Category: security

Security including security problems and security breaches.

Posted on

California’s Toothless Spyware Law

Yesterday Governor Schwarzenegger signed into law SB 1436 (“Computer Spyware”), a California bill that speaks to certain programs installed on users’ computers. The bill admittedly speaks to programs that trick users, harm users, and take advantage of users. So why don’t I support it?

SB1436 prohibits a number of activities. It bans, for example, transmitting computer viruses from a users’ computers (22947.3(a)(1)), using a computer as part of a denial of service attack ((a)(3)), and presenting an option to decline installation of software when selecting that option will in fact cause software to be installed nonetheless ((c)(1)). These are surely bad actions. But they’re all prohibited under existing law — fraud, unfair trade practice, computer fraud and abuse act, etc. When investigators, lawyers, and researchers have tracked down bad actors using these methods in the past, they’ve proceeded with suit, with considerable success. (See e.g. Melissa virus writer’s jail sentence.) So we don’t need SB1436 to address these outrageous activities.


A Claria drive-by download prompt -- allowing the user to press 'Yes' and have software installed, without first seeing Claria's license agreement.A Claria drive-by download prompt — allowing the user to press ‘Yes’ and have software installed, without first seeing Claria’s license agreement.

In contrast, SB1436 fails to speak to the truly controversial activities — many of them arguably “borderline” — that have actually been used by major players in the spyware space, whose installed user counts now reach into the tens of millions. Consider Claria’s 5,500 word license agreement. As presented in Kazaa’s installer (screenshots), Claria’s license is 20% longer than the US Constitution, and it requires 56 on-screen pages to view in full. Or, consider Claria’s drive-by installer (screenshot), where a user can press “Yes” without ever even seeing Claria’s license. More recently, Claria’s drive-bys have begun to show users the Claria license — but only after the user presses Yes, and only after the software is installed! What should we make of such installation practices? Has a user really “accepted” Claria’s software when the user receives unhelpful, confusing, and/or untimely disclosures? Even if the user is a minor? Even if the user mistakenly thought Claria’s software was necessary to view the web page that triggered the drive-by? Some courts may think that pressing “Yes” indicates assent — no matter the circumstances, no matter how one-sided the terms presented, and for that matter even if the terms weren’t actually presented (but were merely linked to). But I don’t think that’s a necessary conclusion, given the length and presentation of the supposed agreement.

SB1436 had an opportunity to address these deceptive installation tactics by clarifying standards for notice and consent. Indeed, the first draft of SB1436 (dated February 19, 2004) addressed Claria’s tactics directly: “‘Spyware’ means an executable program that automatically … transmits to the provider … data regarding computer usage, including … which Internet sites are or have been visited by a user” — exactly what Claria does. The February draft went on to set out various requirements and disclosure duties, even including a minimum font size for disclosure. That’s not to say the February bill was perfect — certainly there was more fine-tuning to be done. But it sought to establish disclosure duties for all companies transmitting information about users’ online browsing — not just a few outrageous outliers who send viruses.

Unfortunately, SB1436’s initial comprehensive approach somehow got lost between the February draft and the August revisions. A recent RedHerring article claims the bill was “gutted” by “the well-heeled and influential online advertising lobby.” Claria’s chief privacy officer recently stated that he had “met with the staffs of members who have proposed legislation” — though not mentioning any special efforts to modify the bill. Whatever Claria’s role, even a quick reading shows that the revised bill won’t affect Claria’s current practices.

Meanwhile, Claria gets to go on record not only supporting the law, but perhaps even complying with it from its first day in effect. Claria can now claim the implicit endorsement of California law: After all, if California passed a spyware law, and Claria complies, then (the logic goes) Claria must be a legitimate business that consumers and advertisers should happily do business with. But the truth is not so simple: Claria’s deceptive installation methods continue, tricking tens of millions of users into receiving Claria software without truly understanding what they’re getting into.

A better spyware bill would address the subtleties of Claria’s methods — would address lengthy, confusing licenses, and licenses shown only after supposed consent. Interestingly, some of the pending federal legislation speaks to disclosure requirements for programs like Claria. The federal bills are far from perfect. But they at least seek to address the harms, like Claria, that actually plague millions of users day in and day out. More on the proposed federal legislation next month.

Posted on

Pick-Pocket Pop-Ups

I’ve been writing for months — years! — about unwanted programs, installed on users’ PCs, that show users extra pop-up ads. There’s been lots to write about: The actual ads shown (WhenU’s and Gator’s), whether users grant meaningful consent (especially in the face of lengthy licenses), privacy (and possible privacy violations), and online marketing methods (like search engine spamming) sometimes used by companies in this space.

