NetZip and Netscape SmartDownload Spy On You

By Incognegro in News
Fri Jul 14, 2000 at 02:22:37 PM EST
Tags: Security

A SERIOUS New Spyware Threat ... Excerpt from Steve Gibson's latest newsletter

NetZip's "Download Demon" was purchased by Real Networks and renamed "Real Download". Then Netscape/AOL licensed it from Real and called it "Netscape Smart Download."

By watching the "packet traffic" flowing in and out of one of my machines while downloading a file through the Internet, I verified the rumors which you may have heard regarding these programs: All of these programs immediately tag your computer with a unique ID, after which EVERY SINGLE FILE you download from ANYWHERE on the Internet (even places that might not be anyone else's business) is immediately reported back to the program's source where it is logged and recorded along with your machine's unique ID. They also have the opportunity to capture and record your machine's unique Internet IP address.

This information is then compiled and used to create a detailed "profile" about who you are based upon the web sites you visit and the files you have downloaded.

Perhaps you don't mind being watched and tracked as you move around the Internet ... and then having every file you download logged and cataloged and used to assemble "your profile". But the idea of this seems extremely invasive to me, and unless you have carefully read the program's license you might not be aware that this is going on or that "you agreed to it" when you accepted the terms of the license!

More than 14 Million people are already using the original NetZip Download Demon. NetZip knows the exact number, since every copy of their program "phones home" to report on what their users are doing! And I'm sure people are downloading Real Network's RealDownload and Netscape's SmartDownload like crazy.

A Class Action lawsuit was recently filed against Netscape/AOL because of this privacy invasion, so perhaps the PC industry will begin to receive the message that this sort of secret spying and profiling is not okay with the rest of us, even if it is buried within a lengthy license agreement. You decide.

And, of course, the next release of my own OptOut spyware detection and removal utility WILL consider these programs to be dangerous, and warn its users of their presence in their systems. But I wanted to be sure that you knew RIGHT AWAY what was going on, and that I had independently confirmed that this invasive file download tracking really was occurring.

If you have questions or comments, please see ... The Newsletter Forum ... or ... Web Discussion

Thank you for your time. I hope this has been useful to you.

NetZip and Netscape SmartDownload Spy On You | 40 comments (20 topical, 20 editorial, 0 hidden)
First topical comment (1.50 / 2) (#19)
by cesarb on Fri Jul 14, 2000 at 02:50:53 PM EST

Come on, I can't believe a story got to the front page but didn't generate any discussion!

Re: First topical comment (3.80 / 4) (#23)
by kkeller on Fri Jul 14, 2000 at 06:12:19 PM EST

What's to discuss? *Everyone* is spying on you. Didn't you know that?

• If you're on PPP/DSL, then generally your TCP/IP packets can be snooped by your ISP.
• If you're on cable modem, then it's even possible your layer 2 frames can be read, too. Not just by your ISP, but also by your neighbors.
• Every ISP that owns a router on the route from you to your destination can sniff your packets.
• We're not even above layer 3 yet. Remember this story? FTP sites can log your IP and your file transfers. Web sites can log your IP and your transfers.

Paranoid? Maybe. But if you're transferring unencrypted bits over the network, you're creating numerous opportunities for spying. And few sites are rigged to allow arbitrary encrypted data transfer. (This is mostly limited to commerce sites, at least in my experience.)

Well, at least I'm ''generating discussion'', eh? :-)

[ Parent ]

  • Info, duuude (3.00 / 2) (#20)
    by Anonymous Hero on Fri Jul 14, 2000 at 03:46:05 PM EST

    You can find Steve Gibson's page at www.grc.com and test your firewall by going to some portscanning pages he made... pretty cool.

    toss in a Carnivore and you've got a great recipe. (none / 0) (#24)
    by ribone on Fri Jul 14, 2000 at 06:25:53 PM EST

    Gee, after reading about the FBI's little toys for the last day or so I can see where this could get really scary if AOL ever decided to allow (assuming they haven't done so already) the FBI into their network... use your imagination.

