SCI: Tech Fears Arise Over Norton and Pifts.exe

Well... it looks like Symantec is in full damage control mode.

www.thetechherald.com...

I've only got one thing to say... Steve Ragan, exactly how many eye witness statements did you check out before 'publishing' your story.

So much for verifying ANY of the facts...

Just because some of us proudly wear tinfoil hats , doesn't mean we can't see a disinformation story when we see it.

I hope you didn't leave too many lips marks on Dave Cole's rump...

Eh, Stevie?



PS. Something like 376,000,000 hits on Google.

What a freak show.


[edit on 11-3-2009 by golemina]

Sauron,

Thanks for the update. Seems like AboveTopSecret really did make into PCWorld. Good article to save. Made my night. Thank you.

ps. Which member was quoted?

reply to post by Tripnman


You need to go to ¨advanced search options¨ and make sure you include in the search ¨hidden files and folders¨ otherwise you will not see it

reply to post by Gouki


I was quoted, it's the first post.

Ugh, I love how they blame the thread deletion on 4chan, when they were deleting threads before 4chan even got involved. I was around for the first thread on /g/, and there were threads being deleted before the OP of that thread posted anything.

I'm not going to read through every single post, after the first few pages I believe I get the basic idea. I work in IT for a living and have always despised Norton because it always caused problems!

Just about every new computer comes with a 60 day trial of Norton Internet Security pre-installed. Besides it's half ass protection it's a resource hog. Not to mention how many computers I've had to repair after the 60 day trail expires and suddenly there internet stopped working. Either I had to eventually re-install the OS or I would have to preform various techniques to repair the tcp/ip and cryptography protocols.

i saw a consistent pattern where customers would bring in there laptop / desktop and they couldn't get net access. Today I believe it's done intentionally by Norton so you have to use there crappy products.

I'll have to get a copy of this .exe and look it over and see if I can find out anything suspicious.

In the meantime I'd start by using Norton Removal Tool (google it) and get a real security solution.

Ole Dave Coles must be getting more confident with EACH retelling of the story...

(Not really, all the net 'journalists' are PARROTING Dave Coles 'official' explanation of the events that transpired...)

Small excerpt from Robert McMillan, IDG News Service on www.thestandard.com...

PIFTS (Product Information Framework Troubleshooter) is a diagnostic program that Symantec periodically sends out to users to anonymously collect information such as the operating system and version number of the product being used in order to get a snapshot of its user base. The troublesome, unsigned PIFTS.exe file is no longer being distributed, but it never represented any kind of security threat, Kyle said. "If a user would have accepted it they should have been fine, and if they declined it they should have been fine."

Last three lines of a log file filtering some of the activity of our little friend PIFTS.EXE (presumably by Process Monitor ).

"21:42:39,1065547","PIFTS.exe","3220","CloseFile","C:\Dokumente und Einstellungen\[Benutzer]\Cookies\index.dat","SUCCESS",""
"21:42:39,1065894","PIFTS.exe","3220","CloseFile","C:\Dokumente und Einstellungen\[Benutzer]\Lokale Einstellungen\Verlauf\History.IE5\index.dat","SUCCESS",""
"21:42:39,1066223","PIFTS.exe","3220","CloseFile","C:\Dokumente und Einstellungen\[Benutzer]\Lokale Einstellungen\Temporary Internet Files\Content.IE5\index.dat","SUCCESS",""

Courtesy of www.allround-pc.com...

So much for Dave Coles explanation about what exactly PIFTS.EXE inner workings of 'operating system and version number of the product being used in order to get a snapshot of its user base'...

For those of you who might be a little slow on the draw those last three lines represent the closing of the COOKIES, HISTORY, and CONTENT index files of their respective INTERNET EXPLORER directories...

My friends that is what is known in the 'DEBUNKING' game as being busted in the act of telling a BOLD FACED LIE.

Symantec, consider yourself exposed.



None of you guys have anything in your INTERNET EXPLORER directories you don't mind some surely BENEVOLENT entity at some massive disk farm knowing EVERYTHING(?) about... Do you?



[edit on 11-3-2009 by golemina]

Originally posted by golemina
For those of you who might be a little slow on the draw those last three lines represent the closing of the COOKIES, HISTORY, and CONTENT index files of their respective INTERNET EXPLORER directories...

