Mattel Spyware 298
Yet another company has been caught surreptitiously uploading information from their customers. This time, it was Mattel, who I would have thought would have already reached their "bad PR" quota this year by suing the people who distributed CPHack. But no; they're spying on the children who use their software too, and Simson Garfinkel raises some very important points. A hint for all the /. readers who are handy with a debugger: you want to get your 15 minutes of fame, just figure out what information the DSSagent program is sending and let us know.
Re:Laws? (Score:2)
It's illegal in California to obtain information from someone's machine without explicit consent. Note that:
(a) The law includes Trojan Horses, which would possibly include this "Brodcast" utility, given that it wasn't explicitly described in the product documentation.
(b) The wording is "information" not "private information"
ie, *anything* that is taken from your machine without you knowing about it...
In fact, this is a jailable offence, and is done on a per-infraction basis, so every installation would count...
Hopefully, sometime soon, a couple of CEO's will be put inside for this kind of thing pour encourager les autres...
Re:Can you imagine... (Score:2)
...called barbie@home and doing Mattel's accounting. With no security and multiple-checking, so I can make a rigged client and redirect their CEO's salary to ACLU and EFF.
Re:Why You Need to Read the Risks Forum (Score:2)
I think some have tried to argue that this wouldn't have happened with a UNIX-based OS, because the software developers who write apps for UNIX pay more attention to details like error trapping than those who write Windows apps do. It's really unfair to generalize like that (although the generalization does seem to be true a lot of the time).
--
Mattel felony, as I read it! (Score:2)
Put them in the slammer(was :But Mattel _asks_) (Score:2)
Re:its not all closed source (Score:2)
90% of linux users praise its greatness, then download a tarball, ./configure;make;make install without reading it. Good job.
Naturally, nobody ACTUALLY has the time to go over every last line of source for a distro + hand dis-assemble gcc to make sure it doesn't have the login trojan in it (I don't think gcc ever did, but some cc's did).
It's the other 10% that do look at some part of the source code that keeps everyone honest. Surely, out of a million users, if 100,000 look at the source code, spyware would be detected and reported fairly quickly. There could be no question of EXACTLY what information was gathered and who recieved it. There could be no denying that the code was there. There could be no excuses about downloading updates or other such nonsense.
Re:Mattel and the Learning Company are screwed up (Score:2)
For example, my company had this product, we tested it, beta tested it, we had a schedule, it was looking good to be completed by date X. We started the ad campaign, made announcments, gave eval copies to magazines to write reviews.
Then, the day we were to ship it, we all sat down and marveled at the quality and feature-set of our amazing creation, and signed the papers.
Then, our IT group, who was running a large-scale test, noticed a problem. There was no backing out of shipment at this point, the master was in the duplicator, tens of thousands of dollars of manufacturing costs, plus our reputation with the press (all important in this competitive industry) were all on the line. We rolled up our sleeves and went to work on the problem. We loaded up debuggers. Programmers, who had just spent the previous six weeks working seven twelve hour days a week, were in on the weekend again. The problem could not be reproduced on any other hardware but this IT server. The debugger showed the calls to the OS, and the return codes just not coming back. The OS was NT. It was starting to look like a hardware problem. whew. Sigh of relief.
The problem is - whether we like it or not, bad hardware exists out there. Whether we're talking about a failing 5-year old 3com ISA network card in some secratarie's 486, or a brand new $50,000 RAID Array from Compaq. You'd think that universally, bad hardware should give software certain set responses, so the software knows enough to tell the user; "gee, I made a call down the stack to the network card, but the card didn't respond within the normally alloted timeout range, so it sure looks like your NIC is in need of replacement". But that's not always the case. Yes, properly designed software should have the heuristics to anticipate hardware failure, and behave accordingly, in a way that the user can tell what the fuck is going on, and do something constructive about it, rather than call our tech support and make us troubleshoot bad or misconfigured hardware. But in reality, that software sits on a peice of shit proprietary OS, and API framework, and is reliant on those for it's ability to do stuff - intelligent or not. And don't give me that "open source is better" crap, because there is NO operating system that is even remotely OK at handling these kinds of scenarios.
We ended up shipping the software. Fortunately, this time, the specific hardware problem that caused the error was unique to our equipment. But I've been in this industry for 8 years, and I've seen scenarios caused by bugs in the underlying OS (*cough* NOVELL *cough*) that lost us ten million dollar contracts, I've seen problems caused by a frayed SCSI connector that required me to fly to Dallas four times, because I was dumb enough to believe the IT guy who said he checked back there and everything was okay, and I've seen problems that only happened with OUR software, with one specific brand of network card, and it was because we had tried to push another vendor's broken standard.
And, I've seen over zealous marketers push schedules so agressively, that the finished product would be classsified as pre-beta. (Marketers don't seem to understand that software is kind of like having a baby, you can't take nine mothers, and have a baby in one month).
And, I've seen more cases than I care to count, where a problem is found in testing, but could not be duplicated, so it's left alone (everything humanly possible was done to try to fix the problem, but if it couldn't be identified, or localized, then what could be done), and the problem ends up cropping up in the finished product, on perhaps one in a thousand customer systems.
In the end, yes, shit happens at software manufacturers. Schedules are tight, competition is very fierce. But we're all forced to write software that runs on a crap OS, running on crap hardware, and no matter how much human effort you put into it, you can't polish a turd.
Does this industry need some kind of watchdog, some kind of consumer group and independent testing body? Absolutely. No doubt about it - so much is riding on it.
But will it happen?
Not while these companies are making campaign contributions to the lawmakers.
Which again, I state is the fault of all you idiots who voted for G-Dubbya in the republican primary, instead of McCain.
If it ain't broke, fix it 'til it is!
Re:What disappoints me... (Score:2)
Btw: the rationale for why we are exempt is not actually because we are "professionals" (which, traditionally, has implied licensing).
