May 02, 2002

Everyone, please pay close attention to this first item. There is a bill in the United States Senate right now that will be disastrous if passed. Senator Fritz Hollings is pushing a bill that could legalize advertising spyware and the trading of personal information. This is not paranoid rambling. This bill will make the trading of personal information such as name, address, phone number, email address, etc. an unrestricted practice.

From salon.com: "The fact that Hollings is behind this bill should be the first clue about the real agenda it serves. Hollings is also a sponsor of the Consumer Broadband and Digital Television Promotion Act (CBDTPA, formerly known as the SSSCA), a bill that requires all new computers and other digital information devices to come with copy protection software and/or hardware installed on them. It would also outlaw any effort to reverse-engineer or disable any copy-protection format -- a measure that some observers believe will cripple software development -- particularly in the open-source and free-software communities. CBDTPA is ostensibly based on the premise that consumers won't sign up for broadband ISP access until Hollywood puts its content online, and Hollywood won't do that until it's sure its intellectual property will be safe. But the bill isn't really about the "promotion" of broadband at all. Hollings is one of the Senate's largest recipients of entertainment industry campaign contributions, and the bill is squarely aimed at protecting that industry's interests."

This bill cannot be allowed to pass. If it passes and actually becomes law, it will set the pro-privacy / anti-spyware movements back by many years. Consider the real case of a certain company which serves banner ads and is infamous for setting the sort of tracking cookies that give all cookies a bad name.

This company has made attempts in the past to combine marketing information about web surfers that it has gathered from a large variety of sources. While the information is in individual databases, this company cannot identify you. When you load one of their banner ads in your browser, they see you as anonymous web surfer @ IP address 255.125.250.000. Their ultimate goal is to combine all of this separated information so that they can see you as Johnathon A. Surfer @ 123 Main St, Smallsville, USA. They will then be able to maintain a database of nearly every activity you engage in while you are online, and possibly offline. The only thing stopping them now is a mix of conflicting laws and a number of class-action lawsuits. If this atrocity of a bill is permitted to pass, this company will have no impediment to its plans.

This is just one example of the dangers of this bill. I urge all Americans to stop what you are doing and write to your congressional rep and both of your senators right now and inform them of your concerns in this matter. I also urge you to copy this warning and post it on every message board and newsgroup that you see doesn't have it already. This is a very serious and very real threat to everyone. This bill cannot pass, or we really will be living in Orwell's 1984.

The Center for Democracy and Technology has a page where you can look up your state and be taken to another page with contact information for all of your senators and congressional reps.
http://www.cdt.org/action/contactcongress.shtml



Last week I told you about a Divx player from Radlight INC that was removing Lavasoft's Ad-aware. The outrage was immediate and white-hot, and the entire privacy/security community closed ranks to support Lavasoft and condemn Radlight. This outraged community closed down Radlight INC for a few days. Many who had it installed removed it; others, hearing about it, decided to find another player. C|Net and Simtel removed the files from their downloads sections, but put them back up after a recompile of the software removed the Ad-aware-destroying code. The reputation of this foolish, arrogant little company was destroyed in a matter of hours and it may never recover.

Let this be a warning to anyone else who may be considering tampering with a security product. Attack any member of the privacy/security community and you will draw the wrath of all of us. Also let it be a warning to any developer that attempts to remove software that doesn't belong to them. From reports that I've seen, it would seem that there is another company engaging in what looks to be the same sort of unethical tampering with another company's software. I'll report on that when it's confirmed and after any action is taken.

If anyone reading this has ever been hijacked to a site called globalsearch.com, or by these files (zzgshp - winsys.vbs - zzgshp.vbs - gshp.vbs), it is very important that you contact me and let me know. EDIT: November 3, 2002. Please don't contact me about this now. The situation has changed.

I'm wondering about the effectiveness of the software that I'm using to distribute this newsletter. The last newsletter I sent out never got to me, but it did get to many others. I'll be verifying it this time. If you ever notice that there is a new issue out and you didn't get your copy in your email, please .

Speaking of the newsletter, it is going to have a new home by next week, I hope. One of my readers at zortera.com has donated web hosting. I'm going to activate a domain I don't currently use and transfer it there, and then this newsletter will have its own domain name on its own host, separate from the main site.

The reason for this is to avoid what happened to me last week. What happened, you ask? That Radlight story got linked to on Slashdot. If you are reading the online edition, take a look at the counter at the bottom of the page. That counter said 2,500 max before Slashdot. After Slashdot it read 30,000, with most of the increase coming in one day. The web site did two weeks' worth of bandwidth transfer in one day. Lord knows what the hosting bill will look like.

Sheeeeesh. Never doubt the power of the Slashdot effect. I'm lucky the server held up.

Warnings

http://www.pcworld.com

The W32.Klez worm and its variants are still loose in the wild more than a week after the latest variant was discovered, moving antivirus software vendor Symantec to upgrade it to a level 4 virus threat on its danger scale of five.

Symantec says it is receiving more than 3,000 submissions a day of W32.Klez and its variants. At the peak of the SirCam virus, in mid-2001, the company received about 1,500 daily submissions, Symantec of Cupertino, California, says in a statement.


Updates

After reviewing my server logs, I've noticed that the Hijacked! article has surpassed the main page of the site both in terms of visits and bandwidth. The page itself was also getting a bit large. For these reasons, I've split it up into a two-part article to make it load quicker.

I'm about to redesign the web site again. The solid blue is starting to get old, so I want to play with the colors a bit. This isn't what I'm going to do in the end, but you can see what I was playing with the other night here.


