Earthlink's Extra HTTP Header

HerrHair had the first reader submission of this, but it took a few days to look into it. If you use Earthlink's customized browser/email/chat/kitchen sink application, which Earthlink recommends for all of its new customers, you are sending an extra HTTP header called HTTP_ELNSB50 with every HTTP request (every download of a file or image), and the data for this header is a lengthy alphanumeric string, which readers took to be a unique ID of some sort. This does not appear to be the case.

Steve Gibson was apparently the first one to look into this browser serial number. I'm a little hesitant to link to that page, since its contents have changed dramatically twice in the last 24 hours. Gibson initially had a page claiming it was privacy-invading unique ID. He changed it to include a disclaimer in a large red box, and has now changed it again to display the information Earthlink provided about the serial number. Earthlink provided much the same information to slashdot after our query.

The header information sent is similar to the codes below. Depending on how logging is set up on a given webserver, they may or may not be logged, but enough server logs are accessible across the net that typing ELNSB50 into any search engine will find examples. (ELNSB50, by the way, apparently stands for "Earthlink Sandbox 5.0".)

ELNSB50::0000411003200258029a012800000000050300280 0000000
ELNSB50::0000411003200258029a012d000000000503002a0 0000000
ELNSB50::0000411003200258029a013200000000050300280 0000000
ELNSB50::0000411003200258029a0132000000000503002a0 0000000
ELNSB50::0000411003200258029a013b000000000503002a0 0000000
ELNSB50::0000411003200258029a013d000000000503002a0 0000000
ELNSB50::0000411003200258029a014700000000050300280 0000000

Even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs. Microsoft's GUID had 128 bits; a good hash function might have 160 bits; those serial numbers, culled from widely scattered machines, aren't unique enough.

This is what Earthlink sent us about the codes:

reserved: 14 future growth monitorDepth: 8 monitor bit depth browserFontSize: 3 browser font -- small to large connectionSpeed: 3 One of 4 categories connectionType: 4 Modem, high speed, etc. monitorHorz: 16 horizontal area monitorVert: 16 max vertical area browserViewHorz: 16 views horizontal area browserViewVert: 16 views vertical area popID: 32 numerical POP ID sandboxVersion: 32 what version of the sandbox sent this?

Most items should be self-explanatory. ConnectionSpeed has four possible values: slow dialup (<56K), fast dialup (56K), slow broadband, and fast broadband. The POP ID refers to which of Earthlink's Point-of-Presences you are dialed up to - which bank of modems you called. The rest should be clear. If you assume the codes are a number in hexidecimal, and the above are the number of bits dedicated to each bit of information, they appear to agree well. This table differs slightly from Steve Gibson's version. The differences appear to be minor and reconcilable - Earthlink doesn't seem to like the use of the word "Sandbox" in external publications, but it's their own term for their software and it seems quite appropriate: a closed environment which has all the toys you need and which you don't want to/are not able to escape from. (A screenshot of Earthlink's Sandbox is available.)

While I was looking into this, I also noted (Ethereal strikes again) that Earthlink's Sandbox sends a good chunk of data back to Earthlink's servers upon initial installation - this data is PGP-encrypted, or at least it is preceded by a header indicating that it is. This data is sent whether or not the user is signing up for a new account or just re-installing the software on an old machine. There is no easy way to determine what information is being sent back without performing a comprehensive disassembly of the software. As of press time, Earthlink has not provided any information about what is being sent to Earthlink's servers when their software is installed.

So, there you have it. Is Earthlink's code a unique ID? Apparently not. Does it reveal more information about you when you are browsing the web than is revealed by any other web browser? Yes. Can you turn it off? No, but you could use another browser. Will 99% of Earthlink's users ever know about it? No.

software phones home

Earthlink's Sandbox sends a good chunk of data back to Earthlink's servers upon initial installation ... There is no easy way to determine what information is being sent back without performing a comprehensive disassembly of the software.

Let alone the HTTP header, the installation transmission seems to be an issue. It's not the first time I see software doing it, and I'm getting sick of it. I don't want my software to "phone home" every time it's installed or run. That's when I jumped in the open source/free software bandwagon. I won't run ANYTHING without the source code available. Granted, I will not always CHECK the source code, but at least I can.

CC/PP

There is a W3C standard called CC/PP for telling web servers all about your browser (so that it can send you some useful content rather than just telling you 'this page is best viewed in 800x600 in lots of colours). This seem to be doing much the same, abeit in a non-standard way. Then again, everyone is ignoring CC/PP.

Re:CC/PP

[Shimbo]

There is a W3C standard called CC/PP ... Then again, everyone is ignoring CC/PP.

I just checked, and it seems to be still a working draft. Given that just about all browsers have basic HTTP, HTML4 or CSS2 bugs, CC/PP can probably wait a while.

CC/PP

Timely article. W3C just advanced a working draft of CC/PP to Last Call.

It stands for Composite Capabilities/Preferences Profiles. It's a language that your browser could use to describe its capabilities and your preferences, e.g. "32-bit display, 800x600 browser window, PPC hardware, no applets."

The idea is, of course you want the server to know what you've got, so it doesn't send you useless content. Like it or not, your browser will be having deeper conversations with servers, pretty soon.

...On the other hand, this language (CC/PP) looks too complicated to use.

I'm a web developer. If I'm on the server, I want to deliver content to the browser and let the browser format it appropriately, taking into account resolution, window size, color depth, user colorblindness, and so on. Heaven knows I don't want to write an IF statement for every possible pipe size.

There just needs to be a way for me to write "you've got a choice-- low-bandwidth or high-bandwidth media; 8-bit or 32-bit images" using tags in my HTML, and the user's browser should decide what to do with that information. Often it can just pick the best alternative for that client. If not, it can always just render two links and let the user choose.

-- Jason - too lazy to log in

Re:Macintouch shows even more info divulged

That could have been 4 different people visiting 4 different sites. The IDs are not unique to a person. Have you read a single word of the article or a single comment in the thread or are you just karma whoring with a perceived security problem?

THIS IS NOT UNCOMMON!!!

This is not an e-link only idea!
Nor do you have to hide this in the HTTP Header. Instead, Javascript is fully able to get this information and transmit it in --- say --- the Query of an image request to another server that logs the hit into a DB to track Page Views.

Look for Application Service Providers providing Traffic Logging services.

Re:I would love this feature if it was improved

I think you will find most good web designers do care about these things...It's the marketing droids that want the shiny spinning stuff and the locked layouts

You're making the assumption that there's a high population of these so-called "good web designers". If only that were true! It's nice that good web designers care about those things, but one has to wade through the dreck to find them.

Oh, and don't get me started on people who think that they're good web designers. You give me that goddamn javascript scroll function instead of a standard scrollbar, and you lose my eyes, instantly.

Re:AOL

aol has acouple of programs that regularly check the serial numbers of the software you have installed; all that info used to be in a file that got put in the system root directory; Thats why I use netscape. If netscape is doing this, they're at least trying to hide it; The devil I don't know is better than the one I know? Any way, the worst ones are DVD software. There are all kinds of monitoring programs with these, seems like a different version for each, but they all include MS serial numbers. Hell, even my cirrus logic modem has one of these; It puts a file called CLdma.log that has all this info in it as well. This gets sent after install as well, but none of the monitor programs I have show to who. (need better one, I guess.

A few comments....

OK, I work for Earthlink - tech support specifically (actually in one of the legacy Mindspring centers, so I may have talked to at least one of you at some point in time :), so, here's my whole take on this stuff:

The headers: Well honestly, I had heard about them maybe 48 hours before the story hit /. (figured it would have been sooner, honestly). Looking at what it info it provides, yeah they're pretty harmless. Of course, I know many of you wouldn't want this info sent out, so send emails to feedback@earthlink.net for your concerns. YES, they get read (eventually!). Hell I wouldn't be suprised if they add a switch in the next software release now. And yes, we do care about our users and their privacy. And we really hate spam too :)

Sky Dayton and Scientology: OK, Sky Dayton is a member of Scientology, and he's our chairman. Now, does that mean the whole bloody company is commited to said belief system? Of course not. From what I know of Scientology, we sure don't run our company based on their ideals. Check: http://www.earthlink.net/about/mission.html if you wanna know what kind of beliefs we use in day-to-day business (and we may not be doing our best in all those categories, but damned if we're not gonna fix that). And our people are really cool - Carter Calle, Mike McQuary, our TS managers - they rule.

Re:A few comments....

[gavinhall]

Posted by Le tech:

Figures the login didn't go through right. Stupid browser! Anyways, that's my post.

Re:You are all missing the real surfing tracker: S

[Patrick]

Since all https certificates come from and are checked against Verisign, then Verisign could theoretically track who is going to what SSL site.

Fortunately, no. Every browser that supports verification of SSL certificates includes a static list of trusted certificate authorities. The cert validation (against Verisign, Thawte, RSA, or whomever else) occurs entirely within the browser, without any network communication.

Your ISP, and anyone else on the request path, can see the source and destination IP addresses for your SSL requests. No central party, Versign or otherwise, sees all users' traffic.

Government Intervention is NOT the answer...

[gavinhall]

Posted by srvivn21:

Sadly, you can't legislate morality.

Re:I would love this feature if it was improved

[gavinhall]

Posted by Dianalyn101:

As the owner of the site you mentioned, I'd like to speak up in my defense. I don't claim to be a professional web designer anywhere in my site. I don't offer help, I don't offer my services. I never even claimed to be great as you seem to have implied I did. I'm an university freshman who just plays around with it as a hobby. Big deal. Sure, it'd be a different story if I was doing something for a company or on a topic that's going to pull in thousands of visitors. But it's not. The typical age for people who visit my site range from 13 to 23 who run on fast connections and the newer browsers. It's fine for them. In fact, if you go around and look at other sites that focus on the same genre of Japanese animation, you will find that it's pretty much the same. We're just hobbyists, like our grandparents who made model boats and collected stamps before us. And there shouldn't be a problem with that. I experiment with new scripts because I can. I'm not trying to bring in a paycheck or please the masses. The web is not full of professionals, there are just as many out there who are amateurs just like to do it. So if you really want to find designers to criticize, why don't you find someone who does do it for a living and has to do it for reasons other than leisure.

Re:As A Web Designer

[Stormie]

I couldn't tell you why Google has made the decision to use IP address rather than the Accept-Language header to determine what language to serve up files, but obviously, it has a pretty stupid result.

That's interesting. I couldn't tell you what Google are doing right now, but I noticed a couple of months ago that they were doing language picking. I'd set the default locale on my work PC (WinNT 4, IE5) to Standard French to work on a bug that only manifested itself for our French customers. While in this mode, I happened to hit Google, and got the French version of the page. So I would suggest that they were at at least one time using the Accept-Language header. Why they changed it, I don't know. Maybe to catch OS/browser combinations that did not supply the needed data.

But this is wildly offtopic, so I'll just try to drag it back by saying: the info that Earthlink are providing could be used for good or evil, but it's all pretty pointless. Sure people might be willing to code up different versions of their site for different bandwidths, languages, whatever - but who will make that effort if it only handles customers of ONE ISP, using ONE browser? Daft. I'm sure the only purpose it so Earthlink can get an idea of what settings people have from when they hit the Earthlink homepage.

Re:The real issue

[sjames]

Earthlink could do themselves a big favour by revealing exactly what is being sent.

We can make several guesses based on the fact that it is encrypted. It is encrypted because:

1. It's customer's private information that they filled in themselves.
2. It's information that Earthlink definatly doesn't want anyone to know they are gathering
3. It can be.

3 is unlikely (why spend money for a totally unnecessary feature). Since I have no idea what sort of information is entered for installation, I'll guess 1.

In the case of 1 or 2, they'll never give enough information to verify any of it. If it is 1, that's with good and honorable reason.

Re:The real issue

[sjames]

Rabid paranoia aside did you ever think that maybe they want to protect their users privacy, and that's why it's encrypted?

Actually, that's exactly what I listed as probability #1 (and my best guess). Now, who's rabid paranoia were you referring to?

Why need this information?

[Masem]

As others have stated, it's not really a uniqueid, your connecting IP is giving away more information that this. But why do they need all this data?

The only thing that it would seem to me is that it is because Earthlink has poor web page design (not browser, their internal web pages!) that they require to know 1) what speed you can handle , as to adjust A/V content as to suit your connection speed, 2) what your screen layout is as to probably used fixed width tables effectively in the HTML layout, and 3) where you are located in the country (via the POP bank info). Neither of which is even necessary if you follow HTML 4 specs, with effective use of the OBJECT tag, relative table sizes, and use of the standard HTTP header and/or cookies, respectively.

In other words, their customized browser appears to be covering up for lame web page designers.

Re:Why need this information?

[jonbrewer]

Why would I need this information?

Choices concerning data presentation.

The fact is that given a large dataset, I'd rather present a java grid to people with the bandwidth than the ten pages of html tables required for friendly modem usage.

I'd like to make it as big as I can fit on the user's screen. With HTML I don't have a choice - if there are eighteen columns the users will have to scroll horizontally and vertically. With a Java grid I can size it perfectly, but only if I know how big the user's screen is beforehand.

You make the assumption that "web pages" are all about good design or poor design, and you take a dig at their designers. You forget that some people actually use the web to present data.

Hopefully now you'll see some usefulness in these new HTTP headers.

Re:Why need this information?

[HiThere]

You seem to be assuming that the user will be browsing with the screen maximized, which I never do. When I hit a site that insists upon that, I immediatly leave it, even when, as occasionally happens, it means killing the browser.

Don't design for the maximum possible screen size. That is very bad manners.

Caution: Now approaching the (technological) singularity.

Re:Why need this information?

[Kynn]

Actually, it's not necessarily poor web design at all, and HTML 4.0 is certainly not the solution. I'm not talking out of my ass here. I'm a member of several W3C working groups, and from experience, it's clear that the HTML 4.0 specification -- and indeed, the whole HTML model of web interaction -- is woefully inadequate for allowing authors to describe user interfaces. My work at Edapta -- now owned by Reef -- has focused on using dynamic generation of web-based user interfaces to allow optimized presentation based on the user's needs, settings, and preferences. The more information that the user chooses to provide, the better the match for the resulting web UI. This is necessary because current HTML/XHTML standards do not meet the needs of the users, the authors, or anyone else, except in the barest minimum sense that you can build a graphical layout which is nearly completely lacking in semantic information. This means, for example, that the site is useless for anyone who does not use a graphical browser -- such as users with disabilities, with screenreaders. The solution is not to try to force a "one size fits all" when doing web design -- the real solution is to have intelligent, user-aware servers which will automatically transform/morph content into a format that is most useful by the end user. --Kynn

Re:Google.com, from non-US anyone ?

[Malc]

This automatic redirection is really irritating. www.expedia.com has done this for sometime based on language settings in IE. I've basically stopped using the site as I can't be bothered to change my language settings just to go there.

Re:Sig Critic

[RobKow]

And it seems the following is growing, too:

- anti-heterosexual

<RANT>Stupid people go overboard on everything. I hate 'political correctness,' and fail to see the point. Idiots.<RANT>

Disclaimer: I'm not heterosexual (so take that, PC boys)

Re:As A Web Designer

[WWWWolf]

As a web designer, I'd love to have this information. I only wish more browsers immediately told me what speed the person was at. Then you could do the high/low quality links for them.

