We're live-blogging the Anti-Spyware Coalition conference taking place today at Harvard Law School. Check for updates on the sessions throughout the day from StopBadware's staff and interns.
The first session is a keynote by Steve Gibson, a veteran security expert, credited with coining and popularizing the term "spyware" and writing one of the first adware removal programs, OptOut. Here are my (rough and paraphrased) live notes on his talk:
The problem of bad software isn’t new. There were viruses even on "SneakerNet" – the early days of gated internet services like CompuServe. The internet has created a more connected playground for the bad guys.
"Spyware begets adware and demonware and preinstalledware and… you-can’t-remove-it-ware."
Hardware vendors now look for money by contracting to pre-install software on brand-new machines. "It takes forever to boot" and the performance isn’t as expected, in part because it’s loaded down with pre-installed software. Typical users don’t know how to even try to uninstall this stuff, and many programs don’t even have an uninstall option.
The nature of the platform being open, "anything that can happen, will happen." There’s a constantly increasing list of real threats. These are real problems, and they affect people’s lives all the time.
Some of this could have been avoided. We’re putting the huge potential of the computer industry at risk. Browser scripting is now relied on for "Web 2.0" applications, but it’s also causing real problems for ordinary users when exploited. Why should anyone’s browser allow third-party cookies enabled by default? There’s a "tyranny of the default" because most users don’t understand how to change their computers’ settings. Some of these problems should be easy for the software industry to solve.
Viruses and spyware aren’t just a game for hackers anymore. As exploiting computers has become profitable, it’s drawn in organized crime. Hackers finding new vulnerabilities now can sell them to the highest bidder. Systematic exploitation of the computer user has become a business model.
There is no easy solution. The PC is no longer changing in revolutionary leaps, but evolving slowly. There is no "next killer app." Users have most of what they need already, and are becoming more and more frustrated. Those of us on the side of the user simply must do the best jobs we can. Educate users, but try not to over-frighten. Keep pushing back, on every front – technical, legislative, education.
The ultimate sadness is when users give up on computers and the internet. Our goal is to keep that from happening.
Q – How do you differentiate spyware from adware, etc.?
A – User knowledge. If the user is fully informed about what’s going onto their computer and what it is going to do, in a way that actually makes sense and is easy to see instead of buried in a license agreement, then it’s fine.
Q – Public policy protects people from doing things like selling their children. Can’t it protect them from selling their personal information, no matter how many disclaimers there are? Users aren’t fully aware of the consequences of giving away their information.
A – Yes, we need to find ways to protect users from their own limited understanding of what they’re agreeing to.
Q – Could there be a long-term benefit to ISPs taking a more interventionist approach?
A – I dislike the idea of imposing those requirements on them from the government level. ISPs don’t want to take any responsibility for content filtering of any sort, but now they do tend to block ports. The technology certainly exists to identify and sequester a bot-infested machine. But we’re a long way from making that happen, policy-wise. It would be expensive for the ISPs, and they would also need protection from liability. Really, the way we see this problem needs to change. We need to take proactive actions against bot networks. We need research to set up honeypots, get infected, and trace back to the botnet masters. Right now, we’re being too reactive, and we need to become more proactive.