Slashdot Mirror


RealPlayer Uploads Your ID Too

Wired revealed this morning a "New Privacy Glitch" which may actually be years old. Real Networks' RealJukebox isn't its only software to send a Globally Unique Identifier (GUID): RealPlayer does too. The free RealPlayer has 69 million users of all its versions; Real isn't saying which versions send the GUID. It's sad when the "good news" is that RealPlayer doesn't scan your hard drive. Oh - and by the way - Windows Media Player sends one too but it's OK because registration is not required. Are we living in cuckooland? Update: 11/08 08:44 by J : On the just-launched real.com site, their Software Privacy Statement says: "the Globally Unique Identifier - GUID has been disabled for electronic registration so it cannot be used to identify you." This is for RealPlayer 7: still, apparently, no word on earlier versions.

34 of 166 comments

  1. And requirement to be honest on reg never existed. by Anonymous Coward · · Score: 2

    I always provide BOGUS information on all registration forms. Look at my copy of win98, on the 'about' box it says "This software is registered to: The Public Domain". Hey! They gave me a fill in the blank SW license. This is like an already signed blank check so I filled in the name with 'the public domain'. Other software is registered to "Nobody", "Unknown User", "John Doe", and "The Bearer". And yeah, my purchase role is 'final decision' on all purchases for my company of 500,000 employees. Wheee!! And I buy over $1e6 worth of computer products every year. Oh and if they want addresses and phone numbers and email, I plug in the company's own street address, phone number, and sales@, or info@, webmaster@, or root@ at the company's own domain name. This isn't a court of law or legal proceeding here so there's no penalty of perjury for lying. I happily make up all sorts of stuff! And if my lies fsck up the co's statistics then that's too fscking bad. Do I have a 'right to privacy'? No, but by that same token, companies have no 'right to collect accurate marketing information about me.' Works both ways, ya know.

    To mangle Jay Leno's quote from those old Dorito commercials:

    Collect all the bogus information you want, I'll make more!

  2. Only criminals want privacy. by Anonymous Coward · · Score: 3
    Anyone who complains about this is obviously a child molester or a drug dealer or a DVD encryption cracker or other horrible deviant. Next thing you know people will be complaining when the police start installing cameras in peoples' houses to catch burglars.

    Face it people, government and big business is your friend. They only want what's best for you. Now stop resisting, go back to work, and buy some of those fine products you see advertised on TV and the web.

    1. Re:Only criminals want privacy. by n0stram · · Score: 2

      But you still remain anonymous...

  3. Is this helped by proxying? by Christopher B. Brown · · Score: 3
    It's not evident whether this is helped or hindered by having proxy servers in between you and remote sites...

    There most certainly are cases where it is very nice to have something like Junkbuster and/or Squid in between me and remote places, as both can help keep things a bit more anonymous.

    I'm looking forward to cable modems being more ubiquitous; this will mandate having personal firewall machines, and this will encourage the development of little easily-managed boxes to help with such.

    Little Linux boxes would be perfect candidates for this sort of thing; a minimal distribution that has some proxying software, and something like Linuxconf or COAS that can be configured remotely through a secure connection (e.g. SSL) would be a killer app.

    --
    If you're not part of the solution, you're part of the precipitate.
  4. Dammit... by Millennium · · Score: 2

    Well, I guess I'll be deleting RealPlayer from the Mac side of my machine (never found a version for LinuxPPC or I'd delete it from the Linux side too). It never worked all that well for me anyway. I guess I'll be sticking with QuickTime for my streaming video needs (there are still rumors of Apple doing a QuickTime Linux port; anyone know what ever became of those?)

    Anyone know of a program to convert .rm files to MPEG (audio and video both), on any platform? I've seen programs to convert other formats to .rm, but never one to convert .rm to anything else.

    1. Re:Dammit... by tlhIngan · · Score: 2

      Does that cover RM G2 formats, too?

      (BTW, here's another program for Win* users):

      2B Systems makes RA2Wav, converts RA streams to WAV, and for all those pesky pnm:// stream servers, X-FileGet will get pnm:// streams (as well as the usual FTP/HTTP transfers).

  5. Re:Grrr! by Millennium · · Score: 2

    Perhaps I'm the clueless one, but why would such a law be clueless? All it does is require the makers of software to document all of the features therein. As far as I can tell, that's a Good Thing. How is this bad?

  6. Companies privacy statements by Uruk · · Score: 2

    As long as they have a privacy statement? Doesn't that maybe need something particular added on to it, like "An *appropriate* privacy statement"?

    Privacy statements can be buried on a page or contain tricky wording that when deciphered can often come out to something like this:

    FooSoft promises to never use this information in a way which would be detrimental to our consumer's privacy when it coincides with FooSoft's financial interests. Should the financial interests of FooSoft dictate that distributing information gathered from clients is in the interest of FooSoft's bottom line, appropriate actions will be taken to safeguard investor value in FooSoft.

    Sounds nice. Maybe.

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
    1. Re:Companies privacy statements by bmetzler · · Score: 2
      As long as they have a privacy statement? Doesn't that maybe need something particular added on to it, like "An *appropriate* privacy statement"?

      Well, I think that a privacy statement is legally binding. So if they say they won't use data collected to track you, and they do, then they are liable for damages.

      The important thing is that they have a privacy statement. It is up to *you* to read it and determine if it is appropriate for you. If it isn't, then you don't have anything to do with them.

      -Brent
      --
  7. Privacy never has existed by Uruk · · Score: 3

    What do you expect companies to do? Pass up an opportunity to gather important marketing information?

    Privacy hasn't been really possible ever since the real marketing sharks started to hit the internet. Remember, even though companies aren't ethical for the most part, they're not stupid. They wouldn't bother getting their codejockeys to put this stuff into the software if it wasn't making them big bucks in one way or another. It doesn't give companies a stiffy to have power over you and use your information, it's just that they're making money off of it, and that's why they do it.

    Public companies are a real bitch, because of the diffusion of responsibility. Even if they have people inside the organization that realize something is legal, yet unethical, it still gets done, because there really isn't a big boss that can say "We're doing this, and not that". There is to a point, in the CEO/CFO, but at the same time, they owe their jobs to the board and the stockholders. Failure to be ruthless and relentless in the name of corporate profits for the shareholders results in losing your job if you live in CEO land.

    Privacy hasn't existed for years and years. My first internet experience was when AOL was brand new, and I got connected with my state-of-the-art 14.4 modem. Wow was that fast. Even back then I remember getting UCE, and having marketing things tossed at me that were quite strange in their approach. (i.e. why is it that when I started, I saw ads for generic things, but the more I go along, the more specifically computer targeted ads I see? Does that have anything to do with the bulk of information I'm after?)

    The only way you can really have privacy is to use other people's networks, never sign up for an ISP or give out your name, address, email, phone, or other information, and keep changing computers so as to dodge cookies, and other "features" of the software that we don't know about yet.

    Has it ever occurred to anybody that every once in a while, people will discover one of these privacy violating features and everybody will be shocked and outraged about it - ever wonder how many of them are out there that we don't know about?

    --
    -- Truth goes out the door when rumor comes innuendo. -- Groucho Marx
  8. This explains a lot... by pen · · Score: 2
    I guess this should explain why RealPlayer attempts (and usually, succeeds) with binding itself to every file extension the programmers could remember, even the ones it can't handle.

    That's why I removed all traces of it from my machine a long time ago. I guess I was right to do it. :) However, I also removed QuickTime for the same reasons. Why it would bind itself with files it can't handle is beyond me.

    --

  9. Grrr! by Signal 11 · · Score: 2

    That's it. I say we pass a law requiring the program to document all features. They can violate our privacy, but at least we'll know what they're up to!

    --

  10. Re:OpenSource? by IntlHarvester · · Score: 2

    What would be an
    answer is to have a trusted organization,
    which would audit code, put its stamp of
    approval AND serve as the distributor
    of said code.


    In the open source world, Debian functions this way. There doesn't need to be a 'for hire' auditing agency.
    --
    Business. Numbers. Money. People. Computer World.
  11. Registration doesn't make a difference. by bmetzler · · Score: 2

    It's your GUID whether you send them your zip code or not.

    I don't have a big deal about RealPlayer collecting geographic information, as long as they have a privacy statement.

    A GUID is just that, a mostly random number. Although I agree, it could be used wrongly.

    -Brent
    --
  12. Because... by Parity · · Score: 2

    MAC addresses belong to your NIC which can be interchanged.

    MAC addresses are easily spoofable; many NICs allow you to set the MAC address in firmware.

    Also...

    People do complain about IPv6 because it includes a protocol of assign-IP-address-based-on-MAC-address.

    Mmmm. Also, my NIC is totally irrelevant to my internet access. It's for networking to friends who bring laptops over. It'd be a lousy identifier 'cause I can take it out 90% of the time.

    Every computer needs a CPU - which would be a lot more expensive to change than a $20 NIC, and finally, nobody ever tried to conceal the fact that NICs have unique MAC addresses.

    Well, you -did- ask.



    --Parity

    --
    --Parity
    'Card carrying' member of the EFF.
  13. Re:OpenSource? by Compuser · · Score: 2

    Open source is hardly an answer, unless
    you actually read the code (I'll bet most
    people have never audited a piece of
    software in their lives). What would be an
    answer is to have a trusted organization,
    which would audit code, put its stamp of
    approval AND serve as the distributor
    of said code. Such an organization could
    be subject to NDA so it could work for
    both closed and open source.
    However, as we see from hardware review sites,
    it is important to have several audit sources,
    so a consumer would have a choice of who to
    trust. I am thinking of Nader competing with
    FSF, competing with BSD guys for public trust.
    (On second thought, FSF is unlikely to sign
    an NDA :-).

  14. No, it doesn't... by Otto · · Score: 3

    A long time ago I was writing a simple CD player program for myself, mainly to do Auto-DJing with. I never finished it, but one of the things I did look at very hard was the CDDB protocol.

    When you send an update to the database, you are sending an e-mail with a special format.

    However, when you QUERY for info, all you send is data about the CD so it can return the cd data. NO EMAIL ADDRESS IS SENT in the query.

    Now, they have a new protocol, called cddb2 (cddb-squared, actually), and I haven't looked at it. So I don't know about it. But the standard CDDB protocol does NOT gather personal info in this way.

    They do gather info on number of queries as a whole done to their database, of course. This is a handy way to determine popular playing choices. But they have no way to determine an individual's popular playing choices.



    ---

    --
    - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
  15. privacy and the registration requirement by ottffssent · · Score: 3

    I don't know about the rest of you, but 'back in the day' when I had no better place to put a webpage than on Geocities, I too was required to register. I'm sure they kept every scrap of information I gave them, and I'd like them to know that it was all bullshit.

    According to geocities, my name is John A. Doe. I live at 1234 main street, LA California. I make over $150,000 per year, am married, and am female.

    Though I'm not going to tell you the truth either, I will say that I'm male, live far far away from LA california, make a small fraction of the listed income, am not married, and don't even know anyone whose initials are JAD.

    The USPS is happy to provide the zip+4 address that many registration programs require to verify that you really do live there. Go to http://www.usps.gov/ncsc/lookups/lookup_zip+4.html and give them an address. Many sites also require you to enter an area code for similar reasons. This is also easily spoofed. Go to http://www.555-1212.com/area_codes.html and list the place you've decided to tell them you live at. Some places (LA, for example) have several area codes. All will be listed, and you'll have to try them until they work. For example, LA has 323, 213, 310, and 424 so you'll be shooting in the dark. Fortunately, not many places are as big as LA, and if it's only got 4 area codes, your favorite burg likely has only 1.

    In short, while I'm distressed by the business practice of grabbing what info they can however they can so you don't know about it, I've developed ways to give them verifiable but totally useless information to satisfy registration requirements. As a matter of course, I provide such bogus information even to reputable institutions like the new york times, where I have over a half-dozen registrations for myself and various friends.

    But wait! you say. What about scams where I have to provide an email address so I can get a registration key? That brings us back to geocities. Or hotmail. Or any one of a hundred different similar services. Hotmail and their ilk are probably the best in this instance because they're webmail (as opposed to geocities' pop server, which while slow is very nice if it's your main email address) and don't require any re-configuring of your mail settings to get at. Send the key there. Then ignore all the mail you get. If you don't use the service anymore, it'll delete you. If you do keep using it, just ignore the junk mail that piles up and grab the keys you need.

  16. Re:Privacy Panda by Surak · · Score: 2

    Now that privacy issues are getting more and more press, the time is ripe for a cartoony privacy mascot. Companies can attach his picture to their products if their software doesn't reveal or track any user info. I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

    You've obviously been watching too much South Park lately :) (For those who don't have Comedy Central: they had an episode featuring sexual harassment, which featured, among other things the "Sexual Harassment Panda" along with various stupid mascots that didn't make sense.)

  17. Re:umm by Surak · · Score: 2

    I said use only open source software. This would exclude the use of Win 9x/NT

  18. Re: Apple does offer an offline installer by lucidvein · · Score: 2
    After several complaints about the net only installer, Apple did release the full binary installer here...

    http://www.apple.com/quicktime/download/support/

    "This stand-alone QuickTime 4 installer does not require a Internet connection during initial installation. To update QuickTime to a future version, you can run the QuickTime Updater on the Internet or download a future version of this stand-alone installer."


    Enjoy
    --

    "I have a cunning plan..."

  19. Re:CDDB players do it too by mindstrm · · Score: 2

    Yes, they do. But the difference is, every time you query the CDDB database YOU are accessing their server. It would make sense that their server could keep track of this.

    In the case of real player, why should it send information to RealNetworks when it's not required to?

    Same goes for browsers, in case nobody noticed.
    If you mis-type a URL, the error page is fetched from Microsoft (Or Netscape, as the case may be)

    This is BAD. Just because I mistyped something does not mean they should know about it.

  20. moderate this up by Wah · · Score: 2

    funny as hell. a heisenberg attack on marketing.

    --
    +&x
  21. Re:How much software REQUIRES 'net connection? by jeremy f · · Score: 2

    There's a bit of software for win9x, called MP3 Voyeur. It scans local area networks for mp3s, and other multimedia files.

    The catch? It queries the author's homepage every time it's run, AND leaves the connection open during use. I haven't set anything up to see if it's sending anything back, but I'd count on it. Every time the website goes down (which isn't often), or the author feels the need to discontinue the program (which already happened once), the software lets the user know this, and refuses to run. It's painfully annoying during the few times when the outside connection goes down at our University, and we only have a local net connection. I'm more scared, however, of what the program is sending back during the time it's running / scanning.

    And of course, like almost all Win apps, it's closed source. And of course, like almost all Win apps, many people use it without fully realizing what it's doing. I get chills whenever I run it, but it's very convenient, and I haven't seen another program do what it's supposed to do.

    If anyone wants to test it out to see exactly WHAT it receives / sends back from the main server, it's at http://www.jawed.com/mp3voyeur. Of course, it IS Win9x software, and I haven't had the opportunity to test it in Wine (don't have Wine installed at the moment).

  22. Privacy of consumerism, one fish among many by MagusOceanus · · Score: 2

    I don't think the average sales/marketing person cares to violate my rights or to uphold it. Instead there is a mutual interest, they want to send ads that are more or less relevant to people who'd be interested in their good or service, and my interest is only to receive ads that would be of interest to me. In fact, I appreciate the fact that MP3.com sends me an email only once a month or so with links to the latest releases of music in the genres I am interested in...and not "spam" for Wayne Newton's compilation album.

    But essentially any information they have about me is just a blip of my music browsing habits. It isn't containing information that supposed evil people in a weird corporate/government conspiracy of satanic illuminati freemasons bent on world domination would find relevant, even if paranoid schizophrenics have been right all along about the existence of such.

    I think it would be nice some day not to get called at dinner time for aluminum siding when I don't own a home, or calls for a charitable donation when I am an utterly selfish scrooge with my money. The only way that is going to be possible is if they already have information about me in some subroutine that flags me and says "don't bother calling/emailing/snailmailing him for this product, it's a waste of resources". I have yet to get a phonecall from a telemarketer that gave me information about what I like to spend my disposable income on; like a new sushi restaurant!!! When that day comes I think everybody will be happy, and privacy won't seem as important as not being nagged for what you don't care to buy.

    Johnny

  23. RealPlayer IDs by chown · · Score: 3

    All versions of RealPlayer G2 send it, and I believe all versions of 5.0 did as well. They look like this:

    22a7cc46-7962-11d2-8612-006097a1ae04

    It gets logged by RealServer G2, which is sort of funny, since it doesn't really do RealServer admins a whole lot of good, I guess you could get accurate numbers of how many REALLY unique hits you got, on a per-player basis, but I usually just do it by IPs and nobody seems to care. So one would assume that RBN is tracking this in some fashion for their own use.
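
Added example (not part of the comment above and not RealNetworks code): the sample ID has the standard 8-4-4-4-12 GUID shape, so this Python sketch decodes it on the assumption that it follows the RFC 4122 layout, then contrasts the per-IP and per-player counting the comment mentions. The record tuples, the addresses and the second GUID are constructed for illustration; RealServer's actual log format is not shown on this page.

```python
import uuid
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Version-1 UUID timestamps count 100 ns ticks from this date (RFC 4122).
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def decode_guid(text):
    """Return the fields a GUID carries, assuming the RFC 4122 layout."""
    u = uuid.UUID(text)
    fields = {"version": u.version, "embeds_time_and_node": False}
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return fields  # other versions carry no timestamp or node field
    node = u.node
    first_octet = node >> 40
    fields.update(
        embeds_time_and_node=True,
        created=UUID_EPOCH + timedelta(microseconds=u.time // 10),
        clock_seq=u.clock_seq,
        node=":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8)),
        # RFC 4122 tells generators without a hardware address to set the
        # multicast bit on a random node; a clear bit is what an IEEE 802
        # interface address looks like.
        node_looks_like_hw_address=(first_octet & 0x01) == 0,
    )
    return fields


def count_players(records):
    """Compare per-IP and per-GUID uniqueness over (ip, guid) records."""
    ips_by_guid = defaultdict(set)
    for ip, guid in records:
        ips_by_guid[str(uuid.UUID(guid))].add(ip)  # normalise case/format
    return {
        "unique_ips": len({ip for ip, _ in records}),
        "unique_guids": len(ips_by_guid),
        "guids_seen_from_several_ips": sorted(
            g for g, ips in ips_by_guid.items() if len(ips) > 1
        ),
    }


# Constructed records: only SAMPLE_GUID comes from the comment above; the
# second GUID and all addresses (documentation ranges) are made up.
SAMPLE_GUID = "22a7cc46-7962-11d2-8612-006097a1ae04"
OTHER_GUID = "00000000-0000-4000-8000-000000000001"
SAMPLE_RECORDS = [
    ("192.0.2.10", SAMPLE_GUID),            # one session
    ("198.51.100.7", SAMPLE_GUID),          # same player, new address
    ("203.0.113.25", SAMPLE_GUID.upper()),  # same player again, upper-cased
    ("203.0.113.25", OTHER_GUID),           # second player behind one address
]

if __name__ == "__main__":
    for key, value in decode_guid(SAMPLE_GUID).items():
        print(f"{key}: {value}")
    print(count_players(SAMPLE_RECORDS))
```

Read as a version-1 GUID, the sample carries a creation time and a 48-bit node field alongside the counter, and the grouping shows why a per-player ID keeps linking sessions after the IP address changes.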

  24. DOS attack? by Ungrounded Lightning · · Score: 2

    I wonder if anybody will reverse engineer enough of the protocol to flood the servers with bogus tracking data?

    B-)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:DOS attack? by Ungrounded Lightning · · Score: 2
      I think you are working at too high a level, reverse engineer the protocol, why? If you don't like them
      intruding on your privacy, you could just Smurf the server, all you need is the IP addy.


      First: I don't intend to do this. I was just wondering whether/how long until someone did.

      Second: Smurfing the server just stops it from collecting new information. Handing it bogus data corrupts what has already been collected.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  25. Privacy Panda by gad_zuki! · · Score: 4
    Now that privacy issues are getting more and more press, the time is ripe for a cartoony privacy mascot. Companies can attach his picture to their products if their software doesn't reveal or track any user info. I'm gonna suggest 'Peter, the Privacy Panda.' Maybe he can hang out with Smokey the Bear and McGruff.

    If we're lucky some guy in a Panda suit will follow the fed's new anti-hacking mascot around to all the gradeschools.

    If we're really lucky he'll pick a fight with the anti-hack gerbil as he tries to get converts for the CIA kids program. "No kids, snitching is bad, take that you filthy gerbil!"

  26. Insanity. by Guyle · · Score: 2

    I've always been one who hasn't worried much about posting personal-ish information in various places, because if someone really wanted to find out information on me, they could get it somehow, so why bother hiding it? Nevertheless, things like this piss me off. Companies who assign you a number and then track the things you do with their software without EXPLICITLY informing you of their intentions BEFOREHAND are way out of line. It doesn't matter how valuable the information is in their endeavors to earn money via advertising and whatnot - it's blatantly infringing upon our personal rights. It might be more acceptable for them to state that before you are able to install the software (ie - software agreement), because then that way you know what you're getting into, and you can make a choice then based upon what they're collecting and what they're doing with it.

    It is of my opinion that companies should be mandated to include these statements in licensing/software agreements. Having RealNetworks finally come forward with this after getting poked in the ass is not acceptable. Remember when Microsoft used to send hardware information when you'd register online? How many people's feathers did that one ruffle? Use of RealPlayer is almost as broad as that of Windows 95/98 (it's on this computer I'm using now in a computer lab on campus, even). People need to take a serious look at what's going on, and take measures to deal with it.

  27. Win98 does it too by spectro · · Score: 3

    I was updating from win95 to win98 and have a small home network with a linux machine as a dial-on-demand router to the internet. I remember when win98 installation was almost finished the linux started calling the internet. The trigger was a DNS query I couldn't log at that moment, but unplugged the net connection to the win98 box. It was hanging for about two minutes before it continued and finished win98 install.

    --
    HTML is obsolete. It's time for a new, simpler and richer markup language.
  28. "... He loved Big Business..." by Greyfox · · Score: 2
    With apologies to George Orwell.

    Who let Scott McNealy have an account here, anyway?

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  29. Re:Set up a bogus email address for registration. by SIGFPE · · Score: 2

    I sometimes use an email address that reflects who I've given it to. So if I register for RealAudio I might call myself something like realaudio@tanelorn.demon.co.uk. That way I can track down who's been giving out my e-mail address when the spam pours in.

    --
    -- SIGFPE
  30. A few concerns by Raindeer · · Score: 3

    When hearing this story, it sounds like I am hearing the same story that I have heard way too often in the last 5 years, but now with Real's name in subject header. I really start to wonder the following things.

    1. Why does everything have to be recorded with a GUID embedded in the program. If anything use cookies that are only sent back to the site they originate from. This way it will be a bit harder to cross-reference, but they are still useful for the purpose of figuring out what certain groups like.

    2. Why does it seem that these things are always found by the same people. It doesn't sound too difficult to me to monitor what is going in and out of your machine.. (but I am not a techie, so shoot if I am wrong) Basically, why is there no group that are occupied with this? A concerted action might make that certain companies think twice before doing it.

    3. Why do these things always get called bugs and glitches. I have seen some pretty stupid coding in my life, but I have the faint idea that you don't get this by letting your cat walk over the keyboard. (Again, correct me if I am wrong). Somebody put them there for a reason and I get the idea that there are a lot more than we know...

    Well those are my two cents. I am waiting for the day my teachers call me and tell me that their data shows, that my reading of Slashdot is negatively affecting my grades :-)

    -----------------