Comments on: A New Approach

A New Approach

knave — Wed, 13 Apr 2005 09:06:00 -0800

Unexpected Features in Acrobat 7: A company called Remote Approach offers a feature to PDF authors to allow them to track the dissemination of their documents. Linux Weekly News reports, "After doing a little research, we found that Adobe's Reader was connecting to http://www.remoteapproach.com/remoteapproach/logging.asp each time we opened the document."

By: orthogonality

orthogonality — Wed, 13 Apr 2005 09:15:49 -0800

To those who don't want this: your software firewall can prevent connections to this site, or you can add a line to your "hosts" file: remoteapproach.com 127.0.0.1

By: gimonca

gimonca — Wed, 13 Apr 2005 09:21:43 -0800

Or...jump off the eternal wheel of upgrades.

By: clevershark

clevershark — Wed, 13 Apr 2005 09:26:08 -0800

Adobe products... now with more spyware, because you know you want it!

By: fungible

fungible — Wed, 13 Apr 2005 09:27:24 -0800

Why do they always have to fuck up a perfectly good thing?

By: trharlan

trharlan — Wed, 13 Apr 2005 09:44:20 -0800

Are there legal obstacles to an open-source-type Adobe-compatible reader that strips out garbage like spyware and print-disabling?

By: ursus_comiter

ursus_comiter — Wed, 13 Apr 2005 09:44:54 -0800

RTFA. What many Linux users may not have realized, since Adobe did not release an Acrobat Reader 6.x for Linux, is that Adobe has added JavaScript support to PDF and the official Acrobat readers since Acrobat 6.x. For those interested in the JavaScript support and its abilities in Acrobat, see Adobe's scripting reference or scripting guide. (Both are PDFs, of course.) By default, Adobe Reader 7 turns on JavaScript, so the "tagged" document is able to "phone home" without the user's awareness. Turning off JavaScript disables the document's code, and prevents Remote Approach (or any other entity) from tracking views of the document. No doubt, Remote Approach is using features that would normally be used to submit information from a PDF form. I'm not thrilled at all about Adobe going the Microsoft route with scritping available for anyone who wants to add malicious code to a pdf document. That's bad enough without hyperbole about spyware confusing the actual issue.

By: thedevildancedlightly

thedevildancedlightly — Wed, 13 Apr 2005 09:45:10 -0800

Is this a feature in any way related to Adobe's actions, or is it a 3rd-party plugin? Seems similar to blaming Microsoft for allowing images in emails (which allow the same sort of tracking).

By: thedevildancedlightly

thedevildancedlightly — Wed, 13 Apr 2005 09:46:02 -0800

See ursus_comiter for my thoughts - this isn' t a problem with Adobe, but with the nature of the interactive internet.

By: elgilito

elgilito — Wed, 13 Apr 2005 10:16:09 -0800

Why do they always have to fuck up a perfectly good thing? People can get schizophrenic when it comes to dealing with their web users/customers. For instance, they hate spam but won't see anything wrong about mass-mailing potential customers. Others will never give their own private information to a website but will still insist on collecting private data from their visitors. They can see why it's bad for them but for some reason are unable to understand that their users/customers feel the same. Every time I discuss this matter with them I realize that they just don't connect the dots. - "I want visitors to give their name, address, phone number and email so that I know who they are, and it must be mandatory" - "Have you ever visited a website where this was mandatory? Would you like it?" - "Uh, no" Pet peeve: academics who are using other academics' data and figures (found on the internet) for their Powerpoint presentations and who keep asking me how to prevent their own on-line data and figures from being "stolen", for instance by making PDF printing impossible. I guess these are potential customers for a service such as Remote Approach.

By: slogger

slogger — Wed, 13 Apr 2005 10:21:56 -0800

another good reason to use Preview in Mac OSX to view PDFs

By: nev

nev — Wed, 13 Apr 2005 10:23:11 -0800

I uninstalled Adobe Reader on every machine I use and switched to this tiny, free application. I've opened dozens of PDFs from different sources since then and never had a problem with them, and it loads in an instant.

By: nev

nev — Wed, 13 Apr 2005 10:24:01 -0800

(That's Windows-only, though.)

By: orthogonality

orthogonality — Wed, 13 Apr 2005 10:27:12 -0800

nev writes "I uninstalled Adobe Reader on every machine I use and switched to this tiny, free application." I haven't tried this yet, but it's got the best EULA I've ever seen. Even better that the GPL EULAs, if not in terms of what it allows, in its simplicity.

