Hello, welcome to the anti-spyware coalition panel. Thanks everyone for coming. We are going to get started now because we are one panelist short. You'll note from the original book here, Jerry Dixon from DHS isn't here and he's not going to be at the Meet the Feds panel either, so unfortunately. But we do still have a great panel and I'm going to start off. My name is Ari Schwartz, I'm the Deputy Director of the Center for Democracy and Technology and we run the anti-spyware coalition. I'm moderating the panel so I'm just going to briefly go over who the anti-spyware coalition is and then we can talk about some of the issues that we've seen recently. The anti-spyware coalition really came out of a previous failed attempt to create something similar, something called the Coalition of Anti-Spyware Technologies. For those of you that missed the stories on what happened there, I think it will give you a good idea of what the anti-spyware coalition's mission is. The previous group had set up a program to try and certify spyware technologies. What they would do is they would have the anti-spyware companies get together, they would come up with a set of objective criteria for what is spyware and what's not spyware, and then the idea was that companies could get certified that they were not spyware. And it ended up getting subverted by some of the spyware companies, particularly the adware companies, joining the Coalition of Anti-Spyware Technologies and then trying to change the criteria in their favor. And it really fell apart quickly after that; all the anti-spyware companies left. And a few of them came to us at the Center for Democracy and Technology and said, how would you guys run this so that it would be different and that you could avoid that kind of capture? 
And we came up, we run a lot of working groups in a similar style and we went over what that style is, which is we work with a set of companies, we bring the companies in and we also have public interest groups in the room as well. So we try to bring in really a broad set of public interest groups into the room as well and academic researchers as well and some of the legal aid clinics that work on technology issues. So we have all the major anti-spyware companies involved and many of their distributors and then we also have the National Center for Victims of Crime and the National Network to End Domestic Violence, groups that work on these stalking issues and saw the importance of getting involved in this kind of an issue, as well as the Samuelson Clinic at Berkeley and others. So just to give you a sense of how we came about. When we formed, the original goal was to create a set of objective criteria the way that COAST had, but in an unbiased way, and really in starting that process we realized quickly that we were having discussions using similar terms that meant different things. So we felt that that meant that we needed to have a set of definitions to put out there. So really we put out the set of definitions, we had a public comment process on this, we got over 400 comments, including the government of Luxembourg gave us a full, very detailed set of comments, as well as many of the companies involved, and some of the spyware companies gave us comments too. We brought those back, tried to figure out which ones we thought were legitimate and we did that process, and that document is continually updated and it's continually being updated; we've already had one update of it and we're probably going to do another soon. Through that process of putting together definitions we also helped provide ways for people to educate others and to stop. 
And one of the main goals of the group was to help cut down on the ability of spyware companies to sue anti-spyware companies based on the fact that there was no criteria out there. And that information is up on our website, the anti-spyware-coalition.org website. So here's a list of all the members, you probably cannot read it from there but just to give you a sense, pretty much all of the major anti-spyware companies and their distributors, as I read some of these other smaller groups as well, Bit9 is a member and Mario is sitting next to me and so there's a couple other members in the audience here that I see. So if you want to have questions about membership or who's a member you can come up to me afterwards or to the Q&A and we can go over it. Since doing that definitions document we've also done a vendor dispute process. So if you have some software that gets flagged as spyware, what steps do you go through with an anti-spyware company? What are the industry standard best practices on what steps you should go through? The risk model document which is that objective criteria document which rates both threats and the positive criteria. Tips for consumers, as I was saying before, educational documents. Best practices which is really one of the hardest documents, right, which is sort of an aspirational set of criteria to try and get at what companies that are in this spyware definition should be doing and what direction should they be heading without being so concrete the way that the risk model is. And then the conflict resolution document which is for anti-spyware companies that run into conflicts between each other. How do they go about trying to resolve those? We've had some public workshops. We just had one in Harvard last month and we will continue to have, we'll probably have one next year as well, probably maybe in Washington again. The next steps that we're really taking are working on information sharing. 
