Slashdot Mirror
Mattel Spyware
Yet another company has been caught surreptitiously uploading information from their customers. This time, it was Mattel, who I would have thought would have already reached their "bad PR" quota this year by suing the people who distributed CPHack. But no; they're spying on the children who use their software too, and Simson Garfinkel raises some very important points. A hint for all the /. readers who are handy with a debugger: you want to get your 15 minutes of fame, just figure out what information the DSSagent program is sending and let us know.
Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.
I'm not quite sure about the whole "not being able to afford a babysitter" part. I work two jobs (okay one and a half, it's still 12-14 hours a day) and my wife just started afternoons at a factory. The kids (4 and 7mos) are at a babysitter from 2:30pm to 6:30pm. That costs us a whole $20 a day (approx $400/mo) to have them looked after by someone who doesn't just plop them down in front of the TV.
With Vanessa (that's my wife) working, she makes about $9.50 an hour breathing fuzz and tying knots (she works at a yarn manufacturer). That means she'll bring home approximately $1600 before taxes every month. Since she's in such a low tax bracket let's say they knock off 15%. That's $1400 a month she brings home, or after daycare (which we wouldn't need if she weren't working) $1000 we didn't have before.
Factory work is damn near everywhere. Yes it's hot, it's awful, it's mind-blisteringly boring... but it's work. And 9 times out of 10 it's above $6/hr ($4 being minimum wage here). I would wager a guess that those moaning that there is no work (especially in America, jeez, every time I'm down there there's signs for help wanted EVERYWHERE) have their standards set too high. Hell even at the shitty factory my wife works at she can be in the highest pay tier in 12 months if she does good.
TV-babysat kids don't save you any money. They cost you a lot in the long run. My kids watch TV at least once every two days (sometimes more than I'd like) but they aren't raised by it. Once my son figured out that TV shows and movies had to end sometime ("Why's it over?!") he had no problem turning off the tube and playing with cars, tormenting his sister, getting dirty outside or getting into my stuff. And the little one is happier trying to figure out how to get Cheerios into her mouth or watching her big brother than she is in any TV show. Maybe we're just lucky or maybe it has something to do with the fact that we don't use the TV as a babysitter.
If there is one thing that I think single handedly guarantees the continued existance of the Open Source movement it is stuff like this. Software companies have gotten so arrogant that it is absolutely crazy. Honestly, you can't even buy a simple children's game nowadays without worrying about a company foisting Trojan horse software on you. Did Mattel honestly think that they wouldn't get caught? Did they think that no one would care? If the commercial software houses keep this stuff up then pretty soon even the most neophyte computer users will be demanding that the source code to their software be "open."
Even more ironic is the fact that Mattel was probably using this software to gather marketing information. Imagine their surprise when they come to the conclusion that 99 out of 100 Americans don't feel like purchasing software from companies that might potentially be spying on their children!
I was just at ComputerLiteracy/Fatbrain today and after picking up a bunch of Oreilly books and a couple Neal Stephenson books, found myself thumbing through Database Nation (Simson Garfkinkel/O'Reilly). It looks like an interesting read. I think there was a slashdot review on it, but I missed most of it. Anyway, after reading the absurd account on Salon, I'm going to move Database Nation to the top of my reading list and get started immediately.
You know, it seems that this kind of behavior on Mattel's part would fly directly in the face of the recently passed law requiring that websites who know their users are under 13 years old and collect personal data on them, must require parental authorization. Sure, this isn't a website, but it's virtually the same thing -- and probably just as bad.
It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.
---
icq:2057699
seumas.com
The problem with any "code of ethics" is that you can't have responsibility without authority. A civil engineering project has to be reviewed and approved by a Professional Engineer (P.E.), this is a matter of law in many places. There is no analogous law for software engineering. Even though most employers categorize them as "exempt", using the rationale that they are professionals, like doctors or lawyers, programmers and software engineers rarely have the authority associated with the traditional professions.
Mea navis aericumbens anguillis abundat
First off, if your "average e-shopper" is so worried about electronic privacy, then what are they doing e-shopping? Do you have any statistics to back up your statement that they are "so" worried about it? Secondly, if you've paid attention to e-commerce snafus, you'll realize that they've come from poor administration, most often from not configuring database connections properly and not applying patches, not from the presence or absence of source code. Hell, even the Apache Group itself got its website hacked -- source code didn't protect them, because they didn't follow the proper procedures for the open source software that they had installed on their server.
Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not. If not, it seems like a pretty accurate warning, giving you the option to install plugins that you might want, like from Macromedia, but telling you that installing one from somebody you know nothing about might not be such a hot idea. Personally, I find web browsing using only open source tools to be a pretty boring experience, even much more so before Mozilla started up.
Sorry again, but the ILOVEYOU trojan was open source. I believe that someone even posted it here at Slashdot. If you get tricked into running something bad, the presence or absence of source isn't going to help you. See wu-ftpd.
Cheers,
ZicoKnows@hotmail.com
They'd be on the bad (defendant) side of the legal system for a change.
Just because it CAN be done, doesn't mean it should!
Gibson Research's opt out utility can remove unwelcome spyware. GRC also maintains a list of suspected spyware and other useful privacy resources including a FAQ.
Just wait a couple weeks and then go check-out RealNetworks' RC5 crunching stats on distributed.net -- then you'll know where your cycles are going! ;)
---
icq:2057699
seumas.com
The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.
The ACM and the IEEE consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice in a number of places, to wit:
3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.
3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.
Furthermore, management (i.e. Mattel) is admonished to:
5.11. Not ask a software engineer to do anything inconsistent with this Code.
5.12. Not punish anyone for expressing ethical concerns about a project.
So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.
