When Does Software Start Becoming Malware?
New submitter Da w00t writes: Talos security researchers detected a malicious shockwave flash file that not only bypasses pop-up blockers, but also accurately fingerprints computers with the help of some JavaScript. The 'Infinity Popup Toolkit' is a prime example of software that falls into this gray area by bypassing browser pop-up blocking. In deciding to classify the toolkit as malware, the researchers pondered where the line lies between software that's harmful and software that's not. Quoting: "Without a clear standard defining what is and is not acceptable behavior, identifying malware is problematic. In many situations, users are confronted with software that exhibits undesirable behavior such as the Java installer including a default option to install the Ask.com toolbar. Even though many users objected to the inclusion of the Ask.com toolbar, Oracle only recently discontinued including it in Java downloads after Microsoft changed their definition of malware which then classified the Ask.com toolbar as malware."
When you didn't ask to install it. (Score:5, Informative)
>> When Does Software Start Becoming Malware?
When I didn't ask to install it. Toolbars (like this), automatic update services (that are silently added) and anything else that impacts my resources or distributes my information in a way I didn't choose is malware, IMHO.
Looking at you, Windows 10...
Re:When you didn't ask to install it. (Score:5, Insightful)
> When I didn't ask to install it.
Oh but you did. Didn't you read the EULA and look for the tiny size 4 "opt-out" text on the screen?
I would go one step further, any software is malware when it does something other than the user intended. It doesn't matter that the Ask toolbar had a checkbox in the installer, the fact was unless I went to Ask.com and downloaded it there it's malware. Likewise it doesn't matter that I installed Windows 10, the fact that it sends data without the user's intention makes it malware.
Re:When you didn't ask to install it. (Score:4, Interesting)
> > When I didn't ask to install it.
> I would go one step further, any software is malware when it does something other than the user intended.
So... software bugs are all malware?
Re:When you didn't ask to install it. (Score:3)
If you define malware this ridiculously widely then it achieves nothing aside from making the term pointless.
Re:When you didn't ask to install it. (Score:2)
I said it *CAN*.... not that it *DOES*.
I more specifically define malware as software that, without the user desiring it, changes how some other piece of software that was not installed with it functions. Software bugs can cause this to happen.
Re:When you didn't ask to install it. (Score:5, Insightful)
Then Malware is DESIGNED to do something other than what the user intended.
Re:When you didn't ask to install it. (Score:3)
Bingo. And this definition is not even contentious - but it clearly includes Java. It also includes many "freemium" games.
Re:When you didn't ask to install it. (Score:2)
Re:When you didn't ask to install it. (Score:5, Insightful)
The difference is malicious intent. A bug is when the programmer is trying to make the software do what the user wants, but accidentally fails. Malware is when the programmer is trying to make the software do what the programmer wants, user's wishes be damned.
Re:When you didn't ask to install it. (Score:2)
> Malware is when the programmer is trying to make the software do what the programmer wants, user's wishes be damned.
You mean like DRM?
Re:When you didn't ask to install it. (Score:2)
Yes. All DRM is malware (but not all malware is DRM).
Re:When you didn't ask to install it. (Score:2)
In other words, a demographic that respects the concept of property rights. Once I buy [a copy of] something, I own it [i.e., that copy]. Because it is my property, I have the right to use it as I wish!
Some examples:
That's different: you're talking about selling a thing with some functionality to the user for one price, or selling a thing with more functionality to the user for a higher price. And that's fine! What's not fine is selling a thing to the user and then telling him he's "not allowed" to use the functionality he already has. It's the after-the-fact restriction on his property rights that's the problem.
If you decide to sell the thing with more functionality to the user for the lower-functionality price and the user modifies it to enable that functionality, that is the user's right. It's his property, and you gave up the right to restrict the thing's use by selling it -- in fact, that's what "selling" means. If that bothers you, then you shouldn't have stupidly sold it for a price lower than you wanted in the first place!
You are either ignorant or trolling. I will charitably assume the former, for now.
The open source license clauses you refer to only require changes to be released by anyone who modifies the code AND DISTRIBUTES the modified version. That's an important distinction! Why? Because basic property law already establishes the user's right to make modifications to that copy; accepting the license is not necessary to have that right.
Copying and redistributing, on the other hand, is restricted by copyright law, and the license gives the user the right to do that -- which he otherwise would not have -- in exchange for his promise to distribute source code that matches the binary he distributes.
Re:When you didn't ask to install it. (Score:2)
> In other words, a demographic that respects the concept of property rights. Once I buy [a copy of] something, I own it [i.e., that copy]. Because it is my property, I have the right to use it as I wish!
But I thought software, like digital music and movies, wasn't property and therefore couldn't be stolen?
Re:When you didn't ask to install it. (Score:2)
Copyright is not property (it is a limited monopoly, an intangible concept), and can only be "infringed:" making a copy does not "steal" the copyright; the copyright holder still has it.
