I downloaded and installed Spysubtract ( http://www.intermute.com ) last night
and ran an in-depth scan on my system. I received the following notification:
" Cleaned libexpat.dll in c:\Program Files\TrustedQSL" . It listed this as a
browser hijacker in the TrustedQSL portion of the LOTW beta software I had
installed earlier. Is the ARRL loading our computers with spyware now?

Spammers - reply freely and often to my e-mail address
The rest of you - look me up on qrz.com - N1KI

What did ARRL say when you reported your finding?

Dick, AA5VU

In article , (Phil)
wrote:

I downloaded and installed Spysubtract ( http://www.intermute.com ) last
night
and ran an in-depth scan on my system. I received the following
notification:
" Cleaned libexpat.dll in c:\Program Files\TrustedQSL" . It listed this as
a
browser hijacker in the TrustedQSL portion of the LOTW beta software I had
installed earlier. Is the ARRL loading our computers with spyware now?

Spammers - reply freely and often to my e-mail address
The rest of you - look me up on qrz.com - N1KI

What did ARRL say when you reported your finding?

Dick, AA5VU

In article , (Phil)
wrote:

I downloaded and installed Spysubtract ( http://www.intermute.com ) last
night
and ran an in-depth scan on my system. I received the following
notification:
" Cleaned libexpat.dll in c:\Program Files\TrustedQSL" . It listed this as
a
browser hijacker in the TrustedQSL portion of the LOTW beta software I had
installed earlier. Is the ARRL loading our computers with spyware now?

Spammers - reply freely and often to my e-mail address
The rest of you - look me up on qrz.com - N1KI

On Wed, 03 Sep 2003 23:58:24 GMT, (Phil) wrote:

It listed this as a
browser hijacker in the TrustedQSL portion of the LOTW beta software I had
installed earlier. Is the ARRL loading our computers with spyware now?

Probably not. The ARRL is loading your computer with software that is
designed to communicate with other software via the internet.

Then again, maybe you should verify your checking account balance,
maybe LOTW is making automatic contributions to the ARRL's BPL
account in the middle of the night :-)

Any software that's on your computer that is allowed to play the ET
PHONE HOME game has the potential of being "spyware". The fact that
your ARRL logbook software has the function of contacting the ARRL's
computer is probably why it got tagged.

The clean it up software you installed is probably just looking for
anything that makes certain system calls, i.e., does things that have
the potential to be "bad".

Just because it got tagged doesn't mean it's doing anything bad. It
just means it has the potential to do things bad. If it is doing
anything bad, it wouldn't be the first time that "trusted" software
got caught.

Anytime you load any application that's capable of communicating over
the internet with other machines, you should be very sure it's NICE
software. Trouble is, that's very hard to be sure of unless you sit
and monitor packets going in and out of your box........

And then there's the bigger problem. Not only do you need to trust
the ARRL not to intentionally do anything bad, you need to trust
that their programmer is smart enuff so that he didn't build in some
more security holes on your box so that somebody else who is bad
can use your ARRL software to do bad things.

Personally, I would never install any (especially FREE) software that
claims to be a trojan finder - who knows more about how to make a good
trojan than the guys who write software to find them. Other than Bill
Gates that is.......

I think your best protection is a firewall. One that requires you to
give specific permission to each program that requires internet
access. That way NOBODY can phone home unless you let them.

Or the ultimate protection scheme. Eventually, we are going to all
need to have at least two computers. One named GARBAGE, which we hook
to the internet, and another with the mission critical important stuff
on it which is NOT hooked to the internet.

73, Jim KH2D

On Wed, 03 Sep 2003 23:58:24 GMT, (Phil) wrote:

It listed this as a
browser hijacker in the TrustedQSL portion of the LOTW beta software I had
installed earlier. Is the ARRL loading our computers with spyware now?

Probably not. The ARRL is loading your computer with software that is
designed to communicate with other software via the internet.

Then again, maybe you should verify your checking account balance,
maybe LOTW is making automatic contributions to the ARRL's BPL
account in the middle of the night :-)

Any software that's on your computer that is allowed to play the ET
PHONE HOME game has the potential of being "spyware". The fact that
your ARRL logbook software has the function of contacting the ARRL's
computer is probably why it got tagged.

