Re: New Spyware

From: sponge (mtubi@python.net)
Date: 02/10/02 

From: mtubi@python.net (sponge)
Date: Sun, 10 Feb 2002 05:02:34 GMT

 First of all, you are quoting things from two different people. Get
it straight before replying. Now, I will reply below.

On Sat, 09 Feb 2002 06:37:41 GMT, "OneLouder"
<edayaxwellmay@exoboxway.omcay> wrote:

>Jesus Christ, you really are a piece of work.
>
>Let's count some of the many ways you've been wrong.
>
>1) "However, it is also apparently embedded into many wireless devices,and
>it's an open question as to whether they ask cell phone users their
>permission to be advertised to."
>
>WRONG - Infogate does not embed software in cellphones. It's not an open
>question. Users explicitly configure everything.
>
>2) "It is apparently a large company that has been putting out software and
>wireless targeted marketing for quite some time."
>
>WRONG - Infogate has fewer than 30 people, and has been offering support for
>wireless delivery of alerts for about 9 months. It has never delivered an
>ad to a wireless user. The company has been around longer (part of us used
>to be Pointcast), but I would hope that being in business for a while in
>this economic climate says that something is being done right, not a basis
>for suspicion.
>
>3) "Of course, targeted marketing also requires fairly detailed information
>on each specific
>user, in order to do the same thing: provide customized information
>delivery, in the form of ads"
>
>WRONG - Infogate does not deliver ads based on personalization, but based on
>the content they're viewing - just like virtually every commercial web site.
>When somebody uses the product to look at their stock portfolio, we show
>banner ads relating to finance. Duh. You later say: "If Infogate does not
>do this, then it wouldn't even qualify as adware". So we're not adware by
>your own admission. All the rest of your diatribe is pure unadulterated
>speculation on your part.

 Gee, if so, then your company is way behind what the bottom-feeders
are claiming!
 In fact, you're site touts it's lovely-sounding "Infograbber
techonology". What is this? If it's simply matching ads to what a user
is looking at, as does "just like virtually every commercial web
site", then either your marketing practice is overhyped and dubious at
best, or your company does engage in utilizing more detailed
information. Which is it?
 As to the Adware/Spyware/Nowhere question, I was weighing points that
may point us in a particular conclusion. (By the way, I doubt we are
the only two people who are reading this discussion, so clarification
to the group is in order.)
 The fact is, your software and service could easily be spyware: you
require some level of registration, you require a client (and allow
use of other personal services like cell phones, etc.) and you site
heavily hypes itself with language such as "Extreme Targeting" and
"Find-Me-Follow-Me technology." You and your privacy policy claim that
your take measures to protect people's privacy. So this is where we're
at: your company has every tool, technique, and promotional technique
typical of spyware manufactuerers (which is why I initially considered
it such), but we are supposed to take your word that you don't use
this information or these tools against us, despite the fact that you
operate in an industry renowned for stealing people's privacy
information for profit, and using the most underhanded techniques
available for doing so. Re-read the end of my last post.
 I'm trying to give your company the benefit of the doubt, but it's
really hard to, in the face of all this evidence to the contrary. And,
ad hominem attacks make that even more difficult.

>4) (Regarding "underhanded affiliates") "That's putting words in my mouth
>that I've never said nor hinted upon".
>
>WRONG - your words: "...because Infogate should be more responsible than to
>affiliate itself with underhanded partners" That's at least a hint.
>Besides, who elected you to make that determination? Later you say: "In
>other words, even if Infogate is on the up-and-up, if it's affiliates are
>less-than-honest about how it's used, it can still be fairly categorized as
>spyware." This is classic "guilt-by-association", with the extra rub that
>there's not even any association.

 A lie. Here is the exact quotation from my previous post. I even
EXPLICITLY STATED THAT I WAS NOT ACCUSING INFOGATE OF THE SITUATION I
WAS DESCRIBING. It could not be any more clear than this.

   " AS LONG AS [emphasis added] Infogate is purely opt-in, it isn't
     much of a problem. But, IF Infogate does what it claims to do on
     it's website either WITHOUT user's explicit permission, or IF
     their affiliates or partners use Infogate without explicitly
     telling the user and giving them the chance to opt-out, then it
     IS spyware, because Infogate should be more responsible than to
     affiliate itself with underhanded partners. I am not accusing
     Infogate of this, only stating the case. In other words, even if
     Infogate is on the up-and-up, if it's affiliates are less-
     than-honest about how it's used, it can still be fairly
     categorized as spyware.

