To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=51501
                  Issue #:|51501
                  Summary:|OpenOffice can compromise people's privacy by putting
                          |UUIDs that reveal their ethernet addresses into
                          |documents
                Component:|Word processor
                  Version:|680m87
                 Platform:|All
                      URL:|
               OS/Version:|All
                   Status:|UNCONFIRMED
        Status whiteboard:|
                 Keywords:|
               Resolution:|
               Issue type:|DEFECT
                 Priority:|P1
             Subcomponent:|code
              Assigned to:|mru
              Reported by:|nealmcb





------- Additional comments from [EMAIL PROTECTED] Sat Jul  2 22:40:36 -0700 2005 -------
OpenOffice generates and discloses UUIDs in a way that 
can reveal the ethernet address of the computer used to generate the
document.

UUIDs (Universally Unique IDentifiers) are commonly used
to provide unique names for things.  See more at
http://en.wikipedia.org/wiki/Universally_Unique_Identifier.

Microsoft got bad publicity in 1999 for publishing
ethernet addresses in Word documents via UUIDs (GUIDs for them)
as described at
http://www.cnn.com/TECH/computing/9903/08/microsoft.privacy.02/index.html
and http://en.wikipedia.org/wiki/Globally_Unique_Identifier
They responded by changing to random UUIDs.

Now OpenOffice is doing the same thing.  One example is the "Id"
attribute of the Signature element in the
META-INF/documentsignatures.xml file that contains document signatures
inside Writer ".odt" documents generated by recent OpenOffice 2.0
snapshots.  I've verified that on my Ubuntu 5.04 Linux machine running
1.9.87, my ethernet address showed up in a document I signed, and
since the code looks like it would do the same thing again, I haven't
waited to confirm it on a more recent build.  (I assume I don't have
to explain that even signed documents shouldn't generally reveal
their host addresses).

Since there are hundreds of places in the code where the
rtl_createUuid function is told to include an ethernet address, I
assume they show up in other places also.  I don't know if this
is a problem for OpenOffice version 1.

I suspect the best way to fix this is by just using random UUIDs
(version 4) like Microsoft seems to do now in their GUIDs.

Search for lines of code that put ethernet addresses in
freshly generated UUIDs:

 
http://go-ooo.org/lxr/search?filestring=&advanced=1&string=rtl_createUuid.*+sal_True

---------------------------------------------------------------------
Please do not reply to this automatically generated notification from
Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
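
The check the report describes, as an added example that is not part of the original report or of OpenOffice: it scans text for UUIDs and flags version 1 values whose node field looks like a hardware address. The sample input is constructed, and it assumes the identifiers appear in canonical hyphenated form, which the report does not state; `audit_uuids` and the field names are hypothetical.

```python
import re
import uuid
from datetime import datetime, timezone

# Canonical 8-4-4-4-12 hex form, not embedded in a longer hex run.
UUID_RE = re.compile(
    r"(?<![0-9a-fA-F])[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}(?![0-9a-fA-F])"
)
# 100 ns ticks between the UUID epoch (1582-10-15) and the Unix epoch.
GREGORIAN_TO_UNIX = 0x01B21DD213814000

def audit_uuids(text):
    """Return one finding per UUID in text; flag v1 UUIDs that likely embed a MAC."""
    findings = []
    for match in UUID_RE.finditer(text):
        u = uuid.UUID(match.group(0))
        entry = {"uuid": str(u), "version": u.version, "likely_mac": False}
        if u.version == 1:
            # RFC 4122: a node ID that is not a hardware address must have the
            # multicast bit (lowest bit of the first octet) set. A clear bit
            # is what a real ethernet address would have.
            multicast = (u.node >> 40) & 0x01
            entry["likely_mac"] = not multicast
            entry["node"] = ":".join(f"{b:02x}" for b in u.node.to_bytes(6, "big"))
            # Version 1 UUIDs also carry their creation time.
            seconds = (u.time - GREGORIAN_TO_UNIX) / 1e7
            entry["created"] = datetime.fromtimestamp(seconds, tz=timezone.utc)
        findings.append(entry)
    return findings

# Constructed sample: v1 with a unicast node, v1 with a random-style node, v4.
SAMPLE = """
<Signature Id="2f1c4a80-eb8e-11d9-8cd6-0002a5d5c51b"/>
<Signature Id="2f1c4a80-eb8e-11d9-8cd6-0302a5d5c51b"/>
<Signature Id="9b2e6c1a-4f3d-4a7b-9c21-5e8f0d1a2b3c"/>
"""

if __name__ == "__main__":
    for f in audit_uuids(SAMPLE):
        print(f)
```

A version 4 UUID, the fix the report suggests, has no node or timestamp field, so it produces no `likely_mac` finding.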

