With that in mind, I would like to make our users aware of some recent activity regarding these tools, and would like to explain what exactly is going on and how it may concern our users. At the end of the post you can find steps to follow in order to ensure you are protected from the malicious activity.
Lastly, we would like to encourage Tom_BMX to respond to these allegations, and provide explanation as to why he has done this.
We are not trying to stir up any "bad blood", and any posts from forum users which are hostile in nature will be removed from this topic.
PS: There's a summary at the bottom for the lazy people out there
Back in August 2012, I discovered that Tom_BMX's Xmodel Export Utilities (which was still a new program) was sending data to Tom's servers paired with your public IP address. I then publicly warned that since Tom has access to the ZM user database (which contains your IP address), he could match up your ZM username's IP with his program database of IPs, therefore making the data collection not anonymous. This information could be used to track you and also in some cases obtain your general location (based on your ISP's setup - sometimes it's completely inaccurate).
At some point since then it seems he changed the program (via an update) so that it no longer sends specific xmodel data upon export.
With the recent posts from [You are not allowed to view external links. Register or Login to see them] and [You are not allowed to view external links. Register or Login to see them] regarding Tom's actions, some new information has come to light which should concern you.
Using a network monitoring tool called [You are not allowed to view external links. Register or Login to see them] , I was able to determine that Tom's Xmodel Utilities, BO Sound Tool, and xAnim Exporter send non-anonymous data to Tom. I encourage you to try it yourself and look at the data ([Instructions]). The destination IP address is 184.108.40.206, which is the server for tom-bmx.com
The data includes:
- Your IP Address
- Your computer username (whatever is at the top of your Start Menu)
- How many times you have used the program (Only for Xmodel Utilities)
- How many models you have exported (Only for Xmodel Utilities)
Here is an example of the data collection he is doing, as seen in Wireshark (Click the image to zoom):
As you can see, his program is reporting that my IP address has used the program 73 times, exported 37 models, and my name is Andy King. The program reports these stats to Tom every time it checks for updates, which is every time you open the program.
When I brought this up in the past, Tom responded by saying that his program(s) only collected anonymous statistics (I would quote the topic but he deleted it shortly after). This would be harmless if it were true. Instead he is collecting your username and pairing it with your IP address. This way even if your IP address changes regularly or you use a proxy, he can still identify you by your username.
The reason I have arrived at this conclusion is because BigDave claimed today that Tom_BMX said the following to him in confidence at some point in a conversation between the two of them:
Assuming this is true, Tom is not just using your information to attach your stats to a name; he is keeping track of your identity so that if he wanted to, he could attack your computer or otherwise track you. This is entirely illegal and violates privacy laws in both the US and UK.. You did not agree to give up personal information or to be tracked when you downloaded this program.
BigDave also had this to say, which raises more concerns:
Source: [You are not allowed to view external links. Register or Login to see them]
Here are some key points of the Privacy Laws in the United States, which are the same in over 80 other countries in the world - which includes the UK where Tom_BMX resides:
- For all data collected there should be a stated purpose.
- Transmission of personal information to locations where "equivalent" personal data protection cannot be assured is prohibited.
Regarding the first point, Tom has not stated a purpose for why he needs to store all of our personal names and IP addresses, other than in certain cases where he may want to remotely run unauthorized commands on our computers through malicious code in his programs.
If the purpose was purely for statistics, he should not be collecting our names (much less storing them!) and our IP addresses should not be stored either (but there is no way to prevent collection since this is how the internet works). There is also no notice in the program or on his website or in any License Agreement/EULA that notifies you that data is collected for statistical reasons.
For the second point, we have no assurance that our personal information is safe or protected in any way, which means that collection is prohibited by law. Again, the model exporting statistics are not the issue here - it's our usernames and IP addresses, and the threat of malicious intent.
How do I protect myself?
First, get a firewall if you don't have one already. If you have Windows Firewall turned off, turn it back on. Use it to block Tom's programs from connecting to the internet. If you want to check for updates, visit his website directly instead of using the in-app update checking (which will be blocked by the firewall).
Secondly, make sure you are taking the necessary precautions against unknown incoming connections. Check Google for more info on this.
If you don't want to use a firewall and don't care about not being able to check for program updates, you can do the following:
Right click the file named "hosts" and choose "Open". Select Notepad from the list. Scroll to the bottom of the file and use your Enter key to make a new line. Add:
to the bottom of the file. File->Save the file, then close it.
By adding that line, you are telling your computer to redirect all outbound tom-bmx.com requests to 127.0.0.1, which is a fancy way of saying that you are blocking all outbound connections from your computer to tom-bmx.com. This will prevent him from collecting data from your computer.
Tom_BMX's applications are violating the privacy laws of over 80 countries, including the US and UK. He is collecting your IP address and Windows username, and storing them in a database on his server for personal use. He has also (allegedly) put malicious code inside his application that he can use to remotely run commands on the computers of application users. Use a firewall to block these connections or edit your hosts file.