Spyware becomes increasingly malicious

John Underhill stepnwlf at magma.ca
Wed Jul 14 17:44:41 UTC 2004



> MS do not publish full system specs, and they use undocumented features
> themselves.


Ok, say MS published their code tomorrow, what do you think would happen? All
the crackers and virus writers of the world would join hands and sing 'joy
to the world' and forgive MS for their trespasses? I suggest that many of
these virus writers are not motivated by an elitist ideology, but rather by
financial gain, and the sense of empowerment borne of damaging a global
system. I agree that MS, like many large companies, have not always behaved
in an ethical manner, and have been driven largely by bottom line economics,
but what is done is done, and that doesn't absolve virus and spyware writers
of the damage they are doing to the internet community.


> So, what other companies are doing? Yes, correct, they are experimenting,
> searching for the undocumented features.
> They found it, and no one can separate bugs and undocumented features.
> These are all results of MS approach _I am doing everything myself and do
> not want others to compete with me_.
> Ok, so please do not complain on those who use your undocumented features,
> undocumented API (and ohh, it is not my API, it is a bug... as they are
> saying now). Are you sure that it is a bug, but not a backhole created by MS
> for themselves? I am not.


So MS has undocumented 'features', so what? When you install their software
you agree to a licence, and that you are using their software bound by their
terms and conditions. Am I afraid big brother is watching, that MS is spying
on me? Not really, nothing to see. Do I think that some of these practices
are unethical? Yes, they probably are, but when I agreed to that licence I
gave up my right to complain.
Arguably, the internet would not be where it is today without MS, and that
this design principle of automating as many processes as possible is what
has made the internet a universally accessible medium, and that this
automation creates security vulnerabilities is simply the trade off made for
that accessibility.


> Or - after others found this backhole, they decided to seal it. You can not
> prove that it is a bug, as I can not prove that it was a feature.
>
> Any undocumented API is not different from a bug - it is just something
> which is not documented but exists.
> Just as MS is working on new undocumented API's. Of course, they are -
> hackers, spyware designers and MS developers... I do not see a difference.


I see a very distinct difference, and that is that I have made a choice to
use the MS product, that I have given my consent to them by way of a licence
agreement, if they clearly abuse that trust, I will choose an alternative
product, that is free enterprise in action. But I did not give the hacker
and spyware writer permission to invade my privacy and damage my systems.
Using MS products is not an open invitation to criminals to disrupt my
networks, or absolution for criminal acts.


> Please, specify a difference between 'flaw in the code' and 'backhole
> created for their own purposes'. If they claim 'our developers use only
> specified API' and 'we specify and document every system call and every
> function which can be used legally, from technical point of view', then I
> agree. But they never did and never would. If they do it, they lost their
> monopoly. Result - full zoo of pets, pests, and other animals in every home
> computer running Windoze.
>
> Maybe this particular feature was a bug, I can agree - but I do not see a
> difference (still).


MS has a monopoly, it's true, but the reason for that monopoly is not
entirely because of unfair business practices, it also has a lot to do with
their original design mission. That was and still is, to make their OS as
easy to use as possible. You and I may know how to use Linux, but up until a
couple of years ago, this was just too complex an operating system for the
average home user. That much of the MS code is undocumented, is probably a
good thing, because it makes the virus writers' work more difficult. Do I
think that these undocumented features serve some devious purpose? If
someone can come up with hard evidence of that, I will change operating
systems.


> Sorry, it was a _technical_ question - is MAC OS known as having pests and
> ad-ware in the comparable numbers (if any)?


This is spurious logic. You are suggesting that Mac is a more secure
operating system, and I would suggest that it is probably far less secure,
because it has not had to withstand years of unearthing vulnerabilities in
the code.
I have heard an OS compared to a sphere, the larger the sphere the more
surface area: the larger the OS, the more area to protect. The last time I
installed Red Hat, it weighed in at nearly 2 gigs, Mac around the same. Now,
you can fit a 1000 page novel in a 3 meg file, so consider, there are
millions of pages of code in an OS, and regardless of your operating system
of choice, there are innumerable flaws that beg exploitation. The only
reason MS is consistently the subject of attack, and not Mac, is not because
Mac is bulletproof, it is a tactical decision. Like it or not MS controls
the market, and virus writers want to create exploits that will have the
greatest impact. If MS were to disappear tomorrow, and Mac were to become
king, it would only be a matter of weeks before virus writers ported their
code to the Mac OS. Don't agree? Read 'Hacking Exposed Linux'. I used to
think Linux was secure, now I know better.


> Hmm. Is it legal for MS developers (for example, office developers) to use
> undocumented APIs? What's a difference? What does it mean 'access' - you
> open my web page, and your IE download my GIF file - is it authorised (my
> GIF is installed into your computer)? You allow Active X to run, even if
> ActiveX can install software - it is enough to be authorised. This is
> common sense - if there is a road, it is authorised to hike it (except if
> there is a closed gate or an angry dog on the way). At least, it is common
> sense on 90% of the world.


Again I think it comes down to choice. I have navigated to a website because
I have made a choice to view its content and services, I did not however,
choose to have spyware installed on my computer. By installing this
software, they have violated my trust, they have installed invasive software
without my consent. I realize that I may be vulnerable to viruses in using
the internet, but that does not excuse the virus writer from creating
software that impedes my use of this system, or removes my ability to choose
the nature of my experience.


> Of course, we can create many laws making common sense useless, but do not
> expect anyone outside to follow it. Internet is not located inside, so - you
> can make a conclusion. MS provoked people to search for undocumented
> things - it is common sense which say me that it results in my home computer
> making unpredicted actions - and I can not blame spyware writers, I should
> blame MS writers... (I do not like spywriters, anyway, but they are making
> their business..)

> Of course, they are. MS is profited from undocumented API's, as well. Where
> is a difference?


Well it may seem that I am singing the praises of MS, but that is simply not
the case. After years of being a systems admin, I came to really dislike MS,
it was a lot of work keeping the systems clean and safe, but it's kind of
like what Churchill said about democracy: 'Democracy is a bad form of
government. Unfortunately all the others are so much worse..'  MS makes a
lousy OS, but for the home user, it's the best thing we've got.
I think though, that there is a greater issue here, and that is what should
be done about sites like 'cool web search'. Clearly they are causing damage
to the internet community. Laws can not be relied upon to act on such
trespasses, not in an international community. This places the onus of
responsibility on the ISP leasing the addresses. This site has likely
infected millions of computers, and I have no doubt their ISP is aware, but
probably has a policy of non discrimination, or doesn't want to involve
itself in legal entanglements. Do you de-peer them or filter their prefixes
as someone suggested? I think a lot of legitimate users would suffer as a
result, so this is not a reasonable solution. But something does have to be
done, when a website presents a clear and ongoing threat to the internet
community, it has to be actionable. The problem then becomes, who defines
what is a threat, and by what criteria do providers refuse service to the
individual or each other? So do you create a charter of acceptable policies
and practices among ISPs? Some collectively agreed upon statement of what
constitutes acceptable practices as it pertains to this type of situation?
I'm not sure it would work, but I am hard pressed for solutions.
We all remember the promise ecommerce once held to our industry, and I
believe it has fallen flat, largely due to the perceived danger of spyware
and viruses. The danger of these attacks, and their scope and severity seem
to grow each year, and I think the entire community is suffering as a
result. So the question remains, what do we do about it?




More information about the NANOG mailing list