Personally, even if stuff like this would be given in HTTP headers, I would still let them choose.

Even at high speeds, it's often much cooler to use the light version - what if I don't want to use the gigabit ethernet capacity all at once? =)

It's just the same problem as with processor speed vs. optimization - "Don't care about the size, the user will upgrade the hardware." At least in web, it's possible to optimize...

Re:Obfuscated information

[valmont]

you are obviously talking out of your ass. just *look* at the specs and then *think*. geez.

Re: Misunderstanding?

[hany]

You are talking about page setting based upon user's request.
'prizog' is talking about page settings based on what browser reveals to server.

Firts I consider "behaviour based on user's choises", second I consider "bahaviour based on server operator's choises" (because users ussualy can't easily change headers sent by browser nor they can predict how will server interpret them).

Thus first thing I consider good (as you too), second I consider "not that good and inpolite" (as prizog).

Re: is HTTP_ELNSB50 header negotiation?

[hany]

Is HTTP_ELNSB50 header negotiation?

If I can specify somewhere in browser settings, thet I want pages rendered for 14.4kbit modem, 640x480 resolution and 16 colors, than we can call it "negotiation".

But if browsers just takes my systems setting, assumes for me, that I'm browsing with windows maximized and that I like HEAVY graphics (because of my fat connection), then it is not negotiation.

Re:Damn Straight!

[hany]

Damn Straight! (Score:3, Funny)
by Greyfox (nride@uswest.net) on Tuesday March 20, @15:41 CET (#54)
(User #87712 Info)
http://www.paratheoanametamystikhood.net
It's like The Prisoner...

Web Designer: What do you want?
Customer: Information!
Web Designer: You won't get it!

That's not funny, that's real.

Re:Horrors!

[Genom]

Ahh - I see my error - I was under the impression that once they encrypted it, it counted as a "work" and was thus implicitly protected.

I stand corrected.

Re:Horrors!

[Genom]

The sad thing is, the law actually goes the other way and protects THEM from YOUR possible DECRYPTING of the information.

They invade your computer, grab some personal information and encrypt it, then send it back to their servers (without your knowledge). You find out about this, and find a way to decrypt it. You find out they've taken a LOT more than anyone would want them to, so you publish your findings. They don't like this (it's bad press) so they sue you under the terms of the DMCA (the material was "protected" by encryption, and decrypting it for any reason is illegal...)

Sad state of affairs in this country. Very, very sad.

Re:I would love this feature if it was improved

[Jenz]

I thought webdesigners job was to care about style. Journalists should take care of content.

I agree with you when it comes to usability though.

--
Fredrik Borg

Re:Horrors!

[Ares]

Well, the DMCA only works (theoretically) if they hold the copyright on the information they're encrypting. If it's on my PC, chances are pretty good that Earthlink, or whoever might do what has been suggested, has no copyright on said information, and the DMCA therefore does not apply to their "access control".

Of course, I ain't a lawyer, and given the sad state of affairs in the judicial system, the perpetrator could probably buy their way through it.

Causes Extra Bandwidth?

[wynlyndd]

By implementing this extra header on every HTTP request (every html, every jpg, every gif) can we estimate how much extra bandwidth Earthlink incurs?

Re: It's not even "much" more they find out.

[Ross+C.+Brackett]

It's bad enough you can do it with JavaScript. What they should really do is not design resolution/color depth/etc specific HTML pages. The W3C should have opposed those additions to Javascript (and Javascript in its current form in general) as well as these stupid HTTP headers.

Sigh. I'm a geezer at 20.

This, BTW, is why "the browser is the platform" is perhaps not the best idea. CSS2 widgets encourage browsers to be uniform, but it's browser diversity that encourages people to not code for a specific platform. HTML just wasn't designed to do this faux bitmap garbage that passes for a website nowadays, nor should it have.

for anyone too lazy to do it themselves....

[mcramer]

print join("\t", qw(reserved monitorDepth browserFontSize connectionSpeed connectionType monitorHorz monitorVert browserViewHorz browserViewVert popID sandboxVersion)), "\n";
while(<>) {
($misc, $monx, $mony, $browsx, $browsy,
$popid, $sand) = map {hex} unpack("A8 A4 A4 A4 A4 A8 A8", $_);

$res = ($misc & 0xffc0000) >> 18;
$dep = ($misc & 0x003fc00) >> 10;
$fon = ($misc & 0x0000380) >> 7;
$spe = ($misc & 0x0000070) >> 4;
$typ = ($misc & 0x000000f);

print join("\t", $res, $dep, $fon, $spe, $typ, $monx, $mony, $browsx, $browsy, $popid, $sand), "\n";
}

Re:The real issue

[Sentry21]

90% is too low. No one should believe and report anything they can not verify themselves.

Yes, the good and right thing to do would be - what, exactly? Give out their private key for all to see?

My guess would be that they encrypt the data so it can't be sniffed en-route to their servers, but I'm sure they'd be happy to send personal information over the net unencrypted.

Seriously though, sometimes paranoia goes just a bit too far. This ludicrous 'trust no one' philosophy makes no sense whatsoever. If you're so scared of people out to get you, go live in a cave or something, and quit annoying the rest of us.

Re:More proof we need government intervention

[seichert]

If the government intervened they would probably require that all such personal information be registered with the government so that they could "protect" you. If the government intervened they would probably demand that a copy of all retrieved personal information be sent to the FBI just to make sure a criminal wasn't online.

Remember the government does not want privacy on the internet. They want the exact opposite. They need to be able to mine as much data about their subjects as humanly possible. Anything preventing this is detrimental to their goals.
Stuart Eichert

Re:I would love this feature if it was improved

[devious]

Maybe they don't care about us just wanting usefullness or content. The majority of visitors love those fancy/flashy intros anims etc.
So why should they care as long as they're selling?

Though some might not know otherwise.. :)
is ignorance bliss?

Re:Not an HTTP header

[wik]

It's an HTTP header. Check the HTTP 1.1 RFC, around page 116. HTTP is a generic application-level protocol that is frequently used to transfer text/html files, but also Content-types of image/jpeg and other useful data formats.

Re:As A Web Designer

[wik]

Even high-speed people mind waiting if you have a complex page!

Take a look at www.microchip.com. On every page they serve, they have a unobtrusive link called "Page Options" at the top where you can choose what page you want to get: text only, graphics or Java frame. As it turns out, I use all three versions from my university ethernet connection, depending on if I want the heavy-duty search in Java (like a MSFT help search, index, etc box), I just want to browse (I'll use graphics) or I really need something fast (text-only). It's not polite to NOT give these choices to the user!

It works great! I don't know how much more it costs them to do this, but it definitely makes for happy customers. Each version is based off a different root directory on the server and all three are probably generated automatically without the web designer having to think twice.

As far as having something else to do, generally it's looking at one or two other active Netscape windows.

Re:OFF TOPIC-Re:Great googly-moogly

[teasea]

How old is this Maggie thing. Frank Zappa used this exlamation in 'Cosmic Debris' in the very early 70's. Just wondering.

Re:More proof we need government intervention

[Dr.Dubious+DDQ]

Of course, the odds of such a law happening are slim; the odds of a well-crafted law passing are about zero.[emphasis added]

This, unfortunately, is EXACTLY why many of us disagree with your subject line...though your suggestion of a good privacy law is not unreasonable, the fact is, US Govt. Inc. has been showing itself more likely to do harm rather than good when it interferes. After all, the DMCA (for example) and the Indecent Communications Act [Yes, I called it that on purpose :-) ] were both, arguably, intended to protect artists and/or children...but only served to attempt serious harm to the rights of US internet users (and, indirectly, internet users elsewhere in the world). The CDA was fortunately swiftly slammed. I can only hope the DMCA is next, but fear there's too much money pouring in through lobbyists to fix it completely.

Given this track record, I'd be worried that the hypothetical "Internet Users Privacy Act" might contain provisions to, say:

1. Require ISP's to send copies of personal data to a new Federal Office of Internet Privacy Protection to be checked for violations [and, "of course", to help track down child pornographers and/or tax evaders. Hey, this IS congress we're talking about...]
2. Appropriation of $15,000,000 to investigate possible shady activities of Hormel [a clause tacked on by minimally clueful legislators trying to appear "tough on Spam"...]
3. A clause making it illegal to make a left turn on tuesdays during a full moon unless your name is Myrna. [Don't you just love riders?]
4. 27 clauses amending the DMCA and making it less comprehensible...
5. Details of how complaints of privacy violation should be handled, such as requiring complaints be submitted as Microsoft Word 2001 documents...

Okay, okay, that's enough necro-equine flagellation from me...
---
"They have strategic air commands, nuclear submarines, and John Wayne. We have this"

I Beg to Differ - "PDF isn't interactive"

[Eravau]

"PDF isn't interactive."

On the contrary, PDFs can be very interactive. With Acrobat you can create a PDF with:

• Links - from graphics/buttons or text - to other pages in a PDF (the present one or another), to web sites, or to other documents/apps on your machine
• Forms that will submit info to web servers
• Javascript actions that occur on page openings, link clicks, etc.
• Embedded animation and sound

No, the interactivity of PDFs isn't quite as slick as inside of a web browser, but it's far from being non-interactive. But PDF is about the most platform-independent format you can use if you want something to look the way you originally created it...because sometimes form does matter when presenting your content.

Re:Google.com, from non-US anyone ?

[ethereal]

You lost it. A search on 'nazi volkswagen badge' from google.fr get me straight to an ebay auction for that kind of shit (but yahoo.fr don't give it).

And, thanks to your brilliant idea, I will now have my phone line taped by french secret services due to illegal activities on the net. Thanks :-)

Bienvenue a France, vive le thoughtcrime :)

Re:I would love this feature if it was improved

[198348726583297634]

• Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accesible by the visually impaired or degrade well for old browsers.

What else are web designers for?????? That seems to be _exactly_ their purpose! dressing up the content! Web designers don't provide you with the content, they _design_ the website! If you have a beef with the fact that they're not providing the content how you like it, take it up with the content provider (the person the web designer is designing for) and demand that _they_ give it to you. Don't knock the web designer for doing their job.

Re:As A Web Designer

[sammy+baby]

This is bad for two reasons:

I disagree about as strongly as it's possible to disagree. Content negotiation is a Good Thing(tm).

Here's an example: when I go to a web site, I expect (hope?) that the content of the site will be rendered in English. For large web sites with a multi-lingual user base, that's not always a safe assumption. Fortunately, content negotiation makes that possible.

3.10 Language Tags
A language tag identifies a natural language spoken, written, or otherwise conveyed by human beings for communication of information to other human beings. Computer languages are explicitly excluded. HTTP uses language tags within the Accept-Language and Content-Language fields.
- from RFC 2616

Apache makes on-the-fly decisions about what content to send based on this.

Does that mean that webmasters need to be careful about how they set up their sites if they're using this technique? Sure. But it also opens up a wide range of options.

1. It's more expensive to design 2 sets of pages. That money should be spent on more content.

Speaking on behalf of webmasters everywhere: thanks for telling me how to spend my money. Allow me to suggest that doing two versions of the same image - one at a high bit-depth, and another at a lower quality - isn't too much of a strain on my budget.

2. Sometimes people with slow modems don't mind waiting - maybe they let your site load in the background while they do something else. It's not polite to make these choices for your users.

Content negotiation doesn't have to be like making the choice for the user. Instead, it can work as a reasonable best-guess. Besides which, I've seen plenty of sites which simply assume high bandwidth (or pathetic bandwidth) and make all the design decisions based on that information. In what way is that giving the user a choice, other than to vote with his feet?

-----
"You owe me a case of beer. Sucka'."

Re:As A Web Designer

[sammy+baby]

Yeah, exactly. Content negotiation is a good thing - when you do it the right way. I couldn't tell you why Google has made the decision to use IP address rather than the Accept-Language header to determine what language to serve up files, but obviously, it has a pretty stupid result.

I'll tell you what I'd really like to see (now that it's just occurred to me) - a "Reject-MIME" heading. That way, if I get sick and tired of watching some hack's Flash movies, I could tell the server not to send 'em to me. Or a "Max-Content-Length" heading, so sites wouldn't shoot 5 meg files at me without asking.

-----
"You owe me a case of beer. Sucka'."

Re: is HTTP_ELNSB50 header negotiation?

[sammy+baby]

You're right: not only is the header not a standard HTTP header (standard compliance good! embrace and extend bad!), it's not even easily accessed by the user.

I didn't mean to suggest that this particular header was a good idea: I meant that content negotiation based on bandwidth constraints isn't a bad one.

-----
"You owe me a case of beer. Sucka'."

Re:Earthlink customer service sucks

[HiThere]

I haven't tried them recently, but when I tried last year the service was quite good. And two years ago they were willing to research what I would need to do to set up a Linux connection (basically add some DSN lookup #'s).

Stupid cost cutting can happen anywhere, but perhaps you just hit a peak time.

Caution: Now approaching the (technological) singularity.

Re:I would love this feature if it was improved

[Tim+C]

Not to mention that the questions mentioned can be answered using client-side javascript, at least in modern browsers.

(Okay, so you can only test capability and not preference...)

Cheers,

Tim

Re:Will 99% of Earthlink's users care?

[Sly+Mongoose]

Do 99% of food-eaters check the fine print to see what addatived are being "forced down their throat"? No. Which is why it is more important than ever, that watchdog organizations keep a careful eye on things for us. It is good to have these things brought to light and discussed. In the event that there is no real danger, then fine. But without someone taking the time to check we would never discover the instances of real abuse.

Re:Enough bits?

[Todd+Knarr]

I think they're referring not to just the number of bits but to the amount of variation ( or lack thereof ) between different headers for that number of bits. Sure you've got 192 bits, but they don't change enough between different user's browsers to be usably unique. Compart that to MS GUIDs, that vary drastically from one system to another.

Information revealed

[Todd+Knarr]

Actually I don't think the Earthlink header reveals too much unpleasant. In any browser that has Javascript active, any Web page out there can pull out the same information. The only thing they can't is the POP ID, and they can infer that from the IP address you're using if they want to. I don't like that they're sending the info without saying they are, but the info itself isn't particularly distressing. Maybe we need something like P3P but working the other way, telling you what information your browser is going to send and making sure that matches your preferences before sending it?

Re:Judge "DMCA" Kaplan

[Royster]

He says that it is not an affirmative defense to a Section 1201(b) trafficing violation.

Re:Horrors!

[Royster]

The sad thing is, the law actually goes the other way and protects THEM from YOUR possible DECRYPTING of the information.

Don't misstate the DCMA which is bad enough as it is. If a Technical Protection Measure is an effective access control (where "effective" dosn't mean that it works well or is hard to crack) protects a copyrighted work, then you may not circumvent it without authorization.

Earthlink would have a very hard time demonstrating that the information they send is copyrightable because it is just a set of facts about your machine. Therefore, the encryption is not a section 1201 TPM. Furthermore, Fair Use is an affirmative defence.

Couldn't be a good GUID????

[sterno]

I mean fine, I'm willing to believe earthlink here, but your suggestion that it's not long enough to be a GUID seems specious. If you look at the numbers we can clearly see that each number can be at least 0-d which implies that it is probably either an 8 bit character or a 4 bit character (i.e. hexidecimal). So, you say:

Microsoft's GUID had 128 bits; a good hash function might have 160 bits;

Well, if each character in that string was a 4 bit number, then you are talking 4 bits in 48 places which means it is at least a 192 bit number. So, your logic seems somewhat faulty.

