Ars technica is reporting on the ruling from the FTC about the software shenanigans of Kmart and Sears. The marketing geniuses behind the parent company of Sears and Kmart decided they needed more information about the users of their website. Their solution? Offering $10 to users who install their custom software which phones home with data on just about everything they do on their computer. Not content with just browsing habits of webites, the software apparently recorded everything the user did online, including secure sessions. Under the settlement (PDF) with the FTC, Sears says they will stop collecting data and promises to destroy any and all information they’ve collected so far. Selling what websites you’ve been to, how much money you have, which prescriptions you take and what products you’re interested in for the low low price of $10 seems like a bargain.
Philosecurity has an interview with [Matt Knox], a former coder for Direct Revenue, an adware company which was sued in 2006 by New York governor Eliot Spitzer. The interview contains some interesting details of how the adware code worked internally: it created a Browser Helper Object, then ensured that the Browser Helper Object stayed up by creating a poller to check every ten seconds and regenerate the Browser Helper Object if it had stopped running. The poller ingeniously masked itself partly by exploiting Windows’ Create Remote Thread function to run itself as a series of threads instead of as an executable.
The truly fascinating bit of the interview is how [Knox] defies your initial suspicion that he’s a complete scumbag; he started off writing spam filtering software, was hired by Direct Revenue to do traffic analysis, started writing tiny bits of code to improve the adware, and eventually wound up knee-deep in the code. [Knox] notes that you can get ordinary people to do incredibly distasteful things if you break those things into small enough chunks and introduce them gradually.