Slashdot Mirror


Stopping "PattyMail" Email Bugs

An anonymous reader writes, "In the U.S. Congressional Inquiry into the HP spy scandal, it was revealed that HP used Web bugs to track the source of leaks. HP's Fred Adler considers them a useful investigative tool which HP will keep using. Since dubbed PattyMail after HP Chairwoman Patricia Dunn, Web bugs have been around for a while. But it turns out the vulnerability they represent is far worse than first thought. Microsoft Outlook won't have a patch until 2007. The company at the center of the scandal claims they've done nothing wrong. But could repressive governments use them to track down critics? Can anything be done to stop Web bugs?"

13 of 248 comments

  1. Get rid of pics in emails by krell · · Score: 3, Insightful

    Ship all email programs by default configured to not show images in the mail. That would be a start. I've seen some web clients already that automatically filter out tiny "bug" sized graphics.

    --
    Where were you when the voynix came?
    1. Re:Get rid of pics in emails by Anonymous Coward · · Score: 4, Insightful

      This is a perfect opportunity for the often decried personal firewalls: Add a rule to allow the mail client to connect to the mailserver on the POP3 and SMTP ports (or IMAP port) and deny all other connections. Even if you use a client which can't be configured not to load external files, the firewall will stop the webbugs.

  2. Yes. by AJWM · · Score: 4, Insightful

    "Can anything be done to stop Web bugs?"

    Um, how about not reading email in HTML? Even LookOut!, er, Outlook you can set to convert mail to plain text.

    --
    -- Alastair
  3. Usual FUD by The+Bungi · · Score: 4, Insightful

    Outlook is doing exactly what it needs to do, blocking download of images. If it lacks the specialization of countering these "bugs" that's too bad for corporate sleuths and leakers, but it does not expose the user to anything, this is not a vulnerability and the "patch" mentioned will simply give you an additional option regarding image handling. I wouldn't think the "let me forward this mail with the secret tracking device turned off" functionality was high on Microsoft's feature list when they released OLK2003.

    1. Re:Usual FUD by NewWorldDan · · Score: 3, Insightful

      The only thing I don't like about Outlook's handling of this is that there isn't a way to download specific image files in the message. It's all or none.

  4. Plain Text Only by rhavenn · · Score: 3, Insightful

    Don't read your email in HTML format. Problem solved. a) There is nothing to be said in email that can't be said in plaintext and b) I really could care less to see your smiley face sig and pretty flower background.

  5. Re:Duh, use a non html email client by Sardonis · · Score: 2, Insightful

    pine is non-free (http://www.gnu.org/philosophy/license-list.html), use mutt

  6. With Outlook, just use a software firewall by Curmudgeonlyoldbloke · · Score: 3, Insightful

    Using a crappy old version of Zonealarm here, but any decent software firewall would do the same.

    Zonealarm's pretty basic - it* only has concepts of "local" and "Internet" zones; simply ensure that the Exchange server that it wants to connect to is in the "local" zone and that Outlook can't access the "Internet" zone.

    *the version I'm using, anyway.

  7. Solution is NOT regulation. by Kadin2048 · · Score: 3, Insightful

    This sounds like an invitation for some dumbass law "requiring" people to disclose when an email has tracking elements ... except that it would be impossible to enforce, and the spammers/malware-writers would just ignore it anyway.

    The solution here isn't regulation. It's just for people to decide whether a feature (in this case, HTML mail) is really worth the risk.

    Alternately, we could 'neuter' HTML mail so that only the most basic formatting commands worked; use it purely as a style markup language, with no iframes, images, or externally linked text. That seems like it would solve the problem while preserving the reason 90% of idiot users want HTML: so they can use bold/italic/flashing-red-text or whatever.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  8. Huh? by mccrew · · Score: 4, Insightful

    "A good fix would be to have your email client fetch all external files via a caching proxy server."

    I don't think so. Please explain how your proposal would prevent the sender from detecting the user reading the mail in the following image tag, where the final part of the URL path is a uniquifier:

    <img src="http://example.com/cgi-bin/genImage/lk3894343">
    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
    1. Re:Huh? by TommydCat · · Score: 2, Insightful

      In HP's case, I believe they would be more interested in who leaked the email rather than who receives it, therefore each authorized recipient would get their own trackable bug.

      Even one hit from a cache with an IP address not belonging to HP would indicate a potential breach of confidence and finger who forwarded the mail or exposed it to an insecure network.

      --
      This comment does not necessarily represent the views and opinions of the author.
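
Added example, not part of any comment in the thread: one way to "neuter" HTML mail as suggested above, re-emitting only basic formatting tags with no attributes and recording every URL that rendering would have fetched. The allowlist, the names `NeuterMail` and `neuter`, and the sample message are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: this allowlist is one reading of "only the most basic formatting".
ALLOWED = {"b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote", "pre"}
DROP_CONTENT = {"script", "style", "iframe", "object", "head"}  # drop tag and its body
URL_ATTRS = {"src", "href", "background", "data", "poster", "srcset"}

class NeuterMail(HTMLParser):
    """Re-emit allowlisted tags without attributes; record every URL dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.blocked.append((tag, value.strip()))
        if tag in DROP_CONTENT:
            self.skip += 1  # an unclosed one hides the rest of the mail: fail closed
        elif tag in ALLOWED and not self.skip:
            self.out.append(f"<{tag}>")  # attributes (style, on*, ...) are never copied

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "br" and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped, never raw

def neuter(html_body):
    """Return (sanitised_html, [(tag, url), ...]) for one HTML mail body."""
    parser = NeuterMail()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.blocked

# Constructed sample message; the <img> URL is the one quoted in the thread.
SAMPLE = ('<html><body background="http://example.com/bg.gif">'
          '<p style="color:red">Quarterly <b>numbers</b> attached.</p>'
          '<img src="http://example.com/cgi-bin/genImage/lk3894343" width="1" height="1">'
          '<iframe src="http://example.com/frame"></iframe></body></html>')

if __name__ == "__main__":
    clean, blocked = neuter(SAMPLE)
    print(clean)
    for tag, url in blocked:
        print("dropped", tag, url)
```

Because nothing outside the allowlist is ever emitted, a per-recipient URL such as the one in the `<img>` tag above is never requested, whether or not a cache sits in between.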
  9. Re:Finally! by Anonymous Coward · · Score: 1, Insightful

    I despise and will never use "blog", but I also despise idiots who use "gay" as a pejorative. It pretty much cancels out the insightfulness of the post.

  10. Re:Contents of a ReadNotify e-mail by Anonymous Coward · · Score: 1, Insightful

    "Can someone explain the IP address munging here? http://0320.185.62311/"

    Easy - URL parser calls gethostbyname() which, failing the name lookup (there is no .62311 TLD), looks for numbers. Octal numbers begin with zero, hence 0320 (octal) = 208 decimal. 185 is 185 decimal. 62311 is decimal; gethostbyname() figures out it is two bytes, puts it in for the second two bytes of the IP address (243, 103). Bingo - 208.185.243.103
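
Added example, not part of the comment above: a mail or proxy filter that compares hosts against a blocklist has to canonicalise numeric hosts first, or a munged form like the one just decoded slips past a string match. The sketch goes beyond the single case in the comment and applies the general numbers-and-dots rules of the classic `inet_aton()` parser (one to four parts, `0` prefix for octal, `0x` for hex, last part filling the remaining bytes); the function names are illustrative.

```python
import re
from urllib.parse import urlsplit

# Number forms accepted per part: hex (0x..), octal (leading 0), decimal.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")

def _parse_part(text):
    if not _PART.match(text):
        raise ValueError(f"not a number: {text!r}")
    if text[:2].lower() == "0x":
        return int(text, 16)
    if text.startswith("0"):
        return int(text, 8)
    return int(text, 10)

def normalize_ipv4_host(host):
    """Return the canonical dotted quad for a numeric host, else None."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        *head, last = [_parse_part(p) for p in parts]
    except ValueError:
        return None  # at least one label is not numeric: treat as a DNS name
    remaining = 4 - len(head)  # bytes the final part has to fill
    if any(n > 0xFF for n in head) or last >= 256 ** remaining:
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * remaining)) | last
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def canonical_url_host(url):
    """Host of `url`, with numeric forms rewritten to a plain dotted quad."""
    host = urlsplit(url).hostname or ""
    return normalize_ipv4_host(host) or host

if __name__ == "__main__":
    # The first URL is the one from the thread; the others are constructed.
    for url in ("http://0320.185.62311/", "http://3501847399/", "http://example.com/"):
        print(url, "->", canonical_url_host(url))
```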