[16559] in bugtraq


Re: Other file formats that can "phone" home

daemon@ATHENA.MIT.EDU (Richard M. Smith)
Mon Sep 4 22:27:08 2000

MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID:  <NDBBKGHPMKBKDDGLDEEHOEIJEIAA.rms@privacyfoundation.org>
Date:         Mon, 4 Sep 2000 12:31:34 -0400
Reply-To: "Richard M. Smith" <rms@PRIVACYFOUNDATION.ORG>
From: "Richard M. Smith" <rms@PRIVACYFOUNDATION.ORG>
X-To:         jsl2@jeditech.com
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.GSO.4.10.10009032102540.22191-100000@stargazer.jeditech.com>

Hi,

> 	There is really no distinction between web-enabled file formats and
> web-enabled apps.

Actually there is a very important difference.  A "phone home"
application in general only communicates with the vendor that produced
the application.  However, a "buggable" file format allows a
document to talk to anyone's servers.  In addition, document files
are more mobile than executable files and hence companies
are more interested in doing tracking.

> The ID3v2 tag format allows for embedded URLs for things like additional
> artists' information, album graphics, etc. Clearly the ID3v2 tags are
> web-enabled, and any web-enabled MP3 player can be subverted to notify
> somebody.

Yep, for a "buggable" file format to actually work
requires an application to be Web-enabled.  Applications do
not necessarily handle the same file format in the same way.  For example,
not all applications which can read Word .DOC files support the image
linking feature.  Wordpad from Windows 98 is an example of a program
that apparently does not.

> Now imagine a "smart" MP3 player that can reference an Internet DB for
> album pictures by using the title in the MP3 tag to perform a query. There
> need not be any URLs in that MP3 file... put the appropriate keywords in the
> title and the "smart" MP3 player can potentially be tricked into notifying
> somebody without the user's knowledge.

Are you aware of any of the popular MP3 players that support
the ID3v2 tags in MP3 files?  If so, do these players automatically
render HTML content or fetch Web images when a song is played?
If an MP3 player only provides clickable links to external content,
then it seems to me that the privacy problems are less of an issue.
In this case, a user has to take an action to be tracked.

> 	Strictly speaking that is true; you can't "bug" a FILE that doesn't
> support web links. But if the goal is to identify potential privacy problems,
> then we must also include any web-enabled application that can automatically
> "reach out" without the user's knowledge.

The Privacy Center is actually in the process of wrapping up a
study of 15 browser addons that "phone home".

In addition, my personal Web site has write-ups about other
applications that "phone home":

   http://www.tiac.net/users/smiths/privacy/index.htm

> Does anyone know if current web-enabled apps use unique User-Agent
> strings? For example, I would prefer that MS Word identify itself in the
> User-Agent string when it retrieves a link over the Web (even if it uses IE's
> libraries to do so)

I've seen some browser addons sending out unique
user agent strings.  In general, this sounds like a pretty
good idea for the reasons that you have pointed out.  However,
vendors need to be careful about making applications too
talkative.  For example, sending out a product serial number
as an HTTP header is a really bad idea.

See ya,
Richard

================================================
Richard M. Smith
Chief Technology Officer
Privacy Foundation

Email: rms@privacyfoundation.org
http://www.privacyfoundation.org
================================================
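
Added example, not part of the original message or of either poster's code: a Python audit for the embedded URLs that the quoted text says ID3v2 allows, listing link frames (W-prefixed frames and WXXX) and APIC frames whose MIME type is "-->" in an ID3v2.3/2.4 tag. The names `id3v2_urls`, `skip_text` and the sample tag are constructed for illustration, and tags using unsynchronisation or an extended header are assumed out of scope.

```python
import struct
def syncsafe(b):
    """Decode a 4-byte ID3 'syncsafe' integer (7 significant bits per byte)."""
    return (b[0] << 21) | (b[1] << 14) | (b[2] << 7) | b[3]

def skip_text(buf, enc):
    """Return what follows one terminated string; encodings 1 and 2 are UTF-16."""
    if enc not in (1, 2):
        return buf.partition(b"\0")[2]
    for i in range(0, len(buf) - 1, 2):     # UTF-16: 00 00 on a 2-byte boundary
        if buf[i:i + 2] == b"\0\0":
            return buf[i + 2:]
    return b""

def id3v2_urls(data):
    """List (frame_id, url) for every URL-carrying frame in an ID3v2.3/2.4 tag."""
    if len(data) < 10 or data[:3] != b"ID3" or data[3] not in (3, 4):
        return []
    if data[5] & 0xC0:                      # assumption: these tag layouts are not handled
        raise ValueError("unsynchronised or extended-header tag not supported")
    major, pos, found = data[3], 10, []
    end = min(10 + syncsafe(data[6:10]), len(data))
    while pos + 10 <= end and data[pos] != 0:   # a zero byte starts the padding
        fid, raw = data[pos:pos + 4], data[pos + 4:pos + 8]
        size = syncsafe(raw) if major == 4 else struct.unpack(">I", raw)[0]
        body, pos = data[pos + 10:pos + 10 + size], pos + 10 + size
        if pos > end or not body:
            break                           # truncated or malformed frame
        url = b""
        if fid == b"WXXX":                  # user-defined link: encoding, description, URL
            url = skip_text(body[1:], body[0])
        elif fid[:1] == b"W":               # WCOM, WOAR, WPUB ...: the body is the URL
            url = body
        elif fid == b"APIC":                # MIME type "-->" means the picture is a link
            mime, _, rest = body[1:].partition(b"\0")
            if mime == b"-->":
                url = skip_text(rest[1:], body[0])
        url = url.split(b"\0")[0].decode("latin-1").strip()
        if url:
            found.append((fid.decode("latin-1"), url))
    return found

def _frame(fid, body):                      # builds a v2.3 frame for the sample below
    return fid + struct.pack(">IH", len(body), 0) + body
# Constructed sample tag using example.invalid URLs, not taken from a real file.
_BODY = (_frame(b"TIT2", b"\0Song") + _frame(b"WOAR", b"http://example.invalid/artist")
         + _frame(b"WXXX", b"\x01\xff\xfeA\0\0\0http://example.invalid/t?id=1")
         + _frame(b"APIC", b"\0-->\0\x03cover\0http://example.invalid/c.gif") + b"\0" * 16)
SAMPLE = b"ID3\x03\x00\x00" + bytes([0, 0, len(_BODY) >> 7, len(_BODY) & 0x7F]) + _BODY
```

Calling `id3v2_urls(open(path, "rb").read())` on a file returns the hosts a tag could make a Web-enabled player contact; whether a given player fetches them automatically still has to be checked against that player.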
