Google Badware Notification

Google has started showing a notification before it lets you visit a search result known to contain badware. It’s done in partnership with StopBadware.org, whose sponsors include Google, Lenovo, and Sun Microsystems.

So far the feature seems pretty good. I’m sure there will be a few C&Ds trying to get this feature taken down, now that some companies have found their revenue model shattered. To help prevent accidental blacklisting, they have been trying to contact websites that are blacklisted so the owners can try to fix the problem (should they want to). Hopefully that will eliminate or minimize any errors.

I’d venture most people stumble upon these sites one of a few ways:

  1. Spam, or its instant messaging counterpart, Spim. Linking to dubious websites in hopes of generating revenue at a computer owner’s expense.
  2. Search results. The prime situation where a web surfer visits sites out of their ordinary traffic patterns and may fall victim to such practices.

Google just took a big bite out of #2. Gmail/Yahoo/Microsoft/AOL have been working hard on #1. That should really help make the web a safer place… until the next menace takes the web by storm.

SiteAdvisor Spyware Quiz

Site Advisor is running a quiz to see if users can correctly identify sites that ship spyware with their products. A few things crossed my mind while taking the quiz:

The age-old method of knowing if an establishment is legitimate is to ask someone who knows, or rely on reviews. In my case I use Google queries, and got 7/8 (simply because I guessed on the P2P programs presented at the end, because I got lazy and it’s getting late). That proved pretty accurate. Just the site name and “spyware” turned up good results each time. Granted, that’s more technical than most. I know many who limit their downloads to those offered by more trusted sources (recommended by tech mags for example, or included on CD with them). This test doesn’t really reflect those habits accurately, making more people seem vulnerable.

Why do they have an old version of Firefox for the screenshots (I see the update icon)? Don’t they know running the latest version has more security fixes, and will protect them from known and fixed exploits? I’d expect more from them on that one.

Oh yeah, after you’re done taking the test you can see the analysis of the results, but don’t view that if you plan to take the test or you’ll ruin it. But I know you’re all honest and wouldn’t cheat ;-).

Firefox for only $37.95?

SiteAdvisor has an interesting article up on a scam where a site makes people pay to download Firefox. As much as $37.95!

I’ll let you all in on a little secret. For the next 30 x 6.022 x 10^23 days, you can get Firefox completely FREE! No ads, no spyware, and no spam! Just download here.

What’s the catch? Enjoy the internet, and perhaps tell a friend ;-).

Ok, but seriously, it’s pretty sad to see people scamming innocent internet users. Just remember, when you tell people about Firefox, to give them an official URL (getfirefox.com, mozilla.com, mozilla.org), and tell them it’s 100% free.

Firefox Myths?

Someone looking for their 5 minutes of fame (obviously not worth 15 minutes) decided to post some Firefox Myths. It’s an interesting read, though it has a few oddball statements that really don’t make sense.

“Firefox has lower System Requirements than Internet Explorer”

The author omits that meeting the “system requirements” doesn’t make the product usable. They are just the lowest tested environment where the product runs. Windows XP can run on a 233 MHz CPU with 64 MB RAM. It doesn’t include a warning that you’ll throw it against a wall for the poor performance. To use any modern browser you’re going to need more than the minimum specs. Just ask any gamer how accurate the “minimum specs” are.

“Firefox is faster than Internet Explorer”

“Faster” can refer to many things (boot, css rendering, html rendering, large file rendering, UI responsiveness, etc. etc.). Assuming boot time, yes IE is faster considering it boots on startup. I don’t think anyone has calculated what IE would take if it didn’t integrate into the OS. My bet would be Opera is the fastest on Windows.

“Firefox is a secure Web Browser”

This is literally the first time I’ve heard that argument. The closest I’ve heard is “more secure”. Nothing more than a “Hello World” program is secure. Every product has vulnerabilities no matter how good the programmer, and no matter how good the audit on the source code. The question is how easy to detect and utilize are the vulnerabilities. I’d say since you can trick an IE user into trusting an ActiveX object (you can’t do that in Firefox since it won’t use ActiveX), there’s an advantage right there. Social Engineering is a form of hacking. You don’t have to know how to program to hack. The closest Firefox has is Extensions, though they seem to be mainly limited to more advanced users, who tend to be a bit more cautious.

“Firefox is a Solution to Spyware”

See above.

“Firefox is Bug Free”

Ok, I admit I literally laughed at this one. I can’t imagine anyone with any computing experience possibly making this claim. So I’d say the author made this one up. As the author points out it’s impossible for software to be bug free.

“Firefox was the first Web Browser to offer Tabbed Browsing”

Again, something I doubt is really said, especially considering, as Asa notes:

In September of 2001, Dave Hyatt added a tabbed browsing mode to Mozilla. This feature was released in Mozilla 0.9.5 in October of 2001

Yes that’s right. Mozilla (SeaMonkey) had tabs before Firefox was even on the radar. He also notes Netcaptor as being first.

