Microsoft: The Biggest Web Bugger

An unnamed reader writes: "A recently released web bug report shows that Microsoft (via Link Exchange) is bugging more web sites than any other organization. Less surprisingly, however, the same report shows that by making some rough traffic estimates, DoubleClick is probably bugging more web traffic than anyone else. (Except of course those big ISPs running proxy servers...wonder how long it will be before the ad agencies get into bed with the ISPs?)"

Re:Why does Microsoft do this?

This is so brazen it is breathtaking in scope.
Complain to your browser software company that there is *no* justifiable reason an IMG tag URL should return a cookie and the browser should store and serve said cookies.

And the incredibly sad part is that you are too late to "undo" the theft of your privacy. Hard drives never forget.

Web Advertisers and web-bugs are just another Napster network trading _your_ personal information instead of MP3s.

They're your cookies. If you *have* to keep them in order to use a website, then feel free to *ALTER* them. It's *your* disk drive, and your EULA clearly states that you retain the right to alter any information stored on your media, and do not allow encrypted data to be stored on it, right?

If a company insists upon storing data on your hard drive, you have a right to require they disclose any encryption used and provide a decrypted version of the data they are storing on *your* hard drive.

Work the DMCA - Your EULA for hard drives state that is your policy. Any encrypted data is a "circumventing device" intended to violate your EULA.

Diclaimer - IANAL but isn't the law for *everyone* to obey?

It's easy to block these in IE

If you use Internet Explorer, it's easy to block these. Just add any suspicious domains (e.g. *.doubleclick.net) to Restricted Sites in the Security tab of the Internet Settings control panel, disable everything (most things are already disabled for restricted sites), and that's that.

Re:Web standards

[pb]

Web standards are for *both*. If web browsers didn't render incorrect HTML, then web pages would stay clean.

However, I'd be happy if browsers even had the *option* to enforce compliance.

For instance, if browsers could actually obey the </HTML> tag, then the fascist disclaimer that is automatically appended to all of my pages at NCSU wouldn't show up. :)
---
pb Reply or e-mail; don't vaguely moderate.

Buggy vs. Bugging

[pb]

I didn't know at first if this referred to "Buggy" web pages, or "Bugging" web pages.

Microsoft is surely responsible for more buggy web pages, such as any HTML generated by Word or FrontPage, and the creation of their own Windows-only character set that often render what should be simple ASCII punctuation into question marks, or worse. Also, their webpage fonts are incredibly small on any system that doesn't support *their* fonts.

Doubleclick also is responsible for buggy code, specifically something known *as* a "web bug" or a "GIF bug", but that's also used to track people, so that would count as "bugging" as well.

The short answer for that would be to simply install JunkBuster. As for fixing Microsoft's sloppy HTML, I bet a proxy server like Junkbuster could detect a "GENERATOR" tag or maybe an undefined character code and just run the page through the Demoronizer.

But I wish people actually implemented the web standards we had originally, or put such compliance in the web browsers we have now. Netscape and IE are much prettier than Amaya, but they still read past a closing HTML tag...
---
pb Reply or e-mail; don't vaguely moderate.

Re:Buggy vs. Bugging

[popular]

I'm too tired to really respond, but in a nutshell, I'll just say that HTML needs to be all things to all people. Some people see it for the structured SGML derivative that it is, others just see it as another word processor/DTP format that *should* be WYSIWYG. Besides, HTML is a moving target -- Is it HTML 4.01 now? What version is XHTML at these days?

--

Re:Buggy vs. Bugging

[popular]

I hate this attitude about HTML. If it was "meant to be perfect", it wouldn't have drawn 99% of the interest it did. While other markup languages are for data, HTML is for presentation.

Imagine being a programmer developing a dynamically generated page. Frankly, I'm more interested in seeing if the output is correct -- the last thing I want is to have the page not render at all because it's "invalid". What if you actually did produce a valid document, and the browser's validator was buggy? It's much easier for everyone if the browser just renders the damn page.

If people want to get picky about their markup languages, may I suggest they look at SGML? If you're writing an O'Reilly book, perhaps it makes sense to use SGML and validate it against that gigantic DocBook DTD. Personally, I think it's overkill for a 13 year old making a Backstreet Boys fanpage, and HTML, for all its flaws, certainly must be better than Word!

--

Re:Buggy vs. Bugging

[raju1kabir]

Imagine being a programmer developing a dynamically generated page. Frankly, I'm more interested in seeing if the output is correct -- the last thing I want is to have the page not render at all because it's "invalid". What if you actually did produce a valid document, and the browser's validator was buggy? It's much easier for everyone if the browser just renders the damn page.

But that leads to the worst outcome of all: unpredictable results.

The one way you can be sure that a web page will work properly everywhere, is if all browsers follow the standard (any standard; I don't particularly care whose). Otherwise there are going to be pages that break some places and not others, and that means higher development costs, testing costs, and lost visitors. An awful thing for the industry (though perhaps a great thing for amateur-hour FrontPage mavens).

Re:Big Brother is Watching

[Frederic54]

Doubleclick is reputed to have amazingly accurate profiles of nearly every American household with internet access.

For "normal" user yes certainly, but all of us here usualy optout, or you can have some cookies filter.
Anyway I don't know really if optout works, as they could use your IP address to collect info on website you go. Anyway I use 127.0.0.1 for doubleclick.net :)
--

Re:Congress will investigate Web Bugs (LINK)

[PhilHibbs]

Click this link to make spammers spend money!

So how does that cost them money?

Re:"Microsoft: The Biggest Web Bugger"

[DarkClown]

I wish I had mod points to mod that back up.

Re:Bad statistics

[IntlHarvester]

Jason Kersey removed all ads from mozillazine.org, and I think he did that because people complained about that ad so much

Well, there's also the issue that there's been numerous Java install glitches with Mozilla, which probably is the primary browser hitting the site. So, it's possible the ad network figured out that half the hits they got didn't even load the ads.

I thought it funny that I could only see Mozillazine's ads in IE, anyway. (Eventually a massive JVM purge and reinstall sorted the issue out.)
--

Re:In the TANSTAFL department ....

[Geek+Boy]

I signed up for that and I put the msiepiss.gif up on my page. Their stupid bot couldn't tell the difference and it let me in anyways. For those of you who never saw it, it was an animated gif with a man who runs across the browser, drops his pants and pisses all over the MSIE logo (splash and all). I guess if it's good enough for MS, then why not?

Re:Not likely

[rde]

If you want to talk about it amongst the rest of us well educated adults, then learn to hack English appropriately!
That's 'well-educated adults'. Does this matter? No. I knew what you meant. Just like you knew what the good commander meant. So while the grammar may have been a little, shall we say, tacoish, the message - the important bit - got through loud and clear. Lighten up.
And I'm pretty sure the verb is 'to lose', not 'lose'.

Re:Web standards

[Chmarr]

Of course. It follows the standard adage: Be strict in what you emait. Be forgiving in what you accept.

Although, it would be really nice if IE, Netscape, etc, had a -strict switch.

Re:Other statistics on site

[Ensign+Nemo]

completely offtopic.

Where do you get your information? check out netcraft. It shows that Apache is most definitely NOT losing ground to IIS. They're staying roughly the same. Apache~60%; IIS~20%

Re:Defeating web bugs

[QuMa]

Hardly. Netscape keeps it's cookies in memory until you exit it, so all cookies work perfectly as long as you don't quit netscape. What I do is add the cookies I want to .netscape/cookies, then chmod 440 it... You get all the site logins etc you want, but all the non-approved cookies go away as soon as you quit netscape...

"Microsoft: The Biggest Web Bugger"

[Black+Parrot]

Well, they bugger everything else. Why not the Web?

--

Re:Who cares?

[chris.bitmead]

By sending out a lot of spam with webbugs they can match email addresses to their webbugs. Then if they link up with e-commerce sites like amazon, ebay etc they can link the email address to a real address.

Hey D.B. Re:Congress will investigate Web Bugs

[LennyDotCom]

Thanx D.B. for the plug for my war on spam page

Spammers sre scum!

Re:Who cares?

[LennyDotCom]

see post #23

We're talking about /web/ bugs here.

[TheDullBlade]

It is not trivially easy to associate web bugs you encounter while surfing with your email address, only ones in spam. And then you have to read the spam while online, and allow it to load images.
---

Re:We're talking about /web/ bugs here.

[MadAhab]

Right, it's not trivial. It works best if you put bugs into pages where the user enters the email address and you pass it through a query string, and you collect other info too, then you buy a major consumer marketing database named after a simple calculating tool, and turn around and make all your claims about aggregate information only into a big fat steaming load of shit.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Re:Defeating web bugs

[smutt]

I use Konquerer under KDE and set it to alert me for any cookie. If a site tries to set a cookie that I don't want, I click "Deny all cookies from that domain." That way I never get bugged about cookies from that site again. It also forces me to only allow cookies from sites that I explicitly allow.

You should use the same philosophy for cookies as you do for access lists: Anything that isn't explicitly allowed should be denied.

By the way this comment was posted in Konquerer, the coolest web browser on the planet.

Re:Bad statistics

[MadAhab]

Right, and I'm so sure they don't log that information.

I lost 50 pounds!!! Ask me how. Sucker.

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Now I Know Who To Block...

