

You wrote adware. You bastard.
January 13, 2009 8:14 PM

Gettin' paid for being evil (until Eliot Spitzer shuts you down). Matt Knox wrote adware. Now he talks about why he did it, how adware got sneakier, and internet privacy generally, in a pretty interesting interview over at philosecurity.
posted by dismas (72 comments total) 18 users marked this as a favorite

 
Good interview. Thanks!
posted by louigi at 8:37 PM on January 13, 2009


Man... how come it's always the malware authors who get paid to write nifty hacks? All I ever get paid for is semi-elegant, functional code.

I especially like this quote:
If you think about it, when I use a credit card, the security model is the same as that of handing you my wallet and saying, “Take out whatever money you think you want, and then give it back.”
posted by Netzapper at 8:44 PM on January 13, 2009


I found the slippery slope interesting. He would have never coded his 'final product', but as a series of incremental 'improvements' it became the evil malware that it was.

His risk avoidance advice isn't heartening to Windows users ("use unix"). This advice must be more frustrating to the corporate IT workers who have no say in the matter.

The legality of his actions, while dubious, seem consistent with the malware EULA. This speaks to the risks and dangers of EULAs (when did you last read one?).
posted by el io at 8:59 PM on January 13, 2009


Don't run as local admin. All his system-level hacks aren't going to run then. All adware authors work on the assumption that people are stupid enough to double-click the talking purple gorilla and click OK and YES to several dialogues to install their software running under admin credentials.

Heck, the fix is pretty simple 99% of the time: don't run random crap from the web. Don't install every coupon toolbar. See the act of installation as something that's very serious and dangerous and should only be done when absolutely needed.

You don't need to buy a Mac or install Linux to be safe. Some basic common sense protects you from most, if not all, of this stuff.

This advice must be more frustrating to the corporate IT workers who have no say in the matter.

At my last job I took admin powers away from 100 or so people who still had it for historical reasons. The amount of spyware infections after that? Zero. Corporate IT can handle itself just fine, it's the unsophisticated home user who is at risk.

I'm more interested in the legal aspects here than the technical ones. Why can someone deliver software with an anti-consumer EULA, violate privacy by couching terms in legalese, and hide the uninstaller on a website? Why do businesses have these rights? I feel the anti-consumer pro-business nature of our society led to this, not necessarily people eager to click on the purple monkey. Why can't we have a software bill of rights? Or first sale doctrine applied to DRM? Or negate OS X's incredibly ridiculous restrictions on running on non-Apple hardware? Or why willy-nilly actions can be classified as voiding warranty?

These adware companies are usually legitimate companies. For instance, Google has a non-expiring tracking cookie on your browser right now. They have the right to do this to you. That seems wrong and there's no technical solution to this. Well, other than using a platform that they don't target, but then you're just hiding scared from the real problem. Once they turn their eyes to your system then you'll be in the same boat as all these Windows users. Don't believe for a second smart guys like this can't find a way to convince people to install their junk on any OS and that there aren't exploitable conditions in that OS.
posted by damn dirty ape at 9:48 PM on January 13, 2009 [1 favorite]


Amusingly enough, this guy claims the largest Scheme deployment ever. As was noted on a Scheme mailing list, with great power comes great responsibility.
posted by ghost of a past number at 10:22 PM on January 13, 2009


See? Never trust a Scheme programmer.
posted by mullingitover at 10:26 PM on January 13, 2009 [2 favorites]


You know, I eventually came to the conclusion that a huge reason that unix is safer than windows has nothing to do with internal security, but how software is distributed. If you want software for some random purpose, how do you get it? On Windows, you either get a commercial app, most of which are either trash or cost way too much, and all of which subject you to an unreadable eula. Or, more likely, you hit up google and get a free app from wherever - and that's one of the largest vectors.

On the other hand, how do linux people get apps? Linux distributions usually ship with everything including three separate kinds of kitchen sink. If you want something else, you usually go through a package manager, the vast majority of which is always adware/spyware/virus-free open source material. How do mac people get software? A lot of what you need comes with the computer, and some of the rest can be sourced from Apple. I also suspect Apple users are much faster to go for the commercial software if they need something. Windows users have gotten used to getting most applications for free, since there's so much shareware/adware/freeware for Windows.

It may also help that the truly clueless users of either unix or macs will crash headlong into software incompatibility if they try to download and run random applications, since they won't understand platform compatibility as a concept.
posted by Mitrovarr at 10:37 PM on January 13, 2009 [1 favorite]


damn dirty ape writes "Heck, the fix is pretty simple 99% of the time: don't run random crap from the web. Don't install every coupon toolbar. See the act of installation as something that's very serious and dangerous and should only be done when absolutely needed."

There's only one problem with that solution: it doesn't work. Oh, sure, you can educate a few people, and gradually people become more computer literate, but it's not a generational thing, as I have to clean up my nieces' and nephews' messes. But any solution which requires everyone to change their behavior is doomed.
posted by krinklyfig at 10:52 PM on January 13, 2009 [1 favorite]


> [Google's persistent cookie seems] wrong and there's no technical solution to this.

Don't be silly. You *could* delete the cookie, or block cookies from *.google.com. You're still the master of your own computer.

dismas: Thanks for the links!
posted by simoncion at 10:54 PM on January 13, 2009 [1 favorite]


Think about it. How long has this been an issue? The Endless September was in 1993. Virii were showing up on floppies since the '80s. All along, oldschool people said the same thing. "The fix is simple. Don't be stupid." Of course!

I do tech support. This doesn't work. You can educate individuals. This is not a workable solution to the overall problem, however, which will continue as long as MS lets it.
posted by krinklyfig at 10:57 PM on January 13, 2009


Isn't the whole point of the new security system in Vista to make it impossible (or at least difficult) for stupid users to fuck up their systems? I realize all the dialog boxes are annoying for people, but you need a lot more than one or two clicks to really screw up your machine.
posted by delmoi at 11:13 PM on January 13, 2009


Wow, that was actually a pretty fascinating read.
posted by delmoi at 11:22 PM on January 13, 2009


But any solution which requires everyone to change their behavior is doomed.

Yeah, I still grow my own food to get my family through the winter.
posted by ryoshu at 12:01 AM on January 14, 2009 [1 favorite]


I realize all the dialog boxes are annoying for people, but you need a lot more than one or two clicks to really screw up your machine.

Annoying dialogue boxes achieve one thing: Conditioning people to click "OK" even faster than they did before, whenever they see it. And one or two clicks can screw up your machine wildly if you're running as a privileged user, and the clicks install a root kit.

I think Mitrovarr is correct in that the method of software distribution, combined with a locked-down-by-default security model, is what makes Linux so much less prone to dodgy software than Windows. I admit, when I'm on my Windows machine and I want some software to do something, I'll fire up Google and download whatever free software I find that fits the bill...luckily I'm smart enough to try and figure out if it's really free or not. When I'm in Ubuntu and I need to find some software to do something, I fire up Synaptic Package Manager and select from one of the thousands of securely distributed, malware-free open source packages. In Linux, installing software that contains malware would actually require extra effort.

Of course, with the massive uncontrolled ecosystem of software out there for Windows, implementing some kind of "package manager" would be impossible. Getting software signed by Microsoft is futile, because, as I said, people have been conditioned to click "OK" before they even read the warnings.
posted by Jimbob at 12:09 AM on January 14, 2009 [1 favorite]


For instance, Google has a non-expiring tracking cookie on your browser right now. They have the right to do this to you. That seems wrong and there's no technical solution to this

Don't install or use their products.
posted by Blazecock Pileon at 12:18 AM on January 14, 2009


I realize all the dialog boxes are annoying for people, but you need a lot more than one or two clicks to really screw up your machine

Yeah, with Vista you need three clicks. That's 50% more security right there!

It's the simple fact that the UAC popups are annoying that renders them ineffective. I've watched quite a few people interacting with their Vista systems, and the standard reaction to "Windows needs your permission" is just to click OK as soon as the screen starts greying out, purely because it happens so often. Nobody bothers to hang about reading the text that (very occasionally) says which process it is that wants permission. And you don't get told what it wants permission to do; you only get told that something wants permission to continue. It's pointless crap.

Even with User Annoyed Constantly turned on, a process only needs to go through that gate once to get administrative rights; once it has them, it can keep them forever. Also, any processes launched by a process with admin rights will inherit those admin rights. There is absolutely nothing in Vista that would stop any of the adware persistence schemes described in that interview from working without interruption by UAC, given the initial granting of permission to the installer.

The most secure way to run a Vista box is the same as the most secure way to run an XP box: have a single Admin account for computer housekeeping, use limited accounts for day-to-day use, and turn the frickin' UAC off so you don't accidentally give something admin rights without thinking about it. And this will cause grief for Vista users for exactly the same reason it causes grief for XP users: there are still application programs - major application programs - that want admin rights for no good reason. Intuit, I'm looking at you!

No app should need admin rights for anything except installing itself or uninstalling itself, unless its main function is some kind of computer housekeeping. This is the way things have always been done in Unix culture, and is the reason why running a nixbox without permanent admin rights is so much less painful than doing the same thing on a winbox.
posted by flabdablet at 12:22 AM on January 14, 2009 [5 favorites]


with the massive uncontrolled ecosystem of software out there for Windows, implementing some kind of "package manager" would be impossible

In fact it's the uncontrolled open source ecosystem that makes package management possible for Linux. The only reason it works is because the repository maintainers do have access to the source code and can verify that there is no bastardware lurking in anything that goes into their repositories.

Anybody attempting to implement anything like a Linux-style software repository for Windows would be caught in an enormous web of software licenses before they'd got 1% of it done.
posted by flabdablet at 12:29 AM on January 14, 2009


I think Mitrovarr is correct in that the method of software distribution, combined with a locked-down-by-default security model, is what makes Linux so much less prone to dodgy software than Windows.

User stupidity is the biggest problem. Linux is "more secure" because > 90% of web surfers don't use some variant of *n*x.
posted by ryoshu at 12:44 AM on January 14, 2009


It's interesting that this gentleman wraps up by talking about how mostly you can trust people, after being knee-deep in some very compelling evidence that you can't. (but hey, he wasn't ripping off credit card numbers, right?)

I prefer systems where I just pay for what I want. Advertising-supported anything strikes me as a convoluted scheme*. However, I don't think advertising-supported software was inherently any worse than other ad-based economies until knuckleheads like this just started running malware instead and making like they didn't know the difference. (but hey, he wasn't ripping off credit card numbers, right?)

I did a triple-take when he described creating remote threads on Windows. I scanned the function documentation expecting to quickly see something indicating that he was exaggerating or leaving out some important detail. I come away instead with nothing more than WTF...I think, maybe, you can't have a process running as a different user launch a thread for you, but that's about the limitation on that.

Google has a non-expiring tracking cookie on your browser right now.
posted by damn dirty ape at 12:48 AM on January 14


I don't think so, Firefox has pretty easily-accessible options to disable third-party cookies and two ways to delete them all whenever it's closed. Of course, after reading the interview, I'm not going to bet my life that I don't have a Google tracking cookie anyway...but I don't think I do.

I realize all the dialog boxes are annoying for people, but you need a lot more than one or two clicks to really screw up your machine.
posted by delmoi at 2:13 AM on January 14


We all sort-of realize that people aren't much less likely to click "yes" to five or six different squares-with-Greek-inside to get to the talking purple gorilla than they are to one or two. I mean, after all, it's a talking, purple, gorilla!

* I was going to go into an aside about why I think so many ad-based economies have evolved despite being IMO inferior, but this post is long enough already. But I like how the asterisk looks so I'll put something down here anyway.
posted by Bokononist at 12:48 AM on January 14, 2009


Linux is "more secure" because > 90% of web surfers don't use some variant of *n*x.

Partly true, but given that the majority of internet servers run on some variant of *n*x, it's still clearly a nice target to hack. If lack of end-user uptake was the only thing keeping Linux secure, we'd be seeing a lot more h4x0r3d websites than we do.
posted by Jimbob at 1:08 AM on January 14, 2009


I did a triple-take when he described creating remote threads on Windows.

Yeah, that kind of functionality exists on OS X, too. You can do some pretty hilarious things with the low-level mach system calls... like mapping yourself into another process's memory space and then starting up some remote threads. Lots of features for patching function calls and system calls, too.

You know those star trek computer viruses that move from system to system and take over the ship? You could totally write one of those for the Mac. Probably would need to trick the user into giving up their password during install, but how hard can that be?
posted by ryanrs at 1:15 AM on January 14, 2009


Forget being sued. That guy should be in jail, the havoc he has caused.
posted by Blazecock Pileon at 1:43 AM on January 14, 2009


ryanrs: Yes, once you have code executing on someone's Mac, there are untold numbers of insane exploits you could do using InputManagers, mach shm, etc. — but there are no straightforward vectors for getting the code running in the first place.

There's no autorun, no BHOs, people don't download software from low-profile people, and opening an app for the first time shows a warning dialog with its provenance. There's no network services running out of the box (much less lolsploitable RPC servers like on Windows). The only plausible means I see for infection is via browser and IM client vulnerabilities — still workable, but not 'viral'.
posted by blasdelf at 2:07 AM on January 14, 2009


Nah, UAC being too frequent, or not frequent enough, or not terrifying enough ... none of that matters.

What matters is that people want that WeatherBug. They want the shiny toolbar. They want that thing that sits on their desktop and scrolls pictures of their grandchildren. And as long as there is something that they can click "OK" to, they'll do so, so long as they get the playful kitten animation that follows their mouse around. If UAC displayed the scorched and smoking ruins of a PC with the chestburster from Alien thrusting itself out of the CD ROM with the legend "This could happen to you! Loose clicks sink chips!" ... people would still click "OK."

If IT tells them "No," that doesn't do anything. If policy is circulated, that does nothing. Warnings? Nope. They'll still take the laptop home and let their twelve year old on it. Higher ups will always have some "valid need" to mess about with some software they'd like to try out, so of course they need admin privileges.

It's because people can get someone else to clean up the mess, that's all. "Clean up my trashed desktop" is pretty much viewed as janitorial work; you might as well be bussing tables. And why not leave a mess behind, if someone else is going to do the scut work?

IT is increasingly about the assumption of responsibility, wherever it can be done, automated or not, from users. Not in the sense that it takes choice away as much as it promotes the suggestion that you can do anything you want, we'll have disk images for your PC and backups for your data, and we'll make it impossible to screw up, so everyone can go home feeling like they did great that day in kindergarten, yay, a winner!

As long as that is what is expected of IT, people will continue to do any fool thing with their PC, which will keep the malware guys busy for a very, very long time.
posted by adipocere at 4:48 AM on January 14, 2009 [8 favorites]


This is not a workable solution to the overall problem, however, which will continue as long as MS lets it.

What does Microsoft have to do with it? You have to install software as root. Microsoft has nothing to do with it. The same problem exists for Linux.
posted by Civil_Disobedient at 5:09 AM on January 14, 2009


Not in the sense that it takes choice away as much as it promotes the suggestion that you can do anything you want, we'll have disk images for your PC and backups for your data, and we'll make it impossible to screw up, so everyone can go home feeling like they did great that day in kindergarten, yay, a winner!

And then they wonder why we get pissy and petulant.

Could it be because, I dunno, you won't listen to me and are going to reinstall the fucking "Advanced Search Bar" again fifteen minutes after I leave? Because obviously the thing that was the problem isn't the problem.
posted by Netzapper at 5:25 AM on January 14, 2009


I don't think advertising-supported software was inherently any worse than other ad-based economies until knuckleheads like this just started running malware instead and making like they didn't know the difference.

Yeah, I actually wrote an adware software app before the term spyware was popularized, and before adware was a euphemism for malware. This was back when adware consisted of a single dll that developers could reference in their apps so that they would pull banner ads from the net while the program was running. To me it didn't seem any worse than putting ads on a website; they looked ugly but they paid the bills. There were around three big adware companies back then, and the biggest ad-supported app was probably Go!Zilla.

The big problems started showing up when the adware dll guys got greedy and started wanting to make their adware dlls run in the background all the time, rather than just while the application was running. This was back when most people had modems, and the idea was that it would download ads whenever they connected to the Internet, so that if they didn't have a connection when they ran the app they could still get fresh ads. They implemented it pretty sloppily, and the uninstaller didn't work very well.

Around this time a guy named Steve Gibson started calling adware spyware, pointing out the real problems that the adware provider's software had, and making claims that actually weren't true (such as that the apps had keyloggers or monitored users' web traffic). He also wrote a tool called OptOut that would uninstall the adware but allow the ad-supported software to run. Although he was right that running stuff in the background was a dumb idea, his approach seemed pretty time-cubey to me back then and I think he really only made the situation worse. My app didn't even use the new version of the adware dll that ran in the background, but it was still included in the various spyware lists that floated around Usenet.

All of this was coinciding with the massive dotcom crash, so the tech companies didn't have any more VC money to buy ads with, and most of the adware companies went out of business. By 2001 the adware company whose dll I used took down their website and stopped sending me checks. This whole experience made me abandon the entire concept of adware as a legitimate way to do software, and I assume most other ethical shareware authors felt the same way. I'm not sure what events shaped how adware progressed from there, but I think if things had gone differently adware could have actually worked.
posted by burnmp3s at 5:26 AM on January 14, 2009 [1 favorite]


Google has a non-expiring tracking cookie on your browser right now. They have the right to do this to you. That seems wrong and there's no technical solution to this.

There's actually a very easy-to-install Firefox extension which takes care of this nicely.

As a lot of people have pointed out, security is mostly the simplest of vigilance. It still surprises me that some phishing projects actually work. OK, the site looks like MySpace, but since when is MySpace's URL www.myspace.tripod.cn? Just looking at the address bar can save your account. It doesn't take a lot of tech savvy in most cases.
posted by Marisa Stole the Precious Thing at 6:50 AM on January 14, 2009 [1 favorite]
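
The address-bar check from the comment above, written out as an added example that is not part of any comment in this thread: it takes the host a browser would really connect to and tests whether it sits under the expected domain, so a brand name appearing elsewhere in the URL does not count. The expected domain `myspace.com` and every sample URL other than `www.myspace.tripod.cn` are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit


def connect_host(url):
    """Hostname a browser would actually connect to, lowercased, or None."""
    if "://" not in url:
        url = "http://" + url  # bare "www.example.com/path" as a user would type it
    try:
        host = urlsplit(url).hostname  # drops any "user@" prefix and the port
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def is_under(host, domain):
    """True only for the domain itself or a label-aligned subdomain of it."""
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify(url, brand, domain):
    """'genuine' if the host is under `domain`; 'lookalike' if the brand string
    shows up in the URL anyway; otherwise 'unrelated'."""
    host = connect_host(url)
    if host is not None and is_under(host, domain):
        return "genuine"
    if brand.lower() in url.lower():
        return "lookalike"
    return "unrelated"


# Constructed samples; only www.myspace.tripod.cn comes from the thread.
SAMPLES = [
    "http://www.myspace.com/login",              # expected site
    "www.myspace.tripod.cn",                     # brand is only a subdomain label
    "https://myspace.com.example.net/",          # real domain used as a prefix
    "http://www.myspace.com@203.0.113.7/login",  # real domain in the userinfo part
    "https://notmyspace.com/",                   # suffix match without a label boundary
    "https://example.org/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample, 'myspace', 'myspace.com'):10} {connect_host(sample)}")
```
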


Isn't the whole point of the new security system in Vista to make it impossible (or at least difficult) for stupid users to fuck up their systems? I realize all the dialog boxes are annoying for people, but you need a lot more than one or two clicks to really screw up your machine.

As Jimbob indicated, this model is fundamentally broken. Have you used Vista? You get the same message all day long whether doing perfectly legitimate tasks like running Notepad on a text file or attempting to install a program. Users are quickly trained by the system that you should always hit OK, because if you don't hit OK you can't get any work done.

It's just as stupid a "fix" as when Microsoft "fixed" the 2GB Outlook problem by just preventing Outlook from continuing to receive mail. Admittedly this was better than fucking up your entire PST with no warning whatsoever, but it's certainly not to be classified in the "Solution" column.
posted by odinsdream at 6:53 AM on January 14, 2009


Just looking at the address bar can save your account. It doesn't take a lot of tech savvy in most cases.

It does however require that you understand what an address bar is. Almost all non-computer-savvy users I train don't know:

1. What a web browser is. They do not understand basic ideas like "being connected to the internet" and "using a web browser." They frequently believe that opening IE is "being on the internet" and that using "Mazzulah Fox Fire" means they can't go to their "home site" anymore, which was just their ISP's default homepage.

2. What a web URL is, and where it goes. They do not understand that you type www.something.com into the top area of the web browser. They just enter this into whatever box accepts text input on their homepage. This is frequently a search engine of some kind, of course, and the first result usually is a link to the page they meant to go to.
posted by odinsdream at 6:57 AM on January 14, 2009 [6 favorites]


Wow. Alright then.
posted by Marisa Stole the Precious Thing at 7:02 AM on January 14, 2009


I really have no idea what people are talking about when they say UAC is annoying, it doesn't annoy me that much at all.

Also the whole "It comes up so often" thing, well, it doesn't come up that often at all. Maybe once or twice an hour, when I start some little un-installed apps (winSCP and putty). Most of the applications I run don't require UAC authentication to start, and windows actually added a feature that lets you turn it off when you don't want it.

The other thing is that you do get UAC dialogs doing certain tasks, like viewing processes from all users, but I know those are coming up because I'm used to it. If I got a UAC dialog on something when I wasn't expecting it, I probably would read the dialog. But who knows, maybe some people do just click, click, click. But if that was the case, they'd be just as vulnerable running OSX or Linux.

Finally, the fact that UAC dialogs come up whenever you try to do something requiring higher level access means that developers are going to use those features much more sparingly in the future, which is definitely a good thing.
posted by delmoi at 7:06 AM on January 14, 2009 [1 favorite]


Don't even ask about subdomains. Nightmare material.
posted by odinsdream at 7:06 AM on January 14, 2009


But who knows, maybe some people do just click, click, click. But if that was the case, they'd be just as vulnerable running OSX or Linux.

This is not the case. OSX's equivalent to UAC is that you need to enter your login password when a program is being installed and modifying something that could potentially be dangerous. This password prompt generally comes up only when you're performing these actions, hardly at all during normal use of the computer. You mention you see UAC prompts multiple times a day. The last time I saw an OSX password prompt was when I did Apple software updates* and then before that when I installed a kernel-level driver for a USB cell data card about five months ago. If I had been using Windows I probably would have clicked OK on a UAC dialog about 300 times over the same time period.

* Yep, even Apple can't install stuff without getting your permission.
posted by odinsdream at 7:10 AM on January 14, 2009


Also the whole "It comes up so often" thing, well, it doesn't come up that often at all.

Maybe this is one of those tech urban legends, like when I get asked if I ever get tired of having to log in as root any time I want to run an application.
posted by Marisa Stole the Precious Thing at 7:10 AM on January 14, 2009


As Jimbob indicated, this model is fundamentally broken. Have you used Vista? You get the same message all day long whether doing perfectly legitimate tasks like running Notepad on a text file or attempting to install a program

Yes, I use Vista at home. I've never gotten a UAC dialog trying to edit a text file in notepad (I suppose it's possible depending on who you're running as and who owns the text file), and how often do you install software? Is that something you do every day? The only annoying thing was when running those no-install apps, which required authentication each time, but as I said, that's recently changed.
posted by delmoi at 7:10 AM on January 14, 2009


odinsdream: oh God yes, trying to get some people not to type www before a web address you give them can be a nightmare without end.

Google's Zeitgeist is a good illustration for your second point: the top ten search terms (for the UK) are all things like "facebook" and "hotmail".
posted by chorltonmeateater at 7:14 AM on January 14, 2009


This is hilarious listening to a lot of this "it's the stoopid users" banter from IT wonks and developers. It's the tiresome expectation that everyone who finds themselves on a computer should, somehow, be as literate about the minutia of IT and the mechanics of the web as the guys who built the thing in the first place.

This all seems akin to you guys building and maintaining the Cube, then blaming the captives for not knowing exactly how to get around without getting their asses killed.
posted by Thorzdad at 7:38 AM on January 14, 2009


It's the tiresome expectation that everyone who finds themselves on a computer should, somehow, be as literate about the minutia of IT and the mechanics of the web as the guys who built the thing in the first place.

Oh, I don't know about that. I think knowing what the address bar is and reading the dialogue box before pressing "OK" don't take a lot of understanding of computer science.
posted by Marisa Stole the Precious Thing at 8:02 AM on January 14, 2009


> Also the whole "It comes up so often" thing, well, it doesn't come up that often at all. Maybe once or twice an hour....

You put up with that? If I got alert boxes every hour for doing tasks I meant to do I would be driven to distraction and trying everything I could to disable the damned things. That's not a security guard, that's a little kid with a stick going, "Poke! Poke! I'm not touching you! I'm not touching you! Poke!"
posted by ardgedee at 8:32 AM on January 14, 2009 [1 favorite]


I really have no idea what people are talking about when they say UAC is annoying, it doesn't annoy me that much at all.

Yeah, me too.

I see it when I reboot or login, maybe a couple of times a month, when a few programs/processes require admin privileges to run. Apart from that, I generally see it less than once a week when I install something or do something in a directory that Vista finds suspicious.
posted by ROU_Xenophobe at 8:35 AM on January 14, 2009


All the unix-like operating systems I've worked with that support ptrace(3) also allow code injection into foreign processes. In the security community, tools like injectso are used to automate the process of sticking code into processes so threads can do bad things without showing up in the process list.

Another trick I don't think is very well-known is to use the enable -f builtin in bash to load a DSO into a bash process. If the DSO spawned a thread and started doing network communication, the administrator might have a harder time noticing it.

His mention of processes watching out for each other isn't new either; I used a similar trick many years ago for a contest at DEF CON. The short version is you make a list of processes that fork every system tick, and the processes use a shared memory segment or an unlinked mmaped file as a heartbeat scoreboard. When a process dies, one of the processes that's still alive does an extra fork to make up for the dead one. If the processes also change their process title by overwriting argv, it's nearly impossible to kill them because kill by name won't work and the admin can't run ps -> kill faster than the processes are forking. You also need to have some long-lived processes that mimic existing processes to defend against mark-and-sweep tactics. In combination with an erlang runtime for in-program patching, the result is nearly impossible to kill, especially in conjunction with a firmware rootkit on systems that are supported by flashrom(8).

On Windows, I don't know why more people don't know about SteadyState, which is free if you have a Windows license. If you've ever worked with Faronics DeepFreeze, it's the same file system copy-on-write filter technology. Being free, there's no excuse not to stick it on any system you think might be used by people with bad data hygiene. Then, just like a wiki, if something bad happens you simply roll it back without any drama.
posted by thalakan at 8:39 AM on January 14, 2009 [1 favorite]
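
A defender's view of the in-process loading described in the comment above (injectso, bash's enable -f), as an added example that is not part of the original thread: a shared object loaded into a running process shows up as an executable, file-backed region in /proc/<pid>/maps, so auditing that file is one way to notice it. The trusted-directory list and the sample maps text are assumptions constructed for illustration.

```python
# Audit a Linux /proc/<pid>/maps listing for executable mappings that a
# shell or daemon would not normally have. Added example; policy values
# and sample data below are constructed, not taken from a real host.
from typing import List, NamedTuple, Tuple

# Assumption: directories this site treats as legitimate sources of code.
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/",
                    "/usr/bin/", "/bin/")

# Constructed sample: a bash process with three suspicious regions.
SAMPLE_MAPS = """
55d0c8a2f000-55d0c8b0e000 r-xp 0002f000 08:01 1310750 /usr/bin/bash
7f3a1c000000-7f3a1c021000 rw-p 00000000 00:00 0
7f3a1e228000-7f3a1e3bd000 r-xp 00028000 08:01 1314000 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a1e600000-7f3a1e602000 r-xp 00000000 08:01 2359301 /tmp/.cache/libhelper.so
7f3a1e700000-7f3a1e701000 r-xp 00000000 08:01 2359400 /home/user/lib/x.so (deleted)
7f3a1e800000-7f3a1e801000 rwxp 00000000 00:00 0
7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]
7ffd5a3f0000-7ffd5a3f2000 r-xp 00000000 00:00 0 [vdso]
"""


class Mapping(NamedTuple):
    start: int
    end: int
    perms: str
    path: str       # empty for anonymous memory
    deleted: bool   # backing file was unlinked after being mapped


def parse_maps(text: str) -> List[Mapping]:
    """Parse 'address perms offset dev inode [pathname]' lines."""
    mappings = []
    for line in text.splitlines():
        fields = line.split(None, 5)   # pathname may contain spaces
        if len(fields) < 5:
            continue
        path = fields[5].strip() if len(fields) == 6 else ""
        deleted = path.endswith(" (deleted)")
        if deleted:
            path = path[: -len(" (deleted)")]
        start, end = (int(x, 16) for x in fields[0].split("-"))
        mappings.append(Mapping(start, end, fields[1], path, deleted))
    return mappings


def audit(mappings: List[Mapping]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for executable regions worth a look."""
    findings = []
    for m in mappings:
        if "x" not in m.perms:
            continue
        if m.path.startswith("["):      # kernel regions: [vdso], [vsyscall]
            continue
        if not m.path:
            # JIT runtimes do this legitimately; a shell normally does not.
            findings.append(("anonymous-executable", hex(m.start)))
        elif m.deleted:
            findings.append(("deleted-file-executable", m.path))
        elif not m.path.startswith(TRUSTED_PREFIXES):
            findings.append(("untrusted-path-executable", m.path))
    return findings


def audit_pid(pid: int) -> List[Tuple[str, str]]:
    """Audit a live process; needs read access to /proc/<pid>/maps."""
    with open(f"/proc/{pid}/maps") as fh:
        return audit(parse_maps(fh.read()))


if __name__ == "__main__":
    for finding, detail in audit(parse_maps(SAMPLE_MAPS)):
        print(f"{finding}: {detail}")
```

Findings are leads rather than verdicts: compare them against a baseline of the same binary on a known-good host before acting.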


Matt Knox belongs in jail. He wrote software that deliberately prevented people from uninstalling it. At the very least, he should be the target of a civil lawsuit for the thousands of hours people have lost trying to undo the damage he caused.

OK, maybe not Matt. Let's give him amnesty: it's a great interview, he came clean, he seems like a smart and nice guy who regrets his mistakes. But in exchange for amnesty let's make him testify against his bosses who ran the business and encouraged his criminal actions.
posted by Nelson at 8:45 AM on January 14, 2009 [1 favorite]


Also: Vista UAC works pretty well. It certainly doesn't pop up when using Notepad on normal files, unlike the nonsense claimed above. I run with it regularly while doing all sorts of hackerish things and it only pops up when it's supposed to. Namely, when Program Files or the OS are being modified. The only real hassle with UAC is when you try to run software that's still not aware of it and breaks the Windows guidelines. I'm looking at you, World of Warcraft. The solution is to install those programs outside the protected folder. They're no longer protected, but at least the rest of the system still is.

That being said UAC is the wrong approach. Normal users have no idea whether it's safe to click "yes" or "no" when they're asked for permission. It's a reasonable protection for people who want to run with Admin privileges, but it'd be better if regular users never need to run as Admin at all.
posted by Nelson at 8:52 AM on January 14, 2009


Matt's personal website has a statement about the Direct Revenue article. It's good and worth a read. He points out that they did have a legitimate uninstaller, and they did make efforts to avoid being installed by exploits. So he had some sense of ethics. I think his comparison to the Milgram experiments is most trenchant.
posted by Nelson at 9:08 AM on January 14, 2009


It does however require that you understand what an address bar is.

Things like computers, cars, cell phones and aeroplanes are used by most of us, but actually understood by few of us.

My car makes some funny noises when I drive it, but as long as it doesn't stop moving I continue to drive it. I am lucky enough to know someone who is a bit of a car geek. Sometimes, if I am concerned about something the car is doing, I get him to ride shotgun while I attempt to reproduce the phenomenon. Usually he says, don't worry about that, it isn't serious. There is no way I would be able to diagnose the problems, despite using the car regularly and having a Haynes manual and not being at all scared of the busted knuckles and oily residue that results from tinkering with the thing. I rely on the online forum for my particular brand of car for any further technical insight.

Cars have been around for a lot longer than computers and still most people understand them on a very basic level, if at all.

I would suggest that UI design should help people to use their computers intelligently, but there also needs to be some comprehension of the incredibly complicated back end activities involved to really get a feel for the *language* of computing. I have been using the internet since Mosaic, and thus I am familiar with the visual language of web design, not to mention the *evolution* of MS Windows. To me it is usually fairly clear what is going on when I look at a website; for many people that basic fluency with design is not present.

A little knowledge can be a dangerous thing. I know enough to know that I know nothing.

Many people seem to think of a computer screen as being like a television screen with no delineation between the operating system, software or (most commonly) the internet/web pages. It's all just some stuff on the computer.
posted by asok at 9:13 AM on January 14, 2009


For instance, Google has a non-expiring tracking cookie on your browser right now.
posted by damn dirty ape at 12:48 AM on January 14

I don't think so, Firefox has pretty easily-accessible options to disable third-party cookies and two ways to delete them all whenever it's closed. Of course, after reading the interview, I'm not going to bet my life that I don't have a Google tracking cookie anyway...but I don't think I do.

posted by Bokononist at 3:48 AM on January 14


So, in the course of stuff actually unrelated to this, I stumbled across information about Flash cookies. I was vaguely aware of this but not...aware enough to disable them or anything. NoScript, I have to imagine, blocked a whole lot of these, but there was plenty there from most anyplace I'd ever gone ahead and allowed to run scripts - which, of course, included Google.

So, now I don't think I have a Google tracking cookie...but I probably still do. I'm going to wrap my computer in aluminium foil...
posted by Bokononist at 9:21 AM on January 14, 2009


Linux is "more secure" because > 90% of web surfers don't use some variant of *n*x.

"I'm thinking of buying a house in Torvaldia rather than Gatestown because Gatestown has so much more crime."

"Bah! Torvaldia is just 'more secure' because Gatestown has so many more criminals!"

"...um... yeah, and?"
posted by Zed at 9:51 AM on January 14, 2009 [1 favorite]


Gatestown is a sprawling metropolis of 2.5 million, whereas Torvaldia is a sleepy town of 25,000.
posted by Nelson at 10:39 AM on January 14, 2009


Yeah but Linus could totally pin Gates in an Indian leg wrestling contest so nyeh.
posted by Marisa Stole the Precious Thing at 10:54 AM on January 14, 2009


For instance, Google has a non-expiring tracking cookie on your browser right now. They have the right to do this to you. That seems wrong and there's no technical solution to this

Don't install or use their products.


And then you find yourself unable to use sites foolish enough to use the googleapis for functionality. (Yes I am looking at you metafilter!)

I don't favorite things because I don't want to have to enable the googly javascript (though I did today).

Your freedom to avoid the google monster's watchful cookie is eroding....
posted by srboisvert at 11:35 AM on January 14, 2009


Your freedom to avoid the google monster's watchful cookie is eroding....

Seriously, am I the only person using CustomizeGoogle? Half the reason it was designed, it seems, was to block Google from learning anything about you. Where did this legend of Google's omnipotent cookie come from?
posted by Marisa Stole the Precious Thing at 12:29 PM on January 14, 2009


I think knowing what the address bar is and reading the dialogue box before pressing "OK" don't take a lot of understanding of computer science.

Many dialogue boxes contain language which requires more understanding of computer science than many users possess. It is hard for the tech-literate to grasp that lots of otherwise intelligent people do not know or care what files are or understand the difference between an application and an OS. Explaining the 'address bar' to such users can be hard work. Such people can read the average dialogue box as much as they like - it simply doesn't help them.

My father, for example, falls into this category, which makes life interesting for both of us every single time something unexpected happens with his computer.

(See also Penny Arcade.)
posted by motty at 12:36 PM on January 14, 2009


I don't mean to come across as mocking people who don't understand techincal stuff. I don't understand techincal stuff. But when I used Windows, if a dialogue box sprang up or ZoneAlarm informed me of a process or what have you, and I didn't understand, I Googled it. Having said that, I don't for a moment think all security matters can be deftly handled with basic common sense. A lot of them, maybe most of them, can be. But the cleverness and sneakiness of malicious applications continues to increase, and I expect in the near future that malware will come in the form of digitally engineered videos of loved ones asking for cash advances via Western Union.
posted by Marisa Stole the Precious Thing at 12:46 PM on January 14, 2009


Hey, look at that, I wrote "techincal" twice. It must be my lucky day.
posted by Marisa Stole the Precious Thing at 12:47 PM on January 14, 2009


It's the tiresome expectation that everyone who finds themselves on a computer should, somehow, be as literate about the minutiae of IT and the mechanics of the web as the guys who built the thing in the first place.

Which corresponds perfectly to the feeble protests every time I try to troubleshoot somebody's computer, "I'm not a computer person! teeheehee. I just don't know what's going on. Why don't you just come down and show me what to do."

Why do people seem to think this kind of willful ignorance is acceptable? You work on a fucking computer all day; you have one at home. At this point, I'll warrant more people use computers than use arithmetic* in their daily lives. And nobody argues that you don't need to know how to multiply.

Now, it's not the ignorance that bothers me. Ignorance is fixable. But it isn't fixable when you refuse to learn. And learning, in this instance, does not mean filling a sheet of paper with step-by-step instructions on which little picture to click on. Because tomorrow, they'll ship a new version that changes the icon (or, god forbid, moves the menu item), and you'll be calling IT again.

Learning, in this instance, means becoming at least conversant with the metaphors of the UI and at least the most basic conception of how your computer is organized. It means actually listening to me as I explain those things you need to know for the task at hand in a methodical, patient way, free of unnecessary technobabble. But, you don't get to throw your hands up in the air and scream, "No! I will not learn this!" the moment I use a three-letter acronym. You especially don't get to scream that, and then get to scream, "Stop being so condescending, I'm not an idiot!", when I drop down to a more basic level so that we can avoid the TLA's you're obviously allergic to.

Things like computers, cars, cell phones and aeroplanes are used by most of us, but actually understood by few of us.

I don't need you to know how the computer works. But, I do need you to know that the File menu is nearly always where you go to save a file, that you shouldn't delete funny-named files just because you don't remember saving a word document called "kernel32.dll", the difference between hard drive space and RAM, and that your printer must be plugged in for the computer to see it.

You don't know how the twirly bits under the hood work. That's fine. But, you do know how to operate the steering wheel, the brakes, the throttle, the gear selector, the radio, the heater, the AC, the headlights, the highbeams, the defroster, the wipers. That's all part of operating a car, whether you know how those components work or not.

But with a computer, it's somehow assumed that you shouldn't need to know anything to operate it. That the computer should somehow divine your innate desires and react accordingly, regardless of what you click on. What other goddamn machine exists where people honestly expect to operate it at more than a superficial (or dangerous) level without the slightest bit of training or knowledge?

It's like you tell me you want to learn to drift your car like a badass, and when I start to tell you about traction and weight transfer and oversteer, you protest, "I'm not a car person, just show me how far I need to turn up the heater, you irksome pissant!"

*Not counting all the arithmetic the computer's doing.
posted by Netzapper at 1:58 PM on January 14, 2009 [9 favorites]


Higher ups will always have some "valid need" to mess about with some software they'd like to try out, so of course they need admin privileges.

Hi. It's me. A "higher up with admin privileges" here, just letting you know that admin privileges are quite handy for me, since I got sick of explaining to the IT staff (who think "open source" means "freeware", and who have never heard of Mozilla Thunderbird) what every R library I need to install to do my work does ("Why do you need software called RandomForest? Can't you do this in Excel?") before they would install it. Calling the useless suckers twice a day every time I needed to install a new R, ArcGIS or Python module eventually wore them down and they gave me admin privileges. I haven't needed to bother them since.
posted by Jimbob at 4:51 PM on January 14, 2009


But you're using a separate admin-level user account to do those installs, right? And your day-to-day user account is still limited, yes?
posted by flabdablet at 6:11 PM on January 14, 2009


At my last job I took admin powers away from 100 or so people who still had it for historical reasons.

At my current job, local admin is given to many users who would otherwise be unable to run a large number of expensive-to-replace applications. I'd love to know how you dealt with this issue.

IT...promotes the suggestion that you can do anything you want...

Is this a terrible goal for IT?

I think knowing what the address bar is [doesn't] take a lot of understanding of computer science.

Learning what the address bar is may be indeed worthwhile, but software providers (Microsoft and Adobe leap to mind) so often waste users' time with pointless frustrating nonsense, or downright manipulation, that it's very very difficult to know what is actually important.

Netzapper, I feel your pain, but:

I do need you to know that the File menu is nearly always where you go to save a file

And then along comes Microsoft and REMOVES the file menu from one of the most commonly used applications.

"you shouldn't delete funny-named files just because you don't remember saving a word document called 'kernel32.dll'"

The folks who do this sort of thing are actually trying to learn. Very hard to deal with, I admit.

I got sick of explaining to the IT staff

Jimbob, you are the exception, and I would put you in the camp of "IT". I get very frustrated at the attitudes you describe, and they are indeed common, especially among middle management.
posted by not_that_epiphanius at 10:05 PM on January 14, 2009


But you're using a separate admin-level user account to do those installs, right? And your day-to-day user account is still limited, yes?

Nope. I've been added (along with colleagues in a similar position) to the local admin list on my machine. Which is probably a bad thing, but that's how they did it.

I used my privileges to install VirtualBox, I run Ubuntu inside that, and actually do most of my work in there.

I get very frustrated at the attitudes you describe, and they are indeed common, especially among middle management.

At my last job, the IT department called a meeting of staff to discuss the new Microsoft CMS they were going to move the university website over to, at great expense. Anyone who needed to edit the website would have to undergo training...there would be some funding available for this as well.

A staff member asked whether they had considered any open source CMS options, to save some money.

The IT manager's response (not a word of a lie) - "Well, freeware may be fine for your home computer, but it's hardly something one would use at a university!"
posted by Jimbob at 11:33 PM on January 14, 2009


Yeah, that's common. I used to be amazed at otherwise intelligent folk who would rather pay a vendor for a lack of support than get it for nothing.

Now I just charge twice as much to support commercial software as I do to support open source. I do this because supporting commercial packages is usually so much harder.
posted by flabdablet at 12:44 AM on January 15, 2009


Somebody had better alert the Grand and Glorious University of Melbourne that they're doing it wrong, too.
posted by flabdablet at 12:59 AM on January 15, 2009


There's no autorun, no BHOs, people don't download software from low-profile people, and opening an app for the first time shows a warning dialog with its provenance.

Oh please. All it takes is a cleverly marketed and fancy Photoshop plugin. Now I'm sure Fractalius is legitimate and upstanding, but if it were free, would you really think twice about their motives?
posted by pwnguin at 1:46 AM on January 15, 2009


But with a computer, it's somehow assumed that you shouldn't need to know anything to operate it.

I see this attitude frequently at my office. Our computers are the tools of our trade. I'd expect a carpenter to know how to use a jigsaw, a surgeon to know how to use a scalpel, or a plumber to know how to use a pipe wrench. And I'd expect them to know how to use them safely! Why is it that we give office-bound trades a pass on basic skills?
posted by harriet vane at 4:33 AM on January 15, 2009


Jimbob, you are the exception, and I would put you in the camp of "IT".

You would be wrong. Does he work in an IT department? No. Is he paid to provide computer support or services to others? No. Ergo, he is not in the camp of IT, he is a user or client.

I get very frustrated at the attitudes you describe, and they are indeed common, especially among middle management.

That's okay. Lots of people get frustrated in return at the commonplace problem of an IT staff who insists on overwhelming control of the user's machine but:

*Doesn't educate itself about what the user needs, or about the software commonly used by the different users they serve

*Assumes that it knows better than the user what the user needs, even though they have no substantive experience in the user's field

*Doesn't even get out of the way by assuming that if the user says they need this piece of freeware, they need it

*Replies to queries or requests with answers that display a deep, penetrating ignorance of important aspects of their own job when outside of their most immediate competencies

*When they do install software for the user, do not do so on a timely basis, or even insist on physically removing the machine for more than a day to do so. For the record, a timely basis in this setting is "within two hours."

There are of course really good people out there doing IT stuff, especially in regards to the administration of unix boxen. Pleasure to deal with, work quickly, don't question what you need the particular dataset or package for when it's costless, clearly deeply knowledgeable about the systems they run, the common uses of those systems, and the data on their systems. But those people do seem to be awfully concentrated in the administration of unix boxen.

Windows-support IT at universities has a particular tendency to be less than stellar since the first few levels tend to be made up of part-time student help, or new grads with an MCSA who are likewise just around for a year or two and know positively fuck-all about anything that wasn't published by MS.

I've been lucky in that I've either arrived early enough to get admin rights before they stopped giving them out (last job), or dealt with IT that's actually run by real adults with real jobs, who also give admin rights to faculty (this job).

Faced with Jimbob's problem, though, my own reaction wouldn't have been to pester IT to install things for me. It would have been to just blow the OS, reinstall from my own license, and ignore IT as somewhere between "useless" and "hindrance."
posted by ROU_Xenophobe at 7:28 AM on January 15, 2009


I see this attitude frequently at my office. Our computers are the tools of our trade.(...) And I'd expect them to know how to use them safely! Why is it that we give office-bound trades a pass on basic skills?

Because the current and recent generations of workers had computer skills sort of foisted upon them, with little or no structured training and support --- it was normal not to know anything about computers and most people could not really do anything about it.

Add to this the fact that most people are free to abuse their IT support to no end, whether it is your corporate underlings or your kids [1], and you have a culture bred to believe computer stuff is Somebody Else's Problem.

Marketing also needs to sell computers to more people, and cannot be limited to those that actually know what the fuck they are doing.


[1] Obligatory Penny Arcade reference

posted by ghost of a past number at 8:53 AM on January 15, 2009


That's okay. Lots of people get frustrated in return at the commonplace problem of an IT staff who insists on overwhelming control of the user's machine...

Uh, I was agreeing with Jimbob, perhaps I didn't write unambiguously enough. "I too get frustrated..." would have been better.

And I consider providing good IT support to be a cooperative endeavour, which is what I was trying to suggest with the comment: I would put you in the camp of "IT".

For the record, a timely basis in this setting is "within two hours."

Unless it is your network, a "timely basis" is once the network admin has approved the request. Don't like this? Don't use the network.
posted by not_that_epiphanius at 10:18 PM on January 15, 2009


Civil_Disobedient writes "What does Microsoft have to do with it? You have to install software as root. Microsoft has nothing to do with it. The same problem exists for Linux."

MS does nothing to warn people away from running as root all the time, nor do they prevent major vendors from writing software which requires it. That's the problem.
posted by krinklyfig at 11:12 PM on January 15, 2009 [1 favorite]


nor do they prevent major vendors from writing software which requires it.

This is a major issue, and it's what makes UAC in Vista such a pain. A lot of software written for Windows is still written as if it were going to run on Windows 95. Trying to write preferences to areas that should be off-limits, for example. There's no use trying to use Windows as a non-privileged user if the day to day software you run demands privileges.

There's no such problem in Linux. Every piece of software demands to be installed as root - and then it works beautifully for non-root users, confining all its actions to their home directory, keeping itself separate from critical parts of the system.

This makes running as a non-privileged user in Linux painfree, but completely painful in Windows. It wasn't Notepad for me, as someone above mentioned, but another basic text editor that started throwing up UAC warnings after I modified some preferences that eventually led me to disable UAC warnings on my machine at home.
posted by Jimbob at 11:33 PM on January 15, 2009


You guys must be living with some seriously old broken Windows apps. I've been running Vista exclusively for half a year with UAC turned on and it's never in the way.
posted by Nelson at 7:30 AM on January 16, 2009


One more (belated) observation: IT is terribly underfunded. I don't believe that any company can afford to pay what it would actually cost to supply sane IT support.

Several posters have used the 'car' analogy. A reasonable driver education program takes 30 hours of class and 6 hours of in car education. How many companies provide this to their staff? And computers are more complicated than cars. When there is a change to the tools workers use, whether it's Word or even Acrobat reader there needs to be training if users are expected to be competent in its use. No one wants to pay for this - but software providers sure want to get those new versions out there.

There are no provisions (because of the cost) for testing software configuration at even medium sized companies and government IT environments (there may be exceptions, I have yet to see them). I have frequently been told that (open source, e.g.) software is 'not on the approved software list', but when I ask to see the list - it doesn't exist!

IT staff are often asked to be available 24 hrs a day, 7 days a week. Legislation in my province has deprived IT staff of most fundamental workplace protections, without providing for compensating rewards for this sacrifice. Because it would cost several times current IT budgets to pay for the support, training and testing required to have sane IT support. And there are no legal requirements for software providers to conform to standards - again compare this to car manufacturers.
posted by not_that_epiphanius at 8:22 AM on January 16, 2009


I don't believe that any company can afford to pay what it would actually cost to supply sane IT support.

Not if they've done all their money on licences for proprietary software, at any rate.

And I fully agree with you, which is why I work cheap.

The school has a new principal this year. I'm hoping to persuade him that paying me for 60 extra days this coming year to run one-on-one staff training sessions for OpenOffice is better value than 60 seats' worth of Microsoft Office 2007 licences.
posted by flabdablet at 7:22 PM on January 17, 2009




This thread has been archived and is closed to new comments