RealPlayer Uploads Your ID Too

Wired revealed this morning a "New Privacy Glitch" which may actually be years old. Real Networks' RealJukebox isn't its only software to send a Globally Unique Identifier (GUID): RealPlayer does too. The free RealPlayer has 69 million users of all its versions; Real isn't saying which versions send the GUID. It's sad when the "good news" is that RealPlayer doesn't scan your hard drive. Oh - and by the way - Windows Media Player sends one too but it's OK because registration is not required. Are we living in cuckooland? Update: 11/08 08:44 by J : On the just-launched real.com site, their Software Privacy Statement says: "the Globally Unique Identifier - GUID has been disabled for electronic registration so it cannot be used to identify you." This is for RealPlayer 7: still, apparently, no word on earlier versions.
This discussion has been archived. No new comments can be posted.

  • I've set up a special account on my linux box exclusively for the purpose of registration. Only the most recent 20K worth of email is kept (needed because some SW reg emails an unlock 'key' to you), the rest is routed to /dev/null. Mail to the account is otherwise never read. The address is ac@[myhost].com (Anonymous Coward)
  • by Anonymous Coward
    haha... If it took this long for someone to run a packet sniffer on the real player traffic and see the GUID, how long is it going to take for someone to actually read and understand the code?? I noticed the GUID several months ago while setting up Real's RTSP proxy kit. And you know what? I don't give a damn about it.

    Also, Zonelabs has a nice little program called ZoneAlarm [zonelabs.com] which allows per-program internet access restrictions on Win9x systems. It can't "protect" against GUIDs and things but will prevent 100% against programs that shouldn't be accessing the internet (like BO2k).
  • by Anonymous Coward
    UUIDs, aka GUIDs, are a remote procedure call (RPC) thing that existed in UNIX long before MS borrowed the idea for COM. ...trying to make RealPlayer DCOM compatible or some such - unlikely, most probably the GUID Real sends is used to identify you and your listening habits.
  • by Anonymous Coward

    Try Ra2Wav. It's a windows app that will convert a .RA file to .WAV and it supports G2. Get it HERE [xoom.com].

    It works under wine, but you need to have RealPlayer G2 installed as well. The more recent wine releases will install G2 player, with a bit of messing around, it should work fine.

    Matt Borowski mkb@NOSPAMyahoo.com


  • I always provide BOGUS information on all registration forms. Look at my copy of win98, on the 'about' box it says "This software is registered to: The Public Domain". Hey! They gave me a fill in the blank SW license. This is like an already signed blank check so I filled in the name with 'the public domain'. Other software is registered to "Nobody", "Unknown User", "John Doe", and "The Bearer". And yeah, my purchase role is 'final decision' on all purchases for my company of 500,000 employees. Wheee!! And I buy over $1e6 worth of computer products every year. Oh and if they want addresses and phone numbers and email, I plug in the company's own street address, phone number, and sales@, or info@, webmaster@, or root@ at the company's own domain name. This isn't a court of law or legal proceeding here so there's no penalty of perjury for lying. I happily make up all sorts of stuff! And if my lies fsck up the co's statistics then that's too fscking bad. Do I have a 'right to privacy'? No, but by that same token, companies have no 'right to collect accurate marketing information about me.' Works both ways, ya know.

    To mangle Jay Leno's quote from those old Dorito commercials:

    Collect all the bogus information you want, I'll make more!

  • by Anonymous Coward on Saturday November 06, 1999 @11:18AM (#1556317)
    Anyone who complains about this is obviously a child molester or a drug dealer or a DVD encryption cracker or other horrible deviant. Next thing you know people will be complaining when the police start installing cameras in peoples' houses to catch burglars.

    Face it people, government and big business is your friend. They only want what's best for you. Now stop resisting, go back to work, and buy some of those fine products you see advertised on TV and the web.

  • by Christopher B. Brown ( 1267 ) <cbbrowne@gmail.com> on Saturday November 06, 1999 @11:16AM (#1556318) Homepage
    It's not evident whether this is helped or hindered by having proxy servers in between you and remote sites...

    There most certainly are cases where it is very nice to have something like Junkbuster [junkbusters.com] and/or Squid [nlanr.net] in between me and remote places, as both can help keep things a bit more anonymous.

    I'm looking forward to cable modems being more ubiquitous; this will mandate having personal firewall machines, and this will encourage the development of little easily-managed boxes to help with such.

    Little Linux boxes would be perfect candidates for this sort of thing; a minimal distribution that has some proxying software, and something like Linuxconf or COAS that can be configured remotely through a secure connection (e.g. SSL) would be a killer app.

  • CDDB only records your email address when you submit a new disc. If you're just looking up disc info (like if your player is requesting a track listing), no email address is sent or recorded.

    Jay Tamboli
  • Well, I guess I'll be deleting RealPlayer from the Mac side of my machine (never found a version for LinuxPPC or I'd delete it from the Linux side too). It never worked all that well for me anyway. I guess I'll be sticking with QuickTime for my streaming video needs (there's still rumors of Apple doing a QuickTime Linux port; anyone know what ever became of those?)

    Anyone know of a program to convert .rm files to MPEG (audio and video both), on any platform? I've seen programs to convert other formats to .rm, but never one to convert .rm to anything else.
  • Perhaps I'm the clueless one, but why would such a law be clueless? All it does is require the makers of software to document all of the features therein. As far as I can tell, that's a Good Thing. How is this bad?
  • I don't know what it's doing but Realplayer is generating and accessing a lot of typoed URLs with a space in between. They show up in my squid error log and many sites under my proxy generate these errors about once every other minute. Other versions don't generate bad URLs but still access something every other minute.
  • Before some smart guy comes in and says that of course Realplayer accesses something all the time... I meant, they access the same URL at real.com every other minute, not the stream provider.
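The pattern reported in the two comments above, a client fetching the same URL through a Squid proxy at a fixed interval, can be picked out of the proxy log mechanically. The following is an added example, not part of the original discussion: it assumes Squid's native access.log field order, and the sample lines, host names and thresholds are constructed for illustration.

```python
"""Flag fixed-interval ("phone home") requests in a Squid native access.log."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Constructed sample, native format:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_LOG = """\
941900000.000    312 192.168.1.10 TCP_MISS/200 412 GET http://player-vendor.example/check - DIRECT/192.0.2.10 text/plain
941900120.400    298 192.168.1.10 TCP_MISS/200 412 GET http://player-vendor.example/check - DIRECT/192.0.2.10 text/plain
941900240.100    305 192.168.1.10 TCP_MISS/200 412 GET http://player-vendor.example/check - DIRECT/192.0.2.10 text/plain
941900359.800    301 192.168.1.10 TCP_MISS/200 412 GET http://player-vendor.example/check - DIRECT/192.0.2.10 text/plain
941900480.200    299 192.168.1.10 TCP_MISS/200 412 GET http://player-vendor.example/check - DIRECT/192.0.2.10 text/plain
941900600.000    310 192.168.1.10 TCP_MISS/200 412 GET http://player-vendor.example/check - DIRECT/192.0.2.10 text/plain
941900003.000    150 192.168.1.11 TCP_MISS/200 9120 GET http://news.example/index.html - DIRECT/192.0.2.20 text/html
941900008.000     12 192.168.1.11 TCP_HIT/200 9120 GET http://news.example/index.html - NONE/- text/html
941900308.000     11 192.168.1.11 TCP_HIT/200 9120 GET http://news.example/index.html - NONE/- text/html
941900318.000     13 192.168.1.11 TCP_HIT/200 9120 GET http://news.example/index.html - NONE/- text/html
941902318.000    140 192.168.1.11 TCP_MISS/200 9340 GET http://news.example/index.html - DIRECT/192.0.2.20 text/html
941900010.000     40 192.168.1.12 TCP_MISS/200 65536 GET http://media.example/stream - DIRECT/192.0.2.30 audio/x-pn-realaudio
941900012.000     41 192.168.1.12 TCP_MISS/200 65536 GET http://media.example/stream - DIRECT/192.0.2.30 audio/x-pn-realaudio
941900014.000     39 192.168.1.12 TCP_MISS/200 65536 GET http://media.example/stream - DIRECT/192.0.2.30 audio/x-pn-realaudio
941900016.000     40 192.168.1.12 TCP_MISS/200 65536 GET http://media.example/stream - DIRECT/192.0.2.30 audio/x-pn-realaudio
941900018.000     42 192.168.1.12 TCP_MISS/200 65536 GET http://media.example/stream - DIRECT/192.0.2.30 audio/x-pn-realaudio
941900020.000     40 192.168.1.12 TCP_MISS/200 65536 GET http://media.example/stream - DIRECT/192.0.2.30 audio/x-pn-realaudio
garbage line
"""


def parse_line(line):
    """Return (timestamp, client, host, url), or None for a malformed line."""
    fields = line.split()
    if len(fields) < 7:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    client, method, url = fields[2], fields[5], fields[6]
    if method == "CONNECT":            # CONNECT logs "host:port", not a URL
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return ts, client, host.lower(), url


def find_beacons(lines, min_hits=5, max_jitter=0.15, min_period=30.0):
    """Report (client, URL) pairs requested at a near-constant interval.

    min_hits   : fewest requests needed before judging regularity
    max_jitter : allowed spread of the gaps (std deviation / mean gap)
    min_period : ignore gaps shorter than this, e.g. media segment fetches
    """
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[2]:
            continue
        ts, client, host, url = rec
        seen[(client, host, url)].append(ts)

    findings = []
    for (client, host, url), stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period < min_period:
            continue
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            findings.append({"client": client, "host": host, "url": url,
                             "hits": len(stamps), "period_s": period,
                             "jitter": jitter})
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print("{client} -> {url}: {hits} hits every ~{period_s:.0f}s "
              "(jitter {jitter:.3f})".format(**f))
```

On the constructed sample only the two-minute check-in is reported; the irregular browsing and the rapid stream fetches fall outside the thresholds.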
  • Boy, you're much more thorough than I am. For years now I've registered as John Satan, 9 Dante Circle, Pandemonium HL 00666+0666, tel (666) 666-0666, same for fax, email j.satan@pandenet.hl.

    Most places don't verify these things - too much work, and 99% of people fill it out honestly anyway, never once making the connection between this and the junk mail and spam they get.
  • As long as they have a privacy statement? Doesn't that maybe need something particular added on to it, like "An *appropriate* privacy statement"?

    Privacy statements can be buried on a page or contain tricky wording that when deciphered can often come out to something like this:

    FooSoft promises to never use this information in a way which would be detrimental to our consumer's privacy when it coincides with FooSoft's financial interests. Should the financial interests of FooSoft dictate that distributing information gathered from clients is in the interest of FooSoft's bottom line, appropriate actions will be taken to safeguard investor value in FooSoft.

    Sounds nice. Maybe.

  • by Uruk ( 4907 ) on Saturday November 06, 1999 @11:07AM (#1556326)
    What do you expect companies to do? Pass up an opportunity to gather important marketing information?

    Privacy hasn't been really possible ever since the real marketing sharks started to hit the internet. Remember, even though companies aren't ethical for the most part, they're not stupid. They wouldn't bother getting their codejockeys to put this stuff into the software if it wasn't making them big bucks in one way or another. It doesn't give companies a stiffy to have power over you and use your information, it's just that they're making money off of it, and that's why they do it.

    Public companies are a real bitch, because of the diffusion of responsibility. Even if they have people inside the organization that realize something is legal, yet unethical, it still gets done, because there really isn't a big boss that can say "We're doing this, and not that". There is to a point, in the CEO/CFO, but at the same time, they owe their jobs to the board and the stockholders. Failure to be ruthless and relentless in the name of corporate profits for the shareholders results in losing your job if you live in CEO land.

    Privacy hasn't existed for years and years. My first internet experience was when AOL was brand new, and I got connected with my state-of-the-art 14.4 modem. Wow was that fast. Even back then I remember getting UCE, and having marketing things tossed at me that were quite strange in their approach. (i.e. why is it that when I started, I saw ads for generic things, but the more I go along, the more specifically computer targeted ads I see? Does that have anything to do with the bulk of information I'm after?)

    The only way you can really have privacy is to use other people's networks, never sign up for an ISP or give out your name, address, email, phone, or other information, and keep changing computers so as to dodge cookies, and other "features" of the software that we don't know about yet.

    Has it ever occurred to anybody that every once in a while, people will discover one of these privacy violating features and everybody will be shocked and outraged about it - ever wonder how many of them are out there that we don't know about?

  • It's an issue because:

    1. Real didn't tell anyone that they were collecting this information. Not until they got caught with their pants down, that is. Therefore:
    2. Users had no choice. You could not decline if your privacy is more important to you than listening to RealPlayer stuff over the Net.
    3. They didn't just track how many times you used the software, they tracked where you went, what you listened to or watched, and how you used it (e.g., the comment about stats on how many sucker^H^H^H^H^Hvalued customers recorded CDs).

    And probably nobody spoofed the GUID, not if no one outside of Real knew it was being collected before.

    It is an issue because it is a hitherto undocumented invasion of privacy.

  • I guess this should explain why RealPlayer attempts (and usually, succeeds) with binding itself to every file extension the programmers could remember, even the ones it can't handle.

    That's why I removed all traces of it from my machine a long time ago. I guess I was right to do it. :) However, I also removed QuickTime for the same reasons. Why it would bind itself with files it can't handle is beyond me.

    --

  • Hrmph. It's not as if congress would actually pass a law outlawing the collection of personal info. It'll be a cold day in hell when that happens. What I'm saying here is - that's okay, but I want to know about it first.

    --
  • That's it. I say we pass a law requiring the program to document all features. They can violate our privacy, but at least we'll know what they're up to!

    --
  • I had AOL before it offered access to the Internet. I don't quite remember why I used the service, since most everything was ugly and not very interesting... but at least they didn't track me around their service.

    Does someone know of a good port monitor for Win98 to help me see if this is happening?
  • Ah, but what if vi, emacs, more, less and every other program capable of viewing source is altered to automatically filter out the monitoring sections of the source code, huh? Huh? What about that then... damn the man...
  • First of all, theft is the wrong word. It is invasion of privacy, not stealing.

    But I definitely agree, no software, or for that matter hardware, has any right to send information to anybody or anything without your knowledge. If it said that it does this up front, then we have the ability to choose not to use it. With this bullcrap, we are unknowingly giving away vital bodily secrets.
  • Real Audio thinks I'm Bob Yaya. I live in Peoria, which is inexplicably in the Marshall Islands. Zip code? 90210, of course. They don't bother verifying even that. I happily fill their systems up with junk. And when I reinstall, I blow away the old info and register with a new, bogus ID. I think I'll be from Timbuktu next time.

    I think I just give them a bogus e-mail address each time. I don't think they require e-mailing you a registration key. If they did, I would just use one of many deflectors to bounce the e-mail for real, then shut down the account.

    Of course, if they are on the ball, they can suss out a few things. For example, they probably log my IP address, which will tell them my ISP, which will give them my geographic region.

    One thing I wonder about... aren't there restrictions on getting information from minors? Is Real not collecting info when the registeree is under 12? Hm.

    Another question... if Real did this for so long, how do we know that there aren't other sleeper programs out there that might not only be reporting what you do with them... but also what you do in general. Perhaps ICQ is silently watching your web browsing? Is AIM checking up on what programs you're running? Makes you wonder.

    And, of course... if Real's player was open source, we'd probably have spotted this nonsense a while ago.
  • What would be an answer is to have a trusted organization, which would audit code, put its stamp of approval AND serve as the distributor of said code.


    In the open source world, Debian functions this way. There doesn't need to be a 'for hire' auditing agency.
    --
  • It's your GUID whether you send them your zip code or not.

    I don't have a big deal about RealPlayer collecting geographic information, as long as they have a privacy statement.

    A GUID is just that, a mostly random number. Although I agree, it could be used wrongly.

    -Brent
    --
  • As long as they have a privacy statement? Doesn't that maybe need something particular added on to it, like "An *appropriate* privacy statement"?

    Well, I think that a privacy statement is legally binding. So if they say they won't use data collected to track you, and they do, then they are liable for damages.

    The important thing is that they have a privacy statement. It is up to *you* to read it and determine if it is appropriate for you. If it isn't, then you don't have anything to do with them.

    -Brent
    --
  • MAC addresses belong to your NIC which can be interchanged.

    MAC addresses are easily spoofable; many NICs allow you to set the MAC address in firmware.

    Also...

    People do complain about IPv6 because it includes a protocol of assign-IP-address-based-on-MAC-address.

    Mmmm. Also, my NIC is totally irrelevant to my internet access. It's for networking to friends who bring laptops over. It'd be a lousy identifier 'cause I can take it out 90% of the time.

    Every computer needs a CPU - which would be a lot more expensive to change than a $20 NIC, and finally, nobody ever tried to conceal the fact that NICs have unique MAC addresses.

    Well, you -did- ask.



    --Parity
  • You got a point. But there is still a need for an analog of Debian (in the specific auditing sense) for closed source world.
  • Open source is hardly an answer, unless you actually read the code (I'll bet most people have never audited a piece of software in their lives). What would be an answer is to have a trusted organization, which would audit code, put its stamp of approval AND serve as the distributor of said code. Such an organization could be subject to NDA so it could work for both closed and open source. However, as we see from hardware review sites, it is important to have several audit sources, so a consumer would have a choice of who to trust. I am thinking of Nader competing with FSF, competing with BSD guys for public trust. (On second thought, FSF is unlikely to sign an NDA :-).
  • On that topic, what about Liquid Audio -> something standard?
  • Any user who downloads RealPlayer submits a name, e-mail address, etc. before downloading. While there's no guarantee users are submitting correct information, my guess is that most are. In any case, users are definitely aware of the request for info. Given this, why is submission of a unique ID by the program an issue? If RealNetworks asked for (and probably got) my name and e-mail address, why does it matter if they know when I'm using the software I downloaded. I don't think this is nearly as large an issue as the RealJukebox stuff.
  • by Otto ( 17870 ) on Sunday November 07, 1999 @12:14PM (#1556343) Homepage Journal
    A long time ago I was writing a simple CD player program for myself, mainly to do Auto-DJing with. I never finished it, but one of the things I did look at very hard was the CDDB protocol.

    When you send an update to the database, you are sending an e-mail with a special format.

    However, when you QUERY for info, all you send is data about the CD so it can return the cd data. NO EMAIL ADDRESS IS SENT in the query.

    Now, they have a new protocol, called cddb2 (cddb-squared, actually), and I haven't looked at it. So I don't know about it. But the standard CDDB protocol does NOT gather personal info in this way.

    They do gather info on number of queries as a whole done to their database, of course. This is a handy way to determine popular playing choices. But they have no way to determine an individual's popular playing choices.



    ---
  • by ottffssent ( 18387 ) on Saturday November 06, 1999 @01:13PM (#1556344)
    I don't know about the rest of you, but 'back in the day' when I had no better place to put a webpage than on Geocities, I too was required to register. I'm sure they kept every scrap of information I gave them, and I'd like them to know that it was all bullshit.

    According to geocities, my name is John A. Doe. I live at 1234 main street, LA California. I make over $150,000 per year, am married, and am female.

    Though I'm not going to tell you the truth either, I will say that I'm male, live far far away from LA california, make a small fraction of the listed income, am not married, and don't even know anyone whose initials are JAD.

    The USPS is happy to provide the zip+4 address that many registration programs require to verify that you really do live there. Go to http://www.usps.gov/ncsc/lookups/lookup_zip+4.html [usps.gov] and give them an address. Many sites also require you to enter an area code for similar reasons. This is also easily spoofed. Go to http://www.555-1212.com/area_codes.html [555-1212.com] and list the place you've decided to tell them you live at. Some places (LA, for example) have several area codes. All will be listed, and you'll have to try them until they work. For example, LA has 323, 213, 310, and 424 so you'll be shooting in the dark. Fortunately, not many places are as big as LA, and if it's only got 4 area codes, your favorite burg likely has only 1.

    In short, while I'm distressed by the business practice of grabbing what info they can however they can so you don't know about it, I've developed ways to give them verifiable but totally useless information to satisfy registration requirements. As a matter of course, I provide such bogus information even to reputable institutions like the new york times, where I have over a half-dozen registrations for myself and various friends.

    But wait! you say. What about scams where I have to provide an email address so I can get a registration key? That brings us back to geocities. Or hotmail. Or any one of a hundred different similar services. Hotmail and their ilk are probably the best in this instance because they're webmail (as opposed to geocities' pop server, which while slow is very nice if it's your main email address) and don't require any re-configuring of your mail settings to get at. Send the key there. Then ignore all the mail you get. If you don't use the service anymore, it'll delete you. If you do keep using it, just ignore the junk mail that piles up and grab the keys you need.
  • by Surak ( 18578 )
    Use only Open Source software. You will never have to worry about pirating software again.
  • Now that privacy issues are getting more and more press, the time is ripe for a cartoony privacy mascot. Companies can attach his picture to their products if their software doesn't reveal or track any user info. I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

    You've obviously been watching too much South Park lately :) (For those who don't have Comedy Central: they had an episode featuring sexual harassment, which featured, among other things the "Sexual Harassment Panda" along with various stupid mascots that didn't make sense.)

  • by Surak ( 18578 )
    I said use only open source software. This would exclude the use of Win 9x/NT
  • After several complaints about the net only installer, Apple did release the full binary installer here...

    http://www.apple.com/quicktime/download/support/ [apple.com]

    "This stand-alone QuickTime 4 installer does not require a Internet connection during initial installation. To update QuickTime to a future version, you can run the QuickTime Updater on the Internet or download a future version of this stand-alone installer."


    Enjoy
  • I got a lifetime membership to The Source (for god knows how few dollars) back on my Apple IIe in 80-something. That got bought by CompuServe, who honored my membership, who got bought by AOL, who honor my membership. Mmm. Gotta love it. Makes me wish I had gotten one of the lifetime memberships to National Geographic when they still offered them...

    -Chris
  • by turg ( 19864 )
    I have a pirated copy of realplayer g2 plus, my os is pirated... basically all software on my system that isn't free in the first place, is pirated.... could this be bad?

    yes, pirating is bad
    -
    <SIG>
    "I am not trying to prove that I am right... I am only trying to find out whether." -Bertolt Brecht
  • I say we pass a law requiring the program to document all features. They can violate our privacy, but at least we'll know what they're up to!
    Hmm... Then we'd be hearing companies saying "It's not a feature, it's a bug"
    -
    <SIG>
    "I am not trying to prove that I am right... I am only trying to find out whether." -Bertolt Brecht
  • Yes, they do. But the difference is, every time you query the CDDB database YOU are accessing their server. It would make sense that their server could keep track of this.

    In the case of real player, why should it send information to RealNetworks when it's not required to?

    Same goes for browsers, in case nobody noticed.
    If you mis-type a URL, the error page is fetched from Microsoft (Or Netscape, as the case may be)

    This is BAD. Just because I mistyped something does not mean they should know about it.
  • Dunno about your first question, but there's a real audio decoder for windows here.. [streambox.com] Wish there was a linux or os/2 version, but not yet. I'm using it to convert the hours of slack [subgenius.com] to mp3s for easy in-car listening when pine's spiffy mp3 cd player [pineusa.com] is released..
  • For Windows: http://www.streambox.com/Products/Ripper/index.asp

    It's shareware, but it works for 15 days uncrippled.

    Converts from RA/WMA/MP3/WAV/CDDA to WMA/MP3/WAV.
  • I'm surprised this hasn't been found earlier. I wonder how long this has been going on?
  • I was

    Honestly
    I'm not able to foresee the future
    What I posted earlier this week [slashdot.org]
  • Does this refer to the linux version too?
    BTW, does anyone know a way to convert .ra files into .mp3?

  • Having a company collect trivial marketing information should be of no concern to anybody. There are laws in place to prevent abuse of information gathered in this way. It's just like a doctor or lawyer knowing the goods on you - yeah, they know, but if they abuse the info, they're going to jail.

    Besides, if it means that I might be exposed to products and/or information that is more specifically targeted to my needs and desires, then so be it.
  • Does that cover RM G2 formats, too?

    (BTW, here's another program for Win* users):

    2B Systems [2bsys.com] makes RA2Wav, converts RA streams to WAV, and for all those pesky pnm:// stream servers, X-FileGet will get pnm:// streams (as well as the usual FTP/HTTP transfers).
  • if you haven't been watching Southpark lately, try to. It's hilarious. "Alabama Man" action figures, sue happy schoolchildren, kenny's halloween costume and ensuing death, (an at-at harpooned by circling snowspeeders) and chinpokomon ("ooh, you all have such very large penises").
  • funny as hell. a heisenberg attack on marketing.

  • Odd considering all the debate about this issue. This gem appears in the registration screen for the Real Player Plus 7 Beta.

    I wonder how fast they turned around and updated the text files to take this into account. And I particularly love how they don't mention prohibited uses of the information.

    Ah, such is life.

    "Privacy Implications

    By electing to submit an electronic registration, you are sending some personal information to RealNetworks, such as your name and e-mail address. RealNetworks will never sell, rent, or share your personal information supplied during electronic registration without your consent unless compelled by law or court order to do so.

    No unique product ID is sent during this communication (the Globally Unique Identifier - GUIDs has been set to zeroes for electronic registration so it cannot be used to identify you).

    For more information about GUIDs, RealPlayer and privacy, please read RealNetworks' Consumer Software Privacy Statement:
    http://www.realnetworks.com/company/privacy/software.html
  • Someone asked about UK laws on such issues... I have just finished a course of the "UK Data protection Act"... There are 8 principles. I'll list a few which are relevant.

    1) The data protection act covers Personal data. Personal Data is defined as data that is about a person (or sole trader or partnership) which is about and is identified to a person.

    Harvesting playlists is dodgy. Doing it with an identifiable ID is *illegal* without their consent.

    2) The data must be used in a fair manner and kept up to date. This wonderful ruling makes dealing with credit ratings easy ;)

    3) Data must only be used for the specified use. Saying you are using it for one thing and then using it for something else is illegal.

    4) Data must not be passed on to a country which does not have these safeguards in place.

    NOTE: The US is specified directly in the course that I took - You are NOT allowed to propagate data to the US.

    Breaking the above gets you an enforcement order, ignoring it gets you unlimited fine and jailtime.

    Red
  • 1) MAC addresses can be changed
    2) MAC addresses (in current ip) don't go any further than your local lan
    3) They don't record your MAC address when you buy your NIC.

    It would take all three of those above to change for it to be a problem.
  • I can just see it now--the Anti-Microsoft defense: that's not a feature, that's a bug!

  • I've queried /. re the following but have not received a reply so let's see what happens here. As an eco/com grad I had to take multiple semesters of biz law although I openly admit to limitations as to my knowledge I am of the opinion that where one party, say a software developer or a web site derives a benefit from another party, say a user's or visitor's private info and the second party also derives a benefit, i.e., use of the software or some "freebie" then a contract has been entered into and as such the terms and conditions of said contract are subject to contract law.

    Is there an org somewhere on the net looking into the legal implications of the above. I think a few gig class action suits would chill the big boys out fairly quickly and we wouldn't have to put up with the equivocation and backsliding. But as long as the Corporate entities know users won't do more than occasionally bitch they will continue every possible abuse to make a buck.

    cheers
  • I like to record memorable episodes of Simpsons/Futurama/Family Guy etc. and compress them with realencoder. The only reason I've been using this instead of asf is the cool splicing utility that comes with it that allows me to get rid of commercials and stick files together. Now I'm resuming my search for an asf editor because I can use ATIplayer to view them instead of the proprietary realplayer, they look a helluva lot better and they compress 3x as fast (Ill put up with M$ for a copy of The Matrix at VHS quality for only 576 MB). Anyone know of a splicing utility for asf?
    --
  • (I'm probably way off on this one, but..)
    you could always look around/ask around for older versions of the software. Of course, can't the new versions run without using the net? Then again, I don't use quicktime.

    A question for you:
    Why isn't your laptop net enabled? If it is not net enabled, then I'm going to have to assume that you acquire all of your software from some other method: another computer that is net enabled, other people, or by buying the stuff (ouch).

    hmm..........
  • There's a bit of software for win9x, called MP3 Voyeur. It scans local area networks for mp3s, and other multimedia files.

    The catch? It queries the author's homepage every time it's run, AND leaves the connection open during use. I haven't set anything up to see if it's sending anything back, but I'd count on it. Every time the website goes down (which isn't often), or the author feels the need to discontinue the program (which already happened once), the software lets the user know this, and refuses to run. It's painfully annoying during the few times when the outside connection goes down at our University, and we only have a local net connection. I'm more scared, however, of what the program is sending back during the time it's running / scanning.

    And of course, like almost all Win apps, it's closed source. And of course, like almost all Win apps, many people use it without fully realizing what it's doing. I get chills whenever I run it, but it's very convenient, and I haven't seen another program do what it's supposed to do.

    If anyone wants to test it out to see exactly WHAT it receives / sends back from the main server, it's at http://www.jawed.com/mp3voyeur. Of course, it IS Win9x software, and I haven't had the opportunity to test it in Wine (don't have Wine installed at the moment).
  • Well it could be a simple Netbios DNS on 137-139.

    I'll see this until you set up your Workgroup correctly. You can also let Samba handle the Netbios DNS lookup to prevent unwanted dialing.

    Best regards,
    Niels Kr. Jensen
    Denmark
  • windows media player also gets "codecs" i think from some microsoft.com server occasionally. i'm not a big MS person so.. does anyone know what these are?

    Codec stands for Compression/Decompression. Some file formats, like avi, can be compressed with any compression routine and a reference to the library used is stored in the file. If you don't have the appropriate decompressor, you can't play the avi, so media player attempts to download a dll so that you can play the avi.
  • I don't think the average sales/marketing person cares to violate my rights or to uphold them. Instead there is a mutual interest, they want to send ads that are more or less relevant to people who'd be interested in their good or service, and my interest is only to receive ads that would be of interest to me. In fact, I appreciate the fact that MP3.com sends me an email only once a month or so with links to the latest releases of music in the genres I am interested in...and not "spam" for Wayne Newton's compilation album.

    But essentially any information they have about me is just a blip of my music browsing habits. It isn't containing information that supposed evil people in a weird corporate/government conspiracy of satanic Illuminati freemasons bent on world domination would find relevant, even if paranoid schizophrenics have been right all along about the existence of such.

    I think it would be nice some day not to get called at dinner time for aluminum siding when I don't own a home, or calls for a charitable donation when I am an utterly selfish scrooge with my money. The only way that is going to be possible is if they already have information about me in some subroutine that flags me and says "don't bother calling/emailing/snailmailing him for this product, it's a waste of resources". I have yet to get a phone call from a telemarketer that gave me information about what I like to spend my disposable income on; like a new sushi restaurant!!! When that day comes I think everybody will be happy, and privacy won't seem as important as not being nagged for what you don't care to buy.

    Johnny
  • The c't-magazine http://www.heise.de claimed sort of the discovery in issue 23 from Friday. They've also got a statement from Real. I cannot find it online, but it sounded like Real wanted to remove it.
    Real couldn't say if they saved e-mail information and other "identifiers" with the GUID, but they pointed more than once to their privacy statement.
    georg
  • I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

    Definitely a job for McMoo - The Anti-Drug Cow [redmeat.com].

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • Perhaps ICQ is silently watching your web browsing? Is AIM checking up on what programs you're running? Makes you wonder.

    It is not an attempted deceit, but as you may know, one of ICQ's features is a message history. My earliest version was on a machine I used for about 18 months. A friend and I use ICQ everyday all day. We hate the chat modes, we just send ICQ messages back and forth. Mostly these revolve around attempts to upstage each other in the humor department.

    One day I got poking around and discovered this massive file with every word we had exchanged over the entire 18 months. It was very clear that without the context of the moments in which we said those things, an unclued reader could come to some damaging conclusions.

    I'm not claiming this is something evil. I'm just saying that it's easy to forget that something you use all the time may be keeping track of history - and to behave or configure accordingly.

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16


  • The kicker is that most privacy statements say something along the lines of:
    "We reserve the right to change the terms of this agreement"
    What they mean is that if they decide later to use your information, they will just say so later.

    But not until after the story is on /.

    :-)

    ======
    "Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

  • by chown ( 62159 ) on Saturday November 06, 1999 @11:50AM (#1556377)

    All versions of RealPlayer G2 send it, and I believe all versions of 5.0 did as well. They look like this:

    22a7cc46-7962-11d2-8612-006097a1ae04

    It gets logged by RealServer G2, which is sort of funny, since it doesn't really do RealServer admins a whole lot of good, I guess you could get accurate numbers of how many REALLY unique hits you got, on a per-player basis, but I usually just do it by IPs and nobody seems to care. So one would assume that RBN is tracking this in some fashion for their own use.

  • I wonder if anybody will reverse engineer enough of the protocol to flood the servers with bogus tracking data?

    B-)
  • I think you are working at too high a level, reverse engineer the protocol, why? If you don't like them intruding on your privacy, you could just Smurf the server, all you need is the IP addy.


    First: I don't intend to do this. I was just wondering whether/how long until someone did.

    Second: Smurfing the server just stops it from collecting new information. Handing it bogus data corrupts what has already been collected.

  • Ooh, sounds neat. You should put the code for that on the Web. (just make sure it doesn't mangle Slashdot's cookies, they're the only ones that matter)
    --
  • When forms ask for a city, state, country, and zip code, I put in:
    Shneederville, New Hampshire, Albania, 66666.
    I haven't encountered a form yet that cares about the inconsistencies or the fact that there's no town anywhere named Shneederville.
    --
  • hmmm i'm probably spinning this the wrong way, but that seems like a darn good reason for using open source software.....

    If you're really that paranoid, you can check the source to see where your keypresses are going. :)
  • yeah, that's just what we need, more clueless laws from congress about things they can't keep up with.


    (sorry that's knee-jerk)
  • A CODEC is CODE DECODE shortened up ... a short form for an algorithm that encodes and decodes a stream of data (in this case).

    For instance, Real Player G2 will see a stream and notice that it doesn't know what to do with, say, RealFlash 2.0 data, so it downloads the RealFlash2.0 "CODEC" to handle it.

    They both do this.

    IMHO, this is what all software should do.


    - Michael T. Babcock <homepage [linuxsupportline.com]>
  • i don't know about Linux, but for windows i have (or had, i forget) a RA -> wav decoder. Then you just encode the wav
  • Why do I care that programs upload a guid? UUIDs are a very efficient tool for a lot more than keeping track of who is using the product and their various pieces of registration information. We are sort of schizoid about this stuff. Privacy is effectively dead through technological innovation. You are literally watched or watchable almost every moment of the day. Or didn't anyone notice these capabilities? We groan about RP getting our id and at the same time would like to live in a world that tailors itself to our likes and dislikes a bit more closely including advising us of various opportunities and products (at least when we want to know). This sort of stuff can't be done without gathering information and knowing who you are. Online business cannot be finalized without you effectively having a digital signature/fingerprint.

    Perhaps the needed balance is the ability to simply say NO when we wish to or provide alternate minimum information.

  • In Open source, even if most people don't read the source code, chances are that a programmer will and will see that the program sends out information and will tell everyone about it.
  • by gad_zuki! ( 70830 ) on Saturday November 06, 1999 @11:43AM (#1556388)
    Now that privacy issues are getting more and more press, the time is ripe for a cartoony privacy mascot. Companies can attach his picture to their products if their software doesn't reveal or track any user info. I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

    If we're lucky some guy in a Panda suit will follow around the fed's new anti-hacking mascot around to all the gradeschools.

    If we're really lucky he'll pick a fight with the anti-hack gerbil as he tries get converts for the CIA kids program. [cia.gov] "No kids, snitching is bad, take that you filthy gerbil!"

  • No, it isn't sending out info... It is checking your net connection. I had a similar thing happen to me and i checked what it was doing, it was trying to access windowsupdate.
  • I agree 100%. Everyone is complaining about things like these, remember when Intel came out with the PIIIs? ALL ethernet cards have a unique 12 character code, these numbers are used for DHCP purposes and could (I'm sure they are) be used for tracking purposes. Shouldn't someone complain about that?
  • I hope someone who is more knowledgeable about this will correct me if I'm wrong, but isn't a GUID just a part of MS's Common Object Model? My understanding was that each component in a COM system is assigned a GUID. In order to access other components on the system, you need to ask the system for them by GUID instead of by name (as in a smart system like Java). Seems like this could just be some software engineer out there trying to make RealPlayer DCOM compatible or some such. Anyone know anything about that possibility?
  • There are all sorts of programs available for finding and killing cookies. Are there network sniffing resources that can detect and report this sort of thing? Maybe even catch and kill them on their way out? A little program like this would be a good way to catch more programs like this before they've been circulated to > 69 Million users.
  • I've always been one who hasn't worried much about posting personal-ish information in various places, because if someone really wanted to find out information on me, they could get it somehow, so why bother hiding it? Nevertheless, things like this piss me off. Companies who assign you a number and then track the things you do with their software without EXPLICITLY informing you of their intentions BEFOREHAND are way out of line. It doesn't matter how valuable the information is in their endeavors to earn money via advertising and whatnot - it's blatantly infringing upon our personal rights. It might be more acceptable for them to state that before you are able to install the software (ie - software agreement), because then that way you know what you're getting into, and you can make a choice then based upon what they're collecting and what they're doing with it.

    It is my opinion that companies should be mandated to include these statements in licensing/software agreements. Having RealNetworks finally come forward with this after getting poked in the ass is not acceptable. Remember when Microsoft used to send hardware information when you'd register online? How many people's feathers did that one ruffle? Use of RealPlayer is almost as broad as that of Windows 95/98 (it's on this computer I'm using now in a computer lab on campus, even). People need to take a serious look at what's going on, and take measures to deal with it.
  • with the millions of people that use both windows media player and real audio i don't think it's too big of a privacy concern. more of a marketing concern i would guess.

    windows media player also gets "codecs" i think from some microsoft.com server occasionally. i'm not a big MS person so.. does anyone know what these are?

    tyler
  • i don't see why the linux version wouldn't.. although that is just a guess.

    i've never heard of a program that specifically does ra -> mp3, but there's ways. maybe record a big .wav and encode it? i dunno.. just a guess

    tyler
  • by spectro ( 80839 ) on Saturday November 06, 1999 @12:26PM (#1556396) Homepage
    I was updating from win95 to win98 and have a small home network with a linux machine as a dial-on-demand router to the internet. I remember when win98 installation was almost finished the linux started calling the internet. The trigger was a DNS query I couldn't log at that moment, but unplugged the net connection to the win98 box. It was hanging for about two minutes before it continued and finished win98 install.
  • Gee it's a GUID. The last part of it has the id that your network card contains...or it's faked if you don't have a card.
    It's no more of a concern than having your IP tracked. Or having to use a credit card.

    Relax ok. The only ones who have anything to fear are people who crack.
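
Added example, not part of any comment in this thread and not RealNetworks code: it decodes the GUID quoted above (a version 1 UUID, which carries a creation time and the network card address the comments mention) and shows the kind of outbound-traffic check another commenter asks for. The function names and the sample capture are constructed for illustration.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# The GUID quoted in the thread above.
THREAD_GUID = "22a7cc46-7962-11d2-8612-006097a1ae04"

GUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-"
    r"[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)
# Version 1 timestamps count 100 ns ticks from the Gregorian calendar reform.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_guid(text):
    """Return what a GUID reveals; time and MAC exist only in version 1."""
    u = uuid.UUID(text)
    info = {"guid": str(u), "version": u.version,
            "created": None, "mac": None, "mac_is_random": None}
    if u.version == 1:
        info["created"] = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        node = u.node.to_bytes(6, "big")
        info["mac"] = ":".join(f"{b:02x}" for b in node)
        # RFC 4122: a host without a NIC uses a random node ID and sets the
        # multicast bit so it cannot collide with a real card address.
        info["mac_is_random"] = bool(node[0] & 0x01)
    return info


def scan_payload(payload):
    """Find GUID-shaped tokens in captured outbound bytes and decode each."""
    text = payload.decode("latin-1")
    return [decode_guid(m.group(0)) for m in GUID_RE.finditer(text)]


# Constructed capture for the demo. This is NOT RealPlayer's wire format;
# it only shows a persistent v1 GUID next to a random v4 one.
SAMPLE_CAPTURE = (
    b"GET /stream?client_id=" + THREAD_GUID.encode() + b" HTTP/1.0\r\n"
    b"X-Session: 3f2b8c1e-9d47-4a6b-8e21-5c0d7f9a1b34\r\n\r\n"
)

if __name__ == "__main__":
    for hit in scan_payload(SAMPLE_CAPTURE):
        print(hit)
```

A version 4 GUID is random and decodes to nothing, so only the version 1 hit links the traffic to a specific machine and install time.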
  • "Your ISP can record EVERY MOVE YOU MAKE" What about a nice blowfish SSH to your friend's box and doing lynx? (yes I realize then it's his ISP watching)
  • With apologies to George Orwell.

    Who let Scott McNealy have an account here, anyway?

  • CDDB (www.cddb.com) has been tracking every cd you listen to using your email address. Sure you can enter a bogus address when you are asked for one, but you can enter bogus info with RealNetworks or any of the others too.

    - Isaac =)
  • Mark this comment up, this is the easiest solution to the problem.

    Some information gathering servers compare client domain to ensure you are who you say you are though.

    I always use nospam@whateverdomainimloggedonto.com and specify a juno or hotmail account if I actually want to correspond. My windows registration is X.

  • This is no surprise at all. The surprise is how many of these exist that are not publicized.

    And I doubt it stops there. I would think every major ISP is tracking hits from every user, particularly to correlate web purchases with web site visits. That is very valuable info. Your ISP can record EVERY MOVE YOU MAKE if they are so inclined. And it is worth a lot, so in business terms they would be idiots not to track you.
  • People always bitch about being logged, having serial numbers on their computer, well why hasn't anyone started bitching about the MAC address on your nic card it is a unique number and is easy for anyone to get ???
  • Good grief people, it's just a number. Most software/freeware gathers far more info from you (or tries to anyway) when you download it from their site. And why shouldn't they? Hell, they invested the time and money to write it, and all they want in return is to know who's using it. The least you can do is answer honestly, or don't whine about the free software. Are you forgetting that the whole damn Linux movement is central to the concept of "free"?

    Geez, people, they're GIVING it away. If you don't like what you get, write your own damn players. Don't bitch about something you get for free because it does something horribly invasive like sending a unique random number to some server every time you use it. Ooo! Scary! Get a life.
  • Oh, you think so, how about: "Sorry kid, we won't hire you, some information we gathered showed you're online till 2 o'clock during the working days, we can't have that over here.." Or, "Sorry kid, we noticed that you visit online porn quite frequently and we are afraid that it might influence your behaviour at work, since we have too many sexual harassment cases already." Or how about sending information about how many decrypted .vobs and .mp3s you hardened criminal own on your computer (Personally, I buy a cd & stuff it in mp3 on my compu, b'cause I'm damn lazy)?!
    Recently, I just pulled a CV from someone's pc over the internet (just for the fun of doing it, by using a program that exploits M$ security problems), which stated the person was male and noticed a lot of male porn too. I also found some letters applying for jobs. Do you think he would like it if anyone else has access to this information? I mean look at Australia & America, you just need one anti-terrorist act and people who are under the impression Slashdot encourage anarchist & terroristic activities and online gathered information about you, would be enough to send you to jail... I can think of many other things, but my point is, everyone has the need of privacy and if you don't understand that, then you've got a lot to learn.
  • How about creating an ethernet network card that chooses a random MAC address at boot? I've been told ethernet cards are easy to make and with ~16^12 possibilities you aren't likely to have a MAC collide..
    Now the only thing for the Windows OSes is, that I don't know if the MAC address is stored in the registry at the installation of the OS and if so, are windows programs retrieving their information from it?
    And the next thing to do, is finding a way to fool IPV6...
  • This is what I get to hear all the time at work, with friends etc.. Why do I need privacy? You think it's funny to joke around with? Wait till all pieces of the puzzle come together!
  • It's only a matter of time before I'm going to disconnect my ethernet card so that I can be _sure_ that nobody is transmitting every key press.

    What everyone seems to be overlooking is that it's obvious that Real is just a front. Truthfully, Real=Echelon. It's a conspiracy--MP3s, streaming music, everything was made by the world-wide government to

    A. Hand out free software that allows them to track all usage.

    B. Encourage illegal activity so that anyone can be arrested for pirating whenever it's needed.

    ~=Keelor

    I'm not insane... the voices told me so.

  • I sometimes use an email address that reflects who I've given it to. So if I register for RealAudio I might call myself something like realaudio@tanelorn.demon.co.uk. That way I can track down who's been giving out my e-mail address when the spam pours in.
  • But you still remain anonymous...
  • by Raindeer ( 104129 ) on Saturday November 06, 1999 @12:31PM (#1556415) Homepage Journal
    When hearing this story, it sounds like I am hearing the same story that I have heard way too often in the last 5 years, but now with Real's name in the subject header. I really start to wonder the following things.

    1. Why does everything have to be recorded with a GUID embedded in the program? If anything use cookies that are only sent back to the site they originate from. This way it will be a bit harder to cross-reference, but they are still useful for the purpose of figuring out what certain groups like.

    2. Why does it seem that these things are always found by the same people? It doesn't sound too difficult to me to monitor what is going in and out of your machine.. (but I am not a techie, so shoot if I am wrong) Basically, why is there no group that is occupied with this? A concerted action might make that certain companies think twice before doing it.

    3. Why do these things always get called bugs and glitches? I have seen some pretty stupid coding in my life, but I have the faint idea that you don't get this by letting your cat walk over the keyboard. (Again, correct me if I am wrong). Somebody put them there for a reason and I get the idea that there are a lot more than we know...

    Well those are my two cents. I am waiting for the day my teachers call me and tell me that their data shows, that my reading of Slashdot is negatively affecting my grades :-)

    -----------------
