Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft: The Biggest Web Bugger

Posted by timothy on from the brits-can-snicker-now dept.

An unnamed reader writes: "A recently released web bug report shows that Microsoft (via Link Exchange) is bugging more web sites than any other organization. Less surprisingly, however, the same report shows that by making some rough traffic estimates, DoubleClick is probably bugging more web traffic than anyone else. (Except of course those big ISPs running proxy servers...wonder how long it will be before the ad agencies get into bed with the ISPs?)"

13 of 188 comments (clear)

  1. Since I despise spam I find this from the FAQ by LennyDotCom · · Score: 4

    Particularly problamatic

    from the web bugs FAQ
    11. Why are Web bugs used in "junk" Email messages?
    To measure how many people have viewed the same Email
    message in a marketing campaign.
    To detect if someone has viewed a junk Email
    message or not. People who do not view a
    message are removed from the list for future mailings.
    To synchronize a Web browser cookie to a
    particular Email address. This trick allows a Web
    site to know the identity of people who come to
    the site at a later date.

    Spam sucks

    --
    http://Lenny.com
  2. This is old news by miracle69 · · Score: 4

    They made a movie about it with Sandra Bollock. Industry just got smart after that and made it to where you couldn't see the pi, even if you held down control shift. ;)

    God, that was a bad movie. Thankfully, I don't remember the title.

    --
    Linux - Because Mommy taught me to Share.
  3. Google, too by look · · Score: 4

    Yeah, I noticed Google was on the list, too. A lot of people put the canned HTML code that Google provides on their pages to provide search capability. That includes an image, but it doesn't mean Google is tracking users. I think this survey needs more meat. I shouldn't be whether a page includes images from another domain, but only if cookies from other domains are going to the user from a page.

    I could probably whip up a Perl script to do this with libwww pretty easily. I can't believe whoever did this survey didn't!

  4. Confessions of a spammer by Anonymous Coward · · Score: 5
    This is mostly work related so I am posting anonymously and am leaving out names. I've been with this company for a couple of years and I am working for one of thier clients who wants us to send email to customers as an advertisement. We are supposed to ask the customer first, but heres where problems come in. First of all we have to meet like a quota on this. This is often hard to do because of many reasons including but not limited to people not wanting the email sent to them or not having an email address. You get written up for not making quota, which may get you fired, so it goes without saying that people send the email without asking the customer's permission, or to send multiple emails to a customer so thier count increases and other craziness. When I learned of this policy I asked a friend what they do about this and they said I should do what everybody else does. Send them out to everyone because you'd get in more trouble for not sending them. I am very against the idea of sending people junkmail and I had already started getting in trouble for only sending to those who can get it and want it and missing my quota so I'm emberassed to say I've been doing the same thing as the others so that I can keep my job. I have done some things before I didn't agree with, but it bites being myself what I just about hate the most. A spammer. I'm sorry folks.

    So, I was thinking about this and that today while I was sending my stupid spam off and something came to me. I know there was a proposal or something not too long ago that had to do with a unique identifier tagging unsolicited email. Now, if ISP's and telco's are supposed to be equivalent (right?), why is it that I hear you can block unknown callers/telemarketers and stuff on your telephone, but I can't block unsolicited email without trying to filter them individually with a spam filter which seems the equivalent of using your call blocking (which by the way has a limit of a few numbers at least in my area). Even if these aren't the same things I still believe it would be best if there was a unique ID on junk email because it is just as much of a problem to me when a phone rings and its junk or when my mail notify goes off and it's junk. How in the hell these two are different is beyond me but looks like that idea just didn't float anyway.

    As far as web bugging goes, I could care less whatever doesn't steal from me or interfere with my time. Wading through junk does and it's just not fair. I may sound like a hypocrite for saying all this because of what I do at work, but I'm just following orders so I can make enough to feed myself and have something descent on my resume. I may have a fancy job with email, but i don't make much money and I'm a veteran employee. I'm not a moron, just stuck growing up in kind of a redneck area (with scarce IT jobs) and being taken advantage of by the hi tech that came to town. Cheap labor we are for them. I fully intend to get the fsck out out of dodge.

  5. So um... by Wakko+Warner · · Score: 5
    ... why have I seen Doubleclick banner ads on Slashdot, if Web Bugs Are Bad?

    - A.P.

    --
    * CmdrTaco is an idiot.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  6. Bugger by Squeamish+Ossifrage · · Score: 5
    My goodness. This headline truly made my day.

    It's worth noting that Bugger has a few other meanings than "One who plants bugs."

  7. Associating e-mail addresses with cookies by B.D.Mills · · Score: 5

    Suppose I have my own advertising web site, "WebBugsAreEvil.com", and your e-mail address is YOUR_EMAIL_ADDRESS@yourhost.com.

    I place my bugs all over the internet. You visit a site with one of my bugs on it. This sends a new cookie to you. You now have a cookie from "WebBugsAreEvil.com" on your hard drive. Every time you visit another site with one of my web bugs in it, your cookie is sent to my host "WebBugsAreEvil.com" including the URL of the page that you are viewing. Thus, I build up a detailed profile of your web surfing habits.

    Now suppose you place an order on one of these sites and leave your e-mail address and other personal information. The site sells your e-mail address and other personal info to "WebBugsAreEvil.com". I now have your personal information and your cookie, but the cookie ID is not yet associated with your personal information because these were collected by two different servers. I need to do one more thing to put them together.