[frenchs]

Well, thankyou Security Space for letting me know which addresses/sites to block at the firewall!

I've been too lazy to actually set it up, now I have a nice neat little list that will make my web browsing "crap free".

Steve

Re:This is old news

[bgeiger]

BTW, the IP is: 23.75.345.200

Instead, they should have used, say, 192.168.x.x?

Re:Associating e-mail addresses with cookies

[cyberdonny]

Actually, it doesn't even take a form with a GET request. Rather than use a cookie, many sites now encode a unique user id in the URL,

Well, the point was that cookies allow banner ad sites to snarf form data without the webmaster's consent. That is, Joe Webmaster just knows that www.EvilBanner.com shows banner ads, and that he gets a couple of shiny coins from them at the end of the month, but he completely ignores what else EvilBanner.com does behind his back. I know a guy who was very surprised when I pointed out to him that the valueclick banner on his site was dishing out cookies left and right!

Including identifying info in the URL itself kinda defeats this objective of sneakiness, as it needs active collaboration of the webmaster.

Re:Confessions of a spammer

[Tackhead]

Assuming you're in the United States (and that this isn't an exquisite troll ;-), if your state has any anti-spam laws, read up on 'em. If your company is breaking them, consider blowing the whistle to the Attorney-General.

That business about "making quotas" of spams makes me suspect that your employer is engaged in shady business to begin with. Something just smells fishy - like those "$10/hour college jobs". The Federal Trade Commission may also be interested if there's a violation of any one of a number of laws. The spam may not matter if they're doing pump-and-dump stock promotion (call the SEC) or unfair credit card billing practices.

Read news.admin.net-abuse.email. Maybe some properly-anonymized mail to the right places would be helpful in bringing others into the fray to enclue your employer, say, if there were sufficient evidence for an RBL nomination.

You do have options.

Re:Web standards

[Cuthalion]

Yeah, a Pedantic checkbox in the browser would be better than having to run a separate HTML Lint program on it.

Re:Who cares?

[F_Prefect]

These stats help advertisers market products to you more efficently. It saves them money, and you get the see ads that might encourage you to buy something that is really useful to you.

I don't know about you, but I haven't bought anything off of an ad that I have seen (unless it was something at Fry's Electronics). So ads are trying to get me to buy something? That'll be the day. I don't like ads (TV, Radio, Spam, Telemarketing, etc.) If I want to buy something, I'll go out and get the information myself. I don't need buisnesses telling me that they are the best (I'll make that decision)
Rick

Re:Info v Privacy

[alprazolam]

"Does nobody care about search and seizure rights?"

i don't know. are they good for the economy?

Re:Yahoo webring uses external javascript

[jesser]

Well since webrings was taken over by yahoo all new pages added to webrings require you to use javascript.

Ahh, that's right, it was webrings the guy was talking about, not LE.

clear gifs

[jesser]

Clear 1x1 gifs with width= and height= are also used as spacers on many webpages. They're used when it's difficult to get the intended layout with tables and when the target audience is not known to have a CSS-supporting browser. As long as the webpage author sets alt="" on each spacer, they're not at all evil by themselves.

Re:clear gifs

[Carnivore]

Yeah. Ad proxies like Guidescope (it's free!) look for any image that is served from a different domain and block it. It's a great way to kill bugs without screwing up most layouts.

Re:A question about the proxy use

[duplicate-nickname]

go ahead and disable it....about the only thing you will notice is slower web access. Because, you know @Home is willing sift through their proxy cache to dig up the favorite pr0n sites of their 1 million users.

I bet you disable cookies on your browser...don't you?

BTW, if by "anything necessarily bad" you mean the @Home police breaking down your door and confiscating your Linux box for violating their TOS, then don't disable the proxy.

Re:This is old news

[invdaic]

I think the title was "The Net" and it was a terrible movie.

Re:A question about the proxy use

[}{avoc]

I'm with @home and have never used the proxy... Nothing seems to be different on my end.
-Dan

Re:A question about the proxy use

[}{avoc]

I really should do that... *goes off to DNS the servers*
-Dan

Re:Defeating web bugs

[mcrandello]

What's needed is a list, a'la MAPS or something, and freeware/'free software' that automatically updates your hosts file. Have clients for every OS+browser combination you can think of, after all we WANT joe-sixpack to jump on this. Make a big deal about how faster pages will load and how much more protected your "privacy" is.

Using the arguments that featured piracy-bounty-hunter guy was using (thin of the bandwitdh!)ISPs should be all over this, and maybe even reccomend it to their customers. After all, they still get paid, their service will be faster all around, which of course equates to more overselling they can get away with...you get the drift.

Re:Who cares?

[cyoon]

Your school is then responsible for your lack of privacy, not you, as web bugs have nothing to do with it. If they were interested in your privacy, they'd put you behind a proxy.

Re:A question about the proxy use

[boneshintai]

If you choose to use it, it's your own problem. If you installed their software package (a custom set of Netscape 4.something) their proxy and annoying homesite are pre-configured. Solution 1 (mine) is to configure (Windows, Linux) myself rather than let their CD within thirty feet of my drive and ignore the dang proxy server entirely -- they don't block port 80 anything, and instead rely on a Social Science number. Solution 2, if you've installed their crap, is to change the proxy settings and the homepage.

Bad @home, no biscuit.

-Owen

Re:Who cares?

[OrionFl79]

What's to say your isp isnt going to sell them your address, phone, etc?

Re:Info v Privacy

[rhizome]

This information, if properly anonymized, is a useful commodity to other net firms as well, and helps them to provide us with better service. Could you provide some examples of this "better service" you mention that tracking has provided us? I'm certainly having trouble finding it.

But often times they are NOT anonymous

[moogla]

It is quite possible for them to get at your physical address or phone number if you've given that information once before to an unscrupulous vendor whose privacy policy you didn't review. Additionally, just having your email address is enough annoyance. Spam filters or not, it's very annoying a burden on mail servers.

the very reason I view/compose email in text only

[moogla]

When the HTML is in your email, it's like you've invited the sender's web server into your machine, with a local document that is crafted like to remote documents you request in your browser. But the average user doesn't know this, or the power that document has to do things without your knowledge. I would recommend those who like HTML messages with links and such to view email with auto-image loading OFF; if there's a funny picture within, you can load it by clicking on it. Otherwise, do use text with attachments.

Re:Who cares?

[Lord+Omlette]

Some chick at CMU put out a paper saying that you as a person can be identified with your zip code, your sex, and an age range with about 80% accuracy. If they have your IP they have your zip code. Sites targetted to an audience can probably give them a guess at your age. The same might be said for your sex. It may NOT be that hard to find out who you are. Of course, once they have your birthday, sex, and zipcode, it's about 87% accurate, but whatever...
--
Peace,
Lord Omlette
ICQ# 77863057

Re:Who cares?

[Lord+Omlette]

http://www.private.org.il/IP2geo.html basically confirms what you just said. But I do remember going to a web site which told me which city I was browsing from. I thought that was slightly freaky. They can do it, I just didn't bookmark the site (I made it a point to not go back there, and my slashdot submission was rejected)
--
Peace,
Lord Omlette
ICQ# 77863057

Re:This is old news

[Red+Pointy+Tail]

Remember the bit where she typed the 4-byte IP address in full view? I don't recall the number, but one if it is larger than 255.

I LOLed right there in the cinema, but then there must not have been many geeks around, because no one else seemed to have found it amusing...

:)

Re:Info v Privacy

[bmasel]

If someone responsible can find out who is visiting a site that posts illegal information, then they can get better data on how to fight that particular crime.

If someone "responsible" is of the opinion that visiting a site on which there is discussion of matters illegal, is unwholsum, the 1st Amendment shrinks again.

1 thing missing...

[h0mi]

How do we "protect" ourselves from these things?

I'm especially concerned about it's usage in email, newsgroup mail and the like, but how do we prevent these bugs/beacons/etc. from finding us?

Re:dude! I parsed that as "booger" not "bugger"

[jaysones]

I just like that you woke up at 9:46 PM! Tell me you're not a web guy! ; )

Re:ahh yes, marketing

[Andrewkov]

Always carry a big stick.

---

Re:Who cares?

[Andrewkov]

They slow down your surfing ... If you go to a fast web site, there is a delay while the bug loads from the slow 3rd party ad server .. same deal with banner ads. And of course, these load first before any content is shown, so you have nothing to do but wait for those few seconds.

---

Re:Who cares?

[Andrewkov]

Listen, you clueless AC's. It is NOT the DNS lookup. It is the time it takes for the ad server to respond to an HTTP request that causes the delay.

Sheesh. Why do we let people post anonymously??

---

Re:A question about the proxy use

[Andrewkov]

Me too .. the @home proxy seemed unreliable and slow at times, so I don't use it. Junkbuster and Squid run locally do a better job anyway (I know it creates more network traffic, but it runs faster at my end -- that's all the counts! ;-) ). I also reference the news and mail server by IP address, since the DNS sometimes doesn't return an address for "news" and "mail".

---

Re:Who cares?

[Andrewkov]

Another good reason to disable HTML in email... Too bad both major browsers in Windows default to sending email in HTML format.

I need to look into reconfiguring me firewall ... I've always been more concerned with incomming packets, not thinking about web bugs and unauthorized outgoing packets. Blocking all those web-bug sites listed in the report sounds like a good idea to me.