We've been in a dialogue with the Anti-Phishing Working Group and some other working groups that are trying to do similar sharing. We're trying to work together on standards and means to do that. And lastly, a testing criteria, which is probably the most active area right now. The way that spyware tests have been done in the past, anti-spyware tests have been done in the past that you see both for certification purposes and in publications, they all have very different methodologies. And what we're trying to do is not to standardize the methodology, but instead to have a way of describing those methodologies so that people can do a real comparison. So if you want an anti-spyware software, you know, you can see the test, know what they're testing for, compare that to another test where one anti-spyware software might be ranked fifth in one of them and first in the other one, you can see from the methodologies why that might be and what might be important for you. And that's the goal. And so with that, I'm going to pass it on to the panelists and talk about these issues. I don't know if there are bios in this packet, but the first, here's my contact information as well. The first panelist is Eileen Harrington, who's the deputy director of the Federal Trade Commission, has been there for 23 years and is one of the best people in Washington, law enforcement people in Washington to work with. And she's going to talk a little bit about what the FTC has done in this spyware space and what they plan to do. Sorry, I think you're one of the best people too. I'm a lawyer. I'm with the Federal Trade Commission and our agency has a very broad statutory mandate to protect consumers in the marketplace by enforcing the FTC Act's prohibitions against deceptive and unfair practices. 
We enforce over 30 other specific consumer protection laws as well, but in terms of spyware and law enforcement targeting spyware, we've used our statutory authority to challenge practices that are deceptive and unfair. And those terms have both, I'm sure, common sense meaning to you and a very well-developed meaning in the law. The FTC not only enforces laws, but we also have regulatory authority. For example, we issued the rules that created the National Do Not Call Registry and enforce federal telemarketing rules. How many of you are on the National Do Not Call Registry? Excellent. That's probably the most well-known thing that we've ever done. We are also responsible for enforcing antitrust laws along with the Department of Justice. So you may have read, for example, that the FTC is reviewing the DoubleClick, the Google DoubleClick merger. That's our antitrust side that's doing that. We keep the marketplace safe for consumers by acting against deceptive and unfair practices and by making sure that consumers have robust choices in the marketplace. We do that by enforcing antitrust laws. We're a small agency. We're a civil enforcement agency. That means we don't put people in jail. We can't get criminal fines. We go to court. We get orders to stop behavior and orders that require companies to give up their ill-gotten profits or give consumers their money back if consumers have been defrauded. In spyware, our law enforcement work has been based on three important principles. First, the computer belongs to the consumer and not to the software distributor. Second, buried disclosures of material information don't work in the online world any more than they worked in the offline world to satisfy the legal requirement that material information be disclosed to consumers prior to either transactions obligating them or other things happening, in this case, their computer being taken over. 
So you can't bury disclosures in a EULA or in some other inconspicuous way concerning software that's been downloaded onto the computer. And third, if a distributor puts a program on a consumer's computer, the consumer has to be able to remove that program easily or disable it. Now, the FTC, in addition to doing law enforcement work targeting some spyware distributors, has been working to raise consumer awareness. We do a lot of work in the consumer education area. In fact, we think that the best way to protect consumers is to make sure that they're well informed in the first instance. We have a very good website, OnGuard Online. It's at onguardonline.gov. It has an array of information for consumers about how to stay safe in the online environment. And wonderful little games and quizzes and informative pieces. I urge you to go there. There's a lot of information there about spyware and how consumers can protect themselves and their computers from unauthorized downloads in the first place or infections. We've also been working to raise industry awareness and particularly in the advertising industry. We have contacted directly scores and hundreds now of advertisers whose content has been distributed through software downloads, warning them about the need to pay attention to how their ads are distributed and also to their possible liability to an FTC lawsuit if their advertisements are distributed in a way that causes injury or is likely to cause injury to consumers and they know or should know that that's the case. So we have been working hard with the advertising industry to get them to pay attention and cut off the flow of money to illegitimate software distributors. We also support technological solutions in the first instance. These are technology problems and probably the most useful steps that can be taken will be in the technology arena. On the enforcement side, as I mentioned, we've brought cases. 
