Recuva always calls home


46 replies to this topic

#41 chrissmith, Member

Posted 28 April 2012 - 02:53 PM

Were you able to test if the Recuva key works?

I don't have a Speccy key.  I haven't investigated it because it works without having to go to the internet... unlike Recuva, which is "broken" until it does.

#42 Alan_B, Super Hero

Posted 28 April 2012 - 03:48 PM

This is not going to increase my popularity, but could the testing be re-run in a different order please :)

I believe the complaint is that Recuva shows this problem once only,
and after this it can be run again without problem,
and also Speccy can run without problem.

How about testing a system that has never seen any sort of Piriform,
and first testing Speccy to see if this shows a first time only "feature"
and then testing whether Recuva now has the problem.

I am thinking of the possibility that Microsoft look at every digital certificate,
and when they see a Digital Signature from a new signer perhaps Microsoft validate with the authority (Verisign)
and once a Piriform Signature is validated for the first product,
then any further products from Piriform with the same certification are automatically accepted.

Alan

#43 chrissmith, Member

Posted 28 April 2012 - 05:21 PM

Hi Alan,
Not to worry about your popularity!  I hold nothing against you.  In fact it's good that you pose your questions because it gives rise to discussion.

The reason I started investigating Recuva in the first place is because I noticed it took a very long time to launch (16 seconds, nominal) on some machines.  I really hadn't noticed it on other computers because I allowed the program to initially update during the install.  It was only when I didn't allow an update to happen that I noticed the program taking a long time to launch.

This is when I felt something was going on.  It threw me for quite a while because viewing the registry entries Recuva installs into the registry appeared to be the same on all the computers regardless if they were updated or not.  The only difference being the update date.  This is when I came to the forum and started this thread.

There is no doubt in my mind that Recuva is contacting an undisclosed party.  It can be proven just by messing with the authorizing registry key.

The difference is that Speccy doesn't act like Recuva.  If I open Speccy, it will launch and start running right away regardless if I block it with my firewall.  It doesn't require contact before it starts working and it doesn't stall.  If Speccy did stall out, I would investigate it too... but it doesn't, so I'm not concerned.  I don't use Speccy anyways.

This is really a privacy issue.  You may not realize it and it may not seem like a big deal to you, but you should nonetheless be concerned.

Suppose you were to open your email client and start reading your email.  Your email client, without your knowledge, notifies me that you just opened your email.  In fact, not only did it notify me, it opened a window for me so I could view what you were reading.  Would that give you something to worry about?  In this example, it's not so much that I'm able to see what you're doing, but the fact that you didn't even know your email client was doing this behind your back.  This is the premise behind what privacy issues are all about and why software companies continue to take so much flak.  Piriform knows this too, that's why they post a "Privacy Policy".  However their policy lacks sorely and gives a false impression.

So going by your suggestion, that I install Speccy first, then Recuva.  What's the difference?  Even if I do this, and Recuva works because Speccy made contact and installed a registry entry for me, didn't Speccy just contact Verisign without my knowledge too?

This is also not a Microsoft thing.  Windows doesn't even care if a cert is valid or not.  Windows might notify you, but that's about it.  If you look on your machine, you'll find numerous expired/outdated/unverified certs.  In fact, on occasion, if Windows notices an invalid cert and takes the time to warn you, say when you try to install a downloaded program from the internet, all you have to do is disregard it and you can continue on with the installation.  Windows doesn't even care, and it won't hinder a thing.

Anyways, no, I'm not going to bother with doing an experiment with Speccy and Recuva.  The outcome would be the same so it's really irrelevant.

Do you use a firewall?  If not and you're depending on Windows firewall, I suggest you change to a better one.  One that will notify you when any program attempts internet access.  Windows firewall will not do this.

Thanks, Alan!

#44 chrissmith, Member

Posted 28 April 2012 - 09:44 PM

Shown below is the trace of Recuva contacting Verisign as captured by SmartSniff.  Note that the blue highlighted numbers in the capture are the same as the registry key that gets installed into the computer.

Unfortunately, a lot of data is encrypted, so I can't tell what's what.

I've been told so far that...
"I highly doubt it's as nefarious as you make it but I'll check..."
"My theory is without Proof of concept I find this entire thread to be, no offence, a wild google chase, and that the issue described within is not actually occurring, again no offence meant."
"Please provide us with the proofs from your computer and reassure us to the location that you have downloaded the install from. Else I'm going to really start wondering if this is just a rabblerouser who has us chasing our tails."

I think I've supplied enough proof, actually, beyond a shadow of a doubt, that Recuva is calling out to Verisign directly after its first run.

Now it's up to the Moderators, and devs to answer.  Why is everyone so quiet all of a sudden?  You weren't so quiet when you doubted me and thought I was just imagining this stuff.  How can anyone miss this occurring with this application... especially the Mods who run this place?

All I'm asking is that the EULA be updated to reflect that contact will be made during Recuva's first run.  Then it will be up to the user to decide whether or not to use the app.  I no longer care about what has already been transmitted as it's too late for the machines I allowed access.  Piriform should take responsibility and update their EULA.

Trace...
==================================================
Index : 8
Protocol   : TCP
Local Address : 192.168.0.190
Remote Address : 23.67.56.11
Local Port : 1792
Remote Port    : 80
Local Host : IBM-A6E15B32522.socal.rr.com
Remote Host    : a26.ms.akamai.net
Service Name   : http
Packets    : 7  {4 ; 3}
Data Size : 1,807 Bytes  {269 ; 1,538}
Total Size : 2,396 Bytes  {429 ; 1,967}
Data Speed : 0.2 KB/Sec
Capture Time   : 4/28/2012 6:29:48 PM:316
Last Packet Time  : 4/28/2012 6:29:58 PM:330
Duration   : 00:00:10.014
Local MAC Address : 00-11-95-3b-85-9f
Remote MAC Address: 00-15-e9-ed-af-ca
Local IP Country  :
Remote IP Country :
==================================================

00000000  47 45 54 20 2F 6D 73 64  6F 77 6E 6C 6F 61 64 2F   GET /msd ownload/
00000010  75 70 64 61 74 65 2F 76  33 2F 73 74 61 74 69 63   update/v 3/static
00000020  2F 74 72 75 73 74 65 64  72 2F 65 6E 2F 34 45 42   /trusted r/en/4EB
00000030  36 44 35 37 38 34 39 39  42 31 43 43 46 35 46 35   6D578499 B1CCF5F5
00000040  38 31 45 41 44 35 36 42  45 33 44 39 42 36 37 34   81EAD56B E3D9B674
00000050  34 41 35 45 35 2E 63 72  74 20 48 54 54 50 2F 31   4A5E5.cr t HTTP/1
00000060  2E 31 0D 0A 41 63 63 65  70 74 3A 20 2A 2F 2A 0D   .1..Acce pt: */*.
00000070  0A 55 73 65 72 2D 41 67  65 6E 74 3A 20 4D 69 63   .User-Ag ent: Mic
00000080  72 6F 73 6F 66 74 2D 43  72 79 70 74 6F 41 50 49   rosoft-C ryptoAPI
00000090  2F 35 2E 31 33 31 2E 32  36 30 30 2E 35 35 31 32   /5.131.2 600.5512
000000A0  0D 0A 48 6F 73 74 3A 20  77 77 77 2E 64 6F 77 6E   ..Host:  www.down
000000B0  6C 6F 61 64 2E 77 69 6E  64 6F 77 73 75 70 64 61   load.win dowsupda
000000C0  74 65 2E 63 6F 6D 0D 0A  43 6F 6E 6E 65 63 74 69   te.com.. Connecti
000000D0  6F 6E 3A 20 4B 65 65 70  2D 41 6C 69 76 65 0D 0A   on: Keep -Alive..
000000E0  43 61 63 68 65 2D 43 6F  6E 74 72 6F 6C 3A 20 6E   Cache-Co ntrol: n
000000F0  6F 2D 63 61 63 68 65 0D  0A 50 72 61 67 6D 61 3A   o-cache. .Pragma:
00000100  20 6E 6F 2D 63 61 63 68  65 0D 0A 0D 0A no-cach e....

00000000  48 54 54 50 2F 31 2E 31  20 32 30 30 20 4F 4B 0D   HTTP/1.1  200 OK.
00000010  0A 43 6F 6E 74 65 6E 74  2D 54 79 70 65 3A 20 61   .Content -Type: a
00000020  70 70 6C 69 63 61 74 69  6F 6E 2F 78 2D 78 35 30   pplicati on/x-x50
00000030  39 2D 63 61 2D 63 65 72  74 0D 0A 4C 61 73 74 2D   9-ca-cer t..Last-
00000040  4D 6F 64 69 66 69 65 64  3A 20 54 75 65 2C 20 30   Modified : Tue, 0
00000050  32 20 4A 61 6E 20 32 30  30 37 20 31 38 3A 35 33   2 Jan 20 07 18:53
00000060  3A 30 39 20 47 4D 54 0D  0A 41 63 63 65 70 74 2D   :09 GMT. .Accept-
00000070  52 61 6E 67 65 73 3A 20  62 79 74 65 73 0D 0A 45   Ranges:  bytes..E
00000080  54 61 67 3A 20 22 35 34  35 63 32 66 33 66 39 66   Tag: "54 5c2f3f9f
00000090  32 65 63 37 31 3A 30 22  0D 0A 53 65 72 76 65 72   2ec71:0" ..Server
000000A0  3A 20 4D 69 63 72 6F 73  6F 66 74 2D 49 49 53 2F   : Micros oft-IIS/
000000B0  37 2E 35 0D 0A 58 2D 50  6F 77 65 72 65 64 2D 42   7.5..X-P owered-B
000000C0  79 3A 20 41 53 50 2E 4E  45 54 0D 0A 43 6F 6E 74   y: ASP.N ET..Cont
000000D0  65 6E 74 2D 4C 65 6E 67  74 68 3A 20 31 32 33 39   ent-Leng th: 1239
000000E0  0D 0A 44 61 74 65 3A 20  53 75 6E 2C 20 32 39 20   ..Date:  Sun, 29  
000000F0  41 70 72 20 32 30 31 32  20 30 31 3A 32 34 3A 35   Apr 2012  01:24:5
00000100  31 20 47 4D 54 0D 0A 43  6F 6E 6E 65 63 74 69 6F   1 GMT..C onnectio
00000110  6E 3A 20 6B 65 65 70 2D  61 6C 69 76 65 0D 0A 58   n: keep- alive..X
00000120  2D 43 49 44 3A 20 32 0D  0A 0D 0A 30 82 04 D3 30   -CID: 2. ...0‚.Ó0
00000130  82 03 BB A0 03 02 01 02  02 10 18 DA D1 9E 26 7D   ‚.» .... ...Úў&}
00000140  E8 BB 4A 21 58 CD CC 6B  3B 4A 30 0D 06 09 2A 86   è»J!XÍÌk ;J0...*†
00000150  48 86 F7 0D 01 01 05 05  00 30 81 CA 31 0B 30 09   H†÷..... .0Ê1.0.
00000160  06 03 55 04 06 13 02 55  53 31 17 30 15 06 03 55   ..U....U S1.0...U
00000170  04 0A 13 0E 56 65 72 69  53 69 67 6E 2C 20 49 6E   ....Veri Sign, In
00000180  63 2E 31 1F 30 1D 06 03  55 04 0B 13 16 56 65 72   c.1.0... U....Ver
00000190  69 53 69 67 6E 20 54 72  75 73 74 20 4E 65 74 77   iSign Tr ust Netw
000001A0  6F 72 6B 31 3A 30 38 06  03 55 04 0B 13 31 28 63   ork1:08. .U...1(c
000001B0  29 20 32 30 30 36 20 56  65 72 69 53 69 67 6E 2C   ) 2006 V eriSign,
000001C0  20 49 6E 63 2E 20 2D 20  46 6F 72 20 61 75 74 68 Inc. -  For auth
000001D0  6F 72 69 7A 65 64 20 75  73 65 20 6F 6E 6C 79 31   orized u se only1
000001E0  45 30 43 06 03 55 04 03  13 3C 56 65 72 69 53 69   E0C..U.. .<VeriSi
000001F0  67 6E 20 43 6C 61 73 73  20 33 20 50 75 62 6C 69   gn Class  3 Publi
00000200  63 20 50 72 69 6D 61 72  79 20 43 65 72 74 69 66   c Primar y Certif
00000210  69 63 61 74 69 6F 6E 20  41 75 74 68 6F 72 69 74   ication  Authorit
00000220  79 20 2D 20 47 35 30 1E  17 0D 30 36 31 31 30 38   y - G50. ..061108
00000230  30 30 30 30 30 30 5A 17  0D 33 36 30 37 31 36 32   000000Z. .3607162
00000240  33 35 39 35 39 5A 30 81  CA 31 0B 30 09 06 03 55   35959Z0 Ê1.0...U
00000250  04 06 13 02 55 53 31 17  30 15 06 03 55 04 0A 13   ....US1. 0...U...
00000260  0E 56 65 72 69 53 69 67  6E 2C 20 49 6E 63 2E 31   .VeriSig n, Inc.1
00000270  1F 30 1D 06 03 55 04 0B  13 16 56 65 72 69 53 69   .0...U.. ..VeriSi
00000280  67 6E 20 54 72 75 73 74  20 4E 65 74 77 6F 72 6B   gn Trust  Network
00000290  31 3A 30 38 06 03 55 04  0B 13 31 28 63 29 20 32   1:08..U. ..1© 2
000002A0  30 30 36 20 56 65 72 69  53 69 67 6E 2C 20 49 6E   006 Veri Sign, In
000002B0  63 2E 20 2D 20 46 6F 72  20 61 75 74 68 6F 72 69   c. - For  authori
000002C0  7A 65 64 20 75 73 65 20  6F 6E 6C 79 31 45 30 43   zed use  only1E0C
000002D0  06 03 55 04 03 13 3C 56  65 72 69 53 69 67 6E 20   ..U...<V eriSign  
000002E0  43 6C 61 73 73 20 33 20  50 75 62 6C 69 63 20 50   Class 3  Public P
000002F0  72 69 6D 61 72 79 20 43  65 72 74 69 66 69 63 61   rimary C ertifica
00000300  74 69 6F 6E 20 41 75 74  68 6F 72 69 74 79 20 2D   tion Aut hority -
00000310  20 47 35 30 82 01 22 30  0D 06 09 2A 86 48 86 F7 G50‚."0 ...*†H†÷
00000320  0D 01 01 01 05 00 03 82  01 0F 00 30 82 01 0A 02   .......‚ ...0‚...
00000330  82 01 01 00 AF 24 08 08  29 7A 35 9E 60 0C AA E7   ‚...¯$.. )z5ž`.ªç
00000340  4B 3B 4E DC 7C BC 3C 45  1C BB 2B E0 FE 29 02 F9   K;NÜ|¼<E .»+àþ).ù
00000350  57 08 A3 64 85 15 27 F5  F1 AD C8 31 89 5D 22 E8   W.£d….'õ ñ­È1‰]"è
00000360  2A AA A6 42 B3 8F F8 B9  55 B7 B1 B7 4B B3 FE 8F   *ª¦B³ø¹ U·±·K³þ
00000370  7E 07 57 EC EF 43 DB 66  62 15 61 CF 60 0D A4 D8   ~.WìïCÛf b.aÏ`.¤Ø
00000380  DE F8 E0 C3 62 08 3D 54  13 EB 49 CA 59 54 85 26   ÞøàÃb.=T .ëIÊYT…&
00000390  E5 2B 8F 1B 9F EB F5 A1  91 C2 33 49 D8 43 63 6A   å+.Ÿëõ¡ ‘Â3IØCcj
000003A0  52 4B D2 8F E8 70 51 4D  D1 89 69 7B C7 70 F6 B3   RKҏèpQM щi{Çpö³
000003B0  DC 12 74 DB 7B 5D 4B 56  D3 96 BF 15 77 A1 B0 F4   Ü.tÛ{]KV Ó–¿.w¡°ô
000003C0  A2 25 F2 AF 1C 92 67 18  E5 F4 06 04 EF 90 B9 E4   ¢%ò¯.’g. åô..ä
000003D0  00 E4 DD 3A B5 19 FF 02  BA F4 3C EE E0 8B EB 37   .äÝ:µ.ÿ. ºô<îà‹ë7
000003E0  8B EC F4 D7 AC F2 F6 F0  3D AF DD 75 91 33 19 1D   ‹ìô׬òöð =¯Ýu‘3..
000003F0  1C 40 CB 74 24 19 21 93  D9 14 FE AC 2A 52 C7 8F   .@Ët$.!“ Ù.þ¬*RǏ
00000400  D5 04 49 E4 8D 63 47 88  3C 69 83 CB FE 47 BD 2B   Õ.IäcGˆ <iƒËþG½+
00000410  7E 4F C5 95 AE 0E 9D D4  D1 43 C0 67 73 E3 14 08   ~OÅ•®.Ô ÑCÀgsã..
00000420  7E E5 3F 9F 73 B8 33 0A  CF 5D 3F 34 87 96 8A EE   ~å?Ÿs¸3. Ï]?4‡–Šî
00000430  53 E8 25 15 02 03 01 00  01 A3 81 B2 30 81 AF 30   Sè%..... .£²0¯0
00000440  0F 06 03 55 1D 13 01 01  FF 04 05 30 03 01 01 FF   ...U.... ÿ..0...ÿ
00000450  30 0E 06 03 55 1D 0F 01  01 FF 04 04 03 02 01 06   0...U... .ÿ......
00000460  30 6D 06 08 2B 06 01 05  05 07 01 0C 04 61 30 5F   0m..+... .....a0_
00000470  A1 5D A0 5B 30 59 30 57  30 55 16 09 69 6D 61 67   ¡] [0Y0W 0U..imag
00000480  65 2F 67 69 66 30 21 30  1F 30 07 06 05 2B 0E 03   e/gif0!0 .0...+..
00000490  02 1A 04 14 8F E5 D3 1A  86 AC 8D 8E 6B C3 CF 80   ....åÓ. †¬ŽkÃÏ€
000004A0  6A D4 48 18 2C 7B 19 2E  30 25 16 23 68 74 74 70   jÔH.,{.. 0%.#http
000004B0  3A 2F 2F 6C 6F 67 6F 2E  76 65 72 69 73 69 67 6E   ://logo. verisign
000004C0  2E 63 6F 6D 2F 76 73 6C  6F 67 6F 2E 67 69 66 30   .com/vsl ogo.gif0
000004D0  1D 06 03 55 1D 0E 04 16  04 14 7F D3 65 A7 C2 DD   ...U.... ..Óe§ÂÝ
000004E0  EC BB F0 30 09 F3 43 39  FA 02 AF 33 31 33 30 0D   ì»ð0.óC9 ú.¯3130.
000004F0  06 09 2A 86 48 86 F7 0D  01 01 05 05 00 03 82 01   ..*†H†÷. ......‚.
00000500  01 00 93 24 4A 30 5F 62  CF D8 1A 98 2F 3D EA DC   ..“$J0_b ÏØ.˜/=êÜ
00000510  99 2D BD 77 F6 A5 79 22  38 EC C4 A7 A0 78 12 AD   ™-½wö¥y" 8ìħ x.­
00000520  62 0E 45 70 64 C5 E7 97  66 2D 98 09 7E 5F AF D6   b.EpdÅç— f-˜.~_¯Ö
00000530  CC 28 65 F2 01 AA 08 1A  47 DE F9 F9 7C 92 5A 08   Ì(eò.ª.. GÞùù|’Z.
00000540  69 20 0D D9 3E 6D 6E 3C  0D 6E D8 E6 06 91 40 18   i .Ù>mn< .nØæ.‘@.
00000550  B9 F8 C1 ED DF DB 41 AA  E0 96 20 C9 CD 64 15 38   ¹øÁíßÛAª à– ÉÍd.8
00000560  81 C9 94 EE A2 84 29 0B  13 6F 8E DB 0C DD 25 02   É”). .oŽÛ.Ý%.
00000570  DB A4 8B 19 44 D2 41 7A  05 69 4A 58 4F 60 CA 7E   Û¤‹.DÒAz .iJXO`Ê~
00000580  82 6A 0B 02 AA 25 17 39  B5 DB 7F E7 84 65 2A 95   ‚j..ª%.9 µÛç„e*•
00000590  8A BD 86 DE 5E 81 16 83  2D 10 CC DE FD A8 82 2A   н†Þ^.ƒ -.ÌÞý¨‚*
000005A0  6D 28 1F 0D 0B C4 E5 E7  1A 26 19 E1 F4 11 6F 10   m(...Äåç .&.áô.o.
000005B0  B5 95 FC E7 42 05 32 DB  CE 9D 51 5E 28 B6 9E 85   µ•üçB.2Û ÎQ^(¶ž…
000005C0  D3 5B EF A5 7D 45 40 72  8E B7 0E 6B 0E 06 FB 33   Ó[ï¥}E@r Ž·.k..û3
000005D0  35 48 71 B8 9D 27 8B C4  65 5F 0D 86 76 9C 44 7A   5Hq¸'‹Ä e_.†vœDz
000005E0  F6 95 5C F6 5D 32 08 33  A4 54 B6 18 3F 68 5C F2   ö•\ö]2.3 ¤T¶.?h\ò
000005F0  42 4A 85 38 54 83 5F D1  E8 2C F2 AC 11 D6 A8 ED   BJ…8Tƒ_Ñ è,ò¬.Ö¨í
00000600  63 6A   cj
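
An added example, not part of the original post: Python that reads the request half of the trace above, with the bytes taken from the dump's ASCII column. It reports the sender's User-Agent, the destination host, the 40-hex name of the requested .crt file, and whether any cookie or request body went out. `body_matches_name` assumes that name is the SHA-1 thumbprint of the certificate, so a saved response body can be checked against it; all function names are illustrative.

```python
import hashlib
import re

# Request bytes as decoded in the ASCII column of the SmartSniff trace above.
REQUEST = (
    b"GET /msdownload/update/v3/static/trustedr/en/"
    b"4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5.crt HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"User-Agent: Microsoft-CryptoAPI/5.131.2600.5512\r\n"
    b"Host: www.download.windowsupdate.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Pragma: no-cache\r\n\r\n"
)

# A path ending in <40 hex digits>.crt, as in the captured request.
CRT_PATH = re.compile(r"/([0-9A-Fa-f]{40})\.crt$")


def parse_request(raw: bytes) -> dict:
    """Split a captured HTTP/1.x request into method, path and headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def describe(raw: bytes) -> dict:
    """Summarise what left the machine: sender, destination, object, payload."""
    req = parse_request(raw)
    match = CRT_PATH.search(req["path"])
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else b""
    return {
        "user_agent": req["headers"].get("user-agent", ""),
        "host": req["headers"].get("host", ""),
        "crt_name": match.group(1).upper() if match else None,
        "has_cookie": "cookie" in req["headers"],
        "body_bytes": len(body),
    }


def body_matches_name(der: bytes, crt_name: str) -> bool:
    """True if the SHA-1 of a downloaded .crt body equals the requested name.

    Assumption: the 40-hex file name is the certificate's SHA-1 thumbprint.
    """
    return hashlib.sha1(der).hexdigest().upper() == crt_name.upper()
```

To use the last check on a real capture, save the 1,239-byte response body from the trace to a file and pass its bytes together with `describe(REQUEST)["crt_name"]`.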

#45 Augeas, Moderator

Posted 29 April 2012 - 03:58 AM

chrissmith, on 28 April 2012 - 09:44 PM, said:

Now it's up to the Moderators, and devs to answer.  Why is everyone so quiet all of a sudden?  You weren't so quiet when you doubted me and thought I was just imagining this stuff.  How can anyone miss this occurring with this application... especially the Mods who run this place?

All I'm asking is that the EULA be updated to reflect that contact will be made during Recuva's first run.  Then it will be up to the user to decide whether or not to use the app.  I no longer care about what has already been transmitted as it's too late for the machines I allowed access.  Piriform should take responsibility and update their EULA.

The moderators, as you have already been told in this thread, are ordinary users who keep offensive material off the board and try to help others when they can.

Nobody has denied this is happening. It happens with a lot of software, even, according to some external Zone Alarm posts, with Windows Explorer. You are concerned about this, perhaps others aren't so concerned. I think you have had a great deal of latitude to express yourself and investigate the events. Whether Piriform will change anything is up to them. Please don't let your concern develop into insults.

#46 chrissmith, Member

Posted 29 April 2012 - 08:45 AM

Hey sorry guys, that was my friend Winston messing around.  I really apologize!  I don't know what to say!  Stupid jerk!  God, I can't believe he did that!

Anyways, (from me)... I do hope Piriform will consider changing their EULA so users are notified.

Gotta apologize again!  Sorry!

#47 cartel, Member

Posted 24 August 2012 - 05:20 PM

OCSP.TKO2.VERISIGN.COM 199.7.57.72

The new version does it too.
Why does Recuva do this and CCleaner doesn't?

I found it stores files in AppData\LocalLow\Microsoft\CryptnetUrlCache\Content and MetaData
I have CCleaner set to clean these folders. They are a securely encrypted copy of your entire Windows and internet browsing history on the system.

Maybe that's why?


It has this key: (attached file: recuva.txt)