Important notice: Blind Extra add-on is hereby blacklisted for all eternity due to security implications


 

To members of the NVDA community around the world:

 

Some of you may have heard of an add-on called Blind Extra which supposedly allows easy access to additional software products. I’m sorry to inform you that this add-on shall enter the Hall of Blacklisted Add-ons with no chance of leaving that place for all eternity. Here’s why:

 

A few days ago, I and Derek Riemer, another author of NVDA add-ons, were alerted to two reports of Blind Extra add-on breaking numerous security issues. One involved renaming files to something else without the user noticing it, and the second was remote access where someone gained access to a user’s computer and sent Skype messages. Prior to that, some users asked Derek and I to perform a scan of this add-on, and another user told us that this add-on does odd things, including suspicious activity and downloading files.

 

In case of the remote access incident, the user who was affected by this alerted Derek and I to this issue on a Skype group. After some exchanges where the hacker (under the ID of the affected user) wrote messages that were quite suspicious, we determined that it is best to blacklist this add-on which was partly responsible for this incident.

 

Thus, I would like to request the community do the following:

 

1.       Remove Blind Extra immediately.

2.       Keep Blind Extra in the list of blacklisted add-ons (this makes it the second add-on to meet this fate, with the first being Instant Translate; in case of Instant Translate, people report that the situation has improved, but due to volatility of the services used, it’ll remain an add-on under our careful watch).

3.       For resident NVDA community add-on reviewers: do not accept review requests from the author of Blind Extra (we only know this person as ‘Ahmed”).

 

Also, I’d like to remind the community to be vigilant when installing add-ons – add-ons can do amazing and powerful things, including what you read above.

 

Thank you.

Cheers,

Joseph


Jim Hunt
 

Hi,
Oh boy, I don't have BlindExtra but I used GetExtra. Are there shady
things in GetExtra too? Should I remove it?
Jim

On 11/11/16, Joseph Lee <joseph.lee22590@gmail.com> wrote:
To members of the NVDA community around the world:



Some of you may have heard of an add-on called Blind Extra which supposedly
allows easy access to additional software products. I'm sorry to inform you
that this add-on shall enter the Hall of Blacklisted Add-ons with no chance
of leaving that place for all eternity. Here's why:



A few days ago, I and Derek Riemer, another author of NVDA add-ons, were
alerted to two reports of Blind Extra add-on breaking numerous security
issues. One involved renaming files to something else without the user
noticing it, and the second was remote access where someone gained access
to
a user's computer and sent Skype messages. Prior to that, some users asked
Derek and I to perform a scan of this add-on, and another user told us that
this add-on does odd things, including suspicious activity and downloading
files.



In case of the remote access incident, the user who was affected by this
alerted Derek and I to this issue on a Skype group. After some exchanges
where the hacker (under the ID of the affected user) wrote messages that
were quite suspicious, we determined that it is best to blacklist this
add-on which was partly responsible for this incident.



Thus, I would like to request the community do the following:



1. Remove Blind Extra immediately.

2. Keep Blind Extra in the list of blacklisted add-ons (this makes it
the second add-on to meet this fate, with the first being Instant
Translate;
in case of Instant Translate, people report that the situation has
improved,
but due to volatility of the services used, it'll remain an add-on under
our
careful watch).

3. For resident NVDA community add-on reviewers: do not accept review
requests from the author of Blind Extra (we only know this person as
'Ahmed").



Also, I'd like to remind the community to be vigilant when installing
add-ons - add-ons can do amazing and powerful things, including what you
read above.



Thank you.