We've brought 11 of them against software distributors of spyware and malware. The most recent matters, Zango, which Ben, I think, is going to talk about, and DirectRevenue, address each of the three principles that I mentioned previously as being at the core of our spyware enforcement work. The orders require that the respondents, that the defendants in these cases, give clear and prominent disclosures and obtain consumers' express consent before they download software onto the consumers' computers. And the orders also require that the respondents identify their ads and establish, implement, and maintain user-friendly mechanisms that consumers can use to complain about ads, stop pop-ups, and uninstall their adware. Now, we think that most of the worst of spyware, and this is increasingly the case, is criminal in nature. And as I mentioned, we're a civil enforcement agency, not a criminal enforcement agency. The differences between those two are these. First of all, the remedies that criminal enforcement agencies are able to obtain are different than the remedies that civil enforcement agencies can obtain. We can get orders to stop and orders to return money or disgorge money. Criminal enforcers can put people in jail. They can put people on probation. They can impose criminal fines. The other difference is that the burden of proof that has to be met is different. In a civil case, we have to show by a preponderance of the evidence that a deceptive or unfair practice has occurred. In a criminal case, the prosecutors have to show that whatever statute it is that they're enforcing was violated beyond a reasonable doubt. So it's a slightly higher evidentiary standard. But we think that much of what we're seeing now in the spyware area is criminal in nature. And so we work very, very closely with our colleagues at the Department of Justice, both in the computer crime section in Washington and at United States Attorney's offices around the country. 
For example, in one of our recent cases that we filed civilly, FTC versus ERG Ventures, we alleged that the defendants secretly downloaded spyware and other malevolent software programs onto millions of consumers' computers without getting their consent. At the very same time that we filed our case in federal court, the United States Attorney's Office in the District of Columbia executed criminal search warrants in connection with their criminal investigation of the same targets. Cooperative work happens quite frequently between the FTC and the computer crimes people at DOJ. A number of the people who work, the lawyers who work in that section, used to work for me at the FTC. We have kind of a nice back and forth. And so that kind of cooperation is important, and we think it's increasingly important as we see spyware and spam actually kind of coming together to serve as vehicles for malevolent software and code winding up on people's computers in ways that are criminal. We see gangs outside of the United States increasingly responsible or involved in these kinds of attacks on people's computers in the United States. We have some very useful new statutory authority at the FTC, the U.S. SAFE WEB Act, and we are using that authority to provide information to foreign governments in aid of their investigations into these kinds of criminal acts. And we're also able now under this statute to receive information from our foreign counterparts. Prior to the enactment of this statute, there were some obstacles to the Federal Trade Commission's exchange of this kind of sensitive information with our foreign counterparts. This law was enacted last November and we are very happy to be able to use it. What we see in the near future for spyware is increased criminalization, really, of these activities. 
Hopefully increased responsibility on the part of domestic companies that advertise online so that they are far more careful about paying attention to how their ad content gets distributed, more cooperation between civil and criminal authorities in the United States and also between U.S. authorities and authorities around the world. I think that's it for now. Ari, we'll be happy to take questions. Okay. Next is Ben Edelman, who is probably well known to a lot of people in this room. He is the best known, and deservedly so, spyware researcher. And also now can add Professor at Harvard Business School to that title as well. Thanks, Ari. I want to see if I can use this big screen for something here today, namely to show the kinds of unfair and deceptive installations that have kept Eileen busy filing 11 lawsuits. Here's one that I remember from some two years ago. And despite being two years old, it really was a useful pair of examples to me, both in showing things getting worse rather than better over time and in putting pressure on the notion of consent. So we've all seen these screens. This is the standard ActiveX screen shown by Windows XP, i.e. up through Service Pack 2 and Service Pack 1 and previously. It looked like this. There would be a yes button that got truncated and if you press the yes button, then the software would install. So to Claria Gator Gain's credit, this software actually wouldn't install unless you pressed the yes button. So we can't say that the software installed without consent in any substantial quantity. And yet, when you look at the disclosures, which I've boxed in those red rectangles, you see that they are not giving consumers the information that consumers would need in order to make an informed decision. To be told that this software will show you gain-branded ads, you might think those ads are going to appear maybe in the aquarium, that is purportedly the reason why you'd install this software. It's a screensaver aquarium. 
