Clueless about cookies or spyware?
Eugenia Loli 2005-02-03 Privacy, Security 33 Comments

Spyware-removal tools are a fairly new commodity from Internet service providers, but some of the software may confuse people as much as it protects them, critics say.

2005-02-03 6:03 am
also included on the list are advertising system “cookies”–bits of code used to monitor people’s response to online ads or regulate their frequency. EarthLink itself systematically distributes cookies to keep track of consumers.

tracking visitors. domain names like cybermonitor.com, track.whateveradvertisingagency.com… come on, we are human beings, not animals, no herd to be culled by the dozen, no Jewish or Gipsy to be tattooed an id number on the arm in extermination camps. so yes, while most spyware-removal tools are written to remove spyware and some pests like trojans, privacy is important too and it is ok to warn and educate users that cookies (just a tool anyway) can range from harmless and necessary to some web sites, to abusive and can be even stolen in phishing attacks.

2005-02-03 6:12 am
It just occurred to me that all of the big internet carriers (telecoms and ISPs) should maybe be making a bigger effort to protect the internet from spyware, zombie pc’s, viruses, etc. than they currently are. For the great masses of compromised machines connected to the internet causing everyone grief, Microsoft gets bashed constantly for not doing enough. But it is the ISPs who are allowing all of those boxes to be connected to the internet in the first place and I think they could do a lot more to educate and equip hapless end-users whom they are selling services to.
Most ISPs now provide spam filtering for email but they could also enforce all home-user clients to have some sort of firewall, anti-spyware and anti-virus installed before they are even permitted to connect to the internet at large so that they aren’t a menace to the rest of us. I think a lot of that process could be pretty much automated without undue effort and these basic defenses should be provided, perhaps even mandatory, to any home user who buys internet access. I’m not trying to deflect blame from Microsoft for their shortcomings at all here, but I just wonder if more people should be directing their anger at ISPs instead to make them take more responsibility for what goes on in their own network domains and affects everyone else on the internet. After all, many Windows users are still too helpless to look after their own machines properly (obviously) and it seems like their ISPs really couldn’t care less about it. I would like to see them doing more. A LOT more.

2005-02-03 7:32 am
Some ISPs will block traffic from known worms/viruses in their routers, but that’s about all they seem willing to do. At least AOL is starting to include virus scanners and such tools built into their software packages. Part of the problem, though, is that most ISPs understand that you’re going to connect almost anything to their network. Customers have Linux, Windows, MacOSX, and obscure hardware devices. All that stuff works differently and has different vulnerabilities. If they forced you to use Windows and scanned for compliant systems, their customers would (rightly) scream bloody murder. If they banned Windows, it’d be just as bad. If they sent a tech to everyone’s house once a month there’d be screams of privacy, convenience, and of course it’d cost a ton.
I’m really not certain what they can do about it short of providing free spyware removal tools and maybe sending out the odd paper newsletter to their customers (since the electronic one would just be lost in a sea of spam, ironically). Much more than that and they start having to lock down their connections in such a way that it almost negates the usefulness of being on the network in the first place.

2005-02-03 8:24 am
Well, for one thing, ISPs could diversify their services structure based on what the end-user connects to their networks. A standard Windows client network connection (probably 80-90% of all their connections in many cases) could be price discounted if the ISP was permitted to provide some basic automated protection of it with a standardized service package. For a carte blanche connection that is totally unregulated, for whatever reason, it should cost more. I’m sure some sort of balanced cost structure could be worked out one way or another. I don’t buy the argument that the ISPs are helpless to do anything more at all. That’s just a cop-out. Forcing the ISPs to act would be more productive than banging Microsoft on the head for the legions of ignorant users it has absolutely no control over, IMHO.

2005-02-03 8:37 am
1) “”Cookies are so common,” said Richard Smith, a privacy and security consultant. “Unless they make it clear that this is not as bad a threat as these other things like keystroke loggers, it gets people worried for no reason.””

