Sun Java Runtime Uploads Usage Data to RedSheriff?

stereoroid writes "

It appears as if the Sun Java 2 Runtime Environment, version 1.3.1_02 and later, is reporting usage statistics to a company called RedSheriff, presumably on behalf of Sun. This was the Win32 version, but other versions probably have the same "feature". If you load up the Java Console, you see multiple messages like this:

----------- RedSheriff Measurement -----------
Privacy: http://www.redsheriff.com/privacy.htm
Record Sent

I noticed this while setting up the latest version of Compaq Insight Manager 7, which includes JRE 1.3.1_02 (but works with 1.4.0 too). I started examining what was happening using a network sniffer, and could see several http requests to a server under http://imrworldwide.com/, a domain name owned by RedSheriff. The data in the packets included details of the system environment, and I even saw a URL that I had accessed in a previous unrelated browser session. This was a partial capture only, it doesnt happen every time, but Ill keep watching to see what else goes through. If I use the JRE, must Sun know my IP address and what OS Im running, and more? This has also been quietly commented on in Sun's Java Forums too. I'm currently digging for a way around this - any ideas, besides a firewall?"

What can you do?

[kingosric]

Send back fake results to screw up their data....

Edit.

[QuodEratDemonstratum]

If you haven't got a firewall, edit the binary and alter the URL the messages are sent to. "http:www.sun.com/abuse" should send the point when they look in their server logs.

Great idea, and here's how.

[Futurepower(R)]

Good idea. Use WinHex Binary Editor [winhex.com] to edit the file. It has a search facility.

add imrworldwide.com to your hosts file

[tswinzig]

In W2K/XP, look in winnt\system32\drivers\etc for a file called hosts. Add this line:

imrworldwide.com 127.0.0.1

Save. Reboot. (Or kill the java/browser processes and restart them.)

Re:add imrworldwide.com to your hosts file

[tswinzig]

That will make the Java runtime slow(er) though because all requests have to time out (unless you're running a webserver).

Errr no. Java is multi-threaded. Obviously they must be doing this in another thread, or every time someone uses this thing behind a firewall or off a network, it would block. I don't think so.

Re:add imrworldwide.com to your hosts file

[reynaert]

Huh? 127.0.0.1 is your own system. If you're running a webserver, the runtime will get a 404 error. Otherwise it will immediately get a "can't connect" error. It won't ever need to time out.

Re:add imrworldwide.com to your hosts file

[tswinzig]

imrworldwide.com 127.0.0.1

Whoops, I reversed it, use this instead:

127.0.0.1 imrworldwide.com

What about other OS?

[rutherford]

Can this behaviour be confirmed with other OS, like GNU/Linux or Solaris implementations from Sun?
And what about ports which based on the Sun source like Blackdown?

I think this is really bad and if it's true it shouldn't be only mentioned here on the developer page. Java users are also affected! So if this is really true and sends data like visited URL's everyone has to know it!
Perhaps it would be better to use and support free Java implementations like Kaffe [kaffe.org] than this.

Re:What about other OS?

[keesh]

What is this GNU/Linux of which you speak?

GNU/Hmmmm... GNU/Better GNU/post GNU/anonymously... GNU/Ach, GNU/why GNU/bother? GNU/It's GNU/only RMS/Karma.

Sneakiness destroys a relationship.

[Futurepower(R)]

When I discover that a person or a company has been sneaky, their reputation with me falls to zero. When I know someone has done one thing that is sneaky, it is very difficult or impossible to know if they are doing other things that are sneaky. It is difficult to put upper or lower bounds on their abusiveness. So, I end the relationship, or limit it as much as possible.

Is Sun's sneakiness worth the enormous negative publicity of being featured as a sneak on Slashdot? It's difficult to imagine that it could be.

Is Sun having financial problems, so that the company needs to scrape for nickels and dimes?

Re:Sneakiness destroys a relationship.

[fantastic]

Sounds like Sun could prove a case of malicious falsehood here

The information is not correct and is known to be not correct and is damaging to Suns reputation

I accept that he has a trojan.

[Futurepower(R)]

I accept that he has a trojan. I accept that Sun may not be the source of the trojan.

The principles stand, however. The principles do apply to all the big companies that actually have abused our trust this month, such as Microsoft (with Hotmail) and last month, such as Yahoo (with Yahoo mail).