---

Re:Who cares?

[Andrewkov]

No, smartass, I have a cable modem, which makes the delay more obvious. The delay is caused by the overloaded and slow ad server, not my connection speed. After the 3 second delay caused by the ad server, the rest of the page loads almost instantly.

---

And the answer is:

[Salsaman]

Tools | Privacy and Security | View stored cookies

DoubleClick bugging? Duh, it's what they do!

[shamino]

How do you think they can do geographic marketing? Of course they have 'bugs' in their web traffic. How else can they target an advertising campaign to a specific region?? What is Joe's Car Garage wants to advertise in upstate New York, does he really want to pay for banners served to people surfing the web in Asia?? Get a clue. Typical knee jerk reaction to something you don't understand.

Re:Associating e-mail addresses with cookies

[ahaile]

No matter what you do, they still get your IP number and your browser id string. Neither of these are guaranteed to be unique to a given user -- if you're either working on a multi-user system or use a proxy service, then other users may have the same IP and browser id string, which is why the ad companies prefer cookies. But if, like most people, you're the only user of the computer and you don't use a web proxy, then your IP is actually *better* than a cookie, since it will stay the same even if you switch to a different browser or delete/disable all cookies.

Also, the ad company can use the IP number to match up their tracking data with another site's personal data without needing any info from a GET form or a mangled URL.

Re:Who cares?

[Perdo]

Microsoft IS an ISP. MSN? Future Microsoft.NET? So, They CAN be mapped to a physical address and used to track you explicitly if you use MSN. And soon if you use any ISP but also use whistler/Microsoft.NET

Re:Defeating web bugs

[Sticky+Toejam]

Hell, all you really need to do is:

rm $HOME/.netscape/cookies (remove any cookies)
ln -s /dev/null $HOME/.netscape/cookies

Configure Netscape to accept all cookies - they will all be given to your good friend Dave Null. Of course, your SOL when a site uses cookies for their shopping carts....

How does one block all hosts in these domains?

[spankfish]

So, currently, on my NT box (yeah, yeah, I know...) I've got this in my hosts file:

127.0.0.1 ln.doubleclick.net
127.0.0.1 ad.doubleclick.net
127.0.0.1 m.doubleclick.net
127.0.0.1 doubleclick.net

What I wanna do is block ALL hosts in the doubleclick.net, akamai.net, and any other ad nets. How can one acheive this when one is not running a DNS? On NT and on Linux? Can a wildcard be used? *.blah.net?

(of course at home, I do run a DNS daemon, so that's it's a problem)

--

Re:How does one block all hosts in these domains?

[nege]

You do this in linux with your firewall (ipchains rules. Start with a DENY policy "ipchains -P input DENY" then you have to turn everything you want on, like the loopback interface with the -A flag) and you could also use /etc/hosts.deny. NT? never used it....

Re:Who cares?

[EvlPenguin]

Ah, but what if you also run a webserver from that computer, and they could then run a whois on your website's domain name, producing your physical address, real name, etc.

Not that they would; that would be to time consuming. But still, it is possible (although not a threat because most people don't run webservers from the same computer they work on).

--

Re:Ads-ISPs?

[brsett]

Its actually much worse than this.

There are at least two companies (Foveon and Naviant), that grab every web request coming out of an isp (using an oc3 splitter), and then relate that to who made the request using the info in the isp's billing database. Online ad agencies then look up the request and foveon tells you the zip code of the person who pays the bills for that request. They could just as easily get any other info -- but do not b/c they don't want to invade your privacy. There are other things I could tell you about, but I don't want to scare you too much :-).

Belgium (Telenet)

[anerki]

Pandora (Telenet) users in Belgium are lucky enough :-) long live proxies and firewalls

Re:Who cares?

[edp]

"These stats help advertisers market products to you more efficently... So my question is, why do you care?"

I don't want to be marketed to "efficiently." It is efficient for them, not me. I want to make reasoned, informed choices. Marketing statistics don't provide that to me. They help marketers increased emotional choices based on puffery, at best. I am as analytic as they come, but I can't be on guard all the time. Even if I could, the noise from "marketing" drowns out the signal of useful information about quality products.

Re:Who cares?

[morgus+morphus]

On its own, fine. Combined with passport.com, you get a very big problem indeed. Combine all of the web properties owned by MS...

Re:And a web bug is...?

[Caduceus1]

Unfortunately, the company doing the report has no idea what a bug really is. Notice that akamai.net is on the list. Akamai.net does not "bug" web sites, or serve ads, or any of that. It is the network of content caching servers located all over the world that are used by major sites like CNN, ESPN, etc. to cache content (often images) at ISPs so they are closer to the end user.

banner ads?

[Triv]

...wonder how long it will be before the ad agencies get into bed with the ISPs? Isn't that what "free" ISPs like NetZero or Freelane are doing already, trading net access for banner ads and the like? They can't get away with charging us for that...can they? (but then again, the Gap has no problem plastering their logo on their products so why not?) The reason I still pay for my access is that I don't particularly feel like being bombarded with free-floating ads (banner ads, I can ignore).

you can stop the ads from being downlaoded

[The_Flames]

just use the host file ie

127.0.0.1 xxx.com
127.0.0.1 yyy.com

The Lynx using, web-surfing, British response...

[Akardam]

Parse that, you old bugger!

Re:Who cares?

[dynoman7]

As you should know...every snowflake counts.

Re:Congress will investigate Web Bugs (LINK)

[bleeeeck]

Goto.com sells placement in it's searches. In this search for bulk email, the number one result paid $4.51 per click through to be the first search result.

I belive you have to actually click the links that result from the search before the advertiser (spammer) gets paid, so I clicked on the top ten results. (I hate spammers too).

Re:Congress will investigate Web Bugs (LINK)

[bleeeeck]

Oops.

before the advertiser (spammer) gets paid

should have been

before the advertiser (spammer) has to pay.

Sorry...

Re:Associating e-mail addresses with cookies

[Asic+Eng]

Just wondering: I use konqueror for browsing now, which has pretty cool cookie management, I assume that once I reject all cookies from WebBugsAreEvil.com (or it's real-life counterparts) I'd be safe, right?

Are there any other common ways in which an ad company could spy on surfers?

Ad Agencies

[carlcory]

...or they lobby for government restrictions on ISPs using proxy servers (like the recent Australia posting)

Re:In the TANSTAFL department ....

[purplemonkeydan]

IIRC, you had to copy the image to your server, then embed the image. And IIRC, Netscape did the same thing.

Re:Who cares? - Lots

[Technician]

Look at the server stats. I noticed that Apachie is the biggest server,followed by Netscape, followed by Unknown. The Unknown server is growing in size. I think this is deliberate!

Re:Copyright your surfing habits?

[wadetemp]

Copyright only protects duplication... I think that the sparse, mostly useless perspective that an agency like DoubleClick gets of your web browsing habits on its affiliate sites is different enough from your actual, copyrighted "surfing habits" that it's not a violation of copyright for DoubleClick to keep them. The level of abstraction is much too great.

And a web bug is...?

[kosipov]

What do they mean by web bugging?

Re:And a web bug is...?

[k9nl]

You know this doesn't have to be img tags. The same thing can be achieved through server-parsed html. Cookies don't even have to be used if every link has an id string in it. This term "web bug" doesn't mean much. The problem here is tracking by whatever means are used.

Just some thoughts...

Re:And a web bug is...?

[Cheshire+Cat]

You can find a good article on web bugs here. If you do a Slashdot search on web bugs, it'll come up with some previous articles on them.

Hope this helps.

Re:And a web bug is...?

[Goldberg's+Pants]

For all those worried by this, head to Freshmeat and grab Junkbuster. I've been running it for over a year now. A select few sites are permitted to set cookies (Slashdot for example), the rest are blocked, as are 99% of the banner ads on all sites. Browsing heaven!

---

Re:And a web bug is...?

[EvlPenguin]

From what I understand, it's more of the same cookie=bug nonsense, although they have a good reason to think so.

To elaborate on that, they are talking about those lovely cookies that places such as amazon.com and banner ad hosts such as doubleclick put place on your drive in order to indentify you for whatver reason (to track buying patterns in order to serve up custom-talored ads is the first thing that comes to mind).

As for an actual "bug" that tracks every site you visit and then processes or sends it somehow in order to do something such as physically locate you and find out who could be "trouble", well, that's just hype.

--

Re:And a web bug is...?

[bradfitz]

See the web bug FAQ:

http://www.privacyfoundation.org/education/webbug. html

Big Brother is Watching

[Jucius+Maximus]

Because Micros~1 is doing this through LinkExchange, it shows that they
a) Don't want to be identified, or
b) Don't want to get their hands dirty in the process of doing all the bugging so they outsource it to someone who will.

This shows how the pieces are falling into place for an Orwellian society. Sure, the useage statistics are anonymous, but through web bugs or cookies or fake-dated images as cookie substitutes they can tag most people with an "anonymous ID." But all it takes is for you to buy one item online and then they'll have your credit card number associated with a cookie. They can look up your identity, credit history, and all their anonymous stats won't be so anonymous anymore.

Doubleclick is reputed to have amazingly accurate profiles of nearly every American household with internet access.