    Re: toss in a Carnivore and you've got a great rec (4.00 / 1) (#32)
    by Metrol on Sat Jul 15, 2000 at 07:55:19 PM EST

    The FBI's use of Carnivore is based on whether or not an ISP has a member on their service that they wish to monitor. Considering the number of people who use AOL, the smart money would be betting on having a couple of Carnivore boxes in permanent residence at AOL.

    Out of 30 million subscribers, there is always going to be at least one that the FBI has an interest in. Heck, they don't even really need to be interested in any of them for a criminal investigation, they just need to justify 1 solitary member every once in a while for a warrant. How difficult could that possibly be? Make no mistake, the FBI could probably justify a search warrant on darn near anybody for some kind of federal violation. There's plenty of laws on the books that would make this possible.

    In addition, you can just bet that Earthlink and other nationwide ISP's also fall under the same kind of scrutiny. Of course, the FBI has a history of how worthy of trust they are. Along these lines, I'd like to leave a special message here.

    Bombs
    Allah
    President
    UN
    malitia

    Thank you

    [ Parent ]
    Totally shameless self-promotion (4.00 / 2) (#25)
    by Anonymous Hero on Fri Jul 14, 2000 at 06:31:48 PM EST

    This has been hashed out already in the editorial comments, but I figure this should be mentioned in the topical comments as well. The last paragraph of the story says it all:
    And, of course, the next release of my own OptOut spyware detection and removal utility WILL consider these programs to be dangerous...
    The whole "story" is just a stupid advertisement. Ugh.

    Re: Totally shameless self-promotion (4.00 / 1) (#26)
    by Anonymous Hero on Fri Jul 14, 2000 at 06:42:13 PM EST

    It's an advertisement for a free product.

    [ Parent ]
    Re: Totally shameless self-promotion (5.00 / 1) (#27)
    by kkeller on Fri Jul 14, 2000 at 07:52:22 PM EST

    Unfortunately, it's not. There *is* a free OptOut package (which looks free as in beer, not free as in freedom), but it only detects one kind of ''spyware'' that Gibson describes. The *commercial* version of OptOut will have more ''features'' that demand charging a fee and keeping the source code closed.

    I do want to point out that the original poster in this thread cut off his quote a little early: the article goes on to say that (paraphrased) he wanted to get word of this ''spying'' out before his commercial product is released, to warn the public.

    (Whether this is a play on people's paranoia is another issue. Will paranoia sell copies of his software? Who cares? Is his product open-source? No. Will I buy it? No.)

    [ Parent ]

    Re: Totally shameless self-promotion (none / 0) (#40)
    by soulhuntre on Tue Jul 18, 2000 at 09:21:10 PM EST

    I don't get what you're bitching about. The story on the website gives you complete information on the threat including all the information you need to decide whether to remove the program by hand or not.

    The information is complete, detailed and accurate. So stop whining.



    [ Parent ]
    What shall I block? (4.00 / 2) (#28)
    by KindBud on Fri Jul 14, 2000 at 08:35:46 PM EST

    Since you've done the research, would you care to share with us the ports and IP addresses to which this information is being sent, so I can block it at my network borders?

    Or would that cut into your revenues from selling OptOut Gold, or whatever the not-free-as-in-beer version will be called?

    --
    just roll a fatty

    heh (none / 0) (#29)
    by henrik on Fri Jul 14, 2000 at 10:48:17 PM EST

    Maybe it's a good thing i never got the darn thing working back in my windows days :)

    -henrik

    Akademiska Intresseklubben antecknar!

    The Transfer is the Key (5.00 / 1) (#30)
    by Deus Ex Machina on Sat Jul 15, 2000 at 02:17:29 AM EST

    I wonder, what port does this information get sent out on? What transfer method? What kind of IPFW or ipchains filters would be applicable to use in this instance, to make sure that this information doesn't get out? A previous poster mentioned that this newsletter is also a shameless plug for a new product - though I do not believe this to be so (or at least, I don't think that it is so nefarious as to be shameless) I do believe that it would have been _far_ more effective to give this kind of information. People who are interested in computer security need to know this sort of information, and Mr. Gibson should be aware of this sort of thing. I'm not saying that it was his responsibility to let us know such things - just that it would have been nice.

