This is my last exchange: Sounds like she is getting worn down!

From: Jamie Rosen <jamie@cometsystems.com>
Subject: RE: looking over my shoulder
Date: Thu, 27 Jun 2002 12:34:54 -0400

hi suzi

I will try my best to answer your questions. see my interspersed answers
below, preceded by ">>". I have one request for you. could you please call
next time... I have trouble typing and would like to give my wrists a rest.

thanks,

jamie
212-231-2000                  

-----Original Message-----
Sent: Wednesday, June 26, 2002 4:45 PM
To: jamie@cometsystems.com
Cc: asolomon@cometsystems.com; admin@cometsystems.com
Subject: RE: looking over my shoulder


Thank you for the detailed explanation from your tech guy.  However
regarding these 2 paragraphs:


"If the browser's security is set to "Medium" the browser should then                             
display an "Authenticode" dialog similar to the screen shot at
http://www.cometsystems.com/images/securitywarning.gif. Only upon the user
clicking "Yes" to that dialog box should the browser even begin to unpack
the cab, decompress the contents, copy the files to the appropriate
directories, register the code and load it. It's important to note that not
a single byte of Comet executable code is supposed to be executed before the
user clicks Yes. Think of the Comet code as sitting in quarantine,
compressed in a cab file, until the user says Yes, at which point we are
allowed to start executing.
                                                          
If the browser's security setting is set to "Medium-Low" then any signed cab
file will be automatically installed without the user ever seeing an
Authenticode dialog box.

If the browser's security setting is set to "Low" then even *unsigned* cab
files will be automatically installed without any user intervention."


Jamie, you have still not answered my question of "what gives your company
the right to automatically install your software to my computer if the
browser setting is to medium-low to low security??"

As I asked you previously - if you left home one day and forgot to secure
your door properly, does that give someone the right to enter your home just
because you forgot to secure the door properly?  Not only that, but to carry
the analogy further, what if the person who entered your home without your
express permission looked around?  He/she might look to see what kind of
furniture you had in your home, what kind of food you had in your
refrigerator.  What if he/she looked into your closets to see what brand of
dresses or suits you wear, or what kind of shoes you wear, what kind of
perfume you wear?  And then on top of all that, he/she without your
knowledge or permission used your telephone in your home to contact friends
or business associates and tell them what was in your house?

>> there is a key distinction. we are not walking into an unlocked house
just because it is unlocked, which I agree would be wrong. think of it as
living in a building with a doorman and you go out and leave specific
instructions with your doorman: "if anyone with a package comes by for me,
please send him up and tell him to leave the package on the coffee table in
my living room."

>> the distinction is that the installation of web software (signed activex
controls in this case) is governed by the browser program (microsoft's
internet explorer), not by the maker of the web software. the comet cursor
is stuck inside a "cab" (or "cabinet") file until the browser says it's ok
to run and the browser needs the user's permission in order to send the
signal that it's ok to run. in the case of low security settings, the
browser has been told by the user, in effect: "pre-accept" all signed
activex controls. it is just as if you've left instructions with your
doorman to have your packages delivered into your apartment.


Would you be outraged?  Would you be angry?  Would you feel that your
privacy had been invaded?

I would like you to honestly answer that question.

The reason people are so down on your company, as well as other companies
that have similar practices, is that when your program downloads itself into
their computer, they feel disgusted, outraged, suspicious, angry, invaded
etc.  I do not know why you cannot understand that point.

Please tell me WHY you think it is ok for your company to do that???

>> you and I agree on this point. I know there's a shock if you come home
and see a package on your coffee table that you didn't expect. anyone would
understandably feel invaded and angry. regardless of *why* it happens (even
if it's because of a miscommunication with the doorman), I agree with you
that it's a bad thing when a package ends up on your coffee table without
your foreknowledge or consent. we didn't directly control the installation
process as we relied on the browser to do its job there. in the past few
weeks, however, we've taken steps to address this situation.

>> it makes sense to say: "take it up with your doorman... we just do what
he tells us and he told us to put it there...". that's what microsoft
dictates with its activex control protocol (that is, relying on the browser
to handle installation permissions). why microsoft even has a "low" security
setting in its browser is beyond us. (it is worth pointing out that if you
never change your security settings, they should remain at the default
level: medium).

>> but we appreciate that browser security settings can be confusing and
people may have them inadvertently set to a lower level than they "should".
rather than have people have to worry about browser settings at all, we've
taken them out of the picture with a recent change.

>> we added a secondary protective layer of instructions that says, in
effect: "if the doorman tells you to go upstairs and leave the package in
the person's apartment, don't believe him! don't do it. instead, wait
outside the person's apartment until they return and make sure they are OK
with this." in other words, we changed our installation process so the
question of security settings goes away.

>> specifically, the latest version of our software "sniffs" for
low-security settings and inserts a "backup" consent box to ask whether the
user is ok with installing the software. previously, we relied on
microsoft's standard protocol for activex installation, like all the other
companies that make activex controls. but we changed this because of
feedback from users. people were upset for the reasons you articulate so we
came up with a way to fix it. (incidentally, I don't know of any other
software company that has implemented a special mechanism like this to
safeguard against low-security installs of activex controls.) this will
address this problem going forward.


Another question:  Why should people have to be so vigilant about their
computer's security and browser settings?  What gives your company the RIGHT
to take advantage of the lower security?  Just like what right does it give
someone to enter your home without your permission
because you didn't lock it properly??

>> again, we agree. security settings are now out of the picture.

Also your tech guy did not address as to why the csi10.tmp and other similar
files were trying to access your company's IP address.  What information
from my computer was that file going to give you???

>> from what you were saying that the software was in the midst of
downloading. that's why you got a message saying "thank you for downloading
comet cursor. The download was not successfully completed, do you want to
continue?". no personal information gets sent to us from your computer. the
information that would have been sent in this case relates to the progress
and status of the installation process itself. this lets us know if, for
example, the installation failed in the middle for some reason.

Also - FYI this link:  
>http://www.cometsystems.com/images/securitywarning.gif
did not work when I clicked on it.

>> it works from my computer. perhaps the server was momentarily down. just
to be safe, I have attached to this email the graphic file that is posted on
that page.

>> hope that addresses your concerns - jamie

Yours truly,
Suzi
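
The exchange above turns on whether Internet Explorer prompts before installing an ActiveX control. As an added example (not part of the original emails or of Comet's software), this PowerShell sketch audits the per-zone registry settings that decide it, assuming the standard IE URL action IDs 1001 and 1004 and the values 0 (enable), 1 (prompt) and 3 (disable):

```powershell
# Added example: report, per security zone, whether ActiveX downloads are
# installed silently, prompted for, or blocked.
$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$actions   = @{ '1001' = 'Download signed ActiveX controls'
                '1004' = 'Download unsigned ActiveX controls' }
$meaning   = @{ 0 = 'Enable (no prompt)'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXDownloadPolicy {
    param(
        # Per-user settings. Pass the policy hive to audit enforced values:
        # HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
        [string]$Root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
    )
    foreach ($zone in ($zoneNames.Keys | Sort-Object)) {
        $key = Join-Path $Root ([string]$zone)
        if (-not (Test-Path $key)) { continue }      # zone not configured here
        $props = Get-ItemProperty -Path $key
        foreach ($id in ($actions.Keys | Sort-Object)) {
            $value = $props.$id                      # $null when the value is absent
            if ($null -eq $value) {
                $setting = 'Not set'
            } elseif ($meaning.ContainsKey([int]$value)) {
                $setting = $meaning[[int]$value]
            } else {
                $setting = "Unknown ($value)"
            }
            [pscustomobject]@{
                Zone          = $zoneNames[$zone]
                Action        = $actions[$id]
                Setting       = $setting
                # True is the case described in the emails: install without any dialog.
                SilentInstall = ($value -eq 0)
            }
        }
    }
}

Get-ActiveXDownloadPolicy | Format-Table -AutoSize
```

Any row with `SilentInstall` set to `True` for the Internet zone means controls install with no Authenticode dialog, which is the situation the emails argue about.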


>> specifically, the latest version of our software "sniffs" for
low-security settings and inserts a "backup" consent box to ask whether the
user is ok with installing the software. previously, we relied on
microsoft's standard protocol for activex installation, like all the other
companies that make activex controls. but we changed this because of
feedback from users. people were upset for the reasons you articulate so we
came up with a way to fix it. (incidentally, I don't know of any other
software company that has implemented a special mechanism like this to
safeguard against low-security installs of activex controls.) this will
address this problem going forward.

Can we believe this???                                                


 
Is Comet Cursor Spyware?
 
Email conversations with founder of Comet Systems
page 3
Webmistress At Work
NetRN.net