Slashdot Mirror


IE "Persistence" Tracks Without Warning

A reader writes "Never mind if you've shut off cookies. If you are using IE 5+, the browser can still be used to track you, with no warning. An IE 5+ feature, "persistence", allows the browser to remember information, such as search queries. Which of course means that you can be uniquely identified and tracked. And since it is a feature, there is no warning either that this information is being stored or when it is given. Shutting off scripting in theory stops it. More on the story at www.news.com."

227 comments

  1. Re:Turning off scripting...? by TheGratefulNet · · Score: 2
    You know what I do when I find a site that is broken without javascript

    yeah, it's called "view source". read the source, decide if it's worth the effort to figure out what they intend to do with scripting, then go from there.

    the only good thing about jscript is that you can always view source. can't say the same with java ;-(

    --
    "It is now safe to switch off your computer."
  2. Re:I have to say it... by nevets · · Score: 1

    I never said that I read every line of source code. I stated that it would be possible to do so. Of course I didn't say that I would nor do I have the time to. I've read a large amount of the Linux kernel as well as XFree. But I didn't read all of it or even close to all of it.

    The point is that someone just might read your bad code! You really think that a spy program or dangerous code would last long in the Open Source world? If there are not many users of the said product, then sure, you might get away with it. But if you are successful and have lots of users, you will have lots of lines. So if 1000 people read 50 lines of code, then you have approx. 50000 lines read. Of course that is assuming that the same lines have not been read.

    I'm saying that I feel safer that code is not a problem if it is open. I'm not saying that it is safe. But as I mentioned, it takes a lot more nerve to post code that has mischievous actions. But it doesn't take much for closed source to do so (!seineew era sreenigne epacsteN).

    It's just common sense....
    But common sense ain't too common!
    Steven Rostedt

    --
    Steven Rostedt
    -- Nevermind
  3. Repetitive redundancy by yali · · Score: 3

    From Microsoft: "The consumer that enables first-party cookies is even more exposed. This should only be an issue for someone who has disabled all cookies and is concerned about unique identification."

    Translation: only people who care about their privacy care about their privacy. Gee whiz, mister, that makes it all okay!

    1. Re:Repetitive redundancy by Azog · · Score: 3
      Indeed. Here's a classic line from the Microsoft manager quoted in the article:
      "This feature has a trade-off, like almost every other feature on the Web--in this case, between functionality and a minor, potential privacy exposure..."
      And, as always, Microsoft has made the call to sacrifice security and privacy for functionality.

      Seriously, this must be a Microsoft corporate policy. Maybe a Microsoft-employed Slashdot reader can spill the beans, and point us to the internal web site or policy manual that says:
      "If you ever need to choose between security and functionality, choose functionality. If you ever need to choose between stability and backward compatibility, choose backward compatibility. If you ever need to choose between adhering to the internet standard or adding a proprietary feature, why are you even thinking about it! Add the proprietary feature - of course! And don't document it, either!".
      Or something like that. Come on, give it up, we know it's in there somewhere!

      Torrey Hoffman (Azog)
      --
      Torrey Hoffman (Azog)
      "HTML needs a rant tag" - Alan Cox
    2. Re:Repetitive redundancy by danderson · · Score: 1

      And, as always, Microsoft has made the call to sacrifice security and privacy for functionality.

      From a _technological_ standpoint, this sucks. But from a _business_ standpoint, is this really all that bad? Most computer users look for the functionality when they buy products, because that is what they understand. Buying a product that is easy to use and aesthetically pleasing (or at least the packaging says so) makes them feel good about buying it and more likely to buy from the same vendor in the future. From a business standpoint, it is not so much "functionality vs. security" but "what the broadest user base wants vs. what the broadest user base doesn't understand." Microsoft is giving the customer what most of the customers want.

      As far as the instability issue is concerned, this same broadest user base blames the software instability on the hardware and assumes such issues are pretty standard. They aren't at all surprised when software crashes, because their "computer" crashes frequently as well. Think about it, how many times have you heard (or said): "My computer crashed" when it should have been "Windows crashed?" When something works right: "Windows is Great!!" When something doesn't: "My computer is having problems!"

      --
      This is supposed to be great art. So why does it look like a bunch of decapitated naked people? -- Calvin
  4. That's just friggin spiffy.... Windows AND Mac? by solios · · Score: 1

    So Windows users can be tracked- who cares? Anyone smart enough to care is running something else, or uses their browser in such a fashion that it doesn't really matter in the end anyway. But if it affects the Macintosh as well?

    I'm sorry folks, say what you will, but after three years of Macintosh usage, after running AOhelL, Lynx, Navigator 3-4, Communicator 4.XXX, IE 3, IE 4, Mozilla PR14 [I ran it three times, it crashed twice and refused to get past startup once], iCab, and iCab 2.x, Mac IE5 is the ONLY browser that meets my needs both aesthetically and from a work environment standpoint. And to have that compromised? Hell, I may as well get a job in a steel mill or shoot myself in the head.

    With as little privacy as I have on the net, I'm starting to wonder why my physical life is so empty.

  5. ONE BIG PROBLEM WITH THAT by InfiX · · Score: 4

    it's good that that works and that it's that simple, but the fact remains that the vast majority of computer users never change the defaults on any of their applications. if something doesn't work quite the way they want it to, they don't bother poking around in the preferences to fix it. my father complains about the recent versions of microsoft word because of those "annoying red and green squiggly lines all over the place." i say "dad, you can get rid of those in two steps." he doesn't bother. with respect to something like this, where you can't even tell that it's happening, i would wager that next to no one (outside of those reading this forum) are going to do anything about it.

    1. Re:ONE BIG PROBLEM WITH THAT by aozilla · · Score: 1

      by default cookies are enabled, so this being enabled by default means nothing

      --
      ok then your [sic] infringing on my copyright! Could you as [sic] me next time before STEALING my comments for your own?
  6. Re:This is news?? by slycer · · Score: 1

    Really? You didn't know?

    That amazes me, I noticed this feature the second time I typed in "slashdot.org" in the address field. Look at that! User persistence!! Same thing when I noticed all of my previous searches on google. Or for that matter the second time I type in my username to login to slashdot. It was a pretty easy thing to see that "something" was different. And I was amazed when I realized that it kept happening after I closed IE and brought it back up. I love this feature.. I'm not turning it off.

  7. Re:Am I the only one? by Rombuu · · Score: 2

    But you're right. Most people couldn't care less. They'll give up their rights for convenience. But that doesn't mean I should have to.


    You don't have to... feel free to unplug your computer.

    --

    DrLunch.com The site that tells you what's for lunch!
  8. Re:Am I the only one? by Balial · · Score: 1

    I totally agree with you. I don't see how people can sit around and complain about being 'tracked' (not that I've seen anyone who does) and at the same time want all the free services that many web places supply.

    If I frequent an online shop I want them to know I'm back so they can show me the things I care about and none of the crap.

  9. Tired of the paranoia by aridhol · · Score: 1

    Alright everybody. I'll probably get modded down to the depths of Hell, but here's what I think. There are two types of people in this world - those who should be watched, and those who should not care. Why does it matter that your browsing habits are being followed? Is there a name that goes with this? Are you going to illegal sites that you don't want people to know about? If not, what is your paranoia? If so, the authorities should know.

    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
  10. Re:Paranoid loosers! by tewl · · Score: 1

    Well, you must be paranoid too, you won't even use a user name to post, do you not want your comments attributed to your name? Is this anonymity important to you? Thought so.

  11. Re:In related news (uSoft unSecurity) by extenz · · Score: 1

    Gimme a break! The user sets him/herself up to this. You have to install the service don't ya? Anyway, you keep your server/workstation in a secure space. I could make mincemeat out of a Linux box if I have direct physical access to it.

  12. Re:This isn't as important as.... by JesusOfNazareth · · Score: 3

    Just as an example.... advaya.com is doing this through spam (or as they call it, direct mail marketing). And they sell this service to other companies. The spams contain "1x1 gifs" along with links that point to places you wouldn't normally think they would point at. Like this:

    Check out these <A href=3D"http://bigstar.ad6.net:8080/jsp/t/bigstar?b=4BF5Y7ESKTJH34789T5HTJKLGN489EI495T> hot magazines for 90 days for FREE </A>

    It points to some server which records that you have clicked on this link, using that funky long string as your identifier. The string possibly holds some sort of demographic information.

    There's also a 1x1 gif that comes with the spam...

    <IMG src=3D"http://bigstar.ad6.net:8080/jsp/t/bigstar.gif?b=56HJTY90JKHHJGGIJ5476">

    who knows what that does :P

    i'll let you judge for yourself if this is evil or not. i just wanted to point out a specific example of where it's being used. bye

  13. Re:For the Mac IE too? by pb · · Score: 1

    Well, IE 5.0 is released for the Mac, too, and it supports DHTML, so it probably has this loophole in it as well. And it's ugly, and completely IE-specific. "Client-side cookies", basically, which is a really dumb idea. I'd trust server info to persist, but not client info...

    I think Gates is past that phase; now its all about control...
    ---
    pb Reply or e-mail; don't vaguely moderate.

  14. IE is evil by xDroid · · Score: 1
    Internet Explorer is evil.
    Combined with passport redirect cookie sharing and now persistent tracking, IE is a menace that should be eradicated from your computer.
    I wrote this article in August. After that I installed 98lite and linux on my laptop.
    I'm also scared about the .Net version of Office due out in the spring.
    Just think every document running on an asp server run by MS. (shudder)
    • from the windows-help.net web site...
    • According to Microsoft, Office 10 will also offer significant new security features, including a central security panel; advanced password encryption; higher default security settings for Excel and PowerPoint; the option to not install Visual Basic for Applications with Office; and the functionality of the Outlook Email Security Update
    Makes you wonder...
    --

    * "Uncle this droid is malfunctioning" -- Luke Skywalker
  15. because by Captain+Pillbug · · Score: 1

    Because there's no technical reason why they can't be more anonymous than meatworld ones--only problems with current implementations. If we can achieve happiness but don't bother, then aren't we being silly?

  16. So this explains... by ukscott · · Score: 1

    All the PoRn leaflets in my in box. JunkBuster my ass karma police.

    --
    I had a SIG once... it was years ago.
  17. Ease of use. by MeNeXT · · Score: 1
    This is why Linux is simpler to use.

    You wipe out the user and create a new one. Brand new slate.

    Every Joe can do this.....

    If you like to tinker with files you can just edit the cookie file, etc.... :^).

    --
    DRM? No thanks, I'll just get it somewhere else...
    1. Re:Ease of use. by MeNeXT · · Score: 1

      Nope never have the same one. OK I might once in a while.

      --
      DRM? No thanks, I'll just get it somewhere else...
    2. Re:Ease of use. by DrTomorrow · · Score: 1

      and you just create another IP address whenever you need one also?

      --

      Everything in this post is false.

    3. Re:Ease of use. by KnightStalker · · Score: 1

      It would probably be better to set up a .netscape directory that you are happy with and do
      rm -rf ~/.netscape
      cp -R ~/backup.netscape ~/.netscape

      Then you don't have to mess with the EULA crap and you can save any cookies you may wish to save.

      Better yet, write protect your cookie file. Netscape will respect that and will never write a cookie permanently. And you can leave those slashdot cookies alone.

      --
      * And remember, it's spelled N-e-t-s-c-a-p-e, but it's pronounced "Mozilla."
    4. Re:Ease of use. by pac4854 · · Score: 1

      Easier yet, rm -rf $HOME/.netscape. It's in my crontab to run every week. Sure, I have to accept the EULA and click two OKAY buttons again, but it beats having a buncha crap that I ain't sure what it does laying around on the drive worrying me.

  18. Re:Turning off scripting...? by Maserati · · Score: 1

    Long answer: in the example, replace "http://www.stupidsite.com/" with the domain name in question. The pithy comment substituting for the path is obviously going to generate a 404. All of these sites are marketing driven (or they wouldn't annoy a geek) so someone will be examining the logs. If no one is examining the logs, then they're Clueless and Doomed anyway, so don't worry about it.

    Short answer: RTFM

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  19. This is absolutely sick... by cr@ckwhore · · Score: 1
    From the article @ cnet.com...

    In the meantime, IE users can turn off the browser's scripting capabilities, on which IE persistence depends.

    The first thing to do immediately after installing ie5+ (before it uploads the contents of your hard drive to microsoft ;) is to disable scripting support! We've learned this from past experience with the never ending barrage of virii (viruses for the layman) that are in reality scripting exploits!! Since 'persistence' depends on scripting support, can we assume it's a virus? Maybe. Maybe not. The best bet is to not use m$ software. Period.

    This really stinks.

    --cr@ckwhore

    --
    Skiers and Riders -- http://www.snowjournal.com
  20. Re:Not surprising, but not a big deal by cyber-vandal · · Score: 1

    Yes, but MS products have spawned a huge amount of 'HOWTO' and 'for Dummies' type books, so the so-called ease-of-use seems to be a fallacy for a lot of people. I find MS Office far too complicated and intrusive but unfortunately, I don't get a chance to use anything else at work and I don't really know how the competition compare in that regard.

  21. Re:I have to say it... by tetrad · · Score: 4
    This kind of thing would have never happened if IE had been open sourced. This is also why Mozilla will take the market from IE.

    Mozilla will never take the market from IE, unless someone starts paying folks to use it. Most people don't give a rat's ass about features/loopholes/etc. like the one described in the story. What percentage of web users browse without using cookies? I don't know the answer to this, but I'd put money on it being a relatively small minority.

  22. Re:I have to say it... by GandalfGreyhame · · Score: 1
    True, something like this wouldn't happen if the source was Free. However, there's also a matter of trust in the company. My favorite OS is mostly closed source, but I have a great deal of trust in them. Yes, they could do something like track my every movement and everything I do, but they don't.

    -G

    Linux is only Free if your time is worth Nothing

    --

    Linux is only free if your time is of no value
    Be in Your Senses

  23. Chicken Tracks by CalamityJones · · Score: 1

    I don't know what all IE might be transferring someplace on the 'net. Something strange happened to it on my system, though. After installing ZoneAlarm (ZoneLabs) on my system, I set IE to have local access but not Internet access. Since that time, it won't load the startup page, which is on a web server on a system about ten feet away. If I switch it to have Internet access, it will load fine. Netscape works fine no matter which way I have it set.

    1. Re:Chicken Tracks by caetin · · Score: 1

      local access is considered local as on your computer.. not other web servers.

      --
      when you're this sexy, do you really need a witty signature?
    2. Re:Chicken Tracks by CalamityJones · · Score: 1

      Yes, I know the difference between local and network, both from a networking point of view, and the misuse ZoneLabs makes of it. :-) And, I have all of the "look for updates" and similar options that look like they might want to get on the wire by themselves turned off. It still tries to "phone home".

    3. Re:Chicken Tracks by HamNRye · · Score: 2

      Check IE preferences. Make sure that the "Automagically check for Updates" (or something like that....) is not turned on. This setting will make it so that your browser doesn't call home before going to your start page. That is most likely what you're experiencing.

      And as far as the other response, "Local means Local Computer"... No, local means local network. I'm sure you knew that, but....

      ~Hammy
      That Win95 Jump & Jive!

  24. Re:In related news (uSoft unSecurity) by cyber-vandal · · Score: 1

    Name me one example of Palm abusing their monopoly and I'll agree with you.

  25. Re: your .sg (OT) by ucblockhead · · Score: 1

    It came from Andrew Jackson. He was a famously bad speller.

    --
    The cake is a pie
  26. Re:Oh for some privacy by broken77 · · Score: 2
    I tried to buy some porn the other day at the local bookshop. But guess what - people look at you when you pick it up off the shelf - like everyone in the store!

    Hehehe... You definitely bring up a good point. But remember here that the major issue is that when people go to the local porn shop, they know the privacy issues involved. What we're talking about here is that people have no idea what privacy issues are involved when they launch their browser. Most people will think that everything they're doing is totally anonymous, when in fact it's not. It is the responsibility of the software provider to make sure the user knows the privacy issues involved. That is the whole point of this discussion... (Well, I'm pretty sure anyway).

    --

    I modded the Troll Investigation and I got

  27. Re:You have a lot more to worry about by reddeno · · Score: 1

    Hear hear!

  28. Re:This isn't as important as.... by great+throwdini · · Score: 1
    There's also a 1x1 gif that comes with the spam...

    <IMG src=3D"http://bigstar.ad6.net:8080/jsp/t/bigstar.gif?b=56HJTY90JKHHJGGIJ5476">

    who knows what that does :P

    I work for *another* direct email marketing company [shudder?] -- not advaya -- and can tell you with about 98% certainty what that does for advaya ... it is used to measure "open" rates on HTML email: gif requested == email opened. The query string appended at the end "personalizes" the 'bug' and permits measuring of "unique" open rates for a particular mailing.

    This is not to say that additional information is being pulled or correlated, but given that direct email marketing is still in its infancy and the minimal levels of 'synergy' between direct email campaigns and other sources of personal information, I don't think you need to worry just yet that advaya knows what you had for lunch today. :P

    As to what the string contains ... nothing more than a unique identifier to a database entry somewhere. There's really no point in placing the actual contents of the database in the string itself.
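The link and "1x1 gif" mechanism discussed in the two comments above can be checked for in a received message. The following is an added example, not code from the thread: the sample email, the `tracker.example` host and the 16-character token heuristic are all constructed assumptions.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit
import re

# Constructed sample (placeholder hosts, made-up token), shaped like the
# quoted-printable HTML the comments quote: "=3D" is an encoded "=".
SAMPLE_EMAIL = """\
From: offers@mailer.example
To: reader@example.org
Subject: Free trial
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html><body>
<p>Check out these <a href=3D"http://tracker.example:8080/t/click?b=3DAAAA1111BBBB2222CCCC">hot magazines</a></p>
<img src=3D"http://static.example/logo.gif" width=3D"120" height=3D"40">
<img src=3D"http://tracker.example:8080/t/open.gif?b=3DAAAA1111BBBB2222CCCC" width=3D"1" height=3D"1">
</body></html>
"""

# Assumed heuristic: a long opaque query value is treated as a per-recipient ID.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{16,}$")


class _UrlCollector(HTMLParser):
    """Collect <a href> and <img src> URLs together with their attributes."""

    def __init__(self):
        super().__init__()
        self.items = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            url = attrs.get("href")
        elif tag == "img":
            url = attrs.get("src")
        else:
            url = None
        if url:
            self.items.append((tag, url, attrs))


def find_trackers(raw_email):
    """Return one finding per link or image that can identify the recipient."""
    msg = message_from_string(raw_email, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return []
    collector = _UrlCollector()
    collector.feed(part.get_content())  # get_content() undoes quoted-printable

    findings = []
    for tag, url, attrs in collector.items:
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            continue
        tokens = [v for _, v in parse_qsl(parts.query) if TOKEN_RE.match(v)]
        tiny = (tag == "img"
                and attrs.get("width") in ("0", "1")
                and attrs.get("height") in ("0", "1"))
        if tag == "img" and (tiny or tokens):
            kind = "open-beacon"   # fetching the image reports "email opened"
        elif tag == "a" and tokens:
            kind = "tagged-link"   # following the link reports who clicked
        else:
            continue
        findings.append({"kind": kind, "host": parts.hostname,
                         "tokens": tokens, "tiny": tiny})
    return findings


if __name__ == "__main__":
    for finding in find_trackers(SAMPLE_EMAIL):
        print(finding)
```

An image is flagged on its token alone, so a beacon that carries no width or height attributes (as in the snippet quoted in the thread) is still reported.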

  29. Re:This is news?? by broken77 · · Score: 1
    That amazes me, I noticed this feature the second time I typed in "slashdot.org" in the address field. Look at that! User persistence!!

    Ok, I think there is still some confusion going on here. Everyone... please read the Bugtraq advisory, and the related MS web pages before commenting. What's going on here is not merely the "What you see is what you get" idea of how persistence can be used in IE. It's more than the fact that IE saves your searches and saves form data in form boxes automatically for you. The real problem here is that these persistence methods can be manipulated programmatically, through JScript, to store and load data, by the web page author, in the exact same manner that cookies work. Yes, I was aware that IE saved all the previous data that I've typed into the search box at AltaVista. But I didn't know (and I'll bet you that most people didn't know) that a web page could use this same technology in a similar manner that cookies are used. Make sense now? :-)

    --

    I modded the Troll Investigation and I got
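A source audit for the mechanism described in the comment above, as an added example that is not part of the thread or the Bugtraq advisory. It assumes the store is attached as the `#default#userData` behavior and driven through `load()`/`save()` calls; both sample pages are constructed.

```python
import re

# IE 5 persistence behaviors; userData is the script-accessible store.
_CANON = {n.lower(): n
          for n in ("userData", "saveHistory", "saveFavorite", "saveSnapshot")}
_BEHAVIOR_RE = re.compile(r"#default#(" + "|".join(_CANON.values()) + r")\b", re.I)
# load("name") / save("name") calls; only meaningful when a behavior is present.
_STORE_CALL_RE = re.compile(r"\.\s*(load|save)\s*\(\s*(['\"])(.*?)\2\s*\)", re.I)
# External scripts are not visible in the page source and need their own review.
_SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*(['\"]?)([^'\"\s>]+)\1", re.I)

# Constructed page that keeps a visitor ID in a userData store.
SAMPLE_PAGE = """\
<html><head>
<style>.store { behavior: url(#default#userData); }</style>
<script src="lib/site.js"></script>
</head><body>
<input class="store" id="oStore" type="hidden">
<script>
  oStore.load("visitor");
  var id = oStore.getAttribute("vid");
  if (!id) { oStore.setAttribute("vid", "constructed-id-0001"); oStore.save("visitor"); }
</script>
</body></html>
"""

# Constructed page with an unrelated load() call and no persistence behavior.
CLEAN_PAGE = """\
<html><head>
<script language="JavaScript" type="text/javascript" src="site.js"></script>
</head><body>
<script>player.load("intro");</script>
</body></html>
"""


def audit_page(html):
    """Report persistence behaviors, store names and scripts left unreviewed."""
    behaviors = sorted({_CANON[m.group(1).lower()]
                        for m in _BEHAVIOR_RE.finditer(html)})
    # Store names only count when a persistence behavior is declared, which
    # keeps ordinary .load()/.save() calls from being reported.
    stores = (sorted({m.group(3) for m in _STORE_CALL_RE.finditer(html)})
              if behaviors else [])
    return {
        "behaviors": behaviors,
        "stores": stores,
        "script_store": bool("userData" in behaviors and stores),
        "unreviewed_scripts": [m.group(2) for m in _SCRIPT_SRC_RE.finditer(html)],
    }


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("clean", CLEAN_PAGE)):
        print(name, audit_page(page))
```

A page with no findings is only as clean as the files listed under `unreviewed_scripts`, which have to be fetched and scanned the same way.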

  30. "Page Hit Counting" in IE 5.1 by quonsar · · Score: 5

    I use IE 5.1 and there is an option in the advanced tab called "Enable Page Hit Counting". Here is what the Help says about it (emphasis is mine):

    Specifies whether you want Internet Explorer to allow Web sites to track your Web page usage. Selecting this check box allows sites to create a log on your computer of which pages you view, even when you are viewing Web pages offline. That log is sent to the site the next time you go to it. By tracking the usage and popularity of specific Web pages, content providers can tailor future content to match your interests.

    Looks like this has been around a while as M$ fishes for the most innocuous name possible.

    "I will gladly pay you today, sir, and eat up

    1. Re:"Page Hit Counting" in IE 5.1 by MrBogus · · Score: 3

      Yeah, take this as a friendly reminder to open your IE prefs...

      While you are there, there's a beggar's banquet of potential security issues that you can mitigate. Microsoft was nice enough to provide the options, not nice enough to choose the secure default.

      Advanced Tab
      -----------
      Profile Assistant (Allows web sites to upload information about you from somewhere. The Windows Address Book?)
      Install on Demand (Web sites can install "Web Components" on demand. Vague enough for you?)
      Search from the Address Bar (Unless you want to tell MSN what you are looking for..)

      Security Tab
      ------------
      ActiveX control settings (duh)
      Tons of Script options which have known issues (which is why they are in this dialog box)
      Automatic Logon (Sends your weakly encrypted NTLM network password hash to anyone who asks)

      --

      When I hear the word 'innovation', I reach for my pistol.
    2. Re:"Page Hit Counting" in IE 5.1 by Captain+Derivative · · Score: 1

      Actually, my personal favorite option is this, under Security -> Miscellaneous:

      Software Channel Permissions:
      [ ] High Safety
      [ ] Low Safety
      [ ] Medium Safety

      Don't you love how they give you an undocumented option to change the safety for this? And yes, "Medium Safety" is the default. (Who would set this to anything but "High Safety"?! "Oh, no, 'Low Safety' sounds good enough for me....")


      --
      The real Captain Derivative has a Slashdot ID.

    3. Re:"Page Hit Counting" in IE 5.1 by MochaMan · · Score: 1

      Oddly enough, in 5.5, that option is still there, and enabled by default HOWEVER, instead of being listed as "Enable Page Hit Counting" it is simply a blank field beside a checkbox. If you right-click it and do a "What's this" on it, it lists the same text you just output...

      Perhaps this is some kind of "feature" to keep people from turning it off? Who knows, but it's disturbing to know they're trying to hide it.

    4. Re:"Page Hit Counting" in IE 5.1 by quonsar · · Score: 2
      Also oddly enough, I discovered after reading other posts and deciding it was a separate issue, that the "Userdata Persistence" option is also in 5.1. It is found on the security tab instead of the advanced tab.

      So, in 5.1, they have "Enable Page Hit Counting" and "Userdata Persistence", and in 5.5 they have "Userdata Persistence", and the page hit counting thing is unlabelled but still present. Damn, I'd like to hear what Microsleaze has to say about this crap. And I wonder, does this all have anything to do with Passport, about which Woody wrote some nasty shit in his latest newsletter. It would seem that Passport is little more than a cookie circumvention process which provides site owners with way more data than cookies can. As if M$ intends to trumpet the unwashed masses with the news that they are now safe from the evil cookie, leaving unsaid of course that the "solution" is much worse.

      "I will gladly pay you today, sir, and eat up

    5. Re:"Page Hit Counting" in IE 5.1 by MrBogus · · Score: 1

      Likewise under Java. What, exactly, is Low Safety Java? Leave it to Microsoft...

      BTW, by NTLM credentials, I mean your local NT logon. Apparently if you are MYBOX\Administrator, IE will happily advertise this and a weak hashed password to anyone who asks. Now, how many MCSEs are surfing porn sites as MYDOMAIN\Administrator right now?

      --

      When I hear the word 'innovation', I reach for my pistol.
  31. Yeah, right. by pb · · Score: 1

    A "feature".

    ...like a VW with the license plate "feature", right?
    ---
    pb Reply or e-mail; don't vaguely moderate.

  32. Re:Turning off scripting...? by TheGratefulNet · · Score: 2
    good point! if you must do graphics on-the-fly and don't want to burden the server, I guess a gfx-oriented jscript might make sense.

    fwiw, I've done plenty of dynamic gifs on my servers (for network management stuff) and I've never seen it become a major load.

    --
    "It is now safe to switch off your computer."
  33. Re:Turning off scripting...? by spitzak · · Score: 2
    Would it be possible to make Nautilus or another non-javascript browser examine the javascript source code and guess what it does?

    It should be possible to get rid of all the non-functional buttons by finding URLs embedded in the javascript.

    "rollover" buttons should be detectable by the multiple images in the javascript.

    And otherwise, try to pick out quoted strings and display them as text.

  34. Re:It looks to me like this can be easily disabled by Anonymous Coward · · Score: 2

    Please, allow me to save potential readers time and summarize what the other replies to the parent will be stating/have stated in one form or another:

    "No.. YOU'RE WRONG. OK U mite be Rite dood... but M$ STILL SUX!!!!!!!!! F.U.!! M$ sSXuXSxuSux. It's SUXK! Why? Because M$ is SuKkY!!!!!!!"

    That's about it, except in different words.

  35. Big Deal by tetrad · · Score: 1
    Is anyone actually using this feature to track you? I thought not.

    1. Re:Big Deal by tetrad · · Score: 1

      Way to avoid the question, asshole. I read the article (did you?) and nowhere does it describe a non-trivial privacy violation. How is anyone going to use this to track you?

    2. Re:Big Deal by Stary · · Score: 1
      Can't answer that... You can't know if they do.

      I don't use IE so they're not tracking me with that.

      --
      Tomorrow will be cancelled due to lack of interest
    3. Re:Big Deal by tetrad · · Score: 1
      Let me put it in the form of a question: How does someone use this feature to implement a non-trivial violation of privacy? (I'll even let you define "non-trivial".) Can a third-party web site get any useful information from this feature...?

  36. Ho! Listen here to the Microsoft doublespeak! by Anonymous Coward · · Score: 1
    Well, IE 5.0 is released for the Mac, too, and it supports DHTML,

    "It supports DHTML". Makes it sound like a feature. Who wants a browser that doesn't "support" [feature]. Classic "embrace and extend" MS philosophy. Adopt the standard. Add lots of extra features... Proprietary features you do not relinquish ownership of to the standard... and then proclaim that the other browsers are in abeyance of "the new protocol". Pathetic.

  37. Re:A few privacy tidbits to ponder.... by NearlyHeadless · · Score: 1
    If you have a supermarket discount card (like a Star Market Card), every time you use it for purchases, retailers use it to track exactly what you've purchased, how much you spent and how often you shop. This information can then be shared (as with what website you visit) with product manufacturers who then feel you may be interested in their products.
    Yeah, I really hate how they send me coupons for the products I use. I had sworn the clerks to secrecy about my Cap'n Crunch habit and used a blanket to cover my shopping cart, but, oh well.
    A practice that is picking up speed in restaurants is the use of cameras spying on diners. The chefs then watch the diners so they can time when to serve the next course. I find this pretty scary that someone is watching my every bite.....
    Here I'm wondering if you're even serious. Have you ever heard of waiters?
    There are hundreds of ways that the private citizen is becoming less and less private, and it is sickening.
    "Becoming less private" ... compared to what? Less private than the small town most people lived in fifty years ago? Ha!
  38. ScriptBusters! Yeah! by Anonymous Coward · · Score: 2

    Bugs to the left, Hacks to the right. Kill all VB-script, Fight, Fight, Fight!

  39. Re:Evil Empire by wuice · · Score: 1

    I'm taking a wild guess here, a shot in the dark. I'd say $0.

  40. Turning off scripting...? by Idaho · · Score: 2

    Too many sites are using scripting in a way that makes it impossible to use the site with (java)-scripting turned off. Many 'submit' buttons actually invoke simple javascript-functions that check values and then submit your form.

    Lately, I tried to turn off java-script in IE, but then turned it on within a few days again, after wondering why so many buttons and links didn't work. First thought my connection was just crap, but it wasn't...

    So, if turning off scripting is not an option for you (as it is for many people), what can you do against this?

    --
    Every expression is true, for a given value of 'true'
    1. Re:Turning off scripting...? by Idaho · · Score: 2

      Yeah, but that strategy does not really work for me. Just to keep the administration of my working hours up to date, I have to login to a site that uses javascript when logging in. And not booking my hours is not really an option :-)

      A solution I found is to add this site to the 'trusted' zone and turn on javascript in that zone, leaving it off in the 'internet' zone. Works great for me, and you can keep track of which site can possibly track you.

      As for my working hours, they'd better keep track of them :-)

      --
      Every expression is true, for a given value of 'true'
    2. Re:Turning off scripting...? by quonsar · · Score: 2

      the only good thing about jscript is that you can always view source

      Bzzzzzt. Do not pass go:

      <script language="JavaScript" type="text/javascript" src="fux0red.js"></script>

      "I will gladly pay you today, sir, and eat up

    3. Re:Turning off scripting...? by Anonymous Coward · · Score: 1

      Check out Scalable Vector Graphics at http://www.adobe.com/SVG/. It's a W3C spec for vector graphics which allows script manipulation through the DOM.

    4. Re:Turning off scripting...? by Taurine · · Score: 2

      You could use Konqueror, the browser included in the upcoming KDE 2.0 release. It allows you to specify your JavaScript and cookie acceptance settings on a site-by-site basis.

    5. Re:Turning off scripting...? by nhavar · · Score: 2

      VML

      --
      "Do not be swept up in the momentum of mediocrity." - anon
    6. Re:Turning off scripting...? by Anonymous Coward · · Score: 1

      Frankly, the web is a little less ugly because of that missing functionality.

    7. Re:Turning off scripting...? by Krollekop · · Score: 1

      Why would you turn off scripting? What are you afraid of?
      I personally turn off scripting only when a web app doesn't want to take my keyboard's random noise (sample: sdljadfgaskug) when I am prompted for my phone number or zip code and I don't want to give them away. I found that 90 % of the scripts my browser runs are useful (pop-up helps, location tips, Java LiveConnect, image preloading, ...), 8 % are slightly restrictive but might have their use (zip code verification, password pre-check, ...), and 2 % are a nuisance (pop windows that porn-jack you, loss of navigation bars, ...). All in all, IMHO, there are more benefits than inconveniences.

    8. Re:Turning off scripting...? by Krollekop · · Score: 1
      > The only good thing about jscript is that you can always view source. can't say the same with java ;-(
      Just configure your browser to open Jad when downloading .class files...
    9. Re:Turning off scripting...? by Tackhead · · Score: 1
      > You know what I do when I find a site that is broken without
      > javascript? I leave and never come back.

      Ditto, except I leave a present in their server logs before I go.

      Like a 404 to "http://www.stupidsite.com/fuck/you/and/the/javashit/you/rode/in/on.html"

      If you wanna express how pissed off you are, express it. On the sites where webmaster@ isn't a black hole, it's usually some marketroid who says "but Java's cool! you need to turn it on to see it!". I figure if anyone's actually reading the server logs, there's at least the possibility that they're geeky enough to appreciate the humor in such a log entry.

    10. Re:Turning off scripting...? by nhavar · · Score: 2

      BZZZZZZZT! Browser cache????

      URL ??? "www.somedumbasses.com/callMe/Leeet.js"

      Save As ???

      ...that's 'Dumas'

      --
      "Do not be swept up in the momentum of mediocrity." - anon
    11. Re:Turning off scripting...? by great+throwdini · · Score: 1
      the only good thing about jscript is that you can always view source.

      Offtopic - although viewing such source is not always so easily done as said. included scripts (using the SRC attribute) will not show up in their full glory to those with scripting turned off initially, requiring one to download and examine the included script(s) ... not exactly user-friendly.

      Further Offtopic - unfortunately, the security model of browsers/javascript does not (yet) permit one to selectively deny scripts access to arbitrary objects within the DOM -- although I can only imagine a number of power-users would be very interested in just such an option.

      Have I Been Trolled? - I think javascript does have its place when client-side processing can alleviate the back-and-forth of server-side processing (preliminary validation of form submissions being one case).

    12. Re:Turning off scripting...? by spitzak · · Score: 2
      How would it know how to parse the scripting?

      Simple. It is not totally ignorant of javascript. It knows how to "parse" it. And then it has a bunch of rules like "the tokens "foo" and "(" next to each other mean they are calling foo() and that probably means I should do this..."

      Actually just seeing all the string constants and assuming they are URLs should work and hardly requires even a "parser".

    13. Re:Turning off scripting...? by quonsar · · Score: 1

      BZZZZZZZT! Browser cache????
      URL ??? "www.somedumbasses.com/callMe/Leeet.js"

      [slapping forehead] DOH!!!!!

      "I will gladly pay you today, sir, and eat up

    14. Re:Turning off scripting...? by GypC · · Score: 2

      I always have javascript turned off. You know what I do when I find a site that is broken without javascript? I leave and never come back.

      "Free your mind and your ass will follow"

    15. Re:Turning off scripting...? by mangu · · Score: 1
      fwiw, I've done plenty of dynamic gifs on my servers (for network management stuff) and I've never seen it become a major load.

      I forgot to mention, speed isn't the only problem. Line graphics converted to pixmaps suck if shown on a resolution different from the one they were plotted in. Of course, graphic library designers often get carried away and cram so much useless stuff that vector drawing libraries quickly turn into bloatware. But I think "moveto(x, y)", "lineto(x, y)", and "linestyle(solid | dotted)" functions are a must in any programming environment.

    16. Re:Turning off scripting...? by mangu · · Score: 2
      the only good thing about jscript is that you can always view source. can't say the same with java ;-(

      Java has one thing over jscript: you can draw graphics. Jscript misses functions to draw lines and curves. If you don't want to use java, the server is burdened with generating a gif file for every graphic that's requested, and it takes much more bandwidth to send a gif than it would take to send a set of "moveto/lineto" calls, if they existed in jscript or html.

    17. Re:Turning off scripting...? by great+throwdini · · Score: 1
      Would it be possible to make Nautilus or another non-javascript browser examine the javascript source code and guess what it does?

      Methinks not easily (especially if it were a non-javascript browser ... how would it know how to parse the scripting :)

      A more sensible approach would be to go ahead and code a full script parser (which kind of scripting? javascript? jscript? ECMAscript? VBscript?) into the browser, but allow the setting of security privileges on the various objects in the browser's DOM to permit or deny access.

      So, if I hate rollovers, I can forbid write access to image objects (however modeled) but allow access to form-related objects to permit client-side validation. OTOH, this could become a web designer's nightmare :P

      Netscape has (in the past) followed this tack with regards to a subset of scripting methods and objects, requiring signed scripts to access them through javascript. Certainly, client-side scripting languages should offer a bit more flexibility than the all-or-nothing approach of "off" or "on" ... at present, Microsoft actually allows more flexibility in setting privilege levels in a manner similar to this -- it is unfortunate that they fail to document it all "up front" for the end-user.

      re: pulling out embedded URLs and/or multiple images -- several scripts are not so open about these things, building URLs or image names from pieces ... the only way to yank these values out as wholes (rather than constituent parts) would be to implement something that could parse [foo]script on its own. but then you would have a [foo]script browser of your own! :)

    18. Re:Turning off scripting...? by grokmiskatonic · · Score: 1

      This may be a dumb question, but how can you change what shows up in their server logs? It would be cool if you could point me in the direction to find out how to do this...

  41. System wide porn sweep and clean by l33t · · Score: 1

    Okay, this is how I go about it:
    First, do a search for all .jpeg's, .jpg's, .jpe, .mp*
    Then .gif (for those animated pictures of Pamela taking Tommy's mighty tool)
    Then I delete all the temporary internet files, followed by a search for further cookies.
    Next, clear Documents menu (cumsplat.jpg wouldn't look very good there) and empty the recycle bin.
    Am I forgetting anything?

  42. Re:I have to say it... by nevets · · Score: 1

    I thought the same thing. Actually it goes to almost anything you use. Unless you have a sniffer, you don't know what a product is sending to someone if you are using a closed sourced application and are connected to the Internet. Sure you might be able to watch your modem lights blink, but that is not the best way of catching things like this. It's even more difficult with a web browser, since you have valid packets being sent out over the Internet.

    Yes the average person will not look at the code of some product to see if it is sending or storing devious information about the user. But I would certainly be more secure in knowing I CAN view the code if I desired. Someone would really have some nerve to put a backdoor of some kind in a product that the source is viewable.

    Also note. A license that is not necessarily open source can give you the same effect. As long as you have the full source, and can compile it yourself, this problem would not exist.

    Steven Rostedt

    --
    Steven Rostedt
    -- Nevermind
  43. dont mean to be dumb, but... by jmd! · · Score: 1

    I've read the article, and all comments... I don't see how this is a security issue. The form caching is client side, to my understanding...how does this tell the remote web server anything? I don't get it...

  44. The persistance I've worked with by Sawbones · · Score: 1

    I cannot guarantee that all of IE's persistence works like this, however the persistence I've worked with in developing with IE uses XML to store data on the user's hard drive and is known as, surprise, "userdata". It's actually quite handy to use, but can be separately disabled, just like cookies, in the IE security preferences (it's under "allow userdata persistence"). If you'd like to take a look at what the userdata has stored on your computer, check out the XML files stored in (under win2k) "\Documents and Settings\username\Application Data\Microsoft\Internet Explorer\Userdata\"

    One feature of Userdata is that it can - in theory - only be read from the same place that wrote it, much like cookies. It works from different locations on your hard drive as well - different directories cannot read each other's userdata.

    So before it gets flamed too hard, the feature is quite handy, allows for more storage of data (in terms of bytes) than cookies and is in XML.

    --

    Ad in classifieds: Pandora's Box (no box) $5
  45. Re:Not surprising, but not a big deal by pesc · · Score: 1
    My personal hate is when I want to write a price. In Sweden you can add :- after the number; 10:- means 10 Swedish crowns.

    Try to write some amounts in Word inside parenthesis, like

    I bought apples (10:-), oranges (15:-), ...

    :-)

    --

    )9TSS
  46. Re:You have a lot more to worry about by ucblockhead · · Score: 1

    Unfortunately, Microsoft is very good at creating wildly confusing API names. "ActiveX" is what used to be called "COM", mostly, sort of. (Or maybe it is now called COM again. I can never keep up.) That checkbox just says that you don't want IE to use ActiveX controls embedded in web-pages. This doesn't mean that other programs can't use the IE ActiveX control.

    It goes something like this:

    A financial money manager program wants to have cool looking reports. Rather than write them from scratch, they decide to use the IE control. They embed this control in their app and write the reports in HTML. Makes gobs of sense from their point of view. Less work. Now they are manually embedding the control, so whether or not they want to make this a user option is entirely up to them. It has nothing to do with any internet security options. The only way you could prevent them from doing this is either physically deleting the DLL or removing the control's CLSID from the registry.

    --
    The cake is a pie
  47. Re:It looks to me like this can be easily disabled by Barbarian · · Score: 2

    My IE 5.5 special security edition beta or whatever it's called (the cookie-cutter one they released a few weeks ago) has this option.

    --

  48. Re:It looks to me like this can be easily disabled by DrEldarion · · Score: 3

    Why didn't they place the controls for such a device in a more obvious location?

    Yeah, I know! Who'd have ever thought to look under SECURITY SETTINGS for something like that?! Geez! What were they thinking?!

    (cough)

    -- Dr. Eldarion --

  49. In 3 steps by Krollekop · · Score: 1
    It looks to me like this can be easily disabled
    Sure. In three steps:
    1. Ctrl-O
    2. Type http://ftp.mozilla.org/pub/mozilla/nightly/latest/mozilla-win32-installer.exe [Enter]
    3. [Read Pop-up Window]

      You have chosen to download a file from this location

      ...ozilla-win32-installer.exe from ftp.mozilla.org

      What would you like to do with this file?

      • (*) Run this program from its current location
      • ( ) Save this program to disk

        [Select with Up Arrow and Enter]

    1. Re:In 3 steps by Pfhreakaz0id · · Score: 2

      Then, watch as it gobbles up RAM, chokes on the simplest pages, and, oh, don't forget to install the nightly builds!
      ---

  50. Re:This isn't as important as.... by Matts · · Score: 2

    The 1x1 gif confirms that your email address is active and that you viewed the email. Another strong argument for text based email readers, I'm afraid. I really hope that both KDE and Gnome are taking this into account when they create their funky new email clients with the ability to read HTML content.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  51. Re:Oh for some privacy by radja · · Score: 3

    my local bookshop gets paid in cash. all they know is that some long-haired annoying geek sometimes buys porn. but since this isn't strange they won't remember that either. they don't know where I live, what other stores I've recently visited, and what my favourite food is. even if they knew my name, they wouldn't be allowed to sell it. I would like the same anonymity on the net.

    //rdj

    --

    No one can understand the truth until he drinks of coffee's frothy goodness.
    --Sheikh Abd-Al-Kadir, 1587
  52. Re:This is why LAW should require source disclosur by mangu · · Score: 3
    Yes, that's right. All software, commercial and non-commercial, should be MANDATED by law to include source code.

    Agree with you partially - I think only source code should be copyrightable. Copyrights are intended to protect ideas, not a side effect of those ideas.

    There's an interesting loophole in having binary files protected by copyrights: one could write a program that analyses an executable file, identifying all functions and respective calls. This software would then scramble the code, changing the position of the functions and fixing the calls accordingly. Would this be a copyright violation? To characterize a copyright violation should both files be absolutely identical, or would a certain sequence of identical bytes constitute a violation? If the latter, what about libraries -- a binary compiled with a certain library would make all subsequent programs linked with the same library illegal?

  53. Re:If disabling works... by Sarkazmo · · Score: 2

    Yes, by all means, let's dump the best browser around because people can't dig a coupla dialogs to disable a convenience feature. People who haven't found that option or didn't care to turn it off, are mostly the same people that feature was designed for. This is not an MS bug; it's a double standard.

    --

    Sarkazmo is the assumed identity of a long-time /.er, who is now fed up.
  54. Anonymous surfing... by spaceshooter · · Score: 1

    Ok, hands up who doesn't actually turn off about 99% of the new 'features' in MS products? Just about every checkbox in my case gets cleared. So as long as these features can be turned off, it's ok with me. But just to remind it's not just MS using these tracking things, check the Realplayer options...it seems to be a trend to send 'anonymous information' from programs (Winamp etc). Anyway, anonymous surfing is a joke. For all you who think you're safe from any tracking as you've turned off cookies etc, session tracking can be done otherwise. If you haven't noticed, long URLs (something like session_id=wekj5iogocx06498sskbi45...) are just to track you. All links are generated dynamically and include this string, so every page knows where you've been and how long. Further, browsers give lot of information about you, such as browser vendor/type/version, OS, screen modes (javascript), etc. These combined with the IP address, you (your machine) may be identified. I've even seen a site using traceroute to trace the location of a user. So maybe this "persistence" thing is not a big deal.

    ---------------------------

    --

    ---------------------------
    I got lost in space.
  55. Re:Cancel My Subscription to Bugtraq by costas · · Score: 2

    Neah... they're just feeding the Christians to the lions so to speak. How newsworthy is a bug in Mozilla? Half the people will repeat the many-eyes, shallow bugs thing all over again and then the page views would die down. Besides, the Slashdot Queue would have nothing else.

    Of course, they (that conglomerator of OSS sites, Andover.Net Inc) would much rather throw a beefy, meaty Microsoft bug at the starving flamers, err... /.ers I meant.

    I mean you have to go *three* dialogs down to turn that feature off! Unbelievable! If RMS had designed IE, there would have been an option right there in ~/.ierc! Of course it would have been tab-sensitive and in ~/.ierc's unique little syntax, but you could definitely find it with a good man page and a text editor...

    Double standards; not just for Redmond any more.

  56. Re:haiku by mparcens · · Score: 1

    Well, I don't know what haiku you're writing, but where I'm from (admittedly, it's in the deep-seeded traditionalistic Haiku Belt in the deep South) a haiku is 5-7-5...

    So many pr0n sites,
    He's forgotten how to write.
    must be IE's fault.

    _________________
    JavaScript Error: http://www.windows2000test.com/default.htm, line 91:

  57. Re:This isn't as important as.... by Taurine · · Score: 2

    The current CVS version of KMail (for the upcoming KDE 2.0) has 'view as HTML' as a per-folder setting, and the default is off. The idea is that you create a folder with HTML enabled and a rule that moves email from trusted HTML-mail senders into that folder when you get new email. It's a pretty neat feature.

  58. Re:Better Documentation A Start? by nhavar · · Score: 1

    How about just trying "personal information" in the index of the help file?

    --
    "Do not be swept up in the momentum of mediocrity." - anon
  59. Re:This is why LAW should require source disclosur by webrunner · · Score: 1

    Unfortunately, the way things are going, some group like the MPAA and RIAA will probably make it illegal to write an open source program at all in order to 'protect the author's intellectual property, and oh, did I mention, you owe me 20,000 bucks for the service'

    ----

    --
    ADVENTURERS! - ANTIHERO FOR HIRE - CARDMASTER CONFLICT
  60. Re:Bah! by whovian · · Score: 1

    Not to mention delivering the content they *think* you want (i.e., that which they can convince you you should have). Advertising is nifty that way.

    --
    To-do List: Receive telemarketing call during a tornado warning. Check.
  61. Persistence pays off! ;) by Halster · · Score: 2

    Persistence is futile! - You will be Mozillinated! ;)



    "How much truth can advertising buy?" - iNsuRge - AK47

    --

    "How much truth can advertising buy?" - iNsuRge - AK47
  62. It's not like this should be a surprise to anyone. by interstellar_donkey · · Score: 1
    I have, and I think most people have come to the conclusion that everything I do on the Internet could be public knowledge, or, in other words, I simply would not go to a website or send an email that I would not want the whole world knowing about.

    At the same time, however, the whole world probably doesn't care.

    If Microsoft wants to track where I go, I guess it doesn't bother me. There's nothing they could do to use that information against me. At the very least, if I have to get spam, or see banner ads when I visit a website, at least those ads/email will be catered to my interest. And, perhaps if companies were able track my behavior for the past 6 years, in which time I have never responded to a Spam email, they will eventually stop sending them.

    Then again, that probably will not happen.

    I know that there are some people who want to protect their privacy, and to them I say 'let the buyer beware'. Microsoft has proven again and again that they operate with questionable ethics, and while it is to be assumed that nothing you do on the Internet is truly private, it is also to be assumed that Microsoft will attempt to profit from its users regardless of right or wrong. We still don't know the contents of the source of the Windows OS, and what information it stores and could potentially send out, so if you use a Microsoft product, always assume the worst.

    If you're concerned with privacy, run Linux on an AMD processor.

    --
    The Internet is generally stupid
  63. Re:You have a lot more to worry about by ucblockhead · · Score: 3

    It is not as easy as you think. The IE ActiveX control is pretty much built into the OS. This makes it pretty much a given that anyone who wants to render HTML in their app is going to be using IE. We aren't necessarily talking obvious browser apps, either. It is very, very likely that you are using IE at times and not even knowing it.

    --
    The cake is a pie
  64. Announcement: IE Calls Spouse, Parent W/O Warning by Saint+Aardvark · · Score: 5
    Redmond, WA (AP) -- Microsoft (NASDAQ: MSFT) today admitted that Internet Explorer, from version 4.2, has had the capability to phone the user's spouse or parents without warning and inform them of the user's browsing habits, including listing specific sites and the names of image and movie files downloaded.

    The capability, described as a "feature" by Microsoft, came to light on the BugTraq mailing list three days ago after an angry user revealed that his copy of IE 5.1 had phoned his wife to tell her about his subscription to hotmonkeylovin.com.

    "This is a perfectly standard feature of any web browser," said a Microsoft spokesman. "As with all aspects of life on the internet, there is a tradeoff here between a very valuable capability and a vanishingly small, almost theoretical loss of privacy."

    Free Software Foundation guru Richard M. Stallman was unavailable for comment. A source close to the programmer said that Stallman was "busy reformatting his Windows partition."

  65. Re:It's a Feature! by Black+Parrot · · Score: 3

    > > "This feature has a trade-off, like almost every other feature on the Web--in this case, between functionality and a minor, potential privacy exposure," said Michael Wallent, product unit manager for IE at Microsoft. "The consumer that enables first-party cookies is even more exposed. This should only be an issue for someone who has disabled all cookies and is concerned about unique identification."

    <babblefish>Unless you find all the other security problems we built into IE, there's not much reason to worry about this one. If you use IE, they're going to get the information, one way or another.</babblefish>
    --

    --
    Sheesh, evil *and* a jerk. -- Jade
  66. Re:This is why LAW should require source disclosur by Karellen · · Score: 1

    It's an interesting point that I thought up while considering the DeCSS ruling.

    The Judge did point out that object (machine) code could not be considered "speech" to get 1st amendment protection as it was not expressive enough.

    If the object code is not artistically expressive though, is it copyrightable?

    There's a lot of overlap between 'copyrightable' & 'free speech' - I was hard pressed to think of things that fell into one category and not the other. Anyone?

    --
    Why doesn't the gene pool have a life guard?
  67. Re:In related news (uSoft unSecurity) by Trracer · · Score: 1

    There are several programs which allows you to execute any program as a service, or since you are a programmer, just write your program to be a service (if that fits).

    --
    English is not my first language, so cut me some slack -: Om du kan lasa det har sa kan du Svenska :-
  68. Re:Better Documentation A Start? by Spoing · · Score: 3
    Clearly documented explanations of the security features that one can toggle in the Internet Options -> Security tab would be one thing, but the lack of context-specific, right-click help (try it and see) or even the word persistence in the indexed help file (search and see) is somewhat silly.

    While I agree, I think you're expecting too much from Microsoft's documentation group. They have different -- and Annoying(tm) -- ideas about what should go in a help system. Let me say up front that I neither agree nor misunderstand why they dumb-down the docs -- we aren't their main clients!

    It's like an anti-man-page attitude; say How to do something not What something is or Why it is valuable. Much of the help provided is along the lines of "Print prints something to a printer" or worse "This button prints". In context, these might be OK...but the lack of extra details anywhere is just part of the design goal. Less is better...since it's not really necessary, is it? Anything more detailed would be confusing to a typical user.

    MS is, after all, the company that doesn't document the switch /MBR for their fdisk program (try it - fdisk /?)...why give detailed help on something that is much more of a user-level tool than a disk partitioning tool?

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  69. Re:Not surprising, but not a big deal by David+Hume · · Score: 1


    Somebody please mod this up. I laughed my ass off. The only weird thing is that what he describes is probably more intuitive than what is actually required.

  70. Slightly O/T: Deteriorating quality of MS docs by Cat+Mara · · Score: 1

    On a related note, has anyone else noticed the abysmal quality of recent Microsoft help and documentation? I recently downloaded the Windows Scripting Host help (in that wretched HTMLHelp format of theirs) and found it atrocious. The Office help system is equally poor; much of it isn't even installed by default! Is it any wonder that users are barely scratching the surface of Microsoft's gigantic apps with documentation this poor? Meantime, bored teenagers flood the world with macro viruses, because they're the only people with enough time on their hands to decipher the obtuse, uninformative, and shoddily-written dreck that MS tech writers serve up as `help' these days.

    IMHO, in the days when MS were building their market share, their online help and documentation were regarded as showcases to demonstrate the cool features of their products as well as an exploratory tool. Now they have everyone locked into their platform, help and doc is at best considered a revenue drain or a potential cash-cow, where you have to take out a subscription to get access to information that used to be free.

    It sucks. Open Source documentation is often badly-written (often because English is not the native language of the writer) or woefully lacking, but at least most Open Source writers are genuinely interested in teaching you about their wares and solving your problems. Whereas these days, MS `help' seems only there so MS can write `fully hyperlinked online Help system!' on the back of the box.

  71. Re:In related news (uSoft unSecurity) by webrunner · · Score: 1

    Okay, umm, is it just me or is there some "-1 flamebait" happy moderator reading this? I've seen 3 instances where even slightly anti-ms messages in this discussion got 'flamebait' - mine wasn't even that anti-ms, just about the misleading 'windows password' system.
    ----

    --
    ADVENTURERS! - ANTIHERO FOR HIRE - CARDMASTER CONFLICT
  72. Re:Not surprising, but not a big deal by Anonymous Coward · · Score: 1

    Just type Esc-WindowsKey-Alt-space while holding down the right mouse button and moving the mouse in a "U" shape. When the secret room appears, run and grab the magic goblet. This will let you kill the clipboard assistant, which then lets you do whatever you want. It's in the manual.

  73. Re:It looks to me like this can be easily disabled by kaphka · · Score: 4
    But why doesn't it shut off when you have your security level set as high as it can be?
    It does.
    Why didn't they place the controls for such a device in a more obvious location?
    What would be more obvious than Options->Security?
    Does "user data persistence" even give you a clue as to what it's actually doing?
    You've got me there. It doesn't even have a help topic, like many of the security settings. That's a bit of a pain.
    --

    MSK

  74. Re:It looks to me like this can be easily disabled by RickHunter · · Score: 1

    And people claim that windows is less obscure than the Unix command line.... ;-)


    -RickHunter
  75. Re:It's a Feature! by Zaaf · · Score: 1

    So you only have a problem if you use it on a pc which contains privacy sensitive information and / or programs other than those used for web-access.
    Yeah, so there's no problem. hmpff.

    ---

    --

    ---
    "Multiple exclamation marks are a sure sign of a sick mind." (Terry Pratchett)
  76. Re:This isn't as important as.... by DrTomorrow · · Score: 1

    You mean like this???

    <IMG SRC="http://images2.slashdot.org/Slashdot/pc.gif?/article.pl,968716987" WIDTH=1 HEIGHT=1>

    and

    <IMG SRC="http://images.slashdot.org/pagecount.gif?/article.pl,968716987" WIDTH=1 HEIGHT=1>

    --

    Everything in this post is false.

  77. How exactly does this TRACK you? by BradleyUffner · · Score: 1

    As far as I can tell this data is only accessible from the local computer, so how does this invade your privacy? And how can it be used to track your movements on the web? So it will tell someone sitting at your computer that you went to MS knowledgebase and tried to find a VC++ problem... It doesn't tell them what links you actually followed, or what you did. This doesn't seem like a big security issue at all. Plus it can be easily turned off under the preferences dialog.

  78. Re:It is easily fixed by Hammer · · Score: 1

    There is an even easier fix.
    Use Linux and Mozilla :-)

  79. Re:This isn't as important as.... by Rahoule · · Score: 1

    You mean like this???
    <IMG SRC="http://images2.slashdot.org/Slashdot/pc.gif?/article.pl,968716987" WIDTH=1 HEIGHT=1>
    and
    <IMG SRC="http://images.slashdot.org/pagecount.gif?/article.pl,968716987" WIDTH=1 HEIGHT=1>

    Good observation. There's also Slashdot's tracking cookie, for extra measure. What's with the "anon=" cookie?

    When I load the main page, or any page run by a Perl script I get a cookie like this: "anon=-1-pbfSkYi0dH". This has only been introduced in the last few months.

    Can anyone who worked on the Slash source explain this? It persists even when I'm logged in. Is this a way to identify people who post or browse anonymously by logging out? Or is it used by advertisers?

    I thought Slashdot was against tracking users in this manner!

  80. Where is the security threat exactly? by guinsu · · Score: 1

    Ok, I guess I don't understand which feature of IE they are referring to because I can't seem to figure out what the problem is.

    The persistence feature is what lets me go to google, start typing in a search term and have all my old search terms with that letter pop up in a drop down box right? So how does this let a site uniquely identify me? Is this information accessible to Javascript running on that page? Does the entire list of everything I searched for get sent to the server or is it just kept on my hard drive?

  81. Re:Two issues... [wonder if this will ever get rea by Ergo2000 · · Score: 1

    Point #2 is classic and dubious: If you EVER use a PC that isn't under your complete control then you shouldn't be doing anything you shouldn't be doing. All your keystrokes, your pacing, your web sites, etc., can and possibly are logged.

  82. Re:This is why LAW should require source disclosur by mangu · · Score: 2
    I'd have to say most companies don't want to release the source code of their products because:

    a) They are afraid that someone will actually see how shitty they made the program

    b) Have no idea there is an open source movement out there

    c) They want to keep all their eggs in one basket so to speak.

    And don't forget:

    d) Such decisions are made by lawyers and managers, who have no idea how software is created.

  83. This isn't as important as.... by caetin · · Score: 3

    oh, say, bug files? Now you can't even turn those off.. for those of you who do not know, bug files are little 1x1 gifs (or any other image/html/etc format) that link to a page something like: ... very suspicious address? indeed. With the right server-side encoding (php can do it, asp can do it, cgi can do it) you can make the browser think it's getting a 1x1 image, when in reality it's sending unique identification information. Unfortunately i don't remember the link to the place that had a nice big write up on it. They had a list of some big and oft-visited sites which used this method. Next time you're bored check out some big sites' source and see if you see any questionable image tags. Makes local stored data from stupid searches seem kinda trivial now doesn't it?

    --
    when you're this sexy, do you really need a witty signature?
    1. Re:This isn't as important as.... by alexpage · · Score: 1

      Now you can't even turn those off..

      Unless you install something like WebWasher and get it to filter out 1x1 gifs. Of course, you lose a little functionality on sites which have a legitimate use for them, so you could always script up your own. I'd suggest filtering 1x1 gifs which (a) have an argument string or (b) come from a different domain.
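The filter rule suggested in the reply above (1x1 images that carry an argument string or come from a different domain), as an added Python example that is not part of the original thread and not WebWasher's code. The sample HTML and host names are constructed, and "same domain" is approximated by comparing the last two host labels.

```python
"""Flag likely web bugs: 1x1 images with a query string or a third-party host."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def site_of(host):
    """Crude 'same site' key: the last two DNS labels.

    Assumption for this example: no public-suffix list is consulted, so
    hosts under suffixes such as co.uk are grouped too broadly.
    """
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_one_pixel(value):
    """True for width/height attribute values such as '1' or '1px'."""
    if value is None:
        return False
    v = value.strip().lower()
    if v.endswith("px"):
        v = v[:-2].strip()
    return v == "1"


class _ImgScanner(HTMLParser):
    """Collects <img> tags that match the 1x1 + (query | third-party) rule."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <IMG SRC=...> matches.
        if tag != "img":
            return
        a = dict(attrs)
        if not (is_one_pixel(a.get("width")) and is_one_pixel(a.get("height"))):
            return
        src = a.get("src")
        if not src:
            return
        # Resolve relative URLs against the page before comparing hosts.
        url = urlsplit(urljoin(self.page_url, src.strip()))
        reasons = []
        if url.query:
            reasons.append("query-string")   # rule (a): has an argument string
        if site_of(url.hostname) != self.page_site:
            reasons.append("third-party")    # rule (b): different domain
        if reasons:
            self.findings.append((url.geturl(), reasons))


def find_web_bugs(html, page_url):
    """Return [(absolute_image_url, [reasons])] for images the rule would filter."""
    scanner = _ImgScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (not taken from any real site).
SAMPLE_PAGE_URL = "http://news.example/article.pl?sid=1"
SAMPLE_HTML = """
<html><body>
<IMG SRC="http://images.news.example/pagecount.gif?/article.pl,12345" WIDTH=1 HEIGHT=1>
<img src="http://tracker.adnet.example/b.gif" width="1" height="1">
<img src="/images/spacer.gif" width=1 height=1>
<img src="http://images.news.example/logo.gif?v=2" width="120" height="40">
</body></html>
"""

if __name__ == "__main__":
    for url, reasons in find_web_bugs(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print(",".join(reasons), url)
```

The same-site spacer image with no query string is left alone, which is the legitimate use the reply wants to keep. The rule only looks at images declared as 1x1, so it misses any tracking image served at another size.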

    2. Re:This isn't as important as.... by great+throwdini · · Score: 1

      Somewhat offtopic, and oft-mentioned on SlashDot ... if you are looking for an example of web 'bug' implementation, look no further than the HTML direct email marketers send out... 'bugs' of this sort are a threat only insofar as they might be tied into long-term tracking databases. You overlook the fact that the images need not be 1x1 in size, as more clever implementations can return any image while still capturing the desired information.

      The purported threat here is that 'persistent userdata' may permit access to information other than that commonly available to web 'bugs' ... that may or may not be the case, but I would suspect that any meaningful exploit of this feature would require someone or someones capable of tracking the information across sites and/or someone or someones maliciously accessing stored preferences from other sites.

      Don't see any evidence of either as of yet, only the potential for future (ab|mis)use.

    3. Re:This isn't as important as.... by caetin · · Score: 1

      sorry, i forgot about the whole html linkage part of things :) bug files are in the format: <img src="http://servername.ext/somefile.ext?querystring=blahblah"> ... etc i still haven't found the page, i really am looking.. it's a very good read.. makes stuff like this seem less than trivial..

      --
      when you're this sexy, do you really need a witty signature?
    4. Re:This isn't as important as.... by Village+Idiot · · Score: 1

      On a similar note, if you are interested in filtering out some of these 1x1 gifs and ads from sites you can find sample windows hosts.sam files with a list of less than desirable web ad sites etc at Fravia's Searchlores page. Just do a local search on his site for doubleclick and you get quite a few links to lists of addresses you could add to your hosts.sam file (in windoze) or i assume (as I haven't tried it yet) /etc/hosts. A direct link to one of the lists can be found here

  84. Better Documentation A Start? by great+throwdini · · Score: 5

    From the article

    Hint, the link is there to remind you to read it

    Microsoft defended the feature and pointed out that the vast majority of Web surfers already are knowingly vulnerable to the same level of exposure. "This feature has a trade-off, like almost every other feature on the Web--in this case, between functionality and a minor, potential privacy exposure" [...]

    Not to rant, but I cannot understand how such specious reasoning would find its way out of the mouth of a Microsoft representative. How could they possibly argue that since users are already at much greater risk from other features/exploits, one more "minor" inconvenience shouldn't matter?

    Clearly documented explanations of the security features that one can toggle in the Internet Options -> Security tab would be one thing, but the lack of context-specific, right-click help (try it and see) or even the word persistence in the indexed help file (search and see) is somewhat silly.

    Why would I have to journey to the developer's corner (link lifted from article) to learn what features are present in my browser? Maybe it's time that end-users insist on better [more immediate] documentation from Microsoft, especially with regards to things categorized under the heading of security

    ps - SlashDot still has its woes when dropping in long URLs. God bless the preview button

    1. Re:Better Documentation A Start? by NaughtyEddie · · Score: 2
      Yeah, coz you'd never get specious reasoning on Slashdot.

      Let's all laugh at the funny Microsoft man.

      --
      It's a .88 magnum -- it goes through schools.
      -- Danny Vermin
    2. Re:Better Documentation A Start? by Surak · · Score: 2

      Not to rant, but I cannot understand how such specious reasoning would find its way out of the mouth of a Microsoft representative.

      Ummmm...we are talking about a Microsoft representative here ... :)

      Maybe it's time that end-users insist on better [more immediate] documentation from Microsoft, especially with regards to things categorized under the heading of security

      <facetious mode> But Microsoft's applications are so easy to use, they don't need documentation. I mean, you know, Linux is so much harder to use than Windows, so they actually need it, but Microsoft....nahh...it's just point and click. </facetious mode>

    3. Re:Better Documentation A Start? by great+throwdini · · Score: 1
      How about just trying "personal information" in the index of the help file?

      Originally, I was referring to the use of the Search feature to ferret out anything in the immediate documentation that had to do with persistent userinfo.

      Your suggestion, though it makes sense, doesn't turn up any meaningful information, either. At least not in *my* IE5.5 help files.

    4. Re:Better Documentation A Start? by TheNightOwl · · Score: 2
      ...I cannot understand how such specious reasoning would find its way out of the mouth of a Microsoft representative. How could they possibly argue that since users are already at much greater risk from other features/exploits, one more "minor" inconvenience shouldn't matter?

      It is amazing what "Public Relations" folks can come up with. This is essentially a "troll"; it attempts to change the focus of a discussion by raising a partially related, but potentially inflammatory point. Most good journalists/interviewers wouldn't let them get away with this without providing a counterpoint.

  85. Re:Complex problem, simple solution by pb · · Score: 1

    Try w3m; it's really usable in a big xterm, especially with the mouse support and whatnot.

    However, if you need a graphical browser on that box... well... There are a few browsers around designed for low-end machines, like Arachne, but they probably work better in DOS. And some other ones that tend to be pretty were generally designed primarily as file-browsers, like kfm...
    ---
    pb Reply or e-mail; don't vaguely moderate.

  86. Re:Oh for some privacy by caetin · · Score: 1

    hahahaa..you brought out a very serious issue in a funny manner :). people act like if anyone (especially microsoft.. ohhhhh) can see *anything* they do online, its an absolute breach of privacy. what about telemarketers, junk mail (the paper kind) and people seeing you in public? the best way to get absolute privacy online? ditch your computer. stop whining that somebody may be able to see your yahoo search for "how to use grep"

    --
    when you're this sexy, do you really need a witty signature?
  87. Re:In related news (uSoft unSecurity) by sirhc · · Score: 1

    I take a blank palm pilot to your computer, which is locked, and I sync with it and copy all of your palm pilot data

    Except that when you synchronise a blank palm pilot the PC asks you which user this is for, and if the machine is locked you can't select one.

    turn off access to the serial port, USB, port

    What a good idea, and why not network traffic as well. In your world you couldn't leave a machine working with anything outside the box and lock it. How secure. How sensible.

  88. Re:For the Mac IE too? by pb · · Score: 2

    I don't think so, but more than one poster has mentioned something about a userdata persistence option...
    ---
    pb Reply or e-mail; don't vaguely moderate.

  89. A few privacy tidbits to ponder.... by tewl · · Score: 2

    Some people may not care who sees what websites you visit, etc., but I do. I don't want this information shared with other companies who can then use me as a target consumer for their products.

    Think about how much this goes on in every day life......

    If you have a supermarket discount card (like a Star Market Card), every time you use it for purchases, retailers use it to track exactly what you've purchased, how much you spent and how often you shop. This information can then be shared (as with what website you visit) with product manufacturers who then feel you may be interested in their products.

    Insurance claims. The information on your medical records is not protected by federal law, but something as inane as video rental records are. Every time you make an insurance claim and sign the form, you authorize doctors to release sensitive information to insurers and other third parties, like the Medical Information Bureau, which keeps records of health problems on some insurance applications and forms and informs insurers about pre-existing conditions, making it potentially harder to receive quality insurance. These records can be shared with various companies, but in half of the states in the US, you don't have the legal right to see your own medical records.

    A practice that is picking up speed in restaurants is the use of cameras spying on diners. The chefs then watch the diners so they can time when to serve the next course. I find this pretty scary that someone is watching my every bite.....

    Everyone knows that cell phones aren't safe, don't say anything on them or on a portable phone that you don't want your worst enemy to hear. It can easily be intercepted, and I know this from first hand experience, living in a dorm, a few of my suitemates would sit around every night and listen in on numerous conversations going on in the dorm every night!!!!

    Consumer advocates and the Clinton Administration say financial privacy has been further endangered by a federal law passed last year that made it easier for banks to merge with other financial firms, such as brokerages and insurance companies. Though the law includes provisions to protect consumer privacy, critics say that there are loopholes that could lead, for example, to a bank denying a loan to a customer because its health-insurance affiliate's data reveals that he or she is being treated for a life-threatening illness.

    There are hundreds of ways that the private citizen is becoming less and less private, and it is sickening.

    For more, check out LHJ.

    1. Re:A few privacy tidbits to ponder.... by jeffry_smith · · Score: 1

      Insurance claims. The information on your medical records is not protected by federal law, but something as inane as video rental records are. Every time you make an insurance claim and sign the form, you authorize doctors to release sensitive information to insurers and other third parties, like the Medical Information Bureau, which keeps records of health problems on some insurance applications and forms and informs insurers about pre-existing conditions, making it potentially harder to receive quality insurance. These records can be shared with various companies, but in half of the states in the US, you don't have the legal right to see your own medical records.

      Actually, they are protected by the Health Insurance Portability and Accountability Act (HIPAA), which mandates that they get your signature for release, places stiff penalties on misuse of medical records (including fines and jail time for disclosing them improperly), etc. It also mandated that the Secretary of HHS define the rights of the individual who is insured in regards to the records.
  90. No, they use C-notes by mangu · · Score: 2

    That "100 USA" strip inside the paper in the $100 bills is a beacon transmitter that can be tracked by the Space Shuttle. I saw it in a documentary.

  91. Re:You have a lot more to worry about by costas · · Score: 3

    I personally have taken the version of VIM with embedded Python, spliced in Python's built-in HTTP client classes, and use vi to view the source text, with the garbage tags stripped out.

    I would've used Emacs for this, but I cannot trust LISP (the language's emphasis on parentheses is antithetical to a prototypical architecture of a secure steganographical system) and I am worried that RMS may one day demand that the pages I view be switched to the GPL since I am using a GPL program to look at them.

    I am now working on a kernel patch for /dev/web, which would map the Web's raw feed to a device that I can just cat to my standard out.

    Explorer kicks ass, BTW.

  92. Re:This is why LAW should require source disclosur by cpt+kangarooski · · Score: 2

    Frankly, I've got to agree with you here. As a society, we have created copyrights out of whole cloth (no Virginia, you aren't just entitled to them) to promote the further advancement of the arts and sciences.

    So why should software be copyrightable if the part that permits the most significant advancement (the source) is kept under lock and key? They don't even need to supply it to users directly - just being required to deposit a copy with the Library of Congress in order to register the copyright would be enough to make me happy.

    We already require this for patents; software is an amalgamation of a creative written work (copyright) and a functional device (patent) so why not require it? It's not as though it would be hard to find out who was copying the source code for non protected purposes (Fair use would of course apply)

    --
    -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
  93. Re:This is why LAW should require source disclosur by jeffry_smith · · Score: 1

    Slight correction - ideas are protected by patent. Copyright is intended to protect the EXPRESSION of an idea. i.e. the idea of waterbeds could have been protected by patents (except the person who developed the idea didn't think it was NOVEL enough). However, writing stories that include waterbeds are protected by copyright, and I could (if I had any talent) write one, even though many others have written them.

  94. Re:If disabling works... by Fishstick · · Score: 2

    >I tried to use the junkbuster proxy behind IE, and half the time, IE went directly to the site in question, bypassing junkbuster

    How's that again? That doesn't seem likely. I've used IJB for a while as my proxy on my home firewall, IE doesn't have any other way out of my home LAN (masq set up for lots of things, :80 not one of them) so if IE were to ignore the connection settings (half the time?) I wouldn't be able to surf (the times when I use IE5).

    I do agree with the sentiment, 'when in doubt, disable'.

    --

    There is much cruelty in the universe, John.
    Yeah, we seem to have the tour map.

  95. Re:Not surprising, but not a big deal by nhavar · · Score: 1
    OMG that would mean that I would actually start getting ads for *GASP* things that I want to buy?!? Oh the horror. And as someone pointed out previously, what the fuck do I care that bob@bob.com is getting e-mail about new tractors for sale, or hot TEEEEEN action. Most times when software/sites ask me to register I give them bogus shit anyway as do many of the people I know out there. So Achmed Pettoooie I apologize for all the porn mail you've received because of people tracking me across the internet...

    this is mostly bullshit anyway. As a web developer I develop shit all day that depends on being able to track a user's every move and there are probably more server side ways to do it than there are client side. Most sites once you hit the site you've already been tracked, every browser sends a nice little readable data package that you can use to determine what to give them and track them when they go to the next page on your site. Does anyone know what "session" is and how to destroy one?

    WAKE UP PEOPLE THIS IS NOTHING NEW.

    --
    "Do not be swept up in the momentum of mediocrity." - anon
  96. Re:In related news (uSoft unSecurity) by Ergo2000 · · Score: 1

    If you want your program to run under a configured account when the computer is booted then you want to create a service and that'll do exactly what you want. If you don't have tools that can create a service (all major tools can. On Friday I quickly modified a server app from a Delphi application to a multithread service) then use the NT Resource Kit and the program "SRVANY.EXE" which is used to wrap a standard application as a service. Of course generally if an application is a service you forsake a GUI (which should be ay okay).

    Cheers

  97. Re:You have a lot more to worry about THE SOLUTION by jccq · · Score: 1

    I completely agree with you this is a serious problem. Software tracks what you do, what files you handle, without telling anything to you .. I recently had an argument with the ACDSee coders over their "feature" of storing a complete database of everything you saw with their software (complete paths and filenames, together with small thumbnails sometimes) and they refused to acknowledge that there might be some users that DON'T WANT the whole world to know what they have been looking at on their computer.

    The solution? the only solution that's 100% safe and simple is to keep an entire machine as a VMWARE file all inside a BESTCRYPT file!

    in a SINGLE move get rid of any chance for any forensic software to snoop into your OS details :-)))) AH.. of course you don't have to keep your DATA in the virtual machine.. you can leave your BESTCRYPT file in the HOST machine and access it via VIRTUAL NETWORK from the VMWARE machine! :)) (on which you must have installed bestcrypt as well). Email me if you want to discuss details more. I am writing some web pages about all this.

  98. Re:You have a lot more to worry about by webrunner · · Score: 1

    I've never understood the fascination with Opera. They charge for a web browser that does LESS than what their competition (Netscape, IE, Mozilla, etc) does for free.

    --
    ADVENTURERS! - ANTIHERO FOR HIRE - CARDMASTER CONFLICT
  99. Re:haiku by l33t · · Score: 1

    Bah! It was a free form Haiku, the kind I used to write when we didn't even have web-browsers, and had to surf the web using sticks and bits of glass... boy, that was back in the day...

  100. Re:Am I the only one? by cmeik · · Score: 1

    Ok, you have brought up an excellent point.

    I am definitely giving you credit for that one..

    Chris

  101. Re:In related news... by Ergo2000 · · Score: 1

    A lot of FTP servers also do a reverse identd connection as well. Lots of SMTP servers do this as well. I've always been rather curious as to why they do this : How many people have REAL information in there?

  102. What is this "E" browser? by IGnatius+T+Foobar · · Score: 2

    I'm confused. It looks like some weird version of Netscape -- except there's an "E" where the "N" should be, it has lots of security problems, and it doesn't seem to work on Linux. Is this somebody's idea of a joke?
    --
    Tired of FB/Google censorship? Visit UNCENSORED!
  103. Re:Am I the only one? by TWR · · Score: 1
    the only people that care are the ones who are doing something illegal. if you were searching for "cute puppies" would you care if anyone knew? if you were searching for "how to grow your own pot" or "methlabs for dummies" you might get a bit more worried..

    The problem is who defines "Illegal?" If you're in China and you search for "Falun Gong," do you want the secret police showing up at your door?

    If you think that sort of thing couldn't happen in the Free World, try this example: What if you were searching for "DeCSS" in the good ol' US of A and visited a WWW site owned by some company which is associated with the MPAA? Wouldn't they like to know about that?

    -jon

    --

    Remember Amalek.

  104. Re:Not surprising, but not a big deal by Kaa · · Score: 1

    My personal hate is a numbered list where I want 1,2,3,3a,4 and Word wants 1,2,3,4,5.

    I could never understand why it is that people are so proud of their inability to deal with software. Proud enough to boast of it on Slashdot!

    Making Word do 1,2,3,3a,4 is trivial. Look into Format/Bullets and Numbering/Outline Numbered. Click the Customize button and specify whatever you want, your favorite sequence included.

    Kaa

    --

    Kaa
    Kaa's Law: In any sufficiently large group of people most are idiots.
  105. What about the mm*.dat files? by (H)elix1 · · Score: 1

    I remember a while back that the mm256.dat and mm2048.dat files would cache cookies, URLs, query strings, and (not sure about this one) installed programs. Win95 and NT were real bad.... You can imagine the surprise when I showed my boss we could tell he was surfing p0rn - even with a "cleared" history and using the phone jack in his cube.

    I see 98SE + IE5 has at least one copy (visible)...

    Anyhow, a quick google search turned up this link if you want a bit more info.

  106. Re:So? by Foogle · · Score: 1
    Occasionally people install software to *use* it, not to play around with all the pretty sliders and buttons.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  107. Re:You have a lot more to worry about by Starselbrg · · Score: 2
    Your rant about RMS was stupid, but I like your other two ideas. /dev/web sounds interesting. I wish I knew more about devices and the kernel to consider its implications.

    The real worth of your post, however, is this idea with Python used to use VI as your browser. Perhaps you have the source of this work up somewhere?

    --
    Got HTML? Want LaTeX? Try html2latex
  108. Disable Stuff -- reg edit by KiboMaster · · Score: 1
    I found this program quite a while ago... it's a real handy reg tweaking utility. With all of the available plugins you can download off the page you can disable all of IE's "features"

    http://www.xteq.com/main.html

    The program is called x-setup... you can find links to more plugins on the page.

    --

    "Happiness in intelligent people is the rarest thing I know."
    -- Ernest Hemingway

  109. Oh, Great, now I need 2 browsers by SatelliteBoy · · Score: 1
    One for general surfing, one for surfing pr0n^h^h^h^h private matters.

    Though I don't run IE (hard to do in Linux), all these browser bug reports have me concerned about protecting privacy. I'm coming to the conclusion that connecting to a network ends any reasonable expectation of privacy.

    I'm too young to be bitter and cynical, but there you are.

    -SB

  110. Two issues... [wonder if this will ever get read] by AstynaxX · · Score: 1

    1. if it is saved, it is in a file somewhere. If it is in a file somewhere, it can be retrieved with enough persistence.

    2. It's an even worse physical location security problem. Say you go to a university computer lab, or browse from work [at lunch or after hours, so as not to loaf on company time, of course;)], and visit sites you'd rather not have folks at that location know you've been to, this feature is another bullet to dodge.


    -={(Astynax)}=-

    --
    -={(Astynax)}=-
    "Darkness beyond Twilight"
  111. Re:In related news (uSoft unSecurity) by caetin · · Score: 1

    what about people with usb keyboards? how are they gonna press ctrl-alt-del to access it? People forget one thing-- someone has to have physical access to the computer to do this. if you can't trust the people around you with that kind of stuff, close the hotsync manager when you're done with it.

    --
    when you're this sexy, do you really need a witty signature?
  112. Re:You have a lot more to worry about by \\x/hite+\\/ampire · · Score: 1

    Last time ActiveX had a major security flaw (I think it was a year or two ago) there was a clear cut way of disabling the ActiveX "feature." I wish I remembered exactly how this was done but it's been many moons since I've even touched Windoze.

    I honestly don't know if this has changed since W2K came but the option was in one of the main IE control panels.

    --

    ``We are the people our parents warned us about.''
  113. Re:Am I the only one? by cmeik · · Score: 1

    I would have to agree with this. I don't really care where my movements are tracked. I use the web for slashdot, uf, freshmeat, thinkgeek and copyleft. Occasionally other stuff like google if I need to research a problem, /etc. But I mean, so what if they track you. What are they really going to use the information for? Advertising, I dunno. I guess I am just trying to say that I am not surprised, oh no, and that I don't see why it is that big of a deal.

  114. Oh for some privacy by SIGFPE · · Score: 4

    I tried to buy some porn the other day at the local bookshop. But guess what - people look at you when you pick it up off the shelf - like everyone in the store! It's worse - when you go and pay you actually have to interact with another human! It's even worse - they remember who you are and the next time you go shopping there and your wife comes along it's very embarrassing. I think there must be some kind of multinational corporation conspiracy thing going on with the retailers in cahoots with the publishers in order to track me. Scary stuff.

    --
    -- SIGFPE
    1. Re:Oh for some privacy by rOZn · · Score: 1

      Security Conscious Translation:

      I tried to buy some bondage porn yesterday at the local bookshop. I've been trying to spice up the marriage ya know? But when I went to pick it up, everyone near me pulled cameras out and took my photograph. From like a half dozen angles! It's worse, when you go and pay you have to interact with another human being who asks for your ID, not only checks your age, but writes down your Social Security number and photocopies your driver's license next to the BDSM porn you just bought. He puts it all into a Big Black Book behind the counter. The next time, when I went into the bookstore with my 5 year old daughter, I had a sales clerk come up to me with a copy of Whips and Chains Monthly. I tried going to a different store, but they already knew me because the first bookstore had given them a copy of The Big Black Book. I left the store with my hat pulled over my face. Unfortunately it was too late and now I receive subscription ads to Bondage Babes at my house constantly.

      I think there must be some kind of multinational corporation conspiracy thing going on with retailers in cahoots with the publishers in order to track me. Scary Stuff.

      End Translation

    2. Re:Oh for some privacy by Foogle · · Score: 2
      Very funny, and very true. Why do people expect that online transactions should be any more anonymous than physical ones? Are we so afraid that others should know what we're doing? Privacy is important, but it's not the end-all to life.

      -----------

      "You can't shake the Devil's hand and say you're only kidding."

    3. Re:Oh for some privacy by Plonk · · Score: 1

      ..when people go to the local porn shop, they know the privacy issues involved.

      Do they? Or are they presuming the privacy issues? The fact that other customers can see them there is obvious, but how do they know what the proprietor will do in respect of the customer's spouse.. or potential marketing firm?

      Plonk

      It doesn't matter whether a room is hot or cold.. it's still room temperature (bastardised from Steven Wright)

  115. In related news (uSoft unSecurity) by Black+Parrot · · Score: 2
    This just in on comp.risks (digest 21.04) -

    Date: Fri, 8 Sep 2000 15:03:39 GMT
    From: rubin@research.att.com (Avi Rubin)
    Subject: Windows NT/2000 "Lock Computer" allows palm sync

    In Windows NT and 2000, you can hit Alt-Ctrl-Del, and one of the options is to lock the computer. Then, a password is required to unlock it. A reboot also requires a password to log in, so it would seem that this is a pretty safe state to leave your computer in when stepping away from your desk.

    The other day, I pushed the button to sync my palm pilot, and it worked. Then I realized that I had locked my computer. I did some testing on Windows NT and 2000, and apparently, the Palm synchronization always works when the computer is locked.

    There are several risks/attacks:

    - I take a blank palm pilot to your computer, which is locked, and I sync with it and copy all of your palm pilot data. Many people keep a master list of accounts and passwords on their pilot, among other valuable/sensitive data.

    - In a more malicious version of the previous attack, I sync all your palm data. Then, I zero out the contents of each record in every database. Then I sync again. The result is very likely that I will delete all of the data on the PC, and that the next time you sync, all of the data will be deleted on the palm. I know of a case where this "attack" worked in practice, by accident.

    - I write a palm hack that does whatever I want it to do to your data. I then sync with your PC, and the hack gets copied to your pilot desktop. The next time you sync, the hack is installed on the palm.

    I am sure there are other attacks that I haven't thought of. Anyway, I think that if Windows NT/2000 is going to have an option to lock the computer, it must make access to something as important as all of the Palm Pilot databases inaccessible. Perhaps turn off access to the serial port, USB port, etc., and not just the keyboard.

    Avi http://avirubin.com/

    Ah, well. We should have known Microsoft had an, uh, innovative definition of "locked".

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:In related news (uSoft unSecurity) by askheaves · · Score: 2
      I tend to agree with my peers on this one. In fact, I don't think they go far enough with this concept. I don't like that I have to be logged in on a server computer in order to run software. Some server side apps (especially multiple ones from different vendors) need to have Administrator access to run. I would rather that the computer could be started and these services were run without a login... since I hate leaving a computer running that is already logged in as Administrator (root, to most folks here).

      Now, it would be easy to make the screen saver kick in and lock the computer, but what happens in the event of a reboot (malicious or power failure). The idea of this knocking out my Rational server until somebody walks into the room and types a password is ridiculous. I can't have it automatically log in as Administrator, because in the minute before the screen saver kicks in, the malicious guest 0wnz me.

      Maybe I'm just dumb. I'm a software developer, not a network administrator. But, in my limited experience, I haven't found a way to auto-run anything without a login.

      Overall, the idea of locking a WinNT computer is that the user can't start altering settings/data easily. But, applications should certainly continue running. If Palm decided that they don't mind protecting their data when running on a "Locked" computer, I don't fault Microsoft.

      --

      Because you can't, you won't, and you don't stop...
    2. Re:In related news (uSoft unSecurity) by costas · · Score: 2

      Hmm... so you're suggesting that MS should have locked all input devices coming in to the box, when you hit "Lock computer". I guess that would include the NIC, mouse and keyboard. Unlocking the machine would be a tad challenging then, I imagine.

      Surely the blame doesn't lie with the manufacturer of the device that doesn't check with the OS for what it should do. Or the author of the program. Because "they" are Palm Computing, which is a *good* monopoly, because of course they are not Microsoft.

      I see now.

  116. Re:Am I the only one? by caetin · · Score: 1

    the only people that care are the ones who are doing something illegal. if you were searching for "cute puppies" would you care if anyone knew? if you were searching for "how to grow your own pot" or "methlabs for dummies" you might get a bit more worried..

    --
    when you're this sexy, do you really need a witty signature?
  117. Re:You have a lot more to worry about by FFFish · · Score: 3

    So remove MSIE completely. In the future, return any software that turns out to require MSIE components.

    The process is quite nicely automated by [98Lite] which, despite the site name, actually has utilities that will remove MSIE from Win95, Win98, WIN98SE, and WinME. It'll nuke MSIEv3 through v5.x, and it does it safely.

    Worth a shot, at any rate!


    --
    Don't like it? Respond with words, not karma.
  118. Re:Not surprising, but not a big deal by Aussie · · Score: 2

    My personal hate is a numbered list where I want 1,2,3,3a,4 and Word wants 1,2,3,4,5.

  119. Re:For the Mac IE too? by linuxgod · · Score: 1

    Yes.

  120. An Enlightenment..... by linuxgod · · Score: 1

    M$ tries to do this all the time.. If you think about it..... Last night I was trying to make a NT domain on Samba for a 2000Pro machine that I'm using for a class project. It seems that M$ is trying to FORCE you to use 2000. The 98 machine will logon to the NT domain, but the 2000 one won't. The only thing I can do is use the shares. Bill Gates won't gain anything from this but a bunch of pissed off people.

  121. Re:In related news... by cyb3r0ptx · · Score: 1

    What's keeping you from using that same logic when speaking of other web sites? Site so-and-so is providing me w/ a service, why should I care if they are tracking information about me. As a web programmer, I think that keeping information about someone is acceptable in order to make their experience on a particular site easier and more enjoyable. However, there is a line where it becomes an invasion of privacy... that I DON'T agree with.

    p.

  122. It looks to me like this can be easily disabled by Anonymous Coward · · Score: 4

    I just looked at IE, and under security settings, it gives you the option of disabling "userdata persistence".

    1. Re:It looks to me like this can be easily disabled by Inoshiro · · Score: 1

      Alright, so it can be disabled there.

      But why doesn't it shut off when you have your security level set as high as it can be? Why didn't they place the controls for such a device in a more obvious location? Does "user data persistence" even give you a clue as to what it's actually doing?

      Deleting all cookies, emptying the cache and removing everything from the Temporary Internet Files folder does not make a difference. Hmmm, eh? Why go to the trouble of making it so hard to find this, even for people who know where to look?

      There's not even an option for you to be warned when servers set data...

      Most average windows users don't even know of that final tab to the IE config which has a list of random options in random order (how helpful of the programmers).

      I, for one, am glad I don't use IE at all on my workstation [dual boot] (revenge of mozilla is your friend :)).
      --
      Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  123. Re:If disabling works... by Mija+Cat · · Score: 1

    Sark,
    Ignoring your assertion that IE is best for the moment, why do you accept that MS has the right to make it easy to track someone else's online activities?

    Meow.

    --
    Yes, that's really my e-mail. Don't change a thing.
  124. So? by quantum+bit · · Score: 3

    Hee, hee, I've had this turned off for forever. It's under the advanced options and I never really knew what it did, but I didn't like the sound of "Userdata Persistence"...

    rm -rf /

    1. Re:So? by quantum+bit · · Score: 1
      Exactly; same here. Doesn't everyone go through *all* the dialogs, context-menus, and preference items every time they get/install a new application?

      I think that's the point of the argument... Should they have to? After all, most users don't bother changing anything from the defaults... Why do you think so many windows boxes have the same blue color scheme and cloud background?

      "Where's the any key?"

  125. Re:For the Mac IE too? by loglan · · Score: 1

    This is a good reason to use sherlock. You can do your searches (for porn) without even touching a browser.

  126. For the Mac IE too? by cozimek · · Score: 2

    Are Macs also being affected by this loophole? Is Gates trying to get everyone's information to make us buy more of his products?!

  127. Moderators, note this for insightful by Keybounce · · Score: 1

    [the parent message to this message is insightful, and worth reading]

  128. You have a lot more to worry about by Rurik · · Score: 2

    Just stop using IE. That's as simple as it can get. Besides all the security flaws that come out every hour, it's a nightmare for users.
    I work with a government forensics lab, and you wouldn't believe how easy it is to find out exactly where you've been, locally. IE stores everything you do in index.dat/user.dat/temporary internet files/cookies/application data, and a dozen more places in un-readable locked files, and in the registry.

    You would think, if it's THIS easy to grab from the local side, how many places are left open for the outside world to read?
    Just drop IE. Use opera, then you just have to erase your vlink4/cache4, and a few other things to clear up most of your activities.

    1. Re:You have a lot more to worry about by costas · · Score: 2

      Here I was, making a stupid sarcastic post --yeah the rip on RMS was cheap, but so is this thread, me thinks-- and someone had to actually consider my joke on its technical merits. I like that.

      So, yes I am pretty sure /dev/web is doable (no, I aint working on it), and probably already done in Inferno or Plan 9. Probably a hack involving wget (or actually, Python :-) would go a long way there.

      As for the Vim browser: no I haven't done it (I am happily surfing on IE 5.5, thanks), but somewhere on vim.org, I have seen a vim-with-embedded-python. And python does allow you to send and receive stuff through http transparently, so yes, it is theoretically possible to build an entire browser within vi. Why? I dunno. I am using IE, remember?

  129. Re:Go to Microsoft Knowledgebase... by Foogle · · Score: 1
    I think what he's trying to say is that it's bad that we can't explicitly delete this information, because MS has hidden it from us. Which begs the question, "What else are they hiding from us".

    I don't really worry too much about autocomplete though, since it's only a local feature, and if you're worried about privacy on your own machine, then you're a little kooky.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  130. Not just draw graphics! by Krollekop · · Score: 2
    Java in the browser can also offer you:
    • Security enhancements (like proprietary handshakes a la SSL, ...)
    • Handling callback from the server (with signed applets)
    • Have a richer user interface: compared to HTML, AWT is not so bad, after all.
    • Access to legacy application: you can make your applet talk CORBA or other TCP-IP protocols to your back-end applications.
    • Make Java applets load third-party dynamic libraries like smartcard-reader, fingerprint tools, etc ... (signed applets again)
    • Run a ftp server on your machine!
  131. Hahaha by fridgepimp · · Score: 1

    That's why I use netscape 1.12. They hadn't even thought up all of these stupid ideas back then. And it's really small too.

    -fp

  132. They will be by flimflam · · Score: 2

    They might not be using it now, but they will be, if they can. Companies would love to have a tracking mechanism that can't be disabled by privacy-minded individuals.

    --
    -- It only takes 20 minutes for a liberal to become a conservative thanks to our new outpatient surgical procedure!
  133. Re:Am I the only one? by Ergo2000 · · Score: 1
    the only people that care are the ones who are doing something illegal

    That is a VERY dangerous belief and one that demonstrates the pawns that people can become. Let me guess: Only terrorists use PGP? I've had this exact same debate with several unreasonable folks regarding PGP and their belief that there's nothing to hide and only criminals need to encrypt their messages: That is absurd and frightening. I point simply to the excellent foreword to the PGP manual by Mr. Zimmermann regarding people's complete ignorance to privacy in the computer realm, yet they strangely seek privacy in far less trackable methods such as letter mail. The paradox is that in the computer realm email messages, surfing habits, etc. can be monitored in the billions of hits/messages and archived FOREVER, whereas someone trying to read people's letter mail or listen to voice conversations would require massive resources to operate.

    Computers and the net in general allow for information to be gathered in absolutely massive quantities learning just about everything about all of us without privacy safeguards. What if you DID want to form an unbiased opinion about drugs (I'm not stating a stand here I'm merely giving an example) so you went searching out looking for material about the effects and statistics for illicit substances : Is that illegal? NO. That's the foundation of a democracy, but it falls crashing to the ground when idiots claim that there's no reason someone should be doing that so the jackbooted storm troopers go storming in to stop this 'illegal' activity. There aren't geniuses in ivory towers setting the rules and guiding our way, instead there are politicians who generally follow the public's whims. When the public's whims are based on ignorance or fear is that the way a democracy should work? Hardly. How can you question the way things are done if you are deprived of the methods to even do it? It is SCARY SHIT. Please read Animal Farm and 1984 by George Orwell as soon as you can. While this may seem extremist, it isn't whatsoever. They say that you get the government you deserve and that portends a very gloomy future given people's gross ignorance about their own privacy and rights.

    No matter how much people yap about how this doesn't matter and they don't mind if marketers know, etc, you really do care you're just too naive to realize it. What if we started recording all your phone calls and I could grab them in Napster as MP3s? Your emails should be accessible as well so that we can peer review whether you're worthy as a human being. Hell we'd like to know your DNA structure so if there are any weaknesses you can be relegated to the mundane low-value positions lest you waste our time. Hell the second you look up any disease (no matter what your reason) we'll ensure that you can't get insurance and your bank refuses credit. If you look at porn you must be a child molester : GET HIM UP AGAINST THE WALL!

    Don't be a FUCKING IDIOT. There are so many people out there that are insanely naive it defies logic. Computers and the "information highway" bring a whole new ballgame to the table : One where privacy is astronomically more threatened than ever before. Yet previously where people would worry about their phone calls being monitored (why do new cell phones encrypt the messages? Must be a bunch of criminals!) or their mail being steamed open by secret operatives en route to Grandma in the next town, now people casually brush off technology that can permanently log every action, search phrase and browsing habit for life. Did you accidentally follow a goatsex link? Well I hope you don't get a job in upper management later in life because sometime somewhere they'll correlate IPs with users (hey what does it matter if those darn marketers use the information wisely?) and you'll be outed as a giant stretched anus loving freak. GET HIM UP AGAINST THE WALL!

    Wise up.

  134. Re:In related news... by Foogle · · Score: 2
    A lot of FTP servers do this. Most of them say, right up front, that your presence is being logged. And why shouldn't they? They're providing you with a service and, in exchange, they're logging your actions. Most of the time this is done purely for security reasons, however if they decided to sell that info, as logged statistical information about their visitor base... I don't think there's anything wrong with that.

    -----------

    "You can't shake the Devil's hand and say you're only kidding."

  135. Bah! by nbot · · Score: 1

    I am really sick of all these things of how you are being watched over the internet. You know what? great. If they can watch me and gather info, perhaps someone will deliver the content I want. How could this information hurt you? Are there the "Search Query Police" that come after you if you search on how to make a bomb? No.

    --
    -nbot
    1. Re:Bah! by tang · · Score: 1

      "Are there the "Search Query Police" that come after you if you search on how to make a bomb? No."

      Not yet. Someday? Probably.

  136. If you are the paranoid kind, then forget about all these problems/features and surf the net anonymously. Use something like freedom from Zero Knowledge. Or use Linux. I find it funny that all the anti-microsoft pro-linux geeks (I put the accent on it because geeks are supposed to be a lot more computer literate than normal people) are complaining about all the security problems in windows/IE. Stop using them already! Put OpenBSD if you want security. Don't use IE if you don't want to be tracked. Use Netscape or Opera.

  137. Re:This is news?? by broken77 · · Score: 2
    Has news.com just discovered that IE caches previous search requests? This feature has been in the product for months.

    You're missing the point. Although news.com did not do a very good job of explaining the problem. You should read the security advisory and the related links at the advisory page. Basically, the web page author can put MS scripting into the page that loads and saves data in the persistence object just like you can do in cookies. A quote from the MS web page regarding this technology:

    The userData behavior persists data across sessions, using one UserData store for each object. The UserData store is persisted in the cache using the save and load methods. Once the UserData store has been saved, it can be reloaded even if Microsoft® Internet Explorer has been closed and reopened.

    Sounds just like cookies, eh? I can tell you that I didn't know that IE5+ had this feature before reading this article. Did you?

    --

    I modded the Troll Investigation and I got

  138. In related news... by logistix · · Score: 3

    I was just at a ftp server that grabbed my IP and reverse-resolved my name even though I was logged in "anonymously". This could be used to track me too.

    And no, it wasn't IIS.

    --
    - My password is slashdot
    1. Re:In related news... by Ergo2000 · · Score: 1

      Just came upon an example : 131.159.72.9.

  139. Persistence? by mindstrm · · Score: 1

    Someone fill me in here.. So your browser remembers the last few queries you did... this is somehow a way for 'them' to track you? Sheesh. Bash history remembers the last 20 commands you typed (or way more.. whatever). God-forbid that an OS such as unix should have such subversive things in it. I *LIKE* the fact that IE remembers the last bunch of searches I did. I mean.. you can say 'privacy'.. what if someone steals my computer, they'd know what I did...

  140. Re:Am I the only one? by cmeik · · Score: 2

    Good point. Hopefully the people wanting to know more information about methlabs might be a little more selective on their search. I mean if they searched for "marijuana", I don't see what the big deal is. The feds aren't going to check out every dude looking for marijuana on the internet. ( I can't really say the people searching for it probably don't use it, because that is most definitely not the case)

  141. Re:This is why LAW should require source disclosur by drinkypoo · · Score: 2
    Any old geeks here remember when every electronic device (TV, radio, alarm clock, etc.) came with a full schematic of the device? Well the schematics didn't hurt sales of electronics nor result in counterfeit copies being made... and neither too will they if software is required to come with source. And no one fears piracy of automotive design because some 3rd party (Haynes or Chilton) releases a book on your car with complete break away assembly diagrams and functional descriptions of all the parts. Again, neither will releasing source with software result in piracy... because if you're going to pirate the source, why not just pirate the software and save effort? Thus, releasing source will not harm product sales.

    Only your last point (about why not just pirate the software) is at all valid, and even it is total nonsense. Your other points are merely worse.

    If you have the source, you can more easily remove any copy protection methods. You think you see "cracks" of programs to remove a CD-check quickly now? Just watch how quickly that software hits the warez sites/newsgroups when the malicious "give-away-other-people's-software" types get their hands on the source.

    Comparing people having the source to people having schematics for electronics or the plans to a car is also complete nonsense. With those things you have to acquire and frequently fabricate parts, and then go through a lengthy assembly process. Surely some people actually did this back in the day with those schematics of amplifiers and so on, but for the most part, it was not the case. But all you have to do to compile something from the source is to put it into the development environment and click (or select from the menu) the "Make" option. A few minutes later, you have all the libraries and executables, assuming their project/make files are set up correctly.

    Also, Chilton's manuals are basically based on reverse engineering, but they do not actually tell you how to build a car, only how to service one. Furthermore, they suck compared to a Factory Service Manual, so they can only barely be seen as a competing product. They do not provide the level of detail you get from a FSM. In any case, those manuals are based on a tear-down and rebuild of the car in question, and they don't tell you how to build one - That would be arguably illegal.

    In summary:

    • Releasing the source would make it easier to "crack" software.
    • If they can keep the software from being cracked for a while, they can sell more of it.
    • Therefore, releasing source is probably not an option for most companies.

    Mind you, they really ought to give away the source to free software...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  142. Am I the only one? by Rombuu · · Score: 2

    Who really doesn't care if my movements on the web are tracked? I mean, what's the big deal?

    --

    DrLunch.com The site that tells you what's for lunch!
    1. Re:Am I the only one? by Ergo2000 · · Score: 1
      You don't have to... feel free to unplug your computer.

      That's an idiotic reply. The issue at hand is that there's yet another method for people who we probably don't want tracking us (for whatever our reasons. No one has to justify to anyone else why they feel they deserve basic privacy) and it wasn't made apparent to most users. Many companies take privacy way too loosely and it's unfortunate that people like yourself feel that that's ay okay.

    2. Re:Am I the only one? by Lysander+Luddite · · Score: 1

      Because nobody is innocent. If somebody wanted all your habits they just watch your behavior. While this can be done via credit and financial records, the trash or even old fashioned spying, it was often resource intensive and provided an incomplete record. Some of the means of gathering that data may fall into legal gray zones.

      The difference with this is it can just fill up a database, recording everything you do. While advertising is certainly the most likely commercial application, such tactics could be used in other ways such as legal action. It's also a good way of enforcing censorship in controlled environments for the majority of target audiences. Whether this information may be of value may be debatable, but I wouldn't want anybody (especially a marketer) to know what social vice website I view nor political or religious sites, sites in other countries etc etc. Just because the chances of it being used are small doesn't mean it won't be used. Imagine being busted for speeding and having the cops know you visit illicit drug sites. Do they now have probable cause for search? What if I was in Iran and viewed porn? Would I likely be arrested? No. But if I got arrested for being at some political rally would a record of viewing prohibited material be used as leverage?

      But you're right. Most people couldn't care less. They'll give up their rights for convenience. But that doesn't mean I should have to.

  143. Re:I have to say it... by mindstrm · · Score: 2

    Just an aside..
    But many people who use 'open-source' stuff would never read the source, and never look for things.

    The key point is that, these days, if you do not seek to understand what is going on, you are vulnerable.

  144. Cancel My Subscription to Bugtraq by Andrew+Dvorak · · Score: 2

    It seems that every time some minimal flaw in a Microsoft product ignites the idea that much shame should be dropped upon the Redmonian company. Companies don't make mistakes, people do. Companies are made of people.. I am up to betting that developers of Linux and related software products have even introduced far more serious bugs.

    anyways .. I'd prefer that Slashdot not obsolete my bugtraq subscription. We have already established that MSIE introduces 5 bugs for every 1 fixed.. let it be .. and REMEMBER THE ALAMO! (i mean Bugtraq: http://www.securityfocus.com/) TOAST: Here's to hoping for the re-purification of Slashdot -- like in the past!

    Anybody else getting the impression that there must not be too many newsworthy submissions in the queue causing Slashdot to resort to such posts as this? Has computing gotten to the point that many topics are better understood by the "general public" for the niche that Slashdot once filled?

    <constructive editorialism!/>


  145. Re: your .sg (OT) by anonymous+cowerd · · Score: 2

    He was a famously bad speller.

    A famously creative speller, you mean. An inspiration to us all; in that sense like Shakespeare, who even occasionally mis-spelled (? but wouldn't he be the authority?) his own name as "Shaxpere." You owe it to yourself to violate at least one law a day. I mean, whose language is it, theirs or yours?

    Yours WDK - WKiernan@concentric.net

  146. Re:OK by Duke+of+Org · · Score: 1

    WHY THE HECK WAS THIS MOD'ED DOWN!!!!!
    It Was Funny
    Not a troll
    YOU MODERATORS NEED TO GET YOUR ACT TOGETHER!!!!!

  147. Re:This is why LAW should require source disclosur by drinkypoo · · Score: 1
    Software is already being cracked in what is called "zero day warez" (studly competition among warez doodz) which means cracked on the same day as its retail release. Releasing source will not make zero any smaller than zero.

    No, but it will make numbers larger than zero smaller than their current value. You've neglected to notice that not all software is cracked that quickly. Things like Alias, SoftImage, and Lightwave 3D (note the trend here) which have more complex protection schemes take significantly longer to crack. For that matter, how long was it before there was a useful crack for BPFTP?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  148. Re:It's a Feature! by Plonk · · Score: 1

    Thanks, Microsoft, for giving me the most feature laden browser!

    Yep... so feature laden that it doesn't even conform to ISO 8879 (SGML).

    It's about time they forgot about adding more "features", and started bringing it up to standard.


    Plonk

    Those who say it can't be done.. should stay out of the way of those that are doing it..

  149. Ie doing stuff behind my back by Reziac · · Score: 1

    Whenever I find myself forced to use IE (I prefer Netscape) I later discover files on my computer, evidently from web sites *that I have never visited*. I now believe IE is also what writes a large unmovable block on my Windows drive, which can't be identified by everyday tools. (There aren't anywhere near enough hidden or system files to account for this large block of up to 100mb or so.) It goes away if I don't run IE for several weeks.

    This alone has made me suspicious that IE tracks me behind my back. And I have everything but cookies turned off.

    --
    ~REZ~ #43301. Who'd fake being me anyway?
  150. It is easily fixed by Idaho · · Score: 5

    And you don't have to turn off javascript. It's just in the IE Preferences dialog, but it's enabled by default.

    To turn it off, do the following in IE:

    Click Tools->Internet Options.
    Choose the 'Security' tab.
    Click the 'Custom level' button
    Search for 'Userdata persistence' (it's near the bottom, in the 'Miscellaneous' section)
    Select the 'disable' option.

    That's it!

    --
    Every expression is true, for a given value of 'true'
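
The dialog entry described in the comment above is stored per security zone in the registry as URL action 1606 (0 = enabled, 3 = disabled); that mapping comes from Microsoft's zone-settings documentation, not from this thread. As an added example, not part of the original comment, this Python script audits the text of a `reg export` of the Zones key and lists every zone where userData persistence is not explicitly disabled; the sample export is constructed.

```python
import re

# URL action 1606 = "Userdata persistence" in the per-zone security settings.
USERDATA_ACTION = "1606"
DISABLED = 3  # 0 = enabled, 3 = disabled
ZONES = {
    0: "My Computer",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

_SECTION = re.compile(r"^\[(?P<key>.+)\]$")
_ZONE_KEY = re.compile(r"\\Internet Settings\\Zones\\(?P<zone>\d+)$", re.IGNORECASE)
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})$')

# Constructed sample: text of a .reg export, already decoded to str.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000
"1606"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1606"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003
"1606"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4]
"1400"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"1606"=dword:00000000
'''


def parse_zone_settings(reg_text):
    """Return {zone_number: value or None} for action 1606 in each zone key."""
    zones = {}
    current = None  # zone number of the section being read, if it is a zone key
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = _SECTION.match(line)
        if section:
            zone = _ZONE_KEY.search(section.group("key"))
            current = int(zone.group("zone")) if zone else None
            if current is not None:
                zones.setdefault(current, None)  # zone seen, value not yet found
            continue
        if current is None:
            continue  # value belongs to a key that is not a numbered zone
        value = _DWORD.match(line)
        if value and value.group("name") == USERDATA_ACTION:
            zones[current] = int(value.group("val"), 16)
    return zones


def audit(reg_text):
    """List (zone, zone name, state) for zones where 1606 is not set to disabled."""
    findings = []
    for zone, value in sorted(parse_zone_settings(reg_text).items()):
        if value == DISABLED:
            continue
        if value is None:
            state = "not set in export"  # effective setting cannot be told from this file
        elif value == 0:
            state = "enabled"
        else:
            state = f"unexpected value {value:#x}"
        findings.append((zone, ZONES.get(zone, "custom zone"), state))
    return findings


if __name__ == "__main__":
    for zone, name, state in audit(SAMPLE_REG):
        print(f"zone {zone} ({name}): userData persistence {state}")
```
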
  151. This is news?? by Ars-Fartsica · · Score: 2
    Has news.com just discovered that IE caches previous search requests? This feature has been in the product for months.

    Just mouseover the cached queries and hit the delete key on your keyboard.

  152. Re:I have to say it... by Ergo2000 · · Score: 1

    As long as you have the full source, and can compile it yourself, this problem would not exist.

    Wow you read every line of every product or port that you install? Wow. I just did a line count of my /usr/src/sys directory (free BSD) and came out with 795,565 lines of code : Let's guess that you can absorb and understand 6 lines of code a minute (GROSS OVERESTIMATION! The various dependencies and interrelations make it incredibly difficult to understand and reasonably follow large projects without a considerable time investment. As projects get larger the time per line increases exponentially) : In just 2,209 hours you'll be ready to install that software! Whoops you want to play Nethack 3 (hehe...I remember downloading that from a BBS way back when through a FTP-through-email relay. It was a massive download at the time and I believe I was responsible for plugging the internet pipe for a while for that BBS.) : That's another 363,961 lines of code for you to browse through (BTW: These are overstated values as I'm too lazy to fix the recursive line count script). I hope you don't dare to install it without reviewing it. Of course those other trustworthy guys must have thoroughly reviewed it....right...

    Presuming software is safe because it's open source is a false belief. Hell recently I noticed my firewall was catching several packets outgoing from my BSD machine to curious destinations : I still don't know where they're coming from.

  153. Not surprising, but not a big deal by Tyrannosaurus · · Score: 2
    Does this really surprise anybody? How many 'features' do MS products have that piss you off by doing things you didn't ask it to? Just the other day, I was writing a paper in Word that used bulleted highlight points. Got it the way I wanted it, saved it, re-loaded it later and the bullet numbers were completely screwed up. Fixed it, saved it, re-loaded it, same thing. WTF? Point is, this is par for the course for MS, and shouldn't really surprise anybody. They don't care whether or not it makes life hard for those that know what they're doing--if it saves some dumb-ass from RTFM, then it's a good feature to them.

    At the same time, I don't see this as that big of an issue. If somebody can come up with a worst-case scenario of an exploit for this 'feature' that will format my hard-drive, then I'll be concerned. Until then, I must accept the fact that I use Windows, and must therefore deal with this kind of crap.

    ---
    Gort! Klatu Barata Nikto!
    1. Re:Not surprising, but not a big deal by SgtAaron · · Score: 1
      At the same time, I don't see this as that big of an issue. If somebody can come up with a worst-case scenario of an exploit for this 'feature' that will format my hard-drive, then I'll be concerned.

      Well, it's your hide, I guess. We already know that companies are using such private information to track you right now. We know that if you get into enough marketing databases, for example, they can correlate your web browsing and tailor it to specific advertising. All those cookies lying around on various web servers are worth their weight in gold to marketers.

      Once we were looking for a new tape drive, and I searched the web for good deals. A couple or three weeks later I started getting snail mail ads for a tape backup company! Coincidence? Perhaps. But it got me thinking very hard.

      When you enter information into a web form, your information can be used against you. Your IP address can be logged and correlated with other cookie logs from other web sites. Your home address, even if you don't give them your e-mail address, can be correlated with the database maintained by our friendly Internet neighbour: Netsol. Think about it, all they need is an IP address that resolves back to somewhere in your domain, your real name, and that's it! Smart marketing weasels are just that: they are smart.

      For this reason and many others, we have available for our customers a filtering proxy server running JunkBuster. It's not paranoia, just prudence. If you don't care whether you get spammed or have to pay to dispose of the junk mail (I sure do), that's OK with me, really. Personally, I can't stand the thought of being tracked on my browsing. It would be like having a clerk walking with you in the store and marking down everything you looked at. Ack, annoying!

      Until then, I must accept the fact that I use Windows, and must therefore deal with this kind of crap.

      Man, I almost cried when I read that! Don't give in and accept it, use something else! :-)

      Good luck,

  154. Fixing Bugs by Grasshopper · · Score: 1


    How ironic that the first release of Internet Explorer to fix the cookie exploit contains another privacy issue along the same lines.

    It makes you wonder if Microsoft was really trying to fix the problem or just alter it in a way they had hoped would go unnoticed.

    --
    Source code is a lot like a parachute; it needs to be open in order to function properly.
  155. A Media Plug please! by JCCyC · · Score: 1

    Someone with cash available has to plug this story in the media with a twist:

    - It is an "Internet Privacy" story (media likes that);
    - It is a "Microsoft is Evil" story (media likes that too; MS and Bill are today's O.J.)
    - MENTION THE ALTERNATIVE: OPEN SOURCE! Like, get someone at the Mozilla or Nautilus or Konqueror project to talk about it and why it prevents those dangers.

  156. Go to Microsoft Knowledgebase... by Uselessness · · Score: 2

    Try this yourself if you've got IE5 or higher... Go to www.microsoft.com, click on the Support menu up top, then click on Knowledgebase...

    Enter some search terms and look through the wondrous bugzilla that MS runs... Just give it one or two search terms or something... Now close out, wipe out your History, wipe out your Temporary Files and all the hoohah. Then wipe out cookies.

    Now come back in and check Knowledgebase. Hurrah! It remembers your search term, because you've got SECRET INFOES in some XML file buried deep somewhere.

    BORING.

    --
    Then the whores come in, shaking their rumps for the menfolk.
  157. Re:Complex problem, simple solution by drinkypoo · · Score: 2
    Switch to an open source browser! Volunteer developers have no interest in building a browser that's going to spy on its users...

    Unless, of course, they're an Evil Genius.

    The problem with the available open-source browsers is that they don't have IE's functionality. As lame as IE is, it has better standards support (and I don't mean the M$-defined standards, either) and more functionality (and here I am talking about Micro$haft-specific stuff, like ActiveX and client-side VBScript). They also support CSS more fully than any other browser, and last I checked, that included Arena, the W3C's (now Yggdrasil's) standards-flagship buggy-as-all-hell featureless browser.

    Of course, Arena is basically now all but dead. The only sign of life that I could see is that it still has a webpage. It's been replaced in the W3C with Amaya, which claims it "supports HTML 4.0, XHTML 1.0, HTTP 1.1, MathML 2.0, and many CSS 2 features". Amaya has an ungodly slow display engine.

    By contrast, in a quote from the W3C website (C&P'd from Amaya, BTW) we see the following: "000327 Microsoft shipped Internet Explorer 5 for the Macintosh. It apparently supports full CSS1, the first browser to do so." IE5.5/windows still doesn't do this, reportedly. I don't have a test suite handy, so I can't verify any of this one way or another.

    Mozilla is tres crashy. Netscape is agonizingly slow. Arena is slow and painful, ditto for Amaya. Opera finally has Java working properly, or so I hear (haven't run it recently) so I guess you can take it seriously, but the default layout made me shudder. It's also not as easy to customize (Or at least, to understand what you're doing) as I had thought it would naturally be. I guess the Mac users have a couple of other options, but they're missing major functionality, too, right?

    So what's left? If you discount IE for privacy reasons - nothing. Though I do use Mozilla for Mail, and occasionally K-Meleon to check out a small webpage quickly, or to load something that IE has network problems with. And Netscape and Mozilla both have dramatically faster implementations of Javascript and GIF89a animation.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  158. It's really funny... by Jadecristal · · Score: 1

    I find it really funny that /. will jump on any tiny little perceived "hole" or "privacy breach" in any Microsoft product, but refuses to even note that a new version of an MS product has been released. Hmmm...?

  159. Mozilla by l33t · · Score: 1

    I wonder will Mozilla copy this feature?

  160. lunatic by millette · · Score: 1
    I found this old little bit just 2 days ago here. Thought I might shed some light on the subject at hand:
    Q: The first document talked about extending standard protocols as a way to "deny OSS projects entry into the market." What does this mean?
    A: To better serve customers, Microsoft needs to innovate above standard protocols. By innovating above the base protocol, we are able to deliver advanced functionality to users. An example of this is adding transactional support for DTC over HTTP. This would be a value-add and would in no way break the standard or undermine the concept of standards, of which Microsoft is a significant supporter. Yet it would allow us to solve a class of problems in value chain integration for our Web-based customers that are not solved by any public standard today.
    must be crazy for quoting m$ here...
  161. Re:OT: Sig by Zaaf · · Score: 1

    Dat was reely stupid, of me. I am a stupid troll, i will report myself to Detritus, sorry

    --
    "Multiple exclamation marks are a sure sign of a sick mind." (Terry Pratchett)
  162. Re:Complex problem, simple solution by quantum+bit · · Score: 1
    I know what you mean... I use lynx where I can but there are so many pages that just absolutely break when viewed in text mode. Somebody mentioned "links" which has real table support, I may give that a try. Javascript would be nice since so many pages use that, but I'm probably already asking too much from a text based browser :)

    Graphical would certainly be nice, but X barely runs on this box as it is... kfm actually doesn't run half-bad, but the version that I have is pretty out-of-date and is missing a lot of features.

    Of course, I guess the correct Open Source answer would be to write it myself. But I don't have that much free time! :)

    Will work for a good .sig

  163. Conspiracy!!!! by cOdEgUru · · Score: 1

    Every time there's an article that comes close to mentioning the evil empire, slashdot puts "Bill Vader" out on the right hand corner of the Article. However this time, it's the blue IE icon.. Why?? Did Lord Vader pay Hemos to keep his face away from the public? Did Microsoft buy Slashdot? Did Hemos get married to Lord Vader's daughter? Mysteries abound...

  164. Not a big deal. by jasamaman · · Score: 1

    This really doesn't affect most people because Microsoft cannot sell the information to other companies. The only way it could invade someone's privacy is if you have a spying boss.

    --
    Someone ever tries to kill you, you try to kill them right back!
  165. Big Freakin' Deal by M$+Mole · · Score: 1

    Does this really bother anyone here? I mean, come on...most of the people here have cookies enabled to make browsing more simple and enjoyable. Like the MS guy said, this only becomes an issue for people who want to turn cookies off and be "shielded" from the net. Here we've got a rather tame problem for a few people that the company is going to work to fix. They'll just make the feature optional and add a warning to explain to the users what is happening. There are worse things going on at MS and elsewhere than this.

    --
    Karma: Non-existant. Due mostly to the fact that you smell funny and nobody likes you.
  166. Evil Empire by e-matt · · Score: 1

    Well, as usual the Evil Empire is up to the normal trickery and tracking.

    I wonder how much money they make selling the free demographic information they collect.

  167. Use Opera, not MSIE ... by Naum · · Score: 1

    ... yes, I'm gonna "pimp" the Opera browser again ...

    Why do I prefer Opera over MSIE, even though I had to shell out 18 schmolies (student price) for a copy?

    • For someone who finds keyboard controls (old time hacker who is used to command line interfaces ...), OPERA is much more suited to me - using [1], [2] to swap windows, [a], [q] to move from hyperlink to hyperlink, [0], [9] to zoom in and out, [shift][enter] to open new window it "drives" much easier - granted, it takes some time to get comfy with the dashboard but it has speeded up my surfing 10 fold - not having to open a new instance of the browser (like MSIE) every time I want a new window is the way to go ...
    • I could give a rat's ass about java script though Opera supports most flavors of javascript (or the standard ecma-script just fine) there is an occasional site that employs a MS-centric navigational trick but even NS has troubles with that - only other glitch is on some sites where they have sloppy code on the select box change on selected item and include no GO button ...
    • java support provided, but again I stay away from java and javascript sites ... even between various versions of MSIE, the results aren't consistent ...
    • Opera provides the most support for the CSS models - even according to the W3C folks ... Netscape browsers give developers trying to use CSS fits not only with its partial support, but more tragically, its inconsistent results that cause GPF crashes or render pages totally unreadable ...
    • Opera is indeed customizable, and allows the user to control many more options than available on the other browsers ... all new programs look "hokey" at first, until you give it a whirl ...
    • Although, it's not the biggest feature bonus, I love that when I zoom in/out, that images also zoom in and out ...
    • Easy ability to turn off images, or substitute my own CSS or settings if I visit a site that seems to be ignorant of basic design concepts ...
    • I am willing to pay to use a product that competes with M$, especially one that I feel is a superior program ...
    --

    AZspot
  168. Re:Complex problem, simple solution by quantum+bit · · Score: 1
    Okay, could somebody please point me toward a fully-functional standards-compliant open-source browser that works with 99.99% of web sites; oh and WITHOUT BLOAT? I don't like it any more than anyone else here, but sometimes the truth hurts...

    Galeon maybe? It uses gecko, a kick ass engine, sure, but it still has a big memory footprint and doesn't work with quite everything yet... I think Opera's working on a Linux port, but it's not open source and core dumped immediately when I tried their beta. Grrr...

    Suggestions anyone? I need something that will run on my 486 laptop without taking 5 years to load (6 months is acceptable as I know it's a slow machine).

    "If a tree falls in the forest when no one's around, and hits a mime, does anyone care?" -- Gary Larson, the Far Side