Cheers,

Joseph


 

Hi,
If the author is Soft Extra (Ahmed Star), then it would be advisable to remove it.
Cheers,
Joseph

-----Original Message-----
From: nvda@nvda.groups.io [mailto:nvda@nvda.groups.io] On Behalf Of Jim Hunt
Sent: Friday, November 11, 2016 1:00 PM
To: nvda@nvda.groups.io
Subject: Re: [nvda] Important notice: Blind Extra add-on is hereby blacklisted for all eternity due to security implications

Hi,
Oh boy, I don't have BlindExtra but I used GetExtra. Are there shady things in GetExtra too? Should I remove it?
Jim

On 11/11/16, Joseph Lee <joseph.lee22590@gmail.com> wrote:
To members of the NVDA community around the world:



Some of you may have heard of an add-on called Blind Extra which
supposedly allows easy access to additional software products. I'm
sorry to inform you that this add-on shall enter the Hall of
Blacklisted Add-ons with no chance of leaving that place for all eternity. Here's why:



A few days ago, I and Derek Riemer, another author of NVDA add-ons,
were alerted to two reports of Blind Extra add-on breaking numerous
security issues. One involved renaming files to something else without
the user noticing it, and the second was remote access where someone
gained access to a user's computer and sent Skype messages. Prior to
that, some users asked Derek and I to perform a scan of this add-on,
and another user told us that this add-on does odd things, including
suspicious activity and downloading files.



In case of the remote access incident, the user who was affected by
this alerted Derek and I to this issue on a Skype group. After some
exchanges where the hacker (under the ID of the affected user) wrote
messages that were quite suspicious, we determined that it is best to
blacklist this add-on which was partly responsible for this incident.



Thus, I would like to request the community do the following:



1. Remove Blind Extra immediately.

2. Keep Blind Extra in the list of blacklisted add-ons (this makes it
the second add-on to meet this fate, with the first being Instant
Translate; in case of Instant Translate, people report that the
situation has improved, but due to volatility of the services used,
it'll remain an add-on under our careful watch).

3. For resident NVDA community add-on reviewers: do not accept review
requests from the author of Blind Extra (we only know this person as
'Ahmed").



Also, I'd like to remind the community to be vigilant when installing
add-ons - add-ons can do amazing and powerful things, including what
you read above.



Thank you.

Cheers,

Joseph


derek riemer
 

yes. It appears that this whole site is bad. The addon and get extra which is packaged with it seems to allow any file the hacker wants to be downloaded to your computer and executed remotely. For example, a person had his keyboard locked, and the computer controlled to send messages over Skype, including some messages sent in Arabic to the NVDA Tech/Dev discussions group making fun of blind people. The hacker claims this addon installs several useful cracked synths into ones computer. Don't fall prey to cracked synths. Often these illegal software come with viruses and/or ability for viruses.


On 11/11/2016 2:00 PM, Jim Hunt wrote:
Hi,
Oh boy, I don't have BlindExtra but I used GetExtra.  Are there shady
things in GetExtra too?  Should I remove it?
Jim

On 11/11/16, Joseph Lee <joseph.lee22590@...> wrote:
To members of the NVDA community around the world:



Some of you may have heard of an add-on called Blind Extra which supposedly
allows easy access to additional software products. I'm sorry to inform you
that this add-on shall enter the Hall of Blacklisted Add-ons with no chance
of leaving that place for all eternity. Here's why:



A few days ago, I and Derek Riemer, another author of NVDA add-ons, were
alerted to two reports of Blind Extra add-on breaking numerous security
issues. One involved renaming files to something else without the user
noticing it, and the second was remote access where someone gained access
to
a user's computer and sent Skype messages. Prior to that, some users asked
Derek and I to perform a scan of this add-on, and another user told us that
this add-on does odd things, including suspicious activity and downloading
files.



In case of the remote access incident, the user who was affected by this
alerted Derek and I to this issue on a Skype group. After some exchanges
where the hacker (under the ID of the affected user) wrote messages that
were quite suspicious, we determined that it is best to blacklist this
add-on which was partly responsible for this incident.



Thus, I would like to request the community do the following:



1.       Remove Blind Extra immediately.

2.       Keep Blind Extra in the list of blacklisted add-ons (this makes it
the second add-on to meet this fate, with the first being Instant
Translate;
in case of Instant Translate, people report that the situation has
improved,
but due to volatility of the services used, it'll remain an add-on under
our
careful watch).

3.       For resident NVDA community add-on reviewers: do not accept review
requests from the author of Blind Extra (we only know this person as
'Ahmed").



Also, I'd like to remind the community to be vigilant when installing
add-ons - add-ons can do amazing and powerful things, including what you
read above.