An individual copy is property, and can be stolen.
Let's say Alice owns a CD of music created by Bob. If Eave takes Alice's CD then Alice doesn't have it anymore -- Eave has stolen Alice's property. If instead Eave copies Alice's CD then Eave has (probably*) infringed upon Bob's copyright.
(*unless Eave had Bob's direct or indirect permission (e.g. Bob had chosen a permissive license), or the purpose of Eave's copying fell under Fair Use.)
Re:When you didn't ask to install it. (Score:2)
IOW there must be a meeting of the minds [wikipedia.org].
Re:When you didn't ask to install it. (Score:4, Interesting)
Re:When you didn't ask to install it. (Score:1)
So do systemd's binary logs, which are like that by design, although this is unwanted by many users, qualify it as "malware"?
Re:When you didn't ask to install it. (Score:2)
They certainly qualify as support for malware.
Re:When you didn't ask to install it. (Score:3)
That doesn't work either. Because 'by design' Windows prefetch uses system resources to allocate memory so that something the user will arguably like (have applications load faster). Users are so ignorant of the workings of their computers we couldn't have computers only do "What the user intended" to happen.
My proposed definition would be:
"By design works against the user's best interests."
For instance in Windows 10 users intend for their touch keyboard to work well. In order for a touch keyboard to work well it really needs to learn your typing patterns and correct for them. That means you have to share that data. So is collecting anonymous typing pattern data to improve the accuracy of your keyboard something the user intended? I would argue no.
Similarly if you use SafeScreen on windows it'll upload a hash of the download to Microsoft to see if it's a known virus or a known safe file. Does the user intend to install viruses? No. Does the user know to ask for a service which performs a hash check on all of their downloads? Probably not.
So while the user might intend to use SafeScreen or Prefetch or even the notorious 'keylogger' in Windows 10 I would argue that they aren't caught up by false positives in the definition:
"By design works against the user's best interests."
They arguably are working for the user's best interests not a third party's. Even telemetry data then gets into a debatable position where we can have an honest conversation. "Is anonymous telemetry which improves stability at the cost of some marginal privacy in the user's best interest?" Some can argue yes some can argue no but it's clear that we at least acknowledge and agree on the same definition.
It also works in relationship to Windows 10 pre-downloading installation files without an opt-in. Whose interest is upgrading to Windows 10 serving? If it's exclusively Microsoft's then it's malware. If it's legitimately helping the user by moving them off of an unsupported OS into one which is perhaps more secure then it's maybe an overzealous protection but not malware. If however though it consumes $40 worth of bandwidth on a LTE connection because the user didn't have it set to a metered connection then it's malware since it's not working in the user's best interest. Again it gets into that lovely gray zone of what's an accident, what's a bug, what's by design and what's in the user's best interest. By debating the specifics we can have an empirical and yet robust debate on whether it meets the criteria.
Re:When you didn't ask to install it. (Score:2)
Yes, I like this. The definition clearly identifies the gray zone, and it can be further refined by defining the terms in the definition.
Re:When you didn't ask to install it. (Score:3)
The user's best interest is far too vague, you could say the NSA spying on you is in the user's best interest as well because they are trying to protect you. You could say selling your information to advertisers is in the user's best interest because it lets you buy product that you want.
There needs to be a list of user rights that should not be violated unless granted explicit opt-in rights. Here is a list of some.
1. Right to privacy, no information should be recorded unless it is apparent to the so. So entering data in a form on a web page is ok, recording keystrokes when using your computer in your text editor is not.
2. Do not use the user's computing resources, CPU, memory, bandwidth, for anything other than the stated intent of the applications.
Re:When you didn't ask to install it. (Score:2)
You just revealed the best feature of the definition not a flaw. Because:
1. Google Docs records every keystroke to the cloud. That's in the user's best interest to have live collaborative editing. So is that a keylogger? Yep. Is it a keylogger that has the user's interest at heart? Yes.
2. This would work better if in fact there was a 'stated intent' of an application. What is an application's stated intent? Notepad is for writing code. Or a novel. Or ASCII art. And that's just notepad!
Selling information to advertisers is something many applications do and as long as it's transparent so that you can know if you ask then it's up to you to decide whether it is in fact in the best interest of yourself. You're really ultimately advocating for transparency. That doesn't change whether something is malware or not.
Re:When you didn't ask to install it. (Score:2)
Yet again, Stallman is proven right. He was right all along, and the future he predicted is coming true. A future where software works against us.
All because we trusted closed source software not to be evil. Slowly evil became the norm.
Re:When you didn't ask to install it. (Score:2)
NSA would argue that spying on people is not against their best interests. :)
In a nutshell: depends who you're asking
Re:When you didn't ask to install it. (Score:2)
No, I think that's still too broad. If the user intends to give away 5000 copies of that software to people who didn't buy it, but the software prevents that through online license number checking, it would be malware. But it's not.
Calling it malware is, IMO, a dickish move.
