Microsoft Word Documents That "Phone Home"
Here is what Microsoft had to say about it (emphasis added)...
Vendor Contact and Response
Microsoft was contacted about this issue on 8/4/00, and again on 8/25/00. They confirmed that Microsoft Word will access the Internet in order to fetch Web images that are linked to in a Word document. They went on to say that Word uses Internet Explorer to fetch images and therefore standard Web browser cookies can be both read and set from inside a Word document. However, the company claims that Word users can mitigate the use of cookies.
Regarding the potential use of Web bugs to track Word documents, Microsoft said that there is no evidence that such activities are occurring.
This would happen with HTML documents too (Score:5)
Well, that makes me feel better. (Score:5)
Since it's not happening now, it couldn't possibly start happening later. I've never seen a problem with a Microsoft product be exploited weeks, months, even years after it was released. Now I'll be able to sleep at night.
--Ty
Um. (Score:5)
-Run arbitrary macros
-Access your hardware
-Access the Internet
-Download and upload data
-Set and send cookies
I'm beginning to think Microsoft is right: They don't know the difference between an app and an OS.
Just to spell it all out: A Word macro virus now has the ability to, say, infect all your existing Word files such that when you open one of those files the contents are sent to a named address on the Internet. Goodbye confidential documents!
--
New virus already in mind... (Score:2)
Can we say hole the size of
Great news (Score:2)
Good job, Slashdot! Keep up the good work!
This isn't much different than Web Pages already.. (Score:4)
We shouldn't be too surprised; Web Pages are already like this.
I remember the surprise that a friend of mine showed when I showed her "Apache Logs".
Her first reply was, "HOW CAN I MAKE IT NOT DO THAT?!?"
(This is a particularly paranoid friend of mine.)
General rule of thumb: If you're doing something on the Internet, you're being logged.
Do something useful: read "Transparent Society" [wirednews.com] and/or work on making yourself a more tolerant person, rather than fretting about your "privacy" (unaccountability).
Re:This would happen with HTML documents too (Score:3)
Comparing a Word document retrieving arbitrary objects off the web to an HTML document retrieving arbitrary objects off the web is like comparing a shock from a defective toaster to a shock from sticking a fork in an outlet.
How hard is it (Score:4)
WTF does Microsoft have to insist on throwing every single bell and whistle that the 1%'ers want into the mix. People want a small, reliable processor to type up homework and reports.
They went on the right track with their installation process, which splits up Word into its vital components, and lets you choose which to install. But what good is that if it still installs components that you don't want, and don't trust on your machine (such as the topic)?
Exactly (Score:3)
And if you read *any* document with a ref to an outside object (like a one pixel
However, if you read the document in Wordpad or some other text only program you can avoid the effect. Makes for some pesky reading around markup and junk, but you will see the references to the web too.
Visit DC2600 [dc2600.com]
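The check the comment above describes doing by eye in a text-only viewer, as an added example that is not part of the original thread: it scans a document's raw bytes for http(s) URLs stored either as 8-bit text or as UTF-16LE, without opening the file in Word. The sample bytes, host names and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Bytes accepted inside a URL; a match stops at quotes, spaces and control bytes.
_URLCHARS = rb"A-Za-z0-9._~:/?#@!$&*+,;=%-"

# URL stored as plain 8-bit text.
_ASCII_URL = re.compile(rb"https?://[" + _URLCHARS + rb"]{4,}", re.I)

# Same URL stored as UTF-16LE: every ASCII character is followed by a NUL byte.
# A byte-level pattern finds it whether it starts at an odd or an even offset.
_UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + _URLCHARS + rb"]\x00){4,}",
    re.I,
)


def find_external_refs(data):
    """Return sorted (byte offset, encoding, url) tuples for URLs found in data."""
    refs = []
    for encoding, pattern in (("ascii", _ASCII_URL), ("utf-16-le", _UTF16_URL)):
        for match in pattern.finditer(data):
            # Drop sentence punctuation that was swept up at the end of the match.
            url = match.group().decode(encoding).rstrip(".,;")
            refs.append((match.start(), encoding, url))
    return sorted(refs)


def hosts_contacted(refs, trusted=()):
    """Hosts a viewer could contact when rendering, minus an allowlist."""
    hosts = {urlsplit(url).hostname for _, _, url in refs}
    return sorted(h for h in hosts if h and h not in trusted)


# Constructed sample: compound-file magic bytes, an 8-bit INCLUDEPICTURE
# (Word's linked-picture field) reference, then UTF-16LE text at an odd offset.
SAMPLE_DOC = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 9
    + b' INCLUDEPICTURE "http://tracker.example/bug.gif?doc=1234" '
    + b"\x01"
    + "See http://img.example.net/logo.gif.".encode("utf-16-le")
)

if __name__ == "__main__":
    found = find_external_refs(SAMPLE_DOC)
    for offset, encoding, url in found:
        print(f"{offset:6d}  {encoding:9s}  {url}")
    print("hosts:", ", ".join(hosts_contacted(found)))
```

Formats that compress their contents have to be unpacked before a byte scan like this can see anything.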
Re:Innovative Solution (Score:2)
What I'd like to know is (Score:3)
However, looking at page source it looks like something to do w/ pagecount, but you got us wondering about any image w/ WIDTH=1 HEIGHT=1
Not just the logging, though (Score:2)
--
Preventing this (Score:3)
Re:Innovative Solution (Score:2)
That doesn't bode well with Bill Gates' World Domination Plan (tm).
Re:This isn't much different than Web Pages alread (Score:2)
Has anybody checked to see if the same thing happens in Excel?
...phil
And of course HTML emails (Score:3)
Clever, but not new. Why the big MSFT-is-evil hype about this?
Re:How hard is it (Score:3)
Because those 1%ers are the ones who buy the upgrade as soon as it's available, and thus start the cycle of forcing others to upgrade to stay compatible with everyone else.
Hmmm... (Score:2)
Yes, good job RMS.
Care about freedom?
Re:This would happen with HTML documents too (Score:2)
Another interesting feature... (Score:2)
Thus, this technology gives you the possibility to predict unauthorised access to your documents before it actually happens, thus enabling you to apprehend and punish the criminals _before_ they commit the crime. This technology is intended to be used in conjunction with the DMCA to prevent the unauthorised disclosure of confidential electronic documents. Slightly creepy, but very interesting technology nevertheless.
Re:What I'd like to know is (Score:5)
Jamie McCarthy
Who's reading my resume? (Score:5)
"Hi, this is Bob. I'm applying for the Internet security position, and I'm calling about my resume which you're looking at right now on your Macintosh." Freak them out but get the job.
Mapping IP addresses to user names and phone extensions is a simple matter of social engineering and common sense.
Re:Preventing this (Score:3)
Junkbuster will work here (Score:2)
Word will use Internet Explorer to do this, which also means it will use IE's proxy settings. Just another good reason to use Junkbuster [junkbuster.com]. Of course, there's a very small chance the host images are coming off of are actually in your scookie.ini.
--jb
Personally... (Score:3)
I propose that we direct our energies to tracking and hunting down people who come up with these terms and sending them to Texas. I'm sure they'll know what to do about them down there.
Now part of this I don't have a problem with (Score:2)
However, I can't stand the idea that outside of that limited arena that anyone can track the documents I read if they have any of these embedded graphics files. I have enough problems with cookies tracking how often I check certain web sites. This is intolerable. At the very least, it's an invasion of privacy, and the simple matter of 'turning off cookies' falls on deaf ears as most of the End Users won't know about this invasion of privacy or the need to turn off cookies.
In any case, Microsoft is coming out of this looking like the bad guys again, and they _still_ can't differentiate between OS's and apps...
Kierthos
Re:How hard is it (Score:2)
Who wants to see Microsoft create a slew of about 150 products that do completely different things? I think that it's great that there are just a few flavors of productivity tools to choose from. They seem to be tailored pretty well to the needs of individuals, small businesses, enterprises, and us piraters that have the premium edition.
The method of accomplishing such a comprehensive system like this is openness. Do you have any idea how easy it is to write an add-in for Outlook? There was an article in the July 2000 VCDJ (no link available) that showed very quickly how to create a full-featured add-in for Outlook. It allowed hooking into all sorts of notifications, adding buttons, getting to mail, etc... basically, really slick stuff.
The price of this openness is that little exploits like this fall through the cracks. It's all a large balancing act where you decide what is necessary, and what risks are acceptable.
Word for Unix (Score:4)
not strictly a Microsoft problem (Score:2)
Re:This isn't much different than Web Pages alread (Score:2)
So yes, this would be applicable to some other MS apps. My solution, though I don't know if it will work well, would be to continue to use a program which asks me if I want other programs to access the internet. I'm pretty sure that it would catch word before it could get the image from a server. However, I can't guarantee that, this is Microsoft after all, and we know how open their platform is
Emacs too (Score:3)
On the topic of web bugs (Score:2)
This also happens in spam..... (Score:3)
Another fun feature... (Score:2)
MORAL: Always start from clean documents (or turn the versioning off if you can)
Re:What I'd like to know is (Score:2)
Here's a solution to keep it from happening (Score:2)
So I got curious to see how it'd react to this. Downloaded the demo document from the article and, after opening the document, it told me Word was trying to access it.
I simply didn't allow word to access the net (word was trying to contact 127.0.0.1, probably to IE).
As I didn't grant access to word, it logged:
ACCESS,2000/08/30,16:50:12 -3:00 GMT,WINWORD.EXE was temporarily not allowed to connect to the Internet (127.0.0.1).,N/A,N/A
and the bug didn't work.
Who would have thought.... (Score:3)
I can't wait to find out what other "innovation" gems are still out there.
Bill Gates here... (Score:5)
My name is Bill Gates. I have just written up an e-mail tracing program that traces everyone to whom this message is forwarded to. I am experimenting with this and I need your help.
Forward this to everyone you know and if it reaches 1000 people everyone on the list will receive $1000 at my expense.
Enjoy.
Your friend,
Bill Gates
Damn! This was totally true and I missed out!
-------
Re:Um. (Score:2)
have the macro embed like, 50 of these in image tags, and bingo, the thing just uploaded your document to an attackers system. It'd be even easier to do if the macro has the ability to do post methods.
That's not the half of it. (Score:3)
A=B=C -> A=C
It logically follows that they don't know the difference between a document and an OS. There is further practical proof of this from the way you can open configuration windows from their help files.
Ergo, the next version of MS-Windows will be called MS-Help. Instead of CTRL-ALT-DEL to log in, you'll use F1. Every time you want to type something in, you'll need to reassure your computer that you are indeed familiar with the operation of a keyboard, and probably still be forced to repeat the "This is the space bar. This is what we call the home row." tutorial every time you reboot.
--------
Re:Software that requres net access during install (Score:2)
The EFF or some such group should probably have a project to uncover and track such nasties.
Subscription software is a big enough pain, without all of the other skullduggery someone like M$ is likely to get into. At the very least, software publishers should be required to disclose such things and be severely slapped if they overstep their bounds. It's one thing if you decide to allow a piece of software to do this, it's another if it does it behind your back.
Is there some way to set up a firewall to prevent or at least alert us to such things?
Bugfix: Don't allow incoming word documents (Score:2)
For a company, a simple fix is: don't use Word documents from outside - only accept Postscript or PDF.
Which would be a good thing for us Lyx, [lyx.org] LaTeX or (insert non-MS office product here) users.
Re:What I'd like to know is (Score:3)
I'm sure you won't respond to this because you never respond with anything more than your obligatory response.
What /I/ would like to know is (Score:5)
It seems to me that it's lazy and irresponsible to require an extra http request.
--------
Actually that'd kick ass (Score:3)
Way to disable this? (Score:2)
List of software security problems? (Score:2)
One could then simply compare the list of installed software at home or work, best with hints on how exactly to turn things off or what replacement version to install. Previewing my comment I see that I only gave MS software examples, I'm aware that they're not the only ones screwing things up
Re:Um. (Score:2)
Remember that the web bug doesn't actually have to correspond to a real file on the hostile server; it just has to be something that the hostile server understands.
Yet Another Feature (Score:2)
Find out about the feature
Query Help for about an hour to find out how to moderate
Find it shipped enabled and then disable it
Probably my greatest annoyance with M$ products is this type of behavior. It usually costs me hours to find and disable all the annoying "features", particularly because M$ doesn't use the same terminology the rest of the world does, so it's non-obvious. Then the on/off button is deeply buried in a non-obvious location. There's a name for people who design things like this: a$$hole.
Vote [dragonswest.com] Naked 2000
Re:Um. (Score:3)
could just access the internet capabilities of IE3.0 and above and ftp a file wherever you want. Since it's known that IE is installed on almost every machine (and that it's an activex component) makes it just sooooo easy to say upload an entire hard drive to a given site.... Or barring that, I'm sure there's some activex exploit that could be used to install the internet activex control that ships with vb (especially since activex controls signed by microsoft are automatically trusted until the user says they aren't anymore)... then the sky is the limit!
Will this also work ... (Score:2)
Because that is (according to the article and MS's statement) what actually happens.
So don't use Netscape (Score:2)
Re:What I'd like to know is (Score:2)
Typical tired response is that images of such dimensions for pixel-perfect placement is usually (these days) done to get around Netscape not honoring table cell height and widths for cells lacking content -- workaround here is to use the proprietary Netscape SPACER tag in place of images for pixel-perfect layout.
Tired response #2 is that this is not quite the same thing as a 1x1 buglet, as the dimensions involved are those *represented in the HTML* and not the *actual dimensions* of the linked image. In order to know the latter, the client/recipient would have to download the image in question -- instant logging activity. To effectively block buglets in advance, you would have to know that it is a buglet (1x1 dimensions) by looking at the markup HEIGHT and WIDTH hints and guessing that the image(s) in question are buglets before making the request for them.
Unless the pixel-perfect layout you seek is in nice 1x1 chunks -- not a 1x1 transparent GIF stretched using HEIGHT and WIDTH to arbitrary dimensions -- the level of identity between 1x1 web bugs and your general purpose 1x1 shim image cannot be ascertained without requesting the image and verifying its dimensions.
Of course, the web bug functionality is probably better served by using a lightweight, "real" image (for example, a closing horizontal rule or company logo) and not something as obvious as a 1x1 graphic pasted on to the end of a document, page, or HTML mailing
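The distinction drawn in the comment above, between the WIDTH/HEIGHT hints in the markup and the image's actual dimensions, as an added example that is not part of the original thread: the audit below records what can be known before any request is made (the hints and whether the image is third-party), and a separate helper reads the real size from a GIF header once the bytes are in hand. The page, hosts, image bytes and function names are constructed for illustration.

```python
import struct
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _ImgCollector(HTMLParser):
    """Collect (src, width, height) from every <img>; names arrive lowercased."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            a = dict(attrs)
            self.images.append((a.get("src") or "", a.get("width"), a.get("height")))


def _to_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None  # hint missing or not a plain pixel count


def audit_images(html, page_url):
    """One record per <img>, using only information available before fetching."""
    collector = _ImgCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    records = []
    for src, width, height in collector.images:
        url = urljoin(page_url, src)
        hint = (_to_int(width), _to_int(height))
        records.append({
            "url": url,
            "hint": hint,
            "hinted_1x1": hint == (1, 1),
            # Where the request goes is visible in the markup; real size is not.
            "third_party": urlsplit(url).hostname != page_host,
        })
    return records


def gif_dimensions(data):
    """Actual (width, height) from a GIF header, or None if data is not a GIF."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])  # little-endian logical screen size


# Constructed page: a same-site layout shim, a third-party 1x1 image, and a
# third-party image whose hints stretch it to look like a horizontal rule.
PAGE_URL = "http://news.example.com/article"
SAMPLE_HTML = """
<table><tr><td><IMG SRC="/images/shim.gif" WIDTH=1 HEIGHT=1></td></tr></table>
<img src="http://stats.example.org/c.gif?page=story42" width="1" height="1">
<img src="http://ads.example.org/rule.gif?u=9f3" width="400" height="2">
"""
# Constructed first ten bytes of a 1x1 GIF (signature, width, height).
ONE_BY_ONE_GIF = b"GIF89a\x01\x00\x01\x00"

if __name__ == "__main__":
    for rec in audit_images(SAMPLE_HTML, PAGE_URL):
        print(rec)
    print("actual size of the sample image:", gif_dimensions(ONE_BY_ONE_GIF))
```

On the sample page the 1x1 hint flags the same-site shim and misses the stretched image, while the third-party test flags both remote images and clears the shim.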
Er, wrt PostScript and TeX/LaTeX (Score:2)
When I was playing with PostScript, I always wanted to come up with a PostScript worm that would propagate from printer to printer and once there, scan for the word "strategic" and replace it with the word "satanic." If I'd been able to figure out how to open a network socket in the language, I could have pulled it off too...
TeX/LaTeX are also computer languages, allowing at least for conditionals and possibly looping as well (I never got THAT much into them.) They read kind of like LISP without the parentheses.
While I'm not aware of any actual instances, the potential for mayhem is there.
Re:How hard is it (Score:2)
Regardless of the security implications, no sane programmer would choose the former method. It wastes time, it makes the UI inconsistent, it bloats the code, and it creates many more opportunities for bugs. Even if those limitations aren't a problem, it would still never happen, because good programmers would sooner quit than be forced to cut-and-paste code (instead of using shared libraries.)
Microsoft chose the latter option. All "active documents" can contain elements from any other COM object provider. The "downside" of this is that Office programs are now "too flexible" for many Slashdot types. IMHO, for the reasons above, I think that this is a fair trade-off.
Not a real bug (Score:3)
MS just took the next logical step. They built a feature into the application that programmers had been scripting into it for years.
We need more fine-grained access control (Score:2)
Re:What I'd like to know is (Score:2)
The crew wants to count the page hits. How can you do that? Every time a main page is generated by the Perl? Bzzt, that doesn't work, way too expensive. This place serves more pages/min than I'd ever care to count, and I damn well wouldn't want a script counting it for me every time it's used.
The main page is dynamic too, so you can never be sure how many images will be loaded, so there goes analysis through that means.
Beyond that, just counting the number of hits against the '/' isn't accurate because of incomplete page loads, etc. If you put a small image in there, chances become that if that image is loaded, the rest of the page was too.
Bang, you can suddenly count, far more accurately, the total number of completed page loads. It's a totally controlled variable. It is appended to the logs by the web server, not by some script. What could be better?
Now, this is all speculation, but I put this together in my head after no less than 5 minutes of thinking. Maybe you should try that too. Besides which, they are images loaded from
So even if they have no reason to be there, that's no reason, not a bad reason. Logically, there can't be a bad reason.
Re: On the topic of web bugs (Score:2)
Who is WildTangent?
Former Microsoft Multimedia evangelist and DirectX creator, Alex St. John, and his partner Cambridge mathematician Jeremy Kenyon founded WildTangent Inc. in June 1998. WildTangent pursues the vision of building a richer more communicative Internet experience through the use of 3D graphics, sound, animation, and interactivity.
and
How did the web driver get installed on my system?
Our web driver provides advanced multimedia capabilities to your web browser. It was installed by a product that needed its services, such as one of our music visualizers, screensavers, or games. It could also have been installed when you visited a web page or by a third party product. In all cases, the web driver announces its installation through a series of licensing screens. If you missed this information, you can view our license agreement or our privacy statement.
-------
Trojan! (Score:2)
Re:WHY DON'T YOU EVER ANNOUNCE STORIES LIKE *THIS* (Score:2)
Re:On the topic of web bugs (Score:2)
Re:Actually that'd kick ass (Score:2)
Great stuff if you're applying for a security position...scare them into hiring you.
RD
Re:This isn't much different than Web Pages alread (Score:2)
FilterProxy [wisc.edu] can successfully remove web bugs.
This message has been brought to you by Blatant Plug-O-Matic(tm)
--Bob
SBS e-banking passwords (Score:2)
Re:Bugfix: Don't allow incoming word documents (Score:2)
The only solution is to accept only plaintext, and to only open plaintext documents on old computers that were headed for Asset Recovery anyway, and which are not connected to the Net.
And to never leave your home or get in the bathtub or eat anything but cabbage.
--
snowcrash (Score:2)
--
I can see it now... (Score:2)
Ouch, that would hurt. Better buy those MSFT puts right away...
Idunno about you (or that other guy) (Score:2)
I am, however, worried as hell when my connection lights are flashing like the dickens and the ZoneAlarm graph stands still. I complained to my ISP, and they say it's RIP (!). Good thing I'm not actually paying for service...
Re:Well, that makes me feel better. (Score:2)
It was part of the fine print in the User Agreement that says "All content created with Microsoft Word belongs to Microsoft, and will be tracked accordingly."
Does this affect people using ISP's? (Score:2)
My understanding is that my IP address is dynamically assigned when I connect -- it's not the same from session to session.
So what is gained from a web bug other than the knowledge of which ISP I'm using?
It's not like my computer name (tacogato) would tell them anything. The ISP doesn't have my address, so a web bug can't get it either unless they can convert the IP to phone number and then reverse lookup to get my address. Is any of this possible? Or is this only a concern for those with static IP addresses?
What about small businesses, often using a shared modem setup? Do they generally have static IPs? If not, it seems the web bug is not broadly useful.
Could someone enlighten me please?
-----
D. Fischer
Why not? (Score:2)
Uwe Wolfgang Radu
Re:This would happen with HTML documents too (Score:2)
Do not forget slow spread. (Score:2)
unless...
you make yours much more discreet than Melissa and Iluvu. Do not mail yourself to every address book entry. No, just hook yourself into MAPI, and silently infect outgoing messages which the user sends. But only do it if the intended receiver has Outlook too (easy to find out by scanning the inbox and the archive for the last message by that user and looking at its headers). Even with this slow spread, one week should be enough to acquire a sizeable target market. One day before activation, go into "fast mode", and fire off automatic messages to all users who recently mailed us, and who have outlook. Subject would be Re: Subject of last received messages. Text would be entire quoted text of last received message. And then, let that puppy bark [slashdot.org].
Re:What I'd like to know is (Score:2)
By your logic, any webpage with a 'counter image' or any image whatsoever has 'web bugs' in it. As I said, if I was managing
And look, I managed to make a coherent argument without resorting to name-calling. You still have yet to do that. Sod off.
this is great! er, except for MP3 piracy... (Score:2)
What's the big deal? How many Word documents does anyone write that they distribute? How many Word documents written by someone else do you read? Who cares if the original author knows you are reading the document? Why would you be reading a Word document from an untrusted source anyway?
what we should really be worried about is this part:
so there could eventually be Trojaned mp3 floating on Napster someday. Only way to avoid this would be to never upgrade Sonique, Winamp, or Media Player again...
JOIN !LINK CLUB! [slashdot.org]
Re:How hard is it (Score:4)
The average user of MS Office knows their way around the interface, and may even be able to throw together a few quick-and-dirty macros, but they are by no means an experienced object-oriented programmer, or a distributed systems designer. They will not expect to have to check every Word processing document they receive for potential security risks; nor will they automatically run any filtering or TCP/IP monitoring software. Hence, there will continue to be millions of computers compromised to attackers on a regular basis.
I have little sympathy for system administrators who fail to take basic precautions like changing default passwords or disabling unneeded services -- that's their job, and they should know better. However, I don't expect the same level of diligence from an inexperienced user who's trying to type view a business letter sent to them from outside the office. Microsoft distributes even their "basic" productivity applications with all the functionality of a basic operating system, makes that power easy to harness (for whatever purpose), and demonstrates little more to their average user than how easy it makes dragging and dropping a spreadsheet chart into a business report. That's irresponsible and misleading.
Re:On the topic of web bugs (Score:2)
It came installed with something you installed on your system. If you're the type that habitually ignores license screens and just blindly clicks Next when you install stuff, you deserve what you get.
Are you really that concerned that this piece of software is contacting an updates server? Do you have any idea how much software nowadays does this sort of thing? Why is it everyone considers a piece of software that, behind the scenes, checks to see if there are updates of itself an "evil" piece of privacy-invading software? It just seems silly to go through the effort of setting up things like firewall filters just because you don't "trust" what this piece of software is doing. If you really don't trust it, why the hell are you installing it? If you're going to say, "But I didn't know I was installing it!", something else you apparently do trust did install it, so perhaps some trust relationships there need to be looked at.
Re:This isn't much different than Web Pages alread (Score:2)
Who knows, maybe you even read some Word documents infested with those webbugs already.
Re:How hard is it (Score:2)
JASC Paintshop Pro is overkill for most people's graphics needs. It sells for what, a hundred bucks? Yet Photoshop is pirated like mad -- *not* because it's better, but because it's considered professional-grade. Joe Blow will never use 1/3rd its features... but it's what he wants.
The same applies for wordprocessors.
Unfortunately, what most people don't seem to realize is that there's a whole level of professionalism that's quite apart from the level of marketing.
One thing that frustrates me is that so many products are de-facto standard not because they are superior, but because they were well-marketed.
Corel has a suite of applications that is superior to the competition in almost every way:
* by most accounts, CorelDraw is better than Illustrator, Freehand and PageMaker.
* by many accounts, WordPerfect is superior to MS-Word.
* by all accounts, Ventura Publisher is superior to Quark and FrameMaker.
PhotoPaint versus Photoshop seems to be the only upset to Corel's domination on the basis of functionality and ease-of-use.
Yet Corel is sinking like a stone, while these other inferior products continue to maintain de-facto status.
It bothers me, 'cause I *hate* using inferior tools just because they're popular!
Er, anyway, rant off. My point is: people don't want simple or minimalist. They want *professional* tools. Even if they are overkill.
--
Re:Personally... (Score:2)
(For the clueless, this is a reference to a famous Pace Picante Sauce commercial - a group of cowhands on the trail are looking at the salsa provided by their new "cookie" and discover it's not the good stuff from San Antonio, but is made in "New York City??!!". The lead cowpoke turns to another and orders, "Git a rope!", as Cookie gulps and realizes he's about to get stretched. The only reason I bother to explain this is for non-US readers...)
Re:Why Word Documents Aren't a Big Deal. (Score:2)
I really hope we live in such a utopia someday.
But, how long has there been a Microsoft Word? How much human information, knowledge, and communication is bound up in Microsoft Word documents, and how long will much of that legacy be relevant?
And, considering how long there has been one, and the size and relevance of the legacy-- how long do you think we'll be dealing with binary formats like Word?
The future usually maps better to William Gibson and Ridley Scott: There's the new, but those old layers of decades dirty old grunge and tech still persist refusing to die. I predict that we'll still need to open MS Word documents in 2010. Hell, I just had to open a WP v4 document the other day..
Re:Software that requres net access during install (Score:2)
Now, what would be a good idea, would be to write a new, open source, OS, web browser, and office suite. If these were open source, it would be quite transparent when people tried to sneak this kind of crap into their products.
G
Bitch, Whine, and Moan!! (Score:2)
Tracking internal document consumption - If you can place a cookie, you can track who and how many times something is read.
Changing document data to reflect different visitations. If a user has already read the document and it hasn't changed it doesn't download the Word document.
I am reminded of a Shakespeare when I hear this: (approximation) Nothing is neither good nor evil but thinking makes it so. Of course somebody can do something malicious, but somebody can also do something positive. If you're that worried about it, download the document, open up your favorite text editor (insert here), open the Word document, strip out the header and footer information, and read it. Very simple. And for the joker who will point out what if it has pictures or some really brutal formatting that doesn't show up; well tell the folks that put it up on the website to save their document as HTML or a TXT file. Laters
/me gets off my soapbox
Hangtime
If you continue to think what you have always thought, you will continue to get what you have always got.
-Anonymous
Re:Who's reading my resume? (Score:2)
Major companies nowadays are requesting only textual resumes. This way they are light on space, can be easily searched and easily integrated in the company's internal resume system (assuming they have one), and people within the company looking for applicants have to do less work and can deal with a standardized document format. It's rare that a company will request a Word format, but it happens.
If someone is blindly sending you a resume in Word, there are other reasons to reject it that don't necessarily have anything to do with the applicant's skills at system security.
Re:Emacs too (Score:3)
Re:Does this affect people using ISP's? (Score:2)
To get the ISP logs, presumably, you need a subpoena, which means it's a criminal issue. If they are backtracking from an emailed document, couldn't use the recipient's server info, to backtrack the email to your ISP, and then to you.
But if the web bug is a marketing tool, will the company be able to convert my dynamic IP to my email, username, etc. without those server logs? I guess it is helpful in that it would give general information about how a document is being spread geographically, and perhaps what companies are accessing it. But that's pretty vague, and certainly not a personal privacy problem.
I don't want to imply I think this is a good thing, but I don't see how it's a big deal so far (at least until everyone has their own static IP).
-----
D. Fischer
Re:This isn't much different than Web Pages alread (Score:3)
I cannot stress this enough, people. Read the articles referenced by slashdot before you post obvious questions.
The article clearly states:
So I would imagine that the answer is "yes. Someone has checked."
Re:Who's reading my resume? (Score:2)
Generally speaking, downloading a Word document from the web only nets the malicious user your IP address and/or hostname, nothing more than what they would get if you browsed an "evil" web page at their web site.
Re:Why not? (Score:3)
Or maybe you mean a more advanced architecture -- one that could apply different security models to code depending on whether it was being executed from a local or remote source, and which put potentially "suspect" applications into a limited sandbox? (Why, that sounds an awful lot like Java, circa the mid-90s...)
Basically, Microsoft, however good they are at UI design, code reuse, or marketing, often drops the ball when it comes to security. They push the envelope of functionality far before they're ready to deal with the vulnerabilities that it can cause. That wouldn't even bother me so much if they didn't try to pass their tools off as "secure by default," and keep problems and risks under wraps until they can be silently patched in the next service pack.
Re:This would happen with HTML documents too (Score:5)
This may be totally offtopic, but I think this troll may be onto something. What if someone were to embed the DeCSS code into a Word macro virus? Just imagine the possibilities!
Each time someone opens an infected document, it spreads copies the code into all .doc files on the hard drive. Given all the mystery bloat that typically accompanies Word documents anyway, I doubt anyone would even notice.
As an added bonus, the Outlook-enhanced version could also send copies to 50 people in the address book!
Before long, if it circulates far enough, we might even be getting copies of DeCSS which were inadvertently sent directly MPAA themselves! Oh, sweet irony.
Fallacy of the Transparent Society (Score:2)
I don't buy it. The premise that privacy and anonymity are a necessary casualty of technological advance is not necessarily true. It has been true thus far largely because privacy wasn't a design consideration in many of the systems we used. Most internet protocols were not designed to support privacy. HTTP is certainly in that category. The message is going out that privacy should be a design consideration. Zero Knowledge, for example, offers a service which reportedly encrypts your traffic and passes it through a series of servers to hide content and origin. Common cleartext protocols like telnet and ftp are being replaced by encrypted alternatives. Mr. Brin discusses privacy degrading technologies but doesn't concern himself with privacy preserving technologies which will grow in parallel.
Realize too that concern about loss of privacy is well founded. If and when privacy evaporates there will be consequences, and not just decreased crime, which isn't necessarily true either. How many convenience store robberies have you seen on the local news, committed right in front of the obvious cameras? Criminals aren't known for their intelligence. Recall the story of the gentleman who fell in the supermarket and was confronted with his purchase record, which included regular purchases of alcohol, and the threat that this record would be used in any lawsuit brought against the store. Just because you've done nothing wrong, but rather something "everyone" does now and again, doesn't mean that information (which, quite frankly, is none of their concern) won't be misrepresented and turned against you.
I've honored your request and read the article (again). Please do something useful as well: read Database Nation [amazon.com] and understand the consequence of burning the privacy bridge. It's not an easy one to rebuild.
Nope, ZoneAlarm catches Word. (Score:3)
Clearly you don't realize how either the "Internet Explorer component", or ZoneAlarm, works. Though Word uses the same HTML renderer, it is from within its own EXE. Granted, I don't kid myself that this will trap ALL instances of non-obvious internet use, but it goes a long way towards making me feel like I'm still in control.
----
Re:Why not? (Score:2)
True, true. Except when it comes to making file system security understandable to mere mortals. I'm still somewhat in the dark regarding file access privileges. The other week I couldn't share a folder on my drive out as read-only; no matter what I did, other users couldn't see the contents of subfolders. Eventually it turned out that the subfolders of this folder had somehow received their own privileges and the parent folder's security settings weren't being inherited. I had to go through all the subfolders and files and reset the privileges on each one before it finally worked. Ok, somewhat off topic, but still regarding MS-and-security.
Uwe Wolfgang Radu
Re:Does this affect people using ISP's? (Score:2)
Oh, I agree [slashdot.org] with you that this isn't a big deal from a privacy perspective. But you asked if a dynamic IP could mask your personal identity, and the short answer is, it can't. So someone who really wanted to know, and had the (legal, technological?) means to find out, could find out who you are.
But you give out your IP every time you surf to any webpage anywhere, so this Word document *feature* is no worse a privacy concern than Apache weblogs, in my opinion. In fact, I would argue that this is a very useful feature. Most of the complaints seem to be knee-jerk anti-M$ sound and fury.
JOIN !LINK CLUB! [slashdot.org]
Re:Emacs too (Score:4)
That's not true. Emacs does not execute arbitrary lisp code embedded in a document. It certainly doesn't follow hyperlinks and set up cookies transparently. You have to explicitly do all of these things.
The wheel is turning but the hamster is dead.
Re:I have just one thing to say.... (Score:2)
Star Office
Good point. From the Document Web Bugs FAQ [privacyfoundation.org]:
HTH, HAND.
Cheers,
Pot, Kettle, Black (Score:3)
==
This post sponsored by the American Obstetrics Society:
Re:What /I/ would like to know is (Score:3)
tealover, I don't see an email address for you in your user info. Because you're misquoting Hemos and saying some pretty outlandish stuff, I suppose you're just trolling. But if you'd like to talk seriously about this, please just email me [mailto] and I can clear up any questions you might have.
I don't think trying to allay your fears in posts here is going to be very fruitful. I'm not trying to silence you here, though; it goes without saying that any email discussion we'd have about this, you could feel free to post.
Jamie McCarthy
Re:Pot, Kettle, Black (Score:3)