Slashdot Mirror
DoubleClick 'Web Bugs' On Porn, Medical Sites
The ever-vigilant
Brill's Content
sent a freebie to the ever-vigilant
Politech
that makes us long for vigilante justice. It seems the odds-on favorite for this century's Big Brother, DoubleClick, has contracted to put 1x1 pixel graphic
Web bugs
on porn and medical sites.
Read all about it.
But don't worry, we're assured by the porn sites that although "DoubleClick [secretly] collects the information [that you, John Q. Doe, personally spent 12.2 minutes at a girl-on-girl fetish page and then spent 19.7 minutes reading up on your prostate problems], it does not have the technical skill to understand it."
Bill Clinton just said that Federal sites can't use cookies anymore. What stops them from using these bugs? Not persistent, but so what?
And frankly, I don't understand the value of this to doubleclick. Everyone knows that watching girl-girl porn is the only reason to upgrade to DSL. Where's the new information?
DoubleClick must be the stupidest company on Earth. After they announced their intention to merge personal information with surfing habits, the backlash shaved 25% of their market cap--before the March downturn. Consequently, they placed a representative on a consumer privacy board and extolled the benefits of self-regulation while offering their assurances that the consumer would be protected.
Their continuing abuse only brings Internet privacy issues to the forefront, and the data they collect is not even that useful to advertisers! The benefits of ads targetted using this type of data is constanly coming under scrutiny. The only thing DoubleClick will accomplish is showing self-regulation to be the farce that it is and forcing the government to intervene.
ByteMyCode.com: A Web 2.0 code sharing community.
For the articles, obviously.
I was hoping this functionality (along with Junkbuster itself) would be integrated into Mozilla someday. Since it's an open source program, I have no doubts that someday, someone, somewhere will hack up a nifty privacy-enabled version of Mozilla.
There is an incredibly useful MUD client called zMUD that contains a feature I'd love to see more often: tiny little toggle buttons for various features that you may want to turn on or off, sitting unobtrusively to the right of the input bar. Would it be that difficult to put a little 'proxy' icon to the side of the location bar? God knows they don't have enough stupid little useless icons up there. Click it to toggle the proxy on and off, among other things. Also a little toggle for Javascript would be immensely helpful.
That's MY "what I want..."
Random and weird software I've written.
Instead of just blocking this stuff, how hard would it be to poison the database by sending back tags that were randomly generated, or exchanged with others'?
You obviously haven't done tech support much. While old-school DOS users may find it easier to 'put file X in directory Y', I've got a feeling that 90% of the people attempting this would feel FAR more comfortable booting up Internet Explorer, going to the site, downloading junkbuster, and clicking the "open this file when done" checkbox.
How often do people these days move files around directories? especially ones with big scary warnings and thousands of files like C:\windows\system? I'd venture that running an installer is much more intuitive these days than shuffling files around on the hard drive. most people don't even know how to access the hard drive and its folders, they just know how to run programs.
Random and weird software I've written.
"Is there any method of removing Web Bugs from HTML pages?
Not really. The technical problem is that there is no method of distinguishing Web Bugs from spacer GIFs which are used on Web pages for aligment purposes." -- The Web Bug FAQ
Why not just replace the location of every 1x1 gif specified on websites with the location of a local, transparent 1x1 gif? (make some add-on that filters all the html before it goes through your browser, like what is already done to get rid of ads)
TELL THEM you are, and tell them why. They may not listen, but then again, they may.
SO WHAT? Just because it is a US company doesn't mean it isn't your data being collected. The first W in www means the weak link wins, regardless of how strong the EU privacy laws are, the US' weak ones completely undermines them.
"...12.2 minutes at a girl-on-girl fetish page..."
:]
More like "12.2 seconds" is some cases. Hope that's not offtopic.
Junkbuster defaults to blocking no sites, blocking all cookies, and making your user_agent tell web servers that your using a Macintosh and an ancient version of NS. After 20 minutes of setting it up and probably not even using the cookie blocking feature (like i want to hunt for every site I use that wants cookies) you realize that a search for 'block ads hosts file' on google and a simple cut and paste to windows/hosts is all you ever needed.
JB is great for privacy power users but if you want site blocking to catch on with most users show them the easy way.
I found an animated, no-cache, zero-age, self-reloading, web bug on dice.com that has a web bug at the bottom of the page (you can see it easily at the very end of the HTML source). The fact that it is animated, with no caching, and instant expire set causes it to keep reloading, which not only tells them where you visit, but also how long you leave the page up. And it's a f---ing obnoxious annoying 5086 bytes that keeps being downloaded over and over.
Block hitbox.com (all subdomain names, too) from your web proxies!
Maybe I should make this my new sig.
now we need to go OSS in diesel cars
That server doesnt look like its owned by dn..just on their network. Internal traffic is common as a port scanner usually scans certian ports to be sure that your services that you signed up to have monitored are still running.
Do products like Junkbuster and Guidescope actually attempt to load these URL's? It would intuitively seem easier to code them not even to try the URL if it is in the blockable list.
Never trust a man in a blue trench coat, Never drive a car when you're dead
SquidGuard is quicker, and has many features not present in Junkbuster. Take a look.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
1x1 banners, or gif images do have their bona-fide uses. For example, take a look at counters. More often than not, most advanced counter scripts will actually tell you from what ip a visit was registered, what browser they were using and any other of those fun and exicting pieces of information passed along in your broswers heading. Now, leaving the paranoia at the door here, a web administrator could use these to modify the pages for you when you log in. Things like a favorite articles section, or perhaps slashdot could better organize itself to intelligently tailor itself to the types of articles that you commonly read. It has been done before. The paranoia about web bugs is only partially viable, since perhaps companies are using the demographics information provided by the banner ads to better track and market their site. Seeing when an email is read helps to present to an exec to tell how many people it has reached to see whether it is worth it to continue funding the project. Its simple enough. Now, ill give the paranoids a nod saying, yes, doubleclick has done some unscrupulous things with their information, but what is to say that all "web bugs" are malicious. What if everyone new of an ethical advertising company? What then... would it be okay for people to take web bug surveys? Or do we all have to live with an unintelligent web? Face it, what you do is tracked... --jay
How about cookie MANGLERS that send back 100K cookies with lots of funky characters (maybe crash their server)? Or cookie swappers that send back cookies to make you look like you surf random sites.
Maybe you could send them some real good virus code and hope that during a scan their virus software goes beserk! It would certainly catch someones eye!
Linux is only free if your time has no value. Windows is only free if you threaten to use Linux.
I know some of you might be saying "But that would be to expensive!" and that's exatly the point. It should be a little expensive to collect what amounts to a digital biography of a persons life.
___
Barney: Ange! I was whackin...errr, looking up info on pneumonoultramicroscopicsilicavolconeosis and now I'm getting SPAM!
Andy: Don't you worry Barn, Opie had the same problem this mornin'. He's bangin' and a sendin' on his super celery box right now!
Opie walks in
Opie: Hey Pa! I think I did right by the Golden Rule!
Andy: Whatcha do son?
Opie: I loaded web pages with all those purty lil 1x1's and cross linked them to each other, all friendly like, and published them as links on all the purty girl..um Doctor type newsgroups! I figgur they can get 2 millun cookies per hit! They shur must be hungry!
(Canned laughter)
Andy: They sho' must be Ope. Speakin' of hungry, let's go get us some of Aunt Bea's Sweeeeeeet potato pie!
Opie: Heck yeah Pa!
If the marketing companies getthere way, I think its only a matter of time before in some election somewhere, the information that one canidate views porn on line is "leaked" to the press. . . which begins an ugly war of internet info leaks. . . Realizing I feel that doubleclicks actions are bout as virtuos as putting a camera in the girls lockeroom, I still cant help but find humor in the possabilities.
