To limewire programmers and potential and current limewire users:

Although I understand that limewire designers work very hard and need to make money, they way they have chosen to do it is unconscionable. Limewire has completely lost my trust.

I first started using Limewire a half year ago (July 2001). At this time there was a big message on their website touting the fact that they, contrary to many of the popular filesharing programs, did not use spyware.

Spyware are programs that monitor your online actions and relay these actions to advertising companies. Advertising companies pay software developers to include this spyware in their software downloads.

I used limewire for a few months with no problems whatsoever.

Then, three or four months ago, came version 1.8. This version included advertising banners and optional installs of 3rd party "ad-ins."

Right away users posted that they had researched and monitored the actions of these ad-ins, and had found that they were notorious spyware programs. The developers first denied it. Then they were evasive. Then they said the ad-ins were optional.

Several anti-spyware websites also said that Limewire was installing spyware, with or without user's permission.

Further updates came, but the ad-ins remained.

------------------
"Cydoor is not an optional install, but Cydoor does not collect any information about you -- it's just an ad-engine." -- a. fisk, limewire developer
-- December 2001

from "future of limewire?:"
http://www.gnutellaforums.com/showth...1&pagenumber=1
------------------

Then, in late December 2001, several commercial anti-virus programs started listing one of the ad-ins as a backdoor trojan virus.

In early January 2002, limewire admitted that it did use this ad-in. Limewire said they had no idea what the program did and had hoped that "the company in question would have investigated it's package better" for them:

http://www.limewire.com/index.jsp/trojan

-----------------
From a link in the above url (wired.com):

"A Trojan horse program masquerading as an advertising application was included with recent versions of programs BearShare, LimeWire, Kazaa and Grokster. The Trojan, dubbed "W32.Dlder.Trojan" by antiviral companies, is contained within an application called "ClickTillUWin" which promises users a chance to win prizes."

"We rely on Cydoor to deal with our ad deals and bundled software. We assumed that they did their homework on this [clicktilluwin] package but that does not seem to be the case," said Bildson [limewire's chief technical officer].
-- January 2002
-------------------

Limewire released a new version shortly therafter that did not contain that
ad-in. The other ad-ins remained, but were switched to optional installations.

Here we are a month later, and questions about the spyware still remain (you may need to copy and paste these links in sections):


"keyboard sniffers built in?"
http://www.gnutellaforums.com/showth...?threadid=7401

"going around behind our backs again?"
http://www.gnutellaforums.com/showth...?threadid=7357



If you want more detail on the history of this debate:

"Limewire 1.8 beta" -- present:
http://www.gnutellaforums.com/showth...5&pagenumber=1


"Do you accept spyware?:"
http://www.gnutellaforums.com/showth...5&pagenumber=1



If I have ommited anything, or if I am anywhere misinformed please add it below.

Feel free to share your opinion on the spyware debate.

Peace

Just found this in "osX:"

----------------------
"No LimeWire version contains any bundled software except for the Windows version." -- a fisk, limewire developer
-- january 28, 2002

from "spyware in limewireX?:"
http://www.gnutellaforums.com/showth...?threadid=7458


"I downloaded, for the first time, the latest limwire basic per a friends suggestion earlier today. Then in a CLIENT presentation about an hour later - using os x ie 5.1, the URL was re-directed to limewire.com to buy the pro version - by no action on my part - I was presenting and wasn't even touching the computer."
-- February 5, 2002

"url redirection in limewire basic:"
http://www.gnutellaforums.com/showth...?threadid=7907
---------------------------

Sounds a lot like this post:

"How's this? Try buying something from OfficeDepot with [s]LimeShop installed.

I'm perfectly happy with ads on the client. I can live (although not necessarily happily) with referral IDs being added to URLs for shopping sites I'm already visiting. No farking way am I going to leave something on my machine that redirects www.officedepot.com to www.officemax.com/referrer=limeware.

I avoided Gator & OC. I wasn't given the opportunity to avoid LimeShop. Ad-aware didn't pick it up, and it took a good half hour of my time before I noticed it in my program list. Limeware is gone, along with any chance of them seeing $8.50 from me."
-- January 31, 2002

"going round our backs again:"
http://www.gnutellaforums.com/showth...?threadid=7357

Well the unethical behavior continues. Unbelievable. Limewire is now using a bundled ad-in called "top moxie" or "limeshop."

This software changes your URL's, so that when you go to amazon.com, for example, it thinks that limewire referred you there, and pays limewire a portion of the money from things you buy.

