Apex phoning home every minute

3 posts in this topic

I have turned off all options I can find in Apex to stop it trying to phone-home, but it just keeps trying over and over. The last 2 versions have shown this phoning home, and I can only assume that in the past the attempts and frequency were better obscured? It looks like Apex contacts the project every minute or so whilst it is running! You appear to be monitoring users very closely, or at least gaining data on them:

[2014-01-06 13:33] Update Check: could not download digital signature (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml.sign))
[2014-01-06 13:34] Update Check: could not connect to the update server (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml))
[2014-01-06 13:34] Update Check: could not download digital signature (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml.sign))
[2014-01-06 13:35] Update Check: could not connect to the update server (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml))
[2014-01-06 13:35] Update Check: could not download digital signature (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml.sign))
[2014-01-06 13:36] Update Check: could not connect to the update server (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml))
[2014-01-06 13:36] Update Check: could not download digital signature (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml.sign))
[2014-01-06 13:37] Update Check: could not connect to the update server (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml))
[2014-01-06 13:37] Update Check: could not download digital signature (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml.sign))
[2014-01-06 13:38] Update Check: could not connect to the update server (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml))
[2014-01-06 13:38] Update Check: could not download digital signature (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml.sign))
[2014-01-06 13:39] Update Check: could not connect to the update server (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml))
[2014-01-06 13:39] Update Check: could not download digital signature (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml.sign))
[2014-01-06 13:40] Update Check: could not connect to the update server (A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. (http://update.apexdc.net/version.xml))
 
The above kind of thing just fills the system log.

IIRC the update server address has changed a few times over versions of Apex, which looks like active efforts to hinder people trying to protect their privacy. When I update Apex these days I download the source and grep it first so I know what host needs null-routing (why am I telling you? If I am correct then you'll just obfuscate things).

Please can you stop this behaviour and anything related? Cheers

That is indeed excessive. After looking into it, it will keep trying to contact the update server more often if it fails to reach it. We will fix that in the next version. :)

The reason the update check server has changed a few times is simply due to server load and optimisation. We initially had it on our web server but this caused major issues when we were being DDoS'ed, so we decided to offload that back to SourceForge.

That is indeed excessive. After looking into it, it will keep trying to contact the update server more often if it fails to reach it. We will fix that in the next version. :)

That is an understatement, it keeps trying until it succeeds, which is excessive, because the time stamp for an update check is only updated on a successful check (a slight oversight on my part).

But using the phrase phone home for a 3 KiB static file download (2 KiB for the xml, 1 KiB for the signature) is hardly appropriate either. There is no data being collected. Well, not any more than you have being collected when you browse this site, I'd imagine (which is standard, non-verbose, nginx access logs that are deleted automatically after a few days); the only instance where I ever look at access logs is if php fails without producing a stack trace.

ApexDC does support an HTTP proxy as well, although a rather simplistic one, but it does work.

If we were interested in user data (without users' consent), there would be about a dozen more effective ways to do it that couldn't be bypassed as easily as the update check. So the claim that we would obfuscate the update server to achieve this is ridiculous.

The most we might ever be interested in data-wise is stuff like what operating system most of our users use, which leads into when we drop XP support, for example, because keeping it around is a major pain. But really, if we had the time and interest to go looking for user information unannounced, don't you think we would at least be smart with it and not spam the user's system log about it? Common sense is golden. If we ever decide to collect usage statistics it will be entirely opt-in and public (it couldn't be any other way anyways since we are open source).

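The scheduling bug described in the last post (the update-check timestamp only moves on a successful check, so an unreachable server is retried on every timer tick), next to a variant that also records failed attempts and backs off. This is an added example, not ApexDC's code and not part of the thread; the one-minute timer tick, the daily check interval, the doubling backoff and every identifier are assumptions.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// All names and constants here are hypothetical, not taken from ApexDC.
constexpr int64_t kCheckInterval = 24 * 60;  // assumed: one check per day (minutes)
constexpr int64_t kMaxBackoff = 24 * 60;     // assumed cap on the retry delay

struct UpdateScheduler {
    bool recordFailures;                  // false = behaviour described in the thread
    int64_t lastSuccess = -kCheckInterval;
    int64_t nextAttempt = 0;
    int64_t backoff = 1;                  // minutes until the next retry
    explicit UpdateScheduler(bool r) : recordFailures(r) {}

    bool due(int64_t now) const {
        // Success-only logic: nothing but a successful check moves the timestamp.
        if (!recordFailures) return now - lastSuccess >= kCheckInterval;
        return now >= nextAttempt;
    }
    void onResult(int64_t now, bool ok) {
        if (ok) {
            lastSuccess = now;
            nextAttempt = now + kCheckInterval;
            backoff = 1;
        } else if (recordFailures) {
            // Fix: a failed attempt also schedules the next one, doubling the delay.
            nextAttempt = now + backoff;
            backoff = std::min(backoff * 2, kMaxBackoff);
        }
    }
};

// Counts connection attempts made by a once-per-minute timer over `minutes`,
// with the update server unreachable until minute `reachableFrom`.
int countAttempts(bool recordFailures, int64_t minutes, int64_t reachableFrom) {
    UpdateScheduler s(recordFailures);
    int attempts = 0;
    for (int64_t now = 0; now < minutes; ++now) {
        if (!s.due(now)) continue;
        ++attempts;
        s.onResult(now, now >= reachableFrom);
    }
    return attempts;
}

int main() {
    std::printf("success-only timestamp: %d attempts/day\n", countAttempts(false, 1440, 1440));
    std::printf("with failure backoff:   %d attempts/day\n", countAttempts(true, 1440, 1440));
}
```

With the update host null-routed for a full day, the success-only variant makes one attempt per minute, matching the cadence in the posted log, while the backoff variant makes a handful.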