Software that can spy on you BY SIMSON GARFINKEL (06/15/00)
I'm the ex-Broderbund programmer that wrote the DSS software that Simson Garfinkel wrote about. Here's exactly what it does: It provides dynamic splash screens (hence the initials) that show when the application starts up. Nothing more, nothing less. It doesn't spy on you, it doesn't look for or send any personal, private or other kind of data. It doesn't use any encryption whatsoever, but it does digitally sign its content. It simply sends you the occasional JPEG file.
It was designed to be used by all Broderbund programs, not as something to invade children's privacy. The idea is that, if you owned Print Shop, you might see a startup screen plugging an upgraded version, or perhaps a related Broderbund product. Periodically, the agent wakes up, checks to see if you're online and, if you are, sends a list of DSS-enabled products you have installed. It receives either a message saying "go back to sleep -- nothing new" (99 percent of the time), or a JPEG file used as a new splash screen meant for an application you have. When Print Shop starts up in early May, it might show for 15 seconds an ad for free Mother's Day clip art. It's as simple as that.
There were plans to add the ability to add new content to some applications that could use it (say, adding new levels to a game), but that was never implemented. Points to Garfinkel for finding the Pretty Good Privacy (PGP) code, and the e-mail and Web references. However, he jumps to several erroneous conclusions. We used PGP to digitally sign each data chunk we receive to ensure that all communications come directly from Broderbund, not to hide anything by encryption.
The agent was built using a networking library (that I also wrote) that has lots of features, but all it uses is the ability to talk to a specific Web server via HTTP. Why HTTP? Because most firewalls let it through. Garfinkel gets most exercised because the software is installed in the Windows system directory (that directory always exists; the agent is shared by all Broderbund programs), that we "went to great lengths" to hide it (we didn't), that it runs at startup (I have at least half a dozen things on my system that have installed themselves to run at startup without asking), that it gets installed even if he didn't ask for it (has he ever looked at the gunk in a default Windows install that he will never use?), and that there was no copyright message (it's on the Properties tab, just like for every other system file). He gets most upset when he imagines that this might be part of kids' software.
Exactly where is information about anyone being collected, with or without their consent? He discovers something he doesn't understand and reflexively assumes his privacy is being invaded. And to throw around groundless fears about rogue Mattel employees stealing your financial information or sending you kiddie porn is simply paranoid at best and possibly libelous at worst. By the way, he must have missed the part of the installation where it asks if you want the Brodcast feature activated. It's been there from the very beginning. Mattel might have changed its installers when the COPPA went through, but that's just because they're paranoid too. Oh, and about that bug that tried to dial his modem when he was offline? Sorry about that. We jumped through hoops to keep that from happening. It worked perfectly when I wrote the code three years ago, but, unfortunately, Windows has grown and nobody has touched that code since. Nobody is left at the company that even knows that code exists, let alone how to modify it to make it invasive, build it and ship it out.
-- Tom Chipperfield
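The check the letter above describes (accept a splash image only if its signature verifies as coming from the vendor) is sketched here as an added example; it is not Broderbund's code. Ed25519 from the Go standard library stands in for the PGP signature, and the `Response` type, `Accept` function, message layout and sample bytes are all assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Response models one reply to the agent's periodic poll (hypothetical layout).
type Response struct {
	NothingNew bool   // "go back to sleep -- nothing new"
	Product    string // installed product the image is meant for
	JPEG, Sig  []byte // new splash image and its detached signature
}

// signedBytes binds the image to its target product: Product || 0x00 || JPEG.
func signedBytes(product string, jpeg []byte) []byte {
	return append(append([]byte(product), 0), jpeg...)
}

// Accept returns the image only when it targets an installed product, the
// signature verifies under the vendor key, and the payload starts like a JPEG.
func Accept(pub ed25519.PublicKey, installed map[string]bool, r Response) ([]byte, error) {
	if r.NothingNew {
		return nil, nil
	}
	if !installed[r.Product] {
		return nil, errors.New("image for a product that is not installed")
	}
	if !ed25519.Verify(pub, signedBytes(r.Product, r.JPEG), r.Sig) {
		return nil, errors.New("signature check failed")
	}
	if !bytes.HasPrefix(r.JPEG, []byte{0xFF, 0xD8, 0xFF}) {
		return nil, errors.New("payload is not a JPEG")
	}
	return r.JPEG, nil
}

// Demo checks a genuine reply and one altered in transit (constructed data, throwaway key).
func Demo() (genuine, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	r := Response{Product: "Print Shop", JPEG: []byte{0xFF, 0xD8, 0xFF, 0xE0, 'd', 'e', 'm', 'o'}}
	r.Sig = ed25519.Sign(priv, signedBytes(r.Product, r.JPEG))
	inst := map[string]bool{"Print Shop": true}
	_, genuine = Accept(pub, inst, r)
	r.JPEG[5] ^= 1 // one bit changed after signing
	_, tampered = Accept(pub, inst, r)
	return
}
func main() { fmt.Println(Demo()) }
```

A signature of this kind authenticates what the client receives; it says nothing about what the client sends, which is the part of the exchange a user would inspect with a packet monitor.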
Welcome to the wonderful world of closed source software. It is sad that they chose to include such a program in their distribution. However, it serves as a poignant reminder of the risks we take when we use closed source software, purchased or free. The fact is, any software company can do this to you: Microsoft, Apple, Oracle, and so forth. To me, open source software is not about stability or adding the features I want, but about freedom and maintaining control over my information. I hope that this unfortunate revelation will help others see closed source software for the danger that it poses.
-- Gary Jackson
If you're seriously concerned about your computer privacy, if you're fed up with virus attacks, and if you're truly alarmed by the flood of stories about one company after another doing things on your computer behind your back, stop using Windows. Get a Macintosh, where these problems simply don't exist. And it's not because "so few people use Macs no one bothers with them," as Windows apologists and Microsoft PR types proclaim, it is because the Macintosh operating system, unlike Windows, always does what its operator tells it to do -- and nothing else. While Macs have only one door, which only their operators can open, every programmer in the world knows that Windows has more back doors than a New Orleans cat house. And most assume Microsoft either put or left them there on purpose.
-- Ted Logan
More and more programs are designed to transmit information without your knowing it. Steve Gibson, programmer and founder of the Gibson Research Corporation, found this out the hard way and decided to do something about it. He created "ShieldsUp!" and "OptOut" to scan for open ports that appear to be less-than-benevolent (his idea is "if I didn't put it there, it's not benevolent on my system, and if you didn't put it there, it's not benevolent on your system"), and to scan for ad-ware and other idiocy that communicates over the Internet without your knowledge or consent. Furthermore, he links to ZoneAlarm, which is a nifty utility from ZoneLabs.com that tracks all attempts to use your network by any packet coming in or going out, as well as allowing you to specify, on a per-application basis, exactly what applications you want to be able to use the network. It's free for personal use, $19.95 for business use, and (while I don't mean to sound like an employee of the company, because I'm not) it's the greatest thing for distributed network security since packet filtering was invented. I'm a network administrator for a living and I've been dealing with multi-user system security issues since before I was legal to drive (I'm 23 now). It appears that the large corporations are just going to push and prod and poke holes in the fabric of the laws that hold our society together, and there isn't anything that we're going to be able to do about it.
-- Mat Butler