Maybe "the software does, by design, something that the user didn't intend to do, and does it without notifying the user of whatever it is that it's doing". Not really complete, but takes things a step further.
Re:When you didn't ask to install it. (Score:2)
> So... software bugs are all malware?
I believe they can be. What is the practical difference to the end user between a virus blocking access to the internet to prevent you downloading software to eliminate it, and for example a VPN client with a kill switch not correctly unloading the TAP driver (happened on my father's machine) resulting in a computer that is completely unusable?
The end result to the user is the same: no internet.
The resulting fix is the same: remove the guilty package and replace it with something the user wanted.
Do intentions matter at this point?
Re:When you didn't ask to install it. (Score:2)
Most software bugs do not result in blocking internet access or any virus-like behavior, they may crash your game, they may not allow you to do a particular thing in the application you are running. They don't generally send out key log information, allow a remote attacker to gain access to your computer (sometimes they do but usually not), make your computer part of a DoS attack.
By the original definition
> Any software is malware when it does something other than the user intended.
all software bugs are malware, because they probably do what at least one user doesn't want. In fact, this definition is so broad that even an application that has no bugs is probably defined as malware, if it has a single feature that any user doesn't like, no matter how innocuous, e.g. uses a font that the user doesn't like.
Re:When you didn't ask to install it. (Score:2)
It could be argued that bugs are malware, but my definition of malware is that it benefits someone besides the user/owner* of the software.
*Not sure how corporate spying software falls
Re:When you didn't ask to install it. (Score:2)
Frankly, I think the solution is that it needs to be community based. Develop your antimalware kit, develop 'removal' tools for pretty much everything.
Maintain an obvious malware list internally, where there is no debate.
Then let communities develop lists of their own lists, and allow users to subscribe to one or more of those lists. Stuff like ask.com and mcafee security scan, and other borderline stuff will be added to the community lists.
The decision making process is then shifted to the people the decisions affect. If a manufacturer doesn't like the fact that it's listed on a popular community list... tough shit... it's on that list because the community that uses that list doesn't want that software. If you don't like it, make software they want.
Re:When you didn't ask to install it. (Score:2)
> I would go one step further, any software is malware when it does something other than the user intended. It doesn't matter that the Ask toolbar had a checkbox in the installer, the fact was unless I went to Ask.com and downloaded it there it's malware. Likewise it doesn't matter that I installed Windows 10, the fact that it sends data without the user's intention makes it malware.
think about your OS and installed software, and really, think hard if you explicitly asked for them to do everything they do. you don't even know everything they do.
as for linux, not too long ago it forced Ubuntu One on me and had a persistent icon in my bar. i never asked for that. i guess Ubuntu is malware too.
Re:When you didn't ask to install it. (Score:3)
> think about your OS and installed software, and really, think hard if you explicitly asked for them to do everything they do. you don't even know everything they do.
You opted in to your OS when you bought or installed it. That's not quite the same thing.
If a piece of software writes persistent-id-cookie-type information to my hard drive, and I did not explicitly give it permission to do that (as I do with my OS and any DRMed purchased software I install... which is damned little), it's malware. I don't give a damn about any other definition.
Re:When you didn't ask to install it. (Score:2)
Part of the definition should be software that sends or alters data and the machine configuration from a user's machine without explicit authorization and without a direct, primary purpose beneficial to the user.
Something like VirusTotal where a user scans a file against a good amount of AV programs passes these two tests. It has a primary reason to grab and upload a file, and the user explicitly uploaded it.
Browser fingerprinting software, update "services", loopback tunneling services to MITM SSL, and many other items do not benefit the user, nor are they often even authorized, so they are thus malware.
The gray area are processes like Blizzard's Warden and Valve's VAC which scan and upload data to see if a user is cheating.
Re:When you didn't ask to install it. (Score:3)
No, I think it's way earlier than that. Software is malware when the device owner isn't in control of the software. If it communicated with anyone or anything in a way that you are unable to view, start and stop communications then it is malware. If it does things without asking you telling it to or at least authorizing automated activity, it is malware. If it enables secrecy between your device and a 3rd party that you aren't privy to, it is malware.
Re:When you didn't ask to install it. (Score:2)
> >> When Does Software Start Becoming Malware?
> When I didn't ask to install it. Toolbars (like this), automatic update services (that are silently added) and anything else that impacts my resources or distributes my information in a way I didn't choose is malware, IMHO.
> Looking at you, Windows 10...
I'm a bit curious. Would you include Chrome in this classification? Just about every other free download from most sites has Google Chrome with the check-box already checked.
Re:When you didn't ask to install it. (Score:2)
Indeed. The definition is actually quite simple:
If software intentionally does something the user does not want.
It is a subset of bad software (which does not require intent).
Of course intent is difficult to prove, but any kind of revenue sharing is usually a pretty good clue.