Just because something is common doesn’t make it right. Spyware is common and it sure is not right. The argument of popularity doesn’t hold water.
____________________________________________________________
2) “”As the threat of malware has grown, it has become increasingly challenging for ISPs, lawmakers and security experts to pin it down.

There is enough government regulation to choke a horse. Regulation will only get in the way of having the problem fixed. Technology created the problem.
Technology should fix the problem. Think about the Can Spam Act. It has actually increased global spam from 60 to 80 percent of worldwide email. The Can Spam Act has made some sort of spam legitimate.”
____________________________________________________________
3) “”It typically slips onto a person’s machine unnoticed as a scantly disclosed add-on with other popular applications, such as file-sharing software, or via browser security vulnerabilities.””

Browser security is a major concern. The concept of shipping an OS and applications secure by default should be a de facto standard. As for file sharing: You should know what you are downloading before you click that button. Now as for the music / entertainment industry, booby-trapping music files with spyware and circumventing home users’ PCs is criminal. People do use p2p for legitimate purposes, such as speeding up downloads. Some music sites do offer free download on copyrighted material. And just to offer an explanation of why booby-trapping a music file is illegal will be illustrated here: Think about someone who wants to explore a computer system, of course not intending harm. What do you think the courts do when such a kid is caught? He is charged with damage to the network.
a) Stealing processor time.
b) Stealing bandwidth.
c) General havoc and causing the sys admin to audit every file and potentially reinstall the OS because of potential back doors that might be left behind. This also creates more down time for the server.
These rules have been applied in court numerous times with severe penalties. These same rules should apply to the music and video industry for using the same tools that the crackers use. Is this somewhat hypocritical? Well, this legislation has already existed and the current laws are more than sufficient. Piracy is a crime.
____________________________________________________________
4) “Spyware denies people reasonable control over the application–the ability to easily uninstall it, for example. And, as its name implies, it typically spies on people while they’re surfing the Web. It can collect passwords, bank statements and other personal data, down to the keystroke.”

See my statements above. This is already a crime based on previous legislation. It just must be applied in courts as such.
____________________________________________________________
5) “”But most advertising network cookies are much more for providing feedback to advertisers about how their ads are performing,” and historically that’s only been a disappointment to the advertisers, he said.”

When people take surveys, they are compensated. People are giving their information in exchange for financial reward. Loading tracking cookies without the user’s permission and tracking their behavior is not acceptable. Do these cookies prevent other sites from reading those cookies? No. So, other sites can use those cookies and the effect just spirals onward. Why should a user be a bastion of marketing information to corporate America? Yes, you can set some browsers to accept cookies and reject others or put in manual mode and get prompted on every cookie request. How much time is wasted on clicking “ok” or “no/cancel”? You are flooded with pointing and clicking just to do some basic reading. Remember: For those old enough to remember: The web was NOT founded on commercial interests. Its foundation is academia. For the record, I have no issues with capitalism. I believe in free markets. However, I do have issues when it comes to invasion of one’s own privacy. This would be the crux of the issue. Just my humble opinion.
2005-02-03 11:11 am
Little Joe wrote:
A standard Windows client network connection (probably 80-90% of all their connections in many cases) could be price discounted if the ISP was permitted to provide some basic automated protection of it with a standardized service package. For a carte blanche connection that is totally unregulated, for whatever reason, it should cost more. I’m sure some sort of balanced cost structure could be worked out one way or another.

Surely that could also be interpreted as penalising customers that choose to not use Windows systems. Or are ISPs, under your proposal, supposed to be able to “regulate” non-Windows connections?

I don’t buy the argument that the ISPs are helpless to do anything more at all. That’s just a cop-out.

What equipment would you propose ISPs start to use? Let’s presume for a moment, that our imaginary ISP is using Cisco equipment, or similar (quite likely). How would you propose that the ISP regulates and inspects (and decrypts) all IP traffic (TCP or UDP) to and from all their customers that choose to sign-up to this potentially restrictive service? I ask you, please at least understand how networks work, not just how Windows works, before making such daft suggestions.

