Mattel Spyware

Yet another company has been caught surreptitiously uploading information from their customers. This time, it was Mattel, who I would have thought would have already reached their "bad PR" quota this year by suing the people who distributed CPHack. But no; they're spying on the children who use their software too, and Simson Garfinkel raises some very important points. A hint for all the /. readers who are handy with a debugger: you want to get your 15 minutes of fame, just figure out what information the DSSagent program is sending and let us know.

Re:Netscape quality feeback agent

A trojan is an advertisement server that steals my bandwidth (and possibly my private information) disguised as a children's game. The difference between Netscape's bug tracking software and this agent are quite obvious. Netscape's bug tracking software asks my permission. Mattell doesn't bother with something as old fashioned as permission.

PGP key in DSSAGENT

I don't know what software put the DSS stuff on my machine. I don't have the software refered to in the article, but I do have other broderbund games. I find the following files that have DSS in them.

/WINDOWS/BBSTORE/DSS
/WINDOWS/BBSTORE/DSS/DSSAGENT.EXE
/WINDOWS/BBSTORE/DSS/temp.$$$
/WINDOWS/SYSTEM/DSSBASE.DLL
/WINDOWS/SYSTEM/DSSSIG.EXE

Using "strings" on DSSAGENT.EXE shows that it has a a PGP key. Running "pgp" on the key gives:

DSS 4096/1024 0xF8EABB3F 1997/12/05 NRobins
sig? 0xF8EABB3F (Unknown signator, can't be checked)

There is also a temp file in /WINDOWS/BBSTORE/DSS that is XML. I am not sure how to include that file here without it getting mangled, but it looks like a file that gets sent to www.brodcast.net. It has in it "DSS V1.0", interval of 86400 seconds (1 day) and a SIG line that looks fairly encrypted. ("iQA/AwUBOJn/KCElolv46rs/EQKCWACfYmhHchvKNf/izSGI mO3yEECbJBcAoMV7hR2SELS5eF2IKuRJPNCTVUE4 ")

Another note. I just installed ipchains masquerading on my linux box. Behind this "firewall" are a couple of Windows machines for the kids. I have run "ipchains -M -L" periodically and always noticed an open connection from one of these machines to www.brodcast.net. I just thought it was one of the zillion things the kids have downloaded. Now I know to block that site with ipchains.

Re:Spyware Removal

This is also another good reason to use a program such as ZoneAlarm [zonelabs.com] (free) or other similar individual firewalls and proxies. Just because you're stuck on Windows doesn't mean you should forfeit all of your privacy.
---
icq:2057699
seumas.com

Re:The Really Ironic thing is

Yeah, but I physically went to the Fatbrain/ComputerLiteracy bookstore.

I'm pretty sure they didn't stick any cookies in my pants when I walked in the door. ;)

---
icq:2057699
seumas.com

Get a grip

You know what? this is just like when we get the media telling us that our 'innocent' hacker tools are 'illegal, malicious' hacker tools.

Like the guys aid.. once a day this app runs, and simply says to the server 'got any new images?' and that's *ALL*.

Could the same framework be used for spyware? Sure. So could *any* software for that matter.

Oh my god! when you run ICQ, it fetches a MOTD from icq's server! INVASION OF PRIVACY!

Oh no.. when I run Unreal Tournament, it fetches a web page from the UT site and tells me if I have upgrades! EVERY TIME I RUN IT! what a violation of privacy!

Oh no... you mean, with mattel software, once in a while it fetches new banners? umm..

Re:Mattel and the Learning Company are screwed up

I have a good friend who worked at the Learning Company for quite some time, and he told me no end of horror stories about an utter disregard for engineering quality, lack of concern for usability, maintainability of code or anything that sounded remotely like common sense. They'd basically just ship all their applications when they could get them to more or less run and not when they were running reliability.[sic]

And this somehow distinguishes them from the rest of the sofware industry? Not a chance. Check out Mark Minasi's http://www.softwareconspiracy.com/ [softwareconspiracy.com] book for more info, but the dirty "secret" of the software industry is that darn near all software development is done like that today. It shouldn't be, but it is. I've seen enough to know - the hardware mfrs are even worse...