Re:Sounds a lot like systemd. (Score:2)
There is a difference between software that tracks, and collects information about you and redirects you to sites in order to gather advertising revenue, and software that implements functionality in a way that you don't agree with. When you implement something you have to choose a way to implement it, some people may not agree with that implementation but does make it malware, choices have to be made. Systemd may have been the wrong choice but I don't believe it was a bad choice made out of malice, or a desire to make money off its users.
Re:Sounds a lot like systemd. (Score:2)
Hehehehehe. Well, sane init-systems usually manage to give you a shell so you can find out what is wrong, but systemd finds that this is beneath it as you have obviously insulted its creator by using it not exactly as was ordained.
And that is the real core of the criticism on systemd: It is a misanthropic POS, that does not respect its users one bit. Resembles its creator in that way.
Re:Sounds a lot like systemd. (Score:2)
While I agree on systemd as the default being utterly demented for Debian and a complete violation of the principle that Debian stable must be rock-solid, you can replace it with sysvinit after installation, or even before if you give the installer some configuration.
Re:Sounds a lot like systemd. (Score:2)
The above rant brought to you by a malware author.
When... (Score:3)
When the ratio nuisance / benefits is larger than some threshold (>=1)?
RE:When Does Software Start Becoming Malware? (Score:1)
Re:When Does Software Start Becoming Malware? (Score:1)
...such as bugs?
Re: When Does Software Start Becoming Malware? (Score:2)
How do you determine whether the author KNEW the code was buggy?
Re:How do you define "malicious"? (Score:2)
I think you have to be setting out to cause harm in order for it to count as malicious. As such, I would concede that GNOME made a mistake, but I would think it hyperbolic to say that GNOME 3 is malicious.
I think if you want to call something malicious, you have to have set out in the first case with intentions to subvert the user's sovereignty over their own property. Install something I didn't ask for and would have specifically rejected? Malicious. Make it difficult to opt out? Malicious. Report my local drive searches that are none of your business? Malicious. Lock me out of content I bought? Malicious. Bloat my phone with a bunch of apps I can't install? Malicious. Make a dumb-ass design mistake? Dumb-assed, but not malicious.
To conflate bad design with malice dilutes the discussion of things that genuinely are malicious -- that genuinely mean us harm.
Simple malware test (Score:3)
If it doesn't meet these criteria, then it is spyware, crapware, malware, or junk, and should be classified as malicious. This includes almost all programs and web pages. This is Sturgeon's law, 90% of everything is crap. But in computer science you can take it one step farther. 90% of everything is crap, and 90% of the stuff that is worthwhile is designed to keep away the crap.
Re:Simple malware test (Score:2)
Malware can also be trojan. Spyware is an excellent example of that, most spyware is very useful, they just collect data on you and sell it on. In some cases like Google, you don't even risk them selling it on to anyone criminal, just for advertisement.
So some spyware is certainly malware.
The real question is: Is Chrome or Android, they are if Windows 10 is.
Re:Simple malware test (Score:2)
So, if I were to write a computer game you really liked, and had it send me interesting things like your personal information, credit card numbers, and porn, it isn't malware? You installed it, it does something you want, and if you didn't know any better you'd want the software reinstalled if it were removed.
Re:Simple malware test (Score:2)
> But in computer science you can take it one step farther. 90% of everything is crap, and 90% of the stuff that is worthwhile is designed to keep away the crap.
Very true. My chosen field has decided to screw itself over repeatedly and with a vengeance. I really do not get the level of stupidity that gets applied. It is like every moron that can barely write a line of code insists on shaping the "future" of CS. CS also still fails to really be engineering or science. This is just pathetic, given the time it had to evolve.
Empirically speaking... (Score:2, Funny)
Based on Skype and now Windows 7-10, I'd say that Microsoft-owned --> Malware.
Re:Empirically speaking... (Score:2)
Yes.
And in the example in the OP; if Microsoft deems the "ask.com" toolbar as "malware" - - - hmm, is that because users don't want it? Or is it because Microsoft doesn't want a competitor's search engine on the desktop? This rabbit-hole doesn't actually go that deep.
Comment removed (Score:4, Insightful)
Re:as a linux user, i can explain. (Score:3)
So, you specifically told every single Linux program what to do? You actually told gdm to start? You told your web browser to cache data? You told vi to automatically make backup files?
I get your primary point. But the way you put it may be a little bit simplistic for a complex system. My Linux boxes do a lot of things that I didn't actually tell it to do. Cron runs, and I didn't tell it to. I know it does it, but I didn't TELL it to. It's default behavior. Some distros have sudo automatically set up. Some distros have ntp set up. Some automatically check (but don't install) for updates. All of that, I didn't tell it to do. Unless that also counts as malware?
Re:as a linux user, i can explain. (Score:2)
> So, you specifically told every single Linux program what to do? You actually told gdm to start? You told your web browser to cache data? You told vi to automatically make backup files?