The rationale is in the U.S. Code, Title 29 (Labor), Chapter 8 (Fair Labor Standards), Section 213 (Exemptions).
If you enjoy paranoia, you could say it looks like a collusion between Washington lawyers and Silicon Valley executives to keep IT salaries from approaching those of Washington lawyers or Silicon Valley executives! Of course, just because you are paranoid it doesn't mean they aren't out to get you! :-)
I don't know much about it but there is a "Programmer's Guild" that has started. Their URL is http://www.colosseumbuilders.com/american.htm [colosseumbuilders.com].
There is no reason why people in IT should not have the same pay and societal status as doctors and lawyers. To accomplish that objective, I would propose that in order to legally practice software development a person:
Yes, these are onerous artificial barriers to entry but so are the barriers that the AMA and ABA put up for their members. It is the barrier to entry that gives doctors and lawyers what they have.
To garner the support of people already in the field, there should be a grandfather clause. FOO years of documented experience will get you in. BAR years of documented experience and a degree in BAZ will also get you in.
There would be a genuine benefit to society by doing this as well. By requiring licensed professionals, the releasing of untested and buggy programs would be greatly reduced as the law would now be on our side instead of the side of the PHB.
The same way that the crash of an airplane or the collapse of a structure now causes a public outcry and an investigation into why it happened and how to prevent it from happening again, there would be an investigation of things like ILOVEYOU which would lead to systems that are actually engineered (and can legally make that claim) rather than glued together with spit and bailing wire.
The precedents for this are well established. In almost any other field that affects public safety there are regulations. Sometimes there is no immediate personal benefit to the worker (e.g., a busboy who has to comply with the health inspector's directives) and sometimes there is a lot of benefit to the worker (e.g., the lawyer who has to be a member of the bar to practice).
It is up to us here today to decide whether the inevitable regulations will be imposed by us or on us and whether or not we will benefit from those regulations by becoming autonomous professionals or regulated peons.
-- OpenSourcerers [opensourcerers.com]
Re:But Mattel _asks_ if you want it! (Score:2)
The differences between this and Mattel should be obvious:
- You have to explicitly install popularity-contest, so you are guaranteed to know what you're doing; none of the default install profiles include it. Mattel had to be threatened with legal action before they gave the option to not install it.
- Popularity-contest's purpose is clearly stated and fully documented; Mattel was scared to even let you know it existed.
They can pay for the phone calls... (Score:2)
and from the article:
The agent normally detects when a user is online only to do its transactions; it is not designed to try to connect independently.
What both of these comments show is a lot of ignorance. The only surefire way to check if the user is online is to try connecting to somewhere. Now in my home setup, I have dial on demand, so that if an network packet is detected, it'll dial up my ISP automatically, and I have the illusion of permanent access. The same is true of most of my friends, whether they're using Linux or Windows. So each time DSSAgent checks to see if I'm online, it actually forces me online whether I was already connected or not. Being in Europe, I have to pay for that -- local calls aren't free here. If Mattel had installed this product on my machine without my knowledge or consent, they'd be getting a bill for my phone calls, and a law suit if they didn't pay up...
Re:I wrote that code - I'll tell you what it does (Score:2)
Yep, but then I'm in the UK, so that extra phone call once a day costs me money. Phone calls (local or otherwise) are not free here.
Re:They can pay for the phone calls... (Score:2)
No, there's not. Or if there is, it can't work reliably. All the windows box sees is a network connection, and a gateway address. Unless it has some clever way of interrogating my gateway machine and finding out if it's connected (hint: it doesn't), there's no way for windows to know if it's online on not. It may be able to tell if it's Windows that's doing the dialling, but in my case, it's not.
Re:Wow... a $3 lawsuit. (Score:2)
For some reason, you're assuming that it's only going to try and make one phone call. I would guess that it checks for new information on a regular basis (every time you fire up the app? every hour? who knows...)
Coming up next: (Score:2)
And the puns (Score:2)
__
Hands up who actually inspects it all (Score:2)
However, to trust these just because they are Open Source is stupid. I'm not about to *personally* inspect all of the code.... does anyone *seriously* read every line of the Linux kernel to make sure it isn't doing something evil? Well, sure, Alan Cox probably does, but hey.
So it all boils down to trust in the end. Do you trust whoever it is that says Linux is secure?
Be it a large corporation, or lots of kernel hackers... you have to try *somebody*. Either that, or spend more time inspecting code than actually using it.
I've got a bridge to sell you (Score:2)
If all it sent was a registration number, why would it need PGP, and why would it be able to send mail?
Re:the stupidest and most evil thing (Score:2)
I don't think that's necessarily true -- after all, wouldn't that Scandinavian vowel make it pronounced broodcast?! (dramatic music...)
Re:I wrote that code - I'll tell you what it does (Score:2)
Yeah, but what if the PC is on a LAN (so that it appears to always have a network link), but the PCs share a single on-demand dialup through a separate box? Before I got a cable modem, that's how our household worked. All of the PCs routed through a single box that used IP-masquerading to route our network's outbound traffic over the single modem. (With 3 or 4 PCs, it's good to not need 3 or 4 phone lines and 3 or 4 modems in order for everyone to have Internet access.) Now, your RAS autodetection fails miserably since it always looks "on".
I believe that's what the original poster was complaining about. I think the main issue is that trying to hide oneself from the user and do things behind their backs is bound to fail eventually and piss someone off. Better to be up front about it, IMHO. After all, the road to hell is paved with good intentions.
Anyway, thanks for the clear description of what DSSAgent does. :-)
--Joe--
Illegal Wiretap? (Score:2)
Couldn't software that surrepticiously collects information on your computer and sends it to a vendor be considered a form of illegal wiretap? Actions like this on the part of any software vendor are outragious. I've already questioned using any software made by Mattel (especially since they raised such a stink because someone actually thought you, as a user of their filtering software, should know what web sites that you're being denied access to); this just reinforces my decision to suspect their motives. Hypocrits!