Thank you.

Cheers,

Joseph





--

Derek Riemer

  • Department of computer science, third year undergraduate student.
  • Proud user of the NVDA screen reader.
  • Open source enthusiast.
  • Member of Bridge Cu
  • Avid skiier.

Websites:
Honors portfolio
Awesome little hand built weather app!

email me at derek.riemer@...
Phone: (303) 906-2194


 

Its a pitty people use their software skills for this stuff.
I myself am always looking for things that help people rather than the other way round.
My idea for something like this would be a service you would have to pay yearly where, you had something that monitered certain events the user did and programs, ie drivers, updates, errors, etc.
You would get a way to log things aults, with qualified support people, or queary things, ie you found a program which you had to pay for, but wanted to see if there was an alternit program, someone could active search for it and say what it was.
Goes without saying there would be reviews of things on the website.
Ofcause it goes without saying you would have free and opensource first, then low to medium, to high cost comercial software.
There would be some sort of point system to like a store club card, buying certain things got you so many points.
Maybe small orders of things could be allowed within certain grounds, bigger ones would cost the user a bit.
You could potentially buy things like extra hardware software, etc.
You would have to have local distribution points for things like batteries and such though.
Something complex that could do everything from checking the weather, update your software, or if someone had a crash or there was something happening which didn't work right you could get an email with it and or have them handle it for a charge.
Something like that would really rock.
Its to complex for me to write and I am not a business man.
But if someone did something like that, combined with password manager, file encription data and cloud storage, websites etc depending what it was who knows something I'd like to work with.
I can't make that myself.
What is sad is that the current addon is semi loosly based on a system like that.
Another thing I have always wandered with is getting ransomware to work for you, have the root user system within windows no uac just password.
Ie you go away and do whatever, you could try to access something say a user tries to modify things or you had something go nuts, you could get a message, about your files bbeing encripted and the reason why, to unlock you would have to enter a password.
Ofcause you would have to get some way to get that password if you were admin, etc.

On 12/11/2016 10:42 a.m., derek riemer wrote:
yes. It appears that this whole site is bad. The addon and get extra
which is packaged with it seems to allow any file the hacker wants to be
downloaded to your computer and executed remotely. For example, a person
had his keyboard locked, and the computer controlled to send messages
over Skype, including some messages sent in Arabic to the NVDA Tech/Dev
discussions group making fun of blind people. The hacker claims this
addon installs several useful cracked synths into ones computer. Don't
fall prey to cracked synths. Often these illegal software come with
viruses and/or ability for viruses.


On 11/11/2016 2:00 PM, Jim Hunt wrote:
Hi,
Oh boy, I don't have BlindExtra but I used GetExtra. Are there shady
things in GetExtra too? Should I remove it?
Jim

On 11/11/16, Joseph Lee <joseph.lee22590@gmail.com> wrote:
To members of the NVDA community around the world:



Some of you may have heard of an add-on called Blind Extra which
supposedly
allows easy access to additional software products. I'm sorry to
inform you
that this add-on shall enter the Hall of Blacklisted Add-ons with no
chance
of leaving that place for all eternity. Here's why:



A few days ago, I and Derek Riemer, another author of NVDA add-ons, were
alerted to two reports of Blind Extra add-on breaking numerous security
issues. One involved renaming files to something else without the user
noticing it, and the second was remote access where someone gained
access
to
a user's computer and sent Skype messages. Prior to that, some users
asked
Derek and I to perform a scan of this add-on, and another user told
us that
this add-on does odd things, including suspicious activity and
downloading
files.



In case of the remote access incident, the user who was affected by this
alerted Derek and I to this issue on a Skype group. After some exchanges
where the hacker (under the ID of the affected user) wrote messages that
were quite suspicious, we determined that it is best to blacklist this
add-on which was partly responsible for this incident.



Thus, I would like to request the community do the following:



1. Remove Blind Extra immediately.

2. Keep Blind Extra in the list of blacklisted add-ons (this
makes it
the second add-on to meet this fate, with the first being Instant
Translate;
in case of Instant Translate, people report that the situation has
improved,
but due to volatility of the services used, it'll remain an add-on under
our
careful watch).