Featured Site

http://www.spychecker.com

Spychecker.com is a public database of Spyware products. The database is maintained on a daily basis and new software is added or removed as needed. Information is gathered from Internet sources, ad companies and reliable sources in the software distribution industry.

We use the term "Spyware" because it has become the Internet jargon for certain advertising supported products. Spychecker.com does not suggest that any of the advertising networks are using the collected data in any other way than stated in their privacy policy.

And NO, we did not invent the term "Spyware" either... :-)

Download

You all know that Gator is difficult to avoid these days. Hard to believe, but there are some people who actually like using Gator for its password management features. For those who would like to use Gator, but don't want to install its annoying adware components, I have two downloads for you this week.

Both of these products save your login information, including passwords, in encrypted files. Keywallet was extensively tested by the folks at VoiceofthePublic last year and the general consensus is that it is a good product. Last I heard, it was going to include a feature to import saved Gator files.

Roboform already does this. It also uses encryption to save your passwords and login information. With this one, you can import the data, then be rid of Gator. Both of these products are free.

http://www.keywallet.com
http://www.roboform.com

The Weekly Hack

If you are like most of us, you're using plain old Outlook Express to download and read your email. It's easy to use, it's free, it comes with the computer. People like to complain about it, me included, but it does just about everything I need out of an email client.

One of the complaints is that it is so lax in security that it helps spread all of the worms and viruses that escape into the wild. That it is the most used email client out there has nothing to do with it, I suppose. One of the reasons that it is so insecure is the preview pane, which is enabled and open by default.

The preview pane actually executes the email just by selecting it with the mouse in the inbox, so you don't need to open it to run it. This is how spammers who include a web bug harvest your address, and it is why the MIME exploit is so dangerous. These days, you don't need to open an attachment to get infected with an email virus. Because of this preview pane, you don't really need to open the email either, just preview it and you're infected.

Did you know you could turn it off? That's right. You can just turn the thing off if you want.

Right-click on the toolbar of your inbox. Choose "customize" and on the left side, click on "preview" with your mouse. Click the "add" button, then the "close" button. This puts the preview pane button on the toolbar. To turn off the preview pane entirely, press the button. That's it. Now your emails open only when you double-click on them.


In The News

Information gathering and customer/user profiling is important in a world which preaches about targeting the right products at the right customers. That is why customer relationship management (CRM) is such a big, billion-dollar business whether it is in the US or Asia. However, spyware, adware, or scumware, ought to evolve from its current practices of information gathering. It is marketers' job to think of how they can obtain customers' information without being a nuisance and without crippling a user's PC in some cases.


"Anything that says "free," people want. But eventually people will realize there's not really such thing as "free" software. It comes with a price -- in this case the annoyance of advertising, or possibly privacy violations ...... people rarely understand what they're signing, ..... clicking contracts that could hijack their computers or make them targets of aggressive advertisers."


Calling the tactic "malware at its worst," Lavasoft said its privacy software is being silently deleted when users install a third-party multimedia player.

Newsbytes has confirmed that installing RadLight version 3.03 deletes Lavasoft's Ad-Aware program without warning.

Ad-Aware is a free program designed to scan a PC for ad-supported software components or "spyware" and to remove them.


Although Larry Ellison's post-September 11 push for a national ID card system may have left some IT vendors hoping to derive some new business from the mammoth endeavor, experts at the Computers, Freedom, and Privacy conference in San Francisco Wednesday threw some cold water on their burning hopes.


Under a voluntary "trusted traveler" program geared toward frequent fliers, passengers would register with a questionnaire providing information similar to a credit card application, Dullum explained. A background check would include law enforcement information and travel history, and would be updated periodically. Finally, biometric data such as fingerprints, iris scans, and facial features would be captured on a "smart card," giving the passenger the privilege of bypassing long lines at airports. A fee might be charged for participation in such a program.


U.S. policies are gaining an international reputation, noted an EFF attorney. Robin Gross cited last year's arrest of programmer Dmitry Sklyarov for distributing software in violation of the DMCA.

"The state of Russia has issued a travel advisory about the dangers of travel to the United States, especially computer programmers, who may be arrested," Gross said.


Despite a good rattling by privacy advocates, leading companies offering Web-based authentication and single sign-on services stuck to their guns at the Computers, Freedom, and Privacy conference here, defending their record on privacy and saying it tops their list of concerns crucial to their business success.

Executives from Microsoft, VeriSign, and Sun all touted their Web authentication and location services as privacy-friendly at the session Thursday. They repelled sharp arrows of criticism launched by CFP attendees who raised concerns about information sharing and data archiving. "Privacy advocates generally don't like very large databases full of personal information," said Jason Catlett, president of Junkbusters, a privacy advocacy and antispam group.


Every month, millions of people agree to terms-of-service and privacy contracts they haven't read--and probably wouldn't understand if they tried--to download software without paying for it. Many are later disturbed to find their computers coopted by little-known companies to distribute advertisements, monitor online behavior, or help solve complicated computing problems.


Computer Activists Debate Privacy's Future

Alarmists, nay-sayers and Cassandras from around the cyber world have assembled here this week for the "Computers, Freedom & Privacy" conference to debate how to preserve privacy in a security-conscious age.

"It is a gathering of people who tend to know what they are talking about," said Peter Neumann, principal scientist at Silicon Valley think-tank SRI International, and a leading expert in the field of computer risk management.

In what has become an annual ritual for vocal activists and the policy makers who act as their rhetorical punching bags, the conference, in its 11th year, features heated debates on a host of complex topics where most politicians fear to tread


Credits

Copyright © 2002 by Mike Healan.

Content gathered and compiled by Mike Healan.