2005-02-03 12:13 pm
i know people dislike it when such sweeping statements are made. but this is an extremely good example for ditching windows. it is severely broken and such large problems as this are a direct result of its shocking engineering.

2005-02-03 1:42 pm
Here’s a thought: all the nice people running spyware on my computer are in fact using my system’s resources to further their application although I did not want that, right?
So, to emulate our most successful societal leeches, the lawyers, let’s look at this from a revenue perspective: since the software which I did not ask for and do not want is running on my system thereby consuming resources and gathering valuable data, I contend that I am entitled to a consultancy fee for providing the information and services consumed by the spyware on my computer. I will start by charging $475.67 dollars per hour per spy/malware application. So, the only thing we need to do is find the vermin that install this stuff on my machine [and then I mean the original content creators, not the zombies they make out of unsecured machines, although the smart guys among you are going to make just this claim] and just invoice them. When they do not comply, and of course they won’t, you then sue them and lay claim to their assets. While the suit is pending they cannot use their assets to further their goals. They put Capone in the can for cooking the books, not for all the other crimes he committed or had committed. “it’s not sexy but it’s got teeth” [The Firm] Tom Cruise to Ed Harris -their respective characters, of course-. This way you could annoy the spam/malware purveyors no end and tie them up in court for donkey’s years. And, be serious, if you’ve been a victim of this kind of practice, isn’t that a very sensible and just course of action for all the grievance you’ve been put through? I knew you’d agree.

2005-02-03 1:51 pm
I used to work in tech support for an ISP before the days of spyware .. I couldn’t even imagine what it’s like now. From my viewpoint, it would be hard for an ISP to provide much in the way of education. Why? Because if you were to, for example, recommend in a mass email that customers stop using Internet Explorer and download/install another browser such as Firefox, you would probably get 10,000 phone calls from people going “How do I do that?”, or when they hit the first page that requires a plugin they don’t have.
2005-02-03 1:58 pm
Please, keep ISPs out of my computers. If you will not care about configuring a simple firewall and controlling what programs you use, you’ll have problems. Period. Don’t ask about an ISP inspecting network traffic and/or forcing a compulsive installation of ‘security’ programs because you are lazy. Would you trust your ISP to judge what packet is fine and secure and what one isn’t, or what program is inoffensive and what one is harmful? What happens if your ISP ‘spyware detector’ decides that ‘Gaim’ is insecure because it has some vulnerability and instead forces you to install ‘MSN Messenger’?

2005-02-03 2:19 pm
i would happily run code (on linux/bsd even) which pretended to be spyware and reported false and distorting information back to the collectors. thus rendering their databases useless.

2005-02-03 2:21 pm
How about the government? Maybe they should decide what’s best for all of us. Maybe they should tell us which pages we can and can’t go to. That would make us all safe and cozy. The world is scary when you don’t have other people protecting you all the time, and we all know that the government has our best interests at heart. Get real. Users will find ways to f0x0r their machines faster than any ISP could patch holes. A testament to this is the number of people who can’t handle running norton/mcafee/whathaveyou – they install it, “set it and forget it” and then scream bloody murder when their anti-v or firewall block access to the intarweb. There’s a special place for people like this — it’s called AOL. People there probably bitch and moan that half of their services are off, anyhow. “I wanna run kazaa, and my own mailserver, I want ports 135-139 open, and I DON’T want you folks letting ANY HACKERS through!”

2005-02-03 2:32 pm
Just so folks are aware, at least 1/3 of all “spyware” (a stupid name if there ever was one) is VOLUNTARILY installed by oblivious end users. “Oh yes, I love my bonzi buddy, and hotbar is so cool.
I adore how nice gator makes my life, and oooh, Comet Cursor is great! Oh, why the hell is my connection so slow? I’m getting the error “IEXPLORE has encountered an error and needs to shut down” all the time these days — IS THE SERVER DOWN????” As the old saying goes – you can lead a horse to water, but you can’t make it drink.

