Spyware Weekly Newsletter :· December 24, 2003
The Spyware Weekly Newsletter is distributed every week to 20,000 subscribers and read online by hundreds of thousands of visitors. Click here to subscribe. Please read our Terms of Use for quoting guidelines.This edition of the Spyware Weekly Newsletter is archived permanently at http://www.spywareinfo.net/dec24,2003.
Happy Holidays
Merry Christmas and Happy Holidays everyone. 
End cell phone spying
One of my worst fears is coming true. The technology that allows cell phones to be located so that emergency personnel (911 and 999 operators for instance) can find them is being abused by people who should not have access to that information.
I don't like this, I don't like this, I. do. not. like. this.
My main objection to this is the possibility of companies sending advertisements to people arriving within a certain distance of their retail location. Imagine walking through a mall and being barraged with unwanted text messages from every store within 50 feet. People are going to start just turning off their cell phones until they're ready to make a phone call. Yet another great technology rendered nearly useless by out of control marketing.
People should not have the right, or even the ability, to track another person's physical location without their express consent. I can make an exception for parents keeping tabs on their kids and for the authorities keeping tabs on people out of prison and on parole. Other than those and a few other exceptions, this is something that needs to be stopped NOW.
This is outrageous. People are not cattle to be branded and monitored every second of their lives. McDonalds does not have the right to know that I am around the corner and about to walk by their store. If I decide to spend lunch sitting in my car at the park eating a cheeseburger and listening to talk radio, that is no one's business but my own. I have the right to keep that to myself.
I have a simple solution to this. Require the phone makers to provide a button that disables the tracking signal when the phone is not dialed up to an emergency service. Require them to make that the default setting. If people want the phone to tell the world where they are, fine, but give us the ability to turn it off.
I've been saying this for years. We need the ability to disable this tracking feature. Long before I first plugged into the internet, I wrote a letter to my newspaper calling for this.
I have heard rumors of some models of cell phones having the very feature I am discussing. I promise you this, whoever makes a cell phone that lets me disable this tracking technology will have my business the next time I have to buy one.
Christmas Specials
All of the special Christmas prices are still in effect until the end of the year. Below are the details for each product and the link to the past review of it. The links and coupon codes are still valid.
Merry Christmas everyone.
SpyCop and Evidence Terminator:
SpyCop Home is 20% off: http://www.spywareinfo.com/rd/sch1217
SpyCop Corporate is 20% off: http://www.spywareinfo.com/rd/scc1217
Evidence Terminator is 20% off: http://www.spywareinfo.com/rd/et1217
Spycop and Evidence Terminator together are reduced by $44.95: http://www.spywareinfo.com/rd/scet
For six or more copies, contact Catherine and she will be able to give you a 32% discount. Please contact Catherine for details.
More info: http://www.spywareinfo.net/dec17,2003#feature
Window Washer:
Window Washer is 30% off (Use coupon code SAVE30):
If you want to buy more than six copies for friends and family, the discount is 42%. Please contact Catherine for details.
Purchase: http://www.spywareinfo.com/rd/webroot/
More info: http://www.spywareinfo.net/dec10,2003#feature
Aluria Spyware Eliminator:
Free Pop-up Stopper for 1 copy
10% discount for 2-4 copies
15% discount for 5-6 copies
20% discount for 6-10 copies
25% discount for over 10 copies
Purchase: http://www.spywareinfo.com/rd/aluria/
More info: http://www.spywareinfo.net/dec2,2003#feature
Mailwasher Pro Antispam
Use the appropriate coupon code below:
Sorry. The Mailwasher special has expired.
Catherine can be contacted at http://www.spywareinfo.com/email2.php.
Gator/Claria's DashBar toolbar
Gator/Claria has released a new Internet Explorer toolbar called DashBar. DashBar comes bundled with the Gator/Claria spyware trojan crap adware.
Why is DashBar free?
DashBar is provided free by GAIN Publishing. This application is part of the GAIN Network. This software occasionally displays pop up ads on your computer screen based on your online Web surfing behavior. Click here and get DashBar with no GAIN advertising for $30.
