I spend a good amount of time this morning reading Interview with an Adware Author at Philosecurity. The Adware author is Matt Knox, who worked at Direct Security before they were sued by the New York Attorney General's Office. The article itself is interesting though probably nothing that most readers here will find surprising. The comments are more fascinating as most of them are back and forths between co-workers at Direct Revenue and Christopher Boyd (paperghost) of Vitalsecurity.org.
In everything that follows, italicized quotes are taken from the article referenced above or its comments.
Matt Knox and his co-workers paint themselves as being lulled into dirty deeds much like the proverbial frog in hot water who does not notice the slowly rising temperature. There are excuses (Matt: "I was utterly and grindingly broke") and rationalizations ("I actually believe that if you sum up everything I did it comes out positive"). Yet there is also recognition:
Matt: "It really showed me the power of gradualism. It's hard to get people to do something bad all in one big jump, but if you can cut it up into small enough pieces, you can get people to do almost anything."
Eric (co-worker, in comments): "Even so, it was a dance with the Devil. As with much ordinary advertising, we were exploiting people's naivete and/or stupidity; I'm glad to have it behind me."
Jordan Stevens (co-worker, in comments): "as Matt said, we probably in the end did more good than harm because I am sure we did knock off some horrendous adware clients far more unethical than ours from countries which had no regard for our laws"
Eric again: "Yes, we caused suffering. We knew we were going to hell. We have done our best since then to apologize and atone."
Some people didn't buy the excuses.
Satan (comments): "most people do view you as a criminal"
Sherri (Interviewer, comments) "Guys, please be respectful in your comments. I received a couple that were not appropriate to post. Matt is a wonderful teacher, a great coder and a good friend."
Others also defended Matt:
Anonymous (comments): "A former roommate who I very much respect (and happens to be the grand-daughter of people that you'd recognize from your history of computing lectures) for a brief period worked on helping spams get through filters. I was shocked and unimpressed, but she made a really excellent point: if she didn't, someone else would"
Of course that bit of rationalization brought well deserved references to Nazi concentration camp guards. Most of the defensive parrying seemed to be a claim of ignorance:
Jordan Stevens (co-worker, comments): "The truth is that the whole programming group was full of good people with good intentions, including Matt and Eric. At one point there were around a hundred people working there and we were sheltered by management from knowing how we were negatively affecting our users."
Some defended that:
xandalar (comments): "Sometimes when you code, because of the way the work is segmented, you might have a vague idea of the overall project, but your individual snippet is just a tiny part and when you finish, you're on to something else and then on the train home. Hardly anyone at the cubicle level understands the big picture."
That might be true with some software, but the actual words of the coders show that they did know what they were doing.
Some comments applauded that the coders had fought back against things like (Eric, comments) "hiding the code file in a phony bad sector"
Danv (comments): "It sounds like Matt and Eric worked hard not to cross certain lines. "
There were also arguments of moral ambiguity:
Eric (co-worker, comments): "My point is that almost all of the things Matt describes have 'normal' uses. I was recently asked by maker of a parental-control (censorware) product, to make it hard for a kid to disable the software. Suddenly all these 'exploits' (in Matt's sense) were now potentially legitimate. Where is the clear bright line?"
Those attitudes seemed to frustrate Christopher Boyd:
Paperghost (comments): "To this day, I've never seen such anger generated as a result of a piece of code. Ever."
Paperghost (comments): "You don't get dragged in front of the NYAG for minor screwups. It seems anyone who works for an adware company that gets brought to book can wring their hands and talk about how they knew they were 'going to hell' and 'making people suffer', yet anyone who rightly criticizes them for doing that instead of, you know, doing something about it (as opposed continuing to be dragged along for the ride) 'just doesn't get it'".
I tend to side with Paperghost. I certainly understand that desperate people will do things they wouldn't do otherwise, but I don't think these people were in that situation. All the nonsense about "more good than harm" is silly - there's no excuse for this. Tell me that you are living in Russia and your family is near starvation and I can find some sympathy; it's hard to do that for these guys.
Also interesting were the various comments on protecting oneself from this stuff:
Sherri: "In your professional opinion, how can people avoid adware?"
Matt: "Um, run UNIX."
But that's nonsense. This was Adware - something users willingly installed. When I download an application on my Mac, the installers often ask for a sudo password. How many of us even stop and wonder "Why does this need that?". If we do wonder, how many of us continue anyway? This is why I really wish we had full virtualization available!
A comment about Vista matches my expectations:
Jordan Stevens (co-worker, in comments): "I was proud to be part of that team, because it was after all, such an amazing group of brilliant minds. I left the company as soon as I found out what the true effect we were having on our customers, when I read some hate mail directed at the company.
I went on to work at Microsoft as a security engineer and after enough time felt I had redeemed myself. Vista is more secure, however, many of the same exploits that we used are still possible to do, which is a scary thought. I do believe the Windows model is fundamentally flawed, unfortunately and even the most advanced anti-virus software is insufficient. I do recommend users run a version of UNIX and Windows in a VM (Virtual Machine) only when absolutely necessary."
I bet those remaining exploits are all in the name of being "user friendly" and supporting legacy apps. Microsoft never learns anything.
Note the recommendation to run in a VM. Other commenters suggested running the browser in a VM.. how much longer is it going to take for people to understand how much we need the VM model for our desktops?i I've been beating that drum for years, pointing out that Apple and Linux are in a far better position here than Microsoft. Apple particularly could leverage its nascent popularity and really strike a blow against Microsoft if they'd move on this.. but so far I've seen no indication that they will.
Anyway, interesting post with a lot to think about.
If you found something useful today, please consider a small donation.
Got something to add? Send me email.
More Articles by Anthony Lawrence © 2012-07-19 Anthony Lawrence
If debugging is the process of removing bugs, then programming must be the process of putting them in. (Edsger W. Dijkstra)