The architecture and systems are all there and ready for Big Brother to emerge...if he hasn't already done so in the form of AOL/TimeWarner. The big ISPs have their transparent proxies and carnivore is on the loose. Micros~1 is only a small part of it.

And really, if AOL/Doubleclick/M$ are watching and catalouging our every move all linked to personally identifiable information, how would we know? How would anyone know? What's stoping them from covertly moving towards that right now? The Law? Ha! Who's going to sue them? The government of the country whose economy they prop up? Unlikeley. Groups like the EFF seem to be the last bastion of hope.

Let's just say that I'm glad I don't live in the United States.

O'Toole's Commentary on Murphy's Law:

Re:Big Brother is Watching

[ImaLamer]

Two funny things I have to say. Isn't LinkExchange OWNED by Microsoft? And didn't the gov't of my U.S. sue Microsoft. If Microsoft knew so much about me then I'd like to see them put it into their products. Everyone at the top must fall, it's a law of the pecking order. So these big companies which I really don't like aren't a threat forever. When I ordered a pizza today I gave the lady my CC number - I don't think she's going to look up my history. And so what if she did and sold it? I'd just get credit card offers in the mail. Verisign... beware of verisign - they encrypt your info so they can steal it faster. Ahhh!

Re:Big Brother is Watching

[ichimunki]

How alarmist can you get without actually providing any facts?

Even if they are able to track everything perfectly, no one has time to sift that information for anything other than the blandest types of information. Given that all the marketing efforts in the world don't seem to be able to consistently deliver well-targeted ads to either my real mailbox (most of these don't even have my name spelled correctly) or my emailbox assures me that it will be some time before there is really an issue here.

I'm far more worried about the very real news that the FBI engages in constant stings (and in the process may be one of the major providers) for child pornography. I'm a lot more concerned that European police are actually arresting people for "crimes" like using Napster or writing software like DeCSS. In the end, we have much bigger privacy worries with police forces using extremely sensitive infrared, microwave, and other devices to scan our houses (so much for curtains) and maintaining computerized, nationalized databases on citizens (just wait until some hacker manages to get a few good FBI or IRS files).

You say you're glad to not live in the US, so which country can I join you in where freedom is eternal, easy, and government mandated?

Re:Associating e-mail addresses with cookies

[sumengen]

That's why you shouldn't use html email. Use a decent email client which lets you only display plain text.
By the way, did you notice that hotmail (and users) began sending "HTML ONLY" emails. No plain text part. It is another strategy from Microsoft.

Re:This is old news

[eris_crow]

555 numbers are used internally by the phone companies for various things. Some have test equipment, some provide customer name and lookup (tell you who owns the phone your calling from), some provide things like directory assistance (as others have mentioned).

The actual usage varies from one bell to another, but if you really want details, try looking for phreaking info.

Eris

it's not just for advertising...

[q000921]

Web bugs and other cross-site tracking methods (static IP addresses, as with cable and DSL, are even better for tracking) give advertisers instant information about your interests and browsing history. But they don't just give that information to advertisers, they also give it to on-line businesses that you buy from. If you don't turn this off, when you fill in an on-line insurance or credit application, the company you apply for can get your browsing history just like an advertiser would. It's cheap, it's easy, why in the world would they not do it if they can?

You may say "I have nothing to hide". Neither do I. But the statistical analysis programs that grovel through browsing data are trained on the statistical average. For oddball populations like the readership of Slashdot, they may perform in completely haphazard ways. They might classify you as an educated person with great income potential, based on your fondness of gadgets, or they might classify you as a disturbed sociopath with violent tendencies, based on your fondness for computer games and fast computers you share with the Columbine high school kids. And if you get investigated or have credit or insurance denied because some program misclassified you, you'll never know what hit you.

The only way to deal with this is to not let the information get collected in the first place. Once it has been collected, it's impossible to keep it from being used for discriminatory purposes (in fact, often, that happens completely unintentionally).

Re:This is old news

[Da+Masta]

Yup..."The Net"...yup...that was one shit assed movie! Got the plot sucked...the technicalities sucked. In the whole theme of sucking, the plot would have been MUCH better if maybe the bad dude just posted a vid of their sex romp on the net or something! (Of course then, there'd be no problems with her not existing...she just has to find the right 13 year old's house to crash ;-)

Re:Confessions of a spammer

[grondu]

Instead of spamming, try a respectable career. For example, hitman, serial killer, etc.

Re:Other statistics on site

[sacremon]

Carefully reread the title of the post 'Other statistics on site'. Does that give you an idea as to where the information is from? In fact, I give the title of the area on the site where the statistics come from.

What more do you need?

I was stating that their statistics show that. I didn't say that this was gospel. Sheesh - this is *marketing* research, which is virtually an oxymoron.

Re:Other statistics on site

[leviramsey]

Because it's a federal judge, he can be impeached using the same procedure used for all federal officials (such as the president). (i.e.: the House impeaches and the Senate may remove from office). The "high crimes or misdemeanors" standard applies, but it's generally thought that this means whatever Congress thinks it means at that particular moment (I'm not sure if an impeachment can be overturned by the Supreme Court).

The first federal judge to be impeached was John Pickering, the judge of the US District Court for New Hampshire, who was removed from office in 1804. Since then, 12 judges have been impeached, of whom 6 were convicted and removed from office. One of the 12, though, resigned before the trial.

Re:A question about the proxy use

[Mastagunna]

How do you enable it, or do you need to use there software to get it, or is it automatic.

Re:This is old news

[raju1kabir]

Yup, and then she leaned over, rested her hand on my thigh, and whispered this URL into my ear.

Re:This is old news

[raju1kabir]

Oops, she must have had a little too much to drink, because the actual URL is this.

Re:This is old news

[raju1kabir]

Oh, kinda like how phone numbers in most movies start with 555 (an invalid prefix, or at least it used to be, not sure if it still is)

At least in Los Angeles they've started using it. Not sure about other places.

Re:Bad statistics

[rfsayre]

Ok, you need to admit when you're wrong. It's O.K.

Basically, you're saying that akamai customizes content like the ny times does ad inserts. Right.

And you also left out a key quote from the akamai.com website.

Here's your quote--
"...accurately identifying the geographic location from which users access your Web site"

What the quote should have been, if not for foolish pride--
"...accurately identifying the geographic location from which users access your Web site and the network origin of the user's request. "

Your quote should have at least ended in three periods, acknowledging that there was more to the sentence. But that probably would still be a lie, because you would be implying that what came after the quoted section was unimportant to your argument.

What do you think "network origin" means?
To me it means IP address.
Keep in mind that the phrase is "network origin", not "network of origin", lest we endure further misquoting.

Not likely

[Maskirovka]

"...wonder how long it will be before the ad agencies get into bed with the ISPs?)"

In my experiance most ISPs avoid forcing adds down a customers throat to that degree. Actually it almost seems to be an industry taboo. AOL is an exception of course.
Many newbies (and others) consider adds a form of spam, and if they were required to view them to use the web (or even worse, the net as a whole) the isp would loose a great deal of business, unless they had some kind of incentive like being free.
What I would like to see would be a broadband provider that made you watch adds in exchange for free service with unlimited bandwidth. While I'm dreaming I'd also like a G4 powerbook with a gig of ram. And a hummer. And a....you get the idea.

Maskirovka

-.

Re:Not likely

[s390]

FYI: the correct English verb for loss of money, market-share, whatever, is "lose" not "loose" despite Slashdot's spelling dysfunctionalities. Cmdr Taco is guilty of this.

If all you children want to hack software, fine. If you want to talk about it amongst the rest of us well educated adults, then learn to hack English appropriately!

Ads-ISPs?

[BuckMulligan]

"wonder how long it will be before the ad agencies get into bed with the ISPs?)"

They have...it's called AOL-Time Warner.

Marketing is one thing, what about Big Brother.

[ImaLamer]

Wouldn't it just be easier to just buy the stats from the web sites instead of doing it the hard way. Yahoo and other such sites track what you may click on after a search - so bother them for stats. See, what would bother me is if MicroSoft was turning around and selling the info to the gov't. Who cares if a stupid marketing company gets my info, they won't care if I click on a "How to make Crystal Meth" page? To marketing companies just remember you are only a number!

Re:Who cares?

[Zuchinis]

Useful ads? Useful ads? Maybe an ad is useful to you or me or Joe Blow when it contains relevant and reliable information about the product or service being sold. That information is freely available to marketers if they want it, all they have to do is call up the product people at the other end of the company. the only reason why they want marketing information from web bugs and such is to learn what you think you want so as to manipulate you into buying something whether it is useful to you or not.

Re:Who cares?

[cavemanf16]

Well, you do realize that despite all the flames posted to /., M$ is still a multi-billion dollar company. If doing what you describe nets them an extra half a billion, well, then, they've just recouped their costs and made more money in the process. I'm sure a hundred million won't set them back much if it means making another billion in the long run.

LinkExchange

[Archanagor]

Hm. LinkExchange has the largest number of "bugs"

Why doesn't this suprise me? Everyone and their dog has an LEFastCounter on their personal home page.

I forget everything that LE offers. I think they have banners that link to other sites, But mostly I see the counters.

Of course, a counter is going to sit there and track. That's what counters do: Track the number of users who have hit your site.