Having played with it for a few minutes, something became very obvious. Every single search of the "search engine" returned a link to a sponsor's web site. All of them.
Maybe it's just me, but I prefer toolbars that return "relevent" search results and suppresses pop-ups instead of causing them. Gee, I wonder if anyone makes such a thing?
Sleazy company can continue sending sleazy ads
A federal judge ruled Monday that a California company can send "pop-up" Internet ads that regulators have called "high-tech extortion" -- at least until the matter is decided at trial.
The FTC said D-Squared improperly used a technology built into most versions of Microsoft's Windows operating software to display intrusive messages on computer screens.
The messages offered software to block the same types of ads the company was sending. The FTC said D-Squared unlawfully exploited Microsoft's Windows Messenger Service feature by sending the unwanted ads to Internet users as frequently as once every 10 minutes. (Source: sfgate.com)
*sigh*
Oh well. It was nice while it lasted. Let's hope the FTC wins this case and shuts these scumbags down, permanently.
Time to double-check your Yahoo! settings
If you have an account at Yahoo.com, you need to log in and edit your "marketing preferences" before you start receiving unwanted advertisements. Yahoo has again created some new options that ask permission to send you advertising. Just as they did last year, Yahoo has "helpfully" enabled those options by default. It is up to you log in and opt out.
Go to www.yahoo.com and log into your account. Click the link for "Acct. Info" or "My Account" and enter your password on the next page. On the next page after that, under the "Member Information" section, click the link that says "Edit your marketing preferences".
Double-check that all options are as you want them (I would suggest saying "no" to all of them, but that is up to you). Also check the settings for the "How may we contact you?" section at the bottom. Click the "Save Changes" button at the bottom and that should do it.
Court puts an end to RIAA's fishing trips
Just when I was starting to wonder if the RIAA owned every judge and politician in the US, we find a court willing to uphold the US Constitution. A Federal appellate court has ruled that the RIAA cannot send subpoenas to ISPs demanding customer information unless they are already suing that customer.
... in a strongly worded ruling, the appeals court sided with Verizon, saying a 1998 copyright law does not give copyright holders the ability to subpoena customer names from Internet providers without filing a formal lawsuit. (source: CNN)
What this means is that someone cannot force an ISP to turn over information about their customers simply by claiming that the customer is infringing on a copyright. Whoever wants that information already must have filed a lawsuit before they can send a subpoena. No more fishing expeditions for the RIAA to look for people to sue.
In elementary schools and retirement homes all over the country, 12-year old girls and little old ladies breathed a sigh of relief.
Everyone, please remember Verizon's willingness to burn money defending the privacy of their customers the next time you are looking around for an ISP. That sort of loyalty to the customer is something that should be rewarded.
Unofficial Patch for MSIE flaw is not recommended
On December 9, someone posted to Bugtraq the details of a newly discovered flaw in Microsoft Internet Explorer. This person did not contact Microsoft until the same day he posted the information publicly and he chose the same day Microsoft releases new security patches. Because Microsoft now releases patches only once per month, anyone who wishes to exploit the flaw was given full reign to do so for 30 days. This is a perfect example of why we need to require IQ tests before allowing people to connect to the internet.
The flaw is very simple to exploit. If an internet address contains %00 or %01 next to a @ character, Internet Explorer will not display any part of the address to the right of those characters in the address or status bar. This allows someone to hide the location of a page with a specially crafted hyperlink. Someone might use this flaw to trick you into giving up passwords and other information.
Because of the actions of the person who announced the flaw, there likely will be no official patch until the second Tuesday of next month (January 13). An open source and freeware software development web site has released an unofficial patch to fix the problem. However, I do not recommend this patch.
First, the original patch contained a flaw that would have left users vulnerable to a buffer overflow attack. Exploiting that flaw is just as easy as exploiting the flaw it was meant to fix. Openwares has updated the patch to correct the problem.
Second, the patch causes Internet Explorer to contact openwares.com each time it encounters an attempt to exploit the flaw. Openwares is no doubt logging these hits, but is not disclosing this to people installing the patch.
