
[FYI] (Fwd) [RRE]I-Gear list cracked; privacy violations and error r




------- Forwarded message follows -------
From:           	<eugene.leitl@lrz.uni-muenchen.de>
To:             	<cryptography@c2.net>
Subject:        	[RRE]I-Gear list cracked; privacy violations and error rate
Date sent:      	Thu, 2 Mar 2000 17:04:35 -0800 (PST)


From: Phil Agre <pagre@alpha.oac.ucla.edu>

[See also <http://www.peacefire.org/censorware/X-Stop/xsdecode/>.
Reformatted to 70 columns.]

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message was forwarded through the Red Rock Eater News Service
(RRE). You are welcome to send the message along to others but please
do not use the "redirect" option.  For information about RRE,
including instructions for (un)subscribing, see
http://dlis.gseis.ucla.edu/people/pagre/rre.html
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Date: Wed, 1 Mar 2000 15:05:04 -0600
From: bennett@peacefire.org
Subject: I-Gear list cracked; privacy violations and error rate

One week after our report on the decryption of X-Stop's blocked site
list, Peacefire has released a program that can decrypt the list of
437,000 sites blocked by I-Gear, another "censorware" program now
owned by Symantec.  The codebreaker program can be downloaded from:

         http://peacefire.org/censorware/I-Gear/igdecode/

(This page also has instructions on how to obtain I-Gear's encrypted
list without having to download and install I-Gear.)

We performed an experiment similar to our X-Stop test: we extracted
student pages in the ".edu" domain that were blocked in the "Sex/Acts"
category, looked at the first 50 URLs that were still working, and
found that 76% of the blocked pages were obviously errors! This sounds
ridiculously high, but I saw the blocked pages myself, otherwise I
wouldn't believe it.  The list of 50 examined sites is at:

         http://peacefire.org/censorware/I-Gear/igear-blocked-edu.html

We also discovered that when you install I-Gear, it scans in your real
name and company name from your computer and uploads this information
to Symantec.  Not the "real name" that you give the program during the
registration process -- your actual real name that you used to
register your copy of Windows.  (This is the name that shows up on the
"General" tab of the System applet in Control Panel.)  Symantec's
privacy policy, on the other hand, states:

http://www.symantec.com/legal/privacy.html

         "The choice of how much personally identifiable information
         you disclose to Symantec is completely at your discretion."

Again, we believe these discoveries will bear on the ongoing
debate over the Digital Millennium Copyright Act, UCITA (the law
strengthening the force of draconian "license agreements" that
prohibit users from examining products by reverse engineering) and the
DVD codebreaking court cases.  Reverse engineering I-Gear and
decrypting the list was the *only* way to obtain a reliable figure for
the error rate of their product, rather than just coming up with a
list of blocked sites.  Even the discovery that I-Gear retrieves and
uploads your real name to the manufacturer was discovered through
reverse engineering.  If such reverse engineering becomes illegal, it
will become very difficult for third parties to criticize software in
general, other than the user interface and other aspects that are
visible without "looking under the hood".

         -Bennett

bennett@peacefire.org     http://www.peacefire.org
(425) 649 9024

------- End of forwarded message -------