
Security UPDATE--Reading EULAs Can Help Prevent Spyware Infiltration--September 28, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Symantec LiveState Patch Manager

Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter


1. In Focus: Reading EULAs Can Help Prevent Spyware Infiltration

2. Security News and Features

- Recent Security Vulnerabilities

- Microsoft Boosts Its Ability to Provide End-to-End PKI Solutions

- New Microsoft Tool Locks Down Shared XP Systems

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- Control Endpoint Media Devices


==== Sponsor: Symantec ====

Symantec LiveState Patch Manager

Symantec LiveState Patch Manager allows you to reliably protect your infrastructure from vulnerabilities. Its intuitive interface allows organizations to scan, identify and install missing patches on hundreds of clients and servers in minutes. Flexible grouping capabilities allow the targeting of patches to specific groups of users. Provides detailed patch status reports. Persistent delivery assures patches are successfully delivered and applied, helping ensure clients are secure and protected. LiveState Patch Manager is a member of a family of modular solutions that work on their own--with tools you may already have--and can be assembled into a broader suite if desired, leveraging a common look-and-feel, management database and agent deployment infrastructure. To learn more, visit us at:


==== 1. In Focus: Reading EULAs Can Help Prevent Spyware Infiltration ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Does anybody (except lawyers) really like reading End User License Agreements (EULAs)? For that matter, does anybody like reading privacy statements? I doubt it. But it's something we all should do because if we don't, we can eventually wind up with all kinds of spyware on our networks that could lead to serious problems.

For example, you might download a slick-looking desktop tool, click to accept the EULA without reading it, then later find out that the tool has been recording all your Web and email activity and sending that information to someone's data collection center. In another scenario, you might install the latest IM and chat tool. If you don't read the privacy policy, you might not know that the company providing the tool reserves the right to track who you contact, how often you transfer data, and more.

That's just the tip of the iceberg. In fact, poorly written EULAs and privacy statements, along with people's unwillingness to read them carefully, have spawned an entire multimillion- (if not billion-) dollar industry that now focuses exclusively on the elimination of spyware.

When surfing the Web last week, I came across an interesting story at Techdirt that points out just how lackadaisical people can be when it comes to reading EULAs. Techdirt pointed out an experiment conducted by PC Pitstop (at the URL below). The company embedded in one of its EULAs an offer of $1000 to the first person who simply asked for it! More than 3000 people downloaded the software before somebody actually asked for the check!

A few weeks ago, I learned about a new tool, EULAlyzer from Javacool Software (at the URL below), which as the name implies is designed to help you analyze EULAs to look for areas that might need extra attention. It works by scanning for keywords. It then links to areas that contain those keywords so that you can review those spots. I tested EULAlyzer on a EULA and found that it did point me to some key phrases that I needed to read more closely, but it certainly didn't eliminate the need for me to read the entire EULA carefully.

Last week, I learned about another tool, currently called Project Truth Serum (read about it at the first URL below), that will help analyze EULAs. That tool is being developed by Facetime Communications (at the second URL below) and is currently in closed beta testing, so I didn't have a chance to try it. But based on the sample output, which you can view at the third URL below, the tool provides similar functionality to EULAlyzer.

I don't see any reason why EULA analyzers couldn't be made to analyze privacy statements. But when I tried EULAlyzer on a tool's privacy statement, it didn't flag anything as suspect, even though the statement did indicate that my use of the tool would be tracked. But maybe at some point, Javacool and/or Facetime will upgrade their analyzers to also work on privacy statements.
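The keyword-scanning approach described above, sketched as an added example (not EULAlyzer's or Facetime's code; the watch list and both sample texts are constructed here). It flags sentences that contain watch-list phrases and returns their offsets for review, and the second sample shows a tracking clause worded outside the list passing unflagged.

```python
import re

# Hypothetical watch list (category -> phrases), constructed for illustration;
# it is not the keyword list of any real product.
WATCH_LIST = {
    "data collection": ["collect", "record", "monitor"],
    "third parties": ["third party", "third parties", "affiliates"],
    "bundled software": ["additional software", "partner software"],
    "advertising": ["advertis", "pop-up"],
}

# Constructed sample texts.
SAMPLE_EULA = (
    "You may install this software on one computer. "
    "The software may record the Web sites you visit and send that "
    "information to our servers. "
    "We may share this information with third parties for advertising purposes. "
    "Installation may include additional software from our partners."
)
SAMPLE_PRIVACY = (
    "Your use of the tool will be tracked. "
    "We keep a log of who you contact and how often you transfer data."
)

def split_sentences(text):
    """Yield (offset, sentence) so each hit can point back into the document."""
    for m in re.finditer(r"[^.!?]+[.!?]?", text):
        raw = m.group()
        sentence = raw.strip()
        if sentence:
            yield m.start() + len(raw) - len(raw.lstrip()), sentence

def flag_clauses(text, watch_list=WATCH_LIST):
    """Return sentences that contain any watch-list phrase, with categories."""
    hits = []
    for offset, sentence in split_sentences(text):
        lowered = sentence.lower()
        categories = sorted(
            cat for cat, phrases in watch_list.items()
            if any(phrase in lowered for phrase in phrases)
        )
        if categories:
            hits.append({"offset": offset, "categories": categories,
                         "sentence": sentence})
    return hits

if __name__ == "__main__":
    for hit in flag_clauses(SAMPLE_EULA):
        print(hit["offset"], hit["categories"], hit["sentence"])
    # The privacy sample discloses tracking but uses none of the listed phrases.
    print("privacy statement hits:", flag_clauses(SAMPLE_PRIVACY))
```

An empty result from a scanner like this means only that no listed phrase appeared, not that the document is free of tracking terms.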

At any rate, both of these tools are essentially designed to help guard against spyware. Although they're useful to some extent, they certainly aren't replacements for careful reading, nor are they designed to offer you legal advice. They are simply helper applications that might prevent you from overlooking something in a given EULA. If you're interested in this sort of helper application, try EULAlyzer and keep an eye out for Facetime's eventual product release.


==== Sponsor: St. Bernard Software ====

Filtering the Spectrum of Internet Threats: Defending Against Inappropriate Content, Spyware, IM, and P2P at the Perimeter

Because of the proliferation of Web-based threats, you can no longer rely on basic firewalls as your sole network protection. Attackers continue to evolve clever methods for reaching victims, such as sending crafty Web links through Instant Messaging (IM) clients or email, or by simply linking to other Web sites that your employees might surf. This free white paper examines the threats of allowing unwanted or offensive content into your network and describes the technologies and methodologies to combat these types of threats. Get your free copy now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Microsoft Boosts Its Ability to Provide End-to-End PKI Solutions

Microsoft announced that it has acquired privately held Alacris, maker of identity and access-management solutions. The acquisition puts Microsoft in a better position to offer end-to-end solutions and to take the solutions beyond the enterprise environment and out to consumers.

New Microsoft Tool Locks Down Shared XP Systems

Microsoft released a new toolkit that helps you lock down shared Windows XP systems. The new Shared Computer Toolkit for Windows XP has three parts: a disk protection tool, a user restrictions tool, and an accessibility tool.


==== Resources and Events ====

Exploit the Opportunities of a Wireless Fleet

With the endless array of mobile and wireless devices and applications, it's hard to decide what you can do with the devices beyond providing mobile email access. It's even tougher to know how to keep it all secure. Join industry guru Randy Franklin Smith in this free Web seminar and discover what you can do to leverage your mobile and wireless infrastructure, how to pick devices that are right for you, and more!

Get Ready for the SQL Server 2005 Roadshow in Europe

Back By Popular Demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a one-year membership to PASS and a one-year subscription to SQL Server Magazine. Register now.

Are You Walking the Tightrope Between Recovery and Continuity?

There's a big difference between the ability to quickly recover lost or damaged data and the ability to keep your messaging operations running normally before, during, and after an outage. In this free Web seminar, you'll learn what the technical differences are between recovery and continuity, when each is important, and what you can do to make sure that you're hitting the right balance between them.

Streamline Desktop Deployments--Free Web Seminar and White Paper!

Managing desktop software configurations doesn't have to be a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this on-demand Web seminar, find out how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. Plus--register today and receive a free industry white paper on standardizing the software packaging process.

Deploy VoIP and FoIP Technologies

Voice over IP (VoIP) is the future of telecommunications and many companies are already enjoying the benefits of transporting voice over IP networks to significantly reduce telephone and facsimile costs. Join industry expert David Chernicoff for this free Web seminar to learn the ins and outs of boardless fax in IP environments, tips for rolling out fax, integrating fax with telephony technologies, and more!


==== Featured White Paper ====

Supercharging SMS for Effective Asset Management

Cost control and license compliance have risen to the top of the IT asset and desktop management agenda. Learn to map Microsoft's SMS to specific business objectives and examine the pitfalls of relying solely on SMS to achieve business IT asset management objectives. Download this free white paper now and find out how you can leverage technology to bridge the gap between technical professionals and your CFO.


==== 3. Security Toolkit ====

Security Matters Blog: Are Most Desktop Firewalls too Complicated?

by Mark Joseph Edwards,

An interesting assertion is that Windows Firewall is enough for most people because they aren't capable of making informed decisions about whether to allow certain outbound network traffic. If that's true, is it just that such people need a more intuitive interface and possibly a little education? Read the rest of this blog entry for more about this subject and post your comments to share your opinion with other readers.


by John Savill,

Q: How do I log on to Windows Vista using a domain account?

Find the answer at

Security Forum Featured Thread: Problem with Windows Update

A forum participant writes that when he tries to access Windows Update he receives the message "The website has encountered a problem and cannot display the page you are trying to view." This occurs just after the site informs him that it's checking for the latest updates. He said this happens only on one server and wonders if anyone knows what the problem might be. Join the discussion at


==== Announcements ====

(from Windows IT Pro and its partners)

Stay Up-to-Date with the Windows IT Security Newsletter

Every issue of Windows IT Security features related product coverage of the best security tools available and expert advice on the best way to implement security. Our expanded content includes even more fundamentals on building and maintaining a secure enterprise. In addition, paid subscribers get access to our entire online security article database (more than 1900 articles)! Subscribe today:

VIP Monthly Online Pass = Quick Security Answers!

Sign up today for your VIP Monthly Online Pass and get 24/7 access to the entire Windows IT Security online article database, including exclusive subscriber-only content. That's a database of more than 1900 security articles to help you get all the answers you need, when you need them. Sign up now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Control Endpoint Media Devices

Ecora Software announced the latest version of its endpoint security solution, Ecora DeviceLock. DeviceLock provides centralized management and access control for USB and FireWire ports, Wi-Fi and Bluetooth adapters, CD-ROM/DVD and floppy drives, and other removable media devices according to user, schedule, and/or specific device. DeviceLock now lets you define a discrete list of administrator accounts so that users with local administrator privileges can't disable or remove DeviceLock services from computers. The product's USB whitelist can now limit access to devices whose serial numbers are on the list. And DeviceLock can now display custom messages when an access attempt is denied. DeviceLock pricing starts at $35 per endpoint. For more information, visit

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.



==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