I do not recommend this work-around. Even without the buffer overflow bug, this is unofficial software that might interfere with the official patch when Microsoft gets around to producing one. The company distributing the patch has given us reason to distrust them by not disclosing the fact that it would log all attempts to exploit the flaw.
My recommendation, as always, is to put down Internet Explorer and never use it again. It is outdated, lacks essential features found in every modern browser and it is dangerous. My recommendation is either Mozilla (or Mozilla Firebird for advanced users) or Opera.
If you absolutely MUST use Internet Explorer, at least use a safer version of it. Make certain you are using version 6 with service pack 1 and all updates from the Windows Update web site. There is no reason for sticking with an older version of Internet Explorer (5.01, 5.5, etc).
Last week, I reviewed an addon to Internet Explorer called MyIE2 that has been updated to deal with this flaw. Using MyIE2 is a safer way to use MSIE.
Be sure to check out SpywareInfo's software page for a whole list of programs that can help lower the risks of using Internet Explorer.
Why are you still using Internet Explorer?
I have blathered on endlessly about the dangers of using Internet Explorer. People who use other browsers are immune from browser hijackings.
MSIE lacks nearly every feature common in more modern browsers. It doesn't handle cascading style sheets properly and doesn't correctly render some pages written to W3C standards. It pops up obnoxious errors if you disable ActiveX.
It's just a bad browser, period.
Despite this, more than 90% of the visitors to SpywareInfo and most other web sites are using Internet Explorer. I want to know why.
The only reason I don't have MSIE locked up behind my firewall is so I can use Windows Update and so I can check out new pages on my site to make sure some IE bug hasn't messed it up. Other than that, I don't use it. I prefer Mozilla Firebird.
Why do you continue to use Microsoft Internet Explorer? Post your answer to this question at the message board.
Here is some additional reading for those still not convinced they should switch:
http://www.xulplanet.com/ndeakin/arts/reasons.html
http://www.mozilla.org/products/firebird/why/
http://www.opera.com/features/
Can-Spam Law, One man's opinion
Reader Rich Harvey sent in his opinion of the new 'Can Spam' law.
Comment on the can spam law: A simple explanation, a multiple choice test:
A.) We have the best congress money can buy.
B.) You dont have to be constipated to work for the Government, but it helps.
C.) Ignorance is curable with knowledge, but stupid is forever.
D.) Government will never fix a problem, without making more for job security.
E.) They actually believe they are helping the situation.
F.) All of the Above!
Thanks Rick ;-)
Corrections
Last week, while talking about Windows 98 heading for retirement, I was unaware of the fact that existing bug patches for Win 98 will continue to be available at the Windows Update web site until 2006. No new patches are likely to be developed. I apologize for the error.
That doesn't change the fact that you need to take extra steps to protect Windows 98. No new patches mean that it will be extra vulnerable to new flaws.
I also feel the need to update what I said about Acronis True Image. My experience with True Image was based on version 6 of that program. Version 7 has been released and I decided to upgrade to it several days ago. After making my purchase and attempting to install it, I received a very rude shock.
Unlike True Image 6, True Image 7 does not install on a server version of Windows (I use Windows 2000 Server). There is a special version of True Image just for servers which, no doubt, costs quite a bit more than the standard version.
Acronis has failed completely to disclose this anywhere on their web site and allowed me to spend money with them without presenting me with all the facts. In fact, they advertise falsely that True Image works with "Windows 95 / 98 / Me / NT / 2000 / XP". Windows 2000 is what I have and True Image refuses to install on it. That behavior is by design.
They also advertise a "no questions asked" 30-day money back guarantee. In fact, I've had to demand repeatedly that they return my money and finally had to threaten them before they would start the process. They now claim they've contacted Digital River to submit the refund.
Needless to say, I am royally pissed off. If Acronis wants to gouge people running servers, that's fine. Acronis should disclose somewhere on the site that Version 7 does not install on servers and not surprise people after they've made their purchase.
I've made my last purchase at Acronis. Great software, despicable company.
