Computers are taking on ever more important roles in our daily lives. They used to be simple tools to get simple things done – work-related, mostly, maybe a few simple games, and that was it. However, over time, they have become the central hubs for all sorts of data – including precious data. For his Master of Fine Arts thesis project, Zach Gage illustrated just how important our computer data has become.
For his Master of Fine Arts thesis project, Zach Gage created a video game for the Macintosh, called “Lose/Lose”, that looks an awful lot like Space Invaders – except, every alien spaceship in the game is a representation of a file in your home directory. Every time you kill an alien spaceship, a random file in your home directory is deleted.
“At what point does our virtual data become as important to us as physical possessions? If we have reached that point already, what real objects do we value less than our data?” Gage asks. He gets more philosophical than that, though.
“Although touching aliens will cause the player to lose the game, and killing aliens awards points, the aliens will never actually fire at the player,” he explains, “This calls into question the player’s mission, which is never explicitly stated, only hinted at through classic game mechanics. Is the player supposed to be an aggressor? Or merely an observer, traversing through a dangerous land?”
I’m usually not the one for artsy fartsy stuff that isn’t music, but I really like the message on which Lose/Lose is built. From experience, I know that people are really, really sloppy when it comes to their computer data – much sloppier than they would treat “real” data. Actual, real-world baby pictures are treated with much more care than their modern digital equivalents, even though the latter are no less valuable than the former.
You can see the carelessness in other ways too. Most people have no qualms whatsoever about handing over their data to companies like Microsoft, Apple, and Google, even though those companies couldn’t care less about you or your data. You wouldn’t give your real-world baby pictures to Google, but people have no issues handing over the modern digital equivalents.
Anti-virus companies were not exactly amused by Lose/Lose, as they labelled the application as malware and a trojan. Kind of odd, as the game’s website, as well as the game itself, have warnings plastered all over them about the whole deleting files business.
Gage is kind of amused by all the attention. “I’m kind of OK with it being labeled malware,” he told CNet, “I would categorize it as dangerous software, but not malware because it is dangerous if you use it in a certain manner. Whereas malware implies it was designed to be malicious… Calling it a Trojan is really blowing it out of proportion.”
What are your thoughts on this one?
“Kind of odd, as the game’s website, as well as the game itself, have warnings plastered all over them about the whole deleting files business.”
If you look at it from that perspective, it does look odd. But to put it another way:
If somebody I knew sent me a random binary saying “Hey, dude, this is cool!” and the binary has the explicit goal of doing something somewhat dangerous that other apps do not, you bet I expect the malware software to warn me. Not stop me running it, if I’m aware it’s an art project, etc. But still…
In case you’re thinking “he shouldn’t run random binaries people have e-mailed”, I don’t. But it’s clearly a known-harmful app, so though I don’t think it’s strictly malware (no malicious intent) I think it’s reasonable to expect a warning from the same software that protects you from other known-harmful code.
And that’s leaving aside the fact that parents sharing a computer with their young kids or employers with business desktops, or whatever have pretty strong reasons to want to block apps that operate in an unfamiliar way and will delete data, even if they do warn you first!
It’s fireworks night here in the UK. Fireworks are not bombs, they are designed with recreational not destructive intent. But they are still treated with caution since they are dangerous. I think this app is similar.
So, you trust your malware software to warn you of every impending threat?
Seems like you’ve possibly fallen into the trap this article was trying to portray… You’ve put your trust into software written by others to protect your data for you.
If you’re not backing it up and taking precautionary measures to prevent data loss, then you’re ultimately just wandering around in a dangerous world hoping that everyone is watching out for you.
I think an example program like this should be given to all first time computer users (even if it doesn’t actually delete their files, but just pretends to), to remind them that not all that glitters is gold, and clicking on something neat and shiny could have dire consequences if they aren’t thinking ahead.
No, I just don’t think that it should ignore known threats that it could trivially warn against. If a friend sent me this program without warning me what it did, I’d consider it rude. If software that behaves in a trojan-like way is known to the anti-malware vendors, then I would consider it irresponsible if they didn’t add it to their database. Their target audience isn’t me, it’s more vulnerable users who could benefit from these warnings.
