Jan 2 2008

The Adobe spying debacle …

[Disclaimer: I hate to be spied on and I happen to work for Adobe. I’m not speaking on behalf of Adobe, but only express my own opinion below. All tests below were done on a Windows XP Professional system with both IE and Firefox installed. I have not verified the information on Mac OS X installations. To debug/sniff HTTP requests I used a Windows version of tcpdump and I also used the excellent Charles tool. The purpose of this post is to show what information is being sent to *.adobe.com and/or *.2o7.net. This post does not address the strange looking 192.168.xxx URL issue. ]

It all started with this uneasysilence.com article. Dan claimed that his copy of Adobe InDesign CS3 was spying on him. When starting the application it would make several HTTP requests to a host named “192.168.112.2o7.net” (that’s an “o” in “2o7” and not the digit “0”). The story was picked up quickly by news-sites and blogs around the world. You can see the extent of the spread via this Technorati-search. Dan and others feared that Adobe was secretly transmitting his serial-number to the 2o7.net host whenever he launched the application locally [Correction: Dan himself never stated that he was afraid that the serial number was transferred. However in comments on other sites that picked up the story, people were afraid that this was the case. Dan, sorry for the error.].

What’s going on here?

Some CS3 applications include a feature that’s called “Start Page”. When one of those CS3 applications is launched, you’ll get an initial window that allows you to access some often used features directly from this “Start Page”. Below is the start page for Fireworks CS3:

[Image: 2008-01-02-fwstart.gif, the Fireworks CS3 start page]

The “Start Page” is a Flash application. The “Open a Recent Item”, “Create New”, “Extend” and “Getting Started” portions are controlled by the application (Fireworks) itself (the loaded Flash file will call out to the core application and ask it for the list of “Recent items”, for example). The bottom right content (with the “Fw” logo) is constructed dynamically. This area will show different information depending on whether you have the trial-version or full-version of Fireworks installed (you can see the different versions right here in your browser by selecting one of the following links: trial version or full version). In order to get that Flash content from the web, the application will make the following request to Adobe’s servers (I had to wrap some of the long lines in the following request dump and for others below):

GET /startpage/fw.swf?&ver=9.0&plat=win&lang=en&stat=full&spfx=FW HTTP/1.1
Referer: file:///C|/Program%20Files/Adobe/Adobe%20Fireworks%20CS3/English/
Movies/startpage.swf
x-flash-version: 9,0,42,0
If-Modified-Since: Wed, 30 Jun 2004 15:27:29 GMT
If-None-Match: "8d9-9795fa40"
User-Agent: Shockwave Flash
Host: www.adobe.com

That request will return a short 2 KByte SWF (Flash) file. That loaded Flash file will make another request to Adobe’s servers and download a “fw_customize.xml” file with the following content:

<?xml version="1.0" encoding="iso-8859-1"?>

<active_params names="ver,stat,lang" />
<active_languages names="" />

and then it will load yet another SWF-file using the following request:

GET /startpage/fw_content/fw_90_full_default.swf?prod=fw&ver=9.0&
plat=win&lang=en&stat=full&tday=&spfx=FW&productName=fireworks HTTP/1.1
Referer: http://www.adobe.com/startpage/fw.swf?&ver=9.0&plat=win&lang=en&
stat=full&spfx=FW
x-flash-version: 9,0,42,0
User-Agent: Shockwave Flash
Host: www.adobe.com

That 2nd loaded SWF file then becomes active and makes a number of other web-requests that define the information that is being displayed on the “Start Page”.

And that 2nd SWF is also responsible for requests that started the initial outcry on uneasysilence.com.

Adobe (like lots of other companies) uses some Omniture technologies to find out how its web-site and web-services are being used. When browsing the Adobe web-site (and lots and lots of other sites) “events” are being sent to Omniture’s servers (“192.168.112.2o7.net” in this case) in order to track your path through the site. Analyzing those aggregated events later on gives Adobe a picture of how users navigated the site, what was interesting to them and what was not. That’s standard practice and helps Adobe to change its site to meet its customers’ needs. There are lots of companies out there offering tracking solutions and even Google provides a framework (Google Analytics) that provides detailed reports on how a web-site is being used.

The SWF executes three HTTP GET requests to a host named “192.168.112.2o7.net”. The first request downloads the crossdomain.xml file. The “crossdomain.xml” file is part of the security features of Flash (you can read more about it here on Adobe’s site). Next it will make two more (almost) identical requests to the same server. Here’s the first one of them:

GET /b/ss/mxcentral/1/F.3-fb/s1199292440907?[AQB]&purl=mm&pccr=true&
c2=fw&c3=9.0&c4=win&c5=en&c6=full&c7=&c8=FW&
c9=fw_9.0_win_en_full__FW[AQE] HTTP/1.1
Referer: http://www.adobe.com/startpage/fw_content/fw_90_full_default.swf?
prod=fw&ver=9.0&plat=win&lang=en&stat=full&tday=&
spfx=FW&productName=fireworks
x-flash-version: 9,0,42,0
User-Agent: Shockwave Flash
Host: 192.168.112.2O7.net
Pragma: no-cache

Let’s take a look at this request and examine what is being sent to 192.168.112.2o7.net. The beginning portion of the URL “/b/ss/mxcentral/1/F.3-fb/s” is static content, which means each copy of Fireworks CS3 that contacts the 2o7.net server will begin exactly with the same path (the “mxcentral” portion is actually derived from the information that was downloaded by requesting http://www.adobe.com/startpage/om_acct_nm.txt).

Let’s move on to “s1199292440907”: some commenters suspected that this is the serial number of the application. Well, I’m afraid that’s pretty far-fetched and is NOT true. The string simply consists of the letter “s” and the current time stamp in seconds. To verify that I used perl and asked it to print the current timestamp soon after making the request:

C:>perl -e "print time(),qq{\n}"
1199292440992

C:>

Let’s move on to the remaining portion that follows the “?”. Given that some automated process on the server “192.168.112.2o7.net” will read the information from that request, I believe developers wanted to make extra sure they can identify the beginning and the end of the submitted information. I have to assume that “[AQB]” and “[AQE]” are beginning- and end-markers (hence the “B” and “E”) for the information that’s submitted. So, the receiving server will extract the portion between those markers for analysis purposes.

The portion saying “&purl=mm&pccr=true&” is again “constant”, it is baked into the 2nd SWF file that was downloaded earlier on. I verified that by dumping the SWF contents using swfdump from the swftools package.

The last portion is “c2=fw&c3=9.0&c4=win&c5=en&c6=full&c7=&c8=FW& c9=fw_9.0_win_en_full__FW” and as far as I can tell, this just defines the application (“fw”), version number (“9.0”), platform (“win”), language (“en”), trial or full version (“full”), again the application (“FW”) and a compound string with all the previous items concatenated (“fw_9.0_win_en_full__FW”).

No other information is transferred to Adobe and/or *.2o7.net. Based on my analysis, I don’t see any evidence that serial-numbers are being sent to either *.adobe.com or *.2o7.net.
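The walk-through above can be turned into a small audit check, shown here as an added example (not code from the original post, Adobe or Omniture): it splits a captured request line into the timestamp token, the [AQB]/[AQE] payload and the c2..c9 fields, and lists any parameter the analysis does not account for. The function name, the field labels and the “tday” label for the empty c7 are assumptions of this example.

```python
import re
from urllib.parse import parse_qsl

# Constructed from the request dump in the post, wrapped lines rejoined.
SAMPLE = (
    "GET /b/ss/mxcentral/1/F.3-fb/s1199292440907?[AQB]&purl=mm&pccr=true&"
    "c2=fw&c3=9.0&c4=win&c5=en&c6=full&c7=&c8=FW&"
    "c9=fw_9.0_win_en_full__FW[AQE] HTTP/1.1"
)

# Labels follow the post's reading of c2..c8. "tday" for the empty c7 is an
# inference from the parameter order of the start-page URL, not from the post.
FIELDS = {"c2": "application", "c3": "version", "c4": "platform",
          "c5": "language", "c6": "license", "c7": "tday", "c8": "prefix"}
STATIC = {"purl": "mm", "pccr": "true"}  # constants baked into the SWF


def audit_beacon(request_line):
    """Break one beacon request line into the parts the post walks through."""
    _method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    stamp = re.fullmatch(r".*/s(\d+)", path)
    payload = re.fullmatch(r"\[AQB\](.*)\[AQE\]", query)
    if not stamp or not payload:
        raise ValueError("not in the beacon format shown in the post")
    # keep_blank_values keeps the empty c7 instead of silently dropping it
    pairs = dict(parse_qsl(payload.group(1), keep_blank_values=True))
    # c9 should be nothing more than c2..c8 joined with underscores
    compound = "_".join(pairs.get(k, "") for k in FIELDS)
    # anything that is not c2..c9 or a known constant with its known value
    unexpected = sorted(
        k for k, v in pairs.items()
        if k not in FIELDS and k != "c9" and STATIC.get(k) != v
    )
    return {
        "stamp": int(stamp.group(1)),
        "fields": {FIELDS[k]: pairs[k] for k in FIELDS if k in pairs},
        "compound_ok": pairs.get("c9") == compound,
        "unexpected": unexpected,
    }


if __name__ == "__main__":
    for key, value in audit_beacon(SAMPLE).items():
        print(key, "=", value)
```

An empty “unexpected” list together with a true “compound_ok” means the request carries only the fields described above; a capture with any additional parameter would show up by name in that list.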

It’s interesting and unfortunate at the same time that this issue surfaced 2 days after Adobe shut down for the holiday break. That did not allow Adobe people to react fast enough before the story rippled through the blogosphere. A lot of FUD is being spread without people actually looking at the facts. Adobe’s John Nack tried to stay on the top of the issue and I’m absolutely certain that he will post follow-up information on his blog once he managed to track down the responsible parties at Adobe and/or Omniture. Please subscribe to John Nack’s RSS feed if you’re interested in the final resolution to this issue.

14 Responses to “The Adobe spying debacle …”

  • Chris Says:

    Tobias – you were the first person I thought of when I read about this. I wondered if you would have a take on the issue that you could share publicly. Very interesting. Thanks for doing the legwork and sharing out on it. I wasn’t too concerned, I have a properly licensed CS3 and am not fearful of how I use it. However, I am always interested in how the guts of stuff works. I appreciated reading this.

    – Chris

  • Dan Says:

    Tobias-

    For the record I never made any direct or indirect accusation that Adobe was spying on serial numbers. I simply pointed out that Adobe programs were calling out to a service noted for behavioral analytic monitoring. Also, I pointed out that it was in a way that tried to mask that it was pinging out.

    I would ask that you correct the post. If this needs more discussion feel free to email me.

    [Dan, I corrected the mistake and added some more information to the first paragraph. I hope this clears things up – thanks!]

  • James Conner Says:

    My concern is that I had no idea that Adobe had equipped some CS3 applications with a Call Home function that was turned on by default. It should damned well be turned off by default. I want my computer to communicate with the outside world only when I tell it to. And once I have an application installed and activated, I never want it to communicate with the outside world again.

    InDesign CS3 on my Mac has a similar screen to the screen from Fireworks. I thought it was handy, but slow. But now, I’m turning it off — and I’m considering turning off my modem before I launch Adobe’s applications.

    My concern arises from two horrible experiences last summer with Adobe’s update checker, which was calling home and downloading updates without my permission. In Acrobat Reader 8 on the Mac, the preferences for the update checker are well hidden, and I think intentionally hidden to discourage people from turning off the function. I won’t go into details, and I cheerfully admit to a couple of blunders, but I lost the use of Photoshop CS3 Extended and InDesign CS3 for a couple of weekends while searching the ‘net looking for a fix to the havoc wreaked by the updates downloaded by the updater.

    Sometimes there is a fine line between exercising legitimate curiosity and becoming a Peeping Tom. I think Adobe is starting to cross that line and needs to step back.

  • Mike Says:

    Tobias, thanks for a well researched and clearly explained piece.

    I note that Dan was keen for you to correct your (unintentional) mistake.

    I wonder if he has considered that if he himself had hesitated to write his first article until he had put some time and effort into researching the facts, he would not have caused unnecessary concern and thereby wasted many people’s time.

    One of the unfortunate aspects of easy access to the internet is the way in which ‘writers’ anxiously try to fill their blogs/whatever with little more than idle gossip.

  • tobias Says:

    @James: I’m with you, James. I’m equally upset about the situation and I want to make sure that we do everything to regain your and others’ confidence that we do the Right Thing ™. As mentioned earlier on, I hate to be spied upon as much as everybody else. However, in this case I would not call it spying, but providing up-to-date information with negative side-effects.

    There are tons of applications out there which phone-home to check whether there’s an update to the software you installed. I find this valuable at times and annoying if it is not done right. My Logitech software telling me “There’s an update” without telling me what the update is about, falls into the annoying category. Some other software showing me the release notes for all the versions between my installed version and the current version and whether those updates are security-related or not, falls into the valuable category.

    I think there’s value in getting up-to-date information from the web via Adobe’s start page feature: if we find a severe security error in the application (god forbid) and we wanted to inform you about a related update, the start page could serve as the vehicle to transport this information.

    I’m sorry to hear about your troubles with a past Reader update. You have my email address now, should you have problems in the future, please don’t hesitate to contact me.

    @Mike: Thanks for your kind words!

  • KAa Says:

    I’ve not even been able to install CS3 … and nobody at Adobe seems to know what the problem is. By the way, I’ve learned that there are a lot of people holding CS3 DVDs they can’t install. Adobe is wasting time (? skills/expertise) in collecting information, whilst some of us are left holding $200 useless DVDs

  • tobias Says:

    KAa – if you have a DVD of CS3 that you can’t install and Adobe’s customer support can’t help you, why are you holding on to it and not return it for a refund? I know I would send it back if I and tech-support would not be able to install.

    I’d be happy to do a screen-sharing session with you to see if we together can manage to get it installed. Please send email to thoellri-at-adobe.com and let’s setup a quick online meeting.

  • tobias Says:

    And for the records: I had some email exchange with KAa and offered to assist him with his CS3 installation. We were scheduled to “meet” today (Sunday) to determine what’s wrong with the installer. KAa tried it last night again and successfully installed CS3 then. No need to meet.

  • Klause Mosenberg Says:

    You are an engineer at Adobe and had to research it ?!?! Don’t you know what you are putting into your own products?!?!?

  • tobias Says:

    Klause –

    1) I have 6500 colleagues all over the world and I don’t know what everybody of them is up to.
    2) We are split up into multiple divisions and while everybody knows what each division is roughly doing, we certainly don’t know intricate details about each of them.
    3) My personal work is completely unrelated to the subject at hand.
    4) The news broke over the christmas/new years shutdown and people who knew about these areas had better things to do.
    5) I wanted to investigate the problem as everybody else outside of the company would see it.

    Hope that explains it – let me know if you have more questions.

    Tobias

    PS: Next time leave a valid email address …

  • Wardropper Hardy Says:

    An interesting side issue to the Omniture issue is the appearance of the following in my Firefox status bar when I access the Washington Post online:

    “Read omniture.secure.miisolutions.net”

    Reading this url clearly slows down my access to this site, sometimes grinding to a complete stop until I reload the page.
    I have a registered copy of Adobe Photoshop and Dreamweaver on my computer – could that somehow get involved in my newsreading habits???

  • Tobias Says:

    Thanks for your comments Wardropper! I’ve seen similar situations with my browser as well, especially when using something like AdBlock to block certain ad/tracking sites.

    There is absolutely no correlation between the installation of Photoshop/Dreamweaver and the weird browsing behavior. Those two applications or parts thereof are not being used (run) at all when you browse through Firefox.

    Cheers – Tobias

  • Wardropper Hardy Says:

    Thank you for the reassurance, Tobias.
    Much appreciated.

  • roar Says:

    Karl Marx anyone?
