RealPlayer Uploads Your ID Too

Wired revealed this morning a "New Privacy Glitch" which may actually be years old. Real Networks' RealJukebox isn't its only software to send a Globally Unique Identifier (GUID): RealPlayer does too. The free RealPlayer has 69 million users of all its versions; Real isn't saying which versions send the GUID. It's sad when the "good news" is that RealPlayer doesn't scan your hard drive. Oh - and by the way - Windows Media Player sends one too but it's OK because registration is not required. Are we living in cuckooland? Update: 11/08 08:44 by J : On the just-launched real.com site, their Software Privacy Statement says: "the Globally Unique Identifier - GUID has been disabled for electronic registration so it cannot be used to identify you." This is for RealPlayer 7: still, apparently, no word on earlier versions.

Re:then again..

I think codecs just let it to read more types of files and decode more types of compression

Re:Privacy never has existed

My first internet experience was when AOL was brand new, and I got connected with my state-of-the-art 14.4 modem

Just to put a little history straight; AOL has been around a lot longer than that (I was using it when a 2400 modem was state of the art). IIRC, it was started back in the mid 80's. Perhaps you meant when they first offered internet access?

The rest of your post makes some excellent points, btw.

How much software REQUIRES 'net connection?

I'm not talking about internet apps here. I mean stuff like word processors, and HD utlities that won't run until they can register themselves over a modem or ethernet connection. I'm sure this is just totally unfathomable to many vendors but, not all computers are connected or able to connect to the internet! In fact, being able to download software for later installation of installation on another non-net-connect machine is just impossible with some software. Worse are the apps that download an installer app which then goes and fetches the rest of the code from some secret server listening on some secret port on the 'net. Really, I just want quicktime for my non-net-enabled laptop. What am I supposed to do?

Re:How much software REQUIRES 'net connection?

I use a Win9x app WebZip. Its an offline browser www.spidersoft.com and it connects with its web site when its started. I wonder what info its posibly sending? They need to regulate these covert operations! I'm realy getting sick of all this crap!

Re:How much software REQUIRES 'net connection?

[jeremy+f]

There's a bit of software for win9x, called MP3 Voyeur. It scans local area networks for mp3s, and other multimedia files.

The catch? It queries the author's homepage every time it's run, AND leaves the connection open during use. I haven't set anything up to see if it's sending anything back, but I'd count on it. Every time the website goes down (which isn't often), or the author feels the need to discontinue the program (which already happened once), the software lets the user know this, and refuses to run. It's painfully annoying during the few times when the outside connection goes down at our University, and we only have a local net connection. I'm more scared, however, of what the program is sending back during the time it's running / scanning.

And of course, like almost all Win apps, it's closed source. And of course, like almost all Win apps, many people use it without fully realizing what it's doing. I get chills whenever I run it, but it's very convienent, and I haven't seen another program do what it's supposed to do.

If anyone wants to test it out to see exactly WHAT it recieves / sends back from the main server, it's at http://www.jawed.com/mp3voyeur. Of course, it IS Win9x software, and I haven't had the opportunity to test it in Wine (don't have Wine installed at the moment).

umm

I have a pirated copy of realplayer g2 plus, my os is pirated... basically all software on my system that isnt free in the first place, is pirated.... could this be bad?

Re:umm

You show me an Open Source repository that deals mainly with Win9x / NT applications first :-)

Re:umm

MY question is how in the name of hell you have a pirated copy of something that comes FREE WITH NETSCAPE for example....? I can understand the win98 concern but real player is freely available for god's sakes...

Re:umm

'cause he's "l33t"... He actually has "Plus", which comes with a few features not included in the regular version. $30.

Re:umm

[Surak]

Use only Open Source software. You will never have to worry about pirating software again.

Re:umm

[Surak]

I said use only open source software. This would exclude the use Win 9x/NT

Re:umm

[turg]

I have a pirated copy of realplayer g2 plus, my os is pirated... basically all software on my system that isnt free in the first place, is pirated.... could this be bad?

yes, pirating is bad
-
<SIG>
"I am not trying to prove that I am right... I am only trying to find out whether." -Bertolt Brecht

Re:Linux version too?

No idea myself. But I can answer the second Q. Play your RA into an audio tape player. If you can, get a good graphic equalizer too, to make the sound as best it can be. Then play it back, onto your computer, as either a WAV, or MP3 (If an input > MP3 player exists. This is also the way, to get around any "encryption" these music guys may stick on any music they release eventually though the internet. Or even video for that matter :)... Only RA > MP3 converter I saw, was a Windows program, that added something to the recording every 10 seconds. I decided to be cheap and go the way I mentioned :). (Which BTW gives you nice tapes to play in cars too. Old-time radio never sounded so fun :). Good luck!

Package says software requires following HW and ..

... what is does with that! I demand clear information what software does with my PC. t.omi

Re:Privacy never has existed

I had Quantum Link before AOL was even called AOL. Back then thet were 'Quantum Computer Services' and ran Q-Link for the C64. When they offered 'life memberships' for $150 in 198x, I bought one. The capital raised from this help start AOL. Later when Q-Link ceased operation (1994!) my life membership was transferred to AOL. So as long as I stay under my 300 free minutes every month (I have to stay on the old plan, converting to unlimited use will cancel my old free for life plan), my AOL account is free forever! Wheeeee!!!!

Re:Only criminals want privacy.

I hope that was an attempt at sarcasm...

The Obvious Answer...

to this problem is to put a monkey in a bagel

Re:The Obvious Answer...

Damnit, that's your answer for everything, isn't it?

"I'm going to be late for work" / "Just put a monkey in a bagel"
"The Apocalypse is nigh" / "Just put a monkey in a bagel"
"My bagel's cold" / "Just put a monkey in it"

(Score:5, Offtopic)

Re:GUID just a COM construct...?

[Aside: COM = Component Object Model, not "Common". Just FYI.] You are correct about GUIDs being used in COM objects. COM is a system in which a standalone software object (a component) can be used to provide a service to another piece of software. For example, the component may connect to a POP3 server or may perform mathematical computations or play RealPlayer streams. When COM was first introduced as OLE, each of these components was required to exist on the user's own machine, however the developers envisioned that one day you might be able to reach out over the network and use components that exist on some other computer somewhere. In such a system, though, you need a way to uniquely address each component that exists (i.e., this is the "naming issue" - each component needs some globally unique name). This network-aware version of COM is DCOM (Distributed Component Object Model) and the GUID is the unique name. As another poster in this thread points out, RPC uses UUIDs which are the same thing as GUIDs (actually, I think the algorithms to generate them match exactly, so GUID == UUID). So, in either RPC or DCOM, if you know the UUID or GUID of the piece of software you want to talk to, you can resolve this name and locate it on the network, make a connection to it, and use its services in your own software. It is quite a bit like a glorified version of shared libraries! As it turns out, since it is a COM object, you can embed RealPlayer in a piece of software very easily. In about 10 lines of Visual Basic code, I could embed the RealPlayer component and enable any application I write with streaming content capabilities. This is how CNN can provide little popup boxes to show you 20 minute "top of the hour" world news summaries in your web browser.

Don't forget cookies!

To simply disable or block cookies is not enough. And having a proxy site accept the cookie on your behalf? Nah. I wrote a cookie mangler! It looks for new cookies and searches out for things like numbers and expands them by 6 orders of magniture, makes them zero or negative. Random characters or phrases are inserted into strings. Total cookie length may be truncated or expanded to several K. How about uuencoded pr0n returned in the cookie. Maybe their server will crash. Gee... wouldn't that be depressing.

Re:Don't forget cookies!

[PurpleBob]

Ooh, sounds neat. You should put the code for that on the Web. (just make sure it doesn't mangle Slashdot's cookies, they're the only ones that matter)
--

Re:DOS attack?