The clean it up software you installed is probably just looking for
anything that makes certain system calls, i.e., does things that have
the potential to be "bad".

Just because it got tagged doesn't mean it's doing anything bad. It
just means it has the potential to do things bad. If it is doing
anything bad, it wouldn't be the first time that "trusted" software
got caught.

Anytime you load any application that's capable of communicating over
the internet with other machines, you should be very sure it's NICE
software. Trouble is, that's very hard to be sure of unless you sit
and monitor packets going in and out of your box........

And then there's the bigger problem. Not only do you need to trust
the ARRL not to intentionally do anything bad, you need to trust
that their programmer is smart enuff so that he didn't build in some
more security holes on your box so that somebody else who is bad
can use your ARRL software to do bad things.

Personally, I would never install any (especially FREE) software that
claims to be a trojan finder - who knows more about how to make a good
trojan than the guys who write software to find them. Other than Bill
Gates that is.......

I think your best protection is a firewall. One that requires you to
give specific permission to each program that requires internet
access. That way NOBODY can phone home unless you let them.

Or the ultimate protection scheme. Eventually, we are going to all
need to have at least two computers. One named GARBAGE, which we hook
to the internet, and another with the mission critical important stuff
on it which is NOT hooked to the internet.

73, Jim KH2D

On Wed, 03 Sep 2003 19:58:24 -0400, Phil wrote:
I downloaded and installed Spysubtract ( http://www.intermute.com ) last
night and ran an in-depth scan on my system. I received the following
notification: " Cleaned libexpat.dll in c:\Program Files\TrustedQSL" .
It listed this as a browser hijacker in the TrustedQSL portion of the
LOTW beta software I had installed earlier. Is the ARRL loading our
computers with spyware now?

The TrustedQSL software makes use of the "expat" library for parsing XML
documents (see: http://www.libexpat.org/). This library is used in a
number of software projects, and libexpat.dll is the Windows version of
the library. It is not spyware by the remotest stretch of the imagination.
Clearly, Spysubtract is confused.

73, Jon, KE3Z

On Wed, 03 Sep 2003 19:58:24 -0400, Phil wrote:
I downloaded and installed Spysubtract ( http://www.intermute.com ) last
night and ran an in-depth scan on my system. I received the following
notification: " Cleaned libexpat.dll in c:\Program Files\TrustedQSL" .
It listed this as a browser hijacker in the TrustedQSL portion of the
LOTW beta software I had installed earlier. Is the ARRL loading our
computers with spyware now?

The TrustedQSL software makes use of the "expat" library for parsing XML
documents (see: http://www.libexpat.org/). This library is used in a
number of software projects, and libexpat.dll is the Windows version of
the library. It is not spyware by the remotest stretch of the imagination.
Clearly, Spysubtract is confused.

73, Jon, KE3Z

To Phil N1KI and others,

Jon Bloom, KE3Z (lead for the ARRL's LoTW project) ask me to relay the
following note.

Dick, AA5VU

------ Forwarded Message
From: "Bloom, Jon, KE3Z"
Date: Thu, 4 Sep 2003 12:04:34 -0400
Subject: LOTW contains spyware? on rec.radio.amateur.dx

The TrustedQSL software makes use of the "expat" library for parsing XML
documents (see: http://www.libexpat.org/). This library is used in a number of software projects, and
libexpat.dll is the Windows version of the library. It is not spyware by
the remotest stretch of the imagination. Clearly, Spysubtract is
confused.

I'd appreciate your relaying this info to wherever you see the rumor
circulating.

73, Jon

----- End of Forwarded Message


In article , (Phil)
wrote:

I downloaded and installed Spysubtract ( http://www.intermute.com ) last
night and ran an in-depth scan on my system. I received the following
notification:
" Cleaned libexpat.dll in c:\Program Files\TrustedQSL" . It listed this as
a browser hijacker in the TrustedQSL portion of the LOTW beta software I had
installed earlier. Is the ARRL loading our computers with spyware now?

Spammers - reply freely and often to my e-mail address
The rest of you - look me up on qrz.com - N1KI

To Phil N1KI and others,

Jon Bloom, KE3Z (lead for the ARRL's LoTW project) ask me to relay the
following note.