Today I present research about another problem, quite distinct from pop-ups: Programs that tamper with affiliate commissions. Call them stealware, thiefware, or even “pick-pocket pop-ups” (a term recently coined by Kenn Cukier), but their core method is surprisingly simple: Stealware companies join the affiliate networks that merchants operate — networks intended to pay commissions to independent web sites that recommend the merchants to their visitors. Then when users browse to targeted merchants’ sites, the stealware programs jump into action, causing merchants’ tracking systems to think users reached the merchants thanks to the stealware programs’ efforts.

Stealware raises several major policy concerns. For one, merchants risk throwing away money — paying commissions when none are due, increasing their costs, and ultimately raising prices for everyone. For another, legitimate affiliates lose commissions when stealware programs overwrite their tracking codes with stealware programs’ own codes. Finally, stealware puts affiliate networks (like LinkShare and Commission Junction) in a truly odd position: If the networks enforce their rules and remove stealware programs from their networks, then the networks shrink and receive smaller payments from merchants.

I’ve begun my research in this field with a particular program that I believe to be the largest and most prevalent of those that specifically seek to add and replace affiliate commissions: Like Gator and WhenU, Zango (from 180solutions / MetricsDirect) monitors users’ activities and sometimes shows popup ads (though 180’s ads are particularly large, often covering the entire browser window). But the real news is that Zango frequently sets and replaces affiliate tracking codes — as to some 300+ major merchants, using at least 49 different affiliate accounts and scores of redirect servers.

Much of Zango’s affiliate code replacement lacks any on-screen display. As a result, ordinary users (not to mention merchants’ testing staff) are unlikely to notice what’s going on. Where possible, I’ve captured Zango’s behavior with screenshots and videos. As to the rest, I’ve used my trusty network monitor to inspect the raw transmissions passing over my Ethernet wire.

Details:

The Effect of 180solutions on Affiliate Commissions and Merchants

Posted on

What Advertisers Use WhenU?



Advertisers Using WhenU

Ever wonder who advertises on WhenU? A few reporters have tried to figure this out but have been stymied: Few companies care to talk about their use of Claria or WhenU. (WSJ [paid registration required], BusinessWeek).

So I thought I’d put together a list of all of WhenU’s current advertisers — all the companies showing graphical ads (not just sponsored link text) on WhenU’s system. There are 234 distinct advertisers, by my count. The biggest advertisers (by advertisement count) are Priceline (51 ads), J.P. Morgan Chase (43), Casino On Net (37), Verizon (28), Orexis (24). Major advertisement categories:

Gambling, Betting and Bingo 327 advertisements 49 advertisers
Loans 263 advertisements 35 advertisers
Travel 213 advertisements 21 advertisers

Further down the list, 102 ads for insurance, 99 for sexual health (mostly Viagra and similar products) and even some ads for online psychics and online cigarette sales.

All the details, and thousands of advertisement thumbnails, are in:

Advertisers Using WhenU

Posted on

Utah Spyware Control Act On Hold updated July 7, 2004

Today brought closing arguments in WhenU.com, Inc., v. The State of Utah.

After closing arguments, Judge Fratto granted WhenU’s Motion for Preliminary Injunction, enjoining current enforcement of the Spyware Control Act. Ruling from the bench, Judge Fratto stated that he was not persuaded that WhenU had satisfied the requirements of showing a substantial likelihood of prevailing on the merits of its constitutional challenge as to the spyware provisions of the Act, but that WhenU had satisfied such showing regarding the context-triggered pop-up ads provision. Nonetheless, Judge Fratto enjoined enforcement of the act in its entirety. See transcript of ruling.

For my perspective on the factual portion of the hearing, June 10-11, see Report from WhenU v Utah.

Posted on

Report from WhenU v Utah updated June 13, 2004

In April I mentioned WhenU’s suit against the state of Utah, challenging Utah’s recent Spyware Control Act. Oral argument took place yesterday and today as to WhenU’s motion for preliminary injunction.

Consistent with case filings, WhenU claimed that the company cannot reliably determine which users are in Utah and which are elsewhere. However, documents presented in the hearing showed that WhenU offers its advertisers the service of showing their ads only in particular locations, including in particular states.

Counsel for the state of Utah also asked WhenU’s CEO about WhenU’s display of advertising for online gambling and for online liquor sales. My testing demonstrated that WhenU shows such ads in Utah, but longstanding Utah law is thought to prohibit these ads. So WhenU will have to develop — arguably, already should have developed! — systems to avoid showing these ads in Utah. WhenU has criticized the Spyware Control Act, claiming that compliance would be difficult and costly. But WhenU must satisfy Utah’s gambling and liquor laws independent of the Spyware Control Act. So much for the purportedly high burden of Utah’s spyware regulation.