Re:Why You Need to Read the Risks Forum

I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.

No, you're not. A reporter where I work broke a story based on such information that she found in a company press release. The company believed that their merger plans were a secret because they had deleted them from the release, but this reporter happened to stumble into this "preview changes" mode and saw the plans there. The company was pissed.

Re:I don't get it.

Yeah, sorry - I meant to include it in my original message. /. really needs an edit message function.

Try this story on Yahoo. [yahoo.com] It's fairly brief, but you get the message.

Re:Some Advice Needed!!! -- Useful software

Several pieces of software I can reccomend.

1. Netstat: Standard inclusion in both windows and *nix, spits out a summary of all the netowork connections that are currently active, and where they're going. Downside, won't detect dormant programs.
2. Samspade [samspade.org] : excellent network tools suite, from simple pings to remote port scans (use responsibly, of course!). Web based and downloadable version
3. Starup Manager [delphifreestuff.com] . Freeware software for windows that scans all your startup menu and registry entires so you can see every things that has been told to start with your computer. Enable/Disable/remove them ect.
4. Wintop [microsoft.com] . (Part of the MS kernel toys pack). Windows version of the *nix "top" program, shows everything currently running on your computer. useful for finding the little hidden programs that don't want you to know they're there.

Mattel was already on my shit list

This is the same company that uses child labor in Chinese sweatshops [thenation.com] to manufacture toys. I would no more buy a product from Mattel than I would enslave and work a child in conditions that should have gone out with the dark ages . . . which of course, Mattel does by proxy.

Again, run ZoneAlarm

I hate to sound a repetitive note here, but I'm a BIG fan of ZoneAlarm for just this reason. Try www.zonelabs.com [htpp]. It's nice because it alerts you (and offers the option to block any program trying to connect to the internet. And it's easy enough to use that you can recommend it to even the most computer illiterate. And before I get flamed, no, there isn't a Linux version. But it is free for non-business use.
---

Not spyware then.

When you wrote it was not spyware. Does that mean it's not now?

Something like this is in CyberPatrol too, to check for updates of the CyberNot list.

There has been talk of beta programs monitoring keystrokes to see what users do, so the product could be improved. This can easily be perverted. At one company, people asked if CyberPatrol being used to track attempts at accessing "forbidden" sites to keep track of employees.

When at MSI, while a similar product to CyberPatrol was being developed, I would get calls from the CEO and asked what certain programs were. These programs are ones on my machine that I was running. They were working on control usage of programs. I would get calls and asked what's b.exe or l.exe.

You say that was the intent when you wrote it. But what about after you leave? I have little trust in their ethics.

MSI admitted, under oath, they monitored my internet access from home when I asked for a what would be a reasonable accomodation under the ADA. When asked why, still under oath, they said it was to check up on me because I asked for a reasonable accomodation.

heh,

Man.... How scary, I don't want half the worl knowing I have a barbie collection...

