All articles licensed under a Creative Commons License.
 









Thursday, June 16, 2005

Direct Revenue: My Response

...ahahahaha! Someone sounds rattled!

Where?

Here.

In an interview just given to Eweek.com, a tale of two cities is presented - one where thousands of people have ended up with Aurora on their systems and wished they could get a can of industrial strength bug-spray to clean the damn thing out.

The other is a place where Aurora is a "valuable marketing proposition" and everybody can't wait to have anything up to five advertising windows popped open at the same time.

In other words, Daniel Doman (chief technology officer for Direct Revenue) sounds a touch rattled by the increased attention paid to their "toy" - it's a long time since I saw someone come across as that defensive in an interview. Even better, he appeared to miss the point of this article completely. So in the spirit of fair play (and because I love stuff like this), what follows is a breakdown of the above article with my responses to this guy's vaguely panicked sounding "accusations". Don't worry, I'll be fine. I've seen Eric Howes do this hundreds of times...

In the red corner:

...Chris Boyd, a renowned security researcher who runs the Vitalsecurity.org nonprofit resource center, the warm and fuzzy world of BitTorrent has been invaded by a massive software distribution campaign linked to New York-based adware purveyor Direct Revenue LLC.

"This is the marketing campaign to end all marketing campaigns," said Boyd, the Microsoft Security MVP (most valuable professional) known throughout the security industry by the "Paperghost" moniker.

In the blue corner:

...Direct Revenue chief technology officer Daniel Doman said MMG is "one of many affiliates" used to distribute Aurora. "They [MMG] specialize in doing content distribution on peer-to-peer channels, and we think they provide an easy mechanism for people like us who want to monetize software or content."

Ding-ding, round one...


1) Direct Revenue admitted to using MMG to push Aurora distributions via BitTorrent, but insisted that the actual adware installation was done with adequate and up-front disclosure.

Okay Daniel, tell me - the ONLY place an Aurora / Ceres install is disclosed is here:



All the components of this install - the MMG front-end, the WinRaR self-extracting executable and (of course) the adware bundle - are completely separate... it's not like they're all fused together in one massive slab of programming. So with that in mind, how could you guarantee that all of these files contain links to the relevant licence agreements? Is there some heavy-duty smackdown waiting in the wings for MMG should such a thing occur? Surely there's no way MMG would ever manage to do such a thing - install something without clear and full disclosure?....

........WHOOPS! Because here is an example of them doing just that!

That's right - someone at MMG was obviously off sick that day, because there is, and I'm going to put this in big red letters so nobody misunderstands - AN INSTALL OF 180 SOLUTIONS SEARCH ASSISTANT WITHOUT ANY FORM OF LICENCE AGREEMENT DISPLAYED.

Unless it's written in invisible ink, your claim that MMG discloses all of the installs in those bundles has already been blown out of the water, and I haven't even started ranting yet!

Ding-ding, round two...

2) Doman, a former director of engineering at DoubleClick Inc., said the increased visibility of Aurora and the "nail.exe" component was not the result of new installations, pointing out that Direct Revenue is auto-updating its file-naming convention to address criticisms that the adware program was hidden on purpose.

Okay, so we heard it again - Direct Revenue absolutely does not install anything without full and clear consent. Ever. It just doesn't happen.

Well, what a pity, because everyone needs to go download this video and see Direct Revenue's software (and I'll say this in big, red letters so nobody misunderstands) -

INSTALL WITHOUT FULL AND INFORMED CONSENT!

In fact, here's a whole page full of spurious installs that are performed with no warnings!

Hey Daniel, are you wishing you hadn't bothered yet?

Ding-ding, round three...

3) He acknowledged that a "grey area" exists in the timing of the disclosure, but insisted that it was done in full compliance with existing laws. "We require all our distributors to fully inform end users about what is being installed. It's a clear opt-in procedure," he said.

...though it's a grey area you'll happily reside in, yes? If you're so confident people will keep Aurora on board, why not actually put the disclosure in an area that radiates a lower shade of grey? What about this install from Fasterxp.com, where Buddy.exe appears to come from a totally different website than the originating source? More timing issues! Perhaps we should all chip in and buy Direct Revenue a stopwatch? And why, if the MMG licence agreement is so upfront, does it not say anywhere that you can run the supplied mediafile (through the WinRaR self-extracting executable) WITHOUT INSTALLING THE ADWARE?