Also, I note that no one who has commented has actually run the same test. I presume you are only guessing.

It Is A Trojan

[Grail]

There is no "testing" required. Just look at the HTML source for the website http://www.telstra.com/ [telstra.com]

Now grep for "Red Sheriff".

There's a piece of HTML that tries several methods to get your browser to report your browsing habits to IMR Worldwide.

Nothing at all to do with Sun's JRE or JDK. Everything to do with Telstra thinking they're bigger than their boots.

What are the limits of web site visitor tracking?

[Futurepower(R)]

I did as you said.

I turned off JavaScript and Java in Opera's File/Preferences/Multimedia menu. I selected "Throw away new cookies on exit" in Opera's Privacy Preferences.

Then I went to the Telstra home page [telstra.com] and downloaded the source. (Wow, The Telstra home page is ugly.)

In the source I found mention of a RedSheriff JavaScript file, http://telstra.imrworldwide.com/a1.js [imrworldwide.com]. I downloaded that. (You can download the file by just right-clicking on the link and selecting "Save target as".)

Then I downloaded another RedSheriff Java program that I found mentioned in the Telstra home page source, http://server-au.imrworldwide.com/Measure.class [imrworldwide.com].

Embedded within this binary is RedSheriff's Privacy policy web page address: http://www.redsheriff.com/privacy.htm [redsheriff.com].

Basically it seems that RedSheriff is carrying visitor tracking to the limits, including tracking unsuspecting novices who may give them personal information.

Looking at the code, I don't see any attempt to go beyond the boundaries of what the JavaScript and Java languages allow. However, I'm not knowledgeable enough to see everything the code is doing. Can someone help with this?

Re:What are the limits of web site visitor trackin

[Grail]

It's what the code is doing that's the problem - not how it's doing it. There's nothing "bad" about the code as far as exploits is concerned.

The problem is that the code is loaded by a site (eg: Telstra) without the user being warned that this reporting is happening. From what I could see when it was working, the reporting doesn't stop when you leave the Telstra site - they're recording everywhere you go.

What a way to gather a pr0n database ;)

limewire

[dario_moreno]

Then "they" see how much I am using
Limewire...I hope they do not report
TCP/IP connection statistics also !

Worst company name... ever

[Anonymous CowboyNeal]

RedSheriff is the worst company name I've ever heard. What the fuck? Anyone have any other examples which might knock this fucker off the top of the hill in terms of really dumb names?

Re:Worst company name... ever

[RGRistroph]

Can't beat the name off hand . . .

But this business [bomarc.org] advertises itself as being "on the foreskin of technology."

Re:Worst company name... ever

[peterprior]

I used to use an isp called "RedHotAnt" in the UK..

The went horibly bust after about 6 months or so, when trading standards went to their "headquarters" and seized half their equipment.

Nothing found

[Ivan the Terrible]

There's nothing in the sources (as distributed) to validate this claim.

$ find /usr/local/src/jdk1_3-src -type d \( -name RCS -o -name CVS -o -name SCCS \) -prune -o -type f \! -name \*\~ \! -name \*\,v \! -name s.\* -print0 | xargs -0 -e grep -n -e imrworldwide\|redsheriff\|RedSheriff /dev/nu ll
$

mod parent up

[HaiLHaiL]

for his resourcefullness and expert cli usage :-)

Probably encrypted.

[Futurepower(R)]

If the story is true: It wouldn't take an intelligent person to encrypt or obfuscate the information in such a way that a string search would not find anything.

Re:Nothing found

[r6144]

Maybe because it is 1.3 or something like that, not 1.3.1_02.

It's not part of the Java runtime

[Anonymous Coward]

Redsheriff is a spyware applet as a quick search at
google would reveal. It's not part of the Java runtime.

This is absolutely not part of the Java Runtime

[lurp]

RedSheriff is definitely not a part of the Java Runtime. It is an applet that various web sites use to track usage statistics. A quick read of their privacy policy [redsheriff.com], a google search [google.com], or even a quick look at a security newsgroup [der-keiler.de] would have told you that.

Don't slashdot editors check these stories before posting them?

Re:This is absolutely not part of the Java Runtime

[Evro]

Don't slashdot editors check these stories before posting them?

Nope [slashdot.org]

Re:This is absolutely not part of the Java Runtime

[alanjstr]

If you've been reading Slashdot, you should know better than to ask that question. They don't validate links and they don't know how to spell. And no, they don't check to see if a story is true.

