
I was quoted in a September 19, 2004 New York Times article, Barbarians at the Digital Gate by Tim O'Brien and Saul Hansell, on the topic of spyware and adware. The article is a good introduction to the topic, but focuses largely on the business aspects of the issue. Here I'm detailing some of the technical means for addressing the problem, as well as observations on the nature and origin of adware and related malware.

As with many of the pieces on this site, I periodically revisit items to update and revise them as appropriate. First published September 20, 2004.

July 17, 2005 Update. The New York Times has carried several additional stories along this same vein, some better than others. I've addressed these at the end of the essay.

Spyware, Adware, Windows, GNU/Linux, and Software Culture

The Times piece involved a couple of phone interviews with Tim O'Brien, as well as a few email exchanges. My views were fairly presented, though as is usually the case, an awful lot of conversation got boiled down to a very few lines in print, so I'm taking the opportunity to expand on several of these.

For starters, I'll note that I run GNU/Linux on my own personal desktop, both at home and at work, and that the problems delineated in the article simply don't exist for me there. While I strongly favor Linux, I consider my bias grounded in experience and reality. I've certainly had years of experience with both types of systems.

I run herd over a small posse of legacy MS Windows systems at work, a youth center in Napa, CA. I'm also called on periodically to do maintenance on PCs used by adult staff in various businesses. I have to say that the whole issue of spyware, adware, viruses, worms, and other annoyances (generally: malware) really opened my eyes to the problems MS Windows users face.

Among topics the article didn't address for reasons of space and focus:

There were also a few general observations I had on the spyware / adware / malware issue. Briefly (and there's more at depth later on most of these points):

Keeping things clean

I've found that it is possible, at least with luck and a lot of work, to keep Microsoft systems clean.

Among the most effective, of course, is to install GNU/Linux on the box. Very simply: no Linux system I've used or am aware of has had any level of adware infestation. And were they to have a problem, rooting it out would be largely trivial. I'm strongly recommending Ubuntu GNU/Linux, a Debian-based distribution, to GNU/Linux newcomers.

Assuming you're not prepared to go to that level, here's what I've done at work, where my hands are tied (grants, boss, etc.). I don't believe you can get robust results with DOS-based systems: Win3x/95/98/ME. Especially WinME, which is probably the worst of a long line of bad OS products Microsoft has produced.

As I said in extended comments to Mr. O'Brien (with whom I spoke & corresponded), I've got an advantage over many systems administrators in that I'm running a lab for kids: I am the word of God, and I can simply decree that specific programs and/or functionality aren't available. I also run a couple of GNU/Linux servers in the lab which provide certain functionality, some of which is used in keeping things sane. This includes Samba, Apache, Dansguardian, Squid, and numerous utilities. I've also got Cygwin installed on the desktop systems, which simplifies and extends administrative management considerably. All of these tools are FSF Free Software (often called Open Source), meaning several things, but mostly: you can install and use them for free, and modify them if you choose to do so.

Uninstall MS Outlook and Outlook Express

These are a pair of virus-propagation utilities which offer a largely unsatisfactory level of email functionality. Given that the kids don't (currently) have email, and that I've got other options for providing 'em with same if we should choose to do so, simply eliminate the problem by removing it.

This, incidentally, is a good example of security via minimum exposure: if you don't need to offer specific functionality, then don't. Unfortunately it means that you have to give slightly more thought to your system configuration than a default, kitchen-sink installation generally requires.

If you must provide email functionality, Mozilla (more below) offers a "Thunderbird" client, and Eudora is a popular small-organization choice (advertising-supported). Both, incidentally, use open and transportable mailbox formats, making your future migration to GNU/Linux far easier. Mozilla has a utility for migrating your proprietary MS Outlook format PST (mailbox) files.

Install Mozilla Firefox (or another non-MSIE browser)

Mozilla Firefox, "Rediscover the web", as the slogan says.

Opera is another popular choice, though in its free incarnation it has certain adware characteristics (similar to Eudora above).

Installing Firefox addresses a large host of evils in one swell foop, including:

Mozilla is about taking back control of the web. Very nice, that.

Uninstall other dodgy software

There's a whole mess of software on your MS Windows computer not because it's of any particular use to you, or because you asked for it, but because of marketing arrangements between your hardware or OS vendor and other companies. The mess of Internet service provider icons, for example.

Most of these are relatively harmless. I did find one program, Viewpoint, apparently provided by Yahoo, that wanted to upgrade, and was suddenly talking about putting search bars and buttons everywhere. I decided that that particular collection of bits was no longer welcome and uninstalled it. Possibly an overreaction, but any additional icon on a desktop means another twenty minutes of answering questions from kids ("What does this do? This wasn't here yesterday?"), even if it doesn't do anything particularly annoying. Prune ruthlessly. And a note to vendors: stay out of our faces and you're going to have a much better survival profile. When in doubt, Google for the software by title, adding "spyware" or "adware", to find others' discussions. In many cases, the distinction between useful software and malware is grey.

Block MSIE web access

There are a number of methods to prevent users from accessing Microsoft Internet Explorer. Unfortunately, few of them work effectively. The program is too thoroughly entwined in the workings of legacy MS Windows and various Microsoft products to make removing a few icons a fix.

I'm addressing the full method in a forthcoming technical article, but one relatively effective trick is to direct all MSIE traffic to a proxy, except for a small set of hand-picked sites which must get through, for example windowsupdate.microsoft.com. Doing this on multiple workstations for multiple users is a headache, but can be accomplished with scripting tools, your domain login's "LOGON.BAT" file, and in my case, an Apache webserver given a virtual host whose sole purpose in life is to tell people not to use MSIE.

This breaks some stuff; you have to decide whether you value a few conveniences over a generally working system. There are sites which only work under MSIE (that's their problem, not mine, is my response). There are also specific tools under MS Windows which require MSIE, notably Windows Media Player. Some third-party tools such as anti-virus software will get caught by your proxy. Monitoring my webserver's logs is useful for identifying any such issues and, if necessary, adding a site to the pass-through list.
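As an added example (my own code for this page, not the author's scripts), a small Python tool covering both halves of that setup: it reads the rejection vhost's Apache combined-format access log to list the hosts that MSIE, or tools that borrow MSIE's proxy settings, tried to reach, and it emits the `reg add` lines a LOGON.BAT could run to point MSIE at the proxy while letting the pass-through list bypass it. The proxy host `noie.lab.example` and the log lines are constructed; the Internet Settings registry values are the standard ones MSIE reads, and reg.exe is assumed to be present (NT-based Windows such as XP).

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache "combined" log format.  A browser pointed at a proxy sends the full
# URL (or "CONNECT host:443" for HTTPS), so the site it wanted is recoverable.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines, not real log data: a browsing attempt, an anti-virus
# updater riding on MSIE's proxy settings, an HTTPS attempt, and a direct visit.
SAMPLE_LOG = """\
10.0.0.21 - - [20/Sep/2004:10:01:12 -0700] "GET http://www.example.com/games/ HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.22 - - [20/Sep/2004:10:05:40 -0700] "GET http://update.av-vendor.example/defs.dat HTTP/1.0" 200 512 "-" "AV-Updater/1.2"
10.0.0.21 - - [20/Sep/2004:10:06:02 -0700] "CONNECT mail.example.net:443 HTTP/1.0" 405 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.22 - - [20/Sep/2004:10:07:41 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows; rv:1.7) Gecko/20040803 Firefox/0.9.3"
"""

def caught_hosts(log_text):
    """Map (host, user-agent) -> hits for requests the proxy setting sent here."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "CONNECT":              # HTTPS: tunnel request
            host = m["url"].rsplit(":", 1)[0]
        elif m["url"].startswith("http://"):      # HTTP through the proxy
            host = urlsplit(m["url"]).hostname
        else:                                     # relative URL: direct visit, skip
            continue
        hits[(host, m["agent"])] += 1
    return hits

def proxy_override(pass_through):
    """MSIE ProxyOverride value: hosts that bypass the proxy; <local> keeps intranet names direct."""
    return ";".join(sorted(set(pass_through)) + ["<local>"])

def logon_bat_lines(proxy_host, pass_through):
    """reg.exe commands for LOGON.BAT.  Firefox keeps its own proxy settings, so it is unaffected."""
    key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    return [
        f'reg add "{key}" /v ProxyEnable /t REG_DWORD /d 1 /f',
        f'reg add "{key}" /v ProxyServer /t REG_SZ /d {proxy_host}:80 /f',
        f'reg add "{key}" /v ProxyOverride /t REG_SZ /d "{proxy_override(pass_through)}" /f',
    ]
```

Review `caught_hosts(SAMPLE_LOG).most_common()` periodically; anything legitimate (the anti-virus updater, say) goes into the list handed to `logon_bat_lines`.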

Using Web-Filtering Software

In my case, it's Dansguardian. As mentioned above, it's FSF Free Software, and comes with its own highly tuned filters. You'll need to adjust them slightly to your needs, which mostly means adding sites to exception and/or ban lists; this is done by editing a set of well-documented, easily understood text files. Blocking is based on several characteristics, including specific domains, keywords, content-type, and extensions.

You need to keep an eye on what's passing or not passing through the filters, which means this is a bit of an ongoing task. For the most part it's done on an as-needed basis. After an initial week or so of adjustments, I find I rarely need to touch things more than once a month or so.

For the really bad guys: firewall-level blocking

The NY Times article doesn't mention one particular homepage hijacking site, (and don't click that link yet) http://www.domainsponsor.com/. This is an organization which apparently registers a large number of "typo" URLs -- domain names close to, but not quite. Kids, as you might guess, tend to ha