March 28, 2024

Archives for November 2002

Virus With a EULA

Rob Lemos at news.com reports on a new “greeting card” virus that protects its author by using a EULA (End User License Agreement):

The FriendGreetings electronic greeting card has all the hallmarks of a mass-mailing computer virus.

The e-mail misleads a victim into downloading an application–ostensibly to view a Web card–and then sends itself to every e-mail address in the victim’s Outlook contacts file. At least a few systems administrators have complained in Usenet postings that the mass-mailing e-card was to blame for swamping their network.

Yet the creators–Permissioned Media, a company apparently based in Panama–will be hard to prosecute: The viral card is protected by a license agreement that tricks unsuspecting users into clicking “Yes” and consenting to have the program send itself to all their e-mail contacts.

This exploits the well-known fact that people don’t actually read EULAs, but just click “I Accept.”

The theory underlying the validity of long, hard-to-read EULAs (if indeed they are valid) is that companies that use misleading EULAs will get bad publicity – if BadCorp’s EULAs are evil, somebody will notice this, and when this information is spread BadCorp will lose business. This is all well and good when BadCorp is a company that wants to do business for an extended period.

This virus-with-a-EULA is a challenge to that theory. The virus spreads so rapidly that it does all of its damage before the news about the bad EULA can spread. And the virus’s author is a company that nobody has ever heard of. Having spread the virus, the author-company can close up shop, so the damage to its reputation doesn’t matter.

If the law says that this kind of EULA actually makes a virus legal, then we’re in a tough spot. We can ask every user to read, understand, and evaluate every EULA he sees. But that’s not going to happen. People can decide not to accept EULAs, except those from well-known companies. That isn’t a very satisfying answer either. Or people can settle on a few standardized EULAs, and we can rely on software tools to recognize non-standard EULAs so that we can reject them.

This recapitulates a debate that the research community had about mobile code security. The problem there is that little programs are arriving on people’s computers, and somebody has to decide what those programs are allowed to do. One approach is just to ask the user to decide in every case; but users get “dialog box fatigue” and start agreeing to everything without reading it. Another method is to apply a standardized one-size-fits-all policy to all programs, but that policy is either too restrictive for legitimate programs, or too lax for malicious programs, or both. In the end, no fully satisfactory solution was found, but everybody agreed that a well-engineered system would limit the harm that bad programs could do. How to apply that lesson to the EULAs isn’t immediately clear.

A Stroll Through the Logs

The website statistics program I use (webalizer) lets me see what search strings people are using when they find this site via the usual search engines. November’s report is amusing.

The most common search string that led to the site is “tinker.” No surprise there. Number two, though, was “fart noises.” (That matches a Fritz’s Hit List entry, in case you’re wondering.)

This raises important questions that merit future research. Is this site known primarily for its material on fart noises? Or are there lots of people out there searching for “fart noises” and then stumbling onto this site? Readers are invited to submit explanations.

(“Fart noises” ranked highly in October, too, behind only “tinker,” “freedom to tinker,” and “fritz’s hit list”.)

Also interesting is the fact that more people found this site by searching for “ed felton” (with my last name spelled incorrectly) than for “ed felten” (the correct spelling). The misspelling appears nowhere on this site, so it must be that people link to the site using the misspelled name, or that some search engines are smart enough to correct for the misspelling.

In a related story, click here for an explanation of how Eugene Volokh’s serious, non-porn site was a search result for “kazakh girls nude”.

More Great Stuff From Seth Schoen

If you want to understand what the whole Palladium/LaGrande/”trusted computing” issue is about, you should read Seth Schoen’s recent writing. His analysis is insightful, technically sound, independent, and hype-free. For the latest example, click here, scroll down to “Trusted Computing,” and read the next several sections.

Early Release of MS Decision Just a Blunder

Ted Bridis at AP confirms, based on an internal investigation by court staff, that the early release to the Web of Judge Kollar-Kotelly’s rulings in the Microsoft case was just a mistake by someone on the staff.

Garfinkel on Mitnick's Book

Simson Garfinkel has an interesting reaction to Kevin Mitnick’s recent book.

Mitnick, “the most famous computer hacker of our time,” claims to have operated mainly by social engineering, that is, by conning people into giving him restricted information. Garfinkel describes how Mitnick-type attacks can be mitigated by wisely-designed technology.