Archive for May, 2004

ISLAND Testing

A few days ago, Phil proposed a rating system to identify deceptive, irritating, or hostile Internet software. I figured that the ISLAND system - named after the six misfeatures it aims to quantify - could use a field test.

Four programs were put through the wringer:

  1. WinZip 9.0
  2. Google Toolbar 2.0.111 (disclaimer: I work for Google)
  3. Yahoo! Messenger 6
  4. AOL Instant Messenger 5.5

These evaluations are necessarily subjective. They are meant to promote discussion and raise awareness of naughty software practices. Disagree with the ratings? Feel free to post a comment or two.

Program: WinZip 9.0
ISLAND Score: 85

In the Walls: 1

  • The express “recommended” installation type installs WinZip icons all over the place and hooks WinZip into the Windows shell.

Spy: 0

  • Does not talk to the mothership.

Limited: 0

  • Is not feature-limited.

Advertising: 0

  • Does not show ads.

Nag: 3

  • A registration dialog is shown every time the user starts WinZip. The “buy now” and “user evaluation version” buttons occasionally swap positions, presumably to trick the user into clicking on the registration button.

Defaults: 1

  • Makes itself the default program for ZIP files and possibly other archive files.

Program: Google Toolbar 2.0.111
ISLAND Score: 94

In the Walls: 0

  • No extra critters.

Spy: 1

  • Enabling “advanced features” sends Google the URLs of pages that the user visits. This is explicitly spelled out and turned off by default.
  • Information is never sold or given to any third parties.

Limited: 0

  • Is not feature-limited.

Advertising: 0

  • Does not show ads.

Nag: 0

  • Does not solicit donations.

Defaults: 1

  • Installation program shows checkbox to make Google the user’s default search engine. It is checked (on) by default.

Program: Yahoo! Messenger 6
ISLAND Score: 70

In the Walls: 3

  • The default “recommended” installation type automatically installs the Yahoo Toolbar and various Yahoo “extras”. These are all given separate shortcuts and separate uninstall entries in “Add/Remove” programs.
  • Places shortcuts for Yahoo Mail on Start Menu, taskbar, and desktop without asking user.

Spy: 3

  • Yahoo collects personal info and may combine it with other info it gets from partners.
  • Personal info is used to personalize content and ads shown to user.
  • Personal info is given to Yahoo’s “trusted partners”.

Limited: 0

  • Is not feature-limited.

Advertising: 1

  • Displays “Yahoo! Insider” window by default when user signs in. It can be disabled through the preferences dialog.

Nag: 0

  • Does not solicit donations.

Defaults: 3

  • Installation program shows checkbox to make Yahoo the user’s default search engine. It is checked (on) by default.
  • Installation program shows checkboxes to make Yahoo.com the user’s home page and Yahoo Mail the user’s default mail app. They are both cleared (off) by default.
  • Changing the install type (Typical or Custom) automatically rechecks the “make Yahoo my default search engine” box, even if the user has already cleared it. When the “Custom” install type is selected, it is impossible to uncheck the “make Yahoo my default search engine” box.

Program: AOL Instant Messenger 5.5
ISLAND Score: 73

In the Walls: 2

  • Offers to install games support and WeatherBug, which are presented as AIM “components” and checked by default.
  • Places “Free AOL & Unlimited Internet” shortcut on desktop and at top of Start Menu without asking user.

Spy: 3

  • Personal info is used to personalize content and ads shown to user.
  • Info used to offer other products/services “that may be of interest.”
  • Info may be used to present offers to user on behalf of AOL’s business partners.
  • Biz partners and advertisers receive aggregate data.

Limited: 0

  • Is not feature-limited.

Advertising: 2

  • AOL portal page with lots of ads is displayed by default when user signs in. It can be disabled through the preferences dialog.
  • Small banner ad - occasionally animated - placed at top of buddy list.

Nag: 0

  • Does not solicit donations.

Defaults: 2

  • Installation program shows checkbox to make Netscape.com your home page. It is checked by default.

I’m in the New York Times (sort of)

SpoofStick has made it into this week’s Circuits section. That is all.

Innovation Hits Home

Congratulations to my brother, Phil, for being recognized as a 2004 Innovator by the InfoWorld Media Group.

