Is Sears Engaging in Criminal Hacking Behavior?

Join "My SHC Community" on Sears.com, and the company will install some pretty impressive spyware on your computer:

Sears.com is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the "community," very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently.

Here is a summary of what the software does and how it is used. The proxy:

  1. Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system.

  2. Monitors secure sessions (websites beginning with "https"), which may include shopping or banking sites.

  3. Records and transmits "the pace and style with which you enter information online..."

  4. Parses the header section of personal emails.

  5. May combine any data intercepted with additional information like "select credit bureau information" and other sources like "consumer preference reporting companies or credit reporting agencies".

If a kid with a scary hacker name did this sort of thing, he'd be arrested. But this is Sears, so who knows what will happen to them. But what should happen is that the anti-spyware companies should treat this as the malware it is, and not ignore it because it's done by a Fortune 500 company.

Posted on January 3, 2008 at 11:02 AM • 91 Comments

Comments

Kevin D. S. • January 3, 2008 11:18 AM

I can understand why the marketeers would think this is a great idea. But, I certainly hope legal counsel was screaming in dissent (if they were even consulted). Whoever made the "final" decision needs to be hit sharply with the "What-Were-You-Thinking" stick.

Dan Linder • January 3, 2008 11:18 AM

"If a kid with a scary hacker name did this sort of thing, he'd be arrested. But this is Sears, so who knows what will happen to them."

Probably the same thing that happened to Sony...nothing.

Dan

aikimark • January 3, 2008 11:24 AM

This is quite some Blue Light Special on aisle three, folks.

If only there were some cyber blue lights flashing to make Sears pull over and come to their senses (better yet, the Sears users thinking of installing this spyware).

Roy • January 3, 2008 12:10 PM

Corporate lawyers dream up schemes by which (they think) the company can do what it wants without anyone going to jail.

The epitome of corporate lawyers is Alberto Gonzales.

So, no, their legal counsel would not dissent, they would advocate.

Anonymous • January 3, 2008 12:18 PM

That does it then... I'll never again buy my Celine Dion, Van Zant or Neil Diamond CD's from Sears. :)

Gimbalock • January 3, 2008 12:19 PM

I would love to ask the Presidential candidates if they think this is acceptable corporate behavior. This is tantamount to sending you home with a hidden transmitter in the lining of your shopping bag.

Question for the computer knowledgeable: how do you detect if software you have installed is up to such mischief on your computer? Ideally I'd use Linux and not install any questionable software, but occasionally the need arises. I've fiddled with Ethereal, but am not knowledgeable enough to interpret the results.

I assume that these programs encrypt all the information that is sent back to hq.

Gimba • January 3, 2008 12:19 PM

I would love to ask the Presidential candidates if they think this is acceptable corporate behavior. This is tantamount to sending you home with a hidden transmitter in the lining of your shopping bag.

Question for the computer knowledgeable: how do you detect if software you have installed is up to such mischief on your computer? Ideally I'd use Linux and not install any questionable software, but occasionally the need arises. I've fiddled with Ethereal, but am not knowledgeable enough to interpret the results.

I assume that these programs encrypt all the information that is sent back to hq.

Steve • January 3, 2008 12:21 PM

What are the implications of this tracking if a normal user joins the community on their work pc?

antibozo • January 3, 2008 12:28 PM

Dan Linder> Probably the same thing that happened to Sony...nothing.

How do you figure that? Sony was the subject of multiple class action suits--one of which was settled to the tune of $7.50 per complaint (based on defective CDs), another of which offers up to $175 per complaint (based on rootkit-affected computers)--as well as multiple investigations by state attorneys general which AFAIK are still pending.

Uncle Tim • January 3, 2008 12:31 PM

Why would anyone buy a PC from Sears anyway, much less join "My SHC Community"???

Evan • January 3, 2008 12:40 PM

@ Gimba:

I'd love to see issues such as these become more prominent in the political arena. I think they're only going to grow in importance.

Captain Obvious • January 3, 2008 12:50 PM

What person at Sears came up with this and thought "This is a good idea!"? Whoever it is has shown an obvious disconnect from the general populace's growing realization and discontent with such underhanded tactics and should be fired. Ask yourself if this is worth the ruin of your marketing brand and industry reputation.

Flab • January 3, 2008 12:53 PM

Uncle Tim, You don't need to buy your PC at Sears. All you need to do is visit their web site and join their online community.

george • January 3, 2008 12:56 PM

It has been a number of years since I canceled my Sears account (credit card) and due to the poor quality of Sears service personnel and a majority of their products today I do not shop either in the store or online with them. Go figure.

Rionn Fears Malechem • January 3, 2008 1:14 PM

Wow. This could really generate some great data. While I'm amazed that they'd try this and they should definitely be stopped, it'll be really useful to see what a large ensemble of people actually do on the internet.

HAL • January 3, 2008 1:20 PM

"Are companies required to hand information over to government?"
privacyinternational.org
They could sell the data to the government. Everything is for sale.
State of Privacy Map
http://tiny.cc/w2DtI

Carlo Graziani • January 3, 2008 1:26 PM

@Gimba:

I would say that you have the right idea -- ethereal or some other network monitoring tool to attempt to glean whether some process is talking autonomously to some IP address that you've never heard of. For an initial diagnosis, lots of protocol knowledge should not be necessary. If the same IP address (or address range) crops up in source and/or destination, irrespective of where you're browsing, that would be a reason to be suspicious.

The trouble is that a well-designed spyware application can presumably mask its own traffic from other local applications. It doesn't appear as if Sears did this, but they are not the only sociopaths around, and they are certainly not the smartest ones. The bottom line is that if you are suspicious or paranoid, you should find some way to monitor traffic on your LAN using some machine other than the potentially compromised box.

One very basic option that is always available is to keep an eye on the LEDs of your DSL modem/cable box. You can't hide network activity from those LEDs. If there's a lot of traffic, and you don't think you're causing it, take a minute to figure out what's going on.

Many DSL/Cable routers also have (somewhat primitive) logging facilities, sometimes associated with their firewalls. If you can find a way to get your router to temporarily log all traffic, then you can monitor that traffic through the router admin tool using a browser and attempt to identify suspicious source/destination IP addresses in the log. That log will grow pretty fast, and probably lives in a finite buffer, so you may have to do some fast copy/paste text work.

If you have a second computer, you can try using that to monitor all the traffic. Assuming that the box can see all the traffic on your LAN, including traffic directed from/to other machines (for example if everyone talks to the router by wireless), you can put the network interface into promiscuous mode, and monitor all the traffic. With a Linux box, you could do this -- as root -- by invoking tcpdump at the command-line with some suitable set of packet selection criteria, or by firing up some graphical monitor (like ethereal). I'm not certain what the procedure is to do this using Windows.
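Added example (not part of the original thread, and not anything Carlo or the other commenters wrote): the heuristic described above, applied to captured traffic. The lines below are constructed in the shape of `tcpdump -n` TCP output as a second machine on the LAN might see it; 192.168.1.5 is the hypothetical PC under suspicion, the remote addresses are documentation ranges chosen for the example, and 203.0.113.7 stands in for a remote host that gets contacted in every minute of browsing no matter which site the user is on. The parser normalises direction so the non-local side is always the "peer", and `persistent_peers` flags any peer present in at least 80% of the time windows that carry traffic, together with its share of bytes and the ports used, which is exactly the "same address crops up irrespective of where you're browsing" signal.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `tcpdump -n` TCP output, as a second
# machine on the LAN might capture it. 192.168.1.5 is the PC under suspicion;
# the remote addresses are documentation ranges chosen for this example, and
# 203.0.113.7 plays a hypothetical remote host that the PC talks to no matter
# what the user is browsing.
SAMPLE_TCPDUMP = """\
12:00:05.101 IP 192.168.1.5.51234 > 198.51.100.10.80: Flags [P.], seq 1:518, ack 1, win 64240, length 517
12:00:06.330 IP 198.51.100.10.80 > 192.168.1.5.51234: Flags [P.], seq 1:1461, ack 518, win 501, length 1460
12:00:07.220 IP 192.168.1.5.51240 > 203.0.113.7.443: Flags [P.], seq 1:1201, ack 1, win 64240, length 1200
12:01:10.004 IP 192.168.1.5.51251 > 198.51.100.22.443: Flags [P.], seq 1:1461, ack 1, win 64240, length 1460
12:01:13.770 IP 192.168.1.5.51240 > 203.0.113.7.443: Flags [P.], seq 1201:2181, ack 1, win 64240, length 980
12:02:20.512 IP 192.168.1.5.51260 > 192.0.2.55.80: Flags [P.], seq 1:1461, ack 1, win 64240, length 1460
12:02:22.901 IP 192.168.1.5.51240 > 203.0.113.7.443: Flags [P.], seq 2181:3491, ack 1, win 64240, length 1310
12:03:25.118 IP 192.168.1.5.51271 > 198.51.100.10.80: Flags [P.], seq 1:641, ack 1, win 64240, length 640
12:03:29.644 IP 192.168.1.5.51240 > 203.0.113.7.443: Flags [P.], seq 3491:4591, ack 1, win 64240, length 1100
12:04:40.027 IP 192.168.1.5.51282 > 192.0.2.9.443: Flags [P.], seq 1:351, ack 1, win 64240, length 350
12:04:43.390 IP 192.168.1.5.51240 > 203.0.113.7.443: Flags [P.], seq 4591:5841, ack 1, win 64240, length 1250
"""

LINE_RE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): .*length (\d+)$"
)


def parse_tcpdump(text, local_ip):
    """Yield (seconds_of_day, remote_ip, remote_port, payload_bytes) per TCP
    line, normalising direction so the non-local side is always 'remote'."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, DNS and other summaries do not match; skip them
        hh, mm, ss, src, sport, dst, dport, length = m.groups()
        t = int(hh) * 3600 + int(mm) * 60 + int(ss)
        if src == local_ip:
            remote, rport = dst, int(dport)
        else:
            remote, rport = src, int(sport)
        yield t, remote, rport, int(length)


def persistent_peers(flows, window_seconds=60, min_fraction=0.8):
    """Return remote hosts present in at least min_fraction of the time
    windows that carry any traffic at all, with their share of all bytes
    and the ports used. A peer that is there in every window, whatever
    else the user is doing, is the one worth asking questions about."""
    windows = defaultdict(set)      # window index -> set of remote IPs seen
    bytes_by_ip = defaultdict(int)
    ports_by_ip = defaultdict(set)
    total = 0
    for t, ip, port, nbytes in flows:
        windows[t // window_seconds].add(ip)
        bytes_by_ip[ip] += nbytes
        ports_by_ip[ip].add(port)
        total += nbytes
    presence = defaultdict(int)     # remote IP -> number of windows it appears in
    for ips in windows.values():
        for ip in ips:
            presence[ip] += 1
    report = {}
    for ip, count in presence.items():
        fraction = count / len(windows)
        if fraction >= min_fraction:
            report[ip] = {
                "window_fraction": fraction,
                "byte_share": bytes_by_ip[ip] / total,
                "ports": sorted(ports_by_ip[ip]),
            }
    return report


if __name__ == "__main__":
    flows = parse_tcpdump(SAMPLE_TCPDUMP, "192.168.1.5")
    for ip, info in persistent_peers(flows).items():
        print(f"{ip}: in {info['window_fraction']:.0%} of windows, "
              f"{info['byte_share']:.1%} of bytes, ports {info['ports']}")
```

On the constructed capture only 203.0.113.7 clears the threshold (present in all five one-minute windows); the news site the user returned to twice shows up in 40% of windows and is ignored. A persistent peer is a reason to look, not proof of anything: software updaters, chat clients and cloud backup behave the same way, so the next step is identifying which process owns those connections on the suspect machine.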

Tony • January 3, 2008 1:41 PM

"Monitors and transmits a copy of all Internet traffic going from and coming to the compromised system"

Doesn't this completely cripple most home systems where upload bandwidth is 10% or less of download bandwidth? E.g. I try to download a 700MB .iso image of a Linux install disk ... at 3 Mbit/s download speed this takes me ~ 40 minutes, but my network uplink (128 Kbit/s) is then tied up for 15 hours sending Sears a copy.

Rich Wilson • January 3, 2008 1:54 PM

Can't wait for an FBI employee to visit from a work computer (over lunch, of course). I'm sure the FBI would love to know that Sears is spying on them.

seaan • January 3, 2008 2:18 PM

Luckily I stopped patronizing Sears a while back (as a 20 year customer when they jacked my credit card rate up to 29% after a single delayed payment). I figured if they were the type of company that would try to exploit their customers that way, it was evident they did not need the ~ $1,000 per year I was spending there.

Seeing this just reinforces my opinion that their corporate culture has "gone bad".

Frank Wilhoit • January 3, 2008 2:22 PM

@antibozo, please remind me which Sony executives went to prison and for what terms. Nothing else matters. If they did not go to prison, then they got away with it and they were seen to get away with it.

dragonfrog • January 3, 2008 3:42 PM

@Tony

I'd assume they're not really capturing every byte sent and received. It would be enough for them to be sent the URL of the ISO you downloaded - a few hundred bytes at most. They could download it themselves if they wanted to; they have your password...

Anonymous • January 3, 2008 3:51 PM

Apparently spyware is good for your company stock. SHLD is up 3.13% for the day.

Julian B. • January 3, 2008 4:02 PM

Sears is down almost $90.00 since April. They're on their last legs and are apparently trying whatever they can to generate a revenue stream.

Russ • January 3, 2008 4:11 PM

I went to Sears.com and gave them some feedback via the 'contact us' web form in the customer service area. I compared them to Sony and asked why they had willingly blackened their reputation. Let them know how you feel about this!!

Endiel • January 3, 2008 5:13 PM

For all those of you who have expressed concerns about the bandwidth, if you read the article it appears that this tool is proxying all your data, not copying it, so it's not using any extra bandwidth.

What this means is that when you want to see a web page, instead of connecting to the web page's server, your computer connects to Sears' server and requests the page. Sears' server then fetches the page and sends it to you. In the process, they get to see every byte of the web page fetched. Similarly, if you want to send data to a web server, your computer instead connects to Sears' computer and sends the data to them. They then send it on to the web server. In the process, they again get to see all the bytes.

It's important to note that many ISPs do this in order to aggregate and minimize redundant traffic (i.e., they only have to fetch that picture from cnn.com once for all 10,000 users that request it), and it's often done transparently at the network level. The important differentiation is that this sort of proxying at the network level is only done on insecure connections (i.e., http and not https), so it won't typically see credit card, bank, password, and other such data that's usually transmitted securely.

Because the Sears spyware is installed on the endpoint of the connection, though, it can (and apparently does) spy even on this sensitive data that a third party should NEVER have access to.

NE Patriot • January 3, 2008 5:39 PM

I only hope there's lots of politicians joining this community. Maybe then, when they realize their private information has been tossed to the four winds, will we see real attention paid to privacy rights.

Baz • January 3, 2008 6:51 PM

@Valid

"This is why you should always read your EULA."

What's interesting in this case is that you see a different privacy policy if you install the software but not before. So if you thought to read the privacy policy before installing... you read the wrong one. That's just incredible.

antibozo • January 3, 2008 7:15 PM

antibozo> as well as multiple investigations by state attorneys general which AFAIK are still pending.
Frank Wilhoit> please remind me which Sony executives went to prison and for what terms. Nothing else matters.

Please consult a dictionary for the meaning of "still pending". I won't waste any time on the utter absurdity of your premise that only executives' going to prison matters. Sony clearly did not "get away with it". Yes, they're still in business, and that's not such a terrible thing as they make some good products. They have been punished financially, had to agree not to do it again, are subject to pending investigations, and, one hopes, learned something from the experience, as did some other companies who would do similar things--just not Sears.

DZG • January 3, 2008 7:21 PM

What gets me is the stark difference between this behavior and what they're doing for their employees that are deployed at war. If their employees have been sent to war, Sears is paying whatever the difference is between their Sears salary and their armed services salary, for up to two years IIRC.

It just demonstrates the massive disparity of morals in a corporation that is so large.

evil twin • January 3, 2008 8:21 PM

Sounds like someone needs to start an organized effort to see just how much bandwidth their proxy can handle, :-)

stumpy • January 3, 2008 9:55 PM

If you previously became an SHC member, how can you now disconnect and stop any further monitoring?

Sitaram • January 4, 2008 5:18 AM

@antibozo:

I think what Frank Wilhoit and Dan Linder meant was: if an individual had done *exactly* the same thing, he would be in prison. But since a major corporation did it, the only people who suffer are the share holders.

I agree with them. Until someone in Sony/BMG (or Sears; I'm not picky) gets some jail time, corporations will continue to be arrogant about individual users. And they will continue to make statements like "no one knows what a rootkit is, so why does it matter" :-(

There's a reason why the French/Spanish/Portuguese equivalent of "Corporation" is "S.A.". It stands for "Society of the Anonymous", in those (and several other) languages. Think about that for a bit...

Horatio • January 4, 2008 6:40 AM

From the My SHC Community site:

+++++++

My SHC Community currently supports the following operating systems and browsers:

Operating Systems:
Windows 2000

Windows XP

Windows Vista

+++++++

Bottom line - for now - if you want to join, get a Mac

matt a • January 4, 2008 8:48 AM

@Gimbalock - "This is tantamount to sending you home with a hidden transmitter in the lining of your shopping bag." Technically, it's more like sending you a pen that transmits back everything you write down.

One of the most amusing aspects of this would be to find out that all this extensive "spying" analysis determines that almost no one uses sears.com in the first place....

antibozo • January 4, 2008 9:58 AM

Sitaram> if an individual had done *exactly* the same thing, he would be in prison. But since a major corporation did it, the only people who suffer are the share holders.

Again, who suffers in the corporation remains to be seen. How many times do I have to point to the words "still pending"?

As to whether an individual who did the same thing would be in prison, you are ignoring the fact that there is information in the EULA, obscure as it is, that warns the user. It may be offensive, but it remains unclear that there has been a violation of civil, let alone criminal, law.

IOW, bollocks. Not to mention, isn't it *idiotic* to install a software download from Sears? Good grief. Yes, Sears is way over the line, but the people who fell for this should already have had all their bank accounts drained by phishers by now.

paul • January 4, 2008 10:03 AM

So when do we get the news that some organized criminals have gained control of the Sears proxy machines and are both siphoning out personal data and inserting a percentage of falsified transactions?

anon1234 • January 4, 2008 10:24 AM

>>kmart had/has the blue light specials, not sears.

Kmart bought Sears, then changed the name to "Sears Holdings" to (attempt to) get rid of the Kmart white-trash image.

It is amusing that Lands' End, once a very nice high-end retailer, is now a division of Sears, which is in turn a division of Kmart, where the traditional LE shopper wouldn't have been caught dead.

Anonymous • January 4, 2008 11:06 AM

@antibozo

If the punishments for corporate spying on individuals (for lack of a better expression) are purely financial, then the only lesson learned by companies is that they will have to pay $x. If they value the proposed information gained (via rootkit or malicious proxy, whatever) at $y, and $y > $x, they have no reason not to go through with these offensive programs.

These events don't seem to have any long-term effect on the company brand image among consumers at large. The only cost to the company from implementing programs like this are punitive fines. Nobody goes to prison, and there's a small ding in the yearly financials. Until insiders need to worry about prison time for stuff like this, they're going to keep doing this. Too much to gain, not enough to lose.

derf • January 4, 2008 11:18 AM

If I joined the community and my bank accounts were hijacked, could this service be held liable?

Anonymous • January 4, 2008 1:02 PM

"Sears is way over the line, but the people who fell for this should already have had all their bank accounts drained by phishers by now."

@Everyone who has responded to antibozo in this thread.

YHBT. YHL.

Just in case someone has missed the obvious, antibozo is casting blame at people who trusted the Sears brand. He is declaring that they deserve to have "all their bank accounts drained by phishers".

YHBT. YHL.
HTH. HAND.

antibozo • January 4, 2008 1:05 PM

Anonymous> The only cost to the company from implementing programs like this are punitive fines.

Perhaps thrice was insufficient: "Still pending".

Anonymous> Until insiders need to worry about prison time for stuff like this, they're going to keep doing this.

A fallacious claim. Individuals will continue to do things that are illegal regardless of the penalties. Furthermore, you seem to have some voluminous case history in mind that involves numerous corporations engaging in clearly criminal, individually directed, computer malfeasance, yet resulting in no criminal prosecutions of the individuals responsible. Perhaps you could name three such cases?

I for one find it laughable that Sony is the example everyone trots out to show how corrupt the system is supposed to be, when in that case, there actually were clearly positive results. Contrast that with, say, the HP spying thing, which is a pretty clear example of individuals behaving criminally, happened more recently, and actually resulted in felony prosecutions (not that they amounted to much, mostly being resolved by nolo contendere and community service).

Maybe the problem for some people is that legitimate corporations generally haven't done the sort of things individuals have done along these lines very often, or at least haven't been caught at it. I detest big corporations as much as the next guy, but the Sony case is hardly an indictment of the system. And this Sears case may turn out to be an example where some kind of individual prosecution results, although this objective is undermined by the way the matter was disclosed--full disclosure is another issue: it protects the public (at least the ones who pay attention), but it undermines criminal prosecution since law enforcement has no opportunity to investigate before the shredding and degaussing begin. In any case, from what has been revealed so far, this appears on the face of it to be more a case of an individual (Rob Harles) acting under the guise of a clueless corporation (Sears) to benefit another corporation (comScore). We'll see.

Grant Bugher • January 4, 2008 1:10 PM

The privacy policies of Sears and comScore, while sensible on their own, become almost impossible to interpret when a system installed by Sears sends data directly to comScore -- whose privacy policy applies? They both claim not to share data with "any" third party! There's more commentary on this at http://perimetergrid.com/wp/2008/01/04/...

antibozo • January 4, 2008 1:18 PM

Anonymous> Just in case someone has missed the obvious, antibozo is casting blame at people who trusted the Sears brand. He is declaring that they deserve to have "all their bank accounts drained by phishers".

And someone appears to feel the need to invent the non-obvious: I did not say "deserve". I said "should", meaning that if they behave consistently, this is what should have happened already. Duh.

I don't think it is much disputed that people who do this sort of idiotic thing are more likely to end up with malware on their systems. If you regard this as "blame", that's up to you, but it wouldn't reduce the heinousness of what Sears or a phisher is doing: as I said, "Sears is way over the line". It simply means that if people were being adequately trained by us, the security community, no one would fall for it.

Adam • January 4, 2008 1:48 PM

I would be interested to know what security protocols are used in the communication between your machine running the proxy and the Sears machines. If I were to connect to a secure https site, and that would get transmitted to Sears, this is technically a man-in-the-middle attack. Also, if Sears did not use adequate security both on the wire and at the server end, then you're running a risk of exposing a lot of sensitive information from customers to third parties *read crackers*. If this is the case, that the communications aren't secure, then I could see a lawsuit against Sears based on mishandling sensitive and private information.

seeker135 • January 4, 2008 2:11 PM

Boycott Sears. I do. Story too long and boring, but they add reasons to do so all the time!

Josue • January 4, 2008 5:23 PM

It's okay guys/girls... don't worry, I use Linux (and you should too)... the community site only likes MS Windows users.

Marty • January 4, 2008 5:53 PM

In 2000 I did a CISSP course and someone from Sears Canada was in the course. I know it's a big company and all, but that's polarized behavior. Speaking generally a company that cares enough about security to spend on staff training wouldn't be expected to have their staff violate their customers' security so blatantly.

Did they build the software in house or was it outsourced? Who at Sears actually authorized and implemented this? Whoever was involved needs to be identified and dealt with.

Blinky the Hitman • January 4, 2008 6:50 PM

Those of you with the excellent "UserAgent Switcher" extension for Firefox may wish to visit their sites with a custom UA string like:

Description: YOUR-SPYWARE-SUCKS!!!
User Agent: YOUR-SPYWARE-SUCKS!!!
App Name: YOUR-SPYWARE-SUCKS!!!
App Version: YOUR-SPYWARE-SUCKS!!!
Platform: YOUR-SPYWARE-SUCKS!!!
Vendor: YOUR-SPYWARE-SUCKS!!!
Vendor Sub: YOUR-SPYWARE-SUCKS!!!

Nothin' like expressing your disapproval right into their logs. (heh)

Tony • January 5, 2008 3:19 AM

Looks like I'm gonna have to call Uncle Vito and my cousin Louie 'knees' to have em take this crap off my computer...sob's are gonna pay!

Wummel • January 5, 2008 4:38 AM

You can't really monitor SSL-encrypted traffic unless you

a) break the encryption which should be reasonably hard to do depending on what algorithm the SSL handshake is using, or

b) decrypt and reencrypt the traffic within the proxy, which yields an invalid SSL certificate error popping up. The user might ignore those though.

Apart from that the proxy of course sees what URLs you visited (i.e. what shops or banks you are using). This might be more interesting to Sears than your actual account balance.

antibozo • January 5, 2008 5:30 AM

Wummel> You can't really monitor SSL-encrypted traffic unless you

That depends on the specific mechanism being used. If the malware simply configures a normal HTTP proxy into the browser's proxy settings, then yes. If the malware intercepts calls to the underlying network and SSL libraries, then no: all bets are off.
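Added example (not part of the original thread, and not the words or code of Endiel, Wummel or antibozo): the difference the three of them are circling, made concrete. Endiel's point is that a network-level cache or proxy only ever sees the bytes on the wire; Wummel's is that for an SSL/TLS connection those bytes are opaque unless the proxy breaks the encryption or re-terminates it with a certificate the browser will reject; antibozo's is that a proxy hooked into the endpoint's own network and SSL libraries sees the plaintext before it is ever encrypted, so none of that protects you. The code below models the on-path observer only: it parses a constructed plaintext HTTP POST (placeholder hostname `shop.example`, dummy form values) and a constructed TLS ClientHello built by `build_client_hello` (placeholder hostname `bank.example`, zeroed random field), and reports what is readable from each. For HTTP that is the full URL, cookie and form body; for TLS it is the server name in the SNI extension and nothing else, which matches Wummel's remark that the hostnames you visit leak even when the content does not.

```python
# Added example: what an on-path observer (an ISP cache, or any box between
# you and the site) can read from raw connection bytes, versus what stays
# hidden inside TLS. Sample traffic is constructed; shop.example and
# bank.example are placeholder hostnames and the form values are dummies.


def parse_http_request(data):
    """Return the parts of a plaintext HTTP request an on-path observer sees."""
    head, _, body = data.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "kind": "http",
        "url": f"http://{headers.get('host', '?')}{target}",
        "method": method,
        "cookie": headers.get("cookie"),
        "body": body.decode("latin-1"),
    }


def build_client_hello(hostname):
    """Minimal TLS 1.2-style ClientHello carrying a single SNI extension.
    The random field is zeroed because this is a constructed sample, not a
    handshake a real client would send."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name       # name_type host_name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list  # extension type 0
    body = (b"\x03\x03" + bytes(32)              # client_version, random
            + b"\x00"                            # empty session_id
            + b"\x00\x02\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                        # null compression only
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def sni_from_client_hello(data):
    """Walk a ClientHello and return the server_name, the only application
    detail an on-path observer can read before the session is encrypted."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                          # record hdr, handshake hdr, version, random
    p += 1 + data[p]                            # session_id
    p += 2 + int.from_bytes(data[p:p + 2], "big")   # cipher_suites
    p += 1 + data[p]                            # compression_methods
    end = p + 2 + int.from_bytes(data[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        etype = int.from_bytes(data[p:p + 2], "big")
        elen = int.from_bytes(data[p + 2:p + 4], "big")
        ext = data[p + 4:p + 4 + elen]
        if etype == 0:                          # server_name extension
            q = 2                               # skip server_name_list length
            while q + 3 <= len(ext):
                ntype, nlen = ext[q], int.from_bytes(ext[q + 1:q + 3], "big")
                if ntype == 0:
                    return ext[q + 3:q + 3 + nlen].decode("ascii")
                q += 3 + nlen
        p += 4 + elen
    return None


def observer_view(data):
    """Dispatch on the first byte: TLS records start with 0x16, HTTP with text."""
    if data[:1] == b"\x16":
        return {"kind": "tls", "sni": sni_from_client_hello(data)}
    return parse_http_request(data)


# Constructed sample traffic.
HTTP_POST = (b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
             b"Cookie: session=abc123\r\nContent-Type: application/x-www-form-urlencoded\r\n"
             b"Content-Length: 21\r\n\r\nacct=0000-TEST&pin=00")
TLS_HELLO = build_client_hello("bank.example")

if __name__ == "__main__":
    print(observer_view(HTTP_POST))
    print(observer_view(TLS_HELLO))
```

The contrast is the whole point: a box on the path gets `url`, `cookie` and the posted form from the plaintext request, but only `{"kind": "tls", "sni": "bank.example"}` from the encrypted one. Software that runs inside the browser's process, as antibozo describes, is not an on-path observer at all; it gets the same plaintext the `parse_http_request` branch returns, for https sites too, because it reads the request before the SSL library encrypts it.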

D D Wressell • January 5, 2008 10:17 AM

You say "If a kid with a scary hacker name did this sort of thing, he'd be arrested." That gets us to the big picture.

We're reaping the harvest of a 15+ year history of a wink-nudge attitude towards hacking. The kids are now 20- and 30-somethings, in mid- and upper-level IT positions to which they have brought an ethical vacuum.

What made us think that their ethical world view would change? The best predictor of future behavior is past behavior.

nomnom • January 5, 2008 4:16 PM

@antibozo: The company promised not to do it again? That's punishment? If that's all it takes, every lawbreaker in the country can commit crimes with impunity.

This is (or should be) criminal behavior, not a "give back a fraction of what you gained" offense. Frank is right. Until and unless some execs do the perp walk before the TV cameras, they got away scot free.

antibozo • January 5, 2008 5:00 PM

nomnom> @antibozo: The company promised not to do it again? That's punishment?

Deliberate misquotation is not a valid form of argument.

Sean • January 5, 2008 9:27 PM

I just want to make the following comment:
Keep in mind that SHC has purchased this software from a third party vendor, ComScore. I understand that this is not a legitimate excuse to continue to offer such spyware to consumers, but as an SHC employee, I am sure that the SHC corporate IT department did not fully evaluate the "My SHC Community" before allowing it to be implemented. Sears was probably truly ignorant of the possibilities of this software until it came out in the news. Considering the correlation between the SVP of Sears and ComScore, they probably decided to trust ComScore instead of evaluating it. Again, no excuse on Sears' part.

nomnom • January 5, 2008 11:37 PM

@antibozo: "...They have been punished financially, had to agree not to do it again, are subject to pending investigations, and, one hopes, learned something from the experience...."

Let me rephrase that: "They promised not to do it again." Oh, and let's not forget that they paid a fine, which did not come out of the pockets of the executives that approved of this, it came from the shareholders' pockets, who were both unaware and helpless to prevent the deed.

I repeat: Until and unless some of their executives go to prison over this, they have not been punished.

antibozo • January 6, 2008 12:30 AM

nomnom> Let me rephrase that: "They promised not to do it again."

When you "rephrase" to modify meaning, the result is your claim, not mine. If you don't see the difference between a court-sanctioned settlement restraining future activity and "promising not to do it again" there's no point in debating with you.

nomnom> let's not forget that they paid a fine, which did not come out of the pockets of the executives that approved, it came from the shareholders' pockets

I'm unaware of a fine--I know they paid compensation to consumers who were affected by the rootkit in various ways. As for the effects on the "executives who approved", maybe you should read up on what percentage of shares are typically held by company executives, how their pay packages are often keyed to share performance, etc.

nomnom> I repeat: Until and unless some of their executives go to prison over this, they have not been punished.

Repeat all you like. Make it your mantra. Nonetheless, one biased anecdote, mindlessly repeated, doesn't constitute an argument. Why is prison for executives the only form of punishment? Let's see some evidence for that claim.

We live in a world where corrupt corporations manipulate energy prices to cause widespread power outages (which often result in actual injury and even death). Oh, but wait, Kenneth Lay was convicted (but died before sentencing) and Jeffrey Skilling got a 24-year prison sentence, which he is currently serving. So what were you saying?

Yes, people get away with things. No, Sony is not a good example. Like I say, you might make a stronger argument with HP, though I believe there is a class action suit pending in that case as well.

YouYeahYou • January 6, 2008 2:54 PM

I agree with one of the responders: Get a Mac!!! And shame on you Sears. Maybe if we all just failed to darken their doors?

Kanly • January 6, 2008 5:08 PM

> Sony was the subject of multiple class action suits

If Hak3rd00d did this, the FBI wouldn't give him the opportunity to settle it by dealing with multiple class action suits.

Big companies can and do get away with anything. The rewards are far greater than the risks. I've yet to see a company get hit with a fine so bad it drove them out of business. Look at Microsoft: Use illegal tactics to build an OS monopoly, get a slap on the wrist and get to keep their spoils.

Nothing can be done about this, but let's not kid ourselves that it's not happening.

antibozo • January 6, 2008 6:09 PM

Kanly> If Hak3rd00d did this, the FBI wouldn't give him the opportunity to settle it by dealing with multiple class action suits.

Sigh. "Still pending."

Kanly> I've yet to see a company get hit with a fine so bad it drove them out of business.

Would putting a company executive in prison drive the company out of business? What's your point? Which is more harmful to a corporation: forcing them to replace executives or hitting their bottom line?

And what would be the point of putting a company out of business? How would they even pay such a fine? The term is "punitive damages", not "annihilating damages".

Related:
http://www.usatoday.com/news/nation/...

Gus • January 7, 2008 7:13 AM

@ antibozo:

"Not to mention, isn't it *idiotic* to install a software download from Sears? Good grief. Yes, Sears is way over the line, but the people who fell for this should already have had all their bank accounts drained by phishers by now."

For the IT savvy, yes. But my sister-in-law doesn't understand this subject. Still, she's got access to surf "the Web". Like many people today, she doesn't understand how it technically works. And she doesn't care much. Most people don't.

Most people don't understand the less obvious risks of driving a car. They don't stop at a green light to verify that cross traffic actually behaves as it is supposed to. Or at a railroad crossing. Most people apply a certain amount of trust. If not, car driving would become too inefficient.

There are laws and regulations that people are supposed to follow. Not everyone does. Accidents happen. But the average car driver makes the assumption that the train won't run against a red light at the crossing. Partially because it's run by a big and "trustworthy" corporation.

My sister-in-law would never mistrust a large company such as Sears. (I might. ;-)

I believe that if we agree that you should have the right to drive a car/surf the Web without being a subject matter expert, then companies that do break consumer trust and respect should be thrown out from there.

Not everyone can be a network expert. Some people (surprisingly) have other objectives in life.

Gus • January 7, 2008 9:12 AM

@ antibozo:

"Would putting a company executive in prison drive the company out of business?"

Hardly.

But companies are made out of individuals, even on executive level.

Maybe another executive, maybe even in a different company, would think twice before doing something similar.

Executives don't like prison any more than anyone else. It's too restrictive. ;-)

Gus

antibozo • January 7, 2008 11:13 AM

Gus> Maybe another executive, maybe even in a different company, would think twice before doing something similar.

Maybe, maybe not. As I said earlier, that claim requires evidence. Some people, for example, believe capital punishment deters violent crime, some don't (please let's not debate here ;^). It is incumbent on people who claim that the only way to stop corporations from doing stupid things is to put officers in prison to demonstrate that prison is a more effective deterrent than massive financial penalties for these people. I don't see this as a cut-and-dry question at all, not to mention that not everything a corporation does is the direct result of an officer's decision.

Gus> My sister-in-law would never mistrust a large company such as Sears. (I might. ;-)

The point of my other comment is not to say your sister-in-law is an idiot, but to point out that we need to do a better job of educating people that just because they *think* they got software from a large company, such as Sears or Microsoft or Apple, that doesn't mean it's safe to run on their computers.

LeoNerd • January 7, 2008 12:01 PM

Surely a fine, if large enough, is actually a better punishment for a corporation.

For individuals, prison represents a restriction on personal liberties; that which most people hold dearest of all. It's incentive enough not to do "bad things".

But a corporation is not an individual. It's a commercial entity, the primary purpose of which is to make money. The corporation, as a whole, cares not for the personal liberty of any of its component individuals. The threat of prison for some execs is no bother; with enough buck-passing the blame can always be shifted out anyway. Far better would be to hit the corporation where it cares most - its bank balance. Threaten that with legal action, and it will listen.

Roxanne • January 7, 2008 4:53 PM

It occurred to me - as I was about to place an order - that Lands' End is now owned by Sears. Has anyone investigated to see if Lands' End installs similar malware? And how do we get rid of it?

Stephan Samuel • January 7, 2008 6:30 PM

@LeoNerd,

I disagree that a fine is better than jail time. In fact, the fine and the jail time are not connected. If the AG's office does its job correctly, someone at Sony and Sears would be required to face criminal charges regardless of how much money people won in lawsuits.

Sony put spyware on computers. According to the DMCA, that's a criminal violation. It doesn't matter who sues them and wins in civil court, it's still a criminal violation.

If the CEO of Sony killed someone because it was better for company business, he or she would be charged with murder. If the same CEO said, "I didn't know that was a crime; I was just protecting my company's assets," that wouldn't hold water as a defense.

Someone at Sony and Sears needs to be held liable for criminal violations of the DMCA. Guessing based on the amount of damage caused, it's probably a federal felony that has mandatory jail time. Let them plead out of it like any other hacker (cracker, if you're being pedantic) would.

antibozo • January 7, 2008 6:52 PM

Stephan Samuel> Someone at Sony and Sears needs to be held liable for criminal violations of the DMCA.

So you're in favor of the DMCA?

Andrew • January 7, 2008 8:05 PM

@antibozo

The point of my other comment is not to say your sister-in-law is an idiot, but to point out that we need to do a better job of educating people that just because they *think* they got software from a large company, such as Sears or Microsoft or Apple, that doesn't mean it's safe to run on their computers.

What?
I'm not sure if you are just baiting people, but to seriously suggest not to trust software from Microsoft, etc.

What OS are you using to run the web browser? How many years did it take you to read through the code and check it was all legitimate?

Too often, when it comes to IT/software the burden is placed upon the user to not 'click on things' and the assumption is that only an idiot would do so. (When you consider that infections have even spread via JPEG images, I think you'd be hard pressed to find something that wouldn't infect you.)

The points others are trying to make are that a) it's criminal and b) it SHOULD NOT be acceptable to pass it off in an EULA. Unfortunately these things end up in 'fines' that never even cover the profit they made from exploiting people.

EULAs should be banned.

antibozo • January 7, 2008 8:43 PM

Andrew> How many years did it take you to read through the code and check it was all legitimate.

I didn't have to. It was signed. Did you notice the emphasis around the word *think* in what you quoted, or did that just pass you by?

Andrew> ... the burden is placed upon the user to not 'click on things' and the assumption is that only an idiot would do so. (When you consider that infections have even spread via jpeg images...

Are you saying that because there are vectors that don't require stupidity, stupidity isn't stupid any more? Yes, I do think it's stupid to download and install a program in order to participate in a Sears marketing program. At the same time, I can see how it happens, because people don't have any sense of what risk is reasonable. Which gets back to education.

Andrew> The points others are trying to make is that a) it's criminal and b) it SHOULD NOT be acceptable to pass it off in an EULA.

I think that sentence is self-contradictory. Obviously if I agree to allow someone to install software, there's no inherent crime in their installing it. And I'm unaware of a legal definition of spyware. I'm sure Sony wouldn't characterize MediaMax as spyware.

Andrew> EULAs should be banned.

I agree EULAs have achieved new heights of impenetrable gobbledygook. But if you don't like them, don't buy the products; if there were enough people like you and me, maybe the EULAs would have to change to adapt to the market. Which gets back to education.

Andrew> Unfortunately these things end up in 'fines' that never even cover the profit they made from exploiting people.

I haven't been talking about fines. A fine is generally paid to a governing body; I was talking about damages paid to resolve class-action suits. As these are proportional to the number of users affected, they can grow quite large without having to rely too heavily on a single judge's ability to judge technical harm.

I'm not saying prison sentences wouldn't help. I just disagree that they are the "only way", and I fail to see the vast number of terrifying injustices that demand massive criminal investigation. On the contrary, I'd like to see people stand up and demand repeal of large parts of the DMCA and let the law enforcement people with skills pursue the phishers and child pornographers, but instead the same people who are most outraged by Sony or Sears are saying they should be held criminally accountable under the DMCA.

Every time something like this comes up (last time was the MPAA's University Toolkit) people start citing the Sony rootkit, no matter how irrelevant, while perpetuating the ignorant view that Sony just "got away with it". They didn't, and it isn't necessarily over.

SamHuff • January 8, 2008 9:45 AM

Sony may make some good products, but buying from them is furthering a criminal conspiracy. Besides, who knows what they will come up with next.

antibozo • January 8, 2008 4:13 PM

SamHuff> Sony may make some good products, but buying from them is furthering a criminal conspiracy.

What conspiracy is that? Please elaborate.

Jesse Viviano • January 9, 2008 3:23 PM

@antibozo

SamHuff must be thinking about the Sony rootkit incident. Hopefully, Sony BMG has learned its lesson about invading our computers.

By the way, I have read that Sony BMG is now launching DRM-free downloads, but it requires you to buy some card at a music store with a code to put into a website to download music. I think this method of distributing DRM-free music is ridiculous.

Kpolla • March 25, 2008 3:04 AM

I am a current Sears employee. I strongly believe that SHC will soon be shut down due to the inside problems it faces. I think this spyware incident is just another one of the "inside problems" Sears has. It hires crappy people and expects great work from them. And when it hires great people it treats them like crap. Sears at one time was a great place to shop and to work, but now it seems like Target is the new giant (next to Walmart) and Sears is the new Big Lots. The store wastes money on anything from paper to misprinted ads, and now their web site is a waste of time and money. Goodbye, Sears. You no longer get more with a Kenmore and there's not a Craftsman in all of us, and by the way, Sears, it's not "where it begins," it's where NO ONE SHOPS!!

bitten twice • October 5, 2008 2:34 PM

I was a long-time employee at Sears, and if only people knew what Sears does! Try cameras in the women's dressing rooms. It happened in Phoenix. At several stores the company said they were planted and viewed/recorded remotely. But guess what, I have seen those hidden cameras, and they belong to Sears. Also, commissioned sales people used 3-part copies on big ticket items, so guess what that meant: copies of credit card numbers.