Anyway, what the hell is the big deal about porn sites, so longs as the site isnt illeagal? I subscribe to http://www.nakkidnerds.com - I pay by CC. Do you think that your e-financial transaction are private? My grandfather once said, "dont say anything on the phone you wouldnt want to see printed in the local paper." I think the same is true of the internet. If you dont want anyone knowing that you look at naked girls, go to a store in a different town, buy a mag with cash. . . also wear a big hat and park your car several blocks away. I just simply refuse to be ashamed of what I do. hle I dont condone anyone snooping on me, I accept it as a fact of modern life that the possability exists that what I am doing at anytime may be monitored, and act accordingly.
Use Muffin!
/blink
/ad[s\.lvt/] /ctc/ /warped/ /jump/ /xct/ /pbx/ /clq/
Then:
strip blink
strip
tagattr embed.type strip comet
tagattr font.size replace 1 -1
kill casino
kill rawlikesushi
kill cotac.com
kill BAN_record
kill topsites.
kill spon
kill D=yahoo
kill advert
kill [^(gnu)]cash
kill ban.clk
#kill doubleclick
kill linkexchange
kill hitbox
kill banner
#kill mostcash
kill \.sbean
kill webmappro
kill [Pp]layhard.net
kill [Cc]ount
kill rush4gold
#kill click-through
kill [^d]track
kill asacp
kill rsac.org
kill netnanny
kill cyberpatrol
kill surfwatch
kill
kill whispa.com
kill eads.com
kill [Ff]lycast.com
kill imgis.com
kill [kcC]lick
kill
kill redir
kill sexswap
#kill ntrack.com
kill extreme-dm
kill account=
kill newclient
kill cash
#kill candidcash
kill
kill
kill raw_
kill alladvantage
kill enter.cgi
kill log.cgi
kill go.cgi
kill hitme.cgi
kill visit.cgi
kill amkingdom
kill gold.link
kill
kill adlink
#kill tracker.cgi
kill fourohfour
kill maximumpcads
kill statthru
kill
kill jws
kill vts-pro
kill focalink
kill fly01.exe
kill w3bstart
kill link_id
kill link4link
kill out.cgi
kill rankem
kill stat.net
kill (top([0-9]*).cgi)
kill index[^/]*\?[0-9]
kill nedstat
kill statman
kill taboo
kill stats
kill revenue
kill coupon
kill
<B> You are done!</B>
127.0.0.1 www.doubleclick.net
127.0.0.1 ad.preferances.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.preferences.com
127.0.0.1 ad.washingtonpost.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.doubleclick.net
127.0.0.1 ads.i33.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.msn.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 adforce.imgis.com
127.0.0.1 ads.enliven.com
127.0.0.1 Ogilvy.ngadcenter.net
127.0.0.1 oz.valueclick.com
127.0.0.1 doubleclick.net
127.0.0.1 ads.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad20.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 banner.linkexchange.com
127.0.0.1 adcount.hollywood.com
127.0.0.1 ads*.focalink.com
127.0.0.1 ads.imdb.com
127.0.0.1 www.ad-up.com
127.0.0.1 bannerswap.com
127.0.0.1 commonwealth.riddler.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
127.0.0.1 nrsite.com
127.0.0.1 www.nrsite.com
127.0.0.1 ad-up.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.atlas.cz
127.0.0.1 ad.blm.net
127.0.0.1 ad.dogpile.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.net-service.de
127.0.0.1 ad.preferences.com
127.0.0.1 ad.vol.at
127.0.0.1 adbot.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adbureau.net
127.0.0.1 adcount.hollywood.com
127.0.0.1 add.yaho.com/
127.0.0.1 adex3.flycast.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adimage.blm.net
127.0.0.1 adlink.deh.de
127.0.0.1 ads.criticalmass.com
127.0.0.1 ads.csi.emcweb.com
127.0.0.1 ads.filez.com
127.0.0.1 127.0.0.1 ads.i33.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.imagine-inc.com
127.0.0.1 ads.imdb.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.mirrormedia.co.uk
127.0.0.1 ads.msn.com
127.0.0.1 ads.narrowline.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.realcities.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.usatoday.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.web.de
127.0.0.1 ads.web21.com
127.0.0.1 adserv.newcentury.net
127.0.0.1 adservant.guj.de
127.0.0.1 adservant.mediapoint.de
127.0.0.1 adserver-espnet.sportszone.com
127.0.0.1 advert.heise.de
127.0.0.1 banners.internetextra.com
127.0.0.1 bannerswap.com
127.0.0.1 customad.cnn.com
127.0.0.1 dino.mainz.ibm.de
127.0.0.1 ganges.imagine-inc.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
___
I don't just want to lock out the net trackers, I want to screw them up and make their life as difficult as they make mine. How about cookie MANGLERS that send back 100K cookies with lots of funky characters (maybe crash their server)? Or cookie swappers that send back cookies to make you look like you surf random sites. Puting in the spammers administrative and zone contact email addresses into other spam sites that ask for an email address (Get their ISP to TOS 'em for burdening their staff unduly). Turn the tables people. Turn the tables. The best defense is a good offense.
What about WebWasher? That's what I have been using and it does a great job on literaly striping out of the html most banners, pop-up ads, and is quite configurable.
But what are they used for? I'm not sure. But look at the source code of almost any page here, and you'll see them:
e nts.pl,962468080410' WIDTH=1 HEIGHT=1>
m ments.pl,962468080410' WIDTH=1 HEIGHT=1>
. gif?962468081680' WIDTH=1 HEIGHT=1 BORDER=0>
<IMG SRC='http://209.207.224.245/Slashdot/pc.gif?/comm
<IMG SRC='http://images.slashdot.org/pagecount.gif?/co
<IMG SRC='http://images.slashdot.org/banner/gate5002en
Maybe one of the slashdot staffers could answer this.
Quidquid latine dictum sit, altum viditur.
I only post comments when someone on the internet is wrong.
Now, what I'm really waiting for is for
someone to write a proxy that can dynamically
rewrite pages as they come through an http
tunnel.
But Siemens Webwasher already does that.
© Copyright 2000 Kristian Köhntopp
"you can use the /etc/hosts method to block sites on pretty much any computer"
Sort of; the problem I encountered last time I tried this was that the clients (Win9X) were configured with the Linux masquerading box as the default gateway, but with the real dial-up DNS IP's for DNS, so /etc/hosts was completely bypassed by the clients (doh!). The Windows hosts file sucks because as far as I can tell it doesn't understand wildcards (for those servers with ads00.whatever through to adsXX.whatever ..). Nonetheless I think I'd like to have a stab at setting up a caching nameserver on the Linux box, soon as I get some time, and to use the above hosts file on the clients anyway. That ought to kill most ads. (Thanks for the link BTW)
I'm kind of surprised that companies like doubleclick haven't started using actual IP addresses. I guess it'll happen eventually when enough people start learning how to block ads.
Ok, that would make the chances of user error slightly smaller, but still, it's the most likely in my mind... I mean, why would they only do that to some people?
I was waiting for that.
Most people don't understand the need for data privacy. Even social security numbers are presumed to be pretty public, since we're forced to give them out all the time.
But they started messing with medical sites. Wrong move.
People fear their medical records getting out for all sorts of reasons--not the least of which it the concept of ownership of one's own body. Medicine is probably the one of the least networked industry when it comes to end product status, simply because the end product isn't too comfortable with firewalls being trusted to keep their personal health data secure.
There's an entire host of psychological issues that come once your health status becomes a commodity to be traded; one of the scarier endgames of no health privacy is that, since what is unknown by everyone cannot be unreported to anyone, people will refuse to inform their doctors about their health nor search online for others who have been in their predicament.
DoubleClick's antics, then, will lead to more expensive and less effective medical treatment.
DoubleClick just entered the realm of Life and Death, and that was the biggest mistake they could have ever done. Death is the ultimate liability, and it's guaranteed to happen. Be found liable for a death, and as a company, you may die yourself.
Any physician who works with DoubleClick will violate Do No Harm; I fully expect the AMA to issue a statement to this effect and will be disappointed when they don't.