The software has a description of what it does. As such, he told those pieces of software to do those things when he accepted the defaults in good faith during the initial installation.
Re:as a linux user, i can explain. (Score:2)
> when he accepted the defaults in good faith
Exactly. So, the issue here isn't so much what MS is doing, but not being more up front about it. In other words - documentation and probably some better decisions (heh). But the OP said that malware was a program doing anything that he didn't *tell* it to do. Telling something to do something is active; accepting defaults is fairly passive, I would argue.
Maybe it's a nitpick, but I see it as a pretty big one. Linux distros do a lot of things that I didn't actually ask them to do. It just so happens that they do a lot less without me knowing than Windows or OS X.
Here's a good example: what does a given Linux distro do when you plug in a USB drive? I'm not sure. :) Most seem to prompt for what to do. As does Windows. Some may open the folder automatically. Some don't even mount it automatically. Offhand, I can't remember what the distro that I use most at work (RHEL) does.
Re:as a linux user, i can explain. (Score:2)
Obviously there's an element of degree to it, which I think is where the nitpicking comes in. Auto-mounting a USB stick (or not) on a desktop OS isn't necessarily a behavior that has a huge impact. In the context of RHEL (we also use this at work and I couldn't tell you the default behavior without going to the lab to check
Re:as a linux user, i can explain. (Score:2)
That control was why I chose Gentoo: not for privacy or a protest against "stealth software" (the Steam client is installed), but because by having to touch each and every part of the system I get a clearer idea of how these parts mesh. I would highly recommend setting up a machine in this fashion: it's a very educational experience.
Re:as a linux user, i can explain. (Score:2)
So even within Linux distros, there's differences in how much they do without you "knowing." This was my point. :)
I haven't actually set up Gentoo... I played with Sabayon at one time, but that's just a Gentoo-based distro, as I recall. I don't think I had to do the whole crazy long Gentoo installation and configuration process.
But I've installed and configured a whole lot of aix, linux, solaris, hp-ux, and windows servers for work, so I'm not unfamiliar with the way *nix works. :)
Re:as a linux user, i can explain. (Score:2)
At this point you start with the big picture. You installed some distro to have a usable desktop. You expect a sane login system. Your distro does so, by using gdm. So your distro does what you expect from it, gdm does what's needed to fulfill this. cron is some helper, which does useful things, too. You may inspect it or disable it. Now systemd is another topic ...
But in the end, it's something you (indirectly) chose. Some flash downloaded from a website is downloaded by some software you trust, still it is hidden and does things, where the programmer knew, they are against the user.
Re:as a linux user, i can explain. (Score:2)
Good definition. I like it.
Lies (Score:5, Insightful)
When the software behaves counter to the stated purpose, or the company behind it lies about what they are doing with data collected by the software, it is malware.
Sadly Windows appears to fall into this with all their recent auto-downloading of Windows 10, and extra monitoring being added to 7 and 8. I welcome a broader definition that shames such behavior, if not criminalizes it. Google is a little more upfront about this being their business model, but I still squirm at their cavalier collection of every piece of information they can get their paws on.
Re:Lies (Score:2)
Re:Lies (Score:2)
> I welcome a broader definition that shames such behavior,
Really? I don't see that as a new thing. I see this as an extension of the Computing Ethics class I took for my degree. It was required. I suspect that when you get Marketroids making Engineering decisions (as you very commonly see at Microsoft), you end up with people who haven't been required to take a Computing Ethics class - making UNETHICAL decisions.
All this data collection that has been going on since around 2000 or so, was deemed completely unacceptable in the 1990s. You didn't even need to discuss it, because everyone pretty much agreed that they didn't want their tools spying on them, and making their private information available to thieves or even industrial competitors. Somehow, the spying has now become acceptable (through EULAs), and even common practice. They said that the 1990s was the "wild-west" era of the Internet. Today's era must be the "dystopian" era.
non-isolated third-party cookies are data trojans (Score:4, Interesting)
Toolbars are just the tip of the iceberg. All major browsers are malware because they don't isolate cookie storage (or all storage, really) between origin domains, breaking the same-origin policy. Third-party cookies then become data trojans. Intent is important here. It isn't just a vulnerability, but a design flaw continued by the fact that all major browser development is funded by advertising companies.
See for yourself how Mozilla refuses to fix a security vulnerability that is enabling billions to be made from stolen user data: Bugzilla bug 565965 [mozilla.org]
Does functionality match description? (Score:1)
Does it do what it is supposed (and documented/advertised) to do, and nothing else? Probably not malware.
Does it do all kinds of stuff that it isn't documented as doing (especially if it does it unasked)? Probably malware.
And yes, I regard programs that call home looking for updates -- if they haven't asked for and received permission to do that -- to be a (mild) form of malware, although their benefits might outweigh that.
DiceToolbar? (Score:1)
Is this article posting Dice's way to introduce the Dice Toolbar?
When Windows - Windows 10? (Score:5, Insightful)
.
