Hi Fred - Many of us are employed deep within corporate IT departments; I'm actually a Regional Chief Technology Officer. Like everyone else, we, too, have our share of the "effects" of spyware, or better yet, I like the term.... "cr*pware". For home users, it's easy to use the free-to-use products, but that's not so easy for corporate or government users. We seriously enforce software licensing; thus, without purchase, most all of the anti-spyware products cannot be used.
Purchasing itself isn't the issue, but we don't like to buy licenses one by one. I'd like to find an enterprise solution where seat licensing is more affordable. However, our experience is that no one product usually seems to be enough. It often takes a combination of two or three products to clean a system once it has fallen victim, occasionally more. Of course, if my pockets were deeper, an enterprise license for several products might be what's necessary. However, my pockets aren't deep.
What's your suggestion for the corporate world? Do we use the hosts file route, which, by the way, I have used on my kids' systems, for all systems and then use software products for cleaning problem machines? What kind of performance hit does a system take with thousands of lines in a hosts file? What to do, what to do....
Thanks, Dan Greeley
It's one thing to require that all commercial software be bought and paid for--that's a good thing! But any organization that explicitly prohibits all noncommercial software--"without purchase ... products cannot be used"--simply is crippling itself. That kind of rule, if uniformly enforced, would make your business unable to use any open-source software, or any software issued under the GPL Gnu Public License or any freeware whatsoever. This could include many distributions of Linux; most popular Web-server software; office suites like OpenOffice; browsers like Mozilla/Firefox; languages like Perl and so on.
In two words: That's nuts.
There's plenty of high-quality free and very low-cost software available that can do just what you want and more; totally legitimately, legally, and under license. However, the licensing may not be in a form immediately familiar to whoever's setting your software purchasing rules. I fully realize that changing a bureaucratic mindset can be very difficult, so let's look at some of the less-familiar forms of licensing in the hopes of providing you with the ammunition you need to get this type of software on the "approved" list. We'll then look at the separate issue of using the "Hosts" file as a security tool.
The Gnu Public License (GPL)
The Gnu Public License (GPL) is a totally valid, totally legitimate form of copyright. It actually begins with a completely standard copyright, same as any other software, but then formally and legally codifies the user's rights to copy, share, and redistribute the software; or to alter and extend the software in a legally stringent way. Despite what some people think, GPL is not a lesser form of licensing, but actually is a kind of "copyright plus." The thinking that "software that doesn't cost money up front cannot be legitimately licensed" is simply wrong. GPL software is fully licensed, just differently.
The "Dedication" License
There are other forms of software licensing, too. For example, the highly regarded Spybot Search And Destroy anti-spyware tool--a tool I enthusiastically recommend--ships with a form of public license that simply states: "I grant you the license to use Spybot-S&D as much as you like." There are no usage restrictions whatsoever, and that includes use in enterprises, governments, and the like. The author didn't use the Gnu Public License because he wants his software left as-is (the GPL grants rights to modify the software); so the author of SpyBot S&D crafted a license that allows for unlimited use and redistribution of his unmodified code.
The license is unusual in that it includes a personal dedication; and in that the software author accepts (but doesn't require) voluntary donations. But this quirky license is just as valid and just as binding as a dense, legalese, multipage license from Microsoft, Sun, IBM, or anyone else. You can see the full Spybot S&D license here. It's actually rather refreshing to read--a warm and human document radically different from but no less valid than conventional licensing documentation.
In short: There's no reason whatsoever for any business or government to prohibit, a priori, the use of an excellent tool like Spybot.
What About "Voluntary" Contributions?
Because a license document is legally binding on all parties, if an author says that no payment or purchase is necessary, that is in fact true whether you're installing the software on one system or 10,000. There's no catch or gotcha lurking there to trip up commercial installations.
Take the case of Spybot S&D, for example: You can use it on your own system, or post it on a corporate server and install it companywide on every PC in the enterprise; all for free. That's what the license says.
Of course, software costs time and money to produce, so if you think enough of a software tool to deploy it, it makes sense to help ensure the ongoing viability of the software publisher by offering at least a modicum of support. For a large shop, $1 per seat--or even 50 cents per seat--would be welcomed by the author. For smaller shops, a few dollars per seat would be great.
In any case, let your budget and your conscience be your guide: If you can't afford anything, that's fine (and totally legitimate). But if you can afford even a modest payment, it's smart business to help keep the software's author in operation.
SpywareBlaster, another recommended anti-spyware tool, uses a somewhat different but no less valid type of license.
The basic software is offered without restriction, but the software's authors ask that business users voluntarily purchase an enhanced version of the software that can auto-update itself (the standard version requires manual updating). But this auto-update feature is completely optional, voluntary, and not required for business use:
"Business use licensing policy for SpywareBlaster 3.2. ALL USERS may download SpywareBlaster 3.2 for free. While we strongly recommend that Business users purchase an AutoUpdate subscription to ensure up-to-date protection, this is no longer a license requirement. Business users may download, evaluate, and/or use SpywareBlaster 3.2 without purchasing an AutoUpdate subscription."
So, any user, including businesses and governments, may use SpywareBlaster for free; it's a totally legitimate, licensed use. But those who wish the convenience of auto-updating, and/or who wish to support the ongoing development of the software may purchase the auto-update version for $10 per seat per year. (Note: A networked version of SpywareBlaster is also in the works. The site says: "We anticipate its release within the next 2 months. The network version will assist administrators of large networks in protecting large numbers of machines, and in keeping that protection up-to-date.")
See this page for complete license information.
Split Free/Commercial Licensing Tools
The highly regarded Ad-Aware anti-spyware tool is a good example of split licensing: The publishers offer the software in several versions, each with a separate license. The basic product, "Ad-Aware Personal," is free and available for noncommercial use by private individuals; "Ad-Aware Plus" offers more flexibility and functions, and costs $26.95; "Ad-Aware SE Professional" offers still more flexibility and features, and is aimed at IT professionals and corporate/governmental installations. One copy costs $39.95, but the per-seat cost drops to as low as around 70 cents a seat with very large volume purchases. You can see all the pricing options and read the full license terms for each version via the link to Lavasoft above.
There are many other good tools available, usually with utterly conventional personal/retail licensing, and separate corporate/governmental licensing: For the former, individuals and small businesses can buy the software on the Web or from a retailer; for the latter, volume buyers contact a sales rep and negotiate the license terms. A few examples of this type of software:
Watching The Bottom Line
In working through the examples above, you probably noticed that the more conventional the licensing, the higher the per-seat cost. While that's not an absolute rule--there are exceptions--it's generally true.
That, in turn, gives you powerful ammunition in any discussions with conservative bean-counters and bureaucrats who balk at anything other than the most familiar and conventional forms of software licensing: Products issued under the GPL or any of the other less-familiar forms of licensing afford some of the greatest savings possible; and can significantly extend your software budget while keeping your software environment totally legal, licensed, and legitimate.
There's also a "devil's advocate" argument you may find useful: If your business disallows freeware such as Spybot S&D and SpywareBlaster, it also should disallow GPL, open-source, and other forms of freeware, too. That means any business with a "no freeware" rule must not use Perl on its E-commerce Web site; nor host the site on Apache; nor run the Web server (or any workstation) on Linux; etc. In fact, pushing the "no freeware" rule to its logical limits is a fine way to prove just how illogical such a rule really is.
In fact, you usually can find examples of some GPL, open source, or other freeware operating at the heart of any enterprise--perhaps even running the core business. This deeply undermines the argument that freeware is inherently inferior or unlicensable; and helps you make the case that software should be judged by its quality and usefulness; not by its licensing model.
The Hosts File Approach
Finally and separately, let me try to dissuade you from using the Hosts file to control site accesses:
The Hosts file is an archaic part of networking setups that was originally meant to be used on a LAN; it tells a PC the fixed numeric address of the internal server(s)--the LAN Host(s)--so the PC doesn't have to go looking for them through all possible addresses. It can save time when "discovering" a LAN.
But the Hosts file can be used for other purposes, too. For example, some less-than-stellar Internet speed-up software tries to shave a few fractions of a second off an Internet connection by placing the numeric address of external Web sites in the Hosts file so a Web browser won't have to look up the addresses externally. This works--as long as the site's numeric IP address never changes.
But IP addresses do change--and they're supposed to be able to. The Web operates via "dynamic" naming, where a human-friendly name (e.g., "informationweek.com") is actually an alias for the real address, which is numeric (in this example, 126.96.36.199). The numeric address can and will change from time to time as a site or server is moved or reconfigured.
People with out-of-date addresses hardwired into their hosts file will no longer be able to connect to any site whose numeric address has changed--the hosts entry will permanently point them to a dead location!
In fact, the hosts file is sometimes abused this way by hijacking software that writes a new, fake hosts file onto a system, substituting a bad numeric address (such as a porn site) for common locations such as Microsoft.com, Yahoo.com, Google.com, and so on: When a user tries to access any of the sites in the fake hosts file, they're redirected to the new site, such as the porn page.
Some "security" software tries to hijack the Hosts file in a benign way; and users can do it on their own as well: You use the Hosts file to associate a known-safe, numeric address with the names of sites you want to block. When the user or any process on the PC then tries to access a blocked site, it is instead directed to the safe location.
This works, but runs into the same problem as mentioned previously: A Hosts file is static, and the Web is extremely dynamic. It's almost impossible to update a Hosts file frequently enough to guard against all threats; and even if you did, you'd probably also run into problems in accidentally blocking good sites that happened to move to new numeric addresses.
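As an added example (not part of the column), here is a small Python audit that applies the distinctions above to a constructed hosts file: legitimate LAN entries, blocklist-style "sinkhole" entries pointing at loopback or 0.0.0.0, pinned public addresses that will go stale, and the hijack pattern of well-known names redirected to one foreign address. The watched-name list and the sample addresses are assumptions for illustration; 203.0.113.0/24 is a documentation range standing in for public addresses.

```python
"""Audit a hosts file for the uses and abuses described above (added example).
lan = RFC 1918/link-local target (the original LAN purpose); sinkhole = loopback or 0.0.0.0
target (blocklist-style); pinned = public name mapped to a public IP (goes stale when the
site moves); hijack = well-known name mapped to a public IP the site does not own."""
import ipaddress

# Names commonly targeted by hosts-file hijackers (constructed, illustrative list).
WATCHED_NAMES = {"localhost", "microsoft.com", "www.microsoft.com",
                 "google.com", "www.google.com", "yahoo.com", "www.yahoo.com"}
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fc00::/7", "fe80::/10")]

# Constructed sample; 203.0.113.0/24 (a documentation range) stands in for public addresses.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.1.10    fileserver fileserver.corp.example   # legitimate LAN entry
0.0.0.0         ads.tracker.example                  # blocklist-style entry
127.0.0.1       spyware-download.example
203.0.113.7     informationweek.com                  # pinned: will go stale if the site moves
203.0.113.66    www.microsoft.com google.com         # hijack pattern: well-known names to one foreign IP
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs; tolerates comments, blank lines and several aliases per line."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field: skip rather than guess
        for name in fields[1:]:
            yield ip, name.lower()

def classify(ip, name):
    if name == "localhost" and ip.is_loopback:
        return "lan"                       # the one loopback mapping every system needs
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"                  # 127.x / ::1 / 0.0.0.0 used as the "known-safe" target
    if any(ip in net for net in LAN_NETS):
        return "lan"
    return "hijack" if name in WATCHED_NAMES else "pinned"

def audit(text):
    """Return {category: [(ip, name), ...]} for every entry in the hosts text."""
    report = {"lan": [], "sinkhole": [], "pinned": [], "hijack": []}
    for ip, name in parse_hosts(text):
        report[classify(ip, name)].append((str(ip), name))
    return report
```

Run `audit(open("/etc/hosts").read())` (or the Windows `drivers\etc\hosts` path) to see which category each entry on a real machine falls into; anything in "hijack" or a large "pinned" list is what generates the service calls described above.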
There's lots more information on Hosts file abuse here, but I don't recommend its use for anything other than the original, and now archaic, purpose for which it was intended. Anything else is a misuse of the Hosts file, and runs a high risk of causing unnecessary service calls in the future when the user can't connect to some valid site they want to get to.
Instead, use the free and low-cost tools mentioned earlier, even if it means fighting a guerrilla war with the bean counters or other licensing authorities in your workplace. There are many forms of licensing, all completely valid. Any organization that's cutting itself off from GPL and other totally legitimate forms of licensed freeware is seriously hurting its own business!
What's your take on freeware? Do you use it on your own PCs? On your business machines? Is it explicitly allowed or disallowed by your business? Have you run into closed minds and corporate biases against GPL, open-source, and other forms of freeware? How have you made the case for the use of software with nonstandard licensing? Join in the discussion!