Tuesday, July 12, 2005

the importance of good definitions

Techdirt has an article on the recent attempts by a group of organizations to come up with an agreed upon set of definitions for spyware and adware... predictably, Techdirt gets it all horribly, horribly wrong...

the author feels that what the software does or doesn't do is immaterial - that any unwanted application that got on one's machine by unknown means should be classified as spyware... he's not the only one who feels that way but there's a BIG problem with this line of reasoning...

the problem is that classifying instances of software on the basis of how they make some nebulous real world group of users feel (which is essentially what the author's position boils down to) is ridiculously difficult on a number of levels... not only will countless millions be spent on navel-gazing exercises trying to divine whether a particular instance of software in a particular software bundle is going to be unwanted and unnoticed at install time by some fictional average computer user or one of his/her 3.2 kids, but countless millions more will be spent defending against a deluge of specious lawsuits on the grounds that each classification was arbitrary and prejudicial - ultimately leading to a system where the courts, rather than the industry, decide which program is spyware and which isn't...

we're computer scientists, not mind readers - we don't deal with this eye of the beholder crap unless we absolutely have to - and in this case we don't have to... we already have an umbrella term for all bad software - it's "malware"... if we're going to classify software for anti-whatever purposes we need to do it based on functional definitions (definitions based on what functions the software performs rather than definitions based on guessing how users will react to it)... we already have one malware classification saddled with an eye of the beholder definition, it's known as the "trojan", and that non-functional catch-all definition has been the bane of anti-trojan detection for years and is probably the reason we've had to make so many other classifications because it's proven totally unworkable as a classification that people can agree upon... classification based on eye of the beholder type criteria excludes widespread agreement by definition...

functional definitions, on the other hand, are much more reasonable... no guessing is involved and legal defense is practically a non-issue - define something based on its function and it becomes much more feasible to demonstrate that a particular thing belongs or doesn't belong in that class...

on reading the actual document that the group of organizations (the anti-spyware coalition) came up with i think that for the most part the definitions are reasonable but a little on the wordy side... adware, for example, could be much more simply defined as any software that advertises a product or service other than itself... likewise spyware can be defined as any software that surreptitiously collects information from the user's system and sends it back to a remote 3rd party...

they did miss the mark on rootkits again, but the most notable problem is their adoption of spyware as an umbrella term for just about all bad software... they justify this by saying that the public at large is calling it that but this is foolish; 2 years ago the public at large was calling all bad software viruses, 2 years in the future they'll be using yet another term... how will this system cope with that? better to ignore the foibles of the unwashed masses and simply strive for internal consistency... trying to accommodate terminology misuse by people who don't know what they're talking about will never work because the people who don't know what they're talking about will not be consistent over time - leaving those of us who do know what we're talking about having to guess what they're talking about regardless of how accommodating we try to be...

EDIT (07/19/2005): i retract what i said about their definition of rootkits - i don't know what i was looking at before but now it looks fine... turning spyware into an umbrella term is still bad though...

Monday, July 04, 2005

the end of anti-adware/spyware software

it seems like only yesterday that microsoft stepped into the anti-adware/spyware business and now it's probably going to collapse...

why? well, the thing about adware and spyware in the past was, despite being a pain in the ass to remove they were relatively easy to detect... they were stand-alone programs or dlls that are discrete and easily removed, and the various registry or other startup tricks they use to make sure the adware/spyware runs also give away their location...

unfortunately, just as our cyber-innocence was lost 20 some odd years ago by the advent of computer viruses, some of its final vestiges that managed to stick around are again under siege by file infecting adware...

you're probably wondering why i would take such an alarmist stance on this, since i rarely do so... the reason is simple - existing anti-adware/spyware technologies simply can't cope with file infection, it is in no way comparable to what those products were doing before, the only thing that can deal with file infection right now is anti-virus technology... so we're back in the position of needing the anti-virus industry to provide all-in-one 'solutions' again and the anti-whatever-else industries will be left in the dust because AV technology is neither cheap nor easy to develop and the AV industry has an incredible head start...
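the contrast described above, as an added example that is not part of the original post: a startup-entry scan over a constructed .reg-style export flags a stand-alone adware program but reports nothing when a program that already runs at startup has been modified in place... all names, paths and file contents are constructed, and the hash-against-baseline check is only an assumed stand-in for content-level scanning, not the anti-virus technology the post refers to...

```python
import hashlib
import re

def parse_run_entries(reg_export):
    """Return {value name: executable path} from a .reg-style Run key export."""
    entries = {}
    for line in reg_export.splitlines():
        m = re.match(r'^"(.+?)"="(.*)"$', line.strip())
        if not m:
            continue  # key header or blank line
        command = m.group(2).replace("\\\\", "\\")  # .reg exports double backslashes
        exe = re.match(r"(.*?\.(?:exe|dll))", command, re.IGNORECASE)
        entries[m.group(1)] = (exe.group(1) if exe else command).lower()
    return entries

def unknown_startup_entries(entries, baseline):
    """Startup-location check: entry names whose target is not a known program."""
    return sorted(n for n, path in entries.items() if path not in baseline)

def modified_files(files, baseline):
    """Content check: known programs whose bytes no longer match the baseline."""
    return sorted(p for p, data in files.items()
                  if p in baseline and hashlib.sha256(data).hexdigest() != baseline[p])

# Constructed sample data (hypothetical names and paths, not from the post).
EDITOR = "c:\\program files\\editor\\editor.exe"
CLEAN_EDITOR = b"MZ...editor code..."
BASELINE = {EDITOR: hashlib.sha256(CLEAN_EDITOR).hexdigest()}

# Case 1: stand-alone adware adds its own startup entry.
STANDALONE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Editor"="C:\\Program Files\\Editor\\editor.exe /tray"
"DealHelper"="C:\\WINDOWS\\system32\\dealhlp.exe"
'''
# Case 2: no new entry; the existing program's file has been altered instead.
INFECTED_EXPORT = r'''
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Editor"="C:\\Program Files\\Editor\\editor.exe /tray"
'''
INFECTED_FILES = {EDITOR: CLEAN_EDITOR + b"<constructed ad payload>"}

def compare():
    standalone = unknown_startup_entries(parse_run_entries(STANDALONE_EXPORT), BASELINE)
    infected = unknown_startup_entries(parse_run_entries(INFECTED_EXPORT), BASELINE)
    return standalone, infected, modified_files(INFECTED_FILES, BASELINE)

if __name__ == "__main__":
    print(compare())
```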

this is actually really sad for the people involved... we had all these new types of threats and whole new industries spring up to try and deal with them, and then someone goes and adds file infection to them and it all falls down... the only 2 ways this won't happen are if file infection doesn't catch on as a big trend in adware/spyware, or if the anti-virus industry sits on their hands and (intentionally or otherwise) gives the anti-adware/spyware guys a chance to catch up...

of course, you could (quite correctly) argue that they should have seen file infecting adware/spyware coming and developed their products with that in mind, but that doesn't make things any less sad for the employees (who generally don't have a huge say in the architecture of the product) of those companies...

[edited to fix totally borked link - thanks for pointing that out nick]