- it does things to your computer that you did not ask it to do
- it downloads software you did not ask it to download
- it gathers data from your computer and sends it to distant servers without your knowledgeable permission (agreeing to a fine-print multi-page EULA is not knowledgeable permission)
Re:When Windows - Windows 10? (Score:2)
While I largely agree, the issue is not quite as black and white as you paint.
There are something around 2 Billion users with Windows installed on their computer. Regardless of your personal opinion about updates, they should be enabled by default, with no user prompt asking them at install time if they want updates. This is the same argument for mandatory immunization; the species as a whole benefits from herd immunity. If you are arguing against automatic updates, and malware-scanning-by-default, then I think you have a fundamental confusion about how the Internet will survive when infected devices are counted in the billions rather than the millions. Regardless of your distaste for the business practices of companies like Adobe and Oracle, their auto-updaters save the world billions in damages by reducing the number of vulnerable users.
There are other areas where best practices should not be up for debate by the user. My car doesn't ask me if I want to use my ABS brakes when I stop, nor does it stop dinging at me if I drive without a seatbelt on. You may value your personal freedom to choose, but society at large benefits when fewer people crash or die. The needs of the many outweigh the needs of the few, or the one.
Re:When Windows - Windows 10? (Score:2)
> - it does things to your computer that you did not ask it to do
Like a bug?
- it downloads software you did not ask it to download
Like all Google software that auto-updates?!
- it gathers data from your computer and sends it to distant servers without your knowledgeable permission (agreeing to a fine-print multi-page EULA is not knowledgeable permission)
This is a good one though.
When is it malicious? (Score:1)
Oracle has the intent of causing harm by installing the ASK toolbar? Yes -> malware, No -> not malware.
ASK has the intent of causing harm with the toolbar? Yes -> malware, No -> not malware.
Buuuuuuut....
I will also go by the definition of pernicious as "having a harmful effect, especially in a gradual or subtle way", to bring up a new classification: perniciousware (or pernware).
Is ASK toolbar causing a gradual, subtle harmful effect on the user's computer? I don't think it's possible to answer no to this question. For me it's of course, at the very least by consuming resources (disk space, memory, cpu time) on unwanted software. So it's pernware.
Is Oracle causing a gradual, subtle harmful effect on the user's computer by including the ASK toolbar, especially when it's the default installer behavior to install it? Yes (not no here either) -> Java installer is pernware.
Both Malicious and Pernicious definitions supplied by Google search
As a side note, I would say most big players are having serious pernicious behaviour on software distribution. By automatically configuring the startup of their apps/services without asking; bundling software which has little to nothing to do with the provided one (i.e: Flash including an antivirus...) etc. And ofc the well known EULAs, unreadable by the general layman, which give them superpowers to do mostly anything they want with YOUR computer, software, and data.
Worst thing is, the smaller players use these as excuses to do the same, and people have become "accustomed" to this, and no longer pay any notice. Opening wide breaches in most security and allowing anyone with malicious intent to do anything they want...
Re:When is it malicious? (Score:2)
I'm not sure you need to use "pernicious". As far as I'm concerned, somebody who attempts to use a position of power or specialized knowledge to trick me into behaving against my own interests is being malicious. In this case, they are doing me harm by appropriating something that's mine for their own use.
My computer doesn't own anything. So they aren't stealing my computer's resources. They are stealing my resources.
The second it does something for THEIR benefit (Score:5, Insightful)
Putting anything on my computer for your benefit without making absolutely sure I know what is going on, is MALWARE.
Or will you let me put a key logger on your PC in order to 'ensure quality'?
Software is malware when (Score:1)
...it's called iTunes.
easy. (Score:4, Interesting)
When it:
1. Installs without permission
2. makes any unnecessary network connections
3. tracks the user and uploads any data not relevant to functionality (with or without permission, mandatory or not)
4. injects code into the bootloader, filesystem, or anywhere else that's not strictly necessary
5. localfunction/desktop software that requires the user to 'log on' to a vendor portal and/or has 'dead man' switches that require subscriptions (adobe suite)
6. abuses system GUI conventions (skinned applications)
7. is bundled with irrelevant 3rd party plugins, addons, or extensions for marketing purposes (browser search toolbars, apple itunes/quicktime on windows etc)
Re:easy. (Score:2)
"unnecessary" is a very squishy term.
Microsoft might think that it's completely necessary to collect your personal preference information, in order to provide ontological context for the desktop AI assistant. Or to give their developers more information when they're troubleshooting application crashes. It's offloading data from your machine, for "distributed processing" - data that is shared with applications running on their server, or even going to analysis by their developers. These uses may sound perfectly benign. And they quite possibly are. I think what most users (including me) are objecting to, is that the nature of this data, and that it is being passed outside of our physical possession (and legal control), is that we lose control over how that data is used or misused. Even if we "agreed" to it in the EULA - we're not being given a choice, or if there IS a choice, it's being made too difficult or obscure to opt out, and that unease is creeping further and further.
