Vulnerability Development mailing list archives

RE: Grokster and your email


From: "Holmes, Ben" <Ben.Holmes () getronics com>
Date: Mon, 31 Dec 2001 17:40:58 +1100


SPYware and other such trojan insertion is quite common on these "Free"
P2P apps..

I have had to uninstall "Bonza Buddy" so many times...

Most of the time these say something during the install... but many
times they don't (that makes it a trojan)

LimeWire and Grokster are both spyware, as is BearShare.

I think that "SwapNut" also does it..

XoloX seems rather well behaved though...

GNUcleus is released under GPL and it is great...

If you are going to use a free app, and you want any level of security,
make sure you have the source code (and it is freely available), like
the GPL, some BSD or other OpenSource licensing.  If that is not the
case, go for a firm you can trust (Microsoft, etc.) but as far as I
know, there is no MS-Gnutella just yet...

I tend to use GNUcleus (GPL) if I want this sort of P2P functionality (or
"gnut" for Linux, it is command line and can be used over a term...)

All this leaves me with more questions than answers... I wonder; 

Does LimeWire for Linux drop any of these SpyWare type programs, and if
it does, what does it log/do, and how?

Is it *legal* for a company (even one that releases freeware) to make a
program that secretly installs something that compromises your personal
privacy without telling you?  If so, what can be legally collected by
these companies and what can't?  How does it all sit with various
countries' privacy laws and Freedom of Information acts?

Is there any mention of this functionality buried somewhere in the
license agreement of the program (that you would have read of course,
fully understood because they are in common easy-to-understand language
and accepted before installing it)?  
[If there is, it is not technically a trojan.]

Is there a full list of programs that have this sort of unethical
trojanware included?

Is there a utility anyone knows of that can create locked files (files
marked as "in use") anywhere in the filesystem [or mark files as in use
for read or write] so that malware cannot install in default locations?

Personally, I would put this down to being a more unethical use of
technology than spam E-Mail and junk Faxes.

-- Benjamin Holmes
Getronics, Brisbane, AUSTRALIA

-----Original Message-----
From: Kerosene [mailto:kerosene () mediaone net]
Sent: Monday, 31 December 2001 11:52 AM
To: Ken () infosec101 org
Cc: Markus Kern; yanker () sympatico ca; vuln-dev () securityfocus com
Subject: Re: Grokster and your email


Why hasn't this hit the media yet? A trojan installed on a P2P app that
many people use? I think someone needs to blow the whistle on this..

Were these trojans installed intentionally or did someone somehow get
into the code and maliciously insert the trojans?

Cary C.



