Slashdot Mirror
Mattel Spyware
Yet another company has been caught surreptitiously uploading information from their customers. This time, it was Mattel, who I would have thought would have already reached their "bad PR" quota this year by suing the people who distributed CPHack. But no; they're spying on the children who use their software too, and Simson Garfinkel raises some very important points. A hint for all the /. readers who are handy with a debugger: you want to get your 15 minutes of fame, just figure out what information the DSSagent program is sending and let us know.
A trojan is an advertisement server that steals my bandwidth (and possibly my private information) disguised as a children's game. The difference between Netscape's bug tracking software and this agent are quite obvious. Netscape's bug tracking software asks my permission. Mattell doesn't bother with something as old fashioned as permission.
Using "strings" on DSSAGENT.EXE shows that it has a a PGP key. Running "pgp" on the key gives:
DSS 4096/1024 0xF8EABB3F 1997/12/05 NRobins
sig? 0xF8EABB3F (Unknown signator, can't be checked)
There is also a temp file in /WINDOWS/BBSTORE/DSS that is XML. I am not sure how to include that file here without it getting mangled, but it looks like a file that gets sent to www.brodcast.net. It has in it "DSS V1.0", interval of 86400 seconds (1 day) and a SIG line that looks fairly encrypted. ("iQA/AwUBOJn/KCElolv46rs/EQKCWACfYmhHchvKNf/izSGI mO3yEECbJBcAoMV7hR2SELS5eF2IKuRJPNCTVUE4 ")
Another note. I just installed ipchains masquerading on my linux box. Behind this "firewall" are a couple of Windows machines for the kids. I have run "ipchains -M -L" periodically and always noticed an open connection from one of these machines to www.brodcast.net. I just thought it was one of the zillion things the kids have downloaded. Now I know to block that site with ipchains.
This is also another good reason to use a program such as ZoneAlarm (free) or other similar individual firewalls and proxies. Just because you're stuck on Windows doesn't mean you should forfeit all of your privacy.
---
icq:2057699
seumas.com
I'm pretty sure they didn't stick any cookies in my pants when I walked in the door. ;)
---
icq:2057699
seumas.com
You know what? this is just like when we get the media telling us that our 'innocent' hacker tools are 'illegal, malicious' hacker tools.
Like the guys aid.. once a day this app runs, and simply says to the server 'got any new images?' and that's *ALL*.
Could the same framework be used for spyware? Sure. So could *any* software for that matter.
Oh my god! when you run ICQ, it fetches a MOTD from icq's server! INVASION OF PRIVACY!
Oh no.. when I run Unreal Tournament, it fetches a web page from the UT site and tells me if I have upgrades! EVERY TIME I RUN IT! what a violation of privacy!
Oh no... you mean, with mattel software, once in a while it fetches new banners? umm..
I have a good friend who worked at the Learning Company for quite some time, and he told me no end of horror stories about an utter disregard for engineering quality, lack of concern for usability, maintainability of code or anything that sounded remotely like common sense. They'd basically just ship all their applications when they could get them to more or less run and not when they were running reliability.[sic]
And this somehow distinguishes them from the rest of the sofware industry? Not a chance. Check out Mark Minasi's http://www.softwareconspiracy.com/ book for more info, but the dirty "secret" of the software industry is that darn near all software development is done like that today. It shouldn't be, but it is. I've seen enough to know - the hardware mfrs are even worse...
"The future's good and the present is nothing to sneeze at." - Roblimo's last
No, you're not. A reporter where I work broke a story based on such information that she found in a company press release. The company believed that their merger plans were a secret because they had deleted them from the release, but this reporter happened to stumble into this "preview changes" mode and saw the plans there. The company was pissed.
Yeah, sorry - I meant to include it in my original message. /. really needs an edit message function.
Try this story on Yahoo. It's fairly brief, but you get the message.
Alas gallinaceas de urbe bovis volo
Vote Technocratic! Government by killer robots!