I shouldn’t rely on getting a malware warning. But I see absolutely nothing odd about the anti-malware vendors flagging up this software, it’s exactly what they should be doing and represents fairly sensible behaviour on their part, IMO. Whether anti-malware software should be necessary is a somewhat independent issue…
I think that’s quite a lot to infer from what I said! There’s also a “trap” in assuming that because technically literate users are able to protect their personal machines against such threats that nobody else has a legitimate use case for anti-malware software. I think a corporation (or parent, or long-suffering family computer-fixer) would be justified in installing anti-malware software just to reduce the instances of pain that irresponsible or ignorant users might present to them. It doesn’t have to be a complete fix to be worth the effort, if it saves the admin a spate of “please restore backups of these files that a game deleted” then that’s desirable.
If I were in this position, I’d prefer that the software flag up known applications that look like a game and yet delete files. In this case it is known, so it’s been listed as malware and I think that’s the sensible precaution for the vendors to take.
Note, though, that it does sound to me like the author has been responsible in warning users of the functionality of the program so I do not consider this to be true malware – there’s no malice. I just think it’s still a reasonable thing to block by default as for most users it probably doesn’t do something they want!
I’d agree with that – most computer users seem completely unaware of the extent to which they rely on good behaviour from their software and often can’t understand why they’d be at risk anyhow.
In order to “behave like a trojan” – the software would pretty much have to do something other than what it says it will do. Since it specifies exactly what it will do, I don’t consider it to be a “trojan” by the definition.
Dangerous, yes, trojan, no.
It’s really no more dangerous than the rm command – it just gives the user a fun, random way to do the same thing that a user can already do on their own.
I inferred a possibility based on what you claimed should happen with your anti-malware software – nothing more.
I never said anti-malware software was useless – but if you rely on it to protect your data, you’re doing it wrong. It should be viewed as a time-saving product, not a data-saving product: it can occasionally save you the time of having to restore from backups due to data loss. I believe you alluded to this also in your followup statement (which I didn’t quote).
Where do you draw the line for “looks like a game”? I’ve seen some pretty fancy/shiny looking software that has the sole purpose of altering files on your system (possibly destroying them) without backing them up first. Sometimes this software just begs you to click a button and destroy data by making the button so nice and pleasant looking.
As it turns out, I’ve seen software I use daily flagged as “malware” because the vast majority of people don’t know how to use it properly, or don’t understand the consequences of running it. In some cases, this software has been added/removed/added/removed from malware listings repeatedly over several years because the malware software authors can’t decide if it’s legitimate or not.
In the end, by choosing anti-malware software, you’ve chosen to let someone else decide what’s best for you. You’re also relying on them to do it right in the first place, which is no guarantee.
Always backup your important data.
Neither do I – but if it looks like one thing and does another, then that is behaving somewhat like a trojan. It doesn’t make it a trojan – trojans are malware and I don’t think this is. But its appearance would still seem to be misleading…
At least with the rm command you know what you’re deleting. Most of the time, depending on how much fun you have with globs!
I don’t actually use any anti-malware software, so I don’t know what exactly is normally expected behaviour. I was merely pointing out what I saw as a logical inconsistency in the article’s suggestion that listing this software as malware is peculiar. I think malware vendors are right to list this, even though I think individual users should take responsibility for their stuff where possible.
<snipped some stuff>
That’s true 🙂 I think in this case the difference is (relatively) clearcut in that the software is trying to mimic the appearance and user-facing functionality of space invaders whilst also performing a function that no sane person would expect space invaders to perform.
In this case the software is doing the honourable thing and warning users about what it *really* does, so it’s not actually trying to deceive them. But I’m happy to see other tools attempting to protect users from their stupidity / misunderstanding.
I know computer users who I can imagine would think the warning messages were some kind of plot background for the game, or click through without reading them. Do these people deserve to lose data? They’ll lose it eventually but I wouldn’t want to speed the process for them 😉
Not really related but – I had a friend who kept an archive of virus code for educational purposes (and, in his case, it really *was* for educational purposes). Whenever he plugged in the hard drive that contained it, his AV software would go insane and slow down his PC for a considerable length of time, even though they were meant to be there (and weren’t being run).
Out of interest, what sorts of things do you find keep going in and out of malware rating? It’s certainly something I can imagine happening in the same way I can think of some network admin tools sometimes being “hacker tools”. Just curious.
True. This *is* the case with all software, in a sense – people assume that their operating system will prevent other users bypassing permissions checks, that their word processor will not silently alter their data … At the end of the day, though, you just can’t remove the human element from your computer system and people do have to take responsibility for foul-ups that they let a computer perpetrate.