2005-02-03 2:37 pm
I know it’s a bad thing to say you love something that mostly everyone hates. But I do love that software that slows down your pc to a crawl. I moonlight on the side fixing people’s pcs. The number one call, you guessed it. Spyware and malware. Some computers I fix have very little, but most have over 15 running agents in the background and over 1000 files and known directories and registry entries. After some scanning and updating the bill comes to $150 or $200. Not too bad for 3 hours work. No matter how much I try and educate the people about protecting their pc’s they re-infect themselves in no time. Sometimes it’s so bad I have to rebuild the pc. Causing another trip out and another $200 scan and clean. I say things like “Update and scan once a week”. Mostly they have a blank look on their face and shake their heads a lot like they know what to do.

2005-02-03 2:47 pm
they could also enforce all home-user clients to have some sort of firewall, anti-spyware and anti-virus installed before they are even permitted to connect to the internet at large so that they aren’t a menace to the rest of us.

I work in a repair shop. It would be a *very* bad idea to force the common user to have a firewall. We often sell Norton Internet Security to people, and *EVERY ONE* that buys it ends up coming because they completely lock themselves out of accessing the internet. I don’t disagree that something needs to be done. As an extreme, we could just kick 90% of people off of the internet.

2005-02-03 3:09 pm
I was at my neighbor’s house last night…stock Dell desktop, AOL, dialup, spyware, IE, unpatched WinXP Home.
About half an hour later, I had patched their WinXP install, loaded Spybot and AdAware (subsequently removing 100 items) and installed Firefox to plug the hole. My neighbor fell in love with Firefox in only a minute when I showed her all the privacy features, pop-up blocking and tabs. This weekend I may let them join my wireless network if they’re in range. The point to all this is that we can do a lot better job than corporate America in educating the people around us about security and privacy issues.

2005-02-03 3:53 pm
Ummmm … no. I will help my immediate family and a couple of very close friends, but that’s as far as I’ll go. Why? Because once you fix somebody’s PC once, your phone number immediately becomes their tech support hotline by default. I don’t get very many phone calls, but 90% of those I do get are because of computer-related problems. I would just assume that people don’t know I know anything about computers. Hell, at one point, I was getting calls from people I didn’t even know. “Hi, you don’t know me, but I got your phone number from your uncle. I’m having this problem ….”

2005-02-03 4:32 pm
yes – i used to be inundated with friends and relatives and even unknowns asking me to “have a look” at their PCs… yes, the same problem, malwares, spywares, badly programmed desktop toys, corrupted registries, all sorts .. and of course viruses and worms. and then you have anti-virus A fighting anti-virus B, which also clashes with anti-spam C which all clash with pc-clean D. so i ask what they use their PC for. its usually browsing, emailing, sometimes wordprocessing and printing. scanning even! install a FOSS operating system .. with firefox, openoffice, thunderbird … kooka, k3b, if they have to … now… its like the computers in the microwave and the washing machine and the DVD player .. it just works.

2005-02-03 4:45 pm
install a FOSS operating system ..
with firefox, openoffice, thunderbird … kooka, k3b, if they have to …

Nope, won’t do that either – that causes more problems than it solves. For one thing, even with Firefox on Windows, the first time they hit Launchcast or some other lame IE-only page, my phone rings. Plus, there’s always at least one app that’s missing that they swear by, or one piece of hardware that doesn’t work on a *nix OS.

2005-02-03 5:24 pm
I have one solution that will work for the major ISP’s. Stop embracing IE and customize a version of Firefox for your service. Mention the pros and cons of using Firefox with the biggest pro, prevention of spyware. I’d also recommend ISP’s look at Thunderbird as a safe mail client as well. If you’re using a Windows based PC you will get spyware due to IE’s lack of security. It’s not the ISP’s problem but they can help. Microsoft is the real problem here.

2005-02-03 6:05 pm
“we could just kick 90% of people off of the internet.”

