Spyware Analysis of P2P Software

rhizome writes "Benjamin Edelman, a PhD candidate in Economics and a Law student at Harvard, has analyzed the hidden (or not) additions to a user's machine when they install some of the major Windows P2P clients. He analyzes the length and readability of their licenses, what is revealed or hidden in the software's installer and includes screenshots for illustration. Clear, concise and eye-opening."
  • Law AND Economics? (Score:5, Interesting)

    by Onimaru ( 773331 ) * on Thursday March 10, 2005 @03:43PM (#11903569)

    When someone who's both a lawyer and an economist says a license is difficult to interpret, I tend to believe them. Even his assertion that these licenses are obfuscated is, itself, obfuscated.

    • by halivar ( 535827 ) <.bfelger. .at. .gmail.com.> on Thursday March 10, 2005 @03:57PM (#11903742)
      He says at the bottom that much of the research was paid for by LimeWire. I was wondering throughout the article why he was giving LimeWire such a clean bill of health, when my experience has not been so good.

      The disclosure does say something for his integrity, but I fear his appraisal may be somewhat biased (intentional or not) in favor of LimeWire.
      • Indeed. Am I the only one who got the LimeStore (or whatever it's called) installed?
      • Comment removed (Score:5, Informative)

        by account_deleted ( 4530225 ) on Thursday March 10, 2005 @04:04PM (#11903815)
        Comment removed based on user account deletion
      • by Vengie ( 533896 ) on Thursday March 10, 2005 @04:05PM (#11903824)
        I spent about an hour talking to Ben at the Yahoo! party last week. I can assure you that he is by no means shilling for anyone. His feelings on the matter are pretty strong, and he sells himself on the integrity you mention.
      • by Audacious ( 611811 ) on Thursday March 10, 2005 @04:24PM (#11904004) Homepage
        I have to say that I think there should be an Open Source set up for independent reviews of things. Sort of like Consumer Reports (versus Consumer Review which was started by the major corporations to try to thwart Consumer Reports' highly accurate ratings). If done correctly, and an unbiased basis can be maintained, it might take off just like many of the software projects have done. Further, it could be used to show the actual state of where Open Source products are versus Closed Source products. In fact, Consumer Reports would be the place to do this since they are fairly independent and back up all of their statements with lots of test data.

        So if anyone from any of the major OSS companies is listening - you might want to help fund the testing of the various OSs via Consumer Reports as well as some of the Open Source Software (OSS) itself versus the Closed Source Software (CSS) versions. Like Open Office versus MS-Office and the like.

        Just a thought.
        • by starfishsystems ( 834319 ) on Thursday March 10, 2005 @08:50PM (#11906279) Homepage
          I have a lot of respect for Consumer Reports. We used to have a subscription to it when I was growing up, and I always found it objective, scientific, and informative.

          Where CR doesn't distinguish itself is in technical evaluations, software in particular. I could wish for more rigor when it takes on projects like these.

          Historically, the rolloff makes a fair amount of sense, as CR writes for a general rather than technical audience. And, as I often argue, you can't understand computing infrastructure as if it were a kind of appliance. Appliances are finite. Infrastructure exists for its potential.

          But as our daily lives become increasingly involved with technology, I often wish that CR could use its leadership and methodology to inform the technology marketplace as well.

      • Not the best program to choose to compare LimeWire to.

        Instead of eDonkey, he could have chosen eMule, which happens to be a GPL replacement.

        I believe there is also a replacement for Morpheus, but I'd rather use specialised P2P clients. (I think Shareaza is comparable to Morpheus, which happens to be .... GPL.)

        Compare with the worst and you look just fine.
      • > why he was giving LimeWire such a clean bill of health, when my
        > experience has not been so good.

        I too remember helping Windows victims recover from being assaulted by LimeWire in the past. But they have seen the light and repented of their wickedness, including no spy/adware with more recent versions; and the software itself is Free Software, available under the GNU GPLv2. They even have a CVS repository. With those conditions, spyware would be a bit hard to get away with.

        Go look at www.limewir
    • Certainly worth noting this, from down near the bottom:

      Disclosures
      This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public.

    • by Threni ( 635302 ) on Thursday March 10, 2005 @04:07PM (#11903850)
      > When someone who's both a lawyer and an economist says a license is difficult to
      > interpret, I tend to believe them

      Personally I'm not convinced until I'm told it by someone who maintains other people's Perl for a living!
    • What if the lawyer and economist had the following disclosure at the bottom of the article?

      Disclosures

      This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public.
  • by cybrthng ( 22291 ) on Thursday March 10, 2005 @03:44PM (#11903580) Homepage Journal
    It would be interesting to compare against the popular Open Source ports to see if they're any less invasive by nature.

    What about Shareaza?
    • Well, I don't know if Shareaza is invasive (although I don't think so), but I do know that when I used it for a while a few months ago, it absolutely killed network performance for all other apps while it was running. I eventually uninstalled it for that very reason. I don't suppose it's anything sinister; most likely it's just a complete hog.
      • Shareaza isn't invasive: I used it for months with no ill-effects. It didn't kill my network, just slowed it down quite a lot, so it is not likely to be something sinister; if anything, it is a general problem, as Gtk-Gnutella on Linux causes connection timeout errors for me on any other apps while it's running.
    • by Anonymous Coward
      It's impossible by definition. If it is an open source share app with spyware it will last like fifteen seconds before someone else gets sick of that and releases it without spyware. :nod:

      I don't think you'll see any out there with spyware, if any at all :confused:
    • by mlinksva ( 1755 ) on Thursday March 10, 2005 @04:11PM (#11903883) Homepage Journal
      LimeWire is open source and is safe. I did a quick check [gondwanaland.com] of several other open source P2P apps (BitTorrent, eMule, Phex, and Shareaza). None are bundled with malware and if they have a license agreement it is only the GPL. All of the proprietary apps checked are unsafe, and it is well known that others not checked (e.g., Grokster) are also not safe.
    • iMesh and Kazaa use the FastTrack network, a proprietary technology developed by a Swedish company. They need to pay this company licensing fees to use the network, which is probably why no exact open-source, adware-free equivalents exist... unless you count the hacked "light" versions of these two that have the adware removed but can still access FastTrack.

      More about FastTrack here [pcquest.com]
    • LimeWire is open source, the pre-compiled binaries have banner ads, as noted in the article.

      But usually, open source P2P clients have typically been fairly free of spyware. However, there have been a lot of cases where some people have taken the binaries, added spyware, then made it available for download. (At least Azureus got hit by that.) Nothing to do with the coders; there are just people who want to mess up the distribution somehow...

    • OSS spyware?
      All it needs is one geek to remove the spyware in the source, recompile and voila!
  • by Faust7 ( 314817 ) on Thursday March 10, 2005 @03:45PM (#11903590) Homepage
    ...that the only P2P client I use didn't even need to be reviewed. :)

    (It rhymes with "BitTorrent.")
  • I am aware (Score:4, Informative)

    by bogaboga ( 793279 ) on Thursday March 10, 2005 @03:45PM (#11903594)
    I am aware that eMule has no spyware/adware since it's open source. In this case, the issues the author raises do not concern me. Since this discussion is primarily based on Windows, Linux is off-topic, but in that area we have KMLdonkey and LimeWire.
  • by nurb432 ( 527695 ) on Thursday March 10, 2005 @03:46PM (#11903604) Homepage Journal
    Serves them right for installing that evil bad software that only pirates use..

    For the slower moderators out there today, this is referred to as sarcasm.

  • by J Barnes ( 838165 ) on Thursday March 10, 2005 @03:48PM (#11903627) Homepage
    And here all this time I was thinking my computer is a piece of shit because it's a pentium II 333MHz PC with 64megs of ram running Windows 98...

    but NO...it's the P2P programs!
  • Paid for (Score:2, Informative)

    by MindStalker ( 22827 )
    Just wanted to note that this article is paid for by LimeWire. Obviously, because there are no third-party apps with LimeWire and no license whatsoever.
    • And after reading 6,576 words in this article you come across his disclaimer:
      Disclosures This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public.
      So perhaps there isn't as much here as you think. I mean, maybe he has the only copy of LimeWire without other crap bundled into it!
      I don't see BearShare on this list... seems to work OK for me, not that I use P2P, but if I did, I think I would use BearShare....
      • Him and the other 30 million people that have downloaded LimeWire since last August. And 1 million more each week. LimeWire has absolutely no bundled software.
    • Re:Paid for (Score:4, Funny)

      by bill_mcgonigle ( 4333 ) * on Thursday March 10, 2005 @05:32PM (#11904759) Homepage Journal
      Crap, I never got paid for research papers when I was in school. This guy is a good economist.
  • by Anonymous Coward
    So, which client does he recommend people use?

    JK. Serves those people right. Keep things legal cheapos!
  • Relevant section (Score:4, Informative)

    by Anonymous Coward on Thursday March 10, 2005 @03:49PM (#11903641)

    The relevant parts, for people who can't or don't want to RTFA:

    My testing uncovered no bundled software installed without at least some disclosure apparent in a careful and complete reading of all applicable installation license agreements. However, it is possible that programs were installed that I failed to detect, especially if bundled program installations were set to be delayed after installation of the requested P2P software.

    Although each P2P installer included at least a vague reference to each program to be installed, certain P2P programs' installation procedures nonetheless present cause for concern. For one, substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.

  • by shanen ( 462549 ) on Thursday March 10, 2005 @03:49PM (#11903649) Homepage Journal
    I'm not so worried about spyware. At least not the commercial type, since you can figure out their motivations. Actually, I think the best response there is not spyware blockers, but a commercial response. There should be an anti-spyware organization that gives negative publicity to the companies that benefit in any way from spyware, and positive publicity to their competitors. If they're doing it for money, then you hit them in the wallet and they'll wake up.

    However, the thing that really worries me is the intersection between P2P and black-hat hacking skills. That's too much power in one place, and we already know that power corrupts. (The only redeeming point is that sometimes the corruption is pretty funny, like the Gannon/Guckert case.)

    • by AviLazar ( 741826 ) on Thursday March 10, 2005 @03:54PM (#11903700) Journal
      No such thing as bad PR. If we had such an organization, every little company would want to get on that negative list because it would give them double the advertising. In the end, people will remember the company name - not what they did.
      • Unfortunately, I sort of agree with you, but that's why I emphasized giving *positive* publicity to their competitors. The problem is that even if you say "buy X because Y stinks", Y is still getting some publicity from it.

        Really sad that so many consumers are so jerked about by lies. Actually, it's more than sad. It's downright tragic. Reality is *always* going to win out in the long term.

      • You're absolutely right. Yup. No such thing as bad PR...

        Anyway, this is offtopic, but does anyone know where I can buy a copy of "SCO Unix"? I don't remember how I heard about em, but I know they've been in the news and stuff, so they must be pretty good...
    • There should be an anti-spyware organization that gives negative publicity to the companies that benefit in any way from spyware, and positive publicity to their competitors. If they're doing it for money, then you hit them in the wallet and they'll wake up.

      And then the spyware/adware companies sue you for libel, slander, and defamation. Who cares if it's not true? You'll still get soaked for the legal bills. Oh, and where is the money for this anti-spyware organization going to come from?

      sigh,
      Sch

        • And then the spyware/adware companies sue you for libel, slander, and defamation. Who cares if it's not true? You'll still get soaked for the legal bills. Oh, and where is the money for this anti-spyware organization going to come from?

        Let's say company X advertises on Y-program. Where is the falsehood in advertising the fact that X advertises on Y-program? There is none. You would only get in trouble if you said something like "X advertises on Y-program AND X-founder's wife is an inside trader maki

  • by tmleafsar ( 866698 ) on Thursday March 10, 2005 @03:49PM (#11903651)
    pssh. Spyware? P2P? NEVER!
  • by Cr0w T. Trollbot ( 848674 ) on Thursday March 10, 2005 @03:51PM (#11903667)
    • User will be required to supply their own vaseline, and will receive neither a kiss nor a call the next morning.
    • User agrees to transmit any virus as required by the Program, including, but not limited to, SoBig, MyDoom, Gator, Realplayer, MS Windows, AIDS, and bubonic plague.
    • User agrees to call the writer of this program "Big Daddy."
    • All your base are belong to us.
    • Do not taunt Happy Fun Ball.
    - Crow T. Trollbot
  • by robogun ( 466062 ) on Thursday March 10, 2005 @03:51PM (#11903674)
    For instance, WinMX [winmx.com] doesn't install anything but the p2p program. Where is it on this list?
    • by tmleafsar ( 866698 ) on Thursday March 10, 2005 @03:55PM (#11903716)
      WinMX magically installed the complete Rush discography on my hard drive. ....that's my story and I'm sticking to it!
    • by bedelman ( 42523 ) on Thursday March 10, 2005 @04:02PM (#11903793) Homepage
      Robogun,

      Preparing these detailed analyses is surprisingly time-consuming -- lots of license text to read, lots of screenshots to make, lots of measurements and other tests (registry, filesystem, etc.). So at least for this initial run, I had to limit myself to a manageable number of P2P programs. In general I tried to focus on the programs believed to have largest market share -- the programs that would infect the most PCs with unwanted software if such programs in fact contain unwanted software.

      WinMX would be a good candidate for inclusion in a follow-up piece. And there are plenty more too.

      Or perhaps someone else will be so kind as to take over where I've left off!

      Ben
  • Very true... (Score:5, Interesting)

    by Robotron23 ( 832528 ) on Thursday March 10, 2005 @03:54PM (#11903703)
    A couple of years back, I serviced a friend's computer which was literally deluged with adware and spyware from KaZaA (KaZaA was at its peak then).

    Around 300 files, mostly registry entries, as well as Gator were on his computer; combined, it all took up roughly 35% of his RAM to run. On his 128MB chip it was difficult to even play Civ or Counter-Strike without extreme slowdown...

    Is it just me, or did KaZaA seem the scourge of commercialism when it first started? Heck, since then it's become a veritable beacon of it.
  • by Anonymous Coward
    ...as opposed to the license agreements. 22,606 words, 182 on-screen pages for a license? Might as well rename it Attorney Full-Employment Act of 2005 or something.
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Thursday March 10, 2005 @03:58PM (#11903744)
    Comment removed based on user account deletion
    • Comment removed based on user account deletion
      • If you use any decent software, such as AdAware or Spybot or Microsoft Anti-Spyware, you'll see that LimeWire indeed has absolutely no bundled software. If you use software whose only claim to fame is that it can find spyware where no spyware exists, well... good luck keeping your computer working.
      • by bedelman ( 42523 ) on Thursday March 10, 2005 @04:31PM (#11904101) Homepage
        Skyshock21,

        You'll see that my site contains (what I claim to be) screenshots of the LimeWire install. I also have registry and filesystem change-logs, which I can post if needed (i.e. if they're actually helpful or of interest, which seems a bit unlikely).

        Can you say more about the LimeWire installation you tested? Where did you get the installer program? Was this current testing? Are you sure you have the current installer?

        I don't mean to suggest that current behavior excuses past bad decisions -- quite the contrary. But things change over time, and if we're to understand the way software actually is getting onto users' PCs, we have to be clear about what specific software is being tested. My article, at least, tried to be quite explicit as to where and when I got the programs at issue (even showing screenshots of the download pages).

        Ben
  • by zymano ( 581466 )
    Is that most files on P2p are Viruses or have trojans in them.

    I tried messaging one person on Kazaalite about the worm in the software he was uploading and he didn't even know where to get antivirus software.

    • by Anonymous Coward
      MOST!!! How on earth can you say that with the vast number of files on the P2P networks? I have downloaded more files than I care to admit and have actually only found one virus (yep, I scan them all just to be sure), and I am quite sure that my experience is not atypical.
  • The bias is right there, bookending the article in small print (Ok, so the whole page is in small print, you get the point).

    From TFA:

    "One program in my sample is notable not for its inclusion of bundled software but for its omission of such software. Not only did LimeWire not include bundled software, but in my testing it also did not show any advertisements beyond promotions for the paid version of LimeWire."

    "This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their wil

    • "Something stinks..."

      That's their server melting down.
    • Is it wrong for a company to commission an article that highlights good points about their software? Is it wrong for FireFox to point out why it's better than Internet Explorer?

      LimeWire has no bundled software, so it commissioned an article from a well-known & reputable source in order to prove it.
      • No one said it was wrong, just pointing out that the author isn't completely objective in his analysis. I happen to agree with his findings based on first-hand experience, but it's concerning when articles like these are presented as impartial journalism.
        • I could understand concern if there was some subjectivity in the review. However, the review is 100% objective -- it gathers facts and reports them. He doesn't give his recommendation, nor does he draw conclusions based on an opinion. That said, Ben did disclose who funded the study, which should remove any concern.
    • I'd have to disagree with you here. From where I'm sitting I think everything is just peachy, you see, he fully disclosed his involvement with Limewire.

      What this does is let you, me, and everyone else decide whether or not to take his words at face value or with a grain of salt.

      Not unlike when Slate runs a piece on MS or when Slashdot posts an article about OSDN. I think it speaks to his integrity that he disclosed this since he likely could have written his article without the disclaimer at all.

      No con
    • The bias is right there, bookending the article in small print

      I think you are confusing the difference between bias and conflict of interest.

      Conflict of interest means someone with responsibility to act impartially also has a personal interest in the outcome of the action. It describes only the situation, not the actual decision.

      Bias describes when a decision, statement or action is made that favors a particular outcome.

      Conflict of interest is often a flag indicating that bias may be present. It does n

    • As to the small size of the article's text: I suspect you're using Firefox. My CSS has the problem recently described at codestore [codestore.net]. I've hesitated to put absolute font-sizes ("10px") right into my CSS. But font-size x-small is what I need to use in IE to make my page look "right" to the millions of users with IE; Firefox, of course, has its own (arguably more sensible) ideas as to what's medium and what's in fact x-small. So the same code that looks great in IE looks lousy in Firefox.

      Anyone want to sug
      • Thanks to the kind Slashdot'er who wrote with CSS suggestions. Those now visiting the site with Firefox will find a much more reasonable font-size, that still looks good in IE. (Solution: Instead of using medium, small, x-small, etc., use 1em, 0.9em, 0.8em, etc. as uf22 suggests.)
  • Installing sketchy software puts more sketchy software on your machine? Preposterous!
  • soulseek? (Score:2, Informative)

    by ruxxell ( 819349 )
    How is it that Soulseek stays off EVERYONE'S RADAR? In all my "research" of what the RIAA is busting this week, I have never once even heard Soulseek get namedropped. It's almost like they don't even realize it exists. Which, of course, makes me very very happy.

    but yeah, go soulseek. eff these other p2ps.
  • by idealego ( 32141 ) on Thursday March 10, 2005 @04:16PM (#11903935)
    The author only tests P2P software known to have spyware in it so the results aren't surprising. eMule runs on the eDonkey network, it's open source, no spyware/malware and it's an amazing program.
  • OSS piracy (Score:1, Interesting)

    by Anonymous Coward
    One thing threatening Open Source today--piracy.

    As we have already seen [slashdot.org], the GPL is under attack from evil forces known as "pirates." These shadowy folk silently steal source code and violate the GPL, infringing on the rights of GPL authors. They are nothing more than thieves getting a free ride off the work of others, and I for one am disgusted at the idea of it. As you can see in the previous article, clearly Slashdot is also sickened by the idea of copyright infringement and piracy.

    Some have even call
  • by 5n3ak3rp1mp ( 305814 ) on Thursday March 10, 2005 @04:33PM (#11904135) Homepage
    Funny, you'd think "stealing" would be easier/better on PCs... On this OS X machine we have the following tools:

    1) Acquisition. All the search hits with none of the spyware, plus a snazzy interface.
    2) Azureus. Everyman's BitTorrent client (only gripe is the high CPU usage)
    3) eetee. Interesting p2p app. No spyware.
    4) HandBrake. Easiest-to-use DVD ripper in existence, on any platform.
    5) Many other p2p clients in various levels of development... all with no spyware

    Still snickering at the Windows holdouts...
  • Would be nice if his survey also included effective removal methods for each installed item. Then it would be really useful and informative.
  • I mean, how much does it take to just guess that some of these programs might be loaded with gunk code that doesn't belong on your machine?

    eMule runs fine, finds most anything I bother to look for, and doesn't come with crud. Between that and minor torrent usage, who needs Kazaa of any kind?

    W/regard to the RIAA and company, how long until they come up with a P2P sharing program put out through a front company to engage in a sting? Tinfoil hat maybe, but as stupid as they are, sheer statistics alone s
  • Perhaps that applies to a Mac to a lesser extent. If you use Unix/Linux, don't get too smug. Might I suggest one thing: use a separate account for anything questionable: all your P2P, "Instant Messaging" and possibly any action that may produce spam. Also consider that IRC is faster than "IM" and talk(1) is 'realtime'. Talk(1) is secure, unlike IRC on a trusted server where SSH is used.

    "Where's the beef?"

  • by pg110404 ( 836120 ) on Thursday March 10, 2005 @05:01PM (#11904452)
    There are two types of p2p networks.

    1) The likes of bittorrent. You download from an authoritative server a 'control' file that has an MD5 checksum of a file you want. Very difficult or impossible to spoof the saved file.

    2) The likes of kazaa. You query other machines on the network for files and pray it's not riddled with spyware, etc. It's probably far too easy to create a virus, giving it an enticing name like 'xpcrack.exe' and plop it in your shared folder and wait for someone to pick it up.

    Why would the makers of kazaa bundle spyware/trojans etc directly into their application when it's easier to allow the user to search for something they want and have a hit not on what they really wanted but spyware masquerading as what they wanted?

    I've loaded kazaa on a sandbox computer and downloaded executable files pertaining to cracks of various kinds, and virtually all of them were not cracks at all but were trojans/viruses, etc.

    Bundling trojans/spyware into an application is slow, restrictive and pointless when there are so many more effective ways to do so, including activex, email worms, seeded trojans in the p2p network, etc.

    Kazaa itself and the multitude of files associated with its install for example is reported as spyware, but probably in the most generic term of the fact that whatever files are set up as shared are accessible and thus the program is considered "spyware" for giving that information up. If you go into its options and set up the shared directory, or what you want to share or not, it's not likely to divulge or give up any serious information or data.

    But I don't really care, because I don't really trust apps these days that don't have source code with it.
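    The hash-verified "control file" the comment above describes is a .torrent metainfo, whose `pieces` field holds one SHA-1 digest per fixed-size piece, so a peer that serves altered data is caught before the data is kept. As an added example (not code from the article or from anyone in this thread), the Python below decodes such a metainfo and reports which pieces of a payload fail verification; the metainfo, payload and tracker URL are constructed in the script.

```python
# Added example (not from the article or this thread): check downloaded data
# against the SHA-1 piece hashes carried in a .torrent metainfo file.
# The metainfo, payload and tracker URL below are constructed for the demo.
import hashlib


def bdecode(data: bytes):
    """Decode one bencoded value: integers, byte strings, lists and dicts."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                      # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                      # dict: d<key><value>...e
            result, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                result[key], i = parse(i)
            return result, i + 1
        if c.isdigit():                    # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            start, length = colon + 1, int(data[i:colon])
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(value) -> bytes:
    """Encode ints, bytes, lists and dicts (dict keys sorted, per the spec)."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(map(bencode, value)) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(bencode(k) + bencode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def verify_pieces(metainfo: bytes, payload: bytes) -> list:
    """Return indices of pieces whose SHA-1 differs from the metainfo's 'pieces'."""
    info = bdecode(metainfo)[b"info"]
    piece_len, digests = info[b"piece length"], info[b"pieces"]
    n_pieces = -(-info[b"length"] // piece_len)          # ceiling division
    if len(digests) != 20 * n_pieces or len(payload) != info[b"length"]:
        raise ValueError("metainfo and payload disagree on size")
    bad = []
    for idx in range(n_pieces):
        chunk = payload[idx * piece_len:(idx + 1) * piece_len]
        if hashlib.sha1(chunk).digest() != digests[idx * 20:(idx + 1) * 20]:
            bad.append(idx)
    return bad


def make_metainfo(name: bytes, payload: bytes, piece_len: int) -> bytes:
    """Build a single-file metainfo for payload (stands in for the tracker's copy)."""
    pieces = b"".join(hashlib.sha1(payload[i:i + piece_len]).digest()
                      for i in range(0, len(payload), piece_len))
    info = {b"name": name, b"length": len(payload),
            b"piece length": piece_len, b"pieces": pieces}
    return bencode({b"announce": b"http://tracker.example/announce", b"info": info})


# Constructed sample: a 50-byte "file" split into 16-byte pieces (4 pieces).
GOOD = bytes(range(50))
METAINFO = make_metainfo(b"sample.bin", GOOD, 16)
# A peer serves two altered bytes inside piece 1; the other pieces are intact.
TAMPERED = GOOD[:20] + b"\xff\xff" + GOOD[22:]

if __name__ == "__main__":
    print("pieces rejected (good copy):", verify_pieces(METAINFO, GOOD))          # []
    print("pieces rejected (tampered copy):", verify_pieces(METAINFO, TAMPERED))  # [1]
```

    A client that does this per piece can discard and re-request only the altered piece instead of the whole file, which is what makes the tampered-peer problem a nuisance rather than a compromise.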
  • by bill_mcgonigle ( 4333 ) * on Thursday March 10, 2005 @05:39PM (#11904815) Homepage Journal
    Don't forget, there was a story [slashdot.org] here about an interview with Ben a couple months ago.
  • I have been using eDonkey on Mac OS X for a few weeks now to grab a few files, and from my shallow observation, I don't think any spyware was installed on my machine. Yeah, I know, Macs don't really have the spyware / virus problem that PCs do, but it is interesting that the same program in the Macintosh world appears to be completely legitimate.

    What is my observation? I use almost exclusively the Firefox browser (rarely use Safari), and I haven't seen any issues with pop-ups or page hijacking. Of course,
