Blogging the ASC: New Market Trends in Responding to Spyware

Posted on June 28, 2007 - 18:02 by egeorge

We have one more panel's worth of notes from our blogging of yesterday's Anti-Spyware Coalition conference. Here, StopBadware researcher Oliver Day shares his notes on the Trends panel, which closed out the day at the conference:


* The interstitial page. Creates a way to warn users of the search engine when a website is possibly infected.
* The Ghost in the Browser paper by Niels Provos et al. Technical paper on the methodologies used by Google to determine "badness"
* Safe browsing API overview. Opening up more information to the end users
* Online security blog. Tech oriented blog that is a day to day journal of the group.


* Program whitelists
* Affiliate networks offloading responsibility


* Educating consumers
* Guideline creation and security tips for site owners
* Community building via discussion groups, etc.

Site Advisor:

* Built for consumers by MIT engineers
* Bots testing for annoying behaviors


How do all these pieces fit together in the security ecosystem?
Orgs like Truste try to fill in particular niches like deep product reviews. Google is trying to make searching safer. Stopbadware is in a unique position as a non-profit to act as a watch dog against corporations (see AOL report).

Are we acting as arbiters of the Internet? What happens when we get something wrong? Versions change often (think updates) so how valid are product certifications?

Google claims near zero False Positives based on vetting through partners. No one should surf securely feeling that they are protected from *all* things. How does one "look both ways" when you are browsing web pages?

False positives can be dealt with on a programmatic level. Creating decays on bans, white lists, etc.

Will/do consumers want their computers to be like appliances?

Porn is a vehicle for a badware codec.

How do we compensate for human stupidity?

How do we evade the bad guys when they know where we are (IP address)?

Community helps develop reputation systems.

What is the opinion of these groups for certifications by other groups? Things marked bad by different orgs are likely to be bad. Things marked good should still be viewed with skepticism.

Blogging the ASC: Public Policy & Legislation

Posted on June 27, 2007 - 20:17 by egeorge

Continuing with the live-blogging of the Anti-Spyware Coalition conference, here are StopBadware intern Mike Connolly’s notes on the Public Policy discussion panel:

John Palfrey, Executive Director of the Berkman Center, is the moderator of this segment. He is joined by Ari Schwartz, Deputy Director of the Center for Democracy and Technology, and a representative from the Federal Trade Commission’s Bureau of Consumer Protection (a late substitute for another FTC speaker).

Mr. Palfrey started by asking Mr. Schwartz for a general overview of the legislative landscape with respect to Badware…

Schwartz noted that there are at least two key statutory tools in effect. First, there are the basic fraud statues that cover unfair and deceptive trade practices, both in the online world and in terrestrial space. These statues exist on both the Federal and State levels. Second, there is the Computer Fraud and Abuse Act (18 U.S.C. § 1030)—this is a criminal statue that was originally passed by Congress in 1986 to thwart “hacking.†The act was most recently amended to include stiffer penalties under the USA PATRIOT Act of 2001, and the Department of Justice used it to indicte the creator of the Loverspy software in 2005. And last year, this statue was used in the conviction of a California man who was distributing badware via botnets. He was sentenced to five years in prison.

Next, Schwartz discussed pending legislation, including the SPY Act and the I-SPY Act. The SPY Act easily passed the House earlier this year. It is a short bill that would toughen criminal penalties for bad(ware) actors, but it also contains a controversial imposition of mandatory language for notice provisions. The software industry is generally concerned that this will result in too many flashing pop-ups, creating a user experience that actually mimics adware behavior. Furthermore, the SPY Act would preempt existing Spyware laws on the State level, and it also contains a number of “broad exceptions.â€

While the Center for Democracy and Technology generally supports enhanced penalties for creators and of spyware, Schwartz’s preference is for the I-SPY Act, another piece of legislation recently passed by the House which also calls for tougher penalties.

