I also sent an email to Adam Solomon, posted here with his response (first).


Hi Suzi,

Thanks for contacting me about this issue. I can understand why this would
anger you, and I'd like to assure you that this is not how our software
should install.

If possible, could you walk me through where you went and what you
experienced, so that I can better understand what happened?

I have some thoughts as to what might have happened, but it would be helpful
to get some more facts first. In addition, although it seems like you had a
bad installation experience, the Comet Cursor software itself is certainly
not "spyware". Please see our plain English privacy policy for more info on
our product: http://www.cometsystems.com/privacy.

We take great pride in our software products and user experience and would
like to make sure that all user problems and concerns are addressed.

Thanks in advance,

Adam

P.S. - If it's easier, please call me at my work number below and we can
walk through your issues.

Adam C. Solomon
Vice President of Business Development & Legal Affairs
Comet Systems, Inc., www.cometsystems.com
143 Varick Street, New York, NY 10013
asolomon@cometsystems.com

Note: This is public information; I did remove the phone and fax number.


-----Original Message-----
Sent: Monday, June 24, 2002 3:06 PM
To: asolomon@cometsystems.com
Subject: website cursors

Mr. Solomon,

I would like to know this:  WHY when I visited a friend's website who had
comet cursor on her site it managed to download itself onto my computer
without any warning or asking me if I wanted it????????

Your company is already under fire for spyware concerns.  I am very angry
that this happened.  I have notified my friend and she immediately removed
your curse from her website.

Hopefully there will be legislation enacted soon that will prevent this kind
of deception and invasion of privacy and personal property.  In the meantime
I am posting what happened on every computing and security message board
that I can find in the Internet.

Yours truly,

Suzi


Here is where it gets really interesting:  

hi suzi

thanks for that detailed response. I believe that you're sincerely
interested in working out what happened and I appreciate the time you're
putting into this. I reiterate my willingness to talk on the phone since
I have an old fashioned preference for human interaction, rather than
the cold medium of emailing. if you're concerned about giving out your phone
number, I can paypal you $10 to cover your costs and you can call me (212)
231-2000. I'm around tomorrow all day if you'd like to chat.

I forwarded your email with technical details to one of our technical guys
as you requested and got a detailed response below. if you prefer not to get
into technical details to this degree I can talk to you more broadly about
what's going on and address your concerns about our practices in general.
for now I'll send you what he sent me, explaining how our software gets
installed:

"Here's how it works: a site which is interested in using cursors can
contact us directly or visit our cometzone.com site where they select from a
large set of cursors. Once they select the cursor they want the cometzone
site generates a small chunk of html and javascript which they cut and paste
into the HTML of their page. That is typically all that they do. I assume
that is what Suzi's penpal did.

When someone visits the page their browser loads and executes this
javascript. First it determines what version of browser the user has. There
is a fair amount of code for dealing with Netscape browsers, but I'll focus
on the IE stuff for now. For IE this javascript writes into the page an
<object> tag, which is the way IE supports plugins. Basically, this object
tag tells the browser that the page wants to utilize a plugin. Every plugin
that can be used in IE must have a unique "Class ID" which is different from
the class ID of all other plugins. For example, our class ID is different
than that for the Flash plugin or Real's plugin.

When the browser sees this <object> tag it first checks to see if the Class
ID has already been registered on the computer by searching for it in the
registry. If it finds the Class ID it knows that the plugin has already been
installed. If it does not find the Class ID it knows that it will need to
download the plugin before it can be used.

In accordance with Microsoft's specification we package our plugin in a
special way that is supposed to make the installation more efficient and
more secure. The files which comprise our software are packaged together in
a ".cab" ("cabinet") file. A cab file is sort of like a .zip file in that it
can contain many compressed files within it. The .cab is also digitally
"signed" by us, again in accordance with the rules laid out by Microsoft.
The signed cab file contains a digital authentication certificate inside of
it which does two things. First, it guarantees that the contents of the cab
have not been modified since being signed. Secondly it creates an unforgeable
trail directly back to the entity or company which signed the file. What
this means is that if anybody tried to modify even a single bit of data
inside the cab file the authentication test would fail (the browser would
determine that the digital signature had been forged and report this to the
user). Anybody who wants to digitally sign files has to go through an
approval process with an "authenticating body" (we use Verisign, the world's
largest). This process involves proving that we are a real and legitimate
business and can be held accountable for anything bad which our signed code
might do. For example, if our code was malicious and tried to steal
information or damage computers there would be no way for us to deny that we
wrote the code with our signature on it.

At this point the browser has just determined that the page is calling for a
plugin and that this plugin is not already installed on the machine. If the
browser's security setting is set to anything but "High" the browser will
download the cab file from our server. Once it gets the cab file it extracts
the digital signature and compares it to the binary contents of the
remainder of the cab.

If the browser's security is set to "Medium" the browser should then display
an  "Authenticode" dialog similar to the screen shot at
http://www.cometsystems.com/images/securitywarning.gif. Only upon the user
clicking "Yes" to that dialog box should the browser even begin to unpack
the cab, decompress the contents, copy the files to the appropriate
directories, register the code and load it. It's important to note that not
a single byte of Comet executable code is supposed to be executed before the
user clicks Yes. Think of the Comet code as sitting in quarantine,
compressed in a cab file, until the user says Yes, at which point we are
allowed to start executing.

If the browser's security setting is set to "Medium-Low" then any signed cab
file will be automatically installed without the user ever seeing an
Authenticode dialog box.

If the browser's security setting is set to "Low" then even *unsigned* cab
files will be automatically installed without any user intervention.

I'm using the terms "javascript" and "executable" here and an explanation
might be in order. Javascript is a language, initially developed by
Netscape, which would allow web pages to be more dynamic and intelligent.
It's a programming language which can be embedded in web pages, but it was
understood early on that if this language had too many capabilities it could
be exploited by unscrupulous people for malicious purposes. For example, you
would not want to visit some web page which contained code on it which could
delete your C: drive. You also would not want a web page to look around on
your drives for financial or personal information. For these reasons the
people who designed javascript made sure that the language could not support
these types of actions. It's impossible to delete or even read a file from
javascript, for example. A great deal of work has gone into building a
system which allows the language to do some things, but not others.

An "executable" program, on the other hand, can have no limitations placed
on its power. Put another way, an executable program (also called "native
code") can do anything on a computer.

That is a somewhat lengthy explanation, but I wanted to be as precise as I
could. The whole process can be thought of as consisting of two steps: first
normal javascript is used to get the appropriate <object> tag on the page.
After the browser is satisfied that its security settings are satisfied it
allows the comet executable code to run."

<end of technical description -- back to jamie>

Check out this statement!!

suzi, I have to say that your last point about us being arrogant seems
unwarranted here in our brief exchange. (how many company founders do you
think would personally respond to a customer complaint within a few hours on
a sunday?) the reality is we listen to what our users say. we care about
their problems. and we do make changes based on their feedback and
suggestions. I believe you have a right to be upset about having gotten our
software without wanting it. I just think it's unfair that you jump to the
conclusion that we're a sinister company and that we wanted this to happen to
you.

best wishes,

jamie
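
The technical description above turns on how the browser's Internet-zone setting treats signed and unsigned control downloads. As an added example (not part of the original emails or Comet's code), this Python sketch reads those two settings from the text of a registry export; the sample export is constructed, and the value names 1001/1004 with data 0/1/3 are Internet Explorer's stored URL-action settings, which the emails themselves do not mention.

```python
import re

# Internet Explorer URL-action values stored per security zone (zone 3 = Internet).
ACTIONS = {"1001": "signed ActiveX download", "1004": "unsigned ActiveX download"}
POLICY = {0: "allowed without prompt", 1: "prompt", 3: "blocked"}
ZONE_KEY = r"\Internet Settings\Zones\3]"

# Constructed sample: text of a `reg export` of the Internet zone key.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00010500
"1001"=dword:00000000
"1004"=dword:00000003
'''

def parse_zone(reg_text, key_suffix=ZONE_KEY):
    """Return {value_name: int} for dword values under the matching key."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.endswith(key_suffix)
            continue
        m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if in_key and m:
            values[m.group(1)] = int(m.group(2), 16)
    return values

def audit_zone(reg_text):
    """Map each ActiveX download action to its effect; list the unprompted ones."""
    values = parse_zone(reg_text)
    report = {}
    for action, label in ACTIONS.items():
        setting = values.get(action)
        if setting is None:
            report[label] = "not set in this key"
        else:
            report[label] = POLICY.get(setting, "unknown (0x%x)" % setting)
    risky = sorted(l for l, e in report.items() if e == "allowed without prompt")
    return report, risky

if __name__ == "__main__":
    report, risky = audit_zone(SAMPLE_REG)
    for label, effect in report.items():
        print(f"{label}: {effect}")
    print("installs without a dialog:", risky or "none")
```

Settings enforced by policy can live under a different hive than the per-user key sampled here, so export the key that actually applies to the machine.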

-----Original Message-----
Sent: Wednesday, June 26, 2002 2:25 AM
To: jamie@cometsystems.com
Cc: asolomon@cometsystems.com
Subject: looking over my shoulder



Hello Jamie,

In response to your message:

"Again, I understand your skepticism, especially with all the corruption and
venality that exists in corporate america today. But don't take my word for
it... I really am not trying to convince you of anything - all I'd like to
do is understand what happened on your computer for you to have gotten an
unsolicited installation. Is there a time I could "look over your shoulder"
(via the phone, of course) to understand just what happened?

Thanks,

Jamie"


This is a detailed account of what happened.  On Sunday the 23rd, while
surfing the web, I decided to check the website of an email penpal.  I have
been to her web pages before with no unusual occurrences.

When the page opened in my browser, within seconds I received an alert from
my firewall that " csi10.tmp "  quotes mine, was asking to access the
internet.  Of course I said no.  IP that it was trying to go to was
198.65.220.237:80.  When I looked up this IP with a whois query I saw that
it is:  (copied and pasted)

Verio, Inc. (NET-VRIO-198-063)
   8005 South Chester Street
   Englewood,, CO 80112
   US

   Netname: VRIO-198-063
   Netblock: 198.63.0.0 - 198.66.255.255
   Maintainer: VRIO

   Coordinator:
      Verio, Inc.  (VIA4-ORG-ARIN)  vipar@verio.net
      303.645.1900


My firewall listed this as " rd.yn.cometsystems "  quotes mine.

It also listed 198.65.220.244:80 on subsequent attempts to access the
internet.  It attempted a total of 7 times for those 2 IP's.

I also got a little pop up box that said something like "thank you for
downloading comet cursor.  The download was not successfully completed, do
you want to continue?"  to which I clicked no.
But the damage was already done.

I quickly closed the browser and ran AdAware, which found 10 (!) registry
entries and a file with csi.10.dll.  AdAware got rid of them.


As a test, I went back to the same web page to see if it would happen again.
It did the same sequence.  Only this time the file that was asking for
access was csi12.tmp.  It made several attempts to access both IP's as
before.

So, I closed the browser and ran AdAware again with the same findings.  10
registry entries and dll file.  Removed again.

Being curious by now, I again went to the web page.  Same thing except for
now it was csi3.tmp, then csi1A, then csi1B, then csi18 and csi22.  Each
time they were trying to access the same 2 IP's alternating between the 2.

In the three times I went to the web page, there were a total of 65 
attempts to access the internet to those 2 IP addresses.

Each time AdAware removed the same 10 registry entries and the dll file.

I am requesting that you have one of your web developers or programmers
contact me and explain how this could happen without there being *something*
in that html code that my friend used to place the comet cursors on her web
page that caused that chain of events.

If, and I doubt it, my browser settings were set to allow unsigned or unsafe
active x scripts, that still does not make it right for your company to
download this junk into people's computers.

If you went out of your home and forgot to lock and secure the entrances
properly, does that mean that it is ok for anyone to enter your home and
look around????  I think not!

Imagine for a moment how you would feel.  Invaded, angry, outraged,
threatened? This is also how people feel when their personal property, their
computer, is entered without their express permission.

Your statement in your first email to me:

"this is not just a problem vis a vis the comet cursor - you could
unwittingly download *any* web program without even knowing it."

does not even make sense because I surf to many many websites and nothing
like this happens.  I get cookies, but that is it.
The only other time I had something invade my computer was lop.com.  Its
scumware is even worse than yours but it is also less hidden. It is right
out front and the owner can see it immediately.

As I said, I would appreciate it if one of your programmers could explain to
me how this happened.

I assure you, you will be hearing from me again.  I am looking into how I
can take legal action. I am also having programmers review the source code
on my friend's web page and the html code on your website for inserting the
comet cursor into a web page.

I would suggest you reconsider your business tactics; from what I have read
in different articles and message boards, you and others in your company
arrogantly state that you do not intend to change.  It may be legal, albeit
unethical, now, but I believe in the not too distant future, practices like
yours will be illegal.  The sooner the better.  I am also writing to my
congresswomen and representative and the federal trade commission regarding
the issue of internet privacy (or lack of).

Yours truly,

 
Webmistress at Work
 
Email conversations with Comet Systems founder
page 2
NetRN.net