This seems to be plain illegal to me. If I were amazon.com, I would be very angry that limewire was stealing my money. It's one thing if you click on an ad on the limewire website that brings you to amazon.com. But with topmoxie, limewire has absolutely nothing with my going to amazon, yet amazon pays you anyway.

-----------------
"If this brings in enough revenue, we very much prefer it over other bundled software (spyware), and we hope that everyone will agree." -- a fisk, limewire developer.
-- january 16, 2002

http://www.gnutellaforums.com/showth...5&pagenumber=1
-----------------
(at least they're admitting they use spyware now).

The second part of using topmoxie, is that if you click on an amazon.com banner on another site, limewire makes the money, rather than the real referring site:

"I see what you are going through but overwriting and taking a browser's URL functionally destroys our entire companies marketing campaign. I have been a long time fan of lime wire up until yesterday.

When we send out emails and URL's to our customers we use links back to our site. Since I installed lime wire -- no links work because you have overwritten all references and redirected them through linkshare.

All our other affiliates are now getting over written by you as well. You are taking money from other people.

When some one tries to unsubscribe they get redirected instead of landing on our page. Our customer service department will get destroyed. I could go on but you get the picture.

You need to get in contact with us-- I want to work with you on this. I do not want you to be black listed on the affiliates program, being an affiliate is a privilege. Let's get something done about this." -- Michael, ethical web developer Road Runner Sports
-- February 5, 2002

(same post)

LIMEWIRE, YOU SHOULD LOOK UP THE WORD MOXIE.

I'm not sure what I'm doing with this post. I like limewire. I think the developers are TRYING to make an honest living from their work. They have failed miserably.

Not only do they bundle spyware and topmoxie (which are dishonest ways of making money), but they have been consistantly evasive and even deceitful to users regarding their use (see history posts above).

If you are doing ethical business you do not need to avoid, hide, or "spin" the truth to make it more palatable.

I'm afraid the limewire development team has always known exactly what they're doing (if not at first, then after loyal users told them about it).

-------------------
I want to see an official answer, by limewire, to the following questions regarding their free limewire software and installer:

1. What, non-LimeWire-essential, software do you currently bundle in the latest (non-beta) LimeWire release?

2. What does each of these softwares do (their purpose and their method)?

3. Do these softwares ask me for permission every time before they "run" and before they perform an action?

4. Do these softwares tell me and/or create a log (that I can look at) of what they're doing.

5. Can I choose to not install these bundled softwares?

6. Do you answer and explain the previous five questions, clearly, to your users in a place where they must see it before they install limewire (on your website and during the installation)?

I am sorry to hear that you feel we have been deceitful in any way. I, of course, strongly disagree with this perception, and I think that you have missed several points along the way.

First, we give you the option to buy LimeWire Pro, where none of these issues apply.

If you choose to install the free version, we do not deny (and we have never denied) that there's optional bundled software in the application. Far from denying it, we state this explicitly in the installer, and this has always been the case. You did not need to "research" what we were installing, because we were telling you in bold letters that we were installing Gator and TopText, giving you the option not to install either one. We always gave you this option.

Regarding Cydoor, as we have said numerous times, Cydoor is an ad engine. It serves ads in the same way that the banner on the top of this web page serves ads. Simply put, LimeWire makes money from advertising in the same way that three quarters of the technology companies in the world make money from advertising. Outside of the technology sector, much of the entertainment industry follows the same model. LimeWire is clearly not alone in the advertising business, and I feel strongly that we should not be condemned for making money from advertising.

Regarding the "Trojan" that was temporarily installed with LimeWire, Symantec has since corrected its assertion that this was a malicious virus, as you can see at the following link:

http://securityresponse.symantec.com...w32.dlder.html

We were also being truthful when we proclaimed that we were not aware that this software reported information back to ClickTillUWin, as were four or five other software companies being truthful when they claimed not to have been aware that this was the case when they included it with their programs.

As far as LimeShop goes, there are many companies that profit from affiliate programs as well --- www.ebates.com, for example. We prefer this method of making money to using advertising, as we feel that it annoys users less and does not change the user experience. We have been in contact with RoadRunner Sports to correct the glitch that was causing them problems.

So, while I symapthize with your frustration regarding these issues, I really do not think that we have been anything but truthful in these matters. I also ask you to recognize that we have tried to provide the users with as many options as possible while still allowing LimeWire to exist, providing optional installs of bundled software and providing the LimeWire Pro alternative.

Thanks.

