The Pure Software Act of 2006 261
lurker412 writes "The MIT Technology Review features a proposal by Simson Garfinkel to provide honest labels on software in the same way that the Pure Food and Drug Act of 1906 forced manufacturers of foods and drugs to divulge the contents of their products. The proposal targets adware, spyware and other unsavory practices. It suggests that by requiring software manufacturers to include clear icons for each nasty behavior--rather than hide the disclosures in seldom read or understood click-through SLAs--end users will be better protected. Garfinkel specifically lists eight types of sneaky behavior, but the list is not meant to be exhaustive."
The 'Evil' Bit (Score:5, Interesting)
Anyway, did anyone else read this and think immediately of the Evil Bit? The whole thing has got to be a joke, right?
Re:Erm... (Score:2, Interesting)
Reward good, instead of punishing evil (Score:5, Interesting)
Re:Like requiring thieves to pay taxes on thier lo (Score:2, Interesting)
Of course not, but the makers of legitimately well behaved products will. You look at two food cans... one has a label with ingredients and such and the other one doesn't. Which one will you eat?
This to work would require one or more bodies like the ESRB to test products, assign the correct labeling, and go after abusers.
NO! (Score:5, Interesting)
I *don't* want that to happen with software! I'd much rather retain the right, as fair use, to legally modify crap-ware, and also have the right to discuss the details of that modification with other people.
Why aren't we blaming Microsoft? (Score:3, Interesting)
I would get 0 adware/spyware if Microsoft wrote a little bit of security into their operating system in a few ways:
- Record log of installed files (prompt for any files being installed in non-specified directlories.. ie: If realplayer trys to install realisawesome.dll in C:\windows\system32, WINDOWS itself prompts me.)
- Prompt for any programs trying to start up with the computer
- Have only one method for a program starting up with a pretty little 'startup' icon in the control panel
- Disable IE's install on demand by default (probby most common method for spyware)
- Allow users to disable popups without a fucking extra program (fuck developers and their incessant popups - MS gives way too much control to them and none to the end user)
- Have Windows control the uninstall and not some crappy script written by the same company that wrote the crappy software that user wants to uninstall cause' it was crappy
- Allow the user to enable plugins only when desired (disable flash advertisements and stuff)
- Quit allowing programs to install a shortcut in startup, the quicklaunch bar, the desktop, every goddamn folder on the computer, favorites, and quit launching a secondary program just to launch a button that launches the main program!!!
This is how you could fix things in Windows.. Linux is pre-fixed.
So, you Linux nerds, why the hell aren't we trashing Microsoft in this thread? They're fixing 'security', but not the type of shit Mr. Stupid Enduser cares about.
More evil bits .... (Score:5, Interesting)
The right solution would be technical, not legal (Score:5, Interesting)
(Legislative solutions are suboptimal/dangerous for many reasons. They are over-broad, in that they apply even to consenting adults who wish to engage in the behavior without meddlesome government oversight; cf prostitution. And they're too-narrow, in that they can by necessity only apply within the country's legal jurisdiction, whereas software distribution is an international operation)
Turn now to the second page the Pure Software [technologyreview.com] proposal. The list of potential warning-labels it suggests is: Hook, Dial, Modify, Monitor, Popup, Remote Control, Self-Updates, and Stuck.
All of those things are basically technical features which a well-designed operating system could prohibit programs from using, without permission. The root of the problem is that even after 30+ years of software publication, most programs are still just completely arbitrary lists of instructions: once they're executing, they do whatever they do, and nothing can stop them.
The big exception there is that most OSes, at least, restrict programs on a per-user basis. A program cannot read or edit files to which the executing user has no permission. That's an important step, but one that Unix has had firmly in place since the 80s. As time passes, we need to go further: program priviledges should be restricted not just at the per-user level, but also at finer granularity.