Same goes for #4 on the list: extreme-dm.com
Extreme-dm produces a small icon you place on your page that gives all sorts of statistics on who visits your page. I've used it once or twice to get a bead on which browser visits my page most often, and if by not supporting netscape how it would affect my user base.

Both of these services have been placed in the same category as DoubleClick, and why? becuase they post information back to their service. I mean-- it's not like what Doublclick and other unsavory types do, It's an obvious image. The Extreme-DM icon (Looks like a globe with lightning) or the LEFastcounter. The page visitor knows there there, and knows what they do, and can see the information they collect. This is not the same as secretly gathering demographic information for the purpose of targeted marketing. (Though, extreme does allow the content creator to focus on geo regions, browser types, or OS types ...)

Perhaps they should look at the source of the so-called "web bugs", before labeling them as such?

---

Re:Confessions of a spammer

[Archanagor]

Man. Working at the local McDonalds would be better than that job ...

... Seriously, get a new job!!

---

Re:A question about the proxy use

[bigbadwlf]

I've been using @Home forever, and I have NEVER used the proxy... and I've never regretted it.

Re:Who cares?

[mech9t8]

Well, all you have to do is e-mail your favorite web sites (you can start with Slashdot), tell them to stop using the banner ads, and suggest how they make up the traffic/revenue they got from them.

Simple.

Re:This is old news

[Nickoty]

of course they would. "Haha, don't they know that number is a private net number". At least if it were like 10.45.12.4 - if it was 192.168.*.* it might show that it was intentional.

Ads Suck, Here's My $0.02 Fix

[SkewlD00d]

As 'root,' of course: # echo spamnets | xargs -I /sbin/route add -net '{}' reject Here's some spam and ad nets I reject at my router: 205.188.140.0/24 207.46.188.0/24 208.32.211.0/24 207.68.180.0/24 206.41.20.0/24 207.211.106.0/24 204.253.104.0/24 152.163.180.0/24 208.48.126.0/24 199.172.144.0/24 63.210.68.0/24 208.184.29.0/24 Just don't do this! 0.0.0.0/0 :P

Patent Fun

[Jesus+IS+the+Devil]

Hey I think I'm gonna patent "web bugs" and sue Microsoft and Doubleclick. He he...


---------
Did you just fart? Or do you always smell like that?

Re:Bugger

[tbarrett]

It is also slang in Australia, with a meaning similar to the the American usage of 'damn'.

Slashdot uses web bugs

[OlympicSporsor]

It's true; check out the source for the front page. Is it right to complain about web bugs and then use them at the same time? No! Fucking hypocrites.

Re:A fact of life...

[SacredSalt]

I think it's less that users don't care, and more that users are not aware, nor are the fixes always simple. What do you expect you when you make a GUI interface that gets people onto the net with little technical skill, but then wont allow them to edit these types of privacy settings with the same lack of technical skill? You get what we have know. Some of it's probably there by design (evil conspiracy?), and some of it purely uninteded consequence of trying to add new features to the web.

Re:Now I Know How To Waste My Time

Start off with akamai.net... now there's a WHOLE BUNCH of web bugs there! Man, I can't even go to cnn.com without those damned Akamai people knowing exactly what I'm doing!

And that wunderground.com place... what kind of shady organization is the Weather Underground? Are they the people who always make sure that it rains right after I go through a car wash because I carry a cellphone with me? The feds should shut them down!!

Seriously... all they did was search through a bunch of web sites and counted the number of resources (images, frames, etc) pulled down from other sites. This means nothing, because the original web site already has access to everything the other sites do, if not more! If your goal is hiding from marketing people, I suggest the following acl:

access-list 100 deny tcp any any 80
access-list 100 permit ip any any

This will block most traffic that could cause your Web privacy to be breached, protecting you, yourself, from the distant chance that someone, somewhere, might want to know what your computer, in specific, is doing. And note that I said "your computer" -- the web site has no idea who you are, where you are, how to contact you personally, or how to distinguish you (as in, yourself) out of all of this.

'sides, the worst that'll happen is your computer will start getting USEFUL banner ads that you'll WANT to click on, because it's for something you'd like. And what's the problem with THAT?

Whew. First slashdot post in awhile. I think I'll leave this one anonymous ;-)

Re:Who cares?

[Caine]

As my hostname contains the following information; Where i study, and therefore which town and country and more importantly it also contains my whereabouts down to my roomnumber, so I'm not that hard to track based on it, I find it rather relevant.

Re:Info v Privacy

[ChaosDiscord]

If someone responsible can find out who is visiting a site that posts illegal information, then they can get better data on how to fight that particular crime.

From there it's not too long until someone realizes that someone "responsible" can find out who is visiting a site that posts unpopular informaiton so they can get better data on how to fight that thought crime. It's just a another step until unpopular becomes "unamerican," and suddenly your curious browsing of, say, the World Socialism pages lead to you answering the question, "Are you now, or have you ever been a communist?" You need real privacy to listen to free speech. Without privacy, free speech is worthless.

Does this mean...

[matthewg]

...that the US DoJ's hotshot young lawyer is going to use the Little Doctor on them?

Why not create a privacy object model

[gelfling]

Bundle, package and commoditize your own personal information into a privacy object that can be sliced into smaller sub objects and sell or lease that package to whomever wants to pay you for it.

Re:Confessions of a spammer

[JoeBuck]

You are making your living in an unethical manner. The sooner that you "get out of dodge", the better.

You are aware that "I'm just following orders" is known as the Nuremburg defense? It is not an excuse for actions that are deeply harmful to society. As for "mak[ing] enough to feed myself", being on welfare is more honorable than being a spammer, and the unemployment rate is still so low that most warm-blooded life forms should be able to find a better job than that.

In my view you do not have "something decent on your resume". You have a black mark. Your resume identifies you as a professional spammer.

Error in title of article

[PD]

That should be "Microsoft: The Biggest Web Buggerer"

Transplanted web pages can cause this, too.

[edhall]

There are other causes as well. For example, people who have set up a web site on GeoCities, Xoom, or wherever frequently make copies of their site by saving pages with their browser. This includes any code that was inserted by that service, whether for advertising or for site features such as counters and statistics, or even clip art. When they decide to move their site to another service they upload these copies -- including all the stuff the old service inserted into the pages. As long as nothing overtly breaks, this sort of stuff just accumulates as pages get moved or updated.

If you're asking youself why anyone would be so stupid, recall that all these page hosting services provide tools for building web pages; the average person with a web page knows little or nothing about HTML, and so doesn't have the slightest idea that some JavaScript appended to their page isn't necessary, and in fact wasn't actually part of the stored page in the first place.

For example, GeoCities inserts a web bug to give each user statistics concerning their web pages and to provide an optional counter. The bug is useless outside of GeoCities, yet I see it fairly frequently on other services. The same with Xoom's counter code, and so on. I suspect in most cases the "foreign" appearances of these bugs just represent noise to the site of origin.

-Ed

Exactly how long before ISPs and Spammers unite

[griffjon]

is equal to when I go buy ZeroKnowledge or full anonymizer services, less five minutes. Frankly, I'd be surprised if there isn't some of that already going on (naturally, NetZero and the like, but I mean normal, paid ISPs)

Re:This is old news

[dillon_rinker]

This was probably on the same level as using 555 as a telephone exchange on TV.

Congress will investigate Web Bugs (LINK)

[B.D.Mills]

Hey Lenny! Great anti-spam page. Spammers are up to $4.50 on goto.com! Slashdotters, start clicking the link below to make spammers pay. Click this link to make spammers spend money!

Obligatory on-topic message:

Visit Junkbusters and view information on Web Bugs.

The industry uses the euphemism "clear GIFs" to describe web bugs. Search for "clear gifs" in a search engine as well as "web bugs" if you're after more information. I use TopClick because it is a privacy-respecting search engine that doesn't use cookies and I have found it to be very good.

*** NEWS FLASH ***
Congress to investigate Web Bugs. More details here at intenetnews.com.
--

Re:This is old news

[B.D.Mills]

Oh, kinda like how phone numbers in most movies start with 555 (an invalid prefix, or at least it used to be, not sure if it still is)

Instead of using numbers above 255 for fake IP addresses, they should use numbers like 192.168.X.X, 10.X.X.X or other similar numbers assigned to local networks. The clueless won't know the difference. The clueful will appreciate the 555-like nature of the address and won't embarrass themselves for apparently laughing incongruously in a serious scene.

--

Buggy vs. Bugging vs. Buggering

[Saint+Nobody]

actually, for a second when i saw the title of the story, i thought it was talking about buggering web pages.

Re:Who cares?

[ryanr]

They can't be mapped to your physical address, phone number, etc. without a call to your ISP

Umm... and what do you think happens when you oder something online from one of these sites that has the web bug?

Re:Other statistics on site

[s390]

The above post is a Micro$oft troll. Typical M$ - turn the facts on their heads and assert the opposite of the truth: enough folks will believe you, if you _sound_ sincere.

In fact, Linux based (i.e. Apache) Internet servers gained market share _faster_ than M$ last year, according to IDC. It has been well reported here and elsewhere.

What's worse, this same approach seems successful in pulling the wool over the eyes of a whole US Appeals Court on the DoJ vs M$ antitrust case!

