The Adobe/Omniture/ Controversy and the Danger of Closed Source

If you haven’t been following, there’s a bit of a scandal in the blogosphere these days about Adobe software products (like Photoshop and their whole CS3 suite) phoning home to a suspicious-looking (indeed, intentionally deceptive) domain name – That’s “two oh seven” not “two zero seven”. It’s designed to look like an IP address on/from your local network (192.168.x.x is a very common private IP range). People started noticing these calls, and wondered what the heck Adobe was up to.

Turns out, the calls to that address were used to send usage statistics/data to web metrics company Omniture. This, in itself, is not a big deal. Almost everyone uses some kind of web metrics. Google Analytics is a popular one – I use it on this blog. We even use Omniture to track stats on Intel Software Network. Web sites do this all the time, and it’s normal. But when it’s an application, not a web page, making these calls, and it’s happening without the user’s knowledge or permission, and when it’s going to an address that was intentionally made to deceive people, well, folks get mad.
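The deception described above relies on a DNS name whose leading labels read like a private (RFC 1918) IPv4 address, with a letter “o” standing in for a zero so the name survives a casual glance. As an added example (not code from the original post, from Adobe or from Omniture), here is a small Python check a defender can run over outbound-connection logs to flag such names. The log format, process names and hostnames below are constructed for the example; the hostnames use the `.example` suffix and are not the real domain from the story.

```python
import ipaddress
import re

# Letters commonly used to imitate digits inside a hostname label.
# (Constructed list for this example; extend it for your own environment.)
DIGIT_LOOKALIKES = str.maketrans({"o": "0", "O": "0", "l": "1", "I": "1"})


def ip_lookalike(hostname):
    """Decide whether a DNS name is dressed up to look like an IPv4 address.

    A genuine IP literal (exactly four numeric labels, nothing after them)
    is not a look-alike: it is what it says it is.  A name whose first four
    labels parse as an IPv4 address once look-alike letters are swapped for
    digits, and which carries further labels after them, is a look-alike.
    """
    labels = hostname.strip().rstrip(".").split(".")
    if len(labels) <= 4:
        return {"lookalike": False}
    prefix = ".".join(labels[:4])
    normalized = prefix.translate(DIGIT_LOOKALIKES)
    parts = normalized.split(".")
    # Every label must be an octet value; int() also drops leading zeros.
    if not all(p.isdigit() and int(p) <= 255 for p in parts):
        return {"lookalike": False}
    addr = ipaddress.IPv4Address(".".join(str(int(p)) for p in parts))
    return {
        "lookalike": True,
        "prefix": str(addr),                  # what the name wants you to read
        "private": addr.is_private,           # imitates the local network?
        "swapped_letters": normalized != prefix,  # needed o->0 / l->1 tricks?
    }


# One outbound connection per line: "<date> <time> <process> -> <host>:<port>"
# (constructed format for this example; adapt the regex to your own logs).
LOG_LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+)")


def flag_connections(lines):
    """Return (process, hostname, address-it-imitates) for every connection
    to a DNS name that imitates a *private* IPv4 address."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = ip_lookalike(m.group("host"))
        if verdict["lookalike"] and verdict["private"]:
            hits.append((m.group("proc"), m.group("host"), verdict["prefix"]))
    return hits


# Constructed sample log: one look-alike with a letter swap, one with digits
# only, one real private IP literal, one ordinary hostname, one public-range
# look-alike (suspicious, but not imitating the local network).
SAMPLE_LOG = [
    "2007-12-28 09:14:02 Photoshop.exe -> 192.168.1.2o7.example:80",
    "2007-12-28 09:14:03 Photoshop.exe -> updates.example:443",
    "2007-12-28 09:14:05 Firefox.exe -> 192.168.1.5:445",
    "2007-12-28 09:14:09 Outlook.exe -> 10.0.0.1.metrics.example:80",
    "2007-12-28 09:14:11 Firefox.exe -> 8.8.8.8.example:80",
]

if __name__ == "__main__":
    for proc, host, imitated in flag_connections(SAMPLE_LOG):
        print(f"{proc} talks to {host!r}, which imitates {imitated}")
```

The check deliberately stays narrow: it only flags names that carry extra labels after the address-shaped prefix, so a real `192.168.1.5` on your LAN is never reported, while `192.168.1.2o7.example` is, together with the address it was built to resemble.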

Adobe blogger John Nack has been doing an admirable job providing answers during this fiasco (he has a good FAQ post on the topic). (On a side note, I’m proud of Adobe for having bloggers to talk about stuff like this. Imagine how much worse for them it would be if they didn’t.) But there’s one question that Adobe hasn’t given a satisfactory answer to (and, surprisingly, it’s because they say they don’t know the answer):

Q.: Why does Adobe use a server whose name is so suspicious-looking?
A.: I’m afraid the answer is that we don’t really know. The fact is that this SWF tracking code already existed on the Macromedia side at the time the companies merged, and it was adopted without change by a number of products for CS3. The people who wrote the code originally did not document why they used that server name, and we can’t find anyone who remembers. I’m sorry we aren’t able to provide a more solid, definitive explanation.

Emphasis mine. Besides the fact that they’re blaming this on the guys at Macromedia who wrote the code that’s doing these calls, they’re basically saying “uhh, we just had all this code that we dropped in there, and we don’t know what’s in it, and we didn’t review it, and it’s not documented, and nobody who worked on the original code works here anymore. So we don’t know why it’s doing that.”

Not exactly confidence-inspiring, is it?

So why is this post titled “the Danger of Closed Source”? Simple. If this were an open source project, with an active community of developers involved, the code would be available for anyone to review, and this kind of deceptive trickery would have been exposed a lot sooner. Not to mention the fact that a patch to remove it would have been made available already. Or the fact that the quality of the code in general, and the documentation, would probably be a lot better. Open source doesn’t magically make these things happen, but in a popular, well managed open source project, it’s more likely to happen than in a closed source project.

I’ve been doing a lot of reading about open source, its culture, and its practices. I highly, highly recommend a couple of books on the topic: The Cathedral and the Bazaar by Eric S. Raymond and Open Sources 2.0, a collection of essays compiled by Google’s Chris DiBona and my friend Danese Cooper (those are both affiliate links). Both books, and the essays they contain, do a terrific job of getting past the “hype” and stereotypes of open source software, and explaining why, increasingly, closed source software is a bad idea, in software quality, customer experience, and as a business model.

This latest example with Adobe and the nefarious domain name only serves to illustrate that point. I actually feel bad for them. They acquired a company and its “assets” (a bunch of code that they had to integrate into their own products). They probably chose not to spend the resources necessary to go over every line of code (of which there are probably millions) to understand everything it’s doing. Who would? So, they do the best they can, integrate the code, test it, make it work, and, having done their best, release it to the world.

And then something like this comes along and bites them. And even though they did their best, they’re still getting hammered for it. By the press, bloggers, and eventually, shareholders to whom they’re accountable.

But it gets worse! Want to think of something REALLY scary? If Adobe “just doesn’t know” what’s in the code that’s on millions of people’s computers around the world, who’s to say there’s not something a lot more dangerous, a lot more malicious, and a lot better hidden lurking in there? What if a disgruntled Macromedia developer hid some code that would give him backdoor access to every computer running Photoshop? What if there’s code in one of these apps that’s silently searching hard drives for passwords and other identity information, and sending it off to some evil dude in a foreign country?

That’s the danger of closed source software. When you use it, you’re putting yourself completely at the mercy of the people who wrote it. You’re giving them your trust. Based on what? Hope and blind faith? The fact that nothing bad has happened so far? Adobe trusted the source code, and customers trusted Adobe. And look what happened.

Are you a little bit more wary about closed source software after reading this? I hope so.

8 thoughts on “The Adobe/Omniture/ Controversy and the Danger of Closed Source”

  1. Pingback: StumbleUpon - Your page is now on StumbleUpon!

  2. Pingback: Luke Gedeon - Solutions Researcher » The dangers of growing to fast.

  3. Mike says:

    I agree that it’s tough for Adobe to integrate products from another company and be absolutely sure that everything is perfect. But that’s their job and their consumer promise, they get hit in the bottom line if they screw it up and that’s the way it should be. Besides, they’ve had how long to integrate Macromedia? Since early 2005?

    But I disagree on your thought that open-source software is more secure than closed-source. What about open-source makes it inherently more secure? There’s still people working on it and, no offense to the open source community, it’s quite possible that one of the open-source developers has nefarious intentions and creates a back-door or viral payload that some other developer either cannot see or just plain misses in review.

    My point is that we are always putting ourselves at the mercy of a large group of developers, closed or open source, and really have no practical method for determining the safety of the product other than the brand. In this case, Adobe got burned and so did we, but that could happen with any software. At least the brand signifies quality until that brand ruins its image; and when the brand image is ruined, then we know to stay away.

    Full Disclosure: I currently own CS3 suite, run open-source software, keep a box running Ubuntu (just for fun and as backup system).

  4. Pingback: Luke Gedeon - Solutions Researcher » The dangers of growing too fast.

  5. I agree that there’s some deceptive stuff going on here, but I think it’s a bit misleading to say that it’s a closed source/open source issue.

    The Adobe rep doesn’t say they don’t know what’s in the source. He says they don’t know why someone chose and registered that URL. I think that answer is bunk; I also think they could easily register another domain ( for example) and update the software. However, this isn’t an issue of closed vs open source. This is an issue about the way a company treats its customers.

    I do think there’s an issue regarding transparency and accountability, and that open source could be ONE way to help address that, but it’s not the only solution.

    BTW, one of my Ignite submissions that is coming today is very much related to this topic.

  6. Todd says:

    I don’t buy it. They’re pinging a website every time an app is opened, and they don’t know the specifics of why they’re doing it? No one remembers??? This phenomenon isn’t a tiny blip on the radar. It’s obvious who they’re pinging, and since it happens every time someone opens an app, they must be getting zillions of hits every day… what kind of bandwidth do they need to support this scheme that’s funneling information to Individual users may not be tuned into subtle things like every IP that pops up on their network and sends 150k, but from Adobe and Omniture’s standpoint, we’re talking about something the size and weight of a tsunami! They hadn’t even noticed it. They must have missed it. Yeah, right! How can you miss that?? Glib liars! Makes you trust them even less.

  7. Pingback: wolfbeast: Omniture

  8. SpockMonster says:

    Well, the situation that Adobe doesn’t know what’s in the code really has nothing to do with the issue of being deceitful about the use of cookies. So, as two separate issues:

    1. They should just explain to people that “by using these cookies, companies are better able to figure out what it is you are interested in and then find partner companies to provide those goods and services to you”. Nothing malicious in that. And no, I am not in the Marketing business, but I am a programmer and I know how this stuff works. To me it seems benign and maybe even beneficial. My 2 cents. Of course, it is revealing, in a Freudian kind of way, that Marketing folks would decide to deceive rather than be honest, but I think that’s just their mindset.

    2. Not knowing what is in the code, that afflicts any kind of program. It could be Omniture/Adobe, but it could be any other script on any website. How about the code that makes up jQuery – used by millions (guess) of websites; if that library had malicious code in it (such as through hacking) then lots of websites would be compromised. Or a benign shopping cart script anywhere could be compromised. Just saying, it has nothing to do with the 2o7.Net issue.