Amen. (in fact, this discussion reminded me to do another backup for offline storage!)
Actually, pretty harmless stuff that is generally classified as “distributed computing” software.
Examples include BOINC, distributed.net’s dnetc, Seventeen or Bust’s sb.exe client, etc.
Being a member of several distributed computing forums and mailing lists (and even committing changes to some of them), I often see people reporting “<some famous company>’s antivirus product has flagged <some app> as malware, how can we get it removed from their list?”.
Often times the very purpose of the software is what causes it to be labeled malware, namely: It runs in the background (often as a service, or program that starts up automatically), it eats up CPU resources, it downloads new work, and uploads results to the server, it reports some basic usage info (for statistics purposes).
While these activities don’t destroy data, neither does the majority of malware out there. Most of it is classified as malware simply because it’s running without the user’s knowledge, regardless of what it actually does.
That’s interesting. From what you said, re the software running in the background eating resources and therefore looking malware-ish, is it picked up based on heuristic detection? Or is this behaviour somehow causing anti-malware vendors to add it to their signature lists?
I must admit that my first (naive, I hope!!!) impulse was to think that, perhaps, some script kiddies try to improve their scores in distributed computation competitions by trojanning their clients onto others’ machines. I can just about imagine this being done but it’s not something I’ve thought about before. Have you ever known this happen?
Ah, that’s an excellent question indeed.
In the cases I have seen reported – the anti-malware vendors had specifically labeled the product as such (giving it a “name” and everything).
Thus, it wasn’t necessarily the behavior of the software, but rather someone having reported the behavior of the software to the vendor.
Oh indeed. In fact, there have been known-reported trojans out there whose sole purpose was to install a distributed computing app in a hidden location and start it running. In those cases, the app being dropped by the trojan is not the malware, however, but the trojan itself.
Fortunately, in almost all cases where this behavior has been detected, the projects have blacklisted the user and removed all their statistics. Almost every distributed project out there makes a disclaimer that installation of the software on a machine without the owner’s permission is illegal and subject to fines and/or imprisonment (or both).
In some cases, I even suspect system admins for corporations likely are finding the software installed by some employee (perhaps who is no longer working there), and probably reporting it as malware. Again, this is not a case of the software being malware, but rather an abuse of corporate resources. The same argument could be used if someone was using a corporation’s high-end server to compile nightly builds for some large FOSS project – and yet gcc is not malware.
Oh, that makes more sense. I was wondering how this stuff might get on their lists otherwise. I suppose one would expect that the vendors in question would apply a certain amount of vetting to the stuff submitted – but if they take a “better safe than sorry” approach to categorising an apparently suspicious program they haven’t seen before, I suppose that makes some sense.
Argh! The reason I was hoping that it was naive was that it actually kinda seems like a daft thing to do, given your user ID could potentially identify one (unless you genuinely were doing this out of a twisted kind of altruism, then I assume it would be done to inflate one’s personal account stats …).
Depending on the protocol, maybe they could bounce the results through a proxy to help mask what they’re actually doing (giving the impression that they just own a really big machine somewhere, for instance).
Good 🙂 There are worse things, I suppose, for a script kiddie to do but it’s best not to encourage them. Risking those penalties just to improve some computation stats does seem like an incredibly silly thing to do but I suppose I shouldn’t be surprised that people do it anyhow!
Yep. Would be interesting to see if something like build tools (or OpenStreetMap’s distributed renderer, Osmarender) have ever actually been added to a malware database.
Whilst the procedures for adding reported malware signatures might be relatively opaque for certain companies (don’t know, I’ve never thought about finding out before!) it could be interesting to compare and contrast what something like ClamAV does – I’d hope they’re a bit more transparent, maybe…
It’s an art. It is ok to label it as trojan, too.
By destroying files it shows how we are destroying our time.
After all, every file that was not backed up was not so important.
Any second of our life that was wasted, wasn’t so important too.
Heh.
“One art, please!”
Sorry, couldn’t resist.
It’s two arts!
.
Edited 2009-11-06 11:06 UTC
This whole argument is silly. It’s malware. It destroys data. The average person doesn’t read documentation or on-screen notices (we all know this — they click-through practically everything), so the deletion of files will be unexpected and unwanted. Which is precisely what malware does.
