Adobe Quietly Monitoring Software Use?

henrypijames writes "For months, users of Adobe Creative Suite 3 have been wondering why some of the applications regularly connect to what looks like a private IP address but is actually a public domain address belonging to the web analytics company Omniture. Now allegations of user spying are getting louder, prompting Adobe Photoshop product manager John Nack to respond, though many remain unsatisfied with his explanation."

2o7.net *Not* 207.net

[Zymergy]

Clarification: That is ...'2o7.net' as in 'Two-Ocsar-Seven.net' *NOT* 'Two-Zero-Seven.net'

The Opt-Out "Explanation" page is here: http://www.omniture.com/privacy/2o7

Still, the dubious address http://192.168.112.2o7.net/ appears to be some variation of Social Engineering. http://en.wikipedia.org/wiki/Social_engineering_(computer_security)

This might explain some of Adobe's seeming software bloating (like Acrobat Reader, etc...) http://www.google.com/search?hl=en&q=Acrobat+reader+bloat

Re:2o7.net *Not* 207.net

[ASkGNet]

I've sniffed the data sent to that address. It includes the serial number of the software:

GET /b/ss/mxcentral/1/F.3-fb/[sn-here]?[AQB]&purl=mm&pccr=true&c2=dw&c3=9.0&c4=win&c5=en&c6=full&c7=&c8=&c9=dw_9.0_win_en_full__[AQE] HTTP/1.1
Referer: http://www.adobe.com/startpage/dw_content/dw_90_full_default.swf?prod=dw&ver=9.0&plat=win&lang=en&stat=full&tday=&spfx=&productName=dreamweaver
x-flash-version: 9,0,45,0
User-Agent: Shockwave Flash
Host: 192.168.112.2O7.net

and returns a 2x2 pixel blank GIF.

Phisher's Delight

[bobdotorg]

In an updated post:
http://blogs.adobe.com/jnack/2007/12/whats_with_adob.html
the Adobe guy says:
the objections seem to center not so much on whether Adobe apps are contacting a server, but rather that the server is named "192.168.112.2O7.net,"

Note the letter O instead of a zero. 2o7.net is registered to Omniture.

WTF? If Little Snitch told me that some app was trying to connect to 192.168.112.2O7.net I would assume it was compromised, and would be debating a complete clean system reinstall of OSX.

192.168.112.2O7.net? Masquerading as an IP from my home DHCP server? Are they serious? From Nigeria? Romania?

Again, WTF?

P.S. for those of you who have not set up a LAN, 192.168.xxx.xxx is typically an IP address for an internal LAN, not something out on the Web.

Opt-out site

[seer]

http://www.omniture.com/privacy/2o7#optout This is the site to install an "opt-out cookie". I'm going to go ahead and guess it might help to visit this site within the embedded Opera browser in CS3. Who knows where that thing keeps it's cookies. Granted, getting this info from a comment on a post to a blog is not the way to have a good opt-out policy. Something in the installer would be nice.

Re:Not about spying

[BSAtHome]

However, in this case you should block 216.52.17.0/24 to get rid of Omniture...

$ host 192.168.112.2O7.net
192.168.112.2O7.net has address 216.52.17.136
192.168.112.2O7.net has address 216.52.17.207

$ whois 216.52.17.136
[Querying whois.arin.net]
[whois.arin.net]
Internap Network Services PNAP-8-98 (NET-216-52-0-0-1)
216.52.0.0 - 216.52.255.255
Omniture PNAP-SFJ-OMNITU-RM-01 (NET-216-52-17-0-1)
216.52.17.0 - 216.52.17.255

Re:This is very common

[ptbarnett]

M$oft of cause always accesses some port 123 when starting XP.

Port 123 (both UDP and TCP) is the NTP port.

Double-click on the time on the right end of your taskbar to open the Date and Time Properties dialog box, then click on the Internet Time tab.

I believe it defaults to time.windows.com. I change mine to us.pool.ntp.org.

People run their machines with default HOSTS?!

[Tumbleweed]

Please do yourself a favour and download this HOSTS file:

http://www.mvps.org/winhelp2002/hosts.htm

And use it. That domain has long since been blocked. Jeez, people. Old news.