I'm sure glad I don't access the internet using WinXX from my home systems.
--
Re:I wrote that code - I'll tell you what it does (Score:2)
You don't pay for a newspaper (or magazine) or cable TV. You pay for newspaper and cable TV delivery.
The paper itself, as well as the cable networks, are entirely advertiser-supported. If you actually had to pay the cost of a newspaper, it would be about $5.00 per issue, and magazines would be $10-15 or more.
As far as I know, the users accepting ads didn't get 95% off the retail price...
My daughter's software is a munition? (Score:2)
Re:its not all closed source (Score:2)
I don't think your comparison is apt. I suspect that bugs are generally harder to find than the whole encrypted communication infrastructure Garfinkel describes would be.
> Unless you read and understand the source its no help.
True. I suspect the world would be a better place if more of us read more of the code we ran.
On the other hand, the developers of an OSS project read the code all the time. I suppose you might be able to swear a small clique to secrecy if you wanted to embed some spyware in an OSS project, but it wouldn't be very effective when you've got a public CVS server. How would the core developers keep embedded spyware secret with even just a few people around who go in a couple of times a year and fetch the CVS code to tweak some minor something they don't like? It only takes one person to spot it, and then the game is up. And the core developers would never be trusted for anything again.
> This is another example of bad slashdot reporting. Right now all you know is that it "may" send back information, but you have no idea what.
Actually,
BTW:For my money, even if the Mattel excu^H^Hplanation is factual and complete, it is still inexcusable. Beyond that the "trustworthiness" issue comes in to play. If they were doing that much without my informed consent, should I trust them at all?
--
Re:read www.softwareconspiracy.com (Score:2)
Since you mention it... The FO menus provided some of the best circumstantial evidence I have seen for hidden APIs in Windows: when those NT5 betas first started coming out, I read someone's writeup that casually mentioned that the FO effect was really cool, and showed up in every application he ran except MS Office. Looks to me like MSO was using a different API from the ones all the other application programers knew about.
--
Re:I wrote that code - I'll tell you what it does (Score:2)
What should you do? you should configure your dial on demand server to not trigger ont his kind of traffic...
just like you do with icmp ping, dns, etc.. (or whatever you happened to do).
BitchX (Score:2)
Like BitchX, which sends a UDP packet to the makers to count users? (Yes, I know, it can be disabled, if you compile from source).
Re:Makes me wonder... (Score:2)
Re:Spyware Removal (Score:2)
Paul.
Aren't trojan hourses illegal? (Score:2)
Any lawyers want to put a class action suit together?
Paul.
Re:I wrote that code - I'll tell you what it does (Score:2)
Read what the programmer wrote again. "[H]is kind of traffic" is HTTP. Most people will want dial-on-demand links brought up for HTTP.
Of course, if you're properly paranoid, you're running Junkbuster (and possibly Squid) on a single server, and have all legitimate HTTP clients configured to proxy through them. Then you configure your dial-on-demand server to only bring up the link for HTTP requests from the Junkbuster server, and applications with covert communication channels are foiled. The worst that happens now is that the covert applications use your browser proxy settings, but you're reviewing your Junkbuster logs, right?
Re:What disappoints me... (Score:2)
First PE is the law pretty much everywhere in the US and Canada. The professional society lobbiests made sure of it. There is a growing industry around the license process and passing these marginal exams. The exams are fundamentally flawed as the 'pass' rate swings wildly from 30% to 70% with no appreciable change in the pool of people taking the exams.
I am a Civil Engineer. The PE means approximately nothing to the ethical behavior of the engineering world. Trust me, been there, done that. In fact, I can make a coherent arguement that it has in fact made things worse. There are bunches of laws & regulations about this and that, but in reality unless a project kills or significantly hurts people, the laws are totally ignored. This non-enforcement is a very dangerous thing, as it lends the illusion that the public's ethics are being watched out for.
The PE is really a barrier to entry to keep the underskilled and poor test takers out. It serves as a means of reducing the population of engineers that can practice and thus keeping wages higher than otherwise. There is a movement afoot to make things 'harder' so that the net wages will continue to rise "up to those of programmers".
To get a PE you do swear to a code of ethics. I've heard of a few dozen cases a year nationally (USA) where those are even vaguely enforced. It's just like bad Doctors who can practice (and kill) for years and not be de-licensed until they kill someone important or a large group.
If you note some cynical tone here, you get an A. The professional registration of Engineers, Doctors and Lawyers is fundamentally a good idea. I believe that as the system is currently operated it does more harm than good.
Finally, I taught Software Engineering at a major midwestern university for 5.5 years. We talked about ethics and one of the things that was discussed is the freedom computer people currently have. If they don't like what is happening, there are so many empty jobs, they can go someplace else and work. Civil Engineering currently has more engineers than jobs and that doesn't allow a CE to depart a job over something as trivial as an ethical objection. Something to ponder as you drive along the interstate crossing hundreds of lowest bid bridges, eh?
Summary: Don't hold up PE as a model of how things ought to be. It is very broken from the ethical perspective.
Calm down again (Score:2)
This is no different than when you start up some antivirus software and it wants to check for updates. Many programs do this sort of this. Just because this "technology" (wow, what a "technology" talking to a server is) COULD send sensitive information doesn't mean it DOES. Heck, ANY native app can send sensitive information somewhere. So just pre-emptively cool down.
Re:I've got a bridge to sell you (Score:2)
Um, perhaps to ensure nobody sniffed the data on the wire maybe??
The point is, just because it CAN be done, doesn't mean it is happening. Slashdot gets all fired up about all sorts of hypotheticals then looks stupid when that isn't the case.
Re:I got hacked on my laptop (Score:2)
Have the 6 yr old do the protection. No way he's gonna let some cracker screw up his game of Purple Dinosaur Massacre and his porn collection.
