Slashdot Mirror

← Back to Stories (view on slashdot.org)

Adobe Quietly Monitoring Software Use?

Posted by Zonk on from the probably-not-that-big-a-deal dept.

henrypijames writes "For months, users of Adobe Creative Suite 3 have been wondering why some of the applications regularly connect to what looks like a private IP address but is actually a public domain address belonging to the web analytics company Omniture. Now allegations of user spying are getting louder, prompting Adobe Photoshop product manager John Nack to respond, though many remain unsatisfied with his explanation."

18 of 304 comments (clear)

  1. 2o7.net *Not* 207.net by Zymergy · · Score: 4, Informative

    Clarification: That is ...'2o7.net' as in 'Two-Ocsar-Seven.net' *NOT* 'Two-Zero-Seven.net'

    The Opt-Out "Explanation" page is here: http://www.omniture.com/privacy/2o7

    Still, the dubious address http://192.168.112.2o7.net/ appears to be some variation of Social Engineering. http://en.wikipedia.org/wiki/Social_engineering_(computer_security)

    This might explain some of Adobe's seeming software bloating (like Acrobat Reader, etc...) http://www.google.com/search?hl=en&q=Acrobat+reader+bloat

    1. Re:2o7.net *Not* 207.net by ASkGNet · · Score: 5, Informative

      I've sniffed the data sent to that address. It includes the serial number of the software:

      GET /b/ss/mxcentral/1/F.3-fb/[sn-here]?[AQB]&purl=mm&pccr=true&c2=dw&c3=9.0&c4=win&c5=en&c6=full&c7=&c8=&c9=dw_9.0_win_en_full__[AQE] HTTP/1.1
      Referer: http://www.adobe.com/startpage/dw_content/dw_90_full_default.swf?prod=dw&ver=9.0&plat=win&lang=en&stat=full&tday=&spfx=&productName=dreamweaver
      x-flash-version: 9,0,45,0
      User-Agent: Shockwave Flash
      Host: 192.168.112.2O7.net

      and returns a 2x2 pixel blank GIF.

    2. Re:2o7.net *Not* 207.net by klui · · Score: 2, Informative

      They probably go to the same company:

      Pinging 192.168.112.207.net [216.52.17.207] with 32 bytes of data:
      Pinging 192.168.112.2o7.net [216.52.17.136] with 32 bytes of data:

  2. Phisher's Delight by bobdotorg · · Score: 4, Informative

    In an updated post:
    http://blogs.adobe.com/jnack/2007/12/whats_with_adob.html
    the Adobe guy says:
    the objections seem to center not so much on whether Adobe apps are contacting a server, but rather that the server is named "192.168.112.2O7.net,"

    Note the letter O instead of a zero. 2o7.net is registered to Omniture.

    WTF? If Little Snitch told me that some app was trying to connect to 192.168.112.2O7.net I would assume it was compromised, and would be debating a complete clean system reinstall of OSX.

    192.168.112.2O7.net? Masquerading as an IP from my home DHCP server? Are they serious? From Nigeria? Romania?

    Again, WTF?

    P.S. for those of you who have not set up a LAN, 192.168.xxx.xxx is typically an IP address for an internal LAN, not something out on the Web.

    --
    __ Someday, but not this morning, I'll finally learn to use the preview button.
  3. Opt-out site by seer · · Score: 4, Informative

    http://www.omniture.com/privacy/2o7#optout This is the site to install an "opt-out cookie". I'm going to go ahead and guess it might help to visit this site within the embedded Opera browser in CS3. Who knows where that thing keeps it's cookies. Granted, getting this info from a comment on a post to a blog is not the way to have a good opt-out policy. Something in the installer would be nice.

  4. Firewall by QuoteMstr · · Score: 3, Informative


    # Block access to Omniture -- spyware vendors
    block from any to 216.52.17.0/24

  5. Re:Not about spying by BSAtHome · · Score: 4, Informative
    However, in this case you should block 216.52.17.0/24 to get rid of Omniture...

    $ host 192.168.112.2O7.net
    192.168.112.2O7.net has address 216.52.17.136
    192.168.112.2O7.net has address 216.52.17.207

    $ whois 216.52.17.136
    [Querying whois.arin.net]
    [whois.arin.net]
    Internap Network Services PNAP-8-98 (NET-216-52-0-0-1)
    216.52.0.0 - 216.52.255.255
    Omniture PNAP-SFJ-OMNITU-RM-01 (NET-216-52-17-0-1)
    216.52.17.0 - 216.52.17.255
  6. Re:Not about spying by bornwaysouth · · Score: 2, Informative

    Agree. I installed CS3 on Boxing day. Christmas present, to finally update my Paintshop pro 7. I was annoyed to find some hours later that it was 200 megs into a 370 meg download. It may have subtly asked my permission, but it did not flag the size of the download.