It truly boggles the mind as to what kind of idiot at DoubleClick came up with the idea of spreading to medicine; when you get email regarding buying a computer while going computer shopping, you might think it's a pleasant coincidence. When you start getting Viagra spam after asking Dr. Koop about Erectile Dysfunction, you feel violated, as well you should.
Have we reached the point where DoubleClick style cross-site spies need to be suppressed, by default, in the browser?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
On WinNT, the file is called HOSTS.SAM and lives in winnt/system32/drivers/ or thereabouts On Win9x, its also called HOSTS.SAM and lives in windows/
One of the sites listed as having an invisible GIF is www.metamucil.com -- looked, found the tag, laughed, then closed the View Source window. Then laughed harder when I saw the button on Metamucil's site for the "Privacy BBBOnline" link... say what?? Contradiction!
Laughter is the Spackle of the Soul.
You don't need to write a new zonefile. You can use the "db.local" or "named.local" zonefile.
-- Real free software sites don't use GIFs.
Actually Playboy has some of the best damn articles in the business, and by that I mean the business of journalism. Their news reporting beats the hell out of that of Time or Newsweek, because they report things which are curiously absent or underreported in such "publications."
And unlike some web "news" sites, they actually WRITE ARTICLES.
Thanks. I copied my linux /etc/hosts file to C:\WINNT\SYSTEM32\drivers\etc\HOSTS and immediately doubleclick.net went away forever.
(Reality reasserts itself sooner or later.)
I'm afraid that paper (or transparencies in your proposal) fall under the new DPA which, I believe, is currently in the 'phasing-in' point, but will apply fully soon.
If Doubleclick starts hiding behind hostnames in many domains, the cookies from doubleclick.foo.com won't go to doubleclick.bar.com, and they can't track. They have to use one domain to get their cookies back. And that makes them vulnerable even if you don't have an armored backhoe to dig up their net connection.
-- Real free software sites don't use GIFs.
Only thing i can think of here, adding ad.doubleclick.net to /etc/hosts as 127.0.0.1 (or c:\windows\hosts for windows users), or disable image loading. I mean, I don't want some multibillionare patentfreak company to see what pr0n sites I go to, or if I go to any other site. This scares me, because what if they sold that information to other companies - wouldn't it be evasion of privacy?. We haven't agreed to let them spy on us - so let's fight it - either by the solution first, or use lynx ;)
-Stskeeps, http://unrealircd.com
Not necessarily - just been unnoticed by moderators. 0 is the default for Anon posts.
Here's the meat of the article, and DoubleClick's defense:
"While DoubleClick does indeed record, [it] does not know that room 5 is equivalent to girls home alone." This explanation comes down to saying that while DoubleClick collects the information, it does not have the technical skill to understand it an assertion that Smith and others nd hard to believe.
The problem is, while they don't have the knowledge to link room 5 with girl-girl fetish porn, some *other* company would have no problem doing it. As we all remember, DoublClick has no problem "allying" itself with other companies; at least until their stock price plummets.
I just have to question whether these "web bugs" are really the work of DoubleClick, or just some crafty porn site administrator trying to get paid for posting ads, but keeping them at 1x1 pixels so nobody has to be bothered by them.
---
"Okay, who taught the cat how to type ctrl alt delete?"
#!/bin/sh
if [ -f ~/.netscape/lock]; then
exit
fi
for i in `cat ~/undesirable_cookies`; do
cat ~/.netscape/cookies | grep -v $i > ~/.netscape/cookies
done
# It has a race condition to it
# Please patch in replies gotta leave soon
John.
Nice idea, but that doesn't account for URL's with plain IP addresses.
If I'm not mistaken, the Web Bug on the example yahoo page already used that strategy.
TangoChaz
--------------------
TangoChaz
--------------------
Wise men talk because they have something to say, fools because the
The following should be a single click away:
With lot's of other customizations (stealth features), like: telling your browser what browser it should be tellling sites it is (no more "You need IE to view this site" when you know damn well you don't). Also let you control wether or not you actually send your username, and other information the browser happily provides that you may not even know about. You should also be able to control, from within the browser, junkbuster-like features. "Accept cookies from" list, and "block these sites" (with address lookup to prevent some aforementioned problems...keep the name and number blocked with one entry).
Mozilla may hold some of the answers, but if it's released by AOL I'm betting it won't (by default) contail anything remotely useful to protect privacy. They already ruined it's first release by including all the extra crap they do, and while they're not MS they're also not a particularly benevolent company (and I work for what will be AOL/Time Warner, so let's keep that last thought between you and me). I laughed when they offered us free AOL - it's surprising how many won't even take it for free!
----------
Stupid sexy Flanders.
The concept of information grabbing (like with cookies) has been a hot debate on the internet for years, yet no one has done anything. Until something drastic happens to someone, THEN you'll see a change. DoubleClick may have gone too far, and if so, that's a problem that needs to be addressed.
DoubleClick can gain no information if you don't give them any. Web porn sites and Medical sites rely on customer traffic to finance themselves. Those who are security conscious should probably stop going there. There will always be the panting raving idiots with knuckle herpes who goes to the sites, but, the downward trend in business will cause the site owners to notice.
If you hit them where they hurt the most, (their wallet) you have their complete attention.
It is a democratic society, and you have the right to take your business elsewhere.
krystal_blade
It will be easy to motivate our fellow man; there is hardly anything people treasure more than not being annihilated.
Junkbuster will not only allow cookies from specific sites you want, but can disable downloading anything from any site you don't want.
When we all use something like junkbuster, maybe someone will get a clue. Now it's only punishment for the uninformed.
----------
Stupid sexy Flanders.
Actually, this doesn't tell you much of anything at all. Examples:
Those are just obvious examples. More than that, I don't think the HTTP protocol really allows you to gather the sort of information you're talking about. All these people could find out was that you loaded their image once at, say, 10:00, and then you loaded another at 10:39. What you did between those two clicks is a complete mystery to them. You could have, for example, hopped over to Google, searched for whatever for a while, then came back to what you were doing previously. This example is only different in that it doesn't mean you weren't paying attention to the browser & the tagged page -- you were.
This isn't to say that there aren't frightening Big Brother aspects of this all. Certainly, I'm sure it's possible to make some more or less accurate guesses about what people are doing. But because of the basically stateless nature of HTTP (neverminding cookies for a minute), the most these peopel can get is an imperfect view of your travels, and everything else is just statistics, probabilty, and educated guesswork.
Privacy is, of course, very important, and it's important to know what information you are giving away whenever you use the web. But it's also important to know what you aren't giving away, at least with current technology, and to use that as a starting point in trying to defend your privacy.
DO NOT LEAVE IT IS NOT REAL
See Proxomitron
But is it enough that we stop the request from our compter?
So many of these sites are generating the pages on the fly - can't the server track the request? - and even if we block the actuall add, the server can log that it was going to send one.
Do we even need to see the ad for travels to be logged?
"errr... yes, i was doing research and stumbled across the site and noticed a web bug in the code."
Not just electronic data; gradually, all data held about you will have to be transparent.
Incidentally, you can search the Data Protection Register online. Eye-opening.
I used nslookup instead of dig, but..
.245 is registered to Verio and not delegated.
That doesn't tell enough. It tells me that n1.dn.net is the SOA for 209.207.224/24 C-class. Which means that said IP-block is Verio's. But I couldn't find out whether the block containing
Eg. with RIPE whois I can check IP-delegation, eg. that a Finnish IP-block is registered to some organization, delegated from a larger block registered to Finnish ISP, and in the end part of RIPE block. All of this with whois.
ARIN handles IP address delegation for the Americas. Ask whois.arin.net.
Two thoughts, actually.
/in/) This doesn't just cover ads and cookies on the web, this would also forbid someone to put a tracer on your car. What? You say that'd be an invasion of privacy? Well what a f'n surprise...
1: Why not revert to the origins of ad banners -- the image is hosted by the advertised site, rather than an ad server, and not rotated? Sure, you can still use an ad agency to get ahold of people who might be interested in your advertising... I don't know, probably too inconvenient.