“Firefox fully Supports W3C Standards”

Again, it’s not likely anyone really says that. Anyone who cares enough to even know what W3C Standards are knows how poorly implemented they are. Interestingly, the author omits that IE doesn’t fare too well in most categories of the site the author chose to reference. The author also misreads the statistics:

| Feature | MSIE 6 | Firefox 1.0 | Firefox 1.5 |
|---|---|---|---|
| XHTML 1.0 changes | 58% | 100% | 100% |
| XHTML 1.1 changes | 39% | 24% | 24% |

Notice the word “changes” as the stats author defines it (“not covered in the sections above”). The results are cumulative. You can achieve 100% XHTML 1.1 but still be pretty much nowhere because your XHTML 1.0 is so low. 100% XHTML 1.0 and 24% XHTML 1.1 (Firefox) is more usable than 58% XHTML 1.0 and 39% XHTML 1.1 (IE) for most (if not all) real purposes. Now, to be fair to everyone, the author notes “Percentages only concern the features tested by this resource”. I’m not sure if there is a more thorough analysis than that. If someone knows of one, please leave a comment.

“Firefox works with every Web Page”

This is the topic I have a fair amount of experience with, considering I implemented the reporting tool, and work with the data a bit. Of course the author managed to pull a percentage (15% incompatible) out of its proper context to make the percentage appear to be something static, when in reality, the source the author quotes states:

If Mozilla and the other non-Microsoft browser outfits hold their own or gain share, the 15% of Web sites that aren’t completely compatible with non-Microsoft browsers will come under pressure to design their sites to open Net standards. That way, Microsoft won’t be able to control how content is presented on the Web.

I personally can’t vouch for the accuracy of that number to begin with, so I’ll take it as truth with a grain of salt. I can’t imagine how someone could even arrive at such a number without testing each website on the internet manually (you can’t tell compatibility by machine, since expected output isn’t a quantitative term; you’d need some revolutionary AI to do a task like that). Then you’d most likely need to factor in a site’s relevance. A 12-year-old’s GeoCities website shouldn’t have the same weight as Google, for example (considering each to be 1 website). It’s actually an interesting statement. I’d love to know how WebSideStory (who came up with the stat) actually calculated it. If anyone from WebSideStory is reading, and would be willing to email me a bit more on the topic, I’d love to get a better understanding of the number.

Summary

Overall it was an entertaining read, though I’d question how many really are “myths” and how many are made up “myths” so the author had content to write about. Most of them are highly technical, and anyone who would even mention them would know how ridiculous they are. It’s like a chef believing that Extra Virgin Olive Oil has to be pressed by virgin women (for those wondering, EVOO is actually the first press, regardless of the history of the person who actually does the press).

Sony should compensate for its rootkit fiasco

After this whole mess with rootkits, I’m starting to think Sony should be giving monetary compensation to those affected. Write an app to see if the rootkit was installed, and give a confirmation number. That number should be worth some hard cash, since it appears that the only way to get rid of this giant hole is to completely wipe your hard drive and reinstall your stuff (lots of time, and as we know time = money).

I don’t believe for a second this caught Sony by surprise. They knew what the software did, and how much trouble it can cause the end user. Their business strategy was simply to hope nobody noticed. There’s no way this software was written without an understanding of what it did. Absolutely no chance. Rootkits have been a topic of discussion for some time (mainly related to spyware).

I’d say those affected deserve at least $250 per computer, likely more, considering the best remedy right now is to back up documents, format and reinstall. That will take at least 3 to 5 hours for most people. And for many people who don’t have much experience with this, it will take much longer.

In all honesty, Sony should face some legal consequences for fraud or hacking, since that’s essentially what they did. If a 17 year old can get 17 months for hacking Paris Hilton’s cell phone (the last part of her anatomy not widely available on the internet), and Canada got a kid for 2 years, how could this be worth nothing?

If nothing happens to Sony (which is very likely), the next company to attempt this is going to take it a step further, and it’s just going to get worse. I think CNet’s article has a great title “Who has the right to control your PC?”. Very appropriate.

Update [11/21/2005 @ 1:58 PM EST]: Texas sues Sony BMG over alleged spyware. Thank you State of Texas! I still want users to be compensated though. They are the ones who still get the short end of the stick.

Pavlovian Vulnerability

It seems like Ivan Pavlov’s theory of Classical Conditioning is demonstrated every time I install an extension. You follow the same mindless task of whitelisting the domain so that you can install, then wait for the delay, and install. Restart your browser, and you’re done. It rather quickly gets to the point where you don’t even think about it. Is that a good thing? Is this a bug?

I hope at some point we get to where there’s a secure repository of extensions, ones that have been tested and known to be “evil free” (spyware, adware, virus, etc.). A source of safe and effective extensions that you can use without worry. It would likely be hard to review them all, but at least some could be reviewed: extensions that can be installed easily, and that the user can know are safe.

My objection to the current system is that it does little but block “drive-by downloads”. It requires a few clicks, so you don’t install something by accident. But other than that, what have you prevented? The extension can still be literally anything in the world.

How many end users really understand the risk? How many actually understand the dialog presented by those prompts that we bypass without even thinking about it? I’m guessing most people just view these as annoyances, and still open and install stuff indiscriminately.