Put an ad for Coca-Cola in the screensaver. Sure, that would be one thing, but no, actually what Gator Claria Gain was doing was quite different, was near full screen pop-ups. You'd go to Gateway and get an ad for Dell, go to Dell and get an ad for Gateway. Well, they sure don't tell you anything like that, do they? And that leads us right into the FTC's recent settlement with Zango, where the FTC sets out this remarkably tight, carefully drafted set of requirements for what Zango has to do before installing. And a block of text is a little bit dense, especially on screen, but just to highlight the key points, Zango needs express consent. They must clearly and prominently disclose the material terms of their software. They must do that prior to and separate from any EULA. You can't put the material terms in paragraph 37 of a 90-page EULA. No, no, you have to show these prominently and clearly and prior to any EULA that you might display. So that's a great settlement. It says exactly what Zango needs to do. But what about the next question? Do they actually do it? Does Eileen get to go and sue them again? Well, maybe she does. And here's the set of screenshots that would at least make you think she might have to. I was at this lovely radio storm site, which has some kind of streaming music, and got the pop-up shown right in the center, media.fastclick.net. So that's a pop-up from FastClick, part of the ValueClick ad conglomerate, a large, publicly-traded ad network. And it says, do you want to block junk emails? Well, wouldn't we all like to block junk emails? So a reasonable user might click anywhere on that ad, not just on the yes button, anywhere you click. You get taken to this landing page, which tells you a little bit about what the software will purportedly do, like protect your inbox from annoying junk email. 
But it sure doesn't say anything about any pop-up ads, any tracking of what searches you do at search engines, or what websites you visit, what products you buy, and what have you. It doesn't say they're going to do that, although it turns out they are going to do that. So this prominent disclosure of material terms, well, it hasn't happened yet, maybe in the next screen. We'll see. I press the free download button. I get the standard IE SP2 security warning, another security warning, but you just press the run button, just as you'd have to do to install any other EXE you're downloading. Now I get a EULA, you see right on the top line, Terms of Use and End User License Agreement. It doesn't say anything too interesting or too substantive in its first screen. We believe users should be able to choose to receive free software in exchange for limited reasonable advertising. Okay, but that's not the material terms that are at issue. The material terms would be, we'll show you pop-up advertising. We'll track what websites you visit. They haven't put those terms in here. They haven't done what the settlement requires. What if you press the I accept button? Then you get this screen, which surely is the most interesting of all of them. Notice that there is no cancel button. There's no reject button. There's no refuse button. By the time you're in here, you can't even press an X in the upper right-hand corner because as you'll see, well, there is no X in the upper right-hand corner. There's just a blank space where the X belongs. Meanwhile, what they're describing here is actually quite different from what you would have thought you were signing up for. You signed up to stop spam, and now they're telling you you need to choose between a free ad-supported version or a paid version with no price listed. So if you're a consumer confronting this screen, you're certainly not likely to want to choose the paid version without knowing how much you're going to have to pay. 
This is a starting matter. But then this free ad-supported version, well, that has problems too, doesn't it? They haven't told you anything about how or when those ads are going to appear, and they certainly haven't told you what is actually the case, that the ads appear in near full-screen pop-ups, that they track most everything you do online. It does. And, you know, the company that makes this would take that position to their deathbed. They'd say, this isn't spyware because you agreed to install it. Of course, if you agree to install it without being told what it's going to do, then it certainly seems deceitful, doesn't it? Underhanded at the very best, in that if they don't tell you they're going to track what you're doing, they do perform exactly that kind of tracking. In fact, they've sent letters to people saying, because they have come to a settlement agreement with the FTC, therefore they're not spyware. Indeed, they send out letters saying they're FTC certified. I have just such a letter in my inbox. That, of course, is a mistake. They shouldn't go around saying they're FTC certified, but sometimes they do anyway. So that's Zango in terms of their installation practices. Not quite doing what the settlement seems to require. Maybe Eileen's staff will get to sue them again, which I would say is a privilege and an honor rather than a duty, but I don't know if they'll think of it that way. Separately, the settlement also obliges Zango to label ads. And here, too, the requirements are awfully precise, and I think they're appropriate. They're exactly on target. Every ad needs to have a clear and prominent label saying what software showed the ad, identify it, and then provide a hyperlink that gives instructions as to how to remove the software and how to complain if you don't like it. So pretty clear, right on the ad, there needs to be that identification and a hyperlink. 