//rdj
Re:Spyware Removal (Score:2)
It's basicly a virus scanner for spy ware, it's only as good as it's data file.
Re:Database Nation (Score:2)
consumer pods
I think its time they began hearing en masse from some of us pods. They have a cleverly obscure web form [mattel.com] for contact. Heres the two cents I sent:
For a year or more I have been noting your bad behavior on the internet. You sue at the drop of a hat for some pretty nebulous reasons. I've read all about the employee with the carpal tunnel problems you harrassed. This morning I read about your DSSAgent spyware being included in childrens CD-ROMS. My children are grown, however, as one who is about to become a grandparent in plural, I wanted to let you know that until I see some evidence of a reformed, forward-thinking attitude with regard to the internet (on which, I might point out, your company is a GUEST, rather than an OWNER OF) no grandchild of mine will receive Mattel products. I have five brothers, all with children and grandchildren, and will be emailing them as well as posting to the family website my strong recommendation that they boycott Mattel and the reasons why. I see your attitude even boils down to the level of this "e-mail form", which displays such a tiny amount of the message body that it is very difficult to compose/edit a message here.
======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16
Re:spying on children too... risky indeed (Score:2)
What really gets me is that this kind of legislation isn't passed because politicians really care anything about privacy its passed because "Fighting for children's rights" looks so good for next election's commercials.
Re:firewalls (Score:2)
No, at least not for ZoneAlarm. It doesn't decide for you what it lets through. When a program tries to connect to the net, eg. your e-mail program or browser, it'll alert you and you can decide whether you want to allow it or disallow it. Programs are not allowed to access the net by default. However, there's no accounting for user stupidity and your idea holds that if they make it seem like a telnet client or browser, the user might be clueless enough to let it through. Not likely, but maybe.
Re:Spyware Removal (Score:2)
Re:I wrote that code - I'll tell you what it does (Score:2)
Read the message. This traffic is a plain HTTP Post request, nothing fancy. If you block "this kind of traffic", you essentially make that windows box unusable for surfing.
Btw, I agree with linux_penguin's "dickhead" comment, why was that marked as flamebait? Especially since many people (Europe) actually pay for their local phone calls.
read www.softwareconspiracy.com (Score:2)
Application shouldn't bring down whole network (Score:2)
And in this case, it wasn't just an instance of the OS that crashed, it was the whole ship's network - note my mention that the ship had to be towed back to port as a result of user error at a keyboard.
Now imagine this happened during live battle.
Mattel and the Learning Company are screwed up (Score:2)
They'd basically just ship all their applications when they could get them to more or less run and not when they were running reliability. The mere fact that a child's educational program would crash six ways to sunday from normal usage would not stop them from shipping a product.
I could easily see some junior programmer there telling a manager that they could easily write a program to scoop god knows what off a child's hard drive and send it on in for data-mining driven marketing purposes, and this being implemented as a standard feature without being run through corporate lawyers or even a moments thought as to whether this would ultimately get them sued - or arrested.
They have similarly enlighted personnel policies, which is why my friend was happy to tell me these stories on a regular basis.
I'm pretty amazed that the Learning Company lasted as long as it did. I know it had no end of financial trouble - is it still even in business?
Mattel clearly didn't do an adequate due diligence when they bought the company. Or at least they didn't involve any engineers in the process.
Considering what my friend told me, not just occassionally but almost every time I spoke to him during his period of employment there, I'm suprised the engineers could even get their code to compile and link, let alone ship it in a shrink-wrapped box.
Words I live by: Make a Bonfire of Your Reputations [goingware.com]
Mike
Why does Quicken run all the time? (Score:2)
I feel the need to use Quicken to access online banking so I haven't got away from this. The one thing I do is kill it in the task manager when I remember.
I'll be very happy when there is an open-source online banking solution I can run from linux. Yeah, right - get the banks to cooperate with the Penguin!
Also when I was beta testing Windows 2000 I noticed that often I couldn't get my programs to compile because realplay.exe was consuming 99% of the CPU time - when I wasn't connected to the net or listening to music.
I got hacked on my laptop (Score:2)
I installed some firewall software (eSafe Desktop Security or something like that - search for "firewall" on Tucows) and reinstalled service pack 6 for NT.
After the firewall installation the mysterious blinking lights went away. Something's still not quite right with my NT installation. I can't reinstall the whole system because of my 18 GB hard drive.
This is one reason I've finally become a regular linux user - it started because I could get good performance browsing the web via my cable modem, and it stayed because I can log in as a regular user with no special priveliges, but then "su" when I want to do an administrative task.
One thing I did on NT also was take away administrator privileges for my own user, and log in as administrator when I want to install something, but it's a real pain because I can't look at the calendar - don't have privileges - and Quicken needs to reinitialize its networking preferences every time I go online.
When my friend who got the same kind of laptop got a cable modem, I kept telling him to get a firewall, and he thought this was ridiculous, even with the distributed DOS attacks using hacked machines and stuff, and I sent him lots of URLs about people discovering hacker daemons on their home PC's when they got windows firewalls.
This guy is a very experienced computer programmer. What are we to do about, say, the president of a mid-size corporation who keeps company financial records on the same PC that his 6-year-old uses to play shareware games?
But four megabytes? (Score:2)
That's an awful lot for a checkbook program to consume on a laptop with 128MB.
Consider that there are lots of Windows boxes out there with only 32 MB of RAM I think that's excessive.
And I don't want Billminder - I never asked for it.
Don't be too hard on Mattel... (Score:2)
I hope no one was surprised by this story. Mattel seems to be one of the most evil companies on the planet. From the sorehands guy's case to the implementation of their censorware, they've been a bunch of evil fucks all along. I expect the next story we hear about them will be that they perform inhuman experiments on kittens. Or something.
