Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello

Ok, follow up on the auriate story
(this time then from a security expert (g)):

Quote:

I have been contacted by several legal firms who have requested that I post
a message in their behalf.
They are seeking anyone who is interested in becoming a representative in
your home state for a class action lawsuit against Aureate Media and its
affiliates.  If you are interested in doing this, send email that includes
your contact information to me and I will pass it on to them.

NOTICE: Neither Net-Defender or I are involved in any legal action against
Aureate or its affiliates. I have simply been requested to provide a post to
this list by the legal firm(s) who are seeking representatives from all
states.

I have also been contacted by several State Crime Investigators who are
requesting that any other State officials who are actively preparing State
Computer Crime charges against Aureate contact them through me as well.  I
will forward any contact information your provide on to them.

I AM ONLY FULFILLING REQUESTS FOR POSTING THIS INFORMATION.  NEITHER
NET-DEFENDER NOR I ARE INVOLVED BEYOND POSTING THIS MESSAGE ON THEIR BEHALF.

--
Dale Haag
CCSA/CCSE/CCSI/CNTE/CIE/CFE/CCI/CFT/VCS/CSI/ICSA/ISSA/HTCIA/HTCN
President
Net-Defender, Inc.
Seabrook, TX 77586
281-532-1488
http://www.net-defender.net


EOQ





Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/5 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Steve Lamb]

Thursday, March 02, 2000, 2:02:55 AM, tracer wrote:
> Not true, I referred to Anglefire as it had a nice visible website but
> I got the info direct from the very first guy who posted it.

Then you should have included those cites as well.  A cheap, lame HTML,
backwards site quoting someone else is hardly the way to convince people it is
real.  Hell, when I send out security alerts (which is rare) I normally cite
at least 3-4 different sources so the people know that I'm nut just making it
up nor am I just repeating something that someone else said.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Marck D. Pearlstone]

Hi Simon,

On  02 March 2000  at  14:06:23 GMT + (which was 14:06 where I
live) [EMAIL PROTECTED] wrote and made these points:

S> How-do-you-do,

Watchfully. ;-)


416E64 4D6172636B 73616964: 2249 63616E 72656164 74686973 73747522122


-- 
Cheers,
.\\arck

Marck D. Pearlstone, Consultant Software Engineer
Moderator TBUDL / TBBETA
www: http://www.silverstones.com
PGP key: 

*---
| Using The Bat! 1.41 Beta/3 S/N 14F4B4B2
| under Windows 98 4.10 Build 1998  
*---

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello Steve Lamb,
On Wed, 1 Mar 2000 18:43:13 -0800 GMT your local time,
which was Thursday, March 02, 2000, 9:43:13 AM (GMT+0700) my local time,
Steve Lamb wrote:


> On Thu, Mar 02, 2000 at 09:21:13AM +0700, tracer wrote:
>> I donot mind that but you should be TOLD.
>> So you have a choice not to install or even download it.
   
> Male-cow-dung!  It is /ADWARE/.  Geez, it is common knowledge that adware
> in the past, oh, 2-3 years does tracking!  It is like all those membership
> cards everywhere.  They are there to track you!  The fact that ads are
> embedded into it is a clear indication of that.  They tell you that in the
> readme that comes with the program!  YOU ARE TOLD.

Not with dialer 2000. I even reread the help file.
That was the only one I had active.
Ok, it has an option to display or not display banners but since its
switched off, no banners




Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/3 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello István Szendrõ,
On Thu, 2 Mar 2000 07:14:05 +0100 GMT your local time,
which was Thursday, March 02, 2000, 1:14:05 PM (GMT+0700) my local time,
István Szendrõ wrote:


> Hello Steve,

> Wednesday, March 01, 2000, 7:15:17 PM, you wrote:

SL>> The point I was trying to make isn't that the program was doing something,
SL>> the point was that what the program /was/ doing wasn't confirmed by a
SL>> reputable source as anything contrary to what the user was told.  To be blunt
SL>> about it, a good portion of what those DLLs do I laughed at because I can't
SL>> see how it really effectively could do most of it.

SL>> The time to worry is when a /REPUTABLE/ source, not a joe-blow dorkwad on
SL>> angelfire (AKA, can't even afford web space of his own) who most likely
SL>> suffers from rectal-cranial inversion says that someone is doing something
SL>> wrong and sneaky.

> Would a security expert be reputable enough to you to be credible?

