Privacy Issues: February 2006 Archives

As any regular day, this evening after work I settled with a snack (today: Cup-o-noodles) behind the computer for some "light reading" of industry blogs and their related links. This was a safe activity until tonight, when I came across this 180solutions press release, which made my noodles fly all over the place.

Let's for a moment sidestep the disregard for the great research work my collegues at FaceTime did, and focus on this quote:

However, according to McGraw, the company took the extra measure of requiring each user to re-opt in to the installation a second time, even though proper consent was obtained at the time of first install. "In this case, the re opt in opportunity wasn't required, because the few users who did install our software as delivered in this exploit did so with knowledge and consent," McGraw said. "But it was the right thing to do given the unorthodox and unapproved nature of the installation interface those users encountered."

Now let's read that again.

It seems only yesterday that I wrote about the dangers of the "sendkeys" attack, and how it would easily defeat any kind of confirmation screen the adware creator puts up, and what to do about the problem.

Now both crusaders Wayne Porter and Ben Edelman discuss this techinique actively being used in the wild. Grab (a small amount of) popcorn and watch the movie.

Let's make things very clear here:

If adware creators do not create a strong validation system like we have proposed (or something similiar), then any form of obtaining user consent via a confirmation dialog is virtually worthless!

On that note a personal message to 180 Solutions.
Your "S3" has been proven to be "less than satisfactory".
Get the message and learn the lesson, or S4 and S5 will go the same way.