[d@DCC] New and Sneaky Threat to Computer Users

tOM Trottier tOM at Abacurial.com
Mon Nov 14 08:08:12 EST 2005


(copy of my comments on the "Anti-Spyware Coalition Risk 
Model Description" at 
http://www.antispywarecoalition.org/documents/riskmodel.htm )

AS YOU SAY, TECHNOLOGY IS NEUTRAL. IF THE USER IS 
FULLY INFORMED, THEN ALMOST ANY ACTION IS 
ACCEPTABLE AND NOT SPYWARE.

YOU SHOULD BE ESPECIALLY ON THE LOOKOUT FOR 
PRIVACY VIOLATIONS - YOU DON'T SEEM TO BE 
RESPECTING PRIVACY TOO MUCH. GIVEN THE RISKS OF 
IDENTITY THEFT AND SPOOFING. USERS SHOULD BE 
FULLY INFORMED BEFORE DISCLOSING ANY INFO OR 
CONSENTING TO ANY FORM OF TRACKING.

ALSO, YOU SHOULD BE SUPPORTING THE USER, NOT 
ANY THIRD PARTIES. PROGRAMS WHICH BREAK 
TECHNOLOGICAL PROTECTION MEASURES ARE LEGAL IN 
MOST COUNTRIES AND SHOULD NOT BE 
AUTOMATICALLY IDENTIFIED AS PESTS. THEY CAN BE 
ESSENTIAL TOOLS IN SUPPORTING USER RIGHTS (EG, 
TRANSFERRING MUSIC TO A PORTABLE PLAYER)

IDEALLY, EACH ANTI-SPYWARE PROGRAM SHOULD HAVE 
WELL-DESCRIBED OPTIONS TO TURN EACH OF THESE 
KINDS OF PROTECTIONS ON OR OFF, GLOBALLY, OR FOR 
PARTICULAR WEB SITES OR PROGRAMS.

MY COMMENTS INTERSPERSED BELOW. 

TOM

Behavior that may impact users / Relative Impact
Installation & Distribution, including but not limited to:

Replication behavior (mass-mailing, worming, or viral) High 
AGREE

Installs without user’s explicit AND WELL INFORMED 
permission or knowledge, such as not providing or ignoring 
user’s request to cancel installation, drive-by installation, use of a 
security exploit, or software that meets other risk factors and is 
undisclosed in a software bundle (Note: The rating of High 
indicates a typical rating for this item and its relative risk. The 
specific weight may vary depending on the severity.) High 
AGREE

Uninstalls other applications, such as competitive programs High 
AGREE

Software updates automatically Medium AGREE

Program downloads or installs software that has potentially 
unwanted behavior, as described in definitions document 
(Reminder: The rating of High indicates a typical rating for this 
item and its relative risk. The specific weight may vary depending 
on the severity or amount of items installed.) High AGREE


Identification & Control, including but not limited to

Has incomplete or inaccurate identifying information Medium 
AGREE

Program obfuscated with tools that make it difficult to identify, 
such as a packer Medium  SHOULD BE LOW

No indication the program is running inside an application, such 
as an icon, toolbar or window Low AGREE

No indication the program is running standalone, such as a 
taskbar, window or tray icon Low AGREE


Program runs automatically without explicit user consent Low


Networking, including but not limited to:

Proxies, redirects or relays the user’s network traffic or modifies 
the networking stack High AGREE

Creates or modifies “hosts” file to divert domain reference 
without user permission or knowledge at time of change High 
AGREE

Changes default networking settings (Broadband, telephony, 
wireless, etc.) High AGREE

Dials phone numbers or holds open connections without user 
permission or knowledge. High AGREE

Alters SECRETLY the default internet connection to connect at a 
premium rate (i.e. 2x normal rate) High 


Data Collection, including but not limited to:

Transmits personally identifiable data (Reminder: Technologies 
are neutral, and only a concern when abused. A behavior can be 
acceptable with notice and consent). High AGREE

Collects personal information, but stores it locally Medium 
AGREE

Intercepts communication, such as email or IM conversations 
(without appropriate notice and consent) High AGREE

Uploads arbitrary data, some of which could be personally 
identifiable Medium SHOULD BE HIGH

Uploads data that can be used to track user behavior 
offline and online as well as other types of data that may be 
sensitive, yet not personally identifiable Low SHOULD BE HIGH

Uses tracking cookies to collect information (Reminder: Each 
Anti-Spyware vendor weighs a behavior according to their own 
policy. ASC recommends that vendors that utilize this criteria 
make it clear to users that they do so, affording users the 
opportunity to make an informed marketplace decision) Low 
SHOULD BE HIGH; EACH COOKIE'S CONTENTS AND USES 
SHOULD BE EXPLAINED BEFORE USER CONSENT