> You and those concerend about the matter may want to read this
> statement made by Dale A. Haag from Net-Defender (527 Hedgecroft,
> Seabrook, TX 77586; Phone: 281-532-1488)

> http://grc.com/dalehaag.zip

Added that grc.net is maintained by a guy called Steve Gibson who is  a hard
disk expert, a damned good programmer (Spinrite being on of his
products)
In case anyone wants to test he has some excellent primers on the site
about firewalls and has some scripts setup to test the holes in your
system...

Thanks for the post as I didnt know about this zipfile sitting there!

In case anyone runs 256 colours, he got the most fantastic small and
fast and assembler written screen savers or graphical trick programs
you can imagine.


Also special scsi drivers, the analysing stuff for click of death
zips/Jazz drives.



Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/3 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello Steve Lamb,
On Wed, 1 Mar 2000 15:35:47 -0800 GMT your local time,
which was Thursday, March 02, 2000, 6:35:47 AM (GMT+0700) my local time,
Steve Lamb wrote:



> Joe-blow on Angelfire was reposting what someone else had said, cited a
> source I had never even heard of before and clearly hadn't done any
> investigation of his own.  Further, when it was posted here it was with a
> reference to joe-blow on angelfire and, again, with no investigation on the
> part of the poster.

Not true, I referred to Anglefire as it had a nice visible website but
I got the info direct from the very first guy who posted it.


> So, let's compare:

> 1: Some schmuck who doesn't know how computer works and clearly can barely
> code in a markup language and citing someone else who, themselves, isn't worth
> mentioning in the field of security is cited to this list.

he happens to be QUITE well known... with his own website, domain etc
etc. And I am sure that if he says data is going out its going out.
maybe one time, maybe all the time and they are still checking whats
exactly happening.
As the info says:  they arent sure whats being transmitted..
Something though IS getting out and it isnt just ads.
I have send him an email to see if I can get further details and a
request to wring those DLL's neck (his terminology)  so that they stop
talking...
I would strongly suspect that with at least 3 topgrade cracking groups
being involved and annoyed about it that these dll's will find some
dumb replacements...

> 2: Bugtraq discussion basically blowing it off as part and parcel of what the
> program does.  Bugtraq being one of the top security-related lists on the net.

The company making the dll's also denies it partly or says its just
the standard MS way of doing things...
But a security hole is a hole if owner doesnt realise its there.
Which means it needs plugging.

I have run a trojan via one of those dll's to a friend as an
experiment and with compression the antivirus doesnt see it and
neither does the firewall if the module is allowed to communicate.
(IE I had the server on my system)
My cdrom dutifully opened and closed via remote control (g)


Anyway, lets stop the discussion, it wasnt meant as discussion
subject as a starter, just so that people can make up their own mind
and are at least aware of a potential problem.
And with argueing we just get dead horses (g).
I work in security myself so I know all about fake warnings.
But also the lack of certain warnings and the rigidity of some
armchair experts.
And no, that doesnt mean you (g)



Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/3 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Steve Lamb]

On Thu, Mar 02, 2000 at 09:21:13AM +0700, tracer wrote:
> I donot mind that but you should be TOLD.
> So you have a choice not to install or even download it.
   
Male-cow-dung!  It is /ADWARE/.  Geez, it is common knowledge that adware
in the past, oh, 2-3 years does tracking!  It is like all those membership
cards everywhere.  They are there to track you!  The fact that ads are
embedded into it is a clear indication of that.  They tell you that in the
readme that comes with the program!  YOU ARE TOLD.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-
-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello Leif Gregory,
On Thu, 2 Mar 2000 06:57:11 +0900 GMT your local time,
which was Thursday, March 02, 2000, 4:57:11 AM (GMT+0700) my local time,
Leif Gregory wrote:


> This weekend, I'll examine more packets from longer sessions using
> multiple advertiser supported software. I'm not saying that the
> original claims are unfounded, but I find it kind of hard to believe
> that all the information that the original poster says is being sent
> is actually getting sent.

Agreed, and I myself will do the same and ask more details from the
original poster...

However true or not true, its an unauthorised hole in my system and
that can be misused.