 Oh, and there is association. It's right on your own website, which
hawks it's "effective" EXTENDED TARGETING" marketing!***

>5) "Unfortunately, Infogate's chosen method of business -- "targeted
>marketing" and direct advertising -- gives one every right in the world to
>be suspicious."
>
>WRONG - Our business is information delivery. We just use banner ads, like
>virtually every commercial website, to help defray our costs. We do know
>some things about our users in aggregate - for instance most of them use our
>product to track stocks, and we expose that overall demographic to potential
>advertisers. Anyone interested in appealing to those people consider us a
>better place to advertise than, say, "amateurnetcops.com". That's the
>extent of targeting. TV works the same way - you don't see many tampon ads
>on ESPN, and you see few WWF ads on Lifetime.

 This is what I intend to ascertain. Using non-personal, aggregate
information is fine. But there are a lot of thing on your site that
could and would easily lead one to believe is more specific than this.

>6) "Or, how Transponder -- the trojan that looks for keywords in ever form
>you fill out online -- swears that they protect your privacy... Or, how
>eToys tried to turn around and sell it's customer list when it filed for
>bankruptcy... Or how Comet Cursor claims to respect your privacy but resorts
>to infecting your machine in order to get you to use it, using methods
>traditionally used strictly by viruses and worms? I can easily give a dozen
>more examples."
>
>Bully for you. So, any company that has the potential of going out of
>business, and has customer information, should be blacklisted? So why us
>and not your bank? Your list should pre-emptively contain *everybody*!!!
>Not that it has anything to do with Infogate, but do you have factual reason
>to believe that Transponder or Comet have violated their privacy polices, or
>are you just paranoid that they MIGHT?

 Companies which have the potential to violate your privacy in such as
way, yes, do deserve to be blacklisted. Whether details of people's
lives and financial status are sold when the company is in business or
when the company is out of business makes no difference; that private
information has still been released to others, in spite of the
promises made by the company, and the trust emplaced in the company
has been broken.

>7) (Regarding session/affiliate ID in URL) "It's actually not that big of a
>deal, but small things like this reveal a lot about the mindset of the those
>behind them."
>
>WRONG - Well, I dispelled this myth in a earlier posting. Examine your own
>mindset, dude - you're the one you sees goblins where there aren't any.

 Yes, it does, that they have zero respect for people's privacy and
security. Why use a measure that is can (and, in most cases, is
specifically designed) to defeat some common security measures, like
cookie blocking. Also, you claimed that Infogate uses keeps track of
where the user was referred from by the "camp" item in the URL. Why
not simply use referrer URLs (just as, as you like to point out, 'most
commercial websites do'. But, ah! Blocking referrer URLs is another
common security-protection feature, provided in most web-filtering
agents and even some browsers like Netscape.
 Dude? I like that sig line someone has about self-righteous
sixteen-year-olds...

>8) "There comes a point when you learn that what a company claims if
>virtually worthless unless they can provide proof otherwise."
>
>You know, I don't think any proof will work for you - you keep setting up
>new strawmen. I tell you things, the website tells you things, and you
>arbitrarily question them with NO evidence to the contrary except your
>fabrications. Must be tough to be so right all the time, with a sense of
>justice beyond that of accepted Western legal traditions. The burden must
>weigh heavy.

 Perhaps it's the fact that the choice of words used by your company,
the aggressive nature of the way it promotes it's products and
services there, and the ethically-questionable use of URLs, tend to
refute your claims and those of your company. Combined with the fact
that your company's registration requirement and it's use of client
software is typical of spyware companies, it's even harder to believe
otherwise.
 In other words, if it walks like a duck, and quacks like a duck, it's
a duck. Which is really the point of thise whole debate, anyway. And
the only evidence to the contrary is a handful of claims by a
never-before-seen poster to a newsgroup. Hmm, which are we to
believe...?
 I am trying hard to treat your company with fairness. I am still
researching the issue, but your defensiveness and the quickness with
which you have become hostile only damage your case further.