So, since about 90% plus users are Windows users, and since Internet Explorer is about the biggest threat to a healthy system as you could hope a target to be using, do you mean to say that most if not all Windows users should be barred from the net? Just looking to start a flame war, is all.

2005-02-03 9:12 pm
“we could just kick 90% of people off of the internet.”

Too late for that. The Internet is too integral to daily life now. Those who can’t or won’t use it are left behind. OS makers need to be including easy manuals on the basics of Internet security with their products. Yes, that means paying for the paper and printing costs, not just supplying a .pdf that the customer is supposed to print out themselves. They’re the ones who need to be educating the public on security. The average user doesn’t have all day to keep up to date on the latest security threats and fixes. But explaining the basics of it all wouldn’t kill MS or Apple or any of the Linux distributors.
2005-02-04 12:01 am
“What equipment would you propose ISPs start to use? Let’s presume for a moment, that our imaginary ISP is using Cisco equipment, or similar (quite likely). How would you propose that the ISP regulates and inspects (and decrypts) all IP traffic (TCP or UDP) to and from all their customers that choose to sign-up to this potentially restrictive service?”

“I ask you, please at least understand how networks work, not just how Windows works, before making such daft suggestions.”

All I’m hearing are excuses. Is it too much to ask you to adapt your systems and perhaps <gasp> write some software? God, no wonder we’re in this mess right now with that attitude. Besides, I wasn’t talking about packet-level regulation and inspection in any way at all – don’t be stupid. Just confirm that a firewall and anti-virus/anti-spyware is installed and running on the client Windows box when it is connecting to the internet. That’s all I proposed.

2005-02-04 10:01 am
Little joe wrote:
All I’m hearing are excuses. Is it too much to ask you to adapt your systems and perhaps <gasp> write some software? God, no wonder were in this mess right now with that attitude.

You are kidding me, aren’t you? Have you ever actually dealt with routers? Write some software? Just to simplify things for the “average Joe” – we can consider Routers to be “appliances”, just like your microwave oven. You cannot write programmes for them, you can only give them instructions. Only Cisco are allowed to write software for Cisco routers. IOS (the Operating System found on Cisco routers) does not have a development environment. How do you propose we write software for these devices? Or did you think the whole world used Windows Servers for everything?

Little Joe wrote:
Besides, I wasn’t talking about packet-level regulation and inspection in any way at all – don’t be stupid.
Just confirm that a firewall and anti-virus/anti-spyware is installed and running on the client Windows box when it is connecting to the internet. That’s all I proposed.

Since the only information that crosses a network is a load of frames (which contain the packets), then how the hell did you propose for this inspection? Confirmation of a firewall is easy enough using port-scanners. But how is an ISP supposed to check for anti-virus or anti-spyware software? Please tell me, oh wise one. How are ISPs supposed to do this, eh? Dumbass.

2005-02-04 12:13 pm
Not all ISPs are so severely retarded, like wherever you come from, you know… http://www.mytelus.com/ecare/display.do See? Software. My God! Holy sh*t!

2005-02-04 12:33 pm
Software! Bloody hell! I would never have thought of it…. wait, I spy Windows software! You still haven’t answered what is a simple question: Let’s review your original statement:

Well, for one thing, ISPs could diversify their services structure based on what the end-user connects to their networks. A standard Windows client network connection (probably 80-90% of all their connections in many cases) could be price discounted if the ISP was permitted to provide some basic automated protection of it with a standardized service package. For a carte blanche connection that is totally unregulated, for whatever reason, it should cost more. I’m sure some sort of balanced cost structure could be worked out one way or another.

The software you have pointed me to happens to be CLIENT SIDE SOFTWARE. You know, something that the CUSTOMER installs. This will not provide even basic AUTOMATED protection. The ISP will still not have any idea if their customer has installed it. And what if their customer isn’t running a compatible OS? The devices that their customers (either ADSL or Dialup… and in dialup I include ISDN) connect to will not be Windows machines. Please explain to me how an ISP is supposed to ensure their customers are running this software?
Please explain to me how an ISP is supposed to run such software themselves on their routers? Like I have said before: Learn how NETWORKS work before making stupid comments about how ISPs should be doing more work.

