Slashdot Mirror


Mattel Spyware

Yet another company has been caught surreptitiously uploading information from their customers. This time, it was Mattel, who I would have thought would have already reached their "bad PR" quota this year by suing the people who distributed CPHack. But no; they're spying on the children who use their software too, and Simson Garfinkel raises some very important points. A hint for all the /. readers who are handy with a debugger: you want to get your 15 minutes of fame, just figure out what information the DSSagent program is sending and let us know.

298 comments

  1. Re:Laws? by Anonymous Coward · · Score: 1
    Another company that doesn't announce that its software tracks you, but indicates it in the Privacy Policy, is Hotbar.com. It looks like it's just skins for Internet Explorer, but sneakily in the background, it updates a database...

    Other activities in which you participate on the site and when you use the Software may be tracked anonymously, and will never be associated with your personally identifiable information.

    Hotbar uses various methods to collect certain other kinds of information that cannot be personally identified with you, including "cookies," "referrers," IP addresses, GUIDs, operating metrics and environment variables.

    And...

    This information may be used to identify broad demographic trends that may be used to provide information tailored to your interests.

    And...

    GUIDs may also be used to uniquely, however anonymously, identify visitors of this site when they access its pages.

    Operating Metrics - Information regarding the usage of the Software by users in aggregate such as the average amount of time that the Software is operating and the number of click-throughs a service offered through the Software receives. We may use the information to research the users' habits in aggregate and understand the popularity and effectiveness of the services we offer so we can improve them in the future.

    The non-personal information gathered and tracked through our system will not be used by us to attempt to identify you personally.

    But we could sell it so that it then can be...

    You're welcome,

    Marty.

  2. Barbie phone home by Anonymous Coward · · Score: 1

    If they ever release a Barbie doll that hooks up to your PC, make sure its eyes aren't cameras and its ears aren't a microphone.

    1. Re:Barbie phone home by Black+Parrot · · Score: 1

      > Haven't you heard of "Talk to Me Barbie"? It plugs into a serial port.

      I didn't know Barbies had a serial port. Dare I ask where they hide it?

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:Barbie phone home by sconeu · · Score: 1

      They already did. Haven't you heard of "Talk to Me Barbie"? It plugs into a serial port.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:Barbie phone home by sconeu · · Score: 1

      In her computer desk.

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  3. Some Advice Needed!!! by Anonymous Coward · · Score: 1
    I have always been afraid of something like this. I am esp. worried now that the "self-help" provision may soon be law, allowing software companies to monitor my computer to make sure I am using their software "correctly". I have a sneaky suspicion that many of these companies are already shipping these "little" programs in our software, but not "turning them on at the moment"--or worse, turning them on and not telling us.

    I am wondering if there is any advice you could give, or recommend any programs that can monitor my computer's connection to the Internet, and make sure that no information is being sent that I do not know about.

    The author of this article obviously had no problem finding the culprit, but I don't trust myself to have the same level of skills. So, if anyone can give me some pointers, point me to some educational resources, etc., I would really appreciate it.

    And boy, what a great company that Mattel.

    1. Re:Some Advice Needed!!! by Guardn · · Score: 1

      Just install a personal firewall on your machine; there are many available for download. They let you decide which program may contact which server.

  4. It comes with all their programs by Anonymous Coward · · Score: 1

    Brodcast is part of virtually every recent Broderbund program... all the help files say is that it's for updates, blablabla, nothing really useful. Most of their stuff has a little checkbox at startup to deactivate it.

  5. The workers would never have made such a mistake by Anonymous Coward · · Score: 1

    Think about it: Mattel software is obviously designed by the same sort of people that design all other software, namely geeks.

    Now the geeks I know all value their privacy: they use the anonymizer, never give out their SSN, and never allow cookies from commercial sites. One of them even chased a census agent off his property!

    Anyway, the point is that the people who make the software probably weren't too thrilled about it. Rather, it was the higher-ups, the CEO, CFO, and other three-letter types who decided to violate everyone's God-given right to privacy. Why? I guess it looked good on the budget sheet, and that's all that matters.

    But what if it were the geeks who made the decisions? Would they spy on their fellow-man? Would they sell your personal information to the highest bidder? I think not. On the contrary, they would work hard to protect your privacy, and even see it as a benefit, a value-add in the most important sense.

    The workers are always more honest than the exploitive robber barons. Carnegie, Morgan, Vanderbilt, and others all preyed on the working class, and earned huge bank accounts with the blood of others. Will this happen again? Will your freedom be sacrificed to increase stock value?

    It already has. The geeks need to realize what power we have. Like Ayn Rand showed in Atlas Shrugged those who keep the world in motion also have the power to stop it entirely. If the geeks of the world held out for control over the means of production, problems like this would simply disappear.

  6. Re:Spyware Removal by Anonymous Coward · · Score: 1

    The GRC "Spyware" Remover does its job well... but be sure to take whatever you read on the GRC site with a grain of salt. The Aureate/Radiate software in particular does absolutely no spying on anything, and Gibson probably knows this as well. Obviously he wouldn't say that though, or no one would download his software :) Keep in mind that using the "spyware" remover will most likely break any of the software applications you have installed that depend on those DLLs.

  7. Re:Mattel was already on my shit list by Wansu · · Score: 1

    We may see the day when people go to war against corporations instead of countries. The types of abuse described in your link might ignite this conflict. Profits in and of themselves aren't obscene but companies who obtain them by treating people like dirt are.

    --
    Wansu, th' chinese sailor
  8. Ralph Nader by jafac · · Score: 1

    Perhaps someone needs to make Consumer's Union (Consumer Reports) aware of this - maybe they'll start reviewing software for reliability, security, and privacy. . .

    Seems like the industry NEEDS an independent QA body like this.

    If it ain't broke, fix it 'til it is!

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  9. Re:Hands up who actually inspects it all by jafac · · Score: 1

    Nor is my mother-in-law going to inspect every line of code.

    I think we need some good old fashioned consumer advocacy applied to the software industry, and pronto.

    If we can't crack open the box, at least it can be tested by an independent source; government funded or otherwise.

    If it ain't broke, fix it 'til it is!

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  10. Re:1000 bucks? by tzanger · · Score: 1

    Are you sure that you are $1000 better off? Don't forget to factor in costs of your wife working. She will have to get to work, and will ruin her clothes there. Unless she can walk there, you will be paying a minimum of $2/day in transport. You might also be forced to eat more prepared foods, which are more expensive. If you are forced to help her out with house work, you will have less time for repairing things and so they will break more often and have to be replaced.

    Okay maybe not $1000, maybe only $800. Fact is that it's quite a bit more than $0. :-)

    Taking your facts:

    • Clothes: Factory work. Need I say more? Clothes are grubbies.
    • Vehicle: 2min drive, 20min walk. Depends on her mood/weather/kids. I'll take your $2/day and say $2/week, taking into account gas and wear&tear. That's now $8/mo.
    • Food: She brings a lunch but may get a prepared snack/meal the odd time: $50/mo.
    • Home: I just spent the last 4 hours playing with my kids. Housework will Always exist. That's what weekends and after bedtime are for. A friend of mine built an entire second story to his house using just after-work and after-supper time. Took 4 months.
    • Health: She breathes fuzz from the factory but she does have a mask she can wear if she desires. I don't consider that much more hazardous than the dust bunnies each of us chases around the house.
    • Neighbours: They are all raising kids and working too. Weekends/suppers... we get together then. We (can) help each other repair things or take a trip to the beach together.
    • Traffic: We're in a town of 5300 and the road to the factory is backroads. Yesterday I counted the stop signs with my son: 4. (about six blocks in total)

    I won't argue with you -- yes the quality of living goes down a little, but I look at it this way now: We are knocking down (dumb) debts faster. We're both young (24 and 23) and the kids won't remember these tough times. I actually spend MORE quality time with the little 'uns than I used to and Vanessa doesn't do as much housework because I can do it now. No we don't see each other as often, but she gets away from the housemommy dementia that tends to plague people who don't have much contact with people outside their kids. I wish she had better work to do but this is good for now.

  11. Re:Database Nation by tzanger · · Score: 1

    $20 for 4 hours!!! keep that babysitter! the 17 yr olds on my block want $50 per night minimum and wanted $150 for New years eve.

    Yes holidays will be more, but the trick I've found (me NOT being an expert in this field) is to find someone who has a lot of their own kids. Better quality than the 17 year old and not nearly as greedy.

    I'm not in a big city so perhaps this helps too, although I was just talking to someone who lives in Dallas/Fort Worth and pays the same rates.

  12. Re:Database Nation by tzanger · · Score: 1

    Okay, let's work this out. Supposing both parents are working 40hrs a week at $5.25 an hour (our minimum wage here)

    I don't think I've been to a single factory where the shop workers get minimum, at least not after their three month "probationary" period.

    Why would a baby-sitter work for $20/8-hour day when they can go and make $5.25 an hour too?

    In my case, the babysitter has 5 kids of her own and it's better/easier/she prefers it to working "out there". She can care for her own kids so tacking on a couple more is no big deal to her. The cut in her pay is far outweighed by her looking after her own kids and on her own schedule.

    I admit I thought that babysitters would be a lot more expensive but (at least here) $2.50/hr/kid seems to be a going rate if you provide the food and whatnot. As mentioned in a later post of mine, a guy in the Dallas/Fort Worth area experiences similar rates.

    Low unemployment discourages babysitting/lawnmowing types of work since it's easy to get a 'real' job as young as 14 with parental consent) that would leave precisely $0 for food, clothing, medical, and transportation expenses.

    I would agree with you. Our unemployment here in Ontario is far worse than yours is (anywhere) in the U.S.

    Anyway, I'm just glad that I'm in IT and don't have to deal with wage-slave jobs anymore. It's not a pretty picture trying to make a living without a college degree.

    I'm doing pretty good (R&D "engineer" by day, technical / tactical administrator for a fast-growing ISP by night) without a college degree. :-) I admit that I am an exception here though.

    None of which is to contradict the basic point that using the TV as a babysitter is a Bad Thing, I'm just saying that the claim that people's standards are too high is not substantiated, at least not for the working classes in the metro-boston area.

    I would also imagine that a family with two minimum-wage-ish jobs is also eligible for government aid. When my wife was single and working, she had quite a bit of aid actually and a healthy tax credit to go to daycare for her son (my stepson). Close to 80% if I am not mistaken. However because I "make so much" and because the fact that I have too much debt load (which is entirely my fault, not theirs) doesn't factor into any of their equations, any familial support by either the provincial (state) or federal governments vanish. I know for a fact that if I was in a low-paying job (probably < $8/hr here in Canada) we would qualify for all kinds of aid.

  13. Re:What disappoints me... by peter+hoffman · · Score: 1

    The key word here is public. The software that you develop for private use is not the topic of discussion here. The topic is the development of software with which the public comes in contact.

    The same way that you can practice law (or even surgery) on your own behalf, you will be able to write software on your own behalf. However, as soon as you write software for someone else, then you will be regulated. You can cook in your kitchen any way you like but all restaurants are subject to the health inspector.

    Yes, perhaps some companies will choose non-professional developers the same way some companies let non-lawyers make legal decisions. The consequences will be similar. When the company finds itself in court (and anyone actually in business will find themselves in court someday), it will be at a disadvantage because it will not be able to prove that it took all reasonable steps to avoid negligence.

    Your final point is a strawman. It is illogical to ignore something you don't like (i.e., probable legislation) and hope it goes away.


    -- OpenSourcerers
  14. Re:What disappoints me... by peter+hoffman · · Score: 1

    Yes, I am serious.

    Consider driving. We require a driver's license before we let someone on the road. It is not sufficient to be self-taught, you have to prove a level of proficiency. Even after you get a car driver's license you are not allowed to operate an 18 wheeler until you obtain an additional license.

    Public safety is at stake here and whether we like it or not, licensing will happen. My grandparents remember a time when driver's licenses were not required but today no one would consider repealing the requirement.

    We can be reactive and wait for a qualification-free self-taught programmer to write some code that kills someone and then have pointless regulations forced on us by legislators without a clue, or we can be proactive and regulate ourselves in a rational fashion.

    If we wait, then we will have demonstrated the same level of forethought as children and we will be treated as such. If we do it ourselves, we can turn our jobs into a recognized profession. The choice is up to us and time is running out.


    -- OpenSourcerers
  15. Re:Makes me wonder... by Derek+Pomery · · Score: 1

    When you say you dug through the registry, does this mean you deleted them from
    Run in, I believe, Hkey_Localmachine->Software->Microsoft->Windows->CurrentVersion->?

    Sorry if that's not the exact location (and there might be some other Run places), but I'm not about to reboot into Windows just for this question. :)

    --
    -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
  16. Re:But four megabytes? by Imabug · · Score: 1

    Quicken's billminder is easy to turn off. Edit/Options/Internet Connection and select the Don't use background downloading radiobutton.

    imabug

    --
    "For I am a Bear of Very Little Brain, and Long Words Bother Me"
  17. Re:1984 by dbryson · · Score: 1

    Certainly he couldn't be expected to imagine the reality of this. Thank god (or whomever) I am not using Windows where such programs can run. No doubt, soon, I won't be safe anymore and no matter what OS you are running, they will have modified their software to run.

    Derry

    --
    You just wish your ID was as low as mine! I used to be proud to have such a low id, but not so much now. Slashdot most
  18. Why does Internet Explorer run all the time? by Improv · · Score: 1

    Who the heck needs a web browser running all
    the time on windows?

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
    1. Re:Why does Internet Explorer run all the time? by levendis · · Score: 1

      It integrates with the OS! :)

      --
      ---- I made the Kessel Run in under 11 parsecs.
  19. Reverse firewall by ciurana · · Score: 1

    I read most of the comments on this and the one that struck me the best was the one about having a "reverse firewall."

    Disclaimer
    I don't own any of this offending software but I'm making the assumption that it opens an Internet connection using a socket and a port.

    I use JunkBuster in my Linux and Windoze boxes with excellent results. I can filter which cookies go in/out of the box, which ads or web sites to filter out, which domains to block, which ports to block, etc.

    Doesn't this functionality count as the "reverse firewall"? Just a thought.

    For more info go to http://www.junkbusters.com (I am not affiliated in any way with this organisation).

    Cheers!

    E
    --
    http://eugeneciurana.com | http://ciurana.eu
    1. Re:Reverse firewall by gfxguy · · Score: 1
      To add to the other comment - junkbuster doesn't really do a whole lot unless you configure your software to use it. For example, you can run junkbuster, but if you don't set your web browser's proxy to localhost (or whatever), then it just sits there running doing nothing.

      The point is that, unless the software is configured to use junkbuster, it's not going to. So if a program is going to make an...uh..unethical connection, it's certainly not going to play nice by going through your junkbuster proxy.
      ----------

      --
      Stupid sexy Flanders.
    2. Re:Reverse firewall by krenshala · · Score: 1
      All the firewalls I've worked with blocked both incoming and outgoing connections that were not specifically authorized by the admin.

      kren

      --

      krenshala

  20. Re:But Mattel _asks_ if you want it! by VAXGeek · · Score: 1

    actually, debian DOES have an optional spyware program that you can install. it's called popularity contest, and it polls the packages you have installed and mails it to debian. details here
    ------------
    a funny comment: 1 karma
    an insightful comment: 1 karma
    a good old-fashioned flame: priceless

    --
    this sig limit is too small to put anything good h
  21. Re:Is that news? by troc · · Score: 1

    Don't forget /. is not a public company, we don't pay to use it. CmdrTaco et al. have all the rights in the world to post whatever bias they want about anything. You don't have to read it.

    You can go away :)

    Or you could just read the stuff that interests you and ignore the rest.

    Yes it's annoying sometimes when (gasp!) someone has a different opinion to you but hey, that's democracy :)

    When we have to start paying for services like /. is when we have to demand objectivity.

    Just my opinions anyway

    troc

    --
    Troc's dubious podcast and blog: http://www.trocnet.net
  22. Could this be an innocent mistake? by gando · · Score: 1

    What do you think are the chances that this is a legitimate upload of information that only uploads information needed to keep the game running (ie: version information, checking for updates/patches, etc)?

    I know it would be a better idea to let the consumer know that this function exists, but, could this have been an oversight?

    What do you think?

    -G

    --
    --Fac Iustum Nec Time-- --Veritas Prevalibit--
  23. Re:Database Nation by cpt+kangarooski · · Score: 1

    I read it when it hit the library round here (KCLS in the Seattle area) and it was really very illuminating. I strongly suggest that people read it. If you're already concerned it's a good resource; if you're complacent it's like reading "Unsafe at Any Speed" while driving 70 down the highway in a Corvair.

    --
    -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
  24. Re: Don't be daft by PhilHibbs · · Score: 1

    It would be simplicity itself to demonstrate that you do not have the crypto keys. AIUI, they can only get you on RIP if they can demonstrate beyond reasonable doubt that you have the crypto key. I don't think RIP is as bad as it has been made out to be.

  25. But Mattel _asks_ if you want it! by Whip · · Score: 1
    I recently installed another Mattel product -- Quicken Family Lawyer (no, I don't know why Mattel is making a Quicken product, but hey, go figure). During the install, I was told almost exactly what "Brodcast" did, and was given a choice whether or not to enable it. I said "no" and that was the end of it.


    I can't say for certain that the children's software that this guy installed gave the user this choice, but I'm betting that it did, and he just flew right past it without reading what was in front of him.


    This is really no worse than various other programs that ask "do you want to send information about your system configuration to us?" during the registration process. Still requires consent, still tells you what it's doing. Granted, having this type of thing on children's software may not be all that wise, but is it "spying" any worse than anything else that's pretty much standard nowadays? I don't think so.


    On a side note, I'm getting really tired of seeing these alarmist attitudes on slashdot. It seems that any article about something that is outside the rules set by the "slashdot community" (or linux community, *bsd community, or open source community) is always splattered across the slashdot homepage, spun in a heavily unfavorable light.


    I dare say if Debian has an optional package that every now and then sent them usage information, that the slashdot headline probably wouldn't read "Debian spyware." Call it a hunch.

    1. Re:But Mattel _asks_ if you want it! by Rares+Marian · · Score: 1

      Microsoft, Doubleclick, Mattel, Metallica, RIAA, MPAA. They're just drops in a reservoir that's going to burst or be hijacked quietly.

      So believe me Debian will get roasted the day they release a single kernel boot advertisement.

      Course I'd hope by then the remedy brigade at linuxnewbies.org will be as available as freshmeat or the Linux Doc Project.

      --
      The message on the other side of this sig is false.
    2. Re:But Mattel _asks_ if you want it! by deprecated · · Score: 1

      Argh. Read the article. There were several iterations of the install routine. One of them asked and installed even when the answer was no.
      The last iteration was the Brodcast software is no longer even shipped. Who's the alarmist?

      (Oh no! Someone said something mean!)

    3. Re:But Mattel _asks_ if you want it! by Jeff+Licquia · · Score: 2

      Actually, Debian does have such a package. It's called "popularity-contest", and it uploads your installed packages list to Debian for statistical purposes.

      The differences between this and Mattel should be obvious:

      - You have to explicitly install popularity-contest, so you are guaranteed to know what you're doing; none of the default install profiles include it. Mattel had to be threatened with legal action before they gave the option to not install it.

      - Popularity-contest's purpose is clearly stated and fully documented; Mattel was scared to even let you know it existed.

    4. Re:But Mattel _asks_ if you want it! by Yambert · · Score: 2

      Yes some of the new installers ask you if you want to install "Brodcast", but the old installers don't and even if you say no the DSSAgent is still installed but not activated. So their methods are still questionable. This is quite interesting considering the fact that the installer didn't mention anything about Brodcast until after the Children's Online Privacy Protection Act went into effect.

      Joshua Yambert

      --
      ("kitten vs. puppy vs. baby vs. new video card") a simple summary of my life.
    5. Re:But Mattel _asks_ if you want it! by GnrcMan · · Score: 5

      You should actually read the article before you post. It explains quite clearly that older versions installed it without notice (he specifically reinstalled the software to check) and since COPA was enacted, they started asking.

      --GnrcMan--

  26. Re:How does ZoneAlarm identify a program? by Firefalcon · · Score: 1

    ZoneAlarm appears to use the path to the exe, its name, its size and its version/file date.

    Fairly foolproof, but still spoofable, if you were really determined, I'd guess.

    It also keeps fairly useful logs. By using the IPs listed, I have found that I had portscan attempts (port access denied of course - stealth if earlier tests were correct) from IPs 208.184.172.175 to 208.184.172.185 on ports 1333 to 1533 while I've been logged on this evening. And I've hung up and redialed in order to obtain another IP, so I presume it's some sort of wide search...

    Anyone got any idea what they may be trying for on those ports (if anything specific), or if it is a false alarm (although it is unusual...)
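
The weakness Firefalcon guesses at, as an added example (not part of the thread and not ZoneAlarm's actual logic): an outbound allow-list keyed only on path, name, size and file date cannot tell an approved binary from a replacement with the same attributes, while a content hash can. `EgressAllowList`, the file names and the sample bytes are constructed for illustration; the file date is modelled as mtime and the Windows version resource is left out.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def metadata_identity(exe: Path) -> tuple:
    """Identity built only from path, name, size and file date (mtime)."""
    st = exe.stat()
    return (str(exe.resolve()), exe.name, st.st_size, st.st_mtime_ns)


def content_hash(exe: Path) -> str:
    """SHA-256 over the file's bytes, read in chunks."""
    digest = hashlib.sha256()
    with exe.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class EgressAllowList:
    """Hypothetical store of programs the user approved for outbound traffic."""

    def __init__(self):
        self._approved = {}  # resolved path -> (metadata identity, sha256)

    def approve(self, exe: Path) -> None:
        key = str(exe.resolve())
        self._approved[key] = (metadata_identity(exe), content_hash(exe))

    def check(self, exe: Path, verify_content: bool) -> str:
        entry = self._approved.get(str(exe.resolve()))
        if entry is None:
            return "ask-user"      # never approved: prompt as usual
        meta, digest = entry
        if metadata_identity(exe) != meta:
            return "ask-user"      # visible change (size or date differs)
        if verify_content and content_hash(exe) != digest:
            return "block"         # same attributes, different bytes
        return "allow"


def demo() -> dict:
    """Approve a constructed binary, swap its bytes, and compare both policies."""
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp) / "updater.exe"  # constructed sample file
        exe.write_bytes(b"MZ" + b"original build".ljust(62, b"\0"))

        rules = EgressAllowList()
        rules.approve(exe)
        approved_stat = exe.stat()

        # Constructed stand-in for a swapped binary: same path, same length,
        # same timestamps as the approved file, different contents.
        exe.write_bytes(b"MZ" + b"different build".ljust(62, b"\0"))
        os.utime(exe, ns=(approved_stat.st_atime_ns, approved_stat.st_mtime_ns))

        stranger = Path(tmp) / "unknown.exe"  # constructed, never approved
        stranger.write_bytes(b"MZ")

        return {
            "metadata_only": rules.check(exe, verify_content=False),
            "with_hash": rules.check(exe, verify_content=True),
            "never_approved": rules.check(stranger, verify_content=True),
        }


if __name__ == "__main__":
    for policy, verdict in demo().items():
        print(f"{policy}: {verdict}")
```

Hashing costs a full read of the executable on each check, so a filter built this way would normally cache the digest and re-hash only when the file is reopened for writing or its attributes change.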

  27. Re:Makes me wonder... by Maserati · · Score: 1

    msconfig is your friend

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  28. What's going on ? by Aussie · · Score: 1

    is sorehands dead or something

    I miss the constant whining

    1. Re:What's going on ? by luckykaa · · Score: 1

      And what happened to www.sorefeet.com? He was funny until he posted exactly the same comment 300 times on the same subject

  29. Re:Spyware Removal by T-Ranger · · Score: 1
    While true, that would require users to be familiar with the output it produces...

    I just ran it on 'cat /dev/null' and was overwhelmed with the page and a half of information it spewed out (not /dev/null, strace :P )

    ZoneAlarm is more like netstat with a nice GUI and (importantly) allows only selective programs to use IP.

  30. Re:How does ZoneAlarm identify a program? by Shadarr · · Score: 1
    Not sure about ZoneAlarm because I use Private Desktop (not free), but the way it works it identifies the .exe file (along with a complete path) which is trying to connect.

  31. Re:What disappoints me... by jabber · · Score: 1

    So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.

    Ethics are a slippery eel. Reaching as far back as Aristotle (probably before), philosophical arguments have been made that if the intention behind the action is good, then the action is good. The easy example is that of hurting a child with an immunization needle, while doing what is good for the child. Most parental discipline falls in here too..

    The point being, that if the people who developed the software did so with good intentions, is it really unethical? Yes, it can be abused, and it surely is abused once the Evil Marketing Types(tm) get their way. But, is there no justifiable, ethical reason for such a feature?

    Obvious response "But they should tell us and let us opt out". Fair enough, but if what is being gathered is the sort of usage data that is 'influenced' if you know you're being observed?

    Personally, I think that the Nielsen TV rating system would be much more effective if data was gathered from a variable, random sample of people who are unaware that their viewing preferences are being studied. Granted, there'd be nothing on but Springer and COPS, but it would at least accurately reflect the tastes of the population.

    Keep in mind, I don't agree with clandestine monitoring in the least. I consider it unethical - and irrational, since knowing I am being watched would prompt me to act more like I want to than as I really do - so I would raise my standards of behaviour to those I'd like to project. Then again, that statement probably derives from the fact that I'm writing this from work, while I SHOULD be working. :)

    Anyway, just some morning thoughts. Where's my coffee?

    --

    -- What you do today will cost you a day of your life.
  32. Re:Which consumers asked for this feature? by mcc · · Score: 1

    > Did Mattel honestly think that they wouldn't get caught?

    Apparently yes.. but since it took so long for anyone to notice, it would appear that that was really more or less a valid assumption to make.

    > Did they think that no one would care?

    Apparently yes.. and you know what? They're probably right.
    Watch as over the next couple of days as a massive mainstream consumer and media backlash against Mattel/Broderbund fails to happen.

    Watch over the next couple of months as Mattel/Broderbund fails to lose substantial amounts of sales from the relatively small number of people for whom all of "reads salon.com or websites that link to articles on salon.com", "has children or a job that involves administering children's software", and "pays enough attention to the world that they actually react to this sort of thing" apply.

  33. electronic privacy by kaisyain · · Score: 1

    I'm pretty sure that most surveys have found that shoppers don't really care about "electronic privacy". I think it usually rates something like sixth or seventh on the list. And then there's the whole question of revealed preferences. Just because people CLAIM they like electronic privacy doesn't mean much. It's their actual behaviour that matters. And it looks like most people care far more about convenience than privacy -- in and out of the electronic realm.

    Just because a lot of slashdot readers (and by no means all) put privacy at the top of their lists doesn't mean slashdot accurately reflects the real world.

  34. You trust Mattel to maintain your computer? by alienmole · · Score: 1
    "Slashdot gets all fired up about all sorts of hypotheticals then looks stupid when that isn't the case."

    That may be true in some cases, but the problem here is not a hypothetical one. This is important because Mattel was installing software which was doing something to or with your computer, which you have a right to know about - but instead of informing you and asking for your consent, they were actually going to some trouble to ensure that you did not find out about it.

    Even if it's only downloading info, unless it actually asks me if I want to check for updates, and tells me what information is being transmitted, I find this unacceptable. If you just sit back and accept every "feature" which every large company tries to stuff down your throat, I guarantee you won't like the world we end up with in ten years' time.

    Unless you actually *want* every software package to come with a secret auto-updater that makes decisions for you, you should care about this stuff. If we don't reject software like this, secret market-research-gathering software built into your email program or browser won't be far behind.

    Even if you refuse to believe that this could happen, then you should be worried about what will happen when Mattel decides to upgrade your software for you and causes a DLL conflict with some other package you're running. Most corporate environments wouldn't permit this kind of thing - why should we allow it at home?

  35. Re:What disappoints me... by Non-Newtonian+Fluid · · Score: 1
    You realize that in the IT industry there is a major backlash against people coming out of colleges with degrees, because they haven't learned a damn thing useful. It is these programmers who are writing the crap software like this, not the self taught ones...

    Funny. I'm in the IT industry, and I haven't noticed any such backlash. Let's not be insulting by making such broad generalizations, especially when you fail to back them up with any evidence whatsoever. There are plenty of hackers I know that went on to be formally trained, and *gasp* got some sort of college degree in what they loved doing most (CS).

    But I should say this: People who have no interest in programming and hacking independent of making money, who just go to college and get an IT degree but otherwise couldn't care less about computers or technology and their impact, will probably never be nearly as skilled as those who truly love it and spend their free time doing it as well. If this is what you meant, then I agree with you.

  36. Re:Database Nation by Pope · · Score: 1

    Shower with them???!!
    You sick, twisted, perverted...Oh, wait, sorry, my mistake.

    Pope

    Freedom is Slavery! Ignorance is Strength! Monopolies offer Choice!

    --
    It doesn't mean much now, it's built for the future.
  37. Watching for Spyware by Quarters · · Score: 1

    The author states that if the program hadn't attempted to put his computer into online work mode repeatedly he would never have known about it because there isn't a way to detect those types of programs.

    That's not true. Any decent personal firewall for Windows (Black ICE, Norton Internet Security 2000, or ZoneAlarm) will alert you to both unauthorized inbound and *outbound* connection attempts.

    ZoneAlarm is my favorite, and it is free for personal use. You can get it at http://www.zonealarm.com

  38. Re:Mattel felony, as I read it! by freddevice · · Score: 1

    I think I would be pointing out to Mr Garfinkel that he is probably breaking the Digital Millennium act. Doesn't it make it illegal to work out what is going on? I think in the long term that is going to have greater repercussions, and getting a few journalists up in arms would probably be a good thing.

  39. Better Question... by slashkitty · · Score: 1

    Why the fuck must your splash screen request be encrypted?

    --
    -- these are only opinions and they might not be mine.
  40. Re:Why open source is nice, part LXXVIII by ConceptJunkie · · Score: 1

    The fact of the matter is, in order to use a computer securely, and often, in order to use the computer effectively at all, you have to become an expert.

    The average computer user doesn't want to be and shouldn't have to be an expert on the myriad issues concerning privacy and security when all he or she wants to do is buy some Britney Spears CD's on CDNow. After all, isn't everyone and his dog hyping how easy and secure it is?

    Microsoft's attitude towards security is to throw a bunch of warnings at the user and hope for his sake that he follows them, even though it prevents him from using legitimate and harmless functionality, just because he is not an expert.

    It might be reasonable to blame the folks at Apache for not setting up their Web site correctly so it wouldn't be hacked. It is not reasonable to blame Joe Sixpack when Mattel sends out personal info about his 7-year-old kid.

    The Internet explosion is already happening. It would be nice if some of the parties involved (esp. Microsoft, AOL, etc) were not too stupid or too lazy to properly serve their customers. If cars were built like software the Washington Beltway would be a parking lot for smoking hulks of burned metal.

    --
    You are in a maze of twisty little passages, all alike.
  41. Re:Req. for amendment to Godwin's Law (was Re:1984 by SEWilco · · Score: 1

    Most of the references to "1984" actually seem to have been written by people who never did read the book.

  42. Re:its not all closed source by Tyriphobe · · Score: 1
    How long was that bug in PGP that didn't generate random keys? Almost a year?

    And how long would it be in a closed source piece of software? Until someone reverse engineered the whole shebang, or else never. No software company would come out and admit that they left a big ol' bug in their code that makes their encryption insecure, in fact it would probably go undiscovered indefinitely. You could go in for "security by obscurity" there, but eventually someone might notice the behaviour, and not necessarily someone who'll report it.

    At least with open source, it was discovered, documented, and fixed - but if this happened in a piece of commercial software, we'd never hear about it, nor would it be corrected in as short a time span.

    It's easy to take code for granted thinking that someone else will have reviewed it, but things like the PGP hole should just serve to remind people that they can never be too confident in code they or someone they trust hasn't taken the time to fully understand.

  43. Re:I fail to see what the big deal is... by Bimble · · Score: 1

    Read the article before responding to it. Cyber Patrol was the target of previous Mattel complaints, but this is software being installed with children's games and the like that surreptitiously attempts to connect to the Internet, communicate the software being run, how often it's used, and what version it is, and then downloads a JPEG depending on whether the server deems it necessary. On Mattel's side, there isn't any personal information being transmitted. Against Mattel, however, is the fact that the software is installed without notification, and makes a connection to their server without asking for permission from the user. The main point of the article is that it isn't hard for software that does more to violate privacy to be installed. And to be honest, I would call software that monitors how often the games are run a violation of privacy, if permission had not been sought prior to installation (though it wouldn't surprise me if the license agreement contains language that would allow a lawyer to say permission had been obtained when the software package was opened).

    --
    Naked.
  44. Re:Req. for amendment to Godwin's Law (was Re:1984 by ThePlague · · Score: 1

    Well, since you've proposed it, the natural choice would be to call it Pim's law.

    I agree, there has been a spate of misplaced or at least tenuous-at-best Orwell references lately. I guess a lot of /.'ers finally read it in Junior English.

  45. Re:What disappoints me... by Calmacil · · Score: 1

    Manager: Code me up some software that sends us the complete contents of the user's hard drive

    Software Engineer: Uhh... that's against the code of ethics! *hands over copy*

    M: hehe, that's funny... it even asks me not to ask you to do that sort of stuff...But seriously, code it or you're fired. While you're at it, can you make it delete our competitor's software?

    -Disclaimer- I've never been in anything resembling that situation

    --

    Calmacil

    I can't seem to face up to the facts, I'm tense and nervous and I can't relax... --Talking Heads

  46. Re:Is that news? by I+R+A+Aggie · · Score: 1
    um, WRONG. /. IS a public company. It was bought by Andover.net which was public, then was bought by VA Linux which is a publicly owned company. Nice try tho.

    Yes, and? you own how many stocks?

    1. bias could get them sued because their only protection is that they are an unbiased reporting agency that itself does not editorialize. Only its editors editorialize.

    Oh, right, like editorial commentary doesn't slip into "mainstream media coverage".

    2. if I was a majority shareholder, I could put pressure to have all of them fired if they didn't post favorable stories about M$ and then have all the people that talked crap about M$ moderated down. how you like DEM apples?

    Oh, sure, you could. Then a new slash-dot.org would rise up, and you'd devalue your own holdings. Typical shortsighted business management. But you don't own any stocks, do you?

    3. this is no longer a bunch of guys running an underground news service from their garage. This is a public company that has to report its earnings, its page hits, server stats, ad banner revenues, etc. face it, /. is part of corporate america whether they want to admit it or not.

    Yes, and? It's Slashdot for crying out loud, not the Wall Street Journal.

    James

  47. Re:Database Nation by / · · Score: 1

    I have five brothers, all with children and grandchildren, and will be emailing them as well as posting to the family website my strong recommendation that they boycott Mattel and the reasons why.

    Awww, crap. You mean now? When I'm halfway to the sweet water rapids and just pulled off a 500 lbs of food for 3 oxen trade? I suppose I could always go Donner Party and call it quits, but....

    j/k

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  48. Re:spying on children too... risky indeed by jleader · · Score: 1
    The article never actually said they were spying on children; it just said that they could have been.

    It's possible that Mattel was actually trying to gather information about who was running their software, but I think it's more likely they just wanted to be able to download new content or (more likely) ads.

    My guess is that it was a (stupid) experiment, someone saying "Hey, ya know, we could get into the advertising business... tell the programmers to make it so our products can be upgraded to display ads later if we feel like it". Then, they got their fingers burned, or got scared by COPPA, and back-pedaled.

    I know that back when I was writing "educational software", I saw my share of that sort of management cluelessness and fumbling (not that management is necessarily better in other fields, either!).

  49. Re:Spyware Removal by Sarsippius · · Score: 1

    Even better is ZoneAlarm (www.zonealarm.com) which is a free-as-in-beer-for-personal-use "firewall" that alerts you whenever a program attempts to initiate or receive connections to the Internet. I've used it since beta, and I was shocked at the number of programs that try to connect... Knowledge is power.

  50. Re:Netscape quality feeback agent by paulm · · Score: 1

    Actually, there have been a few times with Netscape when it's crashed and I've said to myself: "goddamnit. Where's that fucking feedback agent!?!"

  51. Re:Aureate - MUST read by titus-g · · Score: 1

    arghh, I thought, haha no way do I have this, I hardly ever d/l install free software (on windows anyway), but a quick search later (just for fun ya know) and there it is /WINNT/system32/advert.dll

    --

    ~ppppppppö

  52. Ever buy a videotape? by BoLean · · Score: 1

    Same ol' same ol'. The only difference is using the customer's computer to do their work.

  53. Re:I wrote that code - I'll tell you what it does by alecto · · Score: 1

    Where does Broderbund get off using a product someone paid for to pitch more products? If they want a platform from which to pitch products, it should be free (as in beer)--the ads Broderbund wanted the users to look at should have been the price of the program. Forcing uninformed consumers to accept ads and an invasion of privacy (which reporting the launch of a program with an IP address without informing the user is) is disingenuous and, perhaps not illegal, but certainly highly unethical.

    And where was the programmer with the developed sense of ethics to bring this to the attention of his employer?

  54. Re:I wrote that code - I'll tell you what it does by alecto · · Score: 1
    You mean like a newspaper or cable TV?

    Exactly. Except that the newspapers and cable TV didn't trick the public into accepting that model--it's well known (if not particularly fair, esp. in the case of cable TV).

    Seriously, how exactly is showing a 320x200 JPEG (for 15 seconds) that advertises a product you just might want to buy an invasion of your privacy?

    The invasion of privacy is the identifiable (by IP) information passed with the fact that the program was launched. That's no more acceptable than a TV (or toaster, or microwave, or vibrator (!)) that reports when the owner turns it on without his or her consent. (If a user gives informed consent after being presented with the option in plain language, e.g.:
    The program will connect to Broderbund's web site each time it is started. This allows us to serve you better by retrieving information on products that might interest you. Check the box below if this is OK.

    (It's no good if it's buried in the EULA and/or agreeing to the practice is a condition for installing the software the user paid for), then, and only then, is it OK to do that.

    Right here, actually.

    I'm darned glad to hear that--seriously. I know that privacy concerns often fall on deaf ears, but we are responsible to at least raise them.

    An unrelated Broderbund anecdote--I haven't purchased or used a Broderbund product since buying "The Playroom," which used a manual based copy protection scheme (which was trivially defeated) on a program meant to be used by kids not yet old enough to read.

  55. Re:You're actually mistaken - let me explain by alecto · · Score: 1

    The application does not contact the server ever.
    Fair enough--not by the application and not on launch. Still more than should be done without informed consent.

  56. Re:spying on children too... risky indeed by Narcischizm · · Score: 1

    At the risk of sounding paranoid, that sort of management cluelessness and fumbling is what worries me. Once a Pudding-Brained CEO or marketing director realizes the fact that it is possible to get their greedy little hands on even more information, then they will do so.

    Now they might be forced to think about how to hide it better, as well as how to gather more information. It may seem innocuous, MAC address, IP, last 5 sites visited, email address, system environment variables, a 'dir /s >mattelmarketinginfo.txt', etc. But the more information they are allowed to gather, the less we are able to protect our privacy.

    We are being desensitized. What we found objectionable last year, pales to what we object this year, as a whole, with regard to privacy. People were almost screaming from the mountain tops over the Great Cookie Scare a couple of years back, nothing has changed, but no one is frightened of cookies anymore, even though the same information is available.

    My point is, companies like Mattel will always take a mile when given an inch. They are in it for the money, and as long as they aren't breaking any laws, they will always be able to have the upper hand. Soothe a few geek parents nerves, like the Salon writer who noticed the anomaly, with promises to fix any problems that have occurred. Which is, ironically, good business.

    Fsck the customer and then 'Help, in any way we can'.

  57. Re:What disappoints me... by Dr.Evil · · Score: 1

    I hate to flame on my own thread, but...

    If what you mean by "self-taught" is having learned a disciplined, formal, language-independent method of software engineering with adherence to industry-adopted design methodologies and coding standards; patterns and algorithm analysis methods (such as "big-O" analysis); formal logic and discrete mathematics; linear algebra and domain transforms; and all the various other aspects of an accredited Computer Science program, then good for you. If, however, by "self-taught" you mean having learned the syntax of the language you're using and the ability to code from a design given to you by someone else, then don't get on your high-horse. The "stupid mindset" of professors is that there is more to creating software than sitting at the keyboard.

    The difference between a software engineer and a programmer is vast, to my mind as vast as the difference between a civil engineer and a construction worker or an electrical engineer and an electrician. Sometimes (perhaps often) the trade workers may in fact know more than the engineer on a certain point, but it is nearly impossible for them to have the skill set of a qualified, educated, certified professional in all aspects of the job. I hope that Software Engineering will be a P.E. classification within the next 15 years. The current professional societies are all pushing for it. That doesn't mean that programmers will be obsolete - every engineering field has its related technicians. There will need to be a recognition, however, that professional licensure and conduct is a vital aspect of creating quality software with guaranteed outcomes.

    --
    Right...
  58. I don't get it. by SweenyTod · · Score: 1

    A story about Mattel, a company, installing and using spy software is news, but a story I submit about an Australian government department being given legal rights to hack into your computers and install spy software isn't?

    Yes I know I'm whinging, sorry. Just needed to get that off my chest. :) I'm in a grumpy mood - my house got broken into. Grr.

    --
    Alas gallinaceas de urbe bovis volo
    1. Re:I don't get it. by scruffyMark · · Score: 1
      Sorry about your house. Same thing happened to me a while ago...

      Can you point me to the story you mention?

      --

      What is the robbing of a bank, compared to the founding of a bank? -- Bertolt Brecht

    2. Re:I don't get it. by luckykaa · · Score: 1

      Man bites Dog is a story, Dog bites Man isn't

      By that argument, the only stories that Slashdot should run on Mattel are:

      Mattel reveals censorware database for independent scrutiny
      Mattel ignores high profile copyright infringement
      Mattel allows www.barbie.org site
      Mattel actually wins a case

    3. Re:I don't get it. by dingbat_hp · · Score: 2

      Man bites Dog is a story, Dog bites Man isn't

      Governments are expected to behave like arrogant bastards who think they have a God-given right to snoop. The Australian story is interesting and should be run, but it's no surprise that Australia (which is pretty dodgy on this issue already) has just slid one notch further down.

      OTOH, if you can't trust Barbie, who can you trust ?

      What about people with prosthetic fingers made from Barbie's knee joints ? (Scientific American a month or two back) Should they be worried about what their hands get up to when they're not looking ?

    4. Re:I don't get it. by SweenyTod · · Score: 3

      Yeah, sorry - I meant to include it in my original message. /. really needs an edit message function.

      Try this story on Yahoo. It's fairly brief, but you get the message.

      --
      Alas gallinaceas de urbe bovis volo
  59. Re:Spyware Removal by redmist · · Score: 1

    Haven't you ever heard of an ICQ clone?


    .{redmist}.
    -------------------------------------------------


  60. Re:Spyware Removal by BeeJay · · Score: 1
    There needs to be something similar for Linux. Although companies that ship Linux have the sense of decency not to enforce spyware, times are changing.

    On Linux we have strace(1). It can show you any system call performed by the program. That should make it easy to spot unwarranted network connections, opening of files, etc.
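One way to act on the strace(1) suggestion in the comment above, as an added example that is not part of the original post: a Python script that pulls `connect()` destinations out of strace output and lists every non-loopback endpoint a traced program tried to reach. The trace lines are constructed, the addresses come from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `strace -f -e trace=network <program>`.
# Addresses are from documentation ranges (192.0.2.0/24, 2001:db8::/32).
SAMPLE_TRACE = '''\
[pid  4101] socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
[pid  4101] connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)
[pid  4101] connect(3, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
[pid  4101] connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
[pid  4102] connect(5, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = -1 EINPROGRESS (Operation now in progress)
[pid  4102] connect(6, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 ECONNREFUSED (Connection refused)
[pid  4101] connect(4, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, 16) = 0
'''

# Optional "[pid N]" (strace -f) or bare "N" (strace -f -o file) prefix,
# then the connect() call with its decoded sockaddr and return value.
CONNECT_RE = re.compile(
    r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?connect\(\d+,\s*\{(?P<addr>.*)\},\s*\d+\)'
    r'\s*=\s*(?P<ret>-?\d+)(?:\s+(?P<errno>[A-Z]+))?'
)
PORT_RE = re.compile(r'sin6?_port=htons\((\d+)\)')
V4_RE = re.compile(r'inet_addr\("([^"]+)"\)')
V6_RE = re.compile(r'inet_pton\(AF_INET6,\s*"([^"]+)"')


def parse_connects(trace_text):
    """Yield (pid, ip, port, outcome) for each IPv4/IPv6 connect() line.

    Calls split into "<unfinished ...>" / "<... resumed>" halves are not
    reassembled here and are skipped.
    """
    for line in trace_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if not m:
            continue
        addr = m.group("addr")
        host = V4_RE.search(addr) or V6_RE.search(addr)
        port = PORT_RE.search(addr)
        if not host or not port:
            continue  # AF_UNIX and other non-IP address families
        try:
            ip = ipaddress.ip_address(host.group(1))
        except ValueError:
            continue
        pid = m.group(1) or m.group(2) or "-"
        # A failed or still-pending attempt is kept: the attempt itself
        # is what the person auditing the program wants to see.
        outcome = "ok" if int(m.group("ret")) == 0 else (m.group("errno") or "error")
        yield pid, ip, int(port.group(1)), outcome


def outbound_summary(trace_text):
    """Group non-loopback connection attempts by (address, port)."""
    summary = defaultdict(lambda: {"attempts": 0, "pids": set(), "outcomes": set()})
    for pid, ip, port, outcome in parse_connects(trace_text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        entry = summary[(str(ip), port)]
        entry["attempts"] += 1
        entry["pids"].add(pid)
        entry["outcomes"].add(outcome)
    return dict(summary)


if __name__ == "__main__":
    for (ip, port), info in sorted(outbound_summary(SAMPLE_TRACE).items()):
        print(f"{ip} port {port}: {info['attempts']} attempt(s), "
              f"pids {sorted(info['pids'])}, outcomes {sorted(info['outcomes'])}")
```
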

  61. Asking for proof is reasonable by Phallus · · Score: 1
    In this age where even the average e-shopper is so worried about "electronic privacy",

    Are you truly 15 years old or do you just prefer to act like you are? To respond to a reasonable, believable statement with "Do you have any statistics to back up your statement" really shows off a moral and intellectual deficit.

    Yet another rude slashdot replier - Zico is making the perfectly valid point that Nicholas Vining is making generalised statements without backing them up - why should we believe the average e-shopper is worried about privacy. And to prove anything about the average e-shopper, one must use statistics. Especially seen this statement isn't necessarily reasonable or believable. In fact Zico makes the far more reasonable point that e-shoppers probably aren't concerned about privacy, because they are willing to use e-shopping, which doesn't have the best privacy record.

    Moral and intellectual deficit - man, you're full of sh*t.

    tangent - art and creation are a higher purpose

    1. Re:Asking for proof is reasonable by Vortexboy · · Score: 1

      Vining isn't writing an academic paper, he's posting on a silly message board. If including statistics is going to be required every time someone wants to state a fairly accepted fact, slashdot is quickly going to become unreadable. If you want proof that people are concerned about privacy, just follow the news; every other story is about electronic privacy. The reason people use e-shopping is because they realize, correctly, that the chance of a serious privacy violation is outweighed by the convenience e-commerce offers. I don't know about a "moral and intellectual deficit" but asking for "proof" is certainly sophomoric. If Zico doubts that people are worried about privacy, he should give some reasons. In logic, this is called charity; in conversation, it's called civility. Tom

  62. Re:Spyware Removal by Bouncings · · Score: 1

    There needs to be something similar for Linux. Although companies that ship Linux have the sense of decency not to enforce spyware, times are changing. With more corporate involvement in Linux, it's just a matter of time before the marketing departments of Corel and Compaq will want to collect data. Are we going to hide behind Linux and claim that it makes us immune to privacy invasion? Free software is by definition worm free? When's the last time you looked at the source of every package in your distro -- or even have the source to every package in your distro. Unless you're on Debian w/ 100% free, you might not!

    --
    -- Ken Kinder ken@_nospam_kenkinder.com http://kenkinder.com/
  63. Re:What disappoints me... by bnenning · · Score: 1

    Yes, you need a driver's license to drive on public roads. You don't need a license to drive on your own property or on someone else's private property with their permission. Similarly, if I want to work for a private software company, it should be up to them what qualifications they require. Hopefully these qualifications will be based on merit and not pieces of paper; the best programmer I've known was the only developer at his (large) company without a degree. The argument that we should regulate ourselves before the government does is logically equivalent to "we shouldn't put any controversial content on the Internet, because if we do the government may try to censor it".

    --
    How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
  64. OT: Banks, Quicken and Quicken alternatives by FalseConsciousness · · Score: 1
    I'll be very happy when there is an open-source online banking solution I can run from linux. Yeah, right - get the banks to cooperate with the Penguin!

    Not really that far fetched. Would only require that there be:
    1. a stable, documented Open Financial Exchange (OFX, an XML-like format) implementation in the financial management software you are using. Although Quicken does a lot of screwy proprietary things in connecting you to your bank, the actual core of it is an exchange of OFX files (usually a download to the client).
    2. a big enough, vocal enough user base to convince the bank or its software vendor to add a new OFX format for the new financial management package to its online banking software. Especially effective to show some sort of rapid growth and scare them into thinking that financial management package X is "the future" - something that often frightens marketroids (who will mostly be responsible for the decision about what software "markets" need to be supported) into action, they have a deep-seated fear (and legitimate I guess) of missing the boat and becoming has-beens.

  65. Re:Aureate - MUST read by Raelin · · Score: 1

    Actually, what you found was the storage where it keeps what you've recently searched for. All that said is that you have recently looked for advert.dll using the find file or folder... HTH. Rae

    --
    Blah I can't get my sig to work, it won't fit.
  66. Re:The all mighty dollar by Mr_Ceebs · · Score: 1

    Another small detail their spokesperson says

    If the program is enabled, it communicates with our servers to let them know that a particular product has been installed and retrieves JPEG images for that product if any exist

    I don't know about you but if they're forcing me to download jpg's to complete a program that I have on disk, then they are hiding part of the cost of the package. Surely this is at very least immoral if not illegal

  67. Re:I wrote that code - I'll tell you what it does by davmoo · · Score: 1

    There's one other difference...when you buy the newspaper/magazine/cable TV, you KNOW the ads are there before you make the purchase. I wouldn't be nearly as opposed to this sort of crap in applications if the manufacturer(s) would simply disclose, ON THE OUTSIDE OF THE BOX, what their spyware routines do. And some ex-employee singing verses from that popular song "I wrote it three years ago, it's harmless" doesn't cut it, and the company deserves all of the bad press they are getting, and they deserve to have even more bad press (and massive loss of sales) heaped upon top of it.

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  68. Re:its not all closed source by Rhys+Dyfrgi · · Score: 1

    This is a single incident. It doesn't prove anything other than "Bugs happen in Open Source software, and can go undiscovered for a long time." It says nothing about the general case, and nothing about the difference between closed and open software.
    ---

    --
    END OF LINE
  69. Re:Why open source is nice, part LXXVIII by heliocentric · · Score: 1

    inspected by a reliable and unbiased third party [I added the bold]

    Finding a truly unbiased third party is all too difficult in this day and age. Companies pay other companies for a supposedly unbiased look at things and certify the product as OK, but in the paying I feel they immediately become biased - if even only a little. That is why I feel that the best candidates to review products are the biggest enemies of the product. They would be best prone to doing any inspection quickly and at no cost to the consumer or the vendor being inspected. I would also trust the greatest enemy of the product more when they say it's ok than I would trust the vendor's best friend.

    If MS broke up, and MS1 reviewed MS2's product and hailed it the best product of the year, would you even bat an eye? But if red hat began shipping with Office 2000, IE, and outlook - would you stop and take a little more interest into why red hat would do this? What if red hat said they felt it was a stable product? Would you then think even a little higher of those products?

    --
    Wheeeee
  70. Thats obvious by Lion-O · · Score: 1
    but I can't imagine what kind of "up-to-date" content the company wants to rush out to all the 5-year-olds using "learn to read" software.

    C'mon. Obviously it will send the next bunch of letters in the alphabet for the kid to take on. State of the art; no installation manual needed, just what you need in this situation. :-)

  71. Re:Is that news? by kootch · · Score: 1

    "DOn't forget /. is not a public company, we don't pay to use it."

    um, WRONG. /. IS a public company. It was bought by Andover.net which was public, then was bought by VA Linux which is a publicly owned company. Nice try tho.

    "CmdrTaco et al. have all the rights in the world to post whatever bias they want about anything."

    This is also incorrect. No they don't.

    1. bias could get them sued because their only protection is that they are an unbiased reporting agency that itself does not editorialize. Only its editors editorialize.
    2. if I was a majority shareholder, I could put pressure to have all of them fired if they didn't post favorable stories about M$ and then have all the people that talked crap about M$ moderated down. how you like DEM apples?
    3. this is no longer a bunch of guys running an underground news service from their garage. This is a public company that has to report its earnings, its page hits, server stats, ad banner revenues, etc. face it, /. is part of corporate america whether they want to admit it or not.

  72. Re:PGP key in DSSAGENT by VB · · Score: 1

    Another useful app under Linux is IPTraf, which will let you log these communications, including bytes sent and received from the respective destinations/sources.

    A great tool for further locking down your firewall.

    While I agree the labeling of this article is slightly skewed, I don't think anyone's being paranoid by running these types of activities through the microscope. Better to send a message to software vendors to back off on surreptitious exchanges of information from the consumer than further the proliferation of legislation to do this for us.

    My 2

    Linux rocks!!! www.dedserius.com

    --
    www.dedserius.com
    VB != VisualBasic
  73. Legalize Civilian Consumer Reports type Activity by Rares+Marian · · Score: 1

    I'm really getting sick of this type of bull. Support geek business. Outcompete the assholes. Capitalism is its own cure.

    --
    The message on the other side of this sig is false.
  74. Maybe you've missed the point? by wanderingwalrus · · Score: 1

    I have a feeling you've kinda missed his main point - that being that we shouldn't trust big businesses to run our lives so unconditionally. That it's strange how despite all that's happened people are still quite willing to trust companies to do the best thing by them. Surely, they would know better.

    As for the stats go, I haven't got the stats either but I'm certain that if you do look into it, you'll find that people are staying away in droves and reluctant to adopt e-commerce since most do fear for their privacy - more specifically, the privacy of their credit cards. This is probably one of the main reasons why adoption of business-customer e-commerce hasn't quite been as spectacular as the forecasts a couple of years back... The fact of the matter is, people are quite worried about e-commerce privacy. The post suggests that considering this, it was strange that they seem to still have so much faith in software that they don't really know what it's doing.

  75. Re:I wrote that code - I'll tell you what it does by eagl · · Score: 1

    The problem for me is that the program would hijack control of my computer periodically. When running bandwidth/latency sensitive programs or using 100% of my cpu cycles for something (an online game, watching vid clips, burning a cdrom, ripping a CD, etc), a program waking up in the background and snagging even a few 2k chunks is unacceptable.

    Imagine playing Q3 in a serious game and having your computer hiccough or pause as the computer waits for some http transactions?

    This kind of thing going on in the background is essentially theft of my property just as much as any virus or trojan horse. When I install a bit of software, I expect it to do its stated purpose and NOTHING MORE. Whenever I find a program auto-installing additional crap, I immediately uninstall it and go on a registry and .ini file hunt to ensure it's gone, then I never buy a product from that company or developer again unless I absolutely can't live without that product (hasn't happened yet except for win9x).

    Hidden, undocumented background behavior is no better than a virus deliberately included with the software, and should be treated as such.

  76. Re:MPR.exe by jerdenn · · Score: 1

    You appear to be correct - A search on the Microsoft MSDN "dll help database" for MPR.exe reveals a file description of "Eicon MPR Utility"

    Further searches on the MS website reveal references to a company called Eicon Technology

    A search on Eicon's website shows several references to MultiProtocol Routing - looks like MS must license this technology from them.

    About the only interesting thing is that the MS dll database does not list that this product is included in any of the 9x lines, just the NT line.

    -jerdenn

  77. if you ask me... by SEAL · · Score: 1
    CmdrTaco should bitchslap Mattel's karma back into the Stone Age. Oh wait - I guess this article's doing that already :)

    OK I've been at work waaay too long... time to go home heh.

  78. But you do know what NQFA sends by hodeleri · · Score: 1

    At least it a: bothers to ask and b: allows you to look at everything it is sending.

    Ok, since you can't view the source you don't know EXACTLY what it is sending, but considering a and b, it's a hell of a lot better than anything else.

    --
    Eric is chisled like a Greek Godess

  79. Re:What disappoints me... by AndroSyn · · Score: 1

    So you're saying that it ought to be required that to be a programming professional, you must have a BS in something like Computer Science? Come on, you have got to be serious. I consider myself to be a good C programmer (and a decent pl/sql programmer) and I haven't had one day of formal training in anything. Yes, let's raise the bar so that you can only program professionally if you have a degree, that way all programmers have the same stupid mindset that professors drill into the heads of students. You realize that in the IT industry there is a major backlash against people coming out of colleges with degrees, because they haven't learned a damn thing useful. It is these programmers who are writing the crap software like this, not the self-taught ones...

  80. Re:What disappoints me... by AndroSyn · · Score: 1
    But I should say this: People who have no interest in programming and hacking independent of making money, who just go to college and get an IT degree but otherwise couldn't care less about computers or technology and their impact, will probably never be nearly as skilled as those who truly love it and spend their free time doing it as well. If this is what you meant, then I agree with you.
    This was exactly the point I was trying to make. I mean I personally don't object to getting a CS degree or whatever, but I know that there is a backlash against the clueless people who try to do jobs they aren't qualified for. I guess I was just being a bit too general :)
  81. On this subject.... by Kwikymart · · Score: 1

    While on this subject, what's the status of Real's products uploading info from the client on their linux/unix versions of their software? I remember a while back there was something about Real doing this. The linux versions seem to come without all the "crap" that the windows versions contain, but do they leave out the anti-privacy code? Just something that made me wonder...

    --

    Buying a Dell computer is equivalent to dropping the soap in a prison shower.
    1. Re:On this subject.... by Cool+Man · · Score: 1

      All closed source linux proggies should be analysed as they are released much more than windows, because one good fuckup and the linux system looks as insecure as windoze, and there goes our arguments boys.

  82. Re:Arms traffickers! by wafath · · Score: 1

    I think this is the way to go... Mattel caused the author to unwittingly export a munition by failing to reveal the programs presence on his computer. IANAL, but that sounds like a great lawsuit to me.

    W

  83. Re:explanation from the learning company by Caseman · · Score: 1

    Designs of this nature are patently irresponsible. What purpose does it serve to have this program run when the computer starts up? Why would I want it using RAM and CPU time all the time?

    This could so easily be designed to simply ask you if you want to check for updates when you run the program. Or they could just provide a shortcut to the updater within the program or Start menu.

    I'm sure these options were not overlooked when the program was created. The program is intended to do things behind the user's back plain and simple. It is a clear example of unethical software development no matter how harmless the actual program is.

    It also once again makes clear the flaws inherent in Windoze. I need not enumerate them here...

  84. Shit... by Wolfier · · Score: 1

    >A quick search on the Web the next day revealed
    >that Brøderbund is owned by Mattel Interactive

    I'm too out of synch...is it??? DAMN. Broderbund made so many nice games I enjoy...not to mention The Print Shop...

    Now it's owned by Mattel and it can kiss its future goodbye.

  85. Re:Why does Quicken run all the time? by sprayNwipe · · Score: 1

    From memory, the bit that runs all the time is the BillMinder app, which pops up a dialog when bills are due.

  86. Re:explanation from the learning company by dingbat_hp · · Score: 1

    It's the perfect banner ad

    "good" depends on which side of Mattel's marketing department you are.

  87. Re: Don't be daft by radish · · Score: 1

    You understand it wrong. It plainly states that you have to prove you do not have the keys - the onus is on you. And how on EARTH are you supposed to prove you don't have something, and never did have it?

    Impossible. Which is why RIP is against the entire fundamentals of british justice (such as it is). This will get thrown out by a judge - but I wonder how many people will get dragged through the courts first?

    --

    ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

  88. So how do we get rid of DSSAgent? by Cable · · Score: 1

    Can we nuke it from the registry, or does the children's software reinstall it if it gets removed? I think we ought to boycott Mattel-owned software until they remove the DSSAgent from their distributions.

  89. Re:What disappoints me... by Tungz10 · · Score: 1

    We can be reactive and wait for a qualification-free self-taught programmer to write some code that kills someone and then have pointless regulations forced on us by legislators without a clue, or we can be proactive and regulate ourselves in a rational fashion.

    Software is really out of control these days. The last time Windows crashed, my computer automatically rebooted. This wouldn't have been so dangerous, but the cup holder automatically retracted when the computer came back on, spilling my drink all over the place! I think both the computer and software should have been certified by a board of professionals so I know it's safe. Imagine what could have happened if I had hydrochloric acid in the cup!

    I think a license should be required to walk on the sidewalk. I'm afraid to go outside, someone's going to get knocked over one of these days! Then it will be too late.

  90. Re:Toys and Machine Guns by in8 · · Score: 1
    Perhaps, to stay out of trouble, Mattel should just stick to toys and the M16, eh?

    FYI - mattel never made the M16.

  91. SO - how does ordinary users protect themselves? by in8 · · Score: 1
    Simson represents the small percentage with a clue and the technological ability to understand these issues.

    However, it seems that very few ordinary people I've met are technically able to detect such spy-ware, or understand the greater issues with regards to privacy. A very large part has no problems selling away their private info for $5 coupons, free-dsl, free-pcs, or the supermarket discount cards.

    While laws will be required, I don't see much success when the typical user is unaware of privacy issues and will readily give up those for small sums of $. Perhaps even scarier still is the numerous citizens willing to give up their rights/liberties/privacy for greater felt security.

    Personally, I think Simson's book - Database Nation should be required reading in high/secondary schools. Perhaps in the civics type classes.

  92. Re:What disappoints me... by Winged+Cat · · Score: 1

    The PE is really a barrier to entry to keep the underskilled and poor test takers out. It serves as a means of reducing the population of engineers that can practice and thus keeping wages higher than otherwise.

    Which is, ethics aside, why the PE approach for software developers won't work. There's far too much work to do to exclude anyone who wants to try, regardless of skill level. Yes, that does mean that some of the work will be outright crappy.

    But we can borrow a similar idea. Underwriter's Laboratory was set up to do all kinds of consumer safety testing. (You might be surprised by the array of hardware their logo appears on.) Similar testing of software could be done by various independent parties; open source would allow this to be done better, since white box tests of algorithmic correctness could also be performed (switching from "the test cases don't reveal any bugs" to "this code correctly implements algorithm X, which has been proven impossible to fail"). Maybe someone could even ask UL if they want to get into certification of software as doing what it claims without major security or safety holes?

  93. Re:I wrote that code - I'll tell you what it does by linux_penguin · · Score: 1

    OK, in Australia we pay for local calls, but it is not timed. This puts us in a better position (unless the rate is really low) than countries with timed local calls.

    Here it costs ~25c per local call. Take the example of one a day, that's 365x0.25c per year, or $91.25 per year, excluding ISP fees (if you have a timed ISP). If this company wants to send me a cheque for $91.25 every year, I'll run their shit software. This could even be grounds for a class-action lawsuit. These guys just don't geddit (tm).

    This is the most stupid idea ever, and yet another reason to use open-source software.

    As for getting marked down as flame-bait, it doesn't matter anyway. The karma system is so broken that I can never get my karma above 10 anyway. It seems whenever I get a submission accepted I get +3 karma, which disappears again about 2 days later... This has happened a couple of times to me... but anyway, OT.

    I just don't think these morons realise that they *do not* have the right to run whatever they want on your machine. The stated functionality is what it should do, nothing more, no matter how 'benign' it seems.

    Just my $91.25

    Simon

    --
    Simon

    The real linux_penguin has Slashdot ID 101961. Anyone else is an impostor. Including Bruce Perens.
  94. Aureate - MUST read by Tom7 · · Score: 1

    Check out this story on that site: http://grc.com/oo/aureate.htm

    Christ! I consider myself a pretty savvy user, and I had this advert.dll on my system. It's part of, for instance, Go!Zilla. (See list http://www.radiate.com/press/products.html ).

    Quick summary:

    - installs as part of other freeware without telling you
    - hides in your browser's address space to avoid detection by egress firewalls
    - specifically avoids removal when user attempts windows add/remove programs
    - periodically (insecurely) checks with the master server to see if there are "updates", then downloads and runs them

    If someone wants to ruin this company (and 22 million home users' day), a little DNS poison and a trojan would certainly do it.

    If you're a windows user, delete /windows/system/advert.dll now!

    1. Re:Aureate - MUST read by LiveFreeOrDie · · Score: 1

      I can't find the file on my computer, but I do have the following registry entry:


      HKEY_USERS\%username%\Software\Microsoft\Windows\CurrentVersion\Doc Find Spec MRU


      The funny thing is, I just recently reformatted and reinstalled Windows on this machine. I can count the third party apps that I have installed on one hand. Real Player is one of them....

    2. Re:Aureate - MUST read by LiveFreeOrDie · · Score: 1

      Actually, what you found was the storage where it keeps what you've recently searched for. All that said is that you have recently looked for advert.dll using the find file or folder... HTH. Rae


      Thanks. I feel better, but also a bit embarrassed. Back to the books....

    3. Re:Aureate - MUST read by OldHorton · · Score: 1

      I did the very same thing and there it was, advert.dll. I even went so far as to download OptOut and it found advert.ocx as well. It's a crying shame. I think I got it from CuteFTP. Not sure though.

  95. Re:Mattel and the Learning Company are screwed up by RickHunter · · Score: 1

    Glad to see someone posting something about that book on Slashdot. It is excellent, and really made me think about why most proprietary software was so bad. Unfortunately, there's one chapter (but only one) that I felt was a "blame the programmers, it's their fault, they act different" rant, but that's probably just me. He also doesn't cover Free Software, or even Open Sourced software, and the benefits it offers. In fact, as far as I could tell, a lot of the things he suggests are already being done by big Free Software/Open Source projects.

    And this little issue, that has popped up how many times this year, doesn't get addressed either, if I remember right. But I'm sure it's going to get a couple of chapters to it in the next edition (assuming he does one).


    -RickHunter
  96. Don't like to be paranoid... by skiy · · Score: 1

    How the hell does one know the Spyware scanners aren't spying on one?

    You can't tell unless it's open source.

    --
    skiy. www.Smokedot.org Drug Info, Rights, Laws, and Discussion
  97. Re:The workers would never have made such a mistak by tps12 · · Score: 1

    Dude. That wasn't even what Atlas Shrugged was about. It was in defense of the "robber barons" and exploitive capitalists. The importance of the workers has been acknowledged for a very long time. Ayn Rand was pointing out that, while labor is of course necessary for industry, skilled management is also essential to any kind of manufacturing.

    --

    Karma: Good (despite my invention of the Karma: sig)
  98. Re:With respect..actually scratch that.... by festers · · Score: 1

    I do believe this was a troll. Not a very good one, but a troll nevertheless. Let's try not to feed them :P


    --------

    --


    -------
    "Every artist is a cannibal, every poet is a thief."
  99. Windows Startup Programs by nachoboy · · Score: 1

    I highly recommend a utility written by Mike Lin which can be had for free at http://www.mlin.net/StartupCPL.shtml. It enumerates each and every program and service that will run at startup. It runs on any 32-bit Windows OS from Win95 Gold to Win2000. What distinguishes it from other programs of its type is that when you delete an entry, it only moves to a "Deleted" area so that if you find out things have crashed and burned after a reboot, all is not lost.
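
Added example, not part of the thread and not Mike Lin's utility: a small Python parser for a REGEDIT4 registry export that lists what sits under the Run/RunOnce/RunServices autostart keys and flags the names mentioned in this thread (DSSAgent, brodcast, advert.dll). The sample export, its paths and the `exampleuser` name are constructed; it also carries an MRU entry like the one in the Aureate sub-thread, to show that a search-history hit is not an autostart entry.

```python
import re

# Autostart keys honoured by Windows 9x/NT, matched case-insensitively as a key suffix.
AUTOSTART_SUFFIXES = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\runservices",
    r"\software\microsoft\windows\currentversion\runservicesonce",
)

# Names taken from this thread; extend with anything else you want flagged.
WATCHLIST = ("dssagent", "brodcast", "advert.dll")

# Constructed sample export: not captured from a real machine, all paths are made up.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"DSSAgent"="\"C:\\EXAMPLE\\DSSAGENT.EXE\""
"Updater"="C:\\EXAMPLE\\LOADER.EXE /load C:\\WINDOWS\\SYSTEM\\ADVERT.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Scheduler"="mstask.exe"

[HKEY_USERS\exampleuser\Software\Microsoft\Windows\CurrentVersion\Doc Find Spec MRU]
"a"="advert.dll"
'''

# A value line is  "name"=data  or  @=data ; names may contain escaped quotes.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a REGEDIT4 export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]              # new key section
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            continue                      # file header or a line we do not understand
        name, data = m.groups()
        if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue                      # dword:/hex: data is skipped in this example
        name = "(Default)" if name == "@" else _unescape(name[1:-1])
        yield key, name, _unescape(data[1:-1])


def autostart_entries(text):
    """Return every string value stored under an autostart key, with watchlist hits."""
    entries = []
    for key, name, data in parse_reg(text):
        if not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue                      # e.g. the MRU key: search history, not a launcher
        hits = [w for w in WATCHLIST if w in name.lower() or w in data.lower()]
        entries.append({"key": key, "name": name, "command": data, "watchlist": hits})
    return entries


if __name__ == "__main__":
    for e in autostart_entries(SAMPLE_REG):
        flag = "FLAG " if e["watchlist"] else "     "
        print(f'{flag}{e["key"]} :: {e["name"]} = {e["command"]}')
```
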

  100. Re:its not all closed source by webrunner · · Score: 1

    See, this is proof that people have to look at things differently. By their nature, open source or closed source doesn't make any software more secure. Open Source just fixes the bugs and holes quicker.

    ----
    Oh my god, Bear is driving! How can this be?

    --
    ADVENTURERS! - ANTIHERO FOR HIRE - CARDMASTER CONFLICT
  101. Re:Netscape quality feeback agent by quasimoto · · Score: 1
    True. If I recall correctly the netscape install program even asks (there is a check box) if you want to install it. Netscape 4.72 does, I don't know about any others. The only bad thing about having it installed on a machine that installs and checks a lot of different software is wasted time while it gathers information. I have since removed it.

    -d

  102. Re:What about this? by JackiePatti · · Score: 1

    If a parent or teacher behaves unethically and excuses that behavior on the basis of "it's for your own good," the behavior remains unethical. I'm a mother and find your idea abhorrent as hell - like reading my daughter's diary or something. It's not "OK" to do things to kids that are inappropriate to do to adults JUST because they're kids. You don't suddenly become a real person when you hit the age of majority; kids are people too, you know.

  103. Re:What about this? by JackiePatti · · Score: 1

    So telling them first makes it OK? How about I TELL you I'm gonna hack into your box and load it full of child porn and then call the cops? Is it OK for me to do this just cause I told you ahead of time?

  104. Re:Why open source is nice, part LXXVIII by gmarceau · · Score: 1

    I see two origins for our problem these days:

    "Not knowing the law is not an excuse for breaching it" and the fact that it takes at least three years of Law studies in college to learn it is quite an amazing contradiction of our society. The only reason why it works is that the law is kept in sync with what people expect from it.

    Now, people for now expect big companies that make unreasonable use of their computer, of their bandwidth, and of click-through licences to be punished. But this is not happening.

    We have to get the law back in sync with what people expect.

    I can only do an inspection of the car I buy to the extent of my competence, which is not much. I trust the courts to beat on GM if later the car I bought is found to be defective or plainly dangerous. That's why I can buy a car in peace without becoming a skilled mechanical engineer first.



    -

    --
    This post was compiled with `% gec -O`. email me if you need the sources
  105. Re:Makes me wonder... by softsign · · Score: 1
    Check out www.sysinternals.com. They have tons of stuff that will help you identify and kill rogue dlls and hidden background processes, even in Win98. These guys actually know what they're doing.

    Oh, and it's all freeware. =)

    --

  106. stupid pills by anonimato · · Score: 1

    What's wrong with Mattel... haven't they heard of all the bad press other companies doing this have gotten? Or maybe they just thought that they were too powerful and mighty to be bothered with such minute details. Someone take all the stupid pills away from Mattel.

    --
    -=[the machine masters the grim and the dumb]=-
    1. Re:stupid pills by John+Napkintosh · · Score: 1

      Not to mention the inability to close an italic tag...

      --

      Long signatures suck.
  107. UCITA anyone? by billyt007 · · Score: 1
    Consent is not just clicking a box -- parents need to send in a letter, a fax or an identifying e-mail message. There's no way to get legal consent through the installation process, and I certainly hadn't signed any permission forms.
    Well not anymore thanks to the UCITA, yep, you could actually allow a company to spy on your children just because you're a bit busy and your child REALLY wants this game installed, "please, right before you go to work!" After all it's just some reading software, so innocent, ok...
    But it turns out that even if you tell the installer that you don't want to use Brodcast, the installer puts the program on your computer anyway.
    Great, so now even if you do pay attention and don't give them permission they install it anyway! Terrific!
    "If the user doesn't want it, it is not enabled," Galdin says. But the program is still installed, she says, because it is part of the complete CD-ROM application.
    I bet, Mattel has always earned my trust!
    "Remember kids buy Barbie and GI Joe!"

    --
    Open Source, Open Standards, Open Minds
  108. the stupidest and most evil pronunciation by Annnoying+Coward · · Score: 1

    Only if you want to pronounce it in German. The slash-o is used in Danish and Norwegian. I believe it is pronounced in Norwegian like the ö here in Finland and there in Sweden. (That is, like the i in bird). I can't say anything about Danish pronunciation, it's so weird (I'm certain that Danes would say Finnish is so weird ;).

    --
    sigh
  109. Umm by ArchieBunker · · Score: 1

    If you read what someone posted about mattel they said it downloads a new jpeg splash screen. Then again I'm sure mattel really cares about your mailspool, windows registry, etc etc.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  110. Netscape quality feeback agent by ArchieBunker · · Score: 1

    How about jumping on Netscape's case for having this program? You don't know what it's sending. It's kind of funny they need a separate reporting app to log the crashes. IE never seems to crash at all.

    Ummm BTW it's not a trojan, a trojan is like the whacka mole game infected with netbus. This is an actual part of the software.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
    1. Re:Netscape quality feeback agent by Jason+Earl · · Score: 3

      A trojan is an advertisement server that steals my bandwidth (and possibly my private information) disguised as a children's game. The difference between Netscape's bug tracking software and this agent is quite obvious. Netscape's bug tracking software asks my permission. Mattel doesn't bother with something as old fashioned as permission.

  111. What about this? by cheesethegreat · · Score: 1

    The spyware that's being used by major companies is not bad in and of itself. It's bad because it's being used by bad people. What if we took the spyware used by these companies, and gave it to educational institutions and parents so that they could watch and control their children's internet access, without the knowledge of the child. This would be a great leap for child-protection, because the current programs are not very difficult for a computer-savvy adolescent to crack; but the spyware programs are very well designed. Just a few thoughts, please don't flame me. -- "Long live the chipmunks!"

    1. Re:What about this? by cheesethegreat · · Score: 1

      How about I TELL you I'm gonna hack into your box and load it full of child porn and then call the cops?

      First of all, please don't flame me.
      Second: The difference is that you are neither my legal guardian, nor are you trying to protect me. The use of spyware which I am suggesting is simply a way of discouraging children from accessing inappropriate web sites. I also think that this use of it should only be accesible to parents who want to protect their children. I'm sorry if you don't feel that way.

    2. Re:What about this? by cheesethegreat · · Score: 1

      I'm not suggesting that you do this without their knowledge, but let them know what you are doing. And make sure that they understand that you don't want them going on inappropriate websites.

  112. Re:The all mighty dollar by yzquxnet · · Score: 1

    Yeah, it probably isn't. But I always like to look at things at how they could be used rather than what they are used for. This program could very well have been just intended to allow the transmission of jpeg images. But what else could it possibly do. But yeah, it probably isn't anything big. But I guess most (or maybe just some) people don't like things going on that they are not aware of.

  113. Toys and Machine Guns by Dungeon+Dweller · · Score: 1

    Perhaps, to stay out of trouble, Mattel should just stick to toys and the M16, eh?

    --
    Eh...
    1. Re:Toys and Machine Guns by Dungeon+Dweller · · Score: 2

      I thought that Mattel manufactured a handful of the M16's used in Vietnam. Am I mistaken? I am pretty sure that they, or one of their subsidiaries have manufactured weapons.

      --
      Eh...
  114. Re:Laws? by krogoth · · Score: 1

    I'm in canada, so the law here might protect me a bit (although i don't really expect it). Even though i have DSL i use a firewall (ZoneAlarm 2) that will ask me for each program if i want it to use the internet....what's the name of the file? brodcast?

    --

    They that quote Benjamin Franklin on liberty and safety deserve neither.
  115. This is why UCITA and DMCA are illegal! by bitchazz · · Score: 1

    with these draconian restrictions on licensed use of products, you are not allowed to circumvent encryption to find out if a program may be invading your privacy or tracking you.

    Anyone know if this guy could be sued for bypassing the encrypted spyware?

  116. Could four moderators please moderate down? by bendude · · Score: 1

    This is obviously flame bait! Who the hell gave it a 4 interesting? Do I have to read every pedantic little troll on this site now? - or are we trying to /. hotmail today?





    Oh, and a big "HI!" to the ASIO computers who now have a general warrant to monitor all ELECTRONIC COMMUNICATIONS in Australia... and of course the ECHELON ones who pretty much cover it globally.

    --


    Get the Hell off my planet, you slimy mobster Bush!
  117. Re:SO - how does ordinary users protect themselves by bendude · · Score: 1

    "While laws will be required"!!!!!
    Give me a break - what if we put that kind of energy into educating the net community and the greater community so even more laws won't be required. Who is it that says "The more corrupt the state, the more laws it has" or words to that effect?

    --


    Get the Hell off my planet, you slimy mobster Bush!
  118. Re:How to Stop Spyware? by bendude · · Score: 1

    Have registered spyware.org.

    Send submissions to submitions@spyware.org

    Anyone who could be bothered helping with this service or providing information would be appreciated.

    --


    Get the Hell off my planet, you slimy mobster Bush!
  119. Is it really spyware? by Bodero · · Score: 1

    While I appreciate the criticism of Mattel (I do indeed, actually), this software appears to be nothing more than the auto-updater software that computer users have grown used to over the years. It didn't look like Broderbund had any evil intentions in this (except for the mysterious coding), it's nothing much more than a simple promotional program forced upon us. It's not spyware and it isn't apparent that it was intended as such. Although I appreciate the investigation of a 'feature' that should indeed be investigated, I believe this article provides a lot more FUD than new information.

  120. Re:Why You Need to Read the Risks Forum by Anomalous+Canard · · Score: 1

    If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems

    Now if PGN would only update it more frequently than monthly. :^/

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected

    --
    Anomalous: deviating from what is usual, normal, or expected
    Canard: a false or unfounded repor
  121. Re:spying on children too... risky indeed by bellings · · Score: 1

    I bet something much more serious than COPPA is at work here -- if brodcast really used PGP, then Mr. Garfinkel was smuggling munitions across the Atlantic on a Commercial Airline.

    Mr. Garfinkel probably broke several laws when he unknowingly brought those munitions through the Airport security and onto a commercial airline. But he admits in the article that he discovered those munitions once he was in the air, and makes no mention of warning the flight crew of these dangerous materials, or letting customs know what type of criminal smuggling he was involved in once he landed.

    The man shouldn't be writing for Salon. He should be in jail for a long, long, long time.

    --
    Slashdot is jumping the shark. I'm just driving the boat.
  122. Re:I wrote that code - I'll tell you what it does by driehuis · · Score: 1
    we went to great lengths to only try to talk to the server if ...

    This, of course, is the nub of the matter. When you write the code, you know sooner or later your clever hacks will go awry, and a small (but invariably growing over time) percentage of your customers will be screwed over. In this case, telephone costs, in others, Blue Screens and possibly loss of data.

    I feel for your plight, Mozes, and I'm very happy you spoke up about it. I'm all too aware of how the technically competent lose out against the managerial types ("we pay you for it, so stop complaining and fscking write it").

    --

    Bert Driehuis -- All I asked was a friggin' rotatin' chair. Throw me a bone here, people.

  123. invasion of the priacy act by starworks5 · · Score: 1

    I think that any company who has to resort to that type of methods to keep up in the market should be deemed anti-competitive. This is another example of people invading your privacy and no one caring.

  124. Mattel vs UK Government? by clickety6 · · Score: 1
    So Mattel sticks some software on my PC (without my knowledge) that sends PGP encrypted information over the network.

    The UK government then passes their new law and the police decide that they need to have the key to decode all outgoing messages on my PC else I face a prison sentence.

    I didn't even know Mattel was collecting the data, let alone what their PGP key is. What do I do?

    --
    ----------------------------------- My Other Sig Is Hilarious -----------------------------------
    1. Re:Mattel vs UK Government? by Scooby71 · · Score: 1

      Go directly to Jail, do not pass Go, do not collect £200?

  125. Re:spying on children too... risky indeed by Frank+T.+Lofaro+Jr. · · Score: 1
    Kill that exe, call tech support and claim the game doesn't work. Don't mention killing the ad program. Waste their time. Mention you have software that deletes anything that accesses the Internet without your permission automatically. After you've spent a lot of time on it. Repeat this process.

    Use the EULA refund provision. If they want their EULA, then they need to play by the rules. Such as when you buy a game it doesn't contain a Trojan horse and certainly not require it to run.

    What did the program say if you removed that file? Give an error? Anything admitting what it did?

    You could try replacing the exe with a program which runs and does nothing. If you are really clueful, make a DLL wrapper that makes any IP calls to talk to remote IPs say successful, returning all requested bytes, but not actually communicate anything.

    --
    Just because it CAN be done, doesn't mean it should!
  126. Re:What do your examples have to do with anything? by startled · · Score: 1

    First off, if your "average e-shopper" is so worried about electronic privacy, then what are they doing e-shopping? Do you have any statistics to back up your statement that they are "so" worried about it?

    They ARE worried about it, they're just fairly ignorant. As far as evidence, sorry, but I don't think my company would allow me to post the thousands of e-mails we have asking if our e-commerce transactions are secure. Just about everyone who used it asked; we had to put a lot of messages about it all over so people would stop hitting customer service with it so much, and they still ask many, many times a day.

    Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not.

    Again, if we're talking about the "average" user, they don't even go in and change their preferences. So is open source going to help the "average" user? Not directly. It all falls to the people who know what they're doing to make the DEFAULT setting correct. For example...

    If you get tricked into running something bad, the presence or absence of source isn't going to help you.

    By default, Outlook shouldn't have allowed vbs's to do that kind of damage. They finally issued a patch, after months of denial from smaller viruses found earlier. Lots of users aren't going to even install the patch. But sysadmins and such will. And if OUTLOOK was open source (I'm pretty sure you intentionally "mis-heard" him when you decided he was saying only the ILOVEYOU virus should be open source), the patch would have come along sooner, as shown from many a slashdot story on those sorts of studies between patch speed between open source and closed source.

  127. Re:What do your examples have to do with anything? by Refrag · · Score: 1

    ZicoKnows,

    I believe that the point he was trying to make is that because Microsoft Lookout, I mean Outlook, is not open source; ILOVEYOU.TXT.vbs exploited security holes that could have been identified and fixed under an OSS model.

    Refrag

    --
    I have a website. It's about Macs.
  128. Re:Makes me wonder... by prot0z · · Score: 1

    oh yes, i'm having a lot of trouble when i try to kill that HAL.DLL and GDI32.DLL. don't know why.

  129. Re:Makes me wonder... by prot0z · · Score: 1

    but *why* is this HAL.DLL calling me Dave when i try to extract my DIMMs modules ?

  130. Re: Mattel and the Learning Company by huie · · Score: 1
    As has already been mentioned, Mattel has a new CEO as of May 17. But the story of Mattel and the Learning Company isn't over yet - because the purchase of the Learning Company has caused so many problems (especially to the bottom line), Mattel is trying to sell the Learning Company.

    Incidentally, from the report I read, TLC only lost $206 million last year (vs. the $1.1 billion total mentioned in a previous posting)

    However, will Mattel stop screwing up? It depends on what they decide to do even when the new CEO, Robert Eckert, says, "It's clear consumers have become more adept at new technology...We need to capitalize on the opportunities that creates." I wonder how they'll capitalize on these opportunities?

    -mark

  131. Re:Laws? by fedos · · Score: 1
    It's Brodcast, but apparently the name DSSAgent is what shows up as the name of the program that's running. Watch out for either.

  132. Mattel EULA? by vergil · · Score: 1

    Does anyone know if Mattel software comes equipped with EULAs that would purport to sanction this type of activity?

    Vergil Bushnell
    Consumer Project on Technology
    email: vbushnell@cptech.org

  133. Re:Hands up who actually inspects it all by Ig0r · · Score: 1

    The point isn't that you should read the source for everything you use, it's that you can. Just like the analogy of a car with its hood welded shut, most people would never have the need to open the hood and mess around inside, but if you do feel the need you're free to do so.

    --
    Soma: because a gramme is better than a damn.
  134. Re:What do your examples have to do with anything? by kirkb · · Score: 1
    Are you truly 15 years old or do you just prefer to act like you are? To respond to a reasonable, believable statement with "Do you have any statistics to back up your statement" really shows off a moral and intellectual deficit.

    From an intellectual standpoint -- If you truly doubt the validity of what Mr. Vining has said, then the non-weasel response would be "I believe that your statement is incorrect". This would then provide Mr. Vining (or anyone else) an opportunity to validate his position (using statistics or whatever other method is deemed appropriate).

    From a moral standpoint -- By requesting that a person go out and find some statistics in order to gain your approval of their statements, it shows that you have little regard for them or their time. Conversely, it shows that you probably think much too highly of yourself. If *you* doubt his statements, then why don't *you* go look for the statistics that would prove or disprove them?

    --
    Slashdot: come for the pedantry, stay for the condescension.
  135. Re:Why You Need to Read the Risks Forum by kirkb · · Score: 1
    Although I certainly don't have any reasons to defend NT, I don't think that it's fair to blame the OS for a bad programming practice [not preventing/handling a Div0]. I *do* understand how a Div0 is handled by a more robust OS, but realistically, it would still kill the app. It's still the programmer's job to recover the app/system in such instances.

    --
    Slashdot: come for the pedantry, stay for the condescension.
  136. Re:Get a grip by duckyd · · Score: 1

    word up. glad to hear someone talk sense

  137. Re:Makes me wonder... by Landaras · · Score: 1

    Run msconfig.exe. That allows you to see all of the programs that run on startup, as well as giving you easy access to your system.ini, win.ini, autoexec.bat, and config.sys files. I know msconfig is available in Win98, although I'm not certain if it exists under NT (I know it's not in Win2000, because that's what I run).

  138. Nothing to do with spying on kids! by ChiaBen · · Score: 1

    I actually took the time to read this article...

    It had a quote from a Mattel spokeswoman stating (paraphrased) that the software would tell Mattel when the last time the game was run, and then download jpg's and update info to the game.

    This sounds goofy, but I'll take their word until it is proven otherwise.

    It doesn't say anything about getting info about kids, so perhaps we should be a little less jumpy about this stuff. Also, don't cry about it when misinformed people complain about open-source, hackers, and Napster if y'all are gonna be just as paranoid about children's games.

    regards,
    Benjamin Carlson

    --
    "If voting could really change things, it would be illegal. " - Revolution Books, NY
  139. Re:I wrote that code - I'll tell you what it does by tim.holt · · Score: 1

    Interesting -- see this thread at Treemaker Geneology Forum where there is some info on it. The official company explanation fits exactly with the above description.

  140. AKA - Firewall by Asmordean · · Score: 1

    ZoneAlarm does this. It asks you for permission to let a program access the net every time there is an attempt. You can authorize per session or forever.

  141. Re:What disappoints me... by StormyMonday · · Score: 1

    The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.

    The ACM and the IEEE consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice in a number of places, to wit:

    Coupla problems:

    1. Not everybody is a member of ACM or IEEE. (IMHO, if you're not a member of both, you're simply not a professional.)
    2. Even for those who are members, not everybody subscribes to the Code of Ethics. You don't have to sign it to join.
    3. The Code is toothless. Violate it and nobody will say "boo" to you.
    4. Most programmers, at some time or other, find themselves in a situation where the boss says "This is *not* unethical. Do it or you're fired". Don't say what you'd do in this situation until it happens ....

    The biggest point, however, is that there can be honest disagreements about how the Code applies to a particular piece of software. For example, most folks would agree that a Webpage hit counter is not unethical, while mailing a user's address books to the company is unethical. Everything else is in the middle. I'm sure that the Mattel programmers see their spyware as not that much different from a hit counter or a banner ad generator.

    It's awfully easy to say "But we would *never* do anything nasty" and look the other way.

    --
    Welcome to the Turing Tarpit, where everything is possible but nothing interesting is easy.
  142. Don't Worry! It'll get worse! by Beatbyte · · Score: 1

    I'm worried about this only in the future tense. As of now I can pull the plug from my modem. In the future, I think there are going to be more of these internal secrets, possibly even requiring or quiet dialing/accessing the site to send and receive information. Either way, the people that bought the product bought the product, not the advertisements, nor were they warned. I would be very irritated.

  143. Re:read www.softwareconspiracy.com by ericdewey · · Score: 1

    Well, that certainly makes sense. If any of you saw Win2K in the early NT5 beta stages, you may have noticed that while the services and networking did not function at all, the Open-GL enabled GUI was great. Now tell me again how fade-out menus help your fileserver......

  144. a talk with a broderbund employee by anon27 · · Score: 1

    tonight i had the surprise honor of getting to meet with a broderbund/mattel interactive employee at an awards ceremony. This employee had worked on the children's software that used this agent, she told me that during development whether or not to include the agent to talk to the server was a very controversial topic, most employees did not want it, but management did, and management won. But unfortunately she could not tell me what data the agent sends out.

  145. Re:Laws? by -Harlequin- · · Score: 1

    There is (very recent).
    Now I'm hoping to see a fireworks display :-)

  146. the stupidest and most evil thing by streetlawyer · · Score: 1

    that Mattel have done is to suffer the existence of a product whose name ("Brodcast") a) is a lousy pun and b) only makes sense if you mispronounce the name of the parent company, which has a Scandinavian o-slash rather than an o. People like this should be repeatedly beaten about the body with barbed wire whips.

    1. Re:the stupidest and most evil thing by Zach+Baker · · Score: 2
      that Mattel have done is to suffer the existence of a product whose name ("Brodcast") a) is a lousy pun and b) only makes sense if you mispronounce the name of the parent company, which has a Scandinavian o-slash rather than an o.

      I don't think that's necessarily true -- after all, wouldn't that Scandinavian vowel make it pronounced broodcast?! (dramatic music...)

  147. Re:Mattel Criminalises Users? by simstim · · Score: 1

    A more comprehensive website about the RIP Bill is at Stand's site

  148. Re:ZoneAlarm firewall - a few problems by inonurmi · · Score: 1

    I have been using ZoneAlarm for a few months, and it seems to work well. However I have two problems with it.
    1) I found that some programs such as Quicktime, and RealPlayer, can use your browser's TCP connections, so ZoneAlarm won't always alert you to them.
    2) ZoneAlarm seems to run a logging program that stores all connection details (connections made, URLs visited, applications used) to a file called c:\windows\internet logs\YOURCOMPUTERNAME.ldb. There does not seem to be a way to turn this feature off. Even if ZoneAlarm is not running, there seems to be some threads that automatically start when windows starts up, that write to the log files. This is a privacy risk.

  149. Re:ZoneAlarm firewall - a few problems by inonurmi · · Score: 1
    I believe all you have to do is call up the ZoneAlarm console, click the Alerts tab, and deselect "Log to a text file".

    This feature only turns off the Alerts text file, NOT the URL database file.
  150. Re:Database Nation by DustyHodges · · Score: 1

    Thank you my friend. I seriously hope that things like this are capable of bringing a wake up call to all of those in America who allow everything their children learn to come from the television and the computer. To show them that, indeed, those who we trust with such duties are as corrupt as our politicians.

    I want to see an America where parents pay attention to their children, shower them with love, and teach them all of the beauty and love of Natalie Portman.

    Thank you.

  151. Re:What do your examples have to do with anything? by EricEldred · · Score: 1

    I have one Windows machine I use for a few purposes running Windows98. I heard about the Outlook patch you mention and went to the download page. There is a logo after the notice of the file, and the logo says 98/97, meaning for Outlook 98 and 97, like the other files are.

    After I downloaded the patch and tried to install it, it refused and told me the patch was only for Outlook 98, not the Outlook 97 that I apparently have. Consequently I have the choice of paying money to upgrade to Outlook 98, or to stop using Outlook completely because of the security problem.

    I decided to uninstall Outlook 97. Your statement that Outlook has been patched to prevent the .vgs virus is apparently not correct. If you have better information, please let me know. Otherwise I will continue using open source software that I can patch myself.

  152. Re:Why does Quicken run all the time? by warkeng · · Score: 1

    No it's not Bill Minder that is running all the time. Bill Minder starts, checks the database for bills that are due, then it shuts down again.

    There is another program Quicken (Canadian Version - Quicken 2000) installs that does live in the startup group. Something called Quicken Startup (qwdlls.exe). Near as I can tell this "program" pre-loads Quicken's DLLs into memory. This is so the application starts faster.

    It's similar to an M$ Office program called OSA.exe (called office startup? - nuked that shortcut long ago!) Real Player sort of does the same thing but at least Real has an option to disable this non-feature.

    Found out about these non-features by examining every running process (in Wintop) and then searching for every file listed (had to get out the hex editor for a couple of them). Can anyone tell me what MPR.exe in win98. Me thinks its a multiprotocol router but need to know why that one is running.

    --
    -- Spammers: My E-mail server is in California. Consider yourself warned.
  153. Missed a point there, I think by FooRat · · Score: 1

    "Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not. If not, it seems like a pretty accurate warning, giving you the option to install plugins that you might want, like from Macromedia, but telling you that installing one from somebody you know nothing about might not be such a hot idea"

    I think you may have missed the guy's point about IE warning you constantly about untrusted stuff, he wasn't saying that that bothered him, his point was that he found it surprising that even though people get warned a lot not to trust stuff from Joe Company, that they still trust stuff from Joe Company.

  154. Intercept the transmission by jelizondo · · Score: 1

    You can use ZoneAlarm (http://www.zonelabs.com) to stop ANY program attempting to use your internet connection without permission. It is a bit of a hassle to grant permissions manually to each program, but it ensures you know what programs are accessing the internet from your computer.

    --
    Be very, very careful what you put into that head, because you will never, ever get it out. - Cardinal Wolsey
  155. Why Just Children? by Cinquain · · Score: 1

    Why do we protect only children? Why are the rest of us subject to spying? While I don't want anyone to take advantage of my children, I certainly don't want to give them permission to take advantage of me? Why is the default value "take advantage of anyone not specifically protected?"

  156. First thing we do... by queasymoto · · Score: 1

    let's kill all the managers. It seems to me like we can track 99% of the crap out there in the computer world nowadays to managers saying "Wouldn't it be neat if, in addition to everything users wanted, we could get the software to do (x) for the guys in (department) too?"

  157. Re:How to Stop Spyware? by Yanna · · Score: 1

    Actually the offender may not even know that he is attempting to connect to your machine. The latest DoS attack tools operate in a network form without the offender even knowing he is packeting a third party. That's basically the way something like Stacheldrecht (sp?) works. You are infected by a "virus" and your box serves as a distribution tool sending packets to another server. Unless you keep an eye on your firewall logs, you won't even notice what your boxes are doing while connected to the Internet.

    The best thing you can do is filter your firewall logs, make sure it's illegal incoming traffic and then report them to abuse@the culprit's provider.

  158. Re:Makes me wonder... by eudas · · Score: 1

    especially if someone disguises the BO trojan as a BO client prog... ;) then you'd just end up infecting yourself for real, heh.

    eudas

    --
    Blessed is he who expects the worst, for he shall not be disappointed.
  159. It looks like what we need is .. by OzPeter · · Score: 1

    a reverse firewall. One that only lets *out* messages from software that we nominate as being safe to do so. And also logs attempts by non-nominated programs that try and sneak stuff by.

    --
    I am Slashdot. Are you Slashdot as well?
  160. Re:Is that news? by bwalling · · Score: 1

    Yes it's annoying sometimes when (gasp!) someone has a different opinion to you but hey, that's democracy :)

    Tsk, tsk! The US (and several other countries) is a democracy. This site has a world audience.

  161. Re:I wrote that code - I'll tell you what it does by kaosmunkee · · Score: 1
    Quoting Mr. Coward:
    (of course, we still aren't exactly sure what NSA Key is really used for)
    This is just silly. If you want to know what the RSA key is used for, read the following, which I quote from the original post:
    The PGP signing is to make sure nobody can hijack the URL and send bogus images. There is no encryption. Try this: take the XML page, remove the signature (between SIG and /SIG), run the rest of the page through PGP with the key that a previous poster pulled out of dssagent.exe, and they *should* match. Nothing really secret here.
    The whole point of the RSA key is to protect you from some cracker deciding that it'd be funny to show a porno splashscreen on your kid's copy of Math Workshop. Every block of image data that is transferred is signed by the company so that the client knows it's legitimate.

    Here's a thought: If you want to see what gets transferred back and forth, do the following:
    • Edit the INI file to set the interval to something like 60 seconds
    • Fire up a packet sniffer like Ethereal
    • Launch the DSSAgent
    You now get to see what's transferred to and from Mattel. Pretty simple to prove or disprove that your private data is not being sent off to some evil database for questionable purposes.

    Off the immediate topic, I'd like to mention that a large number of posters here seem to read a headline and post a response to the article before reading the article or at the very least before reading the whole article. I also think that a lot of people forget that humans tend to believe a lot of what they read without external verification -- a trend that needs to change in this "age" of information overload.

    Your mileage may vary -- don't forget to change your oil every 3000 clicks.
  162. With respect..actually scratch that.... by robholland · · Score: 1

    If you don't like it don't read it.

    How often have you been forced to read Slashdot? Have you even read it before?

    I've not seen a story saying "Hurrah for the murderers!!" recently as far as I can remember.

  163. Re:The Really Ironic thing is by Anonymous+Karma · · Score: 1

    No, but if they asked for your phone number (which they likely did) they are now tracking your purchases anyway.

    --

    If anybody has a copy of Rhapsody for Intel to give away, drop me an email.

  164. Re:They can pay for the phone calls... by Anonymous+Karma · · Score: 1

    Actually, I believe there's a windows API hook to tell if you're dialed up. Sorry.

    --

    If anybody has a copy of Rhapsody for Intel to give away, drop me an email.

  165. Re:Database Nation by Cool+Man · · Score: 1

    Thanks for the message! The world needs more people like you.

    The only problem is that sometimes I wonder if nothing short of a revolution will change the world as we know it.

    Never give up hope, never stop trying!

  166. Re:How to Stop Spyware? by Cool+Man · · Score: 1

    Now this is what I call a real piece of crap... A fucking winamp plugin contacting the net!

    I'm pissed, suffice it to say. Perhaps a web page listing all the known spyware is an EXCELLENT idea. Let's publicly humiliate companies until they succumb to the collective will of the people and respect our god-given privacy.

    Thanks a lot for this information, you have greatly aided me.

  167. How to Stop Spyware? by Cool+Man · · Score: 1

    After all the recent cases of spyware being shipped with products, I was wondering if posting the results of anomalies that my firewall has picked up to the web would be a good idea.

    I am on a cable modem, and I continually see attempted connections to my TCP port 27374. This is a port used by the well known Win9x trojan SubSeven (sub7) found here. It is similar to netbus and back orifice but the new version sports a plugin design. This is in order to facilitate infections with its server that is only 57k. All other features are implemented by uploading dlls when the first connection to the infected box is made.

    I have noticed that many of the scans have originated from other cable modem subscribers, and thus posting the IPs of these attackers might discourage them in the future. Then again, after that fruit posted fake sex pics of kids to the gnutella network and logged IPs, I'm not so sure it's a good idea. How can I stop these little turds from being such a nuisance?

    I have considered stalking the offenders, but it is a lengthy process, and I'm not sure it is worth the effort (though it does give some quick satisfaction, something like creaming my shorts, when I use his tools against him after pretending to be Tammy17 in heat)

    In short, I'm fed up with these little fruity turds, and I appreciate the slashdot expertise in security matters, and natalie portman's pouty teenage breasts.

    By the way, I use ZoneAlarm on my Win9x computer, available here. It is a basic firewall that can log attacks and does not accept or deny connections that you don't allow, thereby placing your computer in "stealth mode." It is free as in beer, and I recommend it for any of your friends or family that lack the technical expertise required to use linux, which is obviously a wiser choice in such matters.

    On a related note, ZoneAlarm has logged many attempts by a program named "wcmdmgr" to access the internet. I have denied it access to the internet, though I am very curious as to its nature. If you have any information regarding it or its hell spawn, please reply to this post.

    I thank you for your time and expertise.

    --

    I have noticed recently that my girlfriend looks VerY similar to natalie portman. I started going out with her after my obsession had started (thanks to opensourceman and his HOWTO). I wonder if my subconscious desire for np influenced my selection of a petite young lady with pouty teenage breasts and pouty teenage lips.
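
Added example (not part of any post in this thread, and not any firewall product's own code): the log triage suggested in comments 157, 159 and 167, grouping inbound attempts on TCP 27374 by source for an abuse report and listing programs that tried to connect out without approval. The log format, addresses, allow-list and function names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address

SUBSEVEN_PORT = 27374  # TCP port the post above associates with SubSeven

# Assumed allow-list: programs the user has approved for outbound access.
EGRESS_ALLOW = {"iexplore.exe", "winamp.exe"}

# Constructed sample log (not a real product format):
# time, direction, protocol, remote IP, port, program
SAMPLE_LOG = """\
2000-06-01T20:01:12,IN,TCP,192.0.2.10,27374,-
2000-06-01T20:01:15,IN,TCP,192.0.2.10,27374,-
2000-06-01T20:03:40,OUT,TCP,198.51.100.7,80,IEXPLORE.EXE
2000-06-01T20:04:02,OUT,TCP,203.0.113.25,80,DSSAGENT.EXE
2000-06-01T20:09:51,IN,TCP,192.0.2.77,27374,-
2000-06-01T20:10:05,IN,TCP,192.0.2.10,139,-
this line is truncated
2000-06-01T20:15:30,OUT,TCP,203.0.113.25,80,dssagent.exe
2000-06-01T20:16:44,OUT,TCP,203.0.113.90,80,wcmdmgr.exe
2000-06-01T21:30:00,IN,TCP,192.0.2.10,27374,-
"""


def parse_log(text):
    """Return (entries, rejected): parsed rows and the count of unusable lines."""
    entries, rejected = [], 0
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        try:
            when, direction, proto, remote, port, program = (f.strip() for f in row)
            entry = {
                "time": when,
                "dir": direction.upper(),
                "proto": proto.upper(),
                "remote": str(ip_address(remote)),  # rejects malformed addresses
                "port": int(port),
                "program": program.lower(),  # Windows file names are case-insensitive
            }
        except ValueError:  # wrong field count, bad IP or bad port
            rejected += 1
            continue
        if entry["dir"] not in ("IN", "OUT"):
            rejected += 1
            continue
        entries.append(entry)
    return entries, rejected


def inbound_scans(entries, port=SUBSEVEN_PORT):
    """Group inbound TCP attempts on `port` by source address."""
    scans = {}
    for e in entries:
        if e["dir"] == "IN" and e["proto"] == "TCP" and e["port"] == port:
            s = scans.setdefault(
                e["remote"], {"count": 0, "first": e["time"], "last": e["time"]}
            )
            s["count"] += 1
            # ISO 8601 timestamps sort correctly as plain strings.
            s["first"] = min(s["first"], e["time"])
            s["last"] = max(s["last"], e["time"])
    return scans


def unapproved_egress(entries, allow=EGRESS_ALLOW):
    """Map each unapproved program that tried to connect out to its destinations."""
    seen = defaultdict(set)
    for e in entries:
        if e["dir"] == "OUT" and e["program"] not in allow:
            seen[e["program"]].add((e["remote"], e["port"]))
    return {prog: sorted(dests) for prog, dests in seen.items()}


def abuse_report(source, info, port=SUBSEVEN_PORT):
    """Text for the source network's abuse contact, stating only what the log shows.

    The source may itself be an infected machine, so the report makes no claim
    about who is behind it.
    """
    return (
        f"Unsolicited inbound TCP connection attempts to port {port} from {source}: "
        f"{info['count']} between {info['first']} and {info['last']} "
        "(timestamps as recorded by my firewall)."
    )


if __name__ == "__main__":
    entries, rejected = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries parsed, {rejected} rejected")
    for src, info in sorted(inbound_scans(entries).items()):
        print(abuse_report(src, info))
    for prog, dests in sorted(unapproved_egress(entries).items()):
        print(f"unapproved outbound attempt: {prog} -> {dests}")
```
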

  168. Re:Database Nation by Cool+Man · · Score: 1

    that was an apt description of us and our kids:

    consumer pods

    stunning imagery

  169. Re:The workers would never have made such a mistak by Cool+Man · · Score: 1

    What we need is a coders ethic. e.g.: Thou shall not infringe upon the privacy of lusers, for they shall execute thy code.

    This ethic shall be named "The CODA ethIc" The miscaps are there to make it 'hip-looking'

    Praise NP for she is of pouty teenage breast!

  170. Re:explanation from the learning company by Cool+Man · · Score: 1

    WHY the fuck would they want to change the splash screen?!

    Give me one good reason!

  171. The Software Engineering Community by herve76 · · Score: 1

    Software-Engineer.org is a new website dedicated to the FREE information sharing between software engineers (i.e. industrials, faculty members and students). The website is now available online, and already 100 software engineers worldwide have become contributors and share their expertise every day by posting links, news, articles, and messages.

  172. Re:Mattel Criminalises Users? by Scooby71 · · Score: 1

    Thanks, I've seen it, just thought that the BBC may offer a more balanced introduction. Stand has a particular agenda in this case.

  173. Finnish is weird by cornboy_99 · · Score: 1

    Norwegian, Swedish, and Danish are all about the same (they can understand each other), but Finnish is funky! You are correct about the 'bird' thing though. Oh, and Finland has the most beautiful women in the world.

  174. Re:Why You Need to Read the Risks Forum by AndrewD · · Score: 1

    I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. ... suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written.

    If I had a penny for every time someone in my profession made a bone-headed error like this in the use of IT, I'd be posting this from the Cayman Islands. Or rather, I probably wouldn't. I'd be able to pay someone to post it for me...

    It's worth pointing out, though, that the reason this happened wasn't the technology as such, but the fact that the lawyer concerned regarded the use of a word-processor as beneath his/her dignity.

    You'd be amazed (actually, you probably wouldn't, you probably know the same kind of people as me) at how many people in professional and managerial positions regard the use of IT as something the peons do. It goes like this:

    My secretary uses the word-processor. She is socially inferior to me. Ergo, use of a word-processor, or even knowing how to use one, is the mark of an inferior. Ultimate conclusion: I should disavow any knowledge of how these things work in order to establish my status.

    Hence the phenomenon of senior management stating, with evident pride, that they don't even know where the power switch is, a matter which my eldest son mastered at the age of two years.

    Andrew D

    --

    -- AndrewD

    A Maze of Twisty Little Laws, All Different.

  175. Re:Laws? by Anonymous Coward · · Score: 2
    IANAL, but... CPC 502 (I think)

    It's illegal in California to obtain information from someone's machine without explicit consent. Note that:

    (a) The law includes Trojan Horses, which would possibly include this "Brodcast" utility, given that it wasn't explicitly described in the product documentation.

    (b) The wording is "information" not "private information"

    ie, *anything* that is taken from your machine without you knowing about it...

    In fact, this is a jailable offence, and is done on a per-infraction basis, so every installation would count...

    Hopefully, sometime soon, a couple of CEO's will be put inside for this kind of thing pour encourager les autres...

  176. Re:Can you imagine... by Alex+Belits · · Score: 2

    ... a Beowulf cluster of these?

    ...called barbie@home and doing Mattel's accounting. With no security and multiple-checking, so I can make a rigged client and redirect their CEO's salary to ACLU and EFF.

    --
    Contrary to the popular belief, there indeed is no God.
  177. Re:Why You Need to Read the Risks Forum by Phroggy · · Score: 2
    I agree with you.

    I think some have tried to argue that this wouldn't have happened with a UNIX-based OS, because the software developers who write apps for UNIX pay more attention to details like error trapping than those who write Windows apps do. It's really unfair to generalize like that (although the generalization does seem to be true a lot of the time).

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  178. Mattel felony, as I read it! by coats · · Score: 2
    As I read the law, Mattel should be in for it. I just sent Mr. Garfinkel the following:
    Dear Mr. Garfinkel, I am not a lawyer, but it seems to me that the US Code, Title 18, Part 1, Chapter 47, Section 1030 (which you can find on-line at Cornell Law School's Legal Information Institute, at URL http://www4.law.cornell.edu/us code/18/1030.text.html, is relevant in this case.

    Given that you are a journalist working for a publication engaged in interstate commerce, by subsection (D)(2)(b), your computer is a "protected computer" under the definitions of this Act. Under the definitions of (E)(5), Mattel's actions constituted "unauthorized access." Mattel is guilty of a felony. You and _Salon_ should sue them for damages, and make sure you include massive punitive damages while you're at it, because of the nature of this crime (not just a crime against you and _Salon_, but also a crime Against The Children, to quote our First Lady, and one that strikes at the heart of society's foundations -- and also "pour encourager les autres" who also want to engage in this sort of spying.

    --
    "My opinions are my own, and I've got *lots* of them!"
  179. Put them in the slammer(was :But Mattel _asks_) by coats · · Score: 2
    This is quite interesting considering the fact that the installer didn't mention anything about Brodcast until after the Children's Online Privacy Protection Act went into effect.
    As I read Title 18, Part I, Chapter 47, Section 1030, paragraph (2)(B) someone at Mattel should be in for 5 years in the slammer.

    --
    "My opinions are my own, and I've got *lots* of them!"
  180. Re:its not all closed source by sjames · · Score: 2

    90% of linux users praise its greatness, then download a tarball, ./configure;make;make install without reading it. Good job.

    Naturally, nobody ACTUALLY has the time to go over every last line of source for a distro + hand dis-assemble gcc to make sure it doesn't have the login trojan in it (I don't think gcc ever did, but some cc's did).

    It's the other 10% that do look at some part of the source code that keeps everyone honest. Surely, out of a million users, if 100,000 look at the source code, spyware would be detected and reported fairly quickly. There could be no question of EXACTLY what information was gathered and who received it. There could be no denying that the code was there. There could be no excuses about downloading updates or other such nonsense.

  181. Re:Mattel and the Learning Company are screwed up by jafac · · Score: 2

    This is not necessarily wholly the fault of the software manufacturer.

    For example, my company had this product, we tested it, beta tested it, we had a schedule, it was looking good to be completed by date X. We started the ad campaign, made announcements, gave eval copies to magazines to write reviews.

    Then, the day we were to ship it, we all sat down and marveled at the quality and feature-set of our amazing creation, and signed the papers.
    Then, our IT group, who was running a large-scale test, noticed a problem. There was no backing out of shipment at this point, the master was in the duplicator, tens of thousands of dollars of manufacturing costs, plus our reputation with the press (all important in this competitive industry) were all on the line. We rolled up our sleeves and went to work on the problem. We loaded up debuggers. Programmers, who had just spent the previous six weeks working seven twelve hour days a week, were in on the weekend again. The problem could not be reproduced on any other hardware but this IT server. The debugger showed the calls to the OS, and the return codes just not coming back. The OS was NT. It was starting to look like a hardware problem. whew. Sigh of relief.

    The problem is - whether we like it or not, bad hardware exists out there. Whether we're talking about a failing 5-year old 3com ISA network card in some secretary's 486, or a brand new $50,000 RAID Array from Compaq. You'd think that universally, bad hardware should give software certain set responses, so the software knows enough to tell the user; "gee, I made a call down the stack to the network card, but the card didn't respond within the normally allotted timeout range, so it sure looks like your NIC is in need of replacement". But that's not always the case. Yes, properly designed software should have the heuristics to anticipate hardware failure, and behave accordingly, in a way that the user can tell what the fuck is going on, and do something constructive about it, rather than call our tech support and make us troubleshoot bad or misconfigured hardware. But in reality, that software sits on a piece of shit proprietary OS, and API framework, and is reliant on those for its ability to do stuff - intelligent or not. And don't give me that "open source is better" crap, because there is NO operating system that is even remotely OK at handling these kinds of scenarios.

    We ended up shipping the software. Fortunately, this time, the specific hardware problem that caused the error was unique to our equipment. But I've been in this industry for 8 years, and I've seen scenarios caused by bugs in the underlying OS (*cough* NOVELL *cough*) that lost us ten million dollar contracts, I've seen problems caused by a frayed SCSI connector that required me to fly to Dallas four times, because I was dumb enough to believe the IT guy who said he checked back there and everything was okay, and I've seen problems that only happened with OUR software, with one specific brand of network card, and it was because we had tried to push another vendor's broken standard.
    And, I've seen overzealous marketers push schedules so aggressively, that the finished product would be classified as pre-beta. (Marketers don't seem to understand that software is kind of like having a baby, you can't take nine mothers, and have a baby in one month).
    And, I've seen more cases than I care to count, where a problem is found in testing, but could not be duplicated, so it's left alone (everything humanly possible was done to try to fix the problem, but if it couldn't be identified, or localized, then what could be done), and the problem ends up cropping up in the finished product, on perhaps one in a thousand customer systems.

    In the end, yes, shit happens at software manufacturers. Schedules are tight, competition is very fierce. But we're all forced to write software that runs on a crap OS, running on crap hardware, and no matter how much human effort you put into it, you can't polish a turd.

    Does this industry need some kind of watchdog, some kind of consumer group and independent testing body? Absolutely. No doubt about it - so much is riding on it.
    But will it happen?
    Not while these companies are making campaign contributions to the lawmakers.

    Which again, I state is the fault of all you idiots who voted for G-Dubbya in the republican primary, instead of McCain.

    If it ain't broke, fix it 'til it is!

    --

    These are my friends, See how they glisten. See this one shine, how he smiles in the light.
  182. Re:What disappoints me... by peter+hoffman · · Score: 2

    Btw: the rationale for why we are exempt is not actually because we are "professionals" (which, traditionally, has implied licensing).

    The rationale is in the U.S. Code, Title 29 (Labor), Chapter 8 (Fair Labor Standards), Section 213 (Exemptions).

    If you enjoy paranoia, you could say it looks like a collusion between Washington lawyers and Silicon Valley executives to keep IT salaries from approaching those of Washington lawyers or Silicon Valley executives! Of course, just because you are paranoid it doesn't mean they aren't out to get you! :-)

    I don't know much about it but there is a "Programmer's Guild" that has started. Their URL is http://www.colosseumbuilders.com/american.htm.

    There is no reason why people in IT should not have the same pay and societal status as doctors and lawyers. To accomplish that objective, I would propose that in order to legally practice software development a person:

    • Should have graduated from an accredited program with a B.S. in [something appropriate to be determined]
    • Should pass a state regulatory exam
    • Should have to maintain an audit trail of their work so that personal accountability can be maintained

    Yes, these are onerous artificial barriers to entry but so are the barriers that the AMA and ABA put up for their members. It is the barrier to entry that gives doctors and lawyers what they have.

    To garner the support of people already in the field, there should be a grandfather clause. FOO years of documented experience will get you in. BAR years of documented experience and a degree in BAZ will also get you in.

    There would be a genuine benefit to society by doing this as well. By requiring licensed professionals, the releasing of untested and buggy programs would be greatly reduced as the law would now be on our side instead of the side of the PHB.

    The same way that the crash of an airplane or the collapse of a structure now causes a public outcry and an investigation into why it happened and how to prevent it from happening again, there would be an investigation of things like ILOVEYOU which would lead to systems that are actually engineered (and can legally make that claim) rather than glued together with spit and baling wire.

    The precedents for this are well established. In almost any other field that affects public safety there are regulations. Sometimes there is no immediate personal benefit to the worker (e.g., a busboy who has to comply with the health inspector's directives) and sometimes there is a lot of benefit to the worker (e.g., the lawyer who has to be a member of the bar to practice).

    It is up to us here today to decide whether the inevitable regulations will be imposed by us or on us and whether or not we will benefit from those regulations by becoming autonomous professionals or regulated peons.


    -- OpenSourcerers
  183. They can pay for the phone calls... by Tet · · Score: 2
    DSSAgent is a small application that runs in the background and when it sees an Internet connection, it checks with our Web site to see if a new splash screen graphic is available

    and from the article:

    The agent normally detects when a user is online only to do its transactions; it is not designed to try to connect independently.

    What both of these comments show is a lot of ignorance. The only surefire way to check if the user is online is to try connecting to somewhere. Now in my home setup, I have dial on demand, so that if a network packet is detected, it'll dial up my ISP automatically, and I have the illusion of permanent access. The same is true of most of my friends, whether they're using Linux or Windows. So each time DSSAgent checks to see if I'm online, it actually forces me online whether I was already connected or not. Being in Europe, I have to pay for that -- local calls aren't free here. If Mattel had installed this product on my machine without my knowledge or consent, they'd be getting a bill for my phone calls, and a lawsuit if they didn't pay up...

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
    1. Re:They can pay for the phone calls... by Tet · · Score: 2
      Actually, I believe there's a windows API hook to tell if you're dialed up.

      No, there's not. Or if there is, it can't work reliably. All the windows box sees is a network connection, and a gateway address. Unless it has some clever way of interrogating my gateway machine and finding out if it's connected (hint: it doesn't), there's no way for windows to know if it's online or not. It may be able to tell if it's Windows that's doing the dialling, but in my case, it's not.

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
  184. Re:I wrote that code - I'll tell you what it does by Tet · · Score: 2
    So yeah, your modem will dial once a day. You have the inactivity timeout set to hang up after 5 minutes or so, right?

    Yep, but then I'm in the UK, so that extra phone call once a day costs me money. Phone calls (local or otherwise) are not free here.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  185. Re:Wow... a $3 lawsuit. by Tet · · Score: 2
    Not that Mattel is RIGHT, but suing someone over a $3 phonebill?

    For some reason, you're assuming that it's only going to try and make one phone call. I would guess that it checks for new information on a regular basis (every time you fire up the app? every hour? who knows...)

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  186. Coming up next: by acb · · Score: 2

    Mattel sues Slashdot for incitement to copyright violation under the Digital Millennium Copyright Act.

  187. And the puns by Pseudonymus+Bosch · · Score: 2

    And there are lots of puns by PGN. (But I don't know if that's a reason for or against)
    __

    --
    __
    Men with no respect for life must never be allowed to control the ultimate instruments of death.
    GW Bu
  188. Hands up who actually inspects it all by Mercenary · · Score: 2

    I use quite a few Open Source products. Linux is the obvious one.

    However, to trust these just because they are Open Source is stupid. I'm not about to *personally* inspect all of the code.... does anyone *seriously* read every line of the Linux kernel to make sure it isn't doing something evil? Well, sure, Alan Cox probably does, but hey.

    So it all boils down to trust in the end. Do you trust whoever it is that says Linux is secure?

    Be it a large corporation, or lots of kernel hackers... you have to try *somebody*. Either that, or spend more time inspecting code than actually using it.

  189. I've got a bridge to sell you by Alan+Shutko · · Score: 2

    Sure, the PR rep _says_ info only goes to your computer. Do you actually believe that?

    If all it sent was a registration number, why would it need PGP, and why would it be able to send mail?

    1. Re:I've got a bridge to sell you by Hard_Code · · Score: 2

      "If all it sent was a registration number, why would it need PGP"

      Um, perhaps to ensure nobody sniffed the data on the wire maybe??

      The point is, just because it CAN be done, doesn't mean it is happening. Slashdot gets all fired up about all sorts of hypotheticals then looks stupid when that isn't the case.

      --

      It's 10 PM. Do you know if you're un-American?
  190. Re:I wrote that code - I'll tell you what it does by Mr+Z · · Score: 2
    As was (I thought) pointed out previously, we went to great lengths to only try to talk to the server if there is a currently active connection, by enumerating the active RAS (dialup networking, essentially) connections in the system. If there is no RAS connection, we don't dial.

    Yeah, but what if the PC is on a LAN (so that it appears to always have a network link), but the PCs share a single on-demand dialup through a separate box? Before I got a cable modem, that's how our household worked. All of the PCs routed through a single box that used IP-masquerading to route our network's outbound traffic over the single modem. (With 3 or 4 PCs, it's good to not need 3 or 4 phone lines and 3 or 4 modems in order for everyone to have Internet access.) Now, your RAS autodetection fails miserably since it always looks "on".

    I believe that's what the original poster was complaining about. I think the main issue is that trying to hide oneself from the user and do things behind their backs is bound to fail eventually and piss someone off. Better to be up front about it, IMHO. After all, the road to hell is paved with good intentions.

    Anyway, thanks for the clear description of what DSSAgent does. :-)

    --Joe
    --
  191. Illegal Wiretap? by rnturn · · Score: 2

    Couldn't software that surreptitiously collects information on your computer and sends it to a vendor be considered a form of illegal wiretap? Actions like this on the part of any software vendor are outrageous. I've already questioned using any software made by Mattel (especially since they raised such a stink because someone actually thought you, as a user of their filtering software, should know what web sites that you're being denied access to); this just reinforces my decision to suspect their motives. Hypocrites!

    I'm sure glad I don't access the internet using WinXX from my home systems.
    --

    --
    CUR ALLOC 20195.....5804M
  192. Re:I wrote that code - I'll tell you what it does by NMerriam · · Score: 2

    You mean like a newspaper or cable TV?

    You don't pay for a newspaper (or magazine) or cable TV. You pay for newspaper and cable TV delivery.

    The paper itself, as well as the cable networks, are entirely advertiser-supported. If you actually had to pay the cost of a newspaper, it would be about $5.00 per issue, and magazines would be $10-15 or more.

    As far as I know, the users accepting ads didn't get 95% off the retail price...

    --
    Recursive: Adj. See Recursive.
  193. My daughter's software is a munition? by color+of+static · · Score: 2

    Um, if they included PGP in DSSAgent then that would classify it as a munition at the time they did it. I know for a fact that they had oversea sales and the box was not labeled "Not for Export". Now who do we go to for this blatant breach of a bad law by a bad company (see the export restrictions aren't all bad :-)?

  194. Re:its not all closed source by Black+Parrot · · Score: 2

    > How long was that bug in PGP that didn't generate random keys? Almost a year?

    I don't think your comparison is apt. I suspect that bugs are generally harder to find than the whole encrypted communication infrastructure Garfinkel describes would be.

    > Unless you read and understand the source its no help.

    True. I suspect the world would be a better place if more of us read more of the code we ran.

    On the other hand, the developers of an OSS project read the code all the time. I suppose you might be able to swear a small clique to secrecy if you wanted to embed some spyware in an OSS project, but it wouldn't be very effective when you've got a public CVS server. How would the core developers keep embedded spyware secret with even just a few people around who go in a couple of times a year and fetch the CVS code to tweak some minor something they don't like? It only takes one person to spot it, and then the game is up. And the core developers would never be trusted for anything again.

    > This is another example of bad slashdot reporting. Right now all you know is that it "may" send back information, but you have no idea what.

    Actually, /. is just reporting what Garfinkel says. It may be a premature reaction, but the fault is not a /.-specific matter.

    BTW: For my money, even if the Mattel excu^H^Hplanation is factual and complete, it is still inexcusable. Beyond that the "trustworthiness" issue comes into play. If they were doing that much without my informed consent, should I trust them at all?

    --

    --
    Sheesh, evil *and* a jerk. -- Jade
  195. Re:read www.softwareconspiracy.com by Black+Parrot · · Score: 2

    > Now tell me again how fade-out menus help your fileserver

    Since you mention it... The FO menus provided some of the best circumstantial evidence I have seen for hidden APIs in Windows: when those NT5 betas first started coming out, I read someone's writeup that casually mentioned that the FO effect was really cool, and showed up in every application he ran except MS Office. Looks to me like MSO was using a different API from the ones all the other application programmers knew about.

    --

    --
    Sheesh, evil *and* a jerk. -- Jade
  196. Re:I wrote that code - I'll tell you what it does by mindstrm · · Score: 2

    Uh... lots of software *might* do this.

    What should you do? you should configure your dial on demand server to not trigger ont his kind of traffic...
    just like you do with icmp ping, dns, etc.. (or whatever you happened to do).

  197. BitchX by Robert+S+Gormley · · Score: 2
    I dare say if Debian has an optional package that every now and then sent them usage information, that the slashdot headline probably wouldn't read "Debian spyware." Call it a hunch.

    Like BitchX, which sends a UDP packet to the makers to count users? (Yes, I know, it can be disabled, if you compile from source).

    --

    Open Source. Closed Minds. We are Slashdot.

  198. Re:Makes me wonder... by aithien · · Score: 2

    A similar weird thing happened to me one time. I have a home network with a linux machine as a gateway and a few other machines running various OS's. Anyway I was sitting there working on some code. I look up and my modem is blinking away as if I am downloading something, though I wasn't intentionally doing this. I telneted over to my gateway and did a `netstat -M`, and I see my windows box is connected to an FTP site and is downloading something! Needless to say I was pissed off, so I check the site with a browser and it's a bunch of jpeg's, erkay. I do an nslookup on the IP and it has no hostname. Then I enter the IP into google and I get a few hits for some security lists, and one says that it's TSAdbot. Apparently it downloads ads for a few different applications, like pkzip and AIM. I don't know if it's just me, but that just seems really rude. I mean I guess it's okay, they need to advertise, but using my CPU resources hanging around in the background all the time downloading soap ads for programs I already bought, or are free seems pretty shitty to me.

  199. Re:Spyware Removal by Paul+Johnson · · Score: 2
    Whilst I agree with you (I run AtGuard, partly for this reason) it's not complete protection. All the software has to do is look like a web browser or Telnet client and the firewall will probably let it through.

    Paul.

    --
    You are lost in a twisty maze of little standards, all different.
  200. Aren't trojan horses illegal? by Paul+Johnson · · Score: 2
    Surely this could be prosecuted under computer misuse laws. Mattel are plainly guilty of using many computers for unauthorised purposes (to wit, sending them adverts). If this usage was not authorised then it leads to both criminal and civil liability in most countries (except the Philippines).

    Any lawyers want to put a class action suit together?

    Paul.

    --
    You are lost in a twisty maze of little standards, all different.
  201. Re:I wrote that code - I'll tell you what it does by StenD · · Score: 2

    you should configure your dial on demand server to not trigger ont his kind of traffic.

    Read what the programmer wrote again. "[H]is kind of traffic" is HTTP. Most people will want dial-on-demand links brought up for HTTP.

    Of course, if you're properly paranoid, you're running Junkbuster (and possibly Squid) on a single server, and have all legitimate HTTP clients configured to proxy through them. Then you configure your dial-on-demand server to only bring up the link for HTTP requests from the Junkbuster server, and applications with covert communication channels are foiled. The worst that happens now is that the covert applications use your browser proxy settings, but you're reviewing your Junkbuster logs, right?
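The log review suggested in the comment above, as an added example that is not part of the original thread: it groups proxy requests by client and destination and flags pairs whose requests arrive at near-constant intervals, the pattern a background agent that checks in once a day leaves behind. It assumes Squid's native access.log layout (Junkbuster's own log format differs); the sample lines, hostnames, addresses and thresholds are constructed for illustration.

```python
"""Flag periodic "phone home" requests in a Squid native-format access.log."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample (not from a real network). Squid native fields:
# time elapsed client result/status bytes method URL ident hierarchy type
SAMPLE_LOG = """\
957139200.112 310 192.168.1.20 TCP_MISS/200 412 POST http://updates.example.invalid/agent - DIRECT/192.0.2.10 text/plain
957142861.530 95 192.168.1.20 TCP_MISS/200 18230 GET http://www.example.org/index.html - DIRECT/192.0.2.80 text/html
957142870.101 40 192.168.1.20 TCP_HIT/200 2210 GET http://www.example.org/logo.gif - NONE/- image/gif
957150000.000 88 192.168.1.20 TCP_MISS/200 9120 GET http://www.example.org/news.html - DIRECT/192.0.2.80 text/html
957150100.000 1200 192.168.1.20 TCP_MISS/200 5120 CONNECT bank.example.com:443 - DIRECT/192.0.2.44 -
this line is truncated garbage
957225603.250 298 192.168.1.20 TCP_MISS/200 412 POST http://updates.example.invalid/agent - DIRECT/192.0.2.10 text/plain
957230000.500 77 192.168.1.20 TCP_MISS/200 7710 GET http://www.example.org/a.html - DIRECT/192.0.2.80 text/html
957240000.000 60 192.168.1.30 TCP_MISS/200 900 GET http://mail.example.net/ - DIRECT/192.0.2.25 text/html
957312001.871 305 192.168.1.20 TCP_MISS/200 412 POST http://updates.example.invalid/agent - DIRECT/192.0.2.10 text/plain
957398404.019 301 192.168.1.20 TCP_MISS/200 412 POST http://updates.example.invalid/agent - DIRECT/192.0.2.10 text/plain
957400000.200 91 192.168.1.20 TCP_MISS/200 8800 GET http://www.example.org/b.html - DIRECT/192.0.2.80 text/html
957484802.660 299 192.168.1.20 TCP_MISS/200 412 POST http://updates.example.invalid/agent - DIRECT/192.0.2.10 text/plain
"""


def parse_line(line):
    """Return (timestamp, client, method, host), or None if the line is malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        ts = float(parts[0])
    except ValueError:
        return None
    client, method, url = parts[2], parts[5], parts[6]
    if "://" in url:
        try:
            host = urlsplit(url).hostname
        except ValueError:
            return None
    else:
        # CONNECT requests are logged as "host:port" with no scheme.
        host = url.rsplit(":", 1)[0]
    if not host:
        return None
    return ts, client, method, host.lower()


def find_periodic(lines, min_hits=4, max_cv=0.05):
    """Report (client, host) pairs contacted at near-constant intervals.

    max_cv is the allowed coefficient of variation (stddev / mean) of the
    gaps between requests; interactive browsing is bursty and scores far
    higher than a timer-driven agent. Both thresholds are assumptions to tune.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            ts, client, method, host = rec
            by_pair[(client, host)].append((ts, method))

    findings = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        times = sorted(ts for ts, _ in hits)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        if cv <= max_cv:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(hits),
                "interval_seconds": avg_gap,
                "methods": sorted({m for _, m in hits}),
            })
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    for f in find_periodic(SAMPLE_LOG.splitlines()):
        print("{client} -> {host}: {hits} requests, about every "
              "{interval_seconds:.0f}s, methods {methods}".format(**f))
```

A flagged pair is only a lead: a legitimate updater produces the same timing, so the next step is to identify which program on the client owns the requests.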

  202. Re:What disappoints me... by Multics · · Score: 2

    First PE is the law pretty much everywhere in the US and Canada. The professional society lobbyists made sure of it. There is a growing industry around the license process and passing these marginal exams. The exams are fundamentally flawed as the 'pass' rate swings wildly from 30% to 70% with no appreciable change in the pool of people taking the exams.

    I am a Civil Engineer. The PE means approximately nothing to the ethical behavior of the engineering world. Trust me, been there, done that. In fact, I can make a coherent argument that it has in fact made things worse. There are bunches of laws & regulations about this and that, but in reality unless a project kills or significantly hurts people, the laws are totally ignored. This non-enforcement is a very dangerous thing, as it lends the illusion that the public's ethics are being watched out for.

    The PE is really a barrier to entry to keep the underskilled and poor test takers out. It serves as a means of reducing the population of engineers that can practice and thus keeping wages higher than otherwise. There is a movement afoot to make things 'harder' so that the net wages will continue to rise "up to those of programmers".

    To get a PE you do swear to a code of ethics. I've heard of a few dozen cases a year nationally (USA) where those are even vaguely enforced. It's just like bad Doctors who can practice (and kill) for years and not be de-licensed until they kill someone important or a large group.

    If you note some cynical tone here, you get an A. The professional registration of Engineers, Doctors and Lawyers is fundamentally a good idea. I believe that as the system is currently operated it does more harm than good.

    Finally, I taught Software Engineering at a major midwestern university for 5.5 years. We talked about ethics and one of the things that was discussed is the freedom computer people currently have. If they don't like what is happening, there are so many empty jobs, they can go someplace else and work. Civil Engineering currently has more engineers than jobs and that doesn't allow a CE to depart a job over something as trivial as an ethical objection. Something to ponder as you drive along the interstate crossing hundreds of lowest bid bridges, eh?

    Summary: Don't hold up PE as a model of how things ought to be. It is very broken from the ethical perspective.

  203. Calm down again by Hard_Code · · Score: 2

    Ok, this is partly Slashdot's fault for labeling this article with such a misleading title. No, this is not spyware. From what the rep says, information only goes TO your computer. The only thing that comes FROM it is some registration number, the last time contact was made being used to see if an upgrade is available.

    This is no different than when you start up some antivirus software and it wants to check for updates. Many programs do this sort of this. Just because this "technology" (wow, what a "technology" talking to a server is) COULD send sensitive information doesn't mean it DOES. Heck, ANY native app can send sensitive information somewhere. So just pre-emptively cool down.

    --

    It's 10 PM. Do you know if you're un-American?
  204. Re:I got hacked on my laptop by radja · · Score: 2

    >What are we to do about, say, the president of a mid-size corporation who keeps company financial records on the same PC that his 6-year-old uses to play shareware games?

    Have the 6 yr old do the protection. No way he's gonna let some cracker screw up his game of Purple Dinosaur Massacre and his porn collection.

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  205. Re:Spyware Removal by magicmat · · Score: 2

    Yes, but I believe that the program only removes programs which he finds and manually adds to his program, it can't detect unknown spyware.
    It's basically a virus scanner for spyware, it's only as good as its data file.

  206. Re:Database Nation by quonsar · · Score: 2

    consumer pods

    I think it's time they began hearing en masse from some of us pods. They have a cleverly obscure web form for contact. Here's the two cents I sent:

    For a year or more I have been noting your bad behavior on the internet. You sue at the drop of a hat for some pretty nebulous reasons. I've read all about the employee with the carpal tunnel problems you harassed. This morning I read about your DSSAgent spyware being included in children's CD-ROMs. My children are grown, however, as one who is about to become a grandparent in plural, I wanted to let you know that until I see some evidence of a reformed, forward-thinking attitude with regard to the internet (on which, I might point out, your company is a GUEST, rather than an OWNER OF) no grandchild of mine will receive Mattel products. I have five brothers, all with children and grandchildren, and will be emailing them as well as posting to the family website my strong recommendation that they boycott Mattel and the reasons why. I see your attitude even boils down to the level of this "e-mail form", which displays such a tiny amount of the message body that it is very difficult to compose/edit a message here.

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  207. Re:spying on children too... risky indeed by gad_zuki! · · Score: 2

    They mention COPPA in the article and how they supposedly removed the DSS program after it was passed, but that's not my point. Why do politicians rally over laws like COPPA but do almost nothing for consumer rights? Sure helping the kids is nice, but those kids are going to grow up and deal with this crap on an adult level. Where's the FTC then?

    What really gets me is that this kind of legislation isn't passed because politicians really care anything about privacy; it's passed because "Fighting for children's rights" looks so good for next election's commercials.

  208. Re:firewalls by nocent · · Score: 2
    All the software has to do is look like a web browser or Telnet client and the firewall will probably let it through.

    No, at least not for ZoneAlarm. It doesn't decide for you what it lets through. When a program tries to connect to the net, eg. your e-mail program or browser, it'll alert you and you can decide whether you want to allow it or disallow it. Programs are not allowed to access the net by default. However, there's no accounting for user stupidity and your idea holds that if they make it seem like a telnet client or browser, the user might be clueless enough to let it through. Not likely, but maybe.

  209. Re:Spyware Removal by nocent · · Score: 2

    For those using windows, running "netstat -a 5" will show you all currently open connections. A nice program similar to windump is Z-monitor. Easy to use, logs all connections so you can see where info is being sent from your computer. Shareware though.

  210. Re:I wrote that code - I'll tell you what it does by BlueUnderwear · · Score: 2
    > you should configure your dial on demand server to not trigger ont his kind of traffic...

    Read the message. This traffic is a plain HTTP Post request, nothing fancy. If you block "this kind of traffic", you essentially make that windows box unusable for surfing.

    Btw, I agree with linux_penguin's "dickhead" comment, why was that marked as flamebait? Especially since many people (Europe) actually pay for their local phone calls.

    --
    Say no to software patents.
  211. read www.softwareconspiracy.com by goingware · · Score: 2
    In a reply to my comment on the Learning Company earlier in this discussion, someone refers to The Software Conspiracy which quotes Bill Gates:

    There are no significant bugs in our released software that any significant number of users want fixed... The reason we come up with new versions is not to fix bugs. It's absolutely not. It's the stupidest reason to buy a new version I ever heard... And so, in no sense, is stability a reason to move to a new version. It's never a reason.
    --
    -- Could you use my software consulting serv
  212. Application shouldn't bring down whole network by goingware · · Score: 2
    While it might be reasonable for a poorly written or QA'ed program to crash, what is inexcusable is for the whole operating system to crash because of the behavior of a user application.

    And in this case, it wasn't just an instance of the OS that crashed, it was the whole ship's network - note my mention that the ship had to be towed back to port as a result of user error at a keyboard.

    Now imagine this happened during live battle.

    --
    -- Could you use my software consulting serv
  213. Mattel and the Learning Company are screwed up by goingware · · Score: 2
    I have a good friend who worked at the Learning Company for quite some time, and he told me no end of horror stories about an utter disregard for engineering quality, lack of concern for usability, maintainability of code or anything that sounded remotely like common sense.

    They'd basically just ship all their applications when they could get them to more or less run and not when they were running reliability. The mere fact that a child's educational program would crash six ways to sunday from normal usage would not stop them from shipping a product.

    I could easily see some junior programmer there telling a manager that they could easily write a program to scoop god knows what off a child's hard drive and send it on in for data-mining driven marketing purposes, and this being implemented as a standard feature without being run through corporate lawyers or even a moment's thought as to whether this would ultimately get them sued - or arrested.

    They have similarly enlightened personnel policies, which is why my friend was happy to tell me these stories on a regular basis.

    I'm pretty amazed that the Learning Company lasted as long as it did. I know it had no end of financial trouble - is it still even in business?

    Mattel clearly didn't do an adequate due diligence when they bought the company. Or at least they didn't involve any engineers in the process.

    Considering what my friend told me, not just occasionally but almost every time I spoke to him during his period of employment there, I'm surprised the engineers could even get their code to compile and link, let alone ship it in a shrink-wrapped box.

    Words I live by: Make a Bonfire of Your Reputations

    Mike

    Tilting at Windmills for a Better Tomorrow
    --
    -- Could you use my software consulting serv
    1. Re:Mattel and the Learning Company are screwed up by dublin · · Score: 3

      I have a good friend who worked at the Learning Company for quite some time, and he told me no end of horror stories about an utter disregard for engineering quality, lack of concern for usability, maintainability of code or anything that sounded remotely like common sense. They'd basically just ship all their applications when they could get them to more or less run and not when they were running reliability.[sic]

      And this somehow distinguishes them from the rest of the software industry? Not a chance. Check out Mark Minasi's http://www.softwareconspiracy.com/ book for more info, but the dirty "secret" of the software industry is that darn near all software development is done like that today. It shouldn't be, but it is. I've seen enough to know - the hardware mfrs are even worse...

      --
      "The future's good and the present is nothing to sneeze at." - Roblimo's last ./ post
    2. Re:Mattel and the Learning Company are screwed up by fugu23 · · Score: 3

      Here is some truth about Mattel and software. Back a few years ago, the head of the Barbie Doll division of Mattel (Jill Barad) became CEO of Mattel in what was considered at the time to be a reasonably unfriendly coup. After her rise, Mattel made two major purchases- one was the American Girl company (they make dolls, for 780 million) and one was the Learning Company (they 'make' software, and Mattel spent from 3-4 _b_illion dollars on the company). After the acquisition of the Learning Company (who had bought Broderbund a bit earlier to being bought by Mattel), Mattel went into serious E-Toy mode and released many many software packages, electronic gear, web sites, etc. It was Jill Barad's way of getting into the 'new market'. Well, as time passed, and people realized the new software sucked (ie- they stopped buying it...which is a BIG CLUE to those who are seeking to end the corporate realm. Make a product that doesn't suck and is easy to use and people will buy it), and, well, they stopped buying it. As of last year, the Learning Company division of Mattel lost some 1.1 billion dollars (equal, interestingly enough, to the amount of money that the Barbie doll division made in profit), Jill Barad was fired as CEO of Mattel (as of about April, interestingly enough, the same time that the DSS stopped shipping, according to the article), and Mattel, while still retaining its title of the largest toy maker on the planet, has suffered greatly- its stock has dropped from a high of near $60 down to around the $12-$15 mark. And _that_, dear friends, is the story of Mattel and the Learning Company. :) Open Source seems to be a good answer. Not buying shit software is a good answer. Let's be honest, many people who are reading (this far into this) are responsible for buying software that runs at your homes or offices. Choose wisely. Use your power. :) bye... r.

      --
      r. (Do not deny not by denying)
  214. Why does Quicken run all the time? by goingware · · Score: 2
    I don't remember the name of the daemon, as I'm in linux now, but I know that Quicken installs a daemon that uses about 4 megabytes of memory that runs all the time when windows is operating.

    I feel the need to use Quicken to access online banking so I haven't got away from this. The one thing I do is kill it in the task manager when I remember.

    I'll be very happy when there is an open-source online banking solution I can run from linux. Yeah, right - get the banks to cooperate with the Penguin!

    Also when I was beta testing Windows 2000 I noticed that often I couldn't get my programs to compile because realplay.exe was consuming 99% of the CPU time - when I wasn't connected to the net or listening to music.

    --
    -- Could you use my software consulting serv
    1. Re:Why does Quicken run all the time? by Seumas · · Score: 5
      Also when I was beta testing Windows 2000 I noticed that often I couldn't get my programs to compile because realplay.exe was consuming 99% of the CPU time - when I wasn't connected to the net or listening to music.

      Just wait a couple weeks and then go check-out RealNetworks' RC5 crunching stats on distributed.net -- then you'll know where your cycles are going! ;)
      ---
      icq:2057699
      seumas.com

  215. I got hacked on my laptop by goingware · · Score: 2
    When I got a cable modem I noticed that network performance under windows was often very poor and I'd have a lot of blinking lights on my modem when I left my laptop idle.

    I installed some firewall software (eSafe Desktop Security or something like that - search for "firewall" on Tucows) and reinstalled service pack 6 for NT.

    After the firewall installation the mysterious blinking lights went away. Something's still not quite right with my NT installation. I can't reinstall the whole system because of my 18 GB hard drive.

    This is one reason I've finally become a regular linux user - it started because I could get good performance browsing the web via my cable modem, and it stayed because I can log in as a regular user with no special privileges, but then "su" when I want to do an administrative task.

    One thing I did on NT also was take away administrator privileges for my own user, and log in as administrator when I want to install something, but it's a real pain because I can't look at the calendar - don't have privileges - and Quicken needs to reinitialize its networking preferences every time I go online.

    When my friend who got the same kind of laptop got a cable modem, I kept telling him to get a firewall, and he thought this was ridiculous, even with the distributed DOS attacks using hacked machines and stuff, and I sent him lots of URLs about people discovering hacker daemons on their home PC's when they got windows firewalls.

    This guy is a very experienced computer programmer. What are we to do about, say, the president of a mid-size corporation who keeps company financial records on the same PC that his 6-year-old uses to play shareware games?

    --
    -- Could you use my software consulting serv
  216. But four megabytes? by goingware · · Score: 2
    If so, Billminder consumes four megabytes of physical memory constantly (if that's what the mem column in the process list means). Or is it virtual memory?

    That's an awful lot for a checkbook program to consume on a laptop with 128MB.

    Considering that there are lots of Windows boxes out there with only 32 MB of RAM, I think that's excessive.

    And I don't want Billminder - I never asked for it.

    --
    -- Could you use my software consulting serv
  217. Don't be too hard on Mattel... by Greyfox · · Score: 2
    They've already accumulated enough negative karma that they're all going to have to spend the next thousand lifetimes as slugs.

    I hope no one was surprised by this story. Mattel seems to be one of the most evil companies on the planet. From the sorehands guy's case to the implementation of their censorware, they've been a bunch of evil fucks all along. I expect the next story we hear about them will be that they perform inhuman experiments on kittens. Or something.

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  218. Makes me wonder... by Alpha+State · · Score: 2

    I have to use NT at work, and sometimes win98 at home, and of course have had a lot of fun trying to resurrect a dying OS on several occasions.

    I'm no expert on windows (nor do I wish to be), but there are always programs/services running which I don't know anything about. When a program locks up the systems, I sometimes try to kill it to fix the problem, but if I don't know its name and things are really bad, I just start killing unknown processes (what the hell, it's not like i'm going to be able to save the system anyway).

    Now I wonder what those things are, I kill them and nothing happens - sometimes the OS continues without the process and works fine. I know some of them are supposed to be there, but how many are set up by installers without asking me? Or worse still, I could have Back Orifice or something running without my knowledge.

    I'd really like to know where the hell information on these services is, and how I can find out what the processes are. And I'd prefer actual documentation to some proprietary program which will sanitise my PC for me without telling me what it's doing.

    Another pet peeve: how the hell do I get rid of startup programs? I empty the "Startup" folder like a good luser, and have even dug through the registry getting rid of some programs, but I still have annoying programs popping up on startup that I can't get rid of.

    Is there any sane way of setting up a windows box? (OK, this is rhetorical just in case anyone's tempted to try to answer it.)

  219. Re: Don't be daft by dingbat_hp · · Score: 2

    It would be simplicity itself to demonstrate that you do not have the crypto keys

    How ?

    RIP is fundamentally broken on technical grounds, as well as fundamentally immoral. This is a good example of just why it's unworkable.

    Under the current draft of RIP, StealthBarbie here lays you open to prosecution. It's unlikely to happen, but it's no more daft than the conviction of the Cambridge Two.

  220. RIP Bill by dingbat_hp · · Score: 2

    ROFL !

    How does this sit with the UK RIP Bill ? If Mattel are sending secret crypto from my machine, what should I do if Jack Straw's stormtroopers turn up on my doorstep demanding the keys ? Send Barbie to jail for two years ?

    I think there's a really good T shirt design in here somewhere. Barbie, through a jail cell window, and a caption along the lines of "Strong Crypto - Why can Mattel use it to snoop, but I can't secure my email ?"

  221. Re:I fail to see what the big deal is... by dingbat_hp · · Score: 2

    If I want unknown comms going on with my machinery, then I will ask for it. Any company or grouping that installs such unspecified back doors onto my equipment without my permission will be regarded in much the same light as someone installing a copy of BackOrifice.

    I trust Mattel just about enough to believe they're not going to deliberately steal my banking details. OTOH, I strongly suspect that they will start snooping marketing demographics on my kids, and history tells us that implementation of such things is often pretty poor - What happens if the next "I Love You" outbreak is actually an exploit for a weakly secured Barbieserver ? Auto-downloaded pr0n startup banners for anyone running Barbieprograms ?

  222. The Learning Company == Mattel Interactive by Carnage4Life · · Score: 2

    I'm not sure what relation The Learning Company has to all of this, but this may help some people out:

    The Learning Company, a producer of educational games and software, was purchased by Mattel sometime last year.

  223. Re:Database Nation by Bieeardo · · Score: 2
    It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.

    You make it sound like people aren't doing this already. My roommate (she who so stridently claimed that "my child will never watch television") has been using the tube as a babysitter while she plays Ultima Online. My sister babysat a child who would spend at least six hours a day watching tapes of Barney and Friends-- and would howl like a banshee between the time the tape ended, and Carolyn popped the next one in (bear in mind that this was a direct instruction from the child's parent).

    The MTV Kids generation is all around us, drooling in their oh-so-expensive Gap Kids and Tommy H. wardrobes.

    Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.

    --

    Five tons of flax.

  224. its not all closed source by ArchieBunker · · Score: 2

    How long was that bug in PGP that didn't generate random keys? Almost a year? Unless you read and understand the source it's no help. 90% of linux users praise its greatness, then download a tarball, ./configure;make;make install without reading it. Good job.

    This is another example of bad slashdot reporting. Right now all you know is that it "may" send back information, but you have no idea what. How about researching and providing facts to back this up? Oh wait.... As long as you get those banner hits it doesn't matter.

    --
    Only the State obtains its revenue by coercion. - Murray Rothbard
  225. The all mighty dollar by yzquxnet · · Score: 2

    This just goes to show you what a company is willing to go through or endure just to earn your buck. Whether it be by ad placement or information collection. In my book though, Mattel is just digging itself a really deep hole. First censorship and now hidden information collection. I'm waiting to see what else they can screw up.

  226. Re:Spyware Removal by Tassach · · Score: 2
    You can configure AtGuard to grant/deny network access by executable as well as by address & port. If you are concerned that program X might be leaking information over port n, just create a rule to deny X.exe from making outbound connections on that port.

    That being said, I don't think that you can ever rely 100% on a monitor/firewall that's running on the same machine as the suspect program. The only way to be REALLY safe is to have a second (clean, trusted) machine sniffing packets off the wire.


    "The axiom 'An honest man has nothing to fear from the police'

    --
    Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
  227. Re:You're actually mistaken - let me explain by gilroy · · Score: 2
    Blockquoth the poster (Moses Lawson):
    The application does not contact the server ever. Not when it launches or at any other time. There is a background process that talks to the server once a day (maybe every two days)
    Um, that's supposed to be better than having the app do it? Personally, I really despise the little fly-on-the-wall background apps that lurk and wait. That's even more of an invasion of privacy, since the user has no good reason to connect the background app to the one that installed them.

    No matter how you dice it, this little "feature" is one step away from spyware, and it's a teensy step at that. How do we know that it's not collecting info? How do we know its mission wasn't expanded after you wrote it? This was a tremendous screw-up on Broderbund's part and they cannot finesse their way out, no matter how "benign" the software was intended to be.

  228. Re:ZoneAlarm firewall - a few problems by gilroy · · Score: 2
    Blockquoth the poster:
    there does not seem to be a way to turn this feature off
    I believe all you have to do is call up the ZoneAlarm console, click the Alerts tab, and deselect "Log to a text file".
  229. Gripping a moving target? by gilroy · · Score: 2
    Blockquoth the poster:
    Oh my god! when you run ICQ, it fetches a MOTD from icq's server! INVASION OF PRIVACY!

    Oh no.. when I run Unreal Tournament, it fetches a web page from the UT site and tells me if I have upgrades! EVERY TIME I RUN IT! what a violation of privacy!

    Um, it's not an "invasion" when you ask them in. There are several significant differences between the Mattel case and the ones you mention:

    (a) Most importantly, you are informed of these behaviors ... you know exactly what's going on and why.

    (b) Also, the cases you mention involve directly the functionality of the system. In other words, the ICQ MOTD allows ICQ to alert users (if need be) of changes in the system. The UT update check allows UT to notify you of, well, updates -- enhancements or fixes of behavior of the software. Because these network interactions directly affect the performance of the software, in a relatively obvious manner, it's reasonable for the companies to expect that you know about them. But Mattel's software did not enhance the program, check for bug fixes, or do anything else that could reasonably be construed as vital to the operation of the software. It allowed them to update ads, in a splash screen.

    (c) I don't know this for a fact, but I'd be willing to go out on a limb: When the ICQ program retrieves the MOTD, it is the ICQ program -- not some other mysterious program tucked away in your registry -- that retrieves the MOTD. When the UT engine retrieves updates, it is the UT engine -- not some deceptive, hidden daemon -- that goes out and retrieves the update. But here, it is not the software you (thought you) purchased that does the Net connect. It is a different program, installed quietly and (originally) without notification or approval, that sits in the background and, without informing you, does a Net connect.

    If you don't see that these fall into different classes, well, I'm not responsible for your misapprehension. But they are different and the Mattel case is more sinister.

  230. Mattel Distributes Trojan by Hairy1 · · Score: 2

    After reading this I checked my machine - only to find DSSAgent running! I suggest that we submit this obvious trojan to McAfee and other virus detector companies. Obviously I will never purchase any more software from them.

  231. Re:I wrote that code - I'll tell you what it does by Hairy1 · · Score: 2

    First of all, thanks for this reply. It was very interesting to see what the thing does from the horse's mouth. The problem as I see it is that regardless of how 'harmless' DSSAgent was, the company responsible simply had no right at all to install it secretly. I know that it must have been installed secretly because I'm the only one to install apps on my machine, and I would never agree to having an app download stuff off the internet without me checking the content first.

  232. Sounds as if I oughta purchase it by CaptainZapp · · Score: 2

    If Mattel includes this feature in their international versions they are walking on very thin ice. Ohhh! Plus that bad, bad guys would be exporting encryption. Do they have a license? Did they register with the feds? Isn't that a federal crime if they don't? Domestic laws (Switzerland) make it a federal crime, punishable by lengthy jail time to steal business information and trade secrets (it's considered industrial espionage and the authorities take a dim view on that). I run a business and my computers most definitely contain proprietary and confidential data. Not only from my company, but also from my customers, which include telcos, worldwide operating freight forwarding companies, international organisations with immunity status, etc. So, let's run that sucker, gather as much evidence as possible and then have a chat with the local DA. Provided that the DA is interested (0.7 possibility :>) does that mean that Mattel's country manager is going to jail ? Most likely not. Does that mean that the local Mattel office (or their distributor) is having a real hard time and a shitload of trouble? Likely. I can possibly prove that they sucked data (unauthorized and without my knowledge) from my company's computer. They must prove that it's no confidential data which should be hard, painful & cost them a lot. If stuff like this continues I might just be up for it. Do those bozos actually consider that they might be breaking (criminal) laws in other countries and that the world does not only consist of the US of A? What a bunch of wanking losers...

    --
    ich bin der musikant

    mit taschenrechner in der hand

    kraftwerk

  233. Just wondering by Moderation+abuser · · Score: 2

    At the moment there are a few applications with spyware and almost exclusively for Windows.

    How long will it be before spyware as a requirement starts making it into the EULAs for new applications?

    You know. You're not licensed to use this application unless you agree that information can be sent back to the publishers.

    I can see this kind of requirement turning up in stuff that would otherwise be free software. MP3 players etc. Scary.

    --
    Government of the people, by corporate executives, for corporate profits.
  234. ZoneAlarm! by nstenz · · Score: 2

    For anyone who hasn't seen it mentioned before, ZoneAlarm by ZoneLabs is a fairly decent (for Windows) program... It lets you allow/disallow network/Internet connectivity on a per-program basis... the first time an application attempts to use the Internet connection, ZoneAlarm prompts you and asks if you want to allow the access. I used it for a short while and it got to be annoying with all the 'net programs I was installing... but for normal home use it works wonderfully. And since it's free for non-commercial use... you'd have to be nuts to not use it if you needed an outbound firewall...

  235. Re:Laws? by Signa1+|| · · Score: 2

    COPA absolutely applies in this situation. The Children On-line Protection Act was designed in 1997 precisely for these purposes: to protect aggressive merchants from collecting sensitive data from children without the consent of a parent or legal guardian.

    -o Disclaimer: My employer doesn't even agree with me about C indentation style. o-

  236. Mattel Criminalises Users? by Scooby71 · · Score: 2

    Under pending legislation in the UK (the RIP act) failure to provide a key for encrypted information can be punishable by up to 2 years imprisonment. The fact that one never had it is not necessarily a defence. Insertion of encrypted data by commercial software without the user's knowledge is worrying for a whole host of reasons. More info about RIP: http://news.bbc.co.uk/hi/english/sci/tech/newsid_784000/784426.stm

  237. You're actually mistaken - let me explain by Moses+Lawn · · Score: 2
    The invasion of privacy is the identifiable (by IP) information passed with the fact that the program was launched. That's no more acceptable than a TV (or toaster, or microwave, or vibrator (!)) that reports when the owner turns it on without his or her consent.

    No, no. The application does not contact the server ever. Not when it launches or at any other time. There is a background process that talks to the server once a day (maybe every two days). The application just uses the JPEGs that were previously retrieved.

    This may be annoying, it may be misguided, it may have been a stupid decision, it may be many things. But it is not an invasion of privacy.

    Sorry about the copy protection - I was in the Systems Group, I didn't do apps. Sounds pretty stupid, though.

    --

    What if life is just a side effect of some other process and God has no idea we exist?

    1. Re:You're actually mistaken - let me explain by Moses+Lawn · · Score: 2
      The application does not contact the server ever.
      Fair enough--not by the application and not on launch. Still more than should be done without informed consent.

      Yeah, I agree. One could argue about whether the less-than-explicit verbiage in the installer constitutes "informed consent" (I don't really think it does, but nobody cared what I thought. Try fighting product managers.), but it really should have been done differently.

      On the whole, I wish it had never happened. But it was a cool bit of code to write, I must admit. Plus I figured out how to display JPEGs at arbitrary bit depths. And I got to discover all kinds of hokey Windows bugs. Joy.

      --

      What if life is just a side effect of some other process and God has no idea we exist?

  238. PGP key in DSSAGENT by saw · · Score: 3
    I don't know what software put the DSS stuff on my machine. I don't have the software referred to in the article, but I do have other Broderbund games. I find the following files that have DSS in them.

    /WINDOWS/BBSTORE/DSS
    /WINDOWS/BBSTORE/DSS/DSSAGENT.EXE
    /WINDOWS/BBSTORE/DSS/temp.$$$
    /WINDOWS/SYSTEM/DSSBASE.DLL
    /WINDOWS/SYSTEM/DSSSIG.EXE

    Using "strings" on DSSAGENT.EXE shows that it has a PGP key. Running "pgp" on the key gives:

    DSS 4096/1024 0xF8EABB3F 1997/12/05 NRobins
    sig? 0xF8EABB3F (Unknown signator, can't be checked)

    There is also a temp file in /WINDOWS/BBSTORE/DSS that is XML. I am not sure how to include that file here without it getting mangled, but it looks like a file that gets sent to www.brodcast.net. It has in it "DSS V1.0", interval of 86400 seconds (1 day) and a SIG line that looks fairly encrypted. ("iQA/AwUBOJn/KCElolv46rs/EQKCWACfYmhHchvKNf/izSGI mO3yEECbJBcAoMV7hR2SELS5eF2IKuRJPNCTVUE4 ")

    Another note. I just installed ipchains masquerading on my linux box. Behind this "firewall" are a couple of Windows machines for the kids. I have run "ipchains -M -L" periodically and always noticed an open connection from one of these machines to www.brodcast.net. I just thought it was one of the zillion things the kids have downloaded. Now I know to block that site with ipchains.
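
Added example (not part of saw's post and not Broderbund's or Mattel's code): the SIG value quoted above is base64, and decoding it as an OpenPGP packet shows what kind of data it carries and which key produced it. The parser below handles only old-format version 3 signature packets, an assumption taken from the first decoded bytes; the function and field names are illustrative.

```python
import base64
import struct
from datetime import datetime, timezone

# SIG value exactly as quoted in the comment above. The embedded spaces are
# line-wrapping artifacts from the page and are stripped before decoding.
SIG_LINE = ("iQA/AwUBOJn/KCElolv46rs/EQKCWACfYmhHchvKNf/izSGI "
            "mO3yEECbJBcAoMV7hR2SELS5eF2IKuRJPNCTVUE4 ")

# Subsets of the OpenPGP registries (RFC 4880), enough for this packet.
PUBKEY_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
HASH_ALGOS = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}


def read_mpi(buf, off):
    """Read one multiprecision integer; return (bit_count, value, next_offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated MPI header")
    (bits,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + (bits + 7) // 8
    if end > len(buf):
        raise ValueError("truncated MPI body")
    return bits, int.from_bytes(buf[off + 2:end], "big"), end


def parse_v3_signature(b64_text):
    """Decode base64 text and parse it as an old-format v3 signature packet."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    if len(raw) < 2 or not raw[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if raw[0] & 0x40:
        raise ValueError("new-format header: outside this example's scope")
    tag, length_type = (raw[0] >> 2) & 0x0F, raw[0] & 0x03
    if tag != 2:
        raise ValueError(f"packet tag {tag} is not a signature (tag 2)")
    if length_type == 3:
        raise ValueError("indeterminate length: outside this example's scope")
    len_size = 1 << length_type              # 1, 2 or 4 length octets
    body_len = int.from_bytes(raw[1:1 + len_size], "big")
    body = raw[1 + len_size:1 + len_size + body_len]
    if len(body) != body_len or body_len < 19:
        raise ValueError("truncated signature packet")

    # Fixed 19-octet v3 layout: version, hashed length (always 5), signature
    # type, creation time, issuer key ID, algorithms, first 16 hash bits.
    version, hashed_len, sig_type, created, key_id, pk, digest, left16 = \
        struct.unpack_from(">BBBI8sBB2s", body, 0)
    if version != 3 or hashed_len != 5:
        raise ValueError("not a version 3 signature")

    # The rest is algorithm-specific integers (r and s for DSA).
    mpi_bits, off = [], 19
    while off < len(body):
        bits, _value, off = read_mpi(body, off)
        mpi_bits.append(bits)

    return {
        "tag": tag,
        "body_len": body_len,
        "version": version,
        "sig_type": SIG_TYPES.get(sig_type, hex(sig_type)),
        "created_unix": created,
        "created_utc": datetime.fromtimestamp(created, tz=timezone.utc).isoformat(),
        "issuer_key_id": key_id.hex().upper(),
        "pubkey_algo": PUBKEY_ALGOS.get(pk, str(pk)),
        "hash_algo": HASH_ALGOS.get(digest, str(digest)),
        "hash_left16": left16.hex(),
        "mpi_bits": mpi_bits,
        "trailing_bytes": len(raw) - (1 + len_size + body_len),
    }


if __name__ == "__main__":
    for field, value in parse_v3_signature(SIG_LINE).items():
        print(f"{field:15} {value}")
```

On the quoted value this reports a version 3 DSA/SHA-1 signature over text, with an issuer key ID ending in F8EABB3F, the same ID that pgp printed for the key embedded in DSSAGENT.EXE. The line is therefore a detached signature made with that key, not an encrypted payload.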

  239. Re:Spyware Removal by Seumas · · Score: 3

    This is also another good reason to use a program such as ZoneAlarm (free) or other similar individual firewalls and proxies. Just because you're stuck on Windows doesn't mean you should forfeit all of your privacy.
    ---
    icq:2057699
    seumas.com

  240. Re:The Really Ironic thing is by Seumas · · Score: 3
    Yeah, but I physically went to the Fatbrain/ComputerLiteracy bookstore.

    I'm pretty sure they didn't stick any cookies in my pants when I walked in the door. ;)


    ---
    icq:2057699
    seumas.com

  241. Get a grip by mindstrm · · Score: 3

    You know what? this is just like when we get the media telling us that our 'innocent' hacker tools are 'illegal, malicious' hacker tools.

    Like the guy said.. once a day this app runs, and simply says to the server 'got any new images?' and that's *ALL*.

    Could the same framework be used for spyware? Sure. So could *any* software for that matter.

    Oh my god! when you run ICQ, it fetches a MOTD from icq's server! INVASION OF PRIVACY!

    Oh no.. when I run Unreal Tournament, it fetches a web page from the UT site and tells me if I have upgrades! EVERY TIME I RUN IT! what a violation of privacy!

    Oh no... you mean, with mattel software, once in a while it fetches new banners? umm..

  242. Re:Why You Need to Read the Risks Forum by Mignon · · Score: 3
    I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.

    No, you're not. A reporter where I work broke a story based on such information that she found in a company press release. The company believed that their merger plans were a secret because they had deleted them from the release, but this reporter happened to stumble into this "preview changes" mode and saw the plans there. The company was pissed.

  243. Re:Some Advice Needed!!! -- Useful software by BLiP2 · · Score: 3
    Several pieces of software I can recommend.
    1. Netstat: Standard inclusion in both windows and *nix, spits out a summary of all the network connections that are currently active, and where they're going. Downside, won't detect dormant programs.
    2. Samspade: excellent network tools suite, from simple pings to remote port scans (use responsibly, of course!). Web based and downloadable version
    3. Startup Manager. Freeware software for windows that scans all your startup menu and registry entries so you can see everything that has been told to start with your computer. Enable/Disable/remove them etc.
    4. Wintop. (Part of the MS kernel toys pack). Windows version of the *nix "top" program, shows everything currently running on your computer. Useful for finding the little hidden programs that don't want you to know they're there.
    --
    Vote Technocratic! Government by killer robots!
  244. Mattel was already on my shit list by unquiet · · Score: 3
    This is the same company that uses child labor in Chinese sweatshops to manufacture toys. I would no more buy a product from Mattel than I would enslave and work a child in conditions that should have gone out with the dark ages . . . which of course, Mattel does by proxy.

    --
    Got a beef? Plug a name into the Bizarre Rumour Generator!
  245. Again, run ZoneAlarm by Pfhreakaz0id · · Score: 3

    I hate to sound a repetitive note here, but I'm a BIG fan of ZoneAlarm for just this reason. Try www.zonelabs.com. It's nice because it alerts you (and offers the option to block any program trying to connect to the internet. And it's easy enough to use that you can recommend it to even the most computer illiterate. And before I get flamed, no, there isn't a Linux version. But it is free for non-business use.
    ---

  246. Not spyware then. by www.sorehands.com · · Score: 3
    When you wrote it was not spyware. Does that mean it's not now?

    Something like this is in CyberPatrol too, to check for updates of the CyberNot list.

    There has been talk of beta programs monitoring keystrokes to see what users do, so the product could be improved. This can easily be perverted. At one company, people asked if CyberPatrol was being used to track attempts at accessing "forbidden" sites to keep track of employees.

    When at MSI, while a similar product to CyberPatrol was being developed, I would get calls from the CEO and asked what certain programs were. These programs are ones on my machine that I was running. They were working on control usage of programs. I would get calls and asked what's b.exe or l.exe.

    You say that was the intent when you wrote it. But what about after you leave? I have little trust in their ethics.

    MSI admitted, under oath, they monitored my internet access from home when I asked for what would be a reasonable accommodation under the ADA. When asked why, still under oath, they said it was to check up on me because I asked for a reasonable accommodation.

  247. heh, by Tarsh · · Score: 3

    Man.... How scary, I don't want half the world knowing I have a barbie collection...

    --

    EOT
  248. Re:I wrote that code - I'll tell you what it does by Moses+Lawn · · Score: 3
    Where does Broderbund get off using a product someone paid for to pitch more products?

    You mean like a newspaper or cable TV?

    Seriously, how exactly is showing a 320x200 JPEG (for 15 seconds) that advertises a product you just might want to buy an invasion of your privacy? Admittedly, it's a little tacky, but so are many things in life. You don't have to look at it - you can check the "don't show this again" box that shows on each splash screen, you can choose not to install it in the first place, or you can make it go away by clicking on it (at least you used to, unless someone has changed it since I left).

    And to head off another concern - it doesn't make the app take any longer to load, it just replaces the default splash screen that shows while the memory hog of an app starts up.

    And where was the programmer with the developed sense of ethics to bring this to the attention of his employer?
    Right here, actually. I brought up the ethical issues numerous times, to the point of being a pain in the ass about it. The upshot? It was going to happen anyway, and what it does is really not that bad. If not for people like me complaining, you wouldn't even be able to turn it off.

    --

    What if life is just a side effect of some other process and God has no idea we exist?

  249. Re:I wrote that code - I'll tell you what it does by Moses+Lawn · · Score: 3
    OK, but you have just proven yourself the most stupid man alive. Pretty benign eh? Ok, so if Im using your product on a windows box on my network, with my Dial-on-demand RedHat server, what happens if Im not there? You dickhead

    Well, thank you for that thoughtful and polite comment. As was (I thought) pointed out previously, we went to great lengths to only try to talk to the server if there is a currently active connection, by enumerating the active RAS (dialup networking, essentially) connections in the system. If there is no RAS connection, we don't dial.

    If RAS is not installed, and there is a network card, yeah, we assume there is a connection. So yeah, your modem will dial once a day. You have the inactivity timeout set to hang up after 5 minutes or so, right? Kinda annoying, but that was the design decision. Wasn't my idea. It hardly puts me in the "stupidest man alive" category, I must say.

    But remember, this is consumer software. 99% of our customers did what we expected - installed it on their home machine, connecting to the net with a modem, or installed it at work with a network. Sorry about your home network situation, but you can't write software that takes every possible variable or future change in underlying system design (remember, this was written 3 years ago. Windows has changed quite a bit since then. New bugs^H^H^Hfeatures come along all the time.) into account.

    --

    What if life is just a side effect of some other process and God has no idea we exist?

  250. Re:Database Nation by tzanger · · Score: 4

    Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.

    I'm not quite sure about the whole "not being able to afford a babysitter" part. I work two jobs (okay one and a half, it's still 12-14 hours a day) and my wife just started afternoons at a factory. The kids (4 and 7mos) are at a babysitter from 2:30pm to 6:30pm. That costs us a whole $20 a day (approx $400/mo) to have them looked after by someone who doesn't just plop them down in front of the TV.

    With Vanessa (that's my wife) working, she makes about $9.50 an hour breathing fuzz and tying knots (she works at a yarn manufacturer). That means she'll bring home approximately $1600 before taxes every month. Since she's in such a low tax bracket let's say they knock off 15%. That's $1400 a month she brings home, or after daycare (which we wouldn't need if she weren't working) $1000 we didn't have before.

    Factory work is damn near everywhere. Yes it's hot, it's awful, it's mind-blisteringly boring... but it's work. And 9 times out of 10 it's above $6/hr ($4 being minimum wage here). I would wager a guess that those moaning that there is no work (especially in America, jeez, every time I'm down there there's signs for help wanted EVERYWHERE) have their standards set too high. Hell even at the shitty factory my wife works at she can be in the highest pay tier in 12 months if she does good.

    TV-babysat kids don't save you any money. They cost you a lot in the long run. My kids watch TV at least once every two days (sometimes more than I'd like) but they aren't raised by it. Once my son figured out that TV shows and movies had to end sometime ("Why's it over?!") he had no problem turning off the tube and playing with cars, tormenting his sister, getting dirty outside or getting into my stuff. And the little one is happier trying to figure out how to get Cheerios into her mouth or watching her big brother than she is in any TV show. Maybe we're just lucky or maybe it has something to do with the fact that we don't use the TV as a babysitter.

  251. Which consumers asked for this feature? by Jason+Earl · · Score: 4

    If there is one thing that I think single-handedly guarantees the continued existence of the Open Source movement it is stuff like this. Software companies have gotten so arrogant that it is absolutely crazy. Honestly, you can't even buy a simple children's game nowadays without worrying about a company foisting Trojan horse software on you. Did Mattel honestly think that they wouldn't get caught? Did they think that no one would care? If the commercial software houses keep this stuff up then pretty soon even the most neophyte computer users will be demanding that the source code to their software be "open."

    Even more ironic is the fact that Mattel was probably using this software to gather marketing information. Imagine their surprise when they come to the conclusion that 99 out of 100 Americans don't feel like purchasing software from companies that might potentially be spying on their children!

  252. Database Nation by Seumas · · Score: 4
    Good timing.

    I was just at ComputerLiteracy/Fatbrain today and after picking up a bunch of O'Reilly books and a couple Neal Stephenson books, found myself thumbing through Database Nation (Simson Garfinkel/O'Reilly). It looks like an interesting read. I think there was a slashdot review on it, but I missed most of it. Anyway, after reading the absurd account on Salon, I'm going to move Database Nation to the top of my reading list and get started immediately.

    You know, it seems that this kind of behavior on Mattel's part would fly directly in the face of the recently passed law requiring that websites who know their users are under 13 years old and collect personal data on them, must require parental authorization. Sure, this isn't a website, but it's virtually the same thing -- and probably just as bad.

    It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.
    ---
    icq:2057699
    seumas.com

  253. Re:What disappoints me... by Detritus · · Score: 4

    The problem with any "code of ethics" is that you can't have responsibility without authority. A civil engineering project has to be reviewed and approved by a Professional Engineer (P.E.), this is a matter of law in many places. There is no analogous law for software engineering. Even though most employers categorize them as "exempt", using the rationale that they are professionals, like doctors or lawyers, programmers and software engineers rarely have the authority associated with the traditional professions.

    --
    Mea navis aericumbens anguillis abundat
  254. What do your examples have to do with anything? by Zico · · Score: 4

    where even the average e-shopper is so worried about "electronic privacy"

    First off, if your "average e-shopper" is so worried about electronic privacy, then what are they doing e-shopping? Do you have any statistics to back up your statement that they are "so" worried about it? Secondly, if you've paid attention to e-commerce snafus, you'll realize that they've come from poor administration, most often from not configuring database connections properly and not applying patches, not from the presence or absence of source code. Hell, even the Apache Group itself got its website hacked -- source code didn't protect them, because they didn't follow the proper procedures for the open source software that they had installed on their server.

    Microsoft Internet Explorer warns you constantly not to install untrusted plugins

    Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not. If not, it seems like a pretty accurate warning, giving you the option to install plugins that you might want, like from Macromedia, but telling you that installing one from somebody you know nothing about might not be such a hot idea. Personally, I find web browsing using only open source tools to be a pretty boring experience, even much more so before Mozilla started up.

    where the ILOVEYOU e-mail worm did six billion dollars worth of damage

    Sorry again, but the ILOVEYOU trojan was open source. I believe that someone even posted it here at Slashdot. If you get tricked into running something bad, the presence or absence of source isn't going to help you. See wu-ftpd.

    Cheers,
    ZicoKnows@hotmail.com

  255. spying on children too... risky indeed by Frank+T.+Lofaro+Jr. · · Score: 4
    If what the article claims is true, they could be looking at $11,000 fines for each violation of the Children's Online Privacy Protection Act. That would be cool.

    They'd be on the bad (defendant) side of the legal system for a change.

    --
    Just because it CAN be done, doesn't mean it should!
  256. Spyware Removal by QBasic_Dude · · Score: 4

    Gibson Research's opt out utility can remove unwelcome spyware. GRC also maintains a list of suspected spyware and other useful privacy resources including a FAQ.

    1. Re:Spyware Removal by QBasic_Dude · · Score: 4

      Currently the freeware version of Optout only can detect and remove Aureate/Radiate/Binary Bliss (advert.dll) spyware. However, this type of spyware is embedded in hundreds of freeware products.

      If you're looking for a utility to detect all Spyware, you will have to do it yourself using a program such as tcpdump or windump.

  257. What disappoints me... by Dr.Evil · · Score: 5

    The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.

    The ACM and the IEEE consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice in a number of places, to wit:

    3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.

    3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.

    Furthermore, management (i.e. Mattel) is admonished to:

    5.11. Not ask a software engineer to do anything inconsistent with this Code.

    5.12. Not punish anyone for expressing ethical concerns about a project.

    So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.

    --
    Right...
  258. Arms traffickers! by Tackhead · · Score: 5
    Well, if they used PGP to encrypt the transmissions, and exported copies of the software...

    I dunno, I think seeing the brass at Mattel thrown behind bars for arms trafficking would be a good thing. Take your pick.

    • If they go to jail, it's poetic justice for suing people for CPHack
    • If they walk, it'll be because they spent enough money on legislators to buy us sane crypto regs.
    Talk about a win/win situation!
  259. explanation from the learning company by po_boy · · Score: 5
    Here is an allegedly authentic correspondence I dug up after searching around. I'm not sure what relation The Learning Company has to all of this, but this may help some people out:
    Many Broderbund applications use a technology called Brodcast. Brodcast is a way that the splash screen (which is the opening screen you see for a few moments when you start a program) can be changed. DSSAgent is a small application that runs in the background and when it sees an Internet connection, it checks with our Web site to see if a new splash screen graphic is available and, if so, downloads it for you.

    It does not constantly use your Internet connection.


    Sincerely,
    Paul Burchfield
    The Learning Company

  260. Why You Need to Read the Risks Forum by goingware · · Score: 5
    I keep posting this around Slashdot.

    If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ or on the Usenet news as comp.risks

    The Risks forum is part of the ACM Committee on Computers and Public Policy.

    You should make a special effort to read Risks if you:

    • Program computers
    • Make policy decisions involving computers (managers, government etc.)
    • Depend on computers for your life or safety (do you fly on airplanes?)
    • Operate computers in situations where they affect life or safety
    You will see computers in a different light after reading Risks for a while, and maybe it will affect the decisions you make regarding them and the way you write and test your code. Consider this article I posted:

    USS Yorktown dead in water after divide by zero

    The Navy got rid of its more robust warship operating systems and replaced them with Windows NT. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.

    Security concerns, viruses and the like are discussed extensively in Risks.

    Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:

    The scary MSWord residue feature

    I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written.

    We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience. It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.

    This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.

    Do you have any loved ones in the hospital with a life-threatening medical condition?

    New HDTV signal shuts down Baylor heart monitors

    On 26 Feb 1998, WFAA TV (Channel 8) in Dallas turned on their new digital HDTV signal. As a result, 12 heart monitors stopped working in a Baylor University Medical Center heart surgery recovery unit; they happened to be on the same frequency. The monitors were made in the mid-1980s, and were slated for replacement. [But the patients weren't?] In the interim, WFAA has stopped transmitting -- because there are no commercial receivers yet anyway. [Source: *Dallas Morning News*, 5 Mar 1998. PGN Abstracting]

    Peter G. Neumann, moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.

    It has ISBN 020155805X and you can purchase it online from:

    If you teach a course in programming in any school (even high school), I suggest you put the book on the recommended reading list. If you teach a course on embedded or fault-tolerant computing, I urge you to include it in the required reading.

    Mike

    Tilting at Windmills for a Better Tomorrow
    --
    -- Could you use my software consulting serv
  261. Why open source is nice, part LXXVIII by Nicholas+Vining · · Score: 5

    In this age where even the average e-shopper is so worried about "electronic privacy", where Microsoft Internet Explorer warns you constantly not to install untrusted plugins, and where the ILOVEYOU e-mail worm did six billion dollars worth of damage, it constantly amazes me that consumers in general still run software which hasn't been inspected by a reliable and unbiased third party. Perhaps people's trust of the Big Corporations has grown to such a point that we automatically assume that "they wouldn't be spying on us, they're our friends"; or perhaps it's because the 92% of the population that uses Windows 95 fails to see the risk.

    Hopefully people will eventually learn that you shouldn't trust any software that you can't inspect, or that somebody else can't inspect for you. Would you buy a car if you weren't allowed to look under the hood, take it for a test drive, or even open the door before you signed the purchase agreement?

    Isn't it an odd world we live in?

    Nicholas

    --
    disclaimer: opinions contained therein are not necessarily those of my employer.
  262. I wrote that code - I'll tell you what it does by Moses+Lawn · · Score: 5
    I always wondered when someone was going to find this. To address everybody's biggest concerns:

    It is NOT spyware.
    It does NOT look for or send any personal, private, or public information about you or your system.
    It does NOT use encryption - it uses PGP digital signatures.
    It was NOT designed for kids' products - it was designed for all products.

    I worked for Broderbund from 1995 until about a year ago. Maybe 3 years ago, my then-manager came to me with an idea he had dreamed up for giving applications new and different splash screens every time they started up. This would give us the ability to pitch related products (if you had Print Shop, we could try to sell you Presswriter, or special clip art at Christmas) and tell you about upgrades. There was also talk about, eventually, having some form of 2-way communication with users. Thus was born Dynamic Splash Screens, or DSS.
    I had a number of big problems with the idea, mainly with the idea of advertising and with the obvious invasion-of-privacy issues. I pointed out (rather stridently) that we could have serious legal and P.R. problems with this, not to mention the heinous ethical problems, and that we were in danger of ruining our (at the time very good) reputation. Wisely, all ideas for this were dropped except for the splash screens. Pretty benign.
    Here's the communication protocol:
    Periodically (by default, once a day), the background app wakes up, pulls a list of IDs of installed DSS-enabled apps out of the registry, and sends them to the Brodcast site via HTTP POST. It receives an XML page, PGP-signed, that either says "Nothing new, go back to sleep" (99% of the time) or describes a new splash screen (name, dates to display, time to show, location of JPEG file). It then retrieves the pieces (generally 2k chunks) of the JPEG, verifies their PGP signature, and reassembles them.
    When a DSS-enabled app starts, it looks in the registry to see if it has a new splash screen to show. If so, it displays the JPEG (along with a "never show this again" checkbox) for 10 seconds or so, instead of the app's normal splash screen.
    The PGP signing is to make sure nobody can hijack the URL and send bogus images. There is no encryption. Try this: take the XML page, remove the signature (between SIG and /SIG), run the rest of the page through PGP with the key that a previous poster pulled out of dssagent.exe, and they *should* match. Nothing really secret here.
    That said, I was never really comfortable with the whole idea. In fact, part of the reason I left the company was a plan (later dropped) to add "targeted advertising". While some of the comments posted here are way over the top (it's just plain paranoid to suggest rogue employees sending kiddie porn or stealing financial info), I agree that it was begging for trouble to do something like this. However, there was always (while I was there) a (relatively) clearly-stated installer screen that asked if you wanted this. Always. Regardless of what Simson Garfinkel remembers.
    As to why the DSS agent was installed if the user said no, you can blame Install Shield and its charming installation scripts.
    Anyway, there it is. Annoying, misguided maybe, but not so sinister. Oh, and the Mattel-Broderbund connection? A bottom-feeding sleazeball company called Softkey bought The Learning Company, took them over like a hermit crab, then bought Broderbund (and ran them deeply into the ground), and was, in turn, bought by Mattel (and proceeded to lose $200 million for them in one quarter, putting Mattel CEO Jill Barad's career in the ground).

    --

    What if life is just a side effect of some other process and God has no idea we exist?
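
Added example, not part of any comment above and not Broderbund's or Mattel's code: one way to test the claim in comment 262 that the agent POSTs only a list of product IDs, using a request captured with tcpdump or windump as comment 256.1 suggests. The capture is constructed, and the host, path, field name `app` and numeric ID format are assumptions, since the page does not give the real wire format.

```python
import re
from urllib.parse import parse_qsl

# Constructed capture. Host, path and field names are hypothetical;
# the page does not document DSSAgent's real request format.
CAPTURED = (
    b"POST /dss/check HTTP/1.0\r\n"
    b"Host: updates.example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 70\r\n"
    b"\r\n"
    b"app=1001&app=1002&user=jane%40example.invalid&path=C%3A%5CMy+Documents"
)

ALLOWED_FIELDS = {"app"}          # assumption: only product IDs are expected
ID_RE = re.compile(r"\d{1,8}")    # assumption: IDs are short decimal strings


def split_request(raw):
    """Split a raw HTTP request into method, lower-cased headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line after headers; capture is truncated")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def audit_post(raw):
    """Return (field, value, reason) for everything beyond a plain ID list."""
    method, headers, body = split_request(raw)
    findings = []
    if method != "POST":
        return findings
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append(("<body>", "", "length differs from Content-Length"))
    ctype = headers.get("content-type", "application/x-www-form-urlencoded")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        findings.append(("<body>", ctype, "not form data; inspect by hand"))
        return findings
    for field, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        if field not in ALLOWED_FIELDS:
            findings.append((field, value, "unexpected field"))
        elif not ID_RE.fullmatch(value):
            findings.append((field, value, "value is not a plain product ID"))
    return findings


if __name__ == "__main__":
    for finding in audit_post(CAPTURED):
        print(finding)
```

An empty result means the captured request carried nothing except allowed ID fields; any finding is a value to read by hand before accepting the vendor's description.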