Also on the radar is the Counter Spy Act of 2007. This was introduced by Senator Mark Pryor and has received attention in the past few weeks. Schwartz speculated that this bill has something of a shot at movement through the Congress since Pryor is from majority party and sits on a related committee.

Next, attorney and internet expert John Levine asked about the politics surrounding the pending legislation...

According to Schwartz, advertisers generally do not care for "Good Samaritan" provisions aimed at protecting anti-spyware companies and organizations. Nevertheless, Schwartz notes that even with Good Samaritan protection, Spyware producers may continue to take action on other grounds. Therefore, Schwartz would prefer to see a statement from Congress that declares anti-spyware tools to be "good" and in the public’s interest.

Bottom line: the CDC would be happy with a proposal that enhances spyware penalties and does not preempt other State law. Schwartz points to the Zango case as an example of the lack of civil penalties, and he cites the action taken in the Sony rootkit case as an example of useful State law in this area.

Another member of the audience also noted that the advertising community is generally concerned that Congress is trying to regulate behavioral targeting. Schwartz says the SPY Act is not designed to do this—but that members of Congress are in fact interested in regulating behavioral targeting via other privacy legislation.

Mr. Palfrey then asked the FTC representative about the usefulness and/or inadequacies of the existing body of law. She has been litigating spyware cases with the FTC since 2004. She explained that when she started, there was no federal law explicitly designed to apply to spyware. Therefore, she and her colleagues looked to the broad language under section 5 of the FTC Act outlawing "unfair and deceptive trade practices." In the past few years, the FTC has used this act to target some of the more nefarious spyware actors, including Seismic Entertainment.

So, is there a good argument that we do not need any new law? Could we just get by on section 5? The FTC’s general position is that new law isn’t needed, and that there is a danger in enumerating certain prohibitions since that might suggest a defense to Spyware developers since the latest exploits will always be one-step ahead of the law...

Furthermore, the FTC has pushed for greater civil penalties since it can be considerably more difficult to prove consumer injury in spyware cases than in other, more traditional cases where damages are more readily quantified. Mr. Palfrey suggested that the ASC community could play a role in helping to develop a better understanding of Spyware’s cost in this regard…

In general, the FTC is working to enforce principals of express consent, clear and conspicuous disclaimers, and readily available uninstallers. In the coming years, the FTC will continue to focus on establishing principles and targeting crime. They will also be on the lookout for legitimate companies with practices that "cross the line." However, it was also noted that resources are particularly thin, as the FTC has only pursued a handful of cases over the past few years.

Blogging the ASC: Spyware and Domestic Abuse

Posted on June 27, 2007 - 20:11 by egeorge

Jason Callina, a StopBadware senior developer, shares his notes on the ASC lunchtime discussion about the use of spyware in domestic abuse:

Cindy Southworth of the National Network to End Domestic Violence introduces a victim of domestic violence including abuse via spying and monitoring through software installed on her computer without her knowledge.

Cindy has been doing work to end domestic violence for 14-15 years. She grew up in a family of geeks which gave her a strong technical background that infoms her current line of work. Cindy chose to go down the path of social change and found a perfect combination of her skills in this topic.

She states that less than 10% of shelters have firewalls and similar security measures. This represents a serious security risks for victims of domestic abuse and others staying at shelters. This represents a very vulnerable segment of society.


The presenter (who is anonymous for obvious reasons) is educated, young individual currently volunteering with domestic violence issues doing service work. Consultant on several boards. She noted that she has young children who she is also concerned for. The conversation is structured as questions from Cindy with answers from the presenter.

Q: How did you end up getting in a relationship to the abuser?

A: After college, she was facing several options and was unsure what road to take in her life and career. She met a charming, handsome individual, who appeared to have an excellent personality and background profile. The start of the relationship was calm and without incident. Control issues started to pop up later in an incremental fashion. Abuser slowly integrated controlling behaviors into their relationship using tactics like defining the relationship parameters with family members and friends and insisting on the structure of her communication.

