Beware: FamilyFriendlyDNS

Yesterday, someone posted a comment on a post of mine discussing a critical bug in NetNanny, software that can be used to help children use a computer safely (including browsing the internet without stumbling across inappropriate material). At least, it could be used, once they fix this absolutely devastating bug that makes it absolutely useless.

The commenter was recommending an alternative, familyfriendlydns.com. (That link is a "nofollow" link. It will become clear as you read on that they're desperate to build their search engine rank by having lots of sites link to them; I won't indulge them).

Their comment indicated they hadn't properly read my blog post before commenting. My blog post says: "NetNanny has this really serious problem; I'm writing it up so that you understand why it's not working if you've been struggling with this." Their comment says: "Sure, NetNanny's good, but here's something better because it's free".

When someone clearly hasn't read a post before commenting, it's clear they're using my site for link juice rather than joining in the (genuinely stimulating, in the case of that particular post) conversation. So, as is my tendency, I did a little digging.

First, some background. With software like this, your predisposition needs to be caution. The burden of proof is on the software authors to prove their software is trustworthy before you install it. This is so for two reasons.

Beware System-Wide Software

Software like this will require administrative permissions to run. It works by changing the DNS system on your computer, and that's not something a regular users can do. Therefore, the installer will also need administrative permissions to install the software.

If you install a program on your computer that has administrative rights, it can read anything, change anything, do anything. It may do something malicious from the off, like delete all your files, or encrypt all your files until you pay a ransom. It may leak your privacy from the off, like start sending the addresses of the websites you visit to a third party. It could even send session cookies to a third party, allowing someone else to log into websites you visit as if they were you. You get the idea.

It may do none of those things. But the point is you need to satisfy yourself that you trust them before installing their software. In this regard, this parallels the problems with with the dodgy Chrome extension CrxMouse. There, the problem was that the extension changed its behaviour some time after many people first installed it. So the question is not only "does this software have malicious behaviour", but "might the people who developed this software use its inbuilt update mechanism to introduce malicious behaviour at a later date", or even "could this software later be sold to others who could monetize it in a malicious way".

So there are two questions: Do you trust the software, and, do you trust the people who wrote and publish the software?

Beware DNS Modifying Software

In this case, there's another issue. The way it works is by modifying the DNS system on your computer, so that malicious sites cannot be found.

Here's why you need to be very, very careful here. The DNS system is like the phone book for the internet. It tells your computer how to turn the web addresses you enter in your browser (like amazon.com) into the numerical addresses (IP addresses) that identify the server hosting the website you want. It would be possible for someone to poison your DNS, so that you think you're logging into your internet banking (because the browser address bar gives their domain), but actually you're communicating with a server somewhere in another country run by fraudsters. Therefore, software that alters your computer's DNS needs to be installed only after carefully ensuring you can trust the authors.

[Also note that DNS modifying software will only be effective to a degree. NetNanny, when it worked, could distinguish pages on Wikipedia that discuss adult topics from ones that did not. Whereas a DNS-based blocking system either blocks all of Wikipedia or none of it. There will also be no mechanism for parents to override a blocked site, say for a homework project.]

So how does this software match up against the needs for the software and its authors to be transparently trustworthy? Not well. Here are 6 big concerns I have.

1. It's New

The domain was registered on 14th May, 11 weeks ago, so it's a brand new product.

2. They're Hiding

They have had domain privacy enabled since registration, and they give no real-world contact details on their website. All they have is a gmail address.

They also use CloudFlare for their hosting. CloudFlare is a proxy content delivery network system that can greatly speed up websites that are viewed all over the world. But it also has the effect of hiding the true hosting location of the site. That means we cannot find out even what country their website is hosted in.

3. They're Thin on Detail

The website is thin. There's no documentation. No support system. Just a single page, a download link, a template privacy policy (we'll come back to this), and a gmail address. That's it.

4. They Don't Tell you How They'll Use Your Data

They do have a privacy policy. It starts out well:

The personal information listed above is collected solely on the basis of your explicit consent, given to us by you accessing and/or using the Application. The information collected is limited to what is strictly necessary for the proper functioning of the Application and does not include any sensitive personal information.

But then there's another section that makes no sense:

In order to be able to deliver our services, we use data storage provided to us by our service providers (data processors). Such providers are obligated to keep your data secure, not disclose your information to any third parties and do not have the right to access your data for any purpose bar data storage.

If all the software does is change the DNS settings on your computer to use other DNS providers, how would any of your data pas through any of the storage used by this person / company? The earlier statement that they collect nothing should be enough.

Furthermore, these days it's common to have something in there about where that data will be stored. I can't see that. The privacy policy isn't tied tightly enough, for my liking, to the use of the software to which it relates, in order to reassure me.

It seems to me they've taken a template privacy policy, added a section about what their software does, but not removed other general sections about how your data might be used. The result is that the sections that are designed to reassure you are undermined by ones that list more general uses for your data, uses that shouldn't apply here.

5. It's Shilled

Shilling is recommending a product or service whilst having a vested interest or connection, whilst passing yourself as a casual bystander or an actual customer.

No, I may be wrong here, but: I've found a lot of comments on blogs and forums by people who "just found" this software that's been "absolutely brilliant" at blocking inappropriate websites, and they're been using it "for a while". Mostly, those comments were posted within a month of the domain being registered.

How do all these people discover something in a search engine, when it hasn't existed for any length of time, has no organic links to its websites to help search engines find it, and has so little content on its own website for the search engines to index? Furthermore, how have they been using this for some time, when it was only published a month ago?

6. It's Free

This is only a problem in the light of the other 5 issues. Overall, I'm a big supporter of both free software and open-source software. However:

When a product is free, it's either run by someone purely altruistic (who is willing to cover their own domain, web hosting and software development costs themselves) or you (the end-user) are the product.

So the question is: What do the owners of FamilyFriendlyDNS stand to gain from you using their product?

That's something that the privacy policy should answer, but it doesn't seem to have been written carefully with this in mind.

In any case, there's no guarantee that the privacy policy will match what a piece of software actually does. That's where their hidden identity bothers me. There's no means to contact them if there's an issue, and so no way for you (or law enforcement agencies) to hold them to account.

Yet, whilst it's unclear what they stand to gain from you using their product, their proliferation of (probably shilled) comment-spam suggests they're really very eager for lots of people to start using it. Why?

Conclusion

None of the above guarantees this is bad software.

But they certainly haven't put enough information out there to reassure me they're good.

With software that works like this, the burden of proof falls on them to demonstrate they can be trusted. They haven't done that.

My advice to my readers: Treat with suspicion, and avoid.

PostScript

This isn't the first time someone has searched for a keyword on the internet and posted spam comments on my website. In fact, it happens a lot. But it's also not the first time that, by doing so, they've alerted me to something I think is well worth warning my readers about. See Fake Anti-Virus Support Sites, for example (with some enjoyable and predictable irony in the comments section!)

I know the comment-spammers' bots won't read this paragraph before posting something, but please: If you're thinking of using your website to promote some scam or other, think again. [Again, I'm not implying that FamilyFriendlyDNS is definitely a scam, only that there's not enough information for us to trust it].

Rather than leading to lovely links as people discover your website or service, you'll more likely get a detailed write-up warning against what you offer.