Web Bug Detector
(H)elix1 writes: "I'm sure /. is about to be hit with this, but CNET just released a story about a web bug detector plug-in for IE called Bugnosis by the Privacy Foundation. An interesting toy, but the thing that grabbed my attention was the Web Bug Gallery. It would seem our beloved slashdot has them as well. Course, so did CNET, but that is a different story...." I think improved cookie-handling is much more useful in preventing tracking, but this is interesting because it provides visible feedback about tracking efforts.
This is a common misconception; the reality, however, is much more disturbing. The little blinky dot you humans call webbugs are actually tiny miniature CIA cameras implanted in your screens to take pictures of you surfing Slashdot naked. Us CIA guys only admitted to using DNABots when they were already obsolete, much like the obsolete Echelon system, which has been replaced by people using Windows XP. We find it's much easier to allow the citizens to administer their own surveillance device. Saves us mucho manpower.
Therefore, buy XP and save the government valuable surveillance budget dollars.
Agent Bitterman, Superspy
President Chief Head Director of the Leadership Branch of the Executive Level of the CIA
It's back in the current 6 betas.
I think we need a new moderation choice: 'Didn't get the joke'
The installation requires Active X controls = on. So that makes the cure worse than the disease. I'll trade some privacy for not opening up my machine to remote execution Active X shit.
As
--
echo '[q]sa[ln0=aln80~Psnlbx]16isb15CB32EF3AF9C0E5D727
echo '[q]sa[ln0=aln80~Psnlbx]16isb572CCB9AE9DB03273snlbxq' |dc
Of course /. uses web bugs. They still use GIFs, too. This is a "do what we say" website, not a "do what we do" one.
-- Don't Tase me, bro!
In the realm of cosmic irony, I installed the web bug tracker, then went into this full article, and promptly got the OSDN web bug.
:-) If someone wants a copy of the list, I could find a home for it.
If you're among the folks like me that have to use IE, use that Restricted Sites setting under the security tab (and while you're in there, crank that restricted zone up to disallow derned near everything). Also set your browser to warn you when you get cookies. Add entire that want to set cookies to your restricted zone. None of the muss and fuss of an ad filter (which breaks everything when I have to VPN to the office).
For the first couple of weeks, you'll be adding a few sites per week. I also added to mine the list someone posted of the sites that track users the most. I don't get cookies now, unless I'm actually shopping online.
My Netscape browser can detect any web bug! It prints "Bus error (core dumped)" every time it sees one!
From www.slashdot.org/ :
<SCRIPT LANGUAGE="JAVASCRIPT">
<!--
now = new Date();
tail = now.getTime();
document.write("<IMG SRC='http://sd-images.osdn.com/Slashdot/pc.gif?index,");
document.write(tail);
document.write("' WIDTH=1 HEIGHT=1 BORDER=0><BR>");
//-->
</SCRIPT>
<NOSCRIPT>
<IMG SRC="http://sd-images.osdn.com/Slashdot/pc.gif?index,992004976" WIDTH=1 HEIGHT=1 BORDER=0><BR>
</NOSCRIPT>
Yep, there they are. Web bugs if I've ever seen 'em...
-grendel drago
Laws do not persuade just because they threaten. --Seneca
The author of the CNET article should have taken one more step in research... and the author of the slashdot article should have verified.
http://www.slashdot.org
Contained a bug from the Open Source Development Network (OSDN.com)
SLASHDOT is part of the OSDN pages by VA Linux.
It's not a 'bug'.
Bugnosis isn't smart enough to tell the difference between a real bug and a simple page counter, and probably can't be. We should really worry about much more important things and stop feeding paranoia.
Cookies are simply a way of adding state to a stateless protocol. So for the most common example you could automatically remember your username to slashdot the next time you return.
Most good browsers will let you set them to only receive cookies from the host you are connecting to. And cookies should only get sent back to the host that they came from.
These "web bugs" allow a site to send information to a third party (e.g. Advertiser, Government agency, ... ) by causing another http request to be made. This request, although it is for an invisible image, could have parameters. These parameters could send all of the info that one site has collected about you to another. That third party site could then also send a cookie for its own use to your system.
I hope this makes sense, I am not quite awake.
There are some proxies out there that filter banner ads / cookies / and web bugs.
:)
One of the most interesting ones is webwasher (http://www.webwasher.com - for windows & linux, free for personal use, not open source).
Webwasher does not use regular expressions to filter images: it filters them by size. Most banner ads have a standard size (for ex 468x60). Webwasher has a list of known banner sizes and filters all images which match the list of sizes. And its efficiency is very impressive!
Thus, using webwasher, it's very easy to filter all web bugs which are usually 1x1
Alas, webwasher is not opensource and has some issues. But I think that the idea behind this product is great and I'd love to see it implemented in an opensource proxy
The way webwasher handles cookies is also very interesting: you can specify 3 sorts of cookies
- the good ones (allow them, keep them)
- the neutral ones (allow them, delete them after 24 hours)
- the bad ones (always block)
The default policy for unknown cookies is to set them to neutral; that lets the user visit sites normally (without the occasional glitches that happen when you block all cookies with sites that won't let you browse without allowing them), without compromising the privacy of the users for cookies are deleted after 24 hours.
!
^_^
First post insanity aside (trust me, it's only fun for about 5 minutes and bad for your karma because moderators despise it), there's this quote featured in the CNN article (yes, I do actually read the related articles before posting flamebait):
"Our goal with the software is to reveal how Web bugs are tracking all of us on the Internet and to get companies to 'fess up' about why they are using them," Richard Smith, the Privacy Foundation's chief technology officer, wrote in his privacy tip sheet.
"Any company that uses Web bugs on their site should say so clearly in their privacy policies and explain the following: why they are being used, what data is sent by a bug, who gets the data, and what they are doing with it," he added.
There are two things that I'd like to point out about those statements. First of all, companies with web sites are (in most countries) legally required to tell you about what kind of data they collect and what they do with it. The majority of such privacy statements either consist of the usual "we don't collect any information that can personally identify you" variety or they are hidden beneath so many links at the very bottom of the most obscure pages in the site that your average user never reads them.
Second of all, I agree with your point regarding the suggestion that companies should be required to thoroughly explain what kind of bugs they use (if any), what's sent and received and where the data goes. I personally think it's a great idea. And it's all well and good for sites that deploy their own web bugs. But what about the web sites who use web bugs belonging to other websites (e.g. sites who use DoubleClick web bugs, or Slashdot using a web bug from OSDN)? The application should be the same, of course, but how is that handled from a legal perspective? Who is responsible for the "bug"? The company who wrote/owns it, or the company that deploys it? Answers to any of these questions are more than welcome (particularly by someone involved in the legal profession), as I'm sure that there's at least some of us Slashdot readers that would like to know.
Self Bias Resistor
"Imagination is more important than knowledge." - Albert Einstein
----------
When the pin is pulled, Mr. Grenade is no longer our friend.
As any open source fanatic will tell you, it is imperative that you read the HTML source of every page that you view.
We don't need no stinkin' Bug Detector!
--- note sarcasm ---
"My mother never saw the irony in calling me a son-of-a-bitch." - Jack Nicholson
Many people have been asking (cursing, etc. :) for Mozilla, Mac, Opera etc. support. I think it would be great to investigate, and I have a student trying to learn something about Mozilla now. We just don't have the expertise yet. I'd be very interested in hearing from potential contributors. Heck, just a plugin or diff that shows how we can tap into browsing events and access the DOM in Mozilla could make it possible for us to proceed. Frankly, IE support was pretty easy because of all the books and sample code out there. Besides, we had just finished a long-winded report on IE browser extensions & their privacy practices when we started this project, which made Bugnosis pretty easy to envision.
We decided not to make Bugnosis a Web bug blocker, just a good analysis and exposition tool. See, the problem with many "privacy enhancing technologies" is that they put the burden on users to protect themselves. I firmly believe that being concerned about privacy shouldn't mean that you have to make it a huge personal priority, say, by committing time to downloading, maintaining, and upgrading yet another piece of software. Privacy should just be built in. Bugnosis shows how the current infrastructure is being used, and so contributes to the debate on what reasonable standards should be. In the privacy arms race, I'd much rather be a reporter in the trenches than an arms manufacturer -- even defensive arms.
Any CS students interested in working with us? We'll be setting up at Boston University in the fall.
David
One of the cool things about Mozilla (and its Linux and Windows derivatives) is the opportunity to only accept cookies from the current page. I'm sure that when Mozilla is released and starts to take chunks out of IE's dominance, people will start to use this feature and web bugs will become less useful.
Cookies are not the big deal. I can block those. It's the 1x1 gifs that kick off an HTTP request, with additional params that bother me.
Look at a few and you will see...
http://svr/path/[*.dll|.gif|etc]?param0=xxxx (amps)param1=xxxx...
That, my friend, gives you something far better than just a server log entry. And there is no blocking it... unless you start taking notes and set up your host table to say *.evilsite.com is at 127.0.0.1
+++ UGUCAUCGUAUUUCU
Trolls throughout history:
Jonathan Swift
Yet another reason iCab is my favorite browser.
It has the most sophisticated filtering system I've seen. You can filter cookies using many criteria, including (my favorite) blocking cookies that come from a different domain from the main page. AND you can filter IMAGES by size, w/ options to exclude sizes including 1x1px (this blocks most web bugs) as well as most common advertisement sizes, like the ubiquitous banner. What you get instead is a blank banner-(or whatever-)sized space with an icon of a coffee filter in the corner. Hee!
And speaking as a web designer, the feature doesn't compromise the legitimate use of spacer GIFs.* Page design is preserved, and who cares if the 1-px. GIF is actually loaded or not.
*Yes, I know that with CSS we shouldn't need spacer GIFs. I will rejoice when browser support for CSS is consistent enough for us to rely on them. Meanwhile, though, clients still tend to expect web pages to be as precisely designed as print, and sometimes you gotta cheat. But that's another discussion.
Fight for your right to read books!
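An added example, not part of the thread and not Bugnosis, WebWasher or iCab code: a static scan that applies the two heuristics commenters describe, an image declared as 1x1 and a host outside the page's own site, so that first-party spacer GIFs and visible banners are left alone. The `allied` parameter, the last-two-labels site rule and the sample page are assumptions of this example; images written by `document.write` at run time are not visible to a scan of the markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


def site(host):
    """Crude same-site key: last two DNS labels (assumption: no public-suffix list)."""
    return ".".join((host or "").lower().split(".")[-2:])


def px(value):
    """Parse a WIDTH/HEIGHT attribute; None when missing or not a plain pixel count."""
    return int(value) if value and value.strip().isdecimal() else None


class BugScanner(HTMLParser):
    def __init__(self, page_url, allied=()):
        super().__init__()
        self.page_url = page_url
        # Sites treated as first-party: the page's own plus any the user trusts.
        self.first_party = {site(urlsplit(page_url).hostname)} | set(allied)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag != "img" or not a.get("src"):
            return
        url = urlsplit(urljoin(self.page_url, a["src"]))
        w, h = px(a.get("width")), px(a.get("height"))
        tiny = w is not None and h is not None and w <= 1 and h <= 1
        third_party = site(url.hostname) not in self.first_party
        if tiny and third_party:  # invisible AND requested from someone else
            self.findings.append((url.hostname, url.path, url.query))


def find_web_bugs(html, page_url, allied=()):
    scanner = BugScanner(page_url, allied)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page; the NOSCRIPT image follows the Slashdot snippet quoted in the thread.
SAMPLE = """
<IMG SRC="/images/spacer.gif" WIDTH=1 HEIGHT=1>
<IMG SRC="http://ads.example.net/banner.gif?slot=top" WIDTH=468 HEIGHT=60>
<NOSCRIPT>
<IMG SRC="http://sd-images.osdn.com/Slashdot/pc.gif?index,992004976" WIDTH=1 HEIGHT=1 BORDER=0><BR>
</NOSCRIPT>
"""

if __name__ == "__main__":
    for host, path, query in find_web_bugs(SAMPLE, "http://www.slashdot.org/"):
        print(f"web bug: {host}{path} carries {query!r}")
```

Passing `allied=("osdn.com",)` makes the same page come back clean, which is the disagreement in the thread: the markup alone cannot say whether a second domain belongs to the same owner.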
But I was hit with a strong sense of irony when I saw "Microsoft" and "Web Bug" and thought that someone had developed a plug-in that would tell you if the page you were viewing was written in bad html.