1) "Periodically, ABCTracker attempts to connect to ABCServer
servers to determine whether a new version of ABCTracker
or one of its support files is available for download.
ABCTracker does not send any information to the server
during this process"
2) "ABCTracker connects to ABCServer servers when it is started
and sends the server information indicating if it is the
first time it is started in a given day, week or month.
It also indicates if the user is registered or not. That
is the only information that is sent in this request.
We use this information to count the number of unique
ABCTracker users and to analyze the data to understand
how often ABCTracker is used (in aggregate). This information
is never tied to specific user's IP address or any other
identifying information unless a false registration code
is detected (in a separate request specific to registered users)....
3) "If ABCTracker is registered, it will connect to ABCServer
servers to verify registration every time you run it.
ABCTracker sends the registration code together with
a unique ID specific to the computer to ABCServer servers.
This information is used for registration verification
only. If the verification is successful, then the information
about the verification request is immediately discarded.
If the verification fails, then the verification information
is logged, including the registration code, unique ID and IP Address"
Like it ?
Your comments please.
>
>
>Like it ?
>Your comments please.
Send them a nastygram describing your intention to burn their
software. Then do so.
Paul
--
PMRobot - freeware - apply automation macros to any Windows program
PMDOS - freeware - run any DOS command from Windows, capture the output to Windows
Stockmon - freeware - stock tracking / research program
My WWW site is at http://www.pobox.com/~pjm ,featuring free HVAC, stock market, and other free software
>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~>~~
pjm@(remove this part )pobox.com
The good news is they tell you what it does, so personally I
would not use it and hopefully if enough people tell them
to shove it up their arse they will stop,
--------
Jim Watt - see the website http://www.gibnet.com
--------
Stalker Steve, MCP
qwerty <NotRe...@NotReal.net> wrote in message
news:3A43FCD5...@NotReal.net...
It's your loopback address, but it's not your NIC. The
loopback interface is implemented in software and is a
different driver from the one provided with your network
adaptor.
--
Melinda Shore - Software longa, hardware brevis - sh...@panix.com
If you send me harassing email, I'll probably post it
The Night Stalker wrote:
> 127.0.0.1 is your network adapter card (loopback address). Your browser
> trying to connect to that address sometimes happens if your cache needs to
> be dumped. On IE, go to Tools | Internet Options | Then look for the part
> of the window for Temporary Internet files. Select Delete Files
>
> Stalker Steve, MCP
>
I do not use IE. But when I did like you propose
it was no effect. 127.0.0.1 message still appears.
This software I am writing about is not relying on browsers,
it is standalone application.
So you are saying that it is no way possible to connect to 127.0.0.1
from outside?
It's still not clear from your description what's particularly
going on, but I would guess that the software is doing a
network-wide broadcast, communicating "I am a badly-written
piece of crap, uninstall me."
It's not uncommon to see forged packets coming in with
spoofed loopback addresses in the source or destination
fields, but I doubt that's what's going on here. And then,
of course, there was that time in 1987 or so when a not-to-
be mentioned host on the NSFNet backbone lost its route to
localhost and started sending its syslog messages out to all
and sundry, but that's not what's going on here, either.
Uninstall that software. If it came in a package, burn the
package.
pjm@see_my_sig_for_address.com wrote:
> qwerty <NotRe...@NotReal.net> , pondered obviously not long enough,
> and said
>
> >
> >
> >Like it ?
> >Your comments please.
>
> Send them a nastygram describing your intention to burn their
> software. Then do so.
>
I have no intention in doing this. The only I'd wish is
to remove all hidden and not justified by privacy/security concerns
communication with their servers (at least for registered users,
who will pay for software if they do not want to see their ad).
With existing state of this software, they may easily (like with cookies)
know who is using it, when user starts program, is software registered or
not etc.
This reminds me of the infamous accident with Microsoft's Win98 beta
http://www.chguy.net/news/mar99/Andtheycallmenuts.html
or Intel's CPU ID...
Funny to me, they responded that their registration security is far better
than Microsoft's, which is also why their piracy rate is much lower.
And of course that If I or another end user do not like it,
I do not have to use it.
So seems they care about piracy of their software (which is free if
you do not bother with not as annoying ad they place in small windows),
more than about our privacy and security.
The reason why *I strongly do not like* all communication with their servers
(which is absolutely not needed for operation of software) is because
next simple step for them is to encrypt your username and password
in brokerage (you provide it for application to start trading or just
to see real time quotes) and send to their servers.
Am I exaggerating situation too much? Your little assistance
and opinions are appreciated
Am I wrong?
"Melinda Shore" <sh...@panix.com> wrote in message
news:9238c9$t26$1...@panix2.panix.com...
What's not clear is why it's sending packets to 127.0.0.1.
It'd be interesting to know whether they're tcp/udp/icmp/
whatever, what port number, etc.
"Melinda Shore" <sh...@panix.com> wrote in message
news:923hi0$8k8$1...@panix2.panix.com...
Oh, brother. I have an HP Pavilion and not long after I
brought it up I noticed the light flashing 1x/sec on the hub
port where it was plugged in. It turned out that some piece
of software on the box was sending out ICMP echo requests
with a TTL of 1 (!!) every second. I shut down every
running program that looked reasonable and it still
continued. I uninstalled a bunch of software and it still
continued. I reinstalled the OS and it came back.
Eventually I ended up turning the hub around so I wouldn't
have to watch the light blink.
Several weeks ago I installed ZoneAlarm and it immediately
found that the HP *keyboard manager* was sending out pings.
Now, we can draw all sorts of conclusions as to why it might
be doing that, but if the obvious one is the case (that
they're trying to determine whether or not the network
interface is configured up and connected), they ought to be
embarrassed. That they're trying to do something legitimate
(and that remains an open question) using really stupid
means doesn't excuse the really stupid means.
> I do not use IE. But when I did like you propose
> it was no effect. 127.0.0.1 message still appears.
> This software I am writing about is not relying on browsers,
> it is standalone application.
>
> So you are saying that it is no way possible to connect to 127.0.0.1
> from outside?
Any hardware or software that addresses 127.0.0.1 is addressing itself
and not going to the NIC card. A packet addressed to 127.0.0.1 ALWAYS is
a loopback address as dictated in RFC something.
Stalker Steve, MCP
Melinda Shore <sh...@panix.com> wrote in message
news:922rfv$hme$1...@panix2.panix.com...
"Melinda Shore" <sh...@panix.com> wrote in message
news:924vu6$rhf$1...@panix2.panix.com...
m wrote:
> Anonymous wrote:
>
>
> Well 127.0.0.1 is your machine's port, sort of a self-check. Go to a command line and type
> "ping 127.0.0.1" and see what it shows you. You
> see the response time <10ms (sometimes 1 ms)??? That means its your box and its not going
> out. They must communicate with HQ via the
> web port or something, and you might not see that unless you have a firewall that monitors
> outgoing ports (most don't).
> ===========
>
>
Anonymous from comp.privacy/alt.privacy offered simple idea I easily can do.
Yes, ping is going less than 10ms. And not going outside (no complain from firewall).
ABCTracker though asks firewall to allow him to go to internet. Why ?
I.e. asks firewall to allow connection to 127.0.0.1. If all is inside, why ask ?
Put a sniffer on it and find out what's actually going on.
Just to pick a nit: it's your loopback address. Whether your
OS implements this particular standard, and how, is another
question.
Dima
--
dmaziuk at crosswinds dot net
-----------------------------
How do I set laser printer to stun?
Melinda Shore wrote:
Sorry, I had one free trial packetviewer, CommView, used it, it is pretty useful but....
it is expired. I did not find others.
Besides, I wrote to their authors to make some obvious simple additions to CommView
(like implementing 'dogs functions', i.e. to check and warn if some specific packets are
leaving or coming to my computer. Now I am waiting for their response. Without this
their software is kind of handicapped. I do not know why they are so lazy not to see that,
seems their software would just boom with this. Only after that I will order their software,
sometimes I'm sooooo principled ;-( )
If you can suggest any other tryware I will be glad to hear.
But it is possible that packets are encrypted, then what?
Harry Lime wrote:
> On 25 Dec 2000 20:57:44 GMT, qwerty <NotRe...@NotReal.net> wrote:
>
> >:)Anonymous from comp.privacy/alt.privacy offered simple idea I easily can do.
> >:)
> >:)Yes, ping is going less than 10ms. And not going outside (no complain from firewall).
> >:)ABCTracker though asks firewall to allow him to go to internet. Why ?
> >:)I.e. asks firewall to allow connection to 127.0.0.1. If all is inside, why ask ?
>
> The author to your Quote Tracker programme writes in
> alt.privacy.spyware.
>
> Why not ask him there. I'd love to read his answer.
>
> This programme requires IE to be installed and that for me is reason
> enough right there to not run it.
>
> I'd do like boyz have said. I'd burn it.
You know, I do not like your and others destructive logic.
My approach is different.
I try to help people to earn money and at the same time to
implement what *I need*. This is obvious strategy,
because all software is beta and *you and me * are its betatester.
Hence let's I respond you such a way.
I know QuoteTracker.
It probably has lot of problems with privacy/security/etc
You may try it and try burn them yourself.
I know 'safe harbor' for any 'bad' software. It's so simple, guys.
Just use another computer where you have nothing besides OS.
Regards to all,
and happy holidays
Try ethereal.
>I do not know why they are so lazy not to see that,
>seems their software would just boom with this. Only after that I will order their software,
Okay, look - someone who can't bother to format his posts,
puts bogus addresses on it, and can't figure out how to deal
with what's apparently a pretty simple problem really is not
in a position to be flinging rocks.
>But it is possible that packets are encrypted, then what?
Unless they're tunnelled (which I doubt very, very much that
they are) you'll at least be able to take a look at the
headers.
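Added example (not part of any post in this thread): the two points made above, that it matters whether the traffic is tcp/udp/icmp and on which port, and that the headers stay readable even when the payload is encrypted, shown with a minimal IPv4 header parser in Python. The three packets are constructed sample data; their addresses, ports and payload bytes are assumptions, not captures from the program under discussion.

```python
import ipaddress
import struct

PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}


def summarize_ipv4(packet: bytes) -> dict:
    """Return the cleartext header fields of one raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("inconsistent length fields")
    body = packet[ihl:total_len]        # transport header + payload
    dst_ip = ipaddress.IPv4Address(dst)
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(dst_ip),
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, f"ip-proto-{proto}"),
        "src_port": None,
        "dst_port": None,
        "icmp_type": None,
        "payload_len": len(body),
        # 127.0.0.0/8 is handled by the loopback interface, not the NIC.
        "stays_on_host": dst_ip.is_loopback,
    }
    if proto == 6 and len(body) >= 20:      # TCP
        info["src_port"], info["dst_port"] = struct.unpack("!HH", body[:4])
        data_offset = (body[12] >> 4) * 4   # TCP header length in bytes
        info["payload_len"] = max(len(body) - data_offset, 0)
    elif proto == 17 and len(body) >= 8:    # UDP
        info["src_port"], info["dst_port"] = struct.unpack("!HH", body[:4])
        info["payload_len"] = len(body) - 8
    elif proto == 1 and len(body) >= 8:     # ICMP
        info["icmp_type"] = body[0]         # 8 = echo request
        info["payload_len"] = len(body) - 8
    return info


def _ipv4(proto, src, dst, body, ttl=64):
    # Builds a constructed sample packet. Checksum is left at 0 because
    # the parser above does not verify it.
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, ttl,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
    return head + body


def _tcp(sport, dport, payload=b""):
    # 20-byte TCP header: data offset 5, PSH+ACK flags, checksum 0.
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18,
                       8192, 0, 0) + payload


# Constructed sample data (not real captures).
OPAQUE = bytes((i * 37 + 11) % 256 for i in range(32))  # stands in for ciphertext
LOCAL_TCP = _ipv4(6, "127.0.0.1", "127.0.0.1", _tcp(1045, 1046))
REMOTE_TCP = _ipv4(6, "192.168.1.20", "192.0.2.10", _tcp(1047, 443, OPAQUE))
TTL1_PING = _ipv4(1, "192.168.1.20", "192.168.1.1",
                  struct.pack("!BBHHH", 8, 0, 0, 1, 1), ttl=1)

if __name__ == "__main__":
    for name, pkt in [("local tcp", LOCAL_TCP), ("remote tcp", REMOTE_TCP),
                      ("ttl-1 ping", TTL1_PING)]:
        print(name, summarize_ipv4(pkt))
```

The payload of the second packet is opaque, yet its destination address, protocol and port are all recovered from the headers; the first packet is flagged as never leaving the host.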
>1) "Periodically, ABCTracker attempts to connect to ABCServer
> servers to determine whether a new version of ABCTracker
> or one of its support files is available for download.
> ABCTracker does not send any information to the server
> during this process"
Sounds harmless enough. Asks server for the current version, then compares
with what you're running.
>2) "ABCTracker connects to ABCServer servers when it is started
> and sends the server information indicating if it is the
> first time it is started in a given day, week or month.
> It also indicates if the user is registered or not. That
> is the only information that is sent in this request.
> We use this information to count the number of unique
> ABCTracker users and to analyze the data to understand
> how often ABCTracker is used (in aggregate). This information
> is never tied to specific user's IP address or any other
> identifying information unless a false registration code
> is detected (in a separate request specific to registered users)....
Also sounds relatively benign, assuming you believe them when they say
they don't attach it to your IP.
>3) "If ABCTracker is registered, it will connect to ABCServer
> servers to verify registration every time you run it.
> ABCTracker sends the registration code together with
> a unique ID specific to the computer to ABCServer servers.
> This information is used for registration verification
> only. If the verification is successful, then the information
> about the verification request is immediately discarded.
> If the verification fails, then the verification information
> is logged, including the registration code, unique ID and IP Address"
This, it would seem to me, is to find cracked copies of their software.
If they detect a cracked copy, they record info to help them track down the
person running it and probably send them a cease-and-desist nastygram. If
the reg is legit, they discard the info immediately. Assuming you take them
at their word that they actually do this, it seems reasonable.
--
Jim Marco -- do...@uiuc.edu
SPAM alert: Remove the x to reply.
--------------------------------------
Thought for the day:
Different all twisty a of in maze are you, passages little.
> qwerty <NotRe...@NotReal.net> writes:
>
>
>> 1) "Periodically, ABCTracker attempts to connect to ABCServer
>> servers to determine whether a new version of ABCTracker
>> or one of its support files is available for download.
>> ABCTracker does not send any information to the server
>> during this process"
>
>
> Sounds harmless enough. Asks server for the current version, then compares
> with what you're running.
What if I do not like this automatic check ?
Say, I'm happy with version I have now for a while.
I will do that later if I want, right?
"No", they say, you must upgrade when *we* decide.
>
>
>> 2) "ABCTracker connects to ABCServer servers when it is started
>> and sends the server information indicating if it is the
>> first time it is started in a given day, week or month.
>> It also indicates if the user is registered or not. That
>> is the only information that is sent in this request.
>> We use this information to count the number of unique
>> ABCTracker users and to analyze the data to understand
>> how often ABCTracker is used (in aggregate). This information
>> is never tied to specific user's IP address or any other
>> identifying information unless a false registration code
>> is detected (in a separate request specific to registered users)....
>
>
> Also sounds relatively benign, assuming you believe them when they say
> they don't attach it to your IP.
They claim this is needed to lure advertisers
who pay by clicks. Do I have particular reason
to trust them or not does not matter here:
if it's free program you may(or may not) lose
part of your privacy, right?
But if I paid to get rid of ad, and do not want
to think every time when I hear about privacy violations
if I have to continue 'believing' to unknown guys or
stop it right now, then do I have reason to
ask them give *me* decide about allowing connection
to their servers or not?
"No" they say. I did not catch trying hard.
But if you do not like this and try discuss this they do not like waste time,
they permanently 'offer' you to leave.
They know people start to sleep reading privacy policies.
Already pretty 'interesting', right ?
>
>
>> 3) "If ABCTracker is registered, it will connect to ABCServer
>> servers to verify registration every time you run it.
>> ABCTracker sends the registration code together with
>> a unique ID specific to the computer to ABCServer servers.
>> This information is used for registration verification
>> only. If the verification is successful, then the information
>> about the verification request is immediately discarded.
>> If the verification fails, then the verification information
>> is logged, including the registration code, unique ID and IP Address"
>
>
> This, it would seem to me, is to find cracked copies of their software.
> If they detect a cracked copy, they record info to help them track down the
> person running it and probably send them a cease-and-desist nastygram. If
> the reg is legit, they discard the info immediately. Assuming you take them
> at their word that they actually do this, it seems reasonable.
'Fun' is, this starts after you paid for getting rid of ad.
You give them credit card N and ... they start to track
you together with those who stole software.
You know why ?
Because they do not believe you.
I guess their software is so unique, so they afraid you
will start same day disseminate it in millions.
Note (!), software is free with ad, which all agree is not
annoying at all.
I even do not say about straight security risk associated
with hidden communication with their own servers.
Why we have believe them after that?
Do you believe software will keep in secret your username and
password in the bank or broker (it even encrypts it on disk)?
They not promise, guarantee, warrant or whatever, but
you have to trust them that passwords will not be stolen.
They claim no any responsibility though (of course).
Nicest trick out of all this is that users can not enforce this 'trust' in
software by additional firewalls, proxies etc
which would stop communication with anything user would
not specify manually, because software will not work.
Nice privacy.
Super security.
Right?
Jim Marco wrote:
> qwerty <NotRe...@NotReal.net> writes:
>
>
>> 1) "Periodically, ABCTracker attempts to connect to ABCServer
>> servers to determine whether a new version of ABCTracker
>> or one of its support files is available for download.
>> ABCTracker does not send any information to the server
>> during this process"
>
>
> Sounds harmless enough. Asks server for the current version, then compares
> with what you're running.
What if I do not like this automatic check ?
Say, I'm happy with version I have now for a while.
I will do that later if I want, right?
"No", they say, you must upgrade when *we* decide.
"Strange", I thought
>
>
>> 2) "ABCTracker connects to ABCServer servers when it is started
>> and sends the server information indicating if it is the
>> first time it is started in a given day, week or month.
>> It also indicates if the user is registered or not. That
>> is the only information that is sent in this request.
>> We use this information to count the number of unique
>> ABCTracker users and to analyze the data to understand
>> how often ABCTracker is used (in aggregate). This information
>> is never tied to specific user's IP address or any other
>> identifying information unless a false registration code
>> is detected (in a separate request specific to registered users)....
>
>
> Also sounds relatively benign, assuming you believe them when they say
> they don't attach it to your IP.
They claim this is needed to lure advertisers
who pay by clicks. Do I have particular reason
to trust them or not does not matter here:
if it's free program you may(or may not) lose
part of your privacy, right?
But if I paid to get rid of ad, and do not want
to think every time when I hear about privacy violations
if I have to continue 'believing' to unknown guys or
stop it right now, then do I have reason to
ask them give *me* decide about allowing connection
to their servers or not?
"No" they say. I did not catch why even trying hard.
But if you do not like this and try discuss this they do not like waste time,
they permanently 'offer' you to leave.
They know people start to sleep reading privacy policies.
Even more strange. Already pretty 'interesting', right ?
>
>
>> 3) "If ABCTracker is registered, it will connect to ABCServer
>> servers to verify registration every time you run it.
>> ABCTracker sends the registration code together with
>> a unique ID specific to the computer to ABCServer servers.
>> This information is used for registration verification
>> only. If the verification is successful, then the information
>> about the verification request is immediately discarded.
>> If the verification fails, then the verification information
>> is logged, including the registration code, unique ID and IP Address"
>
>
> This, it would seem to me, is to find cracked copies of their software.
> If they detect a cracked copy, they record info to help them track down the
> person running it and probably send them a cease-and-desist nastygram. If
> the reg is legit, they discard the info immediately. Assuming you take them
> at their word that they actually do this, it seems reasonable.
'Fun' is, this starts after you paid for getting rid of ad.
You give them credit card N and ... they start to track
you together with those who stole software.
You know why ?
Because they do not believe you.
I guess their software is so unique, so they afraid you
will start same day disseminate it in millions.
Note (!), software is free with ad, which all agree is not
annoying at all.
I even do not say about straight security risk associated
with hidden communication with their own servers.
Why we have believe them after that?
Do you believe software will keep in secret your username and
password in the bank or broker (it even encrypts it on disk)?
They not promise, guarantee, warrant or whatever, but
you have to trust them that passwords will not be stolen.
They claim no any responsibility though (of course).
Nicest trick out of all this is that users can not enforce this 'trust' in
software by additional firewalls, proxies etc
which would stop communication with anything user would
not specify manually, because this software will even not start !
Nice privacy.
Super security.
But isn't all *too* strange?
This is about QuoteTracker (http://www.quotetracker.com)
I am the author, so I can respond to this:
No, we say we check if new version is available whether
you want to or not. You can upgrade whenever you want.
If you use the program you know that.
Some program data files (note: data files, not executables)
are updated without asking. This can happen for two reasons
1. It's the ads-support file that the program needs changed
so that it shows you ads from other sources.
2. It's a file without which the program will stop working.
This is done automatically to reduce the amount of tech support
email that we receive whenever one of the sites that are
supported changes formats and the program stops working.
I *really* am not parsing your statements above. You paid to get
rid of ads, not to get rid of the communications described above.
And this communication is not done for advertisers, it is done so
that we know how many users of the program are out there. Nothing
more sinister than that.
>>> 3) "If ABCTracker is registered, it will connect to ABCServer
>>> servers to verify registration every time you run it.
>>> ABCTracker sends the registration code together with
>>> a unique ID specific to the computer to ABCServer servers.
>>> This information is used for registration verification
>>> only. If the verification is successful, then the information
>>> about the verification request is immediately discarded.
>>> If the verification fails, then the verification information
>>> is logged, including the registration code, unique ID and IP Address"
>>
>>
>> This, it would seem to me, is to find cracked copies of their software.
>> If they detect a cracked copy, they record info to help them track down the
>> person running it and probably send them a cease-and-desist nastygram. If
>> the reg is legit, they discard the info immediately. Assuming you take them
>> at their word that they actually do this, it seems reasonable.
>
>
> 'Fun' is, this starts after you paid for getting rid of ad.
> You give them credit card N and ... they start to track
> you together with those who stole software.
Which part of "This information is used for registration verification
only. If the verification is successful, then the information
about the verification request is immediately discarded." is unclear
to you?
Go to http://www.quotetracker.com/register.htm and read the
second paragraph from the top. It reads: "NOTE: If you register,
QuoteTracker will authenticate the registration with our main servers at
the start of every session. This behavior is described on our Privacy
page. If you object to this for some reason, please do not register."
> You know why ?
> Because they do not believe you.
> I guess their software is so unique, so they afraid you
> will start same day disseminate it in millions.
There are two reasons this is done. One is a keygen that is out there
and dozens of people every day who try to register using it. The other
is people (at least a couple of dozen so far) who buy one registration
code, then publicize it to thousands of others. Both of these are
stopped by the authentication described above. If you know of another
method to stop such theft, please describe it.
> Note (!), software is free with ad, which all agree is not
> annoying at all.
?
> with hidden communication with their own servers.
What hidden communication? It would have been hidden if we didn't
tell you about it. We do. Is that "hidden"?
> Do you believe software will keep in secret your username and
> password in the bank or broker (it even encrypts it on disk)?
> They not promise, guarantee, warrant or whatever, but
> you have to trust them that passwords will not be stolen.
> They claim no any responsibility though (of course).
We do not send your username or password to anywhere except
the broker's site. This can be easily verified by sniffing
all outside communications that the program performs. This
has been done by at least a dozen people in the two years that
this program has been out and nothing objectionable was found.
If that is not enough for you, you can use the program without
connecting to your broker at all - just register for Streamer
at Datek without opening an account there - or register for Screamer
at money.net for free.
> Nicest trick out of all this is that users can not enforce this 'trust' in
> software by additional firewalls, proxies etc
> which would stop communication with anything user would
> not specify manually, because software will not work.
The program's "raison d'etre" is to communicate with the outside world.
If you cut it off, it won't work because it won't be able to get the
stock quotes that it needs. What's your point?
med...@shore.net wrote:
>>>> 3) "If ABCTracker is registered, it will connect to ABCServer
>>>> servers to verify registration every time you run it.
>>>> ABCTracker sends the registration code together with
>>>> a unique ID specific to the computer to ABCServer servers.
>>>> This information is used for registration verification
>>>> only. If the verification is successful, then the information
>>>> about the verification request is immediately discarded.
>>>> If the verification fails, then the verification information
>>>> is logged, including the registration code, unique ID and IP Address"
>>>
>>>
>>> This, it would seem to me, is to find cracked copies of their software.
>>> If they detect a cracked copy, they record info to help them track down the
>>> person running it and probably send them a cease-and-desist nastygram. If
>>> the reg is legit, they discard the info immediately. Assuming you take them
>>> at their word that they actually do this, it seems reasonable.
>>
>>
>> 'Fun' is, this starts after you paid for getting rid of ad.
>> You give them credit card N and ... they start to track
>> you together with those who stole software.
>
> Which part of "This information is used for registration verification
> only. If the verification is successful, then the information
> about the verification request is immediately discarded." is unclear
> to you?
>
Communications of your software with your servers
which can not be stopped by user is potential security hole.
Is it unclear to anybody in the world?
> Go to http://www.quotetracker.com/register.htm and read the
> second paragraph from the top. It reads: "NOTE: If you register,
> QuoteTracker will authenticate the registration with our main servers at
> the start of every session. This behavior is described on our Privacy
> page. If you object to this for some reason, please do not register."
You are not sitting on place since my post.
I read your help file and see that I did not distorted or missed anything.
BTW, is this sounds as one or numerous similar hints to me to shut up and go away?
Thanks, if not. Then, please respond how without registering can I make QT
communicating only with web sites I trust (say just Etrade)
*and* get rid of QT advertisement ?
>> You know why ?
>> Because they do not believe you.
>> I guess their software is so unique, so they afraid you
>> will start same day disseminate it in millions.
> There are two reasons this is done. One is a keygen that is out there
> and dozens of people every day who try to register using it. The other
> is people (at least a couple of dozen so far) who buy one registration
> code, then publicize it to thousands of others. Both of these are
> stopped by the authentication described above. If you know of another
> method to stop such theft, please describe it.
OK, are you Medved or Bear, you have to do business not just
by Russian piracy tradition.
You give yourself best security protection.
You stopped theft...
For the cost of user's security!
You have to understand: our privacy and security is most valuable for us.
If you will protect yourself only, people will continue kick you back.
And now think again what is more valuable for you.
>> Note (!), software is free with ad, which all agree is not
>> annoying at all.
>
>?
You seriously think that people who trade online can not pay
you 50 bucks ? You are kidding, man.
Your ad is not annoying at all (everyone tells that).
Besides, there will be no privacy/security if ad is running in QT.
So, there is no measurable financially reason to crack it besides one:
people afraid QT as spyware. Hence they crack QT to get rid of your custody.
Any particular additional reason you're afraid of this ?
>
>> with hidden communication with their own servers.
>
>What hidden communication? It would have been hidden if we didn't
>tell you about it. We do. Is that "hidden"?
Here I'm also pleased with your human discourse.
You offering me to discuss difference between
the fact of absence of communication at all
and presence of communication which if encrypted I can't decrypt !
You openly tell me about communication which I can not check,
because security experts will tell me that you may send something
in encrypted form and other ways.
What is heck we are trolling if my passwords may *hiddenly* leak
to you if *you* wish ?
>> Do you believe software will keep in secret your username and
>> password in the bank or broker (it even encrypts it on disk)?
>> They not promise, guarantee, warrant or whatever, but
>> you have to trust them that passwords will not be stolen.
>> They claim no any responsibility though (of course).
> We do not send your username or password to anywhere except
> the broker's site. This can be easily verified by sniffing
> all outside communications that the program performs.
> This has been done by at least a dozen people in the two years that
> this program has been out and nothing objectionable was found.
Right, you may not do anything wrong.
But everyone can write the code which does not do anything during 2 years
and then during 2 milliseconds will send username/password
in encrypted form so that no one will prove what was specifically sent.
Or you might set some *Day X* on 14 Dec 200x.
This day QT will start with upgrading/downloading of some dll.
After QT will send encrypted brokerage login data to your server
(together with usual QT authorisation which it did every day)
next 40 milliseconds QT will spend for erasing this dll without trace ;-(.
I am saying this total paranoia.
Can you beat, somebody out of your 50000 users did not see this dream
already ?
In summary, all we know, for example, Etrade insures people up to some X $ millions.
Your words cost ...how much ?
Zero. Can you offer your liability insurance first ?
Amount of money people risking ranges probably from 1K to 100K or more.
Your risk is ZERO.
> If that is not enough for you, you can use the program without
> connecting to your broker at all - just register for Streamer
> at Datek without opening an account there - or register for Screamer
> at money.net for free.
But I will still not able to stop my computer communicate with your servers !
How anyone can sleep quietly if there exist direct pipe to authors ?
Remember similar offer to you, i.e. you purchase some software
which will be permanently connected to SOMEONE's TRUSTED servers ?
Did you agreed :-) :-) :-) :-) ????
BTW, I can ask security experts if you like better than mine respond
why your QT is still security threat in this case:
is it potentially possible to create QT such a way that it will intercept my
password I will use in some another (not QT) software, say IE ?
If yes, then due to existing security hole sending my passwords to Medved is
piece of cake.
What, you pretend to be naive ? C'mon....
>> Nicest trick out of all this is that users can not enforce this 'trust' in
>> software by additional firewalls, proxies etc
>> which would stop communication with anything user would
>> not specify manually, because software will not work.
> The program's "raison d'etre" is to communicate with the outside world.
> If you cut it off, it won't work because it won't be able to get the
> stock quotes that it needs. What's your point?
C'mon, almost everybody here feels you understand everything.
OK ( though somebody will definitely tell you much better than me):
1) For security considerations user must have choice to restrict QT communication.
Users must decide which sites they consider as trusted.
2) Unstoppable communication with Medved's servers is obvious potential security hole.
3) Users must decide and have detailed knowledge what QT upgrades and when to upgrade.
You may disagree with my wordings, they're really poor,
(I'm even not mentioning the time I'm writing this ;-( )
But you are playing bad game with people who do not suspect in
what bear corner they may fall with your QT.
med...@shore.net wrote:
Congratulations, good software. In fact, if I'd have
6 more months of free time I'd write something similar,
just for myself. But if you'd managed remove all
the hell out of present QT, you'd save me these 6 months ;-).
First, as security experts unanimously confirmed in this ng,
you leave direct security hole if your software needs connection
to your servers to start running.
User can't hide QT behind the proxies for additional protection
to have peace of mind that his/her 30 years pension funds are under
double lock. User can not restrict QT to connect only, say, with
Etrade or Datek where his account is by definition secured.
Second, after saying that, there is no way to believe you that
if you can upgrade *data* files you can not upgrade others, say some DLLs.
Your whole program may consist in future out of one/many dlls
and one small exe file will just call all of them.
You may download DLL to my computer which do whatever it needs,
and 10 millisecond later delete it.
Hence my claim is absolutely correct, that *you* and *not we* decide
when and what to upgrade.
Conclusion:
you reduced amount of tech support at the cost of our security.
Great to hear that here communication is done for no other
reason as ... curiosity.
That's insane, man
Web screams about better privacy on the net, and you are going
opposite way. People do not like to be tracked, and same time
you are splurging that you see on your monitor 50000 thousand
folks today running your QT.
We are saying this information to your servers can be intercepted
if not by you personally, then by some other third parties,
but you just roar that all that is paranoia.
We are seeking better security.
You are understanding this word just with your mentality built by
Russian software piracy tradition or something similar.
>>>> 3) "If ABCTracker is registered, it will connect to ABCServer
>>>> servers to verify registration every time you run it.
>>>> ABCTracker sends the registration code together with
>>>> a unique ID specific to the computer to ABCServer servers.
>>>> This information is used for registration verification
>>>> only. If the verification is successful, then the information
>>>> about the verification request is immediately discarded.
>>>> If the verification fails, then the verification information
>>>> is logged, including the registration code, unique ID and IP Address"
>>>
>>>
>>> This, it would seem to me, is to find cracked copies of their software.
>>> If they detect a cracked copy, they record info to help them track down the
>>> person running it and probably send them a cease-and-desist nastygram. If
>>> the reg is legit, they discard the info immediately. Assuming you take them
>>> at their word that they actually do this, it seems reasonable.
>>
>>
>> 'Fun' is, this starts after you paid for getting rid of ad.
>> You give them credit card N and ... they start to track
>> you together with those who stole software.
>
> Which part of "This information is used for registration verification
> only. If the verification is successful, then the information
> about the verification request is immediately discarded." is unclear
> to you?
>
Communications of your software with your servers
which can not be stopped by user is potential security hole.
Is it unclear to anybody in the world?
> Go to http://www.quotetracker.com/register.htm and read the
> second paragraph from the top. It reads: "NOTE: If you register,
> QuoteTracker will authenticate the registration with our main servers at
> the start of every session. This behavior is described on our Privacy
> page. If you object to this for some reason, please do not register."
You are not sitting on place since my post.
I read your help file and see that I did not distorted or missed anything.
BTW, is this sounds as one or numerous similar hints to me to shut up and go away?
Thanks, if not. Then, please respond how without registering can I make QT
communicating only with web sites I trust (say just Etrade)
*and* get rid of QT advertisement ?
>> You know why ?
>> Because they do not believe you.
>> I guess their software is so unique, so they afraid you
>> will start same day disseminate it in millions.
> There are two reasons this is done. One is a keygen that is out there
> and dozens of people every day who try to register using it. The other
> is people (at least a couple of dozen so far) who buy one registration
> code, then publicize it to thousands of others. Both of these are
> stopped by the authentication described above. If you know of another
> method to stop such theft, please describe it.
OK, are you Medved or Bear, you have to do business not just
by russian piracy tradition.
You give yourself best security protection.
You stopped theft...
for the cost of user's security and privacy!
You have to understand: our privacy and security is most valuable for us.
If you will protect yourself only, people will continue kick you back.
And now think again what is more valuable for you.
>> Note (!), software is free with ad, which all agree is not
>> annoying at all.
>
>?
You seriously think that people who trade online can not pay
you 50 bucks ? You are kidding, man.
Your ad is not annoying at all (everyone tells that).
Besides, there will be no privacy/security if ad is running in QT.
So, there is no measurable financially reason to crack it besides one:
people afraid QT as spyware. Hence they crack QT to get rid of your custody.
Any particular additional reason you're afraid of this ?
>
>> with hidden communication with their own servers.
>
>What hidden communication? It would have been hidden if we didn't
>tell you about it. We do. Is that "hidden"?
Here I'm also pleased with your human discourse.
You offering me to discuss difference between
the fact of absence of communication at all
and presence of communication which if encrypted I can't decrypt !
You openly tell me about communication which I can not check,
because each security experts will tell that you may send something
in encrypted form as well as other ways I can not catch !
What the heck we are trolling if my passwords may *hiddenly* leak
to you any time if *you* just wish ?
>> Do you believe software will keep in secret your username and
>> password in the bank or broker (it even encrypts it on disk)?
>> They not promise, guarantee, warrant or whatever, but
>> you have to trust them that passwords will not be stolen.
>> They claim no any responsibility though (of course).
> We do not send your username or password to anywhere except
> the broker's site. This can be easily verified by sniffing
> all outside communications that the program performs.
> This has been done by at least a dozen people in the two years that
> this program has been out and nothing objectionable was found.
Right, you may not do anything wrong.
But everyone can write the code which does not do anything during 2 years
and then during 2 millisecond will send username/password
in encrypted form so that no one will prove what was specifically sent.
Or you might set some *Day X*, say Dec 13, 200x.
This day QT will start with upgrading/downloading of some dll.
After QT will send encrypted brokerage login data to Medved server
(together with usual QT authorisation which it did every day) the
next 40 milliseconds QT will spend for erasing this dll without trace ;-(.
Now I am saying, this is total paranoia.
But can you beat, somebody out of your 50000 users
did not see this dream already ?
In summary, all we know, for example,
Etrade insures people up to some X $ millions.
Your words cost ... guess how much ?
Zero. Can you offer us your liability insurance first ?
Amount of money people risking ranges probably from 1K to 100K or more.
Your risk is ZERO.
> If that is not enough for you, you can use the program without
> connecting to your broker at all - just register for Streamer
> at Datek without opening an account there - or register for Screamer
> at money.net for free.
But I will still not able to stop my computer communicate with your servers !
How anyone can sleep quietly if there exist direct pipe to authors ?
Remember similar offer to you, i.e. you purchase some software
which will be permanently connected to SOMEONE's TRUSTED servers ?
Did you agreed :-) :-) :-) :-) ????
BTW, I can ask security experts if you like better than mine respond
why your QT is still security threat in this case:
is it potentially possible to create QT such a way that it will intercept my
password I will use in some another (not QT) software, say IE ?
If yes, then due to existing security hole sending my passwords to Medved is
piece of cake.
What, you pretend to be naive ? C'mon....
>> Nicest trick out of all this is that users can not enforce this 'trust' in
>> software by additional firewalls, proxies etc
>> which would stop communication with anything user would
>> not specify manually, because software will not work.
> The program's "raison d'etre" is to communicate with the outside world.
> If you cut it off, it won't work because it won't be able to get the
> stock quotes that it needs. What's your point?
C'mon, almost everybody here feels you understand everything.
OK ( though somebody will definitely tell you much better than me):
1) For security considerations user must have choice to restrict QT communication.
Users must decide which sites they consider as trusted.
2) Unstoppable communication with Medved's servers is obvious potential security hole.
3) Users must decide and have detailed knowledge what QT upgrades and when to upgrade.
You may disagree with my wordings, they're really poor,
(I'm even not mentioning the late time I'm writing this ;-( )
> I *really* am not parsing your statements above. You paid to get
> rid of ads, not to get rid of the communications described above.
> And this communication is not done for advertisers, it is done so
> that we know how many users of the program are out there. Nothing
> more sinister than that.
How about a really crappy analogy? If your product was a washing
machine, it would have this extra "feature" built in that would make it
able to open a door or window when you wanted it to so that you could
come into my house and make sure that I paid for this washing machine.
Of course, you're not going to do anything else, you won't make a list
of all the magazines I subscribe to, or what's in my cupboards and my
liquor cabinet. You promised this in writing and if I ever caught you
breaking it I would have to fight off the lawyers with a stick they would
be so happy. However, the fact that you *could*, might make some of us
decide to choose another washing machine.
Add to that the nervousness that some *real* crook might figure out a way
to either impersonate you or via some other way get my washing machine
to let *her* into my house instead of *you*, and a few more of us might
decide on a different washing machine.
Maybe you've already done a complete cost-benefit analysis of these
eventualities and decided that you will lose less from these lost
customers than you would from the piracy that you're trying to stop.
But if you've done that analysis, then you've tacitly admitted that
these are not entirely ridiculous fears. Beyond that, I really can't
understand what the heck else you guys have to discuss.
--
"Microsoft has claimed that it spent 500 people years to make Windows
2000 reliable. I only reprint this number because it serves to
illustrate how inadequate 500 people-years are."
-- Bruce Schneier, in 'Secrets and Lies'
But you see, qwerty, if we remove all the things you object to
from our software, we will drastically reduce the revenue. And
the revenue is what pays for constant maintenance, improvements
and tech support that you, as a QT user, are probably well aware of.
> First, as security experts unanimously confirmed in this ng,
> you leave direct security hole if your software needs connection
> to your servers to start running.
Every communication that any program that was not written by
you makes is a "security hole". So what.
> User can't hide QT behind the proxies for additional protection
> to have peace of mind that his/her 30 years pension funds are under
> double lock. User can not restrict QT to connect only, say, with
> Etrade or Datek where his account is by definition secured.
User can set it up so that the quote sources he works with are
not connected in any way to his brokerage accounts - why doesn't
that satisfy your requirements?
> Second, after saying that, there is no way to believe you that
> if you can upgrade *data* files you can not upgrade others, say some DLLs.
> Your whole program may consist in future out of one/many dlls
> and one small exe file will just call all of them.
No DLLs (except OS DLLs, of course) are needed to run QT - it is
a single executable. The code in the program is set up so that
updating any .exe or .dll file quietly is not allowed.
> You may download DLL to my computer which do whatever it needs,
> and 10 millisecond later delete it.
>
> Hence my claim is absolutely correct, that *you* and *not we* decide
> when and what to upgrade.
Nope. The only way your claim was correct was if the program ever
upgraded without asking you. I am telling you that it doesn't. Has
it ever happened to you? No? Then why are you worried?
Let me put it this way: do you have any guarantees that Microsoft's
NOTEPAD.EXE does not have code inside it to one day wipe out your
hard disk maliciously? You don't? Why aren't you worried about it?
Do you have any guarantees that MSIE is not collecting all the
passwords that you type in for all the sites, then secretly
transmitting it to Microsoft every time you go to www.microsoft.com?
You know that it is very easy to hide that information in the total
stream that it sends out. Why aren't you worried about it?
> Conclusion:
> you reduced amount of tech support at the cost of our security.
Since I wrote the program in question and I know the code intimately,
no, I reduced the amount of my tech support at NO cost to user's
security. You may worry about it, but, as I have shown you above,
you may worry about any program that you're running.
>>I *really* am not parsing your statements above. You paid to get
>>rid of ads, not to get rid of the communications described above.
>>And this communication is not done for advertisers, it is done so
>>that we know how many users of the program are out there. Nothing
>>more sinister than that.
>
> Great to hear that here communication is done for no other
> reason as ... curiosity.
>
> That's insane, man
It is not curiosity, knowing the total # of users (note: the total #,
not who every one of the users is) is very important for marketing
the program, getting new revenue sources etc.
> Web screams about better privacy on the net, and you are going
> opposite way. People do not like to be tracked, and same time
> you are splurging that you see on your monitor 50000 thousand
> folks today running your QT.
You are not being tracked. When the program "calls in" once a day
it sends out no personal information about you at all - you can
easily check the GET parameters it is passing - they are very simple.
The server-side program, when receiving the call, adds 1 to the total
of daily, weekly, etc. users. That's all. How is this damaging to you?
> We are saying this information to your servers can be intercepted
> if not by you personally, then by some other third parties,
> but you just roar that all that is paranoia.
Since nothing "secret" or "personal" about you is sent out to our
servers, who cares about "interceptions". What - someone will find
out how many daily users QT has? - they can just call us and we will
tell them.
> We are seeking better security.
> You are understanding this word just with your mentality built by
> Russian software piracy tradition or something similar.
There is a balance between user's paranoia and software vendor's
piracy concerns. We think the line we draw is pretty balanced. You
may disagree.
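
The claim in the post above, that the daily check-in is a plaintext GET with a few simple parameters, can be checked mechanically against a local proxy log. The following is an added example, not part of the thread and not QuoteTracker's code; the host names, parameter names and log entries are constructed assumptions.

```python
import math
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Destinations the user has chosen to trust (hypothetical names).
ALLOWED_HOSTS = {"quotes.broker.example", "checkin.vendor.example"}

# Assumed shape of the usage check-in: first run of the day/week/month
# and a registered flag, each a single 0/1 value. Names are hypothetical.
CHECKIN_HOST = "checkin.vendor.example"
CHECKIN_PARAMS = {"day", "week", "month", "registered"}
CHECKIN_VALUES = {"0", "1"}

BINARY_SUFFIXES = (".exe", ".dll")


def shannon_entropy(text):
    """Bits per character of the string's own character distribution."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total)
                for n in Counter(text).values())


def looks_opaque(value, min_len=16, min_entropy=3.5):
    """Long, high-entropy values cannot be understood by reading them."""
    return len(value) >= min_len and shannon_entropy(value) >= min_entropy


def audit_request(method, url):
    """Return a list of findings for one logged request (empty = as stated)."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    params = parse_qsl(parts.query, keep_blank_values=True)

    # Any destination the user did not list is reported.
    if host not in ALLOWED_HOSTS:
        findings.append(f"unlisted-host: {host}")
    # Fetching executable code is reported wherever it comes from.
    if parts.path.lower().endswith(BINARY_SUFFIXES):
        findings.append(f"binary-download: {parts.path}")

    # The check-in must match the stated shape exactly.
    if host == CHECKIN_HOST:
        if method != "GET" or parts.scheme != "http":
            findings.append(f"unexpected-transport: {method} {parts.scheme}")
        for name, value in params:
            if name not in CHECKIN_PARAMS:
                findings.append(f"unexpected-param: {name}")
            elif value not in CHECKIN_VALUES:
                findings.append(f"unexpected-value: {name}")

    # Values that cannot be read by inspection are reported for every host.
    for name, value in params:
        if looks_opaque(value):
            findings.append(f"opaque-value: {name}")
    return findings


def audit_log(entries):
    """Map each request that deviates from the stated behaviour to its findings."""
    report = {}
    for method, url in entries:
        findings = audit_request(method, url)
        if findings:
            report[url] = findings
    return report


# Constructed proxy-log entries (method, URL); not captured from any real program.
SAMPLE_LOG = [
    ("GET", "http://checkin.vendor.example/ping?day=1&week=0&month=0&registered=0"),
    ("GET", "http://quotes.broker.example/quote?symbols=MSFT,IBM"),
    ("GET", "http://checkin.vendor.example/ping?day=1&week=0&month=0"
            "&registered=0&blob=q7Zx2LmP9vRt4KdW"),
    ("GET", "http://updates.other.example/file.dll"),
]

if __name__ == "__main__":
    for url, findings in audit_log(SAMPLE_LOG).items():
        print(url)
        for finding in findings:
            print("  ", finding)
```

A check like this describes only the traffic that was logged; it says nothing about what a later build might send, which is the concern raised elsewhere in the thread.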
>>>>> 3) "If ABCTracker is registered, it will connect to ABCServer
>>>>> servers to verify registration every time you run it.
>>>>> ABCTracker sends the registration code together with
>>>>> a unique ID specific to the computer to ABCServer servers.
>>>>> This information is used for registration verification
>>>>> only. If the verification is successful, then the information
>>>>> about the verification request is immediately discarded.
>>>>> If the verification fails, then the verification information
>>>>> is logged, including the registration code, unique ID and IP Address"
>>>>
>>>>
>>>> This, it would seem to me, is to find cracked copies of their software.
>>>> If they detect a cracked copy, they record info to help them track down the
>>>> person running it and probably send them a cease-and-desist nastygram. If
>>>> the reg is legit, they discard the info immediately. Assuming you take them
>>>> at their word that they actually do this, it seems reasonable.
>>>
>>>
>>> 'Fun' is, this starts after you paid for getting rid of ad.
>>> You give them credit card N and ... they start to track
>>> you together with those who stole software.
>>
>> Which part of "This information is used for registration verification
>> only. If the verification is successful, then the information
>> about the verification request is immediately discarded." is unclear
>> to you?
>>
>
>
> Communications of your software with your servers
> which can not be stopped by user is potential security hole.
>
> Is it unclear to anybody in the world?
>
As I pointed out to you above, ANYTHING you ever run on a Windows
system that is not written by you is a "potential security hole".
That's not narrowing it down much.
>> Go to http://www.quotetracker.com/register.htm and read the
>> second paragraph from the top. It reads: "NOTE: If you register,
>> QuoteTracker will authenticate the registration with our main servers at
>> the start of every session. This behavior is described on our Privacy
>> page. If you object to this for some reason, please do not register."
>
>
> You are not sitting on place since my post.
> I read your help file and see that I did not distorted or missed anything.
In order to register, the users go through the registration page on our
Web site. The quote that I gave above is at the top of that page.
> BTW, is this sounds as one or numerous similar hints to me to shut up and go
> away? Thanks, if not. Then, please respond how without registering can I
> make QT communicating only with web sites I trust (say just Etrade)
> *and* get rid of QT advertisement ?
Nope. See reasons below.
>> There are two reasons this is done. One is a keygen that is out there
>> and dozens of people every day who try to register using it. The other
>> is people (at least a couple of dozen so far) who buy one registration
>> code, then publicize it to thousands of others. Both of these are
>> stopped by the authentication described above. If you know of another
>> method to stop such theft, please describe it.
>
> OK, are you Medved or Bear, you have to do business not just
> by russian piracy tradition.
Russian piracy tradition? We log every keygen attempt to register QT.
Once I tried to run the IP traces on the IP that attempted it. They
were 90% inside US. Seems the piracy tradition is alive and well in the
US.
> You give yourself best security protection.
> You stopped theft...
> for the cost of user's security and privacy!
It's a choice - either you trust me, one entity, or I have to trust
every one of millions of potential users out there not to use keygens,
not to download "warez" and not to spread around registration codes.
> You have to understand: our privacy and security is most valuable for us.
> If you will protect yourself only, people will continue kick you back.
>
> And now think again what is more valuable for you.
Last week, there were 50,000 users or so who trusted me (2GK Inc)
enough to use the program.
Let me put it to you this way: I decided that the number of people
who are "turned off" from using the program because they don't trust
me is less than the number of people who would pirate it and I would
see no revenues from. Do you understand this logic?
> You seriously think that people who trade online can not pay
> you 50 bucks ? You are kidding, man.
Not if they can use freely floating around keygens and get the same
result without sending me 60 bucks.
> Your ad is not annoying at all (everyone tells that).
> Besides, there will be no privacy/security if ad is running in QT.
>
> So, there is no measurable financially reason to crack it besides one:
> people afraid QT as spyware. Hence they crack QT to get rid of your custody.
That's naive. If someone has a choice of:
1. Go to the Web site, pull out your credit card, fill out the form
and send the author $60 - then wait for a few hours, receive the
registration code in the email, and use it to remove the ads.
2. Do a quick keygen search, download a 30K keygen and remove the ads
right away.
BTW, note that this is a personal, not a corporate, program, and the
usual big threats of punishment for corporations pirating programs do
not apply.
What % of the users, in your opinion, will pick 2, and what % will pick 1?
Really, I'd like to hear your opinion. In my opinion it would be 10 to 1.
> Any particular additional reason you're afraid of this ?
See above.
>>
>>> with hidden communication with their own servers.
>>
>>What hidden communication? It would have been hidden if we didn't
>>tell you about it. We do. Is that "hidden"?
>
> You offering me to discuss difference between
> the fact of absence of communication at all
> and presence of communication which if encrypted I can't decrypt !
"If encrypted". It isn't. Outgoing communications from QT (unless
they are with brokerage sites that use SSL) are not encrypted.
> You openly tell me about communication which I can not check,
Sure you can - every character of it.
> because each security experts will tell that you may send something
> in encrypted form as well as other ways I can not catch !
>
> What the heck we are trolling if my passwords may *hiddenly* leak
> to you any time if *you* just wish ?
Nope they can't - because there is no code that does it. As for
"what if" - see my examples about NOTEPAD.EXE and MSIE.
>> We do not send your username or password to anywhere except
>> the broker's site. This can be easily verified by sniffing
>> all outside communications that the program performs.
>> This has been done by at least a dozen people in the two years that
>> this program has been out and nothing objectionable was found.
>
>
> Right, you may not do anything wrong.
>
> But everyone can write the code which does not do anything during 2 years
> and then during 2 millisecond will send username/password
> in encrypted form so that no one will prove what was specifically sent.
And everyone can write the code that does not do anything for years
then suddenly reformats your hard disk. Your point?
> Or you might set some *Day X*, say Dec 13, 200x.
> This day QT will start with upgrading/downloading of some dll.
> After QT will send encrypted brokerage login data to Medved server
> (together with usual QT authorisation which it did every day) the
> next 40 milliseconds QT will spend for erasing this dll without trace ;-(.
>
> Now I am saying, this is total paranoia.
> But can you beat, somebody out of your 50000 users
> did not see this dream already ?
Of course they do. Those who worry that much about it, do not use QT.
Those who don't worry that much, do.
> In summary, all we know, for example,
> Etrade insures people up to some X $ millions.
> Your words cost ... guess how much ?
> Zero. Can you offer us your liability insurance first ?
If you ever have a claim that QT stole $ from you, you can always sue.
That's the insurance. You realize that what you're talking about is
a felony as well, right? Punishment is pretty severe.
> Amount of money people risking ranges probably from 1K to 100K or more.
> Your risk is ZERO.
My risk (if I am the conman who wrote this program, waited for it
to become popular over several years, then sprung the con) is going
to jail for a long time, plus civil litigation for untold millions.
Why in the world would I do that?
>> If that is not enough for you, you can use the program without
>> connecting to your broker at all - just register for Streamer
>> at Datek without opening an account there - or register for Screamer
>> at money.net for free.
>
>
> But I will still not able to stop my computer communicate with your servers !
> How anyone can sleep quietly if there exist direct pipe to authors ?
> Remember similar offer to you, i.e. you purchase some software
> which will be permanently connected to SOMEONE's TRUSTED servers ?
If you're paranoid enough, run it on a computer that has absolutely
no personal information about you on it. Then your privacy is complete.
> BTW, I can ask security experts if you like better than mine respond
> why your QT is still security threat in this case:
>
> is it potentially possible to create QT such a way that it will intercept my
> password I will use in some another (not QT) software, say IE ?
It *could* monitor and record all your keystrokes, sure (although
technically in Windows you must do that through a DLL, and since
QT has no DLLs, that's proof that it doesn't). So what? As I said
above, use it on a computer that has no personal information on it
if you're that paranoid - it's no skin off my nose.
>> The program's "raison d'etre" is to communicate with the outside world.
>> If you cut it off, it won't work because it won't be able to get the
>> stock quotes that it needs. What's your point?
>
> C'mon, almost everybody here feels you understand everything.
>
> OK ( though somebody will definitely tell you much better than me):
>
> 1) For security considerations user must have choice to restrict QT
> communication. Users must decide which sites they consider as
> trusted.
> 2) Unstoppable communication with Medved's servers is obvious potential
> security hole.
> 3) Users must decide and have detailed knowledge what QT upgrades and
> when to upgrade.
>
We're going around in circles. If you have no trust in the software
vendor, do NOT run its programs - since any program that you did not
compile yourself can have all sorts of hidden code in it that may wake
up some day and do despicable things to your computer - ask the
"security experts" on this newsgroup.
You're right, the analogy is poor. A washing machine is a physical
"thing" not something you can copy. Thus, the "piracy concern" is
non-existent and the measures that you describe above are unreasonable.
> Add to that the nervousness that some *real* crook might figure out a way
> to either impersonate you or via some other way get my washing machine
> to let *her* into my house instead of *you*, and a few more of us might
> decide on a different washing machine.
See above.
Let me put it to you this way: there were (are?) companies out there
that give out cars to people for free in return for wrapping the cars
in advertisements. They have fairly strict rules about it - like you
*have* to park the car in public places, you cannot take the ads off
etc (one is http://www.freecar.com). Now if you got one of those cars
from them would you object to them checking up on you that you did not
violate those rules or would you indignantly insist that by doing that
they are violating your privacy?
> Maybe you've already done a complete cost-benefit analysis of these
> eventualities and decided that you will lose less from these lost
> customers than you would from the piracy that you're trying to stop.
Did and decided. It's a sad fact that piracy is rampant among
private users. People think nothing of ripping off someone by
using a cracked key or a keygen. Thus measures have to be taken.
> But if you've done that analysis, then you've tacitly admitted that
> these are not entirely ridiculous fears. Beyond that, I really can't
> understand what the heck else you guys have to discuss.
I admit that there is a percentage of users out there that is
paranoid enough that even after all the explanations and clear
spelling out of everything the program ever sends will not use
the program. IMO the number of users who would pirate it is a
lot higher. It's an easy choice to make.
> Let me put it to you this way: there were (are?) companies out there
> that give out cars to people for free in return for wrapping the cars
> in advertisements. ...
> etc (one is http://www.freecar.com). Now if you got one of those cars
> from them would you object to them checking up on you that you did not
> violate those rules or would you indignantly insist that by doing that
> they are violating your privacy?
It depends. With a car, they could simply watch. To be closer to the
s/w analogy, they'd have a key to the car.
> I admit that there is a percentage of users out there that is
> paranoid enough that even after all the explanations and clear
> spelling out of everything the program ever sends will not use
> the program.
But do you admit that we've seen dozens of these kind of innocuous little
features get exploited by hackers in ways you couldn't have foreseen?
If your little checkup-feature were to be exploited by a hacker to
compromise 100,000 boxes out there, would you fight the lawsuit? Or would
you say "our lawyers spelled this out in clear language that you're taking
the risk, not me."
I think this is a legitimate concern, not just paranoia.
> IMO the number of users who would pirate it is a
> lot higher. It's an easy choice to make.
If I was in your position I'd probably make the same decision,
particularly if I'm the guy who signs all the checks. The problem is
that ever since the joint stock company was invented, companies have
promised one thing then gone and done something different. This is
not your fault; it's also not my fault that there are airline tourists,
but I've still got to go through that damn scanner thingy.
They probably do.
>> I admit that there is a percentage of users out there that is
>> paranoid enough that even after all the explanations and clear
>> spelling out of everything the program ever sends will not use
>> the program.
>
> But do you admit that we've seen dozens of these kind of innocuous little
> features get exploited by hackers in ways you couldn't have foreseen?
Since I programmed it, I know what it does. I also hacked in my time.
I put in every protection I could think of.
> I think this is a legitimate concern, not just paranoia.
It is. You have to trust the programmers to have prevented it.
>
>> IMO the number of users who would pirate it is a
>> lot higher. It's an easy choice to make.
>
> If I was in your position I'd probably make the same decision,
> particularly if I'm the guy who signs all the checks. The problem is
> that ever since the joint stock company was invented, companies have
> promised one thing then gone and done something different.
My company is not public, it is family owned and what we say is
what we do.
> This is
> not your fault; it's also not my fault that there are airline tourists,
> but I've still got to go through that damn scanner thingy.
You meant "terrorists" not "tourists". True. Good analogy.
If your "crowd" stops labeling programs like mine "spyware" - even
though we disclose every outside call the program makes - then I will
stop posting. Deal?
>>> I admit that there is a percentage of users out there that is
>>> paranoid enough that even after all the explanations and clear
>>> spelling out of everything the program ever sends will not use
>>> the program.
>>
>> But do you admit that we've seen dozens of these kind of innocuous little
>> features get exploited by hackers in ways you couldn't have foreseen?
> Since I programmed it, I know what it does. I also hacked in my time.
> I put in every protection I could think of.
>> I think this is a legitimate concern, not just paranoia.
> It is. You have to trust the programmers to have prevented it.
Okay, the part that was snipped there pertained to potential lawsuits that
could result if you missed something and gobs of people got hacked. If
you trust your own software enough to not put in one of those ridiculous
"if you get hacked it's all your problem, we disclaim any responsibility"
statements, then you would definitely be having it both ways. Do you
and are you?
>> This is
>> not your fault; it's also not my fault that there are airline tourists,
>> but I've still got to go through that damn scanner thingy.
> You meant "terrorists" not "tourists". True. Good analogy.
LOL! Wow, what a hilarious slip that was. Thnx for getting the point
in spite of myself.
We live in an extremely litigious society, and one needs to protect
oneself from (mostly frivolous) litigation in any way one can. If
I put the "if you get hacked it's all your problem, not my responsibility"
and the user can seriously prove that he got hacked because of my
program, the clause quoted above will not hold in any court of law
anyway. It will deter some frivolous lawsuits, though.
>>> This is
>>> not your fault; it's also not my fault that there are airline tourists,
>>> but I've still got to go through that damn scanner thingy.
>
>> You meant "terrorists" not "tourists". True. Good analogy.
>
> LOL! Wow, what a hilarious slip that was. Thnx for getting the point
> in spite of myself.
So, to continue your analogy, why would you object to anti-piracy
protection on the program, while acquiescing to the anti-terrorism
scanner in the airport? The scanner, after all, is very intrusive -
it shows to the people behind the monitor all contents of your
luggage, and they can ask you to open it and go through it if
they like. The anti-piracy thingie in QT is simple - once a session
it sends your registration code and ID to our servers to see if they
are in the list and returns either ACK or NAK. Doesn't send us any
other info on you whatsoever.
Going through the scanner and subjecting yourself to search is a
condition that airlines and government put on you if you want to
use commercial air travel.
Authenticating your registration is a condition that I put to you
if you want to use QT without ads.
If you don't want to go through the scanner, put your luggage through
an X-Ray and be subject to a search - don't fly using commercial airlines.
If you don't want your registration to be authenticated in QT - don't
register.
By the way, on the subject of disclosure - I have yet to see the
disclosure on an airline ticket of every intrusive security measure
that airlines take. Why no objections to that? In contrast, my
program discloses every call it makes.
> Going through the scanner and subjecting yourself to search is a
> condition that airlines and government put on you if you want to
> use commercial air travel.
Ah yes, the government. Maybe that's the reason we don't bother complaining
about it as much, as it seems that much more futile, however ...
> Authenticating your registration is a condition that I put to you
> if you want to use QT without ads.
Well, I recognize that what the airline is doing protects me as well as them.
I'm not sure how your registration check is protecting me.
> By the way, on the subject of disclosure - I have yet to see the
> disclosure on an airline ticket of every intrusive security measure
> that airlines take. Why no objections to that? In contrast, my
> program discloses every call it makes.
Who says I don't object to them? I just feel more futile objecting to them.
It's not a crowd, it's just a couple of trolls and if you care about
your/your company's/QT's -- errmm, what's the word, reputation? --
you'd stop participating in this trollfest (hint: add qwerty to
killfile).
URL of your privacy statement is the only relevant argument here.
HTH,HAND
Dima
--
E-mail dmaziuk at bmrb dot wisc dot edu (@work) or at crosswinds dot net (@home)
Nobody likes "big brother". People have different concepts of
what "big brother" is.
> Microsoft may have found out what the public thinks about privacy,
> well they are now going to learn that they hate big brother as much as
> they like privacy.
>
> I started with basic and paper tape for storage. I have learned all
> the OS along the way. I am now 60, have a bad heart and I am tired.
> I don't want to learn a new system but you know what....I hate a
> dictator worse. I am going to learn Linux and Gates can go screw
> himself and all the rest of the big brothers with him.
>
> I remember being stunned at how fast CP/M died. Maybe Gates has that
> lesson to learn as well... we will see.
>
> That's what I don't like about your approach. It's big brother
> checking up on me.
It's a company checking up on registrations to make sure they
are not pirated.
Face it, if piracy in personal (non-corporate) software was at
the level of 5% these measures would not be needed and, if
implemented, would be rightly condemned as excessive. Unfortunately,
piracy is much higher than that (I know, since I can see the number
of keygen and stolen code attempts to register QT every day) and
the measures are needed.
Harry Lime wrote:
> On Tue, 16 Jan 2001 06:11:20 GMT, med...@shore.net wrote:
>
> >:) Unfortunately,
> >:)piracy is much higher than that (I know, since I can see the number
> >:)of keygen and stolen code attempts to register QT every day) and
> >:)the measures are needed.
>
> OK I think we have come to a place of closure here.
>
> You resent that I assume that you are a data miner.
>
> I resent that you assume that I am a pirate.
>
> We each think we have "evidence" that the other finds inconvenient to
> accept.
>
> Time to go our separate ways. Bye.
I have not visited newsgroups for a while and see that all my links
have expired. The only thing I see is your last message in this thread.
I prepared a response to medved, but the text grew to an enormous size
not worth continuing. Of course,
I still have questions for him on which security experts here are
welcome to comment. But in essence, leaving aside all irony,
the only thing I can suggest to the author is to offer versions of QT, let's call them
bronze (current free version),
gold (current ad free version for $60) and
platinum (no link to developer server, probably even more expensive),
with the last one doing: no leaking, no tracking, no autoupgrades, no ads.
If platinum is impossible in this or another form, then all following
discussions make no sense. Platinum being too expensive is not acceptable either,
because some other solutions (see suggestion below)
offer ultimate security at acceptable cost.
Due to the 500+ titles of similar software, I cannot accept just
trusting each of their developers without additional security measures from my side.
Trust must be insured. I.e. if some software offers trading online
then it must provide the whole service like all the E-trades/Dateks/etc do,
with insurance appropriate to my funds.
If it is not insured then I prefer only a *stealth* solution where no
leak is possible even potentially.
I stopped at the following scenario for using all such software
(not just medved). Your miles may vary.
That means installing the 'leaky' software you want on a separate clean PC with the OS only.
Use it just for information purposes (market analysis, charting etc.)
and never allow it to visit the online trader.
Some small questions to security/privacy experts still remain:
- because the software could be adware/spyware, sending click-throughs,
sending some info to the developer's site etc., can the user of the PC eventually be personalized?
- can the ISP's username/passwords be captured (say, if some of this software
will be real spyware)?
The software which communicates with the online trader
must not leak anything to developers or other places,
must not autoupgrade,
must be on a separate PC too and
not visit any other sites besides the trusted online trader, even Microsoft.com
(just to be consistent ;-( )
This is the *price for ultimate security*, which looks acceptable.
What do privacy/security folks think about this?