Computer Security, including but not limited to

Changes the contents of files the program did not originally 
create that most user-level applications would not normally 
modify High AGREE

Hides files, processes, program windows or other information 
from the user or system tools High AGREE

Allows remote users to alter or access the system (files, registry 
entries, other data) High AGREE

Allows host security to be bypassed (privilege elevation, 
credential spoofing, password cracking, etc.) High HIGH IF 
SECRET

Allows remote parties to identify vulnerabilities on the host or 
elsewhere on the network High AGREE

Allows remote control over a computer, including process 
creation, spamming, or attacks on third parties High HIGH IF 
SECRET

Disables security software, such as AntiVirus or Firewall software 
High AGREE

Lowers security settings, such as in the browser, application, or 
operating system High HIGH IF SECRET

Allows for remote control of the application, beyond self-update 
High HIGH IF SECRET


User Experience, including but not limited to:

Advertising

Displays external advertisements (ie, not created by online 
content—e.g., web pages—to which users deliberately surf) that 
are not attributed to their source program High MEDIUM

Displays external advertisements that are indirectly attributed to 
the source program (such as a pop-up with a label) Medium 
AGREE

Displays external advertisements that are clearly attributed to the 
source program, such as starting alongside the program Low 
AGREE

Replaces or otherwise alters web page content, such as search 
results or links High AGREE. THIS IS A HUGE DANGER AS IT 
CAN MISINFORM AND MISLEAD USERS, EG, INTO 
REVEALING PASSWORDS.


Settings

Changes browser pages or settings (error page, home page, 
search page, etc.) Medium SHOULD BE HIGH IF INFORMED 
CONSENT IS LACKING

Modifies user settings such as favorites, icons, shortcuts, etc. 
Low SHOULD BE HIGH IF INFORMED CONSENT IS LACKING


System Integrity

Causes frequent system instability Low SHOULD BE HIGH

Uses excessive resources (CPU, Memory, Disk, Handles, 
Bandwidth) Low  SHOULD BE HIGH

Attaches to other programs, such as the browser, using a non-
standard method Low SHOULD BE HIGH IF INFORMED 
CONSENT IS LACKING

Disables or interferes with functionality of system (right-click 
behavior, ability to use system tools, etc.) High


Other Behaviors, including but not limited to

Has other potentially unwanted behavior, as described in 
definitions document Medium SHOULD BE HIGH 

Program modifies other applications to bypass copyright 
protections Medium SHOULD BE LOW. COPYRIGHT LAWS 
DIFFER BETWEEN JURISDICTIONS. NO PROGRAM CAN 
KNOW BETTER WHAT IS LEGAL THAN THE USER. THE 
USER SHOULD HAVE FULL CONTROL. ANY MODIFICATION 
MUST BE AFTER INFORMED USER CONSENT. THE USER 
SHOULD BE EMPOWERED, NOT COERCED. 

I WOULD NOT BUY OR USE ANTI-SPYWARE SOFTWARE 
WHICH TRIED TO ENFORCE THE COPYRIGHT LAW OF ANY 
JURISDICTION.

Program generates serial numbers/registration keys to allow 
illegal use of copyrighted products Medium SHOULD BE LOW. 
COPYRIGHT LAWS DIFFER BETWEEN JURISDICTIONS. NO 
PROGRAM CAN KNOW BETTER WHAT IS LEGAL THAN THE 
USER. THE USER SHOULD HAVE FULL CONTROL. 

I WOULD NOT BUY OR USE ANTI-SPYWARE SOFTWARE 
WHICH TRIED TO ENFORCE COPYRIGHT LAW OF ANY 
JURISDICTION.

Removal, including but not limited to

Self-healing behavior that defends against removal or changes to 
its components, or requiring manual steps to run the uninstaller 
High AGREE
 
Uninstaller does not functionally remove the program, such as 
leaving components running after reboot or silently reinstalling 
components High AGREE

Does not provide an easy, standard method to permanently stop, 
disable or uninstall the program (such as Add/Remove Programs 
or equivalent). High AGREE

Uninstaller repeatedly attempts to badger or coerce the user into 
cancelling the uninstall Low AGREE


Non-Programmatic Behaviors, including but not limited to

Contains or distributes offensive language and content 
(Reminder: Each Anti-Spyware vendor weighs a behavior 
according to their own policy. ASC recommends that vendors 
that utilize this criteria make it clear to users that they do so, 
affording users the opportunity to make an informed marketplace 
decision) Medium AGREE

Consists of advertising components and is installed at or through 
web sites designed for, targeted at, or heavily used by children 
13 and under Medium AGREE

Uses misleading, confusing, deceptive, or coercive text or 
graphics text, graphics, advertising or other false claims to 
induce, compel, or cause users to install or run the software or 
take actions (such as click on an advertisement) Medium  
SHOULD BE HIGH


Consent Factors

The behaviors below indicate that a program provides users with 
some level of notice, consent and control that may help mitigate 
a risk factor. Certain high-level risks may be extensive enough 
that no level of consent can mitigate them, and the Anti-Spyware 
vendor will always warn users about such behavior.