Re:Mattel and the Learning Company are screwed up

Here is some truth about Mattel and software. Back a few years ago, the head of the Barbie Doll division of Mattel (Jill Barad) became CEO of Mattel in what was considered at the time to be a reasonably unfriendly coup. After her rise, Mattel made two major purchases- one was the American Girl company (they make dolls, for 780 million) and one was the Learning Company (they 'make' software, and Mattel spent from 3-4 _b_illion dollars on the company). After the acquisition of the Learning Company (who had bought Broderbund a bit earlier to being bought by Mattel), Mattel went into serious E-Toy mode and released many many software packages, electronic gear, web sites, etc. It was Jill Barad's way of getting into the 'new market'. Well, as time passed, and people realized the new software sucked (ie- they stopped buying it...which is a BIG CLUE to those who are seeking to end the corporate realm. Make a product that doesn't suck and is easy to use and people will buy it), and, well, they stopped buying it. As of last year, the Learning Company division of Mattel lost some 1.1 billion dollars (equal, interestingly enough, to the amount of money that the Barbie doll division made in profit), Jill Barad was fired as CEO of Mattel (as of about April, interestingly enough, the same time that the DSS stopped shipping, according to the article), and Mattel, while still retaining its title of the largest toy maker on the planet, has suffered greatly- its stock has dropped from a high of near $60 down to around the $12-$15 mark. And _that_, dear friends, is the story of Mattel and the Learning Company. :) Open Source seems to be a good answer. Not buying shit software is a good answer. Let's be honest, many people who are reading (this far into this) are responsible for buying software that runs at your homes or offices. Choose wisely. Use your power. :) bye... r.

Re:I wrote that code - I'll tell you what it does

Where does Broderbund get off using a product someone paid for to pitch more products?

You mean like a newspaper or cable TV?

Seriously, how exactly is showing a 320x200 JPEG (for 15 seconds) that advertises a product you just might want to buy an invasion of your privacy? Admittedly, it's a little tacky, but so are many things in life. You don't have to look at it - you can check the "don't show this again" box that shows on each splash screen, you can choose not to install it in the first place, or you can make it go away by clicking on it (at least you used to, unless someone has changed it since I left).

And to head off another concern - it doesn't make the app take any longer to load, it just replaces the default splash screen that shows while the memory hog of an app starts up.

And where was the programmer with the developed sense of ethics to bring this to the attention of his employer?
Right here, actually. I brought up the ethical issues numerous times, to the point of being a pain in the ass about it. The upshot? It was going to happen anyway, and what it does is really not that bad. If not for people like me complaining, you wouldn't even be able to turn it off.

Re:I wrote that code - I'll tell you what it does

OK, but you have just proven yourself the most stupid man alive. Pretty benign eh? Ok, so if Im using your product on a windows box on my network, with my Dial-on-demand RedHat server, what happens if Im not there? You dickhead

Well, thank you for that thoughtful and polite comment. As was (I thought) pointed out previously, we went to great lengths to only try to talk to the server if there is a currently active connection, by enumerating the active RAS (dialup networking, essentially) connections in the system. If there is no RAS connection, we don't dial.

If RAS is not installed, and there is a network card, yeah, we assume there is a connection. So yeah, your modem will dial once a day. You have the inactivity timeout set to hang up after 5 minutes or so, right? Kinda annoying, but that was the design decision. Wasn't my idea. It hardly puts me in the "stupidest man alive" category, I must say.

But remember, this is consumer software. 99% of our customers did what we expected - installed in on their home machine, connecting to the net with a modem, or installed it at work with a network. Sorry about your home network situation, but you can't write software that takes every possible variable or future change in underlying system design (remember, this was written 3 years ago. Windows has changed quite a bit since then. New bugs^H^H^Hfeatures come along all the time.) into account.

Re:Database Nation

Part of the problem is, people are having kids, and they don't give a damn past the birth. There are a lot of affluent folk out there who just want the kids (and the dog) for show-- to prove that they're "good, family people;" there are a lot of less-affluent people that are having kids, and can't afford not to have the TV babysit for them. On the third hand, there are people who are having kids, and just don't give a rat's ass one way or the other.

I'm not quite sure about the whole "not being able to afford a babysitter" part. I work two jobs (okay one and a half, it's still 12-14 hours a day) and my wife just started afternoons at a factory. The kids (4 and 7mos) are at a babysitter from 2:30pm to 6:30pm. That costs us a whole $20 a day (approx $400/mo) to have them looked after by someone who doesn't just plop them down in front of the TV.

With Vanessa (that's my wife) working, she makes about $9.50 an hour breathing fuzz and tying knots (she works at a yarn manufacturer). That means she'll bring home approximately $1600 before taxes every month. Since she's in such a low tax bracket let's say they knock off 15%. That's $1400 a month she brings home, or after daycare (which we wouldn't need if she weren't working) $1000 we didn't have before.

