Java Spyware

Freshness Warning
This article is over 16 years old. It's possible that the information you read below isn't current.

I was minding my own business when I noticed that the Java console had appeared in my Windows taskbar. I found that odd, since I hadn’t run any Java software recently. Opening the console, I find repeated references to RedSheriff.com followed by some HTML and the words "record sent."

That got my attention. I’m sending data to some company I’ve never heard of?

Apparently RedSheriff makes tracking software for companies. They knew that people and companies were able to easily defeat traditional tracking networks by disabling cookies, using proxies, and hiding behind NAT routers. So they decided to solve this problem by creating a small Java applet that runs in your browser on their client sites and sends data to RedSheriff’s servers.

The server logs are unable to pick up information relating to both PC and RAM cache and proxy servers. Server logs will also count all users behind a firewall as one user. All of the above mean that server log files fundamentally undercount site traffic.

RedSheriff Measurement avoids these difficulties by using a patented quantitative activity measurement technology, known as instrumentation, which allows activity to be measured from the browser.

Web servers aren’t able to accurately count traffic, so RedSheriff is solving this problem by installing tracking software on consumers’ PCs without their knowledge or permission, effectively transferring the traffic counting burden from the server to the client.

So what are they tracking?

Exit and Entry Pages, Page Impressions, Path Analysis, Unique Visitors, Host Summary, Unique User Sessions, Browser and Operating System, Page Durations, Java/CGI Breakdown, Session Durations, Referring URL, Country of Access, Referring Domain, Reach, Period Page Impressions, Visitor Frequency, Internal and External Referring URL, Loyalty

Of course RedSheriff’s privacy policy assures you that they believe "providing the company with your personal information is an act of trust." They’re running tracking software on my machine to send personal information without my knowledge. That sounds trustworthy.

I’ve replaced their Java class file (measure.class) with a blank file and set it to read-only. I also changed my hosts file to redirect requests to their servers to a black hole and added a filter to the Proxomitron that neuters the applet.

farmer-Bri
October 11, 2004 9:44 PM

I find it ridiculous that some of you are 'outraged' at this 'arrogant' 'intrusion' in the collecting of anonymous data. Do you realise what these metrics are routinely used for? To improve your future experience of the site you are visiting. Someone previously pointed out - this is someone's resource that they have made available - often for free. Surely then it's their prerogative to collect anonymous data on the use of their resource? It *is* anonymous - yours is one of hundreds of thousands of personally unidentifiable records from which the authors of the site can pinpoint what may be confusing to users, and how things can be improved. If you don't like the way they're using their own property you don't have to go back. If I owned such a site I think my first thought would be akin to 'good riddance'. *So what you are really affronted by is that the owners of a resource, that they have made available to you and that you obviously derive value from, have then gone on to invest money and time in trying to improve the experience for you next time you visit.* The b@stards! String 'em up I say! Oh, that's not what you're really upset by is it... the biggest complaint about redsherrif seems to be the dynamic loading and running of code on your computer via a web page - fact: *all Java Applets do this - it's what they're for.* For that matter, that's exactly what Shockwave Flash does, and activeX and JavaScript and others. So if you have issues with this behaviour in redsherrif you should disable all these things. Java and Shockwave Flash, however, are sandboxed - this means that *they are incapable of doing anything to compromise your system*, (unless, in Java's case, you explicitly agree to let them do it) or accessing data you haven't explicitly given them access to, just like JavaScript. 
If Java Applets crash - they only crash themselves, they don't have access to any data you haven't given to the page that contains them and they can only be run by the page that contains them which means that if you have entered your credit-card number into a page and an applet is capable of reading it - that applet is as trusted and trustworthy as the page you have made a conscious decision to trust, just like JavaScript. Nothing to worry about - if you trust the source. Some of you seem to be perfectly blasé about people and sites other than redsherrif loading and running Java Applets on your machine without your consent ("please tell me how to disable redsherrif without having to disable Java!") but you've heard that redsherrif is 'spyware' and immediately demonise it. So, what have we learned? Java is not JavaScript, but Java has the same exploitability as JavaScript and Flash (unless you have explicitly agreed otherwise). So, if Java worries you - so should JavaScript and Flash. You should turn them all off... and good luck. On a side note: I can't believe that some of you are willing to execute potentially lethal .REG files on your computer to remove a few totally benign java classes. It's like approaching a guy on the street selling pills, asking them for some medication because you sneeze once or twice every few days and blithely taking the pills without question. Is that rational behaviour? Only if you trust the source *absolutely*. The sneeze isn't really a problem - the pill might kill you. It would be the work of a few minutes to whip up a .REG file that would irrevocably destroy your computer setup, I would spend more time thinking on that, perhaps? If you are really concerned about online security and privacy then you will have a firewall and know how to use it - the best way to opt-out of the redsherrif data collection is to block their domains - a single entry... but I didn't need to tell you that, right? 
If you want to spend your time making meaningless gestures in the name of paranoia, be my guest... I for one have better things to do with my time.

Moore
November 17, 2004 8:05 PM

Good topic. I have been blocking Red Sherrif worldwide for a while now; there are a lot worse things to be worried about, but still something worth avoiding.
To quote farmerbri: "If you are really concerned about online security and privacy then you will have a firewall and know how to use it...the best way to opt-out of the redsherrif data collection is to block their domains - a single entry"
Which single entry would that be? I have a firewall and there is a lot more than just a single IP range to block, as well as a large range of domains to be blocking in a Hosts file. Of course if you have something like Outpost firewall or some type of ad-filtering program you can disable Java applets from running altogether.
The IESpyad .REG file is from a completely trustworthy source and has been used and recommended for many years on most sane security forums; it's hardly a serious risk to use.
Also, the post above which displays the format for effectively blocking RedSherrif in a Hosts file is not correct. Since it was originally supplied by RedSherrif, that may be the reason why it's incorrect. The Hosts file entries should actually be listed with localhost first:
127.0.0.1 server-au.imrworldwide.com
A great Hosts file for blocking dangerous spyware can be found here: http://www.mvps.org/winhelp2002/hosts.htm
There was a good discussion a while back on Spyware info on preventing RedSherrif connecting to your computer: http://www.spywareinfo.com/forums/index.php?showtopic=2239
And really it's not about being paranoid; I will block anything I want during my internet travels, since I own my computer and pay for my internet connection, it is therefore my choice who I allow to connect to me. :) cya
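An added example (not part of the original post or of any comment): a small Python audit of the hosts-file format discussed in the comment above, where the address comes first and the hostname second. The sample file is constructed; the three hostnames are the imrworldwide.com names that appear on this page, and counting 0.0.0.0 as a black-hole address alongside 127.0.0.1 is an assumption of the example.

```python
import ipaddress

# Constructed sample hosts file, not taken from a real machine.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1 localhost
127.0.0.1 server-au.imrworldwide.com   # correct: address first
secure-au.imrworldwide.com 127.0.0.1   # reversed: not a valid hosts entry
0.0.0.0 secure-us.imrworldwide.com
"""

# Hostnames mentioned on this page that the reader wants black-holed.
WANTED = ["server-au.imrworldwide.com", "secure-au.imrworldwide.com",
          "secure-us.imrworldwide.com"]

def is_ip(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_hosts(text, wanted):
    """Return (blocked, reversed_line_numbers, missing) for the wanted names."""
    blocked, reversed_lines = set(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 2:
            continue                            # blank or comment-only line
        if is_ip(fields[0]):
            addr = ipaddress.ip_address(fields[0])
            # Assumption: loopback or 0.0.0.0 both count as a black hole.
            if addr.is_loopback or addr.is_unspecified:
                blocked.update(h.lower() for h in fields[1:])
        elif any(is_ip(f) for f in fields[1:]):
            reversed_lines.append(lineno)       # hostname written before address
    wanted = [h.lower() for h in wanted]
    return (sorted(h for h in wanted if h in blocked),
            reversed_lines,
            sorted(h for h in wanted if h not in blocked))

if __name__ == "__main__":
    ok, bad, missing = audit_hosts(SAMPLE_HOSTS, WANTED)
    print("blocked:", ok)
    print("reversed entries on lines:", bad)
    print("not blocked:", missing)
```

A hosts file matches exact hostnames only, so each imrworldwide.com name needs its own line; a name left in the third list is still looked up through DNS.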

Posteller
January 12, 2005 7:34 AM

That's the point: if everything is correct and friendly, why is it done secretly? K. P.

farmer-Bri
January 12, 2005 3:47 PM

Websites do *lots* of things without notifying you... Just because a web page doesn't notify you each time it wants to change an image on a roll-over (by running code you haven't installed and didn't approve blah blah blah...) doesn't mean there's something sinister about the roll-over. There's an enormous amount of stuff going on inside your computer that you will never know about - and even on a clean install some of those things are considerably more sinister than what redSherrif does...

Anonymoose
March 23, 2005 12:32 PM

Wow! Symantec had nothing I could find on Red Sherriff, but I learned a lot here!

Jockdownsouth
April 11, 2005 1:58 AM

The constant reappearance of this baby was beginning to worry me. Like Anonymoose I've learned more from this site than any other I've looked at. I now know that the reason Ad-Aware keeps finding Imrworldwide on my machines is probably the BBC. I now know it's not particularly harmful but I've added the site and IP addresses to Zonealarm and put it in my IE restricted sites. I don't think I'll risk the more technical suggestions. Thanks to everybody.

Anon
August 27, 2005 5:44 PM

Ever since I stopped using Java of any description, all my Spyware worries seemed to disappear. Sure makes it difficult to view some pages properly, but is well worth it. Forget Java - it's LAME.. and infectious.

farmer-Bri
September 18, 2005 11:34 PM

Well, thank you Anon for that tremendously uninformed opinion... you may think Java is 'LAME' and 'infectious', but I can assure you it is neither by nature. By deliberately causing yourself browser woes you are merely punishing yourself for your own ignorance. If your spyware issues seem to have disappeared since removing Java it is only because you are blind to the nearly infinite non-Java spyware issues. Educate yourself and post again. Cheers.

von-hill karl
January 2, 2006 5:51 AM

I GO TO NZDATING.COM. THEY HAVE IMRWORLDWIDE.COM ON THEIR SITE. I FOUND SPY BUG ON MY COMPUTER AFTER SCAN. IT SAID IMRWORLDWIDE.COM. PLEASE REMOVE SPY BUG. HELP, IS THAT WEB SITE SPYING, OR WHO IS?

iamu
February 13, 2006 8:28 PM

They're thieves. These companies (BBC.com.uk etc.) have sent thieves to our computers and thieves cannot be trusted. It shows they have no care for the people dealing with them. I have to pay for my internet connection. It gives me an amount I can download and my upload is included as download in that figure. These programs are stealing my bandwidth. I don't care what they want to collect, I don't want to pay for it and I don't care how little it is. It is like going to someone's business office and while there they go through my pockets and have a key cut for the backdoor of my house then go there and send letters back to them using my stamps. How can anyone condone that? Any company using this technology has no integrity. Where's my cheque?

John Charville
April 16, 2006 4:03 AM

Dear People, Might I suggest that you all have a look at EC Directive 2002/58/EC paying particular attention to recitals 17, 24, and 25 (The paragraphs of the Preamble to the Directive itself) and then have a look at Article 5. Directive 2002/58/EC makes the deployment of spyware, cookies and anything else totally unauthorised if your fully informed consent is not obtained. Then have a look at section 1 of the Regulation of Investigatory Powers Act 2000, and sections 3 & 1 of the Computer Misuse Act 1990. These make the deployment of cookies and interception of traffic data a criminal offence, since such deployment and interception is clearly unauthorised. I hope that this helps. Regards John Charville John.Charville@ntlworld.com

daniel vernede
July 3, 2006 8:26 AM

hello...i for some reason am unable to get onto my favourite site at the moment i can get onto www.afl.com.au but when i try to get to the kelloggs nutri-grain dream team competition it comes up with "this page cannot be displayed" it loads up "http://secure-au.imrworldwide.com/cgi-bin/a/ci_451207/et_2/cg_800509/pi_1003253/ai_819400" please can i have some info as to how i can fix this problem because i MUST be able to access that site... please email me at wot_chu_want@hotmail.com asap its very important that i fix this problem kind regards daniel

Will
March 1, 2007 3:26 PM

secure-us.imrworldwide.com it's on Pandora !? VV

John Charville
February 15, 2009 5:31 AM

The UK has actually annulled the obligations created by Directive 95/46/EC through Sections 22 & 23 from the Data Protection Act 1998.

John Charville
February 15, 2009 5:33 AM

The secretary of state has refused failed to produce the Orders that Sections 22 & 23 from the Data Protection Act 1998 refer to.

These are the last 15 comments. Read all 46 comments here.


©1999-2019 Adam Kalsey.