If you ever find a Zango ad that doesn't have the identification and/or doesn't have the hyperlink, then, you know, they're in trouble. So what about it? Can you find such an ad? Well, yes, of course you can find such ads. For example, they insert this toolbar into Internet Explorer, and lo and behold, it has ads. Each of these buttons is an offer from a bona fide third party. They get paid for taking you through to the third party site, be it CareerBuilder or some mortgage service provider or what have you. And there is no labeling. You look on screen for anything telling you what software showed this ad, and you can't find it. You look on screen for the hyperlink about how to uninstall or how to complain. And again, you can't find it. Open and shut, it seems to me. Here, too, they put icons onto your desktop. These are ads for third party software, actually for Software Online. That's the name of the company. They got in trouble with the Washington State Attorney General for telling users that their computers were infected with spyware when they weren't. These are ads. You know, they're desktop icons promoting third parties for a fee, and yet they don't have the kind of labeling that the settlement requires. So I think these are pretty straightforward in terms of violations, and I'm looking forward to the FTC doing something about it. If not, we'll tar and feather them in the press and that would be okay, too. But elsewhere in the spyware ecosystem, so to speak, that is beyond Zango, there are other interesting practices still ongoing, perhaps not as top-line in terms of the prominence and folks noticing. Here's an ad that got syndicated to a website I was visiting. Syndicated through a top ad network. My notes don't say which. Right here, it says, if your computer has been running slower than usual, it may be infected with adware or spyware; to scan, click yes below. Well, there are several things about this that are underhanded. 
For example, "warning spyware notice" in the top left corner. They haven't conducted any scan to tell you that you're infected with any spyware. Here, when you have the no button and the X button, those are negative buttons that maybe shouldn't do anything or should take away this ad. In fact, they'll take you through to the ad landing page trying to get you to install their software, which will tell you you're infected, even if you're not, and then charge you to disinfect. This is all fascinating because it comes from a company called Casale Media, a top-ten ad network with offices all over the place and real money in the bank, such that you could sue them and take their money, which might not be a bad idea on these facts. Separately, I continue to test some spyware that has just remarkably tenacious effects, remarkably invasive. Reaching right into Google, for example, and putting an ad where, of course, we all know, no ad belongs. So here's an ad for Cingular, a company that earlier this year settled litigation with the New York Attorney General's Office as to their improper spyware-delivered advertising. Well, here, inserted right into the Google site without Google's permission, obviously, is an ad promoting Cingular. You see the same kinds of ads promoting HP, Verizon. I've got dozens of these examples. Most every big U.S. banner advertiser gets infected this way. Sometimes you even see a Google AdSense frame inserted into the top of the Google homepage in a particularly ironic twist. Who do you blame for this? Well, you certainly could blame FullContext, if only you could find them. I, despite some efforts, couldn't figure out where they're located. You could also blame the ad networks that are trafficking in this sort of placement. They're paying FullContext in order to show the ads, and that certainly is what sets the practice in motion. Finally, the advertisers perhaps could do more to get to the bottom of this. Well, let me, yes. 
The New York Attorney General's Office filed what was conducting an investigation that ultimately settled, and there were three companies that were at issue, Cingular, Priceline, and Ari, do you have the third one on the tip of your tongue? Was it Verizon, or was it another phone company? We'll think of it. In any event, these companies were each spending on the order of hundreds of thousands of dollars per year with DirectRevenue, a notorious company that would install through exploits, make uninstall remarkably difficult, disguise their product as a printer driver so that it would automatically load every time you turned on your computer, and they were making these purchases directly from DirectRevenue. Even after, you know, if you just typed the company's name into Google, you would readily find out that this company was up to no good. But they were doing it anyway. You'd go to the Sprint site, and the generic attorney general's case stands for the much narrower proposition that if you do business to the tune of a large amount of money with a company whose bad practices have been so detailedly documented, then you can get sued. Whether you could be sued for a relationship and face liability for a relationship that was smaller, that was intermediated through several ad networks that would have been harder to track down, you know, that's still an open question, maybe, but it certainly seems less obvious. Let me make a quick commercial here, which is on the CDT.org website we have a list of spyware enforcement cases, and it lists the cases that the AGs have brought, including these, and the AGs have brought in all the FTC cases and the DOJ cases. Well, let me close with an example that's a little bit more complicated, but here we are at DEF CON, so I think everyone will probably enjoy that rather than complain about it. I was on a computer that had Zango software installed. 
