That toolbar you downloaded is malware? Tough, read the EULA

Security software vendor Malwarebytes has highlighted what it says is an increasing trend for malware authors to embed Bitcoin mining into things like browser toolbar helpers and search agents. That's not so new, but its latest observation is that the malware-peddlers are trying to tie up suckers with their license agreements. …

COMMENTS

This topic is closed for new posts.

Silver badge
Unhappy

Meh… EULAs

It is impressive how EULAs and other T&Cs can contain so much crap, without any clarity on what is legal or not. I would think that good lawyers could put a hole through this particular one, but in general the field is full of gray.

9
0
Silver badge

Re: Meh… EULAs

Exactly.

People seem to think that if something is in the EULA, it must be binding. - If you agreed in an EULA to kill your first-born, guess which response would be legal?

6
0
Silver badge

Re: Meh… EULAs

"People seem to think that if something is in the EULA, it must be binding. - If you agreed in an EULA to kill your first-born, guess which response would be legal?"

Everything in a EULA is absolutely binding unless there is a contrasting local, state, federal, international or other law or legal allowance. Killing your first born, or, obtaining money by deception is covered. So they *could* in theory put it in there, but it's not legally enforceable.

However, stealing IOPS by deception is not covered by any other law, so they're allowed to do that. The EULA stands. It's slimy, but it stands.

1
12
Silver badge

Re: Meh… EULAs

"Everything in a EULA is absolutely binding unless there is a contrasting local, state, federal, international or other law or legal allowance."

I doubt that. Instead of killing your first born, try "I owe Microsoft one million dollars for every second I use this product". Giving money is legal, but I don't think it would fly either.

8
0
Silver badge

Re: Meh… EULAs

As a consumer, there's no way any contract can remove or override your statutory rights under UK law.

11
0

Re: Meh… EULAs

Under UK contract law there is a clear statement that an "unfair" contract, even if it has been voluntarily agreed to by all of the parties, cannot be enforced. The gotcha here is that what constitutes "unfair" has to be left to a judge's discretion; he might agree that these terms are unfair (on the basis you are having your processor, and hence electricity, used for a purpose that you cannot gain any material or immaterial benefit from), but there again he might decide otherwise.

4
0
Silver badge

Re: Meh… EULAs

You'd think good lawyers would do that, but the problem is the nature of the civil suit system. What happens is, someone gets a lawyer to lodge a suit, the company then ums and ahs about it, and before it gets to trial they settle. So, you never end up with a legal ruling.

Which means no-one ever gets any decent guidance on what would be legal or not in T&Cs.

0
0
Anonymous Coward

Re: Meh… EULAs

Human Cent-iPad anyone?

0
1
Anonymous Coward

Re: Meh… EULAs

"However, stealing IOPS by deception is not covered by any other law, so they're allowed to do that."

IANAL but I'd guess that the law against Abstracting Electricity might stand a chance against them. After all, it is not the stolen IOPs that you care about. It is in the excess electricity that those IOPs used, and that you had to pay for, where you can demonstrate that you have been bilked.

0
0
Silver badge

Re: Meh… EULAs

"I doubt that. Instead of killing your first born, try "I owe Microsoft one million dollars for every second I use this product". Giving money is legal, but I don't think it would fly either."

No, you perhaps don't understand. The EULA isn't the place for pricing, nor the licence agreement. But if you said something along the lines of "you allow us to charge your credit card for in-app purchases", and bury the actual prices somewhere else in a two point font that's hard to read because of the background, that's legal.

Take for instance the CandyCrush (children's iPhone and Android game) scam that's being run now on TV. By law, they're required to state their fine print on screen. They do, with an intentional low resolution still image, where the text is so far obscured due to a small font that it's unreadable, in front of a background that makes it even less readable. So you go to their website where EVERYTHING works perfectly as you'd expect - except the "Terms And Conditions" link, which is obscured behind some odd java. Working past that and reading it reveals their host company is a gambling outfit. Yep, they're trying to start them young.

But too late, your six year old badgered you into buying into it - and you didn't read a damn thing.

In Australia, there is provision for getting out of contracts you (technically) agreed to, if you were "badgered" into it. This was primarily to allow for the rogue power retailers and long distance phone setups that became well-known for berating pensioners into buying their wares.

But that doesn't work if your six year old was the one in your ear....

0
0
Silver badge

Re: Meh… EULAs

> Everything in a EULA is absolutely binding

Really? Where and when did I sign the contract? And if I didn't sign, how is it a contract at all?

In most of the civilized world, EULAs are not considered contracts, and we should all pray that it remains that way.

My favorite EULA is the one Sony bundled with all their audio CDs back in the day when they also added stealth-installed spyware in their audio CDs, a 17 kilobyte monstrosity Sony has since DMCA'd off the net -- but I still keep a copy to show people how absurd EULAs are. That particular EULA is brimming with illegal terms, like that you may never sell the CD, you can not sue Sony ever, for any reason, can only communicate with Sony through the court of Orange County, USA... and if you make a copy of a Sony audio CD, Sony owns your entire CD collection.

0
0

Unfair to on-line retailers !

"WBT uses a custom installer, Monitor.exe, which it serves up from Amazon"

While I have no connection with Amazon other than as an occasional customer, I feel this is a little unfair to them. Unless I have completely misunderstood the Malwarebytes PDF referenced in the article, this PUP is stored on Amazon's cloud, not dished up with any software you might download from Amazon themselves.

Chris Cosgrove

10
3
Bronze badge

oxymoron alert

'Good' is not a word I ever expected to see in a sentence that also included 'lawyer' unless it also included the phrase 'up to no'

7
1

Re: oxymoron alert

"'Good' is not a word I ever expected to see in a sentence that also included 'lawyer' unless it also included the phrase 'up to no'"

Or 'kicking'

1
0
Anonymous Coward

What about a web hosted email service using ssl, you host and setup logins for the customer? Of course it does depend on the file size.

0
0
Silver badge
Paris Hilton

What exactly is it you are saying?

3
0
Anonymous Coward

I'm saying that when I worked for a FTSE 100 company who needed pension info files sent to them, we gave our customers logon to a web hosted email server which we hosted so they could securely email files where they were required.

I am also quite drunk, so apologies for incoherence.

1
1

Drunk? You're past drunk and into "posting in the wrong thread".

Here is where you wanted to be

11
0
Silver badge
Happy

I wouldn't normally make a post like this, but:

"HAHA! Best thread ever!"

1
0
Anonymous Coward

Thank you, yes I just realized that... Hmm, really not sure how that happened, must go to bed now... :)

5
0
Anonymous Coward

Drunk posting

The problem with your post is that you appear to be responding to an entirely different article to the one you have posted your comment on!

0
0
Silver badge

"do mathematical calculations ... to confirm transactions and increase security"

How do those stated purposes equate to bitcoin mining? Seems like the EULA doesn't cover it at all.

2
0
Bronze badge

Re: "do mathematical calculations ... to confirm transactions and increase security"

evil KOSer: bitcoin mining works by finding a hash value between 0 and the publicly-known "target" for that round. Each hash attempt processes (among other things) a link to the previous "block" in the bitcoin transaction database and new transactions to be added to the database. Hashes are "mathematical calculations". The target value is set to be positive, but low enough that it is difficult to find a desired hash value, thus increasing the security of the protocol. Once transactions have been included in a new block with hash value below the target value, they are considered to be confirmed.

1
0
Anonymous Coward

Re: "do mathematical calculations ... to confirm transactions and increase security"

The process of mining a bitcoin involves solving a reverse hash problem on the bitcoin transaction chain. A valid solution to the problem allows the latest transactions at the head of the chain to be confirmed and consolidated into the ongoing chain. So that description does pretty much describe the process of mining.

0
0
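The hash-below-target check described in the two replies above, as an added example that is not part of the original thread. It is a simplified model: the header layout, the transaction digest (real Bitcoin uses a Merkle root and an 80-byte header), the sample transactions and the deliberately easy target are all assumptions made for illustration.

```python
import hashlib
import struct

# Constructed sample data (assumptions for illustration, not real chain data).
PREV_HASH = hashlib.sha256(b"constructed previous block").digest()
TRANSACTIONS = ["alice->bob:1.0", "carol->dave:0.25"]
TARGET = 1 << 240  # valid hashes lie in [0, TARGET): about 1 in 65,536 attempts


def tx_digest(transactions):
    """Commit to the transaction list (real Bitcoin uses a Merkle root)."""
    h = hashlib.sha256()
    for tx in transactions:
        h.update(hashlib.sha256(tx.encode()).digest())
    return h.digest()


def block_hash(prev_hash, transactions, nonce):
    """Double SHA-256 of the simplified header, read as an integer."""
    header = prev_hash + tx_digest(transactions) + struct.pack("<I", nonce)
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "big")


def mine(prev_hash, transactions, target, max_nonce=2**32):
    """Brute-force nonces until the hash falls below the target."""
    for nonce in range(max_nonce):
        if block_hash(prev_hash, transactions, nonce) < target:
            return nonce
    raise RuntimeError("no nonce below target in the searched range")


def verify(prev_hash, transactions, nonce, target):
    """Checking a claimed solution costs one hash, however long mining took."""
    return block_hash(prev_hash, transactions, nonce) < target


if __name__ == "__main__":
    nonce = mine(PREV_HASH, TRANSACTIONS, TARGET)
    print(f"nonce {nonce} found after {nonce + 1} attempts")
    print("valid:", verify(PREV_HASH, TRANSACTIONS, nonce, TARGET))
    # Changing any confirmed transaction invalidates the work already done.
    tampered = ["alice->mallory:1.0"] + TRANSACTIONS[1:]
    print("tampered valid:", verify(PREV_HASH, tampered, nonce, TARGET))
```

Lowering `TARGET` makes the search proportionally longer while verification stays a single hash, which is the asymmetry both replies rely on.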
Silver badge

Re: "do mathematical calculations ... to confirm transactions and increase security"

@MondoMan and @AC : thanks for the explanations. I see now how "confirm transactions and increase security" relate to the bitcoin activity.

The thing is, though, it makes no mention of that activity and to any reasonable reader of the EULA the words relate to the expressed functionality of the tool being installed.

So to my mind agreement to the EULA does not constitute agreement to the bitcoin mining, and that activity should be considered an offence under the appropriate laws (eg UK Computer Misuse Act).

2
0

Re: "do mathematical calculations ... to confirm transactions and increase security"

Justakos, it's not obvious, but it's not misleading, they are just explaining the background as opposed to advertising their reward... no toolbar is 'free' and the fact that they are making money for authenticating the bitcoin chain is no different to them making money selling your search results or supplying advertising....

One of the advantages of metro internet explorer is the death of the 3rd party toolbar!

0
1
Silver badge

Re: "do mathematical calculations ... to confirm transactions and increase security"

@Matt_payne666 :

I don't really think 'misleading' is enough. There would be no need to mention the processing at all if it was just for explanation. I think it is an attempt to get the user to approve processing that they are unaware of.

The way it is written, with no mention of the purpose of the processing, the user is left with the impression that it is a necessary part of the tool that they are installing.

I think deceit isn't too strong a word.

3
0
Silver badge

Isn't this akin to your mechanic using your car at the racetrack when he was only supposed to be changing the oil and keeping the purse if he wins?

7
0
Anonymous Coward

I was about to reply, "Well, at least this thing won't crash yo--", and then thought, "actually it's not a bad analogy..."

3
0

Good News !

I changed your oil and spark plugs and as a bonus I can confirm that your air bags work (ed) !

5
0
Silver badge

Mechanic

Well, to be honest he does change the oil for free; I don't see much of a difference between this and inundating the user with ads or selling your data for market analysis. All are evil(TM) ways of retributing "free" crapware (the alternate POV is that the free crapware is a disguise to distribute money-making infections, à la "$CELEB nude pics screensaver" ). Just another reason to forbid stoolbars, and to keep the LART at hand for the lusers who do download them.

0
2
Silver badge

Re: Mechanic

Who changes your oil for free?

But yes, toolbars and all that crap are horrible inventions.

1
0
Silver badge

Re: Mechanic

> Who changes your oil for free?

The mechanic in the original analogy

2
0
Anonymous Coward

It's this sort of shit that plays into the hands of Apple and Microsoft who want to kill off 3rd party hosting of software and channel everything through their app stores.

With full power comes great responsibility. The scum who write this trojan style software have a lot to answer for.

7
0
Silver badge

The question then becomes, how long will it be before the big players start doing the exact same thing? It seems to me the lines could be injected into any EULA including ones from Apple, Google or Microsoft and it could be written into the OS or worse, anything produced with Xcode, Visual Studio, etc.

0
0
Silver badge

"The question then becomes, how long will it be before the big players start doing the exact same thing?"

Who says they aren't?

3
0
Silver badge

It's a huge waste of time to attempt BTC mining on a normal PC

It's not even worthwhile on large GPU arrays now, with the ASIC miners out there.

There's no real reason for this stuff to mine BTC. But other random cryptocurrencies that still have relatively low burden and possible trading use? Sure.

Even then, only really if the machine has a decent graphics card..

2
5

Re: It's a huge waste of time to attempt BTC mining on a normal PC

If you're not paying the 'leccy bill, then it might be, even if all your victims in total only give you one bitcoin.

3
0
Anonymous Coward

it's a question of scale ..

They aren't trying to mine on _a_ normal PC, they're trying to mine on several million of them.

Anything they make is free money.

6
1
Bronze badge
Terminator

Re: It's a huge waste of time to attempt BTC mining on a normal PC

The mining will be so slow that you will never win the "race" to the next successful hash. Since it's a first-past-the-post system, you get nothing, as each time just dividing the work among your army of very slow bitzombies will take more time than others use to actually complete their solution with their compact high-power miners and win the round.

1
0
Anonymous Coward

Re: It's a huge waste of time to attempt BTC mining on a normal PC

That is what the pools are for, you troll.

3
0
Anonymous Coward

Re: It's a huge waste of time to attempt BTC mining on a normal PC

Let's assume 10k-100k downloads as a "successful" toolbar.

That's not really mining from a "normal PC" now is it?

0
0
Anonymous Coward

Re: It's a huge waste of time to attempt BTC mining on a normal PC

Indeed. Even if the toolbar is forced to mine using the CPU, even an old school crap CPU should get 700kh,

multiply by 100k and you have 70gh/s surely enough to make some change?

0
0

An idea for google

Instead of plastering advertising all over the web

When you use their search engine, it mines for bitcoins or whatever

Could this finally be a business model for the likes of twatter?

1
1
Bronze badge

Re: An idea for google

My thoughts exactly. Pay for software with your spare CPU cycles – a viable business model for the Internet era at last!

1
0
Silver badge

Re: An idea for google

I would rather run Seti@Home for free.

1
0
Anonymous Coward

The really sad bit is most users (who even hear about this) won't give a fuck if someone else is stealing their clock cycles to get rich, just as long as facebook loads fast enough for them.

0
0
Silver badge

It might actually be noticeable. In my brief stint GPU mining bitcoins, back before they were hundreds a piece, I found it was enough to introduce a small but annoying lag in mouse movements. It also sucked up an extra 60 watts or so.

0
0
Bronze badge

They may complain once they realise their 6 hour battery is flat in under 2 and it is hot enough to fry an egg.

2
0
Silver badge

I'll give you slow!

Put Einstein@Home on your CUDA device and you will notice your machine is suddenly a fat cow.

1
0