Well, that should teach people to read what’s on screen and not blindly click whatever button pops up first. Knowing that most people act dumb in front of computers, then it should be labeled as malware because it exploits human behaviour.
Sounds like you’ve relabeled malware as: Anything that doesn’t prevent the user from hurting themselves with.
I suspect there are a multitude of tools that come with your operating system that allow a user to destroy their files if they simply click through the warnings without paying attention.
Let’s say that you download a piece of software of unknown/untrusted origin, you run it, and you get the UAC prompt which says that the software is trying to do something which requires elevated privileges. You click “OK”, and it proceeds to damage your machine. Is that malware or not? You got a warning. You had an opportunity to decline. Is there really much of a difference?
Call it social engineering. It leverages well known human behaviors — the tendency of people to ignore documentation and on-screen information dialogs — to do damage to your machine. And it’s designed to wantonly destroy data. It isn’t a defect. It’s intentional. That isn’t art. It’s malware.
Edited 2009-11-05 19:54 UTC
You jumped over the part where the “malware” application starts up and before anything bad happens, the user is shown a full screen of red text declaring: “If you destroy an alien ship, it will destroy a file on your disk”, along with a disclaimer about data loss as a result of using the software…
And if the user chooses to continue from there, doing what was described by the introduction screen, that the results would be exactly as described.
That’s not malware, it’s just User Idiocy.
I agree that users SHOULD read onscreen notices, but the reality is that they DON’T. It’s one of the reasons why malware has become such a persistent problem. Perhaps a better way to evaluate this software is to examine its purpose. IMHO, it was created to create chaos and destroy data — no different than any other malicious malware. Even if there’s a disclaimer.
That’s exactly what this software wants to prove. Even with warnings people do stupid things. If they are hurt they will blame the software instead of their ignorance.
This software/art project is a very explicit way of making this clear and makes us geeks more aware of this problem. We can try and act accordingly.
People learn about the dangers of driving and are instructed to use safety measures to avoid them. With computers, they don’t know about all the dangers involved.
But these people are not at fault. Since computers have become such an important factor of our lives, they should be made aware of the dangers and safety measures. But who can and will?
PS: I want that game on a virtual machine!
Plus, what if someone with malicious intent repackages this software (standalone or with a collection of other games, for example) and removes the notices of data loss? Better to be proactive and detect it now, and I agree, it should be classed as malware. Even if not the developer’s intent, people don’t expect a game to delete their data.
A Symantec rep in the CNET article actually mentions this scenario:
“We are concerned that somebody could take this and modify it in some way where users aren’t aware of the consequences,” Kevin Haley, director of product management at Symantec Security Response, said in an interview on Wednesday. “We want to make people aware of what’s on their machine and they can make the decision on whether to run it or not.”
Edited 2009-11-08 18:37 UTC
Do you really believe it’s so difficult for someone to add this “feature” to any other game out there? Deleting files on a disk is a pretty trivial task…
No, I don’t believe it’s difficult, and the response should be similar in such cases. It’s largely about expected behavior. If I made/hacked a game to acquire your PII or CC#s, or randomly encrypt/corrupt your data, would you not consider that malware even if I gave notice of what I’d be doing? If not my version, would you consider a repackaged release of my game (sans notices) by a third-party malware?
You don’t even need admin privileges to do this, so what good is AV software if it doesn’t warn the user about these types of apps?
I wouldn’t consider this an art. It’s an engineering thing.
I would launch it with chroot and copy some random directories to test it if I really wanted to.
Interesting idea. Reminds me of psDooM – a Doom-based process manager (http://psdoom.sourceforge.net/)
Think it’d be a bit more fun if a file were deleted if you died or lost the game, however. A bit of incentive.
I think this is the original release.
http://www.cs.unm.edu/~dlchao/flake/doom/
It was (or is) a strange tool, the only one I know where a process can defend itself.
I think you’re right – That was the one I was looking for, I specifically remember the bit about the game’s controlling terminal being killed by another monster
So can the player win by not destroying the aliens and avoiding touching them?
His deeper message is the most interesting part of the experiment to me. In fact perhaps it would better illustrate his point about assumptions and real unintended and unknown consequences if he simply warned in big letters about the serious real permanent consequences to the user’s machine but did not specify what they were. Would people still choose to risk shooting at the aliens?
Edited 2009-11-06 09:32 UTC