---

Re:Couldn't be a good GUID????

[slamb]

The information he provided to you should be trivial to disprove if this is a GUID. He gave specific meanings for each byte in the string. All you have to do (assuming you are an Earthlink customer, if not I don't see how this concerns you) is to find out what your string would be if the meanings given are correct. Then use a proxy server or packet sniffer to find out what your machine sends to remote sites. If the information is correct, the two will be identical. If it is false, maybe it is a GUID; it is also possible michael made a typo or something.

Re:Couldn't be a good GUID????

[The+Pim]

Did you look at the example IDs? There were seven of them, and they varied in only 8 bits.

Re:Couldn't be a good GUID????

[startled]

Hmm, he actually said, "even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs.". While he did go on to count bits immediately after that, he mentioned that since these numbers were taken from widely scattered machines, they should be a lot more different. The issue wasn't really the length-- it was that the numbers were almost identical for a bunch of different machines. They aren't too short-- they're too similar.

This does solve one problem....

[EvilJohn]

...with targeted ads. One of the most desired features from current advertisers is the ability to target ads based on the users location. Doing this by IP is very spotty, the POPID would solve that problem fairly safely.

// EvilJohn
// Java Geek

Re:This does solve one problem....

[jonathanclark]

I can get your location from your IP address fairly accurately.

checkout:
http://jonathanclark.com/where.php

--

Re:This does solve one problem....

[Caspuh]

From your IP address, I guess that you are from Orlando,_United_States.

Nice try. I'm on the other side of the country, in LA.

Re:This does solve one problem....

[bildstorm]

True enough... Posted my opinion below, but again, when I worked for an ISP, this was what it was all about.

We were also looking at ways of even filtering out other ads on other sites and replacing them with our own ads for our users.

Re:As A Web Designer

[cHiphead]

Technically speaking, wouldn't smashing a 21" monitor over your head be doing something about it?

-=Gargoyle_sNake
-=-=-=-

Re:As A Web Designer

[Nightpaw]

1. It's more expensive to design 2 sets of pages. That money should be spent on more content.

Duh, you put the content in really plain HTML files and use Perl or PHP to use the right template as the page goes out.

Re:As A Web Designer

[King+Babar]

I understand your position. However, as another web designer, I would love to at least have easy access to your preferences. Typically the browser settings would be a good indication of the user preferences. Possibly a better solution would be a "preferences" header. This way each user could set up things like "prefered size", "prefered resolution", "prefered font and size". These could be transmitted to the server and utilized appropriately.

And this is where I always wonder about web designers, including Earthlink. On the one hand, I could understand how some of this could be important if we were talking about sending full-fledged web apps to the user. On the other hand, it appears that what most web designers really want is the ability to send me content that would be far better off rendered as a pdf file. There are exceptions, but most of those are better handled using CSS (and we know how popular *that* sensible solution is). I mean, I know what my preferred fonts and sizes are. I set them up in my browser, and 98% of everybody who *doesn't* try to give me some kind of special web experience and just sends me html ends up giving me something I'm happy to look at. Again, I really wouldn't mind too much if designers at least used CSS consistently, since I can arrange things there so that nothing too horrible happens.

But that leaves all the rest of you, and I'll guess we'll just have to wait until you either learn or lose your jobs.

whats happening to slashdot?

[Apps]

"but it took a few days to look into it"
first they remove a post because of the Scientology movement threatning to sue, now they are researching the stories before posting them!!

I remember the old days when this sort of thing would never happen ;-)

Re:whats happening to slashdot?

[cyberdonny]

> first they remove a post because of the Scientology movement threatning to sue, now they are researching the stories before posting them!!

Didn't Scientology actually own Earthlink at a certain time? Or still own it?

Re:The real issue

[cruelworld]

I think the very fact that it's encrypted must mean it's either child-porn or terrorist plans.

Or maybe Terrorist Child-Porn Plans.

Re:I would love this feature if it was improved

[COLUG]

> I want the old internet back.

gopher://gopher.heatdeath.org/00/the%20gopher%20ma nifesto.txt

Back far enough for ya?
---------

This isn't anything special, folks.

[Jobe_br]

Not to offend anyone, but this information just isn't anything special. Of the information that is provided by the sandbox:

• monitor depth
• browser font size
• connection speed
• connection type
• monitor horz
• monitor vert
• browser view horz
• browser view vert

The only portion that can't be gleaned from the browser via JavaScript is the connection speed/type. While you probably won't be able to determine the connection type, it certainly isn't difficult to determine the connection speed. And when it comes to anything related to web design, the connection type itself is unimportant. Hence, when you determine the connection speed via a simple server-side script, you have all the relevant information that the sandbox provides.

Now, I agree with many of the posters - you shouldn't use connection speed info to determine what you serve up, maybe to make an informed decision of the default, but if you have multiple types of content created, you should always give the user the option to choose.

Note that gleaning the sandbox info and using it to determine what content to serve up may backfire on you anyway: two cases come to mind: a shared network at home is one, the second is downloading the kernel or maybe the latest Mandrake iso while you're surfing the web ... in either case, there may not be nearly as much bandwidth available as the sandbox reports.

Re:As A Web Designer

[0xdeadbeef]

For the uninitiated, when a web designer says this, he actually intends the obnoxious, bandwidth hogging version to be "high quality". They're funny like that.
--
Bush's assertion: there ought to be limits to freedom

Re:Do your math

[jellicle]

I'm aware of that. But since the numbers from widely varying machines are not widely varying, most of the number isn't available for use as a unique ID - this is clear immediately.

Example: if you have an ID string from a machine in China and a machine in New York and the two strings are:

FOOBAR-5654375

FOOBAR-6327264

You'd probably suspect that the FOOBAR- part of the string did not differ between machines and so can't count for uniqueness. Go look at the examples provided again.

Re:Some thoughts on Earthlink...

[jellicle]

It would, except that, as I noted, it is sent whether or not you are signing up for a new account.

Re:As A Web Designer

[Kartoffel]

Use Opera.
Opera is MDI. bletch.
--

Even a cursury examination...

[Calmacil]

Even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs

That is being somewhat harsh, especially because my cursory examination shows 192 available bits. Just because they don't look randomly assigned doesn't mean they aren't unique. There are lots of ways to write 0001, 0002...

BTW, this doesn't mean I think Eartlink is lying. I believe them.

Re:The real issue

[taer]

Or they could have given the public key, as public key encryption allows you to do, which would require no passphrase or private key.

Re:The real issue

[spectecjr]

These utilities sound very useful. Could you please post links to their websites?

I'm not the original poster, but...

SysInternals has the goods...

Si

Re: It's not even "much" more they find out.

[spudnic]

Let's say that I'm not writing for a specific platform, but I would like to be able to find out the horizontal viewing area in the browser window so I can set a textarea to a pleasing width without resorting to javascript shananigans.

Would that be so horrible? I think it's a great idea. Make it a standard. No harm done. It's not intruding on my privacy in the least. I don't care if they know I'm running at 1280x1024 and I've got a cable modem.

Re:Not a Big Deal, you don't see the issue

[spudnic]

I don't understand the objection to targeted advertising. Maybe someone can help me out here.

While watching TV I know that I'd much rather see commercials for XYZ, Inc's new fiber widget or the new fall line of ThinkGeek t-shirts rather than something on vaginal dryness. If ThinkGeek knew the 75,021 TV's that might be interested in their products, they could afford a national ad campaign directed at those people.

It works for everybody. Advertisers don't waste money on people who will never buy their product, and I might not use my Tivo to fast forward through all the boring commercials that have nothing to do with me.

Maybe I'm just not paranoid enough.

Re:Google.com, from non-US anyone ?

[simong]

Google Europe went online a couple of weeks ago, and as far as anyone can work out, they're using IP address based redirects to send users to their country local site. The upshot has been that there were lots of problems in the first few days as the database was being sorted out. I wasn't getting redirected to Google.FR or anything but for a while my searches were getting results in Swedish first.

Re:Sig Critic

[thal]

As a side note, Ted Turner just had to apologize after calling people with ashes on their foreheads "Jesus freaks".

Yeah, but that's a Catholic thing, who are very much a minority in the US.

--

Re:The real issue

[Salamander]

Oh yeah? Check out HKCU\Software\Human\BodyParts\Boobs\Parameters, and you'll see a DWORD value for it. If you don't, you probably need to fix your registry, because several MS applications will crash if they can't find it.

Re:I would love this feature if it was improved

[Kynn]

The neatest way to improve this feature would be to implement the W3C's Composite Capabilities/Preferences Profiles specification. It's still under development now, but you can read an old, old article I did years ago for the HTML Writers Guild's newsletter, at ccpp.org, or you can just check out the W3C's web site. There's a public draft currently available. --Kynn

Re:Not an HTTP header

[MemRaven]

It's probably rightfully considered an HTTP header indicating that what follows is HTML. HTML is only considered in the payload of the transmission, and that occurs in the HTTP header before you get to the payload. Otherwise, it would make little sense to have text/plain as a Content-type, since you can transmit that over HTTP with no HTML coming in at all. Content-type: text/html just indicates that what's about to come over the wire is in HTML form.

CongressCritters

[Grendel+Drago]

We need some Slashdotters in Congress, I guess...

I can just imagine...

Senator 1:Ah'd like to introduce the Incredibly Dense and Verbosely Named Act here...
Senator 2:ALL j00r bAse ar3 b3l0ng t00 us!!
Senator 3:Mod this up!
Senator 2:Richard Stallman fucks goats!
Senators 4-99:Windows Sucks!
Senator 100: [Insightful and penetrating response to the proposal]
Jon Katz:In our POST-COLUMBINE SOCIETY, it's important to remember how right everything I say is.
Senator 2:Penis birds! Natalie Portman!
Senator 2:I bent my Wookie.
And so on.

Ugh... you probably meant that what Congress needs is Dave Touretzky (whose name I've certainly misspelled) in office.

-grendel drago

Re:As A Web Designer

[prizog]

"As a web designer, I'd love to have this information. I only wish more browsers immediately told me what speed the person was at. Then you could do the high/low quality links for them."

This is bad for two reasons:

1. It's more expensive to design 2 sets of pages. That money should be spent on more content.

2. Sometimes people with slow modems don't mind waiting - maybe they let your site load in the background while they do something else. It's not polite to make these choices for your users.

Where are the mod points when I need them?

[wiredog]

Perhaps someone who has the points could mod this up for me? Clinko makes a good point here.

Darn it

[wiredog]

How am I supposed to be paranoid when you people keep throwing reality at me?

Re:Google.com, from non-US anyone ?

[wiredog]

They just don't want to get sued by France (as yahoo did) if you, or other users, look up sites containing Certain Illegal(in France) Information. Try doing a google search (from the redirect) on that info. Bet it won't allow it.

Re:I would love this feature if it was improved

[Mr.+Slippery]

I think that screen size falls under "function" and not "form". People with small screens need information (regardless of what it is) presented in a long tall format so they only have to scroll down, not side to side. People with huge screens need information presented in a short wide format so they don't have to scroll at all.

Does no one remember that ancient mantra, "Trust The Browser"?

Way back when (you know, like four or five years ago), there was this idea that web servers would serve content. And web browsers would format it and display it. So, if my server was serving up, say, my resume, you could make your browser window skinny or fat or whatever and your browser would format it long and tall or wide-screen as needed.

Tom Swiss | the infamous tms | http://www.infamous.net/

Re:As A Web Designer

[droleary]

Speaking as "another web designer" myself that's also a tech, you're the kind that have given us all a bad name and screwed up the web. What you're looking for is more ways to push style over substance, and I'm asking you to reconsider that position. Yes, everyone has different preferences, so how about giving them content they can use regardless of those choices instead of trying to manage the myriad of different user preference combinations that might want to see your pages? You don't have to do jack to give the user what they want given the preferences they have chosen.

Re:I would love this feature if it was improved

[cyberdemo]

or, you could write a page that will open in any browser.
--

Re:I would love this feature if it was improved

[Backward+Z]

Why leave out a user's option to customise?

Imagine this: a preferences tab

(Autoloading)
(X)Assume Flash
( )Assume HTML

(X)Automatically send resolution information

( )Send lots of personal information that /.'ers shit bricks over

Come on. Don't assume the worst on everything. I wouldn't mind hitting a button ONCE that defaults me to Flash if I like Flash. It's like how IE autosaves passwords. It's convenience. Turn if off if you don't want it.

Of course, we can't assume that a lot of companies would allow this preference, but I'm sure some would pioneer and make a name for themselves.

-Backward Z

Re:Excellent news.

[Tackhead]

> I don't know if you know or not, but you do not have to use EarthLink's browser with their ISP service. Its not like AOL, which a gateway to the internet (or it was last time I checked).

While this is true today (I, too, set up M$ DUN manually when dealing with any ISP), it may not be in the future.

There have been persistent rumors over the past month or so that ELNK is about to be bought out by MSN.com.

Earthpink's business goal is to become the next AOL. "Sandbox" is an apt word - they market themselves as "the real Internet" (the anti-AOL), but the reality is that they're trying to be AOL.

Browser language preferences

[nano-second]

In my experience Google decides which page to give you based on your browser preferences. Since these are set by the user, I don't think there's anything wrong with that.

(If you use Netscape, look in the preferences area under language, you probably have French set as 1 in the order.)
---

Re:Browser language preferences

[f5426]

> That really sux. Please do us both a favour - mail them and tell them to at least provide a 'in english, please'-link that can be bookmarked.

They already provide a bookmarkable link that works for me. It is <http://www.google.com/intl/en>. This one is not redirected, and is in english.

But the big issue, for me, is that they may start to use different databases for various audience, in which case I may not be able to access google.com content from france, only a english version of google.fr.

So I mailed them anyway.

Cheers,

--fred

Re:Browser language preferences

[f5426]

> In my experience Google decides which page to give you based on your browser preferences

You experience don't map mine.

See the log below. It is just a telnet to google port 80. I only sent a 'GET / HTTP/1.0' and google redirects me to the french page. Hardly a user preferences.

This is recent behaviour, started a couple of weeks ago.

15:36:10|152 [ladybug:~] fred% telnet www.google.com 80
Trying 216.239.37.100...
Connected to google.lb.google.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 302 Moved Temporarily
Date: Tue, 20 Mar 2001 14:59:24 GMT
Server: GWS/1.10
Connection: close
Set-Cookie: PREF=ID=19fe6a8304c33946:TM=985100364:LM=985100364 ; domain=.google.com; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT
Location: http://www.google.fr/
Cache-Control: No-Cache
Content-Length: 161
Content-Type: text/html

<HTML><HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<BODY>
<H1>302 Moved</H1>The document has moved
<A HREF="http://www.google.fr/">here</A>.
</BODY></HTML>
Connection closed by foreign host.
15:36:24|153 [ladybug:~] fred%

Cheers,

--fred

Re:Browser language preferences

[RedWizzard]

Could this be a reaction to that brain dead French court ruling on Yahoo? Maybe Google is filtering out Nazi related stuff if the reverse DNS indicates you're in France? Of course that wouldn't excuse them from only providing a French language page.

Re:Browser language preferences

[perlyking]

Can you not change your language preferences at http://www.google.com/preferences ?

--

Re:Browser language preferences

[Nickoty]

That really sux. Please do us both a favour - mail them and tell them to at least provide a 'in english, please'-link that can be bookmarked.

