Computer Crime Research Center


The World Notices the Spyware Threat

Date: October 26, 2004
Source: CommsWorld
By: Richard Chirgwin

The first story I posted online on this site dealing with spyware was in January 2003, when the site was two months old, “Spyware Getting Nasty”, in which I talked about a piece of spyware which gave itself Verisign credentials to maintain the pretence that it was legitimate software.

In the 21 months since then, things have only got worse. I've run another ten spyware stories, including the accidental “phone home” in Acrobat, an astonishingly stupid download offered by Forbes Magazine's online presence (something which still stands as a masterful piece of brain-donorism), as well as various pieces of phishing and so on.

But at least the world outside tech-enthusiasts has finally started to notice that there's a problem. I read with interest in yesterday's SMH that spyware is finally in the legislative spotlight.

Good luck to Helen “voiceover” Coonan if she can pull it off.

Already, the industry that strives to gentrify the spyware slum – I mean the ad analysts, who themselves shamelessly bestow active code on unsuspecting users to watch over our comings and goings – is out among the newspapers telling us all that if its activities were curtailed, it would harm the Internet experience of ordinary users.

That's merely double-speak. Ratings companies exist to improve the Internet experience for advertisers. If a spyware ban took out some versions of rating technology – those products which install active code on the target machine – it's not going to destroy either the end-user experience or the ability to gather rating information.

It would mean, instead, that consumers can't be watched without their knowledge, which is a different question. It may give a competitive advantage to less intrusive page view measurements, such as proxy analysis.

In any case, as the corporate world discovers the dangers of spyware, active ratings companies are going to find their measurements devalued. A fair number of (say) Sydney Morning Herald online readers are reading from work, on office networks which increasingly block spyware to try to protect their own integrity and save on bandwidth.

And if e-commerce is undermined by insecurity, ratings companies themselves will suffer. Their inability to distinguish their own short-term from long-term interests is hard to credit.

The question for regulators is to work out what principles should apply to spyware legislation.

I'll stick my neck a long way out, and suggest that the core principle already exists.

Imagine a Windows XP Professional server sitting behind a firewall on a corporate network.

If I were to gain access to that machine without the owner's permission, and use it as an Internet server for my own purposes, I would have broken various clauses of computer crime legislation. A defence that I used the stolen machine time for innocuous purposes – running a harmless mail server rather than distributing copyright content – might mitigate my eventual sentence, but it wouldn't save me from being charged.

Yet if that Windows XP Professional server were sold by its owner to me, as a private citizen, it seems to be a different story. Spyware companies can hijack the machine time of a private citizen with apparent impunity, merely because they want to.

The same principles that protect a company's investment in its computers should also protect the investment of individuals.

There are, however, a couple of other issues the industry has to tackle.

The first is the appalling breach of trust propagated by the certificate authorities, whose processes are all about selling their own services rather than any genuine concern for establishing online trust.

While viral spyware installs itself as surreptitiously as possible, “open” spyware (the kind that presents itself to users as a downloadable application for weather reports, news tickers, screen savers and so on) always presents itself with a respectable certificate from the likes of Verisign and Thawte.

The spyware vendors are riding on the back of a double-dose of user trust: not only is the spyware presenting a certificate, it's the same kind of certificate that their familiar e-banking application presents.

A cluestick attack among online banks would be nice; they have much more clout than journalists or citizens. If banks threatened to create their own global root CA and accreditation structure, and remove any confusion that might associate their certificates with those presented by spyware programs, the CAs would change their attitudes instantly.

But that's not going to happen. Banks like analytical data as well as the next company.

Copyright © 2001-2024 Computer Crime Research Center