Slashdot Mirror


Web Bug Detector

(H)elix1 writes: "I'm sure /. is about to be hit with this, but CNET just released a story about a web bug detector plug-in for IE called Bugnosis by the Privacy Foundation. An interesting toy, but the thing that grabbed my attention was the Web Bug Gallery. It would seem our beloved slashdot has them as well. Course, so did CNET, but that is a different story...." I think improved cookie-handling is much more useful in preventing tracking, but this is interesting because it provides visible feedback about tracking efforts.

8 of 190 comments

  1. Re:Apache Privacy Issues by zaf · · Score: 5

    I think we need a new moderation choice: 'Didn't get the joke'

  2. Here they are: by Grendel+Drago · · Score: 5

    From www.slashdot.org/ :

    <SCRIPT LANGUAGE="JAVASCRIPT">
    <!--
    now = new Date();
    tail = now.getTime();
    document.write("<IMG SRC='http://sd-images.osdn.com/Slashdot/pc.gif?index,");
    document.write(tail);
    document.write("' WIDTH=1 HEIGHT=1 BORDER=0><BR>");
    //-->
    </SCRIPT>
    <NOSCRIPT>
    <IMG SRC="http://sd-images.osdn.com/Slashdot/pc.gif?index,992004976" WIDTH=1 HEIGHT=1 BORDER=0><BR>
    </NOSCRIPT>

    Yep, there they are. Web bugs if I've ever seen 'em...

    -grendel drago

    --
    Laws do not persuade just because they threaten. --Seneca
  3. Does Not Does Not by oldstrat · · Score: 5

    The author of the CNET article should have taken one more step in research... and the author of the slashdot article should have verified.

    http://www.slashdot.org
    Contained a bug from the Open Source Development Network (OSDN.com)

    SLASHDOT is part of the OSDN pages by VA Linux.
    It's not a 'bug'.

    Bugnosis isn't smart enough to tell the difference between a real bug and a simple page counter, and probably can't be. We should really worry about much more important things and stop feeding paranoia.

  4. Web Bugs And Corporate Policy by Self+Bias+Resistor · · Score: 5

    First post insanity aside (trust me, it's only fun for about 5 minutes and bad for your karma because moderators despise it), there's this quote featured in the CNN article (yes, I do actually read the related articles before posting flamebait):

    "Our goal with the software is to reveal how Web bugs are tracking all of us on the Internet and to get companies to 'fess up' about why they are using them," Richard Smith, the Privacy Foundation's chief technology officer, wrote in his privacy tip sheet.

    "Any company that uses Web bugs on their site should say so clearly in their privacy policies and explain the following: why they are being used, what data is sent by a bug, who gets the data, and what they are doing with it," he added.

    There are two things that I'd like to point out about those statements. First of all, companies with web sites are (in most countries) legally required to tell you about what kind of data they collect and what they do with it. The majority of such privacy statements either consist of the usual "we don't collect any information that can personally identify you" variety or they are hidden beneath so many links at the very bottom of the most obscure pages in the site that your average user never reads them.

    Second of all, I agree with your point regarding the suggestion that companies should be required to thoroughly explain what kind of bugs they use (if any), what's sent and received and where the data goes. I personally think it's a great idea. And it's all well and good for sites that deploy their own web bugs. But what about the web sites who use web bugs belonging to other websites (e.g. sites who use DoubleClick web bugs, or Slashdot using a web bug from OSDN)? The application should be the same, of course, but how is that handled from a legal perspective? Who is responsible for the "bug"? The company who wrote/owns it, or the company that deploys it? Answers to any of these questions are more than welcome (particularly by someone involved in the legal profession), as I'm sure that there are at least some of us Slashdot readers who would like to know.

    Self Bias Resistor
    "Imagination is more important than knowledge." - Albert Einstein

    --

    ----------
    When the pin is pulled, Mr. Grenade is no longer our friend.

  5. Comments from a Bugnosis author by dmmjr · · Score: 5
    Yep, we consider the OSDN image to be a Web bug, because it acts as a surreptitious information conduit between slashdot.org, the reader's computer, and osdn.com. Information sent through this path picks up both slashdot and OSDN cookies, so it bypasses the "same domain" rule preventing one domain from manipulating cookies set at another. Of course there's no way for Bugnosis to understand the business relationship and contracts that may restrict the use of the conduit (P3P will help with this). What's absolutely clear is that a facility designed for displaying images is being run in reverse to transmit information without the user's permission or knowledge.

    Many people have been asking (cursing, etc. :) for Mozilla, Mac, Opera etc. support. I think it would be great to investigate, and I have a student trying to learn something about Mozilla now. We just don't have the expertise yet. I'd be very interested in hearing from potential contributors. Heck, just a plugin or diff that shows how we can tap into browsing events and access the DOM in Mozilla could make it possible for us to proceed. Frankly, IE support was pretty easy because of all the books and sample code out there. Besides, we had just finished a long-winded report on IE browser extensions & their privacy practices when we started this project, which made Bugnosis pretty easy to envision.

    We decided not to make Bugnosis a Web bug blocker, just a good analysis and exposition tool. See, the problem with many "privacy enhancing technologies" is that they put the burden on users to protect themselves. I firmly believe that being concerned about privacy shouldn't mean that you have to make it a huge personal priority, say, by committing time to downloading, maintaining, and upgrading yet another piece of software. Privacy should just be built in. Bugnosis shows how the current infrastructure is being used, and so contributes to the debate on what reasonable standards should be. In the privacy arms race, I'd much rather be a reporter in the trenches than an arms manufacturer -- even defensive arms.

    Any CS students interested in working with us? We'll be setting up at Boston University in the fall.

    David

  6. Re:I don't get it. by (H)elix1 · · Score: 5

    Cookies are not the big deal. I can block those. It's the 1x1 gifs that kick off an HTTP request, with additional params that bother me.

    Look at a few and you will see...

    http://svr/path/[*.dll|.gif|etc]?param0=xxxx (amps)param1=xxxx...

    That, my friend, gives you something far better than just a server log entry. And there is no blocking it... unless you start taking notes and set up your host table to say *.evilsite.com is at 127.0.0.1
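
Added example (not part of the thread and not Bugnosis's own code): a static check for the pattern the two comments above describe, an invisible 1x1 image fetched from a site other than the page's own, reported together with the query string it carries. The size test, the two-label domain comparison and the `www.slashdot.org/spacer.gif` control image are assumptions made for illustration; the flagged image is the NOSCRIPT tag quoted earlier in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def site(host):
    # Assumption: the last two labels approximate the registrable domain
    # (a real tool would consult the Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])

def tiny(value):
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False  # missing or non-numeric size: not treated as hidden

class BugFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_site = site(urlsplit(page_url).hostname or "")
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names.
        if tag != "img":
            return
        a = dict(attrs)
        url = urlsplit(a.get("src") or "")
        if not url.hostname:  # relative URL: same site as the page
            return
        hidden = tiny(a.get("width")) and tiny(a.get("height"))
        if hidden and site(url.hostname) != self.page_site:
            self.findings.append({"host": url.hostname, "query": url.query})

def find_web_bugs(html, page_url):
    finder = BugFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Sample page: the first two images are constructed controls; the rest is
# the markup quoted from www.slashdot.org in the thread (script shortened).
SAMPLE = """
<img src="/images/logo.gif" width="120" height="60">
<img src="http://www.slashdot.org/spacer.gif" width="1" height="1">
<SCRIPT LANGUAGE="JAVASCRIPT">
document.write("<IMG SRC='http://sd-images.osdn.com/Slashdot/pc.gif?index,1' WIDTH=1 HEIGHT=1>");
</SCRIPT>
<NOSCRIPT>
<IMG SRC="http://sd-images.osdn.com/Slashdot/pc.gif?index,992004976" WIDTH=1 HEIGHT=1 BORDER=0><BR>
</NOSCRIPT>
"""

if __name__ == "__main__":
    for finding in find_web_bugs(SAMPLE, "http://www.slashdot.org/"):
        print(finding)
```

Because the scan is static, it sees only the NOSCRIPT fallback; the image written by `document.write` exists only in the live DOM, so catching it requires a detector that runs inside the browser.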

  7. Apache Privacy Issues by MeowMeow+Jones · · Score: 5
    There is a little-known feature in the Apache Webserver that quietly logs your IP address as you view pages from it.

    --

    Trolls throughout history:
    Jonathan Swift

  8. Must be the early morning lack of coffee by academician · · Score: 5

    But I was hit with a strong sense of irony when I saw "Microsoft" and "Web Bug" and thought that someone had developed a plug-in that would tell you if the page you were viewing was written in bad html.