I think you are working at too high a level, reverse engineer the protocol, why? If you dont like them intruding on your privacy, you could just Smurf the server, all you need is the IP addy. Remember it is ALWAYS easier to destroy than create, this has been a public service anouncement on behalf of Mr N. Tropy. PS I dont condone DoS attacks, but I dont think they would pursue you as they would need to disclose everything regarding the collection and use of the collected data in court, it would make national news, and it would look very bad. N.B. Looking bad = share price drop

AND THIS IS EXACTELY WHY

Windows 98 has none/none for register info and my real player, winamp, etc all have no@no.no for a email address

I never trusted them and it looks like I was right

jason.salopek@usa.net

Re:AND THIS IS EXACTELY WHY

But now they know that you are no@no.no! You've just given the game away.... bwahaha!

Solution w HOWTO: Kill all packets to *.real.com

$ whois real.com

Registrant:
Progressive Networks, Inc (REAL7-DOM)
[...]

$ whois "progressive networks"@arin.net

PROGRESSIVE NETWORKS (NETBLK-CW-204-71-154) CW-204-71-154 204.71.154.0 - 204.71.154.255
PROGRESSIVE NETWORKS (NETBLK-CW-208-147-88) CW-208-147-88 208.147.88.0 - 208.147.88.255
PROGRESSIVE NETWORKS (NETBLK-CW-208-147-89) CW-208-147-89 208.147.89.0 - 208.147.95.255
Progressive Networks (ASN-PROGNET) PROGNET 5054 Progressive Networks, Inc (REAL7-DOM) (NETBLK-ABOVE-REAL) ABOVE-REAL 209.66.98.16 - 209.66.98.23

$ ipchains -A output -d 204.71.154.0/24 -j REJECT
$ ipchins -A output -d 208.147.88.0/24 -j REJECT
$ ipchains -A output -d 208.147.89.0/24 -j REJECT
$ ipchains -A output -d 209.66.98.0/255.255.255.224 -j REJECT

Swing batter!

Legitimate uses for this stuff

Aside from marketing, there are other legitimate uses for these types of techniques. In the software I write, I don't use a GUID per se, but I generate a random number when my software is first ran and then when they use the software to connect to my server I send the number in (along with the name and password as appropriate). Because I run an open service, I use the number to effectively ban people who are being disruptive to the service (for the sake of argument, let's say I am making an online game). Having this number eliminates the need for me to ban IP ranges for the vast majority of users who have dynamic IP's. Most good hackers quickly figure out where I keep the number and change it, but for the majority of users, it's quite effective.

Additionally, I have been known to create hash-values from already existing data on a persons machine as a means of uniquely identifying them...again, mostly to allow banning as needed.

As the operator and owner of the service, I should have the right to control access to the service. I could require mail in registrations and mail back passwords, etc etc, to try and keep a handle on it, but I prefer to have an open system that people can come to and try out quickly and painlessly. Email addresses are a dime a dozen, so that is completely ineffective at giving me access control.

Personally, I think everybody ought to be assigned a unique verifyable ID. The user should also be allowed to control who can look at that ID (applications should be required to prompt the user asking for permission to access the ID). That said, nobody would be allowed on my service unless they gave me permission to have their ID. I think that is fair to all involved...you want to use my service, you have to agree to my terms (ie. give me your ID so I can ban your ass if you are disruptive).

What about the firewall?

Got a Linux firewall, nothing from outside allowed to connect, so it's straightforward.

I know how to drop Doubleclick. Is there a line I can add to stop the outgoing identifier?

And if I can't, why not?

Whew...

Gee, it's times like this that make me proud to be an Anonymous Coward.

BFD

i don't even use real audio products. why bother. we all should fix up a new RFC.

Re:Linux version too?

There is some source code for decoding realaudio files at http://www.members.tripod.com/~ladsof t/ra.htm Supposedly it compiles on DOS, Amiga and OS/2.

Re:Linux version too?

Try Here

MAC-ID transmitted if network card present

The German computer magazine c't discovered this Real-Player feature in their lab: The original report (in German) can be found at http://www.heise.de/newsticker/data/ju-01.11.99-00 0/ They did not specify which OSs were tested. A Global Unique Identifier (GUID) is transmitted to the Server. It contains the MAC-ID of a network card if present in the system.

Was: Re:BFD Now: Real Audio alternative

I encourage the GNU community to create a standard internet audio streaming (or other media such as video) that is a better alternative to Read Audio. And to create GNU programs based on this standard. - zeosx on IRC P.S. i know, I know, I know i used Anonymous Coward as my nick, but I hate registration on the internet anytime I want to do something - and try to find where I wrote down the userid/pass when I want to do the same thing again later...

good port monitor (f)or Win98

etherpeek. full decodes.

Re:Only criminals want privacy.

Then post them videos of you and your wife doing the jiggy jiggy if you don't care about privacy you idiot. I for one i would like to KNOW who is stalking me.

Re:Win98 does it too

Even better is IE5. If you pay *very* close attention then you'll see that IE5 will occationally immediately head to a secure webpage on www.microsoft.com. It only shows up for a second or two then go to your home page. That is the true reason I use Netscape. I noticed that and then wondered how much more I haven't noticed.

Anonymous sites

Privacy is one thing, but when you are receiving free services it is not too much for the provider to ask for something in return, they just need to be forthcoming about what they are doing. What I would like to see is sites/services marked as either allowing anonymous use or not.

The operator of the site/service would then configure their site as to which to allow. If they disallow anonymous access, then they will have access to some basic information about you. If you don't want them to know your personal information, then find another site to visit.

Too many people on this board are too hung up on personal rights, what about the rights of the service provider to know who is using their services? Like I said, if you value your privacy that much, don't use their service. Somehow the majority of the /. crowd seems to think they are constitutionally entitled to whatever services they want on their own terms. Grow up people.

Reason for anonymity.

I posted anonymously because I was sure that I'd get down-moderated as "Troll" or "Flamebait" and didn't feel like taking a Karma hit. If I had known I'd get "Funny" points I might have posted under my account name. Though perhaps if I had done that I'd get the "Troll" and "Flamebait" moderation. It's happened before with posts that I thought were funny. And now that I think of it, it is funnier to post "only criminals want privacy" anonymously.

(I'm posting anonymously now because I don't want my pitiful desire for higher Karma to be associated with me.)

Re:Only criminals want privacy.

I realize you're attempting to be sarcastic... but there is a grain of truth in your first sentence. I don't care if they're tracking my every keystroke - I have nothing to hide.

But even PAYware demands reg info before it'll run

Why should I have to register software before I can use it. Isn't PAYING for it enough. Not so for more and more apps, apparently. This is... unacceptable. I'd rather find and used CRACKED pirate versions of software if the legitimate pay version demands any personal info from me before it will function.

Re:Companies privacy statements

Well, I think that a privacy statement is legally binding. So if they say they won't use data collected to track you, and they do, then they are liable for damages.

The kicker is that most privacy statements say something along the lines of:

"We reserve the right to change the terms of this agreement"

What they mean is that if they decide later to use your information, they will just say so later.

Probably not

I haven't paid for a piece of software since I bought Quake when it first came out. Since then I have gone thru numerous copies of windows and countless pieces of commercial software. Still here and talking, aren't I?

Re:It's only a matter of time...

It's time that we, as end users, start taking back our data as being private. ANY company that has been found to be transmitting ANY sort of data back to itself WITHOUT your permission should be banned by users. Let's start by boycotting RealNetworks products. This should send a message to these _____s.

Re:Privacy never has existed

Sticking it to the MAN! :) (g)

But then again, the counterpoint to that is for every Q-Link offering lifetime mebership for $150, there's 100s of similar businesses that went belly up.

Re:Set up a bogus email address for registration.

Really, do you have an example of this? I'm genuinely curious where you'd run into this... it seems like a incredibly bad idea.

I have seen this a couple times, but only on anon-ftp sites.

Re:It's only a matter of time...

