OS X 10.4.3: Minor Case of Phoning Home

Martin Dittus · 2005-12-10 · osx, privacy, software, stuff · 21 comments

I just updated to 10.4.3, and after the first reboot Little Snitch reported a network request by Dock.app to apple.com -- something which had never happened before. The first time I let it slip, but the second request came when I opened Dashboard for the first time, and this time I started tcpdump before granting access.

Among the expected traffic (updating the weather forecast) was a rather unusual request:

22:19:57.059318 IP (tos 0x0, ttl  64, id 27097, offset 0, flags 
[DF], length: 147) 192.168.0.4.50428 > www.apple.com.http: P 
[tcp sum ok] 1:108(107) ack 1 win 65535
        0x0000:  ..[.q>..$..^..E.
        0x0010:  ..i.@.@.........
        0x0020:  .[...P..B.N.fvP.
        0x0030:  ...\..GET./widge
        0x0040:  ts/widget.info.H
        0x0050:  TTP/1.1..User-Ag
        0x0060:  ent:.CFNetwork/1
        0x0070:  0.4.3..Connectio
        0x0080:  n:.close..Host:.
        0x0090:  www.apple.com...
        0x00a0:  .

...i.e., an HTTP request for http://www.apple.com/widgets/widget.info, with a user agent of CFNetwork/10.4.3 (CFNetwork is Apple's new networking API introduced with OS X 10.4). The requested plain-text document is as succinct as it is weird:

bert

...and that, as far as I can see, was the full conversation. (I've omitted the reply's HTTP headers as they contain nothing unusual.)

This conversation contains no identifying information, no serial numbers or unique identifiers apart from my IP address, so I'm not really worried about my privacy. And as a Mac user you quickly get accustomed to applications phoning home. But still, usually this happens to check for application updates, so this seemingly senseless request is a bit out of the ordinary, even more so coming from an Apple application.

I'm not really clear about what this means -- at the very least Apple at some point in the recent past chose to be notified of certain user actions; maybe they simply want to monitor how often their Dashboard service is used, and in which countries.

But as long as I have no immediate benefit from this transaction I'd like to have a choice to disable these requests, so I started searching for a preference to turn them off -- but there seems to be no plist file that contains the requested URL string, and the Dashboard application doesn't contain it either, nor do the two widgets I use (Apple's weather widget and Widget Machine's Flip Clock). In the end I found the string hard-coded in the Dock.app binary:

/System/Library/CoreServices/Dock.app/Contents/MacOS $ strings Dock | grep widget.info
http://www.apple.com/widgets/widget.info
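
The search described above (plists, widgets, application bundles, then the Dock binary) can be done in one pass over a directory tree. The following is an added example, not part of the original post; the function names are hypothetical and the sample tree is constructed, not real OS X files:

```shell
#!/bin/sh
# Generalises `strings Dock | grep widget.info` to a whole tree:
# report every file whose raw bytes contain a string seen on the wire.

# find_carriers ROOT NEEDLE
# Prints "path<TAB>printable string containing NEEDLE" per matching file.
find_carriers() {
    root=$1
    needle=$2
    # -r recurse, -l list file names only (works for binary files too),
    # -F fixed string, so the "." in widget.info is not a regex wildcard.
    LC_ALL=C grep -rlF -- "$needle" "$root" 2>/dev/null | sort |
    while IFS= read -r f; do
        # Split the file into printable runs, as strings(1) would, and
        # keep the first run that contains the needle (the full URL).
        hit=$(LC_ALL=C tr -c '[:print:]' '\n' < "$f" |
              grep -F -- "$needle" | head -n 1)
        printf '%s\t%s\n' "$f" "$hit"
    done
}

# Constructed sample tree so the example runs offline on any system.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/Dock.app/Contents/MacOS" "$t/Weather.wdgt" "$t/Preferences"
    # Fake binary: a few non-printable bytes, the URL, NUL-separated strings.
    printf '\312\376\272\276\000\001http://www.apple.com/widgets/widget.info\000Bunny Rabbit\000' \
        > "$t/Dock.app/Contents/MacOS/Dock"
    # Files that should NOT match: a widget plist and a preferences plist.
    printf '<plist><string>http://example.invalid/forecast</string></plist>\n' \
        > "$t/Weather.wdgt/Info.plist"
    printf 'bplist00\321\001\002autohide\000' \
        > "$t/Preferences/com.apple.dock.plist"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
find_carriers "$tree" 'widget.info'
rm -rf "$tree"
```

On a real system the root would be a directory such as /System/Library/CoreServices, and the needle a path fragment taken from the captured request.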

There seems to be little information on this on the web -- a Google search leads to a short discussion in the MacMod forum which more or less documents exactly the same, and at least shows that other people have found this on their systems as well (notably also by having Little Snitch running in the background). And that's about it.

I'd like to document the circumstances under which this kind of traffic occurs, so contact me or write a comment if you find additional information -- e.g. it would be interesting to know if this has been introduced with 10.4.3, so if you haven't updated yet you could check if your Dock binary also contains the same URL.

(By the way, other strings you can find in the Dock binary: "Bunny Rabbit", and "Dashboard: delete widget thread could not create timer. You are hosed".)


Comments

Interesting

Adam, 2005-12-11 13:15 CET (+0100) Link


I find it odd that when I attempt to access that page in firefox (1.0.7), it prints out 'bert', and has a "still loading symbol". The status bar says 'Transferring data from tracker.measuremap.com'.

gringer, 2005-12-11 13:16 CET (+0100) Link


Does that mean you are Ernie?

Big Bird, 2005-12-11 14:27 CET (+0100) Link


"I find it odd that when I attempt to access that page in firefox (1.0.7), it prints out 'bert', and has a "still loading symbol". The status bar says 'Transferring data from tracker.measuremap.com'."

It says Bert in any browser. I didn't get a still loading symbol. You need to update Firefox. 1.5 is available.

cbccfhxf, 2005-12-11 15:07 CET (+0100) Link


@Gringer, tracker.measuremap.com is sourced from this news article, courtesy desktop.de.

Bert, 2005-12-11 15:40 CET (+0100) Link


"bert", short for "Bertrand"?

browse, 2005-12-11 17:30 CET (+0100) Link


Use Konfabulator. www.konfabulator.com (same as Dashboard, but has been around A LOT longer). Mac copied off Konfabulator... and I hate Mac...

DansFloyd, 2005-12-11 18:38 CET (+0100) Link


FYI DansFloyd....Konfabulator developer used to work for Apple.

Jiggles, 2005-12-11 19:13 CET (+0100) Link


Konfabulator was copied off of Apple's Desk Accessories, which debuted with the Macintosh in 1984.

Waldo Jaquith, 2005-12-11 19:28 CET (+0100) Link


I have noticed the same issue upon startup. I always thought it was a third-party app that I had installed, and it was calling home.

Adam, 2005-12-11 20:24 CET (+0100) Link


Future use. Developers always stick in random text when they need a placeholder for something. At least, I do.

I've used the word 'bort' for similar testing/placeholding. If it were 'foo' or 'bar' or 'no carrier' or something, people wouldn't be as curious. Bert is a rather odd choice, though.

booc0mtaco, 2005-12-11 20:26 CET (+0100) Link


One good theory I've heard is that it's a way to test for a live network connection so all the widgets don't continuously bash their heads against the wall if the computer's not online.

Reaperducer, 2005-12-11 22:34 CET (+0100) Link


The web site http://www.apple.com/widegts/widget.info does not work, what was it going to say?

White V6, 2005-12-12 03:06 CET (+0100) Link


BERT = Bit Error Rate Test

JS, 2005-12-12 03:25 CET (+0100) Link


You typed it wrong. You put:
http://www.apple.com/widegts/widget.info
Try
http://www.apple.com/widgets/widget.info

It returns BERT

chinajon, 2005-12-12 11:08 CET (+0100) Link


bert has an evil touch to it.

feersum, 2005-12-12 14:51 CET (+0100) Link


I always knew:
http://www.bertisevil.tv/

m00gy, 2005-12-12 15:23 CET (+0100) Link


http://en.wikipedia.org/wiki/Bert_(disambiguation)

According to the above page Bert could refer to an old Macintosh program by the same name.

Matthew, 2005-12-12 16:20 CET (+0100) Link


See the comment about Bit Error Rate Test.

Try turning off the "automatic bandwidth detection" in Quicktime and see if BERT goes away.

John, 2005-12-12 16:42 CET (+0100) Link


Well, I am no Mac user, but this is what I see.

It's connecting to the nice "bert" page. But behind the scenes it is really talking to measuremap.com, which is a tracking service to see how many users hit your "blog". Maybe Apple is keeping tabs to see how many users hit their dock?

Then again, you think they could do that themselves.

TuxUser, 2005-12-13 21:51 CET (+0100) Link


TuxUser,

as "cbccfhxf" mentioned above, the request to measuremap comes from this page. Look at the page source.

martin, 2005-12-13 22:01 CET (+0100) Link


Comments are closed. You can contact me instead.