Spyware, Adware, Windows, GNU/Linux, and Software Culture
The Times piece involved a couple of phone interviews with Tim O'Brien, as well as a few email exchanges. My views were fairly presented, though as is usually the case, an awful lot of conversation got boiled down to a very few lines in print, so I'm taking the opportunity to expand on several of these.
For starters, I'll note that I run GNU/Linux on my own personal desktop, both at home and at work, and that the problems delineated in the article simply don't exist for me there. While I strongly favor Linux, I consider my bias grounded in experience and reality. I've certainly had years of experience with both types of systems.
I run herd over a small posse of legacy MS Windows systems at work, a youth center in Napa, CA. I'm also called on periodically to do maintenance on PCs used by adult staff in various businesses. I have to say the whole issue of spyware, adware, viruses, worms, and other annoyances (generally: malware) really opened my eyes to the problems MS Windows users face.
Among topics the article didn't address for reasons of space and focus:
- Keeping things clean. I've found a few tricks that work, at least for the moment, with vigilance, paranoia, and a healthy dose of luck.
- Experiences. Just how bad the problem is, with some quantified examples.
- Some cultural observations.
There were also a few general observations I had on the spyware / adware / malware issue. Briefly (and there's more at depth later on most of these points):
- Seeing both GNU/Linux and Windows systems running side-by-side, the magnitude of the problem is just unbelievably different. As in: nonexistent vs. a major constant concern.
- It is possible to protect MS Windows systems against the problem. But it's a lot of work, restricts a lot of the so-called useful functionality of the platform, and in my case involves no email, greatly limited downloads, rather effectively blocking use of MS Internet Explorer, and keeping virus and adware definition files up to date. I spend thirty minutes daily on this for ten systems and still don't feel I've got things comfortably nailed down. For those interested in the "how", I cover this in some detail below.
- Typical small enterprise use of MS Windows is an absolute nightmare from an adware/spyware perspective, and (so far) you couldn't pay me to go there. Home usage is probably even worse.
- Most telling is the difference I see between the applications space in my preferred GNU/Linux distribution (or version), Debian, and MS Windows. Boiling it down: in a collaborative, open platform, programs have to obey rules to be included. In a fiercely competitive environment, there's ferocious levels of backstabbing and low tricks to try to get applications in front of the user or on their system. Adware and its ilk are a logical extension of the existing proprietary software marketplace. There's considerably more on this below.
Keeping things clean
I've found that it is possible, at least with luck and a lot of work, to keep Microsoft systems clean.
Among the most effective, of course, is to install GNU/Linux on the box. Very simply: no Linux system I've used or am aware of has had any level of adware infestation. And were they to have a problem, rooting it out would be largely trivial. I'm strongly recommending Ubuntu GNU/Linux, a Debian-based distribution, to GNU/Linux newcomers.
Assuming you're not prepared to go to that level, here's what I've done at work, where my hands are tied (grants, boss, etc.). I don't believe you can get robust results with DOS-based systems: Win3x/95/98/ME. Especially WinME, which is probably the worst of a long line of bad OS products Microsoft has produced.
As I said in extended comments to Mr. O'Brien (with whom I spoke & corresponded), I've got an advantage over many systems administrators in that I'm running a lab for kids: I am the word of God, and I can simply decree that specific programs and/or functionality aren't available. I also run a couple of GNU/Linux servers in the lab which provide certain functionality, some of which is used in keeping things sane. This includes Samba, Apache, Dansguardian, Squid, and numerous utilities. I've also got Cygwin installed on the desktop systems, which simplifies and extends administrative management considerably. All of these tools are FSF Free Software (often called Open Source), meaning several things, but mostly: you can install and use them for free, and modify them if you choose to do so.
Uninstall MS Outlook and Outlook Express
These are a pair of virus-propagation utilities which offer a largely unsatisfactory level of email functionality. Given that the kids don't (currently) have email, and that I've got other options for providing 'em with same if we should choose to do so, simply eliminate the problem by removing it.
This, incidentally, is a good example of security via minimum exposure. If you don't need to offer specific functionality, then don't. Unfortunately it means that you have to give slightly more thought to your system configuration than a default, kitchen-sink installation requires.
If you must provide email functionality, Mozilla (more below) offers a "Thunderbird" client, and Eudora is a popular small-organization choice (advertising-supported). Both, incidentally, use open and transportable mailbox formats making your future migration to GNU/Linux far easier. Mozilla has a utility for migrating your proprietary MS Outlook format PST (mailbox) files.
Install Mozilla Firefox (or another non-MSIE browser)
Mozilla Firefox, "Rediscover the web", as the slogan says.
Opera is another popular choice, though in its free incarnation it has certain adware characteristics (similar to Eudora above).
Installing Firefox addresses a large host of evils in one swell foop, including:
- Popups: blocking is a few mouse-clicks away (install Adblock Plus and Adblock Filterset.G Updater for more goodness).
- Tabbed browsing: you'll consider MSIE horribly primitive (install Tab Mix Plus for more goodness).
- Selective image blocking: for the full effect, you'll want to explore the many, many plugins available for the browser. While they're a bit daunting to navigate, initially, several of them really pay off. In particular, you can block images from specific regions of a site, or matching specific patterns (say: "/ad/" or "/ads/") on a website.
- Similarly, plug-in blocking & management: while Flash can be very cool, it's about 99.98% annoying. In large part because there is no "off" button. You can't control whether or not the plugin runs in your browser. Firefox plugins provide this control (install Flashblock).
- A host of others. Animation limits (whether or not that jitterstrobe ad banner loops infinitely, or...only once). Among my own favorites, and definitely an advanced-user feature, is the use of custom user stylesheets to control how Web content is presented. If you find yourself cursing site designers' picks of squint-inducing fonts and nausea-inducing colors, userContent.css can be a real bonus.
Mozilla is about taking back control of the web. Very nice, that.
Uninstall other dodgy software
There's a whole mess of software on your MS Windows computer not because it's of any particular use to you, or because you asked for it, but because of marketing arrangements between your hardware or OS vendor and other companies. The mess of Internet service provider icons, for example.
Most of these are relatively harmless. I did find that one program, Viewpoint, apparently provided by Yahoo, wanted to upgrade, and was suddenly talking about putting search bars and buttons everywhere. I decided that that particular collection of bits was no longer welcome and uninstalled it. Possibly an overreaction, but any additional icon on a desktop means another twenty minutes of answering questions from kids ("What does this do? This wasn't here yesterday?"), even if it doesn't do anything particularly annoying. Prune ruthlessly. And a note to vendors: stay out of our faces, and you're going to have a much better survival profile. When in doubt, Google for the software by title, adding "spyware" or "adware", to find others' discussions. In many cases, the distinction between useful software and malware is grey.
Block MSIE web access
There are a number of methods to prevent users from accessing Microsoft Internet Explorer. Unfortunately, few of them work effectively. The program is too thoroughly entwined in the workings of legacy MS Windows and various Microsoft products to make removing a few icons a fix.
I'm addressing the full method in a forthcoming technical article, but one relatively effective trick is to direct all MSIE traffic to a proxy, except for a small set of hand-picked sites which must get through. For example, windowsupdate.microsoft.com. Doing this on multiple workstations for multiple users is a headache, but can be accomplished with scripting tools, your domain login's "LOGON.BAT" file, and in my case, an Apache webserver given a virtual host whose sole purpose in life is to tell people not to use MSIE.
This breaks some stuff; you have to decide whether you value a few conveniences over a generally working system. There are sites which only work under MSIE (that's their problem, not mine, is my response). There are also specific tools under MS Windows which require MSIE, notably Windows Media Player. Some third-party tools such as anti-virus software will get caught by your proxy. Monitoring my webserver's logs is useful for identifying any such issues, and if necessary, adding a site to the pass-through list.
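The same "everything to the dead-end proxy, except a short pass-through list" rule can be expressed as a proxy auto-configuration (PAC) script, which MSIE can load as an automatic configuration script. This is an added example, not the LOGON.BAT and registry setup described above, and its values are assumptions: the proxy address 192.0.2.10:3128 stands in for the Apache host, and every list entry other than windowsupdate.microsoft.com (the one site named above) is a constructed placeholder.

```javascript
// Added example (not the post's own LOGON.BAT/registry setup): a PAC script
// that sends every MSIE request to a blocking "proxy" except a hand-picked
// pass-through list. Constructed values: the proxy address 192.0.2.10:3128
// and every list entry except windowsupdate.microsoft.com.

// Hosts MSIE may still reach directly.
var PASS_THROUGH = [
  "windowsupdate.microsoft.com",
  "av-updates.example.net" // hypothetical anti-virus update host spotted in the proxy logs
];

// Exact match, or a subdomain of a listed name. Written with plain string
// operations rather than the PAC built-in dnsDomainIs() so it runs under
// IE's old JScript engine and can be unit-tested outside a browser.
function hostAllowed(host) {
  host = host.toLowerCase();
  for (var i = 0; i < PASS_THROUGH.length; i++) {
    var d = PASS_THROUGH[i];
    // The leading "." in the suffix test keeps "notwindowsupdate.microsoft.com"
    // from matching "windowsupdate.microsoft.com".
    if (host === d || host.slice(-(d.length + 1)) === "." + d) {
      return true;
    }
  }
  return false;
}

// PAC entry point, called by the browser for every URL it is about to fetch.
function FindProxyForURL(url, host) {
  if (hostAllowed(host)) {
    return "DIRECT";
  }
  // Everything else is answered by the "don't use MSIE" web server.
  return "PROXY 192.0.2.10:3128";
}
```

Point only MSIE's automatic configuration script setting at the URL the Apache box serves this file from, and leave Firefox configured for the real Squid/Dansguardian path, so the two browsers get different policies on the same workstation. Any site that legitimately needs MSIE and shows up in the Apache logs is added to PASS_THROUGH, which is the same pass-through list maintenance described above, just kept in one file instead of on each workstation.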
Using Web-Filtering Software
In my case, it's Dansguardian. As mentioned above, it's FSF Free Software, and comes with its own highly tuned filters. You'll need to adjust them to your needs, slightly, which mostly means adding sites to exception and/or ban lists, done by editing a set of well-documented, easily understood, text files. Blocking is based on several characteristics, including specific domains, keywords, content-type, and extensions.
You need to keep an eye on what's passing or not passing through the filters, which means this is a bit of an ongoing task. For the most part it's done on an as-needed basis. After an initial week or so of adjustments, I find I rarely need to touch things more than once a month or so.
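To make the four blocking criteria named above concrete (domain, keyword, content-type, extension) and the reason exception lists matter, here is an added toy model of a list-driven filter's decision; it is not Dansguardian's code or list format, whose real lists and scoring are richer than this. All list entries and the sample requests are constructed for illustration.

```javascript
// Added example (not Dansguardian's own code or list files): a small model of
// how a list-driven web filter decides on a request using the criteria the
// post names. All list entries and sample requests are constructed.

var lists = {
  // Exception lists are consulted first, so a site the lab needs stays
  // reachable even when a keyword or extension rule would catch it.
  exceptionSites: ["library.example.edu"],
  bannedSites: ["ads.example.com"],
  bannedExtensions: [".exe", ".scr", ".pif"],
  bannedMimeTypes: ["application/x-msdownload"],
  bannedPhrases: ["free screensaver"]
};

// True when host equals a listed domain or is a subdomain of it.
function inSiteList(host, list) {
  host = host.toLowerCase();
  for (var i = 0; i < list.length; i++) {
    var d = list[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

// Decide on one request/response. req = { host, path, contentType, body };
// contentType and body are optional, since a filter only sees them once the
// response arrives.
function decide(req) {
  if (inSiteList(req.host, lists.exceptionSites)) {
    return { allow: true, reason: "exception site" };
  }
  if (inSiteList(req.host, lists.bannedSites)) {
    return { allow: false, reason: "banned site" };
  }
  // Strip the query string before checking the extension, so that
  // "/setup.exe?affiliate=42" is still seen as an .exe download.
  var path = req.path.split("?")[0].toLowerCase();
  for (var i = 0; i < lists.bannedExtensions.length; i++) {
    var ext = lists.bannedExtensions[i];
    if (path.slice(-ext.length) === ext) {
      return { allow: false, reason: "banned extension " + ext };
    }
  }
  if (req.contentType) {
    // Ignore parameters such as "; name=..." when comparing MIME types.
    var mime = req.contentType.split(";")[0].trim().toLowerCase();
    for (var j = 0; j < lists.bannedMimeTypes.length; j++) {
      if (mime === lists.bannedMimeTypes[j]) {
        return { allow: false, reason: "banned content-type " + mime };
      }
    }
  }
  if (req.body) {
    var text = req.body.toLowerCase();
    for (var k = 0; k < lists.bannedPhrases.length; k++) {
      if (text.indexOf(lists.bannedPhrases[k]) !== -1) {
        return { allow: false, reason: "banned phrase" };
      }
    }
  }
  return { allow: true, reason: "no rule matched" };
}

// Constructed sample traffic, roughly what a lab proxy log might show.
var SAMPLES = [
  { host: "www.library.example.edu", path: "/tools/reader.exe" },
  { host: "ads.example.com", path: "/banner.gif" },
  { host: "downloads.example.net", path: "/setup.exe?affiliate=42" },
  { host: "www.example.org", path: "/get", contentType: "application/x-msdownload; name=a.exe" },
  { host: "www.example.org", path: "/index.html", contentType: "text/html", body: "Get your FREE Screensaver now!" },
  { host: "www.example.org", path: "/about.html", contentType: "text/html", body: "About us" }
];

// Returns one decision per sample, in order.
function runSamples() {
  return SAMPLES.map(function (r) { return decide(r); });
}
```

The first sample is the case that makes the exception list worth maintaining: a needed site serving an .exe gets through only because the exception check runs before every ban check. The third and fourth samples show why the query string and MIME parameters are stripped before matching; a filter that compares the raw strings lets both downloads through.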
For the really bad guys: firewall-level blocking
The NY Times article doesn't mention one particular homepage hijacking site, (and don't click that link yet) http://www.domainsponsor.com/. This is an organization which apparently registers a large number of "typo" URLs -- domain names close to, but not quite. Kids, as you might guess, tend to ha