The problem with security is eventually people get used to it, and life goes back to normal. It’s something faced by national security experts, as well as programmers. Special security measures are only special when used in a limited way. Otherwise they become the norm. Right now the US threat level is “elevated”. How many people are doing something special as a result of that? Yea, most are just living their normal lives. Does this “elevated” level serve a purpose (other than PR)?

The big question is how do you clearly distinguish between safe, and unsafe to end users? I’d love to hear some comments on how to prevent these current security measures from becoming a Pavlovian Vulnerability.

Definition

Pavlovian Vulnerability – the susceptibility to a security risk due to a learned response almost automatic in nature in reaction to a monotonous situation or predictable chain of events.

Note: this is different from carelessness or negligence because Pavlovian requires it be learned, either by training, repetition or some other means.

Note: Yes, I’m discussing extensions here, but it also applies to how IE handles ActiveX, Safari and Dashboard Widgets, or how all browsers handle downloads. No browser that I am aware of is exempt from this issue.

Edit (10/15/05 9:13 PM EST): Added definition for clarity in regards to the title of this post.

Microsoft “AntiSpyware” First Look

Microsoft released a beta of AntiSpyware this morning. I’ve been pretty anal about spyware for quite some time, so I of course decided to give it a look. I personally use a few products on a regular basis. Spybot S&D, LavaSoft Ad-Aware, and Spyware Blaster are my regular arsenal. I use them all and trust them all. Each has its own advantage. The combo of the 3 is my secret recipe for a clean computer (of course mixed with a firewall or 2, and a good virus scanner). And of course Firefox.

Here are a few observations I had:

  • Seems to be a rebranded “Giant Anti-Spyware”. If you used GIANT before, you’ll pretty much be seeing it rebranded. No revolutionary changes are apparent.
  • Advanced tools remind me of Spybot S&D a bit. The ability to explore advanced settings etc. It claims it can restore IE after it’s hijacked. I’ve yet to try this (don’t really plan on it, as I use Firefox).
  • Has “realtime protection”, so it sits in the system tray… not exactly original, but good that it’s active, and doesn’t require a user to initiate the response to spyware. Since users don’t appear to really care so much.
  • Requires Microsoft Windows 2000, Windows XP, or Windows Server™ 2003 according to the website

Gripes

Oh, I’ve got a few gripes.

Price – No official pricing has been mentioned, but the website makes very clear they are talking about the beta when it says it’s a free download. There’s no mention of the product itself. Part of the problem with spyware/adware/mailers is that they are harming the Internet as a whole, not just the user infected. I’m curious why there’s no mention of the release being free?

2000, XP, 2003 only supported – This bugs me quite a bit as well. There are many 95, 98, ME users out there with this problem. Their computers are clogged with this garbage, and clogging our inboxes with spam because they are loaded with mailware. But unless they pay for an upgrade to XP, we have to live with that.

Definition of Spyware? – The product fails to clearly differentiate between the different types of problems one may have. For example, as many on Slashdot noted, VNC is considered Spyware. While it can indeed be used to monitor usage, it’s quite often installed by the user (or the network administrator). Why is VNC considered Spyware, but Windows XP Pro’s “Remote Desktop” DLLs not considered Spyware? Remote Desktop provides very similar functionality. Both are installed on my computer. Both aren’t running during the scan, but VNC is still detected. “Remote Desktop” is not. Are Microsoft products whitelisted? What about partners? Who decides? What checklist do they use? Is the author of the product a factor?

Conclusion

This isn’t to say you shouldn’t run Microsoft Windows AntiSpyware. It will provide some benefit. But I would still recommend running at least 1 other product at least once a week to keep your computer clean. Not to mention a virus scanner, and a firewall.

I’m personally disappointed at Microsoft’s policy of “security costs extra”. Please correct me if I’m wrong, but there’s no mention of plans to deploy this to all Windows users using “Windows Update”. There’s nothing stating the final version will be free, only the beta. There’s no mention of the criteria for spyware that the definition authors use when creating definition updates for the product. And of course, quite a few users with Windows 95, 98, ME are left out in the cold, simply because they can’t pay hundreds for an upgrade (assuming their hardware can handle it).

I personally feel Security should be included at no extra effort or charge to the end user. It’s not a “bonus feature”, “extra”, “pro tool”, “option”, “reloaded”, or any other silly term for add-on. It’s something that a paying user deserves.

Without Spyware there’s no such thing as free software

But some users of iMesh didn’t seem to be troubled by the actions of Marketscore. Users at iMesh forums chided those who complained, posting messages stating that “without spyware there’s no such thing as free software.”

[Source: Wired.com @ 12/6/2004 9:55 AM EST]

SpreadFirefox anyone? This is a common mindset among average internet users. Something that needs to be debunked.

Challenge

Formulate a campaign that SpreadFirefox can use, which would also raise awareness of the fact that Spyware is not required to make software free. Make users realize they don’t have to jeopardize their privacy to get something free. Make them realize privacy is important. And of course, Spread Firefox. Perhaps if someone comes up with a good one it can be the next campaign.