Got a beef? Plug a name into the Bizarre Rumour Generator!
I hate to sound a repetitive note here, but I'm a BIG fan of ZoneAlarm for just this reason. Try www.zonelabs.com. It's nice because it alerts you (and offers the option to block any program trying to connect to the internet. And it's easy enough to use that you can recommend it to even the most computer illiterate. And before I get flamed, no, there isn't a Linux version. But it is free for non-business use.
---
DO NOT DISTURB THE SE
Something like this is in CyberPatrol too, to check for updates of the CyberNot list.
There has been talk of beta programs monitoring keystrokes to see what users do, so the product could be improved. This can easily be perverted. At one company, people asked if CyberPatrol being used to track attempts at accessing "forbidden" sites to keep track of employees.
When at MSI, while a similar product to CyberPatrol was being developed, I would get calls from the CEO and asked what certain programs were. These programs are ones on my machine that I was running. They were working on control usage of programs. I would get calls and asked what's b.exe or l.exe.
You say that was the intent when you wrote it. But what about after you leave? I have little trust in their ethics.
MSI admitted, under oath, they monitored my internet access from home when I asked for a what would be a reasonable accomodation under the ADA. When asked why, still under oath, they said it was to check up on me because I asked for a reasonable accomodation.
Fight Spammers!
Man.... How scary, I don't want half the worl knowing I have a barbie collection...
EOT
Here is some truth about Mattel and software. Back a few years ago, the head of the Barbie Doll division of Mattel (Jill Barad) became CEO of Mattel in what was considered at the time to be a reasonably unfriendly coup. After her rise, Mattel made two major purchases- one was the American Girl company (they make dolls, for 780 million) and one was the Learning Company (they 'make' software, and Mattel spent from 3-4 _b_illion dollars on the company). After the acquisition of the Learning Company (who had bought Broderbund a bit earlier to being bought by Mattel), Mattel went into serious E-Toy mode and released many many software packages, electronic gear, web sites, etc. It was Jill Barad's way of getting into the 'new market'. Well, as time passed, and people realized the new software sucked (ie- they stopped buying it...which is a BIG CLUE to those who are seeking to end the corporate realm. Make a product that doesn't suck and is easy to use and people will buy it), and, well, they stopped buying it. As of last year, the Learning Company division of Mattel lost some 1.1 billion dollars (equal, interestingly enough, to the amount of money that the Barbie doll division made in profit), Jill Barad was fired as CEO of Mattel (as of about April, interestingly enough, the same time that the DSS stopped shipping, according to the article), and Mattel, while still retaining its title of the largest toy maker on the planet, has suffered greatly- its stock has dropped from a high of near $60 down to around the $12-$15 mark. And _that_, dear friends, is the story of Mattel and the Learning Company. :) Open Source seems to be a good answer. Not buying shit software is a good answer. Let's be honest, many people who are reading (this far into this) are responsible for buying software that runs at your homes or offices. Choose wisely. Use your power. :) bye... r.
r. (Do not deny not by denying)
You mean like a newspaper or cable TV?
Seriously, how exactly is showing a 320x200 JPEG (for 15 seconds) that advertises a product you just might want to buy an invasion of your privacy? Admittedly, it's a little tacky, but so are many things in life. You don't have to look at it - you can check the "don't show this again" box that shows on each splash screen, you can choose not to install it in the first place, or you can make it go away by clicking on it (at least you used to, unless someone has changed it since I left).
And to head off another concern - it doesn't make the app take any longer to load, it just replaces the default splash screen that shows while the memory hog of an app starts up.
And where was the programmer with the developed sense of ethics to bring this to the attention of his employer?
Right here, actually. I brought up the ethical issues numerous times, to the point of being a pain in the ass about it. The upshot? It was going to happen anyway, and what it does is really not that bad. If not for people like me complaining, you wouldn't even be able to turn it off.
What if life is just a side effect of some other process and God has no idea we exist?