99% of all people break the law any way! there is practicly not one signle person who hasnt broken any laws! Who hasnt drunk before 18?

You people stil use REAL junk!?!?

Realplayer and G2 format is so crap!
why do you bother...

Its like using gifs when you never knew jpegs existed.

G2 video is so crap! i mean it uses all the CPU and looks shit, use mpeg4/asf, its much better,smoother looking and uses less cpu%

Hmmm...Very Interesting

I find it amusing to register as the world famous cellist: Yo Ma Ma. Snarfvs Maximvs (who is too lazy to log in)

Microsoft Gathering DNS error info from browsers

I believe you are wrong on the error page being fetched from some deep, dank pit that exists in the heart of some overloaded Microsoft server.

Instead, the error page is fetched from within the deep, dank bowels of the Windows operating system. The html used for reporting errors is copied/created from shcoclc.dll, which is located in the windows/system directory (at least it is located there in win98).

Besides, I doubt Microsoft could create a server that could handle the load of collecting the data from millions of mistyped urls.

Re:Overload their servers with false information

Because that's stooping to their level. What they did was *unethical*... not illegal. We shouldn't bomb/hack/etc them in retribution, that's as bad if not worse than their blunder to begin with. Just don't send them money, they'll figure it out.

Re:Update

Too late, no Real Networks shit is ever going to get to my computer. I uninstalled the Jukebox and G2 Player I had and I'm telling all my friends to do the same. I can live without those things.

Re:Linux version too?

Streambox Ripper (formerly Ra2Wav) encodes directly to MP3 from RealAudio. http://www.streambox.com/products/Ripper/index.asp

Re:Isn't this illegal in Europe?

It is, but you see, laws do not apply to big corporations.

Oh yeah, because "Europe" has all the same laws

Europe isnt made up of many different countries, honest. It's just one big area with all the same laws in every place.

jeez, how can people so IGNORANT?

Your GUID is like your social security #!

Consider that that the GUID created when you install your OS can be transmitted to any company whose program you run on your computer. If somewhere along the line you have given that company your name, address, email, etc. then you have potentially put yourself onto a database where they can track you PERSONALLY whenever you use their software. It's not harmless demographic information when it identifies you as an individual. How much would a database of personal surfing habits (that Microsoft could collect via IE) be worth to startup web companies? WHERE IS THIS GUID? Is it simply in the registry where I can periodically change it? -- Anonymous Coward -- (I can never remember all these silly internet passwords... Can't they just use my GUID to log me in???) Doh!

Cuckooland

>> Are we living in cuckooland?
No Rob, you're living in the U.S.A. where 99 percent of the phones are sniffed by the feds and people have no privacy whatsoever. I live in Europe and here they are also very bureaucratic. If there's a little paper which says 1 + 1 = 3, then everyone will accept that it IS three. It's really sick.

Re:Overload their servers with false information

Yes, but I don't think the average computer-using public doesn't know this. As far as I'm concerned, if companies decide to start collecting information about me without my knowledge or consent, I simply can't guarantee the accuracy of the information that ends up on their servers. I don't see it so much as "stooping to their level" as "leveling the playing field."

Re:Linux version too?

Compile under Linux too.

Re:Only criminals want privacy.

I don't care if they're tracking my every keystroke - I have nothing to hide.
Well great, then you won't mind posting your checkbook and tax return right here, or at least the url where we can go read them.

Everybody's got something to hide except for me and my monkey.

Re:privacy and the registration requirement

i just give them my neighbours address, and wait for the black cars to turn up and cart them away - only happened once so far :-)

Set up a bogus email address for registration.

I've set up an special account on my linux box exclusively for the purpose of registration. Only the most recent 20K worth of email is kept (needed because some SW reg emails an unlock 'key' to you), the rest is routed to /dev/null. Mail to the account is otherwise never read. The address is ac@[myhost].com (Anonymous Coward)

Re:Set up a bogus email address for registration.

[Redundant()]

Mark this comment up, this is the easiest solution to the problem.

Some information gathering servers compare client domain to ensure you are who you say you are though.

I always use nospam@whateverdomainimloggedonto.com and specify a juno or hotmail account if I actually want to correspond. My windows registration is X.

Re:Set up a bogus email address for registration.

[SIGFPE]

I sometimes use an email address that reflects who I've given it to. So if I register for RealAudio I might call myself someting like realaudio@tanelorn.demon.co.uk. That way I can track down who's been giving out my e-mail address when the spam pours in.

Re:OpenSource?

haha... If it took this long for someone to run a packet sniffer on the real player traffic and see the GUID, how long is it going to take for someone to actually read and understand the code?? I noticed the GUID several months ago while setting up an Real's RTSP proxy kit. And you know what? I don't give a damn about it.

Also, Zonelabs has a nice little program called ZoneAlarm which allows per-program internet access restrictions on Win9x systems. It can't "protect" against GUIDs and things but will prevent 100% against programs that shouldn't be accessing the internet (like BO2k).

Re:GUID just a COM construct...?

UUIDs, aka GUIDs, are a remote procedure call (RPC) thing that existed in UNIX long before MS borrowed the idea for COM. ...trying to make RealPlayer DCOM compatible or some such - unlikely, most probably Real sends a GUID is used to identify you and your listening habits.

Re:Linux version too?

Try Ra2Wav. It's a windows app that will convert a .RA file to .WAV and it supports G2. Get it HERE.

It works under wine, but you need to have RealPlayer G2 installed as well. The more recent wine releases will install G2 player, with a bit of messing around, it should work fine.

Matt Borowski mkb@NOSPAMyahoo.com

And requirement to be honest on reg never existed.

I always provide BOGUS information on all registration forms. Look at my copy of win98, on the 'about' box it says "This software is registered to: The Public Domain". Hey! They gave me a fill in the blank SW license. This is like an already signed blank check so I filled in the name with 'the public domain'. Other software is registered to "Nobody", "Unknown User", "John Doe", and "The Bearer". And yeah, my purchase role is 'final decision' on all purchases for my company of 500,000 employees. Wheee!! And I buy over $1e6 worht of computer products every year. Oh and if they want addresses and phone numbers and email, I plug in the company's own street address, phone number, and sales@, or info@, webmaster@, or root@ at the comapnies own domain name. This isn't a court of law or legal proceeding here so there's no penalty of perjury for lying. I happily make up all sorts of stuff! And if my lies fsck up the co's statistics then that's too fscking bad. Do I have a 'right to privacy'? No, but by that same token, companies have no 'right to collect accurate marketing information about me.' Works both ways, ya know.

To mangle Jay Leno's quote from those old Dorito commercials:

Collect all the bogus information you want, I'll make more!

Only criminals want privacy.

Anyone who complains about this is obviously a child molester or a drug dealer or a DVD encryption cracker or other horrible deviant. Next thing you know people will be complaining when the police start installing cameras in peoples' houses to catch burglars.

Face it people, government and big business is your friend. They only want what's best for you. Now stop resisting, go back to work, and buy some of those fine products you see advertised on TV and the web.

Re:Only criminals want privacy.

[smash_phase]

Oh, you think so, how about: "Sorry kid, we won't hire you, some information we gathered showed you're online till 2 O'clock during the working days, we can't have that over here.." Or, "Sorry kid, we noticed that you visit online porn quite frequently and we are afraid that it might influence your behaviour at work, since we have to many sexual harashment cases already." Or how about sending information about how many decrypted .vobs and .mp3s you hardened criminal own on your computer (Personally, I buy a cd & stuff it in mp3 on my compu, b'cause I'm damn lazy)?!
Recently, I just pulled a CV from someones pc over the internet(just for the fun of doing it, by using a program that exploits M$ security problems), which stated the person was male and noticed a lot of male porn too. I also found some letters applying for jobs. Do you think he would like it if anyone else has access to this information? I mean look at Austrialia & America, you just need one anti-terrorist act and peopl who are in the impression Slashdot encourage anarchist & terroristic activities an online gathered information about you, would be enough to send you to jail... I can think of many other things, but my point is, everyone has the need of privacy and if you don't understand that, than you've got a lot to learn.