You're basically saying that guy has been trojan'd.

Re:This is absolutely not part of the Java Runtime

[Anonymous Coward]

No update to the story headline yet - the editor deserves flogging.

Re:This is absolutely not part of the Java Runtime

[Yarn]

If I were one of Sun's legal team I'd be sending legal flames as if it were going out of fashion ;)

I'm sorry, but I really think Slashdot needs a slap to get its house in order.

*thinks* maybe I need to have my coffee, I am a bit grumpy *thinks*

Fucking do *some* verification before posting

[gaj]

redsherrif is a spyware applet, not part of the J2SDK.

A two fucking second search on google would have given you that much info. For the record, running strings on all the bins and libs in the j2sdk1.4 showed neither imrworldwide nor redsherrif.

I know this is hard stuff, using google an all, so click here [google.com] to save yourself the trouble.

Re:Fucking do *some* verification before posting

[gaj]

Quitcherbitchin.

Google shows the same damn results for yours vs. mine. What bloody difference does it make?

Re:Fucking do *some* verification before posting

[Anonymous Coward]

Yup, it's a spyware applet and I posted this story almost a month ago when I discovered that the news section of the BBC [bbc.co.uk] where using it to track usage.

A quick visit to the site suggests that they have stopped now. A visit to the redsheriff website is amusing; the 'business speak' is impressive - I would offer a link but I don't think the fish can translate from marketing b*llsh*t :)

They ignored my story and then published somebody else's badly researched version.... bah... editors.... grrr... slashdot.. paaa... Rob

Re:Fucking do *some* verification before posting

[josepha48]

This is good to know. It means that the person visited a site that had this installed and loaded it on their site. The best thing to do after this happens is to shut down your browser, manually clear your browser cache then, restart your browser.

Of course for added bonuses you could add a line in your host file that would redirect traffic to these sites to your local host. If you did this though and are not running a service on this port AND DON'T have a firewall, you may have to wait for the browser to timeout the connect to this site.

If you do start a service on that port (probably port 80) to answer the requests it would prevent the browser time outs. I'm sure a simple perl server on port 80 would handle the request and drop it to the floor.

Of course you have to realize that the person who reported this is a windows user user so they needed this dumbed down for them. A UNIX user would have searched the web first and gotton some info on this first.

Re:Fucking do *some* verification before posting

[Furry Ice]

Try connecting to a port that you know doesn't have a listener on it sometime. There is no timeout. An RST is sent in response to your SYN, giving an immediate "connection refused" error message:

[phiggins@court ~]$ telnet localhost 1
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

a new low... or a conspiracy?

[soulfuct]

This sets a new low in editorial standards for Slashdot. It was bad enough when RobLimo blatantly sucked up to Microsoft, turning a blind eye to obvious bullshit, as noted here: Re:"Not weasely?" [slashdot.org] posted on Thursday April 05, @10:14AM (Score:1) attached to Windows Exec Doug Miller Responds [slashdot.org]. Now, Hemos is spreading lies and FUD that bring Slashdot down to the level of tabloid non-editors. Please go out of business soon, or be sell out to Microsoft soon and in the open, so that your damage to the industry will be limited.

False claim

[aled]

This seems a false claim to me, a careless acusation or flaming. You have only to download the sources for Java and check yourself because Sun Java is open sourced. Check also the previous posts and is obvious that a five minute search would have cleared all doubts: Java is not guilty.

"Microsoft"-ing yourself

[polrtex]

Yeah, I didn't think Sun would screw up with such a dumb "Microsoft" type of blunder.. This looked like a post from April 1 :-) A little too late...

Responses from Poster

[stereoroid]

1. You think I didn't check this first? Why did I see this behaviour on 2 different systems, starting with the installation of a new Sun JRE?
2. Yes, I used a search engine, and found the same Trojan data. Yes, it's a Trojan, but who put it on my system? From the evidence, it appears that this is being done on Sun's behalf. I know it might not have come from Sun, but this behaviour started with a new JRE, and we don't go surfing the Net on a working server console.
3. By "short of a firewall", I should have said "another firewall". I don't have the privileges to modify a corporate firewall (it's a very big company). Thanks for the reminder about modifying the hosts file - last resort, I guess.
4. You assume that because I am using some Win32 systems here at work, that I am a Windoze Luser, and can thus be dismissed with a few careless swearwords. I'm not interested in getting into a pi$$ing contest with anyone, I'll just say that I know that nothing sucks like M$, yet I can deal with them and their products professionally. And you wonder why we're not all using Linux yet, with such lame attitudes?

