Mattel Spyware
Posted by
michael
on Thu Jun 15, 2000 12:03 AM
from the caught-red-handed dept.
Yet another company has been caught surreptitiously uploading information from their customers. This time, it was Mattel, who I would have thought would have already reached their "bad PR" quota this year by suing the people who distributed CPHack. But no; they're spying on the children who use their software too, and Simson Garfinkel raises some very important points. A hint for all the /. readers who are handy with a debugger: you want to get your 15 minutes of fame, just figure out what information the DSSagent program is sending and let us know.
Re:Laws? (Score:2)
It's illegal in California to obtain information from someone's machine without explicit consent. Note that:
(a) The law includes Trojan Horses, which would possibly include this "Brodcast" utility, given that it wasn't explicitly described in the product documentation.
(b) The wording is "information" not "private information"
ie, *anything* that is taken from your machine without you knowing about it...
In fact, this is a jailable offence, and is done on a per-infraction basis, so every installation would count...
Hopefully, sometime soon, a couple of CEO's will be put inside for this kind of thing pour encourager les autres...
Re:Can you imagine... (Score:2)
...called barbie@home and doing Mattel's accounting. With no security and multiple-checking, so I can make a rigged client and redirect their CEO's salary to ACLU and EFF.
Re:Why You Need to Read the Risks Forum (Score:2)
I think some have tried to argue that this wouldn't have happened with a UNIX-based OS, because the software developers who write apps for UNIX pay more attention to details like error trapping than those who write Windows apps do. It's really unfair to generalize like that (although the generalization does seem to be true a lot of the time).
--
Mattel felony, as I read it! (Score:2)
Put them in the slammer(was :But Mattel _asks_) (Score:2)
Re:its not all closed source (Score:2)
90% of linux users praise its greatness, then download a tarball, ./configure;make;make install without reading it. Good job.
Naturally, nobody ACTUALLY has the time to go over every last line of source for a distro + hand dis-assemble gcc to make sure it doesn't have the login trojan in it (I don't think gcc ever did, but some cc's did).
It's the other 10% that do look at some part of the source code that keeps everyone honest. Surely, out of a million users, if 100,000 look at the source code, spyware would be detected and reported fairly quickly. There could be no question of EXACTLY what information was gathered and who received it. There could be no denying that the code was there. There could be no excuses about downloading updates or other such nonsense.
Re:Mattel and the Learning Company are screwed up (Score:2)
For example, my company had this product, we tested it, beta tested it, we had a schedule, it was looking good to be completed by date X. We started the ad campaign, made announcements, gave eval copies to magazines to write reviews.
Then, the day we were to ship it, we all sat down and marveled at the quality and feature-set of our amazing creation, and signed the papers.
Then, our IT group, who was running a large-scale test, noticed a problem. There was no backing out of shipment at this point, the master was in the duplicator, tens of thousands of dollars of manufacturing costs, plus our reputation with the press (all important in this competitive industry) were all on the line. We rolled up our sleeves and went to work on the problem. We loaded up debuggers. Programmers, who had just spent the previous six weeks working seven twelve hour days a week, were in on the weekend again. The problem could not be reproduced on any other hardware but this IT server. The debugger showed the calls to the OS, and the return codes just not coming back. The OS was NT. It was starting to look like a hardware problem. whew. Sigh of relief.
The problem is - whether we like it or not, bad hardware exists out there. Whether we're talking about a failing 5-year old 3com ISA network card in some secretary's 486, or a brand new $50,000 RAID Array from Compaq. You'd think that universally, bad hardware should give software certain set responses, so the software knows enough to tell the user; "gee, I made a call down the stack to the network card, but the card didn't respond within the normally allotted timeout range, so it sure looks like your NIC is in need of replacement". But that's not always the case. Yes, properly designed software should have the heuristics to anticipate hardware failure, and behave accordingly, in a way that the user can tell what the fuck is going on, and do something constructive about it, rather than call our tech support and make us troubleshoot bad or misconfigured hardware. But in reality, that software sits on a piece of shit proprietary OS, and API framework, and is reliant on those for its ability to do stuff - intelligent or not. And don't give me that "open source is better" crap, because there is NO operating system that is even remotely OK at handling these kinds of scenarios.
We ended up shipping the software. Fortunately, this time, the specific hardware problem that caused the error was unique to our equipment. But I've been in this industry for 8 years, and I've seen scenarios caused by bugs in the underlying OS (*cough* NOVELL *cough*) that lost us ten million dollar contracts, I've seen problems caused by a frayed SCSI connector that required me to fly to Dallas four times, because I was dumb enough to believe the IT guy who said he checked back there and everything was okay, and I've seen problems that only happened with OUR software, with one specific brand of network card, and it was because we had tried to push another vendor's broken standard.
And, I've seen overzealous marketers push schedules so aggressively, that the finished product would be classified as pre-beta. (Marketers don't seem to understand that software is kind of like having a baby, you can't take nine mothers, and have a baby in one month).
And, I've seen more cases than I care to count, where a problem is found in testing, but could not be duplicated, so it's left alone (everything humanly possible was done to try to fix the problem, but if it couldn't be identified, or localized, then what could be done), and the problem ends up cropping up in the finished product, on perhaps one in a thousand customer systems.
In the end, yes, shit happens at software manufacturers. Schedules are tight, competition is very fierce. But we're all forced to write software that runs on a crap OS, running on crap hardware, and no matter how much human effort you put into it, you can't polish a turd.
Does this industry need some kind of watchdog, some kind of consumer group and independent testing body? Absolutely. No doubt about it - so much is riding on it.
But will it happen?
Not while these companies are making campaign contributions to the lawmakers.
Which again, I state is the fault of all you idiots who voted for G-Dubbya in the republican primary, instead of McCain.
If it ain't broke, fix it 'til it is!
Re:What disappoints me... (Score:2)
Btw: the rationale for why we are exempt is not actually because we are "professionals" (which, traditionally, has implied licensing).
The rationale is in the U.S. Code, Title 29 (Labor), Chapter 8 (Fair Labor Standards), Section 213 (Exemptions).
If you enjoy paranoia, you could say it looks like a collusion between Washington lawyers and Silicon Valley executives to keep IT salaries from approaching those of Washington lawyers or Silicon Valley executives! Of course, just because you are paranoid it doesn't mean they aren't out to get you! :-)
I don't know much about it but there is a "Programmer's Guild" that has started. Their URL is http://www.colosseumbuilders.com/american.htm [colosseumbuilders.com].
There is no reason why people in IT should not have the same pay and societal status as doctors and lawyers. To accomplish that objective, I would propose that in order to legally practice software development a person:
Yes, these are onerous artificial barriers to entry but so are the barriers that the AMA and ABA put up for their members. It is the barrier to entry that gives doctors and lawyers what they have.
To garner the support of people already in the field, there should be a grandfather clause. FOO years of documented experience will get you in. BAR years of documented experience and a degree in BAZ will also get you in.
There would be a genuine benefit to society by doing this as well. By requiring licensed professionals, the releasing of untested and buggy programs would be greatly reduced as the law would now be on our side instead of the side of the PHB.
The same way that the crash of an airplane or the collapse of a structure now causes a public outcry and an investigation into why it happened and how to prevent it from happening again, there would be an investigation of things like ILOVEYOU which would lead to systems that are actually engineered (and can legally make that claim) rather than glued together with spit and baling wire.
The precedents for this are well established. In almost any other field that affects public safety there are regulations. Sometimes there is no immediate personal benefit to the worker (e.g., a busboy who has to comply with the health inspector's directives) and sometimes there is a lot of benefit to the worker (e.g., the lawyer who has to be a member of the bar to practice).
It is up to us here today to decide whether the inevitable regulations will be imposed by us or on us and whether or not we will benefit from those regulations by becoming autonomous professionals or regulated peons.
-- OpenSourcerers [opensourcerers.com]
Re:But Mattel _asks_ if you want it! (Score:2)
The differences between this and Mattel should be obvious:
- You have to explicitly install popularity-contest, so you are guaranteed to know what you're doing; none of the default install profiles include it. Mattel had to be threatened with legal action before they gave the option to not install it.
- Popularity-contest's purpose is clearly stated and fully documented; Mattel was scared to even let you know it existed.
They can pay for the phone calls... (Score:2)
and from the article:
The agent normally detects when a user is online only to do its transactions; it is not designed to try to connect independently.
What both of these comments show is a lot of ignorance. The only surefire way to check if the user is online is to try connecting to somewhere. Now in my home setup, I have dial on demand, so that if a network packet is detected, it'll dial up my ISP automatically, and I have the illusion of permanent access. The same is true of most of my friends, whether they're using Linux or Windows. So each time DSSAgent checks to see if I'm online, it actually forces me online whether I was already connected or not. Being in Europe, I have to pay for that -- local calls aren't free here. If Mattel had installed this product on my machine without my knowledge or consent, they'd be getting a bill for my phone calls, and a lawsuit if they didn't pay up...
Re:I wrote that code - I'll tell you what it does (Score:2)
Yep, but then I'm in the UK, so that extra phone call once a day costs me money. Phone calls (local or otherwise) are not free here.
Re:They can pay for the phone calls... (Score:2)
No, there's not. Or if there is, it can't work reliably. All the windows box sees is a network connection, and a gateway address. Unless it has some clever way of interrogating my gateway machine and finding out if it's connected (hint: it doesn't), there's no way for windows to know if it's online or not. It may be able to tell if it's Windows that's doing the dialling, but in my case, it's not.
Re:Wow... a $3 lawsuit. (Score:2)
For some reason, you're assuming that it's only going to try and make one phone call. I would guess that it checks for new information on a regular basis (every time you fire up the app? every hour? who knows...)
Coming up next: (Score:2)
And the puns (Score:2)
__
Hands up who actually inspects it all (Score:2)
However, to trust these just because they are Open Source is stupid. I'm not about to *personally* inspect all of the code.... does anyone *seriously* read every line of the Linux kernel to make sure it isn't doing something evil? Well, sure, Alan Cox probably does, but hey.
So it all boils down to trust in the end. Do you trust whoever it is that says Linux is secure?
Be it a large corporation, or lots of kernel hackers... you have to trust *somebody*. Either that, or spend more time inspecting code than actually using it.
I've got a bridge to sell you (Score:2)
If all it sent was a registration number, why would it need PGP, and why would it be able to send mail?
Re:the stupidest and most evil thing (Score:2)
I don't think that's necessarily true -- after all, wouldn't that Scandinavian vowel make it pronounced broodcast?! (dramatic music...)
Re:Netscape quality feeback agent (Score:3)
A trojan is an advertisement server that steals my bandwidth (and possibly my private information) disguised as a children's game. The difference between Netscape's bug tracking software and this agent are quite obvious. Netscape's bug tracking software asks my permission. Mattel doesn't bother with something as old fashioned as permission.
PGP key in DSSAGENT (Score:3)
Using "strings" on DSSAGENT.EXE shows that it has a PGP key. Running "pgp" on the key gives:
DSS 4096/1024 0xF8EABB3F 1997/12/05 NRobins
sig? 0xF8EABB3F (Unknown signator, can't be checked)
There is also a temp file in /WINDOWS/BBSTORE/DSS that is XML. I am not sure how to include that file here without it getting mangled, but it looks like a file that gets sent to www.brodcast.net. It has in it "DSS V1.0", interval of 86400 seconds (1 day) and a SIG line that looks fairly encrypted. ("iQA/AwUBOJn/KCElolv46rs/EQKCWACfYmhHchvKNf/izSGI mO3yEECbJBcAoMV7hR2SELS5eF2IKuRJPNCTVUE4 ")
Another note. I just installed ipchains masquerading on my linux box. Behind this "firewall" are a couple of Windows machines for the kids. I have run "ipchains -M -L" periodically and always noticed an open connection from one of these machines to www.brodcast.net. I just thought it was one of the zillion things the kids have downloaded. Now I know to block that site with ipchains.
Re:Spyware Removal (Score:3)
---
icq:2057699
seumas.com
Re:The Really Ironic thing is (Score:3)
I'm pretty sure they didn't stick any cookies in my pants when I walked in the door. ;)
---
icq:2057699
seumas.com
Get a grip (Score:3)
Like the guy said.. once a day this app runs, and simply says to the server 'got any new images?' and that's *ALL*.
Could the same framework be used for spyware? Sure. So could *any* software for that matter.
Oh my god! when you run ICQ, it fetches a MOTD from icq's server! INVASION OF PRIVACY!
Oh no.. when I run Unreal Tournament, it fetches a web page from the UT site and tells me if I have upgrades! EVERY TIME I RUN IT! what a violation of privacy!
Oh no... you mean, with mattel software, once in a while it fetches new banners? umm..
Re:Mattel and the Learning Company are screwed up (Score:3)
And this somehow distinguishes them from the rest of the software industry? Not a chance. Check out Mark Minasi's http://www.softwareconspiracy.com/ [softwareconspiracy.com] book for more info, but the dirty "secret" of the software industry is that darn near all software development is done like that today. It shouldn't be, but it is. I've seen enough to know - the hardware mfrs are even worse...
Re:Why You Need to Read the Risks Forum (Score:3)
No, you're not. A reporter where I work broke a story based on such information that she found in a company press release. The company believed that their merger plans were a secret because they had deleted them from the release, but this reporter happened to stumble into this "preview changes" mode and saw the plans there. The company was pissed.
Re:I don't get it. (Score:3)
Try this story on Yahoo. [yahoo.com] It's fairly brief, but you get the message.
Re:Some Advice Needed!!! -- Useful software (Score:3)
Mattel was already on my shit list (Score:3)
Again, run ZoneAlarm (Score:3)
---
Not spyware then. (Score:3)
Something like this is in CyberPatrol too, to check for updates of the CyberNot list.
There has been talk of beta programs monitoring keystrokes to see what users do, so the product could be improved. This can easily be perverted. At one company, people asked if CyberPatrol was being used to track attempts at accessing "forbidden" sites to keep track of employees.
When at MSI, while a similar product to CyberPatrol was being developed, I would get calls from the CEO and asked what certain programs were. These programs are ones on my machine that I was running. They were working on controlling usage of programs. I would get calls and asked what's b.exe or l.exe.
You say that was the intent when you wrote it. But what about after you leave? I have little trust in their ethics.
MSI admitted, under oath, they monitored my internet access from home when I asked for what would be a reasonable accommodation under the ADA. When asked why, still under oath, they said it was to check up on me because I asked for a reasonable accommodation.
heh, (Score:3)
Re:Mattel and the Learning Company are screwed up (Score:3)
Re:I wrote that code - I'll tell you what it does (Score:3)
You mean like a newspaper or cable TV?
Seriously, how exactly is showing a 320x200 JPEG (for 15 seconds) that advertises a product you just might want to buy an invasion of your privacy? Admittedly, it's a little tacky, but so are many things in life. You don't have to look at it - you can check the "don't show this again" box that shows on each splash screen, you can choose not to install it in the first place, or you can make it go away by clicking on it (at least you used to, unless someone has changed it since I left).
And to head off another concern - it doesn't make the app take any longer to load, it just replaces the default splash screen that shows while the memory hog of an app starts up.
And where was the programmer with the developed sense of ethics to bring this to the attention of his employer?
Right here, actually. I brought up the ethical issues numerous times, to the point of being a pain in the ass about it. The upshot? It was going to happen anyway, and what it does is really not that bad. If not for people like me complaining, you wouldn't even be able to turn it off.
Re:I wrote that code - I'll tell you what it does (Score:3)
Well, thank you for that thoughtful and polite comment. As was (I thought) pointed out previously, we went to great lengths to only try to talk to the server if there is a currently active connection, by enumerating the active RAS (dialup networking, essentially) connections in the system. If there is no RAS connection, we don't dial.
If RAS is not installed, and there is a network card, yeah, we assume there is a connection. So yeah, your modem will dial once a day. You have the inactivity timeout set to hang up after 5 minutes or so, right? Kinda annoying, but that was the design decision. Wasn't my idea. It hardly puts me in the "stupidest man alive" category, I must say.
But remember, this is consumer software. 99% of our customers did what we expected - installed it on their home machine, connecting to the net with a modem, or installed it at work with a network. Sorry about your home network situation, but you can't write software that takes every possible variable or future change in underlying system design (remember, this was written 3 years ago. Windows has changed quite a bit since then. New bugs^H^H^Hfeatures come along all the time.) into account.
Re:Database Nation (Score:4)
Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.
I'm not quite sure about the whole "not being able to afford a babysitter" part. I work two jobs (okay one and a half, it's still 12-14 hours a day) and my wife just started afternoons at a factory. The kids (4 and 7mos) are at a babysitter from 2:30pm to 6:30pm. That costs us a whole $20 a day (approx $400/mo) to have them looked after by someone who doesn't just plop them down in front of the TV.
With Vanessa (that's my wife) working, she makes about $9.50 an hour breathing fuzz and tying knots (she works at a yarn manufacturer). That means she'll bring home approximately $1600 before taxes every month. Since she's in such a low tax bracket let's say they knock off 15%. That's $1400 a month she brings home, or after daycare (which we wouldn't need if she weren't working) $1000 we didn't have before.
Factory work is damn near everywhere. Yes it's hot, it's awful, it's mind-blisteringly boring... but it's work. And 9 times out of 10 it's above $6/hr ($4 being minimum wage here). I would wager a guess that those moaning that there is no work (especially in America, jeez, every time I'm down there there's signs for help wanted EVERYWHERE) have their standards set too high. Hell even at the shitty factory my wife works at she can be in the highest pay tier in 12 months if she does good.
TV-babysat kids don't save you any money. They cost you a lot in the long run. My kids watch TV at least once every two days (sometimes more than I'd like) but they aren't raised by it. Once my son figured out that TV shows and movies had to end sometime ("Why's it over?!") he had no problem turning off the tube and playing with cars, tormenting his sister, getting dirty outside or getting into my stuff. And the little one is happier trying to figure out how to get Cheerios into her mouth or watching her big brother than she is in any TV show. Maybe we're just lucky or maybe it has something to do with the fact that we don't use the TV as a babysitter.
Which consumers asked for this feature? (Score:4)
If there is one thing that I think single-handedly guarantees the continued existence of the Open Source movement it is stuff like this. Software companies have gotten so arrogant that it is absolutely crazy. Honestly, you can't even buy a simple children's game nowadays without worrying about a company foisting Trojan horse software on you. Did Mattel honestly think that they wouldn't get caught? Did they think that no one would care? If the commercial software houses keep this stuff up then pretty soon even the most neophyte computer users will be demanding that the source code to their software be "open."
Even more ironic is the fact that Mattel was probably using this software to gather marketing information. Imagine their surprise when they come to the conclusion that 99 out of 100 Americans don't feel like purchasing software from companies that might potentially be spying on their children!
Database Nation (Score:4)
I was just at ComputerLiteracy/Fatbrain today and after picking up a bunch of O'Reilly books and a couple Neal Stephenson books, found myself thumbing through Database Nation (Simson Garfinkel/O'Reilly). It looks like an interesting read. I think there was a slashdot review on it, but I missed most of it. Anyway, after reading the absurd account on Salon, I'm going to move Database Nation to the top of my reading list and get started immediately.
You know, it seems that this kind of behavior on Mattel's part would fly directly in the face of the recently passed law requiring that websites who know their users are under 13 years old and collect personal data on them, must require parental authorization. Sure, this isn't a website, but it's virtually the same thing -- and probably just as bad.
It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.
---
icq:2057699
seumas.com
Re:What disappoints me... (Score:4)
What do your examples have to do with anything? (Score:4)
First off, if your "average e-shopper" is so worried about electronic privacy, then what are they doing e-shopping? Do you have any statistics to back up your statement that they are "so" worried about it? Secondly, if you've paid attention to e-commerce snafus, you'll realize that they've come from poor administration, most often from not configuring database connections properly and not applying patches, not from the presence or absence of source code. Hell, even the Apache Group itself got its website hacked -- source code didn't protect them, because they didn't follow the proper procedures for the open source software that they had installed on their server.
Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not. If not, it seems like a pretty accurate warning, giving you the option to install plugins that you might want, like from Macromedia, but telling you that installing one from somebody you know nothing about might not be such a hot idea. Personally, I find web browsing using only open source tools to be a pretty boring experience, even much more so before Mozilla started up.
Sorry again, but the ILOVEYOU trojan was open source. I believe that someone even posted it here at Slashdot. If you get tricked into running something bad, the presence or absence of source isn't going to help you. See wu-ftpd.
Cheers,
ZicoKnows@hotmail.com
spying on children too... risky indeed (Score:4)
They'd be on the bad (defendant) side of the legal system for a change.
Spyware Removal (Score:4)
Re:Spyware Removal (Score:4)
Currently the freeware version of Optout only can detect and remove Aureate/Radiate/Binary Bliss (advert.dll) spyware. However, this type of spyware is embedded in hundreds of freeware products.
If you're looking for a utility to detect all Spyware, you will have to do it yourself using a program such as tcpdump [tcpdump.org] or windump [polito.it].
Re:Why does Quicken run all the time? (Score:5)
Just wait a couple weeks and then go check-out RealNetworks' RC5 crunching stats on distributed.net -- then you'll know where your cycles are going! ;)
---
icq:2057699
seumas.com
What disappoints me... (Score:5)
The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.
The ACM [acm.org] and the IEEE [ieee.org] consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice [computer.org] in a number of places, to wit:
3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.
3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.
Furthermore, management (i.e. Mattel) is admonished to:
5.11. Not ask a software engineer to do anything inconsistent with this Code.
5.12. Not punish anyone for expressing ethical concerns about a project.
So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.
Re:But Mattel _asks_ if you want it! (Score:5)
--GnrcMan--
Arms traffickers! (Score:5)
I dunno, I think seeing the brass at Mattel thrown behind bars for arms trafficking would be a good thing. Take your pick.
- If they go to jail, it's poetic justice for suing people for CPHack
- If they walk, it'll be because they spent enough money on legislators to buy us sane crypto regs.
Talk about a win/win situation!
explanation from the learning company (Score:5)
Why You Need to Read the Risks Forum (Score:5)
If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ [ncl.ac.uk] or on the Usenet news as comp.risks [comp.risks]
The Risks forum is part of the ACM [acm.org] Committee on Computers and Public Policy.
You should make a special effort to read Risks if you:
- Program computers
- Make policy decisions involving computers (managers, government etc.)
- Depend on computers for your life or safety (do you fly on airplanes?)
- Operate computers in situations where they affect life or safety
You will see computers in a different light after reading Risks for a while, and maybe it will affect the decisions you make regarding them and the way you write and test your code. Consider this article I posted: USS Yorktown dead in water after divide by zero [ncl.ac.uk]
The Navy got rid of its more robust warship operating systems and replaced them with Windows NT [geometricvisions.com]. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.
Security concerns, viruses and the like are discussed extensively in Risks.
Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:
Do you have any loved ones in the hospital with a life-threatening medical condition? Peter G. Neumann [sri.com], moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth. It has ISBN 020155805X and you can purchase it online from:
- http://www.fatbrain.com [fatbrain.com]
- http://www.barnesandnoble.com [barnesandnoble.com]
- http://www.amazon.com [amazon.com]
- http://www.chapters.ca [chapters.ca] - in Canada
If you teach a course in programming in any school (even high school), I suggest you put the book on the recommended reading list. If you teach a course on embedded or fault-tolerant computing, I urge you to include it in the required reading.
Mike
Why open source is nice, part LXXVIII (Score:5)
Hopefully people will eventually learn that you shouldn't trust any software that you can't inspect, or that somebody else can't inspect for you. Would you buy a car if you weren't allowed to look under the hood, take it for a test drive, or even open the door before you signed the purchase agreement?
Isn't it an odd world we live in?
Nicholas
I wrote that code - I'll tell you what it does (Score:5)
It is NOT spyware.
It does NOT look for or send any personal, private, or public information about you or your system.
It does NOT use encryption - it uses PGP digital signatures.
It was NOT designed for kids' products - it was designed for all products.
I worked for Broderbund from 1995 until about a year ago. Maybe 3 years ago, my then-manager came to me with an idea he had dreamed up for giving applications new and different splash screens every time they started up. This would give us the ability to pitch related products (if you had Print Shop, we could try to sell you Presswriter, or special clip art at Christmas) and tell you about upgrades. There was also talk about, eventually, having some form of 2-way communication with users. Thus was born Dynamic Splash Screens, or DSS.
I had a number of big problems with the idea, mainly with the idea of advertising and with the obvious invasion-of-privacy issues. I pointed out (rather stridently) that we could have serious legal and P.R. problems with this, not to mention the heinous ethical problems, and that we were in danger of ruining our (at the time very good) reputation. Wisely, all ideas for this were dropped except for the splash screens. Pretty benign.
Here's the communication protocol:
Periodically (by default, once a day), the background app wakes up, pulls a list of IDs of installed DSS-enabled apps out of the registry, and sends them to the Brodcast site via HTTP POST. It receives an XML page, PGP-signed, that either says "Nothing new, go back to sleep" (99% of the time) or describes a new splash screen (name, dates to display, time to show, location of JPEG file). It then retrieves the pieces (generally 2k chunks) of the JPEG, verifies their PGP signature, and reassembles them.
When a DSS-enabled app starts, it looks in the registry to see if it has a new splash screen to show. If so, it displays the JPEG (along with a "never show this again" checkbox) for 10 seconds or so, instead of the app's normal splash screen.
The PGP signing is to make sure nobody can hijack the URL and send bogus images. There is no encryption. Try this: take the XML page, remove the signature (between SIG and /SIG), run the rest of the page through PGP with the key that a previous poster pulled out of dssagent.exe, and they *should* match. Nothing really secret here.
That said, I was never really comfortable with the whole idea. In fact, part of the reason I left the company was a plan (later dropped) to add "targeted advertising". While some of the comments posted here are way over the top (it's just plain paranoid to suggest rogue employees sending kiddie porn or stealing financial info), I agree that it was begging for trouble to do something like this. However, there was always (while I was there) a (relatively) clearly-stated installer screen that asked if you wanted this. Always. Regardless of what Simson Garfinkel remembers.
As to why the DSS agent was installed if the user said no, you can blame Install Shield and its charming installation scripts.
Anyway, there it is. Annoying, misguided maybe, but not so sinister. Oh, and the Mattel-Broderbund connection? A bottom-feeding sleazeball company called Softkey bought The Learning Company, took them over like a hermit crab, then bought Broderbund (and ran them deeply into the ground), and was, in turn, bought by Mattel (and proceeded to lose $200 million for them in one quarter, putting Mattel CEO Jill Barad's career in the ground).
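The signed-page and signed-chunk protocol the poster lays out above, as an added example that is not Broderbund's code: it uses Ed25519 from Go's standard library as a stand-in for the PGP/DSS key, and the element layout inside the XML page and the field names are assumptions, since only the SIG tag, the "DSS V1.0" string and the 86400-second interval appear in the thread. It shows the client-side check (strip SIG, verify the rest against the key shipped with the agent) and the per-chunk verification that rejects a spliced image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// sigElement matches the <SIG>...</SIG> element the poster says wraps the
// signature; the tag name is from the thread, the exact layout is an assumption.
var sigElement = regexp.MustCompile(`(?s)<SIG>(.*?)</SIG>`)

// splitSignedPage removes the SIG element and returns what is left (the signed
// body) together with the decoded signature.
func splitSignedPage(page []byte) (body, sig []byte, err error) {
	loc := sigElement.FindSubmatchIndex(page)
	if loc == nil {
		return nil, nil, errors.New("page carries no SIG element")
	}
	sig, err = base64.StdEncoding.DecodeString(string(page[loc[2]:loc[3]]))
	if err != nil {
		return nil, nil, fmt.Errorf("SIG is not valid base64: %w", err)
	}
	body = append(append([]byte{}, page[:loc[0]]...), page[loc[1]:]...)
	return body, sig, nil
}

// verifyPage is the client-side check: strip SIG, verify the rest against the
// key shipped inside the agent, and only then hand the body on for parsing.
func verifyPage(pub ed25519.PublicKey, page []byte) ([]byte, error) {
	body, sig, err := splitSignedPage(page)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("signature does not match page body")
	}
	return body, nil
}

// signPage is the server side, written here only to make the example run:
// sign the body and append the signature as a SIG element.
func signPage(priv ed25519.PrivateKey, body []byte) []byte {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
	page := append([]byte{}, body...)
	return append(page, "<SIG>"+sig+"</SIG>"...)
}

// chunk is one piece of the JPEG; the poster says each ~2k piece is signed.
type chunk struct {
	Data []byte
	Sig  []byte
}

// splitAndSign cuts data into pieces of at most size bytes and signs each one.
func splitAndSign(priv ed25519.PrivateKey, data []byte, size int) []chunk {
	var out []chunk
	for off := 0; off < len(data); off += size {
		end := off + size
		if end > len(data) {
			end = len(data)
		}
		out = append(out, chunk{Data: data[off:end], Sig: ed25519.Sign(priv, data[off:end])})
	}
	return out
}

// reassemble verifies every chunk before concatenating; a single bad chunk
// rejects the whole image rather than letting a spliced JPEG through.
func reassemble(pub ed25519.PublicKey, chunks []chunk) ([]byte, error) {
	var img bytes.Buffer
	for i, c := range chunks {
		if !ed25519.Verify(pub, c.Data, c.Sig) {
			return nil, fmt.Errorf("chunk %d failed signature check", i)
		}
		img.Write(c.Data)
	}
	return img.Bytes(), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed stand-in for the "nothing new" reply; only the version string and
	// the 86400-second interval are taken from the thread.
	body := []byte(`<DSS version="1.0"><INTERVAL>86400</INTERVAL><SPLASH>none</SPLASH></DSS>` + "\n")
	page := signPage(priv, body)
	_, err := verifyPage(pub, page)
	fmt.Println("genuine page accepted:", err == nil)
	tampered := bytes.Replace(page, []byte("none"), []byte("evil.jpg"), 1)
	_, err = verifyPage(pub, tampered)
	fmt.Println("tampered page rejected:", err != nil)
}
```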