Factory work is damn near everywhere. Yes it's hot, it's awful, it's mind-blisteringly boring... but it's work. And 9 times out of 10 it's above $6/hr ($4 being minimum wage here). I would wager a guess that those moaning that there is no work (especially in America, jeez, every time I'm down there there's signs for help wanted EVERYWHERE) have their standards set too high. Hell even at the shitty factory my wife works at she can be in the highest pay tier in 12 months if she does good.

TV-babysat kids don't save you any money. They cost you a lot in the long run. My kids watch TV at least once every two days (sometimes more than I'd like) but they aren't raised by it. Once my son figured out that TV shows and movies had to end sometime ("Why's it over?!") he had no problem turning off the tube and playing with cars, tormenting his sister, getting dirty outside or getting into my stuff. And the little one is happier trying to figure out how to get Cheerios into her mouth or watching her big brother than she is in any TV show. Maybe we're just lucky or maybe it has something to do with the fact that we don't use the TV as a babysitter.

Which consumers asked for this feature?

If there is one thing that I think single handedly guarantees the continued existance of the Open Source movement it is stuff like this. Software companies have gotten so arrogant that it is absolutely crazy. Honestly, you can't even buy a simple children's game nowadays without worrying about a company foisting Trojan horse software on you. Did Mattel honestly think that they wouldn't get caught? Did they think that no one would care? If the commercial software houses keep this stuff up then pretty soon even the most neophyte computer users will be demanding that the source code to their software be "open."

Even more ironic is the fact that Mattel was probably using this software to gather marketing information. Imagine their surprise when they come to the conclusion that 99 out of 100 Americans don't feel like purchasing software from companies that might potentially be spying on their children!

Database Nation

Good timing.

I was just at ComputerLiteracy/Fatbrain today and after picking up a bunch of Oreilly books and a couple Neal Stephenson books, found myself thumbing through Database Nation (Simson Garfkinkel/O'Reilly). It looks like an interesting read. I think there was a slashdot review on it, but I missed most of it. Anyway, after reading the absurd account on Salon, I'm going to move Database Nation to the top of my reading list and get started immediately.

You know, it seems that this kind of behavior on Mattel's part would fly directly in the face of the recently passed law requiring that websites who know their users are under 13 years old and collect personal data on them, must require parental authorization. Sure, this isn't a website, but it's virtually the same thing -- and probably just as bad.

It seems we're no longer raising children, but breeding consumer pods. Fuck it, let Mattel and MTV raise your kids, I guess.
---
icq:2057699
seumas.com

Re:What disappoints me...

The problem with any "code of ethics" is that you can't have responsibility without authority. A civil engineering project has to be reviewed and approved by a Professional Engineer (P.E.), this is a matter of law in many places. There is no analogous law for software engineering. Even though most employers categorize them as "exempt", using the rationale that they are professionals, like doctors or lawyers, programmers and software engineers rarely have the authority associated with the traditional professions.

What do your examples have to do with anything?

where even the average e-shopper is so worried about "electronic privacy"

First off, if your "average e-shopper" is so worried about electronic privacy, then what are they doing e-shopping? Do you have any statistics to back up your statement that they are "so" worried about it? Secondly, if you've paid attention to e-commerce snafus, you'll realize that they've come from poor administration, most often from not configuring database connections properly and not applying patches, not from the presence or absence of source code. Hell, even the Apache Group itself got its website hacked -- source code didn't protect them, because they didn't follow the proper procedures for the open source software that they had installed on their server.