Re:Not an HTTP header

[hucke]

> Umm... isn't Content-type: text/html an HTML header, not an HTTP header?

Uh, no. HTML is a language that uses tags enclosed in angle brackets ("<" and ">") to define the structure of the document. HTTP headers precede a document of any type and are of the form "keyword: value". "Content-type: text/html" is not HTML, it's HTTP.

Re:I would love this feature if it was improved

[romco]

"Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accesible by the visually impaired or degrade well for old browsers."

I think you will find most good web designers do care about these things...It's the marketing droids that want the shiny spinning stuff and the locked layouts

Maybe not. (Also offtopic.)

[Ungrounded+Lightning]

Ha! another Maggie and the Ferocious Beast afficionado!

Possibly not. It was also used (no doubt as a throwaway reference) in a storyline in Phil Foglio's _XXXenophile_ comic. (X rated, so most of the M&FB fans will have to wait a few years to view it.)

Phil throws in a lot of references to other works. It's nice to know where this one came from.

Re: It's not even "much" more they find out.

[Nurgled]

Re:The real issue

[goldmeer]

What is even more insane is if it *IS* PGP, then they've given you a private key, and probably the passphrase.

Nope.

It's likely that the key used is their public key. That way, only their private key can decrypt.

That's the beauty of PGP.

-Joe

Agree with it's a big deal

[ButtChicken]

While this sounds innoculous there are only so many permutations on a person's browser that are different before it will uniquely identify them against someone else This also certainly gives EL loads of good marketing information for pop-ups (e.g., buy a new monitor if screen res is 640x480, etc.) Inserting conspiracy theory here L

Re:As A Web Designer

[GOiNK]

If such headers were commons, it'll take a couple of year until: 1/ Users will have only one link and the server will choose what content is best for him 2/ Users with browsers that don't give the info will be redirected to a please-use latest IE page. It have been that way for most web [mis]features.

I even get (2) today by going to hotmail (with IE 5.5). It's wonderful what "referer rewrite" in a proxy can do. No way in heck I want to let people know what browser I use. Like opera, where you can select which one, "Identify as MSIE 5" :) Cool

Clams are very active these days...

[BlueUnderwear]

At the risk of making a barbecue of my karma:

Seems like the quota-hunters moderate everything down which is remotely critical of their cult... Parent is on-topic: this is the very ISP the article talks about, and was a direct response to the question asked in parent! The article was about a header which could have been used for snooping, and the "cult" would gladly engage in these kinds of activities.

Re:I would love this feature if it was improved

[jesser]

Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"

What if I resize my browser window? Are you going to have a script that forces a page reload every time I resize?

Re:You can get this info with a standard browser

[jesser]

Sites can silently collect information sent in HTTP headers (or use a script to look through logs afterward). With JavaScript, you can usually see what information the site looks up by looking at the page source. Thus there is some loss of privacy in including this information in the headers.

Re:This benefits Joe User

[Cplus]

You just referenced Ivory Soap. Four out of dentists approve.

And ELNK advertises freedom from AOL's "sandbox"

[slasher666]

Of course this is the same Earthlink that
advertise that their service is the /true/
Internet and not keeping users in a "sanbox"
like AOL.... THen they come out with their
own privacy raping product and even name
it 'sanbox'? Classic. Fuck ELNK. THey're
gonna get bought by MSFT soon anyway.

Re:As A Web Designer

[slasher666]

Sure. THey have "Page Options". And you
must have /fucking/ /JavaScript/ on to
get to them.

This site /sucks/.

Macintouch shows even more info divulged

[BAM0027]

Macintouch shows that doing a web search on 'ELNSB50' provides more info than simply codified attributes of your client connection. Clicking on results from Google display "Web Browser Agent/Platform Statistics" which can be used to determine which websites a person visits.

At random, I chose the browser ID of "000041100320025802940113000000000502000800000000" and searched on that. I found that browser had visited four specific sites.

I don't want my tracks to be available to everyone. I understand that my perusals are logged in my company's system since that's my net connection, but these aforementioned actions are available publicly. That's not a good thing.

Re:The real issue

[ckaminski]

What is even more insane is if it *IS* PGP, then they've given you a private key, and probably the passphrase.

Some ambitious hacker could then figure out the passphrase, and impersonate Earthlink. :-) How stupid of them Earthlink....

-Chris

Re:The real issue

[Spunk]

These utilities sound very useful. Could you please post links to their websites?

--

Shady irony.

[supabeast!]

I saw an Earthlink commercial on TV the other night. It went on and on about all of the shady things people do to strip away privacy on the internet. Then it stated that Earthlink would never do those things.

Given this stuff is not actually tracking anyone, but it does carry more information than is at all necessary (Not than any is really necessary.).

Of course, given the history net companies have with privacy, it really is not surprising.

Will 99% of Earthlink's users care?

[n8_f]

No. It was a nice attempt to stir up controversy on a story that isn't really that interesting, though.

Will 99% of Earthlink's users ever know about it? No.

Re:not sure about this...

[jamesoutlaw]

I agree with you. I'm really tired of designers who choose style over substance. I am all for making sites beautiful, but adding Java applets and Flash aimations just to "show off" rather than actually enhance the user's experience is a complete waste of time. In the right hands, information such as the bit-depth & connection speed of the end-user's computer would be very useful. Unfortunately, there are too many of the wrong hands designing web pages.

Re:The real issue

[holzp]

c'mon where are your h8X0r's balls? build a de-earthlinkifyer proxy which strips this info off http.

Damn Straight!

[Greyfox]

It's like The Prisoner...

Web Designer: What do you want?
Customer: Information!
Web Designer: You won't get it!

Re:Damn Straight!

[lamasquerade]

You forgot the defiant bit:

Customer: By hook or by crook... We will!

Would Proximitron help?

[BobGregg]

I don't know if the EarthLink browser can be set to run through a local proxy, but if it can, then Proximitron can prevent the extra HTTP header from being sent at all. I just started using it, and it works wonderfully. Plus the paranoid among us can open the HTTP log window and watch what's being sent out and received, for that warm-and-fuzzy reassuring feeling.

Earthlink Avoids AOL Fiasco?

[Havokmon]

So you mean to tell me that Earthlink is monitoring who is browsing from what POP, and to where on the internet? So that can use that information for what purpose?

The only one I can think of is customer service. Everyone knows someone who tries to dial into AOL on a busy night and gets a busy signal. Those boxes should also be giving usage info, but I don't see Slashdot throwing a fit over that. What do you do with that info? You decide whether you need more or less dial-in servers at any location.

This is the same thing for internet traffic. So what if Earthlink rearranges their peering to accomodate heavier volume in other areas? If I was an Earthlink customer, I'd be happy to know that they're making sure high bandwidth users who goto a similar location just might be re-arranged so as to not interfere with the rest of their users.

Re:I would love this feature if it was improved

[JoeShmoe]

I think that screen size falls under "function" and not "form". People with small screens need information (regardless of what it is) presented in a long tall format so they only have to scroll down, not side to side. People with huge screens need information presented in a short wide format so they don't have to scroll at all.

Remember when most sites had a "text only" link? Maybe if the browsers make it easy to identify text-only users then that kind of duality can come back. Right now I think web designers don't want to have to present the text-only question before jumping to the content. But that's laziness more than anything.

- JoeShmoe

I would love this feature if it was improved

[JoeShmoe]

Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"

Its possible that based on the connection speed, you could default modem users to the HTML site and broadband customers to the flash site (of course, with links to the opposite choice). You could also arrange the tables so people with smaller screen sizes are scrolling left to right and people with large screen sizes aren't forced to scroll down a website that fits into the first three inches of their screen.

I do think there is something else they should flag...system color scheme. I use a darker scheme where my text is white and my workspace is black. On many websites with hardcoded white background I can't read a thing. I usually end up having to disable them. It would be nice if a website could ask my browser what my default text color is and send out the appropriate background.

Re:I would love this feature if it was improved

[ChristTrekker]

Netscape 4 was the first browser I saw where the CSS was somewhat useful. Does anyone remember how badly IE 3 sucked? Sure, you have to limit yourself to a small subset (fonts, colors, some basic floats and alignment) but that subset is useful.

A year ago at this time I still restricted myself pretty much to that subset. Now, however, I am using CSS2 features pretty freely. N4 knows zilch about CSS2, so it's pretty safe, as opposed to certain CSS1 properties that it tries to work with and screws up. With Mozilla very stable (meaning a good N6 is just around the corner) and Opera (nearly ready on Linux and Mac) I feel pretty confident using CSS. I haven't used a FONT tag since 1997, and I've been validating my markup almost religiously for about 3 years.

Get ready for tomorrow today. N4 is dead. If the N4 folks complain, point them to Opera, or iCab if they're using a Mac.

Flamebait != Disagree

Re:I would love this feature if it was improved

[ChristTrekker]

Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"

Imagine sending your content in a universally accessible fashion, rather than a proprietary format that requires a plugin. Imagine designing a site correctly so that it automatically fits any size browser with no extra work or finagling on your part.

Its possible that based on the connection speed, you could default modem users to the HTML site and broadband customers to the flash site (of course, with links to the opposite choice).

If you recognize here that people want a choice, why don't you recognize their choices (system preferences) in other areas as well?

You could also arrange the tables so people with smaller screen sizes are scrolling left to right and people with large screen sizes aren't forced to scroll down a website that fits into the first three inches of their screen.

See above. A good design accommodates variable screen sizes without the need for "detection scripts" and such. You don't need to know the user's screen size.

I do think there is something else they should flag...system color scheme. I use a darker scheme where my text is white and my workspace is black. On many websites with hardcoded white background I can't read a thing. I usually end up having to disable them. It would be nice if a website could ask my browser what my default text color is and send out the appropriate background.

Similar functionality exists in CSS. If the site uses your system colors it will behave as you describe.

Flamebait != Disagree

Re:I would love this feature if it was improved

[FTL]

>Similar functionality exists in CSS.

Touch CSS, and watch Netscape 4x become virtually unusable. I would love to use CSS, but I can't for at least another year until NS 4 goes away.
--

Re:I would love this feature if it was improved

[indiigo]

I believe Lynx is still free. Give it a shot!

Re:I would love this feature if it was improved

[pi_rules]

It would be nice if a website could ask my browser what my default text color is and send out the appropriate background.

Ahh... why set the background image? Why set the text color? Let the browser pick it. You can change the default BG color in Mozilla / Netscape 6, and probably in the 4.x series too but I can't remember. I can change my default text color too, my default link color, etc. And i can set up an option to ignore stylesheets. Designers that begin forcing colors onto my browser bug me; but I can understand it to some point simply because everybody does it. Try Yahoo! sometime in Netscape -- they don't even set their BG color. Nice. :)

Justin Buist

Re:I would love this feature if it was improved

[CCat]

I'm not the Anonymous Coward who flamed your sites, but I don't think you realize that you're losing site visitors because of your design decisions. I went to your pages, since as a fan of anime I often spend time looking at such sites, but I wasn't able to get past the front page of one, or the second page of the other one (after choosing the 'netscape' option.)

> The typical age for people who visit my site range from 13 to 23 who run on fast connections and the newer browsers.

I have a cable modem, but I do admit I'm a little outside your target range. Do you realize that by limiting your page in this way, you are helping to ensure that the group of people who visit your site doesn't change? That is, when you turn people away when their web browser doesn't meet what you deem appropriate, you have changed things from 'people who happen to visit my page,' to 'people who I will allow to visit my page.'

> It's fine for them. In fact, if you go around and look at other sites that focus on the same genre of Japanese animation,

And that would be, what, shojo? I have to guess, since I'm not able to actually see enough of the sites to know what they're really about. The guy who does Anipike's Last Exit, found here,

http://www.anipike.com/lastexit/archive.html

has complained about this kind of thing in the past: while dedicated shojo sites are often very pretty, they drive him nuts with various javascript requirements and other problems put in the hands of your visitors.

I don't blame you, or expect you to change. They're your sites, and in the end the only one who needs to be happy with them is you. However, I won't be visiting your sites either, because you won't let me...

Re:I would love this feature if it was improved

[AnarchoFreak_00]

Some web designers do this already.. It's called javascript.

And when used in this way it is very bad.

I can count howmany times, I've gone to a site, to be told that I don't have the flash plug-in, when I do, and sometimes they're silly enough not to include a link to the flash as a backup.

Things that automaticly decide what the user will see, is very bad UI.
As some mentioned above, so what if I have a 56k, I wana see the high bandwidth version anyway. Maybe I want to see the site at 800x600, eventhough my screen res has been set to 1024x768 or greater.
It's nearly as bad when a site automaticly pop's up a window, without having to click on the link. and people with no mute option in their flash sites.

Re:I would love this feature if it was improved

[AnarchoFreak_00]

Just a quick point.

The new standards, event though they do offer designers better tools, so they can postion things exatly where they want, and can include lots of style on there site.
They also make it more accesible to visualy impared, or browsers like lynx, PDA and moble phone browsers, becasue the style part is ignored, just leaving the content. And not a whole lot of tables, images with the content, which is what happens at the moment.

Good designers shouldn't need to build a site for differnt screen res's--most of the time--anyway. It isn't that hard to get a site to work in both, and it would be easier if the browsers supported the standards better.

Re:I would love this feature if it was improved

[cliveholloway]

Errr, heard of JavaScript?

Assuming "standard" monitor resolutions:

<SCRIPT LANGUAGE="JavaScript1.2">
if (Screen.availWidth > 980) {
// show 1024 x 768 version
}
else {
// show 800 x 600
}
</SCRIPT>

As for flash, use it as much as the best web sites - Yahoo!, Google, Alta Vista, eBay etc, and you'll do fine :)

Oh, while you're at it, use dreamweaver, it creates really compact code.

cLive ;-)

Re:I would love this feature if it was improved

[gowen]

I think you will find most good web designers do care about these things...It's the marketing droids that want the shiny spinning stuff and the locked layouts

In which case the good web designers should stop selling out to the man :)

Re:I would love this feature if it was improved

[gowen]

Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"

Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accesible by the visually impaired or degrade well for old browsers.

I want the old internet back.

Re:I would love this feature if it was improved

[KarmaBlackballed]

Imagine never having to answer stupid questions like "flash or html?" "800x600 or 1024x768?"

This is already available through JavaScript in the IE browsers. (See "body" properties.) I wouldn't be surprised to find it in the Mozilla/NetScape6 browsers too.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~ the real world is much simpler ~~

Re:I would love this feature if it was improved

[kylepike]

You are still making assumptions about the browsing experience.

• My screen resolution is 1600x1200 but I never, ever, ever maximixe my browser window. My browser window never gets wider than about 1024 pixels -- Unless a lame site (like heavy.com) decides to maximize it for me.
• I have an intellimouse. If only HTTP headers could tell us who has wheel-mice. See, I don't mind scrolling. I'd rather scroll than have to read a column of text that's 1000 pixels wide. Any day.
• I still run 56K dialup. So given the option of 1024 or 800, I'll choose 800 every time because the overall load time is bound to be shorter.

I hate to make sweeping generalizations, but it seems to me web designers whose roots in web design come from programming understand the concept of user preference. It also seems to me that the designers with their roots in print, or interactive, want to control every little aspect of the user experience. They want to maximize your window (or worse - use 6 frames) and force you to watch the flash intro and absolutely position every pixel on the page.