Re:Only criminals want privacy.

[Issue9mm]

You apparently didn't realize that the post in which you just responded to is a joke. Sheesh. (Henceforth, Score 2 : Funny, get it?)

Re:Only criminals want privacy.

[n0stram]

But you still remains anonymous...

Is this helped by proxying?

[Christopher+B.+Brown]

It's not evident whether this is helped or hindered by having proxy servers in between you and remote sites...

There most certainly are cases where it is very nice to have something like Junkbuster= and/or Squid in between me and remote places, as both can help keep things a bit more anonymous.

I'm looking forward to cable modems being more ubiquitous; this will mandate having personal firewall machines, and this will encourage the development of little easily-managed boxes to help with such.

Little Linux boxes would be perfect candidates for this sort of thing; a minimal distribution that has some proxying software, and something like Linuxconf or COAS that can be configured remotely through a secure connection (e.g. SSL) would be a killer app.

Re:CDDB players do it too

[Roast+Beef]

CDDB only records your email address when you submit a new disc. If you're just looking up disc info (like if your player is requesting a track listing), no email address is sent or recorded.

Jay Tamboli

Dammit...

[Millennium]

Well, I guess I'll be deleting RealPlayer from the Mac side of my machine (never found a version for LinuxPPC or I'd delete it from the Linux side too). It never worked all that well for me anyway. I guess I'll be sticking with QuickTime for my streaming video needs (there's still rumors of Apple doing a QuickTime Linux port; anyone know what ever became of those?)

Anyone know of a program to convert .rm files to MPEG (audio and video both), on any platform? I've seen programs to convert other formats to .rm, but never one to convert .rm to anything else.

Re:Dammit...

[gordyf]

For Windows: http://www.streambox.com/Products/Ripper/index.asp

Its shareware, but it works for 15 days uncrippled.

Converts from RA/WMA/MP3/WAV/CDDA to WMA/MP3/WAV.

Re:Dammit...

[tlhIngan]

Does that cover RM G2 formats, too?

(BTW, here's anothe rprogram for Win* users):

2B Systems makes RA2Wav, converts RA streams to WAV, and for all those pesky pnm:// stream servers, X-FileGet will get pnm:// streams (as well as the usual FTP/HTTP transfers).

Re:Grrr!

[Millennium]

Perhaps I'm the clueless one, but why would such a law be clueless? All it does is require the makers of software to document all of the features therein. As far as I can tell, that's a Good Thing. How is this bad?

it also spams your proxy logs

[toni]

I don't know what it's doing but Realplayer is generating and accessing a lot of typoed URLs with a space in between. They show up in my squid error log and many sites under my proxy generate these errors about once every other minute. Other versions don't generate bad URLs but still access something every other minute.

Re:it also spams your proxy logs

[toni]

Before some smart guy comes in and says that of course Realplayer accesses something all the time... I meant, they access the same URL at real.com every other minute, not the stream provider.

Re:privacy and the registration requirement

[cpt+kangarooski]

Boy, you're much more thorough than I am. For years now I've registered as John Satan, 9 Dante Circle, Pandemonium HL 00666+0666, tel (666) 666-0666, same for fax, email j.satan@pandenet.hl.

Most places don't verify these things - too much work, and 99% of people fill it out honestly anyway, never once making the connection between this and the junk mail and spam they get.

Companies privacy statements

[Uruk]

As long as they have a privacy statement? Doesn't that maybe need something particular added on to it, like "An *appropriate* privacy statement"?

Privacy statements can be buried on a page or contain tricky wording that when deciphered can often come out to something like this:

FooSoft promises to never use this information in a way which would be detrimental to our consumer's privacy when it coincides with FooSoft's financial interests. Should the financial interests of FooSoft dictate that distributing information gathered from clients is in the interest of FooSoft's bottom line, appropriate actions will be taken to safeguard investor value in FooSoft.

Sounds nice. Maybe.

Re:Companies privacy statements

[bmetzler]

As long as they have a privacy statement? Doesn't that maybe need something particular added on to it, like "An *appropriate* privacy statement"?

Well, I think that a privacy statement is legally binding. So if they say they won't use data collected to track you, and they do, then they are liable for damages.

The important thing is that the have a privacy statement. It is up to *you* to read it and determine if it is appropriate for you. If it isn't, then you don't have anything to do with them.

-Brent
--

Re:Companies privacy statements

[quonsar]

The kicker is that most privacy statements say something along the lines of:
"We reserve the right to change the terms of this agreement"
What they mean is that if they decide later to use your information, they will just say so later.

But not until after the story is on /.

:-)

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

Privacy never has existed

[Uruk]

What do you expect companies to do? Pass up an opportunity to gather important marketing information?

Privacy hasn't been really possible ever since the real marketing sharks started to hit the internet. Remember, even though companies aren't ethical for the most part, they're not stupid. They wouldn't bother getting their codejockeys to put this stuff into the software if it wasn't making them big bucks in one way or another. It doesn't give companies a stiffy to have power over you and use your information, it's just that they're making money off of it, and that's why they do it.

Public companies are a real bitch, because of the diffusion of responsibility. Even if they have people inside the organization that realize something is legal, yet unethical, it still gets done, because there really isn't a big boss that can say "We're doing this, and not that". There is to a point, in the CEO/CFO, but at the same time, they owe their jobs to the board and the stockholders. Failure to be ruthless and relentless in the name of corporate profits for the shareholders results in losing your job if you live in CEO land.

Privacy hasn't existed for years and years. My first internet experience was when AOL was brand new, and I got connected with my state-of-the-art 14.4 modem. Wow was that fast. Even back then I remember getting UCE, and having marketing things tossed at me that were quite strange in their approach. (i.e. why is it that when I started, I saw ads for generic things, but the more I go along, the more specifically computer targetted ads I see? Does that have anything to do with the bulk of information I'm after?)

The only way you can really have privacy is to use other people's networks, never sign up for an ISP or give out your name, address, email, phone, or other information, and keep changing computers so as to dodge cookies, and other "features" of the software that we don't know about yet.

Has it ever occurred to anybody that every once in a while, people will discover one of these privacy violating features and everybody will be shocked and outraged about it - ever wonder how many of them are out there that we don't know about?

Re:Privacy never has existed

[Listerine]

I had AOL before it offered access to the Internet. I don't quite remember why I used the service, since most everything was ugly and not very interesting... but at least they didnt track me around their service.

Does someone know of a good port monitor or Win98 to help me see if this is happening?

Re:Privacy never has existed

[the_tsi]

I got a lifetime membership to The Source (for god knows how few dollars) back on my Apple IIe in 80-something. That got bought by CompuServe, who honored my membership, who got bought by AOL, who honor my membership. Mmm. Gotta love it. Makes me wish I had gotten one of the lifetime memberships to National Geographic when they still offered them...

-Chris

Re:Why is this an issue?

[knuth]

It's an issue because:

1. Real didn't tell anyone that they were collecting this information. Not until they got caught with their pants down, that is. Therefore:
2. Users had no choice. You could not decline if your privacy is more important to you than listening to RealPlayer stuff over the Net.
3. They didn't just track how many times you used the software, they tracked where you went, what you listened to or watched, and how you used it (e.g., the comment about stats on how many sucker^H^H^H^H^Hvalued customers recorded CDs).

And probably nobody spoofed the GUID, not if no one outside of Real knew it was being collected before.

It is an issue because it is a hitherto undocumented invasion of privacy.

This explains a lot...

[pen]

I guess this should explain why RealPlayer attempts (and usually, suceeds) with binding itself to every file extension the programmers could remember, even the ones it can't handle.

That's why I removed all traces of it from my machine a long time ago. I guess I was right to do it. :) However, I also removed QuickTime for the same reasons. Why it would bind itself with files it can't handle is beyond me.

