Slashdot Mirror
Adobe Quietly Monitoring Software Use?
henrypijames writes "For months, users of Adobe Creative Suite 3 have been wondering why some of the applications regularly connect to what looks like a private IP address but is actually a public domain address belonging to the web analytics company Omniture. Now allegations of user spying are getting louder, prompting Adobe Photoshop product manager John Nack to respond, though many remain unsatisfied with his explanation."
To clarify the summary, the biggest issue is not the spying on users; the biggest issue is the deceptive server name, 192.168.112.2O7.net. It's at least meant to confuse unwary users, and possibly meant to confuse misconfigured firewalls.
As someone said on a blog I can't find right now, this is not a story about privacy; it's a story about lies.
The United States of America: We do what we must because we can.
So far, i have not yet read anything about the transmitted data. Finding that data one would reasonably expect to be private without explicit release would be a serious problem. However, we don't have that - or its opposite. John Nack has given the best generic response that he is able, and I won't know what to make of Adobe's actions until we learn more about the data transmitted, probably next week.
As Trombone says the misleading server name is the issue. As I perceive it, this smells bad. Microsoft-style bad to be blunt.
..did with XCP, then Adobe doesn't get to claim innocence for whatever the heck the Omniture code is doing.
Simply put, the only things on my machine that should phone out should be voluntarily invoked by me - the user. Namely the web browsers, software update, ssh, etceteras.
.doc files.
Adobe's behavior of late (and it will only get worse) is why applications like Little Snitch exist.
This kind of thing is why I wish The GIMP or similar would get useable* for those of us with hundreds of gigs of Photoshop documents.
* Open, Save, full support for all blending modes, masking modes, layer groups, and fonts/text editing capability up to at least Photoshop CS. I don't need the thing to handle Exactly Like Photoshop, but if it's going to be the "photoshop competitor" every FOSS advocate claims it is (instead of, say, the Paintshop Pro competitor that it actually is), then it ought to at least be able to handle my existing documents as well as OpenOffice handles
Clarification: That is ...'2o7.net' as in 'Two-Ocsar-Seven.net' *NOT* 'Two-Zero-Seven.net'
The Opt-Out "Explanation" page is here: http://www.omniture.com/privacy/2o7
Still, the dubious address http://192.168.112.2o7.net/ appears to be some variation of Social Engineering. http://en.wikipedia.org/wiki/Social_engineering_(computer_security)
This might explain some of Adobe's seeming software bloating (like Acrobat Reader, etc...) http://www.google.com/search?hl=en&q=Acrobat+reader+bloat
In an updated post:
http://blogs.adobe.com/jnack/2007/12/whats_with_adob.html
the Adobe guy says:
the objections seem to center not so much on whether Adobe apps are contacting a server, but rather that the server is named "192.168.112.2O7.net,"
Note the letter O instead of a zero. 2o7.net is registered to Omniture.
WTF? If Little Snitch told me that some app was trying to connect to 192.168.112.2O7.net I would assume it was compromised, and would be debating a complete clean system reinstall of OSX.
192.168.112.2O7.net? Masquerading as an IP from my home DHCP server? Are they serious? From Nigeria? Romania?
Again, WTF?
P.S. for those of you who have not set up a LAN, 192.168.xxx.xxx is typically an IP address for an internal LAN, not something out on the Web.
__ Someday, but not this morning, I'll finally learn to use the preview button.
http://www.omniture.com/privacy/2o7#optout This is the site to install an "opt-out cookie". I'm going to go ahead and guess it might help to visit this site within the embedded Opera browser in CS3. Who knows where that thing keeps it's cookies. Granted, getting this info from a comment on a post to a blog is not the way to have a good opt-out policy. Something in the installer would be nice.
# Block access to Omniture -- spyware vendors
block from any to 216.52.17.0/24
Just because you have issues with Microsoft, doesn't mean you give Adobe a free pass.
As for responsibility.
Analogy: If Ford used a third party airbag in their cars that regularly deployed when you hit 70mph, who would be held responsible? Ford, the third party or both?
Now, by "foreseeable consequences" do you mean those that are accurately predicted, or those that can be reasonably expected. If it's the latter, then you're not really a strict consequentialist. If it's the former, then you can hardly make any moral judgments at all (given how indefinite the chain of consequences of a given act is).
Shop as usual. And avoid panic buying.
GIMP *is* competing primarily with Photoshop. This isn't a matter of which commercial application's feature set it most closely resembles. It's a matter of what users actually USE.
Photoshop is the default application for doing any kind of drawing or photo editing. It might be total overkill, it might not be the best choice or whatever, but that's irrelevant. Ask yourself this instead: How many people do you think PAY hundreds of dollars for Adobe Photoshop for their own personal at-home use?
Face it, Photoshop is the standard because it's pirated so much. This isn't a question of "lost sales", since 90% of Photoshop pirates (and I'm extrapolating from people I know of, so flame away) wouldn't DREAM of laying down that amount of cash. If they were forced to go legal, they would probably buy Paintshop Pro - an application that probably suits their needs much better anyway. (So if anyone is losing sales when Photoshop is pirated, it's probably Corel).