> Leif Gregory 



Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/3 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello Steve Lamb,
On Wed, 1 Mar 2000 10:15:17 -0800 GMT your local time,
which was Thursday, March 02, 2000, 1:15:17 AM (GMT+0700) my local time,
Steve Lamb wrote:




> The time to worry is when a /REPUTABLE/ source, not a joe-blow dorkwad on
> angelfire (AKA, can't even afford web space of his own) who most likely
> suffers from rectal-cranial inversion says that someone is doing something
> wrong and sneaky.

The original writer has a website of his own, even a domain...
And I happen to know him and he most certainly wouldnt waste his time
on something which is a fake.
Its excellent programmer and runs one of the wellknown cracking
groups... in his spare time...
And he knows security

If he messes up with something as basic as this, believe me he gets
more noise and laughter then recognised experts being wrong (g)

Anglefire was a repost, the cleaner though has a saving option instead
of the original which just zapped.
Afterall I can hardly post his password protected site here on the
net...
As said renaming files is better as some programs insist on them being
present, dialer 2000 being one of them.


Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/3 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello Tom Plunket,
On Wed, 1 Mar 2000 10:11:21 -0800 GMT your local time,
which was Thursday, March 02, 2000, 1:11:21 AM (GMT+0700) my local time,
Tom Plunket wrote:


> tracer wrote:

t>> Wednesday, March 01, 2000

t>> Hello Bat-users,

t>>   http://www.angelfire.com/rock/fangthane/index.html

t>>   if you like your privacy worth reading and following whats
t>>   happening...

> What's happening is that you're downloading shareware that's
> "supported by advertisements."  The "fix" is to not download or use
> software that uses these DLLs in the first place, not to try to
> circumvent the mechanism through which shareware authors are actually
> getting paid.

I donot mind that but you should be TOLD.
So you have a choice not to install or even download it.
As said my firewall now pulls their teeth And I wouldnt spend one cent
on a program using tricks like this as you will never be sure what a
registered version does. I use reget (registered) as it clearly
offered the choice between the 2 types of usage. So I paid..



Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/3 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello Steve Lamb,
On Wed, 1 Mar 2000 09:54:54 -0800 GMT your local time,
which was Thursday, March 02, 2000, 12:54:54 AM (GMT+0700) my local time,
Steve Lamb wrote:


> Wednesday, March 01, 2000, 9:46:43 AM, tracer wrote:
>> If you had read whats being uploaded from ones system then its clearly
>> not exactly what they are telling...

> I read it and I don't trust the person who posted it /UNLESS/ it is from a
> recognized security source.  I named two.  Why?

> How many people told you about the Goodtimes virus through the years?
> 'nuff said.

Agreed.
When it has to do with virus strains and those silly broadcast mails.

However while you may not consider the various cracking groups
recognised experts, they arent ignorant end users and some of the guys
involved know more about security then most security experts
Admittedly some fluff and false rumours will be involved but like in
my own case dialer 2000 happily installs no warning and it doesnt run
without that dll being present.
I expect in the next few days a replacement dll to apear keeping the
various programs happy but not wanting to talk to outsiders...



> Yeah, block outbound connections to port 1975, yay, that was hard.  No, it
> shouldn't be accepted but paranoia is also not to be accepted.  I'm big on
> privacy, but I'm also tired of all the bogus alerts going around which are not
> confirmed through people who stake their names and reputations on verifying
> such exploits and privacy violations.

Ok, not what I use myself but so what?
Something simple to plug a hole is better then nothing.

Its not a bogus alert unless you like things to run without realising
they do.
Check your own system which of those dll's you have...
I noticed several emailers and news mailers on the list so likely you
do!


As a test I hung a trojan on the dll's and they happily communicated
as trojan and as dll as before and thats a danger...

If a firewall enables the program/dll you could have a damned trojan
at the same time...
Unauthorised transmissions in and out of my system I consider a
security hole, doesnt even matter what they get out of it.




Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/3 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Shanmugam Ganeshkumar]

Hello Leif,

Hello Leif,

Just the point that I was trying to make to before, but got out of my
way. Well, for all who missed the actual threads, here are some of
them;

Read this first ;

http://grc.com/aureate.htm


for more;

http://kumite.com/myths/

http://pub3.ezboard.com/fzorsboardgeneraldiscussion.showMessage?topicID=839.topic

http://pub3.ezboard.com/fzorsboardgeneraldiscussion.showMessage?topicID=866.topic

there are few more anispy removers coming up these days to get rid of
those auerate dll's.

Ganesh.




