From: Phil Agre <[EMAIL PROTECTED]> [See also <http://www.peacefire.org/censorware/X-Stop/xsdecode/>. Reformatted to 70 columns.] =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This message was forwarded through the Red Rock Eater News Service (RRE). You are welcome to send the message along to others but please do not use the "redirect" option. For information about RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Date: Wed, 1 Mar 2000 15:05:04 -0600 From: [EMAIL PROTECTED] Subject: I-Gear list cracked; privacy violations and error rate One week after our report on the decryption of X-Stop's blocked site list, Peacefire has released a program that can decrypt the list of 437,000 sites blocked by I-Gear, another "censorware" program now owned by Symantec. The codebreaker program can be downloaded from: http://peacefire.org/censorware/I-Gear/igdecode/ (This page also has instructions on how to obtain I-Gear's encrypted list without having to download and install I-Gear.) We performed an experiment similar to our X-Stop test: we extracted student pages in the ".edu" domain that were blocked in the "Sex/Acts" category, looked at the first 50 URL's that were still working, and found that 76% of the blocked pages were obviously errors! This sounds ridiculously high, but I saw the blocked pages myself, otherwise I wouldn't believe it. The list of 50 examined sites is at: http://peacefire.org/censorware/I-Gear/igear-blocked-edu.html We also discovered that when you install I-Gear, it scans in your real name and company name from your computer and uploads this information to Symantec. Not the "real name" that you give the program during the registration process -- your actual real name that you used to register your copy of Windows. (This is the name that shows up on the "General" tab of the System applet in Control Panel.) Symantec's privacy policy, on the other hand, states: http://www.symantec.com/legal/privacy.html "The choice of how much personally identifiable information you disclose to Symantec is completely at your discretion." Again, we believe these discoveries will bear on the ongoing debate over the Digital Millennium Copyright Act, UCITA (the law strengthening the force of draconian "license agreements" that prohibit users from examining products by reverse engineering) and the DVD codebreaking court cases. Reverse engineering I-Gear and decrypting the list was the *only* way to obtain a reliable figure for the error rate of their product, rather than just coming up with a list of blocked sites. Even the discovery that I-Gear retrieves and uploads your real name to the manufacturer, was discovered through reverse engineering. If such reverse engineering becomes illegal, it will become very difficult for third parties to criticize software in general, other than the user interface and other aspects that are visible without "looking under the hood". -Bennett [EMAIL PROTECTED] http://www.peacefire.org (425) 649 9024
