing;" and, anyone who thinks their Hotmail accounts are either private or secure should spend some time reading  [1],  [2],  [3  §4.1.6],  and/or [4].
Moreover, since all cloud-based services have to paid for,() Microsoft's business model is not unique: “Google reads our Gmail and inserts context-dependent ads[, and]...Gmail…saves everything, even if you delete it.”
 [Bruce Schneier, quoted from Schneier on Security; Wiley Publishing, Inc.  ISBN 978–0–470–39535–6]

Before submitting to the blandishments of businesses that stand to make enormous profits, users should keep two salient points in mind —
(1)  You don't own your data when it's in the Cloud 
In 1998, Congress updated Federal copyright law to cover changes posed by digital reproduction and transmission of intellectual properties. The resulting legislation — the Digital Millennium Copyright Act — was essentially a "wish list" for the entertainment, publishing, and software industries.
Using provisions of the DMCA, Amazon servers recently deleted Orwell's 1984  and Animal Farm  on user readers; and, Microsoft has reserved the right to access your computer and exercise control over your multimedia software:
    “Microsoft has found a creative way to obtain authorization from users to access their workstations at will. …The language is contained in the Product Use Rights (PUR) document that can be found at www.microsoft.com/licensing/resources. As the PUR document is part of most customers' volume license agreements [the type of license that, for example, Dell or HP buys] and is subject to periodic change, in theory Microsoft customers should check it regularly to see what rights Microsoft has decided to grant or take away. …In the section on Windows XP Professional, …the "Internet-Based Services Components" paragraph …said in part,
     You acknowledge and agree that Microsoft may automatically check the version of the Product and/or its components that you are utilizing and may provide upgrades or fixes to the Product that will be automatically downloaded to your Workstation Computer.’
    …In terms of "Security Updates," users grant Microsoft the right to [automatically] download updates to Microsoft's DRM (Digital Rights Management) technology to protect the intellectual property rights of "Secured Content" providers. …Currently, DRM technology is associated just with music or video content, but there's no legal reason it can't be used with software applications as well. Microsoft officials say that the language in the PUR agreement…is also in the Windows XP EULA (End User License Agreement) itself… .
    ‘If the user elects not to update the security component, he or she will be unable to play content protected by our DRM from that point forward, although content previously obtained would still be usable.’ ”
    [From “Check the fine print ,” by Ed Foster (February 2002); as cited in the sh  Passport Risks database]
Furthermore, by law, your personal  information belongs to whomever collects and collates it.(1 ff.; 2)  Facebook may have changed its policies after users protested, but when it originally decided to keep user account information in perpetuity — regardless of account-holders' wishes in the matter — it was acting within the law. And Amazon long ago added a clause that it owned all user information submitted in the process of ordering merchandise or collected as users browsed the site; and, since the information was a company asset, Amazon reserved the right to sell it in whole or in part. Both website privacy policies are also subject to change at any time; and, users with concerns about the use of their information must check the company privacy policy posted on the Internet.

(2)  And you don't own your apps, either
The problem of user control becomes even more acute with Cloud-based software.  Low-level distributed computing protocols such as DCOM (which allows programs to interact over a network) and SOAP (which is designed to bypass firewalls) have already caused concern among security experts1, 2  because, as one tech remarked, “when you double-click on an application, you are turning control of your machine over to the progammer who wrote the code.”  But, locally-installed software can be configured and its network accesses controlled [e.g. Red Sheriff, below]; and, users who have privacy concerns about their data or personal information can use encryption software[] or proxy-filters to control online website accesses — none of which will be possible when both your software and data are stored online.
Sadly, users today have few legal rights — even with licensed software legitimately purchased and installed on their own personal computers. For example, NAI (McAfee) has included the following in its PGP 8.1 EULA;
    “6.   Ownership Rights.  The Software is licensed and not sold. The Software and the Documentation are protected by United States copyright laws and international treaty provisions. PGP Corp and its suppliers own and retain all right, title, and interest in and to the Software and the Documentation, including all copyrights, patents, trade secret rights, trademarks, and other intellectual property rights therein. Your possession, installation, or use of the Software, Hardware Accessories, or the Documentation does not transfer to you any title to the intellectual property in the Software, Hardware Accessories, or Documentation.
and, if you are a business owner who has purchased the software,
    “12.   Audit.  PGP Corp reserves the right to periodically audit your use of the Software to ensure that you are in compliance with this Agreement. During your standard business hours and upon at least ten (10) days prior written notice, PGP Corp may visit your facility(ies) and you will make available to PGP Corp or its representatives any requested records pertaining to the Software, provided that PGP Corp shall be entitled to conduct no more than two (2) audits in any twelve (12) month period. The cost of any requested audit will be solely borne by PGP Corp, unless such audit discloses (a) an underpayment or amount due to PGP Corp in excess of five percent (5%) of the initial license fee for the Software, or (b) you are not substantially in compliance with this Agreement, in which case you shall pay all costs related to the audit. Any underpayment of fees disclosed by any such audit shall be paid to PGP Corp immediately, together with the applicable late payment charges.”
You will be told that cloud computing will allow computers to be smaller and cheaper, and this is true; and, vendors are already aggressively marketing tablet computers and G3/G4 networked smart phones whose hardware limitations and tiny operating systems require  Cloud resources.  But users should ask themselves, who will pay  for all the programmers, servers, and administrators providing the "free" online data storage and services.  For the benefit of those who believe that there is, indeed, a free lunch, I offer the fine German word Wolkenkuckucksland — literally, "cloud cuckoo-land."
For a more detailed examination of the issues, you can ask Emerald Technologies for a copy of the sh reference file “Lost in The Cloud ”.
 

