Serious question about Roboform security

[Bob]

For everyone out there who's using Roboform...
What assurances do we have that the neat little tool we're using won't
someday - or maybe already has - send the contents of the passcards,
safenotes and identities back to it's maker? Everyone is under the belief
that it's not spyware - and as far as I can tell, it's not. But that's the
problem. It does periodically call in, and check for a new version.
When activating it, it accepts commands from them - invisibly to you - in
the same browser window that you are watching. I captured what it sends one
day, and it looks like a bunch of alphabet soup at the end of a url.
Anything could be in there - it does 3des - and we'd never know what it
contains. All this happens without any complaint from software firewalls
because it talks through IE or Netscape, of whatever other browser that you
use.
After all, you've allowed it to happen so you could use it. Just think, it
knows how to access your bank accounts, credit card accounts, mortgage, etc.
You may have also taught it how to fill in forms that want to know who you
are. Name, address, ssn, phone, birthdate, place 'o birth, drivers license
#.
This thing has shown that it has an effective mode of backchannel
communications. Text can be pretty effectively compressed. It wouldn't even
have to send it all at once. Little pieces here and there.
Any crypto experts out there that can shed some light on this, and what's in
the data it sends on the command line? I asked, and was told it was just to
ensure that it's requests make it the net.

 

[Bob Adkins]

For everyone out there who's using Roboform...
What assurances do we have that the neat little tool we're using won't

I hear you.

The only thing that is reassuring is that RoboForm is not Freeware, so
back-stabbing their customers would not be in their best interest. But
still...

Bob

 

[Ben Cooper]

For everyone out there who's using Roboform...
What assurances do we have that the neat little tool we're using won't
someday - or maybe already has - send the contents of the passcards,
safenotes and identities back to it's maker?

[snip]

Paranoia will destroy ya!
If Roboform was behaving badly, someone would have sniffed
it out by now.

 

[Jackson]

For everyone out there who's using Roboform...
What assurances do we have that the neat little tool we're using won't
someday - or maybe already has - send the contents of the passcards,
safenotes and identities back to it's maker?

While I use and trust Roboform, I would not even consider putting any
significant passwords or credit card numbers or ... on it or any other
software or (unless encrypted) on my harddisk. That is a risk with no
significant return. I let Roboform have a generic password and my
e-mail address, but then even you (all) have access to that address.
It's not a disaster if someone learns that sort of thing.

 

[Werner]

Frankly, I have had the same concerns. But then, I trusted Gator for the
longest time till I got tired of the popups..

Roboform is NOT freeeware??

 

[Bob Adkins]

Frankly, I have had the same concerns. But then, I trusted Gator for the
longest time till I got tired of the popups..

Roboform is NOT freeeware??

It's liteware or crippleware.

What I'm saying is it's in the RoboForm author's best interest for many
users of the liteware version to register and get the full version. If he
goes to the dark side and word gets out, he's done.

Bob

 

[Bob Adkins]

Paranoia will destroy ya!
If Roboform was behaving badly, someone would have sniffed
it out by now.

Agreed! Nevertheless, I keep sniffing for any suspicious behavior. The
stakes are pretty with RoboForm having access to my credit card numbers.

Bob

 

[Bob]

This is an example of Roboform communicating with it's maker:
http://www.roboform.com/?aaa=KICMIM...ICMPMJNHICMEKMICNJJCKJNBJCMNLAJNJJNKJCMJNNICM

What's in here, I've got no idea. I've also captured a web page directed
towards it that has stuff hidden in the background:

* RoboForm did not attach to this browser:
<br>
&nbsp;&nbsp;
Open Internet Explorer and use it to activate RoboForm.

<FORM ID="ActivationForm" METHOD=POST
ACTION="http://www.siber.com/php/pums/pums_actchk.php">
<!-- Filled by PUMS -->
<INPUT TYPE='text' NAME="orderid" STYLE="WIDTH:0" MAXLENGTH="10"
VALUE="04183454354">
<!-- Filled by RoboForm -->
<INPUT TYPE='text' NAME="actcode" STYLE="WIDTH:0" MAXLENGTH="30"
VALUE="a8dfe79aab23">
<INPUT TYPE='text' NAME="useruuid" STYLE="WIDTH:0" MAXLENGTH="36">
<INPUT TYPE='text' NAME="affiliateid" STYLE="WIDTH:0" MAXLENGTH="5">

<INPUT TYPE='hidden' NAME="IPaddress"
VALUE="66.157.250.191">

After paying for it, and finding a problem on their activation page, I've
determined that they are a pretty hardheaded group of people. (person???)

No, they will if someday they decide to retire to the Bahamas.
It talks back to them all the time in an encrypted form, touching only the
things it should - your account info. How does anyone know what it's
sending?

 

[Bob]

I tried calling to get a better feeling about the security issue....
http://www.siber.com/contact.html
I called 703-716-4292, and got what sounded like a home answering machine.
So, I ran a reverse lookup
http://www.anywho.com/qry/wp_rl?npa=703&telephone=7164292&btnsubmit.x=51&btnsubmit.y=13
Right address, wrong name.
What other people - whoops, companies are on that street?
http://www.anywho.com/qry/wp_rl?street=Rock+Manor+Court&city=HERNDON&STATE=VA&whiteshark.type=a
So, Roboform (Siber systems) is a one man (or woman - can't tell) operation.
Now, on a positive note, I find that Discover Deskshop (Discover Card) says
it contains AI Roboform form filling technology. This means that at least
Discover Card must trust them to some extent.

 

[Klein]

I find that Discover Deskshop (Discover Card) says

it contains AI Roboform form filling technology.

The first iteration of Discover software was abruptly pulled by
withdrawn because of the company's serious security concerns. I
frankly would not trust any vendor-tied software like this, Ebay
PSWDs in Zone Alarm, or anything of the sort.

Some macro recorder/player software is smart enough to position
at TOP OF PAGE then tab to the proper input fields and enter
predefined data. The issue of keeping the macro code (and
embedded passwords) confidential is a potential problem on a PC
that is shared with others.