In my own oral testimony, I explained the methods of installation and operation of spyware. In one notable section, I showed videos of WhenU software installed via drive-by downloads with defective license agreements, such that even when a user requested to view WhenU’s license agreement, the license was not available.

Details in WhenU.com, Inc., v. The State of Utah – Case Documents. The hearing will conclude on June 22, 2004, and the Court’s decision is expected thereafter.

Posted on

Dell’s Spyware Puzzle updated June 9, 2004


Dell Ad Displayed using ClariaDell Ad Displayed using Claria

Lots of companies have a puzzling relationship with spyware. For example, a recent eWeek article pointed out the complexities in Yahoo!’s relationship with Claria: My research of last year found that yahoo.com is the the single most targeted domain of the many thousands Claria targets with its context-triggered popups. More recently, Yahoo! released a toolbar that uninstalls Claria software. These facts suggest that Yahoo! would dislike Claria and would actively oppose Claria’s activities. Nonetheless, Yahoo! remains a major supplier to Claria (via Yahoo!’s Overture sponsored link service, which reportedly provides 30% of Claria’s revenue, per Claria’s S-1 filing).

Even more puzzling, Dell both suffers from spyware and receives web traffic from Claria’s advertising services. In recent comments to the FTC (PDF page 70), Dell’s Maureen Cushman reported that spyware is Dell’s “number one call driver” as of late 2003, and that spyware is responsible for as much as 12% of calls to Dell tech support.

Nonetheless, my testing shows that Dell UK ads run on the Claria ad network. See the ad shown at right (among several other ads also from Dell UK), which I received while viewing the IBM.COM site. My further testing indicates that Claria shows several Dell UK ads when users visit the sites listed below (perhaps among others). (Note that users might have to visit particular parts of the sites listed here — i.e. the computers section of amazon.co.uk, not just other parts of the Amazon site.)

ebay.co.uk
hp.com
msn.co.uk
apple.com
amazon.co.uk
ibm.com
kelkoo.co.uk		 bt.com
pricerunner.com
dabs.com
dealtime.co.uk
johnlewis.com
dooyoo.co.uk
comet.co.uk		 ebuyer.com
pcworld.co.uk
dixons.co.uk
acer.co.uk
abrexa.co.uk
sony.co.uk
simply.co.uk		 priceguideuk.com
toxiclemon.co.uk
packardbell.co.uk
microwarehouse.co.uk
evesham.com
toshiba.co.uk		 cclcomputers.co.uk
morgancomputers.co.uk
timecomputers.com
sony-cp.com
europc.co.uk
empiredirect.co.uk

Dell staff tell me that the ads were unauthorized, placed by an affiliate without Dell’s permission. My inspection of the ads (and their link destinations) is consistent with this claim. But my inspection of Claria configuration files further suggests that the ads ran on the Claria network since at least February 6, 2004 — some four months ago. Why didn’t Dell notice this problem until I brought it to their attention?

If this is just a glitch, what procedures could Dell (and other companies) implement to make sure their ads are placed through only authorized channels? I’d be honored to work with interested advertisers to think through the possibilities for automatic or scheduled monitoring, testing, etc.

A note on my research methods: In May-June 2003, I offered a Gator real-time testing service that reported, on request, which ads (if any) targeted a given web site. I have subsequently disabled this site, so it provides only archived data. But I can still provide current Gator targeting data upon request. Interested readers, please get in touch by email.

Posted on

WhenU Security Flaw

Every program installed on users’ PCs exposes users to potential security risks — for any program can contain design flaws that let attackers take control of a user’s computer. But experience shows some kinds of programs to be far more risky than others. Frequent readers of my site won’t be surprised to learn that software from WhenU, distributed on WhenU’s own web site until mere weeks ago, is among the programs with security vulnerabilities that let attackers take over users’ PCs.

For details, see my new WhenU Security Hole Allows Execution of Arbitrary Software. I explain the specific WhenU software found to be vulnerable, and I show what an attacker would have to do to take advantage of the vulnerability.

Among advertisement-display programs, WhenU is not alone in its security vulnerabilities. Earlier this year, researchers from the University of Washington found similar vulnerabilities in software from Claria and eZula. (See their Measurement and Analysis of Spyware in a University Environment (PDF).)

Before releasing this research to the public, I alerted WhenU staff to the flaw in their software. WhenU staff acknowledged the security risks of the software I identified — saying the program was “obsolete” and claiming it was taken out of public distribution in September 2002, even as it remained on WhenU’s ordinary public web site until I brought it to their attention. In any event, my testing indicates that the vulnerable code has now been removed from WhenU’s site, and that vulnerable software installed on users’ PCs has been patched via WhenU’s auto-update system.