2: Make it unlawful to attach a tracking system to a person without a warrent or the victim's explicit permission? (Vis, opting out isn't enough, you'd have to opt
-Owen
I've done that years ago. Tom Christiansen has made the tarball available for that, somewhere on perl.com.
-- Abigail
Rember how they had that Opt out side bar?
Once you opt out it vanishes... then after a while.. It's back...
The problem is they use a presistent cookie to opt out. That cookie expires over time so you don't opt out forever...
They should be required instead to opt in. So you opt to have a tracker cookie placed on your browser. No cookie no track. Then they will be encuraged to update and renew the cookie so it dosn't expire...
As it is they just don't care
I don't actually exist.
Actually, i had a professor that opted out. His cookie 'mystriously' would change to an opt in every now and then. He wasn't deleting cookies or anything either, it would just change. It seems they sometimes don't honor the opt out...
Also cookies expire if you don't update them.
So let's say your a normal user who NEVER flushes his cookies...
But you opt out...
and your not savy enough to realise... you opt out just expired....
Boy are you screwed...
I don't actually exist.
But even then, just lose the ? and replace it with a /, or a Q or whatever you feel like. It's up to the server anyway to map a URL to an object. But beside the URL, there are more things in the HTTP protocol that can be used to track people, and that aren't immediate obvious, unless someone tells you. The last modified field, for instance, which on return visits to the URL, is reported back to the server. ETag is another example. Browsers typically allow you to disable cookies, but find a browser that lets you disable ETags....
-- Abigail
I seem to remember when I did register under the DPA all those years ago that I ticked most of the boxes I thought I should ever need to use data for, including the ones 'industrial espionage' & 'overthrowing the Goverment of The Unintended States of America'
~ppppppppö
(ad slogan from long ago)
I see even classic Slashdot is now pretty much unusable on dial up anymore.
You mean, the slashdot maintainers aren't smart enough to grep through the accesslogs to find out the pagecount? (Which is not only far more efficient on both the server and clients ends, and the network in between, it's also more meaningful)
-- Abigail
My NAT box runs junkbuster, and that works for the os/2 machine attached to it too. At work we have NT. Instead of junkbuster, Proxomitron runs under NT and does a few tricks even Junkbuster can't manage: stops blinking .GIF files, intercepts "nasty" Javascripts and allows you to pop up a k3wl window to see what's going on.
having read that I quick checked my cookies file and discovered that my id was no longer opt_out.
i'm not implying some sort of conspiracy theory, but i am curious as to how this happened (linux netscape 4.7 on freebsd 3.5)
i quick wrote a little app to check the cookies file and tossed it in a cron job so i can try to find out what causes this, but in the meantime, anybody have any ideas other than user error?
----------------------------
A possible solution would be to stick the web bug warning in Mozilla's sidebar (The only legit use I can think of for that thing, in fact). --
Seems more like a user problem to me, I've used opt out for a few months, and never had any probs with it.... Or would they only do it to windows users who are less likely to notice it? :-)
No, do NOT deliberately make bad software. That's unethical. In fact, I would even argue that dragging your feet or lying about the real cost would be unethical.
A better solution is:
Step 1) Understand what you are being asked to create. Maybe your unease is caused by a misunderstanding.
2) Talk to the relevant manager (or as high as you can get access to). Explain your concerns. If there are channels, go through them. Document all conversations/memos/emails/etc.
3) If asked to implement anyway you have several choices:
a) If the action is illegal you can refuse to do it and "blow the whistle". There are laws that no action can be taken against a whistleblower so you are theoretically safe (I don't know how well this works in practice, though).
b) If the action is merely unethical the situation is murkier. If the business you are working for is part of a professional association, check their code of ethics and procedures for compliance. For instance, if a doctor wants you to write software that transmits medical data over an unsecured channel, you might be able report him to the AMA. (warning: this is only an example)
c) If your situation still hasn't been covered by the above, you may have to go it alone. Personally I would quit and maybe publish information (Internet, other media outlets, etc) regarding the proposed action. Yeah yeah, "I have mouths to feed". But a child is more than a mouth. I'd rather have my child miss a meal than seeing Daddy doing something wrong. Besides, programmer's (and engineers of all kinds) have no problem finding work. Even at McDonald's.
--
Linux MAPI Server!
http://www.openone.com/software/MailOne/
(Exchange Migration HOWTO coming soon)
otherwise, you can either set your cookie file to read-only so no changes are saved between sessions or write a batch file to delete or copy a default cookie file each time you start the browser.
you can also go to the doubleclick site and opt out of their system. they'll set a cookie that lets them know not to track you anymore. ironic isn't it?
other forms of disruption would be sharing your doubleclick cookie with hundreds of other people, rendering their data useless.
There is certainly nothing new about these "web bugs" they've been around for quite a while for page stat tracking packages. The most they could possibly gather are the variables passed by the browser such as referrer etc. and your ip of course, but we all use proxies dont we? =) I guess the main thing to wonder is why doubleclick is doing it seeing as they can get the same info from their banner ads on the same pages.
--
|-_-| . o O ( bEef!)
lateron
Another nice thing I have going is I have a VPN to my home machine from work. When I browse from work, I use my home machine as my web proxy (Junkbuster). The result: completely anonymous and encrypted web browsing from work. Pretty slick, eh?
Fialar
There are many possible scenarios, not all of which would be as annoying as the "prompt me before sending cookies" that you refer to.
For instance, an option could be to accept all potential web bugs, but store the information (page the had the bug, site requesting the info, lists of cookies planted on your HD, etc.) in a separate file that could be read at your leisure to figure out what bugs you may have encountered. This would be transparent to the user, and would allow him or her to periodically obtain more sites to add to junkbuster or somesuch.
It's just a thought, and given how open source lets folks tinker, it might be an entertaining extension to one of the open source browsers.
So, what's with the 1x1 pixel bug on all slashdot pages?
s .pl,962470762278
http://209.207.224.245/Slashdot/pc.gif?/comment
Seeing as how most of the slowdowns come from sites like doubleclick, being able to filter it out, and easily add every other site I get any advertisements from, makes downloading pages much faster.
Especially places like ZDnet, with their talkbalk farce...click on response to get stupid blathering and another new ad...another hit for ZDnet!
Ok, so adding these places to a hosts file might be even faster, but it also allows me to have cookies enabled only for specific sites I specify...can't beat that.
----------
Stupid sexy Flanders.
So, it seems to me that there are two ways of dealing with this:
1. Prevent your browser from accessing the offending site (doubleclick in this case...)
and...
2. Sending so many bogus requests to the site that any real data they collect would be totally obscured by the gazillions of bogus html requests they get in. (Hmm... an IP address associated with Senator so-n-so's office has visited the "Curing Impotence" site 5 million times in the past hour.)
How hard would it be to write a process that spoofed IP addresses on HTTP requests? You could even make it part of a virus -- imagine that, a virus that actually did something good.
--
C
Just create a file called "hosts" in the WinNT directory and it will work. Don't remember the syntax for the file off hand, but I think it's the same as the linux hosts file.
The question is, why should the obligation be on -me- to avoid being tracked? Why is Big Brother the default?
The extension .SAM stands for "sample". So the real file is C:\WinNT\System32\drivers\etc\hosts.
The only problem with this is that if your wife is savvy, she might think to ask why you have sextracker.com listed at all...
The way you do this is add the following lines to your hosts file:
127.0.0.1 www.doubleclick.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ln.doubleclick.net
Then find the area in your browser preferences where you can tell it which sites not to use a proxy for. Add these sites to that list. (On Opera it's Preferences->Proxy Servers-> Do Not Use Proxy On:... *.doubleclick.*) Once you done this any doubleclick ad just comes up as a blank box. Great fun knowing that they can't do sh*t because your machine can't "see" them.
I combined this list with a pervious one posted here. There are now 96 unique values.