Microsoft Internet Explorer warns you constantly not to install untrusted plugins

Constantly? You're kidding, right? If it really bothers you, just go into your options and disable all downloading of plugins, signed or not. If not, it seems like a pretty accurate warning, giving you the option to install plugins that you might want, like from Macromedia, but telling you that installing one from somebody you know nothing about might not be such a hot idea. Personally, I find web browsing using only open source tools to be a pretty boring experience, even much more so before Mozilla started up.

where the ILOVEYOU e-mail worm did six billion dollars worth of damage

Sorry again, but the ILOVEYOU trojan was open source. I believe that someone even posted it here at Slashdot. If you get tricked into running something bad, the presence or absence of source isn't going to help you. See wu-ftpd.

Cheers,
ZicoKnows@hotmail.com

spying on children too... risky indeed

If what the article claims is true, they could be looking at $11,000 fines for each violation of the Childrens' Online Privacy Protection Act. That would be cool.

They'd be on the bad (defendant) side of the legal system for a change.

Spyware Removal

Gibson Research's opt out [grc.com] utility can remove unwelcome spyware. GRC also maintains a list [grc.com] of suspected spyware and other useful privacy resources including a FAQ [grc.com].

Re:Spyware Removal

Currently the freeware version of Optout only can detect and remove Aureate/Radiate/Binary Bliss (advert.dll) spyware. However, this type of spyware is embedded in hundreds of freeware products.

If you're looking for a utility to detect all Spyware, you will have to do it yourself using a program such as tcpdump [tcpdump.org] or windump [polito.it].

Re:Why does Quicken run all the time?

Also when I was beta testing Windows 2000 I noticed that often I couldn't get my programs to compile because realplay.exe was consuming 99% of the CPU time - when I wasn't connected to the net or listening to music.

Just wait a couple weeks and then go check-out RealNetworks' RC5 crunching stats on distributed.net -- then you'll know where your cycles are going! ;)
---
icq:2057699
seumas.com

What disappoints me...

The disappointing thing about cases like this is that the software professionals who write these programs apparently don't consider ethical behavior to be a priority.

The ACM [acm.org] and the IEEE [ieee.org] consider user privacy to be so important that it appears in their joint Software Engineering Code of Ethics and Professional Practice [computer.org] in a number of places, to wit:

3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.

3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.

Furthermore, management (i.e. Mattel) is admonished to:

5.11. Not ask a software engineer to do anything inconsistent with this Code.

5.12. Not punish anyone for expressing ethical concerns about a project.

So why do products like this keep appearing? I realize that just because something's unethical doesn't make it illegal, but still... it's dismaying, to say the least.

Re:But Mattel _asks_ if you want it!

You should actually read the article before you post. It explains quite clearly that older versions installed it without notice (he specifically reinstalled the software to check) and since COPA was enacted, they started asking.

--GnrcMan--

Arms traffickers!

Well, if they used PGP to encrypt the transmissions, and exported copies of the software...

I dunno, I think seeing the brass at Mattel thrown behind bars for arms trafficking would be a good thing. Take your pick.

• If they go to jail, it's poetic justice for suing people for CPHack
• If they walk, it'll be because they spent enough money on legislators to buy us sane crypto regs.

Talk about a win/win situation!

explanation from the learning company

Here is an allegedly authentic correspondence I dug up after searching around. I'm not sure what relation The Learning Company has to all of this, but this may help some people out:

Many Broderbund applications use a technology called Brodcast. Brodcast is a way that the splash screen (which is the opening screen you see for a few moments when you start a program) can be changed. DSSAgent is a small application that runs in the background and when it sees an Internet connection, it checks with our Web site to see if a new splash screen graphic is available and, if so, downloads it for you.

It does not constantly use your Internet connection.

Sincerely,
Paul Burchfield
The Learning Company

Why You Need to Read the Risks Forum

I keep posting this around Slashdot.

If you're a computer user, you need to read The Forum on Risks to the Public in Computer and Related Systems, available on the web at http://catless.ncl.ac.uk/Risks/ [ncl.ac.uk] on on the Usenet news as comp.risks [comp.risks]

The Risks forum is part of the ACM [acm.org] Committee on Computers and Public Policy.

