Re: Other file formats that can "phone" home

[jsl2 () JEDITECH COM]

On Sat, 2 Sep 2000, Richard M. Smith wrote:

> However, clearly not every web-enabled application has this problem.
> The key issue is not if the application is web-enabled but
> if a *file format* supported by an application is web-enabled.

        There is really no distinction between web-enabled file formats and
web-enabled apps. Privacy Foundation's advisory mentions MP3, so I will use
that to illustrate a point:

The ID3v2 tag format allows for embedded URLs for things like additional
artists' informations, album graphics, etc. Clearly the ID3v2 tags are
web-enabled, and any web-enabled MP3 player can be subverted to notify
somebody.

Now imagine a "smart" MP3 player that can reference an Internet DB for
album pictures by using the title in the MP3 tag to perform a query. There
need not be any URLs in that MP3 file... put the appropriate keywords in the
title and the "smart" MP3 player can potentially be tricked to notifying
somebody without the user's knowledge.


> For a file format to be "buggable" it needs to support
> embedded HTML content or links to Web images that
> are automatically activated when a file is opened.

        Strictly speaking that is true; you can't "bug" a FILE that doesn't
support web links. But if the goal is to identify potential privacy problems,
then we must also include any web-enabled application that can automatically
"reach out" without the user's knowledge.

Does anyone have know if current web-enabled apps use unique User-Agent
strings? For example, I would prefer that MS Word identify itself in the
User-Agent string when it retrieves a link over the Web (even if it uses IE's
libraries to do so) The point is:

- people can block specific applications from the 'Net by a proxy or
firewall;
- people who do not want Word to identify itself via User-Agent can use a
proxy like JunkBusters (or hex-edit the executable!)

-James