Language Selection

English French German Italian Portuguese Spanish

Giving New Meaning to 'Spyware'

Filed under
Security

Supreme Court Justice Potter Stewart famously said that he couldn't define obscenity, but that he knew it when he saw it.

The same has long been the case with spyware. It's not easy to define, but most people know it when parasitic programs suck up resources on their computer and clog their browsers with pop-up ads.

Recognizing that one person's search toolbar is another's spyware, a coalition of consumer groups, ISPs and software companies announced on Tuesday that it has finally come up with a mutually agreeable definition for the internet plague.

Spyware impairs "users' control over material changes that affect their user experience, privacy or system security; use of their system resources, including what programs are installed on their computers; or collection, use and distribution of their personal or otherwise sensitive information," according to the Anti-Spyware Coalition, which includes Microsoft, EarthLink, McAfee and Hewlett-Packard.

The group hopes the definitions will clear the way for anti-spyware legislation and help create a formal, centralized method for companies to dispute or change their software's classification.

"One of the biggest challenges we've had with spyware has been agreeing on what it is," said Ari Schwartz, associate director of the Center for Democracy and Technology, which has led the group's work. "The anti-spyware community needs a way to quickly and decisively categorize the new programs spawning at exponential rates across the internet."

The lack of standard definitions of spyware and adware has doomed federal and state legislation and hampered collaboration between anti-spyware forces.

In a colloquial sense, spyware is used to refer to a whole range of programs, including unwanted browser toolbars that come bundled with other downloads, surf-tracking software that generates pop-up ads, and software that tries to capture passwords and credit-card numbers.

Software companies like Claria, which distribute their pop-up advertising software by bundling it with free programs such as peer-to-peer software, adamantly deny their products are "spyware." They point out that users can usually find a definition of the programs' effects deep in the user agreement.

It is unclear what effect the new definitions will have on current anti-spyware programs, such as Lavasoft's Ad-Aware and Microsoft's free AntiSpyware tool.

Recently, Microsoft downgraded the default program action for Claria's software from "Remove" to "Ignore," which prompted widespread criticism.

Microsoft responded by saying that it had changed the handling of "Claria software in order to be fair and consistent with how Windows AntiSpyware (beta) handles similar software from other vendors."

Microsoft is in negotiations to buy venture-capital-backed Claria, according to The New York Times.

Ben Edelman, the country's foremost spyware researcher, questions whether the new definitions are simply there so that adware companies can find a way to get a stamp of approval for their software.

"From the perspective of users whose computers are infected, there is nothing hard about (defining spyware)," Edelman said. "If you have adware or spyware on your computer, you want it gone.

"Maybe the toolbar is Mother Theresa, but it's Mother Theresa sitting in your living room uninvited and you want her gone also," Edelman said. "You don't need a committee of 50 smart guys in D.C. sipping ice tea in order to decide that.

"The question is, what do you want to do with it? If you had a consensus of 100 computer-repair technicians or Bill Gates himself, what would they say to do?"

By Ryan Singel
Wired News

More in Tux Machines

ImageMagick Security Bug Puts Sites at Risk

  • Open Source ImageMagick Security Bug Puts Sites at Risk
    ImageMagick, an open source suite of tools for working with graphic images used by a large number of websites, has been found to contain a serious security vulnerability that puts sites using the software at risk for malicious code to be executed onsite. Security experts consider exploitation to be so easy they’re calling it “trivial,” and exploits are already circulating in the wild. The biggest risk is to sites that allows users to upload their own image files. Information about the vulnerability was made public Tuesday afternoon by Ryan Huber, a developer and security researcher, who wrote that he had little choice but to post about the exploit.
  • Huge number of sites imperiled by critical image-processing vulnerability
    A large number of websites are vulnerable to a simple attack that allows hackers to execute malicious code hidden inside booby-trapped images. The vulnerability resides in ImageMagick, a widely used image-processing library that's supported by PHP, Ruby, NodeJS, Python, and about a dozen other languages. Many social media and blogging sites, as well as a large number of content management systems, directly or indirectly rely on ImageMagick-based processing so they can resize images uploaded by end users.
  • Extreme photo-bombing: Bad ImageMagick bug puts countless websites at risk of hijacking
    A wildly popular software tool used by websites to process people's photos can be exploited to execute malicious code on servers and leak server-side files. Security bugs in the software are apparently being exploited in the wild right now to compromise at-risk systems. Patches to address the vulnerabilities are available in the latest source code – but are incomplete and have not been officially released, we're told.

Canonical to Offer Snappy Ubuntu 16 Images for Raspberry Pi 2, DragonBoard 410c

As you may know (or not), the Ubuntu Online Summit for Ubuntu 16.10 (Yakkety Yak) is taking place these days, between May 3 and May 5, on the Ubuntu On Air channel, where the Ubuntu devs are laying down plans for the future. We've already reported the other day that the next major release of the popular Linux kernel-based operating system, Ubuntu 16.10, which has been dubbed by Canonical and Ubuntu founder Mark Shuttleworth as Yakkety Yak, won't ship with the long-anticipated Unity 8 desktop interface as the default session. Read more

Beautiful Simplicity Linux 16.04 OS Arrives, Based on LXPup and the LXDE Desktop

The guys over at Simplicity Linux, a simple and beautiful GNU/Linux desktop-oriented operating system, have had the great pleasure of announcing the release of Simplicity Linux 16.04. Simplicity Linux 16.04 is distributed in three main editions, namely Desktop, X, and Mini. The distribution has been in development for the past three months, since February, when it was initially released as Simplicity Linux 16.01. Read more

Wine Staging 1.9.9

  • Wine Staging 1.9.9 Released for GNU/Linux with Small Improvements and Bug Fixes
    The Wine Staging team has announced the release and immediate availability for download of Wine Staging 1.9.9, which comes hot on the heels of Wine 1.9.9, a development snapshot released last week.
  • Release 1.9.9
    Wine Staging 1.9.9 was released yesterday. This updates brings some smaller improvements.
  • Wine-Staging 1.9.9 Shipped Some Patches To Mainline, Cleaned Up Other Code
    Wine Staging, a playground for experimental Wine patches not yet ready to be accepted to the mainline tree, is out with their newest release that's powered off last week's official Wine 1.9.9 release. Over the past two weeks, Wine-Staging developers spent time cleaning up some of the patches they were carrying in and got them merged to mainline. For v1.9.9, they were able to mainline more than thirty of their patches that they'll no longer need to carry in this experimental tree. They also dropped their libcef system call workaround for Steam now that there's a command-line switch to workaround the CEF sandboxing.