You should make a special effort to read Risks if you:

• Program computers
• Make policy decisions involving computers (managers, government etc.)
• Depend on computers for your life or safety (do you fly on airplanes?)
• Operate computers in situations where they affect life or safety

You will see computers in a different light after reading Risks for a while, and maybe it will affect the decisions you make regarding them and the way you write and test your code. Consider this article I posted:

USS Yorktown dead in water after divide by zero [ncl.ac.uk]

The Navy got rid of its more robust warship operating systems and replaced them with Windows NT [geometricvisions.com]. As a result of this, when a sailor typed a "0" in a data entry field, the whole shipboard network went down and the proud Yorktown had to be towed back into port.

Security concerns, viruses and the like are discussed extensively in Risks.

Do you use Microsoft Word on Mac or Windows? Do you use it to type confidential documents? Consider this post from a fellow who received a contract from an attorney in Word format:

The scary MSWord residue feature [ncl.ac.uk]

I recently received a legal document as part of a personal negotiation that I am doing. The document was e-mailed to me in MSWord format. As I was showing it to my lawyer (who happens to be my wife), we decided to put our thoughts inline using the track changes feature of word. After selecting Tools, and Track Changes, we clicked on "Highlight changes in document" and voila, suddenly a whole bunch of red appeared on the screen. We looked at it closely and realized that everything in red represented changes in the document that my counterpart's lawyer had written.

We got a good look at the previous version of the contract, as well as a bunch of comments and justifications that the lawyer wrote to his client. It was an eye opening experience. It appears that instead of selecting "Accept all changes" before sending it to me, the other party to the contract simply turned off the highlighting to the track changes feature.

This is obviously a case of an unsophisticated person misusing a feature. However, it is very dangerous. Lawyers send word documents around all the time, and many of them do not really understand all the features that they use, nor should they have to. I imagine that I was not the first person to see some behind the scenes conversation in an important word document, that I was never intended to see.

Do you have any loved ones in the hospital with a life-threatening medical condition?

New HDTV signal shuts down Baylor heart monitors [ncl.ac.uk]

On 26 Feb 1998, WFAA TV (Channel 8) in Dallas turned on their new digital HDTV signal. As a result, 12 heart monitors stopped working in a Baylor University Medical Center heart surgery recovery unit; they happened to be on the same frequency. The monitors were made in the mid-1980s, and were slated for replacement. [But the patients weren't?] In the interim, WFAA has stopped transmitting -- because there are no commercial receivers yet anyway. [Source: * Dallas Morning News*, 5 Mar 1998. PGN Abstracting]

Peter G. Neumann [sri.com], moderator of the Risks forum, wrote a book called Computer Related Risks which draws on the material in the forum and discusses it in more depth.

It has ISBN 020155805X and you can purchase it online from:

• http://www.fatbrain.com [fatbrain.com]
• http://www.barnesandnoble.com [barnesandnoble.com]
• http://www.amazon.com [amazon.com]
• http://www.chapters.ca [chapters.ca] - in Canada

If you teach a course in programming in any school (even high school), I suggest you put the book on the recommended reading list. If you teach a course on embedded or fault-tolerant computing, I urge you to include it in the required reading.

Mike

Tilting at Windmills for a Better Tomorrow

Why open source is nice, part LXXVIII

In this age where even the average e-shopper is so worried about "electronic privacy", where Microsoft Internet Explorer warns you constantly not to install untrusted plugins, and where the ILOVEYOU e-mail worm did six billion dollars worth of damage, it constantly amazes me that consumers in general still run software which hasn't been inspected by a reliable and unbiased third party. Perhaps people's trust of the Big Corporations have grown to such a point that we automatically assume that "they wouldn't be spying on us, they're our friends"; or perhaps it's because the 92% of the population that uses Windows 95 fails to see the risk.

Hopefully people will eventually learn that you shouldn't trust any software that you can't inspect, or that somebody else can't inspect for you. Wo