Re:easy. (Score:2)
Firefox? 2, 3, 6, 7. Maybe 5, if you count firefox accounts and pocket as "requires" (for some of the functionality)
When.... (Score:2)
When the software changes how some other software that is already installed on the computer behaves when the user did not expressly indicate that they desired it, it is malware.
It is insufficient to conclude that the user desires how such software might modify the behavior of other software when it is bundled by default with yet another piece of software that the user did express intent to want to use. In many ways, such software would resemble a trojan.
Re:Grayware (Score:2)
Chrome itself is a Potentially Unwanted Program.
Easy one (Score:2)
When it's written by Symantec?
Think I'm kidding? Ever try to REMOVE Symantec "antivirus" crap?
Re:Easy one (Score:2)
Yes, I have. And I almost always use their removal tool first. Same as with McAfee. Never uninstall from Control Panel. And it's true, sometimes their uninstall tool doesn't even get it all.
Re:Easy one (Score:2)
Defining obscenity (Score:3)
This is just like the define obscenity [wikipedia.org] problem. You know it when you see it.
Windows "telemetry". Malware--and after years of zealots on this site tossing that around and me disagreeing, this is not something I say lightly.
When it has any of the following characteristics: (Score:2)
1. ads
2. tries to lure you into installing additional, non-wanted software (such as bundling McAfee with Flash Player, or Safari with iTunes, or the ask toolbar)
3. Has a nag screen (WinZIP "I agree")
4. its sole purpose is to spy on you (the ask toolbar again falls into that category)
2 things that come to mind now (Score:2)
1. If it installs without my permission
2. If it ignores me when I turn off certain settings.
Not that I can think of anything that meets those. ;)
It's easy to define (Score:2)
If it does something that a reasonable user would not expect, it is malware. I don't care if it's documented because those bastards will bury their evil deeds in twenty pages of legalese.
When does software become malware? (Score:2)
Ask and Oracle (Score:2)
The Ask toolbar is not a gray area. It's malware. Oracle knows it's malware, but they don't care. I don't even believe Talos security researchers are confused about the Ask Toolbar. They are simply afraid to go against a 600 lb. Gorilla in the industry. It takes Microsoft to force Oracle to do the right thing.
Simple definition of "malware" right here (Score:2)
1. Software that is installed without the fully informed consent of the user.
2. Software that performs previously unknown or other functions not specifically alluded to, in a repeatable manner.
3. Software that performs functions nonconducive to the secure functionality of a host computer system.
4. Software that installs other software without the fully informed consent of the user.
5. Software that communicates with other hosts without the fully informed consent of the user.
6. Software that degrades the performance of the host system with no clear benefit to the user.
Examples and notes:
1. sideloaders such as the Ask Toolbar and other Browser Helper Objects (Bonzi Buddy and Gator spring to mind) which are bundled with software that you actually ask for, such as when you download installers from SOURCEFORGE and CNET.
2. Such as when Microsoft disabled SSL3 by default in the February 2015 IE11 Security Rollup rather than fix the SSL3 vulnerability.
3. Such as when software opens a port through the firewall and leaves it open (sorry no examples spring immediately to mind but I have known this to happen).
4. See #1.
5. Microsoft's "security" updates that are actually CEIP and other telemetry daemons.
6. Full-on antivirus packages that absolutely HAVE to scan EACH and EVERY file, library, script, document and bitmap on opening! Not sure if the ones that HAVE to run a full scan in the background when the system starts up are worse but that can be demonstrated to increase waiting time for a usable desktop from a couple minutes to several HOURS.
actually... (Score:2)
Tuesday.
It's who benefits (Score:2)
Malware is any software that functions to benefit a third party rather than the user.
If your installer/updater is installing some app/toolbar/etc in addition to the application I want it to install -- that's malware.
If your installer/app/updater is changing settings in my browser or any other application on my system -- that's malware.
I want to write a letter, if your "letter writing app" is sending a copy of the letter or meta-data about the letter or my writing of the letter to a third party -- that's malware.
If I'm playing your off-line single-player game and you're collecting data on how I play it -- that's malware.
If I'm playing your on-line multi-player game and you're doing anything with the data I'm sending you other than sending it to the other players -- that's malware.
If your search engine is doing anything with the search request I'm sending you other than fulfilling my search request -- that's malware.
If your app is displaying ads -- that's malware (unless it's an ad locator application).
Pretty much... (Score:2)
Next question!
When it does anything you wouldn't want it to do. (Score:2)
Software becomes malware whenever it does anything the user, had he been given an informed choice, would have chosen to reject.
(This includes surreptitious installation, hidden misfeatures, information leakage, etc.)
Simple and more complex (Score:2)
I know it when I see it. But it's an interesting question.
The simplest is "it does something the user doesn't want". But this gets bogged down in questions.
I propose that any software that fits (1) AND (2) is malware, *no exceptions*.