Anyone got the email addresses of the US Appeals Court judges hearing the DoJ vs M$ Antitrust case?

Is there any process available for impeaching Federal judges for rampant cluelessness in office?

Re:Info v Privacy

[MadAhab]

Well, if you know that they not only surf blowjob-related pages, but also interracial hardcore pages, you can recommend the oral "services" of a "talented" immigrant from your favorite ex-commie or capitalist dictatorship nation.

And don't you think your wife wouldn't pay for that info, too (if you give me a twenty, I'll tell you what she paid for it).

Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.

Re:Confessions of a spammer

[prizog]

AC said: "I have done some things before I didn't agree with, but it bites being myself what I just about hate the most. A spammer. I'm sorry folks."

If you e-mail me your snail mail address and agree to sell out your company - that is, take as much proprietary information from them as you can and put it on the web, publish their name, basically be a real whistle-blower, I'll mail you a check for $50. It's not much, but it's what I can do right now.

Just following orders is not an excuse and never has been. You're making a moral choice, and by your own admission, you're making the wrong one. You're not only hurting your company's targets, but your own sanity by doing something you know is wrong. Ghandi said: "Almost everything you do is meaningless, but it is still important that you do it." These are words to live by.

ahh yes, marketing

[Zule_Boy]

It is like those darn marketing people. Always wanting numbers and statistics from people like me. I work in a good sized (250000+ users) ISP and this is always a hot topic. Maybe if we follow people around on the web, we can market things at the more effectively. It makes me sick. What do you do with these marketing people anyways?

Re:ahh yes, marketing

[EvlPenguin]

Well, you could put them all in a line and test out how many people a real railgun could shoot through.

It's not without purpose either! Based on the result, iD Software would be able to make the next Quake's railgun more realistic.

--

Re:Bad statistics

[cyberdonny]

Iframes will probably allow cookies for a short amount of time after browsers fix a similar problem for images

...
I also heard someone tell me that some linkexchange ads were at some point in order to allow linkexchange to update the entire banner code whenever they needed to

Actually, the main reason for the script src seems to be the same as for iframes: allow the ad to set cookies, where a simple image couldn't. Just try it in netscape: In Edit->Preferences->Advanced, check the box labeled "Only accept cookies originating from the same server as the page being viewed", and watch how it still lets pass cookies attached to all kinds of includes, such as scriptsrc, iframe etc. Seems only cookies from offsite images are blocked.

Shoot, I parsed it as something entirely different

[devphil]

...as in, I say there old chap, bloody Microsoft seems to have gone and buggered my web page again.

Re:dude! I parsed that as "booger" not "bugger"

[radja]

Oh great.. Now microsoft is gonna invent a cure for the common cold, and prohibit anyone from making their own boogers..

//rdj

Web standards

[Cuthalion]

Web Standards are for content creators to adhere to, not for browsers to enforce. Browsers should show standard compliant HTML according to the standard, and everything else, they should make their best guess on. Because when it comes right down to it, Joe User (such as, oh, for instance, me) just wants to read the page. They don't want to hear "We could render this page, but won't because there's no tag." Not that many people complain "I hate this product. It doesn't break when it's supposed to."

I agree that web tools should output standards copliant HTML, for precisely the same reason - people don't want to fuck around with this shit, they just want it to work. The best way to do this is to only output well-formed files, but load and display any mess of angle brackets that you can figure out.

Re:dude! I parsed that as "booger" not "bugger"

[Nailer]

I parsed it as `Microsoft biggest web - bugger'.

`Bugger', asides from referring to someone who sodomizes others, is also colloqially used in Australia as a curse.

Re:Bad statistics

[jesser]

On http://truc.hypermart.net/, a "random" link exchange site, I see an iframe, not just image. Iframe ads are annoying for several reasons, although I doubt advertisers use them just to be annoying.

- IE4 (but not later versions) will replace an entire page with a placeholder page if you go to a site with a missing iframe.

- If you try to block the hoster of an iframe using a "hosts" file and you use Mozilla as your browser, you get an alert each time you visit a site with a missing iframe. Hopefully this will be fixed in bug 28586 by implementing placeholder pages for all missing pages.

- Iframes will probably allow cookies for a short amount of time after browsers fix a similar problem for images, simply because it takes more coding to fix the problem for iframes. (Have any major browsers fixed the cookies-on-images bug?)

- Iframes allow Java ads, such as the infamous punch-the-monkey ad. (Jason Kersey removed all ads from mozillazine.org, and I think he did that because people complained about that ad so much.) LE doesn't seem to use Java ads at this point, although I have seen several "fake dialog" ads there.

I also heard someone tell me that some linkexchange ads were <script src="something.linkexchange.com"> at some point in order to allow linkexchange to update the entire banner code whenever they needed to. I think this might have just been a rumor -- can you imaging what a cracking target that would turn linkexchange into? Can anyone confirm or deny this rumor?

Btw, why is it that when I click a linkexchange banner, the site linked to almost never has a linkexchange banner itself?

Re:dude! I parsed that as "booger" not "bugger"

[}{avoc]

However, Microsofts Booger would undeniably be placed behind a glass case, where we may only look at it, and marvel at the massive size. However, the booger of your average open source company would be completely moldable and customizable.. You could choose your own color, wetness, and basic shape, plus, it would come with free instructions on how to make your own boogers! Yay!
-Dan Posting without reading what I just typed, or checking for any coherent message, or spelling, or anything since... 3 minutes ago.

Re:Bad statistics

[cperciva]

So, how do you "customize content" without "tracking where people go"?

By doing exactly what they say they are doing... "accurately identifying the geographic location from which users access your Web site".

Akamai has servers distributed around the world; whenever there is an incoming request, it gets passed to the server closest to the user. Simply looking at which server is handling the request allows akamai to customize content based on the geographic location of users.

A fact of life...

[DESADE]

The trend is moving away from individual rights. This stuff has been going on for some time, and the marketing droids are just getting better at it. I'm sure MS uses this to "make their sites and products better" but it's a bad sign that users just don't seem to care.

Get ready for hooks in the os that work with web site tracking tools. Not far away.

The problem is...

[malfunct]

Just because an image doesn't come from the same server as the page doesn't make it any more or less likely or more or less capable of tracking your usage. These stats are fully bogus and give you no real idea of who is tracking what. More information is tracked on the same server that hosts the page than is tracked on the ad server I will nearly garuntee that.

Basically people you need to realize that marketing knows what you are doing and they use this to make more money off of you. Furthermore you need to realize that they make more money off of you by providing you advertising of something you actually want. Is this awful?

Another thing to realize is that none of these companies does a very good job at using the stats they collect. Few if any companies provide an automated targeted ad system. Few if any have solved the problem of sorting these large lists of numbers.

I mean how scared can you get when you get 3 calls a week from the phone company asking you to order phone service that you already get. They don't know what you are doing because there is just to much info.

dude! I parsed that as "booger" not "bugger"

[StandardDeviant]

Proof positive I need to drink at least one cup of coffee before reading /. after waking up. The thought of M$ being invovled in some sort of webcam-of-giant-booger, and what nefarous reasons they would have, dude, that's just wrong. :-)

--
News for geeks in Austin: www.geekaustin.org

Re:Who cares?

[yamla]

You are kidding, right? It is trivially easy to associate web bugs with your email address at the very least. Of course, it requires that your email client supports HTML, but most do these days.

--

Re:Who cares?

[Boulder+Geek]

You should. see this missive from Phil Greenspun. Scan down to the section that says "I want to know the age, sex and zip code..."

How to squash web bugs

[plover]

If you feel the need, use a proxy program that can "fix" the incoming HTML to recognize web bugs and "neuter" them.

I use this feature with the Proxomitron, a proxy that greps incoming HTML for bad stuff and replaces it with good stuff. I now have my copy looking for web bugs, and modifying the HTML to eliminate them. Specifically, I have it searching for IMG tags that include height and width components that are both five pixels or less. Instead of removing the image (which would cause severe image alignment problems) I simply replaced the SRC= with SRC=.\black.gif, which is just a small black image that gets stretched to fit the requested space. Extra benefit: no waiting for the HTTP connection to the web bug server! The local .GIF loads instantly.

John

In the TANSTAFL department ....

[Zero__Kelvin]

I remember Microsoft used to offer certain levels of access to MSDN (The Microsoft Developers Network) as long as you put a IE Logo on your web page in the form of a link to theirs. I used to think it was an exchange of information that should already be available for free and free advertisement. Now I finally see their real reason for doing this - maybe.

P.S. TANSTAFL == There aint no such thing as a free lunch

Missing the point.

[caduguid]

Notwithstanding all the previous posts that pointed out the foolishness in assuming 'anonymous' tracking will stay 'anonymous', I think you're missing the real point...

'Anonymous' tracking isn't harmless by any stretch of the imagination.

60% of people who visit the SMAP fanclub homepage visit pages on ecstasy parties within 2 hours afterwards.
Omigod. Call your congressman. SMAP causes drug abuse!
28% of visitors to the XYZ health center visit pages on abortion access.
Where do you get your funding, XYZ?
And, of course, there is a 93% correlation between readers of /. and visitors to the pages of the SPCJK (society for the promulgation of cruelty to jonkatz).