About TopText and Gator. These are optional installs in limewire, however some users may inadvertantly enable them:


TOP TEXT supplied by E Zula:

"This software super-imposes advertiser contextual links over Web pages viewed by the user via MSIE. Currently, eZula has not made available a way for Webmasters to disable links from showing on their sites. Those links can lead your site viewers/customers to your competitors.

Users can experience interrupted navigation on web sites since TopText also hijacks links within Web pages. When a user clicks on a navigation link that is also a TopText link, the user gets a small popup box with a small link to continue with normal navigation and another link of the same size or at times a larger advertisement encouraging the user to leave the site. This can be both frustrating for the user as well as the site owner."

-- http://www.thiefware.com/info/data.toptext.shtml


GATOR:

"Gator is a software product that can automatically fill in passwords and other form-elements on Web pages. But its main purpose is to load an advertising spyware module called OfferCompanion, which displays pop-up ads when visiting some Web sites. Gator boasts that since it's software is always running, it can spam users with "Special Offers" and other ads anywhere they go--even competitors' sites--with remarkable targeting capabilities, since it can spy on what sites the user is visiting."

-- http://www.cexx.org/gator.htm

"Gator tracks the sites that users visit and forwards that data back to the company's servers. Gator sells the use of this information to advertisers who can purchase the opportunity to make ads pop up at certain moments, such as when specific words appear on a screen. It also lets companies launch a pop-up ad when users visit a competitor's Web site."

-- Tribune media (http://www.azstarnet.com/public/star...roundzero.html)
____________________________________

Regarding TopMoxie, the NON-OPTIONAL software that installs with free limewire:

If I go to amazon.com (for example), of my own accord, TopMoxie redirects my url to make it seem like I was referred there by limewire. Limewire then gets a percentage of the money I spend. That is, in my opinion, stealing.

If I was visiting ebay.com and clicked their amazon.com banner, ebay would not get the referral, limewire would.* That is, in my opinion, stealing.

Numerous companies engage in fraudulent activities. That does not mean that it is ok.

Regarding CyDoor, a non-optional install:

Cydoor has cleaned up it's act in the current version of the software, 3.2 (I assume this is the one limewire bundles). It is no longer as much of a cause for concern as the other bundled software:

"In our test installation, Cydoor's CD_CLINT.DLL downloaded executable code to the test system [log]. While the code (a Visual C++ library, ATL.DLL) was not malicious, the program's ability to silently load executable code presents a potential security vulnerability to the user."

-- cexx.org/cydoor.htm
________________________
Regarding the cilcktillyouwin issue:

ClickTillYouWin which was distributed by CyDoor, was never a "malicious" trojan, as shown in Adam's link. This means that the ClickTillYouWin company was not using it to hack (break in to), crack (do damage to), or control its users' computers.

It does, however function and look like a trojan, which is why anti-virus companies classified it as such.

Despite ClickTillYouWin's non-malicious intent, their software (masquerading as an online gambling game) is in fact a potentially harmful trojan that submits data about the user without the user's permission.

"This two-component spyware-trojan was discovered in the end of December 2001. The DlDer spyware-trojan was supposed to be an on-line lottery game with an adware component that had to display advertisement and offers. But the way it was implemented and dropped to users' systems made anti-virus vendors consider it a spyware-trojan. Do note that DlDer is NOT a virus, as it doesn't spread.

The trojan being installed on a user's system downloads or upgrades its main component that connects to a website and reports user's ID (unique for each computer), IP address, web browser a user is using and URLs that a web browser opens."

-- http://www.europe.f-secure.com/v-descs/dlder.shtml


After removing this software from free limewire, limewire commented:

"We rely on Cydoor to deal with our ad deals and bundled software. We assumed that they did their homework on this package but that does not seem to be the case," said Bildson [chief technical officer at LimeWire].

-- http://www.wired.com/news/privacy/0,1848,49430,00.html


The two main points in this particular issue are:

1. When you use controversial methods to make money, you are walking a fine line. Some people and companies you deal with will be just on the honest-side of this line, and some will have crossed the line into dishonesty or even illegality (violation of privacy acts).

2. LimeWire "assumed that [CyDoor] did their homework on this [ClickTillYouWin] package." Similarly, limewire users EXPECT that limewire does it's homework on the software it includes in its filesharer.

Thanks for your thorough research in this area. My biggest issue with this critique, however, is that it doesn't offer an alternative. Do you see other avenues for LimeWire to continue bringing in enough revenue to operate? I do sympathize with many of these issues, as does much of the LimeWire team. I just think it's difficult to imagine being in our shoes trying to create as high quality software as possible while maintaining a viable company.