None of the above comments go any way towards answering my question. l33t nerds - who needs 'em?

Re:Responses from Poster

[Kwil]

Could it be bundled with the Compaq Insight Manager 7 that you were installing? I know HP at least likes to put a sh'load of monitoring and reporting software into their installs.

ie, did you try getting the JDK straight from Sun?

Re:Responses from Poster

[stereoroid]

It wouldn't surprise me if Compaq, did that stuff. According to the product roadmaps, Insight Manager is heading for the grave anyway, to be replaced by HP OpenView family products.

The JRE did come straight from Sun - the CIM console sends you straight there...

Thanks for a civil response..!

Re:Responses from Poster

[scrytch]

I was going to address your points individually, but frankly I think you've written everyone off already. I hope you're putting up an anti-Sun page right now, excoriating them for their spyware, and calling for a class-action suit or something. Would serve you right when you end up with egg on your face.

None of the above comments go any way towards answering my question.

What question? You started with an accusation. Your accusation was demolished. You weren't told what you want to hear, so you're throwing a tantrum. By all means, do pick up your ball and go home.

Rejected Slashdot story submission

[Futurepower(R)]

Subject: What are the limits of web site visitor tracking?

There is a very interesting story in this, but the Slashdot editors didn't think so.

RedSheriff [redsheriff.com] tracks visits to web sites, and claims to be "the world's largest interactive media business intelligence specialist". RedSheriff claims "incomparable accuracy" [redsheriff.com] using "superior patented technology" that "records user activity at the source, giving clients unprecedented access to data that accurately describes user behaviors". This raises a question: How much can they know about you?

To investigate RedSheriff claims, I visited the web sites of two of RedSheriff's clients, Telstra [telstra.com] and Virgin Direct's Virgin Money [virginmoney.com].

(I prepared by turning off JavaScript and Java in Opera's File/Preferences/Multimedia menu, and selecting "Throw away new cookies on exit" in Opera's Privacy Preferences.)

I went to the Telstra home page [telstra.com] and downloaded the HTML source. (Wow, the Telstra home page is ugly.) In the source I found mention of a RedSheriff JavaScript file, http://telstra.imrworldwide.com/a1.js [imrworldwide.com]. I downloaded that. (Save the effort of re-configuring your browser by just right-clicking on the link and selecting "Save target as".) Virgin Money's site has a different RedSheriff Javascript file, http://server-uk.imrworldwide.com/a3.js [imrworldwide.com]. Do a search for "Red Sheriff", with a space.

Then I downloaded a RedSheriff Java program that I found mentioned in the Telstra and Virgin Money home page sources, http://server-au.imrworldwide.com/Measure.class [imrworldwide.com]. Embedded within this binary is RedSheriff's privacy policy web page address: http://www.redsheriff.com/privacy.htm [redsheriff.com]. ("RedSheriff Cares about Your Privacy", it says, humorously trying to have it both ways in the same web site.)

Basically it seems that RedSheriff is carrying visitor tracking to the limits, including tracking unsuspecting novices who may foolishly but voluntarily give them personal information. Looking at the code, I don't see any attempt to go beyond the narrow boundaries of what the JavaScript and Java languages allow. However, I'm not sure I see everything the code is doing. Can someone help with this? What are the limits?

Slashdot had a story about RedSheriff, Sun Java Runtime Uploads Usage Data to RedSheriff? [slashdot.org] Judging from the comments, there is some doubt about who is RedSheriff's client in that situation. The story submitter defended his information [slashdot.org], and no one seems to have done a verifying test. (It would be easy to hide encrypted references to RedSheriff sites within binary. It would be easy include something in the binary that was not in the freely distributed source.) Note that the first part of one of the RedSheriff Javascript URLs above contains the name of the client, Telstra.

Weird, just ask

[KinkyClown]

I don't get it. If they do this simply to measure the amount of people that actually use the software instead of just downloading, why not simple ask? I normally do not like surveys but if I can contribute in any way to the downfall of Microsoft I will :)

Slashdot, please do the right thing...

[L3WKW4RM]

Update this story so as not to confuse anyone else. Is it that much egg on the face to admit when you're wrong?