READERS HAVE OFTEN joked that we'll really be in trouble when the viruses start coming with sneakwrap license agreements.
But now that it has happened, it turns out the real joke is how many people seem to think that the existence of the license
means it's not a virus.
Starting on Oct. 24, 2002, thousands of people received an e-mail in which a friend or business associate asked them to
pick up an "e-card" left for them at a site called FriendGreetings.com. Those who followed their acquaintances' supposed instructions
discovered they would need to download a program to view the e-card, and they were presented with standard digital certificate
authentication and installation software to do so. Adding credibility to the process was the fact that they then had to click
OK on two EULAs (End-User License Agreements) in order to download the viewer software.
We don't know how many people took the time to read both EULAs, but we can be pretty certain that none who proceeded to
click their approval had read the second one. If they had, they would have seen the bald statement that the supposedly Panamanian
company that owned FriendGreetings.com would be accessing the licensee's Outlook contact list and sending everyone on that
list a similar invitation to download FriendGreetings.
And that's exactly what the software did when installed, with serious results at some hard-hit companies. Along with spamming
many of their co-workers, those credulous enough to download the FriendGreetings software often had problems with Outlook
errors and changes made to some of their Windows settings. The install also apparently deposited several spyware/adware agents
that needed to be sought out and eradicated before they caused trouble. "We'll be cleaning up the mess at least through the
weekend," one IT manager said. "The worst part though is having to explain it to the clients and vendors our people sent this
thing out to."
Dealing with it was made all the more difficult by the seeming reluctance of the anti-virus software vendors to treat the
FriendGreetings outbreak as they would any other virus. "Unbelievable -- Network Associates is saying they can't respond because
of 'legal' issues," wrote one reader shortly after the attack began. "They say it's not a virus because one of our users granted
permission for it to occur by accepting the EULA."
To its credit, however, Network Associates shortly changed its mind. Although still not officially classifying it as a virus
due to the EULA, Network Associates posted details about the files FriendGreetings downloaded on victims' computers and said
detection capabilities would be included in its next anti-virus update file.
In contrast, Symantec Security Response posted an advisory that it was aware "of a widespread e-card" with worm-like characteristics
but did not classify it as a malicious threat. (At the same time, Symantec was treating the Cytron or Ortyc trojan -- another
e-card virus that FriendGreetings was probably imitating -- as a serious security threat, even though the Cytron adware was
downloaded in a very similar fashion but with no EULAs or spamming of Outlook contacts.) Because the second EULA "explicitly
states that by accepting the agreement, you are authorizing the software to send an e-mail to all contacts," Symantec saw
no reason to offer its customers the ability to detect files associated with the FriendGreetings download. Customers who wanted
to remove those files were directed to a FriendGreetings page which, like the rest of the FriendGreetings.com site, was soon
inaccessible. Only after the problem was dying down the next week did Symantec tell me they would respond to customer complaints
and post information about how to deal with the virus.
Much of the discussion on the Internet about the attack reflected the same notion that the warning in the EULA meant that
FriendGreetings was guilty of nothing more than a somewhat unethical type of viral marketing. People I know to be otherwise
quite sane expressed the idea that this just shows you have to read all the EULAs carefully.
What? Wake up, folks. Call it a virus, worm, trojan, or whatever; the FriendGreetings e-mail was a sinister, deceptive attack
in clear violation of federal computer fraud and data security laws. It was still not clear at press time what the real purpose
behind FriendGreetings was -- perhaps it was an attempt to plant pop-up ads for porn sites similar to the Cytron virus, or
maybe it was just harvesting e-mail addresses for spammers. Whatever the intent, the e-card was a false pretense.
Reading all EULAs carefully isn't the answer. The essential idea of sneakwrap, be it from spammers or Symantec, is to get
this stuff past you, and they'll do whatever it takes (see "Can you really click no," April 22). If you'll read one EULA,
they'll start giving you two. If you'll read two EULAs, they'll give you three, or render them in 2-point type or Latin or whatever.
Stating in a license agreement that you're going to commit a crime doesn't give you the right to do so. Yet it seems that's
what some software companies would have us believe. Why else would Symantec seem to care more about upholding the sanctity
of some fly-by-night operation's EULA than helping its customers deal with a real security threat? What if the FriendGreetings
EULA had said they were going to erase your hard drive too? Would Symantec still say that's not a security threat? Hey, you
agreed to it.
The real lesson of the FriendGreetings attack has to be that sneakwrap is no way to run a railroad. We can't let license
agreements that no one has the time to read be the basis of Internet commerce. If we do, it will mean only those with something
to hide will ever feel safe and secure.