To summarize: GIMP competes primarily with *illegitimate* Photoshop users.
Competition. That's the only solution to this. Adobe has become a very arrogant and supply-side centric company over the past few years. Or rather, an even more arrogant company than it always was.
It has almost no competition in most markets it trades in. Where it did have competition, it bought it out with the Macromedia purchase. That's a problem. It's not just this privacy/lying issue, it's price fixing, it's bloated features, it's the product delays (the universal binary versions), it's the (a la Microsoft) packaged versions that make it hard to get standalone versions.
I use Adobe Software every day (always firmly controlled by Little Snitch from install I may add). I don't like using it, it is not the best they can do, but it is the best available. I use it, but I will jump ship tomorrow.
I really, really, really want to use products from a better company. Surely there MUST be developers out there who can make better products than Adobe.
I didnt see it posted and I dont read most EULAs, but as long as this has a line about the 'phoning home' process then all is ok. Now if they never post anything in the EULA then that is a big problem! You accept anything the software does when you click I agree. You dont have to agree and use the software. Anytime I think about EULAs, I think they are made to legal like that noone is going to read it and those that do will most likly just say 'yea whatever, i want to use the software'. Which reminds me of the one software that had a written reward in the EULA and after like 5 years (or longer, i dont remember) and a lot of users some guy saw a lil statement that said the the effect 'email us this code and we will send you $5000'
Port 123 (both UDP and TCP) is the NTP port.
Double-click on the time on the right end of your taskbar to open the Date and Time Properties dialog box, then click on the Internet Time tab.
I believe it defaults to time.windows.com. I change mine to us.pool.ntp.org.
Anyone with a (personal) firewall can control this "phone home" behavior.
And everyone should have locks on their doors.
But its still going to piss me off if I come home and forgot to lock my doors and you're sitting on my couch eating my milk and cookies.
"I am the king of the Romans, and am superior to rules of grammar!"
-Sigismund, Holy Roman Emperor (1368-1437)
This seems so simple.
If Adobe and other companies want to retain their paying customers' trust, their applications shouldn't be doing unexplained things behind the user's back.
If they want to pop up a window saying "To insure better product quality, we would like to have this application send information to internet address thus-and-such. To read a detailed description of the information we send and how we use it, press 'details.' To allow us to do this, press 'allow.' If you do not want us to do this, press 'no,'" then everything would be cool.
But if an application does stuff we don't expect it to do, and they don't even mention it in advance, it's not terribly paranoid to assume that the reason is that they're doing something they don't want us to know about.
"How to Do Nothing," kids activities, back in print!
You sure? Back when my home network was simpler, I had a high-up firewall rule to allow all traffic from/to 192.168.*
I would have been tripped up (fortunately, my network is much more complex now, and this hole no longer exists for me).
Stasis is death. Embrace change.
Even having nothing to hide (read: de-centralized backup copies) and using mostly Linux, running a personal firewall that not only controls incoming, but also outgoing software is a total must nowadays. For Windows, there are several, even freeware (e.g. Ashampoo does a pretty good job), or things like Apparmor under Linux ... So with any program suddenly requesting internet connection, just deny it once, or for good ...
... guess one of these days, you won't be allowed to even launch your commercial apps without the software's main server confirming you're not running a pirated copy. Then, if the company dies, all the programs die with it ...
I guess that's the curse of the ever-growing number of always-on internet users
I absolutely agree that the software vendor thinking that they have some right to do this spying is very arrogant and serious. But think about this. The fact that the connection is structured to LOOK like something connecting internally only goes to show that not only are they doing this, but they are doing this with the intent to try to obscure it. It would be one thing if they were on the up and up about it. But they would not need to do this 2o7.net stuff if they were. They could connect to "reg7.adobe.com" or some such name. But no ... they tried to add a layer of obfuscation to it.
They know they are spying on you because they are doing it. But they also know you won't like it. And that is obvious from the effort to hide and obscure it. Doesn't that make it at least twice as bad, if not triple or worse?
now we need to go OSS in diesel cars
They can change the IP address since they are using a hostname. You need to also add the domain name "2o7.net" (you know, number two, letter oh, number seven, dot net) as a zone in your resolving/caching DNS server, with a wildcard labeled "A" record pointing to somewhere that will be a dead end under your control, like 127.0.0.1.
now we need to go OSS in diesel cars
Well, Squid is a Web (TCP port 80 and friends) proxy only, whereas Little Snitch is a general monitoring app that can alert you to just about any outgoing traffic much like an outgoing firewall. So, they would work well when used in combination, since Squid can be used to control HTTP traffic in very specific ways beyond "is application X allowed to connect to site Y?" Not to mention that with a Web browser, of course you want it to be able to connect to TCP port 80 and you probably don't want to be prompted at every attempt to connect to a new Web site (it would drive you nuts), so a Little Snitch user would probably just allow the browser to use that port regardless of the site and then Squid would be the better tool to specifically control this.