--

Re:Grrr!

[Signal+11]

Hrmph. It's not as if congress would actually pass a law outlawing the collection of personal info. It'll be a cold day in hell when that happens. What I'm saying here is - that's okay, but I want to know about it first.

--

Grrr!

[Signal+11]

That's it. I say we pass a law requiring the program to document all features. They can violate our privacy, but atleast we'll know what they're up to!

--

Re:Grrr!

[turg]

I say we pass a law requiring the program to document all features. They can violate our privacy, but atleast we'll know what they're up to!

Hmm... Then we'd be hearing companies saying "It's not a feature, it's a bug"
-
<SIG>
"I am not trying to prove that I am right... I am only trying to find out whether." -Bertolt Brecht

Re:Grrr!

[waddgodd]

I can just see it now--the Anti-Microsoft defense: that's not a feature, that's a bug!

Re:Grrr!

[toast0]

yeah, thats just what we need, more clueless laws from congress about things they can't keep up with.


(sorry thats knee-jerk)

Re:It's only a matter of time...

[benbean]

Ah, but what if vi, emacs, more, less and every other program capable of viewing source is altered to automatically filter out the monitoring sections of the source code, huh? Huh? What about that then... damn the man...

Re:then again..

[Musc]

First of all, theft is the wrong word. It is invasion of privacy, not stealing.

But i definitely agree, no software, of for that matter hardware, has any right to send information to anybody or anything without your knowledge. If it said that it does this up front, then we have the ability to choose not to use it. With this bullcrap, we are unknowingly giving away vital bodily secrets.

Yup, me too

[Croaker]

Real Audio thinks I'm Bob Yaya. I live in Peoria, which is inexplicably in the Marshall Islands. Zip code? 90210, of course. They don't bother verifying even that. I happily fill their systems up with junk. And when I reinstall, I blow away the old info and register with a new, bogus ID. I think I'll be from Timbuktu next time.

I think I just give them a bogus e-mail address each time. I don't think they require e-mailing you a registration key. If they did, I would just use one of many deflectors to bounce the e-mail for real, then shut down the account.

Of course, if they are on the ball, they can suss out a few things. For example, they probably log my IP address, which will tell them my ISP, which will give them my geographic region.

One thing I wonder about... isn't there rstrictions on getting information from minors? Is Real not collecting info when the registeree is under 12? Hm.

Another question... if Real did this for so long, how do we know tha there aren;t other sleeper programs out there that might not only be reporting what you do with them... but also what you do in general. Perhaps ICQ is silently watching your web browsing? Is AIM checking up on what programs you're running? Makes you wonder.

And, of course... if Real's player was open source, we'd probably have spotted this nonsense a while ago.

Re:Yup, me too

[quonsar]

Perhaps ICQ is silently watching your web browsing? Is AIM checking up on what programs you're running? Makes you wonder.

It is not an attempted deceit, but as you may know, one of ICQ's features is a message history. My earliest version was on a machine I used for about 18 months. A friend and I use ICQ everyday all day. We hate the chat modes, we just send ICQ messages back and forth. Mostly these revolve around attempts to upstage each other in the humor department.

One day I got poking around and discovered this massive file with every word we had exchanged over the entire 18 months. It was very clear that without the context of the moments in which we said those things, an unclued reader could come to some damaging conclusions.

I'm not claiming this is something evil. I'm just saying that its easy to forget that something you use all the time may be keeping track of history - and to behave or configure accordingly.

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

Re:OpenSource?

[IntlHarvester]

What would be an
answer is to have a trusted organization,
which would audit code, put its stamp of
approval AND serve as the distributor
of said code.

In the open source world, Debian functions this way. There doesn't need to be a 'for hire' auditing agency.
--

Registration doesn't make a difference.

[bmetzler]

It's your GUID whether you send them your zip code or not.

I don't have a big deal about RealPlayer collecting geographic infomation, as long as they have a privacy statement.

A GUID is just that, a mostly random number. Although I agree, it could be used wrongly.

-Brent
--

Because...

[Parity]

MAC addresses belong to your NIC which can be interchanged.

MAC addresses are easily spoofable; many NICs allow you to set the MAC address in firmware.

Also...

People do complain about IPv6 because it includes a protocol of assign-IP-addresse-based-on-MAC-address.

Mmmm. Also, my NIC is totally irrelevant to my internet access. It's for networking to friends who bring laptops over. It'd be a lousy identifier 'cause I can take it out 90% of the time.

Every computer needs a CPU - which would be a lot more expensive to change than a $20 NIC, and finally, nobody ever tried to conceal the fact that NICs have unique MAC addresses.

Well, you -did- ask.



--Parity

Re:OpenSource?

[Compuser]

You got a point. But there is still a need
for an analog of Debian (in the specific auditing
sense) for closed source world.

Re:OpenSource?

[Compuser]

Open source is hardly an answer, unless
you actually read the code (I'll bet most
people have never audited a piece of
software in their lives). What would be an
answer is to have a trusted organization,
which would audit code, put its stamp of
approval AND serve as the distributor
of said code. Such an organization could
be subject to NDA so it could work for
both closed and open source.
However, as we see from hardware review sites,
it is important to have several audit sources,
so a consumer would have a choice of who to
trust. I am thinking of Nader competing with
FSF, competing with BSD guys for public trust.
(On second thought, FSF is unlikely to sign
an NDA :-).

Re:Linux version too?

[gehrehmee]

On that topic, what about Liquid Audio -> something standard?

Why is this an issue?

[yobtah]

Any user who downloads RealPlayer submits a name, e-mail address, etc. before downloading. While there's no guarantee users are submitting correct information, my guess is that most are. In any case, users are definitely aware of the request for info. Given this, why is submission of a unique ID by the program an issue? If RealNetworks asked for (and probably got) my name and e-mail address, why does it matter if they know when I'm using the software I downloaded. I don't think this is nearly as large an issue as the RealJukebox stuff.

No, it doesn't...

[Otto]

A long time ago I was writing a simple CD player program for myself, mainly to do Auto-DJing with. I never finished it, but one of the things I did look at very hard was the CDDB protocol.

When you send an update to the database, you are sending an e-mail with a special format.

However, when you QUERY for info, all you send is data about the CD so it can return the cd data. NO EMAIL ADDRESS IS SENT in the query.

Now, they have a new protocol, called cddb2 (cddb-squared, actually), and I haven't looked at it. So I don't know about it. But the standard CDDB protocol does NOT gather personal info in this way.

They do gather info on number of queries as a whole done to their database, of course. This is a handy way to determine popular playing choices. But they have no way to determine an individual's popular playing choices.



---

privacy and the registration requirement

[ottffssent]

I don't know about the rest of you, but 'back in the day' when I had no better place to put a webpage than on Geocities, I too was required to register. I'm sure they kept every scrap of information I gave them, and I'd like them to know that it was all bullshit.

According to geocities, my name is John A. Doe. I live at 1234 main street, LA California. I make over $150,000 per year, am married, and am female.

Though I'm not going to tell you the truth either, I will say that I'm male, live far far away from LA california, make a small fraction of the listed income, am not married, and don't even know anyone whose initials are JAD.

The USPS is happy to provide the zip+4 address that many registration programs require to verify that you really do live there. Go to http://www.usps.gov/ncsc/lookups /lookup_zip+4.html and give them an address. Many sites also require you to enter an area code for similar reasons. This is also easily spoofed. Go to http://www.555-1212.com/area_codes.html and list the place you've decided to tell them you live at. Some place (LA, for example) have several area codes. All will be listed, and you'll have to try them until they work. For example, LA has 323, 213, 310, and 424 so you'll be shooting in the dark. Fortunately, not many places are as big as LA, and if it's only got 4 area codes, your favorite burg likely has only 1.

