
Like their Privacy Policy ?


qwerty

Jan 13, 2001, 9:58:58 AM

med...@shore.net wrote:


>>>> 3) "If ABCTracker is registered, it will connect to ABCServer
>>>> servers to verify registration every time you run it.
>>>> ABCTracker sends the registration code together with
>>>> a unique ID specific to the computer to ABCServer servers.
>>>> This information is used for registration verification
>>>> only. If the verification is successful, then the information
>>>> about the verification request is immediately discarded.
>>>> If the verification fails, then the verification information
>>>> is logged, including the registration code, unique ID and IP Address"
>>>
>>>
>>> This, it would seem to me, is to find cracked copies of their software.
>>> If they detect a cracked copy, they record info to help them track down the
>>> person running it and probably send them a cease-and-desist nastygram. If
>>> the reg is legit, they discard the info immediately. Assuming you take them
>>> at their word that they actually do this, it seems reasonable.
>>
>>
>> The 'fun' part is, this starts after you have paid to get rid of the ad.
>> You give them your credit card number and ... they start to track
>> you together with those who stole the software.
>
> Which part of "This information is used for registration verification
> only. If the verification is successful, then the information
> about the verification request is immediately discarded." is unclear
> to you?
>


Communication between your software and your servers
which cannot be stopped by the user is a potential security hole.

Is that unclear to anybody in the world?

> Go to http://www.quotetracker.com/register.htm and read the
> second paragraph from the top. It reads: "NOTE: If you register,
> QuoteTracker will authenticate the registration with our main servers at
> the start of every session. This behavior is described on our Privacy
> page. If you object to this for some reason, please do not register."


You have not been sitting still since my post.
I read your help file and see that I did not distort or miss anything.

BTW, does this sound like one of numerous similar hints for me to shut up and go away?
Thanks, if not. Then please tell me how, without registering, I can make QT
communicate only with web sites I trust (say, just Etrade)
*and* get rid of the QT advertisement?

>> You know why?
>> Because they do not believe you.
>> I guess their software is so unique that they are afraid you
>> will start disseminating it in millions the same day.

> There are two reasons this is done. One is a keygen that is out there
> and dozens of people every day who try to register using it. The other
> is people (at least a couple of dozen so far) who buy one registration
> code, then publicize it to thousands of others. Both of these are
> stopped by the authentication described above. If you know of another
> method to stop such theft, please describe it.


OK, whether you are Medved or Bear, you have to do business not just
by the Russian piracy tradition.
You give yourself the best security protection.
You stopped theft...
At the cost of the user's security!

You have to understand: our privacy and security are what is most valuable to us.
If you protect only yourself, people will continue to kick you back.

And now think again about what is more valuable to you.

>> Note (!), the software is free with the ad, which all agree is not
>> annoying at all.
>
>?


You seriously think that people who trade online cannot pay
you 50 bucks? You are kidding, man.

Your ad is not annoying at all (everyone says that).
Besides, there will be no privacy/security if the ad is running in QT.

So there is no measurable financial reason to crack it besides one:
people are afraid of QT as spyware. Hence they crack QT to get rid of your custody.

Any particular additional reason you're afraid of this?


>
>> with hidden communication with their own servers.
>
> What hidden communication? It would have been hidden if we didn't
> tell you about it. We do. Is that "hidden"?


Here I'm also pleased with your human discourse.

You are offering me to discuss the difference between
the absence of any communication at all
and the presence of communication which, if encrypted, I can't decrypt!

You openly tell me about communication which I cannot check,
because security experts will tell me that you may send something
in encrypted form or in other ways.

What the heck are we trolling about if my passwords may *hiddenly* leak
to you if *you* wish?

>> Do you believe the software will keep your username and
>> password for the bank or broker secret (it even encrypts them on disk)?
>> They do not promise, guarantee, warrant or whatever, but
>> you have to trust them that passwords will not be stolen.
>> They claim no responsibility, though (of course).

> We do not send your username or password to anywhere except
> the broker's site. This can be easily verified by sniffing
> all outside communications that the program performs.
> This has been done by at least a dozen people in the two years that
> this program has been out and nothing objectionable was found.

Right, you may not be doing anything wrong.

But anyone can write code which does nothing for 2 years
and then, in 2 milliseconds, sends the username/password
in encrypted form so that no one can prove what specifically was sent.

Or you might set some *Day X* on 14 Dec 200x.
On this day QT will start by upgrading/downloading some DLL.
After QT sends the encrypted brokerage login data to your server
(together with the usual QT authorisation which it does every day),
it will spend the next 40 milliseconds erasing this DLL without a trace ;-(.

I am saying this is total paranoia.
Can you bet that nobody out of your 50000 users has had this dream
already?

In summary, all we know is that, for example, Etrade insures people up to some X $ millions.
Your words cost ... how much?
Zero. Can you offer your liability insurance first?
The amount of money people are risking ranges probably from 1K to 100K or more.
Your risk is ZERO.

> If that is not enough for you, you can use the program without
> connecting to your broker at all - just register for Streamer
> at Datek without opening an account there - or register for Screamer
> at money.net for free.

But I will still not be able to stop my computer communicating with your servers!
How can anyone sleep quietly if there is a direct pipe to the authors?
Remember a similar offer made to you, i.e. you purchase some software
which will be permanently connected to SOMEONE's TRUSTED servers?
Did you agree :-) :-) :-) :-) ????


BTW, if you would prefer it to my response, I can ask security experts
why your QT is still a security threat in this case:

is it potentially possible to build QT in such a way that it will intercept a
password I use in some other (non-QT) software, say IE?
If yes, then thanks to the existing security hole, sending my passwords to Medved is
a piece of cake.

What, are you pretending to be naive? C'mon....

>> The nicest trick out of all this is that users cannot enforce this 'trust' in
>> the software with additional firewalls, proxies etc.
>> which would stop communication with anything the user did
>> not specify manually, because the software will not work.


> The program's "raison d'etre" is to communicate with the outside world.
> If you cut it off, it won't work because it won't be able to get the
> stock quotes that it needs. What's your point?


C'mon, almost everybody here feels you understand everything.

OK (though somebody will definitely put it much better than me):

1) For security reasons the user must have the choice to restrict QT's communication.
Users must decide which sites they consider trusted.
2) Unstoppable communication with Medved's servers is an obvious potential security hole.
3) Users must decide, and have detailed knowledge of, what QT upgrades and when to upgrade.

You may disagree with my wording, it's really poor
(I'm not even mentioning the time at which I'm writing this ;-( ),
but you are playing a bad game with people who do not suspect
what bear's corner they may fall into with your QT.


qwerty

Jan 13, 2001, 10:35:12 AM

med...@shore.net wrote:

> In comp.security.misc qwerty <NotRe...@notreal.net> wrote:
> >
> > Jim Marco wrote:
> >
> >> qwerty <NotRe...@NotReal.net> writes:
> >>
> >>
> >>> 1) "Periodically, ABCTracker attempts to connect to ABCServer
> >>> servers to determine whether a new version of ABCTracker
> >>> or one of its support files is available for download.
> >>> ABCTracker does not send any information to the server
> >>> during this process"
> >>
> >>
> >> Sounds harmless enough. Asks server for the current version, then compares
> >> with what you're running.
> >
> >
> > What if I do not like this automatic check?
> > Say I'm happy with the version I have now for a while.
> > I will do that later if I want, right?
> >
> > "No", they say, you must upgrade when *we* decide.
>
> This is about QuoteTracker (http://www.quotetracker.com)
> I am the author, so I can respond to this:
>
> No, we say we check if new version is available whether
> you want to or not. You can upgrade whenever you want.
> If you use the program you know that.
>
> Some program data files (note: data files, not executables)
> are updated without asking. This can happen for two reasons
>
> 1. It's the ads-support file that the program needs changed
> so that it shows you ads from other sources.
> 2. It's a file without which the program will stop working.
> This is done automatically to reduce the amount of tech support
> email that we receive whenever one of the sites that are
> supported changes formats and the program stops working.
>
> >>> 2) "ABCTracker connects to ABCServer servers when it is started
> >>> and sends the server information indicating if it is the
> >>> first time it is started in a given day, week or month.
> >>> It also indicates if the user is registered or not. That
> >>> is the only information that is sent in this request.
> >>> We use this information to count the number of unique
> >>> ABCTracker users and to analyze the data to understand
> >>> how often ABCTracker is used (in aggregate). This information
> >>> is never tied to specific user's IP address or any other
> >>> identifying information unless a false registration code
> >>> is detected (in a separate request specific to registered users)....
> >>
> >>
> >> Also sounds relatively benign, assuming you believe them when they say
> >> they don't attach it to your IP.
> >
> > They claim this is needed to lure advertisers
> > who pay by clicks. Whether I have a particular reason
> > to trust them or not does not matter here:
> > if it's a free program you may (or may not) lose
> > part of your privacy, right?
> >
> > But if I paid to get rid of the ad, and do not want
> > to think every time I hear about privacy violations
> > whether I have to continue 'believing' unknown guys or
> > stop it right now, then do I have reason to
> > ask them to let *me* decide about allowing the connection
> > to their servers or not?
> >
> > "No" they say. I did not catch them trying hard.
> > But if you do not like this and try to discuss it, they do not like to waste time;
> > they permanently 'offer' you to leave.
> > They know people start to fall asleep reading privacy policies.
> >
> > Already pretty 'interesting', right?
>
> I *really* am not parsing your statements above. You paid to get
> rid of ads, not to get rid of the communications described above.
> And this communication is not done for advertisers, it is done so
> that we know how many users of the program are out there. Nothing
> more sinister than that.


>
> >>> 3) "If ABCTracker is registered, it will connect to ABCServer
> >>> servers to verify registration every time you run it.
> >>> ABCTracker sends the registration code together with
> >>> a unique ID specific to the computer to ABCServer servers.
> >>> This information is used for registration verification
> >>> only. If the verification is successful, then the information
> >>> about the verification request is immediately discarded.
> >>> If the verification fails, then the verification information
> >>> is logged, including the registration code, unique ID and IP Address"
> >>
> >>
> >> This, it would seem to me, is to find cracked copies of their software.
> >> If they detect a cracked copy, they record info to help them track down the
> >> person running it and probably send them a cease-and-desist nastygram. If
> >> the reg is legit, they discard the info immediately. Assuming you take them
> >> at their word that they actually do this, it seems reasonable.
> >
> >
> > The 'fun' part is, this starts after you have paid to get rid of the ad.
> > You give them your credit card number and ... they start to track
> > you together with those who stole the software.
>
> Which part of "This information is used for registration verification
> only. If the verification is successful, then the information
> about the verification request is immediately discarded." is unclear
> to you?
>

> Go to http://www.quotetracker.com/register.htm and read the
> second paragraph from the top. It reads: "NOTE: If you register,
> QuoteTracker will authenticate the registration with our main servers at
> the start of every session. This behavior is described on our Privacy
> page. If you object to this for some reason, please do not register."
>

> > You know why?
> > Because they do not believe you.
> > I guess their software is so unique that they are afraid you
> > will start disseminating it in millions the same day.
>
> There are two reasons this is done. One is a keygen that is out there
> and dozens of people every day who try to register using it. The other
> is people (at least a couple of dozen so far) who buy one registration
> code, then publicize it to thousands of others. Both of these are
> stopped by the authentication described above. If you know of another
> method to stop such theft, please describe it.
>

> > Note (!), the software is free with the ad, which all agree is not
> > annoying at all.
>
> ?
>

> > with hidden communication with their own servers.
>
> What hidden communication? It would have been hidden if we didn't
> tell you about it. We do. Is that "hidden"?
>

> > Do you believe the software will keep your username and
> > password for the bank or broker secret (it even encrypts them on disk)?
> > They do not promise, guarantee, warrant or whatever, but
> > you have to trust them that passwords will not be stolen.
> > They claim no responsibility, though (of course).
>
> We do not send your username or password to anywhere except
> the broker's site. This can be easily verified by sniffing
> all outside communications that the program performs. This
> has been done by at least a dozen people in the two years that
> this program has been out and nothing objectionable was found.
>

> If that is not enough for you, you can use the program without
> connecting to your broker at all - just register for Streamer
> at Datek without opening an account there - or register for Screamer
> at money.net for free.
>

qwerty

Jan 13, 2001, 10:36:49 AM

med...@shore.net wrote:


Congratulations, good software. In fact, if I had
6 more months of free time I'd write something similar,
just for myself. But if you managed to remove all
the hell out of the present QT, you'd save me these 6 months ;-).


First, as security experts unanimously confirmed in this newsgroup,
you leave a direct security hole if your software needs a connection
to your servers to start running.

The user can't hide QT behind proxies for additional protection,
to have peace of mind that his/her 30 years of pension funds are under
double lock. The user cannot restrict QT to connecting only with, say,
Etrade or Datek, where his account is by definition secured.

Second, after saying that, there is no way to believe you that
if you can upgrade *data* files you cannot upgrade others, say some DLLs.
Your whole program may in future consist of one or many DLLs,
and one small exe file will just call all of them.

You may download a DLL to my computer which does whatever it needs,
and 10 milliseconds later delete it.

Hence my claim is absolutely correct, that *you* and *not we* decide
when and what to upgrade.

Conclusion:
you reduced the amount of tech support at the cost of our security.


Great to hear that here the communication is done for no other
reason than ... curiosity.

That's insane, man.

The Web screams about better privacy on the net, and you are going
the opposite way. People do not like to be tracked, and at the same time
you are splurging that you see on your monitor 50000
folks today running your QT.

We are saying this information to your servers can be intercepted,
if not by you personally, then by some other third parties,
but you just roar that all that is paranoia.

We are seeking better security.
You understand this word only with your mentality built by the
Russian software piracy tradition or something similar.

>>>> 3) "If ABCTracker is registered, it will connect to ABCServer
>>>> servers to verify registration every time you run it.
>>>> ABCTracker sends the registration code together with
>>>> a unique ID specific to the computer to ABCServer servers.
>>>> This information is used for registration verification
>>>> only. If the verification is successful, then the information
>>>> about the verification request is immediately discarded.
>>>> If the verification fails, then the verification information
>>>> is logged, including the registration code, unique ID and IP Address"
>>>
>>>
>>> This, it would seem to me, is to find cracked copies of their software.
>>> If they detect a cracked copy, they record info to help them track down the
>>> person running it and probably send them a cease-and-desist nastygram. If
>>> the reg is legit, they discard the info immediately. Assuming you take them
>>> at their word that they actually do this, it seems reasonable.
>>
>>
>> The 'fun' part is, this starts after you have paid to get rid of the ad.
>> You give them your credit card number and ... they start to track
>> you together with those who stole the software.
>
> Which part of "This information is used for registration verification
> only. If the verification is successful, then the information
> about the verification request is immediately discarded." is unclear
> to you?
>

Communication between your software and your servers
which cannot be stopped by the user is a potential security hole.

Is that unclear to anybody in the world?

> Go to http://www.quotetracker.com/register.htm and read the
> second paragraph from the top. It reads: "NOTE: If you register,
> QuoteTracker will authenticate the registration with our main servers at
> the start of every session. This behavior is described on our Privacy
> page. If you object to this for some reason, please do not register."

You have not been sitting still since my post.
I read your help file and see that I did not distort or miss anything.

BTW, does this sound like one of numerous similar hints for me to shut up and go away?
Thanks, if not. Then please tell me how, without registering, I can make QT
communicate only with web sites I trust (say, just Etrade)
*and* get rid of the QT advertisement?

>> You know why?
>> Because they do not believe you.
>> I guess their software is so unique that they are afraid you
>> will start disseminating it in millions the same day.

> There are two reasons this is done. One is a keygen that is out there
> and dozens of people every day who try to register using it. The other
> is people (at least a couple of dozen so far) who buy one registration
> code, then publicize it to thousands of others. Both of these are
> stopped by the authentication described above. If you know of another
> method to stop such theft, please describe it.

OK, whether you are Medved or Bear, you have to do business not just
by the Russian piracy tradition.
You give yourself the best security protection.
You stopped theft...

at the cost of the user's security and privacy!

You have to understand: our privacy and security are what is most valuable to us.
If you protect only yourself, people will continue to kick you back.

And now think again about what is more valuable to you.

>> Note (!), the software is free with the ad, which all agree is not
>> annoying at all.
>
> ?


You seriously think that people who trade online cannot pay
you 50 bucks? You are kidding, man.

Your ad is not annoying at all (everyone says that).
Besides, there will be no privacy/security if the ad is running in QT.

So there is no measurable financial reason to crack it besides one:
people are afraid of QT as spyware. Hence they crack QT to get rid of your custody.

Any particular additional reason you're afraid of this?

>
>> with hidden communication with their own servers.
>
> What hidden communication? It would have been hidden if we didn't
> tell you about it. We do. Is that "hidden"?

Here I'm also pleased with your human discourse.

You are offering me to discuss the difference between
the absence of any communication at all
and the presence of communication which, if encrypted, I can't decrypt!

You openly tell me about communication which I cannot check,
because any security expert will tell you that you may send something
in encrypted form as well as in other ways I cannot catch!

What the heck are we trolling about if my passwords may *hiddenly* leak
to you any time if *you* just wish?

>> Do you believe the software will keep your username and
>> password for the bank or broker secret (it even encrypts them on disk)?
>> They do not promise, guarantee, warrant or whatever, but
>> you have to trust them that passwords will not be stolen.
>> They claim no responsibility, though (of course).

> We do not send your username or password to anywhere except
> the broker's site. This can be easily verified by sniffing
> all outside communications that the program performs.
> This has been done by at least a dozen people in the two years that
> this program has been out and nothing objectionable was found.

Right, you may not be doing anything wrong.

But anyone can write code which does nothing for 2 years
and then, in 2 milliseconds, sends the username/password
in encrypted form so that no one can prove what specifically was sent.

Or you might set some *Day X*, say Dec 13, 200x.

On this day QT will start by upgrading/downloading some DLL.

After QT sends the encrypted brokerage login data to Medved's server
(together with the usual QT authorisation which it does every day), it
will spend the next 40 milliseconds erasing this DLL without a trace ;-(.

Now I am saying, this is total paranoia.
But can you bet that nobody out of your 50000 users
has had this dream already?

In summary, all we know is that, for example,
Etrade insures people up to some X $ millions.

Your words cost ... guess how much?
Zero. Can you offer us your liability insurance first?

The amount of money people are risking ranges probably from 1K to 100K or more.
Your risk is ZERO.

> If that is not enough for you, you can use the program without
> connecting to your broker at all - just register for Streamer
> at Datek without opening an account there - or register for Screamer
> at money.net for free.

But I will still not be able to stop my computer communicating with your servers!

How can anyone sleep quietly if there is a direct pipe to the authors?
Remember a similar offer made to you, i.e. you purchase some software
which will be permanently connected to SOMEONE's TRUSTED servers?
Did you agree :-) :-) :-) :-) ????


BTW, if you would prefer it to my response, I can ask security experts
why your QT is still a security threat in this case:

is it potentially possible to build QT in such a way that it will intercept a
password I use in some other (non-QT) software, say IE?
If yes, then thanks to the existing security hole, sending my passwords to Medved is
a piece of cake.

What, are you pretending to be naive? C'mon....

>> The nicest trick out of all this is that users cannot enforce this 'trust' in
>> the software with additional firewalls, proxies etc.
>> which would stop communication with anything the user did
>> not specify manually, because the software will not work.


> The program's "raison d'etre" is to communicate with the outside world.
> If you cut it off, it won't work because it won't be able to get the
> stock quotes that it needs. What's your point?

C'mon, almost everybody here feels you understand everything.

OK (though somebody will definitely put it much better than me):

1) For security reasons the user must have the choice to restrict QT's communication.
Users must decide which sites they consider trusted.
2) Unstoppable communication with Medved's servers is an obvious potential security hole.
3) Users must decide, and have detailed knowledge of, what QT upgrades and when to upgrade.

You may disagree with my wording, it's really poor
(I'm not even mentioning the late hour at which I'm writing this ;-( )
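
The two points argued back and forth in this thread, that the author says "can be easily verified by sniffing all outside communications" and that the user wants to restrict the program to a list of trusted sites, come down to one practitioner's check: take a capture of the program's outbound requests, sort them by destination against an allowlist the user chose, and enumerate exactly which parameters left the machine for each host. The script below is an added example for this page, not QuoteTracker's code or anything from the thread's participants; the hostnames, paths and parameter names in the sample are constructed for illustration.

```python
"""Egress audit over a capture of a program's outbound HTTP requests.

Added example for this thread, not QuoteTracker's code: it classifies
each request by destination host against an allowlist the user chose,
and lists which query parameters left the machine for each host.
Hostnames, paths and parameter names below are constructed."""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of "METHOD URL" lines, as one might reduce a
# packet capture of a quote program to.  Not real captured traffic.
SAMPLE_REQUESTS = [
    "GET http://quotes.example-broker.com/q?sym=MSFT&sym=INTC",
    "GET http://www.example-vendor.com/ping.cgi?first=day&reg=1",
    "GET http://www.example-vendor.com/verify.cgi?code=ABCD-1234&mid=0f3a9c7e&v=2.1",
    "GET http://www.example-vendor.com/update/sites.dat",
    "POST https://trading.example-broker.com/login",
]

# The sites the user decided to trust (the poster's example was Etrade).
TRUSTED_HOSTS = {"quotes.example-broker.com", "trading.example-broker.com"}


def parse_request(line):
    """Split 'METHOD URL' into host, path and (name, value) parameter pairs."""
    method, url = line.split(" ", 1)
    parts = urlsplit(url)
    return {
        "method": method,
        "host": parts.hostname,
        "path": parts.path,
        "params": parse_qsl(parts.query, keep_blank_values=True),
    }


def audit(lines, trusted):
    """Return one finding per request with an allow/block verdict."""
    findings = []
    for line in lines:
        req = parse_request(line)
        req["verdict"] = "allow" if req["host"] in trusted else "block"
        findings.append(req)
    return findings


def hosts_outside_allowlist(findings):
    """Destinations the user did not approve: what a firewall rule would block."""
    return sorted({f["host"] for f in findings if f["verdict"] == "block"})


def parameters_sent_to(findings, host):
    """Names of every query parameter that left the machine for `host`."""
    names = set()
    for f in findings:
        if f["host"] == host:
            names.update(name for name, _ in f["params"])
    return sorted(names)


def report(findings):
    """Human-readable one-line-per-request summary."""
    lines = []
    for f in findings:
        params = ", ".join(f"{k}={v}" for k, v in f["params"]) or "(none)"
        lines.append(f"{f['verdict']:5} {f['method']:4} {f['host']}{f['path']}  params: {params}")
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit(SAMPLE_REQUESTS, TRUSTED_HOSTS)
    print(report(found))
    print("outside allowlist:", hosts_outside_allowlist(found))
    for host in hosts_outside_allowlist(found):
        print(f"  {host} received parameters: {parameters_sent_to(found, host)}")
```

Run against the constructed sample, the vendor host is the only destination outside the allowlist, and the parameters it receives (a registration code and a machine identifier, in this made-up sample) are exactly the ones the privacy text in the thread describes. Two caveats match the objections raised above: an audit like this only shows what is visible in a capture at the time it was taken, so it cannot prove the absence of an encrypted or time-delayed channel, and if the program refuses to start when the "block" hosts are actually blocked, the allowlist cannot be enforced without breaking it.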

med...@shore.net

Jan 13, 2001, 6:23:54 PM
In comp.security.misc qwerty <NotRe...@notreal.net> wrote:
>
> med...@shore.net wrote:
>
>> This is about QuoteTracker (http://www.quotetracker.com)
>> I am the author, so I can respond to this:
>>
>> No, we say we check if new version is available whether
>> you want to or not. You can upgrade whenever you want.
>> If you use the program you know that.
>>
>> Some program data files (note: data files, not executables)
>> are updated without asking. This can happen for two reasons
>>
>> 1. It's the ads-support file that the program needs changed
>> so that it shows you ads from other sources.
>> 2. It's a file without which the program will stop working.
>> This is done automatically to reduce the amount of tech support
>> email that we receive whenever one of the sites that are
>> supported changes formats and the program stops working.
>
>
>
>
> Congratulations, good software. In fact, if I had
> 6 more months of free time I'd write something similar,
> just for myself. But if you managed to remove all
> the hell out of the present QT, you'd save me these 6 months ;-).

But you see, qwerty, if we remove all the things you object to
from our software, we will drastically reduce the revenue. And
the revenue is what pays for constant maintenance, improvements
and tech support that you, as a QT user, are probably well aware of.

> First, as security experts unanimously confirmed in this newsgroup,
> you leave a direct security hole if your software needs a connection
> to your servers to start running.

Every communication that any program that was not written by
you makes is a "security hole". So what.

> The user can't hide QT behind proxies for additional protection,
> to have peace of mind that his/her 30 years of pension funds are under
> double lock. The user cannot restrict QT to connecting only with, say,
> Etrade or Datek, where his account is by definition secured.

User can set it up so that the quote sources he works with are
not connected in any way to his brokerage accounts - why doesn't
that satisfy your requirements?

> Second, after saying that, there is no way to believe you that
> if you can upgrade *data* files you cannot upgrade others, say some DLLs.
> Your whole program may in future consist of one or many DLLs,
> and one small exe file will just call all of them.

No DLLs (except OS DLLs, of course) are needed to run QT - it is
a single executable. The code in the program is set up so that
updating any .exe or .dll file quietly is not allowed.

> You may download a DLL to my computer which does whatever it needs,
> and 10 milliseconds later delete it.
>
> Hence my claim is absolutely correct, that *you* and *not we* decide
> when and what to upgrade.

Nope. The only way your claim was correct was if the program ever
upgraded without asking you. I am telling you that it doesn't. Has
it ever happened to you? No? Then why are you worried?

Let me put it this way: do you have any guarantees that Microsoft's
NOTEPAD.EXE does not have code inside it to one day wipe out your
hard disk maliciously? You don't? Why aren't you worried about it?

Do you have any guarantees that MSIE is not collecting all the
passwords that you type in for all the sites, then secretly
transmitting it to Microsoft every time you go to www.microsoft.com?
You know that it is very easy to hide that information in the total
stream that it sends out. Why aren't you worried about it?

> Conclusion:
> you reduced the amount of tech support at the cost of our security.

Since I wrote the program in question and I know the code intimately,
no, I reduced the amount of my tech support at NO cost to user's
security. You may worry about it, but, as I have shown you above,
you may worry about any program that you're running.

>> I *really* am not parsing your statements above. You paid to get
>> rid of ads, not to get rid of the communications described above.
>> And this communication is not done for advertisers, it is done so
>> that we know how many users of the program are out there. Nothing
>> more sinister than that.
>
> Great to hear that here the communication is done for no other
> reason than ... curiosity.
>
> That's insane, man.

It is not curiosity, knowing the total # of users (note: the total #,
not who every one of the users is) is very important for marketing
the program, getting new revenue sources etc.

> The Web screams about better privacy on the net, and you are going
> the opposite way. People do not like to be tracked, and at the same time
> you are splurging that you see on your monitor 50000
> folks today running your QT.

You are not being tracked. When the program "calls in" once a day
it sends out no personal information about you at all - you can
easily check the GET parameters it is passing - they are very simple.
The server-side program, when receiving the call, adds 1 to the total
of daily, weekly, etc. users. That's all. How is this damaging to you?

> We are saying this information to your servers can be intercepted,
> if not by you personally, then by some other third parties,
> but you just roar that all that is paranoia.

Since nothing "secret" or "personal" about you is sent out to our
servers, who cares about "interceptions". What - someone will find
out how many daily users QT has? - they can just call us and we will
tell them.

> We are seeking better security.
> You understand this word only with your mentality built by the
> Russian software piracy tradition or something similar.

There is a balance between user's paranoia and software vendor's
piracy concerns. We think the line we draw is pretty balanced. You
may disagree.

>>>>> 3) "If ABCTracker is registered, it will connect to ABCServer
>>>>> servers to verify registration every time you run it.
>>>>> ABCTracker sends the registration code together with
>>>>> a unique ID specific to the computer to ABCServer servers.
>>>>> This information is used for registration verification
>>>>> only. If the verification is successful, then the information
>>>>> about the verification request is immediately discarded.
>>>>> If the verification fails, then the verification information
>>>>> is logged, including the registration code, unique ID and IP Address"
>>>>
>>>>
>>>> This, it would seem to me, is to find cracked copies of their software.
>>>> If they detect a cracked copy, they record info to help them track down the
>>>> person running it and probably send them a cease-and-desist nastygram. If
>>>> the reg is legit, they discard the info immediately. Assuming you take them
>>>> at their word that they actually do this, it seems reasonable.
>>>
>>>
>>> The 'fun' part is, this starts after you have paid to get rid of the ad.
>>> You give them your credit card number and ... they start to track
>>> you together with those who stole the software.
>>
>> Which part of "This information is used for registration verification
>> only. If the verification is successful, then the information
>> about the verification request is immediately discarded." is unclear
>> to you?
>>
>
>
> Communications of your software with your servers
> which cannot be stopped by the user are a potential security hole.
>
> Is it unclear to anybody in the world?
>

As I pointed out to you above, ANYTHING you ever run on a Windows
system that is not written by you is a "potential security hole".
That's not narrowing it down much.


>> Go to http://www.quotetracker.com/register.htm and read the
>> second paragraph from the top. It reads: "NOTE: If you register,
>> QuoteTracker will authenticate the registration with our main servers at
>> the start of every session. This behavior is described on our Privacy
>> page. If you object to this for some reason, please do not register."
>
>
> You have not been sitting in place since my post.
> I read your help file and see that I did not distort or miss anything.

In order to register, the users go through the registration page on our
Web site. The quote that I gave above is at the top of that page.

> BTW, does this sound like one of numerous similar hints to me to shut up and go
> away? Thanks, if not. Then, please respond: how, without registering, can I
> make QT communicate only with web sites I trust (say just Etrade)
> *and* get rid of QT advertisement?

Nope. See reasons below.

>> There are two reasons this is done. One is a keygen that is out there
>> and dozens of people every day who try to register using it. The other
>> is people (at least a couple of dozen so far) who buy one registration
>> code, then publicize it to thousands of others. Both of these are
>> stopped by the authentication described above. If you know of another
>> method to stop such theft, please describe it.
>
> OK, whether you are Medved or Bear, you have to do business not just
> by Russian piracy tradition.

Russian piracy tradition? We log every keygen attempt to register QT.
Once I tried to run the IP traces on the IP that attempted it. They
were 90% inside US. Seems the piracy tradition is alive and well in the
US.

> You give yourself best security protection.
> You stopped theft...
> for the cost of user's security and privacy!

It's a choice - either you trust me, one entity, or I have to trust
every one of millions of potential users out there not to use keygens,
not to download "warez" and not to spread around registration codes.

> You have to understand: our privacy and security are most valuable to us.
> If you protect only yourself, people will continue to kick you back.
>
> And now think again what is more valuable for you.

Last week, there were 50,000 users or so who trusted me (2GK Inc)
enough to use the program.

Let me put it to you this way: I decided that the number of people
who are "turned off" from using the program because they don't trust
me is less than the number of people who would pirate it and I would
see no revenues from. Do you understand this logic?

> You seriously think that people who trade online can not pay
> you 50 bucks ? You are kidding, man.

Not if they can use freely floating around keygens and get the same
result without sending me 60 bucks.

> Your ad is not annoying at all (everyone says that).
> Besides, there will be no privacy/security if the ad is running in QT.
>
> So, there is no measurable financial reason to crack it besides one:
> people fear QT as spyware. Hence they crack QT to get rid of your custody.

That's naive. If someone has a choice of:

1. Go to the Web site, pull out your credit card, fill out the form
and send the author $60 - then wait for a few hours, receive the
registration code in the email, and use it to remove the ads.

2. Do a quick keygen search, download a 30K keygen and remove the ads
right away.

BTW, note that this is a personal, not a corporate, program, and the
usual big threats of punishment for corporations pirating programs do
not apply.

What % of the users, in your opinion, will pick 2, and what % will pick 1?
Really, I'd like to hear your opinion. In my opinion it would be 10 to 1.

> Any particular additional reason you're afraid of this ?

See above.

>>
>>> with hidden communication with their own servers.
>>
>>What hidden communication? It would have been hidden if we didn't
>>tell you about it. We do. Is that "hidden"?
>

> You are offering me to discuss the difference between
> the fact of the absence of any communication at all
> and the presence of communication which, if encrypted, I can't decrypt!

"If encrypted". It isn't. Outgoing communications from QT (unless
they are with brokerage sites that use SSL) are not encrypted.

> You openly tell me about communication which I can not check,

Sure you can - every character of it.

> because every security expert will tell you that you may send something
> in encrypted form as well as in other ways I cannot catch!
>
> What the heck are we trolling about if my passwords may *hiddenly* leak
> to you at any time if *you* just wish?

Nope they can't - because there is no code that does it. As for
"what if" - see my examples about NOTEPAD.EXE and MSIE.


>> We do not send your username or password to anywhere except
>> the broker's site. This can be easily verified by sniffing
>> all outside communications that the program performs.
>> This has been done by at least a dozen people in the two years that
>> this program has been out and nothing objectionable was found.
>
>
> Right, you may not do anything wrong.
>
> But everyone can write code which does not do anything for 2 years
> and then in 2 milliseconds will send the username/password
> in encrypted form so that no one can prove what was specifically sent.

And everyone can write the code that does not do anything for years
then suddenly reformats your hard disk. Your point?

> Or you might set some *Day X*, say Dec 13, 200x.
> This day QT will start with upgrading/downloading of some dll.
> After QT sends the encrypted brokerage login data to the Medved server
> (together with the usual QT authorisation which it did every day), the
> next 40 milliseconds QT will spend erasing this dll without a trace ;-(.
>
> Now I am saying, this is total paranoia.
> But can you bet that somebody out of your 50000 users
> has not seen this dream already?

Of course they do. Those who worry that much about it, do not use QT.
Those who don't worry that much, do.

> In summary, all we know, for example,
> Etrade insures people up to some X $ millions.
> Your words cost ... guess how much ?
> Zero. Can you offer us your liability insurance first ?

If you ever have a claim that QT stole $ from you, you can always sue.
That's the insurance. You realize that what you're talking about is
a felony as well, right? Punishment is pretty severe.

> The amount of money people are risking ranges probably from 1K to 100K or more.
> Your risk is ZERO.

My risk (if I am the conman who wrote this program, waited for it
to become popular over several years, then sprung the con) is going
to jail for a long time, plus civil litigation for untold millions.
Why in the world would I do that?

>> If that is not enough for you, you can use the program without
>> connecting to your broker at all - just register for Streamer
>> at Datek without opening an account there - or register for Screamer
>> at money.net for free.
>
>
> But I will still not be able to stop my computer communicating with your servers!
> How can anyone sleep quietly if there exists a direct pipe to the authors?
> Remember a similar offer to you, i.e. you purchase some software
> which will be permanently connected to SOMEONE's TRUSTED servers?

If you're paranoid enough, run it on a computer that has absolutely
no personal information about you on it. Then your privacy is complete.

> BTW, I can ask security experts, if you like them better than my response,
> why your QT is still a security threat in this case:
>
> is it potentially possible to create QT in such a way that it will intercept a
> password I use in some other (non-QT) software, say IE?

It *could* monitor and record all your keystrokes, sure (although
technically in Windows you must do that through a DLL, and since
QT has no DLLs, that's proof that it doesn't). So what? As I said
above, use it on a computer that has no personal information on it
if you're that paranoid - it's no skin off my nose.

>> The program's "raison d'etre" is to communicate with the outside world.
>> If you cut it off, it won't work because it won't be able to get the
>> stock quotes that it needs. What's your point?
>
> C'mon, almost everybody here feels you understand everything.
>
> OK ( though somebody will definitely tell you much better than me):
>
> 1) For security considerations user must have choice to restrict QT
> communication. Users must decide which sites they consider as
> trusted.
> 2) Unstoppable communication with Medved's servers is obvious potential
> security hole.
> 3) Users must decide and have detailed knowledge what QT upgrades and
> when to upgrade.
>

We're going around in circles. If you have no trust in the software
vendor, do NOT run its programs - since any program that you did not
compile yourself can have all sorts of hidden code in it that may wake
up some day and do despicable things to your computer - ask the
"security experts" on this newsgroup.

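The poster's first and third points above (the user should decide which sites a program may talk to, and should know when it phones home) and the vendor's claim that the traffic can be verified by sniffing it both reduce to the same defender-side check: capture what the program actually connects to and flag everything outside the user's own allowlist. The following is an added example, not code from this thread, from QuoteTracker or from 2GK; the connection-log format, hostnames and IP addresses are constructed for illustration. It generalizes beyond the thread's case slightly by also flagging an allowlisted host that is reached in cleartext when the user expects TLS.

```python
"""Egress allowlist audit over captured outbound connections (added example).

Input is a constructed log of outbound connections, one per line, in an
assumed "<time> <process> <dst_host_or_ip>:<port>" format such as a sniffer
or personal firewall might export. Every destination not covered by the
user's allowlist is reported for review.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample; none of these hosts or addresses are real endpoints.
SAMPLE_LOG = """\
09:58:01 qt.exe quotes.example-broker.test:443
09:58:02 qt.exe 198.51.100.20:80
09:58:03 qt.exe ads.example-adnet.test:80
09:58:04 qt.exe auth.example-vendor.test:80
09:59:10 qt.exe quotes.example-broker.test:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+):(\d+)$")


@dataclass(frozen=True)
class Conn:
    time: str
    process: str
    dest: str
    port: int


def parse_log(text):
    """Parse connection records; malformed lines are skipped, not fatal."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        t, proc, dest, port = m.groups()
        conns.append(Conn(t, proc, dest.lower(), int(port)))
    return conns


def is_allowed(dest, port, allowed_hosts, allowed_nets, require_tls_hosts):
    """A destination passes if the host (or any parent domain) is allowlisted,
    or the IP literal falls inside an allowlisted network. A host listed in
    require_tls_hosts must also be reached on port 443, so a cleartext
    fallback to an otherwise trusted site is still flagged."""
    try:
        ip = ipaddress.ip_address(dest)
        return any(ip in net for net in allowed_nets)
    except ValueError:
        pass  # not an IP literal, treat as a hostname
    labels = dest.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in allowed_hosts:
            if suffix in require_tls_hosts and port != 443:
                return False
            return True
    return False


def audit(text, allowed_hosts, allowed_nets=(), require_tls_hosts=()):
    """Split the captured connections into (allowed, flagged) lists."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hosts = {h.lower() for h in allowed_hosts}
    tls = {h.lower() for h in require_tls_hosts}
    allowed, flagged = [], []
    for c in parse_log(text):
        bucket = allowed if is_allowed(c.dest, c.port, hosts, nets, tls) else flagged
        bucket.append(c)
    return allowed, flagged


def unexpected_destinations(text, allowed_hosts, allowed_nets=(), require_tls_hosts=()):
    """Deduplicated, sorted "host:port" strings the user should review."""
    _, flagged = audit(text, allowed_hosts, allowed_nets, require_tls_hosts)
    return sorted({f"{c.dest}:{c.port}" for c in flagged})


if __name__ == "__main__":
    # The user trusts only the broker; every other destination is reported.
    for d in unexpected_destinations(SAMPLE_LOG, ["example-broker.test"],
                                     require_tls_hosts=["example-broker.test"]):
        print("unexpected:", d)
```

Run against a real capture, the same allowlist makes the vendor's "sniff it yourself" argument actionable: the report is the list of endpoints the program reached that the user never agreed to, including any registration-check server, and a host that should be TLS-only but shows up on port 80 is reported even though its name is trusted.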