It is a miracle that curiosity survives formal education. - Einstein
Please do yourself a favour and download this HOSTS file:
http://www.mvps.org/winhelp2002/hosts.htm
And use it. That domain has long since been blocked. Jeez, people. Old news.
Is this a reasonable answer to someone who may just use the computer to edit their photos for publishing and checking email? Is this a good way to respond to someone asking for help with their router?
You are saying they need to learn more about their router, and yet when they asked about it you say they should not be using their computer because they don't know the answers. They are damned if they do and damned if they don't.
Some Internet connections are metered, usually based on the data volume (per kb). If Adobe uses your network connection to transmit data, then this means that some bandwidth (however small) that you pay for is wasted, especially if one is using an Adobe program a lot. Yes, it may be only a few bytes, but the principle holds true: Adobe may be using some of your metered Internet connection. Is this explained in their agreement? There are a lot of reasons why one should dislike this, apart from privacy.
I noticed something odd from the first moment I fired up CS3 and tried to create a new image. It hung for a few moments and then I noticed some heavy network use. This happens every single time I fire up CS3. I knew about this quite a while ago, but never did sniff to see what exactly was happening. I did disable my network connection once to see if it would still allow me to create a new image, which it did.
You're nothing; like me.
I won't speak in the name of others, but clearly The Gimp is not a competitor to photoshop. If PS was to be competing against The Gimp, Adobe would have to release native file format information, plus access to the code. For those among FOSS supporters like me, failing on both counts is a total show stopper for even considering a switch, much like the burden of your previous work is to you.
The Gimp is like the plank cabin you build on your grounds : there might be holes, it might not be completely comfortable, and the roof might even leak, but nevertheless, you're the king in your own private kingdom, because you're considered to be the owner of the place. PS is more like a rented flat : nice view, good furnitures, central heating, but if your landlord happens to be a complete moron, and suddenly decides to lock all the doors at 9 pm, you're fscked, and either you're in by the curfew, or you're homeless for the night.
You decide what's acceptable to you.
Software companies are now clearly overstepping the boundaries of acceptability. This has behavior subtly creeping it's way into applications in recent years. They start with the "do you want to this application to check for updates automatically"? Then comes "activation", then 3rd party bundled toolbars - Acrobat reader, among many other non-Adobe apps come with opt-in 3rd party toolbars which you can opt out of but WTF is it doing there in the 1st place? I won't install any app that has such software bundled in for fear that it's doing something despite my opting out of the toolbar.
These companies will not learn their lesson and back off until we have sufficiently voted with our wallets. I will say that Adobe will never again get a dollar out of my wallet.
He may be a great program manager but if I were Adobe I would stop him from blogging as quickly as I could. Here are some choice quotes from his responses to user comments. With responses like these I wouldn't believe anything he has to say:
[Are you saying you can't figure out how to remove applications? That's really saying something. --J.]
[You're a complete moron, and I don't have time to bother poking holes in your litany of ridiculous assertions. --J.]
[Sorry to hear that things aren't going well, Ryan. Have you called tech support? If not, why not? --J.]
[What sucks is how gullible, lazy, and reckless people prove to be. --J.]
And on and on it goes...
This is why I only use cracked software. Even if I purchase the software, which all of mine actually is, i run it cracked with lot of firewall rules.
I have never trusted any software company that attempts to make an outbound connection for ANY reason. Certain programs being an obvious exception like web browsers.
The fact that behavior like this is now coming from Adobe provably, is no surprise to me at all. Adobe has been almost militant in it's defense against piracy. If they had their way, all computers would be hooked up to a central database and run only authorized code decided by a "high council" of software developers.
I know some may say that the "jury is still out", but I don't believe that any of this was done without Adobe's knowledge or consent. After all, any software developer would be stupid and negligent if it subbed out development work or services to a 3rd party without verifying the functionality of the code or auditing the services.
In any case, for a company with Adobe's reputation, this is very damaging.
I'll take the roof that doesn't drop cold water on me throughout the night.
Let me know when I can be master of a kingdom with a roof that doesn't leak.
paintball
"Don't use Adobe."
And what are the alternatives? Gimp? That's not a professional quality app yet and doesn't support CMYK. Quark XPress for page layout? OK for legacy files, trying hard to stay in the game, but has fallen out of favour with many agencies, designers and commercial printers for a variety of reasons. Freehand for vector work? That's owned by Adobe now so you might as well use Illustrator (which Adobe would prefer you do) unless you want to try and get away with an app that has basically become the redheaded stepchild of their software lineup.
This is what happens when a single company basically crushes and buys out it's competition. You end up with an increasingly arrogant, unresponsive and less diligent behemoth that basically does whatever the hell it wants, customers be damned because they have little or no choice. This is what's happening with Adobe, now that is basically the only game in town.
Stay tuned for more public complaints about this company.
The pursuit of absolute tolerance leads to the most rigorous and ludicrous intolerance. - REX MURPHY