>9) "But what's left unanswered is whether or not other parties can or do.
>Infogate pitches its ability to deliver customized, personalized information
>to wireless devices. How exactly is this done?"
>
>I've told you at least twice *exactly* how this is done. Through SMS
>gateways. Everything related to it is opt-in. Jesus. Buy a vowel.

 Yeah, SMS really means a lot! What is SMS????? Your codewords mean
nothing. You only answered part of my question. Your service talks to
the client. Fine. Your service can send an email to q user who
requests your service, fine. ***How does it talk to a cell
phone??????????????*** (Oh, and again, let me repeat that I am not
well-versed in web-cell technology, so it would be nice if you told
me. You don't have to divulge any company secrets, just explain
basically how data from Infogate makes it's way into a cell phone.
Other than email or using a custom Infogate client, I cannot figure
out how this would work.

>10) "The web-based version of Infogate uses a piece of installed software,
>in the form of a toolbar,
>from what I've seen."
>
>WRONG - the website does not require the toolbar. It's simply a website.
>The toolbar is a more convenient way to view the content, that's all. We
>prefer you use it, because that's what make us different from other
>informational websites, and we can offer other services like the alerts. I
>think I'm beginning to get the picture: it seems any installed downloadable
>software that connects to the web is spyware. Gotcha. Jesus.

 The website seems to be mainly a promotional tool for your company,
just as most are. I am not overly concerned about the website.
 And, if the downloadable software exhibits certain properties or the
service readily has the capability to associate personal identity
(such as registration info) with data collected by the program, yes,
it's spyware! Please, learn what the group is about before posting!

>11) "But do providers like AT&T and Sprint offer or recommend Infogate? Can
>they harvest the information collected by or passing through Infogate for
>their own use?"
>
>As I said before, Infogate has no relationship with carriers. As to whether
>the carriers can/do monitor SMS traffic, I suggest you ask them. Oh right!
>Sorry, I meant just add them to your spyware list.

 I asked if you were careful and RESPONSIBLE as to who you elect to do
business with. I guess we have our answer. No.

>12) (regarding software embedded in the phone) "It's based on references on
>Infogate's webpage concerning it's ability to work with "wireless devices""
>
>WRONG - Nowhere in the release you cite does it say anything about software
>embedded in the phone. "Work WITH wireless devices" does not imply "works
>IN wireless devices". You made it up, then manufactured a plethora of
>subsequent "problems" with it.

 Instead of giving me and the group a straight answer, you tip-toe
around it by throwing out lovely-sounding, meaningless phrases like
"SMS." Your company's evasiveness only hurts it's (so far) feeble
attempts to clarify the issue.
  Why do you assume I know what SMS is? You could also say in an
advertisement "Usenet works WITH my news reader." But the fact is that
I NEED my newsreader or some other kind of client in order to READ
NEWSGROUPS! In the absence of a real explanation, what the am I
supposed to think?
 If you had simply explained how information gets from WEBSITE to CELL
PHONE without elusive catch-phrases, this point would have been
settled.
 And, of course, I've also asked questions and pointed out possible
weakness and asked how they're addressed. Beyond touching on using
encryption for some things, you have not answered this. Apparently you
don't have an answer for these weaknesses in your system. If you knew
anything about Internet Security, or security in general, a huge part
of it is analyzing weaknesses and potential faults, because that's
where attacks and exploits will come from. Security is a major part of
what this group is about.

>13) "So A relies on B. But, isn't it reasonable to say that B also relies on
>A"
>
>Take a class in formal logic. "Socrates relies on air, therefore air relies
>on Socrates". Hmmmm.

 Do you even know what industry you are in? Re-read my post. You are
in a position to collect detailed information on individuals. In fact,
your service needs to know what the user is interested in in order to
deliver it's service. At the same time, you also offer "Infograbber
Technology" as a part of your "Extended Targeting" service
advertisements. Well, that's how the rest of the industry works. An
irrelevant metaphor does not change this.
 (Oh, by the way, If Socrates doesn't exhale carbon dioxide, how are
plants going to produce oxygen to make more air... Sorry, but I
couldn't resist throwing a monkey wrench into your little game! ;-) )

>14) "You said that there's no client running on the cell phone, so how else
>would Infogate deliver its information? I am not up-to-speed on web-cell
>technology, so that would be a worthwhile clarification"
>
>Ain't THAT the fucking truth. You apparently don't have a clue about mobile
>devices so you make *** up. And we get blacklisted because of it.

