Politech mailing list archives
FC: More on Microsoft products tracking users
From: Declan McCullagh <declan () well com>
Date: Fri, 01 Sep 2000 14:55:10 -0700
************
From: "D Whitehorn-Umphres" <dawumail () progarts com>
To: <declan () well com>, <rms () privacyfoundation org>
Subject: RE: Microsoft Word and Excel track users, invade privacy
Date: Thu, 31 Aug 2000 16:01:28 -0600
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal

Great. And then *their* demo violates your privacy by posting your hostname/IP address, along with a list of the previous nine visitors, to the demo page site.

-D Whitehorn-Umphres
************
From: "Richard M. Smith" <rms () privacyfoundation org>
To: "D Whitehorn-Umphres" <dawumail () progarts com>, <declan () well com>
Cc: "Richard M. Smith" <rms () privacyfoundation org>
Subject: RE: Microsoft Word and Excel track users, invade privacy
Date: Thu, 31 Aug 2000 18:10:14 -0400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Importance: Normal

We are now fixing the demo to remove this issue. Thanks.

Richard
************
From: "Jonathan Zuck" <jzuck () actonline org>
To: <declan () well com>
Subject: RE: Microsoft Word and Excel track users, invade privacy
Date: Wed, 30 Aug 2000 14:47:41 -0400
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
Importance: Normal

Of course the other side of this is that people might actually want to place an IMG tag in a document for legitimate reasons and there's no way for the software to distinguish them.
************
Date: Thu, 31 Aug 2000 10:49:29 -0400
From: "H. Morrow Long" <morrow.long () yale edu>
Organization: Yale Univ. ITS Information Security
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
X-Accept-Language: en
To: eoghan.casey () yale edu
CC: information.security () yale edu, aimee.kanzler () yale edu, declan () well com, rms () privacyfoundation org, daniel.updegrove () yale edu
Subject: Re: [Fwd: FC: Microsoft Word and Excel track users, invade privacy] (fwd)

> Declan McCullagh wrote:
> > [This is a good reason not to use Microsoft Word or other snoopable
> > software. I wonder if there's a way to turn this off (short of
> > unplugging your network connection), or if not, whether Microsoft will
> > release a fix for those of us who aren't thrilled about this feature. --Declan]

Declan --

One way to block applications (esp. some of the new 'spyware' software -- freeware or shareware which may report information back to various marketing research firms) from opening up network connections back across the Internet is to run a personal firewall product which can block outgoing network connections opened by applications.

ZoneLabs ZoneAlarm personal PC firewall is one such product and has been free for personal use ( www.zonelabs.com ). I have nothing to do with the product other than having evaluated it.

I tested out the demo MS Word doc with 'webbugs' and ZoneAlarm did indeed 'trap' the outgoing connections to the web, temporarily blocked them and popped up a dialog box asking me if I wanted to allow MS Word to open a connection to the Internet. I clicked on no. ZoneAlarm then asked if I would allow MS Word to open up a connection on the local intranet network (e.g. to do a DNS lookup against a local server). I said no. It worked.

There are probably other personal PC firewall products which can block (conditionally or unconditionally) network connections from being opened by local applications to Internet sites. However most of these products generally concentrate on blocking incoming network connections & packets. Some privacy minded individuals would likely be interested in a survey of such products (in addition to products such as privacy-protecting local PC web browser proxies, etc).

- H. Morrow Long
University Information Security Officer
Yale University, ITS, Dir. InfoSec Office
**************
From: "Jay Holovacs" <holovacs () idt net>
To: <declan () well com>, <politech () politechbot com>
Cc: <rms () privacyfoundation org>
Subject: Re: Microsoft Word and Excel track users, invade privacy
Date: Wed, 30 Aug 2000 15:00:48 -0400
X-Mailer: Microsoft Outlook Express 5.00.2615.200

This calling back, and text source traceability aspect was a 'feature' of Ted Nelson's Xanadu. It's a good idea to pass stuff thru a pure ASCII file before pasting or redistributing.

jay
************
From: terry.s () juno com
To: declan () well com
Cc: rms () privacyfoundation org
Date: Wed, 30 Aug 2000 17:49:41 -0400
Subject: Re: FC: Microsoft Word and Excel track users, invade privacy
X-Mailer: Juno 4.0.11

Hi Declan!

On Wed, 30 Aug 2000 14:47:01 -0400 Declan McCullagh <declan () well com> writes:
> [This is a good reason not to use Microsoft Word or other snoopable
> software. I wonder if there's a way to turn this off (short of
> unplugging your network connection), or if not, whether Microsoft
> will release a fix for those of us who aren't thrilled about this
> feature. --Declan]

Yes, sort of, subject to annoyance. McAfee Guard Dog, a program I dislike because of poor hook modules that conflict with HP & Lexmark printer drivers and some other software, did very well catching outbound connection attempts by Word or Excel, and prompting to manually allow or block a net connect. Pre-Norton AtGuard 3.22 caught the connect attempts, but didn't do as well catching outbound links before they polled for the embedded images.

I've got the ZoneAlarm, Conseal, and McAfee firewalls on other machines not yet tested, and Black Ice on an associate's machine. ZoneAlarm I'd guess would catch this well, based on its focus of trapping unauthorized outbound data. Guard Dog's alert messages (unlike protocol/rule based firewall user interfaces) are almost simple enough for office worker types to manage, if they had a clue about the larger issues.

I sometimes see Windows Explorer being blocked from a supposed net connect attempt during Win98 bootups. It might be interesting to do some sniffing to see if it's trying to send unauthorized data for real, or if it just has typical uSoft design flaws such that it can false trigger a firewall.

As Richard's alert stated, it's not practical to block Office modules from being able to link to URLs to gather embedded images. It seems that a firewall with outbound data blocking which defaults to no connects by Office (or most other) applications, but allows per-attempt manual enable when attempted, is about the only real way to control this. Of course that assumes informed users, and a default that files from untrusted sources shouldn't be allowed to open external links.

Terry
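
A pre-open check in the spirit of the point above about files from untrusted sources, as an added example that is not part of the original thread: it lists the hosts a document names in embedded URLs, so an unexpected one can be spotted before the file is opened. It assumes the URLs are stored as plain 8-bit or UTF-16LE text; the function names, allow-list and sample bytes are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

_CHARS = rb"[A-Za-z0-9._~:/?#@!$&*+,;=%-]"
# URLs stored as 8-bit text.
_URL_8BIT = re.compile(rb"https?://" + _CHARS + rb"+", re.I)
# The same URLs stored as UTF-16LE: each ASCII character is followed by a NUL.
_URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _CHARS + rb"\x00)+",
    re.I,
)


def remote_refs(data):
    """Return every http(s) URL found in the raw bytes, in either encoding."""
    urls = {m.group().decode("ascii") for m in _URL_8BIT.finditer(data)}
    urls |= {m.group().decode("utf-16-le") for m in _URL_UTF16.finditer(data)}
    return urls


def untrusted_hosts(data, allowed=frozenset()):
    """Map each host outside the allow-list to the URLs that would contact it."""
    hits = {}
    for url in sorted(remote_refs(data)):
        host = (urlsplit(url).hostname or "").lower()
        if host and host not in allowed:
            hits.setdefault(host, []).append(url)
    return hits


# Constructed sample: filler bytes, an 8-bit IMG reference, a UTF-16LE URL.
SAMPLE = (
    b"constructed filler \x00\x01\x02"
    b'<IMG SRC="http://tracker.example/bug.gif?doc=42" WIDTH=1 HEIGHT=1>'
    b"\x00\x13" + "http://images.intranet.example/logo.png".encode("utf-16-le")
    + b"\x15\x00"
)

if __name__ == "__main__":
    allowed = frozenset({"images.intranet.example"})
    for host, urls in untrusted_hosts(SAMPLE, allowed).items():
        print(host, urls)
```

A file that compresses or otherwise encodes its contents has to be unpacked first; this check only sees URLs present as plain text in the bytes it is given.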
************
X-Sender: jda-ir () pop njcc com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.0.58
Date: Wed, 30 Aug 2000 22:30:06 -0700
To: declan () well com
From: "J.D. Abolins" <jda-ir () njcc com>
Subject: Re: FC: Microsoft Word and Excel track users, invade privacy
Cc: rms () privacyfoundation org

Declan and Mr. Smith,

FWIW: In testing the Web bugged Office docs via a paid Anonymizer account, I found that the documents were able to see my real IP address. Didn't surprise me because I know that one trick to blowing Anonymizer and similar services' cover is to get something on the user's system that does direct communications with the site. Apparently, that's another extension of the risks presented by Web bugged Office documents.

Scenario: Somebody is using an anon remailer or other identity hiding resource. The investigator wanting to know who this anon ID is puts out a Web bugged document so that it goes back to the anon user. The bug phones home and the anon cover is blown. Possible to make links to other activities from that anon ID. If these methods were around a few years ago, perhaps the CoS incursion on anon.penet.fi would have taken this route instead of using manipulations to get the Finnish police to do the dirty work.

J.D. Abolins
-------------------------------------------------------------------------
POLITECH -- the moderated mailing list of politics and technology
You may redistribute this message freely if it remains intact.
To subscribe, visit http://www.politechbot.com/info/subscribe.html
This message is archived at http://www.politechbot.com/
-------------------------------------------------------------------------