He attempted to define who she was through influential suggestions on changing her appearance and gradual control of other aspects of her life. Six months into the relationship he slowly integrated verbal attacks. Physical abuse started after a year. At first they seemed accidental and out of character for the person, but they continued and became a constant aspect of the relationship.

The abuser had them move frequently, to keep her isolated from friends and family. Due to the nature of the physical abuse she was concerned about her life and the life of her unborn child. She felt that he was directly trying to kill her unborn child through physical attacks on herself.

There were threats that if she was to seek help she would be killed. Her parents became concerned due to lack of contact and sent police to check on her. Abuser silently threatened to kill child while the police officer was present, but not in the officer's view, so she lied to protect her child and herself. Threats were also made to her family and others.

Surveillance and Monitoring

He would have friends check on her and befriend them to make sure she was in line with what he expected of her behavior. He gained the trust of her co-workers and their impression was that he was very likable.

He began monitoring her cell phone to find out who she called and who had called her. He monitored her email and set up passwords so he would have access to all of her online accounts. The abuser also sent emails out in her name to her friends.

The abuser used keyloggers and other tracking mechanisms to monitor and control her behavior. Once he misinterpreted the results of the key logs, accused her of behavior she was not guilty of and almost beat her to the point of death. Computers were her last contact to the outside world and she had to stop using them to protect herself and her family. Court hearings eventually revealed that he was using spyware to track her movements.

Cindy states that most homicides occur at the point the victim tries to escape.

She used her computer at work to plan her escape. Thankfully he was not able to track the data on this machine. His technical level was low, yet it was easy for him to learn and use these technologies to his advantage.

Remaining anonymous

She only does research online, and commits no personal financial information on her computer. She rotates passwords and names every six months. Her children are allowed no web access to protect her familiy's identity. She keeps multiple identities and uses them based on whatever task she is undertaking. No personal information about location is ever posted online, and she has changed her social security number and other trackable information.


Q & A from the audience:

Q: Are there resources available for abusers on how to implement these techniques and technologies?

A: Unfortunately, there are groups that target and share information on how to spy on your spouse and control their behavior. It has been suggested that some of these connections are made when individuals meet at mandatory classes for the prevention of domestic violence.

Q: Do restraining orders cover spyware?

A: Possibly, sometimes the restraining order will dictate that the abuser cannot contact the victim via a third party. Some law enforcement officials consider spyware to be a third party contact.

Q: What do people do when they suspect they are being tracked via spyware?

A: Use a safer computer, such as one at work or at a library or other public resource. It is to be noted that not using the home computer can be an indicator of knowledge of surveillance, so you need to be careful about drastic changes in behavior. If you think the computer is compromised, treat it like it is.

There are very little technical forensics resources available to low enforcement agencies but if you are going to the police you need to keep the computer intact to preserve evidence. This entails not running anti-spyware or malware applications which could potentially destroy evidence.

If you are not going to the police and need to quickly remove all possible tracking capability wiping the computer is the best solution to keep you safe.

Leaving your computer unsupervised or having an open wireless connection could also leave you open to monitoring.

Keyloggers can come in the form of hardware and software. If you have a hardware logging mechanism in place the only way to protect yourself against it is to physically remove it.

Q: Does facial recognition on photos or tagging pose security risks?

A: Allowing friends to post information about you or tag your photos on social networks or other boards opens up a huge tracking potential. As facial recognition technology becomes more technically feasible it will also introduce a great degree of risk.

Q: What does she tell her children?

A: She limits the public exposure they have. They also use multiple identities and addresses on public record.

Q: Why isn't he in jail?

A: Because the laws don't adequately cover or punish domestic violence.

Q: Can you volunteer?

A: Yes - See the NNEDV website for information.

Q: When does abuse end?

A: Grimly, via the death of the abuser or when an abuser focuses on a new relationship.