Well, thank you for that thoughtful and polite comment. As was (I thought) pointed out previously, we went to great lengths to only try to talk to the server if there is a currently active connection, by enumerating the active RAS (dialup networking, essentially) connections in the system. If there is no RAS connection, we don't dial.
If RAS is not installed, and there is a network card, yeah, we assume there is a connection. So yeah, your modem will dial once a day. You have the inactivity timeout set to hang up after 5 minutes or so, right? Kinda annoying, but that was the design decision. Wasn't my idea. It hardly puts me in the "stupidest man alive" category, I must say.
But remember, this is consumer software. 99% of our customers did what we expected - installed in on their home machine, connecting to the net with a modem, or installed it at work with a network. Sorry about your home network situation, but you can't write software that takes every possible variable or future change in underlying system design (remember, this was written 3 years ago. Windows has changed quite a bit since then. New bugs^H^H^Hfeatures come along all the time.) into account.
What if life is just a side effect of some other process and God has no idea we exist?
Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.
I'm not quite sure about the whole "not being able to afford a babysitter" part. I work two jobs (okay one and a half, it's still 12-14 hours a day) and my wife just started afternoons at a factory. The kids (4 and 7mos) are at a babysitter from 2:30pm to 6:30pm. That costs us a whole $20 a day (approx $400/mo) to have them looked after by someone who doesn't just plop them down in front of the TV.
With Vanessa (that's my wife) working, she makes about $9.50 an hour breathing fuzz and tying knots (she works at a yarn manufacturer). That means she'll bring home approximately $1600 before taxes every month. Since she's in such a low tax bracket let's say they knock off 15%. That's $1400 a month she brings home, or after daycare (which we wouldn't need if she weren't working) $1000 we didn't have before.
Factory work is damn near everywhere. Yes it's hot, it's awful, it's mind-blisteringly boring... but it's work. And 9 times out of 10 it's above $6/hr ($4 being minimum wage here). I would wager a guess that those moaning that there is no work (especially in America, jeez, every time I'm down there there's signs for help wanted EVERYWHERE) have their standards set too high. Hell even at the shitty factory my wife works at she can be in the highest pay tier in 12 months if she does good.
TV-babysat kids don't save you any money. They cost you a lot in the long run. My kids watch TV at least once every two days (sometimes more than I'd like) but they aren't raised by it. Once my son figured out that TV shows and movies had to end sometime ("Why's it over?!") he had no problem turning off the tube and playing with cars, tormenting his sister, getting dirty outside or getting into my stuff. And the little one is happier trying to figure out how to get Cheerios into her mouth or watching her big brother than she is in any TV show. Maybe we're just lucky or maybe it has something to do with the fact that we don't use the TV as a babysitter.
If there is one thing that I think single handedly guarantees the continued existance of the Open Source movement it is stuff like this. Software companies have gotten so arrogant that it is absolutely crazy. Honestly, you can't even buy a simple children's game nowadays without worrying about a company foisting Trojan horse software on you. Did Mattel honestly think that they wouldn't get caught? Did they think that no one would care? If the commercial software houses keep this stuff up then pretty soon even the most neophyte computer users will be demanding that the source code to their software be "open."
Even more ironic is the fact that Mattel was probably using this software to gather marketing information. Imagine their surprise when they come to the conclusion that 99 out of 100 Americans don't feel like purchasing software from companies that might potentially be spying on their children!
I was just at ComputerLiteracy/Fatbrain today and after picking up a bunch of Oreilly books and a couple Neal Stephenson books, found myself thumbing through Database Nation (Simson Garfkinkel/O'Reilly). It looks like an interesting read. I think there was a slashdot review on it, but I missed most of it. Anyway, after reading the absurd account on Salon, I'm going to move Database Nation to the top of my reading list and get started immediately.
You know, it seems that this kind of behavior on Mattel's part would fly directly in the face of the recently passed law requiring that websites who know their users are under 13 years old and collect personal data on them, must require parental authorization. Sure, this isn't a website, but it's virtually the same thing -- and probably just as bad.