Right...
You should actually read the article before you post. It explains quite clearly that older versions installed it without notice (he specifically reinstalled the software to check) and since COPA was enacted, they started asking.
--GnrcMan--
I dunno, I think seeing the brass at Mattel thrown behind bars for arms trafficking would be a good thing. Take your pick.
- If they go to jail, it's poetic justice for suing people for CPHack
- If they walk, it'll be because they spent enough money on legislators to buy us sane crypto regs.
Talk about a win/win situation!If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ on on the Usenet news as comp.risks
The Risks forum is part of the ACM Committee on Computers and Public Policy.
You should make a special effort to read Risks if you:
- Program computers
- Make policy decisions involving computers (managers, government etc.)
- Depend on computers for your life or safety (do you fly on airplanes?)
- Operate computers in situations where they affect life or safety
You will see computers in a different light after reading Risks for a while, and maybe it will affect the decisions you make regarding them and the way you write and test your code. Consider this article I posted:USS Yorktown dead in water after divide by zero
The Navy got rid of its more robust warship operating systems and replaced them with Windows NT. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.
Security concerns, viruses and the like are discussed extensively in Risks.
Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:
Do you have any loved ones in the hospital with a life-threatening medical condition? Peter G. Neumann, moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.It has ISBN 020155805X and you can purchase it online from:
- http://www.fatbrain.com
- http://www.barnesandnoble.com
- http://www.amazon.com
- http://www.chapters.ca - in Canada
If you teach a course in programming in any school (even high school), I suggest you put the book on the recommended reading list. If you teach a course on embedded or fault-tolerant computing, I urge you to include it in the required reading.Mike
-- Could you use my software consulting serv
In this age where even the average e-shopper is so worried about "electronic privacy", where Microsoft Internet Explorer warns you constantly not to install untrusted plugins, and where the ILOVEYOU e-mail worm did six billion dollars worth of damage, it constantly amazes me that consumers in general still run software which hasn't been inspected by a reliable and unbiased third party. Perhaps people's trust of the Big Corporations have grown to such a point that we automatically assume that "they wouldn't be spying on us, they're our friends"; or perhaps it's because the 92% of the population that uses Windows 95 fails to see the risk.
Hopefully people will eventually learn that you shouldn't trust any software that you can't inspect, or that somebody else can't inspect for you. Would you buy a car if you weren't allowed to look under the hood, take it for a test drive, or even open the door before you signed the purchase agreement?
Isn't it an odd world we live in?
Nicholas
disclaimer: opinions contained therein are not neccessarily those of my employer.
It is NOT spyware.
It does NOT look for or send any personal, private, ot public information about you or your system.
It does NOT use encryption - it uses PGP digital signatures.
It was NOT designed for kids' products - it was designed for all products.
I worked for Broderbund from 1995 until about a year ago. Maybe 3 years ago, my then-manager came to me with an idea he had dreamed up for giving applications new and different splash screens every time they started up. This would give us the ability to pitch related products (if you had Print Shop, we could try to sell you Presswriter, or special clip art at Christmas) and tell you about upgrades. There was also talk about, eventually, having some form of 2-way communication with users. Thus was born Dynamic Splash Screens, or DSS. /SIG) , run the rest of the page through PGP with the key that a previous poster pulled out of dssagent.exe, and they *should* match. Nothing really secret here.
I had a number of big problems with the idea, mainly with the idea of advertising and with the obvious invasion-of-privacy issues. I pointed out (rather stridently) that we could have serious legal and P.R. problems with this, not to mention the heinous ethical problems, and that we were in danger of ruining our (at the time very good) reputation. Wisely, all ideas for this were dropped except for the splash screens. Pretty benign.
Here's the communication protocol:
Periodically (by default, once a day), the background app wakes up, pulls a list of IDs of installed DSS-enabled apps out of the registry, and sends then to the Brodcast site via HTTP POST. It receives an XML page, PGP-signed, that either says "Nothing new, go back to sleep" (99% of the time) or describes a new splash screen (name, dates to display, time to show, location of JPEG file). It then retrieves the pieces (generaly 2k chunks) of the JPEG, verifies their PGP signature, and reassembles them.
When a DSS-enabled app starts, it looks in the registry to see if it has a new splash screen to show. If so, it displays the JPEG (along with a "never show this again" checkbox) for 10 seconds or so, instead of the app's normal splash screen.
The PGP signing is to make sure nobody can hijack the URL and send bogus images. There is no encryption. Try this: take the XML page, remove the signature (between SIG and
That said, I was never really confortable with the whole idea. In fact, part of the reason I left the company was a plan (later dropped) to add "targetted advertising". While some of the comments posted here are way over the top (it's just plain paranoid to suggest rogue employees sending kiddie porn or stealing financial info), I agree that it was begging for trouble to do something like this. However, there was always (while I was there) a (relatively) clearly-stated installer screen that asked if you wanted this. Always. Regardless of what Simpson Garfinkel remembers.
As to why the DSS agent was installed if the user said no, you can blame Install Shield and its charming installation scripts.
Anyway, there it is. Annoying, misguided maybe, but not so sinister. Oh, and the Mattel-Broderbund connection? A bottom-feeding sleazeball company called Softkey bought The Learning Company, took them over like a hermit crab, then bought Broderbund (and ran them deeply into the ground), and was, in turn, bought by Mattel (and proceeded to lose $200 million for them in one quarter, putting Mattel CEO Jill Barad's career in the ground).
What if life is just a side effect of some other process and God has no idea we exist?