    I do a mass mail out with all the new e-mail addresses. The e-mails are HTML-enabled e-mails. Embedded at the bottom of the e-mail is this web bug:

    <IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://track.WebBugsAreEvil.com/cgi.bin/ping? email_ID=YOUR_EMAIL_ADDRESS@yourhost.com & sequence=1928d4ae1228">

    It's a 1x1-pixel GIF that has a single clear pixel in it; this is where the euphemism "clear GIFs" comes from. You cannot see this GIF.

    When you open the mail, this new web bug is sent to WebBugsAreEvil.com. Because the URL has your e-mail address in it, and it also sends your "WebBugsAreEvil.com" cookie with the HTTP GET request, I can now associate your personal details with your surfing habits.

    In short, it is very easy to remove anonymity.

    I don't know about you, but I find the idea of anyone having this amount of knowledge about me and my browsing habits to be uncomfortably close to Big Brother's surveillance from George Orwell's novel "1984". Is your telescreen on, Winston?

    --

    --

    The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
    1. Re:Associating e-mail addresses with cookies by cyberdonny · · Score: 5
      Now suppose you place an order on one of these sites and leave your e-mail address and other personal information. The site sells your e-mail address and other personal info to "WebBugsAreEvil.com". I now have your personal information and your cookie, but the cookie ID is not yet associated with your personal information because these were collected by two different servers. I need to do one more thing to put them together.

      I do a mass mail out with all the new e-mail addresses. The e-mails are HTML-enabled e-mails. Embedded at the bottom of the e-mail is this web bug:

      Actually this extra step of sending a web-bug infested spam is not even needed in most cases. It's enough if the surfer enters his e-mail address into any form on the web which uses the GET method, and which leads to a page having a web bug/banner ad from WebBugsAreEvil.com. The site serving the form does not actually need to be in cahoots with WebBugsAreEvil, apart from the obvious contract for serving its banners. Indeed, with the GET method, form data (containing your E-mail address) will be part of the URL, and thus will be sent to WebBugsAreEvil in the Referer header field. Much more discreet and reliable than sending a webbugged spam, and much more far-reaching too: using the same method, WebBugsAreEvil can collect all kinds of interesting info: First name, last name, home address, all kinds of demographic info such as age, yearly income, hobbies (if user ever participated in a survey having such a form), credit card number (if merchant was foolish enough to have his order form submitted via GET rather than POST). N.B. Even https doesn't protect against this, as this is data that is "intentionnally" sent to WebBugsAreEvil, rather than intercepted...

  8. Defeating web bugs by B.D.Mills · · Score: 5

    Web bugs are usually used in conjunction with cookies to profile your surfing habits. I find this to be a gross invasion of privacy, so I have chosen to fight back.

    It's not hard to stop a site from using cookies as a tracking tool. If they cannot store a cookie on your hard drive, that cookie cannot be used to profile you.

    The way to defeat this is to prohibit the web sites that use web bugs from storing cookies on your computer. A good browser will have security settings that can be customised. I place all web sites that I trust in my collection of trusted sites. These sites can store cookies on my machine. Sites that are not in my collection of trusted sites must go through the default setting where I must approve each cookie with a click before it can be stored on my hard drive. Persistently annoying sites get placed in my collection of restricted sites, which are prohibited from storing cookies. Sometimes, a trusted site that I have omitted gets added to the trusted list.

    If you want to start a database of restricted domains, a good place to start is your cookie collection. You will find a lot of sites that you never visited in that list. Add anything suspicious to the restricted list before deleting the cookie.

    I have only been doing this for a few weeks, so I haven't got any good results to report so far. I'm sure I'll get good results doing this, and I invite others to try it. It does involve a little work, but eventually I hope to have reasonable web-bug-free privacy online.

    --

    --

    The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
  9. Re:And a web bug is...? by bradfitz · · Score: 5
    See the web bug FAQ:

    http://www.privacyfoundation.org/education/webbug. html

  10. Why does Microsoft do this? by Jens · · Score: 5
    I mean, they have better means.

    Like forcing you to use cookies in Internet Explorer, or rather, transmitting cookies to *.msn.com sites no matter what you configured, containing personal information about your windows installation.

    See also here (http://slashdot.org/yro/00/11/02/1639247.shtml):

    Think that's bad? How 'bout msid.msn.com cookies set as part of your install, and re-created even after deletion?

    Grab a hex editor or other file viewing tool (e.g. LIST.COM) and examine MSIE's cookie files, you'll see that msid.msn.com has a cookie set even if you don't use IE. (Reproduce: Delete - from within DOS, not Windoze, all MSIE cookie files. Reboot. Do not connect to the 'net.

    Observe that IE has re-created cookies pointing to msid.msn.com with your information in 'em, even though you never connected to the 'net. They're there on a clean install from CD-ROM, and they come back every time you delete 'em.

    For the sake of the privacy of those who must use Internet Explorer: Firewall msid.msn.com. Forever.

    --
    Home Page
  11. Bad statistics by cperciva · · Score: 5

    Looks to me like they are classifying any inline link to a different server as a "web bug".

    This is quite bogus, as evidenced by the #2 ranking of akamai; the fact that many high-traffic sites have their images served from akamai's network does not mean that akamai is tracking where people go.

    --
    Tarsnap: Online backups for the truly paranoid
  12. Who cares? by ziplux · · Score: 5

    So, they collect some *anonymous* usage statistics. So what? They can track your web surfing. Who cares? These stats are *anonymous*, people. They can't be mapped to your physical address, phone number, etc. without a call to your ISP and a good reason. These stats help advertisers market products to you more efficently. It saves them money, and you get the see ads that might encourage you to buy something that is really useful to you. So my question is, why do you care?