0.0.0.0 javascript-of-unknown-origin.netscape.com
127.0.0.1 localhost
127.0.0.1 127.0.0.1 ads.i33.com
127.0.0.1 ad.adsmart.net
127.0.0.1 ad.atlas.cz
127.0.0.1 ad.blm.net
127.0.0.1 ad.ch.doubleclick.net
127.0.0.1 ad.dogpile.com
127.0.0.1 ad.doubleclick.com
127.0.0.1 ad.doubleclick.net
127.0.0.1 ad.infoseek.com
127.0.0.1 ad.linkexchange.com
127.0.0.1 ad.net-service.de
127.0.0.1 ad.preferances.com
127.0.0.1 ad.preferences.com
127.0.0.1 ad.vol.at
127.0.0.1 ad.washingtonpost.com
127.0.0.1 ad10.doubleclick.net
127.0.0.1 ad11.doubleclick.net
127.0.0.1 ad12.doubleclick.net
127.0.0.1 ad13.doubleclick.net
127.0.0.1 ad14.doubleclick.net
127.0.0.1 ad15.doubleclick.net
127.0.0.1 ad16.doubleclick.net
127.0.0.1 ad17.doubleclick.net
127.0.0.1 ad18.doubleclick.net
127.0.0.1 ad19.doubleclick.net
127.0.0.1 ad2.doubleclick.net
127.0.0.1 ad20.doubleclick.net
127.0.0.1 ad3.doubleclick.net
127.0.0.1 ad4.doubleclick.net
127.0.0.1 ad5.doubleclick.net
127.0.0.1 ad6.doubleclick.net
127.0.0.1 ad7.doubleclick.net
127.0.0.1 ad8.doubleclick.net
127.0.0.1 ad9.doubleclick.net
127.0.0.1 adbot.com
127.0.0.1 adbot.theonion.com
127.0.0.1 adbureau.net
127.0.0.1 adcount.hollywood.com
127.0.0.1 add.yaho.com/
127.0.0.1 adex3.flycast.com
127.0.0.1 adforce.adtech.de
127.0.0.1 adforce.imgis.com
127.0.0.1 adimage.blm.net
127.0.0.1 adlink.deh.de
127.0.0.1 adpick.switchboard.com
127.0.0.1 ads*.focalink.com
127.0.0.1 ads.criticalmass.com
127.0.0.1 ads.csi.emcweb.com
127.0.0.1 ads.doubleclick.com
127.0.0.1 ads.doubleclick.net
127.0.0.1 ads.enliven.com
127.0.0.1 ads.filez.com
127.0.0.1 ads.i33.com
127.0.0.1 ads.imagine-inc.com
127.0.0.1 ads.imdb.com
127.0.0.1 ads.infospace.com
127.0.0.1 ads.jwtt3.com
127.0.0.1 ads.lycos.com
127.0.0.1 ads.mirrormedia.co.uk
127.0.0.1 ads.msn.com
127.0.0.1 ads.narrowline.com
127.0.0.1 ads.newcitynet.com
127.0.0.1 ads.realcities.com
127.0.0.1 ads.realmedia.com
127.0.0.1 ads.smartclicks.com
127.0.0.1 ads.switchboard.com
127.0.0.1 ads.tripod.com
127.0.0.1 ads.usatoday.com
127.0.0.1 ads.washingtonpost.com
127.0.0.1 ads.web.aol.com
127.0.0.1 ads.web.de
127.0.0.1 ads.web21.com
127.0.0.1 adserv.newcentury.net
127.0.0.1 adservant.guj.de
127.0.0.1 adservant.mediapoint.de
127.0.0.1 adserver-espnet.sportszone.com
127.0.0.1 ad-up.com
127.0.0.1 advert.heise.de
127.0.0.1 banner.linkexchange.com
127.0.0.1 banners.internetextra.com
127.0.0.1 bannerswap.com
127.0.0.1 commonwealth.riddler.com
127.0.0.1 customad.cnn.com
127.0.0.1 dino.mainz.ibm.de
127.0.0.1 doubleclick.net
127.0.0.1 ganges.imagine-inc.com
127.0.0.1 globaltrack.com
127.0.0.1 globaltrak.net
127.0.0.1 nrsite.com
127.0.0.1 Ogilvy.ngadcenter.net
127.0.0.1 oz.valueclick.com
127.0.0.1 www.ad-up.com
127.0.0.1 www.doubleclick.net
127.0.0.1 www.nrsite.com
Need a website host? Try out http://WebQualityHost.net
What indeed? Let him be caught surfing for pr0n by all means ;)
That doesn't work.
1. Some people are required to take users' privacy into account. "Let skript kiddiez read his mail, he's just an ignorant user" doesn't work with responsible sysadmins, and neither should intrusive tracking.
2. When Doubleclick gets big enough, it can buy Congress and get ad filtering banned, (It worked for the MPAA.)
-- Real free software sites don't use GIFs.
I'll be generous and suggest that these images are there to count doubleclick banner impressions, and that the third-party off-site bug is a third-party offsite counter of banner impressions. But who knows? It doesn't resolve any reverse DNS. Traceroute has it going through Verio. It could be anything.
Andover has a privacy policy linked from every page which reads in part: "If you choose to give us personal information via the Internet that we or our business partners may need -- to correspond with you, process an order or provide you with a subscription, for example -- it is our intent to let you know how we will use such information. If you tell us that you do not wish to have this information used as a basis for further contact with you, we will respect your wishes."
I'll give them the benefit of doubt and not block it, but it is curious.
--
I guess no one bothered to read the source to the page you are currently looking at.
Up the top you will find (just above the banner ad), a 1x1 pixel image (or javascript) that slashdot uses to track which pages are being viewed. Of course, I trust slashdot, but really, as people have already mentioned, you dont need that image to track where people are going; you can just look at the server logs.
Of course, the problem with getting doubleclick to load the image is that all your surfing is tracked at a single point, and its easier to correlate your behaviours.
If this worries you, just make your nameserver point doubleclick.net elsewhere (i point it to a cgi script which tracks refferers, so i can see who is doing what) - and bob is your uncle.
It goes without saying that you shouldn't have notify on in your zone file
Unless you want to be silly.
:wq ~ ~ ~ ~ ~
If a company is being unethical, solve the problem via technical means. If you work for the company, stall, drag your feet, and if you have to engineer the privacy-invading feature, remember these words "Yes, it's possible, but it would cost too much to do it".. and if they try anyway, make sure you're very well paid and that the product develops all kinds of bugs.. like suspicious dialog boxes in spyware that give your company's URL along with a "please report this error: Error collecting data on ${USER}, please contact sales@mycompany.com".
Balderdash. If a company is being unethical, your suggested remedy is to be unethical yourself? This view is myopic and unprofessional in the extreme, and it hardly qualifies as "civil disobedience."
Civil disobedience would be to resign before you commit immoral acts and to bear the consequences of your convictions.
Remember: no company can survive without people.
Even people who commit acts of sabotage?
Eerie; while I was reading this page, I had another window open with an Altavista advanced search. Suddenly that page refreshed to a "file not found" error, and I noticed in the URL a reference to ad.doubleclick.net, along with the contents of my search query. I backed up and read the source of the Altavista home page, and sure enough, there was the 1 pixel gif.
Shame, Altavista. Guess I will only use alltheweb.com from now on.
Ask SuSE too. Ask Slashdot.
The message on the other side of this sig is false.
What Junkbuster does do is provide a sample list of advertising sites. This can easily be converted for use as an ad-blocking /etc/hosts file. (Then you just set up a web server that sends back a 1x1 transparent png for any request--or better yet redirects you to a 1x1 transparent png so as not to pollute your cache.)
/etc/hosts for you. Then if we could get distributions to start installing it by default...
Now what we need is a nice package that installs such a web server (possibly a stripped-down Apache) and updates the
Windows NT has no c:\windows\hosts file. What would the equivalent be?
(Reality reasserts itself sooner or later.)
I thought I'd mention that there is a way to Opt-Out from DoubleClick. I don't really know if they are trustworthy regarding how they've behaved before though... But it seems to be for real. If it weren't and someone would find out - they'd be sued to oblivion...
