Sun Java Runtime Uploads Usage Data to RedSheriff?

stereoroid writes "

It appears as if the Sun Java 2 Runtime Environment, version 1.3.1_02 and later, is reporting usage statistics to a company called RedSheriff, presumably on behalf of Sun. This was the Win32 version, but other versions probably have the same "feature". If you load up the Java Console, you see multiple messages like this:

----------- RedSheriff Measurement -----------
Privacy: http://www.redsheriff.com/privacy.htm
Record Sent

I noticed this while setting up the latest version of Compaq Insight Manager 7, which includes JRE 1.3.1_02 (but works with 1.4.0 too). I started examining what was happening using a network sniffer, and could see several http requests to a server under http://imrworldwide.com/, a domain name owned by RedSheriff. The data in the packets included details of the system environment, and I even saw a URL that I had accessed in a previous unrelated browser session. This was a partial capture only, it doesnt happen every time, but Ill keep watching to see what else goes through. If I use the JRE, must Sun know my IP address and what OS Im running, and more? This has also been quietly commented on in Sun's Java Forums too. I'm currently digging for a way around this - any ideas, besides a firewall?"

What can you do?

[kingosric]

Send back fake results to screw up their data....

Edit.

[QuodEratDemonstratum]

If you haven't got a firewall, edit the binary and alter the URL the messages are sent to. "http:www.sun.com/abuse" should send the point when they look in their server logs.

add imrworldwide.com to your hosts file

[tswinzig]

In W2K/XP, look in winnt\system32\drivers\etc for a file called hosts. Add this line:

imrworldwide.com 127.0.0.1

Save. Reboot. (Or kill the java/browser processes and restart them.)

Re:add imrworldwide.com to your hosts file

[tswinzig]

imrworldwide.com 127.0.0.1

Whoops, I reversed it, use this instead:

127.0.0.1 imrworldwide.com

Re:add imrworldwide.com to your hosts file

[tswinzig]

That will make the Java runtime slow(er) though because all requests have to time out (unless you're running a webserver).

Errr no. Java is multi-threaded. Obviously they must be doing this in another thread, or every time someone uses this thing behind a firewall or off a network, it would block. I don't think so.

Nothing found

[Ivan+the+Terrible]

There's nothing in the sources (as distributed) to validate this claim.

$ find /usr/local/src/jdk1_3-src -type d \( -name RCS -o -name CVS -o -name SCCS \) -prune -o -type f \! -name \*\~ \! -name \*\,v \! -name s.\* -print0 | xargs -0 -e grep -n -e imrworldwide\|redsheriff\|RedSheriff /dev/nu ll
$

This is absolutely not part of the Java Runtime

[lurp]

RedSheriff is definitely not a part of the Java Runtime. It is an applet that various web sites use to track usage statistics. A quick read of their privacy policy, a google search, or even a quick look at a security newsgroup would have told you that.

Don't slashdot editors check these stories before posting them?

Re:This is absolutely not part of the Java Runtime

No update to the story headline yet - the editor deserves flogging.

Re:This is absolutely not part of the Java Runtime

[Yarn]

If I were one of Sun's legal team I'd be sending legal flames as if it were going out of fashion ;)

I'm sorry, but I really think Slashdot needs a slap to get its house in order.

*thinks* maybe I need to have my coffee, I am a bit grumpy *thinks*

Fucking do *some* verification before posting

[gaj]

redsherrif is a spyware applet, not part of the J2SDK.

A two fucking second search on google would have given you that much info. For the record, running strings on all the bins and libs in the j2sdk1.4 showed neither imrworldwide nor redsherrif.

I know this is hard stuff, using google an all, so click here to save yourself the trouble.

Re:Fucking do *some* verification before posting

Yup, it's a spyware applet and I posted this story almost a month ago when I discovered that the news section of the BBC where using it to track usage.

A quick visit to the site suggests that they have stopped now. A visit to the redsheriff website is amusing; the 'business speak' is impressive - I would offer a link but I don't think the fish can translate from marketing b*llsh*t :)

They ignored my story and then published somebody else's badly researched version.... bah... editors.... grrr... slashdot.. paaa... Rob

Re:Fucking do *some* verification before posting

[josepha48]

This is good to know. It means that the person visited a site that had this installed and loaded it on their site. The best thing to do after this happens is to shut down your browser, manually clear your browser cache then, restart your browser.

Of course for added bonuses you could add a line in your host file that would redirect traffic to these sites to your local host. If you did this though and are not running a service on this port AND DON'T have a firewall, you may have to wait for the browser to timeout the connect to this site.

If you do start a service on that port (probably port 80) to answer the requests it would prevent the browser time outs. I'm sure a simple perl server on port 80 would handle the request and drop it to the floor.

Of course you have to realize that the person who reported this is a windows user user so they needed this dumbed down for them. A UNIX user would have searched the web first and gotton some info on this first.

Re:Sneakiness destroys a relationship.

[fantastic]

Sounds like Sun could prove a case of malicious falsehood here

The information is not correct and is known to be not correct and is damaging to Suns reputation

Probably encrypted.

[Futurepower(R)]

If the story is true: It wouldn't take an intelligent person to encrypt or obfuscate the information in such a way that a string search would not find anything.

I accept that he has a trojan.

[Futurepower(R)]

I accept that he has a trojan. I accept that Sun may not be the source of the trojan.

The principles stand, however. The principles do apply to all the big companies that actually have abused our trust this month, such as Microsoft (with Hotmail) and last month, such as Yahoo (with Yahoo mail).

