Tracking links in datasheet PDFs

And "of course" there are ways of reading PDF files other than with Acrobat and Windows. I'm thinking specifically of tools like xpdf and ghostscript, which know quite well how to get around traditional Acrobat PDF encryption.

Wthether the remoteapproach.com documents locks these other viewers out or not, I don't know.

If a manufacturer chooses to publish its datasheets in any given obscure evil way is up to them, but if viewing them is not a benign process then I won't view them and I won't buy their parts.

Datasheet wholesalers are another ball of wax!

Tim.

How did you stop this action ??

I am using XP and I could not find out how to stop just Acrobat.

Thanks,

Donald

I saw it recently in a free non-datasheet document and immediately deleted said document. Remote Approach is the name of the service.

Can you see their URL or IP (? 65.17.226.156 ?) if you open the document in a text editor? Can you point to a sample document? I'd like to block whatever they are using right at the entry firewall.

They are working on even worse stuff- like documents you won't be able to read unless a connection is made over the net and they apparently now have ones they can remotely prevent from being read (presumably by blacklisting them and transmitting information to the reader when the document comes a-calling).

I suggest nipping this ridiculous crap in the bud-- let the vendor know in no uncertain terms that this spyware stuff is not appreciated. Since it communicates via port 80, it's unlikely that most people will even notice what it's doing. Also, full Acrobat needs to be able to use port 80 to use all the features.

Best regards, Spehro Pefhany

--
"it\'s the network..."                          "The Journey is the reward"
speff@interlog.com             Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog  Info for designers:  http://www.speff.com

Not very quickly, I see. 8-(

According to a post earlier this year on slashdot, the javascript code is mostly fairly benign, but it does send the entire path in the clear to the tracking company. As well as other possible security issues, if it's in the typical Windows default My Documents folder, the path could well contain the name of the current user, which is a privacy issue.

I actually can see reasonable applications for this technology, and even the more extreme versinos (for proposals, business plans and other relatively secure documents), but data sheets are not it.

Best regards, Spehro Pefhany

--
"it\'s the network..."                          "The Journey is the reward"
speff@interlog.com             Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog  Info for designers:  http://www.speff.com

I signed up for their trial service and tagged an existing PDF document to test it. Blocking their domain at the firewall works fine.

Here's what you see in Acrobat 5.05

Best regards, Spehro Pefhany

--
"it\'s the network..."                          "The Journey is the reward"
speff@interlog.com             Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog  Info for designers:  http://www.speff.com

I just got a datasheet on a family of inductors from a vendor. When I open the datasheet, it tries to connect to some website that tracks viewing history of this particular PDF (IP addr, serial # of document, time/date, etc.). Probably interesting information to their marketing department, but it is a nuisance to the design engineer opening the datasheet. Microsoft anti-spyware warns this is happening and allows me to block such connections. This PDF is not confidential, and is not a controlled copy.

Has anyone else seen such behavior by component vendors? I have thousands of datasheets archived for reference purposes, and I have never come across this in any other datasheet. I hope this is not going to start a trend.

-Chris

--
 /> Christopher Cole                                                                     \\>

You can get a copy of the document in question by googling for 0201cs. It is the first match. In order to get a copy of this datasheet, The company asks you for your email address so they can put a serial number that is tied to you in their tracking database. They then email an identifiable copy to you. I have written to the company in question informing them that this is not good practice. It is actually a gaping _security hole_.

Imagine what could happen if remoteapproach.com went out of business or changed their internet address some time in the future. Then, a nasty individual could regsiter that domain and set up a buffer overflow response to the acrobat reader. The security of that company is breached. The attacker now has unlimited access to the computer that opened up the PDF file. There is now a wide open tunnel between the attacker's computer and the company's internal network. Because the engineer opened the PDF file, the Acrobat reader instantiated the outbound IP connection to the rougue host. This removes the protection that the company firewall provides to its internal LAN. All further traffic is then sent through an encrypted SSH tunnel using the very port that was initiated by the reader.

Of course, this is hypothetical. If you believe that Acrobat reader and the underlying windows support libraries are 100% secure, and will never ever suffer from security holes, then there's nothing to worry about.

-Chris

--
 /> Christopher Cole                                                                     \\>

You have to add a better firewall. Basically, the inbuilt firewall, barely merits the name, since it is an 'incoming' wall only. If you add slightly better firewall packages, they will allow you to block or allow individual packages/users etc., for incoming and outgoing connections.

Best Wishes

On Thu, 08 Dec 2005 10:06:32 -0500, Spehro Pefhany wrote: ...