There's no indication that it's PIFTS.EXE that's directly accessing those; it seems more likely that is a side-effect of the use of the Microsoft WinINet API, specifically the call to InternetConnect().

Is it just me or is community.norton.com completely down now? DDOS?

//EDIT: Server running again, strange, just wanted to check what's going on...

[edit on 11.3.2009 by SiONiX]

Another flaw in their "we deleted threads because of spam" story (apart from the fact that they basically deleted threads from the word go): While the inept moderators were unable to take control of the situation, they still had time to "reprogram" (i.e. censor) registration names... Go ahead... Try to register a name with Pifts in it...

That login contains invalid content. Please choose a different login that does not contain 'Pift'.

This was implemented when the spamming was in full swing early yesterday morning.

Someone had the sense to stop registrations with the "forbidden word" in the login, but no-one had the sense to make a public announcement like say "Yes we know Pifts is an issue... Hand tight while we find an answer for you"?

Again - why the silence? Naughty, naughty.

reply to post by Gemwolf


It's like waiting for the rest of the pentacon tapes to be released... if there's nothing wrong then spill the beans! Instead of letting people like us run havok and cause them lots of headaches

I found a youtube video that links to ATS in their info panel when you search for Pifts on youtube:

www.youtube.com...



Is that from a member here?

[edit on Wed Mar 11th 2009 by DJMessiah]

from the blog site someone made to talk about this file...

Read this. Seems to confirm what I was saying. Not sure how accurate any of it is, but I can't imagine someone making up such elaborate backgrounds about former military intelligence officers and whatnot.


Fascinating, they call it a simple update? It is not.

The program analyzed:

»anubis.iseclab.org/?action=resul···mat=html

It clearly goes through and scrapes your history, temp files, cookies, etc, and it tries to contact a shady online storage place they recently acquired. Let's do a lookup on swapdrive! 67.134.208.160:80 is where PIFTS.exe asks to connect to.

Domain Name: SWAPDRIVE.COM

Administrative Contact:
Wallace, Marc
Web Data Group, LC
PO BOX 7241
ARLINGTON, VA 22207-0241
US
703-352-1578

www.webdatagroup.com

Click on " Competitive intelligence." Interesting! They talk about military intelligence gathering right on the page. So this "update" is scraping internet history and temp data and trying to contact a company who does online storage with shady ties to intelligence gathering. If it is datamining, Americans need not be surprised, we had AT&T do it on our phones and some act as if our computers are immune. Hey, let's look more into one of the owners of Swapdrive in the Web Data Group! There are more interesting people than Marc Wallace.

www.spoke.com...

"Roland Schumann is a former military intelligence officer, having served both on active duty and in the reserves. Trained in unconventional warfare and electronic intelligence gathering, he also has practical experience in airborne operations, human intelligence (HUMINT), counter-intelligence, and counter-terrorism. He has performed risk analyses in Latin America for the US government and in the United States for commercial and government interests."

It is helped to be run by a former military intelligence officer. So there you have it, you have very shady actions by Symantec regarding the whole thing making people suspicious by deleting any mention of it, they claim it is a simple update, and when we dive into it, we find out it scrapes your internet history and temp files, interfaces with Google Desktop (G O E C 6 2 ~ 1 . D L L ), and then where does it try to go? It tries to jump straight to Swapdrive (we know this because it asked permission to go to 67.134.208.160:80, which is Swapdrive). Who owns swapdrive? The Web Data Group based out of Arlington (wow, the same place the Pentagon is located, what a coincidence) who has a statement about using military intelligence information gathering right on their website and who has owners with shady backgrounds as army intelligence officers, and when Symantec is asked about PIFTS.exe, it immediately tries to cover it up and deletes everything related to it in a very suspicious fashion. Follow the trail, do some research, dig around.

pifts.blogspot.com...

LOL

Poor Peter Norton... Errumm he sold his likeness and bailed from Symantec.

Used to work there myself and it's absolutely no surprise they do this.

/pissed.mode.off/

[edit on 3·11·09 by DrMattMaddix]

Good research Justyc.

It looks too coincedental to be coincedence. Ex MI on the Board of a company that was owned by a company that specialises in Military Intelligence level data mining, located next door to the Pentagon. Hmmm.