Regarding the Cydoor/ClickTillUWin incident, I agree that we should have been more careful in determining what the software did. We trusted Cydoor as our partner, and we should not have done so. I do want to point out that most of the major file sharing applications made the same mistake, however. Why not just recognize that we made a mistake that was quickly corrected and leave it at that?

As far as Cydoor posing a security risk in its ability to run executables, this will only occur if they do, in fact, load malicious executables, which they have little to no incentive to do. Moreover, countless applications have a similar "security hole" in that any application can load and run an executable if it so chooses.

Firstly, you say, "We trusted Cydoor as our partner, and we should not have done so." Yet you continue to include Cydoor as a non-optional install in the free limewire.

Secondly, this post is not about how to keep limewire afloat. That's not my job.

However, I will outline limewire's situation:

1. Gnutella client software is opensource.
2. There are several filesharing softwares out there.
3. If you stop offering free limewire, users will use other software.
4. Filesharing is a controversial issue.

The question limewire must ask itself is, "What do we offer that the other file-sharing systems don't?"

The big issues here are:
a. Ease of use.
b. Number and diversity of files shared.
c. Ability to find these files quickly.
d. Ability to download these files quickly.
e. Stability both in terms of the software, and the file-sharing institution.

If you are focusing on other issues, I suggest you reexamine your priorities (chat facility, mp3 player).

If limewire is the best in these areas, people will pay a "shareware" fee for your software. If not, they won't.


As to creating revenue:

I assume you know how many users you have daily, monthy, yearly, based on how many people access your router.

Hire someone to investigate advertisers. I'm sure there are a few big companies that don't mind being associated with filesharing that will endorse limewire. By endorse, I mean pay a yearly fee to have their logos permanently on your software.

I was having trouble with Gnotella not staying connected so I thought I’d try LimeWire to see if I’d get any better results. I ran the installer and opted out of the optional stuff. I wasn’t too happy with the installer. It made connections to the Internet as part of the install process and didn’t really tell me what it was doing, but I was in a lazy sort of mood and just let it do what it wanted. When it was done I fired it up. It didn’t seem to be working very well and I didn’t like the interface. Nothing in particular, maybe it was just because it was different and I’m getting to old to keep climbing learning curves. Bottom line, I uninstalled it and went on to other things.

At least I thought I uninstalled it.

The next time I restarted my box Zone Alarm informed me that “JavaRun.exe” wanted to be a server. Since I didn’t know what JavaRun.exe was I said no and started investigating. Eventually I found a registry entry in the windows run key firing up JavaRun.exe with a bunch of switches for something called “TopMoxie.” Eventually I figured out that the LimeWire installer had set all that up and left it there after the uninstall.

I checked the LimeWire and TopMoxie websites and they both said that TopMoxie would be uninstalled with LimeWire. Since that didn’t happen I sent e-mail to LimeWire and TopMoxie asking them how to get rid of it. LimeWire never responded, but a droid from TopMoxie did. He said all I had to do was run the uninstaller from Add/Remove Programs and it would fix it. I replied telling him I had already done that, but TopMoxie was still there—with no uninstaller in Add/Remove.

He wrote back saying, in effect that was not possible. Miffed, I manually cleaned up my registry and deleted all the TopMoxie files. I also sent another e-mail to TopMoxie with a cc: to LimeWire explaining what I had to do to get my box cleaned up and asking for a straight forward explanation of exactly what happened during the install process. TopMoxie replied again, LimeWire didn’t. The response, from the same guy was once again to tell me that running the uninstaller via Add/Remove would clean it all up.

Never treat an unemployed geek like an idiot; he has way too much time to make you look silly.

I went through the entire install process again, this time using Ad-Aware and checking the registry at each step of the way to see exactly what happened. I also documented it all. I won’t bore you with the details. Needless to say the same thing happened again, but this time I also got to see Cydoor mutate a little so it could stay on my system even if I deleted the original installation directory.

I send my results to the TopMoxie fellow and he responded saying that because I stopped JavaRun.exe with Zone Alarm the install process never completed so everything did not get configured for a clean uninstall. He also said there was not much they could do about that, thanked me for the detailed analysis, and apologized for the inconvenience.

I told him the Ferengi Commerce Authority would be proud of TopMoxie’s business methods then cleaned up my system again and sent a e-mail to Ad-Aware asking them to add TopMoxie to their signature file.

After all that I tried Gnotella again and it worked like a charm. Go figure.

I need a job.