Unfortunately, not all spyware is installed with programs: some types can infect your computer (especially if you are running Windows XP) merely by visiting web pages with inadquate/incorrect security settings ("driveby install"). For example, the Doctor has discovered that users who visit the BBC News website with default security settings will find their computer infected with Red Sheriff.

This spyware is a java applet: you are vulnerable if your computer has Java loaded or enabled. (NB: Java is cross-platform; so, for once, Macintosh users need not feel neglected.) You can find more information on Red Sheriff from cexx.org or (after securing your system!) from its vendor, Red Sheriff Ltd. (imrworldwide.com).

Note:  Since Red Sheriff is a Java applet, it can bypass personal firewalls (such as ZoneAlarm). However, although you cannot use most firewalls to block the installation of the applet, you can  stop it from connecting to its server by blocking the imrworldwide.com IP addresses:
203.166.18.221   [imrworldwide.com]
203.166.18.106   [au.imrworldwide.com]
62.189.244.232   [uk.imrworldwide.com]
TIP: you can use your firewall to block connections to any  questionable/annoying websites [see (1)].  To find the IP address, you can go to Sam Spade.org, whois.crsnic.net or any other DNS/IP address lookup service. [Note: if you can use command-line, Windows has a built-in NSLOOKUP utility that you can access from a command shell window (START > RUN > CMD), and the  '/?'  option will (usually) give you the command/option list.]
 

For Windows users, there are several options to prevent this (and other) Java-based security and privacy threats:

For Windows XP:
First, check to see if you are vulnerable:

If you have Service Pack 1a (SP1a), you are not at risk.
 

For all Windows platforms:

  1. To disable Java in Internet Explorer:
    •  Go to Start | Settings | Control Panel
    •  Double-click on the "Internet Options" applet.
    •  Click on the "Security" tab.
    •  In the text box at the top, click on the "Internet" icon.
    •  Click on the "Custom Level" button.
    •  Scroll down to the Java heading, and, under "Java
       Permissions" select "Disable Java" (radio button).
       
  2. To stop Internet Explorer from installing Red Sheriff from the BBC website:1, 2
    •  Go to Start | Settings | Control Panel
    •  Double-click on the "Internet Options" applet.
    •  Click on the "Security" tab.
    •  In the text box at the top, click on the "Restricted Sites" icon.1
    •  Click on the "Sites" button.
    •  Type in (or copy and paste)  http://news.bbc.co.uk/ .
    •  Click on the "Add" button, then on the "OK" button.2
      1 If you have not already done so, click on the "Custom Level" button, scroll down to "Java Permissions," select "Disable Java," and click the "OK" button; then, click "Yes" on the warning screen [‘Are you sure you want to reset the security settings for this zone? ’], and "OK" on the Internet Properties screen.
      2 Note: you can add any website to the "Restricted" zone by entering its specific URL in this manner.
       
  3. To disable Java in Netscape Navigator and Mozilla (older versions ):
    •  Open the browser and go to Edit | Preferences
    •  In the left frame click on "Advanced."
    •  In the right frame UNcheck "Enable Java."
      (The Doctor also recommends that you UNcheck the box "Enable JavaScript for Mail and News." )
       
  4. To disable Java in Firefox and Mozilla (more recent versions ):
    •  Open the browser and go to Tools | Options
    •  In the left frame click on the "Web Features" icon.
    •  In the right frame UNcheck "Enable Java."
      (The Doctor also recommends that you UNcheck the box "Enable JavaScript." )
       
  5. To block Red Sheriff in other web browsers, you must disable Java. Since controls vary widely, check your browser Help files or call your computer service technician.
     
  6. To remove Java entirely (recommended):
    •  Go to Start | Settings | Control Panel
    •  Double-click on the "Add/Remove Programs" applet.
    •  Scroll down and select the Java entry.
    •  Click on the "Add/Remove" button.
     

If, like the Doctor, you are using Proxomitron to filter your web pages, download and merge the Red Sheriff filter (written by Bill Webb at cexx.org).

**You can download a zip archive with additional information on spyware, step-through help on using Ad-aware and Spybot S&D, and a collection of links to online information on spyware and other privacy issues. For more advanced users, the Doctor has provided archives with network and firewall security references and, from his esteemed colleague "sh", a technical analysis of security and privacy issues affecting Windows users.

 

  left arrow Back up arrow Home Downloads right arrow  

 


This page made possible by support from The Groundlevel Foundation, “Building on a secure base”