3. For resident NVDA community add-on reviewers: do not accept
review
requests from the author of Blind Extra (we only know this person as
'Ahmed").



Also, I'd like to remind the community to be vigilant when installing
add-ons - add-ons can do amazing and powerful things, including what you
read above.



Thank you.

Cheers,

Joseph


Brian's Mail list account <bglists@...>
 

Yes there are one heck of a lot of dodgy programs around just now, some may be just a nuisance like viruses of old were, but many are malicious hostage ware and trojans and bots and key loggers etc. I guess the honeymoon period for the disabled being included in such scams and exploits is now at an end, sadly. Lets not make it a good Christmas for the Crooks.
Brian

bglists@blueyonder.co.uk
Sent via blueyonder.
Please address personal email to:-
briang1@blueyonder.co.uk, putting 'Brian Gaff'
in the display name field.

----- Original Message -----
From: "derek riemer" <driemer.riemer@gmail.com>
To: <nvda@nvda.groups.io>
Sent: Friday, November 11, 2016 9:42 PM
Subject: Re: [nvda] Important notice: Blind Extra add-on is hereby blacklisted for all eternity due to security implications


yes. It appears that this whole site is bad. The addon and get extra
which is packaged with it seems to allow any file the hacker wants to be
downloaded to your computer and executed remotely. For example, a person
had his keyboard locked, and the computer controlled to send messages
over Skype, including some messages sent in Arabic to the NVDA Tech/Dev
discussions group making fun of blind people. The hacker claims this
addon installs several useful cracked synths into ones computer. Don't
fall prey to cracked synths. Often these illegal software come with
viruses and/or ability for viruses.


On 11/11/2016 2:00 PM, Jim Hunt wrote:
Hi,
Oh boy, I don't have BlindExtra but I used GetExtra. Are there shady
things in GetExtra too? Should I remove it?
Jim

On 11/11/16, Joseph Lee <joseph.lee22590@gmail.com> wrote:
To members of the NVDA community around the world:



Some of you may have heard of an add-on called Blind Extra which supposedly
allows easy access to additional software products. I'm sorry to inform you
that this add-on shall enter the Hall of Blacklisted Add-ons with no chance
of leaving that place for all eternity. Here's why:



A few days ago, I and Derek Riemer, another author of NVDA add-ons, were
alerted to two reports of Blind Extra add-on breaking numerous security
issues. One involved renaming files to something else without the user
noticing it, and the second was remote access where someone gained access
to
a user's computer and sent Skype messages. Prior to that, some users asked
Derek and I to perform a scan of this add-on, and another user told us that
this add-on does odd things, including suspicious activity and downloading
files.



In case of the remote access incident, the user who was affected by this
alerted Derek and I to this issue on a Skype group. After some exchanges
where the hacker (under the ID of the affected user) wrote messages that
were quite suspicious, we determined that it is best to blacklist this
add-on which was partly responsible for this incident.



Thus, I would like to request the community do the following:



1. Remove Blind Extra immediately.

2. Keep Blind Extra in the list of blacklisted add-ons (this makes it
the second add-on to meet this fate, with the first being Instant
Translate;
in case of Instant Translate, people report that the situation has
improved,
but due to volatility of the services used, it'll remain an add-on under
our
careful watch).

3. For resident NVDA community add-on reviewers: do not accept review
requests from the author of Blind Extra (we only know this person as
'Ahmed").



Also, I'd like to remind the community to be vigilant when installing
add-ons - add-ons can do amazing and powerful things, including what you
read above.



Thank you.

Cheers,

Joseph

--
------------------------------------------------------------------------


Derek Riemer

* Department of computer science, third year undergraduate student.
* Proud user of the NVDA screen reader.
* Open source enthusiast.
* Member of Bridge Cu
* Avid skiier.

Websites:
Honors portfolio <http://derekriemer.com>
Awesome little hand built weather app!
<http://django.derekriemer.com/weather/>

email me at derek.riemer@colorado.edu <mailto:derek.riemer@colorado.edu>
Phone: (303) 906-2194