Ann Arbor Area Business Monthly
Small Business and the Internet
By Mike Gould
In the jungle, the mighty jungle we call the World Wide Web, the lion is not lying down with the lamb. The lion is luring it to its website and conning it into signing up for Bad Things. The lion = evil web-based advertisers; the lamb = you. Instead of tripping over tough jungle vines and into stinking pools of quicksand, explorers of the Internet are stumbling over online forms and into steaming piles of spam, adware, and phishing schemes.
Who do you trust? Who can tell you in advance that a web site just might harbor an agency of sinister intent?
Siteadvisor, that's who.
Switching from jungle to processed meat metaphor, let's say you decide you need a new flying sausages screensaver. (Which you don't, because modern screens don't need saving and they waste electricity and are usually terminally cute but people seem to like them anyway so we will use them as an example). (I really do like run-on sentences - hope you do too).
You click over to Google and search on "screen savers". You find a suitable download site, sign up for a free "Hotdog-a-Rama" screensaver and download your digital doodad. You had to give the site your email address, but hey, it's FREE! And you might want to go back for the deluxe "Kruising Kielbasas" version, so you join their little club and then sit back and enjoy your winged tube steaks.
Then the magic happens: 73 new and fascinating spams start arriving every day, you are bombarded with pop-up ads constantly and your PC has started to whir and click when you are not using it. Surprise! That free screensaver installer just inserted a myriad of malware into your PC, signed you up to all the spam the market can bear (and then some), and spread the word that there's a live one at this particular email address. This can happen to Mac users as well, at least the spam part (Macs are currently immune to adware, directory attacks and viruses, but you knew that).
Your faith in humanity sorely shaken, you vow to never again share your email address with a website, then you change your email address, pick up the shattered pieces of your life and move on. And if you are a PC user, you hire someone to come over and clean up your hard drive for the umpteenth time.
But a ray of hope shines down on this dismal scene: a new startup that vows to review websites and warn you of ones that you might just want to avoid.
The company is siteadvisor.com and their mission is to provide a means of evaluating websites before you click on them. Most anti-evil software works after you've made that fatal click-through; this effort is pre-emptive.
How it works
Siteadvisor (SA) evaluates sites by signing up for whatever a given site is offering, filling in a special email address when asked. Then they sit back and see what starts hitting that email inbox, totaling it up and tracing it back to its sender. They also look at what else is installed with whatever was advertised, and they look to see who received the original registration info you filled out. Often the customer info collected from one site is sent to another, which handles the dirty deeds. The first site receives a fee from the second one, and that is how a lot of these evil-doers make their money. SA obviously can't review the entire WWW, so it is concentrating on the most popular sites first. And it doesn't currently scan for security-busting exploits, such as the recent Microsoft .wmf issue (search on .wmf security for more info).
SA accomplishes its goals by using the same procedures Google and other search engines do - sending out robots. In the case of Google, the robot is a piece of software called a crawler that goes to a site, accumulates data about it, and reports back what it finds to Google for evaluation and eventual listing. The SA robot visits a site, looks for a form, fills it out with the specially-coded address information, and moves on to the next targeted site. All the accumulated data from the various submitted email addresses end up in the SA servers in mammoth databases, which can then be analyzed for varying degrees of evil.
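The bookkeeping behind that "specially-coded address" idea, as an added example (this is not Siteadvisor's code). The key, the trap.example mail domain, the site names, the sample messages and the red/green rule are all constructed assumptions, and the To header is assumed to carry the address that was submitted.

```python
import hashlib
import hmac
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

SECRET = b"constructed-demo-key"   # assumption: key known only to the evaluator
TRAP_DOMAIN = "trap.example"       # assumption: mail domain the evaluator runs

def tagged_address(site):
    """Unique address to submit on one site's sign-up form (unguessable tag)."""
    tag = hmac.new(SECRET, site.lower().encode(), hashlib.sha256).hexdigest()[:12]
    return f"u{tag}@{TRAP_DOMAIN}"

def attribute(raw_messages, sites):
    """Tally received mail per site by matching the recipient address."""
    owner = {tagged_address(s): s for s in sites}
    report = {s: {"received": 0, "third_party": Counter()} for s in sites}
    for raw in raw_messages:
        msg = message_from_string(raw)
        rcpt = parseaddr(msg.get("To", ""))[1].lower()
        site = owner.get(rcpt)
        if site is None:
            continue                       # not addressed to a trap address
        report[site]["received"] += 1
        # From is forgeable: the recipient match is the evidence, the sender
        # domain is only a hint about who the address was passed on to.
        sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        if sender != site and not sender.endswith("." + site):
            report[site]["third_party"][sender] += 1
    return report

def verdict(entry):
    """Hypothetical rule: any mail from an unrelated sender marks the site red."""
    return "red" if entry["third_party"] else "green"

SITES = ["hotdog-a-rama.example", "quiet-shop.example"]   # constructed names

def sample_inbox():
    """Constructed messages standing in for what the trap inbox received."""
    a, b = (tagged_address(s) for s in SITES)
    return [f"From: club@hotdog-a-rama.example\nTo: {a}\nSubject: Welcome\n\nhi\n",
            f"From: deals@pills.example\nTo: {a}\nSubject: Buy now\n\nx\n",
            f"From: win@casino.example\nTo: {a}\nSubject: You won\n\nx\n",
            f"From: orders@mail.quiet-shop.example\nTo: {b}\nSubject: Receipt\n\nx\n",
            "From: a@b.example\nTo: someone@else.example\nSubject: stray\n\nx\n"]

if __name__ == "__main__":
    for site, entry in attribute(sample_inbox(), SITES).items():
        print(site, entry["received"], verdict(entry), dict(entry["third_party"]))
```

Because each site gets its own address, mail arriving at that address points back to the sign-up that leaked it even when the sender is someone else entirely.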
On the user end, the mechanism is an extension for your browser; currently Internet Explorer and Firefox are covered. You go to the SA website (listed below) and sign up to receive a copy of the extension. The extension is a piece of software that hooks into your browser and manifests itself by adding little icons to sites revealed in a Google search. If a site is known to harbor bad behavior, a red X appears after its link. Mouse-ing over the X shows you how many spams SA received after signing up with that site. Clicking on the X shows you other information about the site, such as other suspect sites that link from that site.
I tested this under Firefox on my Mac, and the results were very informative. Searching on "iPod" found a lot of sites that had green check marks, a sign that no Bad Things were detected. It also reported a number of untested sites, where you are on your own, and a few red X's where evil presumably lurks. I haven't tried this with Internet Explorer, because, well, it sucks. If you haven't gotten the word yet, DO NOT USE INTERNET EXPLORER for anything except visiting sites that are so badly written that they require it. Do a Google search on Internet Explorer security flaws for more info.
Who Do You Trust?
All this brings up the question: "Yeah, but to use this, you need to give up your email address to these guys; why should I trust them?" Glad you asked. Well, I trust them, based on what I've read on the Web in various articles and blogs. I've been wrong before, but I signed up and I'm about as paranoid as it gets. You gotta believe in someone, and this seems like a good start. Do a Google search on siteadvisor and make up your own mind.
It is a processed meat jungle out there.
Mike Gould is a part-time mouse wrangler for the U of M, runs the MondoDyne Web Works/Macintosh Consulting/Digital Photography mega-mall, is a member of Factotem.com, and welcomes comments addressed to firstname.lastname@example.org.