Sending screen resolution isn't anything new when it comes to HTTP headers. IE for windows has been doing it since 4.0. Netscape does it too, they just subtract the area that windows' taskbar eats up. I find it interesting that Sandbox is sending the viewable browser size too, which is a much more usable statistic. See this link for more info on that..
(http://evolt.org/article/Real_World_Browser_Siz e_ Stats_Part_II/20/2297/) for the timid.

Re:I would love this feature if it was improved

[Matthew+Ewing]

Yes, imagine. Imagine if web designers weren't obsessed with style over content, with special effects over usability, with animated intros over usefulness, with exactly positioned layout over standards that are easily accesible by the visually impaired or degrade well for old browsers."

I think you will find most good web designers do care about these things...It's the marketing droids that want the shiny spinning stuff and the locked layouts

As one of the lead web developers for a large and successful e-commerce site (who will remain unnamed because I'd like to keep my job) I can attest to this fact. The typical concept-to-implementation for a project starts out with our designers having created low-bandwidth, user-friendly, but still good looking designs, our developers having coded it browser-inspecific, and the database people having given us good structure on the back-end.

Then the marketers and upper-management get their hands on it. "Can you change this feature?" "Can we add flash to that page?" "Can we get that in cornflower blue?"

Not to mention if we ever present multiple design concepts, they never want all of one, they want bits and pieces from all of them, resulting in a frankenstein monster that is not only hell to write, but hell to maintain and hell to use.

It doesn't help that our designers are constantly looking for ways to stretch themselves (you'd get bored doing GIF and JPG banners all day, too) and jump at any opportunity for huge flash projects.

The end result is a meeting room with three or four developers voices about feasability, usability, and scalability lost amid a sea of excited voices about what a fancy, exciting site it's going to be once we implement all the new features.

Most developers really do have good intentions, but we're not given the freedom to implement any of them.

And, because we have a team of top-notch developers, we actually are capable of building the frankenstein monsters they want, and when we succeed in building it, they only want more just like it. Our earlier protests are forgotten, many marketers grumbling quietly that we must just be lazy and not want to do more complicated web design. In the end, to the their minds, we're just their trained monkeys.

Damned if you do, damned if you don't.

Re:I would love this feature if it was improved

[Ayende+Rahien]

No, it's text editors (notepad, pico, etc) that makes compact code.

Re:I would love this feature if it was improved

[vena]

oh yes, truly, now imagine if we all realized some websites aren't meant for you! oh wonderful enlightenment! could it be that sometimes style is the point? horrors! could it be that web sites are often personal?

Re:As A Web Designer

[KilobyteKnight]

Web designer should stop trying to think for the users,

I understand your position. However, as another web designer, I would love to at least have easy access to your preferences. Typically the browser settings would be a good indication of the user preferences. Possibly a better solution would be a "preferences" header. This way each user could set up things like "prefered size", "prefered resolution", "prefered font and size". These could be transmitted to the server and utilized appropriately.

And frankly, as someone who has done tech support, I KNOW that sometimes the experts do have to do the thinking for the end user...

Re:As A Web Designer

[KilobyteKnight]

You can get most of the info through javascript then return it to a cgi for logging purposes.

In my experience, Javascript is usually a bad solution to whatever the problem is (others would disagree stongly). With this particular issue you have the problem of passing the information to the server (a page load), keeping up with the information while the user navigates (session management/cookies/user tracking of some sort), and the generally not-quite-completly-compatible nature of Javascript (you have to write scripts to check for and behave differently for just about every browser and browser version).

Sure, there are plenty of prewritten scripts to do just that. But you still have to worry about the possibility that the user's browser does not support Javascript or that it is disabled. You therefore STILL have to have a default "blind guess" (as opposed to a "Javascript guess") version.

The HTML headers would not remove the need for a "blind guess" version, but it would solve all the other problems. If it existed, the web designer could count on it and utilize it easily.

Re:As A Web Designer

[KilobyteKnight]

On the one hand, I could understand how some of this could be important if we were talking about sending full-fledged web apps to the user. On the other hand, it appears that what most web designers really want is the ability to send me content that would be far better off rendered as a pdf file.

That's right. It would be better visually many times as a PDF... Or an easily resizable Flash... or, or, or. Right now though, the best thing we have to work with for display is HTML.

CSS is still in the "maybe one day it could be really useful" stage, but it is mostly broken in different ways on different browsers. PDF isn't interactive. Flash is about 90% supported display-wise, but tools for interactive use (such as the PHP-Ming combo) are still maturing and you still have to be concerned with the other 10% of users.

Don't get me wrong. I think pixel perfect HTML is much more trouble than it's worth. However, it's generally marketing that makes the look-and-feel decisions, not us measly nerdy web masters. A HTML header that would give me as a designer a couple more tools to work with would be extremely welcome.

Personally, I'd like to see HTML completly scrapped in favor of something that works well. It's being used for things it was never intended. I picture it as this huge pile of scrap stuck together with bubble gum and kite string. Like Microsoft, massive chunks of gizmos tacked on from every direction that somehow still manages to (mostly) work. HTML is not the best tool for most jobs, but it's the most common and compatible.

Re:As A Web Designer

[KilobyteKnight]

Speaking as "another web designer" myself that's also a tech, you're the kind that have given us all a bad name and screwed up the web.

That's going to far.

What you're looking for is more ways to push style over substance, and I'm asking you to reconsider that position.

What I'm looking for is a better way to manage display. Let's face it, most websites are little more than interactive ads. Sites like this are the exception, not the rule. What you suggest works fine for a content driven site, not for a corporate site where the marketing department is extremly concerned about presentation.

Yes, everyone has different preferences, so how about giving them content they can use regardless of those choices instead of trying to manage the myriad of different user preference combinations that might want to see your pages?

That's precisely what I would like to do. With a little more information on what their preferences are, I can easily generate pages that give them what they want in a way they perfer. Want just the basics? No problem. Want fancy animated graphics? No problem. Want it converted to PDF and emailed to you? I can even do that. But if I don't know what you want, I have to make trade-offs to serve the lowest common denominator.

You don't have to do jack to give the user what they want given the preferences they have chosen.

I disagree.

Re:As A Web Designer

[ChristTrekker]

Use Opera. It has a handy 3-way image toggle button right in the window. The user has final control, no matter how badly dee-zyne-ers want to usurp it.

Flamebait != Disagree

Opera

[ChristTrekker]

Windows implementation of MDI is "bletch", yes. Other than that, Opera is a very good web browser. Bring Opera's features to the Mac, where MDI doesn't suck, and you've got one great app.

Flamebait != Disagree

Re:As A Web Designer

[ChristTrekker]

Precisely! Microsoft did the web an injustive when it went down the path of spoofing as Mozilla. Once they did, everybody had to. What would be so wrong with identifying as what you really are?

I always set my browsers (Opera, iCab) to ID correctly. If the site blocks me because they're using some idiotic detection script, I write the webmaster a nice letter. I'd love to see a button in the UI of these browsers to pop up a form letter to the page author or webmaster@<domain>.

Flamebait != Disagree

Re:you miss the point - graceful degradation

[ChristTrekker]

On the contrary, my personal site (which is built with compliant HTML 4.0 and CSS) looks just fine on a wide variety of devices. This includes Mozilla, iCab, WebTV, Lynx, and AvantGo. Separate content from style and you'll never go wrong.

Flamebait != Disagree

Re:Which format are you thinking of?

[ChristTrekker]

I'd love to see SVG take off.

However, what I was trying to say was that Flash is largely unnecessary. Many sites use it for the "gee whiz" factor. It adds nothing useful to the site that plain HTML markup couldn't do. That's what bugs me.

Flamebait != Disagree

you miss the point - graceful degradation

[ChristTrekker]

Screen size is a matter of "form". A "short fat screen" has a different form factor than a "tall skinny screen", right? A properly designed web page is not constrained to any one resolution or window size. CSS has provisions for layout boxes defined as a %-age of the parent element and for floating elements. If I resize my browser window, the web page should reflow into the available content area, not be locked to a particular presentation.

Do you really want to build a site 4 times to accommodate 4 different ways a user might access it? What happens if a 5th method is developed — do you retrofit all your existing sites? No! Build the site correctly and you only have to do it once!

Remember when most sites had a "text only" link? Maybe if the browsers make it easy to identify text-only users then that kind of duality can come back.

There never was a duality, except when lazy web designers were involved. Web content is primarily textual. If you have inline images or other media, you're expected to provide ALT text and similar fallback mechanisms. Graceful degradation and device independence are the key, but the concept seems to have flown right over the heads of an entire generation of dee-zyne-ers.

Flamebait != Disagree

Re:you miss the point - graceful degradation

[stephenbooth]

Something I recently came accross that some /.ers may find interesting or even useful. I was recently involved in a project to provide local council information over a web interface to the citizens. We consulted a number of suppliers omn this and one of the few common statements from all of them was that currently just over 60% of all web users use a device other than a computer to browse (eg WebTV, IdTV &c), that proportion looks set to increase, currently no widely available device supports HTML above version 3.2 and most of those devices have a screen resolution below 640x480 (many are as low as 320x240 or lower and may have other restrictions such as monochrome and/or low update speeds).

The upshot of this is that if you use any version of HTML above 3.2 or require specific screen sizes then you're potentially cutting out 60% of your audience. Sure design you pages to look good in the high end browsers but make damn sure that they degrade nicely for those people on IdTV.

Re:Not a Big Deal

[TopShelf]

Or did They simply snip out that reference without you even knowing???

Re:As A Web Designer

[jmv]

Sometimes people with slow modems don't mind waiting

...and the other way 'round. I have DSL, but I still hate those big pages with all the text dislayed as gif, and which I can't read, since my monitor is 120 dpi and it's written with 75 dpi...

I always choose "slow connection" for sites, when I have the choice

Re:Good Thing

[vuelto]

We could also combine that info with Amazon.com cookies and direct people to websites that suit their economic standing. What a great idea!

Re:As A Web Designer

[Karellen]

This way each user could set up things like "prefered size", "prefered resolution", "prefered font and size"

Uhhhh - all browsers that can display different fonts and different sizes of font already _do_ have that preference.

In Moz, it's under Edit->Preferences->Fonts

I set up my preferred default font and size and, hey presto, get to see all the web in my preferred font and size, unless some stupid shithead 'web designer', probably using frontpage, has put <font face="somecrapfont" size="8pt"> tags all over the fucking place.

(Heh - note that the 'face' attribute has _never_ been part of an HTML _recommended_ spec? The 'font' tag was introduced in HTML 3, but the only attribs defined were color and size. 'Face' does get a mention as a non-standard extension though. And then in HTML 4, the 'face' attribute suddenly appears deprecated. WTF!?! What's the point in adding an item to the spec only to immediately deprecate it? What's the point in that? Dumb bastards.)

Anyway - you want *another* prefs page so that servers can send info back to override the user's default settings?

Er, no. Send some content. Let the User Agent render it how the User want it to.

More proof we need government intervention

[blueskyred]

The big companies will always be ahead of crusade sites like Slashdot. Even though we will eventually find out what is going on, it is always after some form of privacy trampling has taken place.

There needs to be a law on the books that prevents the transmission of any information without the user's express consent. I'm not talking about the "If you install this software, you agree to these terms" type of consent, but the "we are sending the following information to our central database: connection speed, monitor type, ..." with a OK/Cancel popup. This becomes important when you start sending things like "We are sending the following to the Microsoft database: Your hard drive's serial number, your mother board's serial number, your up-to-date billing statement ensuring you have paid for this week's use of Windows XP,..."

Of course, the odds of such a law happening are slim; the odds of a well-crafted law passing are about zero. We need some Slashdotters in Congress, I guess...

Re:More proof we need government intervention

[jgerman]

>>We need some Slashdotters in Congress, I guess Oh God please no! Just what we need congressmen running around DC shouting "First Vote!".

Re:More proof we need government intervention

[Duckz]

no, I don't believe we need a new law on this. The less laws the governments make the better. I'd rather vote with my dollars rather than my freedom when it comes to industry that violates my privacy.

The government is not the best judgement of what information I want and do not want to give away, I am.

--
Todd

Re:More proof we need government intervention

[RESPAWN]

We need some Slashdotters in Congress, I guess...

[I'm sure to get flamed for this one, so please don't take offense.]

Well, if we want to play "amatuer sociologist" (and I'm sure that I just mispelled that) we can probably determine why there aren't many Slashdotters in Congress. I think the main factor is that a large portion of geeks just aren't as socially adept as the vast majority of congressmen. I mean, let's face it guys. An election is simply a popularity contest, and I'd be willing to bet that a lot of us were never popular in either high school or college. (Myself not included, of course. ;) It usually takes a certain kind of person to make a good politician, and those people typically aren't geeks. The traits of 'being popular and knowing how to work people' and 'being a good coder and knowing how to work a UNIX system' are usually mutually exclusive.

That said, I myself will be interning as a basic all around computer geek for a state legislator this summer, who just happens to be a good friend of my grandmother. So, maybe, just maybe, I'll be able to help her to make informed decisions on various technology related policies. Yeah, it's not the same as a Slashdotter in Congress, but it's a start. In fact, I think that what we might really need are some geeks to advise the politicians. That could work.

--------------------------------------

Re:More proof we need government intervention

[gilroy]

Well, I'm glad you're going to sit down and reverse-engineer every piece of software you buy or download, before installing. I suppose you're also going to inspect all the farms that grow your food, the plant that makes your car, etc.

I think the original poster came pretty close to hitting it squarely on the head. Note that the suggestion was not that government ban the sending of information. It was proposed that government mandate the revelation of information-mining, so that you can vote with your wallet... intelligently. It's as easy to say "The fewer laws the better" as it is to call for a cradle-to-grave state. Both are failures and abdication of voter responsibility. What we need is the right laws, and their number will fall somewhere between zero and infinity. Though it was said 150 years ago, it's still true:

The legitimate object of government is to do for a community of people whatever they need to have done, but cannot do at all, or cannot so well do, for themselves in their separate and individual capacities.

-- Abraham Lincoln

Re:More proof we need government intervention

[|<amikaze]

I have a much better solution to your problem. Why not decide to only use SOFTWARE that you trust? I'm not trying to be an open-source zealot or anything, but if you feel that you are being violated by a piece of software that you CHOOSE to use, then it's really your own fault now isn't it? There are always alternatives available, and if there isn't, why not write your own?

Re:More proof we need government intervention

[tanner_andrews]

Isn't it amusing, also, that the Chicago Tribune article cited above forces formatting to a very much useless default? Two columns (right and left) surrounding text, formatted to be too wide to display on a nice big screen without scrolling left and right.

Well, yes, this does tend to support the thesis that folks coming from a print background tend to force-format things, and that the result is usually bad.

Re:More proof we need government intervention

[The-Zaphod]

I agree. There was an artical in the chicago tribune newpaper Yesterday on a company called copyright.net that is using a peice of software, little bot anyway. To scan the harddrives of users that are using the service of napster or gunata(sp) looking for Songs that are copyrighted. The link to the article is HERE

Once is finds a song title on your system is sends of a letter of demand to your ISP, demanding that your connection be terminated until you remove the offending title. This is very much like breading and entering to me. They are not part of any of the services that the user uses, but they secretly invade a system and scan the hard drive. There needs to be laws protecting us from Blantant attacts on our privacy like this. I posted this to /. yesterday but it was rejected as an article so figure is sorta fits here.
The Zaphod

Re:The real issue

[twitter]

Yeah, but 90% of /.ers wouldn't believe them anyway.