*They* don't care about *You* anyways. *You* are insignificant.
But if they could learn how to manipulate/control/smear the whole lot of you, now that would be worth something.

A question about the proxy use

[Lostman]

Sup guys... my ISP, @home, has a proxy installed as my default proxy for web traffic and I am wondering if this could cause a problem--eg: they watching everything I do, etc. Also, would anything "necessarily" bad happen if I choose to disable this? I would worry that they log all my traffic for use in some huge conspiracy, but its much more likely they use it for advertisements... any aid with problems with the @home proxy and if there is a problem with disabling it?

Re:A question about the proxy use

[raju1kabir]

my ISP, @home, has a proxy installed as my default proxy for web traffic and I am wondering if this could cause a problem--eg: they watching everything I do

If they cared what you do, they could watch your traffic with roughly equal ease whether or not you used the proxy.

Re:BSD

[firewort]

feeding the trolls again, I am.

Since you've convinced yourself that the real value you and your employer seek can only be found in paid for systems, excluding BSDI, may I recommend you look further at AIX?

At least IBM is contributing to the community that does find value in open-source/free-software, while continuing to improve the AIX offering. Technologies like LVM and JFS, for instance, and others, make AIX a great system. Granted, it still uses CDE, but I expect that'll change, and you can always load your own, or go with that free one, GNOME, like Solaris is choosing to use.

Thanks for voicing your opinion, now go and spend your employer's money. Spread your deathknells for BSD elsewhere, we don't need 'em.

See, you can't kill a free-software (or alternatively, BSD licensed) operating system as long as people continue to use it or work on it. A proprietary operating system can be killed by the company that sells it, but as long as one person uses the system, and one person develops for it, it's a live system.

Now excuse me, I'll be installing Darwin for Intel and OpenStep 4.2 as dual-boot on the same machine. Not exactly free software, but definately open-source, and certainly not dead.

A host is a host from coast to coast, but no one uses a host that's close

What? Me worry?

[Alien54]

I'm not all that worried about the connection of MS to web bugs, etc. I am not even that sure that they are the largest benefactor, although this makes sense.

After all, they give me plenty else to worry about. (My thoughts here)

Don't worry, just a bad case of caffiene deficiency syndrome.

Re:This is old news

[micromoog]

At least in Los Angeles they've started using it. Not sure about other places.

Is that what the girl at the bar told you when you asked for her number?

How can you blame MS for this?

[wadetemp]

A recently released web bug report shows that Microsoft (via Link Exchange) is bugging more web sites than any other organization.

From the data presented, it seems LinkExchange is the most common "web bugging" service. But that's what it is, a service. The companies paying for LinkExchange ads are the ones driving the "bugging". Without companies wanting to advertise and do business cheaply on the web there would be no LinkExchange/bCentral. Just because LinkExchange seems to be the most popular of web ad services doesn't mean it's some evil MS plot to bug the world. It just seems to be doing good business. If you ran an ad service, wouldn't you dream of the same?

Re:Who cares?

[at_18]

YES, it slows my surfing. I have to DNS lookup the server, contact it, make a GET and retrieve the image.
It sums up to a lot of packets.

Damn Buggers

[HongPong]

All I know is that Andrew Wiggin has the best shot at taking out the damn things once and for all.

--

Re:This is old news

[acceleriter]

Those aren't equivalent. An octet greater than 255 is just outright impossible. Someone keying in a non-routable IP address (e.g. 10.x.x.x or 192.168.x.x) during a flick would be more equivalent to a phone number starting with 555, and less likely to be laughed out loud at :).

You think that's bad?

[NineNine]

• Then don't watch cable/satellite TV. Those companies all know EXACTLY what you're watching at every second of the day.
• Then don't use a credit card. Those companies know exactly what you buy, where, and when you buy it.
• Then don't use a bank. They know exactly how much money you make and where it comes from.
• Then don't use a telephone. The telephone companies knows exactly who you call, when, and for how long.

Get the idea? Lots more more personal, and more in-depth information is gathered about you EVERY DAY from MANY sources. Ad banners are NEGLIGIBLE when compared with any one of these other sources of information gathering.

Other statistics on site

[sacremon]

One of the other summaries was server market share theft/upgrades - or how many servers were switched from one type of web server to another.

The interesting thing was that while Apache still has the lion's share of web servers in the survey, it has been losing ground to IIS. Given all the hacks on IIS-based servers recently, this is an unsettling trend.

Info v Privacy

[perdida]

Where does "free" as in open information end, and private information begin?

The ISP is doing this service: connects me to the internet, hosts a lot of the sites I am reading, protects me from spam.

Knowing traffic on certain sites helps my ISP do that.

This information, if properly anonymized, is a useful commodity to other net firms as well, and helps them to provide us with better service.

If someone responsible can find out who is visiting a site that posts illegal information, then they can get better data on how to fight that particular crime.

It is up to users to determine where this technology is applicable. But I wouldn't dismiss web-bugging as a tactic out of hand.

Re:Info v Privacy

[Syllepsis]

Whatever...in a toltalitarian police state crime effectively drops to zero, but who wants that?

By invading the private lives of every american household, and doubling the world's incarceration rate, the US can effectively wipe out marijuana use completely.

By warehousing consumer data large corporations can market more effectively, that is, convince you that you are not happy w/o their product.

Time to wake up the populace: Your well being is not a univariate function depending only on GDP growth. Crime prevention will not help your well being if the means outweigh the ends. Does nobody care about search and seizure rights?

Re:Bad statistics

[rfsayre]

This is quite bogus, as evidenced by the #2 ranking of akamai; the fact that many high-traffic sites have their images served from akamai's network does not mean that akamai is tracking where people go.

What exactly do you think Akamai does, aside from providing infrastructure? Do you think any MBA in his right mind would go for such a one sided business model? As long as you're delivering content, you might as well track it, or so the thinking goes.

And now for a highlight from akaikai.com -- In today's fierce competition for Internet eyeballs, customized Web site content is big news. Customizing your content to individual end-users makes your site more relevant, enticing visitors to stick around longer-and come back more frequently. Akamai's EdgeScape service enables you to make customization a reality by accurately identifying the geographic location from which users access your Web site and the network origin of the user's request. So, how do you "customize content" without "tracking where people go"?

Re:Who cares?

[ziplux]

True, but even without a webbug, anyone with access to the server logs could do this....so why the fuss about webbugs?

Copyright your surfing habits?

[adadun]

Wouldn't it be possible to patent or copyright your surfing habits? You could say that your surfing habits are an artwork made by you, and therefore belongs to you. If the web ad companies use the information of your surfing habits, you would be able to sue them for copyright infringement or make them pay you licencing money for using you patent. Stranger things have been patented lately, so it doesn't seem *too* impossible.

This would not only make it possible for us normal web users to make a few bucks, but should also shut down this act of privacy violation rather quickly!

You are _not_ anonymous

[ChaosDiscord]

Advertisers are very interested in connecting those anonymous statistics to real people. DoubleClick actually did so, but stopped after a public backlash. But they will try again, it's just a matter of time. In the meantime, whenever you enter contact information for a web site, that site may decide to sell that information to someone like DoubleClick. Advertisers really want this information, and they'll keep trying until they get it.

Re:So um...

[ChaosDiscord]

Perhaps because they have an effective wall between the editorial staff and the advertising staff, thus ensuring that editorial policy (as much as Slashdot has such a thing) is not tainted by advertisers?

Whodathunkit

[ottffssent]

Microsoft: The Biggest Web Bugger, eh?

Yeah, I think we can all agree that Microsoft has buggered the web...

Re:Associating e-mail addresses with cookies

[B.D.Mills]

You are correct.

Another way would be to put a web bug in the e-mail that the site uses to confirm the order.

--

Re:Who cares?

[Malcontent]

You may be right. After all It's not like Microsoft is some giant corporation with hundreds of subsidiaries, thousands of programmers, or terrabytes of storage at their disposal.

How could they ever muster enough money, processing power, database space, and brain power to try and corrolate the information they get from web bugs, sales at one of their subsidiaries, registrations at popular web sites like MSN or hotmail or msnbc, and product registrations of office and IE.
Why that would take millions of dollars and I really don't think MS can afford such a large outlay even if it means making tens of millions selling that information to others.

Re:Associating e-mail addresses with cookies

[ahaile]

Actually, it doesn't even take a form with a GET request. Rather than use a cookie, many sites now encode a unique user id in the URL, often after a '$', like http://company.com/page.htm$USERID. (Sites do this so that they can track session data on you even if you deny their cookie and even if you move across servers or domains.) Since WebBugsAreEvil.com gets this full URL, they now have your USERID at the site you visited and can connect their data with the data collected by the site.

Re:Who cares?

[Mojojojo+Monkey+Inc.]

A 1x1 pixel image slows your surfing? You still on a 9600 baud modem there?

Since I despise spam I find this from the FAQ

[LennyDotCom]

Particularly problamatic

from the web bugs FAQ
11. Why are Web bugs used in "junk" Email messages?
To measure how many people have viewed the same Email
message in a marketing campaign.
To detect if someone has viewed a junk Email
message or not. People who do not view a
message are removed from the list for future mailings.
To synchronize a Web browser cookie to a
particular Email address. This trick allows a Web
site to know the identity of people who come to
the site at a later date.

