Schneier on Security
A blog covering security and security technology.
« MI6 Camera -- Including Secrets -- Sold on eBay |
| Bank Robber Hires Accomplices on Craigslist »
October 2, 2008
"Scareware" Vendors Sued
This is good:
Microsoft Corp. and the state of Washington this week filed lawsuits against a slew of "scareware" purveyors, scam artists who use fake security alerts to frighten consumers into paying for worthless computer security software.
The case filed by the Washington attorney general's office names Texas-based Branch Software and its owner James Reed McCreary IV, alleging that McCreary's company caused targeted PCs to pop up misleading security alerts about security threats on the victims' computers. The alerts warned users that their systems were "damaged and corrupted" and instructed them to visit a Web site to purchase a copy of Registry Cleaner XP for $39.95.
I would have thought that existing scam laws would be enough, but Washington state actually has a specific law about this sort of thing:
The lawsuits were filed under Washington's Computer Spyware Act, which among other things punishes individuals who prey on user concerns regarding spyware or other threats. Specifically, the law makes it illegal to misrepresent the extent to which software is required for computer security or privacy, and it provides actual damages or statutory damages of $100,000 per violation, whichever is greater.
Posted on October 2, 2008 at 7:03 AM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
..."These guys are doing whatever it takes to get you to buy their crap software," he said...
Ironic that Microsoft has a problem with this...
Before even downloading a self-proclaimed antispyware or any other crap I recommend to check the excellent Spyware Warrior's Rogue/Suspect Anti-Spyware Products & Web Sites list:
Any chance of someone punishing scam artists who use fake security alerts to frighten consumers into paying for worthless wars against abstract nouns?
May be someone will sue CNBC/NYT and other crooks for scaring the country that "money" will disappear unless ransom is paid very quickly -- now, this week etc. etc.
May be we can add US Congress and Henry Paulson as co-defendants
When last checked there really isn't any spyware affecting Linux or BSD. I feel sorry for people who buy software and get meh when they could do better for free. Many Windows users are clueless and some have no choice, but just as many ought to know better and don't.
@kwertee: oh please, cut if off already (says a many-years Linux user).
I love this. My company has gotten computers infected with this stuff to clear off. It seems the last few months have been worse than other. I would rather lose the small ammount of income, we get from jobs like this, than for companies like this to continue.
In the state I am located in, there is really no recourse for victims of companies like this one. I always wonderd myself how legal it was to do this. Alot of them look exactly like a MS system pop-up. Hopefully this sends a message, and this kind of stuff goes away.
Here is the section in the Revised Code of Washington that deals with Spyware:
The penalty is set at $1000 per violation. In addition, the court can triple that "if the defendant has engaged in a pattern and practice of violating this chapter." That's got some teeth...
In January of this year, house bill 2879 was raised to add the following deceptive actions:
* Modifying settings for opening web pages, search engines, bookmarks, and toolbars;
* Misrepresenting that software will be uninstalled or disabled by an owner or operator's actions; and
* Misrepresenting that software is necessary for security, maintenance, repair, or privacy reasons.
Maybe because the alleged spyware purveyor lives in Texas they can give him the chair :)
How is this different from those pop-ups who notice how big your pecker is and suggest you buy Viagra?
Try this one for size:
If you download and install the Firefox add-in called Active Whois, the first time you use it, you are prompted to download an executable from Russia that installs itself (bypassing all your security), and then after a bit.. demand money from you to use their service.
Whats more, when I posted on Firefox questions asking people to check to see if this is a spyware / bot / worm loader in disguise, no one responded.
It is still up there... anyone care to check?
Here is the drawback:
People who let themselves be scared into buying a product, simply deserve to have less money.
So, the law is unfair.
"Misrepresenting that software is necessary for security, maintenance, repair, or privacy reasons."
Geeze, would that apply to Microsoft's Automatic "Critical" updates like:
Internet Explorer 7
Windows Genuine Advantage
Of course, Microsoft can do no wrong in Washington State....
Hey, can we keep this on discussion about computers and not partisan politics. You partisan politics people make me sick. Take your crap to your preferred blog of choice and stop poisoning tech blogs with political crap.