By: fenriq

fenriq — Wed, 13 Apr 2005 10:31:01 -0800

This is exactly what my company has been looking for. Thanks a bunch for making me the star today!

By: PissOnYourParade

PissOnYourParade — Wed, 13 Apr 2005 10:37:48 -0800

Sigh.... They added Javascript people... Which in a perfect world is really a pretty cool addition. The ability to make look alike paper forms interactive, so that a user can fill them out, get some validation, and then print them all from a locally saved document is a nice feature for alot of folks. So yes, some douchebag took those capabilities and built a webbug with it. Welcome to world of tomorrow.

By: TheDonF

TheDonF — Wed, 13 Apr 2005 10:38:30 -0800

Dang it Adobe, as if the size-bloat of Acrobat wasn't bad enough, this sucks. Still, there seems to be enough goodness in Tiger's improved PDF support to keep me happy for a while. I just want the 29th April to be here now!

By: caddis

caddis — Wed, 13 Apr 2005 10:42:27 -0800

Nice, elegant workaround orthogonality.

By: OmieWise

OmieWise — Wed, 13 Apr 2005 10:51:31 -0800

nev-thanks for that.

By: elpapacito

elpapacito — Wed, 13 Apr 2005 11:16:46 -0800

There's also an alternative to PDF , it's called DJVU originally developed by AT&T Research Labs (cool techies over there) now owned by a company (sending a safety message to corporate) but decoder/reader is open source. There's no excuse for "there's no alternative" choosing of PDF anymore, sorry. Yes, you have to work !!

By: mkultra

mkultra — Wed, 13 Apr 2005 11:20:14 -0800

Tempest in a teapot. Folks, this isn't Adobe's fault. All they did was implement a subset of Javascript to allow greater interactivity on their forms (which, IMHO, is a good thing). This "tracking" feature is not implemented by Adobe, but by a 3rd Party who wants you to upload your documents to them so they can "modify" them by adding a "phone home" Javascript and then send them back to you. From a technical standpoint, this should be simple to implement via an onOpen() (or whatever the actual method is). Blaming Adobe for this is like blaming W3C for script vulnerabilities in Mozilla. The issue here, IMHO, is that a company is asking people to pay them for the right to modify their documents and track its usage.

By: grouse

grouse — Wed, 13 Apr 2005 12:02:45 -0800

Blaming Adobe for this is like blaming W3C for script vulnerabilities in Mozilla. Actually, it's like blaming Mozilla for script vulnerabilities in Mozilla.

By: Hildago

Hildago — Wed, 13 Apr 2005 12:05:08 -0800

Why do they always have to fuck up a perfectly good thing? Personally, I've never liked Acrobat, and this is just another nail in the coffin (note: the coffin has a lot of nails already). We come from two different worlds, my friend.

By: mkultra

mkultra — Wed, 13 Apr 2005 12:11:56 -0800

Actually, it's like blaming Mozilla for script vulnerabilities in Mozilla. OK, bad analogy, but I still fail to see how this is due to some evil on Adobe's part, or even some tragic flaw in the software.

By: Foosnark

Foosnark — Wed, 13 Apr 2005 12:35:38 -0800

I like the foxit software, but couldn't print from TurboTax Online with it and had to install Adobe Reader anyway :/

By: Mitheral

Mitheral — Wed, 13 Apr 2005 13:06:22 -0800

mkultra because people (OK I) don't expect a document viewer to have scripting capabilities. And I don't expect a document reader to be a web browser unless it's advertised that way. This is going to be quite the support paradigm shift if this is easily exploitable just like when mail went from safe -> safe as long as you didn't open -> even just previewing the wrong message can totally hose your system if you haven't patched since the last exploit.

By: Mitheral

Mitheral — Wed, 13 Apr 2005 13:15:08 -0800

Geez and when you turn scripting off acrobat asks you to turn it back on at every exit, warning that the document may not rendered correctly even if you didn't have any document open. Now that's evil.

By: clevershark

clevershark — Wed, 13 Apr 2005 13:22:02 -0800

See ursus_comiter for my thoughts - this isn' t a problem with Adobe, but with the nature of the interactive internet. RTFC. The problem appears to be that Adobe has decided to add an insecure default setting for Javascript in PDF document, as ursus_comiter has pointed out.