90% is too low. No one should believe and report anything they can not verify themselves.

If comments are a guide, the other 10% are making up excuses for the sneaky blood suckers. This is much too high, as are their mutual masturbation +5 scores.

ATI website

[Khopesh]

anybody know how ati's website knows i'm using mozilla?

this seems to be where the browser is defined. this is the main site. I can't find the code that determines anything other than mac vs pc ie vs ns.

I agree with fred that this should not be determined by the website. I would love for mozilla to be able to dynamically change how it identifies itself (but apparently the mozilla team disagrees). Regional detection, which was originally done soley for tragetting local ads, is not as easily within our control (as it is done by traceroute and cooperation of internet and backbone providers.

fred makes a good point. let the user choose what is best for the user!

JavaScript can do more than most use it for

[Khopesh]

Browser size and color depth can be auto-detected by a few neat javascript methods: just highlight this text and pop it into your browser's location bar (and hit enter):

javascript:alert('You are using ' + navigator.appName + ' ' + parseInt(navigator.appVersion) + '\nYour resulution is ' + screen.width + 'x' + screen.height + 'x' + screen.colorDepth + '\n This browser window is ' + outerWidth + 'x' + outerHeight);

(slashdot filters this out when I make it a link, but it is normally possible)

Connection speed can be determined by a java applet that sends packets back and forth. Cellphones send this information already, since they are otherwise nearly impossible to surf with.

The question we have to ask is: Do we always WANT sites to determine what we want? If my browser window is really small and i go to a site with a lot of information, should it load specialized for a small window or should I make my window bigger?

Re:The real issue

[andy@petdance.com]

Earthlink could do themselves a big favour by revealing exactly what is being sent.

Yeah, but 90% of /.ers wouldn't believe them anyway.

--

Re:Google.com, from non-US anyone ?

[limbostar]

Try http://www.google.com/intl/us/.

You can get this info with a standard browser

[boldra]

Easily done with a javascript/cgi combo.

<script language=javascript>
var peek;
peek = getMaxScreenX + getMaxScreenY (etc etc)
document.writeln('<IMG SRC="/cgi-bin/peek.pl?'+peek+'">');
</script>

Nothing fancy, but with 4+ version browsers you have some extra info. You can even get plugin info this way.

Re:You can get this info with a standard browser

[YetAnotherDave]

um, that code doens't appear to work (IE 5.01)

a search of netscape's DevEdge site for getMaxScreenX also returns no results...

??

�AND GET SUED!

[yerricde]

Then you have the cgi return a single pixel gif.

And face a lawsuit from Unisys. But s/gif/png/ and you're fine; however, single-pixel PNGs are a bit bigger (byte-wise).

Anyway, what are you going to set as the alt="..." text (now a required attribute in <img> elements) for such a web bug? A more l33t way to do this would be to make your site logo a web bug; users wouldn't notice as much. This also sidesteps the "1-pixel PNGs are huge" problem.

All your hallucinogen are belong to us.

�Place the link at the top, outside of tables

[yerricde]

Then someone on a 56k or less dialup has to download the heavy content site...just to switch it to lite.

That's easy to solve: place the link to light content at the top of the page, outside of any nested tables.

All your hallucinogen are belong to us.

Re:�Place the link at the top, outside of tables

[boing+boing]

Well I have a solution, put the light content as the default and if they want more give them a link. The light can always be the default, with links to "Click here, let us set a cookie that says you like big bandwidth hogging content from our site forever". Then on the default light content site, check the cookie and redirect to heavy content. Am I missing something?

Re:�Place the link at the top, outside of tables

[popular]

Well, the idea is that the HTTP header would provide enough information for a server side script to determine whether light/medium/heavy should be loaded without user intervention, but it would also be nice for the user to override those settings on per use/site/global levels.

For the kind of work that I'm doing right now (educational software via web), it would be great if there was a simple way to determine the quality of the deliverable content. Corners can be cut in audio, image quality, etc.

--

Which format are you thinking of?

[yerricde]

Imagine sending your content in a universally accessible fashion, rather than a proprietary format that requires a plugin.

What vector animation format doesn't require a plugin? Flash is the most universally viewable vector animation format on the Web today. (This may change with SMIL+JS+SVG but we'll see about that.)

All your hallucinogen are belong to us.

Re:Google.com, from non-US anyone ?

[AnarchoFreak_00]

Off-topic again, but how do you get this header info? It's obviouly not by viewing the source.
Forgive me for this probably obvious question. But I'm on a win box, and networking isn't my specialty.

Thanks.

Enough bits?

[micco]

ELNSB50::0000411003200258029a014700000000050300280 0000000

Even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs. Microsoft's GUID had 128 bits; a good hash function might have 160 bits; those serial numbers, culled from widely scattered machines, aren't unique enough.

It's beside the point, but exactly how many bits do you think are in there?

It looks like you have 48 characters after the colons. That's more than enough bytes to encode the bits you say you need to be a unique ID. If each pair of characters is a hex representation of an 8-bit number, then you have a 192-bit space.

Re:The real issue

[stilwebm]

At least they are sufficiently concerned about our privacy so as to encrypt the information. That should keep it from snoopers!

Oh wait...

Targetted advertising!

[bildstorm]

I used to work for an ISP and we had ideas about things like this.

If you have all that information coming in to the web server, then you can server ads based on their configuration and location.

The more they use it, the more sites end up in their history or cookies, and the more you know about what they like.

Basically it's great for generating revenue. Sucks for the privacy level, but isn't illegal if done right.

Re:Google.com, from non-US anyone ?

[bildstorm]

They're really checking the ISP?

I've been working from Switzerland, and they originally sent me to Google in German. But then I realised my redirect was because of my browser settings, being set for being in Switzerland with a Swiss German keyboard.

A soon as I changed my location settings, I was fine.

Re:As A Web Designer

[chrischow]

don't diss the web designer for not providing content, thats not their job! its the client!

not sure about this...

[iainl]

While I can see some web designers going crazy about the possibility of knowing the exact bit-depth and dimensions of the browser window I'm reading their site in, I rather suspect they are the same ones that would rather send me a couple of hundred k of java every time I want to read their site.

Besides, just because I might be using a fatter pipe than my home 56k dialup, it doesn't mean you can go 'if the client has broadband then lets eat all his bandwidth'.

Re:not sure about this...

[Plum]

I'll third that.

The worst part about the "Flash" revolution, which I use to blanket this rather mindless artistic surge, is that it infects marketers like the herp (not that I've ever had the herp, but so I hear). Once they see someone's flashaholic website, it's practically impossible to interject with a rebuttal based upon functionality.

I guess the real problem is that technology is killing us - innovation is almost suicidal to an extent.

Those of us who learned to write real code, consider exception handling, and contemplate the portability of a solution are the same people empowering those who really shouldn't be leading an enterprise web presence. We empower by writing code like PageMill, Frontpage, and Dreamweaver. These tools, combined with the pure euphoria of the internet, make for....well, the dotcom revolution. And I think we know how that panned out.

Re:As A Web Designer

[iainl]

"Sometimes people with slow modems don't mind waiting"

And sometimes they really do mind waiting and want the low bandwidth version even though they are using a few spare moments while their broadband connection is downloading the latest bignum meg Counterstrike patch or acting as a fileserver. Either way, please be polite and ask them which one they would like?

Re: Earthlink & Scientology

[ldenison]

I'll respond to your message, at the risk of branching off topic.

Sky Dayton is not only still with the company, he's Chairman of the Board. I'm pretty certain the position of Chairman has a large amount of influence in the direction and operations of the company.

No, the company may not be 100% owned by Scientology, but they have significant control - and members of their cult have been placed in key executive and managerial positions. They also provided most of the startup funding for the company before it went public.

The terminology "unofficial investigation" means just that. There are employees of Earthlink who have informed outside sources of practices within the company. Some of those employees are investigating on their own.

Please note that at no time did I state that these were anything other than rumours. The intelligent reader can do their own research and form their own opinions.

Please do not ask me to cite my references, as we all know what Scientology does to people who speak out against them. :) And I'm not about to give a list of names for you to go after.

Cheers!

Earthlink & Scientology

[ldenison]

It is interesting to note that Earthlink is owned by Scientology. This story is especially timely. There is an unofficial investigation underway into the rumour that Scientology maintains a separate set of email servers on Earthlink's network that mirror all email traffic sent to or from it's subscribers. The purpose of which is to scan for Scientology related (read: disparaging) messages.

The rumour is that the server farm is at an offsite location, which only Scientology has access to. The explanation given to the employees of Earthlink about this offsite facility is that it is an "offsite backup" location.

Just something to think about.

Re: Earthlink & Scientology

[elemental23]

It is interesting to note that Earthlink is owned by Scientology.

False. Earthlink was founded by Sky Dayton, who happens to be a Scientologist. Earthlink is owned by it's shareholders and Mr. Dayton is no longer with the company.

There is an unofficial investigation underway into the rumour that Scientology maintains a separate set of email servers on Earthlink's network that mirror all email traffic sent to or from it's subscribers. The purpose of which is to scan for Scientology related (read: disparaging) messages.

False (not to mention stupid). Please state your references for this. Also note that Earthlink carries, unfiltered, the newsgroup alt.religion.scientology, which seems to exist for the sole purpose of critisizing Scientology.

The rumour is that the server farm is at an offsite location, which only Scientology has access to. The explanation given to the employees of Earthlink about this offsite facility is that it is an "offsite backup" location.

Again, cite your references please. Are you an employee? Do you know this for certain? No? Then where did you hear it?

(-1, Troll)

--
The occasional poster formerly known as jihad23

I've got the answer

[BiggestPOS]

Capture these supposedly PGP-encrypted, and hand them over to distributed.net, and let them figure out EXACTLY is in there.

so in other words......

[Dynedain]

They're just trying to move their service to be more like AOL's successfull model by trapping the users into content they want to deliver....this is just the first step

Re:Horrors!

[Frank+T.+Lofaro+Jr.]

There is a DMCA exception for protecting privacy. You can go around it to find out if anything private is being sent and disable it. In addition, the DMCA only protects restrictions placed by the copyright owner, and allows a copyright owner to allow circumvention. You are the copyright owner of your own personal info. Third, the DMCA is unconstitutional.

I am not a lawyer, get real legal advice if you need it. Or just hide your tracks real well. ;)

Judge "DMCA" Kaplan

[Frank+T.+Lofaro+Jr.]

Judge Kaplan of the Southern District of New York does not believe fair use is ANY defense to a DMCA violation.

Re:Google.com, from non-US anyone ?

[f5426]

> A soon as I changed my location settings

Didn't work for me. I have all my regional settings to 'English/us' (and even my keyboards are english ones). Maybe I should try harder.

Cheers,

--fred

Re:Google.com, from non-US anyone ?

[f5426]

> You can set this preference in IE in Tools -> Internet Options -> Languages.

> Hope this works.

For me, it does not. And have you may have seen from my original post, it redirects even a raw 'GET / HTTP/1.0', so it is (at least partially) based on the IP.

Cheers,

--fred

Re:Google.com, from non-US anyone ?

[f5426]

> They just don't want to get sued by France (as yahoo did) if you, or other users, look up sites containing Certain Illegal(in France) Information. Try doing a google search (from the redirect) on that info. Bet it won't allow it.

You lost it. A search on 'nazi volkswagen badge' from google.fr get me straight to an ebay auction for that kind of shit (but yahoo.fr don't give it).

And, thanks to your brilliant idea, I will now have my phone line taped by french secret services due to illegal activities on the net. Thanks :-)

Cheers,

--fred

Re:As A Web Designer

[f5426]

> No, they don't. Just stop using Exploder.

Well, it even redirect me when getting the page through telnet www.google.com 80.

I checked the behavior on:

IE/ Windows
IE/ Mac (French and English versions, with various langage settings)
iCab/Mac
Mozilla/Windows
Mozilla/Mac
Mozilla/FreeBSD
OmniWeb/Mac OS X Server
OmniWeb/Mac OS X
IE5-Carbon/Mac OS X
Fizzilla/Mac OS X
Lynx
Raw Telnet
(And probably a few others)

There is only one browser that is not redirected to the french page, and it is IE5 English version on Mac OS with Language preferences set to french (!). I'll investigate further, but no 'Stop using IE' is not the good answer for me. They obviously do something with the IP.

> If I use Exploder, I will get the danish version of Google, if I use any other browser, I get the english version.

> Except, ofcourse, if I set my default language in those other browser.

You mean if you set the langage to english in those other browsers, then you are redirected to the danish version ? Weird...

Cheers,

--fred

Re:anonymizing proxy

[f5426]

Thanks for the link. I don't know why this is modded Offtopic, as it could also help for Earthlink extra HTTP header.

Cheers,

--fred

MOD THIS ONE UP. He probably get it right.

[f5426]

Bla bla, hate filter. content. content. bla-bla

Re:As A Web Designer

[f5426]

Here's an example: when I go to a web site, I expect (hope?) that the content of the site will be rendered in English

You mean, like in my (not-so offtopic) post ? (http://slashdot.org/comments.pl?sid=01/03/20/1423 223&cid=87)

In a nutshell, in my case, google.com redirects me to the .fr version based on my IP, regardless of my langage settings.

Cheers,

--fred

Re:As A Web Designer

[f5426]

> Like opera, where you can select which one, "Identify as MSIE 5" :) Cool

I used to play that kind of tricks (mostly by using junkbuster), than realised that I was making myself a disservice by pushing IE stats. If everybody masquerade as IE, then webmasters will be right to do IE-only pages, as this is the only thing they will see in their logs.

At this point, the User-Agent: rewrite will stop working, because the sites will really be using proprietary IE functionality that will not even exist in Opera. And you will be forced to use IE.

Cheers,

--fred

Google.com, from non-US anyone ?

[f5426]

[This is partly-offtopic]

Since a couple of weeks ago, my home page, which is www.google.com is displayed in french. More precisely, www.google.com send me a redirect to www.google.fr. My browser is set to request only english documents, so I suspected they base the redirect on thIP address.
A quick direct connection show it:

15:36:10|152 [ladybug:~] fred% telnet www.google.com 80
Trying 216.239.37.100...
Connected to google.lb.google.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 302 Moved Temporarily
Date: Tue, 20 Mar 2001 14:59:24 GMT
Server: GWS/1.10
Connection: close
Set-Cookie: PREF=ID=19fe6a8304c33946:TM=985100364:LM=985100364 ; domain=.google.com; path=/; expires=Sun, 17-Jan-2038 19:14:07 GMT
Location: http://www.google.fr/
Cache-Control: No-Cache
Content-Length: 161
Content-Type: text/html

<HTML><HEAD><TITLE>302 Moved Temporarily</TITLE></HEAD>
<BODY>
<H1>302 Moved</H1>The document has moved
<A HREF="http://www.google.fr/">here</A>.
</BODY></HTML>
Connection closed by foreign host.
15:36:24|153 [ladybug:~] fred%

I beleive they crossed the line here. I really feel that the fact my ISP is in France is none of their business.

Cheers,

--fred

PS: while I am here, is there any way for me to get back www.google.com ?

Re:Google.com, from non-US anyone ?