Also, I note that no one who has commented has actually run the same test. I presume you are only guessing.

Responses from Poster

[stereoroid]

1. You think I didn't check this first? Why did I see this behaviour on 2 different systems, starting with the installation of a new Sun JRE?
2. Yes, I used a search engine, and found the same Trojan data. Yes, it's a Trojan, but who put it on my system? From the evidence, it appears that this is being done on Sun's behalf. I know it might not have come from Sun, but this behaviour started with a new JRE, and we don't go surfing the Net on a working server console.
3. By "short of a firewall", I should have said "another firewall". I don't have the privileges to modify a corporate firewall (it's a very big company). Thanks for the reminder about modifying the hosts file - last resort, I guess.
4. You assume that because I am using some Win32 systems here at work, that I am a Windoze Luser, and can thus be dismissed with a few careless swearwords. I'm not interested in getting into a pi$$ing contest with anyone, I'll just say that I know that nothing sucks like M$, yet I can deal with them and their products professionally. And you wonder why we're not all using Linux yet, with such lame attitudes?

None of the above comments go any way towards answering my question. l33t nerds - who needs 'em?

Re:Responses from Poster

[stereoroid]

It wouldn't surprise me if Compaq, did that stuff. According to the product roadmaps, Insight Manager is heading for the grave anyway, to be replaced by HP OpenView family products.

The JRE did come straight from Sun - the CIM console sends you straight there...

Thanks for a civil response..!

Re:Responses from Poster

[scrytch]

I was going to address your points individually, but frankly I think you've written everyone off already. I hope you're putting up an anti-Sun page right now, excoriating them for their spyware, and calling for a class-action suit or something. Would serve you right when you end up with egg on your face.

None of the above comments go any way towards answering my question.

What question? You started with an accusation. Your accusation was demolished. You weren't told what you want to hear, so you're throwing a tantrum. By all means, do pick up your ball and go home.

What are the limits of web site visitor tracking?

[Futurepower(R)]

I did as you said.

I turned off JavaScript and Java in Opera's File/Preferences/Multimedia menu. I selected "Throw away new cookies on exit" in Opera's Privacy Preferences.

Then I went to the Telstra home page and downloaded the source. (Wow, The Telstra home page is ugly.)

In the source I found mention of a RedSheriff JavaScript file, http://telstra.imrworldwide.com/a1.js. I downloaded that. (You can download the file by just right-clicking on the link and selecting "Save target as".)

Then I downloaded another RedSheriff Java program that I found mentioned in the Telstra home page source, http://server-au.imrworldwide.com/Measure.class.

Embedded within this binary is RedSheriff's Privacy policy web page address: http://www.redsheriff.com/privacy.htm.

Basically it seems that RedSheriff is carrying visitor tracking to the limits, including tracking unsuspecting novices who may give them personal information.

Looking at the code, I don't see any attempt to go beyond the boundaries of what the JavaScript and Java languages allow. However, I'm not knowledgeable enough to see everything the code is doing. Can someone help with this?

Rejected Slashdot story submission

[Futurepower(R)]

Subject: What are the limits of web site visitor tracking?

There is a very interesting story in this, but the Slashdot editors didn't think so.

RedSheriff tracks visits to web sites, and claims to be "the world's largest interactive media business intelligence specialist". RedSheriff claims "incomparable accuracy" using "superior patented technology" that "records user activity at the source, giving clients unprecedented access to data that accurately describes user behaviors". This raises a question: How much can they know about you?

To investigate RedSheriff claims, I visited the web sites of two of RedSheriff's clients, Telstra and Virgin Direct's Virgin Money.

(I prepared by turning off JavaScript and Java in Opera's File/Preferences/Multimedia menu, and selecting "Throw away new cookies on exit" in Opera's Privacy Preferences.)

I went to the Telstra home page and downloaded the HTML source. (Wow, the Telstra home page is ugly.) In the source I found mention of a RedSheriff JavaScript file, http://telstra.imrworldwide.com/a1.js. I downloaded that. (Save the effort of re-configuring your browser by just right-clicking on the link and selecting "Save target as".) Virgin Money's site has a different RedSheriff Javascript file, http://server-uk.imrworldwide.com/a3.js. Do a search for "Red Sheriff", with a space.

Then I downloaded a RedSheriff Java program that I found mentioned in the Telstra and Virgin Money home page sources, http://server-au.imrworldwide.com/Measure.class. Embedded within this binary is RedSheriff's privacy policy web page address: http://www.redsheriff.com/privacy.htm. ("RedSheriff Cares about Your Privacy", it says, humorously trying to have it both ways in the same web site.)

Basically it seems that RedSheriff is carrying visitor tracking to the limits, including tracking unsuspecting novices who may foolishly but voluntarily give them personal information. Looking at the code, I don't see any attempt to go beyond the narrow boundaries of what the JavaScript and Java languages allow. However, I'm not sure I see everything the code is doing. Can someone help with this? What are the limits?

Slashdot had a story about RedSheriff, Sun Java Runtime Uploads Usage Data to RedSheriff? Judging from the comments, there is some doubt about who is RedSheriff's client in that situation. The story submitter defended his information, and no one seems to have done a verifying test. (It would be easy to hide encrypted references to RedSheriff sites within binary. It would be easy include something in the binary that was not in the freely distributed source.) Note that the first part of one of the RedSheriff Javascript URLs above contains the name of the client, Telstra.