Although Linux doesn't generally have spyware like Windows does, it does have viruses and rootkits. It's just that more often the value of a Linux box is as a command and control server, or as a spam blaster, rather than as a means to sniff accounts and passwords. I've never before seen (personally, heard of yes) a desktop Linux system that's been compromised, but I've personally helped clean a nasty rootkit job off a Linux server. Incidentally the rooted system was being used for two purposes, first and foremost it was being used to try to find more hosts to root (we received logs from other hosts as well as inspected our own logs and saw the system attempting a whole slew of exploits, mostly targeted at PHP forum software). Secondly it was being used to send e-mail and forum spam.
A ton of stuff in the computer space that the government has passed special legislation against could be handled under existing laws, without stretching the laws very much at all.
But of course we live in a culture where if you commit a crime with a computer it's automatically 10x worse than if you comimtted an equitable crime without it.
Is that the johnru.com Active Whois? Dang. That's a great tool. Next you'll tell me NoScript is suspicious.
I always wonder what Mozilla Add-ons are safe, or at least how to determine such. I'm not L337 enough to determine it from the sourcecode, so I mostly trust trustworthy friends.
But on this topic, I know my friends and relatives who ask me to fix their PCs very often have PurportedAntiSpyware or SupposedSecurityTools all over the place cluttering things up.
I don't see how this can be illegal when every politician in public office (in the US) got there by convincing the voters (or Diebold at least) that there is a CRISIS RIGHT NOW and THEY are the ONLY ones that can fix it.
Visited the plugin. Odd that there's no version for Linux.
Please resist the temptation to use Bruce's posts as a pretext to bring up unrelated political subjects.
And, Anonymous, spelling flames are not welcome.
When will they go after norton and macafee consumer tools, which, granted are not marketed the same way, but which frequently fall into the placebo category -- personally, I've had to go in and reinstall systems for several people, recently who received trial versions of this "neccesary security software" that crippled their brand-new machines to pre-windows95 slowness....
"Posted by bob" LOL!
I agree with mrgenixus. mcafee and norton are proveably unable to handle certain virii that I've handled and they cripple systems.
The simple fact is that they're only able to handle the stuff written by incompetent quiche eating VBScript programmers.
I would like to see some action taken against the people that accept such advertisements. I've seen some legit sites have these lying ads on them, and I think it's irresponsible of them to allow that to happen. If they are from a service, then it is the responsibility of the service to review the ads. You cannot allow unscrupulous people to target your users and claim that you are innocent.
There are a couple or three "elephants in the room" with this issue.
Firstly with regards to the likes of Norton, Mcafee etc
They have been accused in the past of writing "protection" for malware that did not exist outside of their labs and of deliberatly ignoring certain rootkits developed by a large media organisation.
Further Mcafee had significant issues with the fact that it's software had lowlevel hooks into MS Browser software, and they did not do update testing on some MS platforms (ME) correctly. The resulted in compleatly corupted machines that even their thirdline support staff could not sort out. I eventually had to do a compleate re-instal on a journalist's computer which Mcafee's software had "infected" and "disabled".
Secondly as for MS (and others) and their past security software attempts...
I'm just thankfull that there are alternative OS's out there (apart from Linux ;) where the number of attacks are less frequent, they tend to be easier to "lock down" and some of the OS vendors/suppliers have a history of making security patches available fairly promptly (by the then prevailing industry standards).
Thirdly should compleate ICT novicies be alowed to conect to public networks to the detriment of others (after all in most "western" countries you need a license insurance and a road worthy car to drive on the public roads)
But should there be extra legislation to invent new crimes?
Especialy when as some have pointed out above it appears to protect those companies who's (in/)actions caused the problem to start with...
Then in such a fast moving industry there are the questions of how do, unknowledgable legislators frame it correctly, and even less knowledgable authorities implement, it down to the judges and juries that have little or no hope of understanding it decide on guilt or not.
I just feel we are going about the whole thing the wrong way.
I think you just hit the nail on the head.
There is no linux version because they cannot let you see the code...
I did not install the file... (just the plug in that requested the file).... but my bet is it is spyware / worm / etc.
didn't M$ do the same - every new windows version they promised more security?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.