Phil deserves a boatload of credit, despite his attempt to offload some of it on his coworkers (come on, who does that?!). However, I’m sure you’ll agree that any award lacking hoity-toity pseudo-Latin arouses suspicion among the more “educated” ranks.

Pompous and Circumstantial

A picture is worth $160,000 in biannual payments:

When Help Doesn’t

A thread on broadbandreports.com alerted me to a Microsoft Knowledge Base article that describes how users can identify spoofed web sites. I do not doubt that Microsoft means well here, but the chances of this article actually helping some of the most vulnerable users are slim to nil.

Think of a less technically savvy web surfer you know - a relative, a colleague, or perhaps a former music professor who once giggled that her computer’s infection with worms and Trojans sounded racy. Now imagine this person being told to “verify the name of the server” before submitting personal information and warned not to “click any hyperlinks that you do not trust”. How useful would (s)he find these instructions?

Moreover, how exactly does one identify an untrusted link or verify a server’s name? The article’s authors place that burden directly on users, requiring them to carry out a sequence of potentially confusing and error-prone steps that involve copying/pasting, scanning for “suspicious” characters, manually typing link URLs into the browser address bar, and running lines of JavaScript code.

SpoofStick was born out of the idea that this is an irresponsible way to approach the problem. Although complete protection from spoofing attacks will probably always require some human participation, I believe we should strive to move more and more responsibility out of users’ hands and into the software.

Doesn’t Mom deserve to have a safe browsing experience without all the hoop-jumping, tedium, and paranoia?

Borrowing Bandwidth

In some parts of the country, Internet connectivity might soon become a public good. Consider the Bay Area, where I recently spent a few days house hunting.

Throughout the process, my girlfriend and I were an elite, well-organized strike force of planning and paperwork. We spent much of the week prior to our trip carefully screening Craigslist posts, making appointments, and completely filling three days of itinerary.

Once we had landed and were actually driving around the peninsula, there was little time to spare. In the mornings, we saved a daisy chain of driving directions on our laptop. Though we occasionally made it through two or three appointments on plan, a midday cancellation or two would eventually shatter the chain.

OK - on the road, laptop planted squarely on lap, require directions to a place ten miles away. Struggling with a road map like some dad taking his kids to the Hoover Dam in a wood-paneled station wagon is naturally out of the question. What to do?

Well, realizing that we were driving through a major tech hub spotted with an abundance of wireless access points, we decided to try a little freeloading. My girlfriend would drive past a row of houses, an apartment complex, or a mini-mall while I scanned the proverbial ether for able candidates. Conveniently, a large number of those I found were unsecured and had MAC filtering disabled. We never stalked access points for more than five minutes before hitting pay dirt.

Imagine if gas behaved this way: we’re running low - quick, drain some from that car over there. You have to admit that, especially with the current outlook, that would be pretty handy…

SpoofStick 1.0

It has arrived. SpoofStick is out of beta and ready for prime time.

Phil posted a nice roundup of comments and reviews from across the web. Here’s one encouraging endorsement that went out in the press release:

“I love SpoofStick,” said Carol Baroudi, CEO of Baroudi Bloor International and author of the Internet for Dummies. “E-mail fraud is on the rise—innocent people are being duped every day—it makes me crazy. SpoofStick lets you see just where you’re being taken - in every sense of the word. I want the world to be using SpoofStick. I want everybody using SpoofStick today!”

Always nice to have your work appreciated.

New Look

Something seems different around here. To preempt speculation (“did he get a haircut?”), I’ll come clean and reveal that Blogger has relaunched, affording subscribers a host of new features and 26 new templates to choose from. Though I have little discernible artistic talent, my abilities for choosing among professionally designed templates are widely respected. And so, witness the new look in all of its stylish, standards-compliant glory.

Eyecandy aside, some of the new functional features may affect the way you read and interact with this blog. For instance, each post now lives on its own page. This cleans up PermaLink URLs somewhat without breaking older anchor-based links. Also, in the (rare) event I post something you deem worthy of comment, you’ll now be using Blogger’s own comment system instead of HaloScan to share your thoughts. Unfortunately, the switch from the latter to the former will make all past comments unavailable.

Unfair? Comment below…

Pardon My Dust

BlogSpot has been a bit temperamental lately, so I’m considering switching hosts. Maybe I’ll change blogging tools while I’m at it; I’ve been hearing good things about WordPress.

Of course, doing nothing remains a tempting option…