File:Osm virus letter.jpg

Covering letter from the person who forwarded it

"I got a letter today from one of my friends who's read my Christmas letter and tried out the OpenStreetMap website, going directly there and using Internet Explorer. Apparently it was covered in Advertisements, and when he downloaded the program, the advertisement program came down with it - he thinks the site might have been duplicated/hijacked? Later he went in again via Google and this time everything was alright. Anyway, I'll scan in the letter and you can see - I don't really understand it! Could something be happening with Internet Explorer, which you wouldn't notice because none of you ever use it? Or what?"

The URL that we originally sent them in a letter

"You can look at what they've done on http://www.openstreetmap.org/index.html. If your bit of the country hasn't been covered, then you know how you can get involved!"

Investigation by OSM

Possibility 1: Firefox advert

If the OSM website is visited by a browser claiming to be Internet Explorer, then an 256x256 advert (served by google) appears, recommending a Firefox download.

Since Firefox is a software download, this is one possibility, although it would be extremely surprising if an anti-spyware program objected to downloading it.

Advertising on the OpenStreetMap page layout (click for detail)

Possibility 2: Links from google adverts

Google adverts are displayed below the main map, and these are chosen by Google based on an analysis of the text in our web-page (i.e. they should detect that the user is interested in maps, and display map-related adverts).

The adverts are dynamically generated, and you get a different set each time you refresh the OpenStreetMap front page. They appear as a horizontal bar containing multiple adverts, below the slippy map.

Most of the google adverts are for generic searches ("search for maps on ask.com"). Some are offering maps for purchase on CDs (encyclopedia-style). Interesting ones are listed below:

Possibility 2a: Starware

"Starware Toolbar" appears to be a toolbar for Internet Explorer, in the style of other adware type addons that modify the browser behaviour.

At present, this appears to be the best fit for the incident in the letter above: it claims to offer maps, it appears as an advert on the Openstreetmap front page, and it requires a download that is likely to trigger anti-spyware programs

(in fact, Starware's FAQ indicates that it's known to trigger alerts in firewall software, and perhaps in antivirus software too)

Note: for anyone outside OSM reading this, Starware is not related with openstreetmap, and is not required for accessing any openstreetmap data. They are merely someone who bought advertising space from google, who displayed their advert on our website

Symantec's description of Starware: "Adware.Starware is a Browser Helper Object that creates a search bar in Internet Explorer. It also displays advertisement web pages."

Spyware Guide's description of Starware: "This adware program is in the form of a browser plugin. This toolbar program makes www.starware.com your IE browser's start page and 404 (page not found) error pages. ... Even when you do not use this search engine for you searches, it will monitor the search behavior and display advertisements at the bottom on your IE browser."

Possibility 3: Mistyped URL

Are there any misspellings of openstreetmap.org that lead to spam websites?

Possibility 4: Existing spyware on computer

Some spyware programs monitor your browsing, and create popup windows based on triggers when you load a page (e.g. loading CompanyA's page when you search for CompanyB) appearing to the user to be caused by the website.

Is it possible that a program such as this is replacing the openstreetmap page shown to the user, or redirecting attempts to visit openstreetmap?

Possibility 5: Java content

Editing the OpenStreetMap map requires Java to be installed, and browsers may suggest that Java needs to be downloaded if such content is viewed ("extra plugins may be required to view the content on this page").

Internet Explorer may provide security warnings when running java applets, and may warn that our applet is not signed by anyone that Internet Explorer trusts.

However, you need a user account, and to be logged-in before the Edit tab is visible, which makes this explanation rather unlikely (plus they would likely have seen java content on other websites before visiting us)

Suggestions

a: Disclaimer

We should have a line of text like "the advertisers below are not affliated with OpenStreetMap" to ensure that adverts cannot be confused with OSM content

b: Free access statement

We could have a statement on the front page explaining our Free Software principles, making it clear that all our software is free-as-in-freedom, and that our maps and data can be downloaded, copied, and redistributed according to the principles in the Creative Commons Share alike license

c: Show adverts for logged-in users

This would allow us to spot any problematic adverts, which are currently hidden from the people with the power to change them (i.e. regular OSM users)

d: Consider value of adverts

Can the revenue from advertising be replaced with some other source (e.g. donations, similar to Wikipedia) that don't require us to link to distasteful malware from our website?

e: Have some people who use Internet Explorer

This isn't really practical and may well be banned under the Geneva conventions, so we may have to rely on reports from other people to say what the website looks like in Internet Explorer.