Slashdot Mirror


Privacy Concerns and The CueCat

An anonymous reader sent us a story running over at cnet about the privacy issues with the CueCat. The article gives them a (somewhat undeserved) benefit of the doubt as it talks about various privacy groups being concerned about what DC is doing. Fortunately there are instructions online about how to modify the cat to disable its internal identification code (it's not any more difficult than decrypting their split-invert-xor "Intellectual Property") by simply cutting one wire. Or you can just use one of the many free programs floating around. Oh, and since their server was cracked a few days ago, not only are they sniffing all this data, but crackers probably have a copy too. I would have been sick of this story weeks ago, but it just keeps getting funnier every time it pops up.

6 of 158 comments

  1. Re:What line to clip? by Cy Guy · Score: 4

    Detailed instructions are available from the Dissecting the CueCat page.

    I'm not sure, but I think there is a way to just flash the eeprom so it no longer sends out the ID. At least I think that's what this does.

  2. It IS easy to disable... by Anonymous Coward · Score: 5

    I found a link to a page called "Getting your CueCat declawed" ( http://matrixpm.com/~haveblue/cuecat/ ) at the Lineo CueCat site ( http://oss.lineo.com/cuecat/ ).

    It's pretty simple, really:

    Step one: Take out the four screws on the bottom of the scanner and pull the cover off, leaving the insides exposed.

    Step two: Take off the four screws fastening the board to the plastic case and separate the board from the case.

    Step three: Locate the S93C46 EEPROM on the bottom of the board. It's small, it has eight pins, and it should say "S93C4 6DV03 2704" (it's three lines, spaces indicate the line breaks). That's the chip that stores your serial number-- innocent-looking little bugger, isn't it?

    Step four: Using whatever method you like, cut the connection right underneath the "4" in "2704". That is, if the "U5" on the circuit board is upside-down by the top-left corner of the chip, you want to cut the lower-left pin. I found that a small pair of wire clippers was actually sufficient to sever the connection-- use whatever you feel comfortable with.

    Step five: put the damn thing back together again, and scan something. The serial number should come back as a repeating "BM5U". Congratulations, your :CueCat has been neutered.

    Elapsed time: 10 minutes if you're clumsy like me and lose one of the screws. Less if you're good at this sort of stuff.

    Have fun!

  3. Digital Demographics by 1010011010 · Score: 5

    http://www.digitaldemographics.com/services/index.html

    The output of the device looks like this (after processing by the keyboard handler):

    .C3nZC3nZC3nXE3b7DxjZCNnX.fHmc.C3DZC3nZC3f6ChjY.

    The device sends an ALT-F10 first, which is apparently a signal that a scan follows. The next field is the serial number. The third is the barcode type, and the fourth is the barcode data. Fields are separated by periods.
    Here is what the above scan looks like decoded:

    000000002838610102 UPA 040000029311

    This scan was of a UPC symbol on a bag of M&Ms. The output of the cuecat is scrambled using a modified base64 encoding. My software simply applies the inverse of the encoding. The Windows CRQ software does not itself process the scan data like this. It simply inverts the case of the scan and builds a URL using it. The basic form of the URL is as follows:

    http://[SERVER].dcnv.com/CRQ/1..[ACTIVATION CODE].X.[SCANDATA].0

    With the [SCANDATA] field broken out, it looks like this:

    http://[SERVER].dcnv.com/CRQ/1..[ACTIVATION CODE].[X].[SERIAL NUMBER].[TYPE].[DATA].0

    Here is an example, using the scan data from the M&Ms (try it):

    http://t.dcnv.com/CRQ/1..ACTIVATIONCODE.04.c3Nzc3Nzc3Nxe3B7dXJzcnNx.FhMC.c3dzc3Nzc3F6cHJy.0

    My software preserves the serial number, but does not transmit an activation code; it actually substitutes the letters "ACTIVATIONCODE" where they should go. This is enough to prevent the tracking of scans, I think. In fact, their servers do not even check for the validity of the activation code.

    Their Windows software asks a large number of demographic-defining questions before it actually installs the software. The answers are keyed to your "activation code," without which the Windows software will not work. But because they never do data validation server-side, you can still use their web servers without sending tracking data.

    In a separate issue, their "registration database" was not a database (a plain text file, actually), and was stored at a publicly accessible URL; they have since disallowed access to it from the internet:

    http://net.c-me-register.com/Registrations/registrations.txt

    This is what the data looked like:

    TS=09132000082913&FIRSTNAME=PETE&LASTNAME=PAGE&EMAIL=ppage@txisroads.com&ZIP=38834&GENDER=A&AGE=D&OPTIN=1&UID=Y0ZVY1QCZ7SGx2qHCoSf9g

    TS=09132000082926&FIRSTNAME=frank&LASTNAME=kasica&EMAIL=fkasica@optonline.net&ZIP=08610-6302&GENDER=A&AGE=F&OPTIN=1&UID=zRAzCaynOVkBS3XLZDyiNQ

    TS=09132000082936&FIRSTNAME=claude&LASTNAME=perry&EMAIL=claude@telapex.com&ZIP=39601&GENDER=A&AGE=H&OPTIN=1&UID=4Hacci4hfCygvJaWOCA7-A

    ... the last field ("UID") is presumably the activation code. This means it is trivial to match the weblogs on their servers with your profile data.


    --
    Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
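
    The scan format the comment walks through, as an added example (not the poster's software and not DC's code): a decoder for the ".serial.type.data." line plus the case-inverted URL the Windows client builds. The symbol table and the 0x43 XOR are assumptions taken from published CueCat write-ups, not from this page; the sample scan is the M&Ms line quoted above.

```python
"""Decoder for the :CueCat scan format quoted in the comment above (added example,
not the poster's software).  Assumed, from published CueCat write-ups rather than
from this page: the 64-symbol table is a-z, A-Z, 0-9, '+', '-' and every decoded
byte is XORed with 0x43."""
from dataclasses import dataclass

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-"
XOR_KEY = 0x43

# Constructed from the M&Ms scan quoted in the comment (ALT-F10 prefix already stripped).
SAMPLE_SCAN = ".C3nZC3nZC3nXE3b7DxjZCNnX.fHmc.C3DZC3nZC3f6ChjY."


@dataclass(frozen=True)
class Scan:
    serial: str        # per-device identifier, the field the EEPROM wire cut blanks out
    barcode_type: str  # e.g. "UPA" for UPC-A
    data: str          # the barcode digits


def decode_field(field: str) -> str:
    """Invert the modified base64: 4 symbols -> 3 bytes, then XOR each byte with 0x43."""
    out = bytearray()
    for i in range(0, len(field), 4):
        group = field[i:i + 4]
        if len(group) < 2:
            raise ValueError("dangling symbol in %r" % field)
        bits = 0
        for ch in group:               # ALPHABET.index raises on a foreign symbol
            bits = (bits << 6) | ALPHABET.index(ch)
        nbytes = len(group) - 1        # 2 symbols -> 1 byte, 3 -> 2, 4 -> 3
        bits >>= 6 * len(group) - 8 * nbytes  # drop the unused low bits of a short group
        out += bits.to_bytes(nbytes, "big")
    return bytes(b ^ XOR_KEY for b in out).decode("ascii")


def parse_scan(line: str) -> Scan:
    """Split '.serial.type.data.' on its period separators and decode each field."""
    fields = [f for f in line.strip().split(".") if f]
    if len(fields) != 3:
        raise ValueError("expected serial, type and data fields, got %r" % fields)
    serial, barcode_type, data = (decode_field(f) for f in fields)
    return Scan(serial, barcode_type, data)


def crq_url(server: str, activation_code: str, x_field: str, line: str) -> str:
    """Rebuild the URL the Windows CRQ client sends: the raw scan with its letter case inverted."""
    scan = line.strip().strip(".").swapcase()
    return "http://%s.dcnv.com/CRQ/1..%s.%s.%s.0" % (server, activation_code, x_field, scan)
```

    Feeding the "BM5U" serial of a neutered cat through decode_field shows why the server learns nothing from it: every group comes back as "---". The [X] field meaning is not stated on the page; the example URL uses "04".
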

  4. Big differences, big dangers by Randy Rathbun · Score: 5

    Something the c|net article does not mention, and I wish more attention would be paid to it, is the use of the CC software to track user viewing habits in addition to barcodes.

    The program sits there and listens to the audio feed of your TV. When it hears the CC sound, it takes you to the website, just like scanning a barcode does.

    Now, take a look at the software - the thing uses user profiles (if you have them set up). Each person who uses the computer is encouraged to have their own profile. So, when Mom sits down and scans stuff out of Family Circle, or watches LifetimeTV, or scans a bag of Gold Medal Flour - bingo! DC now knows this stuff. Dad watches ESPN, drinks Budweiser, and eats Guy's Potato Chips. Little Billy watches Nick Jr., drinks Hi-C, and enjoys Little Debbie snack cakes. Now all those ads you see in print or on TV can be even MORE targeted. You simply change part of the CC-TV code to reflect the channel that is broadcasting it and you can watch the audience reaction to putting a commercial right at the highlight of the show - do they turn the channel? Do they just sit there and watch the commercials?

    This is so Orwellian in its nature that I am happier now than ever that I don't run Windows and am not fooled into running CC's software.

    Better yet, let's do this hypothetical situation: Pretend that I am a political candidate for the Silly Party. We put on our national convention. At the start of the broadcast, Joe Commentator comes on and says, "Turn on your Cue Cat software folks! The Silly Party will be sending you to various parts of the Silly Party platform during the presentation tonight."

    Instantly, my minions at Silly Party HQ can start watching the audience reaction of the home viewers. Since I am using a teleprompter to give my lecture to the masses, it can be instantly changed and edited. The minions see me getting too many of the "angry white male" audience tuning away and returning to Monday Night Nitro? Simply insert political rhetoric aimed at them. Whoops! Now the latino population is tuning out! Better say something to keep them listening. And this can go on and on and on for the rest of the convention.

    This just scares the crap out of me.

    Vote Nader

  5. Re:SLASHDOT ARE VIOLATING MY PRIVACY!!!! by Roblimo · Score: 4

    Yes, Dodger, we know everything about you now, including that little pants-wetting episode when you were in kindergarten that you thought everyone forgot but was entered in your *permanent record* and is accessible to anyone who knows the serial number of your Intel PII and has a barcode scanner.
    </humor>

    - Robin

  6. Look who's talking. by AFCArchvile · Score: 4

    The URL of CNet's story (http://news.cnet.com/news/0-1005-200-2826868.html?tag=st.ne.1002.tgif.ni) just makes me wonder: Isn't CNet also playing the "demographics" game? They could log where you are by your IP, your OS by your browser string, and other things.

    Just goes to show how corruptly curious companies are getting this day and age.

    --
    "Ancillary does not mean you get to rule the world." --U.S. Circuit Judge Harry Edwards, speaking to the FCC's lawyer