    Mind you, keeping size a secret seems to be standard for most updates even where permission is asked for. First the language is bungled. They ask for permission to 'install' updates as if it had already been downloaded. Then when you think, "Ok, may as well be up to date, since it's got the data now. It's a small patch to block a security hole.", it goes off to get 70 megs or so of update for some damn media player I don't use. (I have teenage children. Media players spontaneously generate inside my computer.)

  7. Re:This is very common by ptbarnett · · Score: 4, Informative

    M$oft of cause always accesses some port 123 when starting XP.

    Port 123 (both UDP and TCP) is the NTP port.

    Double-click on the time on the right end of your taskbar to open the Date and Time Properties dialog box, then click on the Internet Time tab.

    I believe it defaults to time.windows.com. I change mine to us.pool.ntp.org.

  8. I am Immanuel Kant by Anonymous Coward · · Score: 1, Informative

    Incorrect.

  9. Re:No explanation is a good explanation. by padonak · · Score: 2, Informative

    Update: Apparently it's now called Sunbelt Personal Firewall or something like that.

  10. Re:Not firewall related by SleepyHappyDoc · · Score: 2, Informative

    You sure? Back when my home network was simpler, I had a high-up firewall rule to allow all traffic from/to 192.168.*

    I would have been tripped up (fortunately, my network is much more complex now, and this hole no longer exists for me).

    --
    Stasis is death. Embrace change.
  11. They can change the IP address by Skapare · · Score: 2, Informative

    They can change the IP address since they are using a hostname. You need to also add the domain name "2o7.net" (you know, number two, letter oh, number seven, dot net) as a zone in your resolving/caching DNS server, with a wildcard labeled "A" record pointing to somewhere that will be a dead end under your control, like 127.0.0.1.

    --
    now we need to go OSS in diesel cars
  12. Re:How do I block it? by causality · · Score: 2, Informative

    would using Squid offer any advantages over using, Little Snitch for such purposes?

    Well, Squid is a Web (TCP port 80 and friends) proxy only, whereas Little Snitch is a general monitoring app that can alert you to just about any outgoing traffic much like an outgoing firewall. So, they would work well when used in combination, since Squid can be used to control HTTP traffic in very specific ways beyond "is application X allowed to connect to site Y?" Not to mention that with a Web browser, of course you want it to be able to connect to TCP port 80 and you probably don't want to be prompted at every attempt to connect to a new Web site (it would drive you nuts), so a Little Snitch user would probably just allow the browser to use that port regardless of the site and then Squid would be the better tool to specifically control this.
    --
    It is a miracle that curiosity survives formal education. - Einstein
  13. People run their machines with default HOSTS?! by Tumbleweed · · Score: 4, Informative

    Please do yourself a favour and download this HOSTS file:

    http://www.mvps.org/winhelp2002/hosts.htm

    And use it. That domain has long since been blocked. Jeez, people. Old news.

  14. Re:Not about spying by jimdread · · Score: 2, Informative

    Suppose you discovered that GIMP was connecting to a strange looking host -- what would you do then?

    Edit the source, remove the code that makes it connect to a strange looking host, recompile GIMP, and release a patch for others who don't want their software doing strange things.

  15. I wouldn't call it quietly... by LilGuy · · Score: 3, Informative

    I noticed something odd from the first moment I fired up CS3 and tried to create a new image. It hung for a few moments and then I noticed some heavy network use. This happens every single time I fire up CS3. I knew about this quite a while ago, but never did sniff to see what exactly was happening. I did disable my network connection once to see if it would still allow me to create a new image, which it did.

    --

    You're nothing; like me.
  16. Re:No explanation is a good explanation. by sakusha · · Score: 3, Informative

    Now, if he had saved in some odd SGI format circa 1990, I'd agree with you.

    Gee, it's funny you mention that. A long time ago, maybe Photoshop 2.0 era, I had a client who liked to submit files in .sgi format. He worked on an SGI Irix or something, he didn't have any way to convert them to something I could read.
    So I emailed John Knoll to ask how I could read .sgi files in Photoshop. He wrote back and asked for a sample .sgi file for testing. I sent him one, and the next day, he emailed me a brand new .sgi file import plugin. I was amazed, so I emailed him back that I couldn't read Scitex CT files either. He wrote me a plugin for that too, same 24 hour turnaround. They were both publicly released through Adobe.
    I don't see any .sgi support in the current CS3 release, but that's probably because it's deprecated. It does have Scitex CT support, though.