By: orthogonality

orthogonality — Wed, 13 Apr 2005 13:25:39 -0800

Mitheral writes "Geez and when you turn scripting off acrobat asks you to turn it back on at every exit, warning that the document may not rendered correctly even if you didn't have any document open. Now that's evil." There's a windows patch that gets rid of the box asking you to turn javascript back on. I saw it on Slashdot, I think, or of course you can google for it.

By: cstross

cstross — Wed, 13 Apr 2005 14:09:55 -0800

Anyone know if Adobe Reader on OS/X uses Apple's Webkit for HTTP requests? Or goes via the standard defined proxy server? (If so: Adobe, meet privoxy.)

By: denpo

denpo — Wed, 13 Apr 2005 14:17:46 -0800

Big big thanks nev, this pdf reader is a gem. It loads and run several magnitude faster than the bloated original, I stopped at its 6th version, but the loading time of it was already nearing grotesque, even longer than Photoshop CS behemoth. I can even remember giving up on the loading of a pdf, killing the task. A lost for Adobe, a win for the PDF format.

By: dreish

dreish — Wed, 13 Apr 2005 14:27:45 -0800

Folks, this isn't Adobe's fault. All they did was implement a subset of Javascript to allow greater interactivity on their forms (which, IMHO, is a good thing). Are you serious? You honestly don't see how allowing PDFs to do things like connect to remote servers is boneheaded? Do you think a PDF should be able to read and write arbitrary files, too? They could have easily designed it to pop up a window asking, "Do you want to allow this document to connect to blah.blah.com?" once per document by default, with a preference option to give a default answer rather than ask the question every time. I would have thought anyone who was alive and had access to the Internet in 2005 would understand the need for this. It absolutely is incumbent upon application programmers to anticipate these sorts of obvious problems with any new functionality that is added. I like to imagine that someone at Adobe raised this issue and suggested something more-or-less like what I suggested, but was shot down by someone in marketing.

By: ontic

ontic — Wed, 13 Apr 2005 14:45:20 -0800

Thanks to both orthogonality and nev. This is a terribly useful discussion.

By: elvolio

elvolio — Wed, 13 Apr 2005 16:22:45 -0800

orthogonality's approach only works as long as (a) Remote Approach uses that hostname exclusively (instead of, say, pdf.remoteapproach.com) and (b) no one else whips up a script in their PDFs that does the same thing to their servers. The comments to the original article discuss this in great detail. It's a wallpaper fix that doesn't solve the real problem (sorry). A better approach (in Linux) is to use iptables to deny outbound connections from acroread. Don't know how you would do such a thing in Windows.

By: orthogonality

orthogonality — Wed, 13 Apr 2005 16:40:34 -0800

elvolio writes "A better approach (in Linux) is to use iptables to deny outbound connections from acroread. Don't know how you would do such a thing in Windows." elvolio is absolutely right, the host tables approach is brittle. That's why I mentioned software firewalls first ;) Basically, with a windows software firewall, you can deny outbound connections from acroread, just as elvolio suggests doing under linux. For instance, my software firewall (kerio -- highly recommended and free for personal use) is set to ask me on all outbound connections except for my HTML proxy, and I specifically disallow outbound connections from my mail reader to anywhere except my mail server, and only then on ports 25 and 110. This means that if I get spam with webbugs (basically any image that isn't included in the email itself) those are not loaded, so the spammer doesn't learn I got the message at all. So yes, deny outbound connection for acroread, but do it by only allowing outbound connections where those connections are actually doing you some good, and deny (or have the software firewall ask permission for) all others. (I have no idea, for instance, why Microsoft's mouse driver software likes to "phone home" every week or so, but I also know that it doesn't get to complete that connection from my machine.)

By: mkultra

mkultra — Wed, 13 Apr 2005 18:35:12 -0800

dreish- That's true, it ought to have a permission box. And I'm certainly with you that this lame attempt at "DRM" is pretty horrendous. But, the ability to deliver an offline interactive form that can, in turn, deliver results to a centralized database is still, IMHO, a good thing. What I've found about Adobe's "advanced" (read: non-standard) PDF features is that they tend to degrade nicely, allowing other PDF display engines to still render the static content correctly, only without the bells and whistles.

By: Merlin

Merlin — Thu, 14 Apr 2005 00:44:46 -0800

The FOXIT thing just loads heaps faster than Acrobloat. That alone is worth the change, never mind the javascript thing...... Woot!