Re:But Mattel _asks_ if you want it! (Score:2)
Joshua Yambert
Makes me wonder... (Score:2)
I have to use NT at work, and sometimes win98 at home, and of course have had a lot of fun trying to resurrect a dying OS on several occasions.
I'm no expert on windows (nor do I wish to be), but there are always programs/services running which I don't know anything about. When a program locks up the systems, I sometimes try to kill it to fix the problem, but if I don't know its name and things are really bad, I just start killing unknown processes (what the hell, it's not like i'm going to be able to save the system anyway).
Now I wonder what those things are, I kill them and nothing happens - sometimes the OS continues without the process and works fine. I know some of them are supposed to be there, but how many are set up by installers without asking me? Or worse still, I could have Back Orifice or something running without my knowledge.
I'd really like to know where the hell information on these services is, and how I can find out what the processes are. And I'd prefer actual documentation to some proprietary program which will sanitise my PC for me without telling me what it's doing.
Another pet peeve: how the hell do I get rid of startup programs? I empty the "Statup" folder like a good luser, and have even dug through the registry getting rid of some programms, but I still have annoying programs popping up on startup that I can't get rid of.
Is there any sane way of setting up a windows box? (OK, this is rhetorical just in case anyone's tempted to try to answer it.)
Re: Don't be daft (Score:2)
It would be simplicity itself to demonstrate that you do not have the crypto keys
How ?
RIP is fundamentally broken on technical grounds, as well as fundamentally immoral. This is a good example of just why it's unworkable.
Under the current draft of RIP, StealthBarbie here lays you open to prosecution. It's unlikely to happen, but it's no more daft than the conviction of the Cambridge Two.
RIP Bill (Score:2)
ROFL !
How does this sit with the UK RIP Bill ? If Mattel are sending secret crypto from my machine, what should I do if Jack Straw's stormtroopers turn up on my doorstep demanding the keys ? Send Barbie to jail for two years ?
I think there's a really good T shirt design in here somewhere. Barbie, through a jail cell window, and a caption along the lines of "Strong Crypto - Why can Mattel use it to snoop, but I can't secure my email ?"
Re:I fail to see what the big deal is... (Score:2)
If I want unknown comms going on with my machinery, then I will ask for it. Any company or grouping that installs such unspecified back doors onto my equipment without my permission will be regarded in much the same light as someone installing a copy of BackOrifice.
I trust Mattel just about enough to believe they're not going to deliberately steal my banking details. OTOH, I strongly suspect that they will start snooping marketing demographics on my kids, and history tells us that implementation of such things is often pretty poor - What happens if the next "I Love You" outbreak is actually an exploit for a weakly secured Barbieserver ? Auto-downloaded pr0n startup banners for anyone running Barbieprograms ?
Re:I don't get it. (Score:2)
Man bites Dog is a story, Dog bites Man isn't
Governments are expected to behave like arrogant bastards who think they have a God-given right to snoop. The Australian story is interesting and should be run, but it's no surprise that Australia (which is pretty dodgy on this issue already) has just slid one notch further down.
OTOH, if you can't trust Barbie, who can you trust ?
What about people with prosthetic fingers made from Barbie's knee joints ? (Scientific American a month or two back) Should they be worried about what their hands get up to when they're not looking ?
The Learning Company == Mattel Interactive (Score:2)
The Learning Company [learningco.com], a producer of educational games and software, was purchased by Mattel sometime last year.
Re:Database Nation (Score:2)
You make it sound like people aren't doing this already. My roommate (she who so stridently claimed that "my child will never watch television") has been using the tube as a babysitter while she plays Ultima Online. My sister babysat a child who would spend at least six hours a day watching tapes of Barney and Friends-- and would howl like a banshee between the time the tape ended, and Carolyn popped the next one in (bear in mind that this was a direct instruction from the child's parent).
The MTV Kids generation is all around us, drooling in their oh-so-expensive Gap Kids and Tommy H. wardrobes.
Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.
its not all closed source (Score:2)
This is another example of bad slashdot reporting. Right now all you know is that it "may" send back information, but you have no idea what. How about researching and providing facts to back this up? Oh wait.... As long as you get those banner hits it doesn't mater.
The all mighty dollar (Score:2)
Re:Toys and Machine Guns (Score:2)
Re:Spyware Removal (Score:2)
That being said, I don't think that can ever rely 100% on a monitor/firewall that's running on the same machine as the suspect program. The only way to be REALLY safe is to have a second (clean, trusted) machine sniffing packets off the wire.
"The axiom 'An honest man has nothing to fear from the police'
Re:You're actually mistaken - let me explain (Score:2)
No matter how you dice it, this little "feature" is one step aware from spyware, and it's a teensy step at that. How do we know that it's not collecting info? How do we know its mission wasn't expanded after you wrote it? This was a tremendous screw-up on Broderbund's part and they cannot finnesse their way out, no matter how "benign" the software was intended to be.
Re:ZoneAlarm firewall - a few problems (Score:2)
Gripping a moving target? (Score:2)
(a) Most importantly, you are informed of these behaviors ... you know exactly what's going on and why.
(b) Also, the cases you mention involve directly the functionality of the system. In other words, the ICQ MOTD allows ICQ to alert users (if need be) of changes in the system. The UT update check allows UT to notify you of, well, updates -- enhancements or fixes of behavior of the software. Because these network interactions directly affect the performance of the software, in a relatively obvious manner, it's reasonable for the companies to expect that you know about them. But Mattel's software did not enhance the program, check for bug fixes, or do anything else that could reasonably be construed as vital to the operation of the software. It allowed them to update ads, in a splash screen.
(c) I don't know this for a fact, but I'd be willing to go out on a limb: When the ICQ program retrieves the MOTD, it is the ICQ program -- not some other mysterious program tucked away in your registry -- that retrieves the MOTD. When the UT engine retreives updates, it is the UT engine -- not some deceptive, hidden daemon -- that goes out and retrieves the update. But here, it is not the software you (thought you) purchased that does the Net connect. It is a different program, installed quietly and (originally) without notification or approval, that sits in the background and, without informing you, does a Net connect.