I wonder if people are really aware of the implications of the level of data mining that could be achieved by running simple query statements on the data that pifts.exe gathers and stores at the Swapdrive storage farm.

For example, a simple SQL statement could retreive data such as:

Which Norton users search online for weapons.
Which Norton users log onto sites linked with militia or terrorist activity.
Which Norton users log onto conspiricy websites.
Which Norton users search online for bomb making equipment.
Which Norton users log onto anti-government sites.

With some simple refinement of the querys on the data sets recovered from the previous querys they could then find out something like...

Billy Smith from 123 somewhere St, somewhereville, someplace, searched for sniper rifles and bombmaking equipment 4000 times in the last week, is a member of user forums on know militia and anti-govenrment websites, and recently purchased some balaclavas on E-bay.

Billy's gonna get a knock on his door from some guys in dark suits and dark glasses and billy's ass is never gonna be seen again!

Well, it took me over 24 hrs to finish this thread, finally!

First thing that jumped out at me when I read Dave Coles statement...the simple little patch had the "rare" occurrence to be unsigned.

Second impression, the bleaching of the pifts subject in the forums, then using the spam to justify the total bleaching, which began occurring well before the spam.

Third impression, what is the exe called now, why was so vital to get it out but now that it has caused such an outcry, it has been pulled?? Even though it is harmless and beneficial.

Fourth impression, I feel that Symantec alerted the Post themselves, just to get in the "warning" that searching google(their competitor) would give you a virus. (well if we use nortons, why should that concern us?) to prevent searches period.

Fifth, just like getting Oprah to say over 9000 penii on natrional TV, 4chan(hilarious!!!!!) got Symantec to officially incorporate Anon into the official statement. Bwahaha, pwnd anyone?


This was not handled well, and suspicions were raised, still raised, in my view. This is straight up data mining. No coincidence the files are stored at swapdrive, which in one of statements symantec proudly says why yes we bought them so we store wour data there.

"Just want to add additional comment here because of the inquiries we've seen coming in to the forum. There's been speculation that PIFTS.exe is sending information to a server in Africa, which is untrue. The servers used by PIFTS.exe are located at a SwapDrive facility in North America. Symantec completed the acquisition of SwapDrive in June 2008, so these are indeed Symantec servers. Also, PIFTS.exe does not collect or send any of our users' personal information.

We will be posting a technical write-up to the forum soon with further details on the data PIFTS.exe collects.


Tony Weiss
Norton Forums Administrator
Symantec Corporation "

From the official thread at Nortons.

community.norton.com...

Good work, ATS! Best thread I have been involved with for a while.

Edit to add:

How disturbing that Nortons considers the data mining they admit to, and users did not have an opt out feature for safe, and OK.

"Symantec explains PIFTS and debunks conspiracy theories (Update)
by Steve Ragan - Mar 10 2009, 20:25
Symantec explains PIFTS and debunks conspiracy theories.(IMG:Symantec)

Symantec explains PIFTS and debunks conspiracy theories.(IMG:Symantec)

Earlier this morning there was a good bit of rumor circulating about PIFTS.exe and Symantec (Product Information Framework Trouble Shooter). As it turns out, the removal of posts on the Norton Community Forums and the alerts from Symantec products sent conspiracy theorists into overdrive, while at the same time frustrating legitimate customers.

Symantec spoke to The Tech Herald this afternoon and explained its side of the story. For now, you can remove the tinfoil hats. Big Brother, in this case, is not watching you.

So what is PIFTS.exe and why was it blocked? According to Dave Cole, Senior Director of Product Management at Symantec, it's not all it's cracked up to be.

PIFTS is: “Not nearly as exciting as it’s been made out to be. [It’s] a diagnostic patch that we put out for the older products,” he said.

“We use it for things like determining product state and the advance of migration... like determining how many active customers there are on 2006 and 2007 products, which is who this issue affected. It was restricted to people who [use Symantec’s] 2006 or 2007 products, and who downloaded patch within a three hour period last night, [between] 4:30 – 7:40 PM PST.

PIFTS is not solely used for migration, Cole added, it does call back to Symantec with basic information about older products. The Firewall alerts were essentially saying, “Unsigned, unknown application here, what do you want to do with it?”

www.thetechherald.com...

[edit on 11-3-2009 by hotbakedtater]

Just a post to remind people to check the join dates of some people posting on this thread, there are plenty of just joined people posting debunkings of the PIFTS.exe conspiracy theories, and this alone should be cause for suspicion.