It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.
---
icq:2057699
seumas.com
The problem with any "code of ethics" is that you can't have responsibility without authority. A civil engineering project has to be reviewed and approved by a Professional Engineer (P.E.), this is a matter of law in many places. There is no analogous law for software engineering. Even though most employers categorize them as "exempt", using the rationale that they are professionals, like doctors or lawyers, programmers and software engineers rarely have the authority associated with the traditional professions.
Mea navis aericumbens anguillis abundat
First off, if your "average e-shopper" is so worried about electronic privacy, then what are they doing e-shopping? Do you have any statistics to back up your statement that they are "so" worried about it? Secondly, if you've paid attention to e-commerce snafus, you'll realize that they've come from poor administration, most often from not configuring database connections properly and not applying patches, not from the presence or absence of source code. Hell, even the Apache Group itself got its website hacked -- source code didn't protect them, because they didn't follow the proper procedures for the open source software that they had installed on their server.
Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not. If not, it seems like a pretty accurate warning, giving you the option to install plugins that you might want, like from Macromedia, but telling you that installing one from somebody you know nothing about might not be such a hot idea. Personally, I find web browsing using only open source tools to be a pretty boring experience, even much more so before Mozilla started up.
Sorry again, but the ILOVEYOU trojan was open source. I believe that someone even posted it here at Slashdot. If you get tricked into running something bad, the presence or absence of source isn't going to help you. See wu-ftpd.
Cheers,
ZicoKnows@hotmail.com
They'd be on the bad (defendant) side of the legal system for a change.
Just because it CAN be done, doesn't mean it should!
Gibson Research's opt out utility can remove unwelcome spyware. GRC also maintains a list of suspected spyware and other useful privacy resources including a FAQ.
Just wait a couple weeks and then go check-out RealNetworks' RC5 crunching stats on distributed.net -- then you'll know where your cycles are going! ;)
---
icq:2057699
seumas.com
The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.
The ACM and the IEEE consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice in a number of places, to wit:
3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.
3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.
Furthermore, management (i.e. Mattel) is admonished to:
5.11. Not ask a software engineer to do anything inconsistent with this Code.
5.12. Not punish anyone for expressing ethical concerns about a project.
So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.
Right...
You should actually read the article before you post. It explains quite clearly that older versions installed it without notice (he specifically reinstalled the software to check) and since COPA was enacted, they started asking.
--GnrcMan--
I dunno, I think seeing the brass at Mattel thrown behind bars for arms trafficking would be a good thing. Take your pick.
- If they go to jail, it's poetic justice for suing people for CPHack
- If they walk, it'll be because they spent enough money on legislators to buy us sane crypto regs.
Talk about a win/win situation!If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ on on the Usenet news as comp.risks
The Risks forum is part of the ACM Committee on Computers and Public Policy.
You should make a special effort to read Risks if you:
- Program computers
- Make policy decisions involving computers (managers, government etc.)
- Depend on computers for your life or safety (do you fly on airplanes?)
- Operate computers in situations where they affect life or safety
You will see computers in a different light after reading Risks for a while, and maybe it will affect the decisions you make regarding them and the way you write and test your code. Consider this article I posted:USS Yorktown dead in water after divide by zero
The Navy got rid of its more robust warship operating systems and replaced them with Windows NT. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.
Security concerns, viruses and the like are discussed extensively in Risks.
Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:
Do you have any loved ones in the hospital with a life-threatening medical condition? Peter G. Neumann, moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.It has ISBN 020155805X and you can purchase it online from:
- http://www.fatbrain.com
- http://www.barnesandnoble.com
- http://www.amazon.com
- http://www.chapters.ca - in Canada
If you teach a course in programming in any school (even high school), I suggest you put the book on the recommended reading list. If you teach a course on embedded or fault-tolerant computing, I urge you to include it in the required reading.Mike
-- Could you use my software consulting serv
In this age where even the average e-shopper is so worried about "electronic privacy", where Microsoft Internet Explorer warns you constantly not to install untrusted plugins, and where the ILOVEYOU e-mail worm did six billion dollars worth of damage, it constantly amazes me that consumers in general still run software which hasn't been inspected by a reliable and unbiased third party. Perhaps people's trust of the Big Corporations have grown to such a point that we automatically assume that "they wouldn't be spying on us, they're our friends"; or perhaps it's because the 92% of the population that uses Windows 95 fails to see the risk.
Hopefully people will eventually learn that you shouldn't trust any software that you can't inspect, or that somebody else can't inspect for you. Would you buy a car if you weren't allowed to look under the hood, take it for a test drive, or even open the door before you signed the purchase agreement?
Isn't it an odd world we live in?
Nicholas
disclaimer: opinions contained therein are not neccessarily those of my employer.
It is NOT spyware.
It does NOT look for or send any personal, private, ot public information about you or your system.
It does NOT use encryption - it uses PGP digital signatures.
It was NOT designed for kids' products - it was designed for all products.
I worked for Broderbund from 1995 until about a year ago. Maybe 3 years ago, my then-manager came to me with an idea he had dreamed up for giving applications new and different splash screens every time they started up. This would give us the ability to pitch related products (if you had Print Shop, we could try to sell you Presswriter, or special clip art at Christmas) and tell you about upgrades. There was also talk about, eventually, having some form of 2-way communication with users. Thus was born Dynamic Splash Screens, or DSS. /SIG) , run the rest of the page through PGP with the key that a previous poster pulled out of dssagent.exe, and they *should* match. Nothing really secret here.
I had a number of big problems with the idea, mainly with the idea of advertising and with the obvious invasion-of-privacy issues. I pointed out (rather stridently) that we could have serious legal and P.R. problems with this, not to mention the heinous ethical problems, and that we were in danger of ruining our (at the time very good) reputation. Wisely, all ideas for this were dropped except for the splash screens. Pretty benign.
Here's the communication protocol:
Periodically (by default, once a day), the background app wakes up, pulls a list of IDs of installed DSS-enabled apps out of the registry, and sends then to the Brodcast site via HTTP POST. It receives an XML page, PGP-signed, that either says "Nothing new, go back to sleep" (99% of the time) or describes a new splash screen (name, dates to display, time to show, location of JPEG file). It then retrieves the pieces (generaly 2k chunks) of the JPEG, verifies their PGP signature, and reassembles them.
When a DSS-enabled app starts, it looks in the registry to see if it has a new splash screen to show. If so, it displays the JPEG (along with a "never show this again" checkbox) for 10 seconds or so, instead of the app's normal splash screen.
The PGP signing is to make sure nobody can hijack the URL and send bogus images. There is no encryption. Try this: take the XML page, remove the signature (between SIG and
That said, I was never really confortable with the whole idea. In fact, part of the reason I left the company was a plan (later dropped) to add "targetted advertising". While some of the comments posted here are way over the top (it's just plain paranoid to suggest rogue employees sending kiddie porn or stealing financial info), I agree that it was begging for trouble to do something like this. However, there was always (while I was there) a (relatively) clearly-stated installer screen that asked if you wanted this. Always. Regardless of what Simpson Garfinkel remembers.
As to why the DSS agent was installed if the user said no, you can blame Install Shield and its charming installation scripts.
Anyway, there it is. Annoying, misguided maybe, but not so sinister. Oh, and the Mattel-Broderbund connection? A bottom-feeding sleazeball company called Softkey bought The Learning Company, took them over like a hermit crab, then bought Broderbund (and ran them deeply into the ground), and was, in turn, bought by Mattel (and proceeded to lose $200 million for them in one quarter, putting Mattel CEO Jill Barad's career in the ground).
What if life is just a side effect of some other process and God has no idea we exist?