[sro]

I had the same problem a few weeks ago. It seems that Google has recently made some changes to the site in order to display the Google front page based upon nationality or something similiar.

As my Spanish isn't THAT good I searched frantically for a solution to the problem. On IRC I was told that Google was using my Language Preference.

You can set this preference in IE in Tools -> Internet Options -> Languages.

Hope this works.

Re:Google.com, from non-US anyone ?

[lamasquerade]

I believe this is not so. I am currently in Singapore and for some insane reason Google decided I should be viewing the page in Chineese! (I guess it could be Japaneese or some other such language, I wouldn't know the difference). The reason this is insane is because Singapore's official language of administration is English, and of course because I should be able to choose. Anyway I now go to www.google.com/en .

Re:As A Web Designer

[f5426]

> As a web designer, I'd love to have this information

As a web user, I'd love to smash your head with a 21" monitor.

> Then you could do the high/low quality links for them

Please don't. If I want to download a high quality link on a 56k modem, it is my business. If I want only the lowres from my DSL line, it is my business too.

Web designer should stop trying to think for the users, like google that insist that I have the french version of the page.

Of course, you're going to tell me that you would provide a link to the other version of the site, but the truth is that you wouldn't.

Try broswing ati.com with mozilla. Isn't that nice, a 'Web Designer' that make decisions for its users ? (The site sort-of works with Mac OS X Server Omniweb, or lynx, so it is just becasue they are lazy assholes)

If such headers were commons, it'll take a couple of year until:

1/ Users will have only one link and the server will choose what content is best for him
2/ Users with browsers that don't give the info will be redirected to a please-use latest IE page.

It have been that way for most web [mis]features.

Cheers,

--fred

SPY WARE

[mcrbids]

This kinda reminds me of Broderbund's spyware - dssagent.

If you haven't read the above link, you should. I discovered it shortly after setting up a firewall on a linux gateway - kept getting all these "packet denied" messages that just did not make sense.

Jury is still out on what it did - but here's more proof that it never hurts to be AWARE of what that $1,000 piece of cheap plastic and tin under your desk is really doing!

The idea that my kids are being spied on just makes my blood boil...

-Ben

This benefits Joe User

[Gothmolly]

Yes, its an invasion of privacy. Is it malicious? Probably not. Will it help Earthlink monitor their service, make it more efficient, and potentially more usable (display depth, etc.)? Yes. While I think it's crummy of Earthlink to keep quiet about this, it's no big deal. The average user is going to end up with better service or potentially lower prices because of more efficient use of Earthlink's resources. The average AOLer doesn't think about privacy the way Slashdotters do, witness Smartmouth, an online service which references the database of Stop&Shop, a grocery store, to provide calorie and fat content info on all your groceries. 99 44/100 % of users will think this is a Good Thing.

Re:This benefits Joe User

[Dyolf+Knip]

You just need to know where to draw the line. This is well short of the line, folks

I agree, but where exactly is that line? And more importantly, is a company going to tell me when they have an itch to cross it? Almost certainly not, which is why we need to nip this kind of behavior in the bud.

--

Re:This benefits Joe User

[bluesninja]

Yes, its an invasion of privacy

Oh really? How is that? I think maybe your definition of privacy is a little different from mine. I would consider privacy the right to maintain control over intimate, personal information. Nothing in the information they are sending in that header comes even close to being intimate or even personal. So they know the resolution of your monitor -- big deal, so does the company that sold it to you. So they know your connection speed -- big deal, so does your ISP.

I think people here should chill out and take some time to think about what makes privacy important. It is NOT the ability to live in absolute secrecy while obtaining free services, anonymously, from others.

In order to live in a society of other people, you have to tell people *something* about yourself. When you meet someone face-to-face, you tell them plenty about yourself. They now know all of your general physical features and personality characteristics. So what? This is the same thing, essentially. Earthlink is just requesting gross physical characteristics of your online presence.

You just need to know where to draw the line. This is well short of the line, folks.

/bluesninja

Re:As A Web Designer

[John_Booty]

not dissing the web designers for designing. I'm dissing web sites that provide more design than content.
http://www.bootyproject.org

Re:As A Web Designer

[John_Booty]

"This is bad for two reasons"

It would be cool because the designer could make a more intelligent default choice for the user... lots of artery-clogging graphics, or few artery-clogging graphics?

Then again, considering how shitty 99% of web design is, maybe it's better than designers code their pages in assumption that users have 28.8 modems. I'm freaking tired of graphic design overload and NO content.

Putting your bandwidth in the HTTP request would only be good if...
1. Users could override what goes in the header... for example I have DSL but I hate graphic overload so I'd probably self-identify as a 14.4 modem user :)
2. Users had the power to switch to the low- or high-bandwidth site.

http://www.bootyproject.org

Not a Big Deal

[Rura+Penthe]

Doesn't seem to be a big deal then. I realize some people are going to say "but this is just the beginning, soon they'll be " but the information collected *seems* benign (based on the information Earthlink provided) at this time. Hell, I'd love to see what information they've collected, I'm interested in the statistics on those items. ;)

Re:Not a Big Deal

[Rura+Penthe]

That'll teach me to preview...I meant to say "but this is just the beginning, soon they'll be (insert random conspiracy theory here)". Oops.

Sandbox not required

[big_cat79]

I'm an Earthlink user, and it isn't required that you install the Sandbox software. You just have to be able to set-up a Dial-up networking connection in Windows. Which, even for slightly novice users, isn't particuraly difficult between the Dial-up networking wizard and Earthlink's instructions. My fiance uses the Sandbox stuff. The only thing I see that she gets from using it is a prettier display while the modem is dialing up.

As far as the potential unique serial number not being true, I'm not surprised. Earthlink did stand up against the FBI when it came to installing Carnivore.
BigCat79

Re:As A Web Designer

[the_ph0x]

>Web designer should stop trying to think for the users

Ok note:
As a web designer - it is actually our business to think for the general public so that they dont screw things up, and to give them the most enjoyable experience they can - with as little effort to them.

True for the most part, I too would like to choose for myself, well not everyone thinks like that, face it there are the sheep and there are the shepherds... which one you are is up to you.

There are also so many other marketing uses for this information.. dont get me wrong- I like anonymoty(sp) however this info is great for planning for resolutions, speeds, colordepths, and countless other tidbits for the majority of your users.

And untill the majority of the population are thinking for themselves, this is the way we have to do this. If you don't like it do somthing about it.

The information that is being sent to the web servers is not really the issue here... what should be more focused on is the data going back to Earthlink.

my 2 cents.. ahh heck make it 5 cents..

.ph0x

AOL

[kruczkowski]

I wonder if AOL or MSN does this? I kind of think this would be a good idea if it send info on speed, monitor resolution, and other good info that could make sites load faster or have a more personolized content. After all, cookies do similar things.

Some thoughts on Earthlink...

[yankeehack]

First, about the popID in the HTTP header, I hate to tell you this, but I happen to know that my Earthlink IP address is "nicely" masked via my geographic POP location. Ex. cust1.citystate.etc.etc So, Earthlink in masking my IP numerics uses the city where I dialup from.

Secondly, as long as they don't make me use their in house software as a condition of using their service, I don't care what they develop. I like Earthlink because they do actively support LINUX/PPP connections with very little hassle. I understand that these folks are having support issues, especially that they just ate a number of the remaining clueless lusers from mindspring and onemain.com. Oh, and another thing, that Sandbox screenshot is old. Member start pages (that blue page) were changed in Jan/Feb.

Third, has anyone stopped to think that perhaps the PGP encryption during install might be a new subscribers CC number and other personally identifiying information? Wouldn't that make sense?

Re: Some thoughts on Earthlink...

[elemental23]

First, about the popID in the HTTP header, I hate to tell you this, but I happen to know that my Earthlink IP address is "nicely" masked via my geographic POP location. Ex. cust1.citystate.etc.etc So, Earthlink in masking my IP numerics uses the city where I dialup from.

Earthlink does not do this. You're probably dialing a UUNET or PSI POP.

Compare:

• Earthlink - pool0111.cvx29-bradley.dialup.earthlink.net
• UUNET - 1Cust16.tnt2.panama-city.fl.da.uu.net

--
The occasional poster formerly known as jihad23

Re:The real issue

[schulzdogg]

We can make several guesses based on the fact that it is encrypted. It is encrypted because:

Rabid paranoia aside did you ever think that maybe they want to protect their users privacy, and that's why it's encrypted? Just because something is encrypted doesn't make it evil. Maybe earthlink is being cautious (correctly so, I don't want any data I give them floating around unencrypted).

JUST BECAUSE SOMETHING IS ENCRYPTED DOESN'T MEAN IT'S EVIL

Re:The real issue

[/dev/urandom]

> Earthlink could do themselves a big favour by revealing exactly what is being sent.

And possibly their users a great disservice by specifying what it is. "Hello crackers of the 'net, this PGP data is nothing less than the subscriber's credit card info. Have a nice day! Oh, and btw, please don't crack our encryption keys!"

Then again, we're curious anyway, and people will probably attempt to decypher it simply for that reason...

Ah crap!

[anubis__]

The worst part about this (besides Earthlink's commercials) is a while back I stuck an Earthlink CD in my machine because I needed a new installation of IE and my connection was slow. I went to the bathroom and by the time I came back, autorun had kindly installed the Earthlink version of IE, annoying icon and all, on my machine. I remember a time when installations used to prompt users, not assimulate them.

Boy do I miss BBSes and Telemate.

Re:The real issue

[Lostman]

I had this same problem when dealing with an "application" that insisted on sending information about my computer out.

What I end up doing was having a registry monitoring program called regmon to to monitor all registry access, then I loaded up the program and then stopped monitoring registry... I found that they wanted to send a LOT of VERY personal info out.

No real disassembly is needed... load up regmon or filemon (file access monitoring program) and note what it looks at... betcha you would be surprised...

Re:As A Web Designer

[DivideX0]

You can get most of the info through javascript then return it to a cgi for logging purposes.

example:

Sah=Saw=Scd=Sh=Spd=Sw=0;

if(screen.availHeight)
Sah=screen.availHeight;
if(screen.availWidth)
Saw=screen.availWidth;
if(screen.colorDepth)
Scd=screen.colorDepth;
if(screen.height)
Sh=screen.height;
if(screen.pixelDepth)
Spd=screen.pixelDepth;
if(screen.width)
Sw=screen.width;

document.writeln("<img src=\"/userinfo/index.cgi?i="+Sah+","+Saw+","+Scd+ ","+Sh+","+Spd+","+Sw+"\" border=\"0\" width=\"1\" height=\"1\">");

Then you have the cgi return a single pixel gif.

Horrors!

[LNO]

this data is PGP-encrypted

There needs to be some sort of law to prevent these criminals from encrypting our personal information. This is why encryption should be outlawed - since clearly, only outlaws use encryption.

Re:Horrors!

[jdschmid]

Wrong.... ;)

Or is everyone a criminal, who just wants to use e-commerce sites, or who wants to 'save' his privacy when he's using encryption for email?
C'mon, give me a break.

greetings
jd

Too bad ibm has a patent on it....

[tiwason]

Pay up...

http://164.195.100.11/netacgi/nph-Parser?Sect1=PTO 2&Sect2=HITOFF&p=1&u=/netahtml/search-bool.html&r= 12&f=G&l=50&co1=AND&d=ft00&s1=perl&s2=ibm&OS=perl+ AND+ibm&RS=perl+AND+ibm

Customized Internet content is provided to a requesting client device using an intercepting agent based on the capabilities of the requesting client. The agent, typically at the web server to which the client request is directed intercepts a request made by a requesting client device for a file from a web server. The agent detects client device capability information about the requesting client device, such as display or memory capabilities. The client request is redirected to a Uniform Resource Locator (URL) according to the detected client device capability information to retrieve a version of the requested file.

What's being sent

[Blackbox42]

The data being sent is a record of your connection attempts. This info is them used to find out if the pop you are trying to connect to is malfunctioning or not.

You don't need that many bits anyway.

[Dean+Edmonds]

EarthLink wouldn't need a GUID to uniquely identify everyone. They only need an EarthLink-specific user ID -- which their install program can negotatiate with the server. Maybe that's part of the PGP-encrypted packet which gets sent on install.

So they only need enough bits to identify their expected customer base. Even if we assume megalomania and go for a potential customer base of one billion, that's just a mere 30 bits.

-deane
Gooroos Software: plugging you in to Maya

Re:The real issue

[davonds]

actually what /.ers won't believe is that it is irrelevant what the data says. if you are an earthlink member, then they already have all you personal info, you gave it to them when you signed up. people are getting way too paranoid for their own good. since it only occurs at installation, the only possible data it could send would be necessary hardware and log in data.

Re:Excellent news.

[linzeal]

Hey wasn't there a article about scientology a few days ago? Why don't you ask about the earthlink founder sky davis and his intentions with this information maybe one day we will get little animated gifs nearly like the ones we requested off the porn site but instead of deep throat action we will get little brainwashing slogans like "Got Dianetics?" "L Ron Hubbard is God!" "Smite the christian infidels!" . . .

for those not in the know earthlink's founders contained some scientologists like Mr. Sky Davis

Great googly-moogly, a Slashdot editor researches?

[mblase]

This has got to be a historic first. I... I feel faint...

Obfuscated information

[micromoog]

The numbers from Earthlink don't cover the entire string. Obviously they're using the remaining bits in a sinister plot to compromise user security.

If they encode a piece of user information into the remaining bits, they could use as little as 1 bit per request (or less!) to steal vital information from your computer, such as:

• credit card numbers
• your favorite pr0n sites
• that business proposal for "world-of-spatulas.com" you've been working on
• your Earthlink email address (just imagine the potential damage!)
• your amihotornot.com user ID

This is worse than the Prodigy "we cache private files" scandal of the early 90s. Earthlink must be stopped.

*Tell your users*

[LuckyLuke58]

Really. The information is useful, yes. Is it terrible if somebody knows my modem speed? Probably not. But for God's sake, if you are going to collect information about your clients, no matter how benign it might seem, you TELL THEM!!! (And provide an opt-out too - one that actually works, not one that ignores you and goes ahead and does it anyway, which is another annoying thing American companies seem to be doing more and more these days). Is this concept really so difficult for American companies to understand? A simple message box or checkbox optino somewhere "send Earthlink the following information on my setup". Really, if you're honest and up-front about what you're doing, most people do not mind.

More sinister than the modem info; why would they need to PGP encrypt information that they're sending about you if it was "harmless" information? Obviously they do NOT want people to know what they're sending, which should tell you right away that you do not want their software on your computer.

Don't you hate it when /. goes down just before you hit "submit"? It's not the first time it's happened to me either :(

Re:Not an HTTP header

[closedpegasus]

It most definately is an HTTP header. HTTP can transmit any MIME type, but whether or not the type is text/html has nothing to do with the fact that HTTP is still the protocol being used.

Re:The real issue

[davidmb]

That'll teach me to karma whore - just wanted to see what life was like on the "other side."

The real issue

[davidmb]

The problem doesn't seem to be the id string that the browser uses, but that PGP-encrypted data that gets sent back to Earthlink upon installation.

Earthlink could do themselves a big favour by revealing exactly what is being sent.

Re:The real issue

[NineNine]

Hmmm... could it be, oh, I dunno.... credit card info? I don't use Earthlink, but I'd assume that a user entered in his/her billing information upon installation. If I were an Earthlink user, I'd sure as hell want to make sure that my billing info was PGP encrypted. What do you think they're sending back, the amount of free space on your hard drive?

