Download.com and Others Bundle Superfish-Style HTTPS Breaking Adware (howtogeek.com)
451 points by jacquesm on Feb 12, 2016 | 223 comments


Let's say I ran a well-known business that sold some sort of physical product.

It could be a toy, a common household tool or appliance, or anything else that is small and inexpensive. It more or less works as intended, but it also includes a small robot. The packaging and marketing would be designed so you weren't supposed to notice the robot, but the packaging included the necessary fine print and an explanation, for anybody who spotted this "extra feature", that this robot was just there to make sure you got the best experience possible.

Unrelated to whatever it was that you bought, at night the robot would install a device on your phone that re-routed all your phone calls through my office (a MITM attack). The phone still works ok, except now calls to your favorite pizza delivery restaurant seem to be re-routed to the competitor across town. Some time later a neighbor complains that sometimes, when he checks his voicemail, he gets your phone conversations instead.

After finishing with the phone, the robot does the same thing to your cable TV.

Some days, the robot would go through your (physical) mail and place stickers with new advertisements into your magazines. Occasionally one of those stickers would end up on your electric bill, obscuring important information. The power company has a similar logo to one of the sticker-ads, so the robot probably confused the two logos. Even if the robot didn't have any stickers to place, it would still open your mail and leave it (opened) on the ground near your mailbox for anybody to see.

If I ran a business that did this - possibly as my main (or only) product - how long would I be able to run this scam before someone threw me in jail?

--

Intentionally breaking TLS with a MITM attack goes way beyond the usual scam/trojan. This isn't even the usual negligence that we see in the "security" of a lot of products. Creating a certificate that lets you MITM any domain is very obviously a willful act.
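The "certificate that lets you MITM any domain" in the comment above, followed by the check a defender can run, as an added example (shell plus the openssl command line; it is not code from this thread or from the linked article, and every CA name, key and hostname in it is constructed on the fly for the demonstration):

```shell
#!/bin/sh
# Added example, not code from the thread or the article it links. It shows
# why a locally installed root CA (the Superfish pattern) lets its owner mint a
# certificate for any hostname that clients will accept, and the check a
# defender can make: compare the root anchoring a chain against the roots you
# actually expect. Every name, key and certificate below is constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA certificate (openssl req -x509 marks it as a CA).
make_ca() {  # usage: make_ca <basename> "<Common Name>"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Have a CA sign a leaf certificate for a hostname the CA owner does not control.
mint_leaf() {  # usage: mint_leaf <ca-basename> <hostname>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/leaf.crt" 2>/dev/null
}

# Would a client whose trust store contains this root accept the leaf? Prints OK or FAIL.
verify_with_root() {  # usage: verify_with_root <ca-basename>
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# SHA-256 fingerprint of a certificate: the value you would pin or allowlist.
fingerprint() {  # usage: fingerprint <ca-basename>
  openssl x509 -in "$WORK/$1.crt" -noout -fingerprint -sha256 | cut -d= -f2
}

# Defensive check: is the root that anchors this chain one we expect?
# Returns 0 when its fingerprint is in the allowlist, 1 otherwise.
is_expected_root() {  # usage: is_expected_root <ca-basename> <pinned-fingerprint>...
  fp=$(fingerprint "$1"); shift
  for pin in "$@"; do
    [ "$fp" = "$pin" ] && return 0
  done
  return 1
}

# --- demonstration ---------------------------------------------------------
make_ca public "Constructed Public CA"        # stand-in for a browser-trusted root
make_ca adware "Constructed Adware Root CA"   # the kind of root bundled adware installs
mint_leaf adware www.example.com              # a name the adware vendor does not own

echo "Leaf for www.example.com, signed by the adware root:"
echo "  client trusting only the public root : $(verify_with_root public)"   # FAIL
echo "  client with the adware root installed: $(verify_with_root adware)"   # OK

PINNED=$(fingerprint public)
if is_expected_root adware "$PINNED"; then
  echo "  chain anchored in an expected root"
else
  echo "  chain anchored in an UNEXPECTED root ($(fingerprint adware)); inspect the trust store"
fi
```

Against a real machine the same check is `openssl s_client -connect example.com:443 -showcerts </dev/null`, then fingerprint the last certificate in the printed chain and compare it with the root you expect for that site. A root installed by an application rather than by the OS or browser vendor is what Superfish-style adware looks like from the client side; a corporate TLS inspection proxy produces exactly the same picture, so the check tells you an interceptor is present, not whether it is sanctioned.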


Why companies like Download.com and CNET haven't been dragged to court yet beats me. People have had to pay hard cash just to have their systems purged; many have lost prized documents and information while attempting resets because of this.

Is this some sort of favorable treatment?


Or at a more simplistic level, why haven't Google, Firefox et al simply blocked download.com as serving malware? Even something that simple happening far more frequently might mean sites carrying ads gained some ethics. Maybe some of the ad networks would then be held responsible for the crap they regularly carry.

...and sites whine at the unfairness of the growing number of adblocking users. Right.


This is something I have been curious about as well. It seems like Google at the very least should be blacklisting download.com or at least showing the message they show for "bad" sites: "Warning: Visiting this site may harm your computer!"



Thank you for the link. I just reported it. I hope many more people here will do the same. Who knows, maybe something will change.


I reported cnet several times. It still has a top spot in the Google search results and no warning whatsoever.


You really want Google to be the custodian of all things bad?

Besides, does Download.com, the site, actually give you malware? No. So why do you think Google should blacklist it?


"Custodian" is a strong word. Let's back up.

Download.com doesn't write the malware, it just serves it. Are they a custodian? The argument here is that download.com knowingly serves malware to make money.

By that same argument, if Google knowingly serves a link to download.com to make money, how is this different?

At the end of the day, online businesses serve things to customers just as venues serve performing acts and stores sell goods. There is some expectation of due diligence over what they provide.

We can argue about whether they should be legally compelled to not serve malware, or whether we should simply stop doing business with companies that serve malware, but it's reasonable to consider them responsible for the things they serve to make money.


> At the end of the day, online businesses serve things to customers just as venues serve performing acts and stores sell goods. There is some expectation of due diligence over what they provide.

Devil's advocate: where does this line start and stop?

I'm not advocating for download.com. Stores aren't held responsible for bad products. Physical stores like Walmart and Target as well as digital entities like Amazon and Newegg have shelves full of products designed to break under minimal use, high markups for mediocre products, and products that have been cleverly advertised to look better than expected. This is not completely analogous to serving malware, but the onus is not on the store to vet the products before selling.

Why should download.com be held responsible for hosting crapware when we don't hold stores pushing goods liable for selling us gold-painted trash?


> Devil's advocate: where does this line start and stop? Stores aren't held responsible for bad products

I don't know about the US, but in the UK and Europe they are. The contract is with the retailer, so you can sue them. There is an expectation that things we get are safe. They are frequently crap, but rarely damage your other things or injure you. If something breaks after minimal use it would not be of "merchantable quality" and you'd be entitled to a full refund from the retailer. Likewise claims and statements to the public and in advertising must be true. (IANAL)

Now, Download make a big deal of being a trusted source, and will not accept "Software that installs viruses, Trojan horses, malicious adware, spyware, or other malicious software at any point during or after installation". There's a very lengthy list of what they don't allow and how they are curating their offerings. They have, for quite some time, been failing in this. For pity's sake they even have dark patterns and show ads with prominent download buttons, which aren't.

As they want to be a trusted source, and have lengthy text telling us they won't accept malware and that they curate everything, I think they should fall foul of the browser's safe browsing filters.

http://www.donotlink.com/framed?614744 Their malware policies.

If, on the other hand they said plainly "we make only limited checks, downloader beware", fair enough. Just like a forum disclaiming views of posters.

TL;DR Yes, they should be held responsible for what they serve, or stop claiming to be so trustworthy and "We test all submitted software products according to comprehensive criteria.".


> Devil's advocate: where does this line start and stop?

I would say that it stops as soon as the venue starts doing any reasonably in-depth vetting -- or even more, actively curating -- what they're serving. In this case, Google already has a malware detection service that is hooked into their browser, and this malware detection service can reasonably be expected to catch sites like download.com that serve trojans.

Download.com actively chooses what to provide for download, and actively makes sure it has malware.

> This is not completely analogous to serving malware, but the onus is not on the store to vet the products before selling.

Sure it is. If the store sells low priced crapware, then it's 100% the responsibility of the store. The difference here is that the crap that they sell is legal, non-intrusive, and can generally be returned for a refund.


> Stores aren't held responsible for bad products

I certainly stop shopping at supermarkets that sell me tainted food.


> Why should download.com be held responsible for hosting crapware when we don't hold stores pushing goods liable for selling us gold-painted trash?

There is a vast amount of difference between download.com hosting a binary and Walmart hosting a product. In the latter, there is a due process whereby any defective goods could be returned to the manufacturer. More importantly, a manufacturer's guarantee/stamp is involved.

If the binaries are signed by the original developers' public key, then I can agree somewhat to your analogy. Otherwise, it's download.com who is 100% responsible.


I'm not sure if it is still the case, but being hosted on download.com used to have a cachet over other sources. Today, their about us page has this to say:

"All products in our library go through a rigorous testing process."


So, Google should blacklist most torrent sites as well, then?

See, I think Google's job (let's call it that for lack of something else as I'm typing) is indexing the web and showing me relevant links based on what I search for. And that's basically it. If I choose a wrong word and a naughty site pops up, hey, that's my bad. I don't think Google should filter that for me (unless it's an option that I can opt in). Similarly, if I search for software, I don't want Google giving me a curated list of vendors. Good, bad or otherwise.


The point is that they're not showing you what you wanted - if you search for Firefox, I'm pretty sure you don't want a malware-infested version. You want plain old regular malware-free Firefox.

So Google isn't showing you what you searched for.

If you search for torrents or illegal downloads well that's different, isn't it?


I _WANT_ every available option shown. They can sort by relevance, but I best darn well see Download.com on some page of the returned results. I _don't_ need Google censoring the internet.


> You really want Google to be the custodian of all things bad?

I expect them to manage their products (chrome, search) in an ethical way. If I'm using their search, then yes, I expect that they'll give these warnings. If I'm using Bing, then I expect MS to do the same.


If you install uBlock Origin at least, it will flag the entire site by default.

It is very easy to add new things to the list too (e.g. right-click an offensive pop-up and "block element").

I even told it to block my ISP's ridiculous typo-redirector.


The sort of person who installs uBlock Origin is also generally the kind of person that knows to avoid these websites. However, people like my mother don't know how to install uBlock, and don't know to avoid download.com (I mean, with a domain name like that, it has to be legit!).

This is what uBlock shows me when visiting a page on download.com [0]. It also changes the URL to "chrome-extension://cjpalhdlnbpafiamejdnhcphjbkeiagm/...". If my mother saw this, I'd get a phone call right away that some virus was stopping her from downloading something. It looks scary, and the most visible information is the most obtuse, while the most useful information is grayed out on the page.

If the most prominent text was something like "We've blocked this page, because it matches our list of 'Badware risks'." I'd feel better about installing uBlock for a casual user. As it is now, I only install Adblock Plus because it hides malicious ads and fake download buttons without also presenting scary things to the user.

[0] http://i.imgur.com/DUdRCSc.png


You're right, that's why you should install uBlock Origin for your grandmother


and everyone else's grandmother, I suppose


One grandmother at a time, we can cure malware


Yep, but I would not dare suggest ublock origin to any of my non-techie friends or relatives as my unpaid support load would go up hugely. Adblock is far enough for them! I run it always, but one thing it is not, in any respect, is non-techie friendly.

I love that it tells me what triggered a block, and which filter it pulled it from, but Joe User would be baffled. Then clicking random buttons to make it go away (likely disable strict blocking, permanently), or phoning their ISP because the Net's broken...


Well maybe if it was a new site with no backing, they would block. Unfortunately Download was part of CNET. CNET was purchased by CBS. This is CBS serving malware.

They know what they're doing. It's probably the only portion of the CNET properties that makes a good amount of money in CBS's eyes.


blekko penalized most of the downloading sites for that reason.


If you read the text on some of those dialogs it states pretty clearly what they're going to do to your computer when you click accept: ...collect your IP address, URLs of the pages you visit and other personal information including the content of encrypted web pages...

The problem is most users can't understand or don't even bother to read it (http://arstechnica.com/security/2008/09/study-confirms-users...)

Watching non-technical folks try to install software is like watching baby seals get clubbed. Even the supposedly trustworthy software vendors (Adobe Acrobat, Oracle Java) all install shitty toolbars and adware.


No doubt! Say what you want about how much the Apple App Store for OS X sucks, but it has never downloaded anything I didn't want, and I've never been hit with malware using it. Nor has my father-in-law who often gets malware from web pages he visits.


Because they are owned by CBS. That way they can also encourage, supply, and track downloads of "illegal" music/video sharing apps :^) https://en.wikipedia.org/wiki/Download.com https://en.wikipedia.org/wiki/CNET


Because you have to prove damages from your data loss or web tampering. So, you got redirected to a different site. Maybe your credit card number got sold and bought a few dozen times until some time 2 years later, someone started charging it, so your bank cancelled it and reissued. There's a lot of maybes and tenuous connections.

Nobody would take that case.

There's a problem with our privacy protections in the law.


It's because a lot of Windows users are just plain dumb. Not all of them of course, but barring a few users, most just don't care about adware as long as their work gets done. I know too many friends and relatives whose laptops were riddled with all kinds of adware that shipped by the courtesy of download.com, CNET and similar others. When I mention it, they just laugh about it, such is the divide between power-users and noobs of the Windows world.

What is needed here is providing them education and information. I try my best to bring them to Ubuntu/LinuxMint after explaining some basics, but it's only a small minority that gets converted. But the ones that do switch never look back after that!


Barely anyone cares about online privacy. MS found that out with the failed Scroogled campaign which they scrapped after it tanked. People value free stuff more than privacy.

There are some interesting court cases going on though, with the analogs of your scenario but with student data.

https://www.washingtonpost.com/news/grade-point/wp/2016/02/0...

http://www.edweek.org/ew/articles/2014/03/13/26google.h33.ht...

https://www.eff.org/press/releases/google-deceptively-tracks...


>MS found that out with the failed Scroogled campaign which they scrapped after it tanked.

It tanked because it was a terrible campaign, not because people don't care about online privacy. The fact that it was MS of all companies running it made it even more terrible.


Do you think that if Mozilla ran a similar campaign it would see more success? Somehow I don't think so.


Considering Google was paying Mozilla to be the default search engine in Firefox, most tech-savvy folks would have seen it as just as silly.


Actually, that campaign was a full success - it made MS realize no one cares about privacy, and this led to Win10 spying on _everything_.


> this led to Win10 spying on _everything_

and no one is complaining about that /s


> Barely anyone cares about online privacy.

I suspect you are confusing not caring about privacy with a feeling of powerlessness mixed with a general ignorance of any alternatives (which might not exist in some situations). The meme that people want to give up privacy in some kind of barter for services is just projection and wishful thinking in most cases.

https://www.asc.upenn.edu/news-events/publications/tradeoff-...


> If I ran a business that did this - possibly as my main (or only) product - how long would I be able to run this scam before someone threw me jail?

If you put a reasonable amount of effort into legal defense, you could get away with it indefinitely. The US criminal justice system is non-functional in more ways than one.


If only Microsoft had run with the idea of package management and trusted repos that has existed in open source for decades, without restrictions that inspire people NOT to use it. For example, to release a Debian repo to share your software with your users, you have the option to handle hosting and payment (if any) yourself and keep 100% of the revenue, not 70%.

Their position in the market is such that had they started pushing this around the time apt-get started to be a thing they would have had near 100% adoption and users would be used to installing everything that way and would be naturally suspicious of manual installation.

Bad actors could end up on a blacklist that users would opt to enable. You would even have multiple black list sources from people like antivirus vendors etc.


Do you really want to live in that world? The world where I have to get past Google's, Apple's (iOS and Mac app store), Debian's and Steam's arbitrary rules about what is and isn't an acceptable app? Where a company/project's current head gets to decide what it is, and isn't, acceptable to install?

One of the reasons Windows flourished was the openness of the platform.


Linux is a much more open platform than Windows. Its only downside is that most people think it's difficult to use.

I cannot think of any reasons why you'd think windows is open, especially when comparing it to Linux. You were talking about installing, yet fail to realise that pkg managers aren't the only way. I mean most Linux users regularly compile binaries directly from the source. How is that not open? Perhaps you'd like to elaborate.


Because part of being open is being accessible.

"It was on display at the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying beware of the leopard."

Linux is difficult to use for the kind of person who is downloading software from Download.com - "compiling binaries directly from the source" might as well be Klingon to them. Frankly as a geek I'm much happier with my Mac and Windows machine than I am with Linux. Even now things like the Linux Standard Base not being utterly standard demonstrate that Linux is still aiming for a different market.

There is a gulf between "my Mom is running Debian, she thinks it is Windows, hehehe" and "able to manage a Linux box even remotely competently".


Downloading applications via a package manager is basically the same as downloading applications on your phone via an "App Store" application. (Especially if you are using a package manager with a GUI)

Millions of people use app stores everyday. And I'd say a huge percentage of those people are the ones who would also download a program on their PC from download.com

Which sounds more accessible:

  1) click package manager program
  2) type the name of the program you want to install
  3) click install

  OR

  1) open web browser
  2) go to http://yahoo.com
  3) type google
  4) click the first link
  5) google "download program_i_want"
  6) click on link leading to "www.download.com/malware/viruses/tracking/program_i_want"
  7) stare at the dozen different DOWNLOAD! buttons, and wonder which one
  8) click the biggest flashiest one
  9) wait for it to finish downloading
    (if it doesn't automatically start an installer)
    a) open File Explorer
    b) go to Downloads folder
    c) wade through the hundreds of other downloads until you find kd457sfjgs_download_app_i_want_setup_INSTALLER.exe.EXE
  10) once the installer is started click the NEXT button a dozen times, inadvertently installing extra malware each time


Your cognitive dissonance is astounding. With most package managers, unless you know exactly what you want then you're up shit creek. That's assuming you even know what a package manager is, for the millions of people using App Stores every day they'd be completely lost if you asked them to install software on a Linux system.

People often don't go looking for a specific piece of software but rather an idea of what they'd like their software to do. Google and Apple have made tremendous efforts to make their stores discoverable, searchable, and to provide clear feedback and reviews from other users. They also make sure their store icons are front and center on their devices in the hopes that people can find them. The web is also littered with App Store links because the reality is that most people just Google for help.

The unfortunate thing is that there's little commonality or consistency between Linux distros, so if everyone were suddenly on Linux they'd each learn something slightly unique and you'd end up with a lot of frustrated users trying to help each other out while you scoff at them in the corner saying "Hurr durr Linux is easy".


I am guessing this was intended to be something like Ubuntu Software Center, not someone using apt or dpkg straight from the CLI. If I search for 'spreadsheet' in Ubuntu Software Center, I get results that are fairly easy to work with.


In my experience it's more like

    1) apt-get install programiwant
    2) Not found, did you mean libprogramiwant-dev.0.5.1ubuntu01?
    3) apt-get install libprogramiwant-dev.0.5.1ubuntu01
    4) This action will require 0.00001 kb of your 1000TB hard drive, do you want to continue? (Y/n)
    5) This will also install xxxxxx yyyyyy zzzzz xxxyyyyzz yyyyzzzxxx xxxxidontgiveashitaboutthisthirdpartylibraryzzzz xxxyyaaabbb xyayyyxzzzz xxxx-dev list of 1000 packages more, do you want to continue (Y/n)
    6) The following packages have been kept back and will be unloaded aaaa vbbbb aabbbb bbaaa, do you want to continue (Y/n)
    7) bzzzzzzz, loading
    8) The file .abc.etc.conf does not match the source version and will be overwritten by updating xxxxyyyzzz, do you want to (Keep/Local/Source/Abort)
    9) The file .abc.etc.conf01 does not match the source version and will be overwritten by updating xxxxyyyzzz, do you want to (Keep/Local/Source/Abort)
    10) System restart required
    11) programiwant
    12) programiwant: command not found

With Ubuntu's Synaptic package manager you get a fancy GUI on top of this, but most of the decisions and endless lists of libraries remain. There's even a "stability level" you have to choose ranging from 1 to 5; good luck with that, grandma. Not saying it can't be done, the app stores are a great example of how it can work, but there you are stuck inside the walled garden. And even there you still have problem #2 above of finding things; there's just so much crap in the app store that even if you search for an exact match you will find impostors trying to ride on the name. Minecraft is a great example: search for it on the Play Store and you will have to scroll through pages and pages of Minecraft guides, blockcrafts, craftmines, minercrafters and whatnot before you even see the real Minecraft.


You're being a bit disingenuous in making the latter seem more complicated than it actually is, though. It's only slightly more tedious than a repo, but it's no less accessible.


No, I don't think he is. Not even a bit. Sure, for us techies there's little difference. For your typical non tech user, each of those 10 steps can cause issues. This does not mean they are a moron, just they don't grok IT.

So many will download the file again each time they run it, or spam-click next 20x to install, reading nothing. Or just click the topmost, or largest download GIF - which I pretty much guarantee is not the one they should use. Or install loads over the course of the PC's life, but uninstall nothing, leading to buying an iPad or new PC basically because they have 4 printer drivers (pointlessly huge things these days), software for their last 3 phones, 234 screensaver apps the child thought were fun, several antivirus programs (none from a truly legit source).

For the truly non-techies nothing has changed since the days of a web full of crap adsense 5 pagers. Click a link, click another. Main thing that's changed in 15 years? The link probably isn't blue, or underlined.

The level of blind trust shown towards the web, and downloads is terrifying. "It's on the internet, it must be true."


> The level of blind

Is just as high if not higher for a nontechnical user to use Linux. Sure they can look at the source code, but that doesn't mean they'll be able to make sense of it.

What if they try to solve a problem themselves? Googling it will land them on any number of blogs or forums where people post cryptic instructions or link to bash scripts that might as well be black box binaries from their perspective.


>Is just as high if not higher for a nontechnical user to use Linux. Sure they can look at the source code, but that doesn't mean they'll be able to make sense of it.

Except that there is no adware, malware, spyware, or anything else bundled into a Linux repo. The end user may not know what is up, but Debian (and the whole community of package managers) is doing a lot more to protect the end user than CNet, Google or Apple is doing to protect the end user. It is de rigueur that if I install an app from the app store, it will try to spy on me, export my contacts, etc. This is far less likely with a Linux repo.


And when Dell ships a laptop running Debian, they've setup their own repos in the package manager which is along the same lines as installing a trusted root cert in Windows by Lenovo.

The trouble is that these systems are not easy to use and end users have to put their trust somewhere to get a system that is functional for them.
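The "same lines as installing a trusted root cert" point in the comment above, as an added example rather than anything from the thread: how much a third-party apt repository is trusted depends on where its signing key is put. A key added with the legacy `apt-key add` goes into the global keyring and can sign packages for every configured source, which is the apt analogue of a vendor root certificate that can vouch for every HTTPS site; a key referenced through `signed-by` is trusted for that one source only. The vendor name, URLs and keyring path below are hypothetical, and the sample sources list is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Scope of trust for third-party apt repos.
# A key in the global keyring (legacy `apt-key add`) can sign packages for EVERY
# configured source; a key bound to one source with signed-by cannot. The vendor
# name, URLs and paths are hypothetical; the sample list is constructed.
set -e

# Convert an ASCII-armoured vendor key into a binary keyring of its own, so it
# can be referenced by signed-by instead of landing in the global keyring.
install_scoped_key() {  # usage: install_scoped_key <vendor-key.asc> <keyring-path>
  gpg --dearmor < "$1" > "$2"
  chmod 0644 "$2"
}

# Write a source entry that trusts only <keyring> for this repository.
# <destdir> stands in for /etc/apt/sources.list.d so the function is testable.
add_scoped_repo() {  # usage: add_scoped_repo <destdir> <name> <keyring> <url> <suite> <components>
  printf 'deb [signed-by=%s] %s %s %s\n' "$3" "$4" "$5" "$6" > "$1/$2.list"
}

# Audit sources.list-style lines from stdin. Prints one line per finding:
#   UNSIGNED:       trusted=yes disables signature checking for that source.
#   GLOBAL-KEYRING: no signed-by, so any key in the global keyring can sign it.
# The distribution's own mirrors normally show up as GLOBAL-KEYRING; the ones
# to chase are third-party URLs in that category.
audit_sources() {
  while IFS= read -r line; do
    case "$line" in
      ''|'#'*) continue ;;
      "deb "*|"deb-src "*)
        case "$line" in
          *trusted=yes*) echo "UNSIGNED: $line" ;;
          *signed-by=*)  ;;
          *)             echo "GLOBAL-KEYRING: $line" ;;
        esac ;;
    esac
  done
}

# --- demonstration with a constructed sources list -------------------------
SAMPLE='deb http://deb.debian.org/debian bookworm main
deb [signed-by=/usr/share/keyrings/vendor-archive-keyring.gpg] https://repo.vendor.example/debian stable main
deb [trusted=yes] https://repo.vendor.example/debian stable main
# deb-src lines are checked too
deb-src [arch=amd64] https://mirror.vendor.example/debian stable main'

echo "Findings:"
printf '%s\n' "$SAMPLE" | audit_sources
```

Run `audit_sources` over the contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.list; the entries worth chasing are third-party URLs reported as GLOBAL-KEYRING and anything reported as UNSIGNED. Newer DEB822-style .sources files carry the same binding as a `Signed-By:` field.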


In fact, the malware is often very much too accessible. On these download sites, the software you actually want to download is not the biggest "DOWNLOAD NOW!" link. If you click that, you'll get something completely different. As so many people actually do - they accidentally install something they weren't looking for, let alone all the malware that comes with it.


Also, the world doesn't end on package repository. In my experience with Linux, a lot of software I want is either very outdated or not in the repository at all. OTOH, for all intents and purposes you can assume that if something can't be found by Google, it doesn't exist.


Yet when I go to grab a piece of software off google I legit have no idea which site to click on.

"Is it speedfan.org or speedfan.net"? I can't remember a concrete example but I've had a few instances of being 50/50 on whether to give up altogether at the risk of getting the wrong thing


The first case only works if you already know the name of the program you want. Otherwise you're funneling straight down the google rabbit hole.


You know you can download .deb files for some stuff and they install fine.


You can download .deb files for everything, and they work great.


You can download all deb files. That's in fact what apt does. It downloads and then installs deb files.


You can also install the wrong .deb files, and wedge your system ;)


The only times I've ever needed to compile a package from its sources was when I was trying to hack away at it.

I've not had to compile a Linux kernel in almost 8 years.

Your argument is specious. You should seriously stop using it. As for the LSB, that hasn't stopped distributions in any way, shape or form. Debian got rid of their LSB meta-package because they didn't need it.


Plus: compiling from source does not mean the code is ad/spyware free.


Ok, assuming that it does not, how many instances in the wild have there been of ad/spyware distributed as source to be compiled on the target machine?


I would imagine that in a world where my mum is compiling from the 'source', the 'source' that she's compiling would be infected in the same way as Download.com is.


"Mom I have told you thousands of times! Configure, make and make install, not configure and make install!"


Ubuntu shipped a spyware package with a few releases. I assume they had a source release with the same package configuration, in which case they were doing exactly that.


Are you referring to the amazon search debacle? Because that does not fall into the same realm, it was very clear that it included this feature from the moment you start it up. It wasn't hidden at all.


That one yes. Many people including the FSF described it as "spyware".


If source distribution was the main way of getting software onto the computers of less technical users then it would be rife.


"Yeah, well I expect the lights had gone out."

Although I guess if this describes Linux, then closed source is generally more like the plans being on display at the local Galactic Council office on Proxima Centauri.


> I mean most Linux users regularly compile binaries directly from the source.

I think not really. It's not that common. Precisely because package management works nicely, you can do an apt-get install or yum install or whatever.

I have compiled Linux kernels and even written device drivers in the past, but in the past 5 years I haven't had a need to compile anything from source.


>I think not really. It's not that common

With 10 years on Linux only, I had to do it a few times. I started doing it more often on FreeBSD, of my own will, not being forced to compile stuff.


There was a lot of building from sources in the mid-1990s (Linux 0.99 and all that), but ever since Ubuntu came out, there's been just no need.

I'm not missing that XF86Config tweaking, either. But perhaps I've grown old; when I find a laptop that doesn't come up with X in RHEL, I just think it's a bad laptop.


And then comes along a Source Mage user.


Linux is not so much a platform as a toolkit for building them. Some Linux-based systems are very open. Some are completely locked down via code signing (e.g. many routers or DVRs).

Not that many Linux users compile binaries directly from source - and if they did it would completely bypass the protection of the official repositories. Fundamentally there's an unavoidable contradiction here: if you only allow installing software from the official repositories then you have a very locked down system, and if you allow installing software from outside the official repositories then the system is unsafe. Windows went for the second option; contrast with iOS which goes for the first. There are Linux-based systems that take the one approach and Linux-based systems that take the other, but both have their downsides.


> It's only downside is that most people think it's difficult to use.

That's because for most people it is difficult to use. Most people lack the technical vocabulary to even know how to find a solution for an issue on a general purpose Linux machine let alone follow the 20 pages of bash commands necessary to implement whatever highly specific fix someone posted on their blog.

Unfortunately Linux is so open that it allows developers to do whatever the hell they want and you end up with each distro having a slightly different file structure, different default file systems, instances of software installing its own versions of tools because it can't be bothered to support a given package manager, configurations being deleted during upgrades because a developer came up with a new way to implement configs, default passwords you shouldn't change because it breaks code, and permissions being twiddled during installations that wreak havoc.

My favorite is all of the half-assed front-ends for configuring software that only work with a small subset of the possible features and only on a particular version of the software with a particular kernel. And if you happen to edit the configs manually to enable a feature not present in the GUI, you'd better not ever load the GUI again because that change will be blown away.

The state of Linux is such that technical users can't even safely upgrade their systems for fear of breaking them. There's nothing like running update on your Distro's package manager du jour and having your Wifi stop working. Was it the driver? The configuration? The GUI that edits the configuration? Or having your PBX web front end tell you that updates are available and when you hit install it gets about halfway through installing a list of packages that rivals the phonebook before failing, not rolling back, and making it so your system won't boot if you're foolish enough to attempt a restart.

And if you ask for help what do you get? RTFM! Install MINT! You should use XYZ instead. Run this script I wrote for you...


"Its only downside is that most people think it's difficult to use"

I don't know about that, but I know that none of the tools I use in my field works on Linux, and I'm not talking about rocket science, I'm talking about print and web design.

Openness aside.


Which one of the apps on download.com (that bundle crapware) would not be considered acceptable in a store? What crazy apps wouldn't conform to those rules? And how many people would actually be interested in those apps?

I've jailbroken an iOS device once just to check out what amazing things Apple doesn't want in the store. I wasn't impressed; Cydia looked like crap, iOS <7 looks bolted in an iPad app, tacky icons everywhere, and the top X downloads were all tacky looking mods for things like the lock screen. That was back when though, I've looked up some lists of stuff and I'll admit some of the available things can be convenient if you're into that sort of thing.


> Do you really want to live in that world? The world where I have to get past Google's, Apple's (iOS and Mac app store), Debian's and Steam's arbitrary rules about what is and isn't an acceptable app?

Actually yes. With the caveat that I can still install applications outside of the repositories and/or install third party repos. With Android and Debian I can. And Steam isn't quite the same since it's an application rather than OS so you can bypass Steam entirely (even on SteamOS).

That way you have some reassurances (albeit no guarantees) about the software you install, plus a method to manually bypass those protections if you so desire.

> One of the reasons Windows flourished was the openness of the platform.

No, that's not the reason. Or at least not the openness of the _software_ platform. The reason Windows flourished was the number of IBM-compatible clones out there and the monopoly Microsoft had (and successfully campaigned to retain for many years) on said hardware. Under those conditions Windows only needed to be "good enough" to compete rather than a market leader in openness, stability, security, or any other measure that us geeks normally consider.


I have a computer illiterate family member on Ubuntu. He's easily able to install software outside the repo as long as the process is spelled out. See Google Earth's install process on Ubuntu.


I don't know about the others, but Debian is certainly not trying to decide for you what is and isn't acceptable to install.

Debian does not allow any kind of software in its own repositories, but it does nothing to prevent you from adding whatever repository you like, installing whatever .deb you like, and trusting whatever signing key you want to trust.


Linux solves that by allowing users to add repositories. I don't see why that would not work for Microsoft as well.


That just means malware sites like download.com will tell users to add the download.com repository.

Without curation package managers/app stores don't offer any additional security, but curation inevitably involves trusting somebody to make those decisions. Do you trust Microsoft to do that for most users?


Consider Chromebooks - one can unlock ChromeOS or replace it with Linux, but Google made it a rather scary-sounding process for an average user, so a malware site has very little chance of convincing the user to do it.


ChromeOS isn't an open platform and Chromebooks are dangerously locked down.

Microsoft could solve these issues on Windows by forbidding software that they don't approve. It would undoubtedly improve the security of the platform. But it turns Windows into a walled garden instead of an open platform (consider - would Microsoft have allowed Firefox onto the platform? unlikely)


I do. I run Windows update on any machine that someone asks me to look at.


Debian, that well known walled garden.


Debian, Ubuntu, RedHat, SuSE and a multitude of Linux distributions are doing just fine.

In fact, you can package up your own .rpm or .deb and still install the software. But the likelihood of needing to do so is very, very small. And not only that, but it's extremely easy to see what those packages are made of - you just unzip and untar them and look at the metadata files and scripts.

So yeah, not only do I want to live in that world, I already do.

In fact, so do other Windows users - if they use OneGet or Chocolatey. And many, many corporate users also live in that world as software is deployed via SSIS or just bog standard Active Directory.


uhhhhh....

Nothing about apt is walled off at all.


MS set one up with Windows 8, but they botched it. Their rules initially prevented open-source apps from showing up, but they haven't properly enforced their own rules, such that there are now plenty of clones/name-grabs on open-source projects.


Java is a bad actor. But I don't get to choose to use it or not. If it was up to me I would never use Java and its attempts to install malware on my machine, its habit of bugging me every day with update pop ups, and creating security holes in my browser, etc. But unfortunately if I want to be able to work from home occasionally I need to have software chosen by my employer running on my machine. Putting it on some blacklist wouldn't help.


What if I need a different version of mono? Or a different version of cmake, or some other third party package?


How is this not extremely illegal? People have gone to prison for far less. How is it possible that a company like Lenovo would get involved with this?

I recently found myself wondering if I should consider CNET a reliable source of software. I guess this story answers that.


Individuals go to prison for hacking, especially if it's anything to do with copyright. Businesses definitely are given the benefit of the doubt.

The public lack a well-funded consumer advocacy organisation that can bribe, cajole or threaten police into investigating this kind of crime.


But why are businesses given the benefit of the doubt? Surely if crimes like these are core to their business, that business is a criminal organization, and its members should be locked up?

Could any criminal organization decide to incorporate and file taxes and get just a slap on the wrist and a fine for their drug trade, mugging, etc? Reminds me of HSBC's minor fine for laundering billions of drug dollars. Why do corporations get that kind of immunity?


Capitalism?

More generally, people have prejudices about what crime "looks like", which isn't an office, and there is a huge pro-business bias generally in the West based on the idea of "creating jobs".


I don't think that's a good answer; in general governments get even more latitude to screw up than businesses do.

I think it's just that groups with diffused responsibility get more latitude, because for a given act, who are you going to put in jail exactly? That turns out to be a hard question, especially when you consider not just the local consequences but the global ones. For instance, take a hard line "I'm putting the CEO/Secretary of X/Whatever the highest plausible person is in jail" stance and you just created an extraordinary incentive for pervasive, total micromanagement, and probably in the end worse results for society than even what we have now. It's a hard problem.


Interesting that you say "screw up", which implies error rather than malice. Maybe that's an important part of it: we look at the intent of individuals and then label them "bad", whereas the intent of a business decision is harder to label?


I intend "screw up" here to represent both innocent error and deliberate malice. Teasing apart which is which in groups is hard, especially since it may well be both at the same time with different people in various roles.


It often gets hard to pinpoint who actually made the call. Once you start scrutinizing a company, it turns into endless finger-pointing. I agree with your point, someone should be punished for this, but implementation is hard.


Protip: If a site wants you to download an installer, or has its own installer for the software it provides, don't use it.


> Protip

That's the problem: We should not need to be "pro" to get software - even in an open world without walled gardens.


Almost all software comes with an installer. Might as well just not download software over the internet, which makes it impossible to do anything.


Sorry, I meant a site installer, like those random "download.com installer" software. Not the installer of the program itself.

Generally, if the installer is branded with the branding of the third-party you downloaded a program from, stay away.


Seems like intercepting secure communications with a bank would be a criminal activity and those responsible would be treated as such.


You are probably agreeing to it by accepting an EULA?


Why are you even using CNET instead of the original website of any software to get the installer?


Recently I couldn't find an installer on the official site of something I needed. Googling for one led me to CNET.


Which raises the next obvious question - why isn't Google blacklisting these sites yet?


Well in Google's case it's easy, wouldn't want to upset that ad income. Firefox though absolutely should be blocking/warning of malware for sites like this. Firefox is more spin than substance these days, sadly.


But these are companies overwriting Google's ads with their own. Sounds like Google is directly hurt by them. Maybe blacklisting would get them charged with anticompetitive behaviour? (That would be really funny in a horrifying way if that happened.)


Why do you support private companies policing the internet? I'd rather be given the chance to decide what's good or bad for me by myself, instead of having someone else doing this proactively.

A warning would be welcomed, but nothing more.


Websites are still accessible if Google delists them.


That's akin to saying if I tore up the road leading to your house, your house is still accessible. You're not wrong, but you can't deny the power that Google has when it comes to access to websites. Furthermore, if Google started delisting some websites, you probably wouldn't even notice, which makes this all the scarier. There's a solution to be found that doesn't involve Google acting as some kind of pseudo-internet police.


At the same time, Google has a responsibility to their users. Their search engine is a list of what are likely to be the best results. If a website regularly spreads malware, is it in the best interest of Google's reputation to link to it?


Because Download.com doesn't actually give the user malware so Google Legal sees it differently than you.

Also, why do you want Google deciding who is blacklisted?


It's amazing watching a normal person install something. Most people I've seen just spam the next button until the window disappears, until the software and all its friends are happily installed. I think the first step is to educate users. Or implement a package manager.


To be honest, it's not just a problem for a "normal person". I can easily admit that I could easily be bitten by something like this if one of my top 10 most used installers implemented an adware addition step.

Sure, it's common sense to read what you are agreeing to and sometimes the installers are just made to deceive the end-user (I am looking at you, Flash updater). But generally you just don't have the time or don't want to read through the 7-8 pages of an installer for a program that you have already installed hundreds or thousands of times. It requires a certain amount of trust and when the chain of trust is broken, I get bitten once, sure, but the program loses a user forever. The sad thing is that this isn't the case for the Grandpa with 12 Ask.com toolbars installed.


https://ninite.com/ is pretty nice (if they have the software you want to install)


It takes about a minute, as opposed to 10 seconds, to install something if you skim each page for check boxes, as opposed to spamming next. If you can't spare that amount of time, then there's not much that anyone can do to help you.


The bare minimum corrective action when you see "value added offers" in a Windows installer is to cancel the installation and then revert to the most recent restore point. There's no reason to assume the installer will honor your "no thanks" (as it often won't) or that it hasn't already taken the opportunity to hose your system (less likely but a definite possibility with the type of person who is willing to bundle malicious garbage in their installers for a buck).


You're thinking entirely the wrong way about that "type of person". Very few people think of themselves as evil; rather they will have some rationale for how what they're doing is OK, and very different from behaviour that from the outside seems to be the same thing. They will use any number of dark patterns to get you to misclick, but I've literally never seen such an installer not honour the "no thanks" if you can find it.


I was being a bit hyperbolic, but only a bit. I really don't trust someone who is willing to bundle up crap that obviously nobody wants, just to earn a few bucks when someone is tricked into installing it, but I can agree that it's a significant step from that to actually producing malware.

Most reports of "no thanks" failing to work are probably due to third-party installers from who-knows-where, but I've seen at least a couple of cases (PSPad and CamStudio IIRC, could be mistaken) where it was attributed to a bug in the official bundle.


We're decades down the line. Educating users won't work. Regular people just aren't gonna learn.

It's time for us techies to build better software, to get laws passed that stop this sort of thing, to get websites like CNET download.com and manufacturers like Lenovo blacklisted.


I love it when people tell me they don't want to learn to use a computer because they don't need to. Then they come to me and ask me to solve their inability to read instructions... Sometimes I get mad at them... If they want to use computers they better learn to work with them. Or pay for the maintenance. It seems they don't wish to do either.


I can relate. Creating a text document, registering for and installing Spotify, ordering something from Amazon - those are tasks that target a very general audience. Yet there's the reluctance in some people to deal with any of it since it's computer stuff. On the other hand you're generally expected to be able to operate a car, or a washing machine. Just imagine that you'd tell anyone that, "well, sorry, household chores aren't within my area of expertise" - that probably won't get your clothes clean.


Yet, somehow, all those persons have no problem at all using Facebook, but ordering something from some online shop, doing a Google search to solve some problem, or even reading the Help menu on some software is out of the question for them... It seems they have their priorities all mixed up.


It's more of a case of people not wanting to find out how things work. So many people will drive a car, use a washing machine or vacuum cleaner, or even use a phone with no idea how it works, and no intention of ever learning. If it breaks they go to the 'repair guy' that will fix their problems. Or they will scrap the old item and buy a shiny new one.

One part of this comes from the fact that some things are really difficult or impossible to repair these days. Cars come with engine computers that you need special tools to access, computers and modern electronics come so integrated that you can't easily swap out components yourself.

The other part is that people treat computers as one entity, not a combination of entities. So the whole device is one item, and if something doesn't work, it's all broken.


The third problem is that we let them.

To drive a car, people have to learn a shit ton of things, not just about the law, but about the machine itself. And they do, because they have no other choice - and so for most it doesn't even register things could be different.

Look at professional software like Photoshop or AutoCAD - again, everyone knows it's "complicated", and so people either sign up for training courses, or sit down and learn it themselves. Somehow, the software tool being complex isn't a problem. But for most software, we've created an expectation that people should be able to use it from the get-go. I submit that this is wrong. People should be expected to read the manual, like in the old days, and the software should politely force them to.


Do you have to read many pages of dense legalese in order to wash clothes or drive a car, like you do with installing Spotify? Users are trained to just click "Next" until the computer boxes have gone away.

There are schools and licences for driving a car. There is no EULA for washing clothes.

If we want to train users to not click on "I Agree" to get rid of the legalese then there should be no legalese for installing Spotify or buying from Amazon. I can buy in a shop without needing to sign a 10 page document, so why not the same with Amazon?

We, in tech, have trained users to click on the green buttons to make the computer boxes go away.


Regarding the fine print in ecommerce: As a seller of goods in our own store we are actually required to include boilerplate terms and conditions. We don't like it, our customers don't read it and if they do they may not understand. And yet it's quite dangerous to drift away from or simplify the ever growing legalese language since we risk legal and financial consequences from business and so-called customer interest groups that found a way to monetize the search for shops that don't follow the boilerplate terms close enough or miss certain parts.


A nitpick - you have to undergo training to drive a car, and yes, you have to read a lot of legalese (though most drivers probably didn't, as evidenced by how they drive). And yes, you have to learn to wash clothes, though you probably don't remember if your parents taught you this as a child. I do remember, because I haven't been taught it.


I think a lot of people tell their SO just exactly that.


I'm split on this.

RE education, I think this attitude is one of the bigger sources of the problems we have. Nobody expects to get into a car first time in their lives, go through a 2-minute tutorial and drive on the public road. Nobody expects to grok electric saws or soldering irons in 30 seconds. Those are all tools, and tools require some training, or at least reading the manual. Everybody knows that and thus nobody complains.

OTOH, we've created a silly situation with computing where people are expecting to be able to use stuff immediately. They should not. This thing is complicated, and you have to engage your brain. Dumbing software down to create an illusion of immediate competency only makes our software worse, and it makes the general population stupider.

As for the second point, I agree with building better software and throwing the book at CNET and Lenovo, and any other malware bundler. Seriously, this kind of behaviour should not be allowed in a civilized society.


> Nobody expects to get into a car first time in their lives, go through a 2-minute tutorial and drive on the public road.

This is how people learn to drive in many countries (e.g. Ireland). Though you usually start in a quiet car park/road or similar.

I always wondered about "drivers ed" classes I saw on US TV shows when I was younger, since they don't exist where I grew up.


> This is how people learn to drive in many countries (e.g. Ireland). Though you usually start in a quiet car park/road or similar.

Yes, but that's part of the training. What I mean is that nobody will let you drive in real traffic the first time you enter a car in your life.


It took centuries or more for (language) literacy to become widespread. I think we should give it more time before coming to such conclusions.

Imagine a society in which, many centuries ago, the literates decided on something similar: regular people can't be taught how to read or write, they don't need to and they won't learn.


You're absolutely right. Plenty of non-tech scummy practices have been banned / curtailed under consumer protection laws. HTTPS circumventing adware is unjustifiable from a consumer protection stance.


It's amazing watching a normal person watching TV. They keep spamming the buttons until they find something that catches their eye. People are always going to go for minimal time/effort (and that's good), it's the responsibility of the IT industry to fix the side-effects.


The problem is that installs are all TL;DR. I'm quite happy that Windows finally has an app store, which gives them some control about what can be installed on people's computers while at the same time simplifying the install process. Of course, Microsoft can't force all Windows applications to only be offered via the Store, but, it was adopted quickly by OSX app builders. I think people will be more inclined to spend a bit of money on apps too if they know they're safe and you don't have to dodge a dozen 'download' buttons or convoluted install processes that ask you to install crapware. But, that's just a theory; one problem is that there's a nontrivial amount of people that go to download.com on a regular basis to install c00l n3w appz. At one point, I did too - iirc back then the computer magazines would often point to download.com. Bet some still do.


Proper package management is the only solution... I still manage to screw up and forget a checkbox here or there once in a while and next thing you know, I spend half an hour cleaning it up.

Well, it seems to be the way Microsoft wants to go at it anyway what with the atrocious Windows store.

As a sidenote, I really wish we'd get generic package management. A proper package management server and protocol that is. Something that can be used and picked up by Windows and Linux distros but also by domain-specific packages (pypi, etc), browser extensions, games with addon repositories and so on.

It's sad that right now we can't answer "and now we need package management" by "sure, let me fire up pkgserve.d" or something.


It's even more interesting when you start the observation at the stage of downloading the software in question.

I saw it with some co-workers - first Google result, obviously fake colorful download buttons, ads everywhere, and when they finally have an (not necessarily the correct) install.exe they wouldn't think twice about actually executing it. Now imagine doing the same thing with less specific search terms like "mp3 converter" instead of Skype, VLC or Dropbox. That's a very sure way for non-technical users to mess up their system.


Educating users definitely will not work.


You're right. Once in a while, I encounter a user that has clearly given up. You can normally tell because they're running Windows XP and their IE6 Crapium edition has 7 browser bars, some from defunct adware companies, and BonziBuddy in a corner...


You can't even say "only run software you bought from a bricks and mortar store" or "from reputable sources".

Java downloaded from Oracle has the Ask.com toolbar in the installer, ffs!


I typically skim-read install screens until I see anything like "will also install" / "optional extras" / "free trial", then I slow down and untick accordingly.


> I think the first step is to educate users.

Right. Because all that's preventing the world's population from developing the computer hygiene habits of anal HN readers is a few of your lessons.


The bottom line is that you can no longer trust that green lock icon in your browser’s address bar. And that’s a scary, scary thing.

What's even scarier? Not being able to inspect the traffic your own machine sends or receives because the powers that be have decided that, due to Superfish and all this other unwanted MITM'ing software, to "improve security", certificate stores will be locked down so well that only the "trusted authorities" (i.e., they) can modify them.

As long as users (and by extension, the software they run) can modify the certificate store this "problem" will exist, but as this article shows, it's not hard to add and remove certificates, and thus effectively "choose who you trust". The alternative, to have no choice in who you trust, is far worse. I just hope that the security community realises this, but if things continue moving in the direction they currently are, I'm not so optimistic.

Incidentally, I also use a local MITM proxy, but to remove ads and other crap.


There's a tradeoff that seems to be missed in security discussions quite often - the more secure something gets, the less useful it is. At the extreme end, a perfectly secure system is also perfectly useless.

I personally also dislike the direction where things are going. I get that maybe most people don't actually need general-purpose computers, they want glorified web browsers instead. But I'm afraid, given how the market behaves, that this will mean there won't be any non-locked computers available at all, or even if there are, they won't be able to interoperate with their "dumber" counterparts for the general population.


> the more secure something gets, the less useful it is. At the extreme end, a perfectly secure system is also perfectly useless.

That's a pretty profound statement. On the one hand it totally rings true, but on the other, I wonder is there any sort of argumentation or research to back this up? I would love to be able to reuse it.


I'd say it's true at the extreme end but not really true in the middle. For real-world systems, there are often security improvements which don't impact usefulness, or even improve it. For an example, imagine something like gmail that uses plain HTTP. Upgrade it to HTTPS, did it become less useful? If anything, it became more useful, because you can now use it on public WiFi networks without worrying about being hijacked. If the backend is also secure then you can use it to exchange private information you wouldn't transmit in the open.

The major conflict right now isn't because there's an inherent tradeoff between security and usefulness, it's because if your users are idiots then "secure" becomes problematic. For a smart and knowledgeable user, "secure" can be considered to be roughly synonymous with "do what the user wants, and only that." With idiot users (most of them), security requires protecting them from themselves. For example, with knowledgeable users, protection against malware can be accomplished by signing apps to show who made them and running them in a sandbox where the user controls what permissions the app has. With idiots, none of this does any good, because they'll click Accept when Blofeld's Stealy App requests permission to withdraw money from the user's bank account, if there's a slick gem-matching game attached. And idiots can't be trusted to know that they're idiots (because they're idiots) so having an "advanced mode" doesn't really solve the problem.

So really, the problem is deciding what "security" means. Does it mean your computer can't be subverted by outsiders? Or does it mean your computer can't be subverted by you? Increasing the former kind of security tends to improve usefulness, but increasing the latter kind harms usefulness.


The solution to this is Certificate Transparency[0], a distributed public log of certificate timestamps that are submitted by CAs and checked by browsers.

CT has been required for EV certificates in Chrome for a year now[1], and eventually will be required for all certificates; otherwise they will error out on connection.

A certificate signed by a root cert that is not the original CA will not validate.

[0] https://www.certificate-transparency.org/

[1] https://blog.digicert.com/certificate-transparency-required-...


Unfortunately, Chrome's current policy is to disable certificate transparency and HPKP when a certificate appears to have been manually installed, to support MITM proxies [1].

Needless to say, this makes HPKP and certificate transparency worthless when the client has been compromised by adware or viruses.

[1] https://www.chromium.org/Home/chromium-security/security-faq...
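As an added example (not from the thread or the Chromium project), here is a small Python model of RFC 7469 pin validation that shows why a local-root exemption of the kind the comment describes lets a Superfish-style chain through; the certificates are stand-in byte strings and the pin set is constructed for illustration.

```python
# Added example: HTTP Public Key Pinning (RFC 7469) checks, with and without an
# exemption for chains anchored in a user-installed root. Certificate contents
# below are constructed stand-ins for DER SubjectPublicKeyInfo, not real keys.
import base64
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str) -> Dict[str, object]:
    """Parse a Public-Key-Pins header into its pins, max-age and includeSubDomains flag."""
    pins: Set[str] = set()
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


@dataclass(frozen=True)
class Cert:
    subject: str
    spki_der: bytes
    user_installed_root: bool = False  # anchor added to the local store, not a built-in root


def chain_pins(chain: List[Cert]) -> Set[str]:
    """Pins of every certificate in the validated chain (leaf first, anchor last)."""
    return {spki_pin(c.spki_der) for c in chain}


def header_is_acceptable(header_pins: Set[str], chain: List[Cert]) -> bool:
    """RFC 7469 only lets a client note pins when at least one pin matches the
    chain AND at least one (backup) pin does not, so a lost key cannot brick the site."""
    present = chain_pins(chain)
    return bool(header_pins & present) and bool(header_pins - present)


def connection_allowed(chain: List[Cert], pinset: Set[str], local_root_exemption: bool) -> bool:
    """Strict policy: some certificate in the chain must carry a pinned SPKI.
    With local_root_exemption=True (modelling the Chromium behaviour the comment
    links to), a chain anchored in a user-installed root is never checked against
    the pins, so an interception root added by adware passes."""
    if local_root_exemption and chain[-1].user_installed_root:
        return True
    return bool(chain_pins(chain) & pinset)


# Constructed sample PKI -------------------------------------------------------
SITE_INTERMEDIATE = Cert("Example CA Intermediate", b"spki:example-intermediate")
BUILTIN_ROOT = Cert("Example Root CA", b"spki:example-root")
LEGIT_CHAIN = [Cert("example.com", b"spki:example-leaf"), SITE_INTERMEDIATE, BUILTIN_ROOT]

# The site pins its intermediate plus an offline backup key.
BACKUP_PIN = spki_pin(b"spki:example-backup-key")
PKP_HEADER = (f'pin-sha256="{spki_pin(SITE_INTERMEDIATE.spki_der)}"; '
              f'pin-sha256="{BACKUP_PIN}"; max-age=5184000; includeSubDomains')
PINSET = parse_pkp_header(PKP_HEADER)["pins"]

# Superfish-style interception: a root placed in the local store by adware, and a
# certificate for example.com minted under it.
ADWARE_ROOT = Cert("Adware Interception Root", b"spki:adware-root", user_installed_root=True)
MITM_CHAIN = [Cert("example.com", b"spki:adware-minted-leaf"), ADWARE_ROOT]

if __name__ == "__main__":
    print("header acceptable:", header_is_acceptable(PINSET, LEGIT_CHAIN))
    for exemption in (False, True):
        print(f"local-root exemption={exemption}: "
              f"legit={connection_allowed(LEGIT_CHAIN, PINSET, exemption)} "
              f"mitm={connection_allowed(MITM_CHAIN, PINSET, exemption)}")
```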


Why don't they change the green lock icon to a blue icon indicating a pair of eyes, that when clicked on explains that the connection is not secure because your IT department is monitoring the connection?


> Chrome's current policy is to disable certificate transparency and HPKP when a certificate appears to have been manually installed, to support MITM proxies

Sidenote: Is there a way to disable these on iOS to inspect SSL traffic through a MITM proxy?


And then you set a Group Policy to ban Chrome and instead enable a browser with more reasonable settings for this case, like Firefox.


Firefox accepts local certs over pinned ones by default as well (Superfish affected it too).

I believe there is an about:config setting that can be changed to have it reject local certificates in the face of a pinned site, but if malware is putting certificates in Firefox's cert store, they can just as easily flip that setting as well.


What are Firefox's settings for that case then, hmm? Does Firefox refuse to work with MITM proxies at all?


Hint: they do this because of group policy adding certificates


Or key pinning (RFC 7469), or DANE (RFC 6698).

There are solutions, the point is they're not universally deployed.


I work for CBS Corporation, which owns CNET/Downloads.com.

I have sent an email to our security team with this story, and will report back if I hear anything from them.


It would be hilarious if the response was that it was banned for use by CBS employees and therefore nothing to worry about.


Hilarious for everyone except me - apparently the only person among 35,000 who gives a heck about network security.

The outcome I expected is the outcome I've witnessed thus far - total and complete silence.


It is not immediately clear but the article was published in February 2015.


And they posted a nice follow-up a month ago: http://www.howtogeek.com/238765/how-to-check-for-dangerous-r...


I honestly wonder if there should be some sort of signature or approval process on the OS vendor's part before any cert can serve as a root.

I'm not sure what that would look like and I do realize there are some 'walled garden' implications here. But honestly, I don't get how or why a userland application has any right to touch the OS' trusted CA roots. Perhaps some model similar to driver/kext signing would make sense - self signed and/or untrusted could be loaded when the system is booted with some development mode flag, but on a general user system, the only path to get your cert trusted as a root COULD be via update/push from the OS vendor.


Firefox does not use the OS's certificate store. They use their own, and each root cert must pass Mozilla's own policies. There are long discussions about some cert issuers; see Mozilla's "dev-security-policy" mailing list.

Somebody should file criminal charges against some of these outfits for violation of the Computer Fraud and Abuse Act. From the article: "the installers are so tricky and convoluted that we aren’t sure who is technically doing the “bundling,”". Now that's a good argument that the user gave the "bundler" permission, and they have thus "exceeded authorized access", as the Computer Fraud and Abuse Act puts it.


That would be great if the CFAA and the relevant police resources were actually used against fraud and abuse, rather than being used against copyright infringers all the time.


A few years ago, the FBI's online crime staffing was 50% "national security", 40% kiddie porn, and 10% everything else. Don't know if that's changed.

Someone hit by this should file a criminal complaint. If nothing is done about it, that can be publicized.


Fair point (and kudos to Mozilla), but unfortunately this doesn't protect 90% of other traffic passing through the host. As many (if not all) of the victims of this kind of attack are laypeople, a broader approach may be warranted.


A lot of big enterprises run their own, internal, CA infrastructure.

https://technet.microsoft.com/en-us/windowsserver/dd448615.a...

In these instances, the fact that you can add a root certificate (your own) is a feature that facilitates security.


"feature that facilitates security."

That is debatable. The device/system then doing the MITM is a prime target for attacking/exfiltration of data since everything is de- and re-encrypted there. A huge single point of failure in my opinion.


There are plenty of legitimate uses for your own PKI that don't involve MITM'ing your users.

https://technet.microsoft.com/en-us/library/a8f53a9b-f3f6-4b...

> Organizations can use AD CS to enhance security by binding the identity of a person, device, or service to a corresponding private key. AD CS gives organizations a cost-effective, efficient, and secure way to manage the distribution and use of certificates.

> Applications supported by AD CS include Secure/Multipurpose Internet Mail Extensions (S/MIME), secure wireless networks, virtual private network (VPN), Internet Protocol security (IPsec), Encrypting File System (EFS), smart card logon, Secure Socket Layer/Transport Layer Security (SSL/TLS), and digital signatures.


What is there in that list that you couldn't do with a legitimate CA?


Issue certificates for free and have complete control over them?

Imagine if you had all your infrastructure authenticating with DigiNotar issued certificates (that you paid for) only for them to be invalidated in one day.

https://en.m.wikipedia.org/wiki/DigiNotar


It's much more likely that your IT staff will bungle things managing your own CA. And less likely that you will notice it and successfully manage the revocation process.

There's a lot of fun to be had when someone steals your root CA private keys undetected, and a lot of time & money to be spent ensuring it doesn't happen despite Murphy's law...


Should every company have to become their own CA to issue certificates?


Do it for cheap?

It’d be extremely expensive if every university would have to pay for a full CA root certificate.

Instead, just having a self-signed one, limited to their own domains and subdomains, allows them to use eduroam, or provide their own signed software, or sign certificates for people who want to provide their own software, etc.

Safer, simpler, and cheaper. (Although some unis actually have a CA certificate limited to *.uniname.tld)


The German universities do have such a thing: They fund a network with their own backbone and all, called DFN. This organization does have a full CA root certificate which is signed by the globally trusted Deutsche Telekom CA. The DFN then signs certificates for their members. So in short the German universities operate their own CA. I don't think running this is prohibitively expensive as almost every university is a member there.

Page in German: https://www.pki.dfn.de/ueberblick-dfn-pki/


Sure, but unless a root cert is installed as part of an Active Directory group policy, Windows should pop up a mandatory full screen warning with a very clear explanation and "No" as the default option...


Uh... like it already does? (Sans full screen but, c'mon now, it's a pretty big dialog.)

http://magma.maths.usyd.edu.au/images/faq/win7certs_ie8_20.p...


That's not a warning, it's a confusing wall of text that no non-technical person is ever going to read. Click Yes.


Yes, but why isn't the cert installation popping up that warning in this case?

Also, good job USyd, training people to click through warnings :/


I could see enterprise management being an exception, as there is still some (presumably) informed authority approving the installation of a cert. What I was really getting at is an average, non-technical user's home device.


A lot of large companies also run things like websense, which has a MITM and fake root certs at its core so it can decide if you're looking at company approved content.


Hate to say it but I'd rather focus on user education than concentrate more centralized compliance control with Microsoft. I am old enough to remember how Microsoft wielded that type of control in the past. Malwarebytes alone could/should fix 90% of this problem.


Perhaps, but for the majority of users, the iOS security model happens to be extraordinarily effective. I'm not saying Microsoft should force this down everyone's throats, but I for one wouldn't see it as a bad thing if something along these lines was the default on retail purchased PCs.

I say this as the "free" family tech support officer.

I've moved about half of my extended family onto iPads and my life is much better.


I understand where you're coming from but it's a little like saying that North Korea enjoys a low crime rate.

Do we want one company to have that much control? How do you think personal computing would have evolved if Microsoft had controlled Windows applications the way that Apple controls iOS applications?

One of the best things that ever happened was Windows and the web both flourishing as massive market share, mostly-open development platforms for almost two decades.


I don't disagree, but let's not blur the lines here between people who use computers professionally and people who use computers as an appliance.

We could have had an iOS-like security model on Windows for the majority of unassuming retail customers and I don't think it would have made a single jot of difference to wider flourishing.

(In fact, for various reasons, I would wager that we'd have a more mature technology sector. Don't underestimate the damage caused by malware to consumer trust.)


Web development as we know it would not exist. Microsoft would have banned competing browser engines (as is the case on iOS) and IE6 would have had 90% market share. The preferred way of doing active content would be ActiveX.


I'm only saying it could be a default on retail purchased PCs. Not on self-built PCs and a simple choice on (re)install of Windows.


That's still a huge majority of PCs. The self-built PC has always been a bit of a market anomaly; people don't have self-built Macs and self-built cars are a truly tiny number.

And I'm working on the assumption that this would have applied decades ago, when there weren't quite so many viable alternatives to the PC and Microsoft was the terrifying market monopolist.


You should also work on the assumption that a majority of people would have disabled this sandbox.

Maybe instead of thinking about it as iOS-like, think about it like a "not logged in as Administrator" mode which actually worked.


OK, but if the user disables the sandbox they're vulnerable to malware, and we're back at square 1.

(The goalposts seem to be very mobile here...)


The difference is that it's voluntary. Apple has competitors. If they are too strict with their policies, developers will get angry, customers will get angry and eventually both will switch to a competitor.

Apple has a strong interest in finding the right compromise between control, convenience and diversity.


>Hate to say it but I'd rather focus on user education

We've been trying that for the last 15 years; it doesn't work.


This. There was a good (and short) talk at Usenix Enigma 16 that went into this: https://www.youtube.com/watch?v=wxeIrkxRDMA


User education is good but when it comes to you mums and dads, this will be tough. I know that my parents will not ever understand this, or even the implication of these security gaps.


It should just work. I'm not asking someone to learn infosec to use their computer. That should be the last resort.


The Badfish page at https://filippo.io/Badfish/ seems to be down. Any other place where I can direct people to check for invalid security certificates?


I have not looked for an online tool, but you can download sigcheck [1] and run `sigcheck -tv` which will display "valid certificates not rooted to the Microsoft Certificate Trust List".

[1] https://technet.microsoft.com/en-us/sysinternals/bb897441


Yep... would like some detection tools to see if machines are compromised.


I'm really surprised that CBS hasn't been called out for the behavior of download.com. They're a major news corporation that needs to maintain their reputation. I've never seen any news story questioning senior management as to the disreputable activities of CBS Interactive and its subsidiaries like CNET and download.com.


> Make sure […] your […] anti-virus stays updated

Or don't use them considering how many reports of them actually making your system less safe there are.


I've been investigating PUPs for the last month or so.

These kinds of bundlers now drop not only adware (browser extensions, or those that drop MITM proxies that break TLS), but also winlockers and fakealert trojans of Indian origin ("CALL OUR [FAKE] TECH SUPPORT TO RESOLVE THE ISSUE").


Probably a silly question here (and I've asked it before), but why exactly do we only have dodgy download sites for Windows programs anyway?

I mean, other platforms have decent stores and download repositories. And games on Windows... well, you've got a lot of good sites and services there. Everything from Steam to Good Old Games to the average game mod or ROM hack download site is moderated and mostly kept free of adware and other crap.

Is there really no one interested in providing a site or service that explicitly disallows bundling and ad supported crap (or that outright removes it from anything submitted to them)? Does no one with any ethics exist in this space?


I'd be willing to pay a modest fee to have a repository of common software, always up to date, free of adware, and that can be updated automatically. A sort of commercial chocolatey with more choice and more up to date packages.


https://ninite.com/ is along those lines for MS Windows.


Yeah, I looked at it. The problem I have with ninite is their limited number of apps. Even with Chocolatey there are some key apps (to me) missing, like Spybot Anti Beacon.

Ideally you would want something popular enough that developers would be rushing to submit packages for their apps and so even relatively small softwares would be available. If customers are paying (and the cost should be fairly modest anyway), it would be an efficient way for developers to distribute their binaries.

The most popular package on chocolatey has 700,000 downloads right now. A typical user of chocolatey would have multiple machines and must download multiple versions, so at best you must have 100,000 people using it in the world (most likely far less). That's a negligible fraction of the Windows user base.



I think Chocolatey is going that way.


How the fuck is this not illegal? Oh wait, it is and someone should prosecute CNET. They're gaining elevated access to your computer without your permission. For once, can't the CFAA be used for good?


I wish Microsoft would crack down hard on this, perhaps by making non-trusted root certs an Enterprise/Pro feature guarded by a group policy entry.

I can't understand Google's reasoning in disabling Cert pinning for non-enterprise users either! How do common or garden home users of Chrome benefit from this feature?


Google Safe Search, please block the entire download.com domain. That would be hilarious!


How are they adding a trusted cert without Windows popping up a warning?


Because eventually, somewhere in the API there must be a way to actually add that cert. The API that's being called from Windows internally when you press the "OK" button on the warning that's normally shown.

And even if there was no API or if you do not manage to find its location: At some point, the certificate needs to be stored somewhere. So you just put it there and be done with it.

You can try and fight this using stuff like OSX' new rootless mode, by making a second class of binaries that are more trusted than others, but even then there will always be ways around it and the backlash would be considerable too (there were some very nasty comments about the introduction of the OSX rootless mode, even though it's turnoff-able).

The only way to prevent this from ever happening is to pre-approve every single app you want running on your platform, but, honestly, that's not a platform I would want to use (not that I want to use Windows anyways).
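Both the request above for a detection tool and this comment's point that the certificate has to be stored somewhere suggest the same defensive check: record which roots a machine trusts and diff against that later. The following PowerShell script is an added example written for this thread, not code from the article or from any tool it names; the baseline file path is a hypothetical choice and the script assumes it runs on Windows with the built-in Cert: drive.

```powershell
# Added example (not from the thread): baseline-diff audit of the Windows root stores.
# First run writes the thumbprints of every trusted root; later runs report any root
# that has appeared since, plus any root carrying a private key.
# $BaselinePath is a hypothetical location chosen for this example.
param([string]$BaselinePath = "$env:ProgramData\root-baseline.txt")

# Both stores matter: LocalMachine\Root needs an elevated installer (the "OK click at
# the elevation prompt" case), while CurrentUser\Root can be written as the plain user.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$current = foreach ($s in $stores) {
    Get-ChildItem -Path $s | ForEach-Object {
        [pscustomobject]@{
            Store         = $s
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            NotBefore     = $_.NotBefore
            HasPrivateKey = $_.HasPrivateKey
        }
    }
}

if (-not (Test-Path -Path $BaselinePath)) {
    $current.Thumbprint | Sort-Object -Unique | Set-Content -Path $BaselinePath
    Write-Output "Baseline of $($current.Count) root certificates written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath

# Any root not in the baseline was added after the baseline was taken.
$added = $current | Where-Object { $baseline -notcontains $_.Thumbprint }

# A CA certificate in a client's trust store should never have its private key on the
# endpoint; that combination is what lets software on the host forge certificates for
# any site, so it is worth reporting even when the root is already in the baseline.
$withKey = $current | Where-Object { $_.HasPrivateKey }

foreach ($c in $added) {
    Write-Warning ('NEW ROOT      {0} {1} ({2}, valid from {3:d})' -f $c.Thumbprint, $c.Subject, $c.Store, $c.NotBefore)
}
foreach ($c in $withKey) {
    Write-Warning ('ROOT WITH KEY {0} {1} ({2})' -f $c.Thumbprint, $c.Subject, $c.Store)
}
if (-not $added -and -not $withKey) {
    Write-Output 'No new roots and no roots with private keys.'
}
```

Take the baseline on a clean machine and re-run after each software install; the machine store is backed by the registry under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, so monitoring writes to that key catches additions made without the usual dialog.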


The rootless mode was only a huge pain in the ass because everyone was used to pathing usr/local/bin and brew, probably one of the most popular package managers, relies on a rootful env. Brew was definitely playing with fire and even though it was tricky getting shit to work again, I for one am glad they opted to go rootless at the behest of user convenience. Sometimes foul medicine is the best kind.


They're an installer, so they pretty much automatically get an OK click at the elevation prompt when they start. After that, they can do anything.


Is there any way of resetting the list of root certificates?


Probably System Restore would, if you have an old enough restore point.



This article is one year old.

