Adobe spies on readers: 'EVERY page you turn, EVERY book you own' leaked back to base

Adobe's Digital Editions 4 ebook reader software collects detailed information about the reading habits of its users – and sends it back to the company in a format that's easy for others to slurp. An investigation by Nate Hoffelder of The Digital Reader blog showed that ADE 4 was collecting telemetry on which pages of ebooks …


  1. Anonymous Coward
    Anonymous Coward

    Outrageous

    But, of course, they'll get away with it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Outrageous

      > Outrageous
      >
      > But, of course, they'll get away with it.

      I am not entirely sure a EULA/T&C is capable of overriding what amounts to illegal access of a computer (come to think of it, the convoluted way you have to dig for the T&Cs with Adobe products may very well fall foul of UK contract law so it's possible that their "agreements" are null and void to start with).

      It is none of their business what else you have on your computer, so it's quite possible that this is actually a criminal activity.

      It's a good thing for Adobe that the police is no longer really interested in doing, well, police work - this could have been rather entertaining to watch after a complaint. The ICO doesn't really have the right powers for this.

    2. Vociferous

      Re: Outrageous

      Of course they will. They're a company. The law is there to protect state and companies against citizens, not the other way around.

    3. Gray
      Devil

      Re: Outrageous

      It's an American mega-corporation ... But, of course, they'll get away with it.

  2. Anonymous Coward
    Anonymous Coward

    A Night At The Opera

    "We will not access, view, or listen to any of your content, except as reasonably necessary to perform the Services. Actions reasonably necessary to perform the Services may include (but are not limited to) (a) responding to support requests; (b) detecting, preventing, or otherwise addressing fraud, security, unlawful, or technical issues; and (c) enforcing these terms."

    Yours faithfully,

    Mr Groucho Marks.

    1. BillG
      Boffin

      Re: A Night At The Opera

      I predict Adobe will say something like:

      "This was test code that was only used during testing blah blah blah, none of the transmitted information was stored on our servers blah blah blah blah, the code is not used and no data is collected blah blah, our users are all a bunch of blah. Now shut up and go away."

    2. Elmer Phud

      Re: A Night At The Opera

      There ain't no sanity clause

  3. Brian Miller

    No, really, I read it and I have proof...

    What everybody misses with things like this is that you could fake it when given that assignment. Or else completely fill up their database with garbage. Anytime your data is sent back to someone in plain text, you should get in on the act, too. Give them more data than they had planned on receiving, not less. What would happen if everybody claimed to be reading the great classics of literature?

    1. Mark 85

      Re: No, really, I read it and I have proof...

      Not a bad idea, but go one better and get more bang for your buck. Add literature such as "The Communist Manifesto", "Mein Kampf", the Quran, the Bible, assorted writings by Mao, Trotsky, and maybe the ISIS crew. Then NSA, etc. will get involved. After a couple of weeks, go to children's books. They'll spend months looking for the connection and trying to figure out what you're up to.

      1. ZSn

        Re: No, really, I read it and I have proof...

        However, by that time they may have banged you up in Guantanamo Bay/labelled you a child molester or both.

        How about sending them the EICAR test virus. It doesn't do any damage but may make their scanners have a fit?

        1. Alan J. Wylie

          Re: No, really, I read it and I have proof...

          I know about zip bombs and xml bombs, anyone know anything about json bombs?

          1. Michael Wojcik Silver badge

            Re: No, really, I read it and I have proof...

            > I know about zip bombs and xml bombs, anyone know anything about json bombs?

            I don't know offhand of an easy way to create a JSON "bomb" of that sort - i.e., an amplification attack. Compression-format bombs are obvious (create a data stream that decompresses maximally), and XML bombs are based on reference compression using entities. JSON is a simple flattened data format; it doesn't incorporate references to its own contents.

            I suppose you could do something with Unicode transformation formats, if you know that the recipient will transcode into UTF-8. Then you could pick UTF-16 as the source format and send JSON strings containing characters that transcode into more than two bytes. It's a pretty weak attack.

            That said, if you know what the recipient is going to do with the JSON data, opportunities abound for misuse. Considerable care has to be taken in the parsing and handling of JSON data. The format tempts coders into simply eval'ing it (often as a "temporary" approach that becomes lingering technical debt), which means remote code execution; even when people try to parse it properly, they may not be sufficiently vigilant.

            There are likely better amplification attacks. If you have a website, fill it with hidden img or iframe elements that have http://adelogs.adobe.com as their source attribute value. Then whenever someone visits your page, their browser will pummel Adobe's server. Hidden links would make spiders do the same. Add scripting for even more attacks. And so on. Of course you shouldn't do this, as it would be unethical and might be illegal in some jurisdictions.
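
An added example, not part of the thread or any commenter's code: receiving-side handling of untrusted JSON along the lines the comment above describes, parsed as data rather than eval'ed, with size and depth caps, plus a check that UTF-16 to UTF-8 transcoding grows input by at most 1.5x. The field names (user, book, page) and the limits are assumptions for illustration.

```javascript
// Limits and field names are assumptions made for this example.
const MAX_BYTES = 4096;   // cap on the body once it is UTF-8
const MAX_DEPTH = 4;      // cap on nesting of objects/arrays
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Growth when UTF-16 text is re-encoded as UTF-8. Worst case is a code point
// in U+0800..U+FFFF: 2 bytes in, 3 bytes out, so the ratio never exceeds 1.5.
function utf16ToUtf8Expansion(text) {
  const utf16Bytes = text.length * 2;            // JS strings are UTF-16 code units
  return Buffer.byteLength(text, 'utf8') / utf16Bytes;
}

// Walk the parsed value: reject deep nesting and prototype-pollution keys.
function checkShape(value, depth) {
  if (depth > MAX_DEPTH) throw new Error('nesting too deep');
  if (value === null || typeof value !== 'object') return;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error('forbidden key: ' + key);
    checkShape(value[key], depth + 1);
  }
}

// JSON.parse treats the input purely as data; eval() would execute it.
// The byte cap runs first, so it also bounds how deep the parser can recurse.
function parseReport(body) {
  if (Buffer.byteLength(body, 'utf8') > MAX_BYTES) throw new Error('body too large');
  const doc = JSON.parse(body);                  // SyntaxError on anything not JSON
  checkShape(doc, 0);
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    throw new Error('expected an object');
  }
  const { user, book, page } = doc;
  if (typeof user !== 'string' || typeof book !== 'string') throw new Error('bad field type');
  if (!Number.isInteger(page) || page < 0) throw new Error('bad page number');
  return { user, book, page };                   // copy only the expected fields
}

function tryParse(body) {
  try { return { ok: true, value: parseReport(body) }; }
  catch (err) { return { ok: false, reason: err.message }; }
}

// Constructed sample inputs.
const samples = [
  '{"user":"u1","book":"Example Title","page":12}',
  '(function(){ return 1 })()',                  // code, not JSON: rejected by the parser
  '{"user":"u1","book":"b","page":1,"__proto__":{"admin":true}}',
  '{"user":"u1","book":"b","page":{"a":{"b":{"c":{"d":{}}}}}}',
];
for (const s of samples) console.log(tryParse(s));
console.log(utf16ToUtf8Expansion('\u20ac'.repeat(100)));
```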

      2. Allan George Dyer
        Devil

        Re: No, really, I read it and I have proof...

        @Mark 85, good idea, but you don't mind if I use your user ID in the data, do you? Especially when it's page 87 of "Paedophilia and Bomb Making for Dummies".

        1. Mark 85
          Black Helicopters

          Re: No, really, I read it and I have proof...

          Too late. The NSA hacks have your post and on this.....

      3. Anonymous Coward
        Anonymous Coward

        Re: No, really, I read it and I have proof...

        well, from that selection it's plain what you're up to

        p.s. did you mention the ISIS, formerly known as...?

    2. Anonymous Coward
      Thumb Up

      Re: No, really, I read it and I have proof...

      Great idea, but I'm minded to keep it simple and just send back :

      " FUCK OFF YOU CHEEKY FUCKERS"

      1. Anonymous Coward
        Anonymous Coward

        Re: No, really, I read it and I have proof...

        Editing your hosts file might be more effective. I believe 127.0.0.1 is a good address for this stuff.

        1. P. Lee

          Re: No, really, I read it and I have proof...

          Free proprietary software. If you're not paying for it, guess what the product is!

          > Editing your hosts file might be more effective.

          "Meh"

          /me goes back to reading in okular.

      2. Anonymous Coward
        Anonymous Coward

        Re: No, really, I read it and I have proof...

        @JustKos

        Actually, you know, that's almost worth a script + cron to randomly generate garbage with chucklesome data in it. Especially moving from the last page to the first page backwards in timestamps, also.

        Anon, just in case I do it and shove it onto pastebin this weekend...

    3. Eddy Ito

      Re: No, really, I read it and I have proof...

      That was exactly my first thought, if they want data well by all means send them data until their little spy server keels over and there is absolutely nothing they can do about it. Sure they might say they experienced a DDOS attack but how can they prove you and a billion of your closest friends aren't flipping through every page of every book ever written as fast as you possibly can, simultaneously of course? It kind of gives new meaning to the term 'book club'.

      1. MarkSitkowski

        Re: No, really, I read it and I have proof...

        Actually, you don't need e-books or Adobe.

        Sent in clear, you say? To an address quoted in the article?

        Ten lines of 'C' embedded in a tight loop will send them data like they never saw before, at the maximum rate that ADSL is capable of. I, personally, would recommend sending binary files, in the hope that they have carelessly-written analysis software, reading all this data.

        Maybe that's just the romantic in me...

    4. tempemeaty

      Re: No, really, I read it and I have proof...

      I got one to send them, "Orwell 1984"

      1. DropBear

        Re: No, really, I read it and I have proof...

        As much as I keep that book in high regard, recent developments caused it to be referred to so bloody often that it pretty much lost all its meaning by now. It's not the book's fault, but its "punch" has been diluted worse than the proverbial "wolf!" outcry (except of course we really DO have that many "wolves" around, sadly).

  4. channel extended
    Joke

    Copyright enforcement?

    Obviously, collecting all of this data is to help enforce copyright. If I have done nothing wrong I have nothing to hide?

    The fact that this data will likely be sold to advertisers, for a profit, is just GOOD business.

    1. I ain't Spartacus Gold badge
      FAIL

      Re: Copyright enforcement?

      Are Adobe competent enough to be able to monetise all the lovely data they're picking up?

      I wouldn't mind all that, if the software wasn't the most unutterable piece of shit I've ever had the misfortune to deal with. Actually that's unfair, I'm sure I've dealt with worse, maybe.

      You can't change the text size on their reader. Amazing! I was setting it up for an acquaintance's wife who has macular degeneration. Sadly she's also got arthritis, so a tablet's not really suitable either. And they'd already got a laptop before I could persuade them to get something else. But they wanted library service books, so have to use Digital Editions.

      Except you can't read in fucking digital editions because your only option is 12 pt type. I don't think it did voice either, but anyway that's no good - as artificially read text is a real acquired taste.

      So next option was to use some competent reading software on said laptop. But no. You can authorise the copyright so you can read on other devices, but not on the PC itself. Horrible pile of crap. Maybe it's improved since. I'd have just broken the encryption, it's apparently easy enough, but that wasn't a process an IT illiterate couple in their late 70s were going to be capable of.

  5. James 51

    I thought this kind of spyware was supposed to be the argument against pirated software. Adobe keep making the pirate's arguments for them. Hope the EU smack them around. Worth complaining to the data commissioner about?

    1. Anonymous Coward
      Anonymous Coward

      > Worth complaining to the data commissioner about?

      In your dreams, sir. The ICO is a civil service bureaucrat rather than a policeman for a specific reason. And the penalties are limited to legit-SME frighteners for the same reason.

    2. Anonymous Coward
      Anonymous Coward

      > Worth complaining to the data commissioner about?

      Nah, the ICO doesn't have the right powers for this, too soft. As far as I can tell, they are accessing parts of your computer entirely without your permission. What else you read is none of their business and they're not law enforcement either so this is as far as I can tell a straight up criminal offence of a worse nature than the Sony rootkit.

      They need to be properly prosecuted for this. Otherwise, if they are allowed to do it you cannot convict a hacker either.

      1. Voland's right hand Silver badge

        The UK ICO does not

        The UK one does not and the politicos will ensure that it never will (even if this means alignment to common goals with Belarus with regards to human rights).

        However, I would not be so sure about the German, Austrian and/or Scandinavian equivalents of an ICO... Hmm... Those may be worth writing a letter to (if you can manage the appropriate teutonic or viking speak).

  6. John McCallum

    Adobe and eBooks

    Ahh, but Adobe did sell eBooks; it was run for them by Overland or some such biz. Bought a couple of them myself. They only turned off the servers about a year or so ago.

  7. Erik4872

    Surprised this still happens

    One thing software companies should realize by now is that anything they release is going to have the debugger run over it, have its network data transmission scrutinized, etc. by someone, and the results will be blogged about. I'm assuming this is just some developer testing feature that got left on...software companies wouldn't send this kind of data in cleartext.

    One would think that if a software company wanted to collect analytics in a way that violated the terms and conditions, it would at least be encrypted and set to be dribbled out at random intervals or embedded in the DRM requests to make detection more difficult.

    1. Anonymous Coward
      Anonymous Coward

      Re: Surprised this still happens

      "I'm assuming this is just some developer testing feature that got left on"

      I'm not assuming that, I'm assuming that it was done on purpose and they didn't think they'd get found out.

      I'm more willing to accept the plain text bit was a mistake, but not the phoning home.

    2. Chairo

      Re: Surprised this still happens

      > I'm assuming this is just some developer testing feature that got left on

      Sure, with two servers, connected to the internet that receive user data of a million readers. These just happened to be set up by accident and no-one noticed...

      (Where is the irony icon?)

    3. nijam Silver badge

      Re: Surprised this still happens

      ... and I'm assuming that (a) they're too stupid to write good software; (b) too stupid to understand they're breaking the law; and (c) too stupid to hide (a) and (b).

      Actually, (a) is an observation, not an assumption.

  8. phil dude
    FAIL

    okular...ghostview...

    A few opensource ways of avoiding Adobe.

    Okular is very nice. Ghostview is much older, but maybe more familiar.

    P.

    1. Intractable Potsherd

      Re: okular...ghostview...

      Do either of those avoid the requirement to initially open an Adobe DRMed ebook bought from Kobo in the Adobe reader on first reading? It is a constant irritation that I have to do that prior to stripping the DRM via the Apprentice Alf plugin for Calibre and turning the file into an epub. I'd much rather have nothing to do with Adobe at all.

  9. choleric

    Really?

    At one and the same time I roll my eyes utterly unsurprised...

    And yet I also simply cannot believe that a major internet company can still commit such a faux pas.

    1. Triggerfish

      Re: Really?

      It's only a faux pas to us when they are caught, whereas it's seemingly the norm for companies these days to do this sort of crap.

      1. Anonymous Coward
        Anonymous Coward

        Re: Really?

        It's a faux pas because they sent it in the clear. If it were encrypted, who'd find out what they're sending? And even if somebody did, they'd say: "Look, we did encrypt it to protect your privacy, okey?!"

  10. This post has been deleted by its author

  11. BongoJoe

    192.150.16.235

    One for the firewall, methinks.

    1. Infernoz Bronze badge
      Big Brother

      Re: 192.150.16.235

      Just added to my fibre router CSM >> URL Content Filter (URL blacklist) as adelogs.adobe.com; that way they can't sneak past by changing the IP address or by using a load balancer.

      All the worst URLs get blocked at my router, so that all my devices are protected.

      1. BongoJoe

        Re: 192.150.16.235

        Thanks for that; that's gone into the ever enlarging HOSTS file.

    2. Alan J. Wylie

      Re: 192.150.16.235

      and another: 193.104.215.0/24

      $ host adelogs.adobe.com

      adelogs.adobe.com is an alias for adelogs.wip4.adobe.com.

      adelogs.wip4.adobe.com has address 193.104.215.99

      $ whois 193.104.215.99

      inetnum: 193.104.215.0 - 193.104.215.255

      netname: ADOBE-NET

      descr: Adobe Systems Software Ireland Ltd.

      country: IE

  12. Anonymous Coward
    Anonymous Coward

    Software terms and conditions

    > It's also a possible breach of the software's terms and conditions, which state:

    Dear Adobe,

    Thank-you for confirming that you do not consider the terms and conditions distributed with your software to be binding on yourselves. I, for my part, do not consider them to be binding on myself. Having reached agreement on this happy state, I intend to use your software without further payment and to disseminate it as I see fit.

    Yours etc.

  13. yoganmahew

    Never mind all that privacy stuff, do all these companies think we are made of bandwidth?!

  14. Mark Allen
    WTF?

    Copyright

    What about the copyright on the eBooks themselves? Surely this is Adobe stealing copies of the books and transmitting a copy to their own server without the permission of the original author?

  15. Vociferous

    Plaintext over http?

    So one could easily open a connection and pump over a couple of gigs of junk?

    Haha I wonder if their buffers overflow easily.

    1. Dan 55 Silver badge

      Re: Plaintext over http?

      Of course they do, that's why Flash and Reader get updates every two weeks.

      1. P. Lee

        Re: Plaintext over http?

        > Of course they do, that's why Flash and Reader get updates every two weeks.

        My pet theory is that the updates are there to keep the product at the front of people's minds. That makes them important in enterprise thinking and mindshare.
