 | TDS backdoor? There is a rather interesting but somewhat alarming discussion going on over at GRC concerning the ethics of TDS and the ethics of taking email addresses without a user's knowledge or permission.
This surely appears to be an invasion of privacy, possible theft of data and a deliberate backdoor in the program, which in some respected people's opinions, makes it probably unsafe to run their code. In light of other rumors that the program uses code written by hackers from tlsecurity I feel that this is an important issue to discuss. There is also another issue of the legality of taking people's email addresses and sending unsolicited email to these people.
This leaves one to assume that if TDS is taking email addresses without a user's knowledge then it is in fact a trojan itself.
The thread starts at »grc.com/x/news.exe?utag=&group=g···ier+Item s and continues for many pages.
It would also be interesting to hear comment from wilders.org and whether they were aware of this or not.
I don't have the technical knowledge about these programs that some of you guys do and would appreciate any feedback and your opinions about relevance of the GRC posts.
Thanks |
|
|
|
 jabbawest Orbis Hirsutis Premium join:2001-11-06 Lavon, TX
| Edit: Never Mind-- Computer Cops | Proxomitron Web Filter | Dallas Forum [text was edited by author 2002-03-18 13:20:03] |
|
 | reply to Ryan Farmery "This leaves one to assume that if TDS is taking email addresses without a user's knowledge then it is in fact a trojan itself."
Not this "one" but nice try. |
|
 jfgnet12 Step ProgramPremium,MVM join:2001-02-14 Limbo | reply to jabbawest jabbawest, Call up your link, change http: to https: and it will work !! -- Always found in the land of Limbo |
|
 Lurkers incDon't Call Me Doink join:2001-10-13 Seattle, WA
| reply to Ryan Farmery For further reading of the issues also see the "survey" threads at the Wilders forum as well.
»www.security-pro.co.uk/yabb/YaBB.pl and »www.morelerbe.com/cgi-bin/ubb-cg···t=001217
A few comments... I do not like software sending out personal information like an e-mail address without me knowing about it beforehand. From what I understand the only way that would happen is if a specific illegal keygen were used. As far as I know there have not been any complaints from legitimate customers that I can confirm. The letter sent reeked of extortion and I believe it was rewritten.
I think the issue is bigger than one company and important that the collective voice is heard on how far software companies can go to protect their software from piracy.
Also a story from the Washington Post might be on topic.
From the Shareware Industry, Lessons on Keeping Downloaders Honest By Rob Pegoraro.
Paul, [text was edited by author 2002-03-18 14:31:13] |
|
 | reply to Ryan Farmery said by Ryan Farmery: ... taking email addresses without a user's knowledge or permission.
This surely appears to be an invasion of privacy, possible theft of data and a deliberate backdoor in the program, which in some respected people's opinions, makes it probably unsafe to run their code.
This is an inflammatory and grossly inaccurate rendition of the facts.
The suggestions that the code is unsafe or that the behavior in question constitutes a "backdoor" are in my opinion nothing less than a false and intentional effort to foster mistrust and concern on the part of people who lack factual information about the issue.
It's especially disingenuous to raise this issue many days after its thorough discussion and while the GRC website and news server, where the facts reside, are inaccessible due to an ongoing DoS attack.
The fact is, that TDS responds to known pirated registration codes by phoning-home with the user's email address. The user is then sent an email that is in effect, a cease-and-desist message.
What it actually is, is an effort on the part of the author to control piracy of his intellectual property. He has engaged in open dialogue about it.
It may be a very bad idea. It may be intrusive. It may be poorly justified. Much depends on your viewpoint. But it is not a "backdoor" and it does not render the product "unsafe" in any other respect. It is a very specific response to known pirated keyfiles.
There is or was a survey on the TDS site, the results of which will undoubtedly influence the author's future choices.
This is one of the author's statements from the GRC thread, which sums it up well:
... unless you go out of your way to obtain an illegal keyfile, you won't experience any issues at all. If you choose not to buy, TDS will simply expire - it just won't let you run it for more than 30 days, this is standard in a lot of programs. If you do choose to buy, you'll receive a legal key which will allow you to use TDS fully-registered with no restrictions. Either way, you've got nothing to worry about unless you go out of your way to obtain an illegal keyfile. pchelp |
|
 catseyenuAck PfftPremium join:2001-11-17 Fix East | reply to Ryan Farmery It was interesting that the concerted attack of TDS seemed to come (for the most part) from unknown posters (such as here) & unregistered users, except for the one that was identified as having the handle of one of the sub-seven group. Of course when this was pointed out he conveniently disappeared.
Things that make you go Hmmm. |
|
 WildcatboyPremium,Mod join:2000-10-30 Toronto, ON kudos:2 Host: Security Product V.. Security
| reply to Ryan Farmery There have been several threads going on about this at GRC and other forums and I was wondering why people in this forum weren't talking about it.
Of course posting as anonymous doesn't help the issue but I think the subject is one that is worthy of a civilized discussion. It is an important move by DCS and one that may soon become a trend so it's important that we talk about the pros and cons of the issue and it's important that we keep it civilized and free of personal attacks.
I'm so looking forward to this discussion.  -- You can catch the Devil, but you can't hold him long. |
|
 GaryK7 Premium join:2000-08-29 Miami, FL
| It's an ugly practice. But if people won't abide by the law then unusual solutions might be required. Does DCS clearly, and I do mean clearly, disclose that entering a pirated registration code will result in your computer being scanned for personal information that will be used to try and force you to stop using their product? Would such a warning be self-defeating? -- Do you run IIS and need an updated browscap.ini file? Come visit my website and grab a copy for free!
|
|
 catseyenuAck PfftPremium join:2001-11-17 Fix East | reply to Wildcatboy "I'm so looking forward to this discussion."
Best get out your flame proof fecal retardant umbrella, it looks like rain. |
|
 | reply to Ryan Farmery I registered my copy of TDS yesterday so I guess I don't have anything to worry about. I was worried when I first started reading this thread with all that talk of a backdoor in the program. |
|
 tke711Premium join:2001-03-31 Everywhere | reply to Ryan Farmery I'm not sure about this one???
While I certainly understand TDS wanting to protect their product, this may be going a little too far. I don't like the idea of a Trojan scanner becoming what itself seeks to destroy. I know, I know...it only sends back the individual's email address IF you use a known illegal pass key. But, that is still a trojan. It may be a well-intentioned trojan, but a trojan nonetheless.
That being said, I really do understand what they are trying to do and I'm not too sure as to an alternative for them. The only thing I can think of is that when the 30 day trial is over, the program STOPS working altogether. If you then want to purchase a licensed copy, you must download an entirely new .exe file only AFTER TDS receives your payment.
Sure, this may not stop the file from being shared on P2P programs, but it would stop people from downloading the 30 day trial program and simply applying a crack. -- You Cannot Discover New Oceans Unless You Are Willing To Lose Sight Of The Shore |
|
 | reply to GaryK7 said by Trail Blazer: Does DCS clearly, and I do mean clearly, disclose that entering a pirated registration code will result in your computer being scanned for personal information that will be used to try and force you to stop using their product?
Apparently not, at least not initially. The tactic was implemented very recently, and almost immediately resulted in complaints. There seems to have been no prior notice.
I don't know what information is transmitted other than the email address, BTW.
quote: Would such a warning be self-defeating?
Perhaps, but in my own opinion it's something users simply must be told. I feel sure that's where DCS will go with it.
I suspect legitimate users may be willing to buy software that does such things when pirated, but it seems clear that users of all persuasions will always react badly to learning that they were intentionally not told about it. IOW, it's more self-defeating to do it without notice.
pchelp |
|
 WildcatboyPremium,Mod join:2000-10-30 Toronto, ON kudos:2 Host: Security Product V.. Security
| reply to Ryan Farmery
Here's a copy of the email sent to people by DCS. This was posted on one of the boards. quote:
To whom it may concern,
TDS-3 has detected that you are using it illegally - breaking International laws - from address (and/or behind that address), and has reported your actions to our investigations team. The keyname you're using as you know is and we've never had any legal registrations from that name and/or geographical location. As you are probably aware, software piracy is a very serious crime that costs the industry hundreds of millions of dollars each year in lost revenue, so we are co-operating with US, UK and International law enforcement agencies to help stamp out this crime.
However, IT'S NOT TOO LATE FOR YOU. We're offering an amnesty to you and we're prepared to forget about your illegal use of our software if you legally register TDS-3 now, and all investigations and legal proceedings against you will be dropped immediately. We don't ask for any extra money and we're not even asking for an apology - all we ask is that you pay us for the software we created that you use, like any honest citizen with morals would. You'll then be welcomed aboard as a LEGALLY licensed TDS-3 operator, and you will then receive ALL the benefits, including free database updates, a free upgrade to TDS-4 Professional when it is released this year, free access to our private members forum, and much more.
If you do not register the copy of TDS-3 that you've been using illegally we will have no other option but to turn the matter over to the law enforcement agencies to investigate further, which is a path I don't think anybody wants to take.
I also need to mention that TDS will automatically run an update upon installation and check the information against their database. It remains to be seen whether the personal information is transferred after it's determined the software is illegal or it's done in order to determine that.
The information seems to include the email address, username, "Geographical information"? which could be anything from the IP address to the personal registration information on your OS.
It is also important to note that once it's determined the software is pirated, a program runs automatically and deletes TDS files from your computer. This brings the question that if the software is deleted, why the email tries to force people to pay for it. There hasn't been any illegal use and the program no longer resides on the computer so no copyright laws have been broken. So why is there the threat and the scare tactic to get money?
I think the issue here is not necessarily whether piracy is good or bad. The answer to that is a big yes by majority of our members including me. The question is how far a company should be allowed to go in order to protect their interests. -- You can catch the Devil, but you can't hold him long. |
|

| I have also been reading about this on GRC.com! From what I understand the quote that Wildcatboy posted is on a web page that pops up when an illegal keyfile is detected, not in an email (at least that's the impression I got on grc).
I don't blame him for trying to protect his program but I don't agree with the way in which he has gone about it.
Should he have just let the crackers get on with it? No, everyone knows it's wrong.
Should he have included the uninstall routine? Yes, I don't see a problem with this. If it was being used illegally then tough luck on the pirate.
Should he have collected default emails? No, I believe not. I don't see what purpose this serves. As the web page that pops up contains the message then why does he need the email?
I am no lawyer but I don't think collecting emails is legal or if it is legal then it definitely is not moral. I know that using a cracked copy is also wrong but hey, two wrongs don't make a right.
I get the impression from the quote and what has been said on grc.com that this warning is a kind of pay up or else you will be sent to court or whatever, I don't think Wayne meant it like this as he seems a pretty level-headed bloke. I also fail to see how every single user from the 12yr old who uses his dad's PC that got an illegal keyfile to the 45yr old pro pirate that has been selling copies with cracked keys will be sent to court if they don't pay up.
Anyway, what I am trying to say is I totally agree with removing the program from the users system or disabling it or whatever but not (illegally?) collecting emails which are not in any way part of TDS and therefore not his property. [text was edited by author 2002-03-18 16:42:25] |
|
 jfcjrusPremium join:2001-12-09 New England | reply to pchelp7 I am a licensed user of DCS's TDS-3. (two machines) I've spent the last hour reading thru lots of posts on three sites about this issue.
(If I read it right - after filtering thru pages of emotion) DCS, for what they thought was a good reason, hijacked info from someone's PC. Specifically, they got the default email address & sent them a strongly worded email to stop using this illegal copy of TDS-3 (with a pirated key?).
In my opinion, DCS did exactly what I bought TDS-3 to stop! Now, I'm not so ignorant that I don't realize that many (if not all) of my security applications could steal my private info if they wanted (after all, I've given them quite a bit of control?), but for DCS to actually do it is awful! That they did it at all is more important, to me, than why they did it. Customer trust (especially in their field!) is pretty important. I like TDS-3, thought I was buying one of the best.
I didn't like what I read about what they did. But, I may be wrong. The various threads were somewhat disjointed. I'm looking forward to further reports & comments.
|
|
 mytoy join:2002-03-18 600084 | reply to Ryan Farmery This topic has upset me real bad to post a reply. I don't do this! why can some people here saying that it is ok for TDS to take my email address? a question... When i bought TDS they take my email from my browser? If so I AM REAL MAD! to email address that i put in my browser is mine to me. I have split personality. At nite is turn into a sex goddess i not want anyone knowing who i is. i dont care a security firm! From the last message i read like they are doing it for MONEY ONLY! I going delete TDS my computer and start using another program!!! If I was a cracker i still not want anyone get my email address!!! This is bad to me!!! I never trust TDS programs again!!! |
|
 | reply to jfcjrus
Enron or end run..that is my question???? Kind of reminds me of the strategy every company does when they are thinking about getting out of the business and selling off the product, the assets and the goodwill.
The first thing you do for a new potential buyer is clean up the mess and make the purchase more attractive in one neat package.(or the best you can)
That letter is then something I would do.
Hey guy I am not starting a rumor here..just looking at the big picture..what is now happening in the Security field, the partnerships forming with others all over the world..and then who is going to be left behind.
I think it is a great time to sell..if you have anything of real value..and the subscription thing looks good on paper to any accountant..on the guy with the bucks. |
|
 vampirefo1Trojanhunter Rules join:2002-01-16 Huntington, WV | reply to Ryan Farmery
Re: TDS backdoor? I have had my say on the subject in several forums, I have been told to leave, called a thief, called a Moron, cause I misspelled vendor. And the sad thing is I was invited to help or provide suggestions, on how companies can fight piracy. I strongly disagree with TDS-3, method, he has designed a Trojan, that does nothing less than steal, TDS-3 is doing exactly what they want others not to do.
What else has or can TDS-3 do no one knows, We only know what the author wants us to know, On the forum I was attacked on, we all were on the same side, trying to fight piracy, but anyone that disagreed, with the method TDS-3 using is called a thief, and you better speak proper English, and use correct grammar, or you are a Moron, simply cause you won't let TDS-3 have their way with your pc.
His supporters, attacking me and others, don't help TDS-3 at all, it only shows, poor judgement, and will cause TDS-3 losses, if one can not have a difference of opinion, and one vendor's way is the only way, then not only is privacy lost but so is freedom, I fully support TrojanHunter, and I am posting his statement on the subject below.
Over the last few days I've received a relatively large amount of e-mail where people have asked if TrojanHunter transmits any personal data. I can understand the concern some people may have, especially with respect to recent developments, and have therefore decided to post the below text publicly to perhaps cut down on the number of people who have concerns about this.
No part of TrojanHunter collects or transmits any personal data whatsoever from the user's machine. In fact, TrojanHunter does not collect any data at all from machines it is installed on. The program was designed to search for and remove trojans, and that is what it does. It is not spyware, and this for several reasons:
(1) As an anti-trojan application, TrojanHunter should most certainly do its best to not behave like a trojan in any way, be it intentionally or unintentionally. It's just plain common sense.
(2) In my opinion, respecting the privacy of users always comes before any other agenda points, including fighting piracy. This means that TrojanHunter sacrifices any anti-piracy measures in favor of respecting the privacy of users.
I hope that this statement has clarified any questions concerning this matter in an unambiguous way. If you have any questions whatsoever, please don't hesitate to ask.
Regards,
Magnus -- NTFS is not Needed!!!!!!!! |
|
 MuddlyIt's a grey area. join:2001-07-16 Canada | reply to Ryan Farmery It's amazing how anybody could compare the actions of DCS to a trojan horse program. Trojans, by definition, masquerade as something they are not. The stated purpose of the program and the offered terms of use are a lie. DCS, on the other hand, is doing nothing more than enforcing the terms of use already agreed to by the user. No small distinction.
DCS doesn't offer the program for illegal use. They actively discourage illegal use. People are complaining that TDS isn't functioning the way they expect it to while they're using it illegally with a bogus key. That's a joke, not a privacy issue. |
|