Adobe modifies hosts file to detect whether Creative Cloud is installed (osnews.com)

105 points by rglullis 2 hours ago

matsemann 44 minutes ago

Oh well, as a teenager, blocking Adobe servers in hosts file was how you got to "phone activation" and could generate a code. So I guess we're even, heh.

lousken 2 hours ago

How is Defender not flagging this? Changing hosts file should raise alarms.

Asmod4n an hour ago

Defender warns you this happened.

xattt an hour ago

Can this not be blocked with file permissions? Or a symlink to a file in a ro folder?

SoftTalker 21 minutes ago

Most software installers demand to be run as root/Administrator.

The fact that this is largely seen as acceptable or even sensible is rather silly in this day and age.

hypeatei 41 minutes ago

Most users won't care, especially if the Adobe installer warns them that a security warning might pop up after installation. Besides, in practice, any malware editing the hosts file isn't going to get much because of HTTPS; one cannot simply redirect "google.com" traffic to their own IP without issue.

raverbashing an hour ago

I wonder how this works on Windows, if any service overrides/resets it.

gjsman-1000 2 hours ago

The hosts file is not sacred on Windows. Anyone who is administrator can just edit it. I've done it to add domain names to localhost.

For anyone hand-wringing over this, this used to be normal. The hosts file was invented a decade before DNS. The end user, or app, would edit their hosts file purposefully after downloading a master copy from the Stanford Research Institute which was occasionally updated.

jacobgkau an hour ago

> For anyone hand-wringing over this, this used to be normal.

People editing hosts files for other reasons was normal (a long time ago-- and it stopped being normal for valid reasons, as tech evolved and the shortcomings of that system were solved). A program automatically editing the hosts file and its website using that to detect information about the website visitor is not the same thing; that usage is novel and was never "normal."

wtallis an hour ago

psyclobe 4 minutes ago

The most difficult of tasks is trying to uninstall this pos app on Windows.

1bpp 12 minutes ago

I owe thousands of dollars to amtlib.dll.

Dwedit 27 minutes ago

Browsers could still do something about mixed Internet and LAN/Localhost requests by IP address regardless of the domain name.

SahAssar 24 minutes ago

This does not request a local/LAN file, it's a remote server but without any DNS entry unless the hosts file entry is present.

Terr_ an hour ago

Recycling a comment from prior discussion (4 days, 68 points, 13 comments): https://news.ycombinator.com/item?id=47617463

_______

Oh helllll no. Let's imagine an analogy for Adobe leadership:

1. You hired a night janitor to clean and vacuum your executive offices.

2. That janitor secretly stops at every desk-phone to alter the settings of voicemail accounts.

3. After the change, any external caller can dial a certain sequence to get a message of "Yes, this office was serviced by Adobe Janitorial!"

What's your reaction when you discover it? Do you chuckle and say something like "boys will be boys"? No! You have a panic-call, Facilities revokes access, IT starts checking for other unauthorized surprises, HR looks into terminating contracts, and Legal advises whether you need to pursue data-breach notifications or lawsuits or criminal charges.

* Is it acceptable because they had some permission to touch objects in the rooms? No.

* Is it acceptable because the final effect is innocuous? No.

* Is it acceptable because the employment contract had some vague sentence about "enhancing office communication experiences"? No.

* Is it acceptable if they were just dumb instead of malicious? No.

No person that would blithely cross those lines can be trusted near your stuff, full-stop.

jacobgkau an hour ago

To be fair, your analogy has one flaw:

> 3. After the change, any external caller can dial a certain sequence to get a message of "Yes, this office was serviced by Adobe Janitorial!"

Theoretically, it's not "any external caller." Only the janitor's department calling in can dial that sequence and get "Yes, you serviced this office!" If anyone else tries to dial the extension, the desk-phone pretends it doesn't know what it means. (Because it seems Adobe's server serving the analytics image checks the request origin and only serves the image if the origin is Adobe's own website.)

The origin "security" doesn't excuse the complexity and the potential for both exploits and human-error breakage in the future.

gray_-_wolf 26 minutes ago

> Only the janitor's department calling in can dial that sequence

Is this the case though? Cannot any website use the same trick Adobe does to check whether you have Creative Cloud installed? Like, the entries in /etc/hosts are not magically scoped to work just on Adobe's web, no?

nashashmi 35 minutes ago

So can I fool the website that I have CC installed?

vondur 2 hours ago

If you don't like Adobe modifying your hosts file then I'd not use them. The checking for the software this way is kinda interesting though.

dlev_pika an hour ago

I wonder how many Adobe users are aware of this sketchy behavior tho

tonyedgecombe an hour ago

My guess is most Adobe users have no idea there is a hosts file nor what it does.

OptionOfT an hour ago

Can't even reproduce it when setting location to Belgium, or CA or AZ.

I must be missing something.

ramon156 an hour ago

To be fair, to crack all Adobe products requires a few reg keys. It's wild that they have just given up on pirates.

snapcaster an hour ago

They don't want to be too hard on piracy, it's their new/young user on-ramp method.

kenhwang 29 minutes ago

Also a lot of recent features are AI related and rely on talking to Adobe servers, which would require a valid subscription. They're probably betting the AI features are valuable enough that local only pirated copies aren't a threat long term.

hypeatei an hour ago

Looks like they got a wildcard certificate for *.creativecloud.adobe.com[0] so that the HTTPS connection works and so they don't have to publish DNS records for the "detect-ccd" subdomain to obtain a cert. Pretty neat setup, but also kinda hacky.

0: https://crt.sh/?q=creativecloud.adobe.com
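An added example, not part of any comment in this thread: a hosts-file audit that separates blocking entries from entries that point a name at some other address, and marks names under the wildcard's domain. The sample lines, the 203.0.113.10 address and the baseline are constructed; the hostname is assembled from the "detect-ccd" subdomain and the wildcard named in the comment above.

```python
import ipaddress

# Suffix taken from the wildcard certificate mentioned in the thread.
WATCHED_SUFFIX = ".creativecloud.adobe.com"

# Constructed sample hosts content; the addresses are illustrative only.
SAMPLE = """\
127.0.0.1 localhost
::1 localhost
0.0.0.0 telemetry.example.invalid
203.0.113.10 detect-ccd.creativecloud.adobe.com  # constructed address
192.168.1.20 nas.home.arpa nas
"""

def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every name mapped in hosts-file text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed line, not a mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")

def audit(text, baseline=frozenset()):
    """Return findings for every mapped name that is not in the approved baseline.

    kind is "sinkhole" when the name is pinned to a loopback or unspecified
    address (a block), and "override" when it is pointed at any other address,
    which is the case that makes a name resolve only on this machine.
    """
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if name in baseline:
            continue
        kind = "sinkhole" if (ip.is_loopback or ip.is_unspecified) else "override"
        watched = ("." + name).endswith(WATCHED_SUFFIX)
        findings.append((lineno, str(ip), name, kind, watched))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, baseline={"localhost"}):
        print(finding)
```

To audit a real machine, pass the contents of `/etc/hosts` or `C:\Windows\System32\drivers\etc\hosts` as `text` and keep the baseline under change control.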

j45 an hour ago

Makes Affinity sound like a smarter and smarter choice.

jameskraus an hour ago

Honestly a pretty nifty way to detect if it's installed. I'm sure this can power a lot of nice features, like linking directly into Adobe products if they're installed.

turtlebits an hour ago

It can power even more security issues too. This is absolutely horrendous.

tonyedgecombe an hour ago

I’m wondering how this can be exploited.

cromka 2 hours ago

> for a very stupid reason.

I cannot stomach Thom's articles. So borderline judgmental, holier than thou, feels like he only writes whenever there's something to criticize.

No, it's not a stupid reason. Reason is OK, the execution is controversial.

tombert an hour ago

I don't know anything about Thom, but I've kind of grown to prefer the pissy opinionated tones of blog posts. I think impartiality is difficult or impossible for a lot of tasks, and I'd rather people lay out their opinions plainly than trying to pretend that what they're saying is "objective".

Also, I think writing only when you have things to criticize is a valid enough thing to do; what's the point of writing a glorified "I agree!" article?

I only ever blog when I have something that I think is unique to say, and as such a lot of the time my posts end up being kind of negative. I don't think I'm that negative of a person, I just don't see the point of flooding the internet with more echo-chambers.

pessimizer an hour ago

> No, it's not a stupid reason. Reason is OK, the execution is controversial.

This is a muddled statement. It is a stupid reason to "execute" the act of silently modifying your hosts file.

If I murder somebody to keep them from stepping on my foot, and the judge says that it's a stupid reason to murder somebody, it's silly to say that the reason is "OK" because it hurts to have one's foot stepped on.

Steeeve 2 hours ago

It's literally a 2 sentence article. Might as well have just tweeted "Adobe makes me mad"

gjsman-1000 2 hours ago

> Reason is OK, the execution is controversial.

And even then, only controversial to nerds with opinions. Nothing else about it is controversial.

If anything, knowing whether the app is installed or not is kinda important? If you open a file shared with you in the browser, the option to "Open in Desktop" versus "Install Desktop App" actually works correctly?

rglullis 2 hours ago

> In which case, how else would you propose doing it?

- Registering a URL handler?

- Asking the user?

gjsman-1000 2 hours ago

jacobgkau an hour ago

> If anything, knowing whether the app is installed or not is kinda important? If you open a file shared with you in the browser, the option to "Open in Desktop" versus "Install Desktop App" actually works correctly?

This is not an approach any other app on any platform has historically used, and it doesn't seem sustainable if every app you install has to modify your hosts file to use a hack like this to detect whether it should handle files or not.

If you want the browser to be able to give the OS a file handler and have the OS present an option to install the app if it's not installed, that should be handled at the platform level, not on the website using a hack like this.

Why can a file not simply be downloaded with a page displayed showing a link to install the app and also instructions to open the file, trusting the user will know if they already have it installed? At best, you're talking about a very small UX optimization. Emphasis on the "kinda" in "kinda important."

naniwaduni an hour ago

gjsman-1000 an hour ago