You can see the Zango branding on this ad, this ad at least was properly labeled, and there it is saying that the ad came from Zango. I went to the Netflix website, and I got a pop-up, which you see here in the top right corner, of Netflix. You might say to yourself, gee, that's a strange way for Netflix to advertise, advertise to people who are already at their site. I mean, why bother if the user is already at Netflix? Surely he's about to sign up for Netflix in any event, there's nothing you can do to push him further into Netflix and that's actually the right response. Netflix would not want to buy this advertising. This advertising is a bad deal for Netflix, but a good deal for Zango and some of Zango's partners, they're getting paid on what's called a CPA basis, cost per acquisition. They get paid something like $40 for delivering a new user to Netflix. Now, where can you get a new user who really wants to sign up for Netflix? How about a user who's about to sign up for Netflix at Netflix.com? That's a good place to get a user to sign up for Netflix. The guys who are at Blockbuster might prefer Blockbuster. The guys who are searching for car repair at Google probably don't want to sign up for Netflix, but the people who are about to sign up for Netflix, those are people who are really interested in Netflix. So convince those folks to sign up through this second window, the smaller one rather than the big one, and then you get $40 if you're Zango or Zango's partner. It turns out that because the two browsers share a single set of cookies, then if the user signs up through the larger window, the background window, the partner will still get paid because the tracking pixel will still kick and then the CPA tracking system will think that the partner deserves the commission. Well, in terms of how this happens, we can use a packet sniffer to see the underlying redirects. 
Straightforward enough, Zango software, underlined in red there, sees that I'm at Netflix, instructs the Zango software to load an ad from roundads.com. My browser begins to load that ad from roundads and is redirected to LinkShare. That's a U.S.-based New York affiliate network acquired by Rakuten last year for upwards of $400 million, so they're doing pretty well. And then LinkShare redirects me onwards to Netflix. So what happened? Zango saw that I was at Netflix. Zango sends me to roundads. Roundads sends me to LinkShare. LinkShare sends me back to Netflix, and all of a sudden Netflix is out $40 if the user makes a sign-up. This is still Zango's business. They're doing this all over the place. I have automation that catches dozens of examples per week, sends them off to my advertiser and ad network clients even to try to get to the bottom of this mess. Nothing in the FTC settlement prohibits Zango from cheating advertisers. That's just not what the FTC was going after, and Zango really seems to be retrenching in this kind of business model, even as they face pressure on other fronts. Ari? Thanks, Ben. Well, that gives a lot for us to talk about in the Q&A portion to come. But next we have Mario Vuksan from Bit9. And Mario's going to talk about the increasingly important issue of code signing and how it relates to this issue. Thank you, Ari. We'll try to put a finger on roughly what is the size of the problem or how serious it is. So my name is Mario Vuksan. I'm a director of knowledge-based services at Bit9. And for you who don't know, Bit9 is a leading application control and device control vendor. We also have a Bit9 knowledge base, which is the world's largest database of information, files and applications. And with that, I would like to talk about malicious use of certificates. 
And I'll first, you know, lead you through simply a process for obtaining a certificate and illustrate a problem, although you've seen a fair amount of slides from Ben on this topic. And then we're going to look into the issues of how certificates get revoked and what is the current status of certificates being used for malicious signing. So let's say you obtain a certificate from a certificate authority. It's quite simple to sign your code. You obtain the Authenticode tool set from Microsoft to sign your CABs, EXEs and OCXs, and that will trigger that window in browsers validating a certificate and telling users, hopefully, who is the valid publisher of the certificate and what is the product that this vendor is trying to sell you. In the same regard, you could be signing Netscape, Java, Apple or VBA components. The same mechanism works. So what a certificate would do for potential ISVs is that it would attest to the code's integrity and it would help a user determine the code's provenance, meaning they will see the company's name and will know who has published the particular code. And then on the other hand, the software that's doing the validation will most likely check the certificate revocation list, and if the certificate is not disabled, you'll be able to proceed, or if the certificate is on a revoked list, like these two Microsoft certificates that had an issue several years back, you would get warned appropriately. Typically, certificates are used only to sign the installers. People don't sign every single file in their install. There's a significant binary overhead, and yes, it would be very nice if every file had some kind of signature so we could easily check through the entire machine and figure out what came from which source. Problems (and I'm really sorry about the small nature of the images): real problems with certificates are well known.