Thank you.
//Frisco
--
"At the end of the journey, all men think that their youth was Arcadia..." -Goethe
$HOME is where the
-- silver_p
Here's the best way to stop this, give your ISP a market incentive to block this kind of stuff from being sent to their users. It shouldn't be too difficult for ISP's to block content from certain domains like say..... doubleclick's. It could be done on a $.25-$.50 per blocked domain and/or IP basis.
I Am Not A Programmer, but this is something I'd really like to see as a Gnome or KDE panel applet. Except having the applet specific to Junkbuster, you could customize it to toggle anything on/off with perhaps a little pseudo-LED and label to indicate status. A tiny gkrellm plugin wouldn't be a bad idea either. Maybe this could be a project for my 4-day weekend...
Oh, sure, and Doubleclick would never continue to collect data on people who've clicked on their opt-out cookie.
'Cuz that'd be, like, not honest, and they've got a Trust-E seal on their site, which means they never lie!
(Irony: The state of being highly enriched in iron.)
Data miners can have my privacy when they pry it from my cold, dead fingers. Opt-out is a cop-out.
There is a nice list of ad server already set up in a hosts file format here#, along with instructions to set it up on *N*X, Mac, & Windows, according to page it is even tailored to slashdot readers.
one proviso is that you may have do disable javascript occasionally, or when you load a page with an ad on sometimes it will bounce you to a 404 on you local machine. Naming no names, but you actually have to disable Javascript to get to netscape's Javascript manuals (from the front page, may be ok if you go straight there).
~ppppppppö
I'm new to DNS and HTTP, so please pardon me if this seems like a stupid question. It would seem to me like all that's necessary is to blackhole anything from a doubleclick.net domain, right? Is routing to 127.0.0.1 the same as routing spam email to /dev/null? Besides doubleclick, I've also seen adforce.imigis.com a bunch. Anybody ever heard of these schmucks?
________________ Joe Hylkema WINTEL-FREE ZONE This is a 100% Microsoft-free message. No M$ product participated
Much appreciated, thank you.
Randal Schwartz's really simple proxy was what I used as a framework for a one-shot "slashdot munger" to fix a particularly crack-addled wide layout this site was using for a while, and this one looks full-featured but still under development. (Abigail's didn't come up in a perl.com search though.)
-- Real free software sites don't use GIFs.
it just doesn't get any easier . . . :)
~ppppppppö
man dig :)) or. 224.207.209.IN-ADDR.ARPA. 2h54m49s IN SOA ns1.dn.net. dnsadmin.dn.net. ( 1999112401 ; serial 3H ; refresh 1H ; retry 1W ; expiry 1D ) ; minimum or . . . $ ftp 209.207.224.245 Connected to 209.207.224.245. 220 ProFTPD 1.2.0pre8 Server (linux335) [linux338.dn.net] I ^c'd it then so I don't know what's on there. of if it allows anon logins.
~ppppppppö
Sure.. They of course track that too and then you go on the other list, the list that gets you a knock at the door by Federal agents. They'd have lots of questions for you. Why do you, John Q. Public, need so much privacy? What's so special about you? You must have something to hide not to want to receive 'targeted advertisements' over 'regular mass advirtisements'. In fact, why don't you come down to the station to fill out some paperwork? We'd like to keep a close eye on you... For your protection, of course.
:P
Never mind, we're the problem.
The way I understand it, when you opt out doubleclick places a cookie that indicates you've opted out. So let's say you do opt out. Then later on you decide to clear out all your old cookies. You're back where you've started and probably don't even realize it.
Try surfing a few porn sites, and then look at your cookies from hitbox.com. You will discover that hitbox.com saves the URLs and/or titles of some of the pages you surfed in plain text in your cookie.
So you can end up with plain text such as "Wild_Bondage" in your cookies.
I asked the general counsel and chief privacy officer of hitbox.com's parent company to at least start encrypting this info in the cookie, on the grounds that cross-domain cookie reading is possible for anyone (86 percent of the online population) who uses Explorer. That was a month ago. They checked out the demo I recommended, according to the logs, but never answered my e-mail. The demo is at http://www.pir.org/nocookie.html (toward the bottom of the page).
Sabotage is proactive. It's the one way that a person who doesn't have any power can make their convictions felt. And honestly, in this corporatized world, how much power does one programmer have?
Sabotage might not be the most dignified thing to do, it may not satisfy your ideals of honor, it may not seem like strong conviction. But unlike quitting, sabotage actually does something. Sabotage actually changes something. Quitting just means you're no longer part of the problem, but it doesn't make you part of the solution.
Someone who commits sabotage doesn't get much respect, and does not receive recognition (at least if they don't get caught). But isn't that actually more selfless? Doing something not because of what people think of it, but because you know it's right?
OK, we at /. all know how to edit our HOSTS files to take care of this. But what about John Q. User, who would be hard pressed to save a file in a text editor? What we need here is a piece of software similar to, dare I say it, CyberPatrol, that maintains a list of privacy-encroaching hosts and edits the HOSTS file(s) for you. Hell, there could be a central repository of host names that routinely track peoples' habits online, and the software could run periodic updates. Of course, there would have to be some way to allow the user to disable certain hosts, but I don't think this would be too tough to write.
"You done taken a wrong turn."
-Bill McKinney, in Deliverance
Applies to windows users mainly ..
I downloaded a file somewhere recently (from a linked page form slashdot) called nasties.reg; it adds a reasonably extensive list of domains (e.g. "*.doubleclick.net") to the registry marked to not allow cookies from those domains.
You still get ads and images though, so they will still get your IP address etc, but they won't be able to tie that information to anything in the way of useful online profiling, without cookies. Of course, the list itself can no doubt also be used to map in /etc/hosts to localhost, but I believe more comprehensive lists can be obtained from elsewhere.
Can anyone remember where it might have come from, or where to get a sample /etc/hosts with an extensive list in?
John Q. Doe, personally spent 12.2 minutes at a girl-on-girl fetish page
How can a webbug track your time? I've seen that 30% of people or more only look at one page on a site and then go away. So you can measure the time between clicks? Also, people might click on Page 1 then Page 2 and then use the back button to read Page 1 more.
One way I can see of tracking time is to use an IMG tag to load an image on a remote server. Instead of sending the data to the client the server "stalls" the connection feeding just enough data so that it doesn't time out. When the client goes to another page, the browser will close the connection and you can record the time.
The problem there is the borwser will never report the page has been loaded (i.e. the spinny thingy keeps going). Plus, I don't know if the browser will try to reload the image when the client comes to that page again.
An approach I've been playing with is to use a tiny Java app. The start() function records the time and the stop() sends a message to the server with the clients time. This works perfectly, but a good number of people have Java turned off (including myself). Plus if the user doesn't have a JVM loaded then your page can look like it is very slow to load.
Anyhow, I admit it's a bit on the devious side - but I'm only using it on my personal website to find out what types of information people are interested in - so I can focus my attention in a productive manner. A page hit doesn't really tell you that kind of information, and very few people take the time to provide feedback.
In the last 2 days, people have spent an average of 97 seconds per page on my web site (of those running Java). However, people who don't stick around long enough for the java app to be loaded aren't counted. If you want to see the applet in action click on my sig.
-- Virtual Windows Project
This may be a stupid question, but if Slashcode is Open Source, doesn't that mean you can just read the code to see what is done?
I am of two minds about this. On one hand, if you *DON'T* take pains to anonymize your travels on the web you are only asking for trouble; much like getting money out of an ATM in a sleazy part of town alone after dark. As it appears that there is more money to be made than risk to be faced by behaving the way Doubleclick does the result is not suprising.Not that we know of any software companies that have made a similar calculation. OTOH, I would dearly love to see them get their clock cleaned in some sort of class action lawsuit. If the Feds have to deal with the Freedom of Information Act then why should any business be invunerable? Of course the really interesting questions are Who owns the information about you, and towhat nefarious purposes could it put?
