Spyware Analysis of P2P Software
rhizome writes "Benjamin Edelman, a PhD candidate in Economics and a Law student at Harvard, has analyzed the hidden (or not) additions to a user's machine when they install some of the major Windows P2P clients. He analyzes the length and readability of their licenses, what is revealed or hidden in the software's installer and includes screenshots for illustration. Clear, concise and eye-opening."
Law AND Economics? (Score:5, Interesting)
When someone who's both a lawyer and an economist says a license is difficult to interpret, I tend to believe them. Even his assertion that these licenses are obfuscated is, itself, obfuscated.
Lawyer, economist, and paid shill? (Score:5, Interesting)
The disclosure does say something for his integrity, but I fear his appraisal may be somewhat biased (intentional or not) in favor of LimeWire.
Re:Lawyer, economist, and paid shill? (Score:2, Informative)
Re:Lawyer, economist, and paid shill? (Score:4, Informative)
Comment removed (Score:5, Informative)
Re:Lawyer, economist, and paid shill? (Score:5, Informative)
Re:Lawyer, economist, and paid shill? (Score:5, Interesting)
So if anyone from any of the major OSS companies is listening - you might want to help fund the testing of the various OSs via Consumer Reports as well as some of the Open Source Software (OSS) itself versus the Closed Source Software (CSS) versions. Like Open Office versus MS-Office and the like.
Just a thought.
Re:Lawyer, economist, and paid shill? (Score:4, Interesting)
Where CR doesn't distinguish itself is in technical evaluations, software in particular. I could wish for more rigor when it takes on projects like these.
Historically, the rolloff makes a fair amount of sense, as CR writes for a general rather than technical audience. And, as I often argue, you can't understand computing infrastructure as if it were a kind of appliance. Appliances are finite. Infrastructure exists for its potential.
But as our daily lives become increasingly involved with technology, I often wish that CR could use its leadership and methodology to inform the technology marketplace as well.
paid shill? (Score:2)
Instead of eDonkey, he could have chosen eMule, which happens to be a GPL replacement.
I believe there is also a replacement for Morpheus, but I would rather use specialised P2P clients. (I think Shareaza is comparable to Morpheus, which happens to be
Compare with the worst and you look just fine.
Re:Lawyer, economist, and paid shill? (Score:3, Insightful)
> experience has not been so good.
I too remember helping Windows victims recover from being assaulted by LimeWire in the past. But they have seen the light and repented of their wickedness, including no spy/adware with more recent versions; and the software itself is Free Software, available under the GNU GPLv2. They even have a CVS repository. With those conditions, spyware would be a bit hard to get away with.
Go look at www.limewir
LimeWire disclosure (Score:1, Redundant)
Disclosures
This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public.
Re:Law AND Economics? (Score:5, Funny)
> interpret, I tend to believe them
Personally I'm not convinced until I'm told it by someone who maintains other people's Perl for a living!
Re:Law AND Economics? (Score:2)
Re:Law AND Economics? (Score:2)
None of the Open Source ones checked? (Score:5, Interesting)
What about Shareaza?
Re:None of the Open Source ones checked? (Score:1)
Re:None of the Open Source ones checked? (Score:3, Informative)
Re:None of the Open Source ones checked? (Score:1, Insightful)
I don't think you'll see any out there with spyware, if any at all
Re:None of the Open Source ones checked? (Score:5, Informative)
Re:None of the Open Source ones checked? (Score:2, Interesting)
More about FastTrack here [pcquest.com]
Re:None of the Open Source ones checked? (Score:1)
FastTracker - Alternative to the "lite" versions. (Score:2)
For now there's nothing wrong with it, but depending on the vote in the EU about patents, things may get a little problematic.
BTW: FastTracker [wikipedia.org] is also the name of a sound module tracker made by Triton (now Starbreeze).
Re:None of the Open Source ones checked? (Score:2, Informative)
LimeWire is open source; the pre-compiled binaries have banner ads, as noted in the article.
But usually, open source P2P clients have typically been fairly free of spyware. However, there have been a lot of cases where some people have taken the binaries, added spyware, then made it available for download. (At least Azureus got hit by that.) Nothing to do with the coders; there are just people who want to mess up the distribution somehow...
Re:None of the Open Source ones checked? (Score:2)
All it needs is one geek to remove the spyware in the source, recompile and voila!
How satisfying to see... (Score:5, Funny)
(It rhymes with "BitTorrent.")
Re:How satisfying to see... (Score:3, Funny)
I am unable to crack your code.
Re:How satisfying to see... (Score:5, Funny)
Re:How satisfying to see... (Score:2)
Bliss!
Re:How satisfying to see... (Score:3, Informative)
Re:How satisfying to see... (Score:2)
Re:How satisfying to see... (Score:3, Informative)
Well (Score:1)
Re:How satisfying to see... (Score:2)
What BitTorrent DOES give you is a single point of control. This can be useful, and is why I keep a BT client in
Re:How satisfying to see... (Score:2)
1) It is by far the most popular P2P client (or at least protocol); in fact it's more popular than all other P2P clients/protocols combined. Last I heard BitTorrent made up 35% of all net traffic. Perhaps it takes up even more since then?
2) It should be reviewed precisely BECAUSE it has no spyware. Bram Cohen, who doesn't write the official client (anymore that is. Check the about dialog) still organizes everything, and has a refreshing take on privacy and le
Re:How satisfying to see... (Score:3, Insightful)
I am aware (Score:4, Informative)
Serves them right (Score:5, Funny)
For the slower moderators out there today, this is referred to as sarcasm.
Whoda thunk it? (Score:5, Funny)
but NO...it's the P2P programs!
Re:Whoda thunk it? (Score:2, Funny)
Re:Whoda thunk it? (Score:2)
[/aol]
Paid for (Score:2, Informative)
Re:Paid for (Score:1)
Disclosures This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their willingness to let me share my findings with the public.
So perhaps there isn't as much here as you think. I mean maybe he has the only copy of LimeWire without other crap bundled into it!
I don't see BearShare on this list... seems to work ok for me, not that I use P2P, but if I did, I think I would use BearShare....
Re:Paid for (Score:2)
Re:Paid for (Score:4, Funny)
What's his recommendation? (Score:1, Funny)
JK. Serves those people right. Keep things legal, cheapos!
Relevant section (Score:4, Informative)
The relevant parts, for people who can't or don't want to RTFA:
My testing uncovered no bundled software installed without at least some disclosure apparent in a careful and complete reading of all applicable installation license agreements. However, it is possible that programs were installed that I failed to detect, especially if bundled program installations were set to be delayed after installation of the requested P2P software.
Although each P2P installer included at least a vague reference to each program to be installed, certain P2P programs' installation procedures nonetheless present cause for concern. For one, substantive disclosures are generally detailed only in license agreements presented in scroll boxes -- often squeezing thousands of words of text into small windows requiring dozens of page-downs to view in full.
It's not the spyware, it's the black hat hackers.. (Score:4, Insightful)
However, the thing that really worries me is the intersection between P2P and black-hat-hacking skills. That's too much power in one place, and we already know that power corrupts. (The only redeeming point is that sometimes the corruption is pretty funny, like the Gannon/Guckert case.)
Re:It's not the spyware, it's the black hat hacker (Score:4, Insightful)
Re:It's not the spyware, it's the black hat hacker (Score:1)
Really sad that so many consumers are so jerked about by lies. Actually, it's more than sad. It's downright tragic. Reality is *always* going to win out in the long term.
Re:It's not the spyware, it's the black hat hacker (Score:1)
Anyway, this is offtopic, but does anyone know where I can buy a copy of "SCO Unix"? I don't remember how I heard about em, but I know they've been in the news and stuff, so they must be pretty good...
Re:It's not the spyware, it's the black hat hacker (Score:1)
Re:It's not the spyware, it's the black hat hacker (Score:2)
And then the spyware/adware companies sue you for libel, slander, and defamation. Who cares if it's not true? You'll still get soaked for the legal bills. Oh, and where is the money for this anti-spyware organization going to come from?
sigh,
Sch
Re:It's not the spyware, it's the black hat hacker (Score:2)
Let's say company X advertises on Y-program. Where is the falsehood in advertising the fact that X advertises on Y-program? There is none. You would only get in trouble if you said something like "X advertises on Y-program AND X-founder's wife is an inside trader maki
What? No way! (Score:3, Funny)
Little-Known Spyware EULA Provisions (Score:5, Funny)
FYI: (was:Little-Known Spyware EULA Provisions) (Score:5, Informative)
List is far from complete. (Score:5, Interesting)
Re:List is far from complete. (Score:4, Funny)
What programs were included (Score:5, Informative)
Preparing these detailed analyses is surprisingly time-consuming -- lots of license text to read, lots of screenshots to make, lots of measurements and other tests (registry, filesystem, etc.). So at least for this initial run, I had to limit myself to a manageable number of P2P programs. In general I tried to focus on the programs believed to have the largest market share -- the programs that would infect the most PCs with unwanted software if such programs in fact contain unwanted software.
WinMX would be a good candidate for inclusion in a follow-up piece. And there are plenty more too.
Or perhaps someone else will be so kind as to take over where I've left off!
Ben
Re:What programs were included (Score:3, Funny)
On a more serious note, I think that this is a fantastic piece of analysis. I did a simple version of this last year (nothing formal enough to publish, but interesting) and it took days, because KMD, etc., so thoroughly destabilize a PC on installation that you have to spend hours cleaning/reinstalling/etc., each time.
Re:What programs were included (Score:2)
Give you a nice clean sandbox to play in.
Re:What programs were included (Score:2)
Re:What programs were included (Score:2, Funny)
I see you are new here. Welcome!
Very true... (Score:5, Interesting)
Around 300 files, mostly registry entries, as well as Gator were on his computer; combined it all took up roughly 35% of his RAM to run, and on his 128MB chip it was difficult to even play Civ or Counter-Strike without extreme slowdown...
Is it just me, or did KaZaA seem the scourge of commercialism when it first started? Heck, since then it's become a veritable beacon of it.
"Clear, concise and eye-opening." (Score:1)
Comment removed (Score:4, Informative)
Re: (Score:1)
Re:Use Webroot's SpySweeper (Score:3, Informative)
Allegation of LimeWire Installing Bundled Software (Score:4, Informative)
You'll see that my site contains (what I claim to be) screenshots of the LimeWire install. I also have registry and filesystem change-logs, which I can post if needed (i.e. if they're actually helpful or of interest, which seems a bit unlikely).
Can you say more about the LimeWire installation you tested? Where did you get the installer program? Was this current testing? Are you sure you have the current installer?
I don't mean to suggest that current behavior excuses past bad decisions -- quite the contrary. But things change over time, and if we're to understand the way software actually is getting onto users' PCs, we have to be clear about what specific software is being tested. My article, at least, tried to be quite explicit as to where and when I got the programs at issue (even showing screenshots of the download pages).
Ben
Re:Allegation of LimeWire Installing Bundled Softw (Score:2)
I think a good way to improve your page would be to state, for each tested program:
* Download URL
* Version downloaded
* MD5sum of the downloaded file
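Both the registry/filesystem change-logs Ben mentions and the download URL, version and checksum the reply asks for come down to hashing files. This is an added example, not code from the article or the thread: it records an installer's provenance, then snapshots a directory tree before and after an install and reports what was added, removed or modified. The installer, the URL and the "install" itself are constructed so it runs offline.

```python
# Added example: installer provenance record plus a before/after filesystem
# change-log. Everything under demo() is constructed sample data; the
# example.invalid URL is a placeholder, not a real download location.
import hashlib
import os
import tempfile

def file_digests(path, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for one file, hashing in 64 KiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def record_provenance(installer_path, download_url, version):
    """The three facts a tester should publish for each program under test."""
    return {"download_url": download_url, "version": version,
            "digests": file_digests(installer_path)}

def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = file_digests(full, ("sha256",))["sha256"]
    return result

def diff_snapshots(before, after):
    """Classify paths as added, removed or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed run: a fake installer drops a bundled DLL and flips a setting."""
    root = tempfile.mkdtemp()
    _write(root, "setup.exe", b"MZ constructed installer bytes")
    _write(root, "app/config.ini", b"ads=off\n")
    prov = record_provenance(os.path.join(root, "setup.exe"),
                             "https://example.invalid/setup.exe",  # placeholder
                             "0.0-constructed")
    before = snapshot(root)
    _write(root, "app/config.ini", b"ads=on\n")               # modified by "install"
    _write(root, "app/plugins/bundled.dll", b"constructed")  # added by "install"
    return prov, diff_snapshots(before, snapshot(root))
```

On a real test machine you would take the first snapshot before running the installer and the second after a reboot, since the article notes that bundled installs may be delayed until after the P2P client itself is installed.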
Another close topic (Score:2, Offtopic)
I tried messaging one person on Kazaalite about the worm in the software he was uploading and he didn't even know where to get antivirus software.
Re:Another close topic (Score:2, Informative)
Re:fool (Score:2)
But I did create a proof-of-concept virus some time ago. It depended on a user having file extensions hidden for known file types. So you'd name something brittneyspears.mp3.exe. The executable simply contained code to launch and copy a virus executable to the hard
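The trick above, and the 'xpcrack.exe' lure another poster mentions, both depend on a shared folder full of files whose displayed name hides what they really are. As an added example (not code from the thread), this check classifies filenames the way a scanner of a shared folder would: it reports the real, last extension and flags names that would look like media once Windows hides known extensions. The sample listing is constructed.

```python
# Added example: flag shared-folder filenames that rely on Windows'
# "hide extensions for known file types" to masquerade as media.
# Assumption (simplified): every extension in the sets below is "known",
# so Explorer would drop the last one from the displayed name.
import os

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
LURE_EXTS = {".mp3", ".avi", ".mpg", ".jpg", ".zip", ".pdf", ".doc", ".txt"}

def displayed_name(filename):
    """Name as Explorer shows it when the last (known) extension is hidden."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | LURE_EXTS else filename

def classify(filename):
    """Return (verdict, reason) for one filename."""
    real_ext = os.path.splitext(filename)[1].lower()
    shown = displayed_name(filename)
    shown_ext = os.path.splitext(shown)[1].lower()
    if real_ext in EXECUTABLE_EXTS and shown_ext in LURE_EXTS:
        # e.g. brittneyspears.mp3.exe is displayed as brittneyspears.mp3
        return "deceptive", f"displayed as {shown!r}, really {real_ext}"
    if real_ext in EXECUTABLE_EXTS:
        return "executable", f"plain executable {real_ext}"
    return "ok", f"non-executable {real_ext or '(no extension)'}"

def scan(filenames):
    """Classify a whole listing; returns [(name, verdict, reason), ...]."""
    return [(name, *classify(name)) for name in filenames]

# Constructed sample listing of a shared folder
SAMPLE_LISTING = [
    "brittneyspears.mp3.exe",   # lure: shows as an .mp3 with extensions hidden
    "concert_live.mp3",         # genuine media
    "xpcrack.exe",              # executable, shown honestly as such
    "README.txt",
]
```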
What's that smell... (Score:2, Insightful)
From TFA:
"One program in my sample is notable not for its inclusion of bundled software but for its omission of such software. Not only did LimeWire not include bundled software, but in my testing it also did not show any advertisements beyond promotions for the paid version of LimeWire."
"This article builds on paid consulting I conducted for LimeWire. I thank LimeWire for their wil
Re:What's that smell... (Score:2)
That's their server melting down.
Re:What's that smell... (Score:2)
LimeWire has no bundled software, so it commissioned an article from a well-known & reputable source in order to prove it.
Re:What's that smell... (Score:2)
Re:What's that smell... (Score:2)
Re:What's that smell... (Score:2, Insightful)
What this does is let you, me, and everyone else decide whether or not to take his words at face value or with a grain of salt.
Not unlike when Slate runs a piece on MS or when Slashdot posts an article about OSDN. I think it speaks to his integrity that he disclosed this since he likely could have written his article without the disclaimer at all.
No con
Re:What's that smell... (Score:2)
I think you are confusing the difference between bias and conflict of interest.
Conflict of interest means someone with responsibility to act impartially also has a personal interest in the outcome of the action. It describes only the situation, not the actual decision.
Bias describes when a decision, statement or action is made that favors a particular outcome.
Conflict of interest is often a flag indicating that bias may be present. It does n
The small print problem on my site (off-topic CSS) (Score:2)
Anyone want to sug
more off-topic CSS (Score:2)
Something to think about . . . (Score:1)
soulseek? (Score:2, Informative)
but yeah, go soulseek. eff these other p2ps.
Re:soulseek? (Score:2)
Re:soulseek? (Score:2)
BitTorrent is too much of a pain to find things to be worthwhile for music, honestly. I don't *want* to have to hunt around on different tracker sites. I like having that central network, from the perspective of getting the things I want.
And I have never, ever donated, and never had download priority problems.
Use eMule - Open Source - No Spyware (Score:3, Informative)
OSS piracy (Score:1, Interesting)
As we have already seen [slashdot.org], the GPL is under attack from evil forces known as "pirates." These shadowy folk silently steal source code and violate the GPL, infringing on the rights of GPL authors. They are nothing more than thieves getting a free ride off the work of others, and I for one am disgusted at the idea of it. As you can see in the previous article, clearly Slashdot is also sickened by the idea of copyright infringement and piracy.
Some have even call
P2P is better on Macs? (Score:4, Informative)
1) Acquisition. All the search hits with none of the spyware, plus a snazzy interface.
2) Azureus. Everyman's BitTorrent client (only gripe is the high CPU usage)
3) eetee. Interesting p2p app. No spyware.
4) HandBrake. Easiest-to-use DVD ripper in existence, on any platform.
5) Many other p2p clients in various levels of development... all with no spyware
Still snickering at the Windows holdouts...
Uh... (Score:2)
Yes, as a person who uses a Windows laptop all day at work and troubleshoots and repairs countless friends' and family members' PC machines, I freely admit that I AM an arrogant M
Cursor (Score:2)
One thing missing (Score:2)
Is anyone actually surprised? (Score:2, Insightful)
eMule runs fine, finds most anything I bother to look for, and doesn't come with crud. Between that and minor torrent usage, who needs Kazaa of any kind?
W/regard to the RIAA and company, how long until they come up with a P2P sharing program put out through a front company to engage in a sting? Tinfoil hat maybe, but as stupid as they are, sheer statistics alone s
Looks like a Windows problem to me (Score:2)
Suggest one thing: use a separate account for anything questionable: all your P2P, "Instant Messaging" and possibly any action that may produce spam. Also consider that IRC is faster than "IM" and talk(1) is 'realtime'. Talk(1) is secure, unlike IRC on a trusted server where SSH is used.
"Where's the beef?"
Was this even necessary? (Score:3, Informative)
1) The likes of bittorrent. You download from an authoritative server a 'control' file that has an MD5 checksum of a file you want. Very difficult or impossible to spoof the saved file.
2) The likes of kazaa. You query other machines on the network for files and pray it's not riddled with spyware, etc. It's probably far too easy to create a virus, giving it an enticing name like 'xpcrack.exe' and plop it in your shared folder and wait for someone to pick it up.
Why would the makers of kazaa bundle spyware/trojans etc directly into their application when it's easier to allow the user to search for something they want and have a hit not on what they really wanted but spyware masquerading as what they wanted?
I've loaded kazaa on a sandbox computer and downloaded executable files pertaining to cracks of various kinds, and virtually all of them were not cracks at all but were trojans/viruses, etc.
Bundling trojans/spyware into an application is slow, restrictive and pointless when there are so many more effective ways to do so, including activex, email worms, seeded trojans in the p2p network, etc.
Kazaa itself and the multitude of files associated with its install for example is reported as spyware, but probably in the most generic term of the fact that whatever files are set up as shared are accessible and thus the program is considered "spyware" for giving that information up. If you go into its options and set up the shared directory, or what you want to share or not, it's not likely to divulge or give up any serious information or data.
But I don't really care, because I don't really trust apps these days that don't have source code with it.
Slashdot Story on Ben (Score:3, Informative)
eDonkey on the Mac (Score:2)
What is my observation? I use almost exclusively the Firefox browser (rarely use Safari), and I haven't seen any issues with pop-ups or page hijacking. Of course,
Re:LimeWire safest. (Score:2)
Re:just a question (Score:5, Informative)
- Works well (IMHO)
- Open source and Free (beer)
- Connects to Gnutella, Gnutella2 and Emule networks
- Built-in bittorrent support.
Re:I've got a solution to spyware! (Score:2)
Whether it's walking out of a store with a five finger discount or downloading via BitTorrent, or your favorite application here.
Although I do admit a lot of BitTorrent links are for useful things like OSS applications, but many more aren't OSS.