I mean, Ben Edelman did a great piece two years ago that questioned the viability of a certificate issued to an entity called Click Yes to Continue. Definitely not a valid company name, definitely nothing you could ever Google and then come up with anything meaningful. But nevertheless, a certificate was issued to this entity, which then used that certificate to sign an equally meaningless piece of code that was clearly geared towards urging the user to install unwanted pieces of software. Well, today the names of these publishers have changed. You'll see that the package names pretty much have more or less the same text as Ben showed yesterday, I mean earlier, or as they're shown here. When it comes to certificate authorities that issue certificates to software companies, the market is mainly dominated by two companies. We all know that very simultaneously. There are some newcomers like Comodo, and in reality any CA that's mentioned in the Trusted Root Certification Authorities section in your Explorer could be issuing certificates for code signing. There are minor differentiators between these vendors, mainly in price and also how long they have been listed in the Trusted Root Certification Authorities section, which will just sort of mean what your backward compatibility is if you were to use their certificate. The big problem with code signing certificates for authorities is that it's not really a revenue leader in any shape or form. I mean, even though they're expensive, roughly ranging around $600 a year for a code signing certificate, there are very few companies, number-wise, who use them, and so on. They feature minorly in the overall revenue scheme and definitely do not urge these companies to heavily invest into verifying and tracking certificates after issuance. Also, certificate authorities are responsible for providing a revocation list.
They just maintain the revocation list, but they leave the responsibility for the usage of the revocation lists back to the software developers. Software developers really have to go through every single certificate authority, get their revocation lists, bundle them together and validate each time a new certificate is being seen. Well, it becomes quite interesting to figure out how do I get a certificate from either of these two organizations. Very simply, you go to the website. I'm not sure if you see very much detail. There's really nothing spectacular here. It's just a general e-commerce form. Enter your technical, company or business contact information in it, and finally, please give us your charging information. So we could proceed to complete this transaction by charging you money and then potentially calling you in a couple of days to validate whether the telephone number that you issued is correct and whether it belongs to the entity that you have specified in the certificate. That's all. Thawte sort of does things a bit differently. It tells you that you need to certify your business status, your business type. After you decide on what type of certificate you're trying to get and fill out your personal information, you will be asked to classify your business type. And so one of the interesting options here is that you could select to be doing business as or trading as, meaning to declare yourself to be of a status that has no relevant paper trail that you need to submit back to Thawte. And that's it. So you get your user agreement, which is quite interesting in terms of the liability and the powers that it gives to the certificate authorities. So after you see that, ignore that, you're on your own. So after you obtain your certificate there's really not much threat to a particular spyware vendor of any sort. Based on Ben's piece years ago, VeriSign actually put in a complaint page for reporting code signing misuse; this is here.
And that's nothing that Thawte or Comodo have yet implemented. So in their world certificates are usually revoked by vendors asking themselves to have their own certificate revoked in case there was an infringement of any sort. But it's very difficult for the public to submit a request for whatever user agreement violation there was so that the company would then take an action and do something about it. In case certificates made it to a certificate revocation list, it would take about 24 hours before that would actually get published and start getting picked up by browsers. And then as a final comment, it turns out that only about 10 last three certificates are being revoked monthly. So that's just a very small number when compared to the spyware universe out there. So user agreements also have not changed very much in the last three years. I'm just quoting here from Ben's blog, a very interesting piece for anyone to check out, where all three vendors more or less stated that distributing malicious or harmful content of any kind by the software that you certified is a violation of the agreement, and then also it gives the power to the certificate authority to go and do something about it. So having seen that, we looked in our Bit9 knowledge base to try to figure out the top ten offenders. And so let me just do some background on how we came up with this list. It's really based on one million unique malicious samples that we have acquired. We don't really track malware; we're really after getting the information on the known good software, but in the process spyware gets through, and we are using multiple anti-malware scanners to detect and appropriately label the software.