If you don't see that these fall into different classes, well, I'm not responsible for your misapprehension. But they are different and the Mattel case is more sinister.
Matel Distributes Trojan (Score:2)
Re:I wrote that code - I'll tell you what it does (Score:2)
Sounds as if I oughta purchase it (Score:2)
Just wondering (Score:2)
How long will it be before spyware as a requirement starts making it into the EULAs for new applications?
You know. You're not licensed to use this application unless you agree that information can be sent back to the publishers.
I can see this kind of requirement turning up in stuff that would otherwise be free software. MP3 players etc. Scary.
ZoneAlarm! (Score:2)
Re:Laws? (Score:2)
-o Disclaimer: My employer doesn't even agree with me about C indentation style. o-
Re:Netscape quality feeback agent (Score:3)
A trojan is an advertisement server that steals my bandwidth (and possibly my private information) disguised as a children's game. The difference between Netscape's bug tracking software and this agent are quite obvious. Netscape's bug tracking software asks my permission. Mattell doesn't bother with something as old fashioned as permission.
PGP key in DSSAGENT (Score:3)
Using "strings" on DSSAGENT.EXE shows that it has a a PGP key. Running "pgp" on the key gives:
DSS 4096/1024 0xF8EABB3F 1997/12/05 NRobins
sig? 0xF8EABB3F (Unknown signator, can't be checked)
There is also a temp file in /WINDOWS/BBSTORE/DSS that is XML. I am not sure how to include that file here without it getting mangled, but it looks like a file that gets sent to www.brodcast.net. It has in it "DSS V1.0", interval of 86400 seconds (1 day) and a SIG line that looks fairly encrypted. ("iQA/AwUBOJn/KCElolv46rs/EQKCWACfYmhHchvKNf/izSGI mO3yEECbJBcAoMV7hR2SELS5eF2IKuRJPNCTVUE4 ")
Another note. I just installed ipchains masquerading on my linux box. Behind this "firewall" are a couple of Windows machines for the kids. I have run "ipchains -M -L" periodically and always noticed an open connection from one of these machines to www.brodcast.net. I just thought it was one of the zillion things the kids have downloaded. Now I know to block that site with ipchains.
Re:Spyware Removal (Score:3)
---
icq:2057699
seumas.com
Re:The Really Ironic thing is (Score:3)
I'm pretty sure they didn't stick any cookies in my pants when I walked in the door. ;)
---
icq:2057699
seumas.com
Get a grip (Score:3)
Like the guys aid.. once a day this app runs, and simply says to the server 'got any new images?' and that's *ALL*.
Could the same framework be used for spyware? Sure. So could *any* software for that matter.
Oh my god! when you run ICQ, it fetches a MOTD from icq's server! INVASION OF PRIVACY!
Oh no.. when I run Unreal Tournament, it fetches a web page from the UT site and tells me if I have upgrades! EVERY TIME I RUN IT! what a violation of privacy!
Oh no... you mean, with mattel software, once in a while it fetches new banners? umm..
Re:Mattel and the Learning Company are screwed up (Score:3)
And this somehow distinguishes them from the rest of the sofware industry? Not a chance. Check out Mark Minasi's http://www.softwareconspiracy.com/ [softwareconspiracy.com] book for more info, but the dirty "secret" of the software industry is that darn near all software development is done like that today. It shouldn't be, but it is. I've seen enough to know - the hardware mfrs are even worse...
Re:Why You Need to Read the Risks Forum (Score:3)
No, you're not. A reporter where I work broke a story based on such information that she found in a company press release. The company believed that their merger plans were a secret because they had deleted them from the release, but this reporter happened to stumble into this "preview changes" mode and saw the plans there. The company was pissed.
Re:I don't get it. (Score:3)
Try this story on Yahoo. [yahoo.com] It's fairly brief, but you get the message.
Re:Some Advice Needed!!! -- Useful software (Score:3)
Mattel was already on my shit list (Score:3)
Again, run ZoneAlarm (Score:3)
---
Not spyware then. (Score:3)
Something like this is in CyberPatrol too, to check for updates of the CyberNot list.
There has been talk of beta programs monitoring keystrokes to see what users do, so the product could be improved. This can easily be perverted. At one company, people asked if CyberPatrol being used to track attempts at accessing "forbidden" sites to keep track of employees.
When at MSI, while a similar product to CyberPatrol was being developed, I would get calls from the CEO and asked what certain programs were. These programs are ones on my machine that I was running. They were working on control usage of programs. I would get calls and asked what's b.exe or l.exe.
You say that was the intent when you wrote it. But what about after you leave? I have little trust in their ethics.
MSI admitted, under oath, they monitored my internet access from home when I asked for a what would be a reasonable accomodation under the ADA. When asked why, still under oath, they said it was to check up on me because I asked for a reasonable accomodation.
heh, (Score:3)
Re:Mattel and the Learning Company are screwed up (Score:3)
Re:I wrote that code - I'll tell you what it does (Score:3)
You mean like a newspaper or cable TV?
Seriously, how exactly is showing a 320x200 JPEG (for 15 seconds) that advertises a product you just might want to buy an invasion of your privacy? Admittedly, it's a little tacky, but so are many things in life. You don't have to look at it - you can check the "don't show this again" box that shows on each splash screen, you can choose not to install it in the first place, or you can make it go away by clicking on it (at least you used to, unless someone has changed it since I left).
And to head off another concern - it doesn't make the app take any longer to load, it just replaces the default splash screen that shows while the memory hog of an app starts up.
And where was the programmer with the developed sense of ethics to bring this to the attention of his employer?
