1 March 2000


Date: Wed, 01 Mar 2000 16:12:10 -0500
To: politech@vorlon.mit.edu
From: Declan McCullagh <declan@well.com>
Subject: FC: I-Gear blocking software blacklist cracked and available online



Date: Wed, 1 Mar 2000 15:05:04 -0600
From: bennett@peacefire.org
Subject: I-Gear list cracked; privacy violations and error rate

One week after our report on the decryption of X-Stop's blocked site list, Peacefire has released a program that can decrypt the list of 437,000 sites blocked by I-Gear, another "censorware" program now owned by Symantec.  The codebreaker program can be downloaded from:

http://peacefire.org/censorware/I-Gear/igdecode/

(This page also has instructions on how to obtain I-Gear's encrypted list without having to download and install I-Gear.)

We performed an experiment similar to our X-Stop test: we extracted student pages in the ".edu" domain that were blocked in the "Sex/Acts" category, looked at the first 50 URL's that were still working, and found that 76% of the blocked pages were obviously errors!  This sounds ridiculously high, but I saw the blocked pages myself, otherwise I wouldn't believe it.  The list of 50 examined sites is at:

http://peacefire.org/censorware/I-Gear/igear-blocked-edu.html

We also discovered that when you install I-Gear, it scans in your real name and company name from your computer and uploads this information to Symantec.  Not the "real name" that you give the program during the registration process -- your actual real name that you used to register your copy of Windows.  (This is the name that shows up on the "General" tab of the System applet in Control Panel.)  Symantec's privacy policy, on the other hand, states:

http://www.symantec.com/legal/privacy.html

"The choice of how much personally identifiable information you disclose to Symantec is completely at your discretion."

Again, we believe these discoveries will bear on the ongoing debate over the Digital Millennium Copyright Act, UCITA (the law strengthening the force of draconian "license agreements" that prohibit users from examining products by reverse engineering) and the DVD codebreaking court cases. Reverse engineering I-Gear and decrypting the list was the *only* way to obtain a reliable figure for the error rate of their product, rather than just coming up with a list of blocked sites.  Even the discovery that I-Gear retrieves and uploads your real name to the manufacturer, was discovered through reverse engineering.  If such reverse engineering becomes illegal, it will become very difficult for third parties to criticize software in general, other than the user interface and other aspects that are visible without "looking under the hood".

-Bennett

bennett@peacefire.org     http://www.peacefire.org
(425) 649 9024

--------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
To subscribe: send a message to majordomo@vorlon.mit.edu with this text:
subscribe politech
More information is at http://www.well.com/~declan/politech/
--------------------------------------------------------------------------