Well, screw Acrobat anyway. When I'm _required_ to use Doze, I use Acrobat reader v.4 or so, but in Linux I just use KPDF, which don't have no truck with such shenanigans. ;-)

I was somewhat astonished the other day - the PHB got a few TIFFs in a(an?) RFQ, and asked me to convert them to PDF and print them out for him. Well, Paint Shop Pro 4.12 does just a jim-dandy job of opening any file, and printing[1]. I said, "But I don't have software to make a PDF." He shows me "PDF995", which blew my socks off. It's free, which they can afford because every time you use it, you get two ads. :-/ But all it is is, you install it, and it becomes a printer in your "printers" "folder". It's a total WYSIWYG, and quite cool.

I wonder if it'd be worth the bother to open the offending docs in Reader 4, and print them to PDF995? I think there are also PDF utilities for Linux, but I haven't really pursued it.

As far as the documents that want to phone home, I say we boycott those vendors.

Vote with your feet!

Cheers! Rich [1] I downloaded it about 10 years ago, and when I finally got around to having $20.00 to spare, I emailed them, and asked, "Where should I send my check?" and they never answered. :-)

try reading it with this fast PDF reader

see if it still happens

martin

As I think someone else mentioned, if you turn them off in preferences, it pops up a warning and dongs, if you tell it to ignore, then it doesn't seem to bother you again that session.

Will turning off Javascript break any innocent or useful documents?

Best regards, Spehro Pefhany

--
"it\'s the network..."                          "The Journey is the reward"
speff@interlog.com             Info for manufacturers: http://www.trexon.com
Embedded software/hardware/analog  Info for designers:  http://www.speff.com

Rich Grise, but drunk said

Another option. Ad free.

It's license doesn't even exclude commercial use.

What happens if you turn off Acrobat JavaScript? Acrobat has a JavaScript enable in the preferences.

--
Mark

I experimented with one of Remote Approach's PDFs with the phone home feature.

You can see it talking back to the home location. You can disable this by turing off javascript in Acrobat's preferences. You will get nag screens about the document containing java script. Just say no to javascript!

If you crack the password on the PDF, you can delete the javascripts on each page to remove the phone home feature.

What's all this pussyfooting around about? The company is Coilcraft, and the document is simply their line of 0201CS Chip Inductors.

These are interesting small parts, but it's not worth the hassle and control insult they put one through to get the datasheet. In fact, with my computer's security settings I'm unable to get the datasheet, perhaps that's what they intend.

I note they updated the web page just yesterday, "Updated: December, 08 2005 Your comments and suggestions are welcome. Contact snipped-for-privacy@coilcraft.com Copyright © 2005, Coilcraft, Inc."

I suggest we write this webmaster and voice our opinions. Perhaps he will wiseup? If not, we can always write the company president. I'm a longtime loyal Coilcraft customer and don't appreciate being yanked or jerked around by marketing or by an errant, off-the-wall webmaster.

I save datasheets in my computer, carefully filed in organized company folders, with the files often renamed for clarity in finding them. In fact I have a nice collection of datasheets in my Coilcraft folder, but not the new 0201CS chip-inductors parts. It's a shame I'm not going to be looking at that datasheet. Does Coilcraft want to make this a trend? I'm forced to wonder if I should avoid ever looking again at the other Coilcraft datasheets I have in my computer, perhaps I should erase them. Or at least erase the 30% of my Coilcraft files that have 2005 dates.

Sheesh!

I've been having so much damn trouble lately with my collection of six active Windows computers that I'm getting more than a little paranoid about allowing files into them that muck around with them in any way.

--
 Thanks,
    - Win

Following this thread I disabled javascript in Adobe 7, but now I see something else.....

In Preferences --> Trust Manager there is a box headed Pdf File Attachments that says "Allow documents to open other files and launch other applications".

It is ticked by default.

Should I untick it?

--
Tony Williams.

I would.

Cheers! Rich

Displays quite happily in xpdf (for RISC OS)... no Javascript in sight :-)

Theo

My collection at this point would require at least three DVDs. I appreciate your suggestion, but I object to any manufacturer providing any datasheets that prudently require extraordinary measures to look at them safely.

I'm already fed up with the new padlocked datasheets that don't allow me to add any comments, such how I'd use the part, what distributor has stock, etc. I routinely do this with parts I keep in inventory, or am thinking about using. Moreover, they won't let me extract a few pages to insert to the manual of an instrument using the parts. They're saying, "Hands up! Back off, stop even thinking about using these parts."

--
 Thanks,
    - Win