I’m releasing this research in preparation for tomorrow’s hearing entitled “Who Might Be Lurking at Your Cyber Front Door? Is Your System Really Secure?,” convened by the House Committee on Government Reform‘s Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census. Spyware poses serious security risks of which users and policy-makers should be aware.

Posted on

WhenU Breaks Its Privacy Promise

In July 2003, I noticed — and shortly notified WhenU — that WhenU’s software transmits to its servers the URLs that users visit, and that it does so every time it shows a user an ad. What’s the big deal? WhenU’s privacy policy said it wouldn’t do this: “URLs visited … are not transmitted to whenu.com or any third party server.” Many of WhenU’s software installers carry an even more explicit, but equally false, statement: “… does not track, collect or send your browsing activity anywhere.” What did WhenU do in response to my notification? Nothing, so far as I know.

Fast-forward eight months. I mentioned WhenU’s privacy violation in my FTC comments (PDF), and an FTC workshop speaker mentioned it (citing me) in his oral comments, with WhenU’s CEO and counsel present in the room. What did WhenU do? Again, nothing, so far as I know.

But this past Friday, I released to the public my new WhenU Violates Own Privacy Policy. I’ve revised my research of last summer and this spring — explaining things a bit more clearly, better tracking the duration and scope of the violation, and adding formatting to make the work easier to read. What did WhenU do? This time, finally, WhenU changed its privacy policy, to better describe its actual practice. But WhenU only made the change in some places — namely only on its web site, but not in the installer screens users look at as they decide whether or not to install WhenU software. So even today, as users install WhenU software, they are told — falsely — that WhenU doesn’t track, collect, or send their browsing activity. (screen-shots)

This is a troubling situation: For one, there’s the ten month lag between the violation first being brought to WhenU’s attention, and WhenU doing anything to even begin to address it. Then there are the thirty million users who reportedly run WhenU software. As users installed WhenU’s programs, WhenU promised not to send or track which URLs they visited. Instead, WhenU sent this information all along, and even continues sending it this very minute. Can WhenU correct the violation merely by changing its privacy policy web page?

Details, including HTTP logs and screen-shots, are in my WhenU Violates Own Privacy Policy.

Posted on

Research on WhenU Search Engine Spamming, and Its Consequences updated May 22, 2004

Today I released an article documenting at least thirteen web sites operated with WhenU’s knowledge and approval (if not at WhenU’s specific request) that use prohibited methods to attempt to manipulate search engine results as to searches for WhenU and its products.

Some of these cloaking sites do offer information about WhenU, but their genuine information is interspersed with a mix of gibberish as well as with articles copied, without attribution of any kind, from the New York Times, c|net, and others. Meanwhile, most or all of the sites were registered with invalid whois data — most registered on the same day through the same registrar, but to five different names with five different gibberish email addresses in four states. The details:

WhenU Spams Google, Breaks Google ‘No Cloaking’ Rules

Sound too weird to be true? It turns out these behaviors are part of a practice called “search engine cloaking” — designed to make search engines think a site is about one subject, when in fact the site redirects most visitors to totally different content. The situation is complicated, and the easiest way to understand it is to read my article, complete with HTTP transmission logs and annotated HTML code.

Meanwhile, Google’s response was swift: I notified Google of the cloaking infractions on Sunday, and WhenU’s sites were removed from Google by Wednesday. Try a Google search for “whenu” and see for yourself: You’ll get critics’ sites and news coverage, but not www.whenu.com itself.

In subsequent research, I also found that WhenU has been copying news stories from around the web, without any statement of license from the respective publishers. See WhenU Copies 26+ Articles from 20+ News Sites. After I released this article, WhenU deleted the article copies from the dozen WhenU sites on which they had been posted. Fortunately, I kept plenty of screenshots. Meanwhile, at least one affected publisher has confirmed that the copies were unauthorized.

These aren’t WhenU’s only controversial business practices. For one, there’s WhenU’s core business — showing context-triggered pop-up advertisements that cover other companies’ web sites, without those sites authorization, a subject which has brought on extensive litigation. In addition, I previously discovered that WhenU violates its own privacy policy. In its privacy policy (as it stood through May 22), WhenU tells (told) its users that “URLs visited … are not transmitted to whenu.com or any third party server.” WhenU’s software installers continue to say the same, sometimes even more explicitly (“does not track, collect or send your browsing activity anywhere”). But my research indicates otherwise — that WhenU transmits to its servers the specific web pages users visit, and that it makes these transmissions every time users see WhenU advertisements. Details, including HTTP logs and screen-shots, are in my WhenU Violates Own Privacy Policy.