Slashdot Mirror


Mattel Spyware

Yet another company has been caught surreptitiously uploading information from their customers. This time, it was Mattel, who I would have thought would have already reached their "bad PR" quota this year by suing the people who distributed CPHack. But no; they're spying on the children who use their software too, and Simson Garfinkel raises some very important points. A hint for all the /. readers who are handy with a debugger: you want to get your 15 minutes of fame, just figure out what information the DSSagent program is sending and let us know.

8 of 298 comments

  1. Re:Why does Quicken run all the time? by Seumas · · Score: 5
    Also when I was beta testing Windows 2000 I noticed that often I couldn't get my programs to compile because realplay.exe was consuming 99% of the CPU time - when I wasn't connected to the net or listening to music.

    Just wait a couple weeks and then go check out RealNetworks' RC5 crunching stats on distributed.net -- then you'll know where your cycles are going! ;)
    ---
    icq:2057699
    seumas.com

  2. What disappoints me... by Dr.Evil · · Score: 5

    The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.

    The ACM and the IEEE consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice in a number of places, to wit:

    3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.

    3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.

    Furthermore, management (i.e. Mattel) is admonished to:

    5.11. Not ask a software engineer to do anything inconsistent with this Code.

    5.12. Not punish anyone for expressing ethical concerns about a project.

    So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.

    --
    Right...
  3. Re:But Mattel _asks_ if you want it! by GnrcMan · · Score: 5

    You should actually read the article before you post. It explains quite clearly that older versions installed it without notice (he specifically reinstalled the software to check) and since COPA was enacted, they started asking.

    --GnrcMan--

  4. Arms traffickers! by Tackhead · · Score: 5
    Well, if they used PGP to encrypt the transmissions, and exported copies of the software...

    I dunno, I think seeing the brass at Mattel thrown behind bars for arms trafficking would be a good thing. Take your pick.

    • If they go to jail, it's poetic justice for suing people for CPHack
    • If they walk, it'll be because they spent enough money on legislators to buy us sane crypto regs.
    Talk about a win/win situation!
  5. explanation from the learning company by po_boy · · Score: 5
    Here is an allegedly authentic correspondence I dug up after searching around. I'm not sure what relation The Learning Company has to all of this, but this may help some people out:
    Many Broderbund applications use a technology called Brodcast. Brodcast is a way that the splash screen (which is the opening screen you see for a few moments when you start a program) can be changed. DSSAgent is a small application that runs in the background and when it sees an Internet connection, it checks with our Web site to see if a new splash screen graphic is available and, if so, downloads it for you.

    It does not constantly use your Internet connection.


    Sincerely,
    Paul Burchfield
    The Learning Company

  6. Why You Need to Read the Risks Forum by goingware · · Score: 5
    I keep posting this around Slashdot.

    If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ or on Usenet news as comp.risks.

    The Risks forum is part of the ACM Committee on Computers and Public Policy.

    You should make a special effort to read Risks if you:

    • Program computers
    • Make policy decisions involving computers (managers, government etc.)
    • Depend on computers for your life or safety (do you fly on airplanes?)
    • Operate computers in situations where they affect life or safety
    You will see computers in a different light after reading Risks for a while, and maybe it will affect the decisions you make regarding them and the way you write and test your code. Consider this article I posted:

    USS Yorktown dead in water after divide by zero

    The Navy got rid of its more robust warship operating systems and replaced them with Windows NT. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.

    Security concerns, viruses and the like are discussed extensively in Risks.

    Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:

    The scary MSWord residue feature

    I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of Word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written.

    We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience. It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.

    This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send Word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind-the-scenes conversation in an important Word document that I was never intended to see.

    Do you have any loved ones in the hospital with a life-threatening medical condition?

    New HDTV signal shuts down Baylor heart monitors

    On 26 Feb 1998, WFAA TV (Channel 8) in Dallas turned on their new digital HDTV signal. As a result, 12 heart monitors stopped working in a Baylor University Medical Center heart surgery recovery unit; they happened to be on the same frequency. The monitors were made in the mid-1980s, and were slated for replacement. [But the patients weren't?] In the interim, WFAA has stopped transmitting -- because there are no commercial receivers yet anyway. [Source: *Dallas Morning News*, 5 Mar 1998. PGN Abstracting]

    Peter G. Neumann, moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.

    It has ISBN 020155805X and you can purchase it online from:

    If you teach a course in programming in any school (even high school), I suggest you put the book on the recommended reading list. If you teach a course on embedded or fault-tolerant computing, I urge you to include it in the required reading.

    Mike

    Tilting at Windmills for a Better Tomorrow
    --
    -- Could you use my software consulting serv
  7. Why open source is nice, part LXXVIII by Nicholas+Vining · · Score: 5

    In this age where even the average e-shopper is so worried about "electronic privacy", where Microsoft Internet Explorer warns you constantly not to install untrusted plugins, and where the ILOVEYOU e-mail worm did six billion dollars worth of damage, it constantly amazes me that consumers in general still run software which hasn't been inspected by a reliable and unbiased third party. Perhaps people's trust of the Big Corporations has grown to such a point that we automatically assume that "they wouldn't be spying on us, they're our friends"; or perhaps it's because the 92% of the population that uses Windows 95 fails to see the risk.

    Hopefully people will eventually learn that you shouldn't trust any software that you can't inspect, or that somebody else can't inspect for you. Would you buy a car if you weren't allowed to look under the hood, take it for a test drive, or even open the door before you signed the purchase agreement?

    Isn't it an odd world we live in?

    Nicholas

    --
    disclaimer: opinions contained therein are not necessarily those of my employer.
  8. I wrote that code - I'll tell you what it does by Moses+Lawn · · Score: 5
    I always wondered when someone was going to find this. To address everybody's biggest concerns:

    It is NOT spyware.
    It does NOT look for or send any personal, private, or public information about you or your system.
    It does NOT use encryption - it uses PGP digital signatures.
    It was NOT designed for kids' products - it was designed for all products.

    I worked for Broderbund from 1995 until about a year ago. Maybe 3 years ago, my then-manager came to me with an idea he had dreamed up for giving applications new and different splash screens every time they started up. This would give us the ability to pitch related products (if you had Print Shop, we could try to sell you Presswriter, or special clip art at Christmas) and tell you about upgrades. There was also talk about, eventually, having some form of 2-way communication with users. Thus was born Dynamic Splash Screens, or DSS.
    I had a number of big problems with the idea, mainly with the idea of advertising and with the obvious invasion-of-privacy issues. I pointed out (rather stridently) that we could have serious legal and P.R. problems with this, not to mention the heinous ethical problems, and that we were in danger of ruining our (at the time very good) reputation. Wisely, all ideas for this were dropped except for the splash screens. Pretty benign.
    Here's the communication protocol:
    Periodically (by default, once a day), the background app wakes up, pulls a list of IDs of installed DSS-enabled apps out of the registry, and sends them to the Brodcast site via HTTP POST. It receives an XML page, PGP-signed, that either says "Nothing new, go back to sleep" (99% of the time) or describes a new splash screen (name, dates to display, time to show, location of JPEG file). It then retrieves the pieces (generally 2k chunks) of the JPEG, verifies their PGP signature, and reassembles them.
    When a DSS-enabled app starts, it looks in the registry to see if it has a new splash screen to show. If so, it displays the JPEG (along with a "never show this again" checkbox) for 10 seconds or so, instead of the app's normal splash screen.
    The PGP signing is to make sure nobody can hijack the URL and send bogus images. There is no encryption. Try this: take the XML page, remove the signature (between SIG and /SIG), run the rest of the page through PGP with the key that a previous poster pulled out of dssagent.exe, and they *should* match. Nothing really secret here.
    That said, I was never really comfortable with the whole idea. In fact, part of the reason I left the company was a plan (later dropped) to add "targeted advertising". While some of the comments posted here are way over the top (it's just plain paranoid to suggest rogue employees sending kiddie porn or stealing financial info), I agree that it was begging for trouble to do something like this. However, there was always (while I was there) a (relatively) clearly-stated installer screen that asked if you wanted this. Always. Regardless of what Simson Garfinkel remembers.
    As to why the DSS agent was installed if the user said no, you can blame Install Shield and its charming installation scripts.
    Anyway, there it is. Annoying, misguided maybe, but not so sinister. Oh, and the Mattel-Broderbund connection? A bottom-feeding sleazeball company called Softkey bought The Learning Company, took them over like a hermit crab, then bought Broderbund (and ran them deeply into the ground), and was, in turn, bought by Mattel (and proceeded to lose $200 million for them in one quarter, putting Mattel CEO Jill Barad's career in the ground).

    --

    What if life is just a side effect of some other process and God has no idea we exist?
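The exchange described in comment 8 (signed manifest, signed JPEG chunks, reassembly, no encryption), played out by both sides in one process as an added example. This is not Broderbund's DSSagent code and is not taken from the page: ed25519 stands in for PGP, the XML element names, the image name and the 6144-byte "image" are constructed, and the length-prefixed chunk header goes beyond the post by binding every chunk to its image name and position, a check a bare per-chunk signature does not give you. It also shows the two failure modes the poster's design is meant to stop: an edited manifest from a hijacked URL, and validly signed chunks delivered in the wrong order.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"encoding/xml"
	"fmt"
)

// Manifest is the signed XML reply the post describes ("nothing new" or a new splash
// screen). Element names are assumptions, not the product's real format.
type Manifest struct {
	Name   string `xml:"name"`
	Chunks int    `xml:"chunks"`
}

// Signed is the wire envelope: cleartext payload plus a detached signature. Nothing is
// encrypted; an on-path observer reads it all, but only the key holder can get it accepted.
type Signed struct{ Payload, Signature []byte }

// sign is the server side; the product used PGP, ed25519 stands in for it here (assumption).
func sign(priv ed25519.PrivateKey, payload []byte) Signed {
	return Signed{payload, ed25519.Sign(priv, payload)}
}
// ParseManifest verifies first and parses second, so forged XML never reaches the parser.
func ParseManifest(pub ed25519.PublicKey, s Signed) (*Manifest, error) {
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return nil, fmt.Errorf("manifest signature invalid; refusing to parse")
	}
	var m Manifest
	if err := xml.Unmarshal(s.Payload, &m); err != nil {
		return nil, err
	}
	return &m, nil
}

// chunkHeader binds a chunk to its image name and position with length-prefixed framing;
// signing raw chunk bytes alone would allow reordering or splicing in a chunk of another image.
func chunkHeader(name string, idx int) []byte {
	h := make([]byte, 8+len(name))
	binary.BigEndian.PutUint32(h, uint32(len(name)))
	copy(h[4:], name)
	binary.BigEndian.PutUint32(h[4+len(name):], uint32(idx))
	return h
}

// Reassemble verifies each chunk against the name, index and count the manifest promised.
func Reassemble(pub ed25519.PublicKey, m *Manifest, chunks []Signed) ([]byte, error) {
	if len(chunks) != m.Chunks {
		return nil, fmt.Errorf("expected %d chunks, got %d", m.Chunks, len(chunks))
	}
	var out []byte
	for i, c := range chunks {
		hdr := chunkHeader(m.Name, i)
		if !ed25519.Verify(pub, c.Payload, c.Signature) || !bytes.HasPrefix(c.Payload, hdr) {
			return nil, fmt.Errorf("chunk %d: bad signature or wrong image/position", i)
		}
		out = append(out, c.Payload[len(hdr):]...)
	}
	return out, nil
}

// RunScenario plays both sides in-process with a constructed 6144-byte "image" and
// reports (reassembled size, tampered manifest rejected, reordered chunks rejected).
func RunScenario() (int, bool, bool, error) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize)) // fixed seed: demo only
	pub := priv.Public().(ed25519.PublicKey)
	image := bytes.Repeat([]byte{0xff, 0xd8, 0x42}, 2048) // constructed stand-in for a JPEG
	const name, chunkSize = "xmas_clipart", 2048         // "generally 2k chunks", per the post
	var chunks []Signed
	for start := 0; start < len(image); start += chunkSize {
		chunks = append(chunks, sign(priv, append(chunkHeader(name, len(chunks)), image[start:start+chunkSize]...)))
	}
	manifest := sign(priv, []byte(fmt.Sprintf(
		"<dss><status>new</status><name>%s</name><chunks>%d</chunks></dss>", name, len(chunks))))
	// Happy path: verified manifest, verified chunks, byte-identical image.
	m, err := ParseManifest(pub, manifest)
	if err != nil {
		return 0, false, false, err
	}
	got, err := Reassemble(pub, m, chunks)
	if err != nil || !bytes.Equal(got, image) {
		return 0, false, false, fmt.Errorf("happy path failed: %v", err)
	}
	// Hijacked URL: one byte of the cleartext manifest edited, so the signature no longer matches.
	tampered := Signed{append([]byte(nil), manifest.Payload...), manifest.Signature}
	tampered.Payload[20] ^= 0x01
	_, tErr := ParseManifest(pub, tampered)
	// Reordering: each chunk still verifies on its own, but its signed index disagrees.
	swapped := append([]Signed(nil), chunks...)
	swapped[0], swapped[1] = swapped[1], swapped[0]
	_, sErr := Reassemble(pub, m, swapped)
	return len(got), tErr != nil, sErr != nil, nil
}

func main() {
	fmt.Println(RunScenario()) // 6144 true true <nil>
}
```

Two design points worth noting. The chunk-count check in Reassemble runs before any signature check, because signatures say nothing about a download that simply stops early; and the header is length-prefixed rather than delimiter-separated so that an image name containing the delimiter cannot be made to look like a different name and index. The flip side of "signed but not encrypted" is the one the poster concedes: the list of installed product IDs in the POST and the manifest itself are readable by anyone on the path, which is exactly how a reader with a packet capture can confirm what the agent does and does not send.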