Sunday, July 30, 2006

Opening Pandora's Box

A good while back I wrote a short post about Pandora's Music Genome Project. At the time I was briefly enamored with the novelty of a personalized automated playlist that introduced me to songs I'd never heard. But it didn't take long for me to get bored with it. Regardless of the quality of the songs I seeded it with, and however diligently I managed my preferences, it always devolved into a monotony of sub-mediocre songs and hardly ever played anything worthwhile. But such is life on the web.

One thing I did notice, however, was that Pandora always recognized me without my ever logging in. Whenever I went to the website my 'stations' were called up instantly, even though my browser, Firefox, always wipes the cookie tray clean after cooking (that is, whenever I close the browser). I tried changing my IP address, but it still knew who I was. It annoyed me that Pandora must be surreptitiously writing files to my hard drive, and although I was never able to locate the dirty Pandora folder, I stopped using the site.

Today, a seemingly arbitrary series of clicks somehow returned me to Pandora's main site, and lo and behold, my crappy stations lay in waiting. I've since renewed my effort to locate and eradicate whatever mechanism Pandora uses to identify me, but to no avail. Now I'm hoping some of my heavy-hitting hacker friends can help me figure this one out.

In googling for help, I came across this foolishness, which at least seems to confirm my suspicion that Pandora does in fact place hidden files on my computer, and apparently not just one or two small files either. Ironically, it seems that in its efforts to uphold the DMCA, Pandora sees fit to resort to some particularly outrageous techniques.

While I appreciate the existence of services like Pandora and respect their need to protect copyrighted material, I don't feel that ever grants them the right to write files onto my computer without my consent. Especially when the files are hidden and I'm left without reasonable means to remove them. Most especially when the files may contain personally identifying information and may grow to consume significant portions of hard-drive real estate.

When I created my Pandora account I never consciously downloaded any software. I've since re-read their Terms of Service, and while it does make oblique references to software plugins, it doesn't mention anything regarding their right to write to my computer by any method other than cookies. It never required any special plug-in to work, and as far as I can tell it only uses the standard Flash plugin to display its pages.

In a final test I borrowed my wife's virginal laptop and visited the Pandora page. Without creating an account, I followed the easy prompts to test-drive Pandora. I created a Hank Williams station, let a few songs play, then left the page, deleted all cookies, browsing history, and cache, closed the browser and rebooted. When I visited the page again it opened playing another Hank Williams song. It even remembered how I'd rated the previous songs. Hank never sounded so eerie. Apparently you don't even have to create an account or agree to any TOS for Pandora's ominous identifier to work; you just have to visit their site one time.

Perhaps I'm just paranoid and there's a simple method of identifying a specific computer. Maybe all the relevant information really is stored in their database only. I hope so. But I can't help but wonder if my computer is slowly bloating with invisible files I'm not allowed to touch. Like its mythical namesake, I'm regretting ever opening this one up.

9 Comments:

Anonymous Anonymous said...

I will get my crack team of monkeys on it starting tomorrow... should even be able to make it look like work.

P.S. you have hacker friends? can I meet them?

P.P.S. you really failed the anti-Turing test... I mean come on... ;-)

7/30/2006 10:07 PM  
Anonymous Anonymous said...

oh damn it... I always have one more thing to say that I think of just _after_ I hit send...

if you are in a hurry to figure out what is going on try changing a station and then searching for files in order of date modified... in theory if they are writing a conf file somewhere your changes will get posted to the file and then you will know where it is....

also, while you are doing this... log everything that is going into and out of your machine (personal firewall logs, or tcpdump would be even better) to see if you can see the way that they are updating the files on your machine... then you can figure out how to use their method for world domination and own all the boxes of everyone that is using this service... or get the word out and protect them... whichever your fancy.

like I said... my space monkeys are on this.. stand by...

7/30/2006 10:11 PM  
Anonymous Anonymous said...

any luck with this issue yet?


Aanen

8/01/2006 11:08 AM  
Blogger Dædalux said...

Thanks for the offer of help - I'll try to see if I can figure out how to properly configure and monitor my logs as you suggest later today.

Here are the things I'm trying to figure out:

1) Does it create hidden files on my computer? If so, how?

2) Does it modify existing files not obviously associated with the service, or ones typically used for other purposes?

3) Does the manner of its operation demonstrate an exploitable weakness I should be concerned about? (Even if the service itself is relatively benign)

4) If it does write to my computer, does it limit itself to a particular cache size? What if I made a dozen stations and left them playing day and night for a week? Does it clean up after itself? Has it blocked off specific resources for its use only?

At any rate I'll be learning more about how my computer works. I'll post whatever I discover and hopefully you all will do the same . . . .

8/01/2006 1:31 PM  
Blogger Aanen said...

look through your registry for entries relating to pandora. I also have a registry cleaning program you can use.

Sometimes when you uninstall a program, there are still bits and pieces of it left in the registry. Just make sure you have a back up handy in case something goes to shit.

8/03/2006 12:26 PM  
Blogger Dædalux said...

Although I'm no computer security expert, I was able to figure out how to configure my firewall logs and determined that Pandora was accessing a 'temp' folder titled plugtmp5. I'm not so sure why these are considered temp folders though - there were other plugtmp folders too - the earliest was created way back in March on the day I first discovered Pandora. They were all apparently empty and I didn't bother trying to reveal hidden files in them - I just deleted them all. (I'm not interested in ripping-off music - I just want to better understand how to protect my computer and take control of what gets written to it.)

Unfortunately, Pandora still recognizes me - which is strange because now there are no new plugtmp folders - despite the fact that it was definitely accessing one of them minutes earlier.

So I still don't really understand how or what happens. I am recognizing that I'm a bit out of my element and have decided to stop messing with it until I get further guidance from experts. Perhaps I should simply write Pandora and ask how to delete my account and remove, if necessary, any files. But as I stated before I'm not so worried about Pandora doing nefarious things as I am about Pandora using nefarious techniques (which could be emulated by others against me/us.)

I've also noted that neither ~()-()~ nor his helper-monkeys have responded back - which I can only assume means that I've stumbled upon a caper of national-security proportions and duty obligates him to remain silent until he can make the world safe again.

Just let me know when it's safe to play on the internet again, okay?

8/05/2006 6:37 PM  
Anonymous Anonymous said...

I think it uses Flash Player's "Website Storage" facility, which by default allows each Flash Application 100 KB of local storage on your hard disk.

You can access these settings by right-clicking the Pandora player, then clicking Advanced..., then in the web page which comes up, click "Website Storage Settings Panel" under "Settings Manager" in the Table of Contents on the left.

You will have a list of the Flash applications that have installed data on your computer, how much they are using, and how much you have permitted them to use.

In the file system, this data is located in:

C:\Documents and Settings\User\Application Data\Macromedia\Flash Player\#SharedObjects\????????\pandora.com\

J

8/16/2006 6:08 AM  
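Added example, not part of the post or of any comment above: the files J points to are Flash Local Shared Objects ("Flash cookies"). They live under the Flash Player profile directory rather than in the browser's cookie store, so clearing cookies, history and cache leaves them in place, which matches the behaviour the post describes. The Python script below, written for this page rather than taken from Pandora or anyone here, decodes the classic AMF0 .sol layout (magic bytes, length, object name, then key/value entries) and walks a #SharedObjects tree; it handles only the common AMF0 value types, reports anything else (including AMF3-encoded objects) instead of misreading it, and the sample object it decodes is hand-constructed, not a real pandora.com file.

```python
"""Decode Flash Player Local Shared Objects (.sol files), the storage J describes
above. Added example: not code from the original post, its commenters or Pandora.

Classic AMF0 .sol layout (integers big-endian):
  00 BF | u32 body_len | "TCSO" | 00 04 00 00 00 00 | u16 name_len | name
  | 00 00 00 00 (AMF0; 00 00 00 03 would mean AMF3) | entries, each being
  u16 key_len | key | one AMF0 value | 00 trailer byte
"""
import os
import struct

# AMF0 type markers decoded here (a subset of the full AMF0 specification)
AMF0_NUMBER, AMF0_BOOLEAN, AMF0_STRING = 0x00, 0x01, 0x02
AMF0_NULL, AMF0_UNDEFINED, AMF0_STRICT_ARRAY = 0x05, 0x06, 0x0A


class SolError(ValueError):
    """Malformed input, or an AMF type this example does not decode."""


def _read_u16str(buf, pos):
    """Read a u16-length-prefixed UTF-8 string at buf[pos]; return (text, new_pos)."""
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _read_amf0(buf, pos):
    """Decode one AMF0 value starting at buf[pos]; return (value, new_pos)."""
    marker = buf[pos]
    pos += 1
    if marker == AMF0_NUMBER:                       # IEEE-754 double
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == AMF0_BOOLEAN:
        return buf[pos] != 0, pos + 1
    if marker == AMF0_STRING:
        return _read_u16str(buf, pos)
    if marker in (AMF0_NULL, AMF0_UNDEFINED):
        return None, pos
    if marker == AMF0_STRICT_ARRAY:                 # u32 count, then the values
        count = struct.unpack_from(">I", buf, pos)[0]
        items, pos = [], pos + 4
        for _ in range(count):
            value, pos = _read_amf0(buf, pos)
            items.append(value)
        return items, pos
    raise SolError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")


def parse_sol(data):
    """Return (shared_object_name, {key: value}) for an AMF0-encoded .sol blob."""
    if data[:2] != b"\x00\xbf" or data[6:10] != b"TCSO":
        raise SolError("not a .sol file (bad magic)")
    if struct.unpack_from(">I", data, 2)[0] != len(data) - 6:
        raise SolError("length field does not match file size")
    name, pos = _read_u16str(data, 16)
    if data[pos:pos + 4] != b"\x00\x00\x00\x00":
        raise SolError("AMF3-encoded .sol not handled by this example")
    pos, entries = pos + 4, {}
    while pos < len(data):
        key, pos = _read_u16str(data, pos)
        entries[key], pos = _read_amf0(data, pos)
        if data[pos:pos + 1] != b"\x00":
            raise SolError(f"missing trailer byte after entry {key!r}")
        pos += 1
    return name, entries


def find_sol_files(root):
    """Yield (site_dir, path) for every .sol below a #SharedObjects directory."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".sol"):
                yield os.path.relpath(dirpath, root), os.path.join(dirpath, fname)


# Constructed sample, hand-encoded (not a real Pandora object): the kind of
# per-visitor state a site could keep in Flash storage to recognise a browser
# after its cookies are gone.
_SAMPLE_BODY = (
    b"TCSO\x00\x04\x00\x00\x00\x00"
    b"\x00\x07example" b"\x00\x00\x00\x00"                    # name, AMF0 marker
    b"\x00\x0alistenerId" b"\x02\x00\x0bc0ffee-1234" b"\x00"  # string entry
    b"\x00\x08stations" b"\x0a\x00\x00\x00\x02"               # strict array of 2
    b"\x02\x00\x0dHank Williams" b"\x02\x00\x0bJohnny Cash" b"\x00"
    b"\x00\x0alastRating" b"\x00\x40\x10\x00\x00\x00\x00\x00\x00" b"\x00"  # 4.0
    b"\x00\x07optedIn" b"\x01\x01" b"\x00"                    # boolean true
)
SAMPLE_SOL = b"\x00\xbf" + struct.pack(">I", len(_SAMPLE_BODY)) + _SAMPLE_BODY

if __name__ == "__main__":
    print(parse_sol(SAMPLE_SOL))
    # The Windows XP location J names; other OSes and Flash versions differ.
    root = os.path.expandvars(r"%APPDATA%\Macromedia\Flash Player\#SharedObjects")
    for site, path in find_sol_files(root):
        with open(path, "rb") as fh:
            try:
                print(site, parse_sol(fh.read()))
            except SolError as exc:
                print(site, path, "skipped:", exc)
```

Run as-is it decodes the constructed sample and then lists every AMF0 object found under the Flash Player profile directory, one line per site, so you can see exactly which sites have stored what. Deleting a site's directory under #SharedObjects is the file-system equivalent of removing that site in the Settings Manager panel J describes.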
Blogger Dædalux said...

Thanks J - be you helper monkey or random visitor. You certainly figured it out, and you managed to explain it well enough for even me to understand. Turns out it was a simple enough solution too.

I've left my Flash settings on default. It seems it's already set to give access only to the particular information each specific site chose to put there. It's interesting to see which sites use the Flash storage though. It's sort of an alternative to cookies I guess. And now that I know how to adjust its settings should I choose to, I once again feel like I have some control over who writes what to my computer - which is nice.

Thanks

8/16/2006 10:49 AM  
Anonymous Anonymous said...

Thank you so much for this information! I've been having the same annoying problem with Pandora magically logging me in on every visit (on my PC at work on top of that). It's been driving me nuts especially since I was trying to change my username and registered a second account. Talk about a mess.
Now I finally got it all cleaned up. Thanks again!

8/22/2006 8:27 AM  
