Adobe Quietly Monitoring Software Use?
henrypijames writes "For months, users of Adobe Creative Suite 3 have been wondering why some of the applications regularly connect to what looks like a private IP address but is actually a public domain address belonging to the web analytics company Omniture. Now allegations of user spying are getting louder, prompting Adobe Photoshop product manager John Nack to respond, though many remain unsatisfied with his explanation."
2o7.net *Not* 207.net (Score:5, Informative)
The Opt-Out "Explanation" page is here: http://www.omniture.com/privacy/2o7 [omniture.com]
Still, the dubious address http://192.168.112.2o7.net/ [2o7.net] appears to be some variation of Social Engineering. http://en.wikipedia.org/wiki/Social_engineering_(computer_security) [wikipedia.org]
This might explain some of Adobe's seeming software bloating (like Acrobat Reader, etc...) http://www.google.com/search?hl=en&q=Acrobat+reader+bloat [google.com]
Phisher's Delight (Score:5, Informative)
http://blogs.adobe.com/jnack/2007/12/whats_with_adob.html [adobe.com]
the Adobe guy says:
the objections seem to center not so much on whether Adobe apps are contacting a server, but rather that the server is named "192.168.112.2O7.net,"
Note the letter O instead of a zero. 2o7.net is registered to Omniture.
WTF? If Little Snitch told me that some app was trying to connect to 192.168.112.2O7.net I would assume it was compromised, and would be debating a complete clean system reinstall of OSX.
192.168.112.2O7.net? Masquerading as an IP from my home DHCP server? Are they serious? From Nigeria? Romania?
Again, WTF?
P.S. for those of you who have not set up a LAN, 192.168.xxx.xxx is typically an IP address for an internal LAN, not something out on the Web.
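Added example (not part of the comment above or of any poster's code): a detection sketch that flags queried hostnames whose leading labels imitate an IPv4 address once letter-for-digit swaps such as O for 0 are undone. The confusable set, the log layout and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress

# Letters that read as digits in many fonts (assumed, minimal set).
CONFUSABLES = str.maketrans({"o": "0", "O": "0", "l": "1", "I": "1"})

def lookalike_ip(hostname):
    """Return the IPv4 address a hostname imitates, or None."""
    name = hostname.rstrip(".")
    if name.lower().endswith(".in-addr.arpa"):
        return None  # reverse-lookup names legitimately contain a dotted quad
    labels = name.split(".")
    if len(labels) < 5:
        return None  # need four "octet" labels plus a real domain suffix
    head = labels[:4]
    if not any(ch.isdigit() for ch in "".join(head)):
        return None  # all-letter labels such as l.o.l.o are not an imitation
    candidate = ".".join(head).translate(CONFUSABLES)
    try:
        return ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return None

# Constructed resolver query log: timestamp, client, queried name.
SAMPLE_LOG = """\
2007-12-28T10:01:02 10.0.0.5 www.adobe.com
2007-12-28T10:01:03 10.0.0.5 192.168.112.2O7.net
2007-12-28T10:01:04 10.0.0.7 2.112.168.192.in-addr.arpa
2007-12-28T10:01:05 10.0.0.7 us.pool.ntp.org
"""

def flag_queries(log_text):
    """Return (client, name, imitated address, is_private) for each hit."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guess at fields
        _, client, qname = parts
        addr = lookalike_ip(qname)
        if addr is not None:
            findings.append((client, qname, str(addr), addr.is_private))
    return findings

if __name__ == "__main__":
    for finding in flag_queries(SAMPLE_LOG):
        print(finding)
```

A hit whose imitated address is private (RFC 1918) is the case this thread is about: a public name dressed up to look like LAN traffic in firewall prompts and logs.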
Re:2o7.net *Not* 207.net (Score:5, Informative)
GET
Referer: http://www.adobe.com/startpage/dw_content/dw_90_full_default.swf?prod=dw&ver=9.0&plat=win&lang=en&stat=full&tday=&spfx=&productName=dreamweaver [adobe.com]
x-flash-version: 9,0,45,0
User-Agent: Shockwave Flash
Host: 192.168.112.2O7.net
and returns a 2x2 pixel blank GIF.
Opt-out site (Score:4, Informative)
Firewall (Score:4, Informative)
# Block access to Omniture -- spyware vendors
block from any to 216.52.17.0/24
Re:Not about spying (Score:5, Informative)
Re:2o7.net *Not* 207.net (Score:3, Informative)
Pinging 192.168.112.207.net [216.52.17.207] with 32 bytes of data:
Pinging 192.168.112.2o7.net [216.52.17.136] with 32 bytes of data:
Re:Not about spying (Score:2, Informative)
Mind you, keeping size a secret seems to be standard for most updates even where permission is asked for. First the language is bungled. They ask for permission to 'install' updates as if it had already been downloaded. Then when you think, "Ok, may as well be up to date, since it's got the data now. It's a small patch to block a security hole.", it goes off to get 70 megs or so of update for some damn media player I don't use. (I have teenage children. Media players spontaneously generate inside my computer.)
Re:This is very common (Score:5, Informative)
Port 123 (both UDP and TCP) is the NTP port.
Double-click on the time on the right end of your taskbar to open the Date and Time Properties dialog box, then click on the Internet Time tab.
I believe it defaults to time.windows.com. I change mine to us.pool.ntp.org.
I am Immanuel Kant (Score:1, Informative)
Re:No explanation is a good explanation. (Score:2, Informative)
Re:Not firewall related (Score:3, Informative)
I would have been tripped up (fortunately, my network is much more complex now, and this hole no longer exists for me).
They can change the IP address (Score:3, Informative)
They can change the IP address since they are using a hostname. You need to also add the domain name "2o7.net" (you know, number two, letter oh, number seven, dot net) as a zone in your resolving/caching DNS server, with a wildcard labeled "A" record pointing to somewhere that will be a dead end under your control, like 127.0.0.1.
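Added example (not part of the comment above): a comparison of the three blocking approaches raised in this thread, showing which still hold when the hostname resolves somewhere new. The hosts-file contents, the hypothetical hostname and the documentation-range addresses are constructed assumptions; only 216.52.17.0/24 and 216.52.17.136 come from the thread.

```python
import ipaddress

PF_BLOCK = ipaddress.ip_network("216.52.17.0/24")  # range from the pf rule in the thread
HOSTS_NAMES = {"192.168.112.2o7.net"}  # assumed: a hosts file listing this one name
SINKHOLE_ZONE = "2o7.net"              # local zone with a wildcard A record

def canon(qname):
    """DNS names compare case-insensitively; drop any trailing root dot."""
    return qname.rstrip(".").lower()

def caught_by(qname, resolved_ip):
    """Return the set of controls that would stop this lookup or connection."""
    name = canon(qname)
    hits = set()
    if ipaddress.ip_address(resolved_ip) in PF_BLOCK:
        hits.add("pf")        # IP rule: only works while the address stays put
    if name in HOSTS_NAMES:
        hits.add("hosts")     # hosts files match exact names, no wildcards
    if name == SINKHOLE_ZONE or name.endswith("." + SINKHOLE_ZONE):
        hits.add("dns-zone")  # local zone answers for every name beneath it
    return hits

# Constructed observations: (queried name, address the public DNS returned).
OBSERVATIONS = [
    ("192.168.112.2O7.net", "216.52.17.136"),       # address seen in the thread's ping output
    ("192.168.112.2O7.net", "203.0.113.10"),        # constructed: same name, new address
    ("hypothetical-host.2o7.net", "203.0.113.10"),  # constructed: name absent from hosts file
    ("www.adobe.com", "198.51.100.7"),              # constructed: unrelated traffic must pass
]

def coverage():
    """Return (name, address, sorted controls that catch it) per observation."""
    return [(q, ip, sorted(caught_by(q, ip))) for q, ip in OBSERVATIONS]

if __name__ == "__main__":
    for row in coverage():
        print(row)
```

The suffix test includes the leading dot so that an unrelated registration ending in the same characters is not swept into the sinkhole.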
Re:How do I block it? (Score:3, Informative)
Well, Squid is a Web (TCP port 80 and friends) proxy only, whereas Little Snitch is a general monitoring app that can alert you to just about any outgoing traffic much like an outgoing firewall. So, they would work well when used in combination, since Squid can be used to control HTTP traffic in very specific ways beyond "is application X allowed to connect to site Y?" Not to mention that with a Web browser, of course you want it to be able to connect to TCP port 80 and you probably don't want to be prompted at every attempt to connect to a new Web site (it would drive you nuts), so a Little Snitch user would probably just allow the browser to use that port regardless of the site and then Squid would be the better tool to specifically control this.
People run their machines with default HOSTS?! (Score:5, Informative)
http://www.mvps.org/winhelp2002/hosts.htm [mvps.org]
And use it. That domain has long since been blocked. Jeez, people. Old news.
Re:Not about spying (Score:2, Informative)
Edit the source, remove the code that makes it connect to a strange looking host, recompile GIMP, and release a patch for others who don't want their software doing strange things.
I wouldn't call it quietly... (Score:4, Informative)
Re:No explanation is a good explanation. (Score:4, Informative)
Gee, it's funny you mention that. A long time ago, maybe Photoshop 2.0 era, I had a client who liked to submit files in
So I emailed John Knoll to ask how I could read
I don't see any