When I download and install a program, I don't want just the option of "run it or don't". I should be able to run it, but without it being able to read any files except those it came with. Or being allowed to read files, but only if I pick them from a system-supplied dialog box. Or read any files, but not write to them, except in a directory I've chosen (and that it can't override). Or write files, but only in specific approved formats (such as those which can't possibly contain executable code). Similar kinds of restrictions suggest themselves for GUI and network areas (including the important points of "phone home" and "data tainting")
To a small extent, Java frameworks (like "Web Start") have attempted to do this, with a list of features the user can individually permit a program to execute. Microsoft
The best way to prevent software from doing something is to use software that prevents it from doing it. (As Lawrence Lessig said, the best and most effective laws for code are more code [amazon.com])
Secret Software Formulas (Score:3, Interesting)
What's to stop someone from saying "This product may contain one or more of the following; ad-ware, spy-ware, automatic updates, and a chance to win $1,000,000"
That last item would be enough to entice most people to buy it anyway.
LK
It's too tied into the GUI model (Score:3, Interesting)
As described, the proposed law would hard-code the concept of using icons to disclose this information. What about fundamentally non-graphical programs (drivers, daemons)? What about overall non-graphical environments (servers, embedded)?
I fear this scheme would further what is already an increasing problem: that everybody wants to attach a GUI to every program, even if it's totally inappropriate (e.g. printer drivers). The proliferation of spurious GUI interfaces leads to the proliferation of inappropriate design choices in exception reporting (pop-ups instead of log files), configuration methods, etc.
I'm not anti-GUI, by the way. I'm anti-inappropriate-GUI, and I fear hard-coding icon requirements into every piece of software makes this trend even worse. Immagine if every
On the other hand, I would definitely like to see these icons displayed on the labels of software packages and disks, or on the web pages that software is downloaded from.
Oh, and something the article didn't mention, but I'd propose this ammendment to the act: Make it hard to add any additional icons (i.e. to make the program behavior worse) in upgrades. If any icons are added, the vendor must either (1) continue to support the old version for future bug fixes, security patches, etc., or (2) refund the purchase price to buyers who choose not to continue using the product. (Obviously, there'd have to be a time limit, but long enough to prevent the use of "incrimental-spyware" as a bait-and-switch technique.)
Re:The 'Evil' Bit (Score:2, Interesting)
Surely though, things like winrar that add funtionality to menus and suchlike would also give grounds for labeling under the "changes operating system" catagory? My point being that not all of the things each catagory describes are harmful to you or your computer, and such vague descriptions as these labels carry could mislead joe-public as to the program's intent.
Another point being, how would each program be labeled if it could only be downloaded from say, an ftp, where there were no visual descriptions outside of the program itself?
On another note though, I think this could work to everybody's advantage IF such creases were ironed out.
Re:The 'Evil' Bit (Score:3, Interesting)
Re:No... (Score:4, Interesting)
Your argument is based on the premise that IE and Netscape are the same in terms of design. Netscape/Mozilla can't be "hijacked" in the same manner because it doesn't use Windows' registry classes to determine what to do with a downloaded file, and it isn't integrated with the Explorer shell. A Netscape browser window instance can't be silently started (without a "head"), and a new filetype can't be opened without the user knowing, or taking action. Likewise, Sun Java and Javascript is limited to things done inside the browser, it doesn't have access to the rest of the operating system.
But disabling IE is not the answer. I predict within a few weeks of you doing this you are undoing it for some higher ranking manager. Then his buddy will find out, and so on. Soon you are supporting not 1 browser but 2. HAVE FUN with your crippling!
Obviously, I can't completely remove it, that would break Windows. I want to use it as a tool for running Windows Update, but I will have to make exceptions for certain trusted sites. It won't be my undoing because my superiors are well aware of the problems that malware causes, and would be happier without pop-ups and system instability. I'm not doing this in secret. I've explained to them the reasons, the effects, and the exceptions where some may have to use IE.
Make the people who are making your job misserable RESPONSABLE for their actions.
I can't go Stalin on my network users. Where there are standard configurations, we use DeepFreeze to restore the computers to the original configuration. Unfortunately, we can't use this everywhere, because it is to inflexible for the users with non-standard configurations.