So we have found products signed by these entities here that had to be detected by more than three different scanners to make the list, and once the report was done we found 177 total publishers of this type, with, as you can see on this list, Cougar Technologies leading with about 1,700 apps signed. And many of these companies are not really all that prominent, except for obviously Zango and WhenU, which are not towards the bottom, meaning they're still very much active and they're using all the artifacts available out there to make themselves look benign, appropriate, friendly to the end user, to really use anything that we have devised to assure the general consumer of the good nature of the software being distributed. Okay, so just quickly going to these three samples. Cougar Technologies is a company based out of the Netherlands, and it signs pretty much two different pieces of software: one is called Sexy Sexy and the other is called, almost like in the previous example, you know, "click on yes". And Sexy Sexy has in the last two years been published in 1,700 variants, which, if you divide it in the daily build sense, would probably be about three years' worth of daily builds. So this is an extremely prolific company for which you will never find the website or any relevant Google results, so they usually come up under various dialer labels, and here we have some file details on the package that was actually signed. A second example, Plug-in Movie Limited, is a well documented certificate; there's a nice write-up on the Sunbelt Software research center. It's a high-risk porn dialer coming out of a company that registered itself in London. Again, the package name is really, really non-informative of what you're trying to install, and it's well known to a number of anti-malware scanners.
FastTrack is a company out of Poland that does porn dialers, and again, you know, a couple of packages that do... Net Vision and FastTrack have the same problems we've seen all along. So the questions to consider in the future are whether this system is inherently broken, whether it could fix itself, and to really try to figure out whether any of the technology updates that are coming are going to address the issues, or, what I would suggest, whether you're ready to look into alternative solutions and potentially start working towards a global software registry.

Great, thanks Mario. So I want to take one question, and then people can get a taste of what the Q&A will be like, since I think getting into more detail would probably be really interesting. So why don't we take one question here and then people can decide whether they want to move with us to the Q&A or not. Anyone have a question or follow-up with anyone here? Yes.

Is there anything that the bad guys cannot take advantage of to make themselves look like good guys?

Mario and Ben, you want to answer that first? And then I think it looks ready to answer, I think it's thinking. I mean, this is... I'll start with an answer since no one is jumping at it. I mean, it's a very good question. I mean, we have the same problem in pretty much every cyber fraud area, in spam, in phishing, right? The more that you go about to try and build protections, the more that the fraudsters take advantage of those, of what that looks like. We've seen that even in some of the more complex areas in phishing where they've tried to come up with new schemes, and I've heard some researchers say in the phishing case, well, maybe we shouldn't do as much user education; we'd be better off with the phishers being dumb and then we can block for users rather than trying to have them subvert that system. I don't know, I don't know how other people feel about that, but I think that eventually by making it harder and making the cost of development more expensive, then they have
to be able to recoup that, and that becomes harder. So that's really the only ongoing defense that I can see, is just, in terms of an all-out war, making it so expensive that it's too expensive for the bad guys. Right, but they make millions of dollars. But if you look at the adware companies, they have to deal with the FTC, they have to deal with, well, I mean, and internationally, if they have partners... that we've seen from those AG cases that were mentioned, that Ben raised: even if you're a U.S. company that advertises, a U.S. company that advertises with a Canadian company that's a network, the way that the ad systems work, and that's the one thing about spyware, is the adware side of it at least has been very advertising-based. A lot of the advertising points are based in North America, the key advertising points for people. So if you can get at that piece of it and make it more expensive on that front, then you can start to at least make it harder for people to do business in that space.

The bad guys I'm talking about side by side... I think anti-spyware companies generally have been pretty hard to attack here. When Zango threatens to sue Symantec, Symantec doesn't mind that much: here's the address for service of process, we look forward to seeing you in court. New.net, a pretty big spyware-type company installing without consent, did sue Lavasoft, a German anti-spyware company, in federal court and lost. They lost twice, actually: first the judge dismissed half their case, and then he dismissed the other half and was quite fed up with new.net by the end of it. It's not been an easy attack for spyware companies against security companies, and so the first line of defense for most users is their anti-spyware software, which will detect most stuff most of the time. In terms of peer review, I was on the board of advisors of a company called SiteAdvisor, which started off by having automated systems that would browse the web, download every EXE they could find, scan for
spyware, see if there was anything bad about that EXE, but then supplement it by asking users to submit reviews. You can do it right now: if you think of a bad site that you think SiteAdvisor might be rating green, just go to siteadvisor.com, look up the site, and if it comes out green, register, create an account and say why it's a bad site. Probably it will switch over to yellow or red according to the gravity of what you propose. So, you know, it works. There are some millions of users using it; on the other hand, most users have never heard of it, and so it's only the beginning to really getting to the bottom of the problem.

Well, we have to get going, but let's move that discussion to the Q&A session, the Q&A room. I hope that the people that have questions will follow us up there. Thank you.