Re:The real issue

[BigDogKelly]

You are absolutely correct! If EarthLink would open up and say, "Yeah, we encoded X,Y and Z in those strings. They are used for (insert idea here) and will not be sold licensed, leased, etc. to outside companies, partners, mergers etc...." Now all we have to do is hope that X,Y and Z are all nice and good. But thats just what I think.

Oh great!

[AFCArchvile]

Now with these new headers being sent, if the user is at a high resolution and has DSL or broadband, the server will change from using 468x60 GIF banners to 936x120 Flash banners, complete with sound and annoying pictures!

I hate Flash banners! They take so long to load, and you have to hack into the page source to find the source URL so you can bind the offending server to 127.0.0.1 in /etc/hosts. And now they'll tailor your "online experience" (more like advertisement torture session) by stuffing the page full of shameless, bloated drivel!

But they'll know my screen resolution!!!!!

[JohnTheFisherman]

I feel so violated. Get out the tin foil hats....

Re:Sig Critic

[GMontag451]

As a side note, Ted Turner just had to apologize after calling people with ashes on their foreheads "Jesus freaks".

And George Bush Sr. never had to apologize for saying that he thought atheists shouldn't be considered citizens or be allowed to vote.

As A Web Designer

[clinko]

As a web designer, I'd love to have this information. I only wish more browsers immediately told me what speed the person was at. Then you could do the high/low quality links for them.

Re:As A Web Designer

[popular]

I'll happily take the rich bandwidth version by default on the T1 at work or my DSL line at home if it means I never have to see another "choose your bandwidth" page again. They suck just as much as splash pages.

I would only find it impolite if I was directed to the heavy page without being given the option to use the light version instead.

--

Re:As A Web Designer

[popular]

And to clarify exactly what that means, what I attempted to say was that the heavy content should be automatically loaded, but should also provide a link to the light version, if you'd prefer.

--

Re:As A Web Designer

[cavemanf16]

Very interesting point, and a good reason for this type of technology to be used. But I, like many /.'ers, really dislike/distrust the idea that you never find out about what Earthlink or other companies are sending back to their servers until after someone digs through their code. I've only ever seen a few programs that actually explain up front what security issues are involved in using their software, AND how to protect yourself.

I wanted to try the free Earthlink service about a year ago, and when I installed it, it automatically installed their IE5.0 browser over top of what I already had. I was pissed! Their install program never asked me if I wanted to do that. To this day, that old computer of mine has the crappy Earthlink browser installed. I never use it, but I also haven't figured out a way to get rid of it other than a complete reworking of the registry (not a good idea!) to make sure I've irradicated Earthlink crap.

Re:As A Web Designer

[PulsingRedEyeball]

"Of course, you're going to tell me that you would provide a link to the other version of the site, but the truth is that you wouldn't."

You're damn right I wouldn't. Might as well provide a "make this site look like hell and render it nearly useless" link. If I'm sniffing at your browser type and offering your browser a slightly modified CSS file as a result to try to keep it from freaking out when I attempt to change a simple CSS attribute, then be grateful I care enough to do so. If I wrap my site's content around a slightly modified template to better fit your resolution settings, the less you know about it the better.

I don't want to "personalize your web experience" or "create a site that caters itself to your needs." I just want the damn thing to look the same for everyone, a desire that isn't at all facilitated by the current state of web tech. Forget about Flash applications or complex nested DHTML menus. A site using a vanilla HTML+CSS1 combination produces a bewildering variation of output from browser to browser, even without venturing outside of the Netscape4/IE5 safe zone.

It would be nice if web designers weren't even curious about display resolution or bandwidth capabilities. It would be nice if the current state of web tech was mature enough to obviate the perceived need for that kind of information because it provided a development platform that wasn't a running target.

It would be nice but it will never happen. So don't be shy, do us a favor, expose your display resolution to the world.

Re:As A Web Designer

[Ayende+Rahien]

Aside from connection speed, you already can get this information.

Re:As A Web Designer

[Ayende+Rahien]

Nice feature in XP (And probably IE6) is the ability to mascarade your IE browser.
It's neccecary, because some stupid websites actually tells you to "go get IE5.5" if you browse to them with IE 6.

Do your math

[MeowMeow+Jones]

Even a cursory examination should show that these numbers don't have enough uniqueness to be globally unique IDs. Microsoft's GUID had 128 bits; a good hash function might have 160 bits; those serial numbers, culled from widely scattered machines, aren't unique enough.

There are 48 (presumably) hex digits there. Each hex digit represents 4 bits. So the number is a 192 bit value.

Nope.

[topher71]

It's not a new HTTP header. It's an addition to the existing User-Agent header.

Is the number large enough?

[ishrat]

"Is Earthlink's code a unique ID? Apparently not. Does it reveal more information about you when you are browsing the web than is revealed by any other web browser? Yes. Can you turn it off? No, but you could use another browser. Will 99% of Earthlink's users ever know about it? No."

The question however is, what percent of internet users use earthlink and what percent of those users actually care?

28.8Kbps is your answer

[Nick+Driver]

As a web designer, you should design each and every web page you create such that it is downloadable in a *reasonable* amount of time by the least-common-denominator... That is the dial-up surfer who has only a 28.8K connection. If you do this, then those of us with the luxury of 56K, ISDN, DSL, T1, whatever will benefit even better, but the typical user will have a less frustrating experience in viewing your webpages.

Re: It's not even "much" more they find out.

[Karoshi]

You can detect with JavaScript:
- horizontal and vertical screen resolution/ usable resolution
- monitor depth

What you can't find out with default JavaScript funcions is:
- connection speed
- font size (maybe.. dunno)
- POP ID
- Sandbox Version

What you can find out whith a little use of brain:
- connection speed (not hardware.. but true speed)
- font size (not sure about this.. signed scripts should make it possible)
- POP ID - well, they provide your service, so they surely know about it
- sandbox version - if you don't use it, they can't find it out.

What they in fact do, is to pool their incoming information into one channel. That's much easier then to collect, analyze and join all the logs from their different dialups and proxies.

So it's not really a bad thing they do. Just a little bit naughty. Not more evil then banner- and counterhosts detecting your resolution and stuff..

Good Thing

[OpCode42]

I like this idea. if all browsers sent this type of info as a http_header it would make it so much easier to direct people reliably to a version of a site which suited their bandwidth / screen resolution better.

-----

Re:Not an HTTP header

[matrix29]

Let us all not forget that EARTHLINK is a SCIENTOLOGY-owned front operation.

http://www.google.com/search?Earthlink+Scientolo gy

I wouldn't put a page up on Earthlink if you paid me.

Re:You are all missing the real surfing tracker: S

[Zeinfeld]

Since all https certificates come from and are checked against Verisign, then Verisign could theoretically track who is going to what SSL site.

Bzzt, wrong, untrue. Go read the protocol before making such claims.

Once a certificate is issued VeriSign is not involved in its use. That is why the certificate is digitally signed.

If you turn on CRL checking then your browser will download the VeriSign CRL however that has the serial number of every cert VeriSign has revoked (it is a big file).

Web Designer Control Freak Nazis

[Zeinfeld]

I have not come across sites that insist on browsing full screen, however there are many that attempt to. I am really fed up with Web Designers who are control freaks and attempt to dictate how I surf.

A lot of the blame must go the javascript for allowing the web designers too much control. My pet peeve is that a web page can turn off MY toolbars. Cut it out - they are there for MY benefit, they don't concern you Mr Web designer weenie.

Javascript should definitely be enabled on a site by site basis only. I would enable it for my home banking, stock broker and a handful of others.

Also lame is the use of 'mouse trapping' that attempts to stop me from using the back button to get out of a site. Again it is a browser design flaw. I don't give diddly for the control freak who designed the page's intentions. The buttons on my browser should be under my control at all times.

Unfortunately Netscape imposed javascript on the Web in the days when they were very anti-open standards. They liked an 'open standard' if they got their own way but nobody not at Netscape got to comment before it was a fait acompli.

Another real problem is people who try to dictate the font size. I have a 100dpi LCD panel display. Large areas of the CNN.com site insist on being displayed in what I see as a 6pt font.

Part of the problem is the lame table width tag. Originally it was meant to be in %width of the screen and ems - the unit from Knuth's TeX being the width of a lower case letter m in the current font. Using font relative sizes works real well. Unfortunately Eric did pixel points which don't work at all well. In the near future 150dpi screens will be commonplace.

Mind you, the Microsoft IE team could have fixed the problem by allowing the user to configure the 'pixel size'. Rather than choosing the default font size the browser should give a choice more like magnification.

I make no appologies for using IE by the way, Microsoft did not try to screw me over personally, Netscape did.

Re:Not an HTTP header

[Zeinfeld]

The tag at issue is:

User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows NT) ::ELNSB50::0000811505000400029802c3000000000505000 b00000000

Now the User-Agent field has been widely abused and was never intended to be used for reporting browser features. However it is not such an illogical place to put the data given subsequent usage.

A better approach would be to actually add an X-header to convery the information directly and to write an internet draft and submit it to the IETF.

Could have published the spec first

[Zeinfeld]

I see a number of problems with the earthlink approach

1. Notification

I think Earthlink should have published the spec in advance, if for no other reason than to protect their shareholders from privacy scares. Earthlink has invested millions in its 'serf at AOL' campaign. They need to protect their pro-geek branding.

Another reason for publishing is so people can make use of the tag.

2. Standards Approach

As one of the original designers of HTTP the tag as specified sucks. It is fixed field after fixed field, no extensibility. I think that the idea is fine, but the syntax choosen is not.

First off a non-standard header should have an X- prefix.

Secondly, the scheme does not work for text to voice displays, or for that matter very high definition displays (>100dpi) that are on the horizon. It would be handy to be able to give the monitor size and also the gamma. These are all real needs for real people today, and will be mainstream in a couple of years.

Now there have been folk who have created similar schemes from time to time, none has taken off due to apathy at Netscape and Mr Softy. But that is no real excuse for earthlink. If they don't like the schemes on offer they might at least state why.

GUIDs

[dachshund]

GUIDs consist of a unique system serial number and a time stamp. That's what makes each one 'unique'. The system serial number should be significantly smaller than the full GUID.

Re:Not a Big Deal, you don't see the issue

[onepoint]

Well, I think I can see part of the issue here.

Not knowing certain parts of the first transmission (pgp encoded text)I'll asume the worst.

1) I know your name ( user name )
2) I know where ( ip address and most likely geo. location ) and when you normaly log into (home or office).
3) I know where you surf to
4) I know what you like

What can I do with this information.
Cross link with other databases about you.

How do I make money with this.

on the user:

1) Super targeted net advertising
2) direct mailers
3) promotional give-a-ways ( with the mailers )

For the firm

1) competitive web site info. I've gathered the viewing habits of my users, maybe I can get a simular site working to add to my portal.

2) can offer "super targeted net adverting" for many $

3) can save on bandwidth cost by knowing what might be the best way to certain sites or even cache those sites to my server and host my own advertising.

that is most likely the basics.

please don't kill me about my spelling.

thank you

ONEPOINT



spambait e-mail
my web site artistcorner.tv hip-hop news
please help me make it better

Can't find that "registry" thing in /etc

[KingKenny]

so where the hell is it?


cat /dev/null > /dev/brain

Devil's Advocate

[clark625]

I'd hate to play devil's advocate here, but to be honest I rather like this idea. The information isn't any more identifiable than, say, an IP address. One big benefit is if other browsers begin to include this type of information: PHP could use this information to choose the "best" version of a webpage, video stream, etc to send you. I know I personally get annoyed when a webpage is designed for a much higher resolution than I have set. Similarly, inexperienced internet users shouldn't be allowed to attempt to stream 1Mb/Sec of video through a 56K modem. Sure, it'll look like crap and it's all the end-user's fault but marketing people will tell you that if the end-user screws up you can lose customers because of it (they can go elsewhere, you can't).

OFF TOPIC-Re:Great googly-moogly

[tdye]

Ha! another Maggie and the Ferocious Beast afficionado!

chuckle...

Not an HTTP header

[Yoshi+Have+Big+Tail]

This isn't an extra HTTP header, as is correctly stated at the article. It's a modification of a value of an existing one.

An HTTP header is e.g., Content-type: text/html; this is just changing the value of an existing one.

And, what is more, the User-Agent header is an informative header, so it's just adding more information about the user agent. So what?

OT:Google.com, from non-US anyone ?

[Nickoty]

pointy-haired tip of today: try smarter, not harder

Re:Excellent news.

[jamesoden]

I don't know if you know or not, but you do not have to use EarthLink's browser with their ISP service. Its not like AOL, which a gateway to the internet (or it was last time I checked). As a sysadmin, I have seen more trouble created for my users by them loading some companies "starter" disk for their ISP, and I am talking some real dysfunctional systems being created. At anyrate, at least for my users, the right choice is to just use MS Dial-up Networking services directly (well the real right choice is to put some form of UNIX on your box (-;), and avoid those unnecessary, poorely written, non-standards complient ISP written starter kits.

Excellent news.

[Jakob+Sorrel]

I use Earthlink and had been aware of this for a while, but had been unable to find any solid information regarding the extra header.

I have an Earthlink connection; it's the best I can do because of my location. Anyway, I had written an HTTP proxy Perl script, simply for my own educational purposes. You can imagine my surprise when I noticed this extra header! I could not find a reference to HTTP_ELNSB50 in any of the rfc's or manuals I consulted and I noticed that it never changed.

I did in fact email Earthlink about this, because I feared it might be an invasive identifier. I am disappointed, though, to report that even after repeated emails, I received no answer regarding my queries. I do not grudge Earthlink for this, but I do not think it is the best customer service. I nearly cancled my account when I could not discover what this mysterious header was.

Suffice to say, though, I am very grateful to Slashdot for answering my questions!

You miss the point - tolerance (OT)

[Spamalamadingdong]

Why is the only prejudice it's PC to have is anti-Christian prejudice?

Oh, get real. It's quite PC to be prejudiced against:

• Development of any kind.
• Business and capitalism in general.
• Western literature and civilization in general ("only dead white males").
• Science and the scientific method (by proponents of "other ways of knowing").

You also forget that indifference to Christianity (because it is a religion) is part of the foundation of the United States government.

"I do not find in orthodox Christianity one redeeming feature."

- Thomas Jefferson

(There are more thought-provoking quotes on this page.)
--
spam spam spam spam spam spam
No one expects the Spammish Repetition!

what bothers me is

[asop]

not soo much the extra "HTML Header" or whatever you guys decide it is, but the information it sends out when you instrall their client. THAT is where i see a greater privacy breach.. THere is nothing at that point of the buisness relationship that they need to know, that they dont already know.
they already have my name, phone #, addy, E-mail, and credit info.. what else do they need to know that they get from my computer..? the more paranoid portion of my brain says there looking at he contents of the system ala registry (regardless of wether or not its possible)....
other than that, Earthlink is a crappy provider anywayas........ especially since they bought out my home isp.. it makes me sad :(

----------

Heeey! That explains something odd!

[Vintermann]

I was typing in www.dejanews.com (because it's faster to write than groups.google.com), and I kept being redirected to www.google.de. Must be them experimenting with this system, right? couple of days later it was fixed.