"Everyone is entitled to their own opinion, but not their own facts."
Yeah, just set your junkbuster to block all doubleclick :-)
I hate it when they go by IP though, but then I usualy find that unique path to block....
I had to do that for thoes 1x1 pixel images that our very own slashdot uses on its entry page.
Later
Mike
The DPA has many flaws too, of course (e.g., effectively banning fingerd and log files), but that is a separate issue.
When biometrics becomes mainstream they will also be able to tell you are typing with one hand. I think this is homebrew justice actually, the watchers being watched. How do you think the porn actors felt!
-- http://thegirlorthecar.com funny dating game for guys
Sabotage is proactive. It's the one way that a person who doesn't have any power can make their convictions felt.
/.? Writing a congressperson? Joining and supporting a privacy special interests group? Quitting and working for a competitor who does not perform such immoral and unethical activities? I guess you're right--blowing up the factory is the only way you can "make your convictions felt." I feel sorry for your employer.
Talking to coworkers and management? Talking to the press? Posting a story on
You and Signal11 are advocating performing "civil disobedience" by taking money to do that same thing that you find so unethical and immoral. Sure, you may drag your feet on the project a little, but you'll still cash that paycheck. This hardly places you or your cause in a sympathetic position.
The civil rights movement in the US being a classic example, by your standards civil disobedience would be for black people to boycott restaurants that refused to server them.
Notice that nobody introduced rat poison into the water supplies of the restaurants you mention. Nobody firebombed the places. Nobody threw bricks at restaurant patrons as they left the establishments. Dr. King did not advocate acting immorally to accomplish civil rights goals, despite the heavy-handed treatment he and his companions received from the peacekeepers of the day. Instead, the activities he supported were specifically designed to raise public sympathy for the movement, something your acts of sabotage will never do.
Actually, I just put junkbuster on one of my other computers today, and it's not really all that difficult if you have an rpm-based distribution. All you have to do after installing the package is su root and run the junkbuster init script. There's one pre-packaged (and slightly modified) version of junkbuster right here that comes with premade blockfiles even. On the site, he maintains some blocklists that get updated every month, and even if you don't want to be bother to get new ones all the time, the ones that come in the package will still block 90% of your ads for a good long time to come.
Here's an easier way. Just add the following to /etc/hosts (Linux or a variant) or c:\windows\hosts (Windows).
0.0.0.0 doubleclick.net
0.0.0.0 www.doubleclick.net
I highly doubt it...he was teaching OS classes before windoze even existed. And the problem was on his UltraSparc10 box :)
What would it take to make a little applet to toggle junkbuster on & off? Sometimes my setting isn't quite right to allow me to do something that requires cookies, and I turn it off for a moment... but forget to turn it back on.
Any good way to make this easy / automatic?
---
Doesn't IE dislike this sort of stuff? I remember back when IE 4 came out we used to send cookies to remote domains via 1x1 gifs and IE started to make it so a 1x1 gif couldn't set a cookie if it was loaded from another domain. Anyone else remember this? Netscape will still let you set a cookie with a 1x1 gif from another domain, but when, for the time being, IE has won the browser war you cater to them.
My Slashdot account is old enough to drink...
PIcture this. I have a webcam on nerp.net, and some web page space on another site. The other site sends me a report every night at 12am with pretty much a raw Apache weblog of who visits my web pages(on that site).
So what I did was stick a blank GIF file on my webcam page that belonged to the other server. now every night I can find out who exactly hit my webcam, and when.
It's not 'lmhosts', it's just 'hosts'.
'lmhosts' is for LAN Manager (now Windows Networking) over TCP/IP.
Gordon.
He that breaks a thing to find out what it is has left the path of wisdom.
-- J.R.R. Tolkien
Erm, seems like Junkbuster would be an easier implementation of this? Well not neccessarily easer, but more organized and with the ability to match hostnames and directories with regular expressions.
Most of those would be taken care of with two or three regexps. Just a thought. I hate doubleclick enough that I put them in my
The 1x1 pixel gif is used by many adserving products. They normally deliver it with every ad, and the cookie that the adserver sets is normally attached to this gif. This gif is used to count how many ads are delivered. Clicking on the main image / flash feature will then count the click, by having an href that normally looks something like :l ick_an_ad.cgi/SITENAME/PAGENAME/CAMPAIGN NAME?_REDIRCT_TO="http://theadvertiserssite.com""
A Href="http://bad.evil.adserver.com/Software/ads/c
The sitename, pagename and campaignname are normally variables in whatever ad tag code you are putting on your page. These are then parsed by the adserver when it serves the ad and filled in with data that is meaningful to the server. This data can normally be completely meaningless to the web server that is serving it. The pagename doesn't have to match the pagename on the webserver, but merely the commonly agreed upon name. So I could lable a page as www.mysite.com/apage and schedule ads to that. But the site itself, would actually be www.mysite.co.uk/anotherpage.html and would just ask the server for an ad for www.mysite.com/apage
When you click on an ad, that data is sent back to the adserver so that it knows what ad you are trying to click through on, and what campaign to assign the click-through to.
This is all from memory and may be slightly flawed. But if you can read passed my garbled wording and see the idea, you'll have the picture.
DISCLAIMER: I used to work with web adverting but I'm just an (ab)normal sysadmin now.
/* Wayne Pascoe
I installed junkbuster this week, and I found that it really slowed down web page loading. I turned it off after a short time--I just couldn't stand waiting twice as long for pages to load.
Perhaps people with modem connections won't notice the extra delay.
I also didn't like how pages that had load errors came up with junkbuster-generated pages instead of the same info they normally would come up with.
Yes, Junkbuster is a more full-featured package, but there's a world of difference between telling someone/anyone "here's a file, name it 'blah' and put it in 'blah folder'" and "he's a site, spend a while downloading junkbuster over your dialup connection, install it, set it up correctly, and maintain it". Ideally, everyone should do the latter, but it'd be a wonderful start for more people to do at least the former.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
Information is power... I like power.. DoubleClick has information = Doubleclick had power = I like DoubleClick..
I seriously don't have a problem with these things, but, on one condition; that anyone can cover one self up as much as one likes..
- cfelde
I tried whois at nsi.com, but came up with nothing. What's the current way for checking up IP-blocks? Because I clearly remember "-L ddd.ddd.ddd" responding with the whois record of the c-class owner..
Still, reverse lookups came up with dn.net (Verio), and also that ns1.andover.net was 196. Unfortunately I still didn't know how to properly check IP-block delegation, so I can't be sure, but it seems to me that andover.net has 207.209.224.196/26, which comes from Verio's 207.209.224.0/24 C-class. It also might be that the reverse DNS hasn't been delegated from Verio to Andover, and so Andover doesn't have reverses set up for all systems - a common situation even though unfortunate.
As I wrote in another comment to this story, the "off-site" graphic traceroutes through dn.net via exodus.net. Both sites (Digital Nation and Exodus) are sites that Andover uses to host some of its services. In other words, the "off-site" graphic probably isn't off-site at all.
I'll ask the slash development team what the deal is. If more than 3 or 4 people care (feel free to email me), maybe I can get Timothy to drop the results in the next Slashback or something. But I'll bet you dollars to donuts they're all page-counters.
Jamie McCarthy
Jamie McCarthy
jamie.mccarthy.vg
(a couple of employees viewing website traffic reports for www.hotxxx-lesbo-hardcore.com)
"Geez this guy is sick, 39 minutes on one picture"
"Yeah too bad our little bug can't show us what he's seeing
"Hey that would be cool I'll talk to the programmers. Just remember we don't actually know anything!"
So what's next? Double Click isn't very smart getting into something like this now. They really can't deny getting information!
Never knock on Death's door:
The Anti-Blog
Check out Naviant - they're doing the same thing - teamed with 24/7 Media and Matchlogic to actually serve the ads. But they have a huge database of names and addresses and match these up with the cookie IDs used by the advertisers. So while DoubleClick will know that a particular computer frequently visits Asian foot fetish sites, Naviant will be able to tell that it's really Bob Shemolie at 1212 Main Street and then send him a catalog in the mail. So block those cookies, everybody!