The consent factors help lay the terminology and groundwork for 
Best Practices, which is a set of positive examples that 
demonstrate clear notice and consent. (Note: The Best Practices 
will live in a separate document, based on the final version of this 
document.)

It is important to note that these consent factors are per-
behavior. If a program has multiple risky behaviors, each is 
examined separately for its consent experience.

The weights (High, Medium or Low) indicate a relative ordering 
for the consent behaviors – although all are helpful, some 
behaviors provide more consent than others. Again, each Anti-
Spyware vendor can weigh the characteristics on their own 
scale.

In the list below, the term “Potentially Unwanted Behavior” refers 
to any program activity or technology that can present a risk to 
users if abused, such as data collection or changing system 
settings. These technologies are described in more detail in the 
definitions document on the Anti-Spyware Coalition website.


Behavior that provides user consent / Level of Consent

I SUGGEST YOU CHANGE THE TERMINOLOGY IN THIS 
SECTION TO BE DIFFERENT FROM THE PREVIOUS 
SECTION. BEFORE, HIGH MEANT HIGH-RISK. HERE IT 
MEANS HIGH-VALUE.

Installation & Distribution

Distributed via download, in clearly labeled packages, and not 
bundled by affiliates High HIGH-VALUE

Requires high level of consent before installation, such as 
registration, activation, or purchase High HIGH-VALUE

Has clear, explicit setup experience that users can cancel High 
HIGH-VALUE

Potentially unwanted behaviors are clearly called out and 
prominently disclosed outside of EULA Medium HIGH-VALUE

Potentially unwanted behaviors are part of the expected 
functionality of the program (i.e., an email program is expected to 
transmit information) High  HIGH-VALUE

User can opt-out of potentially unwanted behaviors (on by 
default) Medium MEDIUM-VALUE

User can opt-in for potentially unwanted behaviors (off by default)
High HIGH-VALUE

Obtains user consent before software updates High HIGH-
VALUE

Obtains INFORMED user consent before using passive 
technologies, such as tracking cookies High HIGH-VALUE


Bundled Software

All bundled software components are disclosed in EULA Low  
AGREE

All bundled software components are clearly called out and 
prominently disclosed outside of EULA Medium  AGREE

User can review and opt-out bundled components (on by default) 
Medium  AGREE

User can opt-in for bundled components (off by default) High 
HIGH-VALUE


Visibility (Run-Time)

Files and directories have clear, identifiable names and 
properties in accordance with industry standards (Publisher, 
Product, File Version, Copyright, etc.) Low MEDIUM-VALUE

Files are digitally signed by publisher Med MEDIUM-VALUE

Program has a minor indication when it is active (tray icon, 
banner, etc.) Med   HIGH-VALUE

Program has major indication when it BECOMES (is) active 
(application window, dialog box, etc.) High HIGH-VALUE


Control (Run-Time)

Sponsor programs only run when sponsored program is active 
Med HIGH-VALUE

Clear method to disable or avoid program, aside from uninstall 
Med HIGH-VALUE

Program requires explicit user consent before starting (i.e., 
double-click an icon) High HIGH-VALUE

Program has opt-in before starting automatically High HIGH-
VALUE


Program Removal

Provides straightforward, functional uninstaller in well-known 
location (such as Add/Remove Programs) Med HIGH-VALUE

Program uninstaller removes all bundled components Med 
HIGH-VALUE


Conclusion

The consent factors, risk factors and modeling process outline 
the analysis approach used by members of the Anti-Spyware 
Coalition. Although behavior weights may vary between vendors, 
the core guidance for application developers is to minimize the 
risk factors and maximize the consent factors to avoid 
classification. However, certain risks may be serious enough that 
an Anti-Spyware vendor will always inform users about impact of 
the behavior.

The risk modeling process is a living document, and will change 
over time as new behaviors and technologies emerge.
 
www.antispywarecoalition.org
 


-- Quidquid latine dictum sit altum viditur --
   ,__@ 	tOM Trottier
 _-\_<, 	758 Albert St., Ottawa ON Canada  K1R 7V8
(*)/'(*)	N45.412 W75.714 	+1 613 860-6633
Abacurial Information Architecture <http://Abacurial.com>
     Q,  Q,
    </  </    	I would rather be exposed to the inconveniences
 (`-/---/-')	attending too much liberty than to those attending
~~@~~~~@~~~~~~	too small a degree of it.-Thomas Jefferson