Right here, actually. I brought up the ethical issues numerous times, to the point of being a pain in the ass about it. The upshot? It was going to happen anyway, and what it does is really not that bad. If not for people like me complaining, you wouldn't even be able to turn it off.
Re:I wrote that code - I'll tell you what it does (Score:3)
Well, thank you for that thoughtful and polite comment. As was (I thought) pointed out previously, we went to great lengths to only try to talk to the server if there is a currently active connection, by enumerating the active RAS (dialup networking, essentially) connections in the system. If there is no RAS connection, we don't dial.
If RAS is not installed, and there is a network card, yeah, we assume there is a connection. So yeah, your modem will dial once a day. You have the inactivity timeout set to hang up after 5 minutes or so, right? Kinda annoying, but that was the design decision. Wasn't my idea. It hardly puts me in the "stupidest man alive" category, I must say.
But remember, this is consumer software. 99% of our customers did what we expected - installed in on their home machine, connecting to the net with a modem, or installed it at work with a network. Sorry about your home network situation, but you can't write software that takes every possible variable or future change in underlying system design (remember, this was written 3 years ago. Windows has changed quite a bit since then. New bugs^H^H^Hfeatures come along all the time.) into account.
Re:Database Nation (Score:4)
Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.
I'm not quite sure about the whole "not being able to afford a babysitter" part. I work two jobs (okay one and a half, it's still 12-14 hours a day) and my wife just started afternoons at a factory. The kids (4 and 7mos) are at a babysitter from 2:30pm to 6:30pm. That costs us a whole $20 a day (approx $400/mo) to have them looked after by someone who doesn't just plop them down in front of the TV.
With Vanessa (that's my wife) working, she makes about $9.50 an hour breathing fuzz and tying knots (she works at a yarn manufacturer). That means she'll bring home approximately $1600 before taxes every month. Since she's in such a low tax bracket let's say they knock off 15%. That's $1400 a month she brings home, or after daycare (which we wouldn't need if she weren't working) $1000 we didn't have before.
Factory work is damn near everywhere. Yes it's hot, it's awful, it's mind-blisteringly boring... but it's work. And 9 times out of 10 it's above $6/hr ($4 being minimum wage here). I would wager a guess that those moaning that there is no work (especially in America, jeez, every time I'm down there there's signs for help wanted EVERYWHERE) have their standards set too high. Hell even at the shitty factory my wife works at she can be in the highest pay tier in 12 months if she does good.
TV-babysat kids don't save you any money. They cost you a lot in the long run. My kids watch TV at least once every two days (sometimes more than I'd like) but they aren't raised by it. Once my son figured out that TV shows and movies had to end sometime ("Why's it over?!") he had no problem turning off the tube and playing with cars, tormenting his sister, getting dirty outside or getting into my stuff. And the little one is happier trying to figure out how to get Cheerios into her mouth or watching her big brother than she is in any TV show. Maybe we're just lucky or maybe it has something to do with the fact that we don't use the TV as a babysitter.
Which consumers asked for this feature? (Score:4)
If there is one thing that I think single handedly guarantees the continued existance of the Open Source movement it is stuff like this. Software companies have gotten so arrogant that it is absolutely crazy. Honestly, you can't even buy a simple children's game nowadays without worrying about a company foisting Trojan horse software on you. Did Mattel honestly think that they wouldn't get caught? Did they think that no one would care? If the commercial software houses keep this stuff up then pretty soon even the most neophyte computer users will be demanding that the source code to their software be "open."
Even more ironic is the fact that Mattel was probably using this software to gather marketing information. Imagine their surprise when they come to the conclusion that 99 out of 100 Americans don't feel like purchasing software from companies that might potentially be spying on their children!
Database Nation (Score:4)
I was just at ComputerLiteracy/Fatbrain today and after picking up a bunch of Oreilly books and a couple Neal Stephenson books, found myself thumbing through Database Nation (Simson Garfkinkel/O'Reilly). It looks like an interesting read. I think there was a slashdot review on it, but I missed most of it. Anyway, after reading the absurd account on Salon, I'm going to move Database Nation to the top of my reading list and get started immediately.
You know, it seems that this kind of behavior on Mattel's part would fly directly in the face of the recently passed law requiring that websites who know their users are under 13 years old and collect personal data on them, must require parental authorization. Sure, this isn't a website, but it's virtually the same thing -- and probably just as bad.
It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.
---
icq:2057699
seumas.com
Re:What disappoints me... (Score:4)
What do your examples have to do with anything? (Score:4)
First off, if your "average e-shopper" is so worried about electronic privacy, then what are they doing e-shopping? Do you have any statistics to back up your statement that they are "so" worried about it? Secondly, if you've paid attention to e-commerce snafus, you'll realize that they've come from poor administration, most often from not configuring database connections properly and not applying patches, not from the presence or absence of source code. Hell, even the Apache Group itself got its website hacked -- source code didn't protect them, because they didn't follow the proper procedures for the open source software that they had installed on their server.
Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not. If not, it seems like a pretty accurate warning, giving you the option to install plugins that you might want, like from Macromedia, but telling you that installing one from somebody you know nothing about might not be such a hot idea. Personally, I find web browsing using only open source tools to be a pretty boring experience, even much more so before Mozilla started up.
Sorry again, but the ILOVEYOU trojan was open source. I believe that someone even posted it here at Slashdot. If you get tricked into running something bad, the presence or absence of source isn't going to help you. See wu-ftpd.
Cheers,
ZicoKnows@hotmail.com
spying on children too... risky indeed (Score:4)
They'd be on the bad (defendant) side of the legal system for a change.
Spyware Removal (Score:4)
Re:Spyware Removal (Score:4)
Currently the freeware version of Optout only can detect and remove Aureate/Radiate/Binary Bliss (advert.dll) spyware. However, this type of spyware is embedded in hundreds of freeware products.