Doman described Boyd's posts on VitalSecurity.org as "misleading" and pointed out that the screenshots provided by the researcher "clearly show full disclosure" before the Aurora program is installed.

"The user is downloading something through BitTorrent that is ad-supported and [Boyd's screenshot] shows the disclosure that is provided. The idea that somehow the download is surreptitious is wrong. It's very apparent that if the BitTorrent user goes through with the MMG download, they agree to install the ad-supported software."

Hey Daniel - without wanting to sound picky, you missed the entire point of this article. The piece was merely highlighting where the apparent flood of Aurora installs was coming from. Nobody accused you of "surreptitious installs". In fact, you'll see I was actually rather generous, taking into account all of the above:

"As always, Direct Revenue do the absolute bare minimum to claim they have covered themselves with their ad-spewing nightmares."

Very generous! Riddle me this:

Why does the licence agreement in these MMG installs show a generic licence agreement that does not mention Aurora / Ceres, rather than the Aurora / Ceres specific licence agreements? Could it be that if the end-user knew what was going to be placed on their system - namely, the frankly scary Aurora - they would flat out refuse the install? Aurora, so beloved by the general populace that companies with Aurora in their name are now resorting to putting pages like this up because they're getting so much grief aimed at them? And I quote...

"Neither Aurora Networks nor any of its employees are in any way associated with this obnoxious behavior or the miscreants responsible for their creation."

Ouch!

Ding-ding, final round...

4) Answer this for me - we have already seen:

a) A MMG install of 180 Solutions where no licence agreement is displayed
b) A raft of videos displaying elements of Direct Revenue software being installed with no warning, licence agreement, informed consent or anything else (quick! Blame the affiliates!)
c) A bunch of "grey area" installs that you are apparently quite happy to continue with, as it just about falls inside the long arm of the law. Well done.

Here is one final question for you:

Taking into account the behaviour mentioned above by MMG, can you absolutely, positively guarantee that every single mediafile included on those installers - including The Club By Paul Oakenfold 2005, System of a Down: Mesmerize (the full album!) and an episode of Family Guy - has been licenced for use? Because it's funny - the MMG installer is rather cagey regarding licenced content, and virtually every program I have seen - ever - where licenced content was concerned slapped on a big, fat warning that the content was okay to be there in the first place.

Luckily, I thought I'd help out with this little mystery, so good news - I'll be checking to make sure all of the BitTorrent files have been signed off correctly! I don't mind putting my years as an intellectual property copyright licencer to good use!

And with that in mind, let's get to the knockout blow - the Licence Agreement for MMG's installer. Important parts highlighted in red:

Our software installation is preceding the source file you have chosen to download. The license agreement of the source file is not covered in this agreement. You will likely be presented with the Source file License agreement during the installation of the source file. Again this agreement pertains only to the software installation process of the Metrix Marketing Group’s 3rd Party Software. This agreement pertains only the software that will be installed should you choose to accept these terms and conditions. We make no representations or warranties with respect to ownership of or copyrights, if any, in the source file software / or digital content that our affiliates distribute. We do not represent others who may claim to be authors or owners of copyright or other rights thereto. Affiliates must obtain all permission(s) when required and are solely responsible for determining the existence of such rights, satisfying any copyright and other use restrictions...and our affiliates expressly assume all responsibility for observing applicable laws of copyright, literary right, trespass, conversion, property right, privacy, publicity, and libel.

Wait - did that just say the guys whose software is bundled with the MMG installer are responsible for licencing that copyrighted content?

I think they did! Way to shaft the guys who are paying you to distribute their software, MMG! Hey, Direct Revenue, 180 Solutions, SearchFind, YourSearchBar and everyone else - I really hope you guys sorted out all that boring copyright stuff with Fox, Sony and all those other big, scary legal-type guys...

...wouldn't it be fun to find out?


All Content © Vitalsecurity.org 2006. The content of this site is entirely the opinion of Paperghost, and is in no way endorsed by FaceTime Communications. In other words - have a problem, come see me.