We registered as users and downloaded copies of InfoWorld’s Windows Sentinel tool and XPNet’s DMS Clarity Tracker Agent.
Based on our tests, the InfoWorld Windows Sentinel and the DMS Clarity Tracker Agent are identical. The screens that appear during setup (including the end user license agreement) are the same. MD5 checksum hashes of the file downloaded from XPNet and the one from Windows Sentinel match perfectly. The only difference is a single letter in the file name of the executable.
As for the software itself, the installer is not digitally signed. It installs two Windows services: Cfwtracker.exe and Cfwupload.exe. The tracker program adds information at regular intervals to a database (in Microsoft Access format) stored in the user profile of the currently logged-on user. The upload module periodically sends that data to a remote server.
At its website, DMS claims that the software transmits data securely:
******************
Running in tandem with the DMS Clarity Tracker Agent, the Tracker Upload service spools collected data to the exo.repository for later review. The service uses an SSL-secure web connection that is compatible with most enterprise firewalls and proxy server implementations.
******************
We found this claim to be untrue. In our tests, using machines in widely separated geographic locations, the DMS software made simple (non-secure) HTTP connections on port 80, transmitting data to a server at IP address 66.115.28.220. The IP block at 66.115.28.* has DNS A records that point to devilmount.com, xpnet.com, and csaresearch.com. All of those companies are registered to Devil Mountain Software and include the name Randall C. Kennedy in the registration information.
When we attempted to use a browser to make a secure connection to
https://xpnet.com, we received two certificate errors. The certificate associated with the site, originally issued by Equifax Secure Global eBusiness, had been issued to a different domain, csaresearch.com. In addition, the certificate had expired on September 7, 2009.
XPNet.com has no privacy policy on its site. Its license agreement contains no privacy information whatsoever. InfoWorld, however, made a prominent claim about privacy on its page that, until this weekend, offered the Windows Sentinel program:
***************
Performance data is uploaded to the exo.performance.network, where your most recent one week of data is stored for viewing and analysis. Performance data will be shared in aggregate only and never identified as linked to your individual account.
***************
The Feb. 19 exo.blog post appears to have violated that policy in a big way.
We conducted tests using the software downloaded from InfoWorld’s Windows Sentinel page and from XPNet.com and found no differences in their behavior. In both cases, the captured data was sent to the same server, which is under the control of Devil Mountain Software. As noted previously, InfoWorld pulled the software over the weekend.
