Pseudo Psecurity Pseller
ICQ Users Beware!
Saturday, 28 August 1999


ICQ users should be alert to an individual calling himself "Scott Davis" who apparently lurks on ICQ seeking out contacts with people, and attempting to sell them Lockdown2000.

I have had evidence for some time now, that Scott Davis is in fact none other than Michael Paris, the primary operator of Harbor Telco, producer of Lockdown2000.

I have just received the latest in a string of emails about this individual.

Because of my web pages debunking Lockdown, I am often contacted by persons curious about the product, or with experiences to relate. I have received numerous emails about Scott Davis. "Scott Davis" (Michael Paris) reportedly contacts individuals on ICQ at random, strikes up a conversation and winds up warning them about the danger of remote-access trojans. He claims to be a satisfied customer who was rescued by Lockdown2000, swears by the product, and suggests that people download it for their own protection. He directs them to the Lockdown2000.com website and may often help his subjects through the process of setup.

Lockdown2000 is not a credible security application, and it does not meet the majority of its glowing claims. But from the perspective of an unsophisticated user, Lockdown may appear quite credible. Even some computer professionals have failed to see through its facade.

When a user installs the eval version of Lockdown2000, if Lockdown finds a file it interprets as a trojan, it immediately produces dire warnings and prompts the user to buy the registered version (for $100) in order to remove the hostile program.

Because Lockdown's trojan "signatures" consist of nothing more than file sizes, it frequently identifies a non-hostile program or system component as a trojan. Since this misidentification is to the seller's advantage, they appear to have no intention of improving the product's accuracy. This tragically-flawed detection method has been preserved through several version changes. As Lockdown's impressive-seeming list of "detected" trojans grows, so do the number of alarm-producing file sizes... which of course increases the odds of false alarms. Naturally, Lockdown's "detected" list has grown to prodigious proportions, regardless of the fact that Lockdown is incapable of removing a significant number of the trojans it "detects."

File size is nowhere near an adequate means of trojan identification. The size of any program file is easily altered by a variety of means. Trojans are very frequently compressed to render them unrecognizable to virus scanners. Many trojans have variable file sizes; for example, a Back Orifice trojan can be virtually any size. Some trojans are even random, a different size every time.

Furthermore, Lockdown2000 incorrectly interprets all contacts on the ports it watches, as either attempted break-ins or as "nuke" attacks (attempts to crash a victim's system). Lockdown will sound an alert, leap to the desktop, and declare to its user that it has stopped the attack. In fact these port scans, even when done by serious potential intruders, are harmless unless a trojan is already installed on the machine. As for "nuke" attempts, while Lockdown will sometimes detect them, it will usually misidentify them and it does nothing to prevent their effects.

Some have reported that Lockdown raised its port-watch alarms almost immediately after installation, which is unlikely to be coincidental. This presents the possibility that Paris or an accomplice may be contacting their machines after they install Lockdown, in order to to produce alarms which will worry the user and convince him that Lockdown is providing vital protection. In the grifter's lingo, this is known as "setting the hook."

My emails also raise the possibility that Paris may be scanning people's systems, possibly in advance of his contacts, to find those who may be trojan-infected or vulnerable to intrusion.

(By the way, if you happen to discover that you actually have a trojan in your system, you should know that most trojans can be removed by following simple instructions which are widely available on the Web, or by using free utilities. It is rarely necessary to spend any money at all to deal with a trojan. All you need is the right information.)

Persons who have encountered "Scott Davis" or any other individual who promotes Lockdown2000 similarly, are encouraged to contact me. I need the assistance of victims to document this abuse more comprehensively. Please don't be embarrassed. If you've been bilked, it is completely understandable and it is not your fault.

I would appreciate full copies, including headers, of any emails you've received. Addresses Paris has used include:

(The voot.com email address is bogus; the domain exists but it is not functional and it has no mail service.)

I'll add to this list as further information arrives.

Two of the ICQ User ID Numbers (UINs) of "Scott Davis" are 28088062 and 3347486. ICQ's listings for this individual can be found at http://wwp.icq.com/scripts/srch.dll?Uin=28088062 and http://wwp.icq.com/scripts/Srch.dll?Uin=3347486. Bear in mind, an ICQ user can use any name he pleases, and may easily maintain multiple UINs. It is entirely possible Paris maintains accounts under other names as well.

I consider it likely that Michael ("Scott Davis") Paris will change the contents of his ICQ listings in response to my publication of this webpage. So I have reproduced the listings as they currently appear (28 August 1999). The first, for UIN 28088062, shows his nickname as I-C-Q.help -- it's possible he tries to pass himself off as some sort of ICQ helpdesk official.

The second listing, for UIN 3347486, contains some identical information, but he claims to live in Boston, Massachusetts. Paris apparently lives in nearby New Hampshire -- but his ISP is based in Boston; which fact renders the false address credible if his IP address happens to be traced. When using this persona, Paris' nickname is WinHelp.

Michael Paris is not there to help others. He is there to help himself -- to their pocketbooks.

A little bit of good advice would help people far more than his product does.

Perhaps you're wondering if an individual who contacted you is actually Michael Paris. There's a way you might find out if you received any email from him. Check the originating addresses in the email's headers. If you see the name ne.mediaone.net or an IP number starting with 24.128, then you can consider it likely that the actual sender was Michael Paris. That's his usual ISP. However, Paris may be using other accounts or mailservers. It's also possible some of his resellers may be using similar methods.

Remember: someone who recommends Lockdown2000 is almost certainly making money on the sale. Paris pays about half the proceeds to resellers, and anyone can be a reseller. Lockdown2000 has few unpaid advocates, if any.


More on Michael Paris

Home