IE "Persistence" Tracks Without Warning
A reader writes "Never mind if you've shut off cookies. If you are using IE 5+, the browser can still be used to track you, with no warning. An IE 5+ feature, "persistence", allows the browser to remember information, such as search queries. Which of course means that you can be uniquely identified and tracked. And since it is a feature, there is no warning either that this information is being stored or when it is given. Shutting off scripting in theory stops it.
More on the story at www.news.com."
From Microsoft: "The consumer that enables first-party cookies is even more exposed. This should only be an issue for someone who has disabled all cookies and is concerned about unique identification."
Translation: only people who care about their privacy care about their privacy. Gee whiz, mister, that makes it all okay!
it's good that that works and that it's that simple, but the fact remains that the vast majority of computer users never change the defaults on any of their applications. if something doesn't work quite the way they want it to, they don't bother poking around in the preferences to fix it. my father complains about the recent versions of microsoft word because of those "annoying red and green squiggly lines all over the place." i say "dad, you can get rid of those in two steps." he doesn't bother. with respect to something like this, where you can't even tell that it's happening, i would wager that next to no one (outside of those reading this forum) is going to do anything about it.
Just as an example.... advaya.com is doing this through spam (or as they call it, direct mail marketing). And they sell this service to other companies. The spams contain "1x1 gifs" along with links that point to places you wouldn't normally think they would point at. Like this:
Check out these <A href=3D"http://bigstar.ad6.net:8080/jsp/t/bigstar
? b=4BF5Y7ESKTJH34789T5HTJKLGN489EI495T> hot magazines for 90 days for FREE </A>
It points to some server which records that you have clicked on this link, using that funky long string as your identifier. The string possibly holds some sort of demographic information.
There's also a 1x1 gif that comes with the spam...
<IMG src=3D"http://bigstar.ad6.net:8080/jsp/t/bigstar.
g if?b=56HJTY90JKHHJGGIJ5476">
who knows what that does
:P
i'll let you judge for yourself if this is evil or not. i just wanted to point out a specific example of where it's being used. bye
Mozilla will never take the market from IE, unless someone starts paying folks to use it. Most people don't give a rat's ass about features/loopholes/etc. like the one described in the story. What percentage of web users browse without using cookies? I don't know the answer to this, but I'd put money on it being a relatively small minority.
I use IE 5.1 and there is an option in the advanced tab called "Enable Page Hit Counting". Here is what the Help says about it (emphasis is mine):
Specifies whether you want Internet Explorer to allow Web sites to track your Web page usage. Selecting this check box allows sites to create a log on your computer of which pages you view, even when you are viewing Web pages offline. That log is sent to the site the next time you go to it. By tracking the usage and popularity of specific Web pages, content providers can tailor future content to match your interests.
Looks like this has been around a while as M$ fishes for the most innocuous name possible.
"I will gladly pay you today, sir, and eat up
Sacred cows make the best burgers.
Why didn't they place the controls for such a device in a more obvious location?
Yeah, I know! Who'd have ever thought to look under SECURITY SETTINGS for something like that?! Geez! What were they thinking?!
(cough)
-- Dr. Eldarion --
my local bookshop gets paid in cash. all they know is that some long-haired annoying geek sometimes buys porn. but since this isn't strange they won't remember that either. they don't know where I live, what other stores I've recently visited, and what my favourite food is. even if they knew my name, they wouldn't be allowed to sell it. I would like the same anonymity on the net.
//rdj
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
Agree with you partially - I think only source code should be copyrightable. Copyrights are intended to protect ideas, not a side effect of those ideas.
There's an interesting loophole in having binary files protected by copyrights: one could write a program that analyses an executable file, identifying all functions and respective calls. This software would then scramble the code, changing the position of the functions and fixing the calls accordingly. Would this be a copyright violation? To characterize a copyright violation should both files be absolutely identical, or would a certain sequence of identical bytes constitute a violation? If the latter, what about libraries -- a binary compiled with a certain library would make all subsequent programs linked with the same library illegal?
It is not as easy as you think. The IE ActiveX control is pretty much built into the OS. This makes it pretty much a given that anyone who wants to render HTML in their app is going to be using IE. We aren't necessarily talking obvious browser apps, either. It is very, very likely that you are using IE at times and not even knowing it.
The cake is a pie
The capability, described as a "feature" by Microsoft, came to light on the BugTraq mailing list three days ago after an angry user revealed that his copy of IE 5.1 had phoned his wife to tell her about his subscription to hotmonkeylovin.com.
"This is a perfectly standard feature of any web browser," said a Microsoft spokesman. "As with all aspects of life on the internet, there is a tradeoff here between a very valuable capability and a vanishingly small, almost theoretical loss of privacy."
Free Software Foundation guru Richard M. Stallman was unavailable for comment. A source close to the programmer said that Stallman was "busy reformatting his Windows partition."
Carousel is a lie!
> > "This feature has a trade-off, like almost every other feature on the Web--in this case, between functionality and a minor, potential privacy exposure," said Michael Wallent, product unit manager for IE at Microsoft. "The consumer that enables first-party cookies is even more exposed. This should only be an issue for someone who has disabled all cookies and is concerned about unique identification."
<babblefish>Unless you find all the other security problems we built into IE, there's not much reason to worry about this one. If you use IE, they're going to get the information, one way or another.</babblefish>
--
Sheesh, evil *and* a jerk. -- Jade
While I agree, I think you're expecting too much from Microsoft's documentation group. They have different -- and Annoying(tm) -- ideas about what should go in a help system. Let me say up front that I neither agree nor misunderstand why they dumb-down the docs -- we aren't their main clients!
It's like an anti-man-page attitude; say How to do something not What something is or Why it is valuable. Much of the help provided is along the lines of "Print prints something to a printer" or worse "This button prints". In context, these might be OK...but the lack of extra details anywhere is just part of the design goal. Less is better...since it's not really necessary, is it? Anything more detailed would be confusing to a typical user.
MS is, after all, the company that doesn't document the switch /MBR for their fdisk program (try it - fdisk /?)...why give detailed help on something that is much more of a user-level tool than a disk partitioning tool?
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
MSK
oh, say, bug files? Now you can't even turn those off.. for those of you who do not know, bug files are little 1x1 gifs (or any other image/html/etc format) that links to a page somethin like: ... very suspicious address? indeed. With the right server-side encoding (php can do it, asp can do it, cgi can do it) you can make the browser think it's getting a 1x1 image, when in reality it's sending unique identification information. Unfortunately i don't remember the link to the place that had a nice big write up on it. They had a list of some big and oft-visited sites which used this method. Next time you're bored check out some big sites' source and see if you see any questionable image tags. Makes local stored data from stupid searches seem kinda trivial now doesn't it?
when you're this sexy, do you really need a witty signature?
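The manual check suggested in the comment above (reading a page's or a spam's source for questionable image tags), as an added example that is not part of the original thread: it decodes the quoted-printable `=3D` escapes seen in the spam sample quoted earlier and flags 1x1 images and any image or link whose query string carries a long opaque token. The host names, tokens and the 12-character threshold are constructed assumptions.

```python
import quopri
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Opaque token: 12+ letters/digits (assumed threshold), the shape of the IDs quoted in the thread.
TOKEN = re.compile(r"^[A-Za-z0-9]{12,}$")

class BeaconFinder(HTMLParser):
    """Collect <img> and <a> tags that look like per-recipient trackers."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") if tag == "img" else a.get("href") if tag == "a" else None
        if not url:
            return
        parts = urlsplit(url)
        # Names of query parameters whose value looks like an identifier.
        tokens = [k for k, v in parse_qsl(parts.query) if TOKEN.match(v)]
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        if tokens or tiny:
            kind = "pixel" if tiny else ("image" if tag == "img" else "link")
            self.findings.append((kind, parts.hostname, tokens))

def find_beacons(raw_body: bytes, quoted_printable: bool = True):
    """Decode a mail body (or page source) and return suspected tracking tags."""
    data = quopri.decodestring(raw_body) if quoted_printable else raw_body
    finder = BeaconFinder()
    finder.feed(data.decode("latin-1"))
    return finder.findings

# Constructed sample in the style of the spam quoted above; hosts and tokens are made up.
SAMPLE = (
    b'<A href=3D"http://track.example.invalid/t/click?b=3DAAAA1111BBBB2222CCCC">FREE</A>\r\n'
    b'<IMG src=3D"http://track.example.invalid/t/open.gif?b=3DDDDD3333EEEE4444" '
    b'width=3D1 height=3D1>\r\n'
    b'<IMG src=3D"http://static.example.invalid/logo.gif" width=3D120 height=3D60>\r\n'
)

if __name__ == "__main__":
    for kind, host, tokens in find_beacons(SAMPLE):
        print(kind, host, tokens)
```

For page source saved from a browser rather than a raw mail body, pass `quoted_printable=False`.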
From the article
Hint, the link is there to remind you to read it
Not to rant, but I cannot understand how such specious reasoning would find its way out of the mouth of a Microsoft representative. How could they possibly argue that since users are already at much greater risk from other features/exploits, one more "minor" inconvenience shouldn't matter?
Clearly documented explanations of the security features that one can toggle in the Internet Options -> Security tab would be one thing, but the lack of context-specific, right-click help (try it and see) or even the word persistence in the indexed help file (search and see) is somewhat silly.
Why would I have to journey to the developer's corner (link lifted from article) to learn what features are present in my browser? Maybe it's time that end-users insist on better [more immediate] documentation from Microsoft, especially with regards to things categorized under the heading of security.
ps - SlashDot still has its woes when dropping in long URLs. God bless the preview button
I personally have taken the version of VIM with embedded Python, spliced in Python's built-in HTTP client classes, and use vi to view the source text, with the garbage tags stripped out.
I would've used Emacs for this, but I cannot trust LISP (the language's emphasis on parentheses is antithetical to a prototypical architecture of a secure steganographical system) and I am worried that RMS may one day demand that the pages I view be switched to the GPL since I am using a GPL program to look at them.
I am now working on a kernel patch for /dev/web, which would map the Web's raw feed to a device that I can just cat to my standard out.
Explorer kicks ass, BTW.
I tried to buy some porn the other day at the local bookshop. But guess what - people look at you when you pick it up off the shelf - like everyone in the store! It's worse - when you go and pay you actually have to interact with another human! It's even worse - they remember who you are and the next time you go shopping there and your wife comes along it's very embarrassing. I think there must be some kind of multinational corporation conspiracy thing going on with the retailers in cahoots with the publishers in order to track me. Scary stuff.
--
-- SIGFPE
So remove MSIE completely. In the future, return any software that turns out to require MSIE components.
The process is quite nicely automated by [98Lite] which, despite the site name, actually has utilities that will remove MSIE from Win95, Win98, WIN98SE, and WinME. It'll nuke MSIEv3 through v5.x, and it does it safely.
Worth a shot, at any rate!
--
--
Don't like it? Respond with words, not karma.
I just looked at IE, and under security settings, it gives you the option of disabling "userdata persistence".
Hee, hee, I've had this turned off for forever. It's under the advanced options and I never really knew what it did, but I didn't like the sound of "Userdata Persistence"...
rm -rf /
I was just at a ftp server that grabbed my IP and reverse-resolved my name even though I was logged in "anonymously". This could be used to track me too.
And no, it wasn't IIS.
- My password is slashdot
And you don't have to turn off javascript. It's just in the IE Preferences dialog, but it's enabled by default.
To turn it off, do the following in IE:
Click Tools->Internet Options.
Choose the 'Security' tab.
Click the 'Custom level' button.
Search for 'Userdata persistence' (it's near the bottom, in the 'Miscellaneous' section).
Select the 'disable' option.
That's it!
Every expression is true, for a given value of 'true'