1- The software does ANY of the following:
- Hides its presence from the user (registry malarkey, malicious RAM stuff, etc)
- Tricks the user into being installed (packaged in other software, straight up virus piggyback, checkbox you must unclick)
- Is inside a package via sponsorship, deception, or coercion of the packager, as an addition to an actual product (including most of the download.com stuff)
- Fights user attempts to uninstall (including disabling unrelated features, reinstalling itself, etc)
*Sponsorship should handle all cases where a packager includes an element in the package that is not why you chose to get the package. Coercion includes, say, a government or company that forces by law or other method to include code in such a package, and deception involves a packager who is not aware of the malware they are packing along.
2- The software does EITHER of the following:
- Is not strictly needed for the operation the user intends, offering a data leak (personal data, envelope information about user activity) or unarguably malicious feature (blackmail, data deletion, display of advertisements) instead of its advertised or apparent purpose.
- Is installed entirely in secret and from an activity that should not result in software installation.
By this definition, you could argue that some elements of Windows 10 qualify (and they probably do), that the Ask.com garbage pile qualifies (and it definitely does), along with drive by downloads. This excludes a game that shows you advertisements, but includes one that installs an advertising thing on your desktop.
What am I missing? Gimme some false positives or false negatives with this pls.
It's complicated (Score:2)
There are a number of recurring themes I see here, and I see examples that muddy the waters further.
"Installs without user consent"
Counterargument: I install a game from Steam. A copy of the required version of MS VC++ Runtime is installed with a /v/qn switch, so I never see any form of "consent", but I've consented to install a game that requires this runtime version in order to function. Malware?
"Sends data to a third party without user consent"
What *exactly* lives in the usage data that Microsoft gets? It's unclear, but I'd like to think that if Microsoft realized that 90% of its users clicked 'start' at least five times a day, the people in the planning meetings for Windows 8 would have had a hell of a lot more leverage. If Microsoft got data that read, "user 1363959 clicked 'start' a total of 418 times in the last 30 days", I'm fine with that. If Microsoft gets data that says "Voyager529 clicked 'start' 418 times, and then typed the following 15 sentences...", I'd be less okay with that. Is the issue here the fact that, even if I look at the data dumps, they're not terribly user readable the ultimate problem? Would something like the Steam Hardware Survey be viable for Microsoft? Is "allow telemetry [accept/decline]" enough either way?
"Is bundled with other software"
Ghostscript is bundled with PDFCreator, and it's wonderful. AVG Secure Search is questionable - it ultimately shows Google search results, along with different sets of ads, but it at least gives a 'safe/unsafe' indicator which is probably a good idea for many people. Many Slashdotters have Chrome installed, is Chrome 'not malware' when installed from Google.com/chrome, but malware when installed with CCleaner? Comodo Dragon has a few extensions bundled in to assist in safe browsing. Malware? The aforementioned VC++ Runtime - malware? Bundling alone is not enough.
Conversely, "not-bundled" isn't a dead giveaway, either. Cyberlink's installers of paid-for software, by default, change your default autoplay settings and have a super-difficult-to-disable 'feature' of regular pop-up notifications letting you know that you don't have their latest, greatest, kitchen-sink edition...malware?
"Buggy code"
This goes hand-in-glove with the concept of "Microsoft deciding what is and what isn't". The Ask toolbar was flagged as a result of working as intended. Having buggy code is a matter of human error and is (hopefully) intended to be rectified.
Here's how I would judge whether a piece of software is malware or not:
1. Explain what your program is intended to do, and who gets copies of any data the software is privy to, to a five year old. Are you uneasy with writing that description on the front page of your website?
2. Does the CEO of the company have this software installed on his/her computer? Did he/she do so by hitting 'next' repeatedly?
3. During the installation, were there any questions unrelated to the nature of the installation of the code you wrote? If so, was the nature of its requirements reasonably explained, and was any form of opt-out clearly labeled (i.e. not using quadruple-negatives to confuse users who would otherwise intend to opt-out)?
4. Does your software include an uninstaller that leaves the computer in a state that is indistinguishable from a computer that never had it installed in the first place?
Simply put... (Score:2)
Malware is software I don't want on my machine and cannot uninstall easily.
"Easily", in this case, being using the mechanism appropriate for that particular OS. Uninstall a program dialog / apt-get uninstall / whatever.
That's it. Crap I don't want, and can't get rid of easily. Yes, that means I may call IE malware (it increases surface attack area on my machine, and I cannot remove it), while someone else does not.
~D
Re:when it does anything w/o telling (Score:2)
Suing a company under the Computer Misuse Act would require a private prosecution under criminal law and would probably cost a lot of money. You would also have to prove 'beyond all reasonable doubt'.
You would certainly be able to file a claim, alleging a tort (England/Wales) or delict (Scotland), which would be decided on the balance of probabilities.
(IANAL but I did work for one for a couple of years).