If you're looking for a utility to detect all Spyware, you will have to do it yourself using a program such as tcpdump [tcpdump.org] or windump [polito.it].
Re:Why does Quicken run all the time? (Score:5)
Just wait a couple weeks and then go check-out RealNetworks' RC5 crunching stats on distributed.net -- then you'll know where your cycles are going! ;)
---
icq:2057699
seumas.com
What disappoints me... (Score:5)
The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.
The ACM [acm.org] and the IEEE [ieee.org] consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice [computer.org] in a number of places, to wit:
3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.
3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.
Furthermore, management (i.e. Mattel) is admonished to:
5.11. Not ask a software engineer to do anything inconsistent with this Code.
5.12. Not punish anyone for expressing ethical concerns about a project.
So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.
Re:But Mattel _asks_ if you want it! (Score:5)
--GnrcMan--
Arms traffickers! (Score:5)
I dunno, I think seeing the brass at Mattel thrown behind bars for arms trafficking would be a good thing. Take your pick.
- If they go to jail, it's poetic justice for suing people for CPHack
- If they walk, it'll be because they spent enough money on legislators to buy us sane crypto regs.
Talk about a win/win situation!explanation from the learning company (Score:5)
Why You Need to Read the Risks Forum (Score:5)
If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ [ncl.ac.uk] on on the Usenet news as comp.risks [comp.risks]
The Risks forum is part of the ACM [acm.org] Committee on Computers and Public Policy.
You should make a special effort to read Risks if you:
- Program computers
- Make policy decisions involving computers (managers, government etc.)
- Depend on computers for your life or safety (do you fly on airplanes?)
- Operate computers in situations where they affect life or safety
You will see computers in a different light after reading Risks for a while, and maybe it will affect the decisions you make regarding them and the way you write and test your code. Consider this article I posted:USS Yorktown dead in water after divide by zero [ncl.ac.uk]
The Navy got rid of its more robust warship operating systems and replaced them with Windows NT [geometricvisions.com]. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.
Security concerns, viruses and the like are discussed extensively in Risks.
Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:
Do you have any loved ones in the hospital with a life-threatening medical condition? Peter G. Neumann [sri.com], moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.It has ISBN 020155805X and you can purchase it online from:
- http://www.fatbrain.com [fatbrain.com]
- http://www.barnesandnoble.com [barnesandnoble.com]
- http://www.amazon.com [amazon.com]
- http://www.chapters.ca [chapters.ca] - in Canada
If you teach a course in programming in any school (even high school), I suggest you put the book on the recommended reading list. If you teach a course on embedded or fault-tolerant computing, I urge you to include it in the required reading.Mike
Why open source is nice, part LXXVIII (Score:5)
Hopefully people will eventually learn that you shouldn't trust any software that you can't inspect, or that somebody else can't inspect for you. Would you buy a car if you weren't allowed to look under the hood, take it for a test drive, or even open the door before you signed the purchase agreement?
Isn't it an odd world we live in?
Nicholas
I wrote that code - I'll tell you what it does (Score:5)
It is NOT spyware.
It does NOT look for or send any personal, private, ot public information about you or your system.
It does NOT use encryption - it uses PGP digital signatures.
It was NOT designed for kids' products - it was designed for all products.
I worked for Broderbund from 1995 until about a year ago. Maybe 3 years ago, my then-manager came to me with an idea he had dreamed up for giving applications new and different splash screens every time they started up. This would give us the ability to pitch related products (if you had Print Shop, we could try to sell you Presswriter, or special clip art at Christmas) and tell you about upgrades. There was also talk about, eventually, having some form of 2-way communication with users. Thus was born Dynamic Splash Screens, or DSS. /SIG) , run the rest of the page through PGP with the key that a previous poster pulled out of dssagent.exe, and they *should* match. Nothing really secret here.
I had a number of big problems with the idea, mainly with the idea of advertising and with the obvious invasion-of-privacy issues. I pointed out (rather stridently) that we could have serious legal and P.R. problems with this, not to mention the heinous ethical problems, and that we were in danger of ruining our (at the time very good) reputation. Wisely, all ideas for this were dropped except for the splash screens. Pretty benign.
Here's the communication protocol:
Periodically (by default, once a day), the background app wakes up, pulls a list of IDs of installed DSS-enabled apps out of the registry, and sends then to the Brodcast site via HTTP POST. It receives an XML page, PGP-signed, that either says "Nothing new, go back to sleep" (99% of the time) or describes a new splash screen (name, dates to display, time to show, location of JPEG file). It then retrieves the pieces (generaly 2k chunks) of the JPEG, verifies their PGP signature, and reassembles them.
When a DSS-enabled app starts, it looks in the registry to see if it has a new splash screen to show. If so, it displays the JPEG (along with a "never show this again" checkbox) for 10 seconds or so, instead of the app's normal splash screen.
The PGP signing is to make sure nobody can hijack the URL and send bogus images. There is no encryption. Try this: take the XML page, remove the signature (between SIG and
That said, I was never really confortable with the whole idea. In fact, part of the reason I left the company was a plan (later dropped) to add "targetted advertising". While some of the comments posted here are way over the top (it's just plain paranoid to suggest rogue employees sending kiddie porn or stealing financial info), I agree that it was begging for trouble to do something like this. However, there was always (while I was there) a (relatively) clearly-stated installer screen that asked if you wanted this. Always. Regardless of what Simpson Garfinkel remembers.
As to why the DSS agent was installed if the user said no, you can blame Install Shield and its charming installation scripts.
Anyway, there it is. Annoying, misguided maybe, but not so sinister. Oh, and the Mattel-Broderbund connection? A bottom-feeding sleazeball company called Softkey bought The Learning Company, took them over like a hermit crab, then bought Broderbund (and ran them deeply into the ground), and was, in turn, bought by Mattel (and proceeded to lose $200 million for them in one quarter, putting Mattel CEO Jill Barad's career in the ground).