On Thu, 2 Mar 2000, Leif Gregory wrote:

Hello Steve, 

On Wed, 1 Mar 2000 at 10:15:17 [GMT -0800], you wrote:
SL> The point I was trying to make isn't that the program was doing
SL> something, the point was that what the program /was/ doing wasn't
SL> confirmed by a reputable source as anything contrary to what the
SL> user was told. To be blunt about it, a good portion of what those
SL> DLLs do I laughed at because I can't see how it really effectively
SL> could do most of it.

I'll side with Steve on this issue. The first time I saw this was from
a similar post to TBBETA. I also checked around on other sites to see
what was being said about the whole issue. What I found mostly, is
that the other pages were just either repostings or paraphrasing of
the original.

I couldn't find any other information to support the original claim.
While I did D/L the cleaner utility, I didn't run it because I
couldn't immediately see anything out of the ordinary when examining
the captured packets between my machine and the advertiser host while
running CuteFTP advert supported software.

This weekend, I'll examine more packets from longer sessions using
multiple advertiser supported software. I'm not saying that the
original claims are unfounded, but I find it kind of hard to believe
that all the information that the original poster says is being sent
is actually getting sent.



Leif Gregory 

-- 
TBUDL/TBBETA List Moderator
ICQ 216395 <[EMAIL PROTECTED]>
Web Site   
TBUDL FAQ  

PGP Key ID: 
  0x8604279A (DH/DSS)
Fingerprint: 
  9E16 4316 FA42 5DC6 EB1D  D0ED D37A 858A 8604 279A


Using The Bat! 1.41 Beta/3 under Windows 98 4.10 Build  A  
on a Pentium III 500 MHz notebook with 128MB.

Tagline of the day:
If there was a rule for jumping off a bridge, you'd probably use it.



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : [EMAIL PROTECTED]



 ___
|   |
| Shanmugam Ganeshkumar |
| Asian Center for Research on Remote Sensing (ACRoRS)  |
| School of Advanced Technology |
| Asian Institute of Technology |
| POBox 4, Klong Luang, Pathumthani 12120, Thailand |
| Lab (+66)(2) 524 6148  Office (+66)(2) 524 5580 Fax (+66)(2) 524 6147 |
| Official : [EMAIL PROTECTED]  Personal : [EMAIL PROTECTED] |
| http://www.acrors.ait.ac.th   http://www.acrors.ait.ac.th/gac |
|___|

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Steve Lamb]

Wednesday, March 01, 2000, 3:17:44 PM, Simon wrote:
> what happens next? Does it get ignored? Does everyone shout "ahh, its
> a stupid lamer creating more bogus alerts"? Some will, but eventually

However, before I made that determination about this case I /DID/ check
bugtraq and found discussion on it dismissing what it did.  I also posted that
on here as a URL for all to look at.  I then also downloaded it and installed
it to see what it does, how it presents itself and how it works in a general
sense.

Joe-blow on Angelfire was reposting what someone else had said, cited a
source I had never even heard of before and clearly hadn't done any
investigation of his own.  Further, when it was posted here it was with a
reference to joe-blow on angelfire and, again, with no investigation on the
part of the poster.

So, let's compare:

1: Some schmuck who doesn't know how computer works and clearly can barely
code in a markup language and citing someone else who, themselves, isn't worth
mentioning in the field of security is cited to this list.

2: Bugtraq discussion basically blowing it off as part and parcel of what the
program does.  Bugtraq being one of the top security-related lists on the net.


I dunno about you, but I'd side with BugTraq.  I'll grant that sometimes
L0pht, BugTraq, CERT, SERT(sp?) and a few other organizations will not be the
first to report it.  This is not the case here.  When they do report it, which
is the case here, I'm more apt to go with them.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Leif Gregory]

Hello Steve, 

On Wed, 1 Mar 2000 at 10:15:17 [GMT -0800], you wrote:
SL> The point I was trying to make isn't that the program was doing
SL> something, the point was that what the program /was/ doing wasn't
SL> confirmed by a reputable source as anything contrary to what the
SL> user was told. To be blunt about it, a good portion of what those
SL> DLLs do I laughed at because I can't see how it really effectively
SL> could do most of it.

I'll side with Steve on this issue. The first time I saw this was from
a similar post to TBBETA. I also checked around on other sites to see
what was being said about the whole issue. What I found mostly, is
that the other pages were just either repostings or paraphrasing of
the original.

