Slashdot Mirror

← Back to Stories (view on slashdot.org)

Sun Java Runtime Uploads Usage Data to RedSheriff?

Posted by Hemos on from the any-news-on-this dept.

stereoroid writes "

It appears as if the Sun Java 2 Runtime Environment, version 1.3.1_02 and later, is reporting usage statistics to a company called RedSheriff, presumably on behalf of Sun. This was the Win32 version, but other versions probably have the same "feature". If you load up the Java Console, you see multiple messages like this:

----------- RedSheriff Measurement -----------
Privacy: http://www.redsheriff.com/privacy.htm
Record Sent

I noticed this while setting up the latest version of Compaq Insight Manager 7, which includes JRE 1.3.1_02 (but works with 1.4.0 too). I started examining what was happening using a network sniffer, and could see several http requests to a server under http://imrworldwide.com/, a domain name owned by RedSheriff. The data in the packets included details of the system environment, and I even saw a URL that I had accessed in a previous unrelated browser session. This was a partial capture only, it doesnt happen every time, but Ill keep watching to see what else goes through. If I use the JRE, must Sun know my IP address and what OS Im running, and more? This has also been quietly commented on in Sun's Java Forums too. I'm currently digging for a way around this - any ideas, besides a firewall?"

7 of 52 comments (clear)

  1. add imrworldwide.com to your hosts file by tswinzig · · Score: 3, Informative

    In W2K/XP, look in winnt\system32\drivers\etc for a file called hosts. Add this line:

    imrworldwide.com 127.0.0.1

    Save. Reboot. (Or kill the java/browser processes and restart them.)

    --

    "And like that ... he's gone."
  2. Nothing found by Ivan+the+Terrible · · Score: 5, Informative
    There's nothing in the sources (as distributed) to validate this claim.
    $ find /usr/local/src/jdk1_3-src -type d \( -name RCS -o -name CVS -o -name SCCS \) -prune -o -type f \! -name \*\~ \! -name \*\,v \! -name s.\* -print0 | xargs -0 -e grep -n -e imrworldwide\|redsheriff\|RedSheriff /dev/nu ll
    $
  3. It's not part of the Java runtime by Anonymous Coward · · Score: 1, Informative

    Redsheriff is a spyware applet as a quick search at
    google would reveal. It's not part of the Java runtime.

  4. This is absolutely not part of the Java Runtime by lurp · · Score: 5, Informative
    RedSheriff is definitely not a part of the Java Runtime. It is an applet that various web sites use to track usage statistics. A quick read of their privacy policy, a google search, or even a quick look at a security newsgroup would have told you that.

    Don't slashdot editors check these stories before posting them?

    1. Re:This is absolutely not part of the Java Runtime by Anonymous Coward · · Score: 2, Informative

      No update to the story headline yet - the editor deserves flogging.

  5. Fucking do *some* verification before posting by gaj · · Score: 5, Informative
    redsherrif is a spyware applet, not part of the J2SDK.

    A two fucking second search on google would have given you that much info. For the record, running strings on all the bins and libs in the j2sdk1.4 showed neither imrworldwide nor redsherrif.

    I know this is hard stuff, using google an all, so click here to save yourself the trouble.

  6. Re:Sneakiness destroys a relationship. by fantastic · · Score: 2, Informative

    Sounds like Sun could prove a case of malicious falsehood here

    The information is not correct and is known to be not correct and is damaging to Suns reputation