In short, while I'm distressed by the business practice of grabbing what info they can however they can so you don't know about it, I've developed ways to give them verifiable but totally useless information to satisfy registration requirements. As a matter of course, I provide such bogus information even to reputable institutions like the new york times, where I have over a half-dozen registrations for myself and various friends.

But wait! you say. What about scams where I have to provide an email address so I can get a registration key? That brings us back to geocities. Or hotmail. Or any one of a hundred different similar services. Hotmail and their ilk are probably the best in this instance because they're webmail (as opposed to geocities' pop server, which while slow is very nice if it's your main email address) and don't require any re-configuring of your mail settings to get at. Send the key there. Then ignore all the mail you get. If you don't use the service anymore, it'll delete you. If you do keep using it, just ignore the junk mail that piles up and grab the keys you need.

Re:privacy and the registration requirement

[PurpleBob]

When forms ask for a city, state, country, and zip code, I put in:
Shneederville, New Hampshire, Albania, 66666.
I haven't encountered a form yet that cares about the inconsistencies or the fact that there's no town anywhere named Shneederville.
--

Re:Privacy Panda

[Surak]

Now that privacy issues are getting more and more press, the time is ripe for a cartoony privacy mascot. Companies can attach his picture to their products if their software doesn't reveal or track any user info. I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

You've obviously been watching too much South Park lately :) (For those who don't have Comedy Central: they had an episode featuring sexual harassment, which featured, among other things the "Sexual Harassment Panda" along with various stupid mascots that didn't make sense.)

Re: Apple does offer an offline installer

[lucidvein]

After several complaints about the net only installer, Apple did release the full binary installer here...

http://www.apple.com/quicktime/dow nload/support/

"This stand-alone QuickTime 4 installer does not require a Internet connection during initial installation. To update QuickTime to a future version, you can run the QuickTime Updater on the Internet or download a future version of this stand-alone installer."

Enjoy

Re:CDDB players do it too

[mindstrm]

Yes, they do. But the difference is, every time you query the CDDB database YOU are accessing their server. It would make sense that their server could keep track of this.

IN the case of real player, why should it send information to RealNEtworks when it's not required to?

Same goes for browsers, in case nobody noticed.
If you mis-type a URL, the error page is fetched from Microsoft (Or Netscape, as the case may be)

This is BAD> Just because I mistyped something does not mean they should know about it.

Re:Linux version too?

[dizco]

Dunno about your first question, but there's a real audio decoder for windows here..Wish there was a linux or os/2 version, but not yet. I'm using it to convert the hours of slack to mp3s for easy in-car listening when pine's spiffy mp3 cd player is released..

New Glitch.

[mikeel]

I'm surprised this hasn't been found earlier. I wonder how long this has been going on?

I was only joking, I'm sorry

[Nodatadj]

I was

Honestly
I'm not able to forsee the future
What I posted earlier this week

Linux version too?

[ABadDog]

Does this refer to the linux version too?
BTW, does anyone know a way to convert .ra files into .mp3?

Re:Linux version too?

[Amish+Mafia]

i don't know about Linux, but for windows i have (or had, i forget) a RA -> wav decoder. Then you just encode the wav

Re:Linux version too?

[discore]

i dont see why the linux version wouldn't.. although that is just a guess.

ive never heard of a program that specifically does ra -> mp3, but there's ways. maybe record a big .wav and encode it? i dunno.. just a guess

tyler

Who cares?

[pel]

Having a company collect trivial marketing information should be of no concern to anybody. There are laws in place to prevent abuse of information gathered in this way. It's just like a doctor or lawyer knowing the goods on you - yeah, they know, but if they abuse the info, they're going to jail.

Besides, if it means that I might be exposed to products and/or information that is more specifically targetted to my needs and desires, then so be it.

Funny (OT)

[Wah]

if you haven't been watching Southpark lately, try to. It's hilarious. "Alabama Man" action figures, sue happy schoolchildren, kenny's halloween costume and ensuing death, (an at-at harponed by circling snowspeeders) and chinpokomon ("ooh, you all have such very large penises").

moderate this up

[Wah]

funny as hell. a heisenberg attack on marketing.

Updated Real Privacy Statement in R7

[Malo]

Odd considering all the debate about this issue. This gem appears in the registration screen for the Real Player Plus 7 Beta.

I wonder how fast they turned around and updated the text files to take this into account. And I particularly love how they don't mention prohibited uses of the information.

Ah, such is life.

"Privacy Implications

By electing to submit an electronic registration, you are sending some personal information to RealNetworks, such as your name and e-mail address. RealNetworks will never sell, rent, or share your personal information supplied during electronic registration without your consent unless compelled by law or court order to do so.

No unique product ID is sent during this communication (the Globally Unique Identifier - GUIDs has been set to zeroes for electronic registration so it cannot be used to identify you).

For more information about GUIDs, RealPlayer and privacy, please read RealNetworks' Consumer Software Privacy Statement:
http://www.realnetworks.com/company/privacy/softwa re.html

UK Data protection Act.

[noidd]

Someone asked about UK laws on such issues... I have just finished a course of the "UK Data protection Act"... There are 8 principles. I'll list a few which are relivant.

1) The data protection act covers Personal data. Personal Data is defined as data that is about a person (or sole trader or partnership) which is about and is identified to a person.

Harvesting playlists is dodgy. Doing it with an identifiable ID is *illegal* without their consent.

2) The data must be used in a fair manner and kept up to date. This wonderfull ruling makes dealing with credit ratings easy ;)

3) Data must only be used for the specified use. Saying you are using it for one thing and then using it for something else is illegal.

4) Data must not be passed on to a country which does not have these safeguards in place.

NOTE: The US is specified directly in the course that I took - You are NOT allowed to propergate data to the US.

Breaking the above gets you an enforcement order, ignoring it gets you unlimited fine and jailtime.

Red

Simple.

[noidd]

1) MAC address' can be changed
2) MAC addresses (in current ip) don't go any further than your local lan
3) They don't record your MAC address when you buy your NIC.

It would take all three of those above to change for it to be a problem.

Privacy and Contract Law

[Quirk]

I've quired /. re the following but have not received a reply so let's see what happens here. As an eco/com grad I had to take multiple semesters of biz law although I openly admit to limitaions as to my knowledge I am of the opinion that where one party, say a software developere or a web site derives a benefit from another party, say a users or visitors private info and the second party also derives a benefit, i.e., use of the software or some "freebie" then a contarct has been entered into and as such the terms and conditions of said contract are subject to contract law.

Is there an org somewhere on the net looking into the legal implications of the above. I think a few gig class action suits would chill the big boys out fairly quickly and we wouldn't have to put up with the equivocation and backsliding. But as long as the Corporate entities know users won't do more than occasionally bitch they will continue every possible abuse to make a buck.

cheers

That does it! Real* is out, asf is in.

[Kilzall]

I like to record memorable episodes of Simpsons/Futurama/Family Guy etc. and compress them with realencoder. The only reason I've been using this instead of asf is the cool splicing utility that comes with it that allows me to get rid of commercials and stick files together. Now I'm resuming my search for an asf editor because I can use ATIplayer to view them instead of the proprietary realplayer, they look a helluva lot better and they compress 3x as fast (Ill put up with M$ for a copy of The Matrix at VHS quality for only 576 MB). Anyone know of a splicing utility for asf?
--

my guess is........

[RoLlEr_CoAsTeR]

(I'm probably way off on this one, but..)
you could always look around/ask around for older versions of the software. Of course, can't the new versions run without using the net? Then again, I don't use quicktime.

A question for you:
Why isn't your laptop net enabled? If it is not net enabled, then I'm going to have to assume that you acquire all of your software from some other method: another computer that is net enabled, other people, or by buying the stuff (ouch).

hmm..........

Re:Win98 does it too

[NKJensen]

Well it could be a simple Netbios DNS on 137-139.

I'll see this until you set up your Workgroup correctly. You can also let Samba handle the Netbios DNS lookup to prevent unwanted dialing.