There was a document linked about a pifts which could indicate that this problem goes way beyond datamining and actually into remote censorship, I'll see if I can edit the link into this post... Ah, here we go:

Originally posted by SeanU
Pift = Probabilistic Information Filtering Tool

Maybe there are people interested in flagging people searching for certain phrases on google?

Google Books Link to research paper

[edit on 10-3-2009 by SeanU]

Reading the first few pages of that gives the idea that this goes a bit further than data mining and actually into information filtering. A cybercoup to take over people's pc's and filter incoming information would explain the anxiousness over at symantec. Thanks to SeanU for the link.

Maybe this isn't the case, I am just speculating, but all eyes should stay on this issue now.

Regardless, symantec will never be installed on any of my computers again and to all the people who ask me for advice I will say that they should never use any of their products. What has already transpired is enough for symantec to be on a consumer blackout list. Sorry to the good people working there and who likely have no fault in the actions of management.

And some day I'll be changing to linux, windows is getting a bit too controlling for my liking, it's like a bad relationship.

[edit on 11-3-2009 by Zepherian]

A Thought occurs.

Everyone's looking JUST at PIFTS.exe ... I was wondering- what if this program was little more than a 'detonation cap' for something a little more insidious in the guts of the program? Whatever random action (ZoneAlarm hiccuping on it, ect) brought this little item to light... but what's going on in the AV? What does this do inside the program? Could it trip something else? What if it's like a bullet for a gun- one cannot function without the other..

As a former Norton Refugee- I am really suspicious of what this thing could do... Not by itself, but integrated into the whole software package. The rest of the pieces are probably hunkered down in there- and when it's integrated, the original file goes poof- leaving no traces of itself. And then, the fun begins...

I remember back to when I was going to yank AOL off my computer. I ended up going places I didn't wanna go, like the registry, and then... when it refused to die- I found AOLBACK. A complete and total backup of *everything* I just yanked from the computer. It was also hidden in the deep dark recesses of the hard drive. Once AOL was murdered, my computer sprang to life with a vengeance.

This does make me a little paranoid... if Norton's got crap swimming around in it... So does yahoo messenger, toolbar.... And potentially anything else Symatec has it's greedy lil paws in.

reply to post by wylekat


This thread was moving a little too fast for me to keep up/ post yesterday, but Wylekat, I think you've hit a really good point on the head. Given Symantec's backpedaling today and the facts we know about the app, I have to wonder the same thing. Been there, done that with AOL(sic).

I've also seen spy software that will embed itself so deeply as to mimic normal Windows registry entries hiding itself. This stuff was in the computer so tight I actually ended up having to wipe the drive, I could never find all of it to get it out.

Scary stuff out there - seriously makes one wonder if it all could have been a distraction Symantec allowed to bloom out of control to distract from what pifts was really doing/ interacting with.

Originally posted by CeltAngel
Given Symantec's backpedaling today and the facts we know about the app, I have to wonder the same thing. Been there, done that with AOL(sic).

I've also seen spy software that will embed itself so deeply as to mimic normal Windows registry entries hiding itself. This stuff was in the computer so tight I actually ended up having to wipe the drive, I could never find all of it to get it out.

I'm so glad to hear so many users out there have had to go through the same problems I've had over the past few years. I have my own "blacklist" whereas Norton, AOL, and other spyware are on it. Every time I cringe when people bring it up they ask "what's wrong?" whereas I try to explain and they look at me like I'm superstitious cavedweller from the dark ages. Despite my howling into the wind, they reply, "Anyway, can you get my AOL working? I like it when it says 'You've got mail!' " Apparently this vocal feature is worth $19.95 a month whereas most other e-mail is free.

Originally posted by CeltAngel
Scary stuff out there - seriously makes one wonder if it all could have been a distraction Symantec allowed to bloom out of control to distract from what pifts was really doing/ interacting with.

When I heard Microsoft had put in all kinds of crazy filters for Internet Explorer to meet China's restriction on 'harmful speech/images' I knew that governments were deeply vested into software creation and have implemented cooperative efforts. On the whole, I can see where they can be used for good, but much like a knife it can either be used to prepare food or remove a life.

[edit on 11-3-2009 by saint4God]