I couldn't find any other information to support the original claim.
While I did D/L the cleaner utility, I didn't run it because I
couldn't immediately see anything out of the ordinary when examining
the captured packets between my machine and the advertiser host while
running CuteFTP advert supported software.

This weekend, I'll examine more packets from longer sessions using
multiple advertiser supported software. I'm not saying that the
original claims are unfounded, but I find it kind of hard to believe
that all the information that the original poster says is being sent
is actually getting sent.



Leif Gregory 

-- 
TBUDL/TBBETA List Moderator
ICQ 216395 <[EMAIL PROTECTED]>
Web Site   
TBUDL FAQ  

PGP Key ID: 
  0x8604279A (DH/DSS)
Fingerprint: 
  9E16 4316 FA42 5DC6 EB1D  D0ED D37A 858A 8604 279A


Using The Bat! 1.41 Beta/3 under Windows 98 4.10 Build  A  
on a Pentium III 500 MHz notebook with 128MB.

Tagline of the day:
If there was a rule for jumping off a bridge, you'd probably use it.



-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Steve Lamb]

Wednesday, March 01, 2000, 10:27:56 AM, Simon wrote:
> 'reputable source'. Some Joe-blah suffering from rectal-cranial
> inversion might just save your arse one day because you might have
> been looking up your own dark side for a bit to long!.

WARNING

I just discovered a new threat on the internet!  It seems that most
everyone has a program installed on their machine, often with out their
consent, which contacts remote machines and transmits their username and
password /IN THE CLEAR!/  This is a gross violation as anyone along the path,
not to mention the end site, can retrieve this information and use it to log
on as the user!  Often this is done on ports 110, 143 or 220!

The following programs have been found to contain this security threat!
You should immediately block the above mentioned ports or remove the following
programs until this /SEVERE/ security hole is plugged!

Eudora
Netscape
The Bat!
PMMail
Calypso
Outlook
ICQ
Powerbar

As more are found we'll update our list!!!

WARNING















So, how many of you identified that as POP, IMAP2/4 and IMAP3 and the
username/password sent is needed to gain access to the remote mailboxes.  IE,
it is a part of how the software was described to be used?

Now tell me, how is the above different from some schmuck on angelfire
spreading FUD about a company when he probably doesn't have the basic
understanding of what is going on in the first place?  Nothing.  Both describe
a product in a paranoid manner even though both are most likely operating in
exactly the manner described.

That is why you should rely upon reputable reports from people who know
their business and not from some crack-pot newbie.  The newbie, invariably,
gets it wrong and causes more damage in his chicken-little act than good.


-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Tom Plunket]

tracer wrote:

t> Wednesday, March 01, 2000

t> Hello Bat-users,

t>   http://www.angelfire.com/rock/fangthane/index.html

t>   if you like your privacy worth reading and following whats
t>   happening...

What's happening is that you're downloading shareware that's
"supported by advertisements."  The "fix" is to not download or use
software that uses these DLLs in the first place, not to try to
circumvent the mechanism through which shareware authors are actually
getting paid.


-tom!
-- 
[EMAIL PROTECTED]

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Steve Lamb]

Wednesday, March 01, 2000, 10:00:18 AM, Simon wrote:
> Privacy is privacy. Sneaky tactics are sneaky tactics. These companies
> need to get with the program and shouldn't get away with it. If they
> don't have our permission then they just shouldn't be allowed to do
> it. Yeah, blocking a port is OK, and easy, but how many blasted ports
> do we end up blocking?

The point I was trying to make isn't that the program was doing something,
the point was that what the program /was/ doing wasn't confirmed by a
reputable source as anything contrary to what the user was told.  To be blunt
about it, a good portion of what those DLLs do I laughed at because I can't
see how it really effectively could do most of it.

The time to worry is when a /REPUTABLE/ source, not a joe-blow dorkwad on
angelfire (AKA, can't even afford web space of his own) who most likely
suffers from rectal-cranial inversion says that someone is doing something
wrong and sneaky.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Steve Lamb]

Wednesday, March 01, 2000, 9:46:43 AM, tracer wrote:
> If you had read whats being uploaded from ones system then its clearly
> not exactly what they are telling...

I read it and I don't trust the person who posted it /UNLESS/ it is from a
recognized security source.  I named two.  Why?

How many people told you about the Goodtimes virus through the years?
'nuff said.


> However uploading ones personal data isnt something one should accept.
> For those who use at guard firewall, settings can be supplied to pull
> the teeth of the dll's in question.