Now, what I'm really waiting for is for someone to write a proxy that can dynamically rewrite pages as they come through an http tunnel. Then, we can block ads, the associated javacrap, and other stuff - like pages containing the string "MAKE MONEY FAST!" I prefer not to get involved with the ethical side of business - business long ago proved to me they have no real ethics, hence I focus on creating technical solutions which either force them to be ethical, or force them away from me.
I think the technical community should make a stand and say we will not tolerate this, and then proceed to distribute easy-to-use software which blocks companies money-grabbing attempts. Remember: no company can survive without people. If a company is being unethical, solve the problem via technical means. If you work for the company, stall, drag your feet, and if you have to engineer the privacy-invading feature, remember these words "Yes, it's possible, but it would cost too much to do it".. and if they try anyway, make sure you're very well paid and that the product develops all kinds of bugs.. like suspicious dialog boxes in spyware that give your company's URL along with a "please report this error: Error collecting data on ${USER}, please contact sales@mycompany.com".
Civil disobedience.
These "web bugs" are nothing new, and do nothing more insidious than can be done with ANY other type of HTTP request.
Any web resource can be used to track you. You could have web bug *.jar's, web bug *.js's, web bug *.htm's, web bug *.php's, or web bug *.pl's ALL DAY LONG but we wouldn't call 'em web bugs. We'd call it information accumulators being a little more aggressive we're particularly comfortable with.
The problem is not with images, but rather that you can include just about anything you like in the query search portion (the part after the ?) of the URL of any HTTP request.
I develop opt-in marketing automation software (ummm...the pay's good?;), and we've been gathering info for years. To this point, our high-ups don't know much about it, but we developers use it as an easy way for the browser to communicate back to the server without having to do full submissions. Used this way, it can save lots of unnecessary traffic. Can be a very handy, and useful feature.
Of course it's going to be capitalized on, tho.
Don't see of much way around it, since the "web bug" doesn't have to come from a different server at all. Once processed, the original request can be forwarded to any server the original recipient likes.
Guess someone could add a scrubber component to the browser's which'd truncate the URL's at the ?, but chances are lots of requests would fail if that would happen...
More people should try that one :
Even though we decrypted copy-protection on your dvd, we do not have enough inteligence to watch the movie after we do it...
Yeah right.
Hey!
Wouldn't web-banner blocking programs (i.e. Norton Internet Security) block these 'web bugs' out? Furthermore, wouldn't it be easy to get a porn-site-listing-and-blocking firewall and change the names of porn sites for those of companies like doubleclick? If everyone did this, doubleclick wouldn't get the views.
SUB MANICLAUGH {
write("They would be crushed BWHAHAHAHAH!")
}
This would be a good thing for privacy. If we could get a big ISP like AOL into the blocking, it would be interesting to see the results.
Michael Tandy
"Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
Lately, I've gone to reading the HTML source, because often the image's URL comes from a redirector which does the actual logging, and I want to block it before access to the redirector.
(By the way, do you know that slashdot has a web bug on its pages? I have it blocked. You should, too.)
Anyway, a while ago I noticed that doubleclick.net was getting some ads past my filters, despite the fact that their domain (and various IP addresses) are at the top of my blockfile.
The sneaky bastards were using https. Proxies generally ignore than and pass it straight through. With 128-bit encryption, too; better than most of the e-commerce sites. (I would have noticed; I have everything 56 bits and below turned off.) I had to admire their ingenuity.
However, I still had to put an end to this. I told my DNS server that it was now authoritative for doubleclick.net, and that the zone was empty, so any address lookup attempt will fail. And I fetched the zone from their servers and added it to the firewall rules. Each was tested as adequate independently. Both is backup.
As I've been reading over that last year what a bunch of nosy bastards they are at doubleclick, I'm more and more glad that my computer hasn't deigned to send a packet to them for a very long time.
Although it'll probably make them change tactics again, I thought I'd share the DNS trick. It works pretty well. (And it gives you reason to learn about DNS zone files - I carefully haven't given an example, even though it is trivial.)
Problem was the stupid thing wrecked havoc with our banner code (we were using Cold Fusion and it didn't like dealing with the banner and 1x1 pixel in one shot), so I cleverly "omitted" the pixel. :) My boss never knew about it.
- I don't care if they globalize against free speech. All my best free thoughts are done in my head.
---
What exactly are the commercial possiblilities of Ovine Aviation?
For anyone who doesn't have a hosts file built, you can grab one from my ftp server ftp://www.b-wdesigngroup.com/pub/Windows/hosts It's CR/LF for windoze but you know how to deal with that, right?
The opt-out option from DoubleClick is reasonable for what is does:
It does not stop tracking of visited web pages, it simply stops associating that tracking information with you.
So DoubleClick will still know that somebody visited the lesbian p0rn site (or whatever the original example was) and it will know the IP address that the request came from (I always go through a web cache that my provider supplies: this provides some degree of anonymity) but it will not know it is "you" and will not be able to associate this visit with the one you made yesterday (and the day before and the day before that, ...)
It's fairly easy to check that the opt-out is working by simply checking the cookies for DoubleClick. If you are using Netscape 4.x and are unfortunate enough to use it on Windows NT, then look for the file:
Search in here for .doubleclick.net. (Other systems will find a similar file somewhere.)
Hi!
Actually, they can't collect any cookiebased info from you when you opt out, because the cookie is set to a default value which is the same for everyone who opts out. You can check that. (Still, I prefer the dumping of huge amounts of *.doubleclick.net servers in my hosts file.)
I guess that since I do all my browsing through a Stanford proxy (mmm, vBNS), use Proximitron and no cookies, along with a browser that barely supports HTML 3, I really don't have a whole lot to worry about, eh?
http://slashdot.org/comments.pl?sid=00/06/23/12402 14&cid=46
When users are giving up information about your company without knowing it, it's just like any other exploit. Users don't know how to block it so it's up to you. (And we are talking company information here -- unless all they do is look at porn and stock tickers.)
It is your responsibility to block doubleclick.net web tracking, just like it's your responsibility to keep people outside your organization from reading /var/log/maillog.
I've posted this quick-and-dirty way to block doubleclick before, and I'll post it again:
zone "doubleclick.net" {
type master;
file "db.local";
};
See this privacy note for detailed instructions for Red Hat and Debian. With a 5-minute tweak, you can protect the web traffic of everyone who uses your name server. (While you're logged in to the name server anyway, make sure you have the latest BIND.)
Yes, it's better to run a real proxy, or go around to everyone's machine and disable cookies, or do it some other "Right Way." But better to do what you have time for than to not do anything.
-- Real free software sites don't use GIFs.
I have from time to time see a doubleclick redirector appear when I go to slashdot. Get here by selecting slashdot from a bookmark. The bookmark does not slashdot address defined with the redirector. So what is up?
Perhaps one of the open source web browsers could be modified to provide a feature that automatically warns a user if he/she encounters a page with a possible web bug, and queries whether the user wants to follow the link? At the very least this would allow interested parties to monitor who is using this new technology, and it would make open source products more attractive to those who have an interest in maintaining their privacy.
Opt out here . I'm more worried about agents that we don't know about and don't have to provide services such as this.
-- http://thegirlorthecar.com funny dating game for guys
Can someone pass me the can of Raid? Or better yet, the Black Flag!
--
...vividly encapsulates that post-Watergate/pre-punk/coked-up moment when you could trust no one, least of all yourself.
So with all this feedback these sites will know exactly what the most popular and most visited images are. With this information .XXX will naturally evolve, displaying women in just the right way to appeal to mens prurient lustings. Sounds kind of Darwinian doesn't it. Gee all the girls have to do is surf .XXX to see what guys want in the bedroom. Or maybe that would be like us guys reading the Cosmo perfect man articles to see what women want?