    If anyone else knows the pertinent answers to my first two queries (what port?, what transfer method?) please respond!

    An alternative viewpoint (3.00 / 1) (#31)
    by sms on Sat Jul 15, 2000 at 11:00:33 AM EST

    I read this article a couple of days ago from the register. It seems to give a little more info. http://www.theregister.co.uk/content/6/11895.html

    Define "download a file" (none / 0) (#33)
    by skim123 on Sat Jul 15, 2000 at 11:06:33 PM EST

    Is it just when you download a file like a ZIP or EXE or is it also every time you "download" an HTML page as well?

    Money is in some respects like fire; it is a very excellent servant but a terrible master.
    PT Barnum


    Re: Define "download a file" (none / 0) (#34)
    by Anonymous Hero on Sat Jul 15, 2000 at 11:43:40 PM EST

    I think Gibson means when you download a file using NetZip or SmartDownload. Not using your browser.

    [ Parent ]
    Code of Ethics (2.50 / 2) (#35)
    by Anonymous Hero on Sun Jul 16, 2000 at 09:18:29 AM EST

    To me, this seems to be one of the issues that favors making the practice of software a licensed profession like law:

    • in order to practice software you must be licensed
    • in order to be licensed you must be a member in good standing with the SPPS (Software Practitioners' Professional Society)
    • in order to be a member in good standing you must adhere to a written code of ethics
    • that code of ethics makes specific statements with regard to such things as privacy
    • For example, in that code of ethics the creation of software, which tracks a user without informing that user, could be considered unethical and potentially just cause for revoking the author's membership in the SPPS. If membership in the SPPS is effectively a pre-requisite for professional employment, there are then some teeth in the code of ethics.

      The public is largely unaware of how technologies work and what the implications are of specific technologies. The interests of the government and of corporations are too closely aligned. There needs to be a third, informed, point of view being made from an organization that can put real weight behind its decisions. This would be the role of the SPPS.

      My (Peter Hoffman) web site has some pages on this subject at www.OpenSourcerers.com.



    Re: Code of Ethics (none / 0) (#36)
    by Anonymous Hero on Sun Jul 16, 2000 at 09:35:52 AM EST

    That is really, really stupid.

    Let's impose more restrictions on people!

    Pfft.

    nf
    nf@bigpond.net.au

    [ Parent ]
    Re: Code of Ethics (none / 0) (#37)
    by Anonymous Hero on Mon Jul 17, 2000 at 01:38:16 PM EST

    Oh my goodness. Yes what the programming profession really needs is some centralized authority to say who can and who can't program for pay. Maybe you should team up with Microsoft. I'm sure they could get behind this, purely for the public good of course.

    I'm pretty sure the answers to protecting individual privacy are not going to be found by giving more and more powers to some authority figure or other.


    [ Parent ]
    Re: Code of Ethics (none / 0) (#39)
    by Anonymous Hero on Mon Jul 17, 2000 at 11:46:32 PM EST

    Microsoft will be completely opposed to this idea and will fight it tooth and nail. Making the practice of software a licensed profession will increase salaries to a point on a par with the salaries of corporate lawyers.

    Peter Hoffman
    Open Sourcerers



    [ Parent ]
    Re: Code of Ethics (none / 0) (#38)
    by Anonymous Hero on Mon Jul 17, 2000 at 11:26:57 PM EST

    In reply to the other two posters...

    My point is that the privacy issue and many others are going to be decided for us by politicians and corporate executives because there is no one representing programmers.

    It does no one any good to pretend the inevitable is not going to happen. Software will become a regulated industry as is nearly every other industry. We can sit back and wait to be told how to run our show or we can form a credible group and be professionals.

    If we fail to make the transition from an ad hoc trade to licensed profession soon we will lose the opportunity.

    Peter Hoffman
    Open Sourcerers

    [ Parent ]