Yeah, block outbound connections to port 1975, yay, that was hard.  No, it
shouldn't be accepted but paranoia is also not to be accepted.  I'm big on
privacy, but I'm also tired of all the bogus alerts going around which are not
confirmed through people who stake their names and reputations on verifying
such exploits and privacy violations.

-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[tracer]

Hello Steve Lamb,
On Wed, 1 Mar 2000 09:10:55 -0800 GMT your local time,
which was Thursday, March 02, 2000, 12:10:55 AM (GMT+0700) my local time,
Steve Lamb wrote:


> Wednesday, March 01, 2000, 8:53:28 AM, tracer wrote:
>>   http://www.angelfire.com/rock/fangthane/index.html

>>   if you like your privacy worth reading and following whats
>>   happening...

> Hmmm, anything on Angelfire is worthy of suspicion.  Any CERT/Bugtraq
> advisories on the matter?

Well, there are other sites on the web with similar data, this happens
to be a site where I dug up the best cleaner..


> Yup, here's a Bugtraq article:

> 
>http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-04-22&[EMAIL PROTECTED]

> Summary: The port is opened to get banner updates, nothing more.

> In fact, I looked through several threads and not only is this the case,
> but all the information on the angelfire site was known to the bugtraq people
> and have been said to explained to the customer that it was being downloaded
> in the first place.  Hardly something worthy of a notice like this.


If you had read whats being uploaded from ones system then its clearly
not exactly what they are telling...

or just to quote a short piece of one of the texts:

Quote:

 Here is a review of the contents and
 code contained in the DLL's that Aureate makes use of. Here are a
 few of my findings up to this point:

 advert.dll
 ===

 This DLL creates a hidden window every time you open your browser. It
 creates and sends 4 pages of information to the Aureate servers using
 port 1749 on your system, these pages include:

 1. Your name as listed in the system registry ( not the name you
 installed one of the programs with )
 2. Your IP address
 3. The reverse DNS match of your address. ( tells them what ISP and
 area of country you are in )
 4. A listing of ALL software that is shown in your registry as being
 installed. ( Not just the companies they work with )
 5. This DLL sends the following information to their server on all
 URL's you visit:
 A.) ad banners you may click on
 B.) all downloads you do showing the filename/file
 size/date/time/type of file(image, zip,executable, etc)
 C.) full time and date stamps of all your actions while
 using your
 browser
 D.) the remote dialup number you are dialing in on (taken out of
 your dialer configuration)
 E.) dialup password if saved, does not "appear" at first glance
 to send this through to them.
 6. Contains programmers note: "Show me the money! I want to
 be Mike!"

EOQ

And agreed, this subject has been discussed on various sites on the
web.
However uploading ones personal data isnt something one should accept.
For those who use at guard firewall, settings can be supplied to pull
the teeth of the dll's in question.

And considering the list of programs using this trick (calypso being
one of them) worth it to remove these undesirable dll's...




Best regards,
 
tracer
-- 

Using theBAT 1.41 Beta/3 with Windows 98
mail to : [EMAIL PROTECTED]
I am using FireTalk: 321338
ICQ: on request 
Website: www.phuketcomputers.com
Our special website hosting/mailservers are now operational

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org

Re: OT: some programs, emailers as well use buildin spy modules....

[Steve Lamb]

Wednesday, March 01, 2000, 8:53:28 AM, tracer wrote:
>   http://www.angelfire.com/rock/fangthane/index.html

>   if you like your privacy worth reading and following whats
>   happening...

Hmmm, anything on Angelfire is worthy of suspicion.  Any CERT/Bugtraq
advisories on the matter?

Yup, here's a Bugtraq article:

http://www.securityfocus.com/templates/archive.pike?list=1&date=1999-04-22&[EMAIL PROTECTED]

Summary: The port is opened to get banner updates, nothing more.

In fact, I looked through several threads and not only is this the case,
but all the information on the angelfire site was known to the bugtraq people
and have been said to explained to the customer that it was being downloaded
in the first place.  Hardly something worthy of a notice like this.



-- 
 Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
 ICQ: 5107343  | main connection to the switchboard of souls.
---+-

-- 
--
View the TBUDL archive at http://tbudl.thebat.dutaint.com
To send a message to the list moderation team double click here:
   
To Unsubscribe from TBUDL, double click here and send the message:
   
--

You are subscribed as : archive@jab.org