Spam sucks

This is old news

[miracle69]

They made a movie about it with Sandra Bollock. Industry just got smart after that and made it to where you couldn't see the pi, even if you held down control shift. ;)

God, that was a bad movie. Thankfully, I don't remember the title.

Google, too

[look]

Yeah, I noticed Google was on the list, too. A lot of people put the canned HTML code that Google provides on their pages to provide search capability. That includes an image, but it doesn't mean Google is tracking users. I think this survey needs more meat. I shouldn't be whether a page includes images from another domain, but only if cookies from other domains are going to the user from a page.

I could probably whip up a Perl script to do this with libwww pretty easily. I can't believe whoever did this survey didn't!

Confessions of a spammer

This is mostly work related so I am posting anonymously and am leaving out names. I've been with this company for a couple of years and I am working for one of thier clients who wants us to send email to customers as an advertisement. We are supposed to ask the customer first, but heres where problems come in. First of all we have to meet like a quota on this. This is often hard to do because of many reasons including but not limited to people not wanting the email sent to them or not having an email address. You get written up for not making quota, which may get you fired, so it goes without saying that people send the email without asking the customer's permission, or to send multiple emails to a customer so thier count increases and other craziness. When I learned of this policy I asked a friend what they do about this and they said I should do what everybody else does. Send them out to everyone because you'd get in more trouble for not sending them. I am very against the idea of sending people junkmail and I had already started getting in trouble for only sending to those who can get it and want it and missing my quota so I'm emberassed to say I've been doing the same thing as the others so that I can keep my job. I have done some things before I didn't agree with, but it bites being myself what I just about hate the most. A spammer. I'm sorry folks.

So, I was thinking about this and that today while I was sending my stupid spam off and something came to me. I know there was a proposal or something not too long ago that had to do with a unique identifier tagging unsolicited email. Now, if ISP's and telco's are supposed to be equivalent (right?), why is it that I hear you can block unknown callers/telemarketers and stuff on your telephone, but I can't block unsolicited email without trying to filter them individually with a spam filter which seems the equivalent of using your call blocking (which by the way has a limit of a few numbers at least in my area). Even if these aren't the same things I still believe it would be best if there was a unique ID on junk email because it is just as much of a problem to me when a phone rings and its junk or when my mail notify goes off and it's junk. How in the hell these two are different is beyond me but looks like that idea just didn't float anyway.

As far as web bugging goes, I could care less whatever doesn't steal from me or interfere with my time. Wading through junk does and it's just not fair. I may sound like a hypocrite for saying all this because of what I do at work, but I'm just following orders so I can make enough to feed myself and have something descent on my resume. I may have a fancy job with email, but i don't make much money and I'm a veteran employee. I'm not a moron, just stuck growing up in kind of a redneck area (with scarce IT jobs) and being taken advantage of by the hi tech that came to town. Cheap labor we are for them. I fully intend to get the fsck out out of dodge.

So um...

[Wakko+Warner]

... why have I seen Doubleclick banner ads on Slashdot, if Web Bugs Are Bad?

- A.P.

--
* CmdrTaco is an idiot.

Bugger

[Squeamish+Ossifrage]

My goodness. This headline truly made my day.

It's worth noting that Bugger has a few other meanings than "One who plants bugs."

Associating e-mail addresses with cookies

[B.D.Mills]

Suppose I have my own advertising web site, "WebBugsAreEvil.com", and your e-mail address is YOUR_EMAIL_ADDRESS@yourhost.com.

I place my bugs all over the internet. You visit a site with one of my bugs on it. This sends a new cookie to you. You now have a cookie from "WebBugsAreEvil.com" on your hard drive. Every time you visit another site with one of my web bugs in it, your cookie is sent to my host "WebBugsAreEvil.com" including the URL of the page that you are viewing. Thus, I build up a detailed profile of your web surfing habits.

Now suppose you place an order on one of these sites and leave your e-mail address and other personal information. The site sells your e-mail address and other personal info to "WebBugsAreEvil.com". I now have your personal information and your cookie, but the cookie ID is not yet associated with your personal information because these were collected by two different servers. I need to do one more thing to put them together.

I do a mass mail out with all the new e-mail addresses. The e-mails are HTML-enabled e-mails. Embedded at the bottom of the e-mail is this web bug:

<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://track.WebBugsAreEvil.com/cgi.bin/ping? email_ID=YOUR_EMAIL_ADDRESS@yourhost.com & sequence=1928d4ae1228">

It's a 1x1-pixel GIF that has a single clear pixel in it; this is where the euphemism "clear GIFs" comes from. You cannot see this GIF.

When you open the mail, this new web bug is sent to WebBugsAreEvil.com. Because the URL has your e-mail address in it, and it also sends your "WebBugsAreEvil.com" cookie with the HTTP GET request, I can now associate your personal details with your surfing habits.

In short, it is very easy to remove anonymity.

I don't know about you, but I find the idea of anyone having this amount of knowledge about me and my browsing habits to be uncomfortably close to Big Brother's surveillance from George Orwell's novel "1984". Is your telescreen on, Winston?

--

Re:Associating e-mail addresses with cookies

[cyberdonny]

Now suppose you place an order on one of these sites and leave your e-mail address and other personal information. The site sells your e-mail address and other personal info to "WebBugsAreEvil.com". I now have your personal information and your cookie, but the cookie ID is not yet associated with your personal information because these were collected by two different servers. I need to do one more thing to put them together.

I do a mass mail out with all the new e-mail addresses. The e-mails are HTML-enabled e-mails. Embedded at the bottom of the e-mail is this web bug:

Actually this extra step of sending a web-bug infested spam is not even needed in most cases. It's enough if the surfer enters his e-mail address into any form on the web which uses the GET method, and which leads to a page having a web bug/banner ad from WebBugsAreEvil.com. The site serving the form does not actually need to be in cahoots with WebBugsAreEvil, apart from the obvious contract for serving its banners. Indeed, with the GET method, form data (containing your E-mail address) will be part of the URL, and thus will be sent to WebBugsAreEvil in the Referer header field. Much more discreet and reliable than sending a webbugged spam, and much more far-reaching too: using the same method, WebBugsAreEvil can collect all kinds of interesting info: First name, last name, home address, all kinds of demographic info such as age, yearly income, hobbies (if user ever participated in a survey having such a form), credit card number (if merchant was foolish enough to have his order form submitted via GET rather than POST). N.B. Even https doesn't protect against this, as this is data that is "intentionnally" sent to WebBugsAreEvil, rather than intercepted...

Defeating web bugs

[B.D.Mills]

Web bugs are usually used in conjunction with cookies to profile your surfing habits. I find this to be a gross invasion of privacy, so I have chosen to fight back.

It's not hard to stop a site from using cookies as a tracking tool. If they cannot store a cookie on your hard drive, that cookie cannot be used to profile you.

The way to defeat this is to prohibit the web sites that use web bugs from storing cookies on your computer. A good browser will have security settings that can be customised. I place all web sites that I trust in my collection of trusted sites. These sites can store cookies on my machine. Sites that are not in my collection of trusted sites must go through the default setting where I must approve each cookie with a click before it can be stored on my hard drive. Persistently annoying sites get placed in my collection of restricted sites, which are prohibited from storing cookies. Sometimes, a trusted site that I have omitted gets added to the trusted list.

If you want to start a database of restricted domains, a good place to start is your cookie collection. You will find a lot of sites that you never visited in that list. Add anything suspicious to the restricted list before deleting the cookie.

I have only been doing this for a few weeks, so I haven't got any good results to report so far. I'm sure I'll get good results doing this, and I invite others to try it. It does involve a little work, but eventually I hope to have reasonable web-bug-free privacy online.

--

Why does Microsoft do this?

[Jens]

I mean, they have better means.

Like forcing you to use cookies in Internet Explorer, or rather, transmitting cookies to *.msn.com sites no matter what you configured, containing personal information about your windows installation.

See also here (http://slashdot.org/yro/00/11/02/1639247.shtml):

Think that's bad? How 'bout msid.msn.com cookies set as part of your install, and re-created even after deletion?

Grab a hex editor or other file viewing tool (e.g. LIST.COM) and examine MSIE's cookie files, you'll see that msid.msn.com has a cookie set even if you don't use IE. (Reproduce: Delete - from within DOS, not Windoze, all MSIE cookie files. Reboot. Do not connect to the 'net.

Observe that IE has re-created cookies pointing to msid.msn.com with your information in 'em, even though you never connected to the 'net. They're there on a clean install from CD-ROM, and they come back every time you delete 'em.

For the sake of the privacy of those who must use Internet Explorer: Firewall msid.msn.com. Forever.

Bad statistics

[cperciva]

Looks to me like they are classifying any inline link to a different server as a "web bug".

This is quite bogus, as evidenced by the #2 ranking of akamai; the fact that many high-traffic sites have their images served from akamai's network does not mean that akamai is tracking where people go.

Who cares?

[ziplux]

So, they collect some *anonymous* usage statistics. So what? They can track your web surfing. Who cares? These stats are *anonymous*, people. They can't be mapped to your physical address, phone number, etc. without a call to your ISP and a good reason. These stats help advertisers market products to you more efficently. It saves them money, and you get the see ads that might encourage you to buy something that is really useful to you. So my question is, why do you care?