Best regards,
Niels Kr. Jensen
Denmark

Re:then again..

[Coward,+Anonymous]

windows media player also gets "codecs" i think from some microsoft.com server occasionally. im not a big MS person so.. does anyone know what these are?

Codec stands for Compression/Decompression. Some file formats, like avi, can be compressed with any compression routine and a reference to the library used is stored in the file. If you don't have the appropriate decompressor, you can't play the avi, so media player attempts to download a dll so that you can play the avi.

Privacy of consumerism, one fish among many

[MagusOceanus]

I don't think the average sales/marketing person cares to violate my rights or to uphold it. Instead there is a mutual interest, they want to send ads that are more or less relevent to people who'd be interested in their good or service, and my interest is only to receive ads that would be of interest to me. In fact, I appreciate the fact that MP3.com sends me an email only once a month or so with links to the latest releases of music in the genre's I am interested in...and not "spam" for Wayne Newton's compilation album.

But essentually any information they have about me is just a blip of my music browsing habits. It isn't contianing information that supposed evil people in a weird corperate/government conspiracy of satanic alluminati freemasons bent on world domination would find relevent, even if paranoid scitzophrenics have been right all along about the existance of such.

I think it would be nice some day not to get called at dinner time for alluminum siding when I don't own a home, or calls for a charitable donation when I am an utterly selfish scrooge with my money. The only way that is going to be possible is if they already have information about me in some subroutine that flags me and says "don't bother calling/emailing/snailmailing him for this product, it's a waste of resources". I have yet to get a phonecall from a telemarketer that gave me information about what I like to spend my disposable income on; like a new sushi resteraunt!!! When that day comes I think everybody will be happy, and privacy wont seem as important as not being nagged for what you don't care to buy.

Johnny

German Magazine C't has an interview

[georgk]

The c't-magazine http://www.heise.de claimed sort of the discovery in issue 23 from friday. They' ve also got a statement from real. I cannot find it online, but it sounded like real wanted to remove it.
Real couldn' t say if they saved e-mail information and other "identifiers" with the GUID, but they pointed more than once to their privacy-statment.
georg

Re:Privacy Panda

[quonsar]

I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

Definitely a job for McMoo - The Anti-Drug Cow.

======
"Rex unto my cleeb, and thou shalt have everlasting blort." - Zorp 3:16

RealPlayer IDs

[chown]

All versions of RealPlayer G2 Send it, and I beleive all versions of 5.0 did as well. They look like this:

22a7cc46-7962-11d2-8612-006097a1ae04

It gets logged by RealServer G2, which is sort of funny, since it doesn't really do RealServer admins a whole lot of good, I guess you could get accurate numbers of how many REALLY unique hits you got, on a per-player basis, but I usually just do it by IPs and nobody seems to care. So one would assume that RBN is tracking this in some fashion for their own use.

DOS attack?

[Ungrounded+Lightning]

I wonder if anybody will reverse engineer enough of the protocol to flood the servers with bogus tracking data?

B-)

Re:DOS attack?

[Ungrounded+Lightning]

I think you are working at too high a level, reverse engineer the protocol, why? If you dont like them
intruding on your privacy, you could just Smurf the server, all you need is the IP addy.

First: I don't intend to do this. I was just wondering whether/how long until someone did.

Second: Smurfing the server just stops it from collecting new information. Handing it bogus data corrupts what has already been collected.

Re:It's only a matter of time...

[toast0]

hmmm i'm probably spinning this the wrong way, but that seems like a darn good reason for using open source software.....

If you're really that paranoid, you can check the source to see where your keypresses are going. :)

Re:then again..

[MikeBabcock]

A CODEC is CODE DECODE shortened up ... a short form for an algorithm that encodes and decodes a stream of data (in this case).

For instance, Real Player G2 will see a stream and notice that it doesn't know what to do with, say, RealFlash 2.0 data, so it downloads the RealFlash2.0 "CODEC" to handle it.

They both do this.

IMHO, this is what all software should do.


- Michael T. Babcock <homepage>

RealPlayer uploads your id

[samantha]

Why do I care that programs upload a guid? UUIDs are a very efficient tool for a lot more than keeping track of who is using the product and their various pieces of registration information. We are sort of schizoid about this stuff. Privacy is effectively dead through techological innovation. You are literally watched or watchable almost every moment of the day. Or didn't anyone notice these capabilities? We groan about RP getting our id and at the same time would like to live in a world that tailors itself to our likes and dislikes a bit more closely including advising us of various opportunities and products (at least when we want to know). This sort of stuff can't be done without gathering information and knowing who you are. Online business cannot be finalized without you effectively having a digital signature/fingerprint.

Perhaps the needed balance is the ability to simply say NO when we wish to or provide alternate minimum information.

Re:OpenSource?

[thopkins]

In Open source, even if most people don't read the source code, chances are that a programmer will and will see that the program sends out information and will tell everyone about it.

Privacy Panda

[gad_zuki!]

Now that privacy issues are getting more and more press, the time is ripe for a cartoony privacy mascot. Companies can attach his picture to their products if their software doesn't reveal or track any user info. I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

If we're lucky some guy in a Panda suit will follow around the fed's new anti-hacking mascot around to all the gradeschools.

If we're really lucky he'll pick a fight with the anti-hack gerbil as he tries get converts for the CIA kids program. "No kids, snitching is bad, take that you filthy gerbil!"

Re:Win98 does it too

[atallah]

No, it isn't sending out info... It is checking your net connection. I had a similar thing happen to me and i checked what it was doing, it was trying to access windowsupdate.

Re:This seems unfair

[atallah]

I agree 100%. Everyone is complaining about things like these, remember when Intel came out with the PIIIs? ALL ethernet cards have a unique 12 character code, these numbers are used for DHCP purposes and could(i'm sure they are) be used for tracking purposes. Shouldn't someone complain about that?

GUID just a COM construct...?

[eries]

I hope someone who is more knowledgeable about this will correct me if I'm wrong, but isn't a GUID just a part of MS's Common Object Model. My understanding was that each component in a COM system is assigned a GUID. In order to access other components on the system, you need to ask the system for them by GUID instead of by name (as in a smart system like Java). Seems like this could just be a some software engineer out there trying to make RealPlayer DCOM compatible or some such. Anyone know anything about that possibility?

Cookie Cutter?

[PhatKat]

There are all sorts of programs available for finding and killing cookies. Are there network sniffing resources that can detect and report this sort of thing? Maybe even catch and kill them on their way out? A little program like this would be a good way to catch more programs like this before they've been circulated to > 69 Million users.

Insanity.

[Guyle]

I've always been one who hasn't worried much about posting personal-ish information in various places, because if someone really wanted to find out information on me, they could get it somehow, so why bother hiding it? Nevertheless, things like this piss me off. Companies who assign you a number and then track the things you do with their software without EXPLICTLY informing you of their intentions BEFOREHAND are way out of line. It doesn't matter how valuable the information is in their endeavors to earn money via advertising and whatnot - it's blatantly infriging upon our personal rights. It might be more acceptable for them to state that before you are able to install the software (ie - software agreement), because then that way you know what you're getting into, and you can make a choice then based upon what they're collecting and what they're doing with it.

It is of my opinion that companies should be mandated to include these statements in licensing/software agreements. Having RealNetworks finally come forward with this after getting poked in the ass is not acceptable. Remember when Microsoft used to send hardware information when you'd register online? How many people's feathers did that one ruffle? Use of RealPlayer is almost as broad as that of Windows 95/98 (it's on this computer I'm using now in a computer lab on campus, even). People need to take a serious look at what's going on, and take measures to deal with it.

then again..

[discore]

with the millions of people that use both windows media player and real audio i dont think its too big of a privacy concern. more of a marketting concern i would guess.

windows media player also gets "codecs" i think from some microsoft.com server occasionally. im not a big MS person so.. does anyone know what these are?

tyler

Re:then again..

