Privacy Your Rights Online

Mattel Spyware

Yet another company has been caught surreptitiously uploading information from their customers. This time, it was Mattel, who I would have thought would have already reached their "bad PR" quota this year by suing the people who distributed CPHack. But no; they're spying on the children who use their software too, and Simson Garfinkel raises some very important points. A hint for all the /. readers who are handy with a debugger: if you want to get your 15 minutes of fame, just figure out what information the DSSagent program is sending and let us know.
  • by Anonymous Coward
    IANAL, but... CPC 502 (I think)

    It's illegal in California to obtain information from someone's machine without explicit consent. Note that:

    (a) The law includes Trojan Horses, which would possibly include this "Brodcast" utility, given that it wasn't explicitly described in the product documentation.

    (b) The wording is "information" not "private information"

    i.e., *anything* that is taken from your machine without you knowing about it...

    In fact, this is a jailable offence, and is done on a per-infraction basis, so every installation would count...

    Hopefully, sometime soon, a couple of CEOs will be put inside for this kind of thing pour encourager les autres...

  • ... a Beowulf cluster of these?

    ...called barbie@home and doing Mattel's accounting. With no security and multiple-checking, so I can make a rigged client and redirect their CEO's salary to ACLU and EFF.

  • I agree with you.

    I think some have tried to argue that this wouldn't have happened with a UNIX-based OS, because the software developers who write apps for UNIX pay more attention to details like error trapping than those who write Windows apps do. It's really unfair to generalize like that (although the generalization does seem to be true a lot of the time).


  • As I read the law, Mattel should be in for it. I just sent Mr. Garfinkel the following:
    Dear Mr. Garfinkel, I am not a lawyer, but it seems to me that the US Code, Title 18, Part 1, Chapter 47, Section 1030 (which you can find on-line at Cornell Law School's Legal Information Institute, at URL
    http://www4.law.cornell.edu/uscode/18/1030.text.html [cornell.edu]), is relevant in this case.

    Given that you are a journalist working for a publication engaged in interstate commerce, by subsection (D)(2)(b), your computer is a "protected computer" under the definitions of this Act. Under the definitions of (E)(5), Mattel's actions constituted "unauthorized access." Mattel is guilty of a felony. You and _Salon_ should sue them for damages, and make sure you include massive punitive damages while you're at it, because of the nature of this crime (not just a crime against you and _Salon_, but also a crime Against The Children, to quote our First Lady, and one that strikes at the heart of society's foundations -- and also "pour encourager les autres" who also want to engage in this sort of spying).

  • This is quite interesting considering the fact that the installer didn't mention anything about Brodcast until after the Children's Online Privacy Protection Act went into effect.
    As I read Title 18, Part I, Chapter 47, Section 1030 [cornell.edu], paragraph (2)(B), someone at Mattel should be in for 5 years in the slammer.

  • 90% of linux users praise its greatness, then download a tarball, ./configure;make;make install without reading it. Good job.

    Naturally, nobody ACTUALLY has the time to go over every last line of source for a distro + hand dis-assemble gcc to make sure it doesn't have the login trojan in it (I don't think gcc ever did, but some cc's did).

    It's the other 10% that do look at some part of the source code that keeps everyone honest. Surely, out of a million users, if 100,000 look at the source code, spyware would be detected and reported fairly quickly. There could be no question of EXACTLY what information was gathered and who received it. There could be no denying that the code was there. There could be no excuses about downloading updates or other such nonsense.

  • This is not necessarily wholly the fault of the software manufacturer.

    For example, my company had this product, we tested it, beta tested it, we had a schedule, it was looking good to be completed by date X. We started the ad campaign, made announcements, gave eval copies to magazines to write reviews.

    Then, the day we were to ship it, we all sat down and marveled at the quality and feature-set of our amazing creation, and signed the papers.
    Then, our IT group, who was running a large-scale test, noticed a problem. There was no backing out of shipment at this point, the master was in the duplicator, tens of thousands of dollars of manufacturing costs, plus our reputation with the press (all important in this competitive industry) were all on the line. We rolled up our sleeves and went to work on the problem. We loaded up debuggers. Programmers, who had just spent the previous six weeks working seven twelve hour days a week, were in on the weekend again. The problem could not be reproduced on any other hardware but this IT server. The debugger showed the calls to the OS, and the return codes just not coming back. The OS was NT. It was starting to look like a hardware problem. whew. Sigh of relief.

    The problem is - whether we like it or not, bad hardware exists out there. Whether we're talking about a failing 5-year old 3com ISA network card in some secretary's 486, or a brand new $50,000 RAID Array from Compaq. You'd think that universally, bad hardware should give software certain set responses, so the software knows enough to tell the user; "gee, I made a call down the stack to the network card, but the card didn't respond within the normally allotted timeout range, so it sure looks like your NIC is in need of replacement". But that's not always the case. Yes, properly designed software should have the heuristics to anticipate hardware failure, and behave accordingly, in a way that the user can tell what the fuck is going on, and do something constructive about it, rather than call our tech support and make us troubleshoot bad or misconfigured hardware. But in reality, that software sits on a piece of shit proprietary OS, and API framework, and is reliant on those for its ability to do stuff - intelligent or not. And don't give me that "open source is better" crap, because there is NO operating system that is even remotely OK at handling these kinds of scenarios.

    We ended up shipping the software. Fortunately, this time, the specific hardware problem that caused the error was unique to our equipment. But I've been in this industry for 8 years, and I've seen scenarios caused by bugs in the underlying OS (*cough* NOVELL *cough*) that lost us ten million dollar contracts, I've seen problems caused by a frayed SCSI connector that required me to fly to Dallas four times, because I was dumb enough to believe the IT guy who said he checked back there and everything was okay, and I've seen problems that only happened with OUR software, with one specific brand of network card, and it was because we had tried to push another vendor's broken standard.
    And, I've seen overzealous marketers push schedules so aggressively, that the finished product would be classified as pre-beta. (Marketers don't seem to understand that software is kind of like having a baby, you can't take nine mothers, and have a baby in one month).
    And, I've seen more cases than I care to count, where a problem is found in testing, but could not be duplicated, so it's left alone (everything humanly possible was done to try to fix the problem, but if it couldn't be identified, or localized, then what could be done), and the problem ends up cropping up in the finished product, on perhaps one in a thousand customer systems.

    In the end, yes, shit happens at software manufacturers. Schedules are tight, competition is very fierce. But we're all forced to write software that runs on a crap OS, running on crap hardware, and no matter how much human effort you put into it, you can't polish a turd.

    Does this industry need some kind of watchdog, some kind of consumer group and independent testing body? Absolutely. No doubt about it - so much is riding on it.
    But will it happen?
    Not while these companies are making campaign contributions to the lawmakers.

    Which again, I state is the fault of all you idiots who voted for G-Dubbya in the republican primary, instead of McCain.

    If it ain't broke, fix it 'til it is!
  • Btw: the rationale for why we are exempt is not actually because we are "professionals" (which, traditionally, has implied licensing).

    The rationale is in the U.S. Code, Title 29 (Labor), Chapter 8 (Fair Labor Standards), Section 213 (Exemptions).

    If you enjoy paranoia, you could say it looks like a collusion between Washington lawyers and Silicon Valley executives to keep IT salaries from approaching those of Washington lawyers or Silicon Valley executives! Of course, just because you are paranoid it doesn't mean they aren't out to get you! :-)

    I don't know much about it but there is a "Programmer's Guild" that has started. Their URL is http://www.colosseumbuilders.com/american.htm [colosseumbuilders.com].

    There is no reason why people in IT should not have the same pay and societal status as doctors and lawyers. To accomplish that objective, I would propose that in order to legally practice software development a person:

    • Should have graduated from an accredited program with a B.S. in [something appropriate to be determined]
    • Should pass a state regulatory exam
    • Should have to maintain an audit trail of their work so that personal accountability can be maintained

    Yes, these are onerous artificial barriers to entry but so are the barriers that the AMA and ABA put up for their members. It is the barrier to entry that gives doctors and lawyers what they have.

    To garner the support of people already in the field, there should be a grandfather clause. FOO years of documented experience will get you in. BAR years of documented experience and a degree in BAZ will also get you in.

    There would be a genuine benefit to society by doing this as well. By requiring licensed professionals, the releasing of untested and buggy programs would be greatly reduced as the law would now be on our side instead of the side of the PHB.

    The same way that the crash of an airplane or the collapse of a structure now causes a public outcry and an investigation into why it happened and how to prevent it from happening again, there would be an investigation of things like ILOVEYOU which would lead to systems that are actually engineered (and can legally make that claim) rather than glued together with spit and baling wire.

    The precedents for this are well established. In almost any other field that affects public safety there are regulations. Sometimes there is no immediate personal benefit to the worker (e.g., a busboy who has to comply with the health inspector's directives) and sometimes there is a lot of benefit to the worker (e.g., the lawyer who has to be a member of the bar to practice).

    It is up to us here today to decide whether the inevitable regulations will be imposed by us or on us and whether or not we will benefit from those regulations by becoming autonomous professionals or regulated peons.


    -- OpenSourcerers [opensourcerers.com]
  • Actually, Debian does have such a package. It's called "popularity-contest", and it uploads your installed packages list to Debian for statistical purposes.

    The differences between this and Mattel should be obvious:

    - You have to explicitly install popularity-contest, so you are guaranteed to know what you're doing; none of the default install profiles include it. Mattel had to be threatened with legal action before they gave the option to not install it.

    - Popularity-contest's purpose is clearly stated and fully documented; Mattel was scared to even let you know it existed.
  • DSSAgent is a small application that runs in the background and when it sees an Internet connection, it checks with our Web site to see if a new splash screen graphic is available

    and from the article:

    The agent normally detects when a user is online only to do its transactions; it is not designed to try to connect independently.

    What both of these comments show is a lot of ignorance. The only surefire way to check if the user is online is to try connecting to somewhere. Now in my home setup, I have dial on demand, so that if a network packet is detected, it'll dial up my ISP automatically, and I have the illusion of permanent access. The same is true of most of my friends, whether they're using Linux or Windows. So each time DSSAgent checks to see if I'm online, it actually forces me online whether I was already connected or not. Being in Europe, I have to pay for that -- local calls aren't free here. If Mattel had installed this product on my machine without my knowledge or consent, they'd be getting a bill for my phone calls, and a law suit if they didn't pay up...

  • So yeah, your modem will dial once a day. You have the inactivity timeout set to hang up after 5 minutes or so, right?

    Yep, but then I'm in the UK, so that extra phone call once a day costs me money. Phone calls (local or otherwise) are not free here.

  • Actually, I believe there's a windows API hook to tell if you're dialed up.

    No, there's not. Or if there is, it can't work reliably. All the windows box sees is a network connection, and a gateway address. Unless it has some clever way of interrogating my gateway machine and finding out if it's connected (hint: it doesn't), there's no way for windows to know if it's online or not. It may be able to tell if it's Windows that's doing the dialling, but in my case, it's not.

  • Not that Mattel is RIGHT, but suing someone over a $3 phonebill?

    For some reason, you're assuming that it's only going to try and make one phone call. I would guess that it checks for new information on a regular basis (every time you fire up the app? every hour? who knows...)

  • Mattel sues Slashdot for incitement to copyright violation under the Digital Millennium Copyright Act.
  • And there are lots of puns by PGN. (But I don't know if that's a reason for or against)
  • I use quite a few Open Source products. Linux is the obvious one.

    However, to trust these just because they are Open Source is stupid. I'm not about to *personally* inspect all of the code.... does anyone *seriously* read every line of the Linux kernel to make sure it isn't doing something evil? Well, sure, Alan Cox probably does, but hey.

    So it all boils down to trust in the end. Do you trust whoever it is that says Linux is secure?

    Be it a large corporation, or lots of kernel hackers... you have to try *somebody*. Either that, or spend more time inspecting code than actually using it.
  • Sure, the PR rep _says_ info only goes to your computer. Do you actually believe that?

    If all it sent was a registration number, why would it need PGP, and why would it be able to send mail?
  • that Mattel have done is to suffer the existence of a product whose name ("Brodcast") a) is a lousy pun and b) only makes sense if you mispronounce the name of the parent company, which has a Scandinavian o-slash rather than an o.

    I don't think that's necessarily true -- after all, wouldn't that Scandinavian vowel make it pronounced broodcast?! (dramatic music...)

  • As was (I thought) pointed out previously, we went to great lengths to only try to talk to the server if there is a currently active connection, by enumerating the active RAS (dialup networking, essentially) connections in the system. If there is no RAS connection, we don't dial.

    Yeah, but what if the PC is on a LAN (so that it appears to always have a network link), but the PCs share a single on-demand dialup through a separate box? Before I got a cable modem, that's how our household worked. All of the PCs routed through a single box that used IP-masquerading to route our network's outbound traffic over the single modem. (With 3 or 4 PCs, it's good to not need 3 or 4 phone lines and 3 or 4 modems in order for everyone to have Internet access.) Now, your RAS autodetection fails miserably since it always looks "on".

    I believe that's what the original poster was complaining about. I think the main issue is that trying to hide oneself from the user and do things behind their backs is bound to fail eventually and piss someone off. Better to be up front about it, IMHO. After all, the road to hell is paved with good intentions.

    Anyway, thanks for the clear description of what DSSAgent does. :-)

    --Joe
  • Couldn't software that surreptitiously collects information on your computer and sends it to a vendor be considered a form of illegal wiretap? Actions like this on the part of any software vendor are outrageous. I've already questioned using any software made by Mattel (especially since they raised such a stink because someone actually thought you, as a user of their filtering software, should know what web sites that you're being denied access to); this just reinforces my decision to suspect their motives. Hypocrites!

    I'm sure glad I don't access the internet using WinXX from my home systems.

  • You mean like a newspaper or cable TV?

    You don't pay for a newspaper (or magazine) or cable TV. You pay for newspaper and cable TV delivery.

    The paper itself, as well as the cable networks, are entirely advertiser-supported. If you actually had to pay the cost of a newspaper, it would be about $5.00 per issue, and magazines would be $10-15 or more.

    As far as I know, the users accepting ads didn't get 95% off the retail price...
  • Um, if they included PGP in DSSAgent then that would classify it as a munition at the time they did it. I know for a fact that they had overseas sales and the box was not labeled "Not for Export". Now who do we go to for this blatant breach of a bad law by a bad company (see, the export restrictions aren't all bad :-)?
  • > How long was that bug in PGP that didn't generate random keys? Almost a year?

    I don't think your comparison is apt. I suspect that bugs are generally harder to find than the whole encrypted communication infrastructure Garfinkel describes would be.

    > Unless you read and understand the source its no help.

    True. I suspect the world would be a better place if more of us read more of the code we ran.

    On the other hand, the developers of an OSS project read the code all the time. I suppose you might be able to swear a small clique to secrecy if you wanted to embed some spyware in an OSS project, but it wouldn't be very effective when you've got a public CVS server. How would the core developers keep embedded spyware secret with even just a few people around who go in a couple of times a year and fetch the CVS code to tweak some minor something they don't like? It only takes one person to spot it, and then the game is up. And the core developers would never be trusted for anything again.

    > This is another example of bad slashdot reporting. Right now all you know is that it "may" send back information, but you have no idea what.

    Actually, /. is just reporting what Garfinkel says. It may be a premature reaction, but the fault is not a /.-specific matter.

    BTW: For my money, even if the Mattel excu^H^Hplanation is factual and complete, it is still inexcusable. Beyond that the "trustworthiness" issue comes into play. If they were doing that much without my informed consent, should I trust them at all?

  • > Now tell me again how fade-out menus help your fileserver

    Since you mention it... The FO menus provided some of the best circumstantial evidence I have seen for hidden APIs in Windows: when those NT5 betas first started coming out, I read someone's writeup that casually mentioned that the FO effect was really cool, and showed up in every application he ran except MS Office. Looks to me like MSO was using a different API from the ones all the other application programmers knew about.

  • Uh... lots of software *might* do this.

    What should you do? You should configure your dial on demand server to not trigger on this kind of traffic...
    just like you do with icmp ping, dns, etc.. (or whatever you happened to do).

  • I dare say if Debian has an optional package that every now and then sent them usage information, that the slashdot headline probably wouldn't read "Debian spyware." Call it a hunch.

    Like BitchX, which sends a UDP packet to the makers to count users? (Yes, I know, it can be disabled, if you compile from source).

  • A similar weird thing happened to me one time. I have a home network with a linux machine as a gateway and a few other machines running various OS's. Anyway I was sitting there working on some code. I look up and my modem is blinking away as if I am downloading something, though I wasn't intentionally doing this. I telneted over to my gateway and did a `netstat -M`, and I see my windows box is connected to an FTP site and is downloading something! Needless to say I was pissed off, so I check the site with a browser and it's a bunch of JPEGs, erkay. I do an nslookup on the IP and it has no hostname. Then I enter the IP into google and I get a few hits for some security lists, and one says that it's TSAdbot. Apparently it downloads ads for a few different applications, like pkzip and AIM. I don't know if it's just me, but that just seems really rude. I mean I guess it's okay, they need to advertise, but using my CPU resources hanging around in the background all the time downloading soap ads for programs I already bought, or are free seems pretty shitty to me.
  • Whilst I agree with you (I run AtGuard, partly for this reason) it's not complete protection. All the software has to do is look like a web browser or Telnet client and the firewall will probably let it through.

    Paul.

  • Surely this could be prosecuted under computer misuse laws. Mattel are plainly guilty of using many computers for unauthorised purposes (to wit, sending them adverts). If this usage was not authorised then it leads to both criminal and civil liability in most countries (except the Philippines).

    Any lawyers want to put a class action suit together?

    Paul.

  • you should configure your dial on demand server to not trigger on this kind of traffic.

    Read what the programmer wrote again. "[H]is kind of traffic" is HTTP. Most people will want dial-on-demand links brought up for HTTP.

    Of course, if you're properly paranoid, you're running Junkbuster (and possibly Squid) on a single server, and have all legitimate HTTP clients configured to proxy through them. Then you configure your dial-on-demand server to only bring up the link for HTTP requests from the Junkbuster server, and applications with covert communication channels are foiled. The worst that happens now is that the covert applications use your browser proxy settings, but you're reviewing your Junkbuster logs, right?
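The log review this comment ends on, as an added example that is not from the original thread or from Junkbuster or Squid: it parses constructed proxy access-log lines in an assumed common-log-plus-User-Agent layout and groups requests from anything other than the approved browser by client, agent, host and method, so a background agent's periodic POSTs stand out. The agent name "UnknownAgent/1.0" and all hosts and addresses are constructed placeholders, not values observed from DSSAgent.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log. The layout is an assumed common-log format with the
# User-Agent appended; it is not Junkbuster's or Squid's native format.
# 192.168.1.10 is the household PC that browses normally and also runs a
# background agent; 192.168.1.12 runs an antivirus updater.
SAMPLE_LOG = """\
192.168.1.10 - - [19/Jul/2000:08:12:01 +0100] "GET http://www.example.com/index.html HTTP/1.0" 200 5120 "Mozilla/4.7 [en] (WinNT; I)"
192.168.1.10 - - [19/Jul/2000:08:12:05 +0100] "GET http://www.example.com/logo.gif HTTP/1.0" 200 1024 "Mozilla/4.7 [en] (WinNT; I)"
192.168.1.10 - - [19/Jul/2000:08:13:40 +0100] "POST http://ads.example-vendor.test/agent/checkin HTTP/1.0" 200 312 "UnknownAgent/1.0"
192.168.1.12 - - [19/Jul/2000:08:14:02 +0100] "GET http://updates.example-av.test/defs.dat HTTP/1.0" 200 20480 "AVUpdater/2.1"
192.168.1.10 - - [19/Jul/2000:09:13:41 +0100] "POST http://ads.example-vendor.test/agent/checkin HTTP/1.0" 200 312 "UnknownAgent/1.0"
"""

# One access-log line: client, ident, user, [timestamp], "METHOD URL PROTO",
# status, size (or "-"), "User-Agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname or ""
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def review_proxy_log(text, approved_agents=("Mozilla/",)):
    """Group every request whose User-Agent does not start with an approved
    prefix by (client, agent, host, method), with count, bytes and the first
    and last timestamp seen. Anything that is not the known browser is a
    candidate covert channel and gets listed for the operator to judge."""
    findings = defaultdict(
        lambda: {"count": 0, "bytes": 0, "first": None, "last": None}
    )
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["agent"].startswith(tuple(approved_agents)):
            continue
        key = (rec["client"], rec["agent"], rec["host"], rec["method"])
        f = findings[key]
        f["count"] += 1
        f["bytes"] += rec["size"]
        f["first"] = f["first"] or rec["when"]
        f["last"] = rec["when"]
    return dict(findings)


if __name__ == "__main__":
    for (client, agent, host, method), f in review_proxy_log(SAMPLE_LOG).items():
        print(f"{client} {agent!r} {method} {host}: {f['count']} request(s), "
              f"{f['bytes']} bytes, {f['first']} .. {f['last']}")
```

Adding a known updater's User-Agent prefix to approved_agents silences it once reviewed; the repeating POST from the unknown agent is exactly the pattern the comment says a proxy log makes visible.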
  • First PE is the law pretty much everywhere in the US and Canada. The professional society lobbyists made sure of it. There is a growing industry around the license process and passing these marginal exams. The exams are fundamentally flawed as the 'pass' rate swings wildly from 30% to 70% with no appreciable change in the pool of people taking the exams.

    I am a Civil Engineer. The PE means approximately nothing to the ethical behavior of the engineering world. Trust me, been there, done that. In fact, I can make a coherent argument that it has in fact made things worse. There are bunches of laws & regulations about this and that, but in reality unless a project kills or significantly hurts people, the laws are totally ignored. This non-enforcement is a very dangerous thing, as it lends the illusion that the public's ethics are being watched out for.

    The PE is really a barrier to entry to keep the underskilled and poor test takers out. It serves as a means of reducing the population of engineers that can practice and thus keeping wages higher than otherwise. There is a movement afoot to make things 'harder' so that the net wages will continue to rise "up to those of programmers".

    To get a PE you do swear to a code of ethics. I've heard of a few dozen cases a year nationally (USA) where those are even vaguely enforced. It's just like bad Doctors who can practice (and kill) for years and not be de-licensed until they kill someone important or a large group.

    If you note some cynical tone here, you get an A. The professional registration of Engineers, Doctors and Lawyers is fundamentally a good idea. I believe that as the system is currently operated it does more harm than good.

    Finally, I taught Software Engineering at a major midwestern university for 5.5 years. We talked about ethics and one of the things that was discussed is the freedom computer people currently have. If they don't like what is happening, there are so many empty jobs, they can go someplace else and work. Civil Engineering currently has more engineers than jobs and that doesn't allow a CE to depart a job over something as trivial as an ethical objection. Something to ponder as you drive along the interstate crossing hundreds of lowest bid bridges, eh?

    Summary: Don't hold up PE as a model of how things ought to be. It is very broken from the ethical perspective.

  • Ok, this is partly Slashdot's fault for labeling this article with such a misleading title. No, this is not spyware. From what the rep says, information only goes TO your computer. The only thing that comes FROM it is some registration number, the last time contact was made being used to see if an upgrade is available.

    This is no different than when you start up some antivirus software and it wants to check for updates. Many programs do this sort of thing. Just because this "technology" (wow, what a "technology" talking to a server is) COULD send sensitive information doesn't mean it DOES. Heck, ANY native app can send sensitive information somewhere. So just pre-emptively cool down.
  • "If all it sent was a registration number, why would it need PGP"

    Um, perhaps to ensure nobody sniffed the data on the wire maybe??

    The point is, just because it CAN be done, doesn't mean it is happening. Slashdot gets all fired up about all sorts of hypotheticals then looks stupid when that isn't the case.
  • >What are we to do about, say, the president of a mid-size corporation who keeps company financial records on the same PC that his 6-year-old uses to play shareware games?

    Have the 6 yr old do the protection. No way he's gonna let some cracker screw up his game of Purple Dinosaur Massacre and his porn collection.

    //rdj
  • Yes, but I believe that the program only removes programs which he finds and manually adds to his program, it can't detect unknown spyware.
    It's basically a virus scanner for spyware, it's only as good as its data file.

  • consumer pods

    I think it's time they began hearing en masse from some of us pods. They have a cleverly obscure web form [mattel.com] for contact. Here's the two cents I sent:

    For a year or more I have been noting your bad behavior on the internet. You sue at the drop of a hat for some pretty nebulous reasons. I've read all about the employee with the carpal tunnel problems you harassed. This morning I read about your DSSAgent spyware being included in children's CD-ROMs. My children are grown, however, as one who is about to become a grandparent in plural, I wanted to let you know that until I see some evidence of a reformed, forward-thinking attitude with regard to the internet (on which, I might point out, your company is a GUEST, rather than an OWNER OF) no grandchild of mine will receive Mattel products. I have five brothers, all with children and grandchildren, and will be emailing them as well as posting to the family website my strong recommendation that they boycott Mattel and the reasons why. I see your attitude even boils down to the level of this "e-mail form", which displays such a tiny amount of the message body that it is very difficult to compose/edit a message here.

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • They mention COPPA in the article and how they supposedly removed the DSS program after it was passed, but that's not my point. Why do politicians rally over laws like COPPA but do almost nothing for consumer rights? Sure helping the kids is nice, but those kids are going to grow up and deal with this crap on an adult level. Where's the FTC then?

    What really gets me is that this kind of legislation isn't passed because politicians really care anything about privacy; it's passed because "Fighting for children's rights" looks so good for next election's commercials.
  • All the software has to do is look like a web browser or Telnet client and the firewall will probably let it through.

    No, at least not for ZoneAlarm. It doesn't decide for you what it lets through. When a program tries to connect to the net, eg. your e-mail program or browser, it'll alert you and you can decide whether you want to allow it or disallow it. Programs are not allowed to access the net by default. However, there's no accounting for user stupidity and your idea holds that if they make it seem like a telnet client or browser, the user might be clueless enough to let it through. Not likely, but maybe.

  • For those using windows, running "netstat -a 5" will show you all currently open connections. A nice program similar to windump is Z-monitor [xyzsoft.com]. Easy to use, logs all connections so you can see where info is being sent from your computer. Shareware though.
  • > you should configure your dial on demand server to not trigger on this kind of traffic...

    Read the message. This traffic is a plain HTTP Post request, nothing fancy. If you block "this kind of traffic", you essentially make that windows box unusable for surfing.

    Btw, I agree with linux_penguin's "dickhead" comment, why was that marked as flamebait? Especially since many people (Europe) actually pay for their local phone calls.

  • In a reply to my comment on the Learning Company earlier in this discussion, someone refers to The Software Conspiracy [softwareconspiracy.com] which quotes Bill Gates:

    There are no significant bugs in our released software that any significant number of users want fixed... The reason we come up with new versions is not to fix bugs. It's absolutely not. It's the stupidest reason to buy a new version I ever heard... And so, in no sense, is stability a reason to move to a new version. It's never a reason.
  • While it might be reasonable for a poorly written or QA'ed program to crash, what is inexcusable is for the whole operating system to crash because of the behavior of a user application.

    And in this case, it wasn't just an instance of the OS that crashed, it was the whole ship's network - note my mention that the ship had to be towed back to port as a result of user error at a keyboard.

    Now imagine this happened during live battle.

  • I have a good friend who worked at the Learning Company for quite some time, and he told me no end of horror stories about an utter disregard for engineering quality, lack of concern for usability, maintainability of code or anything that sounded remotely like common sense.

    They'd basically just ship all their applications when they could get them to more or less run and not when they were running reliably. The mere fact that a child's educational program would crash six ways to Sunday from normal usage would not stop them from shipping a product.

    I could easily see some junior programmer there telling a manager that they could easily write a program to scoop god knows what off a child's hard drive and send it on in for data-mining driven marketing purposes, and this being implemented as a standard feature without being run through corporate lawyers or even a moment's thought as to whether this would ultimately get them sued - or arrested.

    They have similarly enlightened personnel policies, which is why my friend was happy to tell me these stories on a regular basis.

    I'm pretty amazed that the Learning Company lasted as long as it did. I know it had no end of financial trouble - is it still even in business?

    Mattel clearly didn't do an adequate due diligence when they bought the company. Or at least they didn't involve any engineers in the process.

    Considering what my friend told me, not just occasionally but almost every time I spoke to him during his period of employment there, I'm surprised the engineers could even get their code to compile and link, let alone ship it in a shrink-wrapped box.

    Words I live by: Make a Bonfire of Your Reputations [goingware.com]

    Mike

    Tilting at Windmills for a Better Tomorrow
  • I don't remember the name of the daemon, as I'm in linux now, but I know that Quicken installs a daemon that uses about 4 megabytes of memory that runs all the time when windows is operating.

    I feel the need to use Quicken to access online banking so I haven't got away from this. The one thing I do is kill it in the task manager when I remember.

    I'll be very happy when there is an open-source online banking solution I can run from linux. Yeah, right - get the banks to cooperate with the Penguin!

    Also when I was beta testing Windows 2000 I noticed that often I couldn't get my programs to compile because realplay.exe was consuming 99% of the CPU time - when I wasn't connected to the net or listening to music.

  • When I got a cable modem I noticed that network performance under windows was often very poor and I'd have a lot of blinking lights on my modem when I left my laptop idle.

    I installed some firewall software (eSafe Desktop Security or something like that - search for "firewall" on Tucows) and reinstalled service pack 6 for NT.

    After the firewall installation the mysterious blinking lights went away. Something's still not quite right with my NT installation. I can't reinstall the whole system because of my 18 GB hard drive.

    This is one reason I've finally become a regular linux user - it started because I could get good performance browsing the web via my cable modem, and it stayed because I can log in as a regular user with no special privileges, but then "su" when I want to do an administrative task.

    One thing I did on NT also was take away administrator privileges for my own user, and log in as administrator when I want to install something, but it's a real pain because I can't look at the calendar - don't have privileges - and Quicken needs to reinitialize its networking preferences every time I go online.

    When my friend who got the same kind of laptop got a cable modem, I kept telling him to get a firewall, and he thought this was ridiculous, even with the distributed DOS attacks using hacked machines and stuff, and I sent him lots of URLs about people discovering hacker daemons on their home PCs when they got windows firewalls.

    This guy is a very experienced computer programmer. What are we to do about, say, the president of a mid-size corporation who keeps company financial records on the same PC that his 6-year-old uses to play shareware games?

  • If so, Billminder consumes four megabytes of physical memory constantly (if that's what the mem column in the process list means). Or is it virtual memory?

    That's an awful lot for a checkbook program to consume on a laptop with 128MB.

    Consider that there are lots of Windows boxes out there with only 32 MB of RAM I think that's excessive.

    And I don't want Billminder - I never asked for it.

  • They've already accumulated enough negative karma that they're all going to have to spend the next thousand lifetimes as slugs.

    I hope no one was surprised by this story. Mattel seems to be one of the most evil companies on the planet. From the sorehands guy's case to the implementation of their censorware, they've been a bunch of evil fucks all along. I expect the next story we hear about them will be that they perform inhuman experiments on kittens. Or something.

  • Yes, some of the new installers ask you if you want to install "Brodcast", but the old installers don't, and even if you say no the DSSAgent is still installed but not activated. So their methods are still questionable. This is quite interesting considering the fact that the installer didn't mention anything about Brodcast until after the Children's Online Privacy Protection Act went into effect.

    Joshua Yambert
  • I have to use NT at work, and sometimes win98 at home, and of course have had a lot of fun trying to resurrect a dying OS on several occasions.

    I'm no expert on windows (nor do I wish to be), but there are always programs/services running which I don't know anything about. When a program locks up the system, I sometimes try to kill it to fix the problem, but if I don't know its name and things are really bad, I just start killing unknown processes (what the hell, it's not like I'm going to be able to save the system anyway).

    Now I wonder what those things are: I kill them and nothing happens - sometimes the OS continues without the process and works fine. I know some of them are supposed to be there, but how many are set up by installers without asking me? Or worse still, I could have Back Orifice or something running without my knowledge.

    I'd really like to know where the hell information on these services is, and how I can find out what the processes are. And I'd prefer actual documentation to some proprietary program which will sanitise my PC for me without telling me what it's doing.

    Another pet peeve: how the hell do I get rid of startup programs? I empty the "Startup" folder like a good luser, and have even dug through the registry getting rid of some programs, but I still have annoying programs popping up on startup that I can't get rid of.

    Is there any sane way of setting up a windows box? (OK, this is rhetorical just in case anyone's tempted to try to answer it.)

  • It would be simplicity itself to demonstrate that you do not have the crypto keys

    How?

    RIP is fundamentally broken on technical grounds, as well as fundamentally immoral. This is a good example of just why it's unworkable.

    Under the current draft of RIP, StealthBarbie here lays you open to prosecution. It's unlikely to happen, but it's no more daft than the conviction of the Cambridge Two.

  • ROFL!

    How does this sit with the UK RIP Bill? If Mattel are sending secret crypto from my machine, what should I do if Jack Straw's stormtroopers turn up on my doorstep demanding the keys? Send Barbie to jail for two years?

    I think there's a really good T shirt design in here somewhere. Barbie, through a jail cell window, and a caption along the lines of "Strong Crypto - Why can Mattel use it to snoop, but I can't secure my email?"

  • If I want unknown comms going on with my machinery, then I will ask for it. Any company or grouping that installs such unspecified back doors onto my equipment without my permission will be regarded in much the same light as someone installing a copy of BackOrifice.

    I trust Mattel just about enough to believe they're not going to deliberately steal my banking details. OTOH, I strongly suspect that they will start snooping marketing demographics on my kids, and history tells us that implementation of such things is often pretty poor - What happens if the next "I Love You" outbreak is actually an exploit for a weakly secured Barbieserver? Auto-downloaded pr0n startup banners for anyone running Barbieprograms?

  • Man bites Dog is a story, Dog bites Man isn't

    Governments are expected to behave like arrogant bastards who think they have a God-given right to snoop. The Australian story is interesting and should be run, but it's no surprise that Australia (which is pretty dodgy on this issue already) has just slid one notch further down.

    OTOH, if you can't trust Barbie, who can you trust?

    What about people with prosthetic fingers made from Barbie's knee joints? (Scientific American a month or two back) Should they be worried about what their hands get up to when they're not looking?

  • I'm not sure what relation The Learning Company has to all of this, but this may help some people out:

    The Learning Company [learningco.com], a producer of educational games and software, was purchased by Mattel sometime last year.

  • It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.

    You make it sound like people aren't doing this already. My roommate (she who so stridently claimed that "my child will never watch television") has been using the tube as a babysitter while she plays Ultima Online. My sister babysat a child who would spend at least six hours a day watching tapes of Barney and Friends-- and would howl like a banshee between the time the tape ended, and Carolyn popped the next one in (bear in mind that this was a direct instruction from the child's parent).

    The MTV Kids generation is all around us, drooling in their oh-so-expensive Gap Kids and Tommy H. wardrobes.

    Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.

  • How long was that bug in PGP that didn't generate random keys? Almost a year? Unless you read and understand the source it's no help. 90% of linux users praise its greatness, then download a tarball, ./configure;make;make install without reading it. Good job.

    This is another example of bad slashdot reporting. Right now all you know is that it "may" send back information, but you have no idea what. How about researching and providing facts to back this up? Oh wait.... As long as you get those banner hits it doesn't matter.
  • This just goes to show you what a company is willing to go through or endure just to earn your buck, whether it be by ad placement or information collection. In my book though, Mattel is just digging itself a really deep hole. First censorship and now hidden information collection. I'm waiting to see what else they can screw up.

  • I thought that Mattel manufactured a handful of the M16s used in Vietnam. Am I mistaken? I am pretty sure that they, or one of their subsidiaries, have manufactured weapons.
  • You can configure AtGuard to grant/deny network access by executable as well as by address & port. If you are concerned that program X might be leaking information over port n, just create a rule to deny X.exe from making outbound connections on that port.

    That being said, I don't think that you can ever rely 100% on a monitor/firewall that's running on the same machine as the suspect program. The only way to be REALLY safe is to have a second (clean, trusted) machine sniffing packets off the wire.


    "The axiom 'An honest man has nothing to fear from the police'

  • Blockquoth the poster (Moses Lawson):

    > The application does not contact the server ever. Not when it launches or at any other time. There is a background process that talks to the server once a day (maybe every two days)

    Um, that's supposed to be better than having the app do it? Personally, I really despise the little fly-on-the-wall background apps that lurk and wait. That's even more of an invasion of privacy, since the user has no good reason to connect the background app to the one that installed them.

    No matter how you dice it, this little "feature" is one step away from spyware, and it's a teensy step at that. How do we know that it's not collecting info? How do we know its mission wasn't expanded after you wrote it? This was a tremendous screw-up on Broderbund's part and they cannot finesse their way out, no matter how "benign" the software was intended to be.

  • Blockquoth the poster:

    > there does not seem to be a way to turn this feature off

    I believe all you have to do is call up the ZoneAlarm console, click the Alerts tab, and deselect "Log to a text file".
  • Blockquoth the poster:

    > Oh my god! when you run ICQ, it fetches a MOTD from icq's server! INVASION OF PRIVACY!

    > Oh no.. when I run Unreal Tournament, it fetches a web page from the UT site and tells me if I have upgrades! EVERY TIME I RUN IT! what a violation of privacy!

    Um, it's not an "invasion" when you ask them in. There are several significant differences between the Mattel case and the ones you mention:

    (a) Most importantly, you are informed of these behaviors ... you know exactly what's going on and why.

    (b) Also, the cases you mention involve directly the functionality of the system. In other words, the ICQ MOTD allows ICQ to alert users (if need be) of changes in the system. The UT update check allows UT to notify you of, well, updates -- enhancements or fixes of behavior of the software. Because these network interactions directly affect the performance of the software, in a relatively obvious manner, it's reasonable for the companies to expect that you know about them. But Mattel's software did not enhance the program, check for bug fixes, or do anything else that could reasonably be construed as vital to the operation of the software. It allowed them to update ads, in a splash screen.

    (c) I don't know this for a fact, but I'd be willing to go out on a limb: When the ICQ program retrieves the MOTD, it is the ICQ program -- not some other mysterious program tucked away in your registry -- that retrieves the MOTD. When the UT engine retrieves updates, it is the UT engine -- not some deceptive, hidden daemon -- that goes out and retrieves the update. But here, it is not the software you (thought you) purchased that does the Net connect. It is a different program, installed quietly and (originally) without notification or approval, that sits in the background and, without informing you, does a Net connect.

    If you don't see that these fall into different classes, well, I'm not responsible for your misapprehension. But they are different and the Mattel case is more sinister.

  • After reading this I checked my machine - only to find DSSAgent running! I suggest that we submit this obvious trojan to McAfee and other virus detector companies. Obviously I will never purchase any more software from them.
  • First of all, thanks for this reply. It was very interesting to see what the thing does from the horse's mouth. The problem as I see it is that regardless of how 'harmless' DSSAgent was, the company responsible simply had no right at all to install it secretly. I know that it must have been installed secretly because I'm the only one to install apps on my machine, and I would never agree to having an app download stuff off the internet without me checking the content first.
  • If Mattel includes this feature in their international versions they are walking on very thin ice. Ohhh! Plus those bad, bad guys would be exporting encryption. Do they have a license? Did they register with the feds? Isn't that a federal crime if they don't?
    Domestic laws (Switzerland) make it a federal crime, punishable by lengthy jail time, to steal business information and trade secrets (it's considered industrial espionage and the authorities take a dim view on that). I run a business and my computers most definitely contain proprietary and confidential data. Not only from my company, but also from my customers, which include telcos, worldwide operating freight forwarding companies, international organisations with immunity status, etc.
    So, let's run that sucker, gather as much evidence as possible and then have a chat with the local DA.
    Provided that the DA is interested (0.7 possibility :>) does that mean that Mattel's country manager is going to jail? Most likely not. Does that mean that the local Mattel office (or their distributor) is having a real hard time and a shitload of trouble? Likely. I can possibly prove that they sucked data (unauthorized and without my knowledge) from my company's computer. They must prove that it's no confidential data, which should be hard, painful & cost them a lot.
    If stuff like this continues I might just be up for it.
    Do those bozos actually consider that they might be breaking (criminal) laws in other countries and that the world does not only consist of the US of A?
    What a bunch of wanking losers...
  • At the moment there are a few applications with spyware and almost exclusively for Windows.

    How long will it be before spyware as a requirement starts making it into the EULAs for new applications?

    You know. You're not licensed to use this application unless you agree that information can be sent back to the publishers.

    I can see this kind of requirement turning up in stuff that would otherwise be free software. MP3 players etc. Scary.
  • For anyone who hasn't seen it mentioned before, ZoneAlarm by ZoneLabs [zonelabs.com] is a fairly decent (for Windows) program... It lets you allow/disallow network/Internet connectivity on a per-program basis... the first time an application attempts to use the Internet connection, ZoneAlarm prompts you and asks if you want to allow the access. I used it for a short while and it got to be annoying with all the 'net programs I was installing... but for normal home use it works wonderfully. And since it's free for non-commercial use... you'd have to be nuts to not use it if you needed an outbound firewall...
  • COPA absolutely applies in this situation. The Children On-line Protection Act was designed in 1997 precisely for these purposes: to protect aggressive merchants from collecting sensitive data from children without the consent of a parent or legal guardian.

    -o Disclaimer: My employer doesn't even agree with me about C indentation style. o-
  • by Jason Earl ( 1894 ) on Wednesday June 14, 2000 @08:33PM (#1001318) Homepage Journal

    A trojan is an advertisement server that steals my bandwidth (and possibly my private information) disguised as a children's game. The difference between Netscape's bug tracking software and this agent is quite obvious. Netscape's bug tracking software asks my permission. Mattel doesn't bother with something as old fashioned as permission.

  • by saw ( 5768 ) on Thursday June 15, 2000 @03:19AM (#1001319)
    I don't know what software put the DSS stuff on my machine. I don't have the software referred to in the article, but I do have other Broderbund games. I find the following files that have DSS in them.

    /WINDOWS/BBSTORE/DSS
    /WINDOWS/BBSTORE/DSS/DSSAGENT.EXE
    /WINDOWS/BBSTORE/DSS/temp.$$$
    /WINDOWS/SYSTEM/DSSBASE.DLL
    /WINDOWS/SYSTEM/DSSSIG.EXE

    Using "strings" on DSSAGENT.EXE shows that it has a PGP key. Running "pgp" on the key gives:

    DSS 4096/1024 0xF8EABB3F 1997/12/05 NRobins
    sig? 0xF8EABB3F (Unknown signator, can't be checked)

    There is also a temp file in /WINDOWS/BBSTORE/DSS that is XML. I am not sure how to include that file here without it getting mangled, but it looks like a file that gets sent to www.brodcast.net. It has in it "DSS V1.0", interval of 86400 seconds (1 day) and a SIG line that looks fairly encrypted. ("iQA/AwUBOJn/KCElolv46rs/EQKCWACfYmhHchvKNf/izSGI mO3yEECbJBcAoMV7hR2SELS5eF2IKuRJPNCTVUE4 ")

    Another note. I just installed ipchains masquerading on my linux box. Behind this "firewall" are a couple of Windows machines for the kids. I have run "ipchains -M -L" periodically and always noticed an open connection from one of these machines to www.brodcast.net. I just thought it was one of the zillion things the kids have downloaded. Now I know to block that site with ipchains.

  • by Seumas ( 6865 ) on Wednesday June 14, 2000 @07:24PM (#1001320)
    This is also another good reason to use a program such as ZoneAlarm [zonelabs.com] (free) or other similar individual firewalls and proxies. Just because you're stuck on Windows doesn't mean you should forfeit all of your privacy.
    ---
    icq:2057699
    seumas.com
  • by Seumas ( 6865 ) on Wednesday June 14, 2000 @08:04PM (#1001321)
    Yeah, but I physically went to the Fatbrain/ComputerLiteracy bookstore.

    I'm pretty sure they didn't stick any cookies in my pants when I walked in the door. ;)


    ---
    icq:2057699
    seumas.com

  • by mindstrm ( 20013 ) on Saturday June 17, 2000 @07:24AM (#1001322)
    You know what? This is just like when we get the media telling us that our 'innocent' hacker tools are 'illegal, malicious' hacker tools.

    Like the guy said.. once a day this app runs, and simply says to the server 'got any new images?' and that's *ALL*.

    Could the same framework be used for spyware? Sure. So could *any* software for that matter.

    Oh my god! when you run ICQ, it fetches a MOTD from icq's server! INVASION OF PRIVACY!

    Oh no.. when I run Unreal Tournament, it fetches a web page from the UT site and tells me if I have upgrades! EVERY TIME I RUN IT! what a violation of privacy!

    Oh no... you mean, with mattel software, once in a while it fetches new banners? umm..
  • by dublin ( 31215 ) on Wednesday June 14, 2000 @09:14PM (#1001323) Homepage
    I have a good friend who worked at the Learning Company for quite some time, and he told me no end of horror stories about an utter disregard for engineering quality, lack of concern for usability, maintainability of code or anything that sounded remotely like common sense. They'd basically just ship all their applications when they could get them to more or less run and not when they were running reliability.[sic]

    And this somehow distinguishes them from the rest of the software industry? Not a chance. Check out Mark Minasi's http://www.softwareconspiracy.com/ [softwareconspiracy.com] book for more info, but the dirty "secret" of the software industry is that darn near all software development is done like that today. It shouldn't be, but it is. I've seen enough to know - the hardware mfrs are even worse...
  • I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.

    No, you're not. A reporter where I work broke a story based on such information that she found in a company press release. The company believed that their merger plans were a secret because they had deleted them from the release, but this reporter happened to stumble into this "preview changes" mode and saw the plans there. The company was pissed.

  • by SweenyTod ( 47651 ) <sweenytod.sweenytod@com> on Wednesday June 14, 2000 @11:01PM (#1001325) Homepage
    Yeah, sorry - I meant to include it in my original message. /. really needs an edit message function.

    Try this story on Yahoo. [yahoo.com] It's fairly brief, but you get the message.
  • by BLiP2 ( 54296 ) on Thursday June 15, 2000 @01:19AM (#1001326)
    Several pieces of software I can recommend.
    1. Netstat: Standard inclusion in both windows and *nix, spits out a summary of all the network connections that are currently active, and where they're going. Downside, won't detect dormant programs.
    2. Samspade [samspade.org]: excellent network tools suite, from simple pings to remote port scans (use responsibly, of course!). Web based and downloadable version.
    3. Startup Manager [delphifreestuff.com]. Freeware software for windows that scans all your startup menu and registry entries so you can see everything that has been told to start with your computer. Enable/Disable/remove them etc.
    4. Wintop [microsoft.com]. (Part of the MS kernel toys pack). Windows version of the *nix "top" program, shows everything currently running on your computer. Useful for finding the little hidden programs that don't want you to know they're there.
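    Several comments in this thread (the "netstat -a 5" suggestion earlier, saw's ipchains observation of a standing connection to www.brodcast.net, and item 1 of the list above) rely on reading connection listings by eye. The following is an added example, not code from the thread or from any tool named in it: a small Python parser for the Windows `netstat -a` output format that flags established TCP connections to hosts outside an allowlist. The sample listing, the `kidspc` machine name, the allowlist contents and every host name other than www.brodcast.net are constructed for illustration.

```python
"""Flag unexpected outbound connections in Windows `netstat -a` output.

Added example, not from the Slashdot thread. The sample listing below is
constructed to resemble a Windows 9x/NT `netstat -a` listing; the machine
name, the allowlist and the hosts other than www.brodcast.net are assumptions.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample of `netstat -a` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    kidspc:1032            www.brodcast.net:80    ESTABLISHED
  TCP    kidspc:1033            mail.example.net:110   TIME_WAIT
  TCP    kidspc:139             0.0.0.0:0              LISTENING
  TCP    kidspc:1034            www.example.org:80     ESTABLISHED
  UDP    kidspc:137             *:*
"""

# Hosts the operator expects this machine to talk to (assumed for the example).
ALLOWLIST = {"mail.example.net", "www.example.org"}

# Endpoints that name no remote peer; nothing to report for these.
_NO_PEER = {"0.0.0.0", "*", "127.0.0.1", "localhost"}

# proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.IGNORECASE)


def split_endpoint(endpoint: str) -> tuple[str, str]:
    """Split 'host:port' on the last colon so IPv6 literals are not mangled."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:
        return endpoint, ""
    return host, port


def parse_netstat(text: str) -> list[dict]:
    """Turn netstat rows into records; the banner, header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        fhost, fport = split_endpoint(foreign)
        records.append({
            "proto": proto.upper(),
            "local": local,
            "foreign_host": fhost,
            "foreign_port": fport,
            "state": (state or "").upper(),
        })
    return records


def unexpected_peers(text: str, allowlist: Iterable[str] = ALLOWLIST) -> list[str]:
    """Return 'host:port' for live TCP sessions to hosts outside the allowlist."""
    allowed = {h.lower() for h in allowlist}
    findings = []
    for rec in parse_netstat(text):
        host = rec["foreign_host"].lower()
        if host in _NO_PEER or host in allowed:
            continue
        # Only an ESTABLISHED TCP session shows something talking right now;
        # listeners and TIME_WAIT leftovers are noise for this purpose.
        if rec["proto"] == "TCP" and rec["state"] == "ESTABLISHED":
            findings.append(f'{rec["foreign_host"]}:{rec["foreign_port"]}')
    return findings


if __name__ == "__main__":
    for peer in unexpected_peers(SAMPLE_NETSTAT):
        print("unexpected outbound connection:", peer)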
  • by unquiet ( 64767 ) on Wednesday June 14, 2000 @08:42PM (#1001327) Homepage
    This is the same company that uses child labor in Chinese sweatshops [thenation.com] to manufacture toys. I would no more buy a product from Mattel than I would enslave and work a child in conditions that should have gone out with the dark ages . . . which of course, Mattel does by proxy.

  • by Pfhreakaz0id ( 82141 ) on Thursday June 15, 2000 @02:36AM (#1001328)
    I hate to sound a repetitive note here, but I'm a BIG fan of ZoneAlarm for just this reason. Try www.zonelabs.com [htpp]. It's nice because it alerts you (and offers the option to block any program trying to connect to the internet. And it's easy enough to use that you can recommend it to even the most computer illiterate. And before I get flamed, no, there isn't a Linux version. But it is free for non-business use.
    ---
  • by www.sorehands.com ( 142825 ) on Saturday June 17, 2000 @06:46AM (#1001329) Homepage
    When you wrote it was not spyware. Does that mean it's not now?

    Something like this is in CyberPatrol too, to check for updates of the CyberNot list.

    There has been talk of beta programs monitoring keystrokes to see what users do, so the product could be improved. This can easily be perverted. At one company, people asked if CyberPatrol being used to track attempts at accessing "forbidden" sites to keep track of employees.

    When at MSI, while a similar product to CyberPatrol was being developed, I would get calls from the CEO and asked what certain programs were. These programs are ones on my machine that I was running. They were working on control usage of programs. I would get calls and asked what's b.exe or l.exe.

    You say that was the intent when you wrote it. But what about after you leave? I have little trust in their ethics.

    MSI admitted, under oath, they monitored my internet access from home when I asked for a what would be a reasonable accomodation under the ADA. When asked why, still under oath, they said it was to check up on me because I asked for a reasonable accomodation.

  • by Tarsh ( 144250 ) on Wednesday June 14, 2000 @07:08PM (#1001330) Homepage
    Man.... How scary, I don't want half the worl knowing I have a barbie collection...
  • by fugu23 ( 198144 ) on Wednesday June 14, 2000 @09:48PM (#1001331)
    Here is some truth about Mattel and software. Back a few years ago, the head of the Barbie Doll division of Mattel (Jill Barad) became CEO of Mattel in what was considered at the time to be a reasonably unfriendly coup. After her rise, Mattel made two major purchases- one was the American Girl company (they make dolls, for 780 million) and one was the Learning Company (they 'make' software, and Mattel spent from 3-4 _b_illion dollars on the company). After the acquisition of the Learning Company (who had bought Broderbund a bit earlier to being bought by Mattel), Mattel went into serious E-Toy mode and released many many software packages, electronic gear, web sites, etc. It was Jill Barad's way of getting into the 'new market'. Well, as time passed, and people realized the new software sucked (ie- they stopped buying it...which is a BIG CLUE to those who are seeking to end the corporate realm. Make a product that doesn't suck and is easy to use and people will buy it), and, well, they stopped buying it. As of last year, the Learning Company division of Mattel lost some 1.1 billion dollars (equal, interestingly enough, to the amount of money that the Barbie doll division made in profit), Jill Barad was fired as CEO of Mattel (as of about April, interestingly enough, the same time that the DSS stopped shipping, according to the article), and Mattel, while still retaining its title of the largest toy maker on the planet, has suffered greatly- its stock has dropped from a high of near $60 down to around the $12-$15 mark. And _that_, dear friends, is the story of Mattel and the Learning Company. :) Open Source seems to be a good answer. Not buying shit software is a good answer. Let's be honest, many people who are reading (this far into this) are responsible for buying software that runs at your homes or offices. Choose wisely. Use your power. :) bye... r.
  • by Moses Lawn ( 201138 ) on Thursday June 15, 2000 @02:53PM (#1001332)
    Where does Broderbund get off using a product someone paid for to pitch more products?

    You mean like a newspaper or cable TV?

    Seriously, how exactly is showing a 320x200 JPEG (for 15 seconds) that advertises a product you just might want to buy an invasion of your privacy? Admittedly, it's a little tacky, but so are many things in life. You don't have to look at it - you can check the "don't show this again" box that shows on each splash screen, you can choose not to install it in the first place, or you can make it go away by clicking on it (at least you used to, unless someone has changed it since I left).

    And to head off another concern - it doesn't make the app take any longer to load, it just replaces the default splash screen that shows while the memory hog of an app starts up.

    And where was the programmer with the developed sense of ethics to bring this to the attention of his employer?
    Right here, actually. I brought up the ethical issues numerous times, to the point of being a pain in the ass about it. The upshot? It was going to happen anyway, and what it does is really not that bad. If not for people like me complaining, you wouldn't even be able to turn it off.

  • OK, but you have just proven yourself the most stupid man alive. Pretty benign eh? Ok, so if Im using your product on a windows box on my network, with my Dial-on-demand RedHat server, what happens if Im not there? You dickhead

    Well, thank you for that thoughtful and polite comment. As was (I thought) pointed out previously, we went to great lengths to only try to talk to the server if there is a currently active connection, by enumerating the active RAS (dialup networking, essentially) connections in the system. If there is no RAS connection, we don't dial.

    If RAS is not installed, and there is a network card, yeah, we assume there is a connection. So yeah, your modem will dial once a day. You have the inactivity timeout set to hang up after 5 minutes or so, right? Kinda annoying, but that was the design decision. Wasn't my idea. It hardly puts me in the "stupidest man alive" category, I must say.

    But remember, this is consumer software. 99% of our customers did what we expected - installed in on their home machine, connecting to the net with a modem, or installed it at work with a network. Sorry about your home network situation, but you can't write software that takes every possible variable or future change in underlying system design (remember, this was written 3 years ago. Windows has changed quite a bit since then. New bugs^H^H^Hfeatures come along all the time.) into account.

  • by tzanger ( 1575 ) on Thursday June 15, 2000 @03:25AM (#1001334) Homepage

    Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.

    I'm not quite sure about the whole "not being able to afford a babysitter" part. I work two jobs (okay one and a half, it's still 12-14 hours a day) and my wife just started afternoons at a factory. The kids (4 and 7mos) are at a babysitter from 2:30pm to 6:30pm. That costs us a whole $20 a day (approx $400/mo) to have them looked after by someone who doesn't just plop them down in front of the TV.

    With Vanessa (that's my wife) working, she makes about $9.50 an hour breathing fuzz and tying knots (she works at a yarn manufacturer). That means she'll bring home approximately $1600 before taxes every month. Since she's in such a low tax bracket let's say they knock off 15%. That's $1400 a month she brings home, or after daycare (which we wouldn't need if she weren't working) $1000 we didn't have before.

    Factory work is damn near everywhere. Yes it's hot, it's awful, it's mind-blisteringly boring... but it's work. And 9 times out of 10 it's above $6/hr ($4 being minimum wage here). I would wager a guess that those moaning that there is no work (especially in America, jeez, every time I'm down there there's signs for help wanted EVERYWHERE) have their standards set too high. Hell even at the shitty factory my wife works at she can be in the highest pay tier in 12 months if she does good.

    TV-babysat kids don't save you any money. They cost you a lot in the long run. My kids watch TV at least once every two days (sometimes more than I'd like) but they aren't raised by it. Once my son figured out that TV shows and movies had to end sometime ("Why's it over?!") he had no problem turning off the tube and playing with cars, tormenting his sister, getting dirty outside or getting into my stuff. And the little one is happier trying to figure out how to get Cheerios into her mouth or watching her big brother than she is in any TV show. Maybe we're just lucky or maybe it has something to do with the fact that we don't use the TV as a babysitter.

  • by Jason Earl ( 1894 ) on Wednesday June 14, 2000 @07:25PM (#1001335) Homepage Journal

    If there is one thing that I think single handedly guarantees the continued existence of the Open Source movement it is stuff like this. Software companies have gotten so arrogant that it is absolutely crazy. Honestly, you can't even buy a simple children's game nowadays without worrying about a company foisting Trojan horse software on you. Did Mattel honestly think that they wouldn't get caught? Did they think that no one would care? If the commercial software houses keep this stuff up then pretty soon even the most neophyte computer users will be demanding that the source code to their software be "open."

    Even more ironic is the fact that Mattel was probably using this software to gather marketing information. Imagine their surprise when they come to the conclusion that 99 out of 100 Americans don't feel like purchasing software from companies that might potentially be spying on their children!

  • by Seumas ( 6865 ) on Wednesday June 14, 2000 @07:20PM (#1001336)
    Good timing.

    I was just at ComputerLiteracy/Fatbrain today and after picking up a bunch of Oreilly books and a couple Neal Stephenson books, found myself thumbing through Database Nation (Simson Garfinkel/O'Reilly). It looks like an interesting read. I think there was a slashdot review on it, but I missed most of it. Anyway, after reading the absurd account on Salon, I'm going to move Database Nation to the top of my reading list and get started immediately.

    You know, it seems that this kind of behavior on Mattel's part would fly directly in the face of the recently passed law requiring that websites who know their users are under 13 years old and collect personal data on them, must require parental authorization. Sure, this isn't a website, but it's virtually the same thing -- and probably just as bad.

    It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.
    ---
    icq:2057699
    seumas.com

  • by Detritus ( 11846 ) on Wednesday June 14, 2000 @09:04PM (#1001337) Homepage
    The problem with any "code of ethics" is that you can't have responsibility without authority. A civil engineering project has to be reviewed and approved by a Professional Engineer (P.E.); this is a matter of law in many places. There is no analogous law for software engineering. Even though most employers categorize them as "exempt", using the rationale that they are professionals, like doctors or lawyers, programmers and software engineers rarely have the authority associated with the traditional professions.
  • by Zico ( 14255 ) on Wednesday June 14, 2000 @08:19PM (#1001338)

    where even the average e-shopper is so worried about "electronic privacy"

    First off, if your "average e-shopper" is so worried about electronic privacy, then what are they doing e-shopping? Do you have any statistics to back up your statement that they are "so" worried about it? Secondly, if you've paid attention to e-commerce snafus, you'll realize that they've come from poor administration, most often from not configuring database connections properly and not applying patches, not from the presence or absence of source code. Hell, even the Apache Group itself got its website hacked -- source code didn't protect them, because they didn't follow the proper procedures for the open source software that they had installed on their server.

    Microsoft Internet Explorer warns you constantly not to install untrusted plugins

    Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not. If not, it seems like a pretty accurate warning, giving you the option to install plugins that you might want, like from Macromedia, but telling you that installing one from somebody you know nothing about might not be such a hot idea. Personally, I find web browsing using only open source tools to be a pretty boring experience, even much more so before Mozilla started up.

    where the ILOVEYOU e-mail worm did six billion dollars worth of damage

    Sorry again, but the ILOVEYOU trojan was open source. I believe that someone even posted it here at Slashdot. If you get tricked into running something bad, the presence or absence of source isn't going to help you. See wu-ftpd.

    Cheers,
    ZicoKnows@hotmail.com

  • If what the article claims is true, they could be looking at $11,000 fines for each violation of the Childrens' Online Privacy Protection Act. That would be cool.

    They'd be on the bad (defendant) side of the legal system for a change.

  • by QBasic_Dude ( 196998 ) on Wednesday June 14, 2000 @07:10PM (#1001340) Homepage
    Gibson Research's opt out [grc.com] utility can remove unwelcome spyware. GRC also maintains a list [grc.com] of suspected spyware and other useful privacy resources including a FAQ [grc.com].
  • by QBasic_Dude ( 196998 ) on Wednesday June 14, 2000 @07:59PM (#1001341) Homepage

    Currently the freeware version of Optout can only detect and remove Aureate/Radiate/Binary Bliss (advert.dll) spyware. However, this type of spyware is embedded in hundreds of freeware products.

    If you're looking for a utility to detect all Spyware, you will have to do it yourself using a program such as tcpdump [tcpdump.org] or windump [polito.it].
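The comment above suggests watching the wire with tcpdump or windump rather than relying on a signature-based remover. As an added example (not from the comment's author, GRC or any tool the thread names), here is a small Go program that does the analysis step by hand: it parses a capture written in `tcpdump -n -tttt` style, keeps only HTTP requests sent by the local machine, and flags destinations that receive a POST on several different days, which is the once-a-day check-in pattern the thread describes. The capture, the addresses and the `/brodcast/check.cgi` path are constructed for the example; a real host name for the Brodcast service is not on the page.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed capture (not a real trace) in `tcpdump -n -tttt` style: a home
// PC at 192.168.1.10 over three days. One host gets a small POST each morning;
// the other is ordinary browsing. Addresses and paths are made up.
var SampleCapture = []string{
	"2000-06-12 09:02:13.110233 IP 192.168.1.10.1032 > 10.9.8.7.80: Flags [P.], seq 1:210, ack 1, win 8760, length 209: HTTP: POST /brodcast/check.cgi HTTP/1.0",
	"2000-06-12 09:02:13.402118 IP 10.9.8.7.80 > 192.168.1.10.1032: Flags [P.], seq 1:512, ack 210, win 8760, length 511: HTTP: HTTP/1.0 200 OK",
	"2000-06-12 09:15:41.000111 IP 192.168.1.10.1033 > 10.9.8.8.80: Flags [P.], seq 1:300, ack 1, win 8760, length 299: HTTP: GET /index.html HTTP/1.0",
	"2000-06-13 09:01:55.220001 IP 192.168.1.10.1040 > 10.9.8.7.80: Flags [P.], seq 1:210, ack 1, win 8760, length 209: HTTP: POST /brodcast/check.cgi HTTP/1.0",
	"2000-06-14 09:03:02.330002 IP 192.168.1.10.1051 > 10.9.8.7.80: Flags [P.], seq 1:210, ack 1, win 8760, length 209: HTTP: POST /brodcast/check.cgi HTTP/1.0",
	"2000-06-14 11:20:00.000000 IP 192.168.1.10.1052 > 10.9.8.8.80: Flags [P.], seq 1:300, ack 1, win 8760, length 299: HTTP: GET /news.html HTTP/1.0",
	"2000-06-14 11:20:00.500000 IP 192.168.1.10.1053 > 10.9.8.8.80: Flags [S], seq 0, win 8192, length 0",
}

// One tcpdump line: timestamp, source ip.port, destination ip.port, and the
// optional "HTTP: <request line>" decode at the end.
var lineRe = regexp.MustCompile(`^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: .*?length \d+(?:: HTTP: (.+))?$`)

// Request is one outbound packet that carried an HTTP request line.
type Request struct {
	When   time.Time
	Method string
	Path   string
}

// OutboundHTTP groups the HTTP requests sent by localIP, keyed by destination
// address. Packets from other hosts, packets without an HTTP decode, and
// response lines ("HTTP/1.0 200 OK") are ignored.
func OutboundHTTP(lines []string, localIP string) map[string][]Request {
	out := map[string][]Request{}
	for _, l := range lines {
		m := lineRe.FindStringSubmatch(l)
		if m == nil || m[2] != localIP || m[4] == "" {
			continue
		}
		fields := strings.Fields(m[4])
		if len(fields) < 2 || strings.HasPrefix(fields[0], "HTTP/") {
			continue
		}
		when, err := time.Parse("2006-01-02 15:04:05", m[1])
		if err != nil {
			continue
		}
		out[m[3]] = append(out[m[3]], Request{When: when, Method: fields[0], Path: fields[1]})
	}
	return out
}

// Beacons returns, sorted, the destinations that received a POST on at least
// minDays different days. Browsing rarely POSTs to the same host every day;
// a background agent checking in once a day does.
func Beacons(reqs map[string][]Request, minDays int) []string {
	var flagged []string
	for dst, rs := range reqs {
		days := map[string]bool{}
		for _, r := range rs {
			if r.Method == "POST" {
				days[r.When.Format("2006-01-02")] = true
			}
		}
		if len(days) >= minDays {
			flagged = append(flagged, dst)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	reqs := OutboundHTTP(SampleCapture, "192.168.1.10")
	for _, dst := range Beacons(reqs, 3) {
		fmt.Printf("daily POST to %s (%d requests), first path %s\n", dst, len(reqs[dst]), reqs[dst][0].Path)
	}
}
```

On a real capture the POST body is what you would look at next; the point of the grouping is only to find which destination deserves that look, and which process opened the socket is a separate question the packet capture cannot answer on its own.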

  • by Seumas ( 6865 ) on Wednesday June 14, 2000 @08:12PM (#1001342)
    Also when I was beta testing Windows 2000 I noticed that often I couldn't get my programs to compile because realplay.exe was consuming 99% of the CPU time - when I wasn't connected to the net or listening to music.

    Just wait a couple weeks and then go check out RealNetworks' RC5 crunching stats on distributed.net -- then you'll know where your cycles are going! ;)
    ---
    icq:2057699
    seumas.com

  • by Dr.Evil ( 47264 ) on Wednesday June 14, 2000 @07:58PM (#1001343) Homepage

    The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.

    The ACM [acm.org] and the IEEE [ieee.org] consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice [computer.org] in a number of places, to wit:

    3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.

    3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.

    Furthermore, management (i.e. Mattel) is admonished to:

    5.11. Not ask a software engineer to do anything inconsistent with this Code.

    5.12. Not punish anyone for expressing ethical concerns about a project.

    So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.

  • by GnrcMan ( 53534 ) on Wednesday June 14, 2000 @07:35PM (#1001344) Homepage
    You should actually read the article before you post. It explains quite clearly that older versions installed it without notice (he specifically reinstalled the software to check) and since COPA was enacted, they started asking.

    --GnrcMan--
  • by Tackhead ( 54550 ) on Wednesday June 14, 2000 @08:29PM (#1001345)
    Well, if they used PGP to encrypt the transmissions, and exported copies of the software...

    I dunno, I think seeing the brass at Mattel thrown behind bars for arms trafficking would be a good thing. Take your pick.

    • If they go to jail, it's poetic justice for suing people for CPHack
    • If they walk, it'll be because they spent enough money on legislators to buy us sane crypto regs.
    Talk about a win/win situation!
  • by po_boy ( 69692 ) on Wednesday June 14, 2000 @07:33PM (#1001346)
    Here is an allegedly authentic correspondence I dug up after searching around. I'm not sure what relation The Learning Company has to all of this, but this may help some people out:
    Many Broderbund applications use a technology called Brodcast. Brodcast is a way that the splash screen (which is the opening screen you see for a few moments when you start a program) can be changed. DSSAgent is a small application that runs in the background and when it sees an Internet connection, it checks with our Web site to see if a new splash screen graphic is available and, if so, downloads it for you.

    It does not constantly use your Internet connection.


    Sincerely,
    Paul Burchfield
    The Learning Company

  • by goingware ( 85213 ) on Wednesday June 14, 2000 @08:32PM (#1001347) Homepage
    I keep posting this around Slashdot.

    If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ [ncl.ac.uk] or on Usenet news as comp.risks [comp.risks]

    The Risks forum is part of the ACM [acm.org] Committee on Computers and Public Policy.

    You should make a special effort to read Risks if you:

    • Program computers
    • Make policy decisions involving computers (managers, government etc.)
    • Depend on computers for your life or safety (do you fly on airplanes?)
    • Operate computers in situations where they affect life or safety
    You will see computers in a different light after reading Risks for a while, and maybe it will affect the decisions you make regarding them and the way you write and test your code. Consider this article I posted:

    USS Yorktown dead in water after divide by zero [ncl.ac.uk]

    The Navy got rid of its more robust warship operating systems and replaced them with Windows NT [geometricvisions.com]. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.

    Security concerns, viruses and the like are discussed extensively in Risks.

    Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:

    I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written.

    We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience. It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.

    This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.

    Do you have any loved ones in the hospital with a life-threatening medical condition?

    On 26 Feb 1998, WFAA TV (Channel 8) in Dallas turned on their new digital HDTV signal. As a result, 12 heart monitors stopped working in a Baylor University Medical Center heart surgery recovery unit; they happened to be on the same frequency. The monitors were made in the mid-1980s, and were slated for replacement. [But the patients weren't?] In the interim, WFAA has stopped transmitting -- because there are no commercial receivers yet anyway. [Source: * Dallas Morning News*, 5 Mar 1998. PGN Abstracting]

    Peter G. Neumann [sri.com], moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.

    It has ISBN 020155805X and you can purchase it online from:

    If you teach a course in programming in any school (even high school), I suggest you put the book on the recommended reading list. If you teach a course on embedded or fault-tolerant computing, I urge you to include it in the required reading.

    Mike

    Tilting at Windmills for a Better Tomorrow
  • by Nicholas Vining ( 104178 ) on Wednesday June 14, 2000 @07:18PM (#1001348)
    In this age where even the average e-shopper is so worried about "electronic privacy", where Microsoft Internet Explorer warns you constantly not to install untrusted plugins, and where the ILOVEYOU e-mail worm did six billion dollars worth of damage, it constantly amazes me that consumers in general still run software which hasn't been inspected by a reliable and unbiased third party. Perhaps people's trust of the Big Corporations has grown to such a point that we automatically assume that "they wouldn't be spying on us, they're our friends"; or perhaps it's because the 92% of the population that uses Windows 95 fails to see the risk.

    Hopefully people will eventually learn that you shouldn't trust any software that you can't inspect, or that somebody else can't inspect for you. Would you buy a car if you weren't allowed to look under the hood, take it for a test drive, or even open the door before you signed the purchase agreement?

    Isn't it an odd world we live in?

    Nicholas
  • by Moses Lawn ( 201138 ) on Thursday June 15, 2000 @09:44AM (#1001349)
    I always wondered when someone was going to find this. To address everybody's biggest concerns:

    It is NOT spyware.
    It does NOT look for or send any personal, private, or public information about you or your system.
    It does NOT use encryption - it uses PGP digital signatures.
    It was NOT designed for kids' products - it was designed for all products.

    I worked for Broderbund from 1995 until about a year ago. Maybe 3 years ago, my then-manager came to me with an idea he had dreamed up for giving applications new and different splash screens every time they started up. This would give us the ability to pitch related products (if you had Print Shop, we could try to sell you Presswriter, or special clip art at Christmas) and tell you about upgrades. There was also talk about, eventually, having some form of 2-way communication with users. Thus was born Dynamic Splash Screens, or DSS.
    I had a number of big problems with the idea, mainly with the idea of advertising and with the obvious invasion-of-privacy issues. I pointed out (rather stridently) that we could have serious legal and P.R. problems with this, not to mention the heinous ethical problems, and that we were in danger of ruining our (at the time very good) reputation. Wisely, all ideas for this were dropped except for the splash screens. Pretty benign.
    Here's the communication protocol:
    Periodically (by default, once a day), the background app wakes up, pulls a list of IDs of installed DSS-enabled apps out of the registry, and sends them to the Brodcast site via HTTP POST. It receives an XML page, PGP-signed, that either says "Nothing new, go back to sleep" (99% of the time) or describes a new splash screen (name, dates to display, time to show, location of JPEG file). It then retrieves the pieces (generally 2k chunks) of the JPEG, verifies their PGP signature, and reassembles them.
    When a DSS-enabled app starts, it looks in the registry to see if it has a new splash screen to show. If so, it displays the JPEG (along with a "never show this again" checkbox) for 10 seconds or so, instead of the app's normal splash screen.
    The PGP signing is to make sure nobody can hijack the URL and send bogus images. There is no encryption. Try this: take the XML page, remove the signature (between SIG and /SIG), run the rest of the page through PGP with the key that a previous poster pulled out of dssagent.exe, and they *should* match. Nothing really secret here.
    That said, I was never really comfortable with the whole idea. In fact, part of the reason I left the company was a plan (later dropped) to add "targeted advertising". While some of the comments posted here are way over the top (it's just plain paranoid to suggest rogue employees sending kiddie porn or stealing financial info), I agree that it was begging for trouble to do something like this. However, there was always (while I was there) a (relatively) clearly-stated installer screen that asked if you wanted this. Always. Regardless of what Simson Garfinkel remembers.
    As to why the DSS agent was installed if the user said no, you can blame Install Shield and its charming installation scripts.
    Anyway, there it is. Annoying, misguided maybe, but not so sinister. Oh, and the Mattel-Broderbund connection? A bottom-feeding sleazeball company called Softkey bought The Learning Company, took them over like a hermit crab, then bought Broderbund (and ran them deeply into the ground), and was, in turn, bought by Mattel (and proceeded to lose $200 million for them in one quarter, putting Mattel CEO Jill Barad's career in the ground).
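The protocol described in the comment above is signed-but-not-encrypted: the client strips a signature element from the XML page, verifies the rest against a key baked into the agent, and then verifies each image chunk before reassembling. As an added example (not Broderbund's code, and not the real Brodcast XML schema), here is a Go model of both sides of that exchange. Ed25519 from Go's standard library stands in for PGP, the manifest layout and the `chunk:<index>:` prefix are constructed, and the chunk size of 2k is the figure the comment gives. What it shows is the property the poster claims: anyone who hijacks the URL can alter the page or the image bytes, but without the signing key the client discards the result.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"regexp"
)

// The <SIG>...</SIG> element is the one detail taken from the comment; the
// rest of the manifest layout is constructed for this example.
var sigRe = regexp.MustCompile(`(?s)<SIG>(.*?)</SIG>`)

// NewKeyPair stands in for the publisher's PGP key (Ed25519 is used here
// because it ships in Go's standard library; the sign/verify flow is the same).
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest (server side) signs the XML body and appends the signature as
// a <SIG> element, so the client can strip it and verify what remains.
func SignManifest(priv ed25519.PrivateKey, body []byte) []byte {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))
	return []byte(string(body) + "<SIG>" + sig + "</SIG>")
}

// VerifyManifest (client side) returns the body only if its signature checks
// out. A missing, malformed or wrong signature means the page is discarded.
func VerifyManifest(pub ed25519.PublicKey, page []byte) ([]byte, error) {
	loc := sigRe.FindSubmatchIndex(page)
	if loc == nil {
		return nil, errors.New("manifest has no <SIG> element")
	}
	sig, err := base64.StdEncoding.DecodeString(string(page[loc[2]:loc[3]]))
	if err != nil {
		return nil, fmt.Errorf("malformed signature: %w", err)
	}
	body := append(append([]byte{}, page[:loc[0]]...), page[loc[1]:]...)
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("manifest signature does not verify")
	}
	return body, nil
}

// SignedChunk is one piece of the splash JPEG as the server would serve it.
type SignedChunk struct {
	Index int
	Data  []byte
	Sig   []byte
}

// chunkMsg binds the index into the signed bytes (constructed convention), so
// a genuine chunk cannot be replayed at a different position in the image.
func chunkMsg(i int, data []byte) []byte {
	return append([]byte(fmt.Sprintf("chunk:%d:", i)), data...)
}

// SplitAndSign (server side) cuts the image into pieces of size bytes and
// signs each one.
func SplitAndSign(priv ed25519.PrivateKey, img []byte, size int) []SignedChunk {
	var out []SignedChunk
	for i := 0; i*size < len(img); i++ {
		end := (i + 1) * size
		if end > len(img) {
			end = len(img)
		}
		piece := img[i*size : end]
		out = append(out, SignedChunk{Index: i, Data: piece, Sig: ed25519.Sign(priv, chunkMsg(i, piece))})
	}
	return out
}

// AssembleImage (client side) verifies every chunk before reassembling; one
// bad or misplaced chunk rejects the whole image rather than writing a partial file.
func AssembleImage(pub ed25519.PublicKey, chunks []SignedChunk) ([]byte, error) {
	var buf bytes.Buffer
	for i, c := range chunks {
		if c.Index != i {
			return nil, fmt.Errorf("chunk %d arrived at position %d", c.Index, i)
		}
		if !ed25519.Verify(pub, chunkMsg(c.Index, c.Data), c.Sig) {
			return nil, fmt.Errorf("chunk %d failed signature check", i)
		}
		buf.Write(c.Data)
	}
	return buf.Bytes(), nil
}

func main() {
	pub, priv := NewKeyPair()
	page := SignManifest(priv, []byte(`<DSS><SPLASH name="winter" url="http://example.invalid/w.jpg"/></DSS>`))
	body, err := VerifyManifest(pub, page)
	fmt.Printf("manifest accepted=%v body=%s\n", err == nil, body)
}
```

Note what the scheme does and does not give you: the client can trust that the page and image came from whoever holds the key, but the POST the agent sends (the list of installed app IDs) travels in the clear, which is exactly why a packet capture answers the thread's question about what is being sent.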