2005-02-04 1:13 pm
I’m sorry. I have just thought of one way that an ISP can ensure their customers use their software. Let’s look at AOL, shall we. If you’re using Dialup then you have to use AOL’s dialler, which only runs on Windows and Mac (I’m not sure if it runs on MacOSX). You have to use this software because AOL don’t use standard PPP connections. This way they can ensure their customers are using their software. If all ISPs were to adopt this methodology then, yes, it could be done (for a select few OSs). Each ISP that wished to offer this “service” could write their own protocol and write their own connection software. When doing this, yes, they could include firewalling/anti-virus/anti-spyware routines. However, this would mean that each ISP would have to develop their own protocol suites. Otherwise they would not be certain that their customers were using their software.

2005-02-04 1:17 pm
I guess you didn’t even take a look at the actual features of the Telus package I just pointed you to, but it really doesn’t matter anymore now. This article is soon to scroll off the front page of OSNews, so this will be my last post. I’m not about to sit here and struggle with you over trivial implementation details that any sophomore level computer science student should be able to solve, especially since even that Telus package already shows most of your points to be moot – if you cared to even look, that is. The last word goes to you, buddy. Indulge.

2005-02-04 1:48 pm
So you bloody should do.
I agree that any “sophomore” level computer science student should be able to solve some simple things like installing a firewall for a Windows machine, installing some anti-virus software for a Windows machine and installing some anti-malware software for a Windows machine. Grantedly a second-year student could do these things. But they wouldn’t be able to write software to reside on a router that inspects a user’s PPP traffic to determine whether they are protected or not. That is how an ISP would have to work in order to ensure their customers are being protected. I did have a look at the software that Telus are providing. I found it refreshing that an ISP are actually giving their customers software to combat virii, malwares and crackers. It makes a change from ISPs just “recommending” that you install such softwares. Indeed, I have come across at least 1 British ISP that recommends you don’t install a firewall because it interrupts their services. But that doesn’t negate the point. Any ISP cannot actually enforce this unless they write their own protocols like AOL did. I thank you for pointing out that 2nd year students should be knowledgeable of such things. I certainly hope that my students would be. Actually, I would hope that my students would be able to identify the flaws in your argument since they have had significant exposure to actual routers and know that they don’t run Windows softwares. Have fun in your own little world. Grant.

2005-02-04 2:53 pm
The old “I’m morally superior and more intelligent, therefore I don’t have to back up my indefensible argument” stance. It would help if you had *any* real world experience there, buddy.

2005-02-04 3:11 pm
Who’s that directed to? I have a feeling that’s been directed to me. Let me just explain that I am not disagreeing with Little Joe’s stance wholeheartedly. I do think that ISPs should do more than just “encourage” their customers to take personal Internet protection more seriously.
As I said, I find it refreshing that Telus are doing this. What I am disagreeing with is Little Joe’s statement that ISPs should offer “automated protection” – because it is impractical. I am not trying to say “I am morally superior and more intelligent”. Morals have nothing to do with it. Intelligence has nothing to do with it. Understanding of how ISP’s equipment works is what I am saying. It is not an indefensible argument to say that ISPs are helpless to defend their customers from the ISP end of the connection when it comes to OS specific (ie virii and malware) problems. Crackers using open ports, yes, they can help there very easily. I cannot defend myself against arguments that I have no “real world” experience. It is true that I have never worked for an ISP. But I do deal with the same type of equipment that ISPs use in my classes, so I do understand how they work. I appreciate both their advantages and their limitations. Grant.

2005-02-04 3:54 pm
I think he was responding to Little Joe’s comment. His last comment was the internet forum equal to taking his toys and leaving the sandbox because some other kid won’t admit he was right.

2005-02-05 3:45 am
Yes, I was speaking to Little Joe – his expectations are preposterous, and unrealistic. He’d be better served railing against Microsoft, and demanding that they ship a secure product like so many do.