 You've been evasive about this from the beginning. And you refuse to
educate me or anyone else, instead preferring some pat answers and ad
hominem attacks. Your defensiveness indicates that I've getting pretty
warm.

>Get a pencil and write down this special sooper-sekrit URL that contains
>information that only the special wireless spyware companies have access to:
>http://www.google.com. Type the magic phrase "SMS" and behold! The magic
>cablistic truth will be revealed! Shhhhh! Don't tell anyone.

 Ok, I did. Found a decent site called www.text.it. So, it's a cell
standard to transmit text messages. Why didn't you say that upfront?
We're on an INTERNET newsgroup, and, as you might have seen, many of
us are very familiar with Internet technology. That doesn't mean we're
also familiar with cell phone technology.

>15) "To some degree, as long as Infogate is engaged in "targeted", direct
>marketing, it will be judged by the company it keeps.[*snip*] Perhaps
>Infogates' best strategy would be to distance itself from the sleaze
>infesting the industry."
>
>What the *** are you talking about? You're the only one making the
>associations. Exactly what do you suggest we do to calm down paranoiacs
>such as yourself? We don't do any business with any of these people, we
>don't do any of the things they do. There is no club we can resign from.
>What more do you fucking want? We documented our policies and you don't
>believe them. Do we need a special "Sponge Official Junior Kop Klub Seal of
>Approval" so we can continue to do business?

 Your industry is the one fucking itself. With it's sleazy tactics,
buying and selling of all sorts of information, literally stealing it
off computers and out of web connections. Some members of your
industry even resort of literally INFECTING systems who just happen to
be browsing websites. And, most say to your face that they "respect
your privacy" all while fucking you. Gee, what do you expect?
 And, on top of that, your own company hawks its products and services
with an aggressiveness and a keen choice of words that would make the
dead scared shitless. "Find-Me-Follow-Me technology"? "Extended
Targeting"? " Infograbber technology"? Yeah, that's a real fucking
good way to reassure people! You folks are brilliant!

>*** it. Enough of this. I could go on for hours disputing your unwarranted
>allegations, suspicions, and insinuations.
>
>In the late 1950's various self-appointed people would compile lists of
>alleged Communists and make anonymous phone calls to employers and potential
>employers, or supply lists to "warn" them. Typically, people ended up on
>these lists based on the flimsiest pretexts - alleged "associations" with
>other people on the list, the vast majority of them equally innocent. It
>was devilishly difficult to get off these lists, even if you somehow found
>out you were on one - claims of innocence got you even more attention, for
>daring to defy the righteous blacklisters. Only troublemakers with
>something to hide question blacklisters. Maybe you'd get promises of "we'll
>look into it", but the lists continued to grow. The anonymity protected the
>blacklister, and there was no accountability. Eventually it got to the point
>that Sen. Joseph McCarthy called then 10-year-old Shirley Temple to testify
>to the House Un-Amercican Activities Committee (HUAC) about Communist
>influences in Hollywood, and even accused the US Army of being a Communist
>organization. The whole thing began to unravel not too long after that.

 Nice non-sequitur. Well, if you really want to play that game, the
direct marketing/targeted advertising industry has an extensive
history of underhanded, unethical, abusive, reckless, malicious,
possibly criminal behavior. So, following your irrelevant off-base
argument, perhaps we should not generalize that child molesters are
underhanded, unethical, abusive, reckless, malicious, and even
criminal because, maybe, somehwere, there are some "good ones" among
the 99% are bad...? That's really what you're arguing.