Dick, AA5VU

------ Forwarded Message
From: "Bloom, Jon, KE3Z"
Date: Thu, 4 Sep 2003 12:04:34 -0400
Subject: LOTW contains spyware? on rec.radio.amateur.dx

The TrustedQSL software makes use of the "expat" library for parsing XML
documents (see: http://www.libexpat.org/). This library is used in a number of software projects, and
libexpat.dll is the Windows version of the library. It is not spyware by
the remotest stretch of the imagination. Clearly, Spysubtract is
confused.

I'd appreciate your relaying this info to wherever you see the rumor
circulating.

73, Jon

----- End of Forwarded Message


In article , (Phil)
wrote:

I downloaded and installed Spysubtract ( http://www.intermute.com ) last
night and ran an in-depth scan on my system. I received the following
notification:
" Cleaned libexpat.dll in c:\Program Files\TrustedQSL" . It listed this as
a browser hijacker in the TrustedQSL portion of the LOTW beta software I had
installed earlier. Is the ARRL loading our computers with spyware now?

Spammers - reply freely and often to my e-mail address
The rest of you - look me up on qrz.com - N1KI

On Thu, 04 Sep 2003 12:28:35 -0400, kh2d wrote:
On Wed, 03 Sep 2003 23:58:24 GMT, (Phil) wrote:

It listed this as a
browser hijacker in the TrustedQSL portion of the LOTW beta software I
had installed earlier. Is the ARRL loading our computers with spyware
now?

Probably not. The ARRL is loading your computer with software that is
designed to communicate with other software via the internet.

No, that's not how it works. The TrustedQSL software simply prepares files
to be sent to LoTW. The sending is done by the user with an email program
or a Web browser file-upload. The TrustedQSL software has no ability to
communicate via the network at all.

Then again, maybe you should verify your checking account balance, maybe
LOTW is making automatic contributions to the ARRL's BPL account in the
middle of the night :-)

Any software that's on your computer that is allowed to play the ET
PHONE HOME game has the potential of being "spyware". The fact that your
ARRL logbook software has the function of contacting the ARRL's computer
is probably why it got tagged.

I don't know what caused the false positive. My guess -- and it's only a
guess -- is that libexpat.dll was also used in a product that *is*
spyware. Since libexpat.dll is freely available, that wouldn't be too
surprising.

The clean it up software you installed is probably just looking for
anything that makes certain system calls, i.e., does things that have
the potential to be "bad".

I can't imagine what system calls a text-parsing library might do that
anyone would consider potentially "bad."

Just because it got tagged doesn't mean it's doing anything bad. It just
means it has the potential to do things bad. If it is doing anything
bad, it wouldn't be the first time that "trusted" software got caught.

It's also worth noting that the spyware-detection software in question has
a "whitelist" capability so the user can tell it to skip a particular file
or files. Clearly, TrustedQSL isn't the only false positive they detect!

Anytime you load any application that's capable of communicating over
the internet with other machines, you should be very sure it's NICE
software. Trouble is, that's very hard to be sure of unless you sit and
monitor packets going in and out of your box........

And then there's the bigger problem. Not only do you need to trust the
ARRL not to intentionally do anything bad, you need to trust that their
programmer is smart enuff so that he didn't build in some more security
holes on your box so that somebody else who is bad can use your ARRL
software to do bad things.

True but moot since the TrustedQSL software is completely network unaware.

Personally, I would never install any (especially FREE) software that
claims to be a trojan finder - who knows more about how to make a good
trojan than the guys who write software to find them. Other than Bill
Gates that is.......

I think your best protection is a firewall. One that requires you to
give specific permission to each program that requires internet access.
That way NOBODY can phone home unless you let them.

That, plus using a mail client not known to be a virus magnet. (There was
an article in the local paper just today stating that and listing
alternative mail clients such as Eudora and Pegasus.)

Or the ultimate protection scheme. Eventually, we are going to all need
to have at least two computers. One named GARBAGE, which we hook to the
internet, and another with the mission critical important stuff on it
which is NOT hooked to the internet.

I leave my Linux box hooked to the 'Net all the time, with both an
external firewall and its internal one configured to expose only what
needs to be exposed. And my mail client just does text unless I explicitly
ask it to open something. And I do regular security updates of the system.
So far, so good.

Jon, KE3Z