[cruise]

How could you think that the theaft of ANY of your information without your consent is anything but a privacy concern. If I listen in on your telephone conversations I can go to jail.. If software vendors listen in on something even as simple as our GID they should also be jailed. rpm -e realplayer

Win98 does it too

[spectro]

I was updating from win95 to win98 and have a small home network with a linux machine as a dial-on-demand router to the internet. I remember when win98 installation was almost finish the linux started calling the internet. The trigger was a DNS query I couldn't log at that moment, but unplugged the net connection to the win98 box. It was hanging for about two minutes before continued and finished win98 install.

Who cares?

[TummyX]

Gee it's a GUID. The last part of it has the id that your network card contains...or it's faked if you don't have a card.
It's no more of a concern that having your IP tracked. Or having to use a credit card.

Relax ok. The only ones who have anything to fear are people who crack.

Re:Money for marketers = no privacy

[Connor_]

"Your ISP can record EVERY MOVE YOU MAKE" What about a nice blowfish SSH to your friend's box and doing lynx? (yes I realize then it's his ISP watching)

"... He loved Big Business..."

[Greyfox]

With apologies to George Orwell.

Who let Scott McNealy have an account here, anyway?

CDDB players do it too

[isaac_akira]

CDDB (www.cddb.com) has been tracking every cd you listen to using your email address. Sure you can enter a bogus address when you are asked for one, but you can enter bogus info with RealNetworks or any of the others too.

- Isaac =)

Money for marketers = no privacy

[blakestah]

This is no surprise at all. The surprise is how
many of these exist that are not publicized.

And I doubt it stops there. I would think every
major ISP is tracking hits from every user,
particularly to correlate web purchases with
web site visits. That is very valuable info. Your
ISP can record EVERY MOVE YOU MAKE if they are
so inclined. And it is worth a lot, so in business
terms they would be idiots not to track you.

This seems unfair

[nowindowz]

People always bitch about being loged haveing serial numbers on their computer, well why hasent anyone started bitching about the MAC address on your nic card it is a unique number and is easy for anyone to get ???

Who cares!

[Kombat]

Good grief people, it's just a number. Most software/freeware gathers far more info from you (or tries to anyway) when you download it from their site. And why shouldn't they? Hell, they invested the time and money to write it, and all they want in return is to know who's using it. The least you can do is answer honestly, or don't whine about the free software. Are you forgetting that the whole damn Linux movement is central to the concept of "free"?

Geez, people, they're GIVING it away. If you don't like what you get, write your own damn players. Don't bitch about something you get for free because it does something horribly invasive like sending a unique random number to some server every time you use it. Ooo! Scary! Get a life.

Re:It's only a matter of time...

[smash_phase]

How about creating an ethernet network card that chooses a random MAC adress at boot? I've been told ethernet cards are easy to make and with ~16^12 possibilities you aren't likely to gonna have a MAC collide..
Now the only thing for the Windows OSes is, that I don't know if the MAC adress is stored in the registry at the installation of the OS and if so, are windows programs retreiving their information from it?
And the next thing to do, is finding a way to fool IPV6...

A joke?

[smash_phase]

This is what I get to hear all the time at work, with friends etc.. Why do I need privacy? You think it's funny to yoke around with? Wait till all pieces of the puzzle come together!

It's only a matter of time...

[Keelor]

It's only a matter of time before I'm going to disconnect my ethernet card so that I can be _sure_ that nobody is transmitting every key press.

What everyone seems to be overlooking is that it's obvious that Real is just a front. Truthfully, Real=Echelon. It's a conspiracy--MP3s, streaming music, everything was made by the world-wide government to

A. Hand out free software that allows them to track all usage.

B. Encourage illegal activity so that anyone can be arrested for pirating whenever it's needed.

~=Keelor

I'm not insane... the voices told me so.

Re:It's only a matter of time...

[Relforn]

And if you're really, really, really paranoid, you'll realize that you can't ever really read all the source, yourself, and expect to understand where the back door is hidden. Obfuscated code is nothing new.

Plus, the fact that you build it from source means that the source lives on your machine somewhere, where it can be corrupted by other processes. And it probably links against library code when it builds. That means you'd better check all the library code as well. It only takes one slip into your machine from the outside to plant something there.

And forget it, if you thought installing via RPMs was a good idea. Or do you look at the contents of each and every RPM before you install it?

Anyway, just a heads up, because people assume that Open Source offers tremendously greater security. It doesn't. In some cases it's somewhat better. In other ways, it presents new problems.

Isn't life complicated? Isn't life fun? I think so.

Re:It's only a matter of time...

[Fuhrer]

I've not

Overload their servers with false information

[kaos_]

Why don't we monitor what type of connections are being made and then make a program to submit random junk constantly so their 'tracking' would be worthless?

Why do these media players think they're so cool?

[DaveMcD]

I was thoroughly disgusted from the sheer bloatedness of realplayer from the start. Why can't there be a simple player that just opens the file and plays it? Thats all I want the thing for. not whatever lame news servers they have or any of that crap. It's the same with Quicktime. They don't have a simple viewer, they gotta make this big deal out of it and throw these stupid "give us money" questions in your face for just the viewer. it's really sad. (and a few meg. pretty gay.) and yes, if there was a simple program that played media files and wasn't bloated to hell, I would pay for it.

Update

[HeadGeek]

http://www.real.com/company/pressroom/pr/99/update advisory.html Well, a step in the right direction anyways.

A few concerns

[Raindeer]

When hearing this story, it sounds like I am hearing the same story that I have heard way too often in the last 5 years, but now with Real's name in subject header. I really start to wonder the following things.

1. Why does everything have to be recorded with a GUID embedded in the program. If anything use cookies that are only sent back to the site they originate from. This way it will be a bit harder to cross referencing, but they are still useful for the purpose of figuring out what certain groups like.

2. Why does it seem that these things are always found by the same people. It doesn't sound too difficult to me to monitor what is going in and out of your machine.. (but I am not a techie, so shoot if I am wrong) Basically, why is there no group that are occupied with this? A concerted action might make that certain companies think twice before doing it.

3. Why do these things allways get called bugs and glitches. I have seen some pretty stupid coding in my life, but I have the faint idea that you don't get this by letting your cat walk over the keyboard. (Again, correct me if I am wrong). Somebody put them there for a reason and I get the idea that there are alot more then we know...

Well those are my two cents. I am waiting for the day my teachers call me and tell me that their data shows, that my reading of Slashdot is negatively affecting my grades :-)

-----------------

Re:OpenSource?

[cribeiro]

Open Source would be too hard to push on... I think that Open Protocols are the *real* answer. If all Internet protocols were published things like that would never happen. You would get a truly competitive market - for every commercial, closed product, there would be several competitors, including Open Source efforts.

There are other reasons why I think that we should push Open Protocols over the Internet. First of all, the technical ones: it would become easier to spot security problems, protocols could be optimezed, and interoperability could be achieved. And then the "other" ones: safety for the user that know what is going on, freedom of choice... and its not incompatible with the commercial software industry. The software industry already implements a lot of commercial software based upon open specs, so why not make it mandatory?

OpenSource?

[retep]

Just another reason to go with open source...

The amount of data apps can send about you is scary. Anyone with a network connection is at risk. Perhaps we should be watching what our app are doing with some network monitoring tools?

I wonder what stuff that would turn up...

Re:OpenSource?

[retep]

But the fact is that in any case with open source you have a chance of such things being found.

Sure about %99 of people will not look in the code at all. But that %1 can always tell the rest of the world. And that %1 will get fame, although not fortune, for finding any leaks. Just imagine what would happen if a serious privacy violation like the one in RealPlayer was found in a OpenSource project. It would be a great way to get your name known.

Anyway with closed source you have to look much harder to find privacy problems. You can't just look at the source code.

Isn't this illegal in Europe?

[nightspd]

I thought Europe had laws against this kind of stuff??