>Look in the mirror, bucko. However you started, and whatever your intent,
>you've become an anonymous vigilante blacklister, who shoots first, and
>_maybe_ asks questions later. You seem to be intent on keeping the Infogate
>product on one of your lists. If I hadn't spotted it, there's little doubt
>we'd still be on the spyware list - and in fact we're probably still on some
>blacklist of some of your "customers" who haven't updated or aren't
>following this discussion. Look at this thread - there's no presumption of
>innocence, and you call into question virtually everything you read. You

 If it looks like a snake and slithers like a snake, it's a snake!
That's what this whole thing boils down to. I've been exceedingly
open-minded, trying to give you guys the benefit of the doubt and
asking you to clarify some things for me. And, instead of clarifying
them, you simply attack like a schemer caught in a lie.
 Learn something about life: sometimes you have to call 'em as you see
'em.
 To some extent, what you say is true; there's no presumption of
innocence, because your industry has backstabbed consumers and the
public every step of the way. Do you really think you're the "victim"
when your industry is the one preying on innocent people, taking
advantage of them? And your own company has the means, uses most of
the same methods, and has all the tools available to do what the rest
of the bottom-feeders are doing. On top of everything else, your
company's lovely choice of words fuel suspicion like pouring gas on a
fire. Hmm, and we are supposed to BELIEVE you, when you provide sparse
information and absolutely no way of verifying it?
 Oh course, chiciness and gall seems to be the M.O. of your industry.
After all, your industry thinks it has the "right" to steal data right
off people's computers, to infect their browsers, to spam kids with
porn ads...need I go on?
 And I haven't even asked you for verification. I'm going it alone,
verifying some things based on packet sniffing, and perhaps signing up
under a pen name and a different email address so as to see if you
really are misusing personal information. Yeah, you could settle all
this if I could actually see what's going on inside your servers and
find out whether or not your programs and your service back-associates
information with a person's name or other personally-identfiable
information. Care to allow me access to them? Didn't think so.

>create "facts" that have no basis, you create fictions about things you
>admit you're ignorant about. You've never contacted the company to simply
>ask, and your methods of "research" are not documented but seem to involve
>simple packetsniffing and registry sleuthing. There is no standard of
>proof, there is no notification, there is no appeal. We're guilty until
>proven innocent, and probably even then.

 WRONG! Evidence is a big part of my business, internet security. It
involves a little bit more than packet sniffing and procedure
intercepts, but the fact is, your company exhibits EVERY SIGN of being
a spyware company, and appears to USE TECHNIQUES typical of them. And
boasts about its services. Then, you come along out of nowhere to
provide a handful of limpwristed explanations. Some are reassuring,
some are completely elusive.
 And, I haven't even asked you for any kind of verification! That's
what the network stuff is for, but that's limited. Basically, I'm to
take the word of an anonymous poster who shows up in the newsgroup one
day that every shred of evidence that I see, all of which paints a
picture of a typical spyware company, is somehow wrong. Sorry, bub, I
believe the evidence I see, the evidence on your own website, not you.

>Go ahead, try and honestly tell me I'm wrong about anything in that last
>paragraph.
>
>Unlike you, I've disclosed my identity, and have given out contact info in
>the form of a valid email address. Any idiot can look up the phone number
>of the company and talk to someone directly. I've taken the time to supply

 Talk to the company...so I can be lied to? What are you going to say,
"Oh, yeah, doesn't listen to that privacy policy...we really do
collect your personal information. We just say that privacy stuff so
you'll use our service."
 Again, remember Amazon.com, Comet Cursor, RealNetworks, and
others...?

>information that rebuts virtually every rational allegation you've made to
>the point of absurdity. I'm standing in the light, and I've taken the
>gamble that I might be harassed by people who think I shouldn't defy your
>righteous judgement.

 Hypocrisy. If you're so honest, if you're so unafraid of the
nefarious tricks of your own industry, then why do you munge your
email address?
 You stand as the representative a business. You're point being? I
would be more willing to use my real email and possibly my name if I
didn't have to worry about the bottom-feeders and the spammers. like
the ones infesting your industry. Oh, and by the way, spam is
generally considered part of the direct marketing industry, if by some
to be an unwelcome part of it. However, I see EVEN YOU are concerned
enough as to Mask-ay your Email-ay. Hmmm...

>Let me help you prepare your rationalizations, since a long documented
>history of blacklisters who have have the light turned on them. This is
>what they inevitably say:

(sarcasm mode: on)
 No, I'm just asking people to add five zillion rules to their
firewalls for shits and giggles. I just spent hundreds of hours
researching this because securing servers and stopping
Denial-ofService attacks isn't a high priority...brilliant, my friend,
real smart. (sarcasm mode: off)

>1) Well, the list is only a suggestion, you know, for guidance; people don't
>have to use it.

 Yes. I'm not planning on secretly installing it in the browsers of
anybody who happens to visit my webpage. That's the trademark of
spyware makers and direct marketers.

>2) Well, it's for the greater good of the children/country/Internet.

 To some degree. Some people don't know they're being exploited.
That's why we have consumer protection laws. That's why we have a
Constitution - to protect people from harm and exploitation. From the
likes of the targeted-marketing industry.

>3) *Somebody* has to do *something*, and I elect myself.

 Who else is going to do it? Some puppets elected by the DMA?
 Security is my job, one I've been doing for a number of years.
Grabbing people's information without their knowledge or permission,
whether individually or in aggregate, is yours. Obviously, you're
trying to protect your interests as I am trying to protect mine.
 Then again, I suppose your industry would prefer we all lie around
like spineless jellyfish, ready to be gobbled up by your predators...

>4) If a few innocents get caught up in the net, well, that's the price we
>have to pay to rid ourselves of the evil people.

 Clean up your industry. Then we'll talk. Your industry has the
ability to do a great amount of harm by gathering information on
people against their will and/or without their knowledge. And, I've
tried to give you the benefit of the doubt, but the evidence is
overwhelming and your attacks highly counterproductive.

>Every one of these statements was made recently in defense of censorware. If
>you find yourself thinking any of these, then you'd be kin to Joe McCarthy,
>Roy Cohn and Samuel Parris. Watch the Twilight Zone episode called "Four
>O'Clock" - you might pick up some helpful tips. Hint: buy some small
>furniture.

 Once again, you're non-sequitur shows that you continue to evade the
true issues here. But, again, I'll play your little game for a moment:
 I see where this is going: you're going to hide behind the First
Amendment -- the same way child molesters, kiddie porno makers, folks
who publish bomb-making instructions, spammers, and so on, do? You've
done such a lovely job, what with child molesters being able to get
three squares a day and a roof over their heads while guys who fought
to protect our country get the priviledge of sleeping under a
newspaper on a bench...
 It's also nice that your friends, the spammers, (who are also
considered direct-marketers), feel it's their First Amendment right to
send kiddie porn emails to your 9-year-old, or how they post their
lovely ads for fake credentials, and then hide behind the First
Amendment as well. By your logic, it would be so wrong for us to
"censor" their right to sell fake IDs to every kook, nut and terrorist
out there, wouldn't it?
 But, enough with your game. I don't recall even the First Amendment
permitting one the right to steal or to vandalize people's property,
as your industry so generously does. Your industry is so irresponsible
and reckless, it invites controls.
 (oh, hey, I could also say it's my "First Amendment right" to call
your crap spyware, and that you are simply trying to censor me...)
Touche.

>So here's the REAL test, sponge - I've pretty thoroughly demonstrated that
>you have no real (ie non-imaginary) basis to keep the Infogate product on
>*any* of your lists - spyware, adware, whatever. So - are you going to do
>the right thing, or are you going to carry on the hoary tradition of the
>blacklister and keep us on despite the truth?

 Actually, I already downgraded Infogate to Adware, which it is by any
definition anyway, since it does nag you with ads. Adware is not a
condemning definition, because it causes no real harm, other than the
annoyance of ads and maybe a loss of a tiny bitty fraction of
bandwidth. And, by your own admission, it serves ads based on what you
are looking at. But I'll check it out. If I find the client sending
back a unique identifier which could be used to back-associate user
data against registration data, then I may put it back on the full
spyware list, unless you can show that you don't associate any GUID
with registration information.
 More than any other reason, the reason why I am doing that is that I
hope I haven't been hasty and that Infogate is the shining star of an
industry pervaded by bottom-feeders. We'll see if you live up to your
claims.

>I think I already know the answer. Surprise me.

 Your turn to surprise me. Let me find out you're not gathering
personal information, or that you're preventing the association of
registration information with data collected. Let me peek inside your
servers. If you don't want me logging in remote, accept my offer and
if I'm ever out in San Diego I'll take you up on it.
 Let's see you back up your claims.
 Oh, by the way, if your product is not spyware, why are you
monitoring a spyware group?

>-- Duane
>
>P.S. Have a nice day.

 Toodles. Kiss the wife for me.