Friday, February 6, 2009

CNN installs a Trojan Horse on your computer

This sounds harsh, but it's true. If you watch live streaming video from CNN over Al Gore's Intarwebz, CNN installs software on your computer that will let them transfer files around without you knowing.
Many people who watched live streaming video of the inauguration of U.S. President Barack Obama on Jan. 20 may not realize that their PC was used to send the video to other PCs, too.

Clicking "yes" to a CNN.com dialog box installed a peer-to-peer (P2P) application that uses your Internet bandwidth rather than CNN's to send live video to other viewers.
Sounds like malware to me. It doesn't seem to matter that it's a big time media company, and not some l33t d00dZ. It's worse, in fact. Not only do they try to trick you into installing something that you don't actually need to watch the feed, their click-through license agreement prevents you from protecting yourself:
CNN's use of software called Octoshape presents an incredibly abusive EULA. If you agree to the EULA, you agree that CNN can use your bandwidth, and that you will pay any costs. Also, you lose the right to monitor your own network traffic. You can't even use information collected by your own firewall. Quoting the EULA: 'You may not collect any information about communication in the network of computers that are operating the Software or about the other users of the Software by monitoring, interdicting or intercepting any process of the Software. Octoshape recognizes that firewalls and anti-virus applications can collect such information, in which case you are not allowed to use or distribute such information.'
This is double-plus uncool. Network traffic monitoring is one of the basic pillars of security. So are firewalls and anti-virus programs. This says that you can possibly be sued if you use them.
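The monitoring the EULA forbids is exactly what would reveal the behaviour described above: a machine that suddenly uploads video to many other viewers. The script below is an added example, not code from the post or from CNN/Octoshape. It runs over a small set of constructed flow records (timestamp, local host, remote peer, remote port, bytes sent, bytes received; the port numbers are made up, since the post does not say what Octoshape uses) and flags hosts whose traffic is upload-dominated and spread across many peers, which is the signature of a P2P relay rather than of a normal viewer. The thresholds are assumptions to tune for your own network.

```python
"""Flag hosts whose traffic pattern looks like peer-to-peer video relaying.

Added example. The flow records below are constructed for illustration;
the remote addresses and ports are not Octoshape's and are not from the post.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow log: timestamp, local host, remote peer, remote port,
# bytes sent by the local host, bytes received by the local host.
FLOW_LOG = """\
# ts                 src       dst            port   out       in
2009-01-20T17:00:01 10.0.0.5 203.0.113.10   8247   5000000   60000
2009-01-20T17:00:02 10.0.0.5 198.51.100.23  8247   5000000   60000
2009-01-20T17:00:02 10.0.0.5 203.0.113.77   8247   5000000   60000
2009-01-20T17:00:03 10.0.0.5 198.51.100.8   8247   5000000   60000
2009-01-20T17:00:04 10.0.0.5 203.0.113.130  8247   5000000   60000
2009-01-20T17:00:05 10.0.0.5 198.51.100.201 8247   5000000   60000
2009-01-20T17:00:03 10.0.0.7 93.184.216.34  443    20000     3000000
2009-01-20T17:00:09 10.0.0.7 93.184.216.34  443    20000     3000000
2009-01-20T17:00:06 10.0.0.9 192.0.2.40     22     50000000  100000
"""


@dataclass
class HostStats:
    """Per-host totals: distinct remote peers and bytes in each direction."""
    peers: set = field(default_factory=set)
    bytes_out: int = 0
    bytes_in: int = 0


def parse_flows(text):
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, out_b, in_b = line.split()
        flows.append((ts, src, dst, int(port), int(out_b), int(in_b)))
    return flows


def aggregate(flows):
    """Roll flows up into per-local-host statistics."""
    stats = defaultdict(HostStats)
    for _, src, dst, _, out_b, in_b in flows:
        s = stats[src]
        s.peers.add(dst)
        s.bytes_out += out_b
        s.bytes_in += in_b
    return stats


def find_relays(stats, min_peers=5, min_upload_ratio=2.0, min_upload_bytes=10 * 2**20):
    """Return hosts that look like relays: many peers, upload-heavy, real volume.

    A normal viewer downloads far more than it uploads and talks to a single
    origin. A single big upload (e.g. an scp backup to one server) is not
    flagged because it has only one peer. Thresholds are assumed defaults.
    """
    flagged = {}
    for host, s in stats.items():
        ratio = s.bytes_out / max(s.bytes_in, 1)
        if (len(s.peers) >= min_peers
                and ratio >= min_upload_ratio
                and s.bytes_out >= min_upload_bytes):
            flagged[host] = {
                "peers": len(s.peers),
                "mb_out": round(s.bytes_out / 2**20, 1),
                "ratio": round(ratio, 1),
            }
    return flagged


if __name__ == "__main__":
    for host, info in find_relays(aggregate(parse_flows(FLOW_LOG))).items():
        print(f"{host}: {info['peers']} peers, {info['mb_out']} MB uploaded, "
              f"out/in ratio {info['ratio']}")
```

Run as-is it reports only 10.0.0.5, the constructed host that is pushing video to six peers; the HTTPS viewer and the single large scp-style upload stay quiet. On a real network the same aggregation over firewall or NetFlow export is what tells you a P2P client is spending your upstream bandwidth, which is the point of monitoring your own traffic in the first place.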

Never mind that they're potentially costing you money with all the bandwidth they might use. This cannot be anything other than pre-meditated:

1. It uses a false promise to trick the user into installing a program that the user doesn't need or want. Security folks call this a "Trojan Horse", after the story from The Iliad. It doesn't contain what you think it does.

2. The license agreement isn't available to read until you've already clicked "Yes" to install. Click-through license agreements aren't rocket science, and the legal beagles work extra hard to make sure that you don't use them wrong. Ergo, the legal beagles likely wanted it this way.

3. The license agreement prohibits you from watching what their software does. Never mind the question of what they're trying to hide; the key question is when their lawyers knew they had to hide something.

This is the worst case of Big Company malware since the Sony music CD rootkit. Actually, it seems worse - there's more appearance of malice aforethought, and what their trojan horse does can cost their "users" real cash money.

And oh yeah, the software's full of security bugs, too. So now the l33t d00dZ can take it over and use it for their purposes, protected by